Wednesday, April 19, 2017

Leadership lessons

Normally use this blog for longer form discussions about public news in the "cyber" field, but since I don't have another blogging forum I'm going to post this writeup here.

Getting tweens/teens to do chores can provide some lessons on leadership. I've assembled ten of them below for your enjoyment. 😀

1) Questions are OK. Sure, they're doing it to try to delay/distract/disrupt your objective as long as humanly possible. But it's OK to want to know what the objective and buy into the overall mission.
2) Be specific. If you don't know where you're going it's unlikely you'll get there. Describe what you're looking for and there's a small (OK, tiny) possibility it will happen the first time around.
3) Explain what triggers task completion and try to avoid time based metrics. If it's time, the human response is to conserve energy (see: USSR as an example of how well that works out). But if it's goal based, people will often choose to work harder to accomplish the objective quickly and do other things they value more. Like watch Netflix.
4) Positive and negative outcomes are useful and must be tailored to the individual. Some people love chocolate, others don't. Some would consider reading a punishment, others a pleasure. Personally I find beatings are consistently unpopular but you might find something else works well. 😏
5) Music and humor are great ways to make tasks more enjoyable and lighten the mood. Unless you're listening to NF's rap song about Mom dying and leaving him, in which case you want to start crying and console each other.
6) Yelling doesn't produce anything positive IMHO. Except fear/anger. Which, if you're trying to train a Sith could be useful I suppose.
7) Showing/training is important for things more complicated than "carry this from here to there". Although sometimes even that requires instructions.
8) Have reasonable expectations and don't accept poor work. The DMV is a great reminder that even adult humans are perfectly willing to work in a way that yields a terrible product/experience. Don't be United Airlines and accept that just because it's the way things are or you might end up with kicking, screaming and blood everywhere.
9) Positive feedback provided promptly to people doing great work or with a great attitude is helpful. Kind of like participation trophies, but actually earned. 🏆
10) Lead by example. Returning to my Sith Lord example, Darth Vader doesn't make his troops do all the enemy soldier killing, he's at the front of the line doing it himself (even at a distance). Showing everyone you're willing to work just as hard slaughtering enemy troops means they have someone that they can and should follow. Or get force choked.

Hardware enabled trust

Siege has been doing some work with hardware and software enabled root of trust implementations over the past few years. Specifically, looking at implementations like Trusted Platform Module (TPM), boot processes, UEFI, hypervisors and other implementations that utilize hardware "trust" functionality. Wanted to share some insight into what the research and implementation communities are doing.

To start, the major presentation that started a lot of attention for hypervisors and hardware trust was Joanna Rutkowska's 2006 Blue Pill presentation at Blackhat. That discussed injecting a hypervisor rootkit into a running operating system utilizing AMD's SVM (Secure Virtual Machine) instructions. Also discussed countermeasures, detections, and possible extensions to Intel's VT-x instructions. Also in 2006 researchers from Watson research discussed virtualizing the TPM so virtual machines could utilize TPM functionality.

In 2009 Rafal Wojtczuk, Rutkowska and Alexander Tereshkin presented several attacks  against the Intel's TXT (Trusted Execution Technology). Also in 2009 Rafal and Joanna presented an attack against System Management Mode (SMM). From the paper:
System Management Mode (SMM) is the most privileged CPU operation mode on x86/x86_64 architectures. It can be thought of as of "Ring -2", as the code executing in SMM has more privileges than even hardware hypervisors (VT), which are colloquially referred to as if operating in "Ring -1".
The authors describe
how to practically exploit this problem, showing working proof of concept codes that allow for arbitrary SMM code execution. This allows for various kind of abuses of the super-privileged SMM mode, e.g. via SMM rootkits
In 2011 Rafal Wojtczuk and Rutkowska presented an attack against the Intel VT-d and by extension Intel's TXT (Trusted Execution Technology). Wojticzuk, Rutkowska and Tereshkin were all part of Rutkowska's Invisible Things Lab, where the Qubes OS was also developed. Some of their posts on Qubes are available here. Qubes is an interesting project as they are attempting to implement defenses against the operating system/kernel, hypervisors and hardware that they are aware of by utilizing the full functionality of the hardware and secure design principles with strong isolation to build a significantly more secure operating system environment.
There are tons of other papers out there as well, I'd love to do a more comprehensive survey on the topic at some point. Siege has been doing some really cool research in the area and we started years ago, finally got to present it at Blackhat in 2016. Breaking Hardware Enforced Security with Hypervisors has some good information on the area and approaches to subverting the TPM interactions with the kernel/boot process by leveraging other architectural features (in our case, VT-x). Hopefully we'll have an opportunity to present some of the other things we've done in the domain in the next few years.