Friday, January 29, 2010

Information Markets

Vulnerability data is a subset of a broader market in information. There's a great company called Intrade running a full market exchange based on boolean future facts (such-and-such will or will not happen). They were accurately predicting the Scott Brown victory well before it happened. Not a perfect system, but an interesting way to quantify the estimates being made and the confidence behind them. You can email them to suggest new markets; it would be interesting to see the community suggest some 0-day related topics to price. The graphic shown lists the market price that the Higgs boson particle will be observed on or before 31 Dec 2010.

I also read an interesting article from ABC News that uses the recent Google compromise as a jumping-off point to discuss the vulnerability market. Some of the more memorable quotes:
"Likely, they merely had to tap a thriving underground market, where a hole 'wide enough to drive a truck through' can command hundreds of thousands of dollars, said Ken Silva, chief technology officer of VeriSign Inc. Such flaws can take months of full-time hacking to find. 'Zero days are the safest for attackers to use, but they're also the hardest to find,' Silva said. 'If it's not a zero day, it's not valuable at all.'"
"Pedram Amini, manager of the Zero Day Initiative at the security firm TippingPoint, estimated that the IE flaw could have fetched as much as $40,000. He said even more valuable zero-day flaws are ones that can infect computers without any action on the users' part."
In this case, Microsoft actually knew about the flaw since September but hadn't planned to fix it until February, as companies sometimes prioritize fixing other problems and wait on the ones they haven't seen used in attacks.
There's also another, highly secretive market for zero days: U.S. and other government agencies, which vie with criminals to offer the most money for the best vulnerabilities to improve their military and intelligence capabilities and shore up their defenses.
TippingPoint's Amini said he has heard of governments offering as high as $1 million for a single vulnerability — a price tag that private industry currently doesn't match.
Little is publicly known about such efforts, and the U.S. government typically makes deals through contractors, Amini said. Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment.
One researcher who has been open about his experience is Charlie Miller, a former National Security Agency analyst who now works in the private sector with Independent Security Evaluators. Miller netted $50,000 from an unspecified U.S. government contractor for a bug he found in a version of the Linux operating system.
I had to chuckle at the line "Several U.S. government agencies contacted by The Associated Press did not respond to requests for comment." Go figure. My blog post on this topic, with links to Pedram's and Charlie's papers as well as some companies that advertise their work in this domain, is here.

Also of interest is Google's announcement that it will follow Mozilla in paying for vulnerabilities reported to it privately. With Chrome and Firefox both monetizing this information (at arbitrary, as opposed to market, prices), it remains to be seen how long Microsoft will hold out in refusing to pay for third-party research.

Thursday, January 28, 2010

Hacking embedded systems - March update

Big news recently was the exploit against the PS3 hypervisor developed by George Hotz. Nate Lawson has a good writeup explaining the attack on his blog. Hotz fills a section of memory with duplicate pointers to a buffer he controls. He then asks the hypervisor to deallocate that section, but interrupts the system in hardware before the deallocation completes. The hypervisor is thus left holding references to a buffer controlled by the Linux kernel, which is under the attacker's control. The attacker then creates virtual memory buffers until the hypervisor allocates one that overlaps the section the attacker controls. Once this is complete, the magic happens when the exploit creates:

HTAB entries that will give it full access to the main segment, which maps all of memory. Once the hypervisor switches to this virtual segment, the attacker now controls all of memory and thus the hypervisor itself. The exploit installs two syscalls that give direct read/write access to any memory address, then returns back to the kernel.

The attack requires the attacker to apply a precisely timed voltage pulse, with nanosecond-scale timing, to a particular line on the PS3 memory bus (shown by the red circle in the graphic above) to confuse the system and interrupt the memory deallocation. George has not compromised the secret keys, and much work remains. But attackers can now read all of the hypervisor code and should be able to operate in memory outside the hypervisor on the main Cell processor (the PPE). There are seven other Cell coprocessors (SPEs), including one dedicated to security functions.
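To make the "interrupted deallocation" primitive described above concrete, here is a small C simulation. This is an added example, not Hotz's exploit or any code from Nate's writeup: the arena, the bump allocator with a FIFO free queue, the reference table and the software `glitch_after` hook are all stand-ins (assumptions) for the real hypervisor structures and the hardware glitch. It models the two steps that matter: a release routine that is cut off partway through clearing references, and the attacker allocating repeatedly until a fresh allocation lands on memory those stale references still point at. Without the glitch the same sequence finds no overlap.

```c
/* Toy model of an interrupted deallocation leading to a dangling reference.
 * Added illustration; all structures and the glitch hook are assumptions,
 * not the PS3 hypervisor's real allocator or HTAB handling. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE    4096
#define BLOCK_SIZE    256
#define TABLE_ENTRIES 16
#define FREEQ_SIZE    16

/* "Physical" arena shared by guest buffers and hypervisor structures. */
static uint8_t  arena[ARENA_SIZE];
static size_t   brk_off;                 /* bump pointer for fresh blocks */
static uint8_t *freeq[FREEQ_SIZE];       /* FIFO of released blocks */
static size_t   freeq_head, freeq_tail;
static uint8_t *table[TABLE_ENTRIES];    /* hypervisor-side references */

/* Simulated glitch: when >= 0, release_region() stops clearing references
 * once this many have been zeroed. The real attack did this in hardware. */
static int glitch_after = -1;

static void reset(void) {
    memset(arena, 0, sizeof arena);
    memset(table, 0, sizeof table);
    brk_off = 0;
    freeq_head = freeq_tail = 0;
    glitch_after = -1;
}

/* Reuse the oldest released block first, otherwise carve a new one. */
static uint8_t *hv_alloc(void) {
    if (freeq_head != freeq_tail) {
        uint8_t *p = freeq[freeq_head];
        freeq_head = (freeq_head + 1) % FREEQ_SIZE;
        return p;
    }
    if (brk_off + BLOCK_SIZE > ARENA_SIZE) return NULL;
    uint8_t *p = arena + brk_off;
    brk_off += BLOCK_SIZE;
    return p;
}

static void hv_free(uint8_t *p) {
    freeq[freeq_tail] = p;
    freeq_tail = (freeq_tail + 1) % FREEQ_SIZE;
}

/* Guest has the hypervisor record many references to one buffer. */
static void fill_table(uint8_t *buf) {
    for (int i = 0; i < TABLE_ENTRIES; i++) table[i] = buf;
}

/* Hypervisor releases the buffer: queue the block for reuse, then clear the
 * references. An interrupted loop leaves stale entries behind. */
static int release_region(uint8_t *buf) {
    hv_free(buf);
    int cleared = 0;
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        if (glitch_after >= 0 && cleared >= glitch_after) break;
        if (table[i] == buf) { table[i] = NULL; cleared++; }
    }
    return cleared;
}

static int stale_entries(void) {
    int n = 0;
    for (int i = 0; i < TABLE_ENTRIES; i++) if (table[i]) n++;
    return n;
}

/* Attacker keeps allocating until a new block overlaps a stale reference.
 * Returns the number of allocations needed, or -1 if the arena runs out. */
static int allocate_until_overlap(uint8_t **victim) {
    for (int n = 1; n <= ARENA_SIZE / BLOCK_SIZE; n++) {
        uint8_t *p = hv_alloc();
        if (!p) return -1;
        for (int i = 0; i < TABLE_ENTRIES; i++)
            if (table[i] && table[i] == p) { *victim = p; return n; }
    }
    return -1;
}

/* Full scenario. prefreed = blocks the hypervisor released earlier, which
 * sit ahead of ours in the free queue. Reports allocations needed and whether
 * a write through a stale reference shows up in the newly handed-out block. */
static int run_attack(int glitch_point, int prefreed, bool *corrupted) {
    uint8_t *early[FREEQ_SIZE];
    reset();
    uint8_t *buf = hv_alloc();                        /* attacker's buffer */
    for (int i = 0; i < prefreed; i++) early[i] = hv_alloc();
    for (int i = 0; i < prefreed; i++) hv_free(early[i]);
    fill_table(buf);
    glitch_after = glitch_point;
    release_region(buf);                              /* possibly glitched */
    glitch_after = -1;
    uint8_t *victim = NULL;
    int n = allocate_until_overlap(&victim);
    *corrupted = false;
    if (n > 0) {
        memset(victim, 0, BLOCK_SIZE);                /* "hypervisor" inits it */
        for (int i = 0; i < TABLE_ENTRIES; i++)       /* write via stale ref */
            if (table[i]) { memset(table[i], 0x41, 8); break; }
        *corrupted = victim[0] == 0x41;
    }
    return n;
}

int main(void) {
    bool c;
    int n = run_attack(5, 3, &c);
    printf("glitched:   overlap after %d allocations, stale=%d, corrupted=%d\n",
           n, stale_entries(), c);
    n = run_attack(-1, 3, &c);
    printf("no glitch:  overlap after %d allocations, stale=%d, corrupted=%d\n",
           n, stale_entries(), c);
    return 0;
}
```

The glitched run finds the overlap on the fourth allocation (three older blocks are reused first), and a write through one of the eleven stale entries lands in the block the "hypervisor" just handed out, which is the foothold the real exploit turns into HTAB control. The un-glitched run clears every reference and never finds an overlap.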

It's a testament to the level of security engineering Sony put in that it lasted this long. Their willingness to allow dual-booting Linux probably deflected some of the most intense analysis, since it removed one of the main motivations for hacking the system.

On a personal note, George Hotz is building an impressive track record. He is one of the key developers behind the iPhone/iPod Touch hacks and released the primary tool for "jailbreaking" those devices. For a 21-year-old he has a bright future in the field...

UPDATE (March 29th, 2010):
Sony has responded to George's research by announcing that on April 1st it will disable the "Other OS" feature on all deployed PS3s. Since this feature was advertised when the devices were sold, some users speculate that Sony will be sued for retroactively removing something people paid for. Some users blame George, who is planning to create a workaround. An interesting unintended consequence, and a heavy-handed response from Sony.