For close to three decades security has failed to stand up to the challenges imposed by malware authors and by the underground cyber crimes. Malware attacks take place underneath the host operating system, comprising the entire computing experience in such a way that nothing is far from the reach of malware authors.
One of the advanced attacks towards the end of 2009 was Operation Aurora. I happened to be one of the principal forensic analysts who worked on figuring out what happened during the attack including how it started, what went wrong and what was stolen. We never published our findings officially but it was clear that the bad guys were able to access the source code behind the software powering most of today's digital infrastructure including: devices, servers, networks, storage and the cloud.
This incident was not isolated. Since then, a considerable number of carefully and cleverly coordinated attacks have taken place, which could potentially result in some catastrophic tragedies, that and challenge the stability of the modern digital economy.
In analyzing several advanced attacks, by 2010, many things became clear:
- Pure software-based security solutions are not capable of preventing waves of advanced, persistent attacks
- Security has to live underneath the operating system, not on top of it, and be further assisted by the system hardware
- APT (advanced persistent threat) attacks will continue to target stolen software products as seen during Operation Aurora
- Data can no longer be protected once; the bad guys know the software security algorithms used to protect them
- Some private keys have already been stolen and have compromised the validity of the asymmetric public crypto infrastructure
Even with all of the above, one can still say that today we are at a much stronger defensive position. This is mainly due to the development of many hardware-rooted security technologies that provide out-of-band security assurances.
Obviously, I would start by mentioning the work at Intel and McAfee developing the DeepSAFE vision and technology. The main vision was to develop an out-of-band security that meets the following criteria:
- Can be fully isolated from the reach of an un-trusted code
- Has full control and visibility to execution environment
- Can fully access, trigger, trap and instrument the execution environment
- Has the ability to change the flow of execution with no limit
- Can safely inject and replace code modules with no restriction
- Can protect any piece of code from untrusted read, write and execute access
- Can partition execution environment into containers associating different access controls and privileges to each
- Provide continuous protection through: disk, CPU, GPU, memory and network operations
- Can tag and track data move operations across hardware subsystems
- Can store its data securely and communicate out-of-band with each other via networks and local buses
1The usage of Intel's hardware virtualization and TXT has proven to work allowing out-of-band protection for the Windows kernel and applications.