Is Too Much Focus Put on the Application Layer?

Friday, May 06, 2011

Keith Mendoza


Anyone who follows the tech world knows that information system security is now a big thing, to the point that companies like IBM are putting a lot of effort into promoting their security services, and security start-ups are getting lots of funding and growing.

Information system security is really nothing new; it's just that no one paid much attention to it until recently, and the focus seems to be mostly on securing the application.

My question is: who will make sure that the attack vector does not come from the hardware layer? I feel it's only a matter of time before someone works out how to send a data packet that causes some sort of buffer overflow in the network device driver.

Device drivers run with the same privileges as the OS kernel itself; get in that way and you already have all the privileges you could ever want, and you are free to do whatever you like from there.
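To make that scenario concrete, here is an added example; it is not code from the original post or from any real driver. It models a NIC driver's receive path: the device fills in a descriptor whose length field the driver then trusts when copying the frame into a fixed-size kernel staging buffer. The descriptor layout, buffer sizes and function names are assumptions made for illustration, and the "adjacent kernel state" is modelled as a flags word placed directly after the buffer inside one allocation so that the demo itself stays well-defined C.

```c
/*
 * Added example, not from the original post or any real driver. Toy model of
 * a NIC receive path: the device-written `len` field is trusted by the buggy
 * driver, so an oversized frame overwrites whatever follows the staging
 * buffer with sender-chosen bytes, in kernel context.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MTU          1500   /* hypothetical frame size */
#define RX_BUF_SIZE  256    /* hypothetical per-frame staging buffer */

/* Hypothetical receive descriptor; `len` is written by the device. */
struct rx_desc {
    uint16_t len;
    uint8_t  data[MTU];
};

/*
 * Model of one kernel allocation: the staging buffer immediately followed by
 * an unrelated 32-bit flags word. In a real kernel the neighbour could be a
 * function pointer, a refcount, or a different object entirely.
 */
struct rx_slot {
    uint8_t raw[RX_BUF_SIZE + sizeof(uint32_t)];
};

static void slot_init(struct rx_slot *s, uint32_t flags)
{
    memset(s->raw, 0, sizeof s->raw);
    memcpy(s->raw + RX_BUF_SIZE, &flags, sizeof flags);
}

uint32_t slot_flags(const struct rx_slot *s)
{
    uint32_t f;
    memcpy(&f, s->raw + RX_BUF_SIZE, sizeof f);
    return f;
}

/* Constructed input: a descriptor claiming `len` bytes, all set to `fill`. */
void make_desc(struct rx_desc *d, uint16_t len, uint8_t fill)
{
    memset(d, 0, sizeof *d);
    d->len = len;
    memset(d->data, fill, len <= MTU ? len : MTU);
}

/* Vulnerable: the copy length comes straight from the device. */
int rx_copy_unchecked(struct rx_slot *s, const struct rx_desc *d)
{
    memcpy(s->raw, d->data, d->len);    /* BUG: no bound against RX_BUF_SIZE */
    return (int)d->len;
}

/* Hardened: validate the device-supplied length before touching memory. */
int rx_copy_checked(struct rx_slot *s, const struct rx_desc *d)
{
    if (d->len == 0 || d->len > RX_BUF_SIZE)
        return -1;                      /* drop the frame; a real driver would also count it */
    memcpy(s->raw, d->data, d->len);
    return (int)d->len;
}

/* Flags word after an oversized frame goes through the unchecked path. */
uint32_t demo_unchecked(void)
{
    struct rx_slot s;
    struct rx_desc d;
    slot_init(&s, 0x00000001u);                 /* e.g. "slot in use" */
    make_desc(&d, RX_BUF_SIZE + 4, 0x41);       /* 4 bytes past the buffer, inside the model allocation */
    rx_copy_unchecked(&s, &d);
    return slot_flags(&s);                      /* 0x41414141: sender-controlled */
}

/* Same oversized frame through the checked path: rejected, flags untouched. */
uint32_t demo_checked_oversize(void)
{
    struct rx_slot s;
    struct rx_desc d;
    slot_init(&s, 0x00000001u);
    make_desc(&d, RX_BUF_SIZE + 4, 0x41);
    if (rx_copy_checked(&s, &d) != -1)
        return 0xFFFFFFFFu;                     /* should not happen */
    return slot_flags(&s);                      /* still 0x00000001 */
}

/* A legitimate frame is still delivered by the checked path. */
int demo_checked_valid(void)
{
    struct rx_slot s;
    struct rx_desc d;
    slot_init(&s, 0x00000001u);
    make_desc(&d, 100, 0x42);
    int n = rx_copy_checked(&s, &d);
    return (n == 100 && s.raw[99] == 0x42 && slot_flags(&s) == 1) ? n : -1;
}

int main(void)
{
    printf("unchecked path, flags after oversized frame: 0x%08x\n", demo_unchecked());
    printf("checked path,   flags after oversized frame: 0x%08x\n", demo_checked_oversize());
    printf("checked path,   bytes delivered for 100-byte frame: %d\n", demo_checked_valid());
    return 0;
}
```

The point of the hardened version is that the length field is as attacker-influenced as the frame payload: anything the device (or a crafted frame that device firmware passes through) writes into a descriptor has to be range-checked in the driver before it is used as a copy length or an index.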

Maybe I just haven't seen it yet, so I thought I'd ask: who is reviewing the device drivers and making sure they are not vulnerable to the same classes of bugs that browsers, PDF readers, web servers, and every other application are plagued with?

Granted, going this route is very hard, but I feel it's a matter of time. Sooner or later, privilege escalation through specially crafted JavaScript, JPEG, PDF, or MP3 files will become so routine that someone out there will look for a new way to one-up everyone else.

I feel that at that point the target will be the hardware itself. To be honest, we've already seen it with the Stuxnet worm. It didn't only search for specific industrial hardware; it modified the code running on the PLCs it targeted.

A common thief breaks into a home that is easy to break into; a sophisticated cat burglar breaks into a museum.

Currently, the easiest way to break into a system is through the software layer; however, I feel that sooner or later someone will figure out how to mount an attack through the hardware layer.

I hope that the information security industry has a way to mitigate this when it happens.

Cross-posted from Home+Power

Lucian Andrei: I hope that you are wrong, because I don't imagine an easy "update" of the firmware of a few hundred devices.

But I think that you are right, and we will see something like this. Bye Bye patch management.
Keith Mendoza: Lucian,
I didn't even think about the hardware itself being the attack vector. Now that I think about it, the more likely scenario would be a failure in both the firmware and the device driver. If the firmware is indeed an issue, the device driver can be rewritten to handle the shortcoming of the firmware; however, I think that will only work if the issue with the firmware is an edge case where the device driver can send an acknowledgement to the hardware but not pass it further along, or send a "try again" signal to the hardware that would change some hardware state so that the attack vector is mitigated on the next interrupt.
Don Eijndhoven: The reason this hasn't already happened (well... it has, remember MBR viruses way back when?) is that firmware can generally only be altered in very specific modes. You could say that it's secured like a block of concrete, in that there just isn't that much write access to begin with. Device drivers on the OS level are a different story, but these are some of the most hardened files/venues (for lack of a better term) of every operating system for precisely this reason.

I'd say Relax, but of course I can't guarantee the future. The scenario you paint is currently unlikely though (referring to both the article writer as well as Keith here).
Don Eijndhoven: Sorry, didn't see that they are one and the same.