Pwn2Own 2017: Your stuff as mincemeat
They came from miles around to carry out a hallowed, decade-long mission: To eat your lunch.
The security researchers assembled at the Pwn2Own 2017 hacking competition, sponsored by Trend Micro, and occasionally grouped together, then performed essentially zero-day exploits (at least by the rules, heretofore unknown) on your favorite stuff, such as Windows, MacOS and Linux. Smoldering pits in the screen were left, as teams collected cash prizes and creds.
For giggles and grins, a Type 2 Hypervisor, VMWare Workstation was also left for shrapnel, one of the first times a hypervisor has been penetrated by a virtual machine in this way. It wasn’t a cascade effect, but rather a shot across the bow. I suspect there are more ways to penetrate a foundational hypervisor, too, but they haven’t been seen in captivity to my knowledge.
Yes, Ubuntu was rooted, but it was because of a bug in the Linux kernel and not something Canonical (necessarily) left open.
The methods are known, and lots of compilers were running over the weekend to push new patches and fixes into the items found. We hope.
So, how does an organization protect against such things, such apparently easy zero-days?
First, it wasn’t that easy.
Second, the researchers had physical access to the machine and could control its networking. The most interesting cracks were implemented using browsers, indeed Microsoft’s Edge browser and Apple’s Safari.
Third, these were great teams, and they earned their tens of thousands of dollars worth of prize money.
And by far, there are more. Some of the zero-days out there are known but unpatched or fixed and have been waiting for years for a theoretical attack to become real. The CVEs are full of such things, long shots made short by enterprising individuals with a knack for tenacity and love of a good explosion.
Each is happy to go to events like Defcon, Black Hat, Chaos Computer Club (CCC) and RSA. This is done for sport, certainly, but also the revenue. A decent living can be made by bug finding—and sadly, also for bug selling.
A moral issue is conjured about the nature of bug finding and bug finders. Make no mistake that the Pwn2Own contest looks on the surface like a huge embarrassment—as it should—to software vendors. The smoking craters mean much work went for naught. It also means nothing is foolproof because fools are so ingenious, and the decoupling of operating system functions and constant-revisions practices may themselves be a problem.
Software companies’ growth—and the problems that come with it
Publicly traded companies must report way-cool quarter after quarter growth to their slavemaster, Wall Street. Growth has to come from new purchasers, upgraders, service plans, and especially new releases. The lore that software organizations would like you to believe is that the new stuff is better than the old stuff—see our preview, our beta lists or our demo/trialware.
Growth is incredibly important because financial butts are on the line to make the numbers each and and every quarter, unless that quarter everyone is taking a financial bath. So, buy the new stuff. Buy our stuff that’s the result of our latest acquisition, which might work in a few quarters as though we actually thought and designed it.
The compelling nature of software growth also makes it very vulnerable. Code has become incredibly sophisticated and complex. It must interact with lots of other software successfully. It had lines of demarcation between other software, the host operating system, a hypervisor or other foundation layer, the hardware, the smarts of local networking, as well as the quality or hostility of incoming data.
Hackers want your stuff, too
Sunday night, as I was digging through WordFence on one of my websites, I noticed that there were several attempts at page loads from pages long gone—the kind you’d need to find in the Internet Archives, e.g. pages long gone. The attempts were from vastly geographically disperse IP addresses. They were undoubtedly bots.
But they want me. For what? Who knows. But they want, you, too. Except for watching network behavior, you wouldn’t have been able to have stopped most of the attacks cited in this year’s Pwn2Own. If your network smarts had identified stateless transactions or weird IP addresses, you’d have a small chance of stanching the attacks.
Clearly, if they have access, you are toast. Controlling the network access—if you can—is the best bet towards stanching hostile flows. Otherwise, adding another layer of access barriers, such as encryption or microservices protected by autonomous (or vastly federated) security, is your best hope.