HIPS with Kernel Patch Protection?

Discussion in 'other anti-malware software' started by Rasheed187, Mar 21, 2014.

  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Google for Truetype font fuzzing if you'd like to see what amounts to RCE in kernel via nothing but text.
     
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Somehow I missed the above...

    @noone_particular: In the case of Metasploit it's delivered via Flash for some reason (maybe to discourage script kiddies?). But the exploit in question would work perfectly well with an embedded font in a web page. Or in a PDF or Postscript file. Or an Office document, etc. This is an extremely nasty kind of exploit, and a good example of why an OS must maintain good separation between user and kernel space.

    (Also something that Linux is AFAIK largely invulnerable to, as font parsing is done in X client programs using one or another rendering library; I believe Xorg only displays the resulting bitmaps. Slower, but much safer.)
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, I know what you're saying, but I've read her posts in the past, and it sounds like she's expecting 100% security, while we all know that isn't possible. I bet even the Qubes OS can get hacked. :ouch:

    But the best thing would be to test this stuff in real-life situations. So let's say that tools like McAfee Deep Defender and Hypersight Rootkit Detector can stop the top 25 of the most nasty rootkits out there. It's quite hard to argue with that. :)
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Re current rootkits, that would say little about future developments.... Which I suspect there would be. Part of the reason hypervisors are so seemingly invulnerable is that they contain much, much less code than a normal OS kernel. But what happens when you bloat up a hypervisor with a built-in AV engine? Then you're creating more attack surface.

    Re security in general, I'm personally not a fan of the security-through-isolation school of thought - it smacks of too much complexity from my viewpoint. But 100% security is not the point. Don't think "impenetrable OS" so much as "OS that I don't have to patch every few weeks or risk getting insta-pwned."

    (And sadly all modern desktop OSes fall into that category. Windows? Updates galore. Linux? Updates galore. OSX? Has a reputation for being vulnerable because it doesn't have updates galore. Etc.)
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Well, I wouldn't worry that much about "creating more attack surface". From what I've read, tools like Deep Defender simply monitor and protect the OS kernel, just like KPP. I don't believe that these kinds of hypervisors have to become "bloated". Of course it also depends on the design.

    Also, I don't think it's that easy for (future) rootkits to bypass the hypervisor. You know why? Because luckily, rootkits can't use magic to infect systems.

    Let's face it, after all these years, rootkits (and other malware) are still using the same techniques. Yes, some tricks are new, but none of them are groundbreaking IMO. A well-designed HIPS should be able to stop both current and future rootkits/trojans. So all in all, I'm not really that worried about "future developments". :)
     
  6. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Btw, I was thinking, how would you attack a hypervisor? You can't do it from inside the OS, I suppose?

    I think you can only attack it with stuff like Blue Pill (virtual machine based rootkit), but Secure Boot (UEFI) should protect you from that. And I wouldn't be surprised if hypervisors can also be protected with stuff like DEP and ASLR.

    Edit: check out link number three. :)

    http://en.wikipedia.org/wiki/Blue_Pill_(software)
    http://www.maketecheasier.com/disable-secure-boot-in-windows-8/
    http://www.darkreading.com/risk/researchers-lock-down-the-hypervisor/d/d-id/1133513

    More info about Deep Defender:

    http://www.esecurityplanet.com/windows-security/review-mcafee-deep-defender.html
    http://www.mcafeeworks.com/Deep-Defender.asp
     
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    Well, as earlier I'll admit I'm biased; I have a serious distrust of anything with the McAfee brand attached. Nor do I like the idea of yet another utterly closed, proprietary layer south of the kernel.

    I suppose the next few years will show which of us is right. Personally I suspect this stupid arms race will continue for some time.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    McAfee = Intel :)

    I suppose you're using an AMD processor? :D

    And besides, all security companies can write such a tool, not only Intel.
    Even Microsoft could make a hypervisor run on top of Windows (KPP on steroids). Would you distrust that too?
     
    Last edited: Apr 10, 2014
  9. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Btw, it turns out that Deep Defender has already been tested. :)

    http://www.mcafee.com/us/independent-reports/av-test.aspx

    See attached file for old Hypersight Rootkit Detector test results. So this stuff is really working. :thumb:

    @ Gullible Jones

    I already know why you don't like McAfee, it's because of that John McAfee guy, right? He's crazy as hell. You do know that he departed from the company in 1994? :argh:

    Edit: changed John McAfee link, movie (original link) was a bit explicit, my apologies, should have checked first.
     
    Last edited: Apr 14, 2014
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    That they kept McAfee's name, despite him being a criminal (to put it mildly), is part of it. The other part is my own experiences with their products. I'm open to the idea that they may have improved under the Intel management, but I've only seen bad stuff from them so far.

    [Edit: I would have further choice words regarding most realtime AVs, and vendors of such, in general, and their marketing tactics in particular. But those words would be liable to get me banned, so I'll keep my mouth shut on that.]

    In any case
    a) The McAfee "test results" you linked to contain a great deal of buzzwords and no actual test results (impressive bar graphs do not count, you can find those on absolutely any AV vendor's web site)
    b) The Hypersight test is only vs. two rootkits, not exactly what I'd call a preponderance of evidence

    Edit: mind you, this is coming from a guy who refuses to use ReiserFS for anything, so take it as you will.
     
  11. AutoCascade

    AutoCascade Registered Member

    Joined:
    Feb 16, 2014
    Posts:
    741
    Location:
    United States
    Interesting read for those, like myself, who don't have a deep understanding of this subject.

    So MS closing up the kernel via Patchguard to a great degree is what keeps a lot of security software from being upgraded to work on 64-bit systems, if I read this correctly. This also describes some attacks on Patchguard where DeepSafe complements it to prevent them. Interesting.

    http://www.mcafee.com/us/resources/reports/rp-defeating-patchguard.pdf
     
  12. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ Gullible Jones

    LOL, I was joking, but apparently, I wasn't that far away from the truth. :p


    That's true of course, but that's the problem with all of these tests: we can't verify them. But I think you're being a bit too skeptical. Check this out, it was able to stop Uroburos, another example of why KPP is not good enough. :)

    http://blogs.mcafee.com/mcafee-labs/analyzing-uroburos-patchguard-bypass
    https://blog.gdatasoftware.com/blog...travel-into-kernel-protection-mitigation.html

    About Hypersight, it's already a dead product (Win 32-bit only), but it did have potential IMO, more info:

    http://northsecuritylabs.blogspot.n...pdated-max=2011-01-01T00:00:00Z&max-results=2
     
    Last edited: Apr 16, 2014
  13. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    I actually think that Microsoft has made the right decision to deny access to the kernel. Like I said before, so far no HIPS has ever been able to protect the OS kernel, at least not when malicious code has already been loaded. KPP is at least trying to counter rootkits. However, it's not strong enough to protect against advanced attacks, as described in the report. :)

    Btw, did y'all notice that nobody is complaining about KPP anymore? Perhaps Microsoft has beefed up the PatchGuard APIs for security tools? I mean, I've noticed that HIPS on Win 8 64-bit are just as powerful as on 32-bit.

    http://windowsitpro.com/hardware/what-you-need-know-about-kernel-patch-protection
    http://www.computerworld.com/s/article/9006251/Microsoft_releases_first_draft_of_PatchGuard_APIs
     
    Last edited: Apr 16, 2014
  14. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    3,344
    Location:
    Europe, UE citizen
    I disagree. I want to choose how to defend my PC, and if I trust third-party software more than PatchGuard, I have to be able to do it.
     
  15. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Btw, this is another interesting paper, make sure to read page 3.

    http://www.google.nl/url?q=http://w...EQFjAA&usg=AFQjCNHU0huvhA_YTaDuihb0g9TfzfHv4w

    It basically answers my question: HIPS can't fully protect the OS kernel (not even on Win 32-bit), because the Windows OS doesn't give the option (to a third-party HIPS) to fully control the kernel.

    If M$ could build such an option (which they won't because of KPP) then user-mode HIPS would have had almost the same abilities as Deep Defender. It could then for example stop modifications to the SSDT. :)
     
    Last edited: Apr 20, 2014
  16. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    How do I get a trial of McAfee Deep Defender? I have been unable to on their site. My download never starts after selecting the platform I'm using on McAfee's website.
     
  17. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I just found McAfee Deep Defender on Softpedia, but I would prefer to download it from McAfee's website. It would be safer, and ensure I have the most up-to-date version.
     
  18. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
  19. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429

    And the download size is 207MB. FWIW

    Let us know how it works if you go for it. :)
     
  20. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Is Deep Defender just meant to protect against Rootkits?
     
  21. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    Yes, but it's not meant for home PCs; you also need some other McAfee enterprise software in order to make this work.
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    I prefer other AVs over McAfee home products. I'm not exactly your average home user though. I have a Netgear Prosecure UTM 25 on my home network as well. We had McAfee Enterprise at work which was ok. Definitely better than their home products. I have not tried their home products in a while so I'm not sure what they are like now. Maybe this will be more useful for Mid Size Businesses-Enterprise customers then.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
  24. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    There are quite a number of papers on kernel protection. Search Google Scholar for patchguard. Also search Google Scholar for windows kernel integrity.
     
  25. syrinx

    syrinx Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    427
    The softpedia External Mirror 1 links to the mcafee site for the eval zip.
    h**p://downloadcenter.mcafee.com/products/evaluation/Deep_Defender/v1.6/deepdefender_1.6.0.513.1_eval_pkg.zip
     