Is Too Much Focus Put on the Application Layer?

Friday, May 06, 2011

Contributed By:
Keith Mendoza

Anyone who follows the tech world knows that information system security is now a big thing; to the point that companies like IBM are putting a lot of effort to promote their security services, and start-ups are getting lots of funding and growing.

Information system security is really nothing new, its just that no one has paid much attention to it until recently; and the focus seem to mostly be on securing the application.

My question is: who will make sure that the attack vector will not come from the hardware layer? I feel that it's a matter of time that someone will formulate a way to send data packet where the network device driver will cause some sort of buffer overflow.

Device drivers have the same privileges as the OS itself; get in that way and you already got all the privileges you can ever want. You are free to do whatever you want to do at that end.

Maybe I just haven't seen it yet, so I thought I'd ask: Who is reviewing the device drivers and making sure that it's not vulnerable to the same vulnerabilities that browsers, PDF readers, web servers, and any other applications are plagued with?

Granted that going this way is very hard; but, I feel it's a matter of time. Sooner or later, privilege escalation by generating specially-crafted javascript code or jpegs, pdf, mp3 files, whatever, becomes so easy that someone out there will look for the new way to one-up everyone else.

I feel at that point the target will be the hardware itself. To be honest, we've seen it with the Stuxnet virus. This virus didn't only search for specific industrial hardware, it modifies the PLC of its target hardware.

A common thief will break into a home that they can break into easily; however, a sophisticated cat burglar will break into a museum.

Currently, the easiest way to break into a system is through the software layer; however, I feel that sooner or later someone will figure out a way to formulate an attack using the hardware layer.

I hope that the information security industry has a way to mitigate this when it happens.

Cross-posted from Home+Power

Share This! |

Views:	3223
Categories:	Webappsec->General
Industries:	Information Security
Tags:	Software Application Security Operating Systems Stuxnet Information Security Privilege Escalation Device Drivers

Post Rating I Like this!

Comments:

Lucian Andrei I hope that you are wrong, because I don't imagine an easy "update" of the firmware of few hundreds of devices.

But I think that you are right, and we will see something like this. Bye Bye patch management.

1304737124

Keith Mendoza Lucian,
I didn't even think about the hardware itself being the attack vector. Now that I think about it, the more likely scenario would be a failure in both the firmware and the device driver. If the firmware is indeed an issue, the device driver can be rewritten in a way to handle the shortcoming of the firmware; however, I think that will only work if the issue with the firmware is an edge case that the device driver can send an acknowledged to the hardware but not pass it further along, or send a "try again" signal to the hardware that would change some hardware state where the attack vector is mitigated on the next interrupt.

1304751525

Don Eijndhoven The reason this hasn't already happened (well...it has, remember MBR virusses way back when?) is that firmware can generally only be altered in very specific modes. You could say that its secured like a block of concrete, in that there just isn't that much write access to begin with. Device drivers on the OS level is a different story, but these are some of the most hardened files/venues (for lack of a better term) of every operating system for precisely this reason.

I'd say Relax, but of course I can't guarantee the future. The scenario you paint is currently unlikely though (referring to both the article writer as well as Keith here).

1305024220

Don Eijndhoven Sorry, didn't see that they are one and the same.

1305024269

You Must Register or Login to Comment

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked

Latest Member Comments

"Have you ever dreamed that your 90′s cyberpunk movies goes real? Well, we almost there, meet the Deep Web. The Deep Web (also called ..."

What is the Deep Web? A Trip into the Abyss.... Smukke Smukke on 06-13-2013

"The author of this article is answering the wrong question. It appears (he) is writing this article in response to all the attention gi..."

NSA Surveillance Is Legal And Not Targeting ... John Smith on 06-13-2013

"Agreed, good post. There is the ISO standard take on processes and implementing lasting changes then there is the practical operational..."

Vulnerability Management and Root Cause Anal... Ian Tibble on 06-12-2013

"Good post. One of the key elements in Vulnerability Management is having the contact details of the person knowledgeable on why a certa..."

Vulnerability Management and Root Cause Anal... Koen Van Impe on 06-11-2013