

New attack bypasses virtually all AV protection - yanw
http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/

======
bensummers
This project <http://sysjail.bsd.lv/> was dropped because of exactly the same
problem with systrace on BSD systems, found in 2007.

Details: <http://www.lightbluetouchpaper.org/2007/08/06/usenix-woot07-exploiting-concurrency-vulnerabilities-in-system-call-wrappers-and-the-evil-genius/> (Exploiting Concurrency Vulnerabilities in System Call Wrappers)

It's not really possible to write wrappers which can inspect system calls,
allow them to be blocked or modified, AND be efficient. Therefore they're not
useful for security purposes because of the inherent race conditions.

------
pcof
A new attack on Windows machines. In the immortal words of the Slayer, "Dawn
is in danger. It must be Tuesday."

------
postfuturist
This article is an abomination of journalism, go to the original site
(<http://www.matousec.com/>) for something that makes sense.

~~~
mmphosis
Thanks for the link. I found the article confusing.

Was the article specifically about the list of results in this posting:
<http://www.matousec.com/projects/proactive-security-challenge/results.php>? I am
sure that other systems can be compromised, but I gather this is concerning
Windows only?

I ask because when reinstalling a Windows/PC last week, I needed to copy some
missing drivers (network/video) onto a USB flash drive from a working
computer. I happened to notice there was a Ubuntu installer on the USB stick,
and was very tempted to install Ubuntu!

------
Amnon
Summary of the article: AV software hooks into Windows system calls. When user-
mode code calls a kernel function, the AV hook handler first checks that the
arguments comply with the security policy. If they do, it passes the arguments
to Windows in order to execute the call. However, another user-mode thread can
change the data between the time of the check and the execution. The AV will
see valid data, but Windows itself will act upon the malicious data.

This is a vulnerability in AV software, not in Windows. If the attack succeeds
the system remains just as secure as other operating systems which don't have
AV.

How can the attack be prevented? I guess in the same way that the kernel
itself prevents such attacks (after all, the kernel has its own checks, which
presumably can't be bypassed). There's probably a way to make memory pages
read-only for the duration of the system call, so the data can't be changed.
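
An added illustration in C of the check-then-use pattern described above and of the single-copy fix; this is example code, not from the thread, from matousec's work or from any AV product. `policy_allows`, `kernel_open`, the path strings and the `interleave` callback (which stands in for the second user-mode thread; the real attack races two threads rather than using a callback) are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#define MAX_PATH_LEN 64

/* Constructed policy for an illustrative "open" service: only /allowed/ paths pass. */
static bool policy_allows(const char *path) {
    return strncmp(path, "/allowed/", 9) == 0;
}

/* Stand-in for the real kernel service: records the path it actually acted on. */
static char last_opened[MAX_PATH_LEN];
static void kernel_open(const char *path) {
    snprintf(last_opened, sizeof last_opened, "%s", path);
}

/* Models a second user-mode thread scheduled between the hook's check and its use. */
typedef void (*interleave_fn)(char *user_buf);

/* Vulnerable hook: reads the user buffer at check time and again at use time. */
static int hook_double_fetch(char *user_buf, interleave_fn interleave) {
    if (!policy_allows(user_buf)) return -1;   /* time of check */
    if (interleave) interleave(user_buf);      /* argument switched here */
    kernel_open(user_buf);                     /* time of use: re-reads user memory */
    return 0;
}

/* Hardened hook: copy the argument once into memory the user thread cannot
 * reach, then check and use only that private copy. */
static int hook_single_fetch(char *user_buf, interleave_fn interleave) {
    char priv[MAX_PATH_LEN];
    snprintf(priv, sizeof priv, "%s", user_buf);
    if (!policy_allows(priv)) return -1;
    if (interleave) interleave(user_buf);      /* switch hits the user copy only */
    kernel_open(priv);
    return 0;
}

/* Constructed "other thread": overwrites the path right after the check. */
static void switch_argument(char *user_buf) {
    snprintf(user_buf, MAX_PATH_LEN, "%s", "/not/allowed/file");
}

/* Runs one scenario and returns the path the kernel stand-in really used. */
const char *path_acted_on(bool hardened) {
    char arg[MAX_PATH_LEN] = "/allowed/file.txt";
    (hardened ? hook_single_fetch : hook_double_fetch)(arg, switch_argument);
    return last_opened;
}
```

The private copy is practical for small arguments such as a path; for large buffers that must stay in user memory (memory-mapped files, say) copying everything is not, which is why wrappers of this kind are hard to make both safe and efficient.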

------
some1else
Since hardware virtualization was introduced, the whole system can be wrapped
by an attacker. Therefore, well-coded malware could use the SSDT vulnerability
to virtualize the currently running OS and not even have to remove AV
protection afterwards. Tech keeps getting more and more flaky :-/

~~~
jrockway
Not really. Read "Reflections on Trusting Trust":

<http://en.wikipedia.org/wiki/Backdoor_(computing)#Reflections_on_Trusting_Trust>

------
devinj
What did the researchers propose as a solution? The article doesn't mention
any way around this.

~~~
Agent101
The first thing I would try is a bit hacky but might work. I'd take a copy of
the data structures you are analysing when looking for malware and then copy
it back to the original place just before you call the normal Windows
function.

It would minimise the amount of time the malware had to get the data in.

What you really need is to move the data into kernel space somehow. That would
need a tweak to Windows though.

The difficulty for the attacker comes in creating the initial attacker and
faker threads. Possibly AV can hook the creation of threads and examine new
threads for this potential behaviour (this might kill heavily threaded apps
though). Then the virus maker would have to attack two separate threads.

~~~
bensummers
Two problems:

1) Efficiency

2) When an argument refers to a large amount of data which is necessarily in
the user's memory space, e.g. memory-mapped files.

------
brianobush
I love the arms race between AV and attacks. Always an interesting read.

------
jmah
Would this timing attack affect Google's NativeClient as well?
<http://code.google.com/p/nativeclient/>

------
zokier
The last paragraph is interesting. How did bypassing AV become privilege
escalation?

Note: I have yet to read what matousec.com really says.

------
xtacy
In short, a race condition in Windows.

~~~
wazoox
Not really. Actually Windows is a sophisticated form of distributed race
condition.

