Issue No.06 - November/December (2010 vol.8)
Published by the IEEE Computer Society
Gary McGraw , Cigital
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2010.188
Silver Bullet Security Podcast host Gary McGraw interviews Iván Arce, chief technology officer of Core Security Technologies.
Iván Arce is cofounder of Core Security Technologies, a company offering penetration testing software solutions. In his role as CTO, he helps to set the technical direction for the company. Arce is also a well-respected industry pundit, appearing in the press with some regularity. He's an associate editor for IEEE Security & Privacy magazine.
Hear the full podcast at www.computer.org/security/podcasts/ or www.cigital.com/silverbullet.
Gary McGraw: You and I started playing with computers at roughly the same time—in 1981 or so. I still have my Apple ][+, by the way. What got you going in computer science, and how did that morph into computer security?
Iván Arce: Well, my first computer, as you know, was a Commodore VIC-20. It wasn't an Apple ][+—I wasn't spoiled—but it wasn't that bad. And if you look at the user manual of the VIC-20, it's "play with this thing, experiment. You can explore a lot of possibilities, and we're encouraging you to do that." Something to that effect is actually written in the user manual, so I did that, and that's how I started with computers. Originally, I started as many people did: transcribing games from magazines to the computer to play them. But then I did some programming, and that's how I started. Eventually, I got a Commodore 64, then a Commodore 128. Then I got a PC. Then I got several PCs, and so on.
McGraw: So when did you turn to computer security from playing around with little, tiny machines?
Arce: I would say the early '90s. By then, I was studying electronic engineering here at the University of Buenos Aires and also working for a computer telephony integration company. It was a 10-person company—not a huge lab or anything. But we were developing applications and deploying systems in very critical places, and for that, we used a lot of proprietary software, starting with SCO Unix and telephony cards from a company called Dialogic, which was later acquired by Intel. We had another application development framework for things like credit-card information online and chat systems from a company in California. All of this was closed source, proprietary, and full of bugs that make things break. On top of that, I was in Argentina, with a bunch of different public [telephony] switches from multiple companies—Alcatel, AT&T, Siemens—probably as diverse as in the US, but signaling protocols in telephony here are different—closer to the European standards. If you put all those things together, what you get is something that doesn't work most of the time.
McGraw: So broken things got you into computer security.
Arce: Yes, broken things—having to develop and place systems based on broken things in sensitive places without support from vendors got me in computer security. I was this guy in a small company in Buenos Aires, so most vendors didn't care much about my problems. I had to solve them myself, and that usually involved reverse engineering, binary patching, or trying to hack into my systems when I couldn't get something done to be able to replace or patch things.
McGraw: These days, your company makes a business from wielding the attacker's perspective. Tell me about the shift from hacking at the binary level to taking the attacker's perspective—how did that happen?
Arce: Several of my friends were working at AFIP [Administración Federal de Ingresos Públicos], the tax agency in Argentina, on a team that was formed to evaluate and assess the security of several technologies that were proposed to the agency for deployment nationwide. These guys were successful in several international programming competitions and their work involved trying to break stuff to determine if it was robust. They were my friends, and we all shared an interest in computer security and in trying to break things to make them work better. One day, we said, hey, why don't we just work together on this rather than meeting for coffee to talk about what we're doing at home by ourselves? Why don't we get together and make a living from it?
McGraw: And that was Core.
Arce: Exactly. The first two jobs that we had as a consultancy were software development for a Canadian company that was building a vulnerability scanner. The other was a penetration test of the customs agency in Argentina. So from the start, we had the mindset of the attacker—penetration, theft, and that kind of thing—but we also got the experience of developing commercial software on a contractual base.
McGraw: Do you think that you can teach people how to think like a bad guy, or is that some sort of an innate natural phenomenon that you just have to go around and collect?
Arce: No, I think you can teach people. I don't think it's innate. It's like trying to ride a bicycle—you can learn. But it's important to exercise [or practice] that kind of thinking.
McGraw: I used to believe that we should try to teach developers the attacker's perspective so that they can understand it while they're working on their own systems and their own code. But lately I've rethought that position because of conversations I've had with Steve Lipner. He points out that, sure, somebody needs to be able to think like a bad guy, but trying to teach all developers how is crazy. Do you disagree with that? Do you think that my original perspective was better?
Arce: People in computer science, particularly in information security, tend to have a binary view of things—it's either one thing or the other. But the real world has a degree of gray, things aren't clearly one thing or the other, there's a bit of variation and diversity. What am I implying with this? That if you teach a developer to think like an attacker, it doesn't mean that the developer will become an attacker or that he will become a single-track person who will always think like an attacker. And if you teach all your developers to think like attackers, it doesn't mean that your development facility or team will always focus on how to break things instead of build them. I think that a degree of paranoia and thinking with the adversary's viewpoint is healthy. It's healthy for everybody.
McGraw: How does your home base in Argentina help or hinder your high-tech career, and how many countries have you lived in, anyway?
Arce: I've lived in Argentina, in Mexico, in Peru. I spend a lot of time in the US. I spent some time in Brazil in the past, so I kind of live in many countries, all of them on the "American" continent. I know people who have lived in many more countries than I have.
When I started doing things with computers in Argentina, technology wasn't so easy to come by—or at least it wasn't the latest and greatest in technology or computers—and it was expensive compared to the US. You needed to figure out how to make them work with, say, outdated software, outdated hardware. If things broke, you needed to figure out how to solve them or fix them by yourself. There was a lot of that, and I don't know if that helped me or actually prevented me from doing things or from having an easier career. But overall, I think it was good. It forced me to figure things out.
McGraw: Switching gears a little, long ago in 1996, Ed Felten and I were talking about malicious code on the Web and, in particular, Java-based Web-borne attacks. This persistent Web malware installed in some sort of a drive-by way seems to be on the upswing. Do you think we should be alarmed?
Arce: We aren't alarmed?
McGraw: Are we alarmed? I'm not sure.
Arce: I think people in the security industry are aware of this, and most of them are alarmed about this upswing in malware and drive-by downloads and so on.
McGraw: There's probably a little bit of what we call the "cry wolf" phenomenon, where if you say over and over again, "the end of the world is nigh, the end of the world is nigh," for 14 years, then after a while, people say, "Right, you've been saying that for 14 years, and I'm still using my computer."
Arce: It doesn't help if you're dressed in black all the time, saying that, right?
McGraw: It makes it easier to get dressed in the morning, though. So, VM wrappers on browsers could protect a client target. Do you think that'll help, or is it just postponing the inevitable?
Arce: I think it will help for a while and make things harder to exploit, but eventually the attackers will catch up or find something else that's easier to exploit, and that's when we'll need to address that new attack or that new way of getting compromised. It's a constant game. And during some phases of that game, whoever is attacking has the advantage; in other phases, the defender has the advantage. I don't think that the problems will go away magically, and I don't think that software will be written without vulnerabilities. But maybe that's a bias that I have because I come from a practitioner's world.
McGraw: Well, yeah, I mean, you know what software actually looks like. I think there's one interesting place to look where the arms race seems to be tilted in favor of the attacker—and has been for maybe a decade—and that is this fractal boundary between hardware and software, or the hardware/software interface. You've spent plenty of time looking at this stuff in terms of rootkits and BIOS attacks, so I'm wondering what's going on in that space these days.
Arce: My view is that embedded systems are becoming more of an issue because access to them is more widespread and cheaper and because the security of the code running on those systems is up to the standards of 10 years ago—if anything, between 10 and 20 years ago.
McGraw: It's a little behind in terms of defense.
Arce: It's a little behind, yes, and these things are ubiquitous. They're everywhere nowadays, so I think that's an attack vector I've seen overlooked. If you're an attacker, you need one of two things—go underneath the OS closer to the hardware or attack the application layer—and that's what we see happening.
McGraw: The Web is getting a lot of myopic interest, with people focusing so much attention on the application layer and the presentation layer that they forget that this other area of attack exists—and the attackers are not forgetting that.
Arce: No, they'll do whatever is easier and whatever they think will yield better results. Especially because of the Web, it's really about the state of the application layer in terms of security. Security is really bad, but it's also very visible. The things that are closer to the hardware are not so visible.
Arce: In fact, there's a concerted effort to hide them and abstract them, so I suspect that's one of the reasons why the hardware is being overlooked, because we are told to overlook the hardware.
McGraw: Well, it's easier to overlook, too, because it's not bright red, shiny, and in your face.
Arce: Yes, but the reason that it's not in your face is because we build our technology to hide it. You [used to] need to know how a processor worked in order to develop something. You don't need that today.
McGraw: I know that you guys [at Core] are in a current disagreement with Microsoft about the importance of a virtual PC attack [see www.informit.com/articles/article.aspx?p=1588145 for background]. Do you think that these attacks get deemphasized because they're not shining in red?
Arce: It's not just us. Some other companies—and people—have similar disagreements. The argument in this case is that one of the guys who works at Core, Nicolás Economou, found out that the hypervisor in VirtualPC maps portions of memory and makes it available to guest operating systems. Applications running in the user space on those guest operating systems have those pages available—memory pages mapped at the 2-Gbyte address or above. On any Windows operating system, you can't normally access that memory—it will generate a fault if you try. That's something common to all Windows operating systems. But the VirtualPC hypervisor invalidates that assumption, meaning a basic assumption of the operating system has been invalidated. What are the consequences of that? Well, any security hardening mechanism implemented in the OS can be bypassed, and we're talking about things that Microsoft has developed in the last 10 years, including Address Space Layout Randomization.
McGraw: So if you're counting on those mechanisms to be working, and they're not, then you have an interesting condition.
Arce: Yes. The second problem is that certain bugs that weren't considered exploitable under normal circumstances now turn out to be exploitable. For example, if you have a bug in your software where the only thing an attacker can do is write to an address above the 2-Gbyte offset, then it isn't exploitable because when the attacker tries to do that, it generates a fault and the process terminates. It's not exploitable, so patching it is not a priority. Therefore, it's not a security problem. It just so happens that we think that this is a problem, and that Microsoft, which agrees with our analysis, doesn't think that it's a problem because there's no implementation.
McGraw: Oh, I've heard that before. I remember when people used to think that trampolining attacks were theoretical and they would never happen in the wild. Turns out that was wrong!
Arce: But this is not an implementation bug. This is a design flaw, making the hypervisor rely on portions of memory being available or putting portions of memory [mapping them] above the [2-Gbyte] offset in order to make some mechanism in the hypervisor work—that's a design decision. It's not an implementation flaw, it's a design decision, but design decisions can also lead to vulnerabilities.
McGraw: You seem to be skeptical about cyber war and the attention that's being paid to this issue. I'm currently reading Richard Clarke's new book on the subject, in which he argues that in a situation where the world is so misbalanced from a kinetic weapons perspective, where the US power from a kinetic perspective is just so overwhelming that it makes sense for other nation states like the Chinese and the Russians to go virtual, it seems to me to be a sane argument. What do you think about the whole cyber war thing?
Arce: I think there may be a little fuel behind several arguments about cyber war and the potential for nation states to launch a cyber-attack. I have no doubts about that. I know that in many countries there are people who are trained and capable of doing that. But I think that the whole thing has been exaggerated.
McGraw: Too much hyperbole, but hyperbole, of course, works best with a grain of truth in the core.
Arce: Yes, and when I see this balloon growing bigger and bigger, I wonder why. Why is that happening? Why is everybody talking about cyber war and the potential for devastating attacks over the Internet when there are more concerning things than this scenario of war within a big country? And by the way, the only place where I hear so much emphasis on this topic is in the US.
McGraw: So you see this hype and it's a little alarming.
Arce: Everybody's talking about this, and there's so much hype around it, but why? I suspect that there are several spurious interests that are not just concerned with the possibility of cyber warfare but also with business.
McGraw: Making money.
Arce: Making money, yes.
McGraw: So have you spent any time in Russia or China, to see whether they're talking about cyber war within their culture?
Arce: I haven't spent any time in China. I went to Russia on vacation several years ago, but I was just on vacation. But all the news I've read about this comes from the US, not from Russia, China, or even Europe.
McGraw: Switching gears here: you recommended last year, maybe two years ago, that I read Accelerando by Charles Stross, which was absolutely awesome. At the time, my son was getting into science fiction, and I was asking you about any new, good, science fiction—any other recommendations?
Arce: I recommend Vernor Vinge's two books. Well, he's got more than two, but A Deepness in the Sky and A Fire Upon the Deep.
McGraw: I've read those, so I definitely concur with you. What's your favorite bourbon?
Arce: I like scotch better, but bourbon is fine. I know you take offense at that comment but...
McGraw: That's why I asked you what your favorite bourbon is.
Arce: My favorite bourbon is single malt bourbon from the highlands in Scotland.
McGraw: You're a bad person.
Thanks for your time, Iván. I really appreciate it.
Arce: Thanks, Gary. Thank you.
See the full podcast list at www.computer.org/security/podcasts.
Gary McGraw is Cigital's chief technology officer. He's the author of Exploiting Online Games (Addison-Wesley, 2007), Software Security: Building Security In (Addison-Wesley, 2006), Exploiting Software: How to Break Code (Addison-Wesley, 2004), and six other books. McGraw has a BA in philosophy from the University of Virginia and a dual PhD in computer science and cognitive science from Indiana University. Contact him at firstname.lastname@example.org.