Liminal states

{ 12 }

Comments

1. Adam | 27-Mar-08 at 9:09 pm | Permalink

   I wish the market was more efficient. It would reveal a lot more.

2. jon | 27-Mar-08 at 9:23 pm | Permalink

   indeed — and more transparent, too, so that more of the information would be revealed to everybody. still, even with imperfections, the markets are interesting and valuable.

   a related topic that would be really cool for future pwn2own’s is to run a “prediction market” in parallel. it would be revealing both of expectations and potential gaps between expectations and reality.

3. Adam | 28-Mar-08 at 8:05 pm | Permalink

   Good point! I should have been more transparent in saying that a market in which prices are secret is highly inefficient, because buyers and sellers lack information about the value of their goods.

4. jon | 29-Mar-08 at 8:52 am | Permalink

   Wednesday evening, Tipping Point reported that all three of the laptops made it through the first day of the pwn2own context at CanSecWest: in hacker speak, no remote pre-auth 0days. Thursday was a different story, as Darren Murph reports for Engadget:

   And just think — last year you were singing Dino Dai Zovi’s praises for taking control of a MacBook Pro in nine whole hours. This year, the PWN 2 OWN hacking competition at CanSecWest was over nearly as quickly as the second day started, as famed iPhone hacker Charlie Miller showed the MacBook Air on display who its father really was. Apparently Mr. Miller visited a website which contained his exploit code, which then “allowed him to seize control of the computer, as about 20 onlookers [read: unashamed nerds] cheered him on.” Of note, contestants could only use software that came pre-loaded on the OS, so obviously it was Safari that fell victim here.

   Hah, I (and the rest of the known security universe) had that one pegged.

   Tipping Point’s Zero Day Initiave blog has more, with yet another spelling of the contest name:

   Congratulations to our first winner of the CanSecWest PWN to OWN contest! At 12:38pm local time, the team of Charlie Miller, Jake Honoroff, and Mark Daniel from Independent Security Evaluators have successfully compromised the Apple MacBook Air, winning the laptop and $10,000 from TippingPoint’s Zero Day Initiative. They were able to exploit a brand new 0day vulnerability in Apple’s Safari web browser. Coincidentally, Apple has just started to ship Safari to some Windows machines, with its iTunes update service.

   What a coincidence! Note to Apple for future reference: don’t go out of your way to annoy Mozilla fans — or people who believe that security updating services should provide security updates rather than unsolicited new applications — right before a hacking contest, especially when your browser’s so vulnerable.

   The vulnerability has been acquired by the Zero Day Initiative, and has been responsibly disclosed to Apple who is now working on the issue. Until Apple releases a patch for this issue, neither we nor the contestants will be giving out any additional information about the vulnerability.

   Discussions on Slashdot and elsewhere, expressing a general lack of surprise.

   At 5:45, the contest closed for the day with still no successful hacks to the Vista or Ubuntu laptops. On Friday, they added more targets: attackers could now exploit vulnerabilities in common applications as well as the default install. Late in the afternoon, Shane Macaulay from Security Objectives exploited an Adobe Flash vulnerability to pwn the Windows Vista laptop.

   Congratulations to Charlie, Shane … and to Ubuntu Linux, which emerged intact! More info and pics on the Tipping Point blog.

5. jon | 30-Mar-08 at 2:49 pm | Permalink

   I posted this on Facebook, and my friend Ben Smith had some interesting comments; with his permission, here are excerpts from our dialog.

   Ben:

   To me these are effective publicity stunts and little else. To analogize, to me they are like watching one of those World’s Strongest Man competitions where a Herculean-man-god lifts a 250 pound smooth stone onto a pedestal. Impressive, but not altogether very relevant or useful in the real world.

   I think something of a more relevant test would be to find a few average Joe and Jills (or dare I say Abbys 🙂 ), provide each with a OOB laptop and have them use each in a normal way for a month and see what happens. The same type of thing would be interesting for an average small to medium business IT guy.

   Me:

   While I agree that there’s an element of publicity stunt about it and that it’s important not to infer too much, I also think you’re overlooking a lot of things that are genuinely valuable. For example, last year it took somebody 12 hours to get some access [maybe root, maybe not] via a new exploit on MacOS X; if Dino could do it, so could a group of bright motivated high school or college students — and even if it might take them a little long, so what? also, the discussion of the prize this year gives a rough estimate on what a vulnerability would be worth: the prize for an 0-day remote accesss exploit is $20K, and so it probably cost less than (say) $100K on the black market. this in turn implies a lot about what intelligence services and criminal organizations can do, and so on. yes it’s only one data point, but it’s very independent of others.

   i agree that what you describe would be more relevant to more people — and again, very complementary.

   heck, i’ll even go so far as to it would be great if companies like Microsoft, Apple, Ubuntu, Red Hat — or hardware vendors — found a way to make things like this happen and published the results. it’s scarcely seems fair to me to criticize contests like Pwn2Own, which actually *are* doing something (admittedly imperfect), for the corporations’ failure to act.

   Ben:

   Does it though? We have lots of people that send us real security vulns for no compensation so to many the value is $0 and the thanks of a greatful company. On the other hand this type of thing will not surface those that hold 0-days in their back pocket where the desired price is >20K. I am not sure one could tell much about the market from these type of events more than those already embedded in the criminal hacker underground. (as I am sure we will read about 15 years from now writting by a privatized/retired NSA/DIA/FBI agent.)

   Me:

   that’s the point though. i have no access to the criminal hacker underground and current NSA/DIA/FBI agents — or corporate security experts — very justifiably won’t discuss the current reality with me. so this is one of the few signals i have. and while it’s distorted, so is everything else.

   also, just because many people are altruistic enough (or value Microsoft’s thanks enough) to do it for nothing doesn’t mean it’s right to assume that everybody will — or should.

6. jon | 30-Mar-08 at 3:11 pm | Permalink

   Controversy in the blogosphere!

   As the title implies, Thom Holwerda’s two-part CanSecWest: Countering Misinformation on OS News doesn’t see eye to eye with most of what Daniel Eran Dilger says in Mac Shot First: 10 Reasons Why CanSecWest Targets Apple. The two do agree on one thing, though; as Thom says:

   Indeed, there is little market (at his point in time) for selling exploits for the Mac, simply because the Apple user base is still too small to be of significant use to malware creators. This is no rocket science; malware creators are after easy profit, and attacking 90% of the market makes more sense than attacking 5% of the market.

   They draw different conclusions from this, though. Dan argues that because of this, Mac vulnerabilities are essentially irrelevant outside of contests like pwn2own, because nobody’s going to exploit them. Since he also disagrees with the just-published Swiss study showing that Apple patches more slowly than Microsoft, he believes that Mac exploits don’t result in “any catastrophic destruction.” This strikes me as a classic “nobody’s stolen anything yet so it doesn’t matter that the locks don’t work” argument but Dan sees it as evidence of a Microsoft-led plot with assistance from Charlie Miller and the complicit media. The commenters on this thread and his earlier CanSecWest and Swiss Federal Institute of Tech Deliver Attacks on the Reality of Mac Security are pretty skeptical too; one of them suggested easing up on the paranoia beans.

   Thom by contrast continues

   However, this does not mean that the exploit used to win the contest is of any less relevance. It is still a security hole, and it needs to be fixed. The details of the exploit have been forwarded to Apple, without making them public, allowing Apple to fix the issue. Therefore, this exploit will most likely not affect the real-world security of Mac OS X – but the theoretical security has been severely compromised, which is not something to sneeze at.

   Indeed. Thom’s essay also does a great job of analyzing the Dan’s other “top 10 reasons” and providing an excellent characterization both of the value and limitations of pwn2own.

7. jon | 30-Mar-08 at 11:01 pm | Permalink

   pwn2own has been on Google News’ front page all day. ArsTechnica has a brief update with an excellent comment thread. The Flash vulnerability was described as “in all versions”; was it exploitable on Linux? Unclear … we shall see.

   Robert MacMillan’s story for IDG got picked up a bunch of places as well, including here on the New York Times’ site.

8. jon | 31-Mar-08 at 11:13 am | Permalink

   Bruce Byfield has a detailed wrapup on Linux.com, with some great quotes from winner Charlie Miller:

   “On TV and stuff, the hackers sit down and they break into systems in seconds,” Miller says. “But in real life what happens is that they announced this contest a month ago, and me and my team of security guys made a conscious decision that we wanted to enter the contest.

   “We decided that we would try the Mac, just because it was the easiest target. We’ve sort of looked at all these guys in the past, and every time we look at the Mac, we find something. When we’ve look at the other systems, we’ve usually not been so lucky. So we figured we go with what we’ve found easiest in the past.”

   Miller points out that contestants only enter if they think they’ve got a chance, so the contest doesn’t say anything about how many people tried and failed on a given platform. [For that matter, since they only give out one prize per platform, we also don’t know how many other people would have succeeded.] And …

   Miller’s says that his motivations for entering Pwn to Own was a mixture of the challenge and the chance to help security. “I like to compete,” he says, “and I don’t get much of a chance to do so. Also, of course, we have skills that help make things more secure, and here is an opportunity for us to use those skills in a positive manner. If it hadn’t been for the competition, we wouldn’t have looked for bugs, and this bug wouldn’t have got fixed.”

   Harnessing competitiveness, indeed 🙂

9. jon | 01-May-08 at 3:32 pm | Permalink

   A detailed post by Rob Hensing on Microsoft’s Blue Hat Blog discusses Shane Macauley and Alexander Sotirov’s challenges in exploiting the Flash vulnerability on day 3:

   For some reason, throughout the day the exploit wasn’t working properly and IE was just crashing instead of running the shellcode. At the time, the working theory was that in Vista SP1 we must have marked the heap pages as non-executable or more accurately, Vista SP1 started enforcing no execution of instructions out of pages of memory that were not marked as executable via a concept known as DEP (Data Execution Prevention). However, this was not the case – IE7 on XPSP2 and Vista SP0/SP1 does not ”opt-in” to DEP (…yet, and more on that later).

   [Why’s that? Application compatibility, of course; until recently, most ActiveX plugins would crash if you tried to run them in with DEP — so IE disables it. But I digress.]

   He speculates that in the end they may have taken advantage of some differences in behavior between Javascript and the Java VM to unleash a “heap spray”* exploit.

   There’s lots of other good stuff in the article, including a description of how Mark Dowd of IBM-ISS that Robert says “blew a lot of minds with his pretty impressive work exploiting yet another Flash vulnerability”.

   Mark mentions in his paper that his exploit worked reliably on Vista because Adobe didn’t opt-in to ASLR with the core Flash binary (which on my machine is flash9f.ocx, the most recent version that contains the fix for the vulnerability discovered by Mark). It turns out that the 4-byte write that Mark uses to “get things started” is to a known memory location that never changes (even between IE and Firefox!), which is only possible because the Flash AX control always loads at the same address in memory every time. If Adobe would have opted-in to ASLR it would have made this technique MUCH less reliable.

   Hmm. There’s currently some gnashing of teeth in a thread on MiniMSFT questioning why people might switch from Flash to Microsoft’s Silverlight. With Flash is becoming such a high-profile target for exploits, Adobe might want to prioritize taking the basic steps like enabling ASLR. In the interim, Rob helpfully posts instructions for any Windows users who want to provide this extra level of protection on their own machine; Not sure whether there are equivalent workarounds on the Mac or Linux.

   * One of the cool things about security is that lots of stuff has great names.

10. Liminal states » Vegas, baby! Black Hat 2008 | 12-Aug-08 at 10:08 pm | Permalink

    […] And pwnies!!!! (Pronounced “ponie”, etymologically linked to pwn2own.) […]

11. Liminal states » Black Hat part 2: Iron Chef Black Hat (DRAFT) | 14-Aug-08 at 10:33 pm | Permalink

    […] Chef Black Hat is a great idea, tapping into the same competitiveness as Tipping Point’s pwn2own contest, and so it’s great to see it become an annual tradition. Black Hat and Fortify still […]

12. The “P” Word? — MacBook Air First To Be Compromised In Hacking Contest | 12-Sep-08 at 1:55 pm | Permalink

    […] SlashDot and Liminal states: A MacBook Air was the first laptop to fall in the CanSecWest hacking contest. The successful […]