Sunday, June 24, 2012

Cyber War or Cyber Peace, are your systems safe?

In May [May/15/2012] Dr. Hamadoun I. Toure', International Telecommunication Union (ITU) Secretary-General, gave a speech High Level Dialogue - The Governance of Cyberspace and Cyberpeace calling for Cyberpeace.

..."We therefore need to act - and we need to act fast - to set up new strategies to ensure cyberpeace at national, regional and international levels.

I am firmly convinced that building an international framework for cybersecurity - with key, high-level principles, such as international cooperation - is vital to ensure cybersecurity and the correct governance of cyberspace.

Governments, the private sector, international organizations and civil society are now called upon to develop the implementation of international norms and principles that will lead to a sustainable and proactive culture of cybersecurity, building on national, regional and international efforts."

Dr. Toure' is calling for cyberpeace because according to Richard Clarke, who served three presidents as counter-terrorism czar, now at Good Harbor Consulting, we have already been deeply involved in a cyberwar for several years.

You may think this is academic exercise, however you may not even have to look far to find a security problem in your own facility. Have you actually taken a close look at that Air Freshener by the file server? Perhaps it is really a Pwn Plug from Pwnie Express, or maybe The New Guy is not really addicted to texting but is using a PwnPhone for industrial espionage.

What brings me to discuss all of this is the recent discovery of the malware known as sKyWIper, Flame or Flamer. Confusion on the name exists due to finding different parts of the same attack at the same time by different organizations, and the controversy over a module named FLAME written in the Lua scripting language. Malware Attribute Enumeration and Characterization (MAEC) is meant to prevent this type of description/naming problem.

Flame (the most popular name in the press) has apparently been evading detection for years and targeting systems in the Middle East. The May 28th 2012 Virus News headline read:

Kaspersky Lab announces the discovery of a highly sophisticated malicious program that is actively being used as a cyber weapon attacking entities in several countries. The complexity and functionality of the newly discovered malicious program exceed those of all other cyber menaces known to date.

The Laboratory of Cryptography and System Security (CrySyS Lab) is publishing sKyWIper (A.K.A. Flame A.K.A. Flamer): A complex malware for targeted attacks, a live document that is being modified all the time as more is learned about this complex cyber attack. The Security List has also put together The Flame: Questions and Answers A.K.A 'the Flame FAQ prepared by Kaspersky Lab; see also Kaspersky Lab and ITU Research Reveals New Advanced Cyber Threat.

The thing I find most interesting is how Microsoft Certificate Was Used to Sign "Flame" Malware. Microsoft's official response: Unauthorized digital certificates could allow spoofing and in their blog. I always did think signing code just so I could install a driver on Windows was nothing but a money making scam, this proves it. Anyone with the wherewithal and the incentive can break anything. Such as compromising Windows Update, Flame malware hijacks Windows Update to spread from PC to PC with a MD5 collision attack.

Marc Stevens from the Centrum Wiskunde & Informatica (CWI) in Amsterdam, known for 'breaking' the MD5 hash function for https security in 2008, analyzed the recent Flame virus: Attacks on Hash Functions and Applications, Marc Stevens. PhD thesis. 19 June 2012, and cryptanalyst discovers new cryptographic attack variant in Flame spy malware.

One almost humorous comment, if it was not for the seriousness of the issue, on Slash Dot:

"It seems the authors of Stuxnet/Duqu/Flame used the LZO library [LZO is a portable loss-less data compression library written in ANSI C.], which is under GNU General Public License (GPL). And so, someone has asked the U.S. government to release the code under the GPL. (Other code uses various permissive licenses. As works of the U.S. federal government, the rest is of course public domain. [I'm not sure that applies to Israeli's claim of involvement?] Perhaps the author could enlist the SFLC to send a copyright notice to the U.S. government...

Under the GPL, only people that the executable was distributed to are allowed to request the code - and since it's a weapon, the US government isn't alliowed to send it to Iran." [Due to International Traffic in Arms Regulations 2011 or the updated Consolidated version with admendments, that is not actually considred "official".]

As an aside, in that past I was involved with a 68000 based system that was destined for a coal mine in China. We had to jump through many State Department/ITAR hoops to get our 68000 approved, as not being to powerful to ship to China at that time. When the mine complained that it did not arrive on time, someone dug into why. We were told, with no way to verify, they found that a Cray Supercomputer fell of the delivery truck and it was taking them a while longer to ship stuff to the mine, so it would not fall off again. Thinking of that incident makes me want to get a XMOS XK-XMP-64 HypberCube Development Board, has more power today than the Cray then...sorry to must get back on topic... Did the assumed government organizations invovled get State Department approval to export this technology to ITAR band countries?

Flame also uses the scripting language Lua. Lua can very easily interfaced with C code. I've used it in embedded systems to handle user interface issues. On the coal mining machine I mentioned earlier it was common for motors and their transducers to be changed in the field. So I set up Lua scripts that the end user could easily edit to put in the proper scaling factors. Many parts of Flame have high order logic written in Lua - with effective attack subroutines and libraries compiled from C++.

Even tho Flame authors order infected computers to remove all traces of the malware, this is probably the beaning of the story rather than the end.

If you have limited time, yet want to keep up on the field then sign up for Bruce Schneier Crypto-Gram Newsletter.

Some organizations have taken to using "active defense" or "strike-back" technology, to turn the tables on their attackers. Does this only end when it has escalated to the annihilation of Mankind? Perhaps you'll want to join the debate on Should There Be an International Treaty on Cyberwarfare?

New publications that are starting to come out of academia and the military and moving into the real world. A good place to get a summary of the security issues we should all be dealing with are the Pocket Guides published by the Department of Homeland Security (DHS) Cyber Security Division Software Assurance Section:

Additional information and resources in software assurance and cybersecurity are available:

Build Security In (BSI) is a collaborative effort that provides practices, tools, guidelines, rules, principles, and other resources that software developers, architects, and security practitioners can use to build security into our products.

Then there are several other organizations such as SAE International, that covers automotive standards getting involved in securing systems. SAE has recently put together the Vehicle Electrical System Security Committee. Does anyone really expect our vehicles to not be attacked at some point? Who's Minding Your Data? The Department of Transportation already thinks it is going to happen: An Introduction to Cyber Security Issues for Transportation.

There is also the SESAMO project that started last month [May/2012] with the goal of integrating security and safety assessment together into methods and tools for model-driven development of embedded systems. SESAMO is one of the many projects of ARTEMIS Industry Association, which is a collaboration of European Government and private industry covering Embedded Systems directly. For example Fostering analysis on industrial embedded systems development process and CHESS: Four pilars for building time-predictable and dependable systems are recent topics of their May 2012 magazine issue.

The March/April 2012 of CrossTalk covered Securing a Mobile World which you can view as Digital Flip Book version (a technique that never fits on any screen I've ever used, forcing millennia-old paper portrait format on to modern landscape screens is never going to work correctly) or download the PDF. As well as Creating Attack-Aware Software Applications with Real-Time Defenses in Vol. 24, No. 5, Sep/Oct 2011 by Coates, Michael, Groves, Dennis, Melton, John, Watson, Colin.

CrossTalk is the Journal of Defense Software Engineering approved by the U.S. Department of Defense. It discusses engineering development of software in order to improve the reliability, sustainability, and responsiveness of the U.S.'s warfighting capability, via new software engineering technologies, and occasionally covers policy decisions.

You may be interested in the SwA Forums, on reliability, security, and the supply chain are their major focus areas.

"In a world where we had made security a must-have in the infrastructure we build on, rather than in the code we develop, think of how much more amazing code could have been written. Instead, we spend endless time in code reviews, following best practices, and otherwise cleaning up after our security-challenged operating systems, languages and platform." -- James Turner.

Now what can we do to prevent our own designs from becoming those kinds of news headlines? For starters many (Most?) organizations need to get out of their comfort zone with dangerous languages like C and look more at languages such as ADA, or even modern C++ with smart pointers if ADA is to big of a leap for Embedded System developers; See also Ada-95: A guide for C and C++ programmers by Simon Johnston.

Some pointers to practical to apply techniques to develop better code, from the SANS InfoSec Reading Room on Secure Code, of which these are Must Read:

  • Securely Programming in C by Sayed Jamil Ahmed. This paper will discuss the main issues in secure programming in the C programming language in a UNIX environment (Buffer Overflows, Format Strings and Race Conditions), topics such as overflows are relevant in Windows, and Embedded Systems too.
  • The Intrinsic Hole In Information Security by Douglas Gaer. The lack of type safety in the C program crates a massive hole in information security.
  • Defeating Overflow Attacks by Jason Deckard. Buffer overflows are the most common of all software bugs, even after decades of being told this. Buffer overflow attacks are detectable and preventable. This paper describes what a buffer overflow attack is and how to protect applications from such an attack.
  • Inside the Buffer Overflow Attack:Mechanism, Method, & Prevention by Mark E. Donaldson. The objective of this study is to take one inside the buffer overflow attack and bridge the gap between the "descriptive account" and the "technically intensive account".

Related items from other sources:

Consider taking the class on Secure Coding in C & C++, to learn of the most common attacks on systems of all types, Embedded included:

  • Buffer Overflows
  • Fundamentals of Shellcode Creation
  • Proof of Concept Exploit Demonstration
  • Null Terminated Byte Strings
  • Standard Library function behavior
  • Integers
  • Integer Overflows & Underflows
  • Integer Promotions
  • Sign Errors
  • Off by One errors

The Software Engineering Institute of Carnegie Mellon has a large section on Secure Coding and Secure Coding Standards.

To close out this our paper here today, Test Driven Development with the help of some basic frame works is something you can start applying today to your systems.

Google C++ Testing Framework. Google's framework for writing C++ tests on a variety of platforms (Linux, Mac OS X, Windows, Cygwin, Windows CE, and Symbian). Based on the xUnit architecture. Supports automatic test discovery, a rich set of assertions, user-defined assertions, death tests, fatal and non-fatal failures, value- and type-parameterized tests, various options for running the tests, and XML test report generation.

CUnit: A Unit Testing Framework for C is built as a static library which is linked with your testing code. It uses a simple framework for building test structures, and provides a set of assertions for testing common data types. In addition, several different interfaces are provided for running tests and reporting results.

CppUnit 2 is a C++ test framework primarily targeted at unit testing, but with high level features that makes it attractiveness for small functional testing. Collection oriented assertions, rich customization, better test organization with test meta data, dependencies, parallelization, time-out...

CppUTest is used extensively in the book Test Driven Development for Embedded C (Pragmatic Programmers) by James Grenning, whom was a signer of the Agile Manfesto.

Bernard Cole, editor at, summarizes several other security techniques in The growing challenge of securing embedded systems.

In the end there are no shortcuts to security and safety. It takes time, money, and proper requirements to build a system that is secure. It also takes a management team with the commitment to make quality products and the vision to look beyond the next quarters proffits.