Saturday, October 16, 2010

The amazing Stuxnet worm

Information about the Stuxnet worm has been bouncing around for a few
weeks, but more analysis has come out recently that points to how
amazing the worm is. I'll provide some choice quotes from two great summaries.

Schneier says:
... What Stuxnet looks for is a particular model of Programmable
Logic Controller (PLC) made by Siemens. These are small embedded
industrial control systems that run all sorts of automated
processes: on factory floors, in chemical plants, in oil refineries,
at pipelines--and, yes, in nuclear power plants.
In addition to the multiple vulnerabilities that it exploits, it
installs its own driver into Windows. These have to be signed, of
course, but Stuxnet used a stolen legitimate certificate.
Interestingly, the stolen certificate was revoked on July 16, and a
Stuxnet variant with a different stolen certificate was discovered
on July 17.
Stuxnet has two ways to update itself. It checks back to two control
servers, one in Malaysia and the other in Denmark, but also uses a
peer-to-peer update system: When two Stuxnet infections encounter
each other, they compare versions and make sure they both have the
most recent one.
We don't know who wrote Stuxnet. We don't know why. We don't know
what the target is, or if Stuxnet reached it. But you can see why
there is so much speculation that it was created by a government.
Stuxnet was expensive to create. Estimates are that it took 8 to 10
people six months to write.
Additionally, [4] zero-day exploits are valuable. They're hard to
find, and they can only be used once.
...maybe one of the pieces of the message is "we have so many
resources that we can burn four or five man-years of effort and four
zero-day vulnerabilities just for the fun of it." If that message
were for me, I'd be impressed.

Symantec says:
Stuxnet represents the first of many milestones in malicious code
history – it is the first to exploit four 0-day vulnerabilities,
compromise two digital certificates, and inject code into industrial
control systems and hide the code from the operator.
The real-world implications of Stuxnet are beyond any threat we have
seen in the past. Despite the exciting challenge in reverse
engineering Stuxnet and understanding its purpose, Stuxnet is the
type of threat we hope to never see again.

Friday, January 1, 2010

The Vertex Vortex: Visualizing Android's Permissions

The Android platform offers a set of security mechanisms to protect apps from one another. Since apps can communicate with each other and access each other's data, there needs to be a way to protect that data from apps that shouldn't have access to it. The "permissions" system is one way this is accomplished.
The user sees this when they download an app and it warns them that the app wants to access the Internet, or read their contacts, or dial 911 or what-have-you. That's a pretty nice feature.

Android is made up of a number of communicating components. I wanted to visualize all of the applications on the system and how they interact via permissions. Let's look at the permissions system from this global point of view. Read on, or just view the big pretty picture.

I wrote a little app that allows a user to browse through the packages and permissions on an Android device, and as part of the process, it can generate a system map (using GraphViz) of all of the apps and how they interrelate.
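As an added illustration of the kind of map described above (my own example, not the blog's app), the script below turns a constructed package inventory into a GraphViz DOT graph of packages and permissions, and queries the same data for which apps hold a given permission and which requested permissions no installed package declares. The package names and the com.example.* permission names are constructed; only the android.permission.* names are real.

```python
from collections import defaultdict

# Constructed inventory standing in for what PackageManager reports on a device:
# package -> (permissions it declares, permissions it requests). "android" is the
# framework package that defines android.permission.*; com.example.* names are made up.
PACKAGES = {
    "android": (["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                 "android.permission.CALL_PHONE"], []),
    "com.example.dialer": (["com.example.dialer.permission.PLACE_CALL"],
                           ["android.permission.CALL_PHONE", "android.permission.READ_CONTACTS"]),
    "com.example.social": ([], ["android.permission.INTERNET", "android.permission.READ_CONTACTS",
                                "com.example.dialer.permission.PLACE_CALL"]),
    "com.example.flashlight": ([], ["android.permission.INTERNET",
                                    "com.example.missing.permission.FOO"]),
}

def holders(packages):
    """Map each permission to the sorted list of packages that request it."""
    out = defaultdict(list)
    for pkg, (_, uses) in packages.items():
        for perm in uses:
            out[perm].append(pkg)
    return {perm: sorted(pkgs) for perm, pkgs in out.items()}

def undeclared(packages):
    """Permissions requested by some package but defined by none; on the map they
    appear as permission nodes with no solid incoming edge."""
    declared = {p for decl, _ in packages.values() for p in decl}
    used = {p for _, uses in packages.values() for p in uses}
    return sorted(used - declared)

def to_dot(packages):
    """Emit a GraphViz digraph: boxes are packages, ellipses are permissions,
    solid edges mean 'declares', dashed edges mean 'requests'."""
    lines = ["digraph permissions {", "  rankdir=LR;"]
    perms = {p for decl, uses in packages.values() for p in decl + uses}
    lines += [f'  "{pkg}" [shape=box];' for pkg in sorted(packages)]
    lines += [f'  "{perm}" [shape=ellipse];' for perm in sorted(perms)]
    for pkg, (decl, uses) in sorted(packages.items()):
        lines += [f'  "{pkg}" -> "{perm}";' for perm in decl]
        lines += [f'  "{perm}" -> "{pkg}" [style=dashed];' for perm in uses]
    lines.append("}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(to_dot(PACKAGES))  # pipe into: dot -Tpng -o permissions.png
```

On a real device the inventory would come from PackageManager instead of the constructed dictionary; the graph grows quickly, which is exactly the labelling problem the post mentions.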

I can run this app on the Android emulator, but when I run it on a real phone like my G1, the resulting image is very big, and I can't render an image with labels for the entire system.
Read on for the whole article and several pictures :)