Posts Tagged ‘Google Chrome OS’

Processor Assisted Or OS Embedded Endpoint Security?

September 14, 2011

Yesterday, September the 13th 2011, the information security arena was shaken by a couple of announcement earthquakes unleashed by two of the most important players in this market.

The first earthquake was detected in San Francisco, at the Intel Developer Forum, where McAfee announced DeepSAFE, a technology jointly developed by McAfee and Intel that makes it possible to build hardware-assisted security products with a deeper security footprint. According to McAfee, sitting beyond the operating system and close to the silicon, DeepSAFE gains an additional vantage point in the computing stack from which to better protect systems. Although initially conceived as an anti-rootkit (and 0-day) technology, McAfee promises that DeepSAFE will be the foundation for its next-gen security products, possibly landing also on the Android platform (but not on Intel’s MeeGo mobile platform).

The second earthquake was detected in Redmond, where Microsoft announced that antivirus protection will be a standard feature of its next-gen flagship OS, Windows 8: features from its Security Essentials program, currently available as a separate download for Windows users, will be added to the Windows Defender package already built into Windows, giving users out-of-the-box protection against malware, along with a firewall and parental controls, from within Windows and without requiring separate software. Another new security feature being baked into Windows 8 is protection from bootable USB drives that are infected with malware.

Although easily predictable (even if Microsoft took only 6 years to fully embed Sybari technology inside its OSes after the 2005 acquisition, rumors of a hardware-assisted security technology were the pillars of the McAfee acquisition by Intel), these announcements potentially have a huge impact on the landscape, both for consumers and, more generally, for the whole antivirus industry.

As far as the Microsoft announcement is concerned, consumers will be happy to find a free “OS-embedded” antimalware solution inside their (favourite?) desktop operating system; on the other hand, the antivirus industry will likely not be happy to have an embedded competitor to fight against (and to disable during the installation of their own products).

Similarly, just like the operating system, the processor itself is a “necessary evil” for a PC, so the other endpoint security vendors will not be happy to fight against a competitor technology which (quoting McAfee verbatim) allows “McAfee DeepSAFE technology (to) sit beyond the operating system (and close to the silicon) allowing McAfee products to have an additional vantage point in the computing stack to better protect systems.”

Of course all this turmoil in the endpoint security arena looks paradoxical when compared with Google’s assertion that its brand new ChromeOS will need no antivirus at all because of its many built-in layers of security. On the other hand, it risks becoming a turmoil for the consumer, who will soon have to face a hard question: will my next operating system need “software-embedded” antimalware, “hardware-assisted” antimalware, or no antimalware at all?

Personally I do not like the idea of a single Microsoft antivirus for every PC equipped with Windows 8 (a single vulnerability would be enough to infect millions of devices); in the same way, I believe that an operating system without antimalware protection is an unrealistic model, not compatible with the multi-layer approach of endpoint security (it is not a coincidence that ChromeOS has already fallen under the blows of an XSS vulnerability).

Similarly, I do believe that, in order to avoid (further) antitrust lawsuits, Intel will open its direct access to the processor layer to other vendors besides McAfee. As a matter of fact, in order to obtain the “go-ahead” from the European Commission, Intel promised to ensure that rival security vendors will have access to “all necessary information” to use the functionalities of Intel’s CPUs and chipsets in the same way as those functionalities are used by McAfee, the Commission said in a statement…

Otherwise the lawyers seriously risk being the sole winners of this endpoint revolution.

The Antivirus is Dead, Long Live the Antivirus!

May 18, 2011

The Google Chromebook (that is, the first Chromium OS powered device) was presented a few days ago (and is ready to reach our shelves in mid June), but only yesterday I accidentally came across an interesting article (which I had already reported in yesterday’s post) which led me to several thoughts concerning the future of endpoint security, or better, how endpoint protection technologies will adapt to a rapidly mutating landscape that is shifting from an endpoint-centric to a cloud-centric model. My personal confessions of a dangerous mind derive from Google’s assertion that: “Chromebooks have many layers of security built in so there is no anti-virus software to buy and maintain.” Moreover, the fact that data reside mainly in the cloud moves the data protection requirements towards the cloud rather than the endpoint. If this is true, many security giants focused on the endpoint (such as Intel McAfee, Symantec, Trend Micro, etc.) would seriously have to worry.

The core of Chromium OS is the Chrome web browser. Through a web interface, and most of all thanks to HTML5, Open Web Platform APIs and Google Chrome extensions, users will be able to access virtually any kind of application from the cloud.

What does this mean from a security perspective? The Security Overview document describing the security mechanisms adopted by Chromium OS is clear: the operating system has been designed from the ground up with security in mind, with security treated as an iterative process to be focused on for the life of the operating system. As a matter of fact, since the OS is browser-centric, the security design efforts have concentrated on this aspect starting from the foundation, that is, the operating system itself. Several of the weapons adopted by Chromium OS include:

  • OS hardening through process sandboxing (at OS and browser level), toolchain hardening, kernel hardening and configuration paring, and additional file system restrictions (read-only root partition, tmpfs-based /tmp, user home directories without executables, privileged executables, or device nodes);
  • Modular browser with sandboxes for media and HTML parsers;
  • Protection against phishing, XSS and other web vulnerabilities;
  • Secure autoupdate that protects itself from attacks by means of signed updates downloaded over SSL, checking of update version numbers, and verification of the integrity of each update on subsequent boot by means of the Verified Boot process.
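The file system restrictions in the first bullet (read-only root, tmpfs-based /tmp, home directories that cannot hold executables, setuid binaries or device nodes) are the kind of thing a defender wants to verify on a running system rather than take on faith. The following is an added example, my own code and not Chromium OS code: it parses /proc/mounts-style lines and reports every mount point that drifts from a policy of this shape. The two sets of mount lines are constructed, and the policy table itself is an assumption modelled on the bullet, not a copy of any Chromium OS configuration.

```python
"""Audit mount options against a Chromium OS-style filesystem policy.

Added example, not Chromium OS code.  The POLICY table is an assumption
modelled on the restrictions the post lists: read-only root, tmpfs /tmp,
and home directories mounted noexec/nosuid/nodev.
"""

# Constructed /proc/mounts-style lines.  The first set follows the policy;
# the second shows the kind of drift an auditor would want flagged.
GOOD_MOUNTS = """\
/dev/sda3 / ext4 ro,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec 0 0
/dev/sda1 /home ext4 rw,nosuid,nodev,noexec 0 0
"""

DRIFTED_MOUNTS = """\
/dev/sda3 / ext4 rw,relatime 0 0
/dev/sda4 /tmp ext4 rw,nosuid,nodev 0 0
/dev/sda1 /home ext4 rw,relatime 0 0
"""

# mountpoint -> (required filesystem type or None, required mount options)
POLICY = {
    "/": (None, {"ro"}),
    "/tmp": ("tmpfs", {"noexec", "nosuid", "nodev"}),
    "/home": (None, {"noexec", "nosuid", "nodev"}),
}


def parse_mounts(text):
    """Parse /proc/mounts-style lines into {mountpoint: (fstype, set(options))}."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line: nothing to audit
        _device, mountpoint, fstype, opts = fields[:4]
        mounts[mountpoint] = (fstype, set(opts.split(",")))
    return mounts


def audit(text, policy=POLICY):
    """Return the list of policy violations, in policy order; empty if compliant."""
    mounts = parse_mounts(text)
    findings = []
    for mountpoint, (want_type, want_opts) in policy.items():
        if mountpoint not in mounts:
            findings.append(f"{mountpoint}: not mounted")
            continue
        fstype, opts = mounts[mountpoint]
        if want_type and fstype != want_type:
            findings.append(f"{mountpoint}: fstype {fstype}, expected {want_type}")
        for opt in sorted(want_opts - opts):
            findings.append(f"{mountpoint}: missing {opt}")
    return findings


if __name__ == "__main__":
    for finding in audit(DRIFTED_MOUNTS):
        print(finding)
```

On a real host the text would come from reading /proc/mounts; the important design point is that the policy states positive requirements (options that must be present), so a mount that silently loses noexec after a reconfiguration is reported rather than passing by default.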
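The last bullet packs three separate checks into one sentence: the update is signed, its version number must not go backwards, and the installed image is verified again at the next boot. The following added example, my own code and not Chromium OS code, shows those three checks as a small acceptance policy. One substitution is deliberate and labelled in the code: Chromium OS signs updates with a public-key scheme, while this demo uses an HMAC with a constructed key so that it runs with the standard library only. The manifest layout, the function names and the constructed image bytes are all assumptions; the SSL transport is out of scope here.

```python
"""Update acceptance checks: signed manifest, no rollback, re-verify at boot.

Added example, not Chromium OS code.  The HMAC "signature" is a stand-in
for the public-key signature a real update system uses.
"""
import hashlib
import hmac
import json

# Constructed key standing in for the vendor signing key (demo only).
VENDOR_KEY = b"constructed-vendor-key-for-demo"


def parse_version(v):
    """'12.0.10' -> (12, 0, 10), so comparison is numeric rather than lexical."""
    return tuple(int(part) for part in v.split("."))


def _canonical(manifest):
    """Canonical manifest bytes, so signer and verifier hash exactly the same thing."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def make_update(version, image, key=VENDOR_KEY):
    """Build an update as the vendor would: manifest carrying the image hash, then sign it."""
    manifest = {"version": version, "sha256": hashlib.sha256(image).hexdigest()}
    signature = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "signature": signature, "image": image}


def check_integrity(package, key=VENDOR_KEY):
    """Signature over the manifest, then image hash against the signed manifest.

    Used both when the update is downloaded and again at every boot.
    """
    expected = hmac.new(key, _canonical(package["manifest"]), hashlib.sha256).hexdigest()
    # compare_digest is constant-time, so the comparison itself leaks nothing.
    if not hmac.compare_digest(expected, package["signature"]):
        return False, "signature mismatch"
    if hashlib.sha256(package["image"]).hexdigest() != package["manifest"]["sha256"]:
        return False, "image hash does not match signed manifest"
    return True, "ok"


def verify_update(package, installed_version, key=VENDOR_KEY):
    """Download-time policy: integrity plus 'version must move forward' (no rollback)."""
    ok, reason = check_integrity(package, key)
    if not ok:
        return False, reason
    if parse_version(package["manifest"]["version"]) <= parse_version(installed_version):
        return False, "rollback: version not newer than installed"
    return True, "accepted"


def verify_at_boot(installed_package, key=VENDOR_KEY):
    """Boot-time re-verification of what is actually on disk (the Verified Boot idea)."""
    return check_integrity(installed_package, key)


def demo():
    """Run the cases a practitioner wants covered; returns {case: (ok, reason)}."""
    image = b"constructed-rootfs-image-bytes"  # constructed stand-in for an OS image
    good = make_update("12.0.3", image)
    results = {
        "accept": verify_update(good, "12.0.2"),
        # A validly signed but older image is still refused: version must go forward.
        "rollback": verify_update(make_update("11.9.0", image), "12.0.2"),
        # Image bytes altered after signing: manifest verifies, hash does not.
        "altered_image": verify_update(dict(good, image=image + b"!"), "12.0.2"),
        # Manifest edited without the key: signature no longer verifies.
        "altered_manifest": verify_update(
            dict(good, manifest=dict(good["manifest"], version="99.0.0")), "12.0.2"),
        # The same integrity check catches on-disk modification at the next boot.
        "boot_ok": verify_at_boot(good),
        "boot_modified": verify_at_boot(dict(good, image=b"x" + image)),
    }
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:17s} {'PASS' if ok else 'FAIL'}  {reason}")
```

Two design choices matter here: the hash of the image lives inside the signed manifest, so the signature covers the image indirectly and the image itself can be checked cheaply again at boot; and versions are compared as integer tuples, because a string comparison would rank "12.0.9" above "12.0.10" and open a gap in the rollback rule.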

That said, is it really true that Chromium OS will be the death knell for antivirus?

Before answering this 10 million dollar question (strictly Monopoly dollars) there is a due premise that must necessarily be made: classifying an endpoint protection technology as antivirus is maybe a little bit reductive and anachronistic. The new generations of threats (the so-called blended threats or APTs) make use of several combinations of attack vectors, ranging from malicious phishing web sites to 0-day OS or application vulnerabilities. In the last two or three years this has meant that the concept of multi-layered protection has found fertile ground on the endpoints as well (as previously happened in the network with UTM/XTM technologies), since the new threats are not simple malware but complex combinations of attack vectors which need different layers of protection. A simple antivirus does not exist anymore in a corporate context; it has been replaced by a set of protection technologies combining anti-malware, personal firewall, host intrusion prevention, encryption, data leakage prevention and compliance.

With this premise in mind, there are some points for which, in my opinion, endpoint protection technologies will still be needed (at least for version 1.0):

  • Some critical voices stress the fact that Google will provide an SDK dedicated to writing native applications. Although Google has probably done everything to secure those apps with their double sandbox design, in theory it will be possible to install malicious code, or simply buggy code, an unwitting vector of vulnerabilities into the system (or into the cloud).
  • Since the OS is browser-centric, protection of the browser becomes a critical factor. The security design document states that the web browser provides protection against phishing, XSS and other web vulnerabilities, but the description is not so satisfying: “Phishing, XSS, and other web-based exploits are no more of an issue for Chromium OS systems than they are for Chromium browsers on other platforms. The only JavaScript APIs used in web applications on Chromium OS devices will be the same HTML5 and Open Web Platform APIs that are being deployed in Chromium browsers everywhere. As the browser goes, so will we”. Only one simple consideration about this point: a vulnerability in the WebKit rendering engine caused a serious security flaw in the Android and Chrome browsers (and in the Safari browser and the Apple and BlackBerry smartphone browsers as well during the last Pwn2Own 2011). Moreover, phishing has registered tremendous growth in the last months as the initial vector for perpetrating complex multi-layered attacks. I am not aware that Chrome users have been less affected than users of other browsers.
  • There is also another important point: the security overview document identifies two possible kinds of adversaries: opportunistic adversaries and dedicated adversaries. The first kind just tries to compromise an individual user’s machine and/or data; the second kind may target a user or an enterprise specifically. According to Google, version 1.0 will focus on the dangers posed by opportunistic adversaries. This means that, at least in the first version, Chromium OS will not offer countermeasures targeted at mitigating network-level attacks.

So what are the conclusions? Maybe the death knell for antivirus technologies (or, better, endpoint protection technologies) is still far off; rather, I believe more realistically that endpoint security technologies will have to be redefined (or better tailored) to fit the new scenario in which the endpoints act as web-centric gates to the cloud. Maybe antivirus will no longer be necessary, but security efforts on the endpoints will have to be directed at protecting this new role from OS and web application vulnerabilities (see authentication tokens in the clear), malicious web sites, phishing, data loss/leakage (even if Chromium OS already offers some native features in this direction) and, last but not least, compliance issues (for enterprise usage). How will this be achieved? Simple, by means of cloud-based security services…
