Saturday, July 7, 2007

security research, rootkits and TPM

The recent highlight on security research has encouraged a lot of "security researchers" (although the term is a bit too generic...these people are actually "vulnerability researchers"). Today's software contains a lot of security bugs and these researchers find a lot of them. It is a good thing...it helps raise awareness of the problem and pushes the software vendors to fix these bugs.
The media limelight on these researchers also encourages "publicity stunts" and other "celebrity wars". Here is an example:
http://www.securityfocus.com/brief/537
http://www.matasano.com/log/895/joanna-we-can-detect-bluepill-let-us-prove-it/

I do believe that "theoretically" it is impossible to write an undetectable rootkit if the detection system is allowed access to the external world (network access is usually good enough). However, "practically" it is a contest between the rootkit engineer and the rootkit detector engineer. It is certainly possible although difficult to create a rootkit that will be very hard to detect. Similarly, it is possible but difficult to engineer a rootkit detector good enough to detect this rootkit.

Trusted Platform Module is a promising technology that might render the issue moot in the long run. However, TPM itself may have bugs in the beginning: http://www.networkworld.com/news/2007/062707-black-hat.html
I don't know why these guys withdrew...was it because they had found no exploits or were silenced by the TCG?

TPM may have some vulnerabilities in its specification and implementations of the specification will certainly have more. It is still a good technology because in a world with TPM bugs will be confined to a small area and therefore could be more easily found and fixed than in a world without TPM.

Add to Technorati Favorites
Add to Technorati Favorites
Add to Technorati Favorites

1 comment:

Bipin 3~ Upadhyay said...

If you remember Michael Lynn's case, then you can easily guess the reason :)
http://codeinmybug.wordpress.com/2007/07/05/tpm-boys-withdraw-paper-from-blackhat-usa/

BTW, nice to see more people blogging on these topics.