{"id":58,"date":"2012-01-10T06:35:02","date_gmt":"2012-01-10T06:35:02","guid":{"rendered":"https:\/\/trouble.org\/wp\/?p=58"},"modified":"2012-02-22T23:21:47","modified_gmt":"2012-02-22T23:21:47","slug":"security-in-bullet-time","status":"publish","type":"post","link":"https:\/\/trouble.org\/?p=58","title":{"rendered":"Security in Bullet Time"},"content":{"rendered":"<div>\n<p>I&#8217;ve been thinking of virtual systems and probing and prodding the same. Virtualizing is sort of sticking something in amber, but instead of being a dead or frozen system it&#8217;s a place you can run anything you want for as long as you want, it&#8217;s alive; and it can be exactly like a target you want to hit, analyze, tear apart.<\/p>\n<p>To me in the virtual flytrap world things get interesting because the baseline assumptions one makes are considerably different when calculating things in the real world. For instance there are a few items that are inherently large parts of any scanner\/audit\/probe tool (although Metasploit and some other attack tools are a bit different, I still think it holds true.) A great deal of time, effort, and complexity are spent on such things as:<\/p>\n<ul>\n<li>Targeting. Simply getting the machinery to do the right thing at what you want.<\/li>\n<li>Identity. Is that the same thing you scanned last time? Also &#8211; don&#8217;t scan the same things twice in one run, etcetera<\/li>\n<li>Time. You&#8217;ve only so many hours in a day to scan something. This is particularly true en masse.<\/li>\n<li>Intensity. If you hit something too hard and it breaks, that&#8217;s usually bad.<\/li>\n<\/ul>\n<p>There are others, I&#8217;m sure, but I can assure you if those issues went away attacking would be a lot easier! However&#8230; Why do we scan things? \u00a0\u00a0Well, generally to see if there are weaknesses that can be compromised. 
The usual logic goes that no matter how good the attacker is they only have a certain amount of time to break something because eventually things will change. And for a while I was thinking the same thing&#8230;.<\/p>\n<p>But actually&#8230; Time isn&#8217;t really time if you can toss things into a virtual jail. As a matter of fact, things get kind of strange in there&#8230; makes me think of black holes and time. What if an attacker had until the end of time to break in? You&#8217;d think they&#8217;d eventually get in.<\/p>\n<p>Because if you can virtualize something you almost have eternity to test it, and throw attacks that in the real world simply aren&#8217;t feasible because of the resources it takes to break it. This is because of the magic of parallelization, but also &#8211; well, that system isn&#8217;t going anywhere. You can test things for a year or more, on many copies&#8230; no one outside will ever know.<\/p>\n<p>Now you might say well, well, we don&#8217;t clone people (yet!), sure, but you will be able to create something like expert systems or codify the approach that a skilled attacker would take. It doesn&#8217;t matter if it&#8217;s inefficient, because you have all the time in the world.<\/p>\n<p>This is very different from the past, because while you could duplicate methods you couldn&#8217;t duplicate the live target (well obviously you could have in theory, we&#8217;re all just Turing machines) &#8211; and who cares if you exploit a system long after it&#8217;s changed in the meantime?<\/p>\n<p>Attack tools have the notion of time moving forward (not a bad assumption, admittedly) baked into them now. This will change.<\/p>\n<p>Forensics and system analytics will change as well, not to mention performance analysis and metrics. 
The ability to endlessly play with systems under varying conditions, or under exactly the same conditions, is something that&#8217;s really striking.<\/p>\n<\/div>\n<p>I suspect there is a class of probes, analytics, attacks, etc. that haven&#8217;t been really considered because they just take too long &#8211; but who cares if you run tests for some months on a system to try and break something&#8230; Or the equivalent of 100 or 10,000 years of testing that&#8217;s been split up over a bunch of machines that all are identical? What could you do to a machine if you had a thousand years to break it, or break in?<\/p>\n<p>You can do more than brute-force something. You can run any attacks you want for essentially infinite amounts of time. You can also have parallel people attacking the system as well, so that an entire community or squadron of people are all at the same time hitting something. You can run essentially infinite attack scenarios. What could you do in a thousand years of attacking something? 
The flow of time changing is what I&#8217;m talking about.<\/p>\n<figure id=\"attachment_59\" aria-describedby=\"caption-attachment-59\" style=\"width: 300px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/trouble.org\/wp-content\/uploads\/2012\/01\/trinity.jpeg\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-59\" title=\"trinity\" src=\"https:\/\/trouble.org\/wp-content\/uploads\/2012\/01\/trinity-300x149.jpg\" alt=\"\" width=\"300\" height=\"149\" srcset=\"https:\/\/trouble.org\/wp-content\/uploads\/2012\/01\/trinity-300x149.jpg 300w, https:\/\/trouble.org\/wp-content\/uploads\/2012\/01\/trinity.jpeg 699w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/a><figcaption id=\"caption-attachment-59\" class=\"wp-caption-text\">Dodge This!<\/figcaption><\/figure>\n<p>Fuzzing certainly comes to mind as a simple if dull example that people are working on (with no disrespect to the fuzzy folks ;)) Sane folks generally never run fuzzing tools because it takes so long to run them (not to mention they probably rarely have truly actionable output, but I wouldn&#8217;t know, having never run one.) But perhaps if you run one long enough you might actually come up with useful data.<\/p>\n<p>Some of the other attributes are also interesting&#8230; like intensity &#8211; how hard do you hit? The usual thing people do is when something goes down you stop testing it ;) Or, as the old joke goes &#8220;doctor, I broke my leg in two places&#8230;&#8221; &#8220;Well then stop going to those two places!&#8221; Of course you can hit virtual punching bags harder than real systems, you can just reboot them. But rather than stopping, you can mark what breaks things and continue to catalogue all the break points. 
It&#8217;s not often done in the real world, whatever that is.<\/p>\n<p>As an added bonus, all those tools that run on Windows that you&#8217;ve always wanted to run (or vice-versa, the Linux ones, or w\/e) &#8211; sure, some tools only run on Windows, some on Linux, some on Macs, etc. Rather than a single platform to attack from, have an armada. It&#8217;s only memory, CPU time, and your imagination&#8230;.<\/p>\n<p>I suspect that the next rev of things is going to get more and more interesting. We shall see. Of course there&#8217;s probably already a distro that does all this ;) But don&#8217;t let people get to your backups or get an image of your system ;)<\/p>\n<p>Happy happy new year.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve been thinking of virtual systems and probing and prodding the same. Virtualizing is sort of sticking something in amber, but instead of being a dead or frozen system it&#8217;s a place you can run anything you want for as long as you want, it&#8217;s alive; and it can be exactly like a target you 
[&hellip;]<\/p>\n","protected":false},"author":44,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,4],"tags":[51,52,48,50,49],"class_list":["post-58","post","type-post","status-publish","format-standard","hentry","category-philosophy","category-security","tag-black-holes","tag-change","tag-matrix","tag-time-distortion","tag-virtual-systems"],"_links":{"self":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/58","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/users\/44"}],"replies":[{"embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=58"}],"version-history":[{"count":14,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/58\/revisions"}],"predecessor-version":[{"id":61,"href":"https:\/\/trouble.org\/index.php?rest_route=\/wp\/v2\/posts\/58\/revisions\/61"}],"wp:attachment":[{"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=58"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=58"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trouble.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=58"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}