
March 31, 2009

Cyber warfare and déjà vu


Yesterday, I had a strong sense of déjà vu as I read the news story 'Major cyber spy network uncovered' (BBC News), which reports on a 10-month investigation by the Information Warfare Monitor (IWM) into a cyber espionage network, which they called GhostNet. This has a number of similarities with the plot of the novel 'The Edge of Madness', which I discussed in a previous blog post.

The IWM report 'Tracking GhostNet: Investigating a Cyber Espionage Network' is comprehensive to say the least, and I expect that people will find it either fascinating or terrifying, depending on their disposition. The IWM report is available to view online at the IWM website, but I found it more convenient to download the PDF version from the F-Secure mirror site to read offline.

The report contains lots of fascinating detail about the IWM investigation, but what really struck me was that the infection methods (p 39) were all based on contamination of data with executable code (web pages, PDF documents and Word documents), and relied on the application processing the data to execute that code. Once these trojans had opened a back door into a system, the attacker had access for control and further exploitation.

The underlying weakness is the principle of allowing applications to run commands and/or code that arrives from an external source.

Q. Do I trust my web browser not to run malicious code?
Well, no, I don't. I could disable all JavaScript and Flash in my web browser and restrict other behaviour as well, but that would mean that many websites would become unusable.

Q. Do I rely on the host operating system to limit their actions?
Again, no, as the host operating system that I have to use has a relatively weak file system and security architecture.

So, because I don't trust either the web browser or the host operating system on which it executes, I instead use a secure containment approach. I do this by running the web browser in a virtualized environment. This means that the web browser has only the resources it needs to operate, but runs in a restricted environment, isolated from the rest of the system, and is unable to perform privileged operations; most importantly, it cannot access or corrupt my documents.

I decided to use this approach a while ago, after learning about the secure separation kernel and virtualization approaches used in VxWorks MILS 2.0, and after reading the IWM report my actions no longer seem as paranoid to me as they did at the time...
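The containment policy described above (minimal resources, isolation from the rest of the system, no privileged operations, no access to the user's documents) can be expressed directly as a sandbox launch script. The following is an added example and is not code from the original post or from Wind River; it uses bubblewrap (bwrap) on a Linux host and assumes a merged /usr layout, an X11 display socket, and a browser binary under /usr/bin.

```shell
#!/bin/sh
# Added example, not from the original post: the containment policy for an
# untrusted web browser as a bubblewrap (bwrap) invocation. The browser gets a
# read-only view of the system directories it needs, its own PID/IPC/user
# namespaces (so no privileged operations on the host), an empty throw-away
# home in place of the real one, and read-write access to a single downloads
# directory. Assumptions: a Linux host with merged /usr, X11, and bwrap.

# The only part of the real home directory the browser may write to.
DOWNLOADS="${SANDBOX_DOWNLOADS:-$HOME/Downloads}"

# Hand the containment policy, as a bwrap argument list, to the command in $1,
# with the browser binary in $2 as the program to run inside the sandbox.
apply_policy() {
    cmd="$1"
    browser="$2"
    "$cmd" \
        --ro-bind /usr /usr \
        --ro-bind /etc /etc \
        --symlink usr/lib /lib \
        --symlink usr/lib64 /lib64 \
        --symlink usr/bin /bin \
        --proc /proc \
        --dev /dev \
        --tmpfs /tmp \
        --ro-bind /tmp/.X11-unix /tmp/.X11-unix \
        --tmpfs "$HOME" \
        --bind "$DOWNLOADS" "$HOME/Downloads" \
        --unshare-all \
        --share-net \
        --die-with-parent \
        --new-session \
        "$browser"
}

# Print the policy one argument per line so it can be audited.
print_lines() { printf '%s\n' "$@"; }
sandbox_args() { apply_policy print_lines "$1"; }

# Return 0 if the host path in $2 appears in the mount policy for browser $1.
policy_exposes() { sandbox_args "$1" | grep -qxF -- "$2"; }

# Launch the browser (default: firefox) under the policy.
run_sandboxed_browser() { apply_policy bwrap "${1:-/usr/bin/firefox}"; }

# Only launch when explicitly requested, so sourcing the file is side-effect free.
if [ "${SANDBOX_LAUNCH:-0}" = 1 ]; then
    run_sandboxed_browser "$1"
fi
```

Run `SANDBOX_LAUNCH=1 sh sandbox.sh /usr/bin/firefox` to launch, or `sandbox_args` alone to review what the browser will and will not be able to see before trusting the policy.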


Paul Parkinson

  • Paul Parkinson is a Principal Systems Architect with Wind River in the UK, working with Aerospace, Defence and Security customers across EMEA. Paul's professional interests include Information Security (InfoSec), Integrated Modular Avionics (IMA) and Intelligence Surveillance Target Acquisition Reconnaissance (ISTAR) systems.