rdist

May 4, 2007

Second try gets it right

Filed under: Misc — Nate Lawson @ 2:32 pm

It seems some people still miss the point about my previous post — the focus is on the misleading PR approach, not the contents of the talk or speaker’s ability. So in that vein, let’s compare the two articles, both post-talk and pre-talk (same author, same publication, two weeks apart.)

First Article Second Article
Title New class of attack targets embedded devices” “New attack puts routers, cell phones at risk”
Major tech focus JTAG (no NULL pointers) NULL pointers (no JTAG)
Impact “criminals could … steal sensitive information from mobile phones or redirect Internet traffic on routers” “Jack plans to show how his attack could be used to make changes to the firmware of a router so that it injects a malicious code into any executable files downloaded from the Internet” (i.e. this talk)

The second article gets it right. It has enough details to know the general type of attack being discussed, downplays the hype, and lacks the misleading focus on JTAG. If the first article had never been written, I wouldn’t be discussing any of this.

The important thing to note is that the same author wrote both, so the only difference had to be the information that was provided to him. It was easy for me to recognize the PR influence since previous companies I’ve worked at have done the same thing. Security researchers, please make the effort to provide accurate details when announcing your talk, despite pressure from your PR department to overhype it or withhold information necessary to even know the topic.

7 Comments

  1. Let me add my analysis of conclusions in previous post, now that enough information is available to reevaluate.

    1. Attack has been done before (bonus: no citation of prior work in the same area)

    This is still true even though the attack details now are NULL pointer instead of JTAG. As ivan mentioned, pt_chmod in 1994. Also, attacks against smart cards and win32.

    2. Researcher previously gave same talk at another conference

    Half right: the part of patching win32 binaries with custom router firmware was used previously here. Half wrong: NULL pointer exploitation not part of that previous talk.

    3. Implications of attack wildly speculative

    Yes, still not a new class of attack, my bank account is still safe.

    4. Attack uses very polished, mature tools and requires little or no custom development

    Wrong, tools were only used to find the hole. Custom code required to exploit it.

    5. Deployed systems already have defenses against the attack

    I want to say half right since unmapping page 0 is common on nearly any system with memory protection. However, I’ll have to say wrong since most embedded systems do have page 0 mapped.

    6. New researcher or new field for existing researcher

    Wrong, malicious code is his main background.

    7. Venue is a talk at a minor conference, not a peer-reviewed paper (bonus: no details given)

    75% right. CSW now not a minor conference. Right: no paper, no details were given in advance.

    8. Announcement first appears in trade press or Slashdot

    Right.

    9. Slogan or catch-phrase consistently used to advertise attack

    Cheap shot, should have thrown this out.

    So that gives me 4.25 out of 8 after throwing out the last one, about half right.

    I’m curious to hear what part Barnaby played in all this. Did he even talk to the reporter or just his PR team? Why did he refuse to give any details given that he was fine with releasing them 2 weeks later? Why does it seem no one else here is upset about the way this talk was announced? Do you really think this is how it should be done?

    Comment by Nate Lawson — May 4, 2007 @ 2:57 pm

  2. Barnaby released a paper:
    http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf

    Looks like an attack class to me.

    Comment by Anonymous — May 4, 2007 @ 5:28 pm

  3. I saw the original article and made a few heckles at it (in a chat room, yah, I’m one of those guys). I thought it was silly and probably wrong. I didn’t really stop to think who did the fud (reporter or PR team). I wasn’t “outraged” but I did think it was silly.
    Full disclosure: Guardent spun my TCP paper much in the WSJ much harder than BJ’s paper was spun by this reporter or his PR team. I kinda dug getting the WSJ mention (I still have the clipping) although it was pretty far off base.

    Comment by newsham — May 5, 2007 @ 2:20 pm

  4. newsham, if the reporter was doing the FUD (and that was possible), why did he follow up 2 weeks later with an article that was much closer to the truth? Did he see the topic “Exploiting Embedded Systems – The Sequel!” and make up the rest of the first article? Or did he talk to someone, who chose not to give any details but promise it was a new “class of attack”?

    I definitely fault the reporter for getting spun — he got no details except the JTAG tangent, decided to trust the source, and published the hype. That’s bad reporting and happens too often in the trade press.

    I’m upset though at the companies initiating this kind of thing (and to a greater extent, the researchers who go along with this since they could give details or more accurately portray an attack if they wished.) When a new “class of attack” is announced all the time, eventually it becomes like the boy who cried wolf. When there really is a new class of attack and people need to change their whole way of doing things, it gets easily dismissed and downplayed as just business as usual.

    I’ve been in the same situation as you re: Guardent but on the product side (not vulnerabilities). I stepped in and said “this is an interesting product but it doesn’t do all of what you’re claiming yet.” And when I talked with the reporter, I did my best to portray things accurately. Occasionally they got it wrong, but it was much less wrong than if I had intentionally withheld information while playing up the capabilities.

    Perhaps this is Juniper and Barnaby’s first transgression in this area. Other companies are definitely worse. But shouldn’t we be doing our best to make things better?

    Comment by Nate Lawson — May 6, 2007 @ 10:49 am

  5. anon: Sorry, it fails my “existing defenses” test. How come smart card manufacturers have been dealing with this for years in the area of glitching attacks? Just because one side of the industry (commodity embedded hardware) hasn’t learned the lessons of another (secure microcontrollers) doesn’t make it a new class of attack.

    A perfect example is timing attacks. They were first used against smart cards in a paper published by Kocher in 1995. The recommended defense was blinding. Then in 2003, Boneh showed how OpenSSL was vulnerable to remote timing attacks. The defense? Blinding. Just because network software developers thought the increased noise of their environment kept the flaw from being exploited doesn’t make it a new class of attack once the exploit was improved. Barnaby’s talk, like Boneh’s paper is a great advance of applying a known attack to a new area. But it’s not a new class of attack.

    Comment by Nate Lawson — May 6, 2007 @ 11:01 am

  6. In my experience, reporters get it wrong all the time (http://en.wikipedia.org/wiki/Hanlon’s_razor). I imagine the reporters got some minimal explanation and just plain missed the point, thought that JTAG was the attack, got a few quotes from other sources (ie. joe grand) and then wrote it up. Coulda been some PR or marketting guy hooked him up with bad info, or could be he got the right info and missed the point…

    “But shouldn’t we be doing our best to make things better?” Definitely. It’s not always easy and sometimes out of our control.

    Comment by newsham — May 6, 2007 @ 8:17 pm

  7. The thing that keeps getting me is the reporter got it basically right the second time. So either he screwed up on his own the first time and someone helped clue him in, or he was purposefully given no info but decided to write the article anyway. Sure that was a bad decision, but the source was also complicit.

    Comment by Nate Lawson — May 6, 2007 @ 8:52 pm


RSS feed for comments on this post.

Blog at WordPress.com.