Defending Against the Owner

24 August 2007

Traditionally, computer security has been about defending your computer against outsiders. Sometimes, though, the owner is seen as the threat, either by the manufacturer or by application or content providers. They have a much harder job.

The case that’s in the news right now is the apparent unlocking of the Apple iPhone by a New Jersey teenager. His attack involves a temporary hardware mod to the phone to confuse the boot ROM. According to his blog entry, the boot ROM checks certain memory locations. If they’re all 0xFFFFFFFF, the code assumes that new memory has been installed, and skips its usual checks. Otherwise, it insists that the code be digitally signed. That should be adequate protection, because those memory locations can’t be overwritten. The hardware mod, though, changes a bit on the address bus, making the check look at locations that can be changed.

There are claims of a software-only attack, and a forthcoming commercial unlock service. No details have been released, but the claims are not implausible, especially if they’ve found another root exploit.

There’s another recent case that has drawn much less attention but makes the same point, albeit more subtly. In this case, someone has been sued for making it easy for people to circumvent protection on downloadable coupons. Software that consumers can download from coupons.com lets them print their own coupons; however, this software limits how many coupons any one user can print. It does this by assigning "each user’s computer a unique identifier, which the company uses to track and control the consumer’s coupon-printing practices, usually limiting each user to two coupons per product. Each printed coupon has its own unique serial code."

The offending behavior, then, consisted of deleting files or registry keys. In other words, coupons.com is claiming that users are not allowed to modify a disk drive on a computer that they own, if the modification is done for improper purposes. Who owns the machine? (I note that the license agreement does not seem to prohibit circumventing their protections.)

Clearly, this protection scheme is rather easy to bypass, the company’s claims notwithstanding:

When consumers first print a coupon from our systems, the Coupon Printer is installed on their computer. It is an industry-standard browser plug-in that enables the security features required to print real coupons. Unlike cookie-based controls, removing and reinstalling the Coupon Printer does not affect its security settings. A coupon never appears on the consumer’s screen but prints directly to the printer.

(We’ll ignore for now the security implications of teaching consumers to install software offered by random web sites…) But how strong is this protection? Not very.

The obvious thing to do is to remove the offending files or registry keys. Doing that requires knowing which those files or keys are, which most consumers won’t know. On the other hand, ordinary roll-back software — common on many PCs — will do the job quite nicely. But virtualization makes it easier still.

If you run virtual machines, it’s really easy to discard changes. The virtual machine’s "disks" are typically ordinary files on the host computer. Boot a VM, print the coupons you want, exit, and restore the disk from the copy of it you make beforehand. It’s even easier with, say, VMware, which features "undoable disks": when you shut down the VM, all changes you’ve made are discarded.
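To make the design point concrete, here is a small constructed model (added here; not coupons.com’s software, and the class, method and serial-code names are all hypothetical) of the two places a per-product print limit can live. The consumer’s "disk" is a dict, so a VM snapshot and restore is just copying it out and assigning it back; a limit enforced from that disk resets with the rollback, while a ledger the issuer keeps does not.

```python
import copy
import itertools

# Constructed model (not coupons.com's code) of where a per-product print
# limit can live: on the consumer's own disk, or in a ledger the issuer keeps.
PER_PRODUCT_LIMIT = 2


class CouponIssuer:
    """server_side=False: the count is a file on the consumer's 'disk' (a dict,
    so a VM snapshot/restore is modelled by copying it out and back).
    server_side=True: the count is a ledger the issuer keeps, keyed by the
    identifier the client presents; restoring the client's disk never touches it."""
    def __init__(self, server_side, machine_id="machine-A"):
        self.server_side = server_side
        self.disk = {"machine_id": machine_id, "printed": {}}
        self.ledger = {}  # (machine_id, product) -> number issued

    def snapshot(self):
        return copy.deepcopy(self.disk)

    def restore(self, snap):
        self.disk = copy.deepcopy(snap)

    def request_coupon(self, product, serials):
        if self.server_side:
            store, key = self.ledger, (self.disk["machine_id"], product)
        else:
            store, key = self.disk["printed"], product
        if store.get(key, 0) >= PER_PRODUCT_LIMIT:
            return None  # limit reached: refuse to issue a serial code
        store[key] = store.get(key, 0) + 1
        return next(serials)


def coupons_after_rollback(server_side, product="cereal"):
    """Print past the limit, restore the pre-print disk image, print again;
    return every serial code the issuer actually handed out."""
    serials = (f"SERIAL-{n:04d}" for n in itertools.count(1))
    issuer, issued = CouponIssuer(server_side), []
    before = issuer.snapshot()
    for _ in range(2):  # two sessions, each starting from the same clean image
        for _ in range(PER_PRODUCT_LIMIT + 1):
            code = issuer.request_coupon(product, serials)
            if code:
                issued.append(code)
        issuer.restore(before)
    return issued
```

A ledger keyed only by a client-presented identifier still trusts the client to present the same one each time, so it is not a complete fix. The durable anchor the page itself mentions is the unique serial code on each printed coupon, which the redemption side can count independently of anything stored on the consumer’s machine.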

What is the lesson here? Leaving out the legal aspects — for once, I won’t dissect a statute, though I find the notion of copyrighting a coupon serial number to be dubious in the extreme — it’s really hard to defend against someone with unlimited access to the machine. Coupons.com did it rather poorly, but they were constrained to work within existing, commercial operating systems. Apple tried a lot harder, but it seems that even they failed.

Succeeding requires tamper-proof hardware. But no security professional will speak of tamper-proof devices, as opposed to tamper-resistant ones. Security is a matter of economics, and not just technology. How much will your attacker spend to defeat your security? Are you protecting something valuable enough that your enemy will resort to the three B’s: burglary, bribery or blackmail? Protecting against determined adversaries is very hard; it’s rarely wise to bet your business on it.

https://www.cs.columbia.edu/~smb/blog/2007-08/2007-08-24.html