Threat Estimations : Low-Level Proprietary Code

14 réponses [Dernière contribution]
PsychicEcho
Hors ligne
A rejoint: 04/05/2020

(drivers, firmware, etc..)
Whilst access to the code is denied, what estimations can be made regarding its innocuous/harmful scale?

From observing the behaviour if these pieces of closed-source code, what can we learn about their threat-level? Does confidence of the code's safety increase with time? How hidden can malware remain while it continues to behave undesirably?

RootFarmer
Hors ligne
A rejoint: 08/24/2020

i dont like proprietary code

PsychicEcho
Hors ligne
A rejoint: 04/05/2020

Me either, but it is extremely difficult for most people to completely avoid it. Thus, in the cases when it is used, it would be good to have a sense of its harmfulness.

This thread is meant to be focused on mitigation.

lutes
Hors ligne
A rejoint: 09/04/2020

I love proprietary software. Without it there would be much less to mitigate and computing would be so boring. Nobody would even be talking about free software since that would be totally redundant. We would be completely spoiled. It is when we start having limited access to a resource we used to take for granted that we realize its true value.

Proprietary software is the thorn in our computing shoe that makes us feel better once we have managed to take some bits out.

About mitigation: https://www.fsfla.org/ikiwiki/blogs/lxo/pub/who-is-afraid-of-spectre-and-meltdown.en.html

nadebula.1984
Hors ligne
A rejoint: 05/01/2018

But only if you can take some bits out. You can try to hack Intel Boot Guard or Apple T2, and see whether they can make you feel any better.

lutes
Hors ligne
A rejoint: 09/04/2020

You might have misunderstood my point. Some pain is necessary in order to get any amount of relief from it.

You cannot completely ignore efforts like ARM, RISC-V or PPC systems in your pain vs. relief assessment.

RootFarmer
Hors ligne
A rejoint: 08/24/2020

arm is bought by nvidia, expect bad things to happen

lutes
Hors ligne
A rejoint: 09/04/2020

...for the modest sum of $40 billion. That's only $5 per human being, after all. Plus collection costs.

Thanks, I had missed that.

chaosmonk

I am a member!

I am a translator!

Hors ligne
A rejoint: 07/07/2017

From a freedom standpoint, all non-free code is equally bad. From a security standpoint, you may be interested in Whonix's analysis: https://www.whonix.org/wiki/Dev/nonfree

Magic Banana

I am a member!

Hors ligne
A rejoint: 07/24/2010

Firmware has definitely been used to attack specific targets. The NSA ANT Catalog, which leaked seven years ago, include for instance IRATEMONK, which infects the disk firmware: https://archive.f-secure.com/weblog/archives/00002791.html

If you have not seen Jacob Appelbaum's talk at the CCC13: https://media.ccc.de/v/30C3_-_5713_-_en_-_saal_2_-_201312301130_-_to_protect_and_infect_part_2_-_jacob (software implants are mostly listed starting at 39:37)

Jacob Appelbaum collaborated with Spiegel, which made a series of article, including for instance https://www.spiegel.de/international/world/catalog-reveals-nsa-has-back-doors-for-numerous-devices-a-940994.html

PsychicEcho
Hors ligne
A rejoint: 04/05/2020

Following chaosmonk's link, it said that it has been confirmed that nvidia's closed-source drivers contain telemetry code. Does anybody know how this has been determined? Or how similar examples have been determined?

Is it by a process of reverse-engineering?

lutes
Hors ligne
A rejoint: 09/04/2020

One needs only to execute binary code and observe its behavior in order to know what it does. Access to the source is necessary only if you want to know how it does it, to modify it or to fully review it.

Anything that sends data through the network would usually be reasonably easy to monitor.

Magic Banana

I am a member!

Hors ligne
A rejoint: 07/24/2010

One needs only to execute binary code and observe its behavior in order to know what it does.

What it does while you are executing it. If, for instance, some code is for targeted espionage and you are not a target (or not a target while you are monitoring the execution), you will never know.

chaosmonk

I am a member!

I am a translator!

Hors ligne
A rejoint: 07/07/2017

> What it does while you are executing it.

Right, which makes it very difficult to prove a negative claim like "this software never makes unsolicited background connections under any conditions" but still quite possible to prove a positive claim like "this software does make unsocilited background connections under some conditions, because we just caught it in the act."

PsychicEcho
Hors ligne
A rejoint: 04/05/2020

Very good.

Does anybody know of any projects with the goal of establishing a depository for low-level proprietary code? Insights and estimations into the behaviour and threat-levels of these drivers could be archived and made available to the public.