2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Give a man a fish and you feed him for a day. Teach him how to fish and you feed him for a lifetime
-- Symantec solution to CPU vulnerabilities
Preface
On January 4th, foreign security research institutions announced two groups of CPU vulnerabilities. Because the vulnerabilities are serious and their impact is wide, they have attracted global attention and become the first information security focus of 2018. Starting from the background and principle of the vulnerabilities, this article presents Symantec's solutions for them, hoping to help readers not only understand the two vulnerabilities but also understand Symantec's solutions from the perspective of the two most classic information security protection technologies, the blacklist and the whitelist, so as to prevent similar threats from recurring.
2. The background and principle of the vulnerabilities
Meltdown, corresponding to vulnerability CVE-2017-5754.
Spectre, corresponding to vulnerabilities CVE-2017-5753 and CVE-2017-5715.
Using the Meltdown vulnerability, a low-privilege user can read the contents of kernel memory and obtain low-level information about the local operating system.
When a user visits, through a browser, a website that contains malicious Spectre exploit code, the user's personal information, such as account numbers, passwords and mailboxes, may be leaked. In cloud service scenarios, Spectre can be used to break through the isolation between tenants and steal other tenants' data.
Meltdown affects almost all Intel CPUs and some ARM CPUs, while Spectre affects all Intel and AMD CPUs as well as mainstream ARM CPUs. Everything from personal computers, servers and cloud servers to smartphones is affected by these two groups of hardware vulnerabilities. The impact in cloud environments is the most prominent: the vulnerability can let a user in VM1 access VM2's data, but not the host's in-memory data.
These vulnerabilities take advantage of an implementation defect in the chip's hardware-level execution acceleration mechanism to carry out a side-channel attack, which can indirectly read system memory data through the CPU cache. In the process, Intel CPUs do not properly prevent low-privilege applications from accessing kernel memory, which means that a malicious application can be used to obtain private data that should be isolated.
If this flaw were to be fully remedied at the CPU level, CPU performance would return to the level it was at before 2000.
These vulnerabilities mainly rely on the two pipeline designs of "branch prediction" and "out-of-order execution" that CPUs use to accelerate execution. Let's start with a brief description of these two mechanisms:
2.1. Branch prediction
Branch prediction: since the P5, an advanced data processing method that solves the pipeline stalls caused by processing branch instructions (if-then-else). The CPU judges the direction a program branch will take, which speeds up execution. It is a CPU optimization technique in which the CPU performs work that may be needed in the future. When a branch instruction is issued, a processor without this optimization does nothing until it receives the correct result. A newer processor with this optimization can instead predict which instructions will be executed and prepare the data some of them need in advance, for example by loading the memory the next instruction will access into the CPU cache ahead of time, which avoids a memory read when that instruction is actually executed and so speeds up the CPU.
The flow chart is as follows:
1. The CPU executes process 1, transferring its data from memory to the cache.
2. The data of process 1 goes from the cache to the registers.
3. The arithmetic unit performs the operation.
4. In a design based on branch prediction, although processes 2 and 3 cannot be executed yet, the controller loads the data of processes 2 and 3 into the cache in order to speed up pipeline processing.
5. The result of process 1 turns out to be "YES", so process 2 is loaded into the registers and executed.
6. According to that result, process 3 will not be executed, but its data has already been loaded into the cache and the CPU does not clear it, so memory has been loaded into the cache without any permission check.
2.2. Out of order execution
Out-of-order execution: a technique in which the CPU allows multiple instructions to be sent separately to the corresponding circuit units for processing, not in the order specified by the program. Depending on the state of each circuit unit and on whether each instruction can be executed early, the instructions that can be executed early are sent to the corresponding circuit immediately.
To speed up CPU processing, the execution flow can be designed so that it does not follow the program's first-in-first-out order. Depending on the state of each circuit unit and on whether each instruction can be executed early, the instructions that can be executed early are immediately sent to the corresponding circuit unit for execution. During this period, instructions are not executed in the prescribed order; afterwards, the results of each execution unit are rearranged back into instruction order by the reorder unit. The purpose of out-of-order execution is to keep the CPU's internal circuits fully loaded and thereby improve the running speed of programs.
An analogy helps to understand vividly how the vulnerabilities leak information:
1. KFC sells French fries, chicken nuggets, hamburgers and colas.
2. A goes to KFC, orders a hamburger, eats it and leaves.
3. B comes in after A and says to the ordering waiter, "I'll have the same as A."
4. The waiter says, "I'm sorry, there is another customer in front of you, please wait a minute." But the cook overheard and already made a hamburger.
5. When it is B's turn to order, the waiter says: "You can't do that, that would be an invasion of another customer's privacy!"
6. C lines up after B and says to the waiter, "I'll order French fries, chicken nuggets, a hamburger and a cola. I'm starving, give me whichever is ready first!"
7. C gets the hamburger first, because it was already made.
8. C now knows: A bought a hamburger at KFC today!
Schematic diagram of CPU vulnerability
For newer processors with speculative execution, in the actual CPU execution flow the memory-loading step required by subsequent instructions does not depend on whether the preceding instructions can complete normally, and the memory-to-cache loading step does not verify whether the accessed memory is legal and valid. Even if instruction 3 raises an exception and instruction 4 therefore cannot execute, the memory data required by instruction 4 has already been loaded into the CPU cache, even though instruction 4 loads memory that the program has no permission to access. Because the CPU only checks whether the address is legal when data moves from the cache to a register, and branch prediction only completes the loading from memory to the CPU cache, instruction 4 is never actually executed, so its illegal access does not trigger an exception.
Exploiting the CPU vulnerabilities first requires a virus on the target machine, or the execution of malicious JavaScript code through the browser. Whether on the server side or the endpoint side, the protection solution must therefore start from the perspective of untrusted program management or malicious code protection.
3. Symantec's security whitelist technology solution: DCS/SA
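The following toy model, added here as an illustration and not code from the article, simulates in pure Python the flow just described: instruction 3 is a permission check that faults for user-mode access to a kernel address, and instruction 4 is a load the core issues before instruction 3 resolves. The address layout is constructed, and the "hardened" variant simply models the missing check the text points at (verifying permission before the memory-to-cache fill), not any specific vendor mitigation.

```python
"""Toy model of speculative execution vs. cache state (added example).

This is a simulation, not real CPU behaviour: the "cache" is a set of line
addresses, and "is_cached" stands in for what a cache-timing probe would see.
"""
from dataclasses import dataclass, field

KERNEL_BASE = 0x8000  # constructed layout: addresses >= this are kernel-only


@dataclass
class ToyCpu:
    cache: set = field(default_factory=set)     # resident line addresses
    registers: dict = field(default_factory=dict)
    # Hardened variant: check permission before the memory-to-cache fill,
    # i.e. the verification the vulnerable flow in the article skips.
    check_before_fill: bool = False

    def permitted(self, addr: int, privileged: bool) -> bool:
        return privileged or addr < KERNEL_BASE

    def speculative_fill(self, addr: int, privileged: bool) -> None:
        """Instruction 4's memory access, issued ahead of instruction 3."""
        if self.check_before_fill and not self.permitted(addr, privileged):
            return              # hardened: no fill for an illegal address
        self.cache.add(addr)    # vulnerable: fill regardless of permission

    def execute(self, addr: int, privileged: bool = False) -> str:
        """Run instructions 3 and 4 for `addr` and report the outcome."""
        self.speculative_fill(addr, privileged)     # out of order: 4 first
        if not self.permitted(addr, privileged):    # instruction 3 retires
            # Fault: instruction 4's architectural result is squashed, so no
            # register changes, but the cache line it pulled in may remain.
            return "fault"
        self.registers["r1"] = addr                 # instruction 4 retires
        return "ok"

    def is_cached(self, addr: int) -> bool:
        """What a cache-timing probe on this line would observe."""
        return addr in self.cache


def leak_demo(check_before_fill: bool) -> dict:
    """What an unprivileged program can observe after touching kernel memory."""
    cpu = ToyCpu(check_before_fill=check_before_fill)
    secret_addr = KERNEL_BASE + 0x100                # constructed address
    status = cpu.execute(secret_addr)                 # user mode
    return {
        "status": status,
        "register_changed": "r1" in cpu.registers,
        "kernel_line_cached": cpu.is_cached(secret_addr),
    }


if __name__ == "__main__":
    print("vulnerable:", leak_demo(False))
    print("hardened:  ", leak_demo(True))
```

In the vulnerable variant the fault is raised and no register changes, yet the kernel line is resident in the cache; in the hardened variant the same fault occurs and the line is not resident.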
3.1. For virtualized environments
Data Center Security (DCS) is a new-generation security solution provided by Symantec for data center security. Users can address security threats in both virtualized and physical environments through DCS. The DCS architecture is shown in the following figure:
DCS delivers host malicious code protection services through an SVA (Security Virtual Appliance) in virtualized environments, and provides infrastructure protection in vSphere environments, including vCenter platform hardening and ESXi host monitoring services.
Agentless malicious code protection capability
DCS security solutions provide malicious code protection for the SDDC (software-defined data center). DCS integrates with VMware vSphere and VMware NSX to provide customers with protection against viruses and malicious code without security agents. The delivery of malicious code protection services and capabilities follows changes in virtual resource groups, so business uptime is no longer affected by complex security measures and policy configuration. Symantec DCS provides industry-leading malicious code protection technology that can be delivered to all systems as a basic security service in software-defined data centers and seamlessly protects hosts in all data centers as a never-offline security service.
3.2. For physical servers and IaaS environments
Before introducing the principle of DCS:SA defense, let's briefly review the architecture of the operating system.
Architecture diagram of the operating system
In the architecture of an operating system, the kernel is responsible for managing and abstracting all hardware devices, and system libraries provide APIs for applications. In general, the flow of a program is as follows. When an application makes an execution request, the CPU issues an interrupt and a kernel process allocates memory space; disk DMA then transfers the program's data into the allocated memory space. At the same time, the physical memory address is translated into a logical address so the data can be moved into the cache and registers, and the next step is computed by the arithmetic unit. After the result is obtained, the memory page is translated back into a physical address and written to memory, and from there written back to the hard disk, the network stack, peripherals and so on.
The DCS:SA defense system is as follows
Its characteristic is that it provides host security hardening based on a local agent (Advanced Agent) for hosts with high security requirements (whether virtual or physical), and distinguishes virtual hosts of different importance.
Security hardening and active defense capability based on a host agent
The protection capability DCS provides on agent-based systems is system security lockdown, which is based on an agent deployed in the operating system and is recommended for key business virtual or physical servers, where it provides proactive security protection. DCS protection is based on a whitelist mechanism, unlike antivirus and other blacklist mechanisms, and is better suited to server environments with relatively single functions and few maintenance changes. DCS can effectively resist zero-day vulnerabilities and reduce the cost of patch management.
DCS protects the system with agent-based sandbox technology. An application needs only limited resources to do its work, but most programs have access to resources far beyond their own requirements, and attackers often use this gap to compromise the system step by step. As shown in the following figure, access by users, programs, parameters, behaviors and resources is allowed only if there is a "path" from left to right. This is equivalent to confining every permitted behavior of the system to a sandbox; resources or behaviors beyond the sandbox are explicitly prohibited. There is no need to enumerate all malicious acts; only explicitly allowed behavior is needed to ensure safe and stable operation of the system. DCS ships with a large number of sandboxes, and users only need to select the sandboxes they need to complete the policy configuration.
A server running core or dedicated business has a single operational task and requires long-term, stable and uninterrupted operation of that business. Traditional technologies based on signature database updates, patching and so on can no longer meet customers' business needs.
Unknown threats are constantly changing, and protection based on signature databases cannot effectively defend against 0-day threats. But on these single-purpose business servers, we know exactly which business is running, and this is what whitelist technology builds on.
Each allowed program in the system is put into a sandbox; only the specified application is allowed to access the specified system resources, and any other access is defined as illegal.
In real environments it is often found that an application has a vulnerability but cannot be patched or updated because of availability requirements, or because the application can only run under this version. DCS can then provide a protection policy based on the custom application that restricts the application's resource rights to a minimum. This costs less and carries less risk than patching, because a DCS policy can be rolled back, whereas a failed patch installation generally cannot be rolled back. This is critical to the availability of the system.
Symantec DCS provides an on-demand data center security suite that delivers security service integration and infrastructure protection in a VMware SDDC environment. This is only part of Symantec's security integration for data centers. Symantec will continue to provide more types of security services to help users build flexible and intelligent software-defined data centers for rapid application delivery.
System architecture diagram under the protection of DCS:SA
After installing DCS:SA, a layer of protection is added to the kernel. Whenever a whitelisted user-mode process initiates a memory request or access, a file read or write, peripheral access, user privilege elevation or change, or any other such operation, the operation passes through the DCS:SA HIPS sandbox for control and restriction, and through the HIDS for auditing, before the CPU switches to the kernel process. This fundamentally protects the security of the system.
Compare this with the general program flow described above. When a user-mode program makes an execution request, the CPU issues an interrupt and the kernel process allocates memory space (at this point DCS:SA determines, according to the application whitelist, whether the program is allowed to run at all). Disk DMA then moves the program's data into the allocated memory space (DCS:SA checks whether the program's directory and data have read and write permission). At the same time, the physical memory address is translated into a logical address so the data can be moved into the cache and registers, and the next step is computed by the arithmetic unit (DCS:SA restricts the process to run with minimum permissions in its sandbox). After the result is obtained, the memory page is translated into a physical address and written to memory (if there are dangers such as memory overflow or leakage, DCS:SA protects each program's memory space from illegal access), and the kernel process writes back to the hard disk, the network stack, peripherals and so on (DCS:SA determines whether the corresponding directory, file or device has write permission, to prevent tampering with protected content). The loading, operation and write-back of the whole program are carried out under the strict constraints, monitoring and protection of DCS:SA, and even if a zero-day exists it cannot be exploited, because the program does not have the permission to do so.
Back to the scenario of the CPU vulnerabilities: the prerequisite for an attack is that a virus first enters the host and then makes use of the vulnerability. This splits into the following two possibilities for analysis:
a. An untrusted program
A virus is also a program. Suppose a virus that exploits the CPU vulnerabilities has escaped the protection of antivirus software; if it wants to run on a DCS:SA-protected server, it must first be able to be loaded into memory. DCS:SA allows only trusted programs to run, in the form of a whitelist. Obviously, if the virus is not on this list, it will not run at all.
b. A trusted program
If a trusted program is infected by the virus, the memory data for instructions that are never actually executed remains in the cache, following the principles of "branch prediction" and "out-of-order execution", creating the possibility of it being maliciously stolen. However, DCS:SA strictly controls the memory space that each program can access and grants minimum permissions, so even if there are similar memory leaks and overflows, it does not allow other processes to access memory beyond their scope.
Based on the above analysis, DCS:SA's protection concept based on processes and methods is born with a zero-day protection gene: it does not require administrators to update signatures frequently, and so achieves the goal of protecting once and for all.
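The following toy policy engine is an added illustration of the "path" model described above and of the two cases just analyzed; it is not Symantec code and does not use the DCS:SA policy format. An operation is allowed only if a rule connects user, program, behavior and resource; a program named in no rule is untrusted and may not execute at all, and a trusted program is confined to the resources its rules name. The rules and events are constructed sample data.

```python
"""Toy whitelist sandbox in the style the article describes (added example)."""
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    user: str
    program: str
    behavior: str   # "execute", "read", "write", "mem_read", ...
    resource: str   # fnmatch pattern over the resource name


@dataclass(frozen=True)
class Event:
    user: str
    program: str
    behavior: str
    resource: str


class WhitelistSandbox:
    """Default deny: only an explicit user->program->behavior->resource path allows."""

    def __init__(self, rules: Iterable[Rule]) -> None:
        self.rules = list(rules)
        self.audit: List[Tuple[str, Event]] = []

    def is_trusted(self, program: str) -> bool:
        # Case (a) above: a program named in no rule is never loaded at all.
        return any(r.program == program for r in self.rules)

    @staticmethod
    def _path_exists(rule: Rule, ev: Event) -> bool:
        return (rule.user == ev.user and rule.program == ev.program
                and rule.behavior == ev.behavior
                and fnmatch(ev.resource, rule.resource))

    def check(self, ev: Event) -> bool:
        if not self.is_trusted(ev.program):
            decision = "DENY untrusted program"
        elif any(self._path_exists(r, ev) for r in self.rules):
            decision = "ALLOW"
        else:
            # Case (b) above: a trusted program stepping outside its sandbox.
            decision = "DENY outside sandbox"
        self.audit.append((decision, ev))
        return decision == "ALLOW"


# Constructed policy: a web server confined to its own content, logs and memory.
SAMPLE_RULES = [
    Rule("www", "/usr/sbin/httpd", "execute", "/usr/sbin/httpd"),
    Rule("www", "/usr/sbin/httpd", "read", "/var/www/*"),
    Rule("www", "/usr/sbin/httpd", "write", "/var/log/httpd/*"),
    Rule("www", "/usr/sbin/httpd", "mem_read", "process:httpd"),
]

# Constructed events: a dropped binary, then a trusted but infected httpd.
SAMPLE_EVENTS = [
    Event("www", "/tmp/dropper", "execute", "/tmp/dropper"),
    Event("www", "/usr/sbin/httpd", "read", "/var/www/index.html"),
    Event("www", "/usr/sbin/httpd", "mem_read", "process:sshd"),
    Event("www", "/usr/sbin/httpd", "write", "/etc/passwd"),
]


def run_sample() -> List[bool]:
    """Evaluate SAMPLE_EVENTS against SAMPLE_RULES and return the decisions."""
    box = WhitelistSandbox(SAMPLE_RULES)
    return [box.check(ev) for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    box = WhitelistSandbox(SAMPLE_RULES)
    for event in SAMPLE_EVENTS:
        box.check(event)
    for decision, event in box.audit:
        print(f"{decision:24} {event.program} {event.behavior} {event.resource}")
```

Only the second event is allowed: the dropper is refused before it can load, and the infected but trusted httpd is refused both another process's memory and a write outside its log directory, with every decision recorded in the audit list.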
Symantec official links and explanations for the defense of CPU vulnerabilities
Meltdown and Spectre are local privilege escalation vulnerabilities, which means that malware must be installed on the target system before they can be exploited. Symantec Data Center Security: Server Advanced (DCS:SA) mitigates this by ensuring that only authorized software is allowed to execute.
For the Windows update patches, no changes are required to the security agent. As an additional precaution against kernel-level changes, we analyzed Microsoft's patch information and tested the patches when they were released. Windows 2016, 2012 R2 and 2008 R2 are fully certified and no other issues have been found so far. For the Linux platform, we tested the patches when they were released, and so far all platforms have been tested successfully. Only Amazon Linux needs a driver update.
Original: https://www.symantec.com/connect/articles/data-center-security-meltdown-and-spectre-situation-update
Symantec dynamic threat solution: SEP
SEP (Symantec Endpoint Protection) is designed to address today's threat situations, providing comprehensive protection and deep defense throughout the chain. Using the power of the world's largest threat intelligence network, SEP uses a new generation of technologies such as multidimensional machine learning, reputation analysis and real-time behavior monitoring to effectively intercept advanced threats. It can be combined with the same important basic protection technology to provide comprehensive protection for enterprises. Symantec Endpoint Protection is a lightweight agent with a single management console that integrates with other products in the security infrastructure to respond quickly to threats and achieve optimal endpoint protection.
Attack defense
Network protection, URL and firewall policies: Symantec's network threat protection technology analyzes incoming and outgoing data to stop threats before they pass through the network to the endpoint. This protection also includes a rule-based firewall and browser protection, which effectively resist network attacks. Overall, with strong network protection technology, more than half of all threats are killed and intercepted before reaching the endpoint.
Application behavior control: controls access to files and registries, and sets how processes are allowed to run.
Device control: restrict access to selected hardware and control which types of devices can upload or download information. Peripheral control can be combined with application control to provide a more flexible control strategy.
Exploit protection: blocks zero-day exploits in popular software for which vendors have not yet released patches, including heap spray, SEHOP overwrite and Java exploits. This signature-less technology is effective in preventing malware from launching attacks by exploiting any defect, error or vulnerability.
Infection prevention
Reputation analysis: Symantec's unique reputation analysis technology leverages tens of billions of relationships between users, files, and websites in our intelligence network to proactively intercept more threats and quickly resist malware variants. By analyzing key file attributes, such as how often the file is downloaded, how long the file exists, and where the source of the download is, we can accurately determine whether the file is secure and specify a reputation score before the file is transferred to the endpoint. After using file reputation analysis, users only need to scan risky files, thus significantly reducing the scanning workload.
Machine learning: multi-dimensional machine learning technology on endpoints uses learned content to intercept new threats and unknown threats, thus greatly reducing our dependence on features when identifying threats. The machine has also been repeatedly trained by trillions of security files and malicious file examples in the global threat intelligence network to ensure that false positives are minimized.
Simulation: a high-speed simulator can detect malware hidden by polymorphic custom wrappers. The static data scanner runs each file in a lightweight virtual machine in just a few milliseconds, thus revealing the threat instantly, not only improving the detection rate, but also improving performance.
Antivirus file protection: signature-based antivirus and advanced file heuristics detect and eradicate malware on the system, including viruses, worms, Trojans, spyware, bots, adware and rootkits.
Behavior monitoring: the behavior monitoring function in Symantec Endpoint Protection is highly effective even for the very small number of threats that reach the endpoint quietly. It uses machine learning to provide zero-day protection, monitors nearly 1400 applications and identifies file risks in real time, effectively preventing new and unknown threats.
Leakage protection
Power Cleaner: this proactive cleanup tool can be triggered remotely to find advanced persistent threats and remove malware that is difficult to remove.
Host integrity checks and policy enforcement: ensure that endpoints are properly protected and compliant by enforcing policies, detecting unauthorized changes, conducting damage assessments, and isolating noncompliant endpoints. Used in conjunction with threat detection products, you can coordinate responses to isolate infected endpoints, quickly curbing the spread of infection and making it easy for you to repair endpoints or rebuild endpoint images.
System lockdown: lets you run only whitelisted applications (known to be safe) or block blacklisted applications (known to be unsafe). Symantec Advanced Threat Protection (ATP) and Secure Web Gateway can use the programmable API to communicate with the SEP Manager (SEPM) console and coordinate a response that blacklists newly discovered malicious applications through the application control feature. It runs across Windows®, Mac®, Linux®, virtual machines and embedded systems.
Secure Web Gateway integration: the new programmable REST API supports integration of SEP with third-party products such as Secure Web Gateway to coordinate endpoint response measures and quickly curb the spread of infection.
Symantec's SEP solution is suitable not only for protecting common Windows endpoints, but also provides dynamic security protection for macOS and even mobile (phone) users.
Summary
The DCS:SA solution fundamentally solves the defense problem of the server, because the defense based on methods and processes is not based on signatures, but once and for all. The whitelist technology is simple to configure, takes up less running resources, and can greatly reduce the maintenance work of the server by operation and maintenance personnel and security personnel.
SEP (Symantec Endpoint Protection)'s powerful machine learning, application reputation and vulnerability defense system can achieve more perfect defense without increasing the terminal load too much, adjust the protection measurement timely and dynamically, and shut out viruses and threats.
This article has introduced only the solutions Symantec offers from the point of view of server and endpoint protection. Preparing in advance is better than responding passively. Symantec provides a complete information security protection platform and services for enterprises and individual users, covering cloud, big data, network security, mail, mobile applications and endpoints, authentication and single sign-on, data encryption, ATP and WAN acceleration. For more information on other products and solutions, please see the following link: http://www.symantec.com/