Monday, March 19, 2007

Instrumentation is the Next Internet Explorer

I read Rik Farrow's Musings (.pdf) in the latest USENIX ;login: and noticed this section:

[Rik read] an amazing paper by Chad Verbowski... of Microsoft Research... Flight Data Recorder (.pdf) (FDR) (say, haven’t I heard of another similarly named software project?) has the goal of capturing configuration and file changes from Microsoft systems and will be shipped with Windows Vista.

Using a time window of only 6 ms, FDR captures all changes to system configuration-related registry entries and files, saves the log locally, then cleverly compresses it, without losing any interesting data, before uploading the compressed logs to a server. The goal was to capture data from thousands of servers while using less than 1% of network bandwidth, with a less than 20 MB/day logfile per system that can be analyzed in 3 seconds.

Sounds unbelievable, but FDR manages to compress each event into an average of 0.7 of a byte. The motivation for this clever work was the discovery that 33% of system outages were related to configuration changes, so tracking those changes was key to system reliability.
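A sub-byte average per event is less magical than it sounds once you see the ingredients. The following Python sketch is an added illustration, not FDR's actual format (the excerpt does not describe it): timestamps become deltas, repeated process and path strings are interned into small ids, and a general-purpose compressor handles what is left. The SAMPLE list of registry-change events is constructed for the demonstration.

```python
import zlib

OPS = ["create", "modify", "delete", "rename"]  # op stored as one byte

def _varint(n):  # unsigned LEB128: small deltas and ids fit in one byte
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def _read_varint(buf, pos):
    shift = value = 0
    while True:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7

def encode(events):
    """Time-ordered (timestamp_ms, process, op, path) tuples -> compressed bytes."""
    strings, body, prev_ms = {}, bytearray(), 0
    for ms, proc, op, path in events:
        body += _varint(ms - prev_ms)                             # delta timestamp
        body += _varint(strings.setdefault(proc, len(strings)))   # interned name
        body.append(OPS.index(op))
        body += _varint(strings.setdefault(path, len(strings)))   # interned path
        prev_ms = ms
    table = "\0".join(strings).encode()  # dict insertion order == id order
    return zlib.compress(len(table).to_bytes(4, "big") + table + bytes(body), 9)

def decode(blob):
    raw = zlib.decompress(blob)
    tlen = int.from_bytes(raw[:4], "big")
    strings, pos, ms, events = raw[4:4 + tlen].decode().split("\0"), 4 + tlen, 0, []
    while pos < len(raw):
        delta, pos = _read_varint(raw, pos)
        proc, pos = _read_varint(raw, pos)
        op, pos = raw[pos], pos + 1
        path, pos = _read_varint(raw, pos)
        ms += delta
        events.append((ms, strings[proc], OPS[op], strings[path]))
    return events

# Constructed sample: three processes touching eight keys, one event every 6 ms.
SAMPLE = [(6 * i, ["svchost.exe", "setup.exe", "lsass.exe"][i % 3], OPS[i % 4],
           "HKLM\\SOFTWARE\\Example\\Key%d" % (i % 8)) for i in range(2000)]
```

Dividing `len(encode(SAMPLE))` by `len(SAMPLE)` gives the bytes-per-event figure for this stream; real workloads are less regular than the sample, so expect the ratio to rise with entropy in the event mix.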

This made me remember a comment in the Joanna Rutkowska interview I didn't previously highlight:

"The scary part is that once an attacker [gets] into the system, we can't reliably read system memory, neither using software-based, nor hardware-based, methods. That means we can't answer the question of whether the system is clean or not," she says.

In other words, we have a problem with instrumentation. Microsoft is working on better instrumentation as demonstrated by FDR, but it's not what Joanna means or needs. We might be able to get better instrumentation if the OS is running within a hypervisor that monitors all aspects of the OS.

How does this relate to Internet Explorer? The Web browser was one of the first major components moved into the OS, once Microsoft saw how powerful Netscape was. Since then Microsoft has continued to move other features into the OS or into the suites of applications Microsoft provides, with anti-virus, host-based IPS and PC health the latest initiatives. I think we'll see greater moves towards instrumentation of the OS for security purposes, but the question will be whether non-Microsoft people and/or products will be able to access these offerings.

If these instrumentation readings are available, then we'll see vendors like Guidance Software make use of them for forensics purposes. Alternatively Microsoft might move deeper into the security space and sell its own forensics software. Many of the great Sysinternals tools which are now part of Microsoft have forensic and security purposes. That could be one sign of the future.


Anonymous said...

Would you trust a system where the vendor offers you absolutely everything, from the hypervisor, to the operating system, to the antivirus? I don't think I will, moreover if it's closed source.

Richard Bejtlich said...

Probably not! Then again, I do trust open systems that someone could audit, like OpenBSM.