
Nov 17

Sandsifter


How many times have you looked at the list of updates on any given OS and wondered what went wrong? Security patches, bugfixes, upgrades, and even components you know you aren't using seem to need constant babying to keep them operational. Chances are you are using an x86 or x86_64 machine, but even on ARM there are plenty of updates, just a bit less often. The reason behind many of them, which most of you never hear about, is kind of a neat story.

Processors And Hidden Language

So when I say extension, some of you start thinking of .zip or .exe, or maybe browser extensions. In binary, the extensions are, not surprisingly, ones and zeros. In the Windows registry and other places there are extensions written in hexadecimal, and some of them look like 6Jhf (that isn't a real one that I know of). But processors also have a language of their own, and it has hexadecimal-style extensions (machine code) that carry meaning. Some of them allow a bit of memory to be passed, some set up a buffer, some are for secure code, and so on. In each case those extensions vary a bit from processor to processor, and from module to module.

The Video Mentions Sandsifter

If that video is taken down we'll just put up another one, because this is important. While the video is about breaking x86, it might actually be about saving it. The most common exploits people are aware of have little to do with this level of hacking. This is beyond kernel hacking, and it could be the layer where all of the exploits could be stopped. I feel like I'm pulling an alarm by saying that. A proper inspection of which snips of machine code a processor allows and which it does not is just the beginning when it comes to fixing the way a program can be exploited, or be exploitative. This is hardware hacking in a literal sense, but just as with software, if a program like Office uses snips that carry certain privileges, those privileges are probably the ones an attacking hacker will use to craft something undetectable. Alternatively, understanding this is the best way to craft products that block such attacks. You may not be able to block every port at all times, and your heuristics-based antivirus programs don't work on this level of code, if indeed they work at all.

Yes, Alright, The Antivirus Indictment

When you search Google for the phrase "antivirus doesn't work", what do you see? Yes, there are advertisements and services built on that premise. That isn't the point, though; the point is that it's at least somewhat true. Even if antivirus products worked as they claim (which they don't), they could never work against machine code that has its permissions set correctly and isn't seen as an attack. That is how the bad viruses, worms, trojans, and the like get introduced: they make use of legitimate coding within an accepted ruleset and aren't seen as a problem. Does that mean we need to change everything?

Maybe Just A Few Things

If a tool like Sandsifter can correctly document the rules a processor is using, and every software product evaluates those rules against its programs and makes the few changes needed to meet a kind of compliance that leaves everyone safer, that is a huge step forward. It could potentially save the 2-3 billion dollars a year that is typically lost to just a few types of cyber crime. It will take a lot of people to make this happen, but the tool exists. That's why we brought it up, and now you have something to say to cyber security experts.
