Digging Deeper into Host-based Security on Intel-based Systems

January 4, 2013
Cyber Training: Post by Xeno Kovah

This is the second in a series of posts about internally developed computer security training classes that have been taught within MITRE (Cyber Training) and have been publicly released.

In this post, the editor continues an interview with Xeno Kovah about his 2-day training class, Introductory Intel x86: Assembly, Architecture, and Applications, released to the Open Training community.

Editor: What topics do you cover in this intermediate class?

Xeno Kovah: Whereas the Intro x86 class leans toward assembly over architecture, this class leans the other way. The majority of the time is spent covering topics that are essential to the proper functioning of modern operating systems like Windows, Linux, or Mac OS X. These topics include memory management via page tables, interrupts, port IO, and hardware support for debugging. It also includes a topic I didn't expect to cover, because most OS classes skip it. But as I delved into the previous topics, I found that the topic of memory segmentation was important to them.

As with the other classes I have made, you can scroll to the bottom of the http://OpenSecurityTraining.info/IntermediateX86.html training page, and click on the pi symbol, and you will see a work-in-progress map of the nitty-gritty details of what is covered in the class. It's not given a more prominent position on the page yet because I want to make it so that when you click on the topics, you go to the portion of the class video that talks about it.

[Ed.]: Why do you think it's important that people have this great depth of information?

[XK]: Part of why I think this is important is the same reason why colleges feel it's important to teach it in their OS classes. The principles and mechanisms learned when developing OSes tend to be reused across many OSes. Therefore learning the principles allows a student to understand how other people have likely constructed their OSes. I know that when I learned some of these topics in the CMU OS class, I then was able to turn around and apply them to my understanding of the Windows OS, which I had not had particularly much experience with before coming to MITRE.

Another reason is because I feel that there are a lot of people who know network security, but not enough who know host security. When you treat hosts as black boxes, that's an awful lot of capability and complexity that is hidden from your view. And when you learn about things that other people have skipped, you can find new problems, create new solutions, and just generally make yourself more valuable to your workplace.

[Ed.]: With this intermediate level of knowledge, what security jobs can make use of it?

[XK]: The most obvious one is being an OS developer with an eye toward security. It's always necessary to have people who have an eye for security doing the actual core system design. Indeed, you will see that many companies like Microsoft, Apple, Nvidia, and VMware compete for students who have taken OS classes that cover this type of material. (And I know from firsthand experience that not all OS classes are created equal. Having taken both kinds, I value a class where the student has had to learn this type of material by making their own kernel much more than one where it's just covered in passing.)

The latter example of VMware looking for this kind of knowledge is indicative of the fact that OS knowledge is often re-applied in the context of virtualization. Indeed, most hypervisors or Virtual Machine Monitors can be thought of as much simplified OSes. This is because OSes manage resources for many processes, and hypervisors manage resources for many OSes. There are many security companies that are trying to leverage virtualization to help improve the security of end systems.

And while it's a more specialized area, there is always need for people who know OS internals to interpret malware that infects the OS internals. This is because a general malware analyst who doesn't know how OSes work will not understand the context of what an OS is trying to do, and how the malware benefits by manipulating what the OS is trying to do.

As I noted previously, NSA announced a Center for Academic Excellence in Cyber Operations. Operating Systems Theory is a specific type of knowledge that the NSA wants students to receive.

[Ed.]: Your work at MITRE is making use of this type of knowledge?

[XK]: Yes. I have used this core OS knowledge extensively in my work at MITRE. I've spent a number of years working on Windows kernel development for a security project called Checkmate. Checkmate needs to interact with the Windows kernel at a low level to provide additional security capabilities. As I already mentioned, I hadn't had much experience with Windows internals before coming to MITRE, as I grew up on Mac OS and Mac OS X. Some of the topics that I included in the class, though, like hardware debugging, I put in just because I wanted to learn them better, and later I found potential applicability in other MITRE work.

[Ed.]: We know you have a larger training curriculum in mind. Where does this course fit?

[XK]: This class contains important knowledge that a student is recommended to know before taking the later Rootkits class. In particular, rootkits can manipulate all of these topic areas in order to gain some leverage in hiding themselves. There are course maps on this class's training page showing which other classes utilize this knowledge. As I have already mentioned a couple of times, this sort of OS-level knowledge often finds itself re-applied in the context of virtualization, which is why this class is a prerequisite for Advanced x86: Virtualization with Intel VT-x.

[Ed.]: Why make a more intermediate class publicly available?

[XK]: I see this class fundamentally as having extracted the core bits from my college OS classes, which have been the most directly applicable to my work. I think broad-based knowledge as delivered in college classes has its place, but I also want to support delivering things that are a mix between foundational and vocational knowledge. I want people to be able to get the foundational knowledge that has guaranteed vocational applicability. To that end, I knew that this sort of class would not only be helpful for bootstrapping people to help work on my projects, but help bootstrap people in other companies to be able to do similar work.

[Ed.]: What's next in your curriculum?

[XK]: Right now I'm mostly focused on improving my existing four classes. This class focused on 32-bit architectural details. Right now I'm updating it to focus on 64-bit systems, which are becoming more common as people switch to 64-bit desktop OSes. In particular, the segmentation component that had gone largely unused in modern OSes has been mostly deprecated. But vestiges of it are still hanging around, and are used by various OSes in their own way, and I want to share that in an updated class. I'm also trying to give this class more hands-on time by incorporating a new system of games, which will reinforce the knowledge from the class and give the student immediate feedback. Importantly, the game rounds/questions are randomized to allow infinite replayability, either in class or months after class as a refresher. Once I'm done updating my existing courses, I do hope to teach a new class on Intel's Trusted Execution Technology (TXT), which will likely require this class and Advanced x86: Virtualization with Intel VT-x as hard prerequisites.

[Ed.]: Thank you, Xeno. We'll be speaking with you again to understand why binaries have a life of their own.