Thinking about Windows security software

Source: Internet
Author: User

Citation note: "Zhang Pei", original: Www.YiiYee.cn/blog

Recently I re-read several books on Windows system security and looked up material online, and I was surprised to find that many of the impressive techniques that were popular years ago, although still described vividly in books and on web pages, mostly no longer work on newer systems. I have also done some thinking of my own: although I have not worked on security technology for many years, the ability to reason is still there.

Analyze the source of security issues

Security risks exist first; attacks then follow, and because attacks are so numerous, the need for security protection arises. Therefore we must study the source of security risks. In general, security problems can be divided into local and distributed, so attack methods can likewise be divided into local attacks and distributed network attacks.

First consider the security risks that exist on the local machine, that is, inside a single PC with Windows installed. I divide them into the following two categories:

The first category is structural design flaws or imperfections in the OS architecture itself, which backdoor software exploits to launch attacks on local resources. The main manifestation is the range of convenient hook techniques the OS provides. Hook technology on Windows has been popular since the 1990s. In summary, it comes in two forms: static modification of binary files and dynamic modification of the running logic during execution.

Digital signing makes most static modification methods ineffective. Digital signatures are currently mandatory only for drivers running on a 64-bit OS or on a 32-bit OS with Secure Boot, and for all Metro apps, but a wider requirement is not ruled out in the future; the method can also be used by service programs and even desktop user programs. Because a digital signature is used to check the integrity of the binary file, any static modification destroys the file's integrity and causes the file to fail to load.

By means of PatchGuard, the kernel files and critical data of the OS are protected, which completely invalidates runtime hooks on the OS. The PatchGuard mechanism dynamically checks the integrity of the system and, once a modification is detected, blue-screens the system. The once-popular IDT, SSDT and other run-time patches have all failed.

In addition, Microsoft's newer OS releases continuously strengthen the management of access control lists (ACLs) and the security of system objects.

This is the reason "security software is dead".

The second category I call design errors or code bugs. The operating system also contains a large number of software modules that are not basic functional modules of the system but are still used by much software. These modules may be provided by Microsoft or by a third party. However, because these modules are complex, have a limited application scope, are not very general, and have non-uniform interfaces, general-purpose security software may not be able to take care of them, or cannot cover them completely, so backdoor software can find living space there.

For example, the OpenSSL Heartbleed vulnerability and the bash shell vulnerability on Linux/Unix systems that broke out recently both originate from code bugs in the software implementation. The essence of this type of problem is that software is designed and written by programmers, and human beings are inherently unable to be exhaustive; the only question is how severe the problem turns out to be.

Explore security techniques for distributed network applications

If a software module is used in distributed applications, then when its security risk erupts the degree of harm is very large, far beyond the damage caused on a single-machine system. So network security is worth thinking about.

The design of a distributed (network) protocol and of its implementation modules can be improved through technical innovation. I use the example of a distributed denial of service (DDoS) attack to illustrate a possible scenario:

A DDoS attack is implemented when a malicious attacker organizes thousands of "meat machines" (zombie hosts) to send invalid, massive network requests to a designated server, rapidly consuming its network resources in a short period of time and causing it to lose its normal responsiveness. If you step back from the technical detail, you will find that the attacker always obtains his "meat machine" resources by illegal means, because organizing these machines legally would be not only too expensive but also easy to trace. The attacker plants a trojan into the target system to infect it, and it thereby becomes his "meat machine". The meat machine itself is also a victim. In the course of a DDoS attack, thousands of victim "meat machines" unwittingly launch an attack on the victim "server", turning the event into a war between two victims, while the real enemy always hides behind the scenes.

From what I have gathered, servers currently rely on a passive defense strategy to survive the meat machine bombardment, and there is no way to take proactive measures to stop the meat machine attack. Like two members of the same fraternity, the meat machine might well come to its senses if the two sides could communicate. However, under the C/S (client/server) architecture, without cooperation from the client the server cannot actively deliver messages or instructions to the client. In this case the client is a trojan, and it will not respond to server-side requests at all. But consider the possibility that there is client software on the meat machine side that can parse server instructions. When the server detects that the meat machine is involved in a DDoS attack, it attempts to post a message to this client. The minimum effect is that when the client receives the message it pops up a risk warning to the user, recommending that the user urgently take measures against the trojan. The user may or may not act immediately, but if the hit rate reaches a certain level it will effectively and quickly slow down the DDoS attack; in the long run, the meat machine, as the most valuable resource of the attacker, will be greatly weakened as an effective force.

I call this method "cloud protection": rather than relying on the power of the server alone, bring the meat machine over to your own camp and let it cooperate with the server.

Widespread deployment of clients is the basis for effective implementation of "cloud protection". The client software of the domestic BAT companies (Baidu, Alibaba, Tencent) has a very large installed base; if it were used for this purpose, the approach should be very promising.

Visionary innovation

Over the years I have come to understand that theoretical and practical innovation arrived at through analysis and research of the basic framework is far more important than pure technical replication and implementation. In the computing environment, as applications shift from the heavyweight single PC to lightweight clients interconnected through the cloud, the meaning and scope of security are bound to change greatly.

When Norton senses that "security software is dead", what they feel is the passing of the brilliant era of security software that XP and older OSes, with the proliferation of flaws in the OS itself, brought about. But Norton itself is surely very clear that security is an eternal topic that will never set; only its object has quietly changed. Indeed, the latest news shows that Norton has now begun working on security certification for clothing (pocket) devices. That is one end of Norton's transformation and innovation. What about the other vendors?
