Digital security is tough to get right, and on the software side of the equation it is even harder. Traditionally, security has been enforced at the network edge by devices such as firewalls and intrusion detection systems. It is the software running on the hosts themselves, however, that usually presents the attack surface an attacker actually exploits.
USENIX Enigma, a new conference from the USENIX Advanced Computing Systems Association, brought attendees new ideas in software security, ranging from a new type of binary scanner to cutting-edge firmware-monitoring tools employed by Facebook.
In a world where the firewall cannot save the network from every threat online, endpoint security becomes paramount. This is compounded by the fact that some of the newest and most dangerous exploits involve replacing or poisoning firmware, which runs below the operating system, where conventional endpoint tools do not look.
Teddy Reed, security engineer at Facebook, showed off an open-source tool his team built to counter this threat: osquery. Rather than hooking the kernel, the osquery daemon runs in user space and exposes the state of the host, such as running processes, loaded kernel modules, attached hardware and platform firmware information, as SQL tables that can be queried ad hoc or on a schedule. Its event-driven tables subscribe to the operating system's own event sources (udev on Linux, IOKit on macOS), and scheduled query results are shipped upstream to a central logging pipeline, giving administrators and developers insight into what is happening on networked machines.
Such event notifications can be triggered by something as trivial as a USB device being plugged in, or as major as a kernel panic or a firmware update. Reed said that having osquery on every computer is useful, but the type of computer determines how much a given notification matters.
On a developer’s laptop, for example, many different USB devices may be plugged in and brought online at random. On a server, however, anything plugged in via USB should immediately raise a red flag, because it is a rare occurrence.
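The two preceding paragraphs describe the mechanism (scheduled osquery queries whose results are shipped upstream) and the policy (the same USB event matters far more on a server than on a laptop). The following is an added example, not code from the osquery project or from Reed's talk: it pairs a scheduled query over osquery's `hardware_events` table with a small collector-side triage routine. The host-to-role inventory, the host names and the JSON result lines are all constructed for the example; the differential result format (`name`, `hostIdentifier`, `unixTime`, `action`, `columns`) and the `hardware_events` column names are osquery's own.

```python
"""Triage osquery hardware_events results by host role.

Added example, not osquery project code. Assumes the scheduled query in
OSQUERY_SCHEDULE ships differential results as JSON lines to a collector
that knows each host's role (HOST_ROLES, a constructed inventory).
"""
import json

# Fragment of an osquery config (JSON). hardware_events is an evented table,
# fed by udev on Linux and IOKit on macOS; the columns named are the table's.
OSQUERY_SCHEDULE = {
    "schedule": {
        "usb_attach": {
            "query": ("SELECT action, type, vendor, model, vendor_id, model_id, "
                      "serial, time FROM hardware_events WHERE action = 'attach'"),
            "interval": 30,
        }
    }
}

# Constructed inventory: the collector, not the agent, decides how loudly to alert.
HOST_ROLES = {
    "dev-laptop-0412": "laptop",
    "web-prod-07": "server",
    "db-prod-02": "server",
}

# Constructed osquery differential result lines, one JSON object per line,
# plus one deliberately malformed line to exercise the error path.
SAMPLE_RESULTS = """\
{"name":"usb_attach","hostIdentifier":"dev-laptop-0412","unixTime":1700000000,"action":"added","columns":{"action":"attach","type":"hid","vendor":"Logitech","model":"USB Receiver","vendor_id":"046d","model_id":"c52b","serial":"","time":"1700000000"}}
{"name":"usb_attach","hostIdentifier":"web-prod-07","unixTime":1700000030,"action":"added","columns":{"action":"attach","type":"usb","vendor":"SanDisk","model":"Cruzer","vendor_id":"0781","model_id":"5567","serial":"4C530001","time":"1700000030"}}
{"name":"usb_attach","hostIdentifier":"unknown-host","unixTime":1700000120,"action":"added","columns":{"action":"attach","type":"usb","vendor":"Generic","model":"Flash Disk","vendor_id":"058f","model_id":"6387","serial":"","time":"1700000120"}}
not json at all
"""


def severity_for(role):
    """Same event, different weight: a USB attach on a server is a red flag,
    on a developer laptop it is routine. A host missing from the inventory
    is not assumed to be a laptop."""
    if role == "server":
        return "high"
    if role == "laptop":
        return "info"
    return "medium"


def triage(result_lines, host_roles):
    """Parse osquery result lines and return (alerts, malformed_count)."""
    alerts, skipped = [], 0
    for raw in result_lines.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
            host = rec["hostIdentifier"]
            cols = rec["columns"]
        except (ValueError, KeyError, TypeError):
            skipped += 1  # one bad line must not drop the whole batch
            continue
        # Only newly observed rows carry an event; the query already
        # restricts the table's own action column to attaches.
        if rec.get("action") != "added" or cols.get("action") != "attach":
            continue
        role = host_roles.get(host, "unknown")
        alerts.append({
            "host": host,
            "role": role,
            "severity": severity_for(role),
            "device": f"{cols.get('vendor_id')}:{cols.get('model_id')} "
                      f"{cols.get('vendor')} {cols.get('model')}".strip(),
            "serial": cols.get("serial") or None,
            "time": int(rec.get("unixTime", 0)),
        })
    return alerts, skipped


def high_severity(alerts):
    """The subset worth paging someone for."""
    return [a for a in alerts if a["severity"] == "high"]


if __name__ == "__main__":
    found, bad = triage(SAMPLE_RESULTS, HOST_ROLES)
    for a in found:
        print(f"[{a['severity']:<6}] {a['host']} ({a['role']}): "
              f"{a['device']} serial={a['serial']}")
    print(f"{bad} malformed line(s) skipped")
```

The policy lives on the collector rather than in the agent's query so that every host runs the same schedule and a mislabelled laptop cannot silence its own alerts; hosts absent from the inventory are escalated rather than ignored, which is the caveat worth keeping when the inventory drifts.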
Reed encouraged the audience to try osquery, and offered to help any users who wished to integrate it into an unusual stack. He said the tool provides a form of security he called attestation. “Owner-controlled attestation will make devices safer,” he said.