Tuesday, December 20, 2016

The Weirding Way

You don't have to believe I know anything about cyber combat or science fiction, but if you read this blog, and haven't read Dune, you're missing out on the philosophy behind how cyber offense works. 
I want to teach the whole Policy World about the Weirding Way in this blogpost. It is hard to explain, but I want to start with this: Scrippie is a better exploit writer than I ever was. I have the good fortune to be able to watch world class exploit writers do their work. Even now, when I should be selling INFILTRATE tickets, I stand around behind people and talk to them about their exploitation strategies and how they are manipulating a heap overflow to do what they want and what their chances of success are. Sometimes I can help. Mostly I just help by letting them talk it out.

I know that no policy lawyer can read Bratus's paper on Weird Machines. I also know that even Halvar's INFILTRATE keynote on the subject is probably too technical.

But let me tell you about something in the Wassenaar Arrangement that is leading the policy world down the wrong path, a sugar-coated path of simplicity: the idea that computer code has intent, and even a chain of preferred execution!

The reason Scrippie is a better exploit writer than I am is because he flattens the code out in his head. He reads the whole thing, and then inside his head the input parsing routines and the heap allocation routines and even the KERNEL system call routines are all at the same level, literally as if they are all in a line and he is simply calling them with his data.

This is what it takes to do real exploitation in the world where you don't have Javascript around to do your heap grooming for you. Because most policy experts have only really seen clientsides on occasions where there is a Javascript interpreter, they have a warped view of how exploitation works in general.

Below, I respond to Nicolas Weaver's Lawfare post, but with <sarcasm>, which translates poorly on Twitter.

Nopes.

Ok, so if you're still with me, I want you to think of it this way: Data is also code. I don't mean "Code can be represented as data because everything is just bytes". I mean, the data I pump into your algorithm controls it as much as the executable code itself does. That's how hackers think of your code and it's closer to the true nature of the code than how the regulators and most academics are thinking right now. It's why every time an academic paper comes out on "ROP/JOP/etc" hackers find it redundant and hilarious.

To make this a Koan: Your computer is a state-space, and our data explores it. When it has no input, your computer program is in all potential quantum states - literally anything is possible because it is Turing complete if it has enough complexity. When we give it data, we collapse that waveform into a particular state of our choosing.
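The Koan above, made literal as an added Python example (not from the post): a constructed toy length-prefixed parser whose behaviour is driven entirely by the bytes fed to it, plus a breadth-first search over inputs that maps which states the data can steer it into, including one the parser's author never drew. The parser, its zero-length bug and the state names are all constructed for this illustration.

```python
from collections import deque

# Constructed toy parser: one length byte, then that many body bytes into a
# fixed buffer. The phases its author intended:
INTENDED = {"WAIT_LEN", "WAIT_BODY", "DONE", "ERROR"}
BUF_SIZE = 4  # bytes of body the buffer can hold

def step(state, byte):
    """One parser transition. state = (phase, remaining, buffered).
    Constructed bug: length 0 is accepted and still enters WAIT_BODY, so the
    first body byte wraps the 8-bit 'remaining' counter and buffering runs on."""
    phase, remaining, buffered = state
    if phase == "WAIT_LEN":
        if byte > BUF_SIZE:
            return ("ERROR", 0, 0)          # oversized length: rejected as intended
        return ("WAIT_BODY", byte, 0)       # byte == 0 should have gone to DONE
    if phase == "WAIT_BODY":
        buffered += 1
        remaining = (remaining - 1) & 0xFF  # 8-bit underflow: 0 -> 255
        if buffered > BUF_SIZE:
            return ("OVERFLOW", remaining, buffered)  # a phase nobody designed
        if remaining == 0:
            return ("DONE", 0, buffered)
        return ("WAIT_BODY", remaining, buffered)
    return state  # DONE, ERROR and OVERFLOW absorb further input

def explore(max_len, alphabet=range(256)):
    """Breadth-first search over every input of up to max_len bytes.
    Returns {phase: shortest input reaching it}: the data doing the exploring."""
    start = ("WAIT_LEN", 0, 0)
    seen = {start: b""}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        path = seen[state]
        if len(path) == max_len:
            continue
        for b in alphabet:
            nxt = step(state, b)
            if nxt not in seen:
                seen[nxt] = path + bytes([b])
                queue.append(nxt)
    witnesses = {}
    for (phase, _, _), path in seen.items():
        if phase not in witnesses or len(path) < len(witnesses[phase]):
            witnesses[phase] = path
    return witnesses

def unintended_states(max_len):
    """Phases reachable within max_len bytes that are not in the intended design."""
    return {p: w for p, w in explore(max_len).items() if p not in INTENDED}
```

Five bytes of input never leave the intended phases; a sixth byte after a zero length lands in OVERFLOW, which is the kind of state a reviewer should be looking for when the parser's length check is written.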

Hopefully that helps?
