Show 152: Elias Levy discusses hacking, programming languages, full disclosure, inventory control, and software security

November 21, 2018

Elias Levy, a.k.a. Aleph One, is a distinguished engineer in Cisco’s Security Business Group, where he works on big data and cloud technologies in support of endpoint security. Previously he was senior technical director for Symantec’s Security Technology and Response organization. He was also CTO of SecurityFocus in the late ’90s. Elias was the moderator of the mailing list Bugtraq from May 1996 until he stepped down in October 2001, and he was the author of “Smashing the Stack for Fun and Profit,” which was published in Phrack 49. Elias served as department editor for IEEE’s S&P magazine’s Attack Trends and Malware Recon departments. He’s also an avid scuba diver, and he lives in the Bay Area in California with his family.

Listen as Gary and Elias discuss how Elias got started in software security 25 years ago and wrote “Smashing the Stack” about stack buffer overflows. They talk about whether we’ve made enough progress in security since then, and Elias shares his optimistic views on security in areas such as architecture, languages, and platforms. Gary asks Elias what he thinks about fixing problems in broken programming languages versus fixing the languages themselves, and about his current views on the “full disclosure” debate that surrounded Bugtraq. Elias explains his “trajectory” patent as it relates to computer security and technology inventory and how it helps to be imaginative in the field. Finally, Gary and Elias discuss what computer security will look like in 25 years.

Listen to podcast

Transcript

Gary McGraw: This is a Silver Bullet Security Podcast with Gary McGraw. I’m your host, Gary McGraw, vice president of security technology at Synopsys and author of Software Security. This podcast series is co-sponsored by Synopsys and IEEE Security & Privacy magazine. For more, see www.computer.org/security and www.synopsys.com/silverbullet. This is the 152nd in a series of interviews with security gurus, and I am super pleased to have today with me Elias Levy. Hi, Elias.

Elias Levy: Hey, how are you doing?

Gary: Elias Levy, a.k.a. Aleph One, is a distinguished engineer in Cisco’s Security Business group, where he works on big data and cloud technologies in support of endpoint security. Previously he was senior technical director for Symantec’s Security Technology and Response organization. He was also CTO of SecurityFocus in the late ’90s. Elias was the moderator of the mailing list Bugtraq from May 1996 until he stepped down in October 2001, and he was the author of “Smashing the Stack for Fun and Profit,” which was published in Phrack 49. Elias served as department editor for IEEE S&P Magazine’s Attack Trends and Malware Recon departments. He’s also an avid scuba diver, and he lives in the Bay Area in California with his family.

So thanks for joining us today.

Elias: Thank you. I notice you must have done some intel if you found the scuba diving thing.

Gary: Actually, I’ve got something to ask you about that. If you’ll forgive me, I have to start with possibly your most famous work of all. Is that OK?

Elias: Sure.

Gary: When did you take that picture of a great white shark that pervades the internet?

Elias: That was probably about five years ago. It was on a dive trip I did to Guadalupe Island, which is off the coast of Mexico about where Ensenada is. It was cage diving, specifically to go see a great white. It was a great boat. They have a couple of cages right behind the boat, so you can just slip in. But those are right at the surface.

So they got a couple of, they call them wranglers, on each side of the boat that have tuna tails on ropes with floaters. So they throw this thing out there to try to get the shark a little bit closer to you, and that’s pretty exciting. But then on the side of the boat, they have a winch, and attached to the winch, they have a cage that can go down about 30 feet. That one’s the greatest. Essentially an elevator. So you get in that thing.

Gary: You go down.

Elias: In that particular photo, I climbed towards the top of the cage and got my camera out above it, and we just had this great, beautiful shark going around the cage and the silhouette.

Gary: It’s a phenomenal picture. What’s funny is if you look in, like, I don’t know, nature publications and diving publications, you’ll see this great picture of a shark, and it has you as the photographer. You’re credited all over the place with that.

Elias: It was pretty popular. It’s funny because I just put them out with the right Creative Commons copyright, of course, and everybody that’s looking for something to add to their article on sharks comes across it.

Gary: That’s great. All right, let’s talk about computer security, I guess. You’ve been in security for a long, long time, way over 25 years. What got you started in computer security in the first place?

Elias: That’s a good question. In some ways I’m not 100% sure. I was definitely interested in computers as a kid, although probably unlike a lot of people in the industry, I had a pretty late start. I was not born in the U.S.. I was born in Venezuela. Even though we did have some computers, personally, I didn’t really have one until I was maybe 16. I badgered my mother for about a year until she got me one. As luck would have it, what she got me was an Apple IIGS.

Gary: Of course!

Elias: It was kind of at the end of the line for that particular type of computer.

Gary: Yeah, I got a II Plus in 1981 but I think a few years before you got your GS.

Elias: This was back in Venezuela. As far as I knew, there were no BBSs. No one else had an Apple IIGS, and I had no software, so I could do very little with it. The one great thing about those old computers is if you just let them boot with no disk in them, you end up with usually a BASIC interpreter. So that was the first thing I learned. It wasn’t really until I moved to the U.S. for university that I really had a lot more access and became more interested.

It’s hard to tell what was the initial thing, but it was about that time that I started reading The Cuckoo’s Egg by Cliff Stoll and Cyberpunk by Mark Hoff, and you know, one thing led to another, and I started doing research. I remember spending a lot of time at the library, in the microfilm section, just looking up old articles. I actually dug out the old Esquire article on the blue box and Captain Crunch.

At one point I learned of 2600. Santa Monica had a place where you could buy them, so I ended up getting a copy. And I was lucky enough that I think the first copy I had was the one where they had instructions on how to do a red box. So I picked it up and decided to try to make one.

So I walked down to my local Radio Shack. And obviously you have to order the particular crystals to make the modification, and it’s a kind of very specific part. And as I’m at the store, there’s actually another couple of odd-looking characters in there as well. And as I walk out of the store, they’re actually waiting for me. And the guys are like, “So...”

Gary: “What are you going to do with those crystals?”

Elias: Yeah, exactly! And you know, I was like, “Oh, I’m building this thing. It’s a red box.” And they’re like, “Oh! We’re building the blue box.” Those two folks happened to be a couple of local enthusiasts of security, if you will. And they actually gave me the number for a local, very famous hacker BBS called Lunatic Labs that had been around for a very long time. And that just opened many doors to other things.

So that was kind of my introduction to the whole thing.

Gary: Wow. What year was that?

Elias: That was probably ’92, I would say.

Gary: ’92. Cool. Yeah, I know you did some work later with Mudge and some of the other guys from the L0pht. Did you work with those guys?

Elias: Not particularly closely. I mean, we definitely knew each other. Mudge in particular was a pretty prolific researcher, and especially around the time the whole buffer overflow stuff was coming out, there were a number of people that were releasing work and papers about the stuff they were doing.

So when it came time for me to write that article for Phrack on buffer overflows—which, I can’t even remember if route/daemon9, who was editor of Phrack at the time, whether I pitched it to him or he asked me to write something. But in any case, it was some of his stuff, and Red Dragon, and other people that I was sort of bothering. So it all ended up being in the mix and resulted in that article.

Gary: Yeah. So I wanted to ask you about that super famous article. It was Phrack 49, and it was published November 8, 1996, so it just turned 22, which means that—

Elias: It did, yeah.

Gary: It’s old enough to drink on its own in most states. The article provided this step-by-step introduction to stack buffer overflows, for people who don’t know that. You told us a little bit about the backstory. So you pitched it to them, or did they come and get you and say, “We need something”? And were you surprised by how quickly it took off?

Elias: To the former question, I can’t really recall. I mean, it’s been such a long time. But you know, daemon9/route, he was local to there, so we kind of knew each other. And then I can’t recall how that went down. But as to the latter, I have to say I am surprised at how popular and influential and widely quoted it ended up being.

Gary: Yeah, I mean you hit the zeitgeist. It was just the perfect time to publish that.

Elias: It was, it was. I mean, in some ways—actually not in some ways, in all the ways—I mean the article was really just an exercise of me trying to understand those types of vulnerabilities, given the available information. I was really doing it for myself. I just happened to wind up at the end with an article on Phrack.

Gary: Well, that’s the way most science actually progresses, turns out.

Elias: Well, I mean, looking back at it, that’s probably one of the reasons it was so popular, right? Because it really walks you through the progression of understanding the memory models, how things are laid out in memory, and then step-by-step how you build one of these things, how you make them more complex, how you make them more reliable, for this particular type of buffer overflow. I guess anyone that needs to learn about it, that’s the same progression that you go through. So I think that’s probably why it was so popular.

Gary: Yeah. So it turns out you were working on software security well before it was even a field. When Viega and I referenced and extended your work in Building Secure Software—that was 2001, so five years later—it was still super important. Do you think we’ve been making sufficient progress in software security in the last 25 years?

Elias: You know, I am actually somewhat optimistic, which is something pretty rare for me to say.

Gary: No, I am too. I’m with you.

Elias: I mostly tend to be not that much of an optimist in general. I mean, if you look at specific areas—like protections being developed in operating systems, or a systematic architecture, from an architecture point of view, things like the work that has been done in web browsers; new languages that are being developed that are more immune to certain types of vulnerabilities, like whether it’s Golang or Rust, and their more widespread adoption; and more secure platforms, like iOS, or even some of the changes being done in more general operating systems like Windows and Mac to make them a little bit more locked down—I think in general, I am optimistic.

There’s no perfect solution, but if you see the exploits nowadays, they have to jump through so many hoops to make them work, and it’s incredible that they still do. In some ways, it shows that someone with enough resources still will be able to get through, but definitely the low-hanging fruit has been cleared away, in many cases.

Gary: Yeah, I agree. I mean, I’m really glad I wrote Exploiting Software in 2004 and not, say, last year.

Elias: Oh yeah, I mean—

Gary: It was a lot easier to do, right?

Elias: The people who write exploits now, I mean, they’re geniuses, right? The amount of work that goes into them is incredible. Yeah, no, I’d rather not be doing that now.

Gary: Since 1996, as you mentioned, we’ve seen better programming languages, better operating systems, better technology for finding bugs in terrible languages like C and C++. Static analysis tools, for example, actually work and are widely available commercially. So what’s your opinion on tools for finding problems in pervasive but broken programming languages, versus fixing the programming languages themselves?

Elias: I’m definitely in the latter camp. I mean, knock on wood, I haven’t had to write any C++ in over a decade, I think. And if I don’t ever—

Gary: Maybe it’ll die all by itself.

Elias: Yeah! If I don’t ever have to do that again, I’ll be happy. So the more security that gets baked into the languages and the frameworks and the architectures, the better that will definitely be. Obviously there’s still a large pile of old software out there, and this stuff still gets taught in universities and is still used in many shops, so it’s going to be around for a long time. So the other tools are still required. But I mean the way forward is new languages, new platforms, new frameworks.

Gary: Yeah, I agree with you.

We’ll be right back after this message.

If you like what you’re hearing on Silver Bullet, make sure to check out my other projects on garymcgraw.com. There, you can find writings, videos, and even original music.

For the record, I also agree with you that the only way to really understand computer security is to talk explicitly about exploits and attacks, which in your early days, you really did a lot of. Back when you were moderating Bugtraq, you took an active role in the full-disclosure debate, and then chaos ensued. What’s your view of that whole debacle or debate or whatever you want to call it these days?

Elias: That’s one of the discussions I hate the most.

Gary: Yeah, I hate it too, but I think it should be dead. I mean, it’s obvious to me we have to publish that stuff.

Elias: Yeah, I mean, I hate it in some ways because there’s no really easy answer. So reasonable people can potentially come to different conclusions about, I believe, some of the nuances regarding disclosure. The other thing too is, I was obviously, I guess you can call it at the forefront of those discussions when I was moderating Bugtraq.

Gary: Oh, absolutely. I mean we used Bugtraq to publish all the stuff about the Java security errors back in the ’90s. And then a whole bunch of the, you know, when Microsoft tried to do StackGuard and got it wrong, Bugtraq was the place we turned to for that release.

Elias: Yes, right, and I think I wrote a bunch of editorials on the subject of it at some point, maybe in SecurityFocus or elsewhere. So that definitely is something I have advocated. At the same time, I don’t necessarily consider myself an absolutist on the subject. I understand that people that argue for some restraint are doing so because they also want to protect users from the worst of the impact of those particular policies. So things like, do you give people enough time to fix something, or do you need to release an exploit right away? You know, those are things that are more nuanced. But if you have to choose one side, personally, the side to choose is the one where you disclose that information.

Gary: Because people have to learn how not to do that.

Elias: People have to learn, right. So you can only improve things in the long term if you share information. If you do not make it available, then you do not learn from your own or from others’ mistakes. And at the end of the day, that was the reason why Bugtraq was created, because back in the day, everything was kept secret, and the vendors patched things silently or they didn’t patch them at all and released this one paragraph advisory that didn’t really tell you anything about anything.

So it was kind of the dark days, the dark times. And more disclosure was kind of a fresh light into that darkness, and I think it accelerated many things. It accelerated good things, and it accelerated bad things. But hopefully, over the long term, the good overwhelms the bad, and things become better.

Gary: Right. So along with our mutual friend Ivan Arce, you published a very interesting column in IEEE S&P bringing some security street smarts, if you want to call it that, to the science community. What was your favorite column back in that body of work?

Elias: Oh my God, that was such a long time ago.

Gary: Ah, I’m making you think. That was only 10 years ago, man. We’ve fast-forwarded 15 years.

Elias: I feel like it’s kind of hard to tell.

Gary: I mean, look, all right, let’s set it up a little more. S&P, at the time, was really about academic computer security. There wasn’t much about exploits or attacks or even thinking about things like disclosure, malware. And you guys changed that—for the better, I think. So what do you have to say about that in general?

Elias: Well, yes, I mean, I think that’s definitely something that was needed in our particular industry or, I guess, area of study. All too often, research tends to be kind of “ivory tower” sort of research that doesn’t really end up being applicable to the real world. Or it’s looking at very esoteric problems when maybe the problems that we have in the field are actually a lot more mundane.

So from that sense, seeing what actually happens in the streets, as you call them, I suppose the magazine’s audience tends to be more research-oriented. It’s probably bringing to them some information that they wouldn’t know otherwise.

One thing that I always come back to, it’s not related to anything that me and Ivan wrote about, but one that I’ve seen over and over for over 20 years is anomaly detection systems, which researchers just love. I mean, there’s paper after paper after paper on anomaly systems. And I’ve yet to see a single serious commercial product that’s been successful that’s an anomaly detection system. Because at the end of the day, they generate way too many alerts.

Gary: Yeah, and if you’re an attacker, the best thing to do is just to set off alerts in Sector 4 and attack in Sector 2 or whatever.

Elias: Right. So when you’re actually looking at some of the products to get a feel of it, the customers have way too many alerts already. They don’t need something else to tell them something is suspicious. They need an alert that tells them something is bad. They need some level of certainty. From a commercial perspective, anomaly has always been a big flop. And I think that’s something that no team has seemed to really penetrate in the academic research area.

Gary: Yeah, although there are zillions of publications in the academic research area, so you’re right.

Elias: Oh God, I mean, you can go back 30 years, and you’ll have mountains of research papers to read.

Gary: Yeah, I think some of the first was Teresa Lunt’s work in the early ’90s.

So you hold six patents, which is kind of interesting for a full-disclosure kind of guy. Tell us a little bit about the Trajectory patent that you have and its relationship to inventory and computer security and knowing what you have and what it’s doing.

Elias: Sure. That one kind of relates to some of the work that we did first at Sourcefire and at Cisco for our endpoint security product, which is sort of an endpoint detection and response product. Basically, it’s a product that allows you to record activity at an endpoint to hopefully detect (but if not, at least help you remediate) an endpoint after a breach. I’ve always been a jack-of-all-trades. I really have spent very little time specializing in any one area. But one area that’s always been of interest to me has been visualization. So that particular patent revolves around some of the visualizations that I developed for the Cisco AMP [Advanced Malware Protection] product. And the idea is to help responders easily see what the interactions between processes were inside an endpoint to more easily pinpoint the activities that an attacker performed.

Gary: Can you draw some sort of relationship to this notion of inventory or knowing what you have or knowing what you’re running, or am I just crazy?

Elias: No, it’s definitely a key feature of any product. You need to be able to figure out what it is that you’re running in your environment. Because it’s the only way that you’re going to be able to figure out what is new in it, and therefore what actually you should be focusing on.

Any security product, in many ways, is just a filter. You need to be able to ignore everything that is normal, everything that is nonmalicious, and then be able to focus down on what actually shouldn’t be there. And inventory is one of the ways to do that.

Now, most products that have tried to go down the sort of whitelisting route—where you inventory systems, and then whitelist, and then flag anything or stop anything else from running—unless they have a very locked-down environment, they don’t tend to work very well, because, obviously, users need to get their job done. That’ll usually involve downloading other files for them to do their job.

Gary: Well, yeah, and also we invented these things called virtual machines that you can run anything on! So as long as you have permission to run a Turing-complete computer on your computer, you can’t lock it down anymore. Whatever.

Elias: So it’s a management impossibility to whitelist everything or go with a whitelist-only approach. So usually you use some sort of hybrid, right? You inventory what you can, you allow users the flexibility to do what they want to do without getting in their way, but then you use that inventory to filter what is known and then allow the responder to focus on what’s unknown and suspicious.

Gary: OK, something completely different. So in my view, you’re kind of an artist at heart, with interests in photography and music and acting. Does artistic mindset and having a knack for art help in a field like computer security these days?

Elias: I guess it depends on what your role is. But yeah, I mean, having an imagination is really what it boils down to, right? You need to be creative, have creative thoughts. Certainly your attackers are creative, so you need to be able to match them, just to try to figure out whatever it is they’re doing.

Gary: So here’s a total flyer, and I’m only going to give you one minute to answer this. What will computer security look like in 25 years?

Elias: Well, I think probably a lot like your iPhone. I think it’s going to keep getting more locked down, and there’s going to be more of a walled garden. In many ways that’s going to be good, and in a lot of ways, especially for people like us that really love messing around with computers, that’s not going to be that great.

Gary: So more walled garden, Apple/AOL approaches?

Elias: Pretty much yeah.

Gary: Great. Thanks a lot, man.

So what is your favorite place to scuba dive?

Elias: Ah, man, that would probably be almost anywhere in the Philippines or Indonesia. Like Raja Ampat in Indonesia, like close to Papua New Guinea, is just awesome.

Gary: What’s so great over there? I haven’t been over there yet.

Elias: In Raja Ampat in particular, you get a little bit of everything. I mean, the Philippines and Indonesia, are well-known for their kind of strange, small critters. So if you are into macrophotography, it’s just wonderful. You got coral, you got muck dives, where you actually dive in the mud, looking for little things to pop out. But they also have big dives. You got places where they got sharks. In Raja Ampat, you got places with manta rays. So if you get on a boat, and then you go from island to island, when you wake up, you’re on a new island, three or four, five times a day. And then have a good meal, wake up next morning, and do it again.

Gary: Cool! Well, hey, thanks. This has been a fun conversation. I really appreciate your participating.

Elias: Hey, you’re welcome. Thanks for having me.

Gary: This has been a Silver Bullet Security Podcast with Gary McGraw. Silver Bullet is co-sponsored by Synopsys and IEEE Security & Privacy magazine and syndicated by SearchSecurity. The September/October issue of IEEE S&P Magazine is a special issue devoted to postquantum cryptography. The issue features our interview with Tanya Janca from Microsoft. Show links, notes, and an online discussion can be found on the Silver Bullet webpage at www.synopsys.com/silverbullet. This is Gary McGraw.

Elias Levy