Black Hat Dan Kaminsky, the savior of DNS and chief scientist for White Ops, has used the opening keynote of Black Hat 2016 to outline three technologies he has been working on that could make working online a lot safer – if they are adopted.

First, and most importantly, Kaminsky has been developing a micro-sandboxing system that spins up small virtual machines (VMs) to carry out sensitive tasks, limiting their ability to infect other parts of the system.

Dubbed Autoclave, it limits the ability of the code running in the VM to communicate, and monitors what's going on inside to make sure there are no unexplained requests. The name comes from the heated chambers used to sterilize surgical equipment.

Container technology is perfect for this, Kaminsky told The Register before the show, since it has great application compatibility. He cited Docker as a great example of what could be used, but other container systems could also spin up VMs in milliseconds to cut down the processor lag that might turn off some users.

The downside is that, at the moment, none of the major cloud vendors are going to support this kind of rapid spinning up and down of VMs. Amazon and Google won't support the Autoclave as it stands at the moment, and Azure can only do so in limited circumstances – but Kaminsky said that if enough people demand it, they could.

Kaminsky is expecting this to be a long fight, similar to the one about medical germ theory, which he references in the name of the system. Hopefully he won't end up like Ignaz Semmelweis, who provided the first empirical proof of germ theory but was shunned by the medical community and ended up a crazed alcoholic.

The second piece of technology is IronFrame, the theory for which Kaminsky outlined at last year's DEFCON. IronFrame can be built into a "magic browser," he said, which would allow web designers to build webpages that allow functions in a known safe state.

If a new software build isn't finalized then it can be embedded in the browser and run as a separate file, while suppressing extraneous functions. It would also allow direct contact with third-party web functions without having to leave a target page. As Kaminsky is an advisor to the World Wide Web Consortium, it's possible that IronFrame could be put into future browser specifications, but that's a ways down the line. In the meantime, Kaminsky said, it would allow web designers to have better control of what's on their web pages and would let users try out new features without imperiling their systems.

Kaminsky's third idea is, he acknowledged, a bit out there - which is why he didn't talk about it at Black Hat. The technology, dubbed Astatica, aims to apply machine learning techniques to software training for fleshy humans.

"It wasn't until I tried to learn machine learning that I understood how so many people have problems with security," he said. "We are terrible at teaching people how to make things secure. We're not paying enough attention to what they need."

Astatica uses CSV files to process information and suggest new ways of learning about security issues. The system is still in its early stages, but Kaminsky says it could be a major breakthrough in teaching people about security.

None of these technologies is going to fix the internet instantly; it's a long-term process, he said. Ideally this is something government should be devoted to fixing long term (as in five to ten years of research). Business won't do it, he said, because it only thinks about the next quarter's results.

But action is desperately needed, he opined, because for the first time people are actually losing confidence in the internet. He cited the pathetic security of Internet of Things devices, which has left people assuming technology is unsafe, and this could provide a stimulus for change.

"We have the opportunity, we've got the interest, we've got the – I hate to say it – fear," Kaminsky said. "Not all fear is FUD – things are actually getting compromised – so let's figure out why this is hard, and let's go fix it." ®

Sponsored: 2016 Cyberthreat defense report

The Register - Security

Leave a Reply

Your email address will not be published. Required fields are marked *