DLP system DeviceLock 8.2 - a leaky fence guarding your security

In October 2017 I happened to attend a promotional seminar for the DeviceLock DLP system, where, in addition to the main leak-protection functionality such as closing USB ports and contextual analysis of mail and the clipboard, protection against the administrator was advertised. The model is simple and beautiful: an installer comes to a small company, installs a set of programs and a BIOS password, creates a DeviceLock administrator account, and leaves the local admin only the rights to manage Windows itself and the rest of the software. Even if he wanted to, this admin would not be able to steal anything. But that is all theory...

Since in 20+ years of developing information security tools I have seen clearly that an administrator can do anything, especially with physical access to a computer, so that the main protection against him can only be organizational measures such as strict accounting and physical protection of the computers holding important information, the idea of testing the robustness of the proposed product arose immediately.

An attempt to do it right after the end of the seminar failed: the head-on protection against deleting the main service, DlService.exe, was done properly, and they had not forgotten about access rights or about choosing the last known good configuration, so knocking it out the way most viruses are, by forbidding the system to read and execute it, did not work.

To all questions about the protection of the drivers that are presumably included in the product, a representative of the developer, Smart Line, confidently stated that "everything is at the same level."

A day later I decided to continue my research and downloaded a trial version. I was immediately surprised by the size of the distribution: almost 2 GB! I am used to system software, which is commonly referred to as information security tools (IPS), usually being far more compact.

After installation I was surprised a second time: the executable mentioned above is also quite large, 13 MB. I immediately thought that with such a volume there would be something to cling to. I tried to replace the module using delayed writing - closed. I dug into the program's directories, and there are 11 drivers in there alone! I poked at their permissions: they are not locked against modification! Well then, deny access to all of them and reboot!

The effect is simply enchanting: all functions are off, the service does not start. What kind of self-defense is that? Take and copy whatever you want, to flash drives or over the network. The first serious flaw of the system surfaced: the coupling between the components is too tight. Yes, the service should communicate with the drivers, but why crash if nobody answers? As a result, there is one way to bypass the protection.

Having found out that the miracle service is so tender and sensitive, I decided to check its dependencies on third-party libraries. Here it is even simpler: the list is long, we simply delete the WinSock_II library at random and observe a similar picture: the service did not start, the system is open.

As a result, we have exactly what the speaker painted at the seminar: a powerful fence, but one that does not enclose the whole protected perimeter for lack of money, and in the open stretch there is just a thorny rosehip bush. In this case, given the architecture of the product, which does not assume an environment closed by default but rather a variety of plugs, interceptors and traffic analyzers, it is more like a picket fence, and many of the planks are screwed on from the outside with self-tapping screws and are very easy to unscrew. The problem with most such solutions is that among such a huge number of potential holes there is always a chance to forget something, miss a dependency, or hurt stability by implementing one of the interceptors badly. Judging by the fact that the vulnerabilities listed in this article lie right on the surface, the product contains many more that would take a couple of hours longer to find.

Moreover, the market is full of examples of competently implemented protection against shutdown, for example domestic anti-virus tools, whose self-defense cannot simply be bypassed. As far as I know, they did not skimp on getting FSTEC certification either.

After several conversations with Smart Line employees, several similar weak spots that they had not even heard of were found. One example is the AppInitDll mechanism.

Although it is not the deepest hook, in many cases it lets you avoid getting into the OS kernel and affecting its stability. nVidia drivers make full use of this mechanism to tune the video adapter for a specific game.
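The two findings above, driver and library files that are not locked against modification by anyone but the service itself, and a service that fails open when one of them is missing, plus the AppInitDll hook, can be turned into a routine endpoint check. The script below is an added example written for this article, not code from the article or from Smart Line; it assumes the service name DlService and a placeholder install directory, both to be adjusted, and reads the real registry value AppInit_DLLs.

```powershell
# Added audit script (not from the article or from Smart Line).
# Assumptions: the DLP service is registered as "DlService" and the
# install directory below is a placeholder to replace with the real one.
param(
    [string]$ServiceName = 'DlService',
    [string]$InstallDir  = 'C:\Program Files\DeviceLock'   # placeholder
)

$report = @()

# 1. A stopped DLP service means the endpoint is unprotected: this is the
#    fail-open behaviour described in the article, so alert on it.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if (-not $svc) {
    $report += "[!] service '$ServiceName' is not installed"
} elseif ($svc.Status -ne 'Running') {
    $report += "[!] service '$ServiceName' is $($svc.Status)"
}

# 2. Only SYSTEM, Administrators and TrustedInstaller should be able to
#    write to or delete the service binary, its DLLs and its drivers.
$trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
               'NT SERVICE\TrustedInstaller')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

$files = Get-ChildItem -Path $InstallDir -Recurse -Include *.exe,*.dll,*.sys `
                       -ErrorAction SilentlyContinue
foreach ($file in $files) {
    $acl = Get-Acl -Path $file.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            (($ace.FileSystemRights -band $writeMask) -ne 0) -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            $report += "[!] $($file.FullName): $($ace.IdentityReference) " +
                       "has $($ace.FileSystemRights)"
        }
    }
}

# 3. AppInit_DLLs: every DLL listed here is loaded into each process that
#    links user32.dll, so the value should normally be empty or disabled.
$key     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($appInit.LoadAppInit_DLLs -eq 1 -and $appInit.AppInit_DLLs) {
    $report += "[!] AppInit_DLLs is enabled: $($appInit.AppInit_DLLs)"
}

if ($report.Count -eq 0) { 'OK: no findings' } else { $report }
```

Run it from an elevated prompt so that Get-Acl can read every entry; any "[!]" line is a permission or configuration to review before trusting the self-defense claim.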

The complete lack of an integrated approach to building an automated system based on DL 8.2 raises questions. The proposal is to describe the product's advantages to the customer, check the computing power of the existing PCs and servers (the context analyzers are very resource-intensive, and Atom-based office all-in-ones and nettops will not do here), and simply roll the product out on top. At the same time, terms such as "access control" and "closed software environment" were not even mentioned at the seminar. Encryption was described as not only complex but likely to raise questions from regulators, although in reality there are no problems with that. Questions about certification, even with FSTEC, were brushed aside because of its alleged complexity and length. As an information security specialist who has repeatedly taken part in such procedures, I can say that in the course of them many vulnerabilities similar to those described in this material are revealed, because the specialists of the certifying laboratories have serious specialized training.

As a result, the presented DLP system can perform only a very small set of functions that actually ensure information security, while generating a serious computational load and creating a feeling of corporate data security among company management inexperienced in information security matters.

In reality it can protect only large volumes of data, and only from an unprivileged user, because the administrator is quite capable of completely deactivating the protection, and for small secrets even a junior cleaner will think to quietly photograph the screen, or simply memorize an address or credit card number while looking over a colleague's shoulder.
Moreover, all of this holds only if employees cannot get physical access to the insides of the PC, or at least to the BIOS to enable booting from external media. Then even BitLocker may not help, and it is hardly used anyway in companies that have only just started thinking about protecting information.

The conclusion, however trite it may sound, is an integrated approach to information security, including not only software and hardware solutions but also organizational and technical measures to rule out photo and video capture and to keep outsiders, "boys with a phenomenal memory", off the premises. Relying on the miracle product DL 8.2, advertised as a one-step solution to most enterprise security problems, is not an option.

Source: habr.com
