Security researcher Dino Dai Zovi is making waves this Halloween thanks to recent comments he made at this week's Hack in the Box conference in Malaysia regarding the security of the x86 architecture.

Zovi, formerly of Matasano Security, isn't a high-profile figure in the industry, but he has worked on several notable projects, including the hardware-based Vitriol rootkit that took advantage of Intel's VT-x technology to infect a system. He won the April 2007 MacBook hacking contest, has presented at Black Hat, and maintains a strong interest in how processor architectures affect security.

At the Hack in the Box conference, Zovi warned that a theoretical x86 iPhone would have to deal with security problems that an ARM-based phone would not encounter. "That [the use of an x86 processor] will make the iPhone x86 and that will make a lot of attacks easier," the researcher told InfoWorld. "The iPhone uses the ARM processor and most people are not familiar with it...If you're doing exploits and vulnerability research, you need to know the specifics of the processor that's running."

Zovi did not give specifics on precisely how malware authors and hackers might exploit the x86 architecture to attack a smartphone, but he did note that the version of OS X that runs on the iPhone is "significantly" less secure than its desktop counterpart. Again, he declined to provide exact information on how the two were different.

x86 = security risk?

Dino Dai Zovi's comments on the merits of an x86-based iPhone are highly theoretical, given Apple's recently-announced plans to build its own iPhone CPU. Even if Apple had no such intentions, Intel doesn't currently have a solution that fits within a smartphone's power profile; such a chip won't appear until Atom transitions to 32nm, and it isn't a sure bet even then.

Safer than x86?

If Intel cares about Zovi's comments at all, it's because there's no reason to assume the iPhone would be the only device affected by hypothetical weaknesses in the x86 architecture. I've discussed Intel's branding and association plans before; the company is encouraging customers to associate "Intel Inside" with MIDs or smartphones. The idea that the x86 architecture is some sort of security risk for these devices is not good for that message, especially when the entire conversation involves products that don't even exist.

It's worth asking just how much the issues Zovi raises matter in the real world. I'm not contesting his claim that security researchers need to be familiar with specific architectural details, but security researchers are not malware authors. To date, the malware epidemics that have swept the Internet have generally not been complex attacks that required a specific client configuration or a near-genius author. The best/most virulent malware attacks have historically been quite simple ones that took advantage of broad security flaws that affected multiple operating systems.

As more of these flaws have been patched, we've seen malware authors switch attack vectors and begin focusing more on social exploits—hence the rise of phishing. Phishing attacks, however, are often simple themselves, and are far more likely to rely on user gullibility (i.e., "Click here to reset your Paypal account") than on truly sophisticated tomfoolery.

As malware creation and distribution becomes more of a commercial enterprise, the concerns of those involved are beginning to mirror the concerns of legitimate businesses. The commercial mass-marketing appeal of botnets lies in the fact that they are cheap, easy to create, and easy to maintain. No single system may remain zombified for very long, but as long as the system infection rate exceeds the system turnover rate, that's not a problem. The entire structure of the business is geared towards keeping costs low and distribution rates high.

The inherently reactive nature of modern IT security only fosters this approach. One reason Storm stuck around as long as it did is because its authors/distributors kept spinning new variants that got past AV filters. The black hats could spin new variants faster than the white hats could patch them.

I have no doubt that Dino Dai Zovi is correct when he says that the degree of general knowledge that's available regarding the x86 architecture is useful to malware authors, but any consideration of device security has to account for the protective mechanisms built into both a device's OS and its actual hardware.

Both AMD and Intel have deployed new technology to improve the latter over the past five years; AMD pioneered the "NX Disable" bit, which prevents certain types of buffer overflows from executing, while Intel has its own Trusted Execution Technology that's designed to completely sandbox certain programs in order to prevent any sort of tampering. Since the entire TXT system is hardware-based from start to finish, Intel can effectively isolate the code in question.

I don't know to what degree the problems AMD and Intel have addressed in hardware are actually inherent faults within the x86 ISA, but it seems premature to assume that any flaws of this sort cannot be addressed through the use of additional hardware.

Finding the light switch

Finally, I'd like to note that Dai Zovi's argument in favor of ARM rests on the concept of security through obscurity, an inherently weak argument. A security system based on obfuscation offers all the protection of a perfectly empty, perfectly dark room, and is promptly broken as soon as someone finds the light switch.

If a lack of familiarity with the ARM architecture is the only thing standing between the malware industry and its profits, you can bet that wall will come down fast. The cost of retraining one's employees is infinitesimal compared to the potential benefits of a smartphone botnet, and it doesn't take a genius to see the dollar signs.

If Dai Zovi seriously contends that the x86 architecture is a significant, unaddressable security risk to the smartphone industry, he needs to release more details to show it.