Wednesday, September 05, 2007

Denier's Dilemma

Shankar Vendatam at the Washington Post writes:

The federal Centers for Disease Control and Prevention recently issued a flier to combat myths about the flu vaccine. It recited various commonly held views and labeled them either "true" or "false." Among those identified as false were statements such as "The side effects are worse than the flu" and "Only older people need flu vaccine."

When University of Michigan social psychologist Norbert Schwarz had volunteers read the CDC flier, however, he found that within 30 minutes, older people misremembered 28 percent of the false statements as true. Three days later, they remembered 40 percent of the myths as factual.


(By way of the often excellent, and often nutty, Overcoming Bias.) I'm reminded of the difficulty I've had explaining that VMs and security don't really have much to do with one another. Is it possible that, in attempting to explain something really convoluted to a crowd that barely cares, we sometimes do more harm than good? If you find yourself in a situation where you're in possession of a counter-intuitive result, that's really hard to explain, but important none the less, what's the ethical thing to do, given that saying "X" will register in a lot of folks' minds as "not X"?


Blogger Thomas Ptacek said...

You probably shouldn't overgeneralize. VM's do profoundly impact security. I'll agree that the impact is a net positive. But as a concrete example: many of the same tricks we can use to detect hypervisors can also potentially be used to pry RSA keys out of sibling VMs.

3:14 PM  
Blogger Keith Adams said...

Thanks. You're absolutely right that saying "security and VMs don't have much to do with one another" is an overgeneralization. But I'm not sure I understand your specific example; the existence of covert channels between VMs is amenable to the usual techniques for defeating covert channels, e.g., fuzzing, more coarse performance isolation, etc. But hypervisor detection tricks aren't "covert channels" per se; trying to apply fuzzing only makes the hypervisor more detectable. Or is this cross-VM RSA key fishing you're talking about something more subtle and sinister than I'm guessing? Please inform me.

6:49 AM  
Blogger Thomas Ptacek said...

Here's a great intro paper you've probably already read, but for the sake of explaining where my head's at: Osvik & Tromer,

What got me started on this specifically is the BTB paper: Aciicmez & Seifert,

In both cases, the crypto running inside a VM needs to be carefully structured to avoid leaking information about key bits (via cache timing or branch latency in these two cases). How confident are we that all such side channels have been identified and will be extinguished? I'm not at all.

11:11 AM  
Blogger Keith Adams said...

Thanks for taking me to school; both papers are interesting reading for a security novice like myself.

I should have worded my claims more weakly; to clarify, I was talking specifically about so-called "hypervisor-based rootkits," which I claim are a myth. From an attacker's point of view, they provide much more hassle than a more traditional kernel compromise, for a very minimal gain in difficulty of detection.

7:56 AM  
Blogger tontobius said...

In the CDC example, apparently a number of statements were listed, some of which were negated independently of the statement itself. Requiring people to do mental operations like sentence negation is a sure way to reduce comprehension. I don't think the subsequent study demonstrates much except that this is a bad way to present information, particularly to a general audience.

If you want people to remember something, make the statements you want them to remember, make them as unambiguous as possible, make them positive statements if possible, and avoid complex constructions like double negatives, etc.

However, it does sounds as though your VM paper runs into this sort of problem, almost inevitably: reasoning about what bad actors will do in response to detecting emulated environments ends up involving multiple potential levels of negation, like reasoning about what a double agent will do if he knows you know he knows etc...

This could perhaps be mitigated by stating the conclusions you want to communicate as directly as possible up front, and only then getting into the logic of those conclusions.

5:30 PM  
Blogger fche said...

The phenomenon may have something in common with postmodern literary criticism ... where by the very act of asking a question, one may be interpreted to assert an answer. See this article for an engineer's visit to the wacky lit-crit world.

4:01 PM  

Post a Comment

<< Home