In our ongoing series of interviews, this week Matthieu Suiche answered a few questions and pulled back the curtain a bit on the methods, tools and motivation for the work he does.
Suiche is director and founder of MoonSols, a computer security and kernel code consulting and software company. He mainly focuses on reverse code engineering and volatile memory analysis. His previous researches/utilities include the Windows hibernation file, Windows physical memory acquisition (Win32dd/Win64dd) and Mac OS X Physical Memory Analysis.
Suiche has been a speaker at various security conferences such as PacSec, BlackHat USA, EUROPOL High Tech Crime Meeting, Shakacon etc. Prior to starting MoonSols in 2010, he worked for companies such as E.A.D.S. (European Aeronautic Defense and Space Company) and the Netherlands Forensics Institute of the Dutch Ministry of Justice.
What motivates you to find security vulnerabilities?
Most of the time, the main purpose is not to find security vulnerabilities but to understand how a module or a piece of code works — either to be able to use it or to improve it. There are enough people looking for security vulnerabilities or doing software QA for free or in multi-billion dollar companies, I don’t think the industry really needs me for that. :)
What are the primary tools you use, and how do you use them?
Most of my tools are like most other people’s: IDA because it’s a powerful disassembler with a powerful framework, Visual Studio as a compiler, either Microsoft WinDbg or OllyDbg for debugging purposes. Especially WinDbg, which is really helpful on several fields from crash dumps analysis to live debugging sessions like I do with MoonSols LiveCloudKd that makes it possible to open the physical memory of a running Microsoft Hyper-V Windows virtual machine as Microsoft full memory crash dump.
How do you choose your target of investigation? Do you pick your target application and look for bugs, or look for a genre of bug in many different applications?
Most of the time, if it’s not a kernel module, I won’t be interested in looking at it. And the numbers of interesting kernel modules is not that big so it makes things easier. Basically, it’s been known for several years that Microsoft win32k.sys kernel module is the perfect target for kernel bugs in Windows.
How do you handle disclosure? Which vendors have been good to work with and which have not?
Hum, that’s a very wide question. Microsoft has been pretty good, they usually have a pretty good relationship with researchers — I’ve never dealt with RIM but I can tell that their Program Managers have a really good relationship with researchers too.
What are you working on currently?
I spend most of my time working on an application to monitor Microsoft Hyper-V virtual machines from the host. Basically, to retrieve any information related to processes, dlls, objects, handles, kernel modules and kernel structures that can be useful for troubleshooting but also for incident response or malwares detection.
What do you think is the biggest challenge facing InfoSec as an industry?
The biggest challenge of InfoSec is still the people, from end-users to the CISO. Most of the time, people don’t even understand what security really is. The example of Sony is pretty meaningful, they got hacked and they’re probably gonna lose billions. They started to look for “Security People” and if you read the job offer it’s pretty ridiculous. The required skills were basically; Nessus, “Intermediate level of dev exp with one of the web languages such as PHP, .NET, JAVA, HTML, Perl, Python, Ruby on Rails etc is required” and last but not least “Knowledge of SANS Top 25 and OWASP Top 10 vulnerabilities.” This is just a shame. I didn’t even mention that it was a “Senior” position — Here is the link if you want to check by yourself http://www.careerbuilder.com/JobSeeker/Jobs/JobDetails.aspx?job_did=J3F4GV6PLHHGXQC9WWF
What what do you see as the biggest changes in computer forensics in the past few years?
The general interest for computer forensics and incident response had definitely increased in the past few years, like it did with computer security. People start to understand slowly that security is important, especially because everybody is using it daily either from their laptops or their cellphones.
How can computer forensics be used offensively?
In the case of physical memory forensic expertise, this knowledge can be applied to hiding pieces of code efficiently in memory, and also how to inject code with precision in virtual machines from the host. For instance, that could be used for mass infection of virtual machines.