LURE halts BrickerBot destruction

April 11, 2017

One of the key operating principles of LURE, the Linux Unprivileged Root Environment, is to make ‘root’ or privileged access to an IoT or industrial control device a “don’t care”. This “don’t care” principle is what enables LURE to provide BrickerBot defense and protect devices from malware attacks such as BrickerBot.

LURE’s Mandatory Access Control (MAC) model prevents the disastrous side effects of BrickerBot from being invoked, and so enables systems to provide BrickerBot defense. LURE does not prevent attackers from gaining access through default username / password combinations; however, once an attacker gains access to a LURE-protected device, they will not be able to brick the device, render it inoperable, or enlist the device in a botnet.

By default, LURE prevents all access to character and block devices, as well as direct access to hardware including the flash and storage subsystems. LURE also prevents access to the special devices that can be used to read and write memory and application state directly, outside of normal channels. These device and hardware restrictions are inherent to the Linux Security Module (LSM) used by LURE. Access control policies are written offline and assigned at runtime to specific applications, such as a system updater. Applications protected by LURE are encrypted at rest and validated at runtime using a block-level HMAC, and LURE prevents the modification, examination, and introspection of protected applications, libraries and configuration files. The access control policies enforced by LURE cannot be disabled or subverted at runtime. LURE also integrates several additional security frameworks from the Linux kernel, such as module signing, which prevents executable and potentially malicious code from being injected into the kernel.
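To illustrate what block-level HMAC validation buys a defender, here is an added example that is not Star Lab's code: the page does not describe LURE's block size, key handling or MAC construction, so those are assumptions here. Binding the block index and total length into each tag means that block reordering, duplication and truncation are caught, not just in-place byte edits.

```python
import hmac
import hashlib

BLOCK_SIZE = 4096  # assumed granularity; LURE's real block size is not given on the page


def block_macs(data: bytes, key: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Return one HMAC-SHA256 tag per block of `data`.

    The block index and the total length are mixed into every MAC input so
    that swapping, duplicating or truncating blocks is detected as well as
    an in-place byte change. An empty file still yields one tag.
    """
    total = len(data)
    tags = []
    for idx, off in enumerate(range(0, max(total, 1), block_size)):
        block = data[off:off + block_size]
        msg = idx.to_bytes(8, "big") + total.to_bytes(8, "big") + block
        tags.append(hmac.new(key, msg, hashlib.sha256).digest())
    return tags


def verify_blocks(data: bytes, key: bytes, tags: list,
                  block_size: int = BLOCK_SIZE) -> list:
    """Return the indexes of blocks whose tag does not match.

    An empty list means the image is intact. A changed block count
    (truncation or appended data) flags every block, since a loader
    must not run any part of an image of unexpected size.
    """
    expected = block_macs(data, key, block_size)
    if len(expected) != len(tags):
        return list(range(max(len(expected), len(tags))))
    # compare_digest keeps the comparison constant-time per tag.
    return [i for i, (a, b) in enumerate(zip(expected, tags))
            if not hmac.compare_digest(a, b)]


if __name__ == "__main__":
    # Constructed sample: a 40-byte "binary" checked with 16-byte blocks.
    key = b"constructed-demo-key"
    image = bytes(range(40))
    tags = block_macs(image, key, 16)
    tampered = bytearray(image)
    tampered[20] ^= 0x01            # flip one bit inside block 1
    print("intact:", verify_blocks(image, key, tags, 16))
    print("tampered:", verify_blocks(bytes(tampered), key, tags, 16))
```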

Malware such as BrickerBot relies on being able to interact directly with the hardware and the corresponding block devices. LURE stops the effects of BrickerBot from being invoked on a protected system. LURE also enforces protections around the tunable kernel parameters that BrickerBot modifies on infected systems to degrade the device’s performance and increase the impact of the attack.

LURE protects IoT and industrial control systems from disastrous consequences, even when the attacker has ‘root’ or privileged access on the system. LURE turns compromised credentials, such as those used by BrickerBot, and privilege escalation vulnerabilities such as Dirty COW / CVE-2016-5195, into “don’t cares”, and continues to enforce system-level protections and Mandatory Access Control.

Contact Star Lab today for a hands-on demo of LURE, and find out how LURE can be used to protect your Linux-based systems and devices from the permanent effects of malware such as BrickerBot.