I think that I would like to focus more on the defense side now. In the past two years I have worked on several offensive techniques, starting from passive, very hard to detect covert channels ("Nushu"), then I presented "Stealth by Design", type II malware, then I showed that Vista kernel can be subverted despite the new protection mechanism and also demonstrated that recent hardware virtualization technology can be used to create a new class of stealth malware - something I call type III malware (e.g. "Blue Pill"). And just recently I found that hardware based memory acquisition as used for forensics, believed to be absolutely reliable, because it uses so called "Direct Memory Access" to read memory, can be cheated in some cases.

Unfortunately I haven't seen any serious effort in the security world to address most of those threats. We still don't have any effective way to combat type II malware. Network intrusion detection systems and firewalls are years behind when it comes to detecting or preventing any more advanced covert channels. We still don't have any good solution to prevent or detect hardware virtualization based malware...


I would like to work more on the defense side now - I believe that we should convince OS vendors (and also CPU vendors) to make systems verifiable - so that we could come up with *systematic* ways to check whether the system is infected by any of type I, II or III malware.