Let's cyber: hacking, 0days and vulnerability research. PATROKLOS ARGYROUDIS CENSUS S.A.

Transcription

1 Let's cyber: hacking, 0days and vulnerability research PATROKLOS ARGYROUDIS CENSUS S.A.

2 Who am I Researcher at CENSUS S.A. - Vulnerability research, reverse engineering, exploit development, binary & source code auditing, tooling for these Before CENSUS I was a postdoc at Trinity College Dublin - Designing, implementing, attacking network security protocols Heap exploitation obsession, both userland and kernel

3 About CENSUS IT security services that require lab work - Penetration testing - Incident response - Digital forensics - Code auditing - Secure SDLC - Training - Vulnerability research (device & software) - Exploit development

4 Research at CENSUS Our research work enhances and defines our services Presented at international conferences - INFILTRATE ZeroNights AthCon Black Hat USA Black Hat Europe 2011 and 2010 Integrated into publicly available tools - Metasploit Framework Is a service itself

5 Outline (cyber)vulnerabilities! (cyber)exploits! (cyber)0days! (cyber)hacking! (cyber)defense!

6 Vulnerabilities The term vulnerability describes a violation of a system's security model Plainly, a bug that allows actions not intended by the developer Implementation specific: e.g. mismanaged buffers, mismanaged integers Logic specific: e.g. privileged actions without correct checks Holistic view: the poor code quality of your media player can violate the security of your PC

7 Bug discovery If source code not available, binary reverse engineering (RE) mov eax, [ebp + arg_0] shl eax, 2 push eax call _malloc - An experienced reverser finds such bugs in an hour or less Available source code makes the process faster (usually) Fuzzing (usually) gives poor quality bugs - If used properly can uncover good bugs

8 Bug quality Some bugs are better than others - Allow greater control over the target process - Read/write process memory primitives Bug collisions - Better bugs are reached through complex application logic - Are more difficult to find Target - Some media player - A library that most browsers use - A proprietary web server for embedded devices - Linux kernel

9 Exploits The term exploit describes a program that utilizes one or more vulnerabilities in order to break the security boundaries of a system - E.g. a Firefox exploit uses a bug (or more) in Firefox's code to make the browser read all your files and send them over the network It's not easy to assess the impact of a vulnerability without an exploit - There are many examples of bugs declared by experts as not exploitable only for full exploits to be released by others a few days later

10 Exploit mitigations Countermeasures provided by the platform (i.e. the operating system and/or the application) that aim to generically stop exploits - Not executable stack and heap - Heap and stack cookies - Randomization (ASLR, PIE) - Sandboxing and process isolation - API ACLs - Control-Flow Integrity (CFI) - Managed code (C#, Java, etc.) that people think it doesn't suffer from memory corruption bugs Sometimes make a bug not exploitable - Other times reduce an exploit's reliability

11 Exploitation techniques Exploit development requires a lot of man-days - Complexity of targets - Mitigations - Reliability (making sure an exploit works in the wild ) Exploitation techniques are re-usable methodologies for exploiting different bugs - Of the same application / target (nowadays) - Many different targets on the same OS (up to early 2000s) Techniques are of equal importance as bugs themselves Most important techniques stay private i.e. you can't really assess risk with public information

12 0days A zero-day bug (or oh-day ) is a vulnerability that is not publicly known discovered in private and kept secret A 0day exploit is an exploit that utilizes one or more 0day bugs 0days are nearly impossible to detect - Generic signatures? Behavioral IDS? > Haven't encountered one that can't be bypassed - How do you know it's there? > No one uses high-valued 0days in an unknown network high risk of losing them

13 Traditional pentesting

14 Advanced pentesting

15 Defense WTF!!!!111one, we got hacked! - Security based on boxes : firewalls, IDS, IPS, antivirus gateways, etc. Your security defense strategy must deal with the reality of 0day bugs/exploits and techniques You must proactively look for vulnerabilities in software/devices you depend on - Or wait for the attackers to find them first ;)

16 Outlook Prepare accordingly Look for 0day bugs in your software and software you depend on like an attacker would Develop exploits / exploitation techniques against it If you can't do it, hire offensive minded IT security companies (like CENSUS ;) to do it for you

17 References Dave Aitel: The hacker strategy Patroklos Argyroudis: Η αξία της έρευνας ευπαθειών στις δοκιμές παρείσδυσης Dan Guido: The exploit intelligence project Microsoft: Software vulnerability exploitation trends Dino Dai Zovi: Attacker math