The Hacker Strategy. Dave Aitel dave@immunityinc.com. Security Research

Similar documents
Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Testing for Security

ASL IT SECURITY XTREME XPLOIT DEVELOPMENT

Reverse Engineering and Computer Security

90% of data breaches are caused by software vulnerabilities.

Peach Fuzzer Platform

SAFECode Security Development Lifecycle (SDL)

*[Bug hunting ] Jose Miguel Esparza 7th November 2007 Pamplona S21sec

Vulnerability Management Nirvana: A Study in Predicting Exploitability

0days: How hacking really works. V 1.0 Jan 29, 2005 Dave Aitel dave@immunitysec.com

Integrating Tools Into the SDLC

DISCOVERY OF WEB-APPLICATION VULNERABILITIES USING FUZZING TECHNIQUES

The Advantages of Block-Based Protocol Analysis for Security Testing

Web App Security Audit Services

Telecom Testing and Security Certification. A.K.MITTAL DDG (TTSC) Department of Telecommunication Ministry of Communication & IT

Source Code Review Using Static Analysis Tools

Defense-in-Depth Strategies for Secure, Open Remote Access to Control System Networks

Threat Modeling. Categorizing the nature and severity of system vulnerabilities. John B. Dickson, CISSP

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

WHITEPAPER. Nessus Exploit Integration

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Application Intrusion Detection

Network and Host-based Vulnerability Assessment

Banking Security using Honeypot

Security Tools - Hands On

<Insert Picture Here> What's New in NetBeans IDE 7.2

Web Application Security

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

What Do You Mean My Cloud Data Isn t Secure?

Security Testing in Critical Systems

White Paper. Automating Your Code Review: Moving to a SaaS Model for Application Security

OPC & Security Agenda

Integrating Web Application Security into the IT Curriculum

Automating Security Testing. Mark Fallon Senior Release Manager Oracle

Chapter 14 Analyzing Network Traffic. Ed Crowley

Intrusion Defense Firewall

Staying Secure After Microsoft Windows Server 2003 Reaches End of Life. Trevor Richmond, Sales Engineer Trend Micro

The Web AppSec How-to: The Defenders Toolbox

Intrusion Detection and Cyber Security Monitoring of SCADA and DCS Networks

Developing Secure Software in the Age of Advanced Persistent Threats

Deep Security Vulnerability Protection Summary

SANS Top 20 Critical Controls for Effective Cyber Defense

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

ITEC441- IS Security. Chapter 15 Performing a Penetration Test

Tools and Techniques to automate the discovery of Zero Day Vulnerabilities. A.K.A Fuzzing 101

Security Products Development. Leon Juranic

Firewalls Overview and Best Practices. White Paper

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Research on the Essential Network Equipment Risk Assessment Methodology based on Vulnerability Scanning Technology Xiaoqin Song 1

Programming Flaws and How to Fix Them

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

TOOL EVALUATION REPORT: FORTIFY

HoneyBOT User Guide A Windows based honeypot solution

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

SECURITY TRENDS & VULNERABILITIES REVIEW 2015

ensuring security the way how we do it

Cyber R &D Research Roundtable

Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com

Web Application Security

INTRUSION DETECTION SYSTEM (IDS) D souza Adam Jerry Joseph I MCA

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

Database Security Guide

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Penetration Testing Lessons Learned. Security Research

Defending Against Data Beaches: Internal Controls for Cybersecurity

Moderator: Benjamin McGee, CISSP Cyber Security Lead SAIC

Malicious Network Traffic Analysis

TECHNICAL NOTE 08/04 IINTRODUCTION TO VULNERABILITY ASSESSMENT TOOLS

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

SAST, DAST and Vulnerability Assessments, = 4

Devising a Server Protection Strategy with Trend Micro

What is Really Needed to Secure the Internet of Things?

Why Should You Care About Security Issues? SySmox WEB security Top seven ColdFusion Security Issues

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Information Technology Career Cluster Introduction to Cybersecurity Course Number:

Devising a Server Protection Strategy with Trend Micro

Computer Networks & Computer Security

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

Lecture 15 - Web Security

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

Enterprise Cybersecurity: Building an Effective Defense

Threat Modeling/ Security Testing. Tarun Banga, Adobe 1. Agenda

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Rapid Security Framework (RSF) Taxonomie, Bewertungsparameter und Marktanalyse zur Auswahl von Fuzzing-Tools

Operating System Security

Endpoint Security 2.0: The Emerging Role of Application Whitelisting Solutions. Todd Schell

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Transcription:

1 The Hacker Strategy Dave Aitel dave@immunityinc.com Security Research

Who am I? CTO, Immunity Inc. History: NSA->@stake -> Immunity Responsible for new product development Vulnerability Sharing Club Immunity CANVAS Immunity Debugger SILICA 2

3 Hackers use People, Processes and Technology to obtain a singular goal: Information dominance

Take a sample product X and attack it remotely Obtain Product Protocol Analysis Manual Network Vulnerability Analysis Fuzzing Source/Binary Analysis Private Source Research Exploit Development Open Source Research 4

5 The unseen step: Picking your targets Target: Bob's Network Server Steve's ISAPI Filter Yusef's AntiVirus Carl's Backup Dan's Software Management

6 Third party software is often the problem Target Software This you think you understand SSLeay Zlib OpenLDAP libcurl Crystal Reports Etc This you may not even know is being used Platform API's (Win32/Posix/etc)

7 Obtaining hardware and software is the hardest step

Protocol Analysis is often quite easy 8

9 Hackers always create custom client protocol libraries Custom Client Exploits Manual Analysis Fuzzers

10 Manual Security Analysis Recon Authentication Overflows Other Crypto Backdoors

11 Basic Binary Analysis For Fun and Profit Look at all DLL's loaded by the application and all exposed API's and text strings Trace from all incoming packets to get a feel for the structure of the application Look for dangerous code patterns Conduct code coverage review

Not The Ideal Coding Style

13 What you can find in 1 hour of binary analysis Basic data flow from the network Coding style (the use of bad API's, f.e.) Simple backdoors ( DEBUG string in command list, etc) Potential vulnerabilities

One Week of Binary Analysis should get you at least one good vulnerability But will probably get you several exploitable bugs, and potentially an exploit as well Real binary analysis is almost never just static analysis Which is why automated static analyzers are at a severe disadvantage from a human This data will feed quite well into your fuzzer 14

15 One month of binary analysis will get you a vulnerability no one else will ever find Defeating the automated systems such as Prefix/Prefast, the SDL and SafeSEH+NX +ASDL may require this amount of effort A lot of what you will do is build custom binary analysis scripts and protocol libraries Vulnerabilities no one else will ever have are extremely useful

What binary analysis is and is not In its most advanced form, you transform the program into another kind of program or equation and solve it to find vulnerabilities Most people scan for code patterns or have code scanning for code patterns Finding some bug classes is insanely hard this way 16

17 Source Code Analysis Not as hard as you think from a hacker's perspective Auditing entire Solaris source tree for one bug can be done in a morning Doing intense study of some part of the Linux kernel can take several weeks http://taossa.com/

Hackers do have the source code Maintaining global information dominance means that source code to almost every product is available to a skilled hacker group This puts them at an immediate advantage over security teams They also have a tendency to work at software vendors 18

Automated source code analyzers don't solve the problem High false positive rate No ability to read and understand comments Can't prioritize Can't follow unstated data flow Only find the simple bug-classes, such as strcpy() Microsoft has the world's best source code analyzers it helps, but it's no solution 19

20 On Tools Tools are very useful, we build a lot of tools, and use them all the time here at Microsoft. Some of those tools have found their way into our SDKs and Visual Studio so our customers can use them too. But I would never claim that these tools make code "free of security defects." - Michael Howard (Microsoft SWI)

The defensive side Manual analysis Burns out programmers quickly Secure Software Design Programs such as Microsoft's threat modeling work to some degree Moving to a more secure platform provides the largest benefit 21

22 How to build a fuzzer that finds bugs you care about

23 Your fuzzer and another hacker's fuzzer will not find all the same bugs! Hacker's bugs Your bugs The Venn Diagram usually looks like this

24 What kind of fuzzer to write? I prefer block based Use Python (everyone does) Sulley is a good option SPIKE 3.0 Peach etc

Fuzzing is a many year process For each vulnerability that comes out, make sure your fuzzer can find it, then abstract it a bit more There's two basic things you need to add Transformations A->AAAAAAA...AAAAAA Syntax patterns GET /<fuzz string> HTTP/1.0\r\n\r\n 25

26 Myth: Fuzzing only catches low hanging fruit Fuzzing can catch many vulnerabilities that are hard to see from the naked eye or from static analysis DTLogin Arbitrary Free, is one example Off by ones Race conditions

27 Looking at emergent behaviours in the hacker community from small to large

28 Things you can't see that no doubt exist Vendor Management Teams X.25 Attack Research was very popular in the late 90's and remains so to this day SCADA is certainly on everyone's radar

29 Hackers maintain a pipeline of things: What protocols are most buggy that no one else is looking at Bug classes that are hard to scan for by automated technologies Bugs themselves Exploitation techniques

0days are a hacker obsession An 0day is a vulnerability that is not publicly known IDS/IPS cannot find them Can your forensics team figure them out? Modern 0days often combine multiple attack vectors and vulnerabilities into one exploit Many of these are used only once on high value targets 30

31 As of June 16 2007: Real-world 0day Statistics Average 0day lifetime: 348 days Shortest life: 99 days Longest life: 1080 (3 years)

The Market Always Wins: 0day is for sale. Deal with it. Tippingpoint WabiSabiLabi Eeye Breakingpoint Gleg.net etc Dsquare Idefense Digital Armaments 32

33 Classes of Vulnerabilities The classic example is the format string bug printf(user_supplied_string,args); Easy to scan for with automatic tools or compiler options Commonly available in code in 2000 Now an extinct species

34 Vulnerability Classes you know about Stack/Heap overflows Format Strings Race conditions Uninitialized variable problems Integer overflows and indexing problems

Vulnerability classes you don't know about Race conditions Sophisticated timing attacks Extremely complex multi-vector overflows Kernel attacks Lots of vulnerabilities in hardware you've never seen attacked publicly 35

36 Now: Defeating Patching, IDS, Anti-Virus, etc. Be faster to attack than the defender can deploy patches Attack frameworks, better debuggers Attack with vulnerabilities that are unknown (0days) New bug classes, better debuggers, new exploit techniques

37 The Future Look for more embedded system attacks Look for more interesting bug classes Vista/Windows 7 not the answer Hacker Teamwork

38 Thank you for your time Contact us at: admin@immunityinc.com Security Research Team

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information