vale security conference - 2011 - 17 - rodrigo rubira branco (bsdaemon)


DESCRIPTION

Vale Security Conference - 2011, Sunday - 17th talk. Speaker: Rodrigo Rubira Branco (BSDaemon). Talk: Behind the scenes - Security Research. Twitter (Rodrigo Rubira Branco): https://twitter.com/#!/bsdaemon. Video (YouTube): http://www.youtube.com/watch?v=6JYM6nPdIXg. Slides (SlideShare): http://www.slideshare.net/valesecconf/rubira

TRANSCRIPT

Page 1: Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)

Behind The Scenes: Security Research

Rodrigo Rubira Branco (BSDaemon)
Director, Vulnerability & Malware Research Labs

rbranco *noSPAM* qualys.com

http://twitter.com/bsdaemon

Page 2

Kernel Hacking: If you really know, you can hack! – http://www.kernelhacking.com/rodrigo

Agenda

• Objectives
• Introduction
• Security research as a worldwide hype
  – Where are the real hackers?
  – What is the difference between the public exploits and the private ones?
• Security conferences around the globe
• The problems in the security industry
• Future

Page 3

Objectives

• Discuss security problems and security industry problems
• Demonstrate how vulnerability finding works (or is supposed to work), focusing on building the team
• Explain the challenges the exploit writer faces nowadays
• Be fun?

Page 4

Security nowadays

• Buggy programs deployed on critical servers
• Rapidly evolving threats, attackers and tools (exploitation frameworks)
• Lack of developer training, resources and people to fix problems and create safe code
• That’s why we are here today, right?

Page 5

Security nowadays – 0day challenge

[Figure: worm propagation timeline, from the first host attacked to all vulnerable hosts attacked, set against the defender's reaction time. Slammer: 10 mins; future worms: < 1 minute (Staniford et al., 2002)]

“0day Statistics

Average 0day lifetime: 348 days
Shortest life: 99 days
Longest life: 1080 days (3 years)”

– Justine Aitel

Page 6

!exploitable

    // Deliberately crashes by calling a constant address (MSVC inline assembly);
    // used to see how !exploitable rates the resulting access violation.
    __declspec(naked) int main() {
        __asm {
            mov eax, 0x41414141
            call eax
        }
    }

Page 7

!exploitable

• This is incorrectly classified as EXPLOITABLE because the tool always assumes that the attacker has control over all the input operands
• So, what is the point? The point is that security research is a long run; shortcuts will only give you tainted information (hidden joke)
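The misclassification described on these two slides, shown as a small crash-triage script. This is an added example, not code from the talk and not the !exploitable tool itself: the two classifiers, their verdict strings, the `Crash` record and every crash in `SAMPLES` are constructed for the illustration. `classify_naive` applies an operand-agnostic rule in the spirit the slide describes (every operand is presumed attacker-controlled), while `classify_with_taint` applies the same rules only when a taint tracker reports that the deciding operand was derived from external input; the `tainted_from` field is a hypothetical stand-in for what such a tracker would record.

```python
"""Crash triage with and without taint information (added example).

Two toy classifiers over constructed crash records: the first assumes every
operand of the faulting instruction is attacker-controlled, the second consults
taint information first. Names, rules and records are all constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Crash:
    name: str
    mnemonic: str                    # faulting instruction
    target_operand: str              # operand that decides where the fault lands
    fault_addr: int                  # address the instruction tried to use
    is_write: bool = False           # memory write (vs. read or control transfer)
    # Where a taint tracker saw target_operand's value come from, or None when
    # the value was never derived from external input (hypothetical field).
    tainted_from: Optional[str] = None


CONTROL_FLOW = {"call", "jmp", "ret"}


def classify_naive(c: Crash) -> str:
    """Operand-agnostic rules: every operand is presumed attacker-controlled."""
    if c.mnemonic in CONTROL_FLOW:
        return "EXPLOITABLE"              # control transfer to a bad address
    if c.is_write:
        return "EXPLOITABLE"              # write to a bad address
    return "PROBABLY_NOT_EXPLOITABLE"     # read from a bad address


def classify_with_taint(c: Crash) -> str:
    """Same rules, applied only when the deciding operand is tainted."""
    if c.tainted_from is None:
        return "NOT_EXPLOITABLE (operand not derived from input)"
    return classify_naive(c)


# Constructed crash records for the demonstration.
SAMPLES: List[Crash] = [
    # The slide's snippet: eax holds a compile-time constant, no input involved.
    Crash("constant call", "call", "eax", 0x41414141),
    # Overwritten saved return address: corrupting instruction known from taint.
    Crash("overwritten return", "ret", "[esp]", 0x41414141,
          tainted_from="strcpy at 0x401020 (constructed)"),
    # NULL dereference while reading a field of a missing object.
    Crash("null read", "mov", "[ecx+0x10]", 0x10),
    # Write through an index copied from a file header.
    Crash("tainted index write", "mov", "[ebx+eax*4]", 0x7FFF0000,
          is_write=True, tainted_from="fread() header (constructed)"),
]


def triage(samples: List[Crash]) -> Dict[str, Tuple[str, str]]:
    """Return {crash name: (naive verdict, taint-aware verdict)}."""
    return {c.name: (classify_naive(c), classify_with_taint(c)) for c in samples}


if __name__ == "__main__":
    for name, (naive, aware) in triage(SAMPLES).items():
        print(f"{name:22s} naive={naive:26s} taint-aware={aware}")
```

Only the first record changes verdict between the two columns: the constant `call eax` is rated EXPLOITABLE by the operand-agnostic rule and dismissed once the operand's provenance is known, while the crashes whose operand really does descend from input keep the same rating in both.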

Page 8

State Transition for Memory Corruption

c: corrupting instruction
t: takeover instruction
f: faulting instruction

[Figure: state-transition diagram with four coloured cases]
• Case 1 (green): format string
• Cases 2 and 3 (red and blue): buffer overflow
• Case 4 (purple): unpredictable

Source: Automatic Diagnosis and Response to Memory Corruption Vulnerabilities

Page 9

Source: http://www.h2hc.com.br/repositorio/2008/Nico.pdf

Page 10

The Extinction of Hackers - FX

• FX wrote the article long ago (well, I only have a copy of the file, so I didn’t manage to get the right timing and just forgot to ask him before coming)
• He seems to be actually right:
  – Kids use computers for games
  – Things are a lot easier to do nowadays (meaning that you don’t really need to know how to use the computer to actually do something useful with it)
  – Things are a lot more complex nowadays (yeah, in the opposite direction of the other statement) -> Exploiting software is becoming a complex task (no easy 0x41414141 anymore)

Page 11

Vulnerability Coordination?

• Basically it is a mess (but it is getting better)
• Lots of conflicts (and lots of conflicts of interest)
• Difficult to really scientifically measure the impact of any decision:
  – Full disclosure (everybody is aware, instead of only the person who is already exploiting it)

Page 12

Vulnerability Coordination

• Case 1: Security issue affecting 3 vendors. What does one of them reply?
  – “We don’t know how to fix the code, do you mind asking the other vendor to SHARE the patch?”
• Case 2: Security issue in an ‘encryption’ mechanism of a security software. What does the vendor reply?
  – “Ok, we are going to change the documentation to say it is not encryption”
• Case 3: Security issue in a web software. What does the vendor say about it?
  – “There is no security issue. Millions of people use the software and none reported the problem before”

Page 13

Who buys?

• Because everybody is buying vulnerabilities, it is becoming difficult to see vulnerability discussions in public
• Reliable/good exploits are not available for free anymore (at large)
• Governments, private sector, brokers, criminals
  – They all want our 0days
  – Legislation helps some countries
  – This is destroying the new generations

Page 14

Security Myth #1: The ‘EXPERT’

• The Market for Lemons: Quality Uncertainty and the Market Mechanism – George Akerlof
• Asymmetric knowledge
  – Complex subject
  – Industry defines its own standards
  – Politics defines ‘auditing’ (SOX)

Page 15

Security Myth #2: There is no 0day risk

• Crime and Punishment: An Economic Approach – Gary S. Becker
• There is no 100% security
  – Since there are no guarantees, why should a vendor care?
  – Security makes heavy use of the ‘ass factor’:
    » “Why should I buy from vendor X?”
    » “Because everybody is doing so”

Page 16

Security Myth #3: Computer power is growing

• Moore’s law does not help the security industry
• Forcing the perimeter to inspect everything, expecting to benefit from the growing capabilities of hardware, seems to be nonsense
• Simple as that: as computers get more power, engineers start to use it, to save bandwidth and provide security:
  – Compression
  – Encryption
• In the end, the gateway has more work to do

Page 17

Security Myth #4: IPS

• Many people seem to firmly believe the IPS is a bunch of parsers running in a central location:
  – Most likely it will be more of a pattern-match-like technology
  – This is true for security filters as well (such as the XSS protections in IE)
  – Really parsing the complex file formats on gateways is infeasible; partial parsing is used
• Everybody believes the IPS is a bridge
  – It does interact with packets (for inspection)
  – It can be exploited like any other piece of software (not common)
• Virtual Patching
  – Trust it only when a vulnerability is public but there is no patch (in this case, you have no options)
  – False positives ARE very important: check them before buying
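To make the pattern-matching versus parsing distinction on this slide concrete, here is an added example (not from the talk, and not any vendor's rule set): a keyword signature applied to raw HTTP request lines next to a detector that at least URL-decodes the query string and inspects each parameter value, both scored for false positives and false negatives over a handful of constructed requests. The regexes, request lines and function names are all constructed for the illustration; the parameter-level detector still ignores headers and bodies entirely, which is the kind of partial parsing the slide refers to.

```python
"""Signature matching vs. partial parsing on HTTP request lines (added example).

Two toy detectors are run over constructed request lines and scored on false
positives and false negatives. Neither is a real IPS rule set; the regexes,
samples and function names are all constructed for this illustration.
"""
import re
from typing import Callable, List, Tuple
from urllib.parse import parse_qsl, urlsplit

# "Pattern-match-like" detector: keywords and quote/operator pairs anywhere in
# the raw request line. '+' is accepted as a space because URL encoding uses it.
SIGNATURE = re.compile(r"('|%27)[\s+]*(or|and)\b|\bunion\b|\bselect\b", re.IGNORECASE)


def match_signature(raw_line: str) -> bool:
    return SIGNATURE.search(raw_line) is not None


# Partial parser: decode the query string parameter by parameter and flag only
# values that carry SQL structure (quote, boolean operator, comparison; or a
# UNION ... SELECT pair). Headers and bodies are not parsed at all.
SQL_FRAGMENT = re.compile(
    r"'\s*(or|and)\s+\S+\s*=|\bunion\s+(all\s+)?select\b", re.IGNORECASE)


def match_parsed(raw_line: str) -> bool:
    _method, target, _version = raw_line.split(" ", 2)
    for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if SQL_FRAGMENT.search(value):
            return True
    return False


# Constructed traffic sample: (label, request line).
SAMPLES: List[Tuple[str, str]] = [
    ("benign", "GET /search?q=select+a+union+of+sets HTTP/1.1"),
    ("benign", "GET /docs/select-a-plan HTTP/1.1"),
    ("benign", "GET /books?title=Hunters'+and+Gatherers HTTP/1.1"),
    ("benign", "GET /article?title=Jack's+Tailor HTTP/1.1"),
    ("malicious", "GET /login?user=admin'+or+1%3D1--&pass=x HTTP/1.1"),
    ("malicious", "GET /items?id=1+union+all+select+name+from+users HTTP/1.1"),
]


def evaluate(detector: Callable[[str], bool],
             samples: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Return (false positives, false negatives) of detector over samples."""
    fp = sum(1 for label, line in samples if label == "benign" and detector(line))
    fn = sum(1 for label, line in samples if label == "malicious" and not detector(line))
    return fp, fn


if __name__ == "__main__":
    for name, det in (("signature", match_signature), ("partial parser", match_parsed)):
        fp, fn = evaluate(det, SAMPLES)
        print(f"{name:15s} false positives={fp} false negatives={fn}")
```

The number to look at is the signature detector's false-positive count on the benign requests (a search query, a documentation path and a book title all trip it), which is exactly the figure the last bullet says to check before buying; note also that the raw-line signature had to treat '+' as whitespace just to see the encoded request at all, which is the sort of normalisation a real pattern-matching product has to keep piling on.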

Page 18

Security Myth #5: Rogue <you name it>

• Amazing question by Michael Golub: “What are the features an AV has that a Rogue AV doesn’t?”
  – Both do not guarantee anything
  – Both have ‘upgrade to premium’ options
  – Both will have a nice GUI (rogue AV usually is nicer)
  – Both will affect the performance of your computer (rogue AV usually is faster)
  – Both will have false alarms (false positives) -> Well, I never heard that millions of users were affected by the rogue AV quarantining a fundamental DLL of Windows and thus rendering the computer unusable

Page 19

So, why build a research team?

• Companies highly benefit from security research:
  – Better understanding
  – Real-life awareness
  – Solving complex problems with lower budgets
• Having security researchers is not only for security vendors:
  – As presented at Hackito: a researcher is capable of solving complex tasks, such as analyzing huge amounts of logs
  – A researcher can provide real understanding of the threats in an organization, and ‘translate’ the marketing materials (bullshit) into the real-world benefit they will provide

Page 20

The experts

• When choosing a researcher, be careful in selecting him
  – Remember the ‘Market for Lemons’ lessons
  – Lots of conferences around the world: being a speaker at many of them means nothing
  – Lots of security issues being released: being one of the guys who found them means nothing
    » Many crappy security issues get released (it is part of the priority list of vendors to have as many released issues as possible)
  – Ask around, go to the conferences and see for yourself, be involved if you care

Page 21

What to expect

• It is important to define targets
  – If you don’t know what you want, don’t expect much: researchers are lazy creatures (yeah, we are!)
• Don’t define how you want it done, only your expectations
  – If you really knew what you wanted, you would have hired developers, not researchers
  – I always like to tell people: “Ok, now you are giving me the solution. I’d better know the problem first”
• Security research is not only exploitation
  – Defensive capabilities
  – Complex problems
  – Malware Analysis

Page 22

Targets/Deliverables

• Some companies count exploits/person/year
  – Highly complex way to track work
  – Will work if you have a very capable manager (able to differentiate complex from simple exploits)
  – Usually done when the company is a research company or somehow has exploit writers and security researchers in different teams
• Small groups working together
  – Very effective way to work and keep track of work
  – Change the groups and see the results – easy to spot laziness

Page 23

Research capabilities

• Very often, even companies that do not have a research area have research capabilities
  – They are hidden inside development teams
  – Usually embedded in the job description of senior workers in such teams
• Create a communication link
  – Since the research is hidden inside teams, sometimes it does not achieve its maximal capability
  – Gathering information inside the company will reveal much more knowledge than initially expected

Page 24

Management

• Many processes or no processes
  – Somewhere in between
  – Important to define areas where the research has freedom to act
    » For example, to speed up the communication process with vendors
  – No paperwork means higher productivity and less boredom
    » Still, some way to track work will be required by the company
• Your team has gotta travel
  – Yes, they will want to go to H2HC in Brazil
  – They will love to spend the weekend with friends in Sao Jose dos Campos for Vale Security Conf (at least I do ☺)
  – They will be at Hackito in Paris as well
  – And there is NOTHING you can do about that
    » Better define good-to-go conferences in advance
    » Give real time for real research (yeah, REAL)

Page 25

Fuzzing, tools and others

• If your research team is going to find vulnerabilities, you:
  – Want them to have real hardware resources (fuzzers are heavy animals)
  – Want them to have a real understanding of what they are testing (and this is VERY time consuming)
  – Want them to have good tools for the process (expect to buy tools such as IDA, Zynamics BinNavi, Canvas)
• Please, please, please:
  – No dumb fuzzing anymore (I’m tired of crashes)
  – Add analysis capabilities to the game
  – Let them spend time writing tools

Page 26

Future

• I can’t foresee the future!
• Hope more researchers will start to complain about the industry
• Strongly believe the real experts will at some point receive the real attention, since the problem is constantly growing and not being fixed: something wrong is going on...

Page 27

Special Thanks

• Michael Golub
  – A good friend
  – The main point of reference/discussion for many/most of the presented ideas
• Vale Security Conference Staff
  – Great initiative, congrats and thanks!
  – For trusting me to discuss this subject here

Page 28

End! Really!?

Rodrigo Rubira Branco (BSDaemon)
Director, Vulnerability & Malware Research Labs

rbranco *noSPAM* qualys.com

http://twitter.com/bsdaemon