Behind The Scenes
Security Research
Rodrigo Rubira Branco (BSDaemon)
Director, Vulnerability & Malware Research Labs
rbranco *noSPAM* qualys.com
http://twitter.com/bsdaemon
Kernel Hacking: If you really know, you can hack! – http://www.kernelhacking.com/rodrigo
Agenda
• Objectives
• Introduction
• Security research as a worldwide hype
– Where are the real hackers?
– What is the difference between the public exploits and the private ones?
• Security conferences around the globe
• The problems in the security industry
• Future
Objectives
• Discuss security problems and security-industry problems
• Demonstrate how vulnerability finding works (or is supposed to work) – focusing on building the team
• Explain the challenges the exploit writer faces nowadays
• Be fun?
Security nowadays
• Buggy programs deployed on critical servers
• Rapidly-evolving threats, attackers and tools (exploitation frameworks)
• Lack of developer training, resources and people to fix problems and create safe code
• That’s why we are here today, right?
Security nowadays – 0day challenge
[Timeline figure: from the first host attacked to all vulnerable hosts attacked. Reaction time: Slammer: 10 mins; future worms: < 1 minute (Staniford et al., 2002)]
“0day Statistics
Average 0day lifetime: 348 days
Shortest life: 99 days
Longest life: 1080 (3 years)”
- Justine Aitel
!exploitable
// MSVC inline assembly (the slide's example, with the compiler's double-underscore keywords).
// Loads a fixed constant into EAX and calls through it: the process faults on an
// unmapped address that no attacker ever influenced.
__declspec(naked) int main() {
    __asm {
        mov eax, 0x41414141   // hard-coded immediate, not derived from any input
        call eax              // faults: 0x41414141 is not a mapped address
    }
}
!exploitable
• This is incorrectly classified as EXPLOITABLE because the tool always assumes that the attacker has control over all the input operands
• So, what is the point? The point is that security research is a long-distance run; shortcuts will only give you tainted information (hidden joke)
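To make the slide's point concrete, here is an added toy triage classifier (not code from the slides or from the !exploitable tool): the naive rule treats every operand of the faulting instruction as attacker-controlled and flags the slide's crash, while a taint-aware rule only flags a register that actually derives from input. The crash records, address ranges and taint sets are constructed for the example.

```python
"""Toy crash-triage classifier (added example, not from the slides or the
!exploitable tool). It contrasts the shortcut the slide criticises, where
every operand of the faulting instruction is assumed attacker-controlled,
with a taint-aware rule that only flags operands derived from input."""
from dataclasses import dataclass, field

# Constructed address space: a code segment and a stack segment only.
MAPPED = (range(0x00400000, 0x00500000), range(0x0012E000, 0x00130000))


@dataclass
class CrashState:
    """Constructed crash record: the faulting instruction plus register state."""
    mnemonic: str            # e.g. "call", "jmp", "mov"
    operands: tuple          # e.g. ("eax",)
    regs: dict               # register -> value at the fault
    tainted: set = field(default_factory=set)  # registers derived from input


def is_mapped(addr: int) -> bool:
    return any(addr in seg for seg in MAPPED)


def naive_triage(crash: CrashState) -> str:
    """!exploitable-style shortcut: a control transfer through a register
    holding an unmapped address is EXPLOITABLE, whatever the register's origin."""
    if crash.mnemonic in ("call", "jmp"):
        if not is_mapped(crash.regs[crash.operands[0]]):
            return "EXPLOITABLE"
    return "UNKNOWN"


def taint_aware_triage(crash: CrashState) -> str:
    """Same rule, but the verdict is downgraded when the register was never
    influenced by input, which is the case for the slide's mov eax, 0x41414141."""
    verdict = naive_triage(crash)
    if verdict == "EXPLOITABLE" and crash.operands[0] not in crash.tainted:
        return "PROBABLY_NOT_EXPLOITABLE"
    return verdict


# Constructed crash 1: the slide's program, EAX loaded from an immediate.
SLIDE_CRASH = CrashState("call", ("eax",), {"eax": 0x41414141})
# Constructed crash 2: same fault, but EAX was read from a parsed file.
INPUT_CRASH = CrashState("call", ("eax",), {"eax": 0x41414141}, tainted={"eax"})

if __name__ == "__main__":
    for name, crash in (("slide", SLIDE_CRASH), ("input", INPUT_CRASH)):
        print(name, naive_triage(crash), taint_aware_triage(crash))
```

Both crashes look identical at the faulting instruction; only the provenance of EAX separates the false positive from the real finding.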
State Transition for Memory Corruption
[State-transition diagram; legend:]
c: corrupting instruction
t: takeover instruction
f: faulting instruction
• Case 1 (green): Format String
• Case 2 and 3 (red and blue): buffer overflow
• Case 4 (purple): unpredictable
Source: Automatic Diagnosis and Response to Memory Corruption Vulnerabilities
Source: http://www.h2hc.com.br/repositorio/2008/Nico.pdf
The Extinction of Hackers - FX
• FX wrote the article long ago (well, I only have a copy of the file, so I didn’t manage to get the right timing and just forgot to ask him before coming)
• He seems to be actually right:
– Kids use computers for games
– Things are a lot easier to do nowadays (meaning that you don’t really need to know how to use the computer to actually do something useful with it)
– Things are a lot more complex nowadays (yeah, in the opposite direction of the other statement) -> Exploiting software is becoming a complex task (no easy 0x41414141 anymore)
Vulnerability Coordination?
• Basically it is a mess (but it is getting better)
• Lots of conflicts (and lots of conflicts of interest)
• Difficult to really measure scientifically the impacts of any decision:
– Full disclosure (everybody is aware, instead of only the person who is already exploiting it)
Vulnerability Coordination
• Case 1: Security issue affecting 3 vendors. What does one of them reply?
– “We don’t know how to fix the code, do you mind asking the other vendor to SHARE the patch?”
• Case 2: Security issue in an ‘encryption’ mechanism of a security software. What does the vendor reply?
– “Ok, we are going to change the documentation to say it is not encryption”
• Case 3: Security issue in a web software. What does the vendor say about it?
– “There is no security issue. Millions of people use the software and none reported the problem before”
Who buys?
• Because everybody is buying vulnerabilities, it is becoming difficult to see vulnerability discussions in public
• Reliable/good exploits are not available for free anymore (at large)
• Governments, private sector, brokers, criminals
– They all want our 0days
– Legislation helps some countries
– This is destroying the new generations
Security Myth #1: The ‘EXPERT’
• The Market for Lemons: Quality Uncertainty and the Market Mechanism – George Akerlof
• Asymmetric knowledge
– Complex subject
– Industry defines its own standards
– Politics defines ‘auditing’ (SOX)
Security Myth #2: There is no 0day risk
• Crime and Punishment: An Economic Approach - Gary S. Becker
• There is no 100% security
– Since there are no guarantees, why should the vendor care?
– Security makes heavy use of the ‘ass factor’:
» “Why should I buy from vendor X?”
» “Because everybody is doing so”
Security Myth #3: Computer power is growing
• Moore’s law does not help the security industry
• Forcing the perimeter to inspect everything, expecting to benefit from the growing capabilities of hardware, seems to be nonsense
• Simple as that: as computers get more power, engineers start to use it, to save bandwidth and provide security:
– Compression
– Encryption
• In the end, the gateway has more work to do
Security Myth #4: IPS
• Many people seem to firmly believe an IPS is a bunch of parsers running in a central location:
– Most likely it will be more of a pattern-match-based technology
– This is true for security filters as well (such as the XSS protections in IE)
– Really parsing complex file formats on gateways is infeasible; partial parsing is used
• Everybody believes an IPS is a bridge
– It does interact with packets (for inspection)
– It can be exploited like any other piece of software (not common)
• Virtual Patching
– Trust it only when a vulnerability is public but there is no patch (in this case, you have no options)
– False positives ARE very important: check them before buying
Security Myth #5: Rogue <you name it>
• Amazing question by Michael Golub: “What are the features an AV has, that a Rogue AV doesn’t?”
– Neither guarantees anything
– Both have ‘upgrade to premium’ options
– Both will have a nice GUI (rogue AV usually is nicer)
– Both will affect the performance of your computer (rogue AV usually is faster)
– Both will have false alarms (false positives) -> Well, I never heard that millions of users were affected by the rogue AV quarantining a fundamental DLL of Windows and thus leaving the computer unusable
So, why build a research team?
• Companies benefit highly from security research:
– Better understanding
– Real-life awareness
– Solving complex problems with lower budgets
• Having security researchers is not only for security vendors:
– As presented in Hackito: a researcher is capable of solving complex tasks, such as analyzing huge amounts of logs
– A researcher can provide real understanding of the threats in an organization, ‘translate’ the marketing materials (bullshit) to the real-world benefit they will provide
The experts
• When choosing a researcher, be careful in selecting them
– Remember the ‘Market for Lemons’ lessons
– Lots of conferences around the world: being a speaker in many of them means nothing
– Lots of security issues being released: being one of the guys who found them means nothing
» Many crappy security issues are being released (it is part of the priorities list of vendors to have as many released issues as possible)
– Ask around, go to the conferences and see it yourself, be involved if you care
What to expect
• It is important to define targets
– If you don’t know what you want, don’t expect much: researchers are lazy creatures (yeah, we are!)
• Don’t define how you want it done, only your expectations
– If you really knew what you wanted, you would have hired developers, not researchers
– I always like to tell people: “Ok, now you are giving me the solution. I better know the problem first”
• Security research is not only exploitation
– Defensive capabilities
– Complex problems
– Malware Analysis
Targets/Deliverables
• Some companies count exploits/person/year
– Highly complex way to track work
– Will work if you have a very capable manager (able to differentiate complex from simple exploits)
– Usually done when the company is a research company or somehow has exploit writers and security researchers in different teams
• Small groups together
– Very effective way to work and keep track of work
– Change the groups and see the results – easy to spot laziness
Research capabilities
• Very often, even companies that do not have a research area have research capabilities
– They are hidden inside development teams
– Usually embedded in the job description of senior workers in such teams
• Create a communication link
– Since the research is hidden inside teams, sometimes it does not achieve its maximal capability
– Gathering information inside the company will reveal much more knowledge than initially expected
Management
• Many processes or no processes
– Somewhere in between
– Important to define areas where the research has freedom to act
» For example, to speed up the communication process with vendors
– No paperwork means higher productivity and less boredom
» Still, some way to track work will be required by the company
• Your team gotta travel
– Yes, they will want to go to H2HC in Brazil
– They will love to spend the weekend with friends in Sao Jose dos Campos for Vale Security Conf (at least I do ☺ )
– They will be at Hackito in Paris as well
– And there is NOTHING you can do about that
» Better define good-to-go conferences in advance
» Give real time for real research (yeah, REAL)
Fuzzing, tools and others
• If your research team is going to find vulnerabilities, you:
– Want them to have real hardware resources (fuzzers are heavy animals)
– Want them to have real understanding of what they are testing (and this is VERY time consuming)
– Want them to have good tools for the process (expect to buy tools such as IDA, Zynamics BinNavi, Canvas)
• Please, please, please:
– No dumb fuzzing anymore (I’m tired of crashes)
– Add analysis capabilities to the game
– Let them spend time writing tools
Future
• I can’t foresee the future!
• Hope more researchers will start to complain about the industry
• Strongly believe the real experts at some point will receive the real attention, since the problem is constantly growing and not being fixed: something wrong is going on...
Special Thanks
• Michael Golub
– A good friend
– The main point of reference/discussions for many/most of the presented ideas
• Vale Security Conference Staff
– Great initiative, congrats and tks!
– For trusting me to discuss this subject here
End! Really !?
Rodrigo Rubira Branco (BSDaemon)
Director, Vulnerability & Malware Research Labs
rbranco *noSPAM* qualys.com
http://twitter.com/bsdaemon