DaveAitel_TheHackerStrategy2


8/21/2019 DaveAitel_TheHackerStrategy2

Slide 1/40

The Hacker Strategy
Security Research
Dave Aitel
[email protected]
Slide 2/40

Who am I: CTO, Immunity Inc.
History: NSA -> @stake -> Immunity
Responsible for new product development
Vulnerability Sharing Club
Immunity CANVAS
Immunity Debugger
SILICA

Slide 3/40

Hackers use People, Processes and Technology to obtain a singular goal: Information dominance

Slide 4/40

Your strategic security plan: FAIL
Policy
Secure Development Lifecycles
Technology
Automated Source Code Analysis
Non-Execute
ASLR
Stack Protecting Compilers
Heap cookies

Slide 5/40

Take a sample product X and attack it remotely
Obtain Product
Protocol Analysis
Fuzzing
Manual
Network
Vulnerability Analysis
Source/Binary Analysis
Exploit Development
Open Source Research
Private Source Research

Slide 6/40

The unseen step: Picking your targets
Target: Bob

Slide 7/40

Third party software is often the problem
Target Software
Platform API (Win32/Posix/etc.)
Etc.
libCrystalReports
OpenLDAP
libcurl
SSLeay
This you think you understand
This you may not even know is being used

Slide 8/40

Obtaining hardware and software is the hardest step

Slide 9/40

Protocol Analysis is often quite easy

Slide 10/40

Hackers always create custom client protocol libraries
Custom Client
Fuzzers
Manual Analysis
Exploits

Slide 11/40

Manual Security Analysis
Other
Authentication
Crypto
Overflows
Backdoors
Recon

Slide 12/40

Basic Binary Analysis for Fun and Profit
Look at all DLL

Slide 13/40

Not The Ideal Coding Style

Slide 14/40

What you can find in 1 hour of binary analysis
Basic data flow from the network
Coding style (the use of bad API, DEBUG string in command list, etc.)
Potential vulnerabilities

Slide 15/40

One Week of Binary Analysis should get you at least one good vulnerability
But will probably get you several exploitable bugs, and potentially an exploit as well
Real binary analysis is almost never just static analysis
Which is why automated static analyzers are at a severe disadvantage from a human
This data will feed quite well into your fuzzer

Slide 16/40

Dynamic analysis provides for better analysis
BinDiff
Type Reconstruction
Data Flow Analysis
Call Graphs (Function Pointers)
Static Disassembly
Dynamic Analysis
Human Analysis

Slide 17/40

One month of binary analysis will get you a vulnerability no one else will ever find
Defeating the automated systems such as Prefix/Prefast, the SDL and SafeSEH/NX/ASDL may require this amount of effort
A lot of what you will do is build custom binary analysis scripts and protocol libraries
Vulnerabilities no one else will ever have are extremely useful

Slide 18/40

What binary analysis is and is not
In its most advanced form, you transform the program into another kind of program or equation and "solve" it to find vulnerabilities
Most people scan for code patterns or have code scanning for code patterns
Finding some bug classes is insanely hard this way

Slide 19/40

Source Code Analysis
Not as hard as you think from a hacker

Slide 20/40

Hackers do have the source code
Maintaining global information dominance means that source code to almost every product is available to a skilled hacker group
This puts them at an immediate advantage over security teams
They also have a tendency to work at software vendors

Slide 21/40

Automated source code analyzers don't

Slide 22/40

On Tools
"Tools are very useful, we build a lot of tools, and use them all the time here at Microsoft. Some of those tools have found their way into our SDKs and Visual Studio so our customers can use them too. But I would never claim that these tools make code 'free of security defects.'" - Michael Howard (Microsoft SWI)

Slide 23/40

The defensive side
Manual analysis burns out programmers quickly
Secure Software Design Programs such as Microsoft

Slide 24/40

How to build a fuzzer that finds bugs you care about

Slide 25/40

Your fuzzer and another hacker

Slide 26/40

What kind of fuzzer to write
I prefer block based
Use Python (everyone does)
Sulley is a good option
SPIKE, Peach, etc.

Slide 27/40

Fuzzing is a many year process
For each vulnerability that comes out, make sure your fuzzer can find it, then abstract it a bit more
There

Slide 28/40

Myth: Fuzzing only catches low hanging fruit
Fuzzing can catch many vulnerabilities that are hard to see from the naked eye or from static analysis
DTLogin Arbitrary Free is one example
Off by ones
Race conditions
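As an added illustration of slides 26 through 28 (not code from the deck or from Immunity), a minimal block-based fuzzer in Python of the kind the slides recommend, run against a constructed toy parser with an off-by-one, the bug class the slide says fuzzing catches. The message layout, the boundary values and the parser itself are all assumptions; the regression-case helper implements the "make sure your fuzzer can still find it" advice.

```python
import struct
from typing import Optional

FIELD_SIZE = 16  # assumed size of the toy target's fixed destination field

def parse_command(msg: bytes) -> bytes:
    """Constructed toy target: opcode | u16 length | payload, copied into a fixed field
    and NUL-terminated. Off by one: a 16-byte payload puts the NUL one past the end."""
    if len(msg) < 3:
        raise ValueError("short header")
    length = struct.unpack(">H", msg[1:3])[0]
    payload = msg[3:3 + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if length > FIELD_SIZE:  # bug: should be '>=' to leave room for the NUL
        raise ValueError("too long")
    field = bytearray(FIELD_SIZE)
    field[:length] = payload
    field[length] = 0  # IndexError when length == FIELD_SIZE (one-byte overflow in C)
    return bytes(field)

def sized_message(opcode: int, payload: bytes, length: Optional[int] = None) -> bytes:
    """Block-based message: the length block tracks its sibling payload unless overridden."""
    if length is None:
        length = len(payload)
    return bytes([opcode]) + struct.pack(">H", length & 0xFFFF) + payload

PAYLOAD_SIZES = (0, 1, FIELD_SIZE - 1, FIELD_SIZE, FIELD_SIZE + 1, 255)  # boundary sizes
LENGTH_OVERRIDES = (0, 1, 0x7FFF, 0xFFFF)  # corrupted length-field values

def generate_cases(opcode: int = 1):
    for n in PAYLOAD_SIZES:
        payload = b"A" * n
        yield sized_message(opcode, payload)  # length consistent with payload
        for bad in LENGTH_OVERRIDES:
            yield sized_message(opcode, payload, bad)

def fuzz(target, cases) -> list:
    crashes = []
    for case in cases:
        try:
            target(case)
        except ValueError:
            pass  # the parser's intended rejection path, not a crash
        except Exception:
            crashes.append(case)
    return crashes

# The slide's advice: each bug found becomes a regression case the fuzzer must keep finding.
REGRESSION_CASES = [sized_message(1, b"A" * FIELD_SIZE)]
def fuzzer_still_finds(target) -> bool:
    return all(fuzz(target, [case]) == [case] for case in REGRESSION_CASES)
```

Running `fuzz(parse_command, generate_cases())` returns exactly the 16-byte-payload message; every corrupted-length case is rejected cleanly, which is the distinction between a parser that refuses input and one that fails on it.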

Slide 29/40

Looking at emergent behaviours in the hacker community from small to large

Slide 30/40

Things you can

Slide 31/40

Hackers maintain a pipeline of things:
What protocols are most buggy that no one else is looking at
Bug classes that are hard to scan for by automated technologies
Bugs themselves
Exploitation techniques

Slide 32/40

0days are a hacker obsession
An 0day is a vulnerability that is not publicly known
IDS/IPS cannot find them
Can your forensics team figure them out?
Modern 0days often combine multiple attack vectors and vulnerabilities into one exploit
Many of these are used only once on high value targets

Slide 33/40

Real-world 0day Statistics
As of June 16, 2007:
Average 0day lifetime: 348 days
Shortest life: 99 days
Longest life: 1080 days (3 years)

Slide 34/40

The Market Always Wins: 0day is for sale. Deal with it.
TippingPoint
eEye
Gleg.net
Dsquare
iDefense
DigitalArmaments
WabiSabiLabi
BreakingPoint
etc.

Slide 35/40

Classes of Vulnerabilities
The classic example is the format string bug
printf(usersuppliedstring, args)
Easy to scan for with automatic tools or compiler options
Commonly available in code in 2
Now an extinct species

Slide 36/40

Vulnerability Classes you know about
Stack/Heap overflows
Format Strings
Race conditions
Uninitialized variable problems
Integer overflows and indexing problems

Slide 37/40

Vulnerability classes you don't

Slide 38/40

Now: Defeating Patching, IDS, Anti-Virus, etc.
Be faster to attack than the defender can deploy patches
Attack frameworks, better debuggers
Attack with vulnerabilities that are unknown (0days)
New bug classes, better debuggers, new exploit techniques

Slide 39/40

The Future
Look for more embedded system attacks
Look for more interesting bug classes
Vista/Windows 7 = not the answer
Hacker Teamwork

Slide 40/40

Thank you for your time
Contact us at:
[email protected]
Security Research Team