The Hacker Strategy

Dave Aitel dave@immunityinc.com

Security Research

Who am I

CTO, Immunity Inc.

History: NSA -> @stake -> Immunity

Responsible for new product development

Vulnerability Sharing Club, Immunity CANVAS, Immunity Debugger, SILICA

Hackers use People, Processes and Technology to obtain a singular goal: Information dominance

Your strategic security plan:
FAI
Policy
Secure Development Lifecycles
Technology
Automated Source Code Analysis
Non-Execute
ASLR
Stack Protecting Compilers
Heap cookies

Take a sample product X and attack it remotely

Obtain Product
Protocol Analysis
Manual Network Vulnerability Analysis
Fuzzing
Source/Binary Analysis
Open Source Research
Private Source Research
Exploit Development

The unseen step: Picking your targets

Target: Bob's Network Server, Steve's ISAPI Filter, Carl's Backup, Yusef's AntiVirus, Dan's Software Management

Third party software is often the problem

Target Software
SSLeay
OpenLDAP
(This you think you understand)
zlib
libcurl
Crystal Reports
Etc
Platform API's (Win32/Posix/etc)
(This you may not even know is being used)

Obtaining hardware and software is the hardest step

Protocol Analysis is often quite easy

Hackers always create custom client protocol libraries

Custom Client: Exploits, Manual Analysis, Fuzzers

Manual Security Analysis

Recon
Authentication
Overflows
Other
Crypto
Backdoors

Basic Binary Analysis For Fun and Profit

Look at all DLL's loaded by the application and all exposed API's and text strings
Trace from all incoming packets to get a feel for the structure of the application
Look for dangerous code patterns
Conduct code coverage review

Not The Ideal Coding Style

What you can find in 1 hour of binary analysis:
Basic data flow from the network
Coding style (the use of bad API's, e.g.)
Simple backdoors ("DEBUG" string in command list, etc)
Potential vulnerabilities
One Week of Binary Analysis should get you at least one good vulnerability

But will probably get you several exploitable bugs, and potentially an exploit as well
Real binary analysis is almost never just static analysis
Which is why automated static analyzers are at a severe disadvantage compared to a human

This data will feed quite well into your fuzzer

Dynamic analysis provides for better analysis

Static Disassembly
Dynamic Analysis
Human Analysis
BinDiff
Type Reconstruction
Data Flow Analysis
Call Graphs (Function Pointers)
One month of binary analysis will get you a vulnerability no one else will ever find

Defeating the automated systems such as Prefix/Prefast, the SDL and SafeSEH/NX/ASLR may require this amount of effort
A lot of what you will do is build custom binary analysis scripts and protocol libraries
Vulnerabilities no one else will ever have are extremely useful

What binary analysis is and is not

In its most advanced form, you transform the program into another kind of program or equation and "solve" it to find vulnerabilities
Most people scan for code patterns or have code scanning for code patterns
Finding some bug classes is insanely hard this way

Source Code Analysis

Not as hard as you think from a hacker's perspective

Auditing the entire Solaris source tree for one bug can be done in a morning
Doing intense study of some part of the Linux kernel can take several weeks

http://taossa.com/

Hackers do have the source code

Maintaining global information dominance means that source code to almost every product is available to a skilled hacker group
This puts them at an immediate advantage over security teams
They also have a tendency to work at software vendors

Automated source code analyzers don't solve the problem

High false positive rate
No ability to read and understand comments
Can't prioritize
Can't follow unstated data flow
Only find the simple bug-classes, such as strcpy()
Microsoft has the world's best source code analyzers – it helps, but it's no solution
On Tools

Tools are very useful, we build a lot of tools, and use them all the time here at Microsoft. Some of those tools have found their way into our SDKs and Visual Studio so our customers can use them too. But I would never claim that these tools make code "free of security defects." - Michael Howard (Microsoft SWI)

The defensive side

Manual analysis

Burns out programmers quickly

Secure Software Design Programs such as Microsoft's threat modeling work to some degree
Moving to a more secure platform provides the largest benefit

How to build a fuzzer that finds bugs you care about

Your fuzzer and another hacker's fuzzer will not find all the same bugs!
The Venn Diagram usually looks like this:

Hacker's bugs | Your bugs

What kind of fuzzer to write

I prefer block based

Use Python (everyone does)
Sulley is a good option
SPIKE 3.0
Peach
etc

Fuzzing is a many year process

For each vulnerability that comes out, make sure your fuzzer can find it, then abstract it a bit more
There are two basic things you need to add:

Transformations: A -> AAAAAAA...AAAAAA
Syntax patterns: GET /<fuzz string> HTTP/1.0\r\n\r\n
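A block-based case generator for the request on the slide, as an added example that is not code from the talk nor the API of Sulley, SPIKE or Peach; the block names, the transformation lengths and the syntax patterns are assumptions, and covers() implements the "make sure your fuzzer can find it" regression rule:

```python
from typing import Iterator, List, Tuple

# Constructed block model of the request shown on the slide:
#     GET /<fuzz string> HTTP/1.0\r\n\r\n
# Each block is (name, default bytes, fuzzable?). The names and the
# layout are assumptions for this example, not Sulley's or SPIKE's API.
BLOCKS: List[Tuple[str, bytes, bool]] = [
    ("method", b"GET", True),
    ("sp1", b" ", False),
    ("path", b"/", True),
    ("sp2", b" ", False),
    ("version", b"HTTP/1.0", True),
    ("crlf", b"\r\n\r\n", False),
]

# Syntax patterns: tokens that probe how the parser treats the grammar around
# a block (format directives, a terminator, extra line endings, high bytes).
SYNTAX_PATTERNS: List[bytes] = [b"%s%x" * 4, b"\x00", b"\r\n" * 4, b"\xff" * 64]


def length_transforms() -> Iterator[bytes]:
    """Transformation 'A -> AAAAAAA...': one byte repeated at growing lengths."""
    for n in (64, 1024, 65535):
        yield b"A" * n


def syntax_transforms(default: bytes) -> Iterator[bytes]:
    """Each pattern both replacing the block's value and appended to it."""
    for pattern in SYNTAX_PATTERNS:
        yield pattern
        yield default + pattern


def generate_cases() -> List[Tuple[str, bytes]]:
    """Block-based fuzzing: mutate one fuzzable block, keep the others intact."""
    cases = []
    for idx, (name, default, fuzzable) in enumerate(BLOCKS):
        if not fuzzable:
            continue
        for mutated in list(length_transforms()) + list(syntax_transforms(default)):
            request = b"".join(
                mutated if i == idx else value for i, (_, value, _) in enumerate(BLOCKS)
            )
            cases.append((name, request))
    return cases


def covers(trigger: bytes) -> bool:
    """The slide's regression rule: can the fuzzer reproduce a known trigger?"""
    return any(trigger in request for _, request in generate_cases())
```

When a new bug's trigger makes covers() return False, the fix is to add the generalized pattern to SYNTAX_PATTERNS or a new transform, which is the "abstract it a bit more" step.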

Myth: Fuzzing only catches low hanging fruit

Fuzzing can catch many vulnerabilities that are hard to see with the naked eye or from static analysis

The DTLogin arbitrary free is one example
Off by ones
Race conditions

Looking at emergent behaviours in the hacker community from small to large

Things you can't see that no doubt exist

"Vendor Management" Teams
X.25 Attack Research was very popular in the late 90's and remains so to this day
SCADA is certainly on everyone's radar

Hackers maintain a pipeline of things:

What protocols are most buggy that no one else is looking at
Bug classes that are hard to scan for by automated technologies
Bugs themselves
Exploitation techniques

0days are a hacker obsession

An 0day is a vulnerability that is not publicly known

IDS/IPS cannot find them
Can your forensics team figure them out?

Modern 0days often combine multiple attack vectors and vulnerabilities into one exploit

Many of these are used only once on high value targets

Real-world 0day Statistics

As of June 16 2007:
Average 0day lifetime: 348 days
Shortest life: 99 days
Longest life: 1080 (3 years)

The Market Always Wins: 0day is for sale. Deal with it.

Tippingpoint, Eeye, Gleg.net, Dsquare, Idefense, Digital Armaments, WabiSabiLabi, Breakingpoint, etc

Classes of Vulnerabilities

The classic example is the format string bug:

printf(user_supplied_string, args);

Easy to scan for with automatic tools or compiler options
Commonly available in code in 2000
Now an extinct species
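An added example (not from the talk) of the kind of pattern scanner that catches the two "simple" bug classes the slides name, strcpy() from the automated source code analyzers slide and the non-literal printf format string from this one; the C sample is constructed, and its printf(fmt, ...) line shows the false positive that a scanner without data-flow tracking produces:

```python
import re
from typing import List, Tuple

# Constructed C sample (not from the slides): the two simple bug classes a
# pattern scanner catches, next to calls that only look dangerous.
SAMPLE_C = r'''void log_user(const char *name) {
    char tmp[64];
    const char *fmt = "user=%s\n";
    strcpy(tmp, name);                   /* unbounded copy */
    printf(name);                        /* caller-controlled format string */
    printf(fmt, name);                   /* constant format, but not a literal */
    printf("hello %s\n", name);          /* literal format: fine */
    snprintf(tmp, sizeof tmp, "%s", name);
}
'''

# Format-string sinks mapped to the index of their format argument.
FORMAT_SINKS = {"printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1}
# Unbounded copies are flagged on sight, like the slide's strcpy() class.
UNBOUNDED_COPIES = {"strcpy", "strcat", "gets"}

CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\((.*?)\)\s*;")


def split_args(arglist: str) -> List[str]:
    """Split a C argument list on top-level commas (nested calls stay whole)."""
    args, depth, cur = [], 0, ""
    for ch in arglist:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
    return args + [cur.strip()] if cur.strip() else args


def scan(source: str) -> List[Tuple[int, str, str]]:
    """Return (line number, function, reason) for every pattern hit."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in CALL_RE.finditer(line):
            func, args = m.group(1), split_args(m.group(2))
            if func in UNBOUNDED_COPIES:
                hits.append((lineno, func, "unbounded copy"))
            elif func in FORMAT_SINKS:
                idx = FORMAT_SINKS[func]
                if idx < len(args) and not args[idx].startswith('"'):
                    hits.append((lineno, func, "non-literal format string"))
    return hits
```

The scanner cannot tell that fmt holds a constant, which is the "can't follow unstated data flow" limitation; a compiler's format warnings behave the same way on a non-literal format argument.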

Vulnerability Classes you know about

Stack/Heap overflows
Format Strings
Race conditions
Uninitialized variable problems
Integer overflows and indexing problems

Vulnerability classes you don't know about

Race conditions
Sophisticated timing attacks
Extremely complex multi-vector overflows
Kernel attacks
Lots of vulnerabilities in hardware you've never seen attacked publicly

Now: Defeating Patching, IDS, Anti-Virus, etc.

Be faster to attack than the defender can deploy patches
Attack frameworks, better debuggers

Attack with vulnerabilities that are unknown (0days)
New bug classes, better debuggers, new exploit techniques

The Future

Look for more embedded system attacks
Look for more interesting bug classes
Vista/Windows 7 – not the answer
Hacker Teamwork

Thank you for your time
Contact us at: admin@immunityinc.com

Security Research Team