Security Research
1
Who am I
Hackers use People, Processes and Technology to obtain a singular goal: Information dominance
Your strategic security plan: Policy, Secure Development Lifecycles. Technology: Automated Source Code Analysis, Non-Execute, ASLR, Stack Protecting Compilers, Heap cookies
Fuzzing
Exploit Development
zlib, libcurl
Fuzzers
10
Authentication
Overflows, Other
Crypto
Backdoors
11
Look at all DLLs loaded by the application and all exposed APIs and text strings
Trace from all incoming packets to get a feel for the structure of the application
Look for dangerous code patterns
Conduct code coverage review
12
Basic data flow from the network
Coding style (the use of bad APIs, for example)
Simple backdoors (“DEBUG” string in command list, etc.)
Potential vulnerabilities
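As an added example (not from the deck), the following Python script does the first-pass triage the two slides above describe: it pulls printable strings out of a binary image, looks for protocol verb tables, flags maintenance verbs such as the slide's "DEBUG" sitting in a command list, and lists references to risky C string APIs. The byte blob is a constructed stand-in for a real program image, and the token lists are assumptions to be tuned per target.

```python
import re
from typing import Dict, List

# Constructed sample "binary" (not a real program image): a NUL-separated
# protocol verb table, some import-style names and a banner, embedded as
# bytes so the script runs offline.
SAMPLE_IMAGE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"HELO\x00MAIL\x00RCPT\x00DATA\x00DEBUG\x00QUIT\x00"
    + b"\x00\x00\x90\x90"
    + b"strcpy\x00sprintf\x00memcpy\x00snprintf\x00"
    + b"220 mail.example.test ESMTP ready\x00"
)

# Verbs that usually mean a maintenance or undocumented path was compiled
# in. Assumed list; tune it to the protocol under review.
BACKDOOR_TOKENS = {"DEBUG", "WIZ", "MAINT", "TEST", "BACKDOOR"}

# C string APIs worth a second look in review (assumed list).
DANGEROUS_APIS = {"strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf"}


def extract_strings(image: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def find_command_tables(image: bytes, min_cmds: int = 4) -> List[List[str]]:
    """Runs of short, upper-case, NUL-terminated words: the shape of a
    protocol verb table such as SMTP's HELO/MAIL/RCPT/DATA."""
    pattern = rb"(?:[A-Z]{3,8}\x00){%d,}" % min_cmds
    return [[w.decode("ascii") for w in m.group().split(b"\x00") if w]
            for m in re.finditer(pattern, image)]


def triage(image: bytes) -> Dict[str, List[str]]:
    """Summarise what a reviewer should look at first."""
    strings = extract_strings(image)
    tables = find_command_tables(image)
    suspicious = sorted({cmd for table in tables for cmd in table
                         if cmd in BACKDOOR_TOKENS})
    apis = sorted({s for s in strings if s in DANGEROUS_APIS})
    return {
        "command_tables": [" ".join(t) for t in tables],
        "suspicious_commands": suspicious,
        "dangerous_apis": apis,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_IMAGE).items():
        print(f"{key}: {value}")
```

The verb-table heuristic is deliberately simple (consecutive short upper-case words); on a real image you would point it at the data section and cross-check each flagged verb against the dispatch code that consumes the table.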
14
One week of binary analysis should get you at least one good vulnerability
But it will probably get you several exploitable bugs, and potentially an exploit as well. Real binary analysis is almost never just static analysis
Which is why automated static analyzers are at a severe disadvantage compared to a human
15
BinDiff
Type Reconstruction
One month of binary analysis will get you a vulnerability no one else will ever find
Defeating the automated systems such as Prefix/Prefast, the SDL and SafeSEH/NX/ASLR may require this amount of effort. A lot of what you will do is build custom binary analysis scripts and protocol libraries. Vulnerabilities no one else will ever have are extremely useful
17
In its most advanced form, you transform the program into another kind of program or equation and “solve” it to find vulnerabilities. Most people scan for code patterns or have code scanning for code patterns. Finding some bug classes is insanely hard this way
18
Auditing the entire Solaris source tree for one bug can be done in a morning. Doing intense study of some part of the Linux kernel can take several weeks
http://taossa.com/
19
Maintaining global information dominance means that source code to almost every product is available to a skilled hacker group. This puts them at an immediate advantage over security teams. They also have a tendency to work at software vendors
20
Only find the simple bug classes, such as strcpy(). Microsoft has the world's best source code analyzers: it helps, but it's no solution
21
On Tools
"Tools are very useful, we build a lot of tools, and use them all the time here at Microsoft. Some of those tools have found their way into our SDKs and Visual Studio so our customers can use them too. But I would never claim that these tools make code "free of security defects."
- Michael Howard (Microsoft SWI)
22
Manual analysis
Secure Software Design Programs such as Microsoft's threat modeling work to some degree. Moving to a more secure platform provides the largest benefit
23
24
Your fuzzer and another hacker's fuzzer will not find all the same bugs!
The ,enn Diagram usually looks like this
25
Use Python (everyone does). Sulley is a good option. SPIKE, Peach, etc.
26
For each vulnerability that comes out, make sure your fuzzer can find it, then abstract it a bit more. There are two basic things you need to add
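The loop described on this slide, as an added example written in Python (the deck's own recommendation) and not code from the deck, Sulley or any other fuzzer: a tiny TLV parser with a deliberate missing bounds check stands in for the target, a mutation fuzzer generates inputs from valid seeds, and a stored corpus of known crashers is replayed before every run so that a bug found once stays findable. The parser, the seeds and the corpus are all constructed for the example; the fixed parser shows what the same regression check reports once the defect is gone.

```python
import random
from typing import Callable, Dict, List, Optional

Target = Callable[[bytes], Dict[int, bytes]]


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Constructed target: [tag:1][len:1][value:len] records. It carries a
    deliberate defect, reading the length byte without checking it exists,
    to stand in for the kind of bug a fuzzer is meant to find."""
    records: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]            # defect: no check that i + 1 < len(data)
        records[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    return records


def parse_tlv_fixed(data: bytes) -> Dict[int, bytes]:
    """Same format with the bounds check; truncation is rejected cleanly."""
    records: Dict[int, bytes] = {}
    i = 0
    while i + 2 <= len(data):
        tag, length = data[i], data[i + 1]
        records[tag] = data[i + 2:i + 2 + length]
        i += 2 + length
    if i != len(data):
        raise ValueError("truncated record")
    return records


def mutate(rng: random.Random, seed: bytes) -> bytes:
    """One random mutation: bit flip, byte overwrite, byte insert or truncate."""
    buf = bytearray(seed)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def crashes(target: Target, data: bytes) -> Optional[str]:
    """Exception name if the target blew up, None if it parsed or rejected
    the input cleanly (ValueError is the parser's own rejection)."""
    try:
        target(data)
    except ValueError:
        return None
    except Exception as exc:              # the Python stand-in for a SIGSEGV
        return type(exc).__name__
    return None


def fuzz(target: Target, seeds: List[bytes], iterations: int = 2000,
         rng_seed: int = 1) -> List[bytes]:
    """Mutate the seeds and collect distinct inputs that crash the target."""
    rng = random.Random(rng_seed)
    found: List[bytes] = []
    for _ in range(iterations):
        candidate = mutate(rng, rng.choice(seeds))
        if crashes(target, candidate) is not None and candidate not in found:
            found.append(candidate)
    return found


def check_regressions(target: Target, corpus: List[bytes]) -> List[bytes]:
    """Replay stored crashers; return those the target no longer trips on.
    Against the unfixed build the answer must be empty (the fuzzer still
    finds the bug); against the fixed build every case should come back."""
    return [case for case in corpus if crashes(target, case) is None]


SEEDS = [b"\x01\x03abc\x02\x00", b"\x10\x01x"]          # constructed valid inputs
KNOWN_CRASHERS = [b"\x01", b"\x01\x03abc\x02\x00\xff"]  # constructed corpus

if __name__ == "__main__":
    print("known bugs still reachable:", check_regressions(parse_tlv, KNOWN_CRASHERS) == [])
    print("new crashers found:", len(fuzz(parse_tlv, SEEDS)))
```

Every crasher the fuzzer produces goes into the corpus, and the corpus is replayed before each new campaign; once a fix lands, the same replay tells you which cases now fail cleanly and which still need attention.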
27
Fuzzing can catch many vulnerabilities that are hard to see with the naked eye or from static analysis
29
“Vendor Management” Teams. X.25 attack research was very popular in the late 90's and remains so to this day. SCADA is certainly on everyone's radar
30
What protocols are most buggy that no one else is looking at? Bug classes that are hard to scan for by automated technologies. Bugs themselves. Exploitation techniques
31
IDS/IPS cannot find them. Can your forensics team figure them out?
Modern 0days often combine multiple attack vectors and vulnerabilities into one exploit
32
As of June 16, 2007:
33
The Market Always Wins: 0day is for sale. Deal with it.
34
Classes of Vulnerabilities
printf(user_supplied_string, args); Easy to scan for with automatic tools or compiler options. Commonly available in code in 2000. Now an extinct species
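An added example of the "easy to scan for" claim, not from the deck: a small Python pattern scanner over constructed C source that flags printf-family calls whose format argument is not a string literal, shown against the slide's vulnerable form and its corrected form. The argument-position table and the regex-based call matcher are assumptions of this example (a real tool works on the AST); the same defect is what GCC and Clang report under -Wformat -Wformat-security.

```python
import re
from typing import List, Tuple

# Constructed C snippets (not from the deck): the vulnerable form from the
# slide and its corrected form, where the format is a literal and the user
# data travels as an argument.
VULNERABLE_C = r'''
void log_line(const char *user_supplied_string) {
    char buf[256];
    printf(user_supplied_string);          /* format string comes from the user */
    snprintf(buf, sizeof buf, user_supplied_string);
    syslog(LOG_INFO, user_supplied_string);
}
'''

FIXED_C = r'''
void log_line(const char *user_supplied_string) {
    char buf[256];
    printf("%s", user_supplied_string);     /* literal format, data as argument */
    snprintf(buf, sizeof buf, "%s", user_supplied_string);
    syslog(LOG_INFO, "%s", user_supplied_string);
}
'''

# Which argument (0-based) carries the format string for each function.
# Assumed table covering the common libc/syslog entry points.
FORMAT_ARG_INDEX = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2,
    "vprintf": 0, "dprintf": 1, "syslog": 1,
}

CALL_RE = re.compile(r"\b(" + "|".join(FORMAT_ARG_INDEX) + r")\s*\(")


def split_args(src: str, start: int) -> Tuple[List[str], int]:
    """Split the argument list that begins at src[start] (just after '('),
    honouring nested parentheses and string literals. Returns (args, end)."""
    args: List[str] = []
    cur, depth, in_str, i = "", 0, False, start
    while i < len(src):
        ch = src[i]
        if in_str:
            cur += ch
            if ch == "\\":                 # keep escaped quotes inside the literal
                cur += src[i + 1]
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str, cur = True, cur + ch
        elif ch == "(":
            depth, cur = depth + 1, cur + ch
        elif ch == ")":
            if depth == 0:
                args.append(cur.strip())
                return args, i
            depth, cur = depth - 1, cur + ch
        elif ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
        else:
            cur += ch
        i += 1
    raise ValueError("unterminated call")


def find_format_string_bugs(src: str) -> List[Tuple[int, str]]:
    """(line_number, function) for every printf-family call whose format
    argument is anything other than a string literal."""
    findings: List[Tuple[int, str]] = []
    for m in CALL_RE.finditer(src):
        func = m.group(1)
        args, _ = split_args(src, m.end())
        idx = FORMAT_ARG_INDEX[func]
        if idx < len(args) and not args[idx].startswith('"'):
            findings.append((src.count("\n", 0, m.start()) + 1, func))
    return findings


if __name__ == "__main__":
    print("vulnerable:", find_format_string_bugs(VULNERABLE_C))
    print("fixed:     ", find_format_string_bugs(FIXED_C))
```

Because the bug is purely syntactic (a non-literal in the format slot), a scanner like this has no false negatives on direct calls; what it cannot see is a format string that reaches a wrapper function through a variable, which is where manual review and the compiler's format attribute take over.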
35
Stack/Heap overflows, Format Strings, Race conditions, Uninitialized variable problems, Integer overflows and indexing problems
36
Race conditions, Sophisticated timing attacks, Extremely complex multi-vector overflows, Kernel attacks, Lots of vulnerabilities in hardware you've never seen attacked publicly
37
The 2uture
Look for more embedded system attacks. Look for more interesting bug classes. Vista/Windows 7: not the answer. Hacker Teamwork
39