Vale Security Conference - 2011 - 17 - Rodrigo Rubira Branco (BSDaemon)

Vale Security Conference - 2011
Sunday - 17th Talk
Speaker: Rodrigo Rubira Branco (BSDaemon)
Talk: Behind the scenes - Security Research
Twitter (Rodrigo Rubira Branco): https://twitter.com/#!/bsdaemon
Video (YouTube): http://www.youtube.com/watch?v=6JYM6nPdIXg
Slides (SlideShare): http://www.slideshare.net/valesecconf/rubira

Transcript

  • 1. Behind The Scenes: Security Research
    Rodrigo Rubira Branco (BSDaemon)
    Director, Vulnerability & Malware Research Labs
    rbranco *noSPAM* qualys.com
    http://twitter.com/bsdaemon
  • 2. Agenda
    Objectives
    Introduction
    Security research as worldwide hype
    – Where are the real hackers?
    – What is the difference between the public exploits and the private ones?
    Security conferences around the globe
    The problems in the security industry
    Future
    Kernel Hacking: If you really know, you can hack! – http://www.kernelhacking.com/rodrigo 2
  • 3. Objectives
    Discuss security problems and security industry problems
    Demonstrate how vulnerability finding works (or is supposed to work), focusing on building the team
    Explain the challenges the exploit writer faces nowadays
    Be fun?
  • 4. Security nowadays
    Buggy programs deployed on critical servers
    Rapidly evolving threats, attackers and tools (exploitation frameworks)
    Lack of developer training, resources and people to fix problems and write safe code
    That's why we are here today, right?
  • 5. Security nowadays – 0day challenge
    [Figure: timeline from the first host attacked to all vulnerable hosts attacked; the gap between them is the defender's reaction time]
    Reaction time: Slammer: 10 mins; future worms: < 1 minute [Staniford et al. 2002]
    “0day statistics: average 0day lifetime: 348 days; shortest life: 99 days; longest life: 1080 days (3 years)” – Justine Aitel
  • 6. !exploitable
    __declspec(naked) int main() {
        __asm {
            mov eax, 0x41414141   ; hard-coded constant, never touched by input
            call eax              ; faults on the control transfer to 0x41414141
        }
    }
  • 7. !exploitable
    This is incorrectly classified as EXPLOITABLE because the tool always assumes that the attacker has control over all the input operands
    So, what is the point?
    The point is that security research is a long-distance run; shortcuts will only give you tainted information (hidden joke)
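The slide's point, as an added example (this is not code from the talk and not the real !exploitable rule set): a crash-triage heuristic that only looks at the faulting instruction has to call the slide-6 program EXPLOITABLE, because the rule "control transfer to an invalid address" assumes every operand is attacker-controlled. The missing ingredient is data flow from input to the faulting operand. The trace format, the `INPUT` marker and the register-level taint rules below are this example's own simplified model (an assumption), and the traces are constructed, not real debugger output.

```python
"""Toy crash-triage model for the !exploitable false positive on slide 7.

Added example, not code from the talk and not the real !exploitable rules:
it models (as an assumption) the one rule that matters here, "a control
transfer to an invalid address is EXPLOITABLE", and adds the piece the tool
lacks: whether the faulting operand actually depends on attacker input.
"""

INPUT = "input"  # marker for a value that came from attacker-controlled data


def faulting_operand_tainted(trace):
    """Forward taint propagation over a tiny register-level trace.

    Each instruction is (op, dst, src) for data moves/ALU ops, or
    ("call"|"jmp", target) for the final control transfer. Returns True
    when the register used by that transfer carries a value derived from INPUT.
    """
    tainted = set()
    for ins in trace:
        op = ins[0]
        if op in ("call", "jmp"):
            return ins[1] in tainted
        _, dst, src = ins
        src_tainted = src == INPUT or src in tainted
        if op == "mov":
            # Overwrite: dst inherits exactly the taint of src; a constant clears it.
            if src_tainted:
                tainted.add(dst)
            else:
                tainted.discard(dst)
        elif op == "xor" and dst == src:
            # `xor reg, reg` is the zeroing idiom: the result is the constant 0.
            tainted.discard(dst)
        elif op in ("add", "sub", "xor", "or", "and"):
            # Read-modify-write: dst becomes tainted if either operand was.
            if src_tainted:
                tainted.add(dst)
        else:
            raise ValueError(f"unsupported instruction {op}")
    raise ValueError("trace does not end in a control transfer")


def classify(trace, taint_aware):
    """Naive verdict: any faulting indirect call/jmp is EXPLOITABLE.
    Taint-aware verdict: only when the target register is input-derived."""
    if trace[-1][0] not in ("call", "jmp"):
        return "UNKNOWN"
    if not taint_aware:
        return "EXPLOITABLE"
    if faulting_operand_tainted(trace):
        return "EXPLOITABLE"
    return "PROBABLY_NOT_EXPLOITABLE (target is a compile-time constant)"


# Constructed traces (assumption: these stand in for what a debugger would record).
SLIDE_TRACE = [("mov", "eax", 0x41414141), ("call", "eax")]                       # the slide-6 program
INPUT_TRACE = [("mov", "ecx", INPUT), ("mov", "eax", "ecx"), ("call", "eax")]     # overwritten function pointer
ZEROED_TRACE = [("mov", "eax", INPUT), ("xor", "eax", "eax"), ("call", "eax")]    # taint killed by zeroing idiom
MIXED_TRACE = [("mov", "eax", 0x1000), ("add", "eax", INPUT), ("call", "eax")]    # base + attacker-chosen offset


def triage(traces):
    """Return {name: (naive_verdict, taint_aware_verdict)} for a batch of traces."""
    return {name: (classify(t, False), classify(t, True)) for name, t in traces.items()}


if __name__ == "__main__":
    batch = {"slide": SLIDE_TRACE, "input": INPUT_TRACE,
             "zeroed": ZEROED_TRACE, "mixed": MIXED_TRACE}
    for name, (naive, aware) in triage(batch).items():
        print(f"{name:7s} naive={naive:12s} taint-aware={aware}")
```

The naive column agrees with the slide: all four traces are EXPLOITABLE. The taint-aware column separates the two that an attacker can actually steer (`input`, `mixed`) from the two whose call target is a constant by the time the fault happens; getting that second column on real crashes is the slow, non-shortcut work the slide is talking about.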
  • 8. State Transition for Memory Corruption
    [Figure: state-transition diagram; c: corrupting instruction, t: takeover instruction, f: faulting instruction]
    Case 1 (green): format string
    Cases 2 and 3 (red and blue): buffer overflow
    Case 4 (purple): unpredictable
    Source: Automatic Diagnosis and Response to Memory Corruption Vulnerabilities
  • 9. Source: http://www.h2hc.com.br/repositorio/2008/Nico.pdf
  • 10. The Extinction of Hackers – FX
    FX wrote the article long ago (well, I only have a copy of the file, so I could not work out the exact date, and I forgot to ask him before coming)
    He seems to be actually right:
    – Kids use computers for games
    – Things are a lot easier to do nowadays (meaning you don't really need to know how to use the computer to do something useful with it)
    – Things are a lot more complex nowadays (yeah, in the opposite direction of the previous statement) -> Exploiting software is becoming a complex task (no easy 0x41414141 anymore)
  • 11. Vulnerability Coordination?
    Basically it is a mess (but it is getting better)
    Lots of conflicts (and lots of conflicts of interest)
    Difficult to really measure scientifically the impact of any decision:
    – Full disclosure (everybody is aware, instead of only the person who is already exploiting it)
  • 12. Vulnerability Coordination
    Case 1: Security issue affecting 3 vendors. What does one of them reply?
    – “We don't know how to fix the code, do you mind asking the other vendor to SHARE the patch?”
    Case 2: Security issue in an ‘encryption’ mechanism of a security software. What does the vendor reply?
    – “Ok, we are going to change the documentation to say it is not encryption”
    Case 3: Security issue in a web software. What does the vendor say about it?
    – “There is no security issue. Millions of people use the software and none reported the problem before”
  • 13. Who buys?
    Because everybody is buying vulnerabilities, it is becoming difficult to see vulnerability discussions in public
    Reliable/good exploits are not available for free anymore (at large)
    Governments, private sector, brokers, criminals
    – They all want our 0days
    – Legislation helps some countries
    – This is destroying the new generations
  • 14. Security Myth #1: The ‘EXPERT’
    The Market for Lemons: Quality Uncertainty and the Market Mechanism – George Akerlof
    Asymmetric knowledge
    – Complex subject
    – Industry defines its own standards
    – Politics defines ‘auditing’ (SOX)
  • 15. Security Myth #2: There is no 0day risk
    Crime and Punishment: An Economic Approach – Gary S. Becker
    There is no 100% security
    – Since there are no guarantees, why should the vendor care?
    – Security relies heavily on the ‘ass factor’:
      » “Why should I buy from vendor X?”
      » “Because everybody is doing so”
  • 16. Security Myth #3: Computer power is growing
    Moore's law does not help the security industry
    Forcing the perimeter to inspect everything, expecting to benefit from the growing capabilities of hardware, seems to be nonsense
    Simple as that: as computers get more power, engineers start to use it to save bandwidth and to provide security:
    – Compression
    – Encryption
    In the end, the gateway has more work to do
  • 17. Security Myth #4: IPS
    Many people seem to strongly believe the IPS is a bunch of parsers running in a central location:
    – Most likely it will be a more pattern-match-like technology
    – This is true for security filters as well (such as the XSS protections in IE)
    – Really parsing the complex file formats on gateways is infeasible; partial parsing is used
    Everybody believes IPS is a bridge
    – It does interact with packets (for inspection)
    – It can be exploited as any other piece of software (not common)
    Virtual patching
    – Trust it only when a vulnerability is public but there is no patch (in this case, you have no options)
    – False positives ARE very important: check them before buying
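Slides 16 and 17 together, as an added example (not code from the talk and not from any IPS product): a pattern-match rule sees the plain payload, goes blind as soon as the same bytes are gzip- or base64-wrapped, and only sees it again when the gateway peels those layers itself, which is exactly the extra work slide 16 predicts. The toy regex, the layer order and the output/ratio caps are this example's own assumptions; the payloads are constructed inline. The caps matter: a gateway that inflates whatever it is handed is itself the exploitable "piece of software" slide 17 mentions, via a decompression bomb.

```python
"""Gateway inspection versus compression/encoding (slides 16 and 17).

Added example, not code from the talk or from any IPS product. The regex
is a stand-in for a real signature, and the caps are assumptions chosen
for the demo, not tuned values.
"""
import base64
import binascii
import gzip
import re
import zlib

SIGNATURE = re.compile(rb"<script[^>]*>", re.IGNORECASE)  # toy pattern-match rule (assumption)
MAX_OUTPUT = 1 << 20   # never inflate more than 1 MiB per layer (assumption)
MAX_RATIO = 50         # refuse anything that expands more than 50x (assumption)
MAX_LAYERS = 3         # bound on nested encodings (assumption)


def match_raw(payload: bytes) -> bool:
    """What a pure pattern matcher does: look at the bytes on the wire."""
    return SIGNATURE.search(payload) is not None


def _bounded_inflate(data: bytes, wbits: int) -> bytes:
    """Inflate with an output cap and an expansion-ratio cap; raise on a bomb."""
    d = zlib.decompressobj(wbits)
    out = d.decompress(data, MAX_OUTPUT)            # stops at MAX_OUTPUT bytes
    if d.unconsumed_tail or len(out) > MAX_RATIO * max(len(data), 1):
        raise ValueError("decompression bomb: output cap or ratio exceeded")
    return out


def _looks_base64(data: bytes) -> bool:
    # Strict alphabet plus padding; a real compressed stream will not pass this.
    return len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+=*", data) is not None


def _is_zlib(data: bytes) -> bool:
    # RFC 1950 header: CM=8 in the CMF byte and (CMF*256+FLG) % 31 == 0.
    return len(data) >= 2 and data[0] & 0x0F == 8 and (data[0] * 256 + data[1]) % 31 == 0


def peel_layers(payload: bytes):
    """Strip up to MAX_LAYERS of gzip / base64 / zlib; return (plain, layers)."""
    layers = []
    data = payload
    for _ in range(MAX_LAYERS):
        if data[:2] == b"\x1f\x8b":                                  # gzip magic
            data = _bounded_inflate(data, 16 + zlib.MAX_WBITS)
            layers.append("gzip")
        elif _looks_base64(data):                                    # checked before the weaker zlib test
            data = base64.b64decode(data, validate=True)
            layers.append("base64")
        elif _is_zlib(data):
            data = _bounded_inflate(data, zlib.MAX_WBITS)
            layers.append("zlib")
        else:
            break
    return data, layers


def inspect(payload: bytes):
    """Gateway verdict: ('match' | 'clean' | 'blocked', layers peeled)."""
    if match_raw(payload):
        return "match", []
    try:
        plain, layers = peel_layers(payload)
    except (ValueError, zlib.error, binascii.Error):
        return "blocked", []           # refuse what we cannot safely inspect
    return ("match" if match_raw(plain) else "clean"), layers


# Constructed payloads (not captured traffic).
PLAIN = b"<html><body><script>alert(1)</script></body></html>"
GZIPPED = gzip.compress(PLAIN)
B64_GZIPPED = base64.b64encode(GZIPPED)
BOMB = zlib.compress(b"\x00" * (8 << 20))   # a few KiB on the wire, 8 MiB inflated
BENIGN = b"nothing to see here"

if __name__ == "__main__":
    for name, p in [("plain", PLAIN), ("gzip", GZIPPED), ("b64+gzip", B64_GZIPPED),
                    ("bomb", BOMB), ("benign", BENIGN)]:
        print(f"{name:9s} raw-match={match_raw(p)!s:5s} gateway={inspect(p)}")
```

The raw matcher fires on `PLAIN` only; `inspect` recovers the match through one and two layers, at the price of inflating every flow it sees. Encryption (the other item on slide 16) cannot be peeled this way at all without terminating the session on the gateway, which is more work again.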
  • 18. Security Myth #5: Rogue <you name it>
    Amazing question by Michael Golub: “What are the features an AV has that a Rogue AV doesn't?”
    – Neither guarantees anything
    – Both have ‘upgrade to premium’ options
    – Both have a nice GUI (the rogue AV is usually nicer)
    – Both affect the performance of your computer (the rogue AV is usually faster)
    – Both have false alarms (false positives) -> Well, I never heard that millions of users were affected by a rogue AV quarantining a fundamental Windows DLL and thus leaving the computer unusable
  • 19. So, why build a research team?
    Companies highly benefit from security research:
    – Better understanding
    – Real-life awareness
    – Solving complex problems with lower budgets
    Having security researchers is not only for security vendors:
    – As presented at Hackito: a researcher is capable of solving complex tasks, such as analyzing huge amounts of logs
    – A researcher can provide real understanding of the threats in an organization, and ‘translate’ the marketing materials (bullshit) into the real-world benefit they will provide
  • 20. The experts
    When choosing a researcher, be careful in selecting him
    – Remember the ‘Market for Lemons’ lessons
    – Lots of conferences around the world: being a speaker at many of them means nothing
    – Lots of security issues being released: being one of the guys who found them means nothing
      » Many crappy security issues are being released (it is part of vendors' priority lists to have as many released issues as possible)
    – Ask around, go to the conferences and see it yourself, be involved if you care
  • 21. What to expect
    It is important to define targets
    – If you don't know what you want, don't expect much: researchers are lazy creatures (yeah, we are!)
    Don't define how you want it done, only your expectations
    – If you really knew what you wanted, you would have hired developers, not researchers
    – I always like to tell people: “Ok, now you are giving me the solution. I'd better know the problem first”
    Security research is not only exploitation
    – Defensive capabilities
    – Complex problems
    – Malware analysis
  • 22. Targets/Deliverables
    Some companies count exploits/person/year
    – Highly complex way to track work
    – Will work if you have a very capable manager (able to differentiate complex from simple exploits)
    – Usually done when the company is a research company or somehow has exploit writers and security researchers in different teams
    Small groups working together
    – Very effective way to work and keep track of work
    – Change the groups and see the results
    – Easy to spot laziness
  • 23. Research capabilities
    Very often, even companies that do not have a research area have research capabilities
    – They are hidden inside development teams
    – Usually embedded in the job description of senior workers in such teams
    Create a communication link
    – Since the research is hidden inside teams, sometimes it does not achieve its maximal capability
    – Gathering information inside the company will reveal much more knowledge than initially expected
  • 24. Management
    Many processes or no processes
    – Somewhere in between
    – Important to define areas where the research has freedom to act
      » For example, to speed up the communication process with vendors
    – No paperwork means higher productivity and less boredom
      » Still, some way to track work will be required by the company
    Your team gotta travel
    – Yes, they will want to go to H2HC in Brazil
    – They will love to spend the weekend with friends in Sao Jose dos Campos for Vale Security Conf (at least I do ☺)
    – They will be at Hackito in Paris as well
    – And there is NOTHING you can do about that
      » Better define good-to-go conferences in advance
      » Give real time for real research (yeah, REAL)
  • 25. Fuzzing, tools and others
    If your research team is going to find vulnerabilities, you:
    – Want them to have real hardware resources (fuzzers are heavy animals)
    – Want them to have a real understanding of what they are testing (and this is VERY time consuming)
    – Want them to have good tools for the process (expect to buy tools such as IDA, Zynamics BinNavi, Canvas)
    Please, please, please:
    – No dumb fuzzing anymore (I'm tired of crashes)
    – Add analysis capabilities to the game
    – Let them spend time writing tools
  • 26. Future
    I can't foresee the future!
    Hope more researchers will start to complain about the industry
    Strongly believe the real experts at some point will receive the real attention, since the problem is constantly growing and not being fixed: something wrong is going on...
  • 27. Special Thanks
    Michael Golub
    – A good friend
    – The main point of reference/discussion for many/most of the presented ideas
    Vale Security Conference Staff
    – Great initiative, congrats and thanks!
    – For trusting me to discuss this subject here
  • 28. End! Really!?
    Rodrigo Rubira Branco (BSDaemon)
    Director, Vulnerability & Malware Research Labs
    rbranco *noSPAM* qualys.com
    http://twitter.com/bsdaemon
