Strange security mitigations
Tips and tricks from an attacker’s mind
Author: CoolerVoid
Tips and tricks to understand some typical vulnerabilities and how to mitigate them
following an untypical intelligent approach.
Apr. 17, 2022
Antonio Costa (github.com/CoolerVoid) Strange security mitigations Apr. 17, 2022
Summary
1 Whoami
2 Depths of vulnerabilities (not all)
3 Always watch your home
Whoami
Antonio Costa - CoolerVoid
Appsec tech leader
Cybersecurity engineer
Open-source programmer
Reverse engineer
github.com/CoolerVoid
Depths of vulnerabilities (not all)
Heap overflow
In late 2001, "Vudo Malloc Tricks" by Michel "MaXX" and "Once Upon A
free()" defined the exploitation of overflowed dynamic memory chunks
on Linux.
In late 2004, a series of patches to GNU libc malloc implemented over a
dozen mandatory integrity assertions, effectively rendering the existing
exploitation techniques obsolete.
Malloc Maleficarum by Phantasmal Phantasmagoria
dl.packetstormsecurity.net/papers/attack/MallocMaleficarum.txt
cwe.mitre.org/data/definitions/122.html
github.com/shellphish/how2heap
Heap overflow – malloc implementations
ptmalloc2 – glibc
jemalloc – FreeBSD and Firefox
tcmalloc – Google
libumem – Solaris
Hoard – Cisco, SAP and Credit Suisse
First rant: library alternatives
In late 2010
DieHard Allocator - DieHard: An error-resistant memory allocator for
Windows, Linux, and Mac OS X
microsoft.com/en-us/research/video/dieharder-securing-the-heap/
github.com/emeryberger/DieHard
In late 2017
FreeGuard: A Faster Secure Heap Allocator
https://arxiv.org/abs/1709.02746
Heartbleed in OpenSSL
OpenSSL library CVE-2014-0160
A missing bounds check in the handling of the TLS heartbeat
extension can be used to reveal up to 64k of memory to a connected
client or server.
https://www.openssl.org/news/secadv/20140407.txt
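Added example (not OpenSSL's code): a heartbeat echo handler that carries the bounds check CVE-2014-0160 lacked. The record layout follows RFC 6520 (type byte, 16-bit payload length, payload, at least 16 bytes of padding); the function names, the hb_* constants and the two constructed records are assumptions made for this illustration. The same rule generalises to any length field read from the wire: it must be checked against the bytes actually received before it drives a copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CVE-2014-0160 bug class; not OpenSSL code.
 * Record layout per RFC 6520: 1-byte type, 2-byte big-endian
 * payload_length, payload, then at least 16 bytes of padding. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_MIN_PAD  16
#define HB_HDR      3   /* type + 2-byte length */

enum hb_result { HB_OK = 0, HB_BAD_TYPE = -1, HB_TRUNCATED = -2, HB_NO_SPACE = -3 };

/* Build the heartbeat echo for one received record.
 * rec/rec_len is the record as actually received from the peer.
 * The check marked (*) is the one Heartbleed lacked: without it the
 * peer-supplied payload_length is trusted and memcpy reads past the end
 * of the record, copying whatever else sits in that memory into the reply. */
int hb_process(const uint8_t *rec, size_t rec_len,
               uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (rec_len < HB_HDR + HB_MIN_PAD) return HB_TRUNCATED;  /* too short to be valid */
    if (rec[0] != HB_REQUEST) return HB_BAD_TYPE;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload_len + HB_MIN_PAD > rec_len) return HB_TRUNCATED;  /* (*) */
    size_t need = HB_HDR + payload_len + HB_MIN_PAD;
    if (need > out_cap) return HB_NO_SPACE;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);     /* only bytes the peer sent */
    memset(out + HB_HDR + payload_len, 0, HB_MIN_PAD);   /* fresh padding, not stale memory */
    *out_len = need;
    return HB_OK;
}

/* Constructed test records: the payload "hello" with an honest length
 * and with a lying length (the remaining bytes are zero padding). */
static const uint8_t HONEST[3 + 5 + 16] = {
    HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o'
};
static const uint8_t LYING[3 + 5 + 16] = {
    HB_REQUEST, 0xFF, 0xFF, 'h', 'e', 'l', 'l', 'o'   /* claims 65535 payload bytes */
};

/* Returns the echoed length on success (24 for HONEST), or the error code. */
int hb_demo_honest(void)
{
    uint8_t out[64];
    size_t n = 0;
    int rc = hb_process(HONEST, sizeof HONEST, out, sizeof out, &n);
    return rc == HB_OK ? (int)n : rc;
}

/* Returns the error code for the lying record (HB_TRUNCATED, nothing echoed). */
int hb_demo_lying(void)
{
    uint8_t out[64];
    size_t n = 0;
    return hb_process(LYING, sizeof LYING, out, sizeof out, &n);
}

int main(void)
{
    printf("honest record: %d bytes echoed\n", hb_demo_honest());
    printf("lying record:  rc=%d (request rejected)\n", hb_demo_lying());
    return 0;
}
```

The honest record is echoed as a 24-byte response; the lying record is rejected before any copy happens, which is exactly the difference the one-line check makes.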
Second rant: library alternatives
OpenBSD’s LibreSSL
Memory sanitization is a central feature in LibreSSL that is lacking in
OpenSSL. Prior to the deallocation of objects, LibreSSL explicitly
zeros out memory using OpenBSD’s explicit_bzero(3) function. This
proactively reduces the impact of memory exposure in the event of a
future vulnerability or an unprivileged process that gains control of a
tainted memory segment.
Google’s BoringSSL
Currently BoringSSL is the SSL library in Chrome/Chromium and
Android.
BearSSL, MatrixSSL, mbedtls, PolarSSL, libsodium and so on
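Added example (not LibreSSL's code) of the memory sanitisation pattern described above: a secret is zeroed before it is freed, through a wipe the compiler cannot optimise away. explicit_bzero(3) itself exists on OpenBSD and in glibc 2.25 and later; secure_wipe below is a portable stand-in for it, and the function names and the constructed 16-byte key are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not LibreSSL code: wipe a secret before freeing it.
 * A plain memset() right before free() is a dead store that the compiler
 * may legally delete. Calling memset through a volatile function pointer
 * prevents that, which is one classic way to implement explicit_bzero. */
static void *(*const volatile memset_ptr)(void *, int, size_t) = memset;

void secure_wipe(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Release a secret the LibreSSL way: zero first, then free. */
void secret_free(void *p, size_t n)
{
    if (p == NULL) return;
    secure_wipe(p, n);
    free(p);
}

size_t nonzero_bytes(const uint8_t *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++) count += (p[i] != 0);
    return count;
}

/* Demo on a constructed 16-byte key held on the heap. Returns the number
 * of non-zero bytes left after the wipe (expected 0). The count is taken
 * before free() because reading freed memory is undefined behaviour. */
size_t wipe_demo(void)
{
    const char sample[] = "constructed-key!";   /* 16 non-zero bytes (constructed) */
    size_t n = sizeof sample - 1;
    uint8_t *key = malloc(n);
    if (key == NULL) return (size_t)-1;
    memcpy(key, sample, n);
    size_t before = nonzero_bytes(key, n);      /* 16 */
    secure_wipe(key, n);
    size_t after = nonzero_bytes(key, n);       /* 0 */
    free(key);
    return before == n ? after : (size_t)-1;    /* -1 signals a broken setup */
}

int main(void)
{
    printf("non-zero bytes left after wipe: %zu\n", wipe_demo());
    uint8_t *token = malloc(32);
    if (token != NULL) {
        memset(token, 0xA5, 32);   /* stand-in for a session secret */
        secret_free(token, 32);    /* zeroed, then released */
    }
    return 0;
}
```

The point of the volatile pointer is that the compiler has to assume memset_ptr might point anywhere at run time, so the call, and the stores it makes, cannot be dropped as unobservable.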
Big checklist
Stack buffer overflow, heap overflow, integer overflow, buffer
underflow, off-by-one, memory leak, use after free, double free, race
conditions (TOCTOU), lack of ASLR, lack of DEP, lack of stack
cookie, lack of RELRO, lack of certificate pinning, lack of signature
check, RCE, IDOR, RFI, LFI, SSO, CSRF, SSRF, SSTI, XXE,
ReDoS, NoSQLi, SQLi, blind SQLi, XSS, blind XSS, DOM XSS, open
redirect, path traversal, insecure deserialization, LDAP injection,
HQL injection, HTTP parameter pollution, improper permissions,
uncontrolled upload, uncontrolled resource consumption, CSV
injection, graph injection, denial of service, weak cryptography, lack
of salt, lack of secret key, lack of anti-tampering, lack of root detection,
lack of seccomp/pledge, lack of rate limiting, lack of anti-robot
resources, lack of HTTP header hardening, lack of anti-hooking,
misconfiguration, uncontrolled search path element, information
leak, hardcoded credentials, TEMPEST attack...
Dark depths in vulnerabilities – fuzzing! AFL!
Figure: Magic: The Gathering card "Dark Depths", art by Mathias Kollros
Always watch your home
Allow list of syscalls
Enumerate the syscalls each resource needs
Linux's seccomp(2)
OpenBSD's pledge(2)
Restrict a Container’s Syscalls with seccomp
github.com/antitree/syscall2seccomp
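Added example (not the syscall2seccomp project's code, and not libseccomp): a hand-built seccomp-BPF allow list of the kind the slide describes. Everything not in the list kills the process, and the filter also refuses a foreign architecture so syscall numbers cannot be confused across ABIs. The build_allowlist/simulate/install_allowlist names, the DEMO_ALLOWED policy (read, write, exit_group) and the offline interpreter are assumptions made for this illustration; only the prctl(2) calls and the BPF macros are real kernel interfaces.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Added example, not the syscall2seccomp project's code: a seccomp-BPF
 * allow list built by hand. Every syscall not listed kills the process. */

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* older kernel headers */
#endif

#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define THIS_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define MAX_ALLOWED 64
#define PROG_CAP (MAX_ALLOWED + 6)

/* Program layout (n = number of allowed syscalls):
 *   [0] load arch          [1] arch == THIS_ARCH ? skip 1 : fall through
 *   [2] RET KILL           [3] load syscall nr
 *   [4 .. 4+n-1] nr == allowed[i] ? jump to ALLOW : next comparison
 *   [4+n] RET KILL         [5+n] RET ALLOW
 * Returns the instruction count, or 0 on bad input. */
size_t build_allowlist(const int *allowed, size_t n, struct sock_filter *out, size_t cap)
{
    if (n == 0 || n > MAX_ALLOWED || n + 6 > cap) return 0;
    size_t k = 0;
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)   /* jt = n - i skips the remaining compares and the KILL */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (__u32)allowed[i], (__u8)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return k;
}

/* Tiny interpreter for the three opcodes the builder emits, so a policy can
 * be checked offline before it is installed. Returns a SECCOMP_RET_* value. */
__u32 simulate(const struct sock_filter *p, size_t len, __u32 arch, __u32 nr)
{
    __u32 acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &p[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = (in->k == offsetof(struct seccomp_data, arch)) ? arch : nr;
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL_PROCESS;   /* opcode outside this toy subset */
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Constructed policy for a "read stdin, write stdout, exit" worker. */
static const int DEMO_ALLOWED[] = { SYS_read, SYS_write, SYS_exit_group };
#define DEMO_N (sizeof DEMO_ALLOWED / sizeof DEMO_ALLOWED[0])

/* What the demo policy decides for (arch, nr), evaluated offline. */
__u32 demo_decision(__u32 arch, __u32 nr)
{
    struct sock_filter prog[PROG_CAP];
    size_t len = build_allowlist(DEMO_ALLOWED, DEMO_N, prog, PROG_CAP);
    return simulate(prog, len, arch, nr);
}

size_t demo_length(void)
{
    struct sock_filter prog[PROG_CAP];
    return build_allowlist(DEMO_ALLOWED, DEMO_N, prog, PROG_CAP);   /* 3 + 6 = 9 */
}

/* Install the policy in the calling process. It is irreversible, so do it
 * after setup is finished and right before untrusted input is handled. */
int install_allowlist(const int *allowed, size_t n)
{
    struct sock_filter prog[PROG_CAP];
    size_t len = build_allowlist(allowed, n, prog, PROG_CAP);
    if (len == 0) return -1;
    struct sock_fprog fp = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  /* required for unprivileged use */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp) != 0) return -1;
    return 0;
}

int main(void)
{
    if (install_allowlist(DEMO_ALLOWED, DEMO_N) != 0) return 1;
    static const char msg[] = "sandboxed: only read/write/exit_group allowed\n";
    write(1, msg, sizeof msg - 1);   /* allowed */
    _exit(0);                        /* exit_group: allowed; anything else -> SIGSYS */
}
```

Enumerating the list is the hard part in practice (the slide's "enumerate syscalls of each resource"): trace the service under its full workload first, then tighten. Note that main avoids printf after the filter is installed, because the C library may issue other syscalls on the first stdio call.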
Hide your treasures
Prevent hardcoded credentials by using a proper vault
Use a safe library, for example LibreSSL or libsodium
Use safe cryptographic algorithms, following OWASP, CERT and
NIST guidance.
LKM to hide and protect file system resources
Casper-fs is a custom Linux kernel module generator with resources
to protect or hide a custom list of files.
Each LKM protects or hides files following a custom list in the
YAML rule file.
Not even root has permission to see the files or perform actions such
as editing and removing them. The files can only be read, edited, or
deleted if the user sends the proper key to the custom device.
github.com/CoolerVoid/casper-fs
Master librarian to audit operating system libraries
Figure: from the game Castlevania (1997)
Master librarian to audit operating system libraries
A tool to audit Unix/*BSD/Linux system libraries to find public
security vulnerabilities.
Uses pkg-config to list all operating system libraries.
github.com/CoolerVoid/master_librarian
Vision2 to audit all service banners
Vision2 analyses the Nmap XML scan results, parses each CPE
context, and correlates it with the CVE entries at NIST. You can use it
to find public vulnerabilities in services.
Uses the Nmap result to search for security issues in the NVD.
github.com/CoolerVoid/Vision2
LKM for a hidden firewall
Tool to generate a Linux kernel module with hidden, custom firewall
rules using Netfilter hooking (block ports, hidden mode, firewall
functions).
The motivation: in a bad situation, an attacker can take down your
iptables/ufw rules. But if you have HiddenWall, the attacker will not
find the hidden kernel module that blocks external access, because it
hooks Netfilter in kernel land (think of it as a second layer of
firewall).
github.com/CoolerVoid/HiddenWall
Shared Library Application Firewall "SLAF"
Spock SLAF is a Shared Library Application Firewall ("SLAF"). Its
purpose is to protect any service that uses the OpenSSL library. The
SLAF inserts hooks to intercept all communication, detect security
anomalies, and block and log attacks such as buffer overflow, path
traversal, XXE and SQL injection.
github.com/CoolerVoid/spock_slaf
Antonio Costa (github.com/CoolerVoid) Strange security mitigations abr. 17, 2022
Thank you