Fixing the Fixing - ACROS Security (transcript)
#RSAC
SESSION ID: TECH-R03
Fixing the Fixing
Mitja Kolsek, CEO and Co-Founder, 0patch and ACROS Security, @mkolsek, @0patch
Stanka Salamun, COO and Co-Founder, 0patch and ACROS Security, @0patch
16 Years of Breaking in...
FIND PUBLIC EXPLOIT for a known vulnerability
TAILOR EXPLOIT to work with your RAT
MUTATE EXPLOIT until VirusTotal doesn't recognize it
PHISH THE TARGET until you're in
„But... We have all this cool technology“
Beating Around the Bush
Your Knee Hurts?
Doctors:
„No problem, we'll cut off your leg and replace it with a new one.“
Security Update Gap
Are 0-Days a Real Problem?
Rob Joyce, NSA Hacker-In-Chief
„We don't need zero-days to get inside your network.“
176
Updates: Days from release to install
* US banks; source: NopSec, 2015 State of Vulnerability Risk Management
3
Updates: Days from release to exploit
* Source: FireEye, Angler EK Exploiting Adobe Flash CVE-2015-0359 with CFG Bypass
111,000,000,000
New lines of software code every year
* Cybersecurity Ventures, 0 day report Q1 2017 prediction: 111 billion lines of new code
Patching is Still a Hard Problem
But it's someone else's problem
END OF LIFE PRODUCTS
• Win Srv 2003, Win XP
• Java JRE 7, IE9, IE10
UNPATCHED VULNERABILITIES
• 0days
• known vulnerabilities
INTEROPERABILITY REQUIREMENTS
LEGACY SYSTEMS
• SCADA
• Mainframes
3rd PARTY LIBRARIES
• OpenSSL
IoT
• botnets
• massive attacks against and from IoT
OLD VERSIONS
• Java
• Flash
• QuickTime
USERS
• Hate downtime
• Expensive patch deployment
• Complex patches – no control of new code
• Uninstalling patches
• Big official updates change functionalities
• Anti-malware protections bypassable
• Updating = risk of breakage
• Not updating = risk of ownage
SOFTWARE VENDORS
• Direct and opportunity costs
• Patch development „traditional“ and long
• Testing and distributing fixes is costly
• Have better things to do
Emerging Alternatives in Patching
Evolution of Patching
No patching
„Fat“ patching
„Live“ patching
Micro patching
(Re-)Emerging Patching Trends
Live („hot“) patching
Runtime Application Self-Protection (RASP)
Virtual patching
Live Patching
LIVE PATCHING (overview diagram)
• Linux/UX
• Cloud
• App patching (Jspatch)
• Hot patching (discon.)
• Adaptive kernel live (Baidu)
• Patch Droid
• 0patch
• Ksplice
• Kpatch
• Live Update
• Kernel Care
• kGraft
• Kexec
• XEN Project
Linux Live (or „hot“) Patching
Key Characteristics
• No system/application rebooting
• „unpatch“ feature
• Focused on kernel patching
• From source code, decently automated
• Replacing entire functions (problem if the function is executing)
Linux Live Patching: Before
Diagram: the original function is compiled with NOP bytes at its entry; the caller's call and the function's return proceed normally.
Linux Live Patching: After
Diagram: the NOP bytes at the original function's entry are overwritten with a CALL/JMP to the replacement function; the caller's call lands on the original entry, the replacement function runs, and its return goes back to the caller.
Linux Live Patching Today
Shortcomings
• Source code needed to replace entire function
• No patching of closed-source applications
• Original function must be prepared to be patchable (NOP prolog)
• Patching and unpatching functions on call stack is risky and complex
• Vendor still has monopoly on patches
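The "Before"/"After" diagrams and the shortcomings above, as an added user-space illustration that is not code from the talk or from 0patch: a function compiled with a 5-byte NOP prolog is redirected to a replacement function by overwriting that prolog with a JMP, and the saved bytes are put back for the „unpatch“ feature. It assumes x86-64 Linux and a compiler that honours patchable_function_entry; orig, replacement, live_patch and live_unpatch are hypothetical names.

```c
/* Added illustration of "Linux Live Patching: After"; assumes x86-64 Linux
 * and GCC >= 8 or Clang >= 10 (for patchable_function_entry). */
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#if defined(__has_attribute)
#  if __has_attribute(patchable_function_entry)
#    define NOP_PROLOG __attribute__((patchable_function_entry(5, 0)))
#  endif
#endif
#ifndef NOP_PROLOG
#  define NOP_PROLOG   /* no reserved prolog: the first 5 bytes get clobbered instead */
#endif
#define PATCH_LEN 5                 /* E9 + rel32: what the NOP prolog must hold */
static uint8_t saved[PATCH_LEN];    /* original bytes, kept for the "unpatch" feature */

/* hypothetical function with the defect, prepared to be patchable (5-byte NOP prolog) */
NOP_PROLOG __attribute__((noinline, noclone)) int orig(int x) {
    __asm__ volatile("" ::: "memory");   /* keeps the compiler from folding the call */
    return x + 1;
}
/* hypothetical fixed version that replaces orig as a whole */
__attribute__((noinline, noclone)) int replacement(int x) {
    __asm__ volatile("" ::: "memory");
    return x * 2;
}

/* make the page(s) holding the patch site writable as well as executable */
static int make_writable(uint8_t *site) {
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)site & ~(ps - 1);
    uintptr_t end = ((uintptr_t)site + PATCH_LEN + ps - 1) & ~(ps - 1);
    return mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC);
}

/* "After": overwrite the NOP prolog of orig with JMP replacement (0 on success) */
int live_patch(void) {
    uint8_t *entry = (uint8_t *)(uintptr_t)orig;
    if (make_writable(entry) != 0) return -1;
    memcpy(saved, entry, PATCH_LEN);
    int32_t rel = (int32_t)((uintptr_t)replacement - ((uintptr_t)entry + PATCH_LEN));
    entry[0] = 0xE9;                        /* JMP rel32 */
    memcpy(entry + 1, &rel, sizeof rel);
    return 0;
}

/* "unpatch": restore the saved prolog; only safe while no thread is inside orig */
int live_unpatch(void) {
    uint8_t *entry = (uint8_t *)(uintptr_t)orig;
    if (make_writable(entry) != 0) return -1;
    memcpy(entry, saved, PATCH_LEN);
    return 0;
}
```

A micropatch, as the later diagrams show, places its JMP in front of the faulty instructions inside the function instead of at the entry, so a few instructions and a jump back replace the whole replacement function.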
Micropatching: Next-Generation Live Patching
Fundamentally changing the security game!
1. Patching closed-source code
2. Minimal risk of defects
3. Enable 3rd-party review of patches
4. Enable anyone to contribute patches
Micropatching: Before
Diagram: a function is called, executes some instructions and returns.
Micropatching: After
Diagram: a micropatch JMP is inserted in front of some instructions inside the function; the call and the return are unchanged.
Micropatching Advantages
• MINIMAL CODE CHANGES: minimal risk, easy to review
• 3RD PARTY „CROWDPATCHING“: even for closed source
• LOW BANDWIDTH: smart grid, satellite, HF radio, SMS
• NO DELAYS: for functions currently on call stack
• IOT: REMOTE PATCHING AND UNPATCHING: automatic and safe
• POTENTIAL FOR FORMAL PROOFS and code-change impact analysis
Demo: Micropatching WebEx
What Can be Micropatched?
• Native binary files (executables, drivers, libraries)
• Compiled bytecode (Java, C#)
• Just-in-time compiled code
• „Installable“ web applications (WordPress, Magento, Bugzilla, etc)
• IoT devices
• Medical devices
• Mobile devices – OS and apps
Any „reasonably static“ code
Not Ideal for Micropatching
Code that is often manually modified:
• Administrative scripts
• PHP, Perl scripts
Code that is not deployed to users:
• In-house web applications (easy to manually modify)
Goal: Decoupling Security Patches From (Mostly Functional) Updates
Timeline: ... Fat update → Micropatch CVE-2020-3702 → Micropatch CVE-2020-4284 → Micropatch CVE-2020-8802 → Micropatch CVE-2020-8803 → Micropatch CVE-2020-8966 → Fat update → Micropatch CVE-2020-9923 → ...
What Can You Do?
Getting micropatching off the ground
Organizations and Users
Tomorrow:
• Measure your Security Update Gap
• Find main reasons for your delays in applying security patches
Next six months:
• Consider using existing live patching for updating your Linux servers
• Set up a test process for applying micropatches wherever possible
Software Vendors
Tomorrow:
• Calculate your users' costs because of „fat“ (conventional) patching
• Analyze your total production, testing, deployment and PR costs for in-house security patch production
Next six months:
• Launch a micropatching pilot with one product
• IoT vendors: consider automatic micropatching of your devices
Researchers
Tomorrow:
• Arm yourself with powerful tools (WinDbg, IDA, binary editors)
• Download your copy of free 0patch Agent for Developers and play with it
Next six months:
• Brush up on your low level programming, reverse engineering skills
• When preparing an exploit PoC, also write a micropatch
Malicious Use of Live Patching
SWIFT - Bank of Bangladesh
• BAE Systems: „Two bytes to $951m“
• SWIFT Alliance Access Software „micropatched“
• 2 bytes of liboradb.dll replaced with NOP
Software Patching Sci-Fi
It's 2025.
People are using 3rd party patches for "dumbing down" their smart devices, blocking vendors from peeking in their fridge and collecting data.
200 micropatches walk into a bar. ...
Nobody notices.
Thumbs up if you think that's how patching should look in the future.
Let's Fix the Fixing!
We can make attackers' job much, much harder.