Predictability: The Essence of Attacking Systems

Andrew Wilson

Howdy YALL! (that’s how you say it right?!)

• Who am I?

• Recovering Developer

• Professional AppSec Pentester

• Sandan in Jiyushinkai Aikibudo

Overview

• Why predictability matters

• Analyzing Systems

• Complexities In Vulnerabilities

• Approaches to Taking Advantage

Historical Context

• The slides represent the life work of the above people.

Predictability

• The essence of science is based on predictability.

• Computer science is all about algorithms and rules.

• Computer security is all social engineering.

Why Predictability

• Knowledge == Power

• Consistency leads to success

• All the cool kids are doing it!

Analyzing Systems

• You can’t measure results without understanding a system

• Consistency comes from knowledge and experience

• Two categories:– General Theory– Specific Implementation

• The human body is a set of complex systems– Nervous, Muscular, Cardio

Vascular, Structural• Computers are a set of

complex systems:– Processor, Disk,

Networking, Memory, Logical, Graphics

Systems in Theory

Systems in Reality

• Systems don’t exist in theory

• Implementations are often different than the “ideal”

• Flaws come from:– External forces– Choice

Where’s Vulndo?

• Essential components– Dependencies & Commitments– Relationships & Expectations

• Data Processing– Flow & Recovery

• What isn’t needed• What is “default”

Innate Vulnerabilities

• Every system has vulnerabilities

• Everything is broken!

• Some are more likely to occur than others

Complex reality

• Why don’t things get beat up more often?

• Gedan Budo: It’s not that easy.

• Functional Example

Strategy Goals

• The goal in both attack & defense is the same:– Reduce possibility of being wrong– Increase possibility of being right

• To accomplish this we:– Remove variables– Increase Control– Constantly Adapt

Elements of Strategy

• Target– What am I interacting with

• Distance– How far am I from it

• Timing– When to attack

Target

• What is the closest target I can attack?

• How will I interact with it?

• Why choose it?– Effect of impact– Opportunities to expose other openings

Relative Distance

• To-Ma (Long Distance)

• Uchi-Ma (Striking Distance)

• Chica-Ma (Short Distance)

Timing / Initiative

• All cycles have a beginning, middle and end.

• Our actions related to cyclical timing is called Sen. (Initiative)

• There are three versions of Sen:– Sen Sen no Sen (Superior Initiative)– Sen no Sen (Early Initiative)– Go no Sen (Late Initiative)

Taking Advantage (Waza)

“The nicety of Judo / Aikibudo technique lies not in the action of performing techniques, but rather in the skill with which the preparing is done as a preliminary” – Kenji Tomiki Sensei

Unbalancing (Kuzushi)

• Altering an intended cycle : (Extending, Interrupting)

• Caused by changing any one of the components of the interaction – (target, distance, timing)

崩し

Fitting (Tsukuri)

• Once a cycle has been broken, surrogacy must occur or the system will fail.

• There are two primary points to fitting:– Jibun no Tsukuri (fitting yourself)– Aite no Tsukuri (fitting the other)

作り

Technique (Kake)

• Kake doesn’t mean technique per say, it means to begin.

• This is the nature of the payload itself, what does it do, how does it succeed?

掛け

Story Time!

Summary

• Systems, by their very nature, are vulnerable to manipulation

• Attackers and Defenders have the same toolbox

• Awareness is the essential tool attack and defense

QA