Predictability: The Essence of Attacking Systems
description
Transcript of Predictability: The Essence of Attacking Systems
Predictability: The Essence of Attacking Systems
Andrew Wilson
Howdy YALL! (that’s how you say it right?!)
• Who am I?
• Recovering Developer
• Professional AppSec Pentester
• Sandan in Jiyushinkai Aikibudo
Overview
• Why predictability matters
• Analyzing Systems
• Complexities In Vulnerabilities
• Approaches to Taking Advantage
Historical Context
• The slides represent the life work of the above people.
Predictability
• The essence of science is based on predictability.
• Computer science is all about algorithms and rules.
• Computer security is all social engineering.
Why Predictability
• Knowledge == Power
• Consistency leads to success
• All the cool kids are doing it!
Analyzing Systems
• You can’t measure results without understanding a system
• Consistency comes from knowledge and experience
• Two categories:– General Theory– Specific Implementation
• The human body is a set of complex systems– Nervous, Muscular, Cardio
Vascular, Structural• Computers are a set of
complex systems:– Processor, Disk,
Networking, Memory, Logical, Graphics
Systems in Theory
Systems in Reality
• Systems don’t exist in theory
• Implementations are often different than the “ideal”
• Flaws come from:– External forces– Choice
Where’s Vulndo?
• Essential components– Dependencies & Commitments– Relationships & Expectations
• Data Processing– Flow & Recovery
• What isn’t needed• What is “default”
Innate Vulnerabilities
• Every system has vulnerabilities
• Everything is broken!
• Some are more likely to occur than others
Complex reality
• Why don’t things get beat up more often?
• Gedan Budo: It’s not that easy.
• Functional Example
Strategy Goals
• The goal in both attack & defense is the same:– Reduce possibility of being wrong– Increase possibility of being right
• To accomplish this we:– Remove variables– Increase Control– Constantly Adapt
Elements of Strategy
• Target– What am I interacting with
• Distance– How far am I from it
• Timing– When to attack
Target
• What is the closest target I can attack?
• How will I interact with it?
• Why choose it?– Effect of impact– Opportunities to expose other openings
Relative Distance
• To-Ma (Long Distance)
• Uchi-Ma (Striking Distance)
• Chica-Ma (Short Distance)
Timing / Initiative
• All cycles have a beginning, middle and end.
• Our actions related to cyclical timing is called Sen. (Initiative)
• There are three versions of Sen:– Sen Sen no Sen (Superior Initiative)– Sen no Sen (Early Initiative)– Go no Sen (Late Initiative)
Taking Advantage (Waza)
“The nicety of Judo / Aikibudo technique lies not in the action of performing techniques, but rather in the skill with which the preparing is done as a preliminary” – Kenji Tomiki Sensei
Unbalancing (Kuzushi)
• Altering an intended cycle : (Extending, Interrupting)
• Caused by changing any one of the components of the interaction – (target, distance, timing)
崩し
Fitting (Tsukuri)
• Once a cycle has been broken, surrogacy must occur or the system will fail.
• There are two primary points to fitting:– Jibun no Tsukuri (fitting yourself)– Aite no Tsukuri (fitting the other)
作り
Technique (Kake)
• Kake doesn’t mean technique per say, it means to begin.
• This is the nature of the payload itself, what does it do, how does it succeed?
掛け
Story Time!
Summary
• Systems, by their very nature, are vulnerable to manipulation
• Attackers and Defenders have the same toolbox
• Awareness is the essential tool attack and defense
QA