Vulnerability and Exploit Trends: Combining behavioral analysis and OS defenses to combat emerging threats
Cody Pierce, Director of Vulnerability Research
About myself
• 6 years researching vulnerabilities at Endgame
• 4 years as a senior researcher for TippingPoint Zero Day Initiative
• Discovered dozens of vulnerabilities in major vendor software for over a decade
Vulnerabilities do not compromise systems. An exploit is needed to effectively demonstrate the
impact of flaws.
Sample
• Vulnerabilities covering 2006 - 2014
• NVD CVE XML data set
• CVSS Score Medium+
• Counted vendors have a minimum of 5 CVE per year or 15 CVE total
• Category grouping using CWE (Common Weakness Enumeration)
• Exploits cross-referenced by CVE ID with Metasploit, Core Impact, and Canvas
Sample Size
• 18,027 Qualifying CVE Entries (34% of Total CVE Entries)
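To make the sampling rules concrete, here is an added Python example (not code from the talk or from Endgame) that applies them to a constructed set of CVE-like records: a CVSS floor of 4.0 (NVD's "Medium" threshold), the 5-per-year-or-15-total vendor rule, grouping of CWE ids into the talk's category names, and a cross-reference against constructed stand-ins for the Metasploit, Core Impact and Canvas coverage lists. The record fields, the CWE-to-category map, the exploit lists and every CVE id below are assumptions or constructed data; applying the vendor rule after the CVSS filter is also an assumption, since the slide does not say which set the vendor counts are taken over.

```python
"""Added example: apply the talk's sampling rules to a constructed CVE set.

Not the talk's or Endgame's code. Record fields, the CWE-to-category map and
the exploit lists are assumptions; the data below is constructed, not NVD data.
"""
from collections import Counter, defaultdict

# CWE ids mapped to the category names used in the talk (mapping is an assumption).
CWE_CATEGORY = {
    "CWE-119": "Buffer Mismanagement",
    "CWE-416": "Resource Management/Use After Free",
    "CWE-79": "Cross Site Scripting",
    "CWE-89": "SQL Injection",
    "CWE-20": "Input Validation",
}


def _rec(n, year, vendor, cvss, cwe):
    """Build one constructed CVE-like record with the fields the filters need."""
    return {"id": f"CVE-{year}-{n:04d}", "year": year, "vendor": vendor,
            "cvss": cvss, "cwe": cwe}


# Constructed records (ids are fabricated and do not refer to real CVEs).
CVE_RECORDS = (
    # acme: 6 medium+ entries in 2012 -> qualifies on the "5 per year" rule
    [_rec(i, 2012, "acme", 7.5, "CWE-119") for i in range(1, 5)]
    + [_rec(5, 2012, "acme", 5.0, "CWE-79"), _rec(6, 2012, "acme", 6.8, "CWE-416")]
    # acme also has a low-severity entry that the CVSS floor removes
    + [_rec(7, 2012, "acme", 2.1, "CWE-20")]
    # smallco: 3 + 2 entries -> neither 5 in a year nor 15 in total, dropped
    + [_rec(i, 2011, "smallco", 9.3, "CWE-119") for i in range(201, 204)]
    + [_rec(i, 2013, "smallco", 5.0, "CWE-89") for i in range(301, 303)]
    # bigco: 3 per year over 5 years -> 15 total, qualifies on the "15 total" rule
    + [_rec(i, y, "bigco", 6.5, "CWE-20") for y in range(2009, 2014) for i in range(101, 104)]
)

# Constructed stand-ins for the Metasploit / Core Impact / Canvas coverage lists.
EXPLOIT_DB = {
    "metasploit": {"CVE-2012-0001", "CVE-2012-0002"},
    "core_impact": {"CVE-2012-0001", "CVE-2009-0101"},
    "canvas": {"CVE-2011-0201"},   # smallco entry; falls outside the sample
}


def qualifying_vendors(records, per_year=5, total=15):
    """Vendors with >= per_year entries in some year or >= total entries overall."""
    by_vendor_year = Counter((r["vendor"], r["year"]) for r in records)
    by_vendor = Counter(r["vendor"] for r in records)
    ok = {v for (v, _), n in by_vendor_year.items() if n >= per_year}
    ok |= {v for v, n in by_vendor.items() if n >= total}
    return ok


def select_sample(records, min_cvss=4.0):
    """CVSS floor first (4.0 is NVD's 'Medium' threshold), then the vendor rule.
    Applying the vendor rule after the CVSS filter is an assumption."""
    scored = [r for r in records if r["cvss"] >= min_cvss]
    vendors = qualifying_vendors(scored)
    return [r for r in scored if r["vendor"] in vendors]


def cwe_distribution(records):
    """Percentage of the sample per CWE category, rounded like the pie chart labels."""
    counts = Counter(CWE_CATEGORY.get(r["cwe"], "Other") for r in records)
    n = sum(counts.values())
    return {cat: round(100 * c / n) for cat, c in counts.items()}


def exploited_entries(records, exploit_db):
    """Records whose CVE id appears in at least one exploit framework list."""
    covered = set().union(*exploit_db.values())
    return [r for r in records if r["id"] in covered]


def exploits_per_year(records, exploit_db):
    """Per-year totals behind a 'CVEs compared to CVE exploits' chart."""
    per_year = defaultdict(lambda: {"total": 0, "exploited": 0})
    for r in records:
        per_year[r["year"]]["total"] += 1
    for r in exploited_entries(records, exploit_db):
        per_year[r["year"]]["exploited"] += 1
    return dict(per_year)


if __name__ == "__main__":
    sample = select_sample(CVE_RECORDS)
    print(len(sample), "qualifying entries of", len(CVE_RECORDS))
    print(cwe_distribution(sample))
    print(exploits_per_year(sample, EXPLOIT_DB))
```

Run against a real NVD feed, the only parts that change are the record loader and the exploit lists; the filters and the per-year aggregation stay the same, which is what makes the sample reproducible.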
[Chart: Total CVEs over time, 2006-2014. Y-axis: Number of CVEs (0 to 3,500).]
Total CWE distribution
• Resource Management/Use After Free: 10%
• Race Condition: 1%
• Cross-Site Request Forgery (CSRF): 2%
• Cryptographic Issues: 3%
• Improper Authentication/Authentication Bypass: 3%
• Privilege Escalation: 13%
• Credentials Management: 1%
• Credential Management: 0%
• Information Exposure: 5%
• Information Management Errors: 0%
• Numeric Errors: 5%
• Format String: 0%
• Buffer Mismanagement: 21%
• Code Injection: 5%
• SQL Injection: 4%
• Cross Site Scripting: 11%
• Command Injection/Shell Injection: 0%
• Command Injection: 0%
• Input Validation: 0%
• Link Following/Symlink Attack: 1%
• Path Traversal: 2%
• Input Validation: 12%
• Data Handling: 0%
• Design Flaw: 0%
• Configuration: 1%
[Chart: Sampling of CWE over time, 2006-2014. Series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection. Y-axis: Number of CVEs (0 to 700).]
Observation
Vulnerability discoveries are increasing but category distribution appears consistent
Why?
An increase in the size of the security community, together with advances in tools and techniques, has led to the increase in vulnerability discoveries
[Chart: CVEs compared to CVE exploits, 2006-2014. Series: Exploited CVE, Total CVE. Y-axis: Number of CVEs (0 to 3,500).]
Exploited CWE distribution
• Resource Management/Use After Free: 6%
• Race Condition: 1%
• Cross-Site Request Forgery (CSRF): 0%
• Cryptographic Issues: 1%
• Improper Authentication/Authentication Bypass: 2%
• Privilege Escalation: 10%
• Credentials Management: 1%
• Information Exposure: 2%
• Numeric Errors: 3%
• Format String: 1%
• Buffer Mismanagement: 38%
• Code Injection: 14%
• SQL Injection: 2%
• Cross Site Scripting: 1%
• Command Injection/Shell Injection: 2%
• Command Injection: 0%
• Link Following/Symlink Attack: 0%
• Path Traversal: 5%
• Input Validation: 11%
• Data Handling: 0%
• Configuration: 1%
[Chart: Sampling of exploited CWE over time, 2006-2014. Series: Auth Bypass, Buffer Mismanagement, Privilege Escalation, Input Validation, SQL Injection. Y-axis: Number of CVEs (0 to 60).]
Observation
The number of public exploits is small and in relative decline compared to vulnerabilities
Why?
• Few – or zero – exploits are needed to have an effective arsenal
• Unpatched and misconfigured systems are the norm. No reason to make new exploits when old ones still work!
• Writing exploits is getting harder and more expensive
Exploit mitigations
Exploit mitigations are very effective and can often prevent 0day attacks.
Proper implementation has directly led to a relative decline in exploit development.
19 types of mitigations available today ???
Why am I still getting hacked?
Mitigations typically only apply to memory corruption vulnerabilities.
It’s hard enough to patch and properly configure software, much less upgrade compilers, applications, and operating systems.
Exploitation often has a characteristic behavior. Using these behaviors we can increase the detection and prevention of a greater number of flaws on current and legacy systems.
Behavior analysis
Exploit Indicators (Process/Thread creation)
Behavior
• Abnormal process creation
• New thread entry point outside of loaded modules' code section
Intent
• Stage next phase of persistence or privilege escalation
• Avoid user detection
Attackers spawn malicious code in new contexts.
Exploit Indicators (Library Usage)
Behavior
• Loading non-ASLR libraries
• Loading DLLs over the network into memory
• Loading abnormal libraries
Intent
• Bypassing mitigations
• Exploit vulnerabilities in legacy components
• Exploit vulnerabilities in library loading
Attackers use weaknesses in legacy libraries to exploit software and bypass mitigations.
Exploit Indicators (Memory Usage)
Behavior
• Abnormal memory usage
• Allocations of consistent sizes
• Large contiguous memory blocks
• Executable memory
Intent
• Reliably corrupt memory
• Control Use After Free conditions
• Create predictable addresses
Attackers often have to control the memory layout of software being exploited.
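The three indicator families above (process/thread creation, library usage, memory usage) translate directly into checks over per-process telemetry. The following is an added Python example, not code from the talk or from Endgame, that evaluates those checks against a constructed process snapshot: a new thread whose entry point lies in no loaded module, modules that opted out of ASLR or were loaded from a network path, and allocation patterns (many identical sizes, very large blocks, executable memory). The `Module`/`Snapshot` shapes, the `aslr` flag, the thresholds and every address and path are assumptions chosen for illustration; real telemetry would come from an endpoint sensor.

```python
"""Added example: evaluate the talk's exploit indicators over a constructed
process snapshot. Not the talk's or Endgame's code; data shapes, thresholds
and all addresses/paths are assumptions."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Module:
    name: str
    base: int        # load address
    size: int        # mapped size in bytes
    aslr: bool       # True if the image opted into ASLR (assumed metadata field)
    path: str        # path the loader resolved the image from


@dataclass
class Snapshot:
    pid: int
    modules: list            # list[Module] currently mapped in the process
    thread_entries: list     # entry points of newly created threads
    allocations: list        # (size_in_bytes, executable) for recent allocations


def module_containing(addr, modules):
    """Return the module whose mapping contains addr, or None if it is unbacked."""
    for m in modules:
        if m.base <= addr < m.base + m.size:
            return m
    return None


def thread_indicators(snap):
    """Process/thread creation: threads whose entry point is outside every loaded module."""
    return [hex(a) for a in snap.thread_entries if module_containing(a, snap.modules) is None]


def library_indicators(snap):
    """Library usage: non-ASLR images and images loaded from a UNC share or URL."""
    found = []
    for m in snap.modules:
        if not m.aslr:
            found.append(f"non-ASLR module {m.name}")
        lowered = m.path.lower()
        if lowered.startswith("\\\\") or lowered.startswith(("http://", "https://", "webdav")):
            found.append(f"network-loaded module {m.name} from {m.path}")
    return found


def memory_indicators(snap, repeat_threshold=16, large_bytes=32 * 1024 * 1024):
    """Memory usage: many allocations of one size, very large blocks, executable memory."""
    found = []
    sizes = Counter(size for size, _ in snap.allocations)
    for size, n in sizes.items():
        if n >= repeat_threshold:
            found.append(f"{n} allocations of identical size {size}")
    for size, executable in snap.allocations:
        if size >= large_bytes:
            found.append(f"large contiguous allocation of {size} bytes")
        if executable:
            found.append(f"executable allocation of {size} bytes")
    return found


def evaluate(snap):
    """Collect every indicator family for one process; an empty dict means nothing abnormal."""
    report = {
        "process/thread": thread_indicators(snap),
        "library usage": library_indicators(snap),
        "memory usage": memory_indicators(snap),
    }
    return {family: hits for family, hits in report.items() if hits}


# Constructed module map shared by both snapshots (addresses and paths are made up).
BASE_MODULES = [
    Module("app.exe", 0x00400000, 0x00100000, True, r"C:\Program Files\App\app.exe"),
    Module("ntdll.dll", 0x77000000, 0x00180000, True, r"C:\Windows\System32\ntdll.dll"),
]

# A quiet process: every thread starts inside a module, ordinary allocations.
BENIGN = Snapshot(
    pid=1000,
    modules=BASE_MODULES,
    thread_entries=[0x00401000, 0x77010000],
    allocations=[(4096, False), (65536, False), (8192, False)],
)

# A process exhibiting all three indicator families at once (constructed).
SUSPICIOUS = Snapshot(
    pid=1001,
    modules=BASE_MODULES + [
        Module("legacy.dll", 0x10000000, 0x00050000, False, r"C:\Program Files\App\legacy.dll"),
        Module("helper.dll", 0x6F000000, 0x00020000, True, r"\\fileserver.example\share\helper.dll"),
    ],
    thread_entries=[0x00401000, 0x0A0B0C0D],
    allocations=[(0x100000, False)] * 20 + [(64 * 1024 * 1024, False), (4096, True)],
)


if __name__ == "__main__":
    for snap in (BENIGN, SUSPICIOUS):
        print(snap.pid, evaluate(snap) or "no indicators")
```

Each family on its own is noisy (JIT engines allocate executable memory, some legitimate images still ship without ASLR), which is why the slides frame these as indicators to correlate rather than single-shot alerts; the `evaluate` report keeps the families separate so a scoring layer can weigh how many fire together.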
Behavioral Analysis
• Is complementary to mitigations
• Detects and prevents exploitation of unknown threats
• Correlates environmental data like network flows
• Adapts through additional modeling
Key Takeaways
• Vulnerability discoveries are increasing
• Exploitation of some vulnerability categories is on the decline
• A small exploit arsenal is still effective
• Mitigations have raised the difficulty of memory corruption exploitation
• Exploitation, malware, and adversarial behaviors often generate a signal
• Abnormal behavioral monitoring can add to the defensive posture of systems
For more information contact: [email protected]