A 0-day’s life
“Offense as Defense”
Panel Discussion – Offensive Markets for Vulnerability Research – Pros and Cons
Donato Ferrante
@dntbug
Washington DC – Feb 2013
Who?
SDonato Ferrante
Sdonato@revuln.com
Stwitter.com/dntbug
SCo-Founder and Principal Security Researcher at ReVuln
Srevuln.com
ReVuln Ltd. 2
Who?
SReVuln Ltd.
S0-day and 1-day vulnerability feeds
SSCADA/HMI security
SPenetration testing
STraining
SConsulting
revuln.com
info@revuln.com
twitter.com/revuln
What do you do?
SAs ReVuln
SWe sell 0-days
SWe sell 1-days
SWe dont buy vulnerabilities. We find them.
SAnd.. we are not evil :]
Agenda
SIntroduction
SWhere does a 0-day come from?
SWhat does a 0-day do?
SHow does a 0-day die?
SConclusion
Introduction I
SWhen we use / We mean
SBug = a software/hardware issue
S0-day = a private/non-public bug
S1-day = a bug usually coming from patch analysis
SExploit = a way to use bugs
Introduction II
SA quick tour through the life of a 0-day
SWe will cover just some aspects of 0-days and exploits
SWe will discuss a way to use offense as defense
SGoal: generate a discussion (and questions)
Agenda
SIntroduction
SWhere does a 0-day come from?
SWhat does a 0-day do?
SHow does a 0-day die?
SConclusion
Where does a 0-day come from?
SVulnerability research
SFuzzing, easy way but they tend to die sooner
SEverybody is fuzzing..
S(Usually) Not a good investment
SCode review, medium way
S(Usually) A good investment
SReversing, hard way but they usually last longer
S(Usually) A good investment
Where does a 0-day come from?
SMalware analysis
SNot actually 0-days, let’s call them 0.5-days
SThey usually tend to die quickly
SYou shouldn’t invest on 0-day coming from malware analysis
SThere are several examples of such 0-days found in the wild
SMila of Contagiodump found several of them in the wild
SExploits kits are good examples of 0.5-day / 1-day collections
SExploits kits’ CVE recap:
S2006-2009, just a few
S2010-2011, more
S2012, more and more
SExploits kits’ targets:
SMainly PDF, Flash and JAVA
SBut even some Office..
ReVuln Ltd. 11
Where does a 0-day come from?
Agenda
SIntroduction
SWhere did a 0-day come from?
SWhat does a 0-day do?
SHow does a 0-day die?
SConclusion
What does a 0-day do?
SNothing per-se
SIt can be used to write code
SIt can be used to write patch
What does a 0-day do?
SPlease be aware of an important point
S0-day and exploit are two different entities
S0-days refer to unpatched and undisclosed bugs
SExploits refer to a way of using/abusing bugs
SWe should reformulate the question..
SWhat does an exploit do?
What does an exploit do?
SIt depends
SIt can be a simple proof-of-concept
SIt can be something more complex
S… it depends on the “user”
SFrom now on, exploits are not meant as proof-of-concepts
What does an exploit do?
SSeveral usages
STesting
SAs proof-of-concept
SAttack
SWell known
SDefense
SWait!
What does an exploit do?
SQuestion: should you use exploits for defense?
What does an exploit do?
SQuestion: should you use 0-days for defense?
What does an exploit do?
SConcept: using exploits for defense (signatures)
What does an exploit do?
SConcept: using exploits for defense (signatures)
SWhy is this sentence wrong?
What does an exploit do?
SConcept: using exploits for defense (signatures)
STo write signatures for AV/IDS/IPS/etc. you dont actually
need a fully working ASLR-DEP-bypass exploit
SYou just need a simple proof-of-concept
What does an exploit do?
SConcept: using exploits for defense (signatures)
SWhat happens if you write your detections on the
techniques” used instead of the actual problem?
SLet’s reason on this question..
What does an exploit do?
S1 bug = n exploits
SGiven 2 exploits (E1, E2) for the same bug
SE1 does ROP, E2 doesn’t
SE1 uses a local payload, E2 uses a remote payload
SThey are obviously different exploits
SBut they do exploit the same bug
What does an exploit do?
SConcept: using exploits for defense (signatures)
SIf a Company works on defense-solutions (IPS/AV/etc):
SIt doesnt usually need the exploit (DEP-ASLR-bypass one..)
SIt needs the 0-day
SInfo
SProof-of-concept
SConcept: using 0-days for defense (signatures)
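The slides above make one concrete defensive point: one bug has n exploits, so a detection keyed on an exploit's technique (its ROP chain, its payload) misses the next exploit for the same bug, while a detection keyed on the bug's trigger condition (the information the 0-day itself gives you) catches all of them. The following Python is an added example, not code from the deck or from ReVuln. It uses a constructed toy record format ("TLV1", made up for this example) with a hypothetical parser that copies a name field into a 16-byte buffer; the two "exploit" samples E1 and E2 are just labelled byte strings, not real exploits. It compares a payload signature against a root-cause signature over a benign file, E1 and E2.

```python
import struct

# Constructed toy record format (not a real file format; made up for this example):
#   magic "TLV1" | 1-byte name length | name bytes | 2-byte little-endian body length | body bytes
MAGIC = b"TLV1"
NAME_BUF_SIZE = 16  # the hypothetical vulnerable parser copies the name into a 16-byte buffer


def build_record(name: bytes, body: bytes) -> bytes:
    """Build a record. Length fields are written as given, so oversized names can be constructed."""
    return MAGIC + bytes([len(name)]) + name + struct.pack("<H", len(body)) + body


def parse_header(data: bytes) -> dict:
    """Parse only what a detector needs; slices are bounds-safe and never trust the lengths for copying."""
    if len(data) < 5 or data[:4] != MAGIC:
        raise ValueError("not a TLV1 record")
    name_len = data[4]
    name = data[5:5 + name_len]
    off = 5 + name_len
    if len(data) < off + 2:
        body_len = 0
    else:
        body_len, = struct.unpack("<H", data[off:off + 2])
    body = data[off + 2:off + 2 + body_len]
    return {"name_len": name_len, "name": name, "body": body}


# Technique/payload signature: bytes that only one particular exploit (E1) happens to carry.
PAYLOAD_SIGNATURE = b"E1-ROP-CHAIN"


def detect_by_payload(data: bytes) -> bool:
    """Signature written from the exploit: matches E1's payload marker and nothing else."""
    return PAYLOAD_SIGNATURE in data


def detect_by_root_cause(data: bytes) -> bool:
    """Signature written from the 0-day: the bug is 'a name longer than the 16-byte buffer is
    accepted', so flag that condition no matter what the rest of the file contains."""
    try:
        hdr = parse_header(data)
    except ValueError:
        return False
    return hdr["name_len"] > NAME_BUF_SIZE


# Constructed samples (labels only; no real exploit content):
BENIGN = build_record(b"report.txt", b"quarterly numbers")
E1 = build_record(b"A" * 40 + b"E1-ROP-CHAIN", b"local-payload-marker")   # "does ROP, local payload"
E2 = build_record(b"B" * 64, b"remote-stage-marker")                      # "no ROP, remote payload"


def evaluate(samples: dict) -> dict:
    """Run both detectors over every sample; returns {name: (payload_hit, root_cause_hit)}."""
    return {n: (detect_by_payload(d), detect_by_root_cause(d)) for n, d in samples.items()}


if __name__ == "__main__":
    for name, (p, r) in evaluate({"benign": BENIGN, "E1": E1, "E2": E2}).items():
        print(f"{name:7s} payload-signature={str(p):5s} root-cause-signature={r}")
```

The payload signature fires only on E1; the root-cause signature fires on E1 and E2 and stays silent on the benign record. That is the whole argument of the slide: the defender needs the bug (the 0-day's trigger condition and a proof-of-concept), not a weaponised exploit.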
What does an exploit do?
SIs there any way to use exploits for “offensive” defense?
SAny ideas?
What does an exploit do?
SIs there any way to use exploits for “offensive” defense?
SAny ideas?
SHINT: don’t think about penetration-testing
What does an exploit do?
SIs there any way to use exploits for “offensive” defense?
SYes. Data exfiltration / Attribution.
What does an exploit do?
SData exfiltration (exfil)
SData exfiltration, also called data extrusion, is the
unauthorized transfer of data from a computer.!
SKey points:
SPrivacy
SConfidentiality
SIntellectual Property
SEtc..
What does an exploit do?
SAttribution
SAttribution, detecting an enemy’s fingerprints on a cyber-attack
SKey points:
SCounter-intelligence
SFingerprints
SEtc..
What does an exploit do?
SProblem, case of study assumptions
STarget data: big files ( i.e. .doc /.xls /.pdf )
SComputer compromised
SSmart way, so no trivial hooks on APIs etc
SLet’s say in a smart and professional way
SNetwork compromised
SNot sure if the traffic you see is the real one
What does an exploit do?
SProblem, case of study goals
SBe able to spot exfil events
SBe able to (reasonably) detect the attacker’s identity
What does an exploit do?
SExfil/Attribution problems, possible solution
SAny ideas?
What does an exploit do?
SExfil/Attribution problems, possible solution
SWrite a “call-back-home” exploit, able to..
SGather fingerprints (locations, docs, etc.)
SDeploy the exploit in your sensitive documents
SDon’t need to use fake documents, they recognize them
SWelcome Exploit-based “watermarking”
SWait for a “call”..
What does an exploit do?
SExploit-based watermarking
SUse exploits as a sort of “watermark”, for your defense
SA way to counter-attack or better…
SIf you prefer Counter-intelligence
What does an exploit do?
SExploit-based watermarking considerations
SIt can be expensive, if you use 0-days
SIt can be cheaper, if you use 1-days
SBut, money-wise you are very likely to get your return…
What does an exploit do?
SExploit-based watermarking considerations
SAt some point the exfil’ed document will be opened in a wrong place
Si.e. not inside a VM without network connections..
SWhy? Attackers are humans too, at some point they will fail
SAnd especially …
What does an exploit do?
SExploit-based watermarking considerations
STechnical people “can’t read” the documents they get
SSo a non-technical person will have to access the documents
Si.e. a person knowledgeable in the topic of the exfil’ed documents
SNon-technical person ~ 99% fail rate
SUsing non-updated software versions
SUsing “popular” software
SHaving almost no knowledge about security
SEtc.
Agenda
SIntroduction
SWhere does a 0-day come from?
SWhat does a 0-day do?
SHow does a 0-day die?
SConclusion
How does a 0-day die?
S0-days dont like to go public
SMailing lists
SMail to vendors
SEtc.
S0-days tend to approach death
SBecause of possible detections, when used in
SExploits
SMalware
How does a 0-day die?
SWhy do people like killing bugs?
SThey dont like animals
SThey work for vendors
SFame
SFun
SMoney?
How does a 0-day die?
SMoney?
SThis is an interesting point
SVendors usually pay for 0-days via bug-bounty programs
S(Usually) A way to “underpay” researchers valuable work
SA bug reported to the vendor is a dead bug
SA 1-time only sale
SThe points above should be kept in consideration while defining the
rewards for bug-bounty programs
Agenda
SIntroduction
SWhere does a 0-day come from?
SWhat does a 0-day do?
SHow does a 0-day die?
SConclusion
Conclusion
SExploits are for offense
SYou dont need exploits for defense
SAs long as defense doesnt mean “offensive” defense
S0-days are for both: defense and offense
SThey give you ways to detect possible exploits
SThey give you the info to write exploits
SThink at least 100 times before killing a bug :]
Thanks! Questions?
SDonato Ferrante
Sdonato@revuln.com
Stwitter.com/dntbug
revuln.com
info@revuln.com twitter.com/revuln
Invincibility lies in the defense,
the possibility of victory in the attack.