Paper review - May 2013

13 May 2013

I'm going to start publishing summaries here of papers I read that are interesting, pointing out the highlights I read. I have a lot of catching up to do, and sometimes I don't find out about a paper until later, so I will be reviewing some older papers here as well, but I'll make sure to include dates. Let me know if these summaries are interesting to you by contacting me at 0xdabbad00 on gmail and twitter!

Mitigating Software Vulnerabilities

Microsoft paper, July 2011, Authors: Matt Miller, Tim Burrell, Michael Howard

  • Great tables showing mitigations (DEP, ASLR, SEHOP and others) available for different versions of Windows, Visual Studio compilers, and versions of IE and Office. Shows when different technologies were introduced.
  • Describes the economics of exploitation and how these mitigations drive up costs for an attacker, using 3 tactics:
    • Enforce invariants: "Invalidate an attacker's implicit assumptions" - DEP, SEHOP
    • Create artificial diversity: ASLR
    • Leverage knowledge deficits: /GS (stack cookies)
  • "There are no known exploits for stack-based vulnerabilities that have been capable of bypassing the combination of /GS, SEHOP, DEP, and ASLR."
  • "No exploits have been observed in the wild that rely on corrupting heap metadata and target Windows Vista and beyond." Note this statement is only relevant to "heap metadata" corruptions.
  • Links to this great presentation (video and audio, but no slides, 45min) from Matt Miller, BlueHat v8: Mitigations Unplugged

Low-level Software Security: Attacks and Defenses

Microsoft paper, November 2007, Author: Ulfar Erlingsson

Describes memory corruption attacks, but more importantly to me, describes defenses (and their performance impacts) which are:

  1. "Checking Stack Canaries on Return Address" - This is /GS. Discusses how this protection is not applied to all functions: for performance reasons, heuristics decide which functions get it, and this allowed for the ANI vulnerability.
  2. "Moving function-local variables below stack buffers" - Compiler can rearrange variables on the stack so a buffer overflow will not over-write other variables.
  3. "Make data not be executable as machine code" - DEP
  4. "Enforcing control-flow integrity on code exe" - The concept here is that for things like C structs that contain function pointers, if you happen to know that a pointer can only be one of some set of possible values, you can check it against that set, so it cannot be over-written with an arbitrary function address and subsequently executed.
  5. "Encrypting addresses in code and data pointers" - Even though a function pointer might be over-written, encrypt it so that the attacker doesn't know what value to over-write it with. This concept is used on Vista's heap metadata.
  6. "Randomizing the layout of code and data in memory" - ASLR
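
Defenses 4 and 5 from the list above, combined in one dispatch routine, as an added example that is not code from the paper or from this post. The handler names, `struct widget` and the fixed `pointer_key` are assumptions made for illustration; the overwrites in `main` are simulated by plain assignment.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

static int handler_double(int x) { return x * 2; }
static int handler_negate(int x) { return -x; }
static int not_a_handler(int x) { return x + 1000; } /* real code, never a legal target here */

/* Defense 4: the legal targets of this indirect call are known in advance. */
static const handler_fn allowed[] = { handler_double, handler_negate };

static int is_allowed_target(handler_fn fn) {
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (allowed[i] == fn) return 1;
    return 0;
}

/* Defense 5: the pointer is stored XORed with a per-process secret.
 * Constructed demo constant; a real key comes from the OS random source at startup. */
static const uintptr_t pointer_key = (uintptr_t)0x5bd1e995a3c4f17bULL;

static uintptr_t encode_ptr(handler_fn fn) { return (uintptr_t)fn ^ pointer_key; }
static handler_fn decode_ptr(uintptr_t v) { return (handler_fn)(v ^ pointer_key); }

struct widget {
    char name[16];              /* an overflow of this buffer reaches the field below */
    uintptr_t encoded_handler;  /* never holds a raw code address */
};

/* Decode, validate, then call. Returns 0 and sets *out on success, -1 if rejected. */
static int checked_dispatch(const struct widget *w, int arg, int *out) {
    handler_fn fn = decode_ptr(w->encoded_handler);
    if (!is_allowed_target(fn)) return -1;
    *out = fn(arg);
    return 0;
}

int main(void) {
    struct widget w = { "demo", encode_ptr(handler_double) };
    int out = 0, rc = checked_dispatch(&w, 21, &out);
    printf("intact pointer:    rc=%d out=%d\n", rc, out);
    w.encoded_handler = (uintptr_t)not_a_handler;   /* simulated overwrite, key unknown */
    printf("raw overwrite:     rc=%d\n", checked_dispatch(&w, 21, &out));
    w.encoded_handler = encode_ptr(not_a_handler);  /* simulated overwrite, key leaked */
    printf("encoded, off-list: rc=%d\n", checked_dispatch(&w, 21, &out));
    return 0;
}
```

The third case shows why the two defenses are layered: if the key leaks, the encoded value decodes to valid code, and only the target-set check still rejects it.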

TASK FORCE REPORT: Resilient Military Systems and the Advanced Cyber Threat

Defense Science Board, January 2013, dozens of authors, approx 90 pages.

  • Categorizes adversaries into:
    1. Those that can take advantage of known threats.
    2. Those that can find 0-days
    3. Those that can create vulnerabilities in systems (Tier V-VI threats)
  • The only countries capable of creating vulnerabilities, according to the report, are Russia, China, and the US. Those that create vulnerabilities are basically those that can modify the supply chain or leverage insiders, and they are willing to spend billions of dollars and years to do so. Provides the example of The Gunman Project. According to the report, these advanced threats require the US to spy on adversaries in order to know about them at all.
  • Section 8 is the most interesting part to read, as it discusses "Enhancing Defenses to Thwart Low- and Mid-Tier Threats", and provides a success story of how this has been accomplished in the Dept of State. See pages 59-62, which describe:
    • "Automate Patch and Threat Management Functions" states "Over time, fewer staff should be needed to maintain software patches and network configurations, allowing a shift in effort toward hunting adversaries who have penetrated our networks. Most of the COTS technologies available today have user interfaces that allow high levels of flexibility for determining what is deemed unusual network behavior, allowing system administrators to adjust and adapt the monitoring systems as threats evolve."
    • "Audit to the Enterprise Standard" - Discusses improvement of security posture not only in terms of technical solutions but also through "peer pressure" by grading personnel and holding managers responsible.
    • "Build Network Recovery Capability" - Advocates having a back-up network and systems to use while kicking an adversary out of one network.
    • "Recover to a Known (Trusted) State" - Have the ability to rapidly revert to back-ups.
  • Like much of the thought leadership occurring in cyber, it advocates better defined career paths for "cyber warriors". You can tell this doc is gov focused, as it mentions "cyber" repeatedly (911 times!).
  • Strong focus in the report on nuclear. Discusses how US nuclear defense should be a guide for how cyber could be similarly organized and implemented (isolated and very different than other capabilities).