Security Technology Arms Race 2021 - Medal Event


Hack In The Box Security Conference via YouTube


Classroom Contents


  1. Intro
  2. Security was not a primary design concern at the outset • Unsigned code was the default mode of operation • Devices do not have open and attestable codebases • We rely on legacy design decisions ofte…
  3. Security boundaries were sometimes ill defined and/or moved as technology progressed • Lock screens • Admin loading a kernel driver • Windows desktops
  4. A lot of security science was in its infancy • Vulnerability patterns + attack strategies • Static analysis and decompilation • Fuzzing methodologies • Best programming practices
  5. Defensive ecosystem started small • Difficulty of patch management / updating Third party libraries especially • Difficulty of detecting (sophisticated) attacks and compromise
  6. Technology breakthroughs sometimes undermine defensive strategies and assumptions • Encryption and hashing breakthroughs (MD5)
  7. The perfect storm for offense • Motivation • Relatively low cost
  8. Discovery cost is rarely linear • Large start cost to find first bug, following bugs much quicker • Same with development cost • Develop a technique or bypass, reuse • Halvar Flake discussed this concept…
  9. Major discovery costs: • Improved vendor bug discovery
  10. Major development costs
  11. Maintenance as an ongoing cost is rarely discussed • Software releases are frequent (4-6 weeks cycle) • Keeping an exploit operational is a lot of work • "Stockpiling" is largely a myth specifically bec…
  12. Isolation has been the primary cause of dramatically increased cost • Multiplier effect: Each link in the chain requires a new discovery + development cost
  13. Example: There is no market for stolen iPhones (And: if you lose your iPhone, the chances of a stranger being able to unlock it are practically zero) • Even LEO might have trouble
  14. Modern iPhone browser chain limitations • Cannot inject into other processes without PPL bypass • Retaining access on reboot is very challenging
  15. Detection has historically been very poor • Figure out a signature, work around it • Vendors have the advantage of scale to detect anomalies • Microsoft Defender for Endpoint
  16. Sandboxing is effective • Constrained to limited privileges • Might be able to break it periodically, but not continuously
  17. CFI is increasingly effective to prevent execution
  18. Data Pointer Integrity (DPI) has landed* • MTE will likely follow on multiple platforms
  19. Most early stage mitigations are limited to 1 or 2 bug classes • Render some vulnerabilities useless • Data PAC and MTE are game changers • Early stage mitigation that potentially applies to everything
  20. Defensive Advantage: Detection of compromise becomes easier • If telemetry runs with more privileges than offensive tooling can obtain, it is harder to evade
  21. Historically, memory corruption is the favoured technique • Applicable to most technologies and attack vectors • Often most powerful (unfettered access to function and data) • Difficult to detect and…
  22. Cryptography Flaws • Cryptography underpins nearly all current security technology in one form or another in every layer of the technology stack
  23. Potential to: • Eavesdropping and payload delivery (browser/chat) • Bypassing code signing and trusted boot
  24. Protocol Attacks • Revisiting and examining new network protocol attacks has potential, particularly when coupled with other flaws
  25. One of offense's initial advantages was the reliance on legacy design principles for secure computing • Is offense starting to incur a similar cost?
  26. Offensive tools are often written to be deployed based on various assumptions • Most interesting traffic is on an open and distributed internet
  27. (1) Memory corruption is still the most effective strategy for offense, but its advantages are eroding (2) Increasingly, offense will replace memory corruption components with other logic flaws (3) Defens…
