
YouTube

Security Technology Arms Race 2021 - Medal Event

Hack In The Box Security Conference via YouTube

Overview

Explore a comprehensive keynote address from the Hack In The Box Security Conference that delves into the ongoing security technology arms race as of 2021. Learn about the evolution of internet security, from its initial oversight to becoming a critical concern for governments, organizations, and individuals worldwide. Examine the intricate balance between offensive ingenuity and defensive mitigation in cybersecurity. Gain insights into the history of vulnerability patterns, attack strategies, and defensive ecosystems. Discover how technological breakthroughs have both undermined and strengthened security measures. Analyze the economics of cyber attacks, including discovery costs, development expenses, and ongoing maintenance. Understand the impact of isolation techniques, sandboxing, and modern detection methods on cybersecurity. Explore the effectiveness of various defensive strategies, including Control Flow Integrity (CFI) and Data Pointer Integrity (DPI). Investigate the potential future of cyber attacks, including cryptography flaws and protocol attacks. Reflect on the changing landscape of offensive and defensive cybersecurity measures and their implications for the future of internet security.

Syllabus

Intro

Security was not a primary design concern at the outset
• Unsigned code was the default mode of operation
• Devices do not have open and attestable codebases
• We rely on legacy design decisions often now with some level of

Security boundaries were sometimes ill defined and/or moved as technology progressed
• Lock screens
• Admin loading a kernel driver
• Windows desktops

A lot of security science was in its infancy
• Vulnerability patterns + attack strategies
• Static analysis and decompilation
• Fuzzing methodologies
• Best programming practices

Defensive ecosystem started small
• Difficulty of patch management / updating, third-party libraries especially
• Difficulty of detecting (sophisticated) attacks and compromise

Technology breakthroughs sometimes undermine defensive strategies and assumptions
• Encryption and hashing breakthroughs (MD5)

The perfect storm for offense
• Motivation
• Relatively low cost

Discovery cost is rarely linear
• Large start cost to find the first bug, following bugs much quicker
• Same with development cost: develop a technique or bypass, reuse
• Halvar Flake discussed this concept in depth in a 2017 keynote

Major discovery costs:
• Improved vendor bug discovery

Major development costs

Maintenance as an ongoing cost is rarely discussed
• Software releases are frequent (4-6 week cycle)
• Keeping an exploit operational is a lot of work
• "Stockpiling" is largely a myth, specifically because of this cost

Isolation has been the primary cause of dramatically increased cost
• Multiplier effect: each link in the chain requires a new discovery + development cost

Example: There is no market for stolen iPhones
• (And: if you lose your iPhone, the chances of a stranger being able to unlock it are practically zero)
• Even LEO might have trouble

Modern iPhone browser chain limitations
• Cannot inject into other processes without a PPL bypass
• Retaining access on reboot is very challenging

Detection has historically been very poor
• Figure out a signature, work around it
• Vendors have the advantage of scale to detect anomalies
• Microsoft Defender for Endpoint

Sandboxing is effective
• Constrained to limited privileges
• Might be able to break it periodically, but not continuously

CFI is increasingly effective to prevent execution

Data Pointer Integrity (DPI) has landed*
• MTE will likely follow on multiple platforms

Most early stage mitigations are limited to 1 or 2 bug classes
• Render some vulnerabilities useless
• Data PAC and MTE are game changers: early stage mitigation that potentially applies to everything

Defensive Advantage: Detection of compromise becomes easier
• If telemetry runs with more privileges than offensive tooling can obtain, it is harder to evade

Historically, memory corruption is the favoured technique
• Applicable to most technologies and attack vectors
• Often most powerful (unfettered access to function and data)
• Difficult to detect and stop

Cryptography Flaws
• Cryptography underpins nearly all current security technology in one form or another, in every layer of the technology stack
• Potential for: eavesdropping and payload delivery (browser/chat); bypassing code signing and trusted boot

Protocol Attacks
• Revisiting and examining new network protocol attacks has potential, particularly when coupled with other flaws

One of offense's initial advantages was the reliance on legacy design principles for secure computing
• Is offense starting to incur a similar cost?

Offensive tools are often written to be deployed based on various assumptions
• Most interesting traffic is on an open and distributed internet

1. Memory corruption is still the most effective strategy for offense, but its advantages are eroding
2. Increasingly, offense will replace memory corruption components with other logic flaws
3. Defense profits by improved detection facilities as a result of less powerful offensive toolkits, and moving to the cloud
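The CFI and Data Pointer Integrity slides above say what the two mitigations achieve but not what they actually check. The following C program is an added example, not material from the keynote or from HITB: it models both on a small victim object holding one code pointer and one data pointer. CFI is a lookup of the indirect-call target in a hand-written set of valid targets (a compiler scheme derives that set from function types). DPI is a PAC-style signature in the unused high bits of the pointer, computed with a throwaway keyed mix under an assumed key (not the ARMv8.3 QARMA primitive) over the pointer and a context, here the address of the field holding it. The attacker's overwrite is simulated by writing the fields directly, so the program has no undefined behaviour; names such as `session`, `toy_pac`, `outcome` and `counter_secret` are illustrative.

```c
/* Added example, not from the keynote: a toy model of two mitigations the slides
 * name, Control Flow Integrity (CFI) and PAC-style data pointer integrity (DPI).
 * The "PAC" is a throwaway keyed mix, not ARMv8.3's QARMA, and the attacker's
 * overwrite is simulated; what matters is what each check catches. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*handler_t)(int);
static int handler_add(int x) { return x + 1; }
static int handler_dbl(int x) { return x * 2; }
static int attacker_gadget(int x) { (void)x; return -1; } /* attacker-chosen target */

/* CFI: an indirect call may only land on a known-valid target. A compiler scheme
 * derives this set from function types at link time; it is hand-written here. */
static const handler_t cfi_targets[] = { handler_add, handler_dbl };
#define CFI_VIOLATION (-0x7fff) /* returned instead of aborting, to stay observable */

static bool cfi_check(handler_t target)
{
    for (size_t i = 0; i < sizeof cfi_targets / sizeof cfi_targets[0]; i++)
        if (cfi_targets[i] == target) return true;
    return false;
}
static int guarded_call(handler_t fp, int arg) { return cfi_check(fp) ? fp(arg) : CFI_VIOLATION; }

/* DPI: a pointer carries a MAC over (address, context) in its unused high bits. */
#define PAC_SHIFT 48
#define PAC_MASK  (0xffffULL << PAC_SHIFT)      /* spare bits of a 48-bit VA */
static const uint64_t pac_key = 0x5DEECE66DULL; /* assumed per-process secret */

static uint16_t toy_pac(uint64_t addr, uint64_t ctx)
{
    uint64_t v = (addr ^ ctx) * pac_key;       /* throwaway mix, not QARMA */
    v ^= v >> 29; v *= 0x9E3779B97F4A7C15ULL; v ^= v >> 32;
    return (uint16_t)v;
}
static uint64_t pac_sign(uint64_t addr, uint64_t ctx)
{
    addr &= ~PAC_MASK;
    return addr | ((uint64_t)toy_pac(addr, ctx) << PAC_SHIFT);
}
/* Bare address on success, 0 on failure (hardware instead yields a poisoned
 * pointer that faults on use, which is what makes the corruption detectable). */
static uint64_t pac_auth(uint64_t sp, uint64_t ctx)
{
    uint64_t addr = sp & ~PAC_MASK;
    return (uint16_t)(sp >> PAC_SHIFT) == toy_pac(addr, ctx) ? addr : 0;
}

/* Victim object: one code pointer (CFI's concern), one data pointer (DPI's). */
struct session { char name[16]; handler_t on_event; uint64_t data; };
static int counter_public = 7;    /* what `data` legitimately points at */
static int counter_secret = 1234; /* where the attacker wants `data` to point */

static void session_init(struct session *s)
{
    memset(s, 0, sizeof *s);
    strcpy(s->name, "alice");
    s->on_event = handler_add;
    /* The field's own address is the signing context (a PAC address
     * discriminator): the signature is valid only in this slot of this object. */
    s->data = pac_sign((uint64_t)(uintptr_t)&counter_public, (uint64_t)(uintptr_t)&s->data);
}

/* Simulated write primitive. An overflow of `name` would reach the same fields;
 * writing them directly keeps the program free of undefined behaviour. The forged
 * data pointer reuses the legitimate signature bits, a substitution attempt. */
static void corrupt(struct session *s)
{
    s->on_event = attacker_gadget;
    s->data = ((uint64_t)(uintptr_t)&counter_secret) | (s->data & PAC_MASK);
}
enum { NONE, CFI, DPI };

/* Runs one scenario and returns what the program observes. */
int outcome(bool corrupted, int mitigation)
{
    struct session s;
    session_init(&s);
    if (corrupted) corrupt(&s);
    switch (mitigation) {
    case CFI: return guarded_call(s.on_event, 1);  /* refused unless target is valid */
    case DPI: {                                     /* authenticate before dereferencing */
        uint64_t p = pac_auth(s.data, (uint64_t)(uintptr_t)&s.data);
        return p ? *(int *)(uintptr_t)p : -1;
    }
    default:  return s.on_event(1);                 /* follows whatever the field holds */
    }
}

int main(void)
{
    printf("intact:    call=%d cfi=%d data=%d\n",
           outcome(false, NONE), outcome(false, CFI), outcome(false, DPI));
    printf("corrupted: call=%d cfi=%d data=%d\n",
           outcome(true, NONE), outcome(true, CFI), outcome(true, DPI));
    return 0;
}
```

With the object intact all three paths behave the same. After the overwrite, the unmitigated dispatch simply runs the attacker's target; the CFI path refuses the call because `attacker_gadget` is not in the valid-target set, regardless of what was written; and the DPI path rejects the forged data pointer because its signature was computed over a different address, even though the signature bits were copied from the legitimate pointer. The toy shows the limits too: the signature tag is short, so a forgery that guesses it succeeds with probability 2^-16 per attempt here, which is why the real mechanism turns a failed authentication into a fault rather than a silent retry, and why it addresses the "unfettered access to function and data" bullet on the memory corruption slide rather than the underlying bug class.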

Taught by

Hack In The Box Security Conference
