Advanced Persistent Response
Peleus Uhley | Platform Security Strategist
© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

Outline
Background
Analyzing threat
Finding resources
Planning a response
Tool release
Conclusion

Advanced Persistent Threat
“usually refers to a group with both the capability and the intent to persistently and effectively target a specific entity” - Wikipedia

Flash Player 0-days
4 SWF in PDF attacks
3 XSS attacks
4 SWF in Office document attacks

Flash Player 0-days – Alternative measurement

Advanced Persistent Response
The strategy necessary to inhibit or reduce a malicious entity or entities’ capabilities to repeatedly conduct attacks leveraging a specific platform or against a specific target.

Information Gathering

Know your adversary
Who are they?
Why are they upset?
Does it change over time?

CVE-2011-0609

CVE-2011-0611

yuange1975

Beware of false positives

Technical Analysis
Their sources?
Their targets?
Their skill?

Data Source Analysis
Series of attacks based on SWFs from flashandmath.com
Indicates the areas of code that are being attacked
Learn from mimicking their approach

Targets
Reports from government customers
Document-based spear phishing attacks
Most exploits are never widely deployed

Payload Analysis
Symantec studied payloads from 2006 -> 2011
Attacks grouped based on the malware installed (Sykipot)
Large command & control botnet
Mostly used zero-day attacks within several different products to install

Sykipot
“Thus, the Sykipot attackers are likely to be an organized and skilled group of individuals. Given their persistence and their long-running campaigns, the attackers are likely to have consistent funding for their efforts.”
- Symantec Blog, December 08, 2011

Changes in the field
A change in targets will require changes to security feature strategy
Exploit kits recently started using SWFs.
Exploit kits use attacks that are at least 2 months old

Effect of exploit kits

Everything is relative

Evolution of attacks
Attackers gain skill with practice
Hackers will utilize published research
Makes signature development more difficult

CVE-2009-1862
Simple bit flip of existing SWF from the web
A second SWF was used for the heap spray
Both SWFs were inside a PDF
Flash was a means to an end

2010 Improvements
Eventually moved to a single file approach
[Diagram: Parent SWF -> Initialization & Heap Spray -> Crashing Child SWF]

Trying new research

CVE-2011-2110
Dynamically passing obfuscated data
main.swf?info=02E6B1525353CAA8AD555555AD31B3D73034B657AA31B4B5AFB5B2B537AF55543549AEB550AC55303736B337AF51D35271B4B5AFB5B2B537AF55543549AEB550AC55303736B337AF51D3527B7AF4C66B7E
Targeting specific versions

```actionscript
// Decompiled version gate from the sample: the code after this check only runs
// on the three Windows Flash Player builds the exploit was written for.
if (Capabilities.version.toLowerCase() == "win 10,3,181,14"
    || Capabilities.version.toLowerCase() == "win 10,3,181,22"
    || Capabilities.version.toLowerCase() == "win 10,3,181,23") {
    // version-specific code follows (not shown on the slide)
```

Return oriented programming

Conversion to logic based attacks
CVE-2011-2107, CVE-2011-2444 & CVE-2012-0757 were XSS attacks
Required ActionScript programming knowledge
Trial & error methods used to identify vulnerabilities

Overall Advancements
2009
• Dumb fuzzing
• Brute force memory tricks
2010
• Modularizing code
• Experimenting with research techniques
2011
• Full language understanding
• ROP exploitation
• Bypassing mitigation strategies

Resourcing a response plan

All you need is…
More time
More money
More hardware
More people
More…

Balancing the load
Security teams should focus on larger, high value projects
Any developer should be able to fix a software crash

Training
Minimum security training level for everyone
Everyone within the Flash Runtime team has at least a white belt security certification
Brown belt projects allow the entire company to assist!

Adobe training results
[Bar chart: Zero Day Response Over Time, one bar per year 2008, 2009, 2010, 2011; y axis 0 to 60]

Make friends!
“It is easy enough to be friendly to one's friends. But to befriend the one who regards himself as your enemy is the quintessence of true religion. The other is mere business.”
― Mahatma Gandhi

Types of friends
Researchers
Business partners
Defensive software companies
Victims of attacks
Tool vendors

Planning a response strategy

Secure Product Lifecycle?

Goals
1. Increase the difficulty of exploitation.
2. Limit the window of opportunity for use.

Killing bugs
VS

Fuzzing at scale
Partnered with Google on FP fuzzing effort
2,000 CPUs
Corpus distillation of 2 TB of SWFs into 20,000 files (1 week)
3 weeks of fuzzing
Bit flipping approach
1 fuzzing guru (Tavis Ormandy)

“Patching at scale”
400 files distilled into 80 unique issues
Used fuzzers to reproduce and classify issues
Authored app to auto-file bugs
Created tiger team to address the issues
Majority of issues addressed within 60 days

Fuzzing results
[Pie chart of the 80 issues by !exploitable rating: Exploitable, Probably Exploitable, Unknown, Probably Not Exploitable; segment counts 5, 10, 6 and 59]

Alternative measurement
“This is completely unfair competition and unfair practices vis-a-vis other security researchers (or fuzzer enthus). …You guyz killed couple of my bugs.”
- TestFuzzer, August 16, 2011

Lessons learned
Bugs were spread across the entire code base
Eliminated some low hanging fruit
1 code change per 12,600 CPU hours (1.44 years)
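A triage helper of the kind the “Patching at scale” slide describes (bucket reproduced crashes into unique issues, rate each issue, auto-file one ticket per issue, hand the tiger team a priority order), plus the CPU-hours-per-change arithmetic behind the figure on this slide. This is an added example, not Adobe's or Google's tooling; the crash records, the stack-hash field and the ticket layout are constructed assumptions.

```python
"""Crash-triage helper: bucket fuzzer crashes into unique issues and rank them.

Constructed example; the crash records, stack hashes and ticket layout are
assumptions, not output of any real fuzzing run.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# !exploitable-style ratings as on the 'Fuzzing results' slide, most severe first.
RATINGS = ["Exploitable", "Probably Exploitable", "Unknown", "Probably Not Exploitable"]
SEVERITY = {name: rank for rank, name in enumerate(RATINGS)}


@dataclass(frozen=True)
class Crash:
    testcase: str    # fuzzer output file that reproduced the crash
    stack_hash: str  # hash of the top stack frames at the fault (assumed field)
    rating: str      # one of RATINGS


# Constructed sample: six crash files that reproduce, collapsing into three issues.
SAMPLE_CRASHES = [
    Crash("fuzz-0001.swf", "a1f3", "Probably Not Exploitable"),
    Crash("fuzz-0002.swf", "a1f3", "Probably Not Exploitable"),
    Crash("fuzz-0003.swf", "a1f3", "Unknown"),
    Crash("fuzz-0004.swf", "7c2e", "Exploitable"),
    Crash("fuzz-0005.swf", "7c2e", "Probably Exploitable"),
    Crash("fuzz-0006.swf", "d9b0", "Probably Not Exploitable"),
]


def bucket_crashes(crashes):
    """Group crashes by stack hash: one bucket is one 'unique issue' to file."""
    buckets = defaultdict(list)
    for crash in crashes:
        if crash.rating not in SEVERITY:
            raise ValueError(f"unknown rating {crash.rating!r} for {crash.testcase}")
        buckets[crash.stack_hash].append(crash)
    return dict(buckets)


def worst_rating(bucket):
    """Duplicates can disagree (different inputs, same bug); file at the worst rating."""
    return min((c.rating for c in bucket), key=SEVERITY.__getitem__)


def prioritize(buckets):
    """Order issues for the tiger team: most severe first, then most-hit first."""
    return sorted(buckets, key=lambda h: (SEVERITY[worst_rating(buckets[h])], -len(buckets[h])))


def summarize(crashes):
    """Counts in the form of the slide's 'N files distilled into M unique issues'."""
    buckets = bucket_crashes(crashes)
    by_rating = Counter(worst_rating(b) for b in buckets.values())
    return {"files": len(crashes), "unique_issues": len(buckets), "by_rating": dict(by_rating)}


def tickets(crashes):
    """One auto-filed ticket per bucket, listing every duplicate so none is re-triaged."""
    buckets = bucket_crashes(crashes)
    return [
        {
            "title": f"[{worst_rating(buckets[h])}] crash, stack {h}",
            "testcases": sorted(c.testcase for c in buckets[h]),
            "duplicates": len(buckets[h]) - 1,
        }
        for h in prioritize(buckets)
    ]


def cpu_hours_per_change(cpus, weeks, code_changes):
    """CPU hours of fuzzing consumed per resulting code change."""
    return cpus * weeks * 7 * 24 / code_changes


def cpu_years(cpu_hours):
    """Convert CPU hours to CPU years (365-day year)."""
    return cpu_hours / (365 * 24)


if __name__ == "__main__":
    print(summarize(SAMPLE_CRASHES))
    for ticket in tickets(SAMPLE_CRASHES):
        print(ticket)
    # The earlier slides' 2,000 CPUs, 3 weeks and 80 issues give the 12,600 CPU hours above.
    hours = cpu_hours_per_change(2000, 3, 80)
    print(f"{hours:,.0f} CPU hours per change = {cpu_years(hours):.2f} CPU years")
```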

Using fuzzing as hints
1 good dev == CPU years of fuzzing effort
Fuzzing can provide hints of where to focus code review.
Focus on code cleanup rather than bug fixing.

And, of course…
There is always one more to find…

Integrating security defenses

Holistic mitigations
Work smarter, not harder.
More effective at deterring attacks
Require experienced resources
Require longer periods of development time.

JavaScript blacklist
Improved updater
Reader X Sandbox
Dedicated team for over 1 year of effort
Additional engineers for misc. support
External consultants

Cause and effect
[Timeline chart marking the point where the Reader JavaScript blacklist was introduced, with PDF-only attacks and PDF w/ SWF attacks plotted]
PDF attacks switch from JS to SWF

Effect of sandboxing
[Timeline chart marking the Reader X sandbox launch, with these Flash Player issues plotted: CVE-2009-1862, CVE-2010-3654, CVE-2011-0611, CVE-2010-1297, CVE-2011-0609, CVE-2011-0627]

Sandboxing in Flash Player
Currently sandboxed in Chrome
Firefox currently in beta
Researching:
Chrome pepper sandbox
IE improvements

Other minor improvements
Safe unlinking in garbage collection
Random function alignment
Random NOP insertion
Constant folding*

Updating end-users

Update Goals
Work with AV and IDS vendors to create accurate signatures that will protect end-users until they get the patch (MAPP)
Reduce the time to update the majority of end-users to minimize the window of opportunity for the exploit

We have a background updater!!
New updater will allow us to do silent updates for zero-day patches
Updates both IE and open-source browsers
Complete technical details will be posted with the launch!

Handling response

Incident response strategies
Be prepared to triage duplicates, triplicates, quadruplicates, etc….
Set a response timeline goal
Have a regular update schedule
Be willing to shift launch dates
And have tools….

Adobe SWF Investigator
Open-source AIR application
View SWF tags, disassembly and binary
Test AMF services and check for XSS
Inspect LSOs and settings files
Execute the SWF in various contexts
Available TODAY!!!!!

Summary

Advanced Persistent Response
Understand your threats
Advanced, holistic security features are needed to ward off future threats
Need to utilize both internal and external resources to accomplish goals
Start early because the best defenses require time to develop

Looking ahead
Mac auto-updater
Improved IE Sandboxing
Yet more fuzzing

References
Security portal (customer & channel partners): http://adobe.com/security
Advisories and updates: http://www.adobe.com/support/security/
ASSET blog: http://blogs.adobe.com/asset
PSIRT blog: http://blogs.adobe.com/psirt
Documentation Wiki: http://learn.adobe.com/wiki/display/security/Home
Adobe Security on Twitter: @AdobeSecurity
Peleus Uhley on Twitter: @PeleusUhley