Attacker Math

Posted 06-Apr-2018 (upload: newvpupkin)

TRANSCRIPT

  • 8/3/2019 Attacker Math

    1/47

    Attacker Math 101
    Professor Dai Zovi
    Institute for the Advancement of Memory Corruption

    2/47

    What is this all about?

    Thinking like an attacker
    Modeling their choices
    Predicting future behavior
    Making better defense decisions

    3/47

    Attacker Math

    If the cost to attack is less than the value of your information to the attacker, you will be attacked

    Mass malware must be financially profitable for the profit-driven attackers

    APT campaigns must scale according to the resources at the attacker's disposal

    4/47

    Attack Graphs

    Informal tool to visualize and analyze how to attack a system (software, network, etc)

    Nodes represent levels of access/positions or actions to perform

    Nodes can be weighted with a cost, calculated in terms of capital, skill, risk, opportunity, or time/effort required

    Actors can be modeled in similar terms

    5/47

    Adversary Modeling

    Different groups/types of attackers have different intents, capabilities, strategies, and tactics

    Most organizations are not concerned with all of them

    Mass malware
    APT
    ZFO / Anonymous / LulzSec
    Stuxnet

    6/47

    Conjecture

    Attackers will take the least cost path through an attack graph from their start node to their goal node, where:

    Cost is a multi-variable equation
    Start nodes represent some level of access or position
    Goal nodes represent a consequence that is good for attacker, bad for defender

    7/47

    Mass Malware

    [Figure: attack graph with three nodes, Internet Access → ??? → Profit]

    8/47

    [Figure: mass malware attack graph from Internet Access to Profit. Nodes, roughly from start to goal: Internet Access; Mass compromise and infect; Malicious Ads; SEO; Malicious HTML/JS; Drive-by Download; Social Engineering; Installations; Banking Creds; Stolen CC#; Stolen PII; Profit]

    9/47

    [Figure: browser attack graph for Chrome 10, IE 8/9 and FF 4. Start node: Malicious HTML/JS Execution.
    Chrome 10: WebKit Vulnerability → ASLR Bypass, DEP Bypass → Sandboxed Low Integrity Native Code Execution
    IE 8/9: IE Vulnerability → ASLR Bypass, DEP Bypass → Low Integrity Native Code Execution
    FF 4: Firefox Vulnerability → ASLR Bypass, DEP Bypass → Medium Integrity Native Code Execution]

    10/47

    [Figure: the same browser attack graph as slide 9, with a Java Vulnerability node added as a direct path from Malicious HTML/JS Execution to Medium Integrity Native Code Execution]

    11/47

    [Figure: attack graph from sandboxed code execution to privileged persistence. Nodes: Sandboxed Low Integrity Native Code Execution; Sandbox escape; Low Integrity Native Code Execution; Integrity Escalation; Medium Integrity Native Code Execution (User RCE); Local Privilege Escalation; High Integrity Native Code Execution (Admin, Privileged RCE); M-H Integrity Escalation; Install Rootkit; Privileged Host Persistence]

    12/47

    [Figure: the same graph as slide 11, with a Kernel exploit node added as a path from unprivileged native code execution to privileged native code execution]

    13/47

    Attacker Math

    Cost(Medium Integrity RCE) = Min(
        .10 * (WebKit vuln + ASLR/DEP + Sandbox),
        .60 * (IE vuln + ASLR/DEP + IE PM),
        .20 * (FF vuln + ASLR/DEP),
        .95 * (Flash vuln + ASLR/DEP + IE PM),
        .75 * (Java vuln))
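    The least-cost-path conjecture (slide 6) and the Min(...) form on slide 13 can be run as code. The following is an added example, not code from the slides: it builds a small weighted attack graph using the deck's node names, finds the attacker's cheapest path with Dijkstra, decomposes the cost per first hop the way slide 13 does, then shows what happens when a cheap Java path is added (slide 15) and when one step in a chain is made costlier (slide 38). Every edge cost is an assumed illustrative effort unit, not a measurement.

```python
"""Least-cost path through a weighted attack graph (slides 4, 6, 13, 15, 38).

Added example, not code from the slides. Node names follow the deck's
browser attack graphs; every edge cost is an assumed illustrative number
in relative effort units, not a measured value.
"""
import heapq
import math
from collections import defaultdict

START = "Malicious HTML/JS Execution"
GOAL = "Medium Integrity Native Code Execution"


def baseline_edges():
    """Edges (src, dst, cost) for the slide-9 style graph. All costs assumed."""
    return [
        # Chrome: vuln + ASLR/DEP bypass lands inside the sandbox; escaping costs extra
        (START, "Chrome: WebKit vuln", 40),
        ("Chrome: WebKit vuln", "Chrome: ASLR/DEP bypass", 30),
        ("Chrome: ASLR/DEP bypass", "Sandboxed Low Integrity NCE", 0),
        ("Sandboxed Low Integrity NCE", "Chrome: sandbox escape", 60),
        ("Chrome: sandbox escape", GOAL, 0),
        # IE: vuln + ASLR/DEP bypass lands at Low Integrity; Protected Mode escape needed
        (START, "IE: IE vuln", 40),
        ("IE: IE vuln", "IE: ASLR/DEP bypass", 30),
        ("IE: ASLR/DEP bypass", "Low Integrity NCE", 0),
        ("Low Integrity NCE", "IE: Protected Mode escape", 25),
        ("IE: Protected Mode escape", GOAL, 0),
        # Firefox: no sandbox, so vuln + ASLR/DEP bypass reaches the goal directly
        (START, "Firefox: Firefox vuln", 40),
        ("Firefox: Firefox vuln", "Firefox: ASLR/DEP bypass", 30),
        ("Firefox: ASLR/DEP bypass", GOAL, 0),
    ]


def java_edges():
    """Slide 10's extra node: a Java vuln needing no mitigation bypass (cost assumed)."""
    return [(START, "Java vuln", 35), ("Java vuln", GOAL, 0)]


def least_cost_path(edges, start, goal):
    """Dijkstra: return (cost, [nodes]) of the cheapest start->goal path, or (inf, [])."""
    graph = defaultdict(list)
    for src, dst, cost in edges:
        if cost < 0:
            raise ValueError("edge costs must be non-negative")
        graph[src].append((dst, cost))
    best = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best.get(node, math.inf):
            continue  # stale heap entry
        if node == goal:
            path = [node]
            while path[-1] in prev:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        for nxt, weight in graph[node]:
            new_cost = cost + weight
            if new_cost < best.get(nxt, math.inf):
                best[nxt] = new_cost
                prev[nxt] = node
                heapq.heappush(heap, (new_cost, nxt))
    return math.inf, []


def chain_costs(edges, start, goal):
    """Slide 13's Min(...) form: cheapest total cost through each first hop out of start."""
    first_hops = [(dst, cost) for src, dst, cost in edges if src == start]
    return {hop: cost + least_cost_path(edges, hop, goal)[0] for hop, cost in first_hops}


def path_cost(edges, path):
    """Cost of walking a fixed path (cheapest edge if src->dst is listed twice)."""
    table = {}
    for src, dst, cost in edges:
        table[(src, dst)] = min(cost, table.get((src, dst), math.inf))
    return sum(table[(a, b)] for a, b in zip(path, path[1:]))


def raise_cost(edges, src, dst, extra):
    """Model a mitigation: make one step costlier by `extra` (slide 38's linear increase)."""
    return [(s, d, c + extra if (s, d) == (src, dst) else c) for s, d, c in edges]


if __name__ == "__main__":
    cost, path = least_cost_path(baseline_edges(), START, GOAL)
    print("baseline:", cost, " -> ".join(path))
    print("per-chain:", chain_costs(baseline_edges(), START, GOAL))
    print("with Java:", least_cost_path(baseline_edges() + java_edges(), START, GOAL))
    hardened = raise_cost(baseline_edges(), "Firefox: Firefox vuln", "Firefox: ASLR/DEP bypass", 50)
    print("Firefox chain after hardening:", path_cost(hardened, path))
    print("attacker's new choice:", least_cost_path(hardened, START, GOAL))
```

    With these assumed costs the Firefox chain is cheapest because it has no sandbox step; adding the Java edge makes Java the chosen path without touching any browser chain, and raising one Firefox step by 50 raises that chain by exactly 50, so the attacker simply moves to the next cheapest chain rather than giving up.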

    14/47

    Exploits are Hard

    Mass malware wants to go from injected content to installations at the least cost

    If drive-by downloads become unprofitable, they will increasingly shift to social engineering (self-signed applets, rogue AV, etc)

    If no one published exploits, they would just repurpose exploits captured from targeted attacks (they are already doing this)

    15/47

    Lessons

    Exploiting Java is the cheapest path to Medium Integrity Native Code Execution or User-privileged Remote Command Execution

    Therefore, attackers will prefer exploiting Java over browser vulnerabilities

    Exploiting the kernel is the cheapest path from Unprivileged Native Code Execution to Privileged Code/Command Execution

    Therefore, attackers will deploy kernel exploits before sandbox evasions (and already have)

    16/47

    JailbreakMe 2.0

    17/47

    iOS 4.0 Runtime Security Features

    Mandatory Code Signing
    All executables must be signed by Apple or a provisioned code signing certificate

    Code Signing Enforcement
    All executable memory pages must have a valid signature

    Runtime sandbox
    The actions that the app may perform are restricted by the kernel at runtime

    18/47

    [Figure: JailbreakMe 2.0 attack graph. MobileSafari HTML → Memory corruption vulnerability → Return-oriented execution → Code signing enforcement bypass → Unprivileged native code execution → Sandbox evasion, Mandatory code signing evasion → Privilege Escalation → Privileged native code execution]

    19/47

    [Figure: the same JailbreakMe 2.0 attack graph as slide 18, with a Kernel exploit node added on the path from unprivileged native code execution to privileged native code execution]

    20/47

    Response

    Apple released iOS 4.0.1 to patch vulnerabilities within 2 weeks

    Speed of response discourages similar 0day jailbreaks; JB community shifted focus back to boot ROM exploits

    Press and users largely celebrated the release of the jailbreak

    What would the response have been if the same techniques were branded as an exploit (bad) rather than jailbreak (good)?

    Jailbreak was quickly adapted into a PoC rootkit by Eric Monti

    21/47

    Lessons

    Jailbreak developers' use of exploits mimics malicious attackers

    They are resource constrained, just like defenders
    Desire maximum return on investment for their exploits

    Deploy exploits strategically
    Preservation of SHAtter in favor of Limera1n exploit

    Choose target attack surfaces for maximum return
    Boot ROM (unpatchable) vs. iOS (quickly patchable)

    22/47

    Conjecture

    The level of security offered by a path through an attack graph is measured by the cost required for an attacker to traverse it

    Measuring the precise cost of a path requires spending exactly that amount to traverse it

    However, we can estimate or bound costs of some subpaths by proxy or observation

    23/47

    Observable Cost Measurements

    Fuzzing statistics
    Fuzzing stats measure cost to find a crash in a particular product

    Bug bounties
    Anonymous ZDI submissions measure cost to find a vulnerability in that product
    Pwn2Own measures cost to develop an exploit against that product

    24/47

    Lies, Damn Lies, and Fuzzing Statistics

    25/47

    Charlie Miller's Fuzzing Stats

    Dumb fuzzing
    12-25% of unique crashes deemed exploitable
    33-50% of unique crashes deemed exploitable or probably exploitable

    Miller, Charlie. "Babysitting an Army of Monkeys: An Analysis of Fuzzing 4 Products with 5 Lines of Python". CanSecWest 2010.
    http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
    26/47

    Meditate On These Numbers

    300 file format parsers
    1,000,000 fuzz iterations
    1600 unique bugs
    200-800 likely exploitable vulnerabilities

    Withers, Stephen. Fuzzing Detected 1600 Office 2010 bugs During Development, ITWire, July 15, 2010.
    http://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-development
    27/47

    Bugs as natural resources

    Don't just count quantity of bugs, measure the drilling depth required to extract them

    Can they be refined (exploited) using current technology and processes?

    Estimate size of discovered fields
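    The percentages on slides 25 and 26 come from collapsing raw crashes into unique bugs and classifying each one, and slide 27 asks for the cost of extracting them. The following added example (not code from the slides, and not Miller's tooling) parses a constructed crash log, deduplicates crashes by stack hash keeping the worst classification, produces the counts the deck quotes, turns a unique-bug count into a slide-26 style exploitable range, and converts fuzzing iterations into a per-bug "drilling cost". The log format, hashes, class names and all numbers are assumed.

```python
"""Crash triage arithmetic behind the fuzzing statistics on slides 25-27.

Added example, not code from the slides or from Charlie Miller's work.
The log below is constructed: one line per crash, with a stack hash from
the debugger and an exploitability class in the style of a crash-triage
tool. Hash values, class names and costs are illustrative assumptions.
"""
import re

# Most to least severe; a hash seen with several classes keeps its worst one.
SEVERITY = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

SAMPLE_LOG = """\
# constructed sample, not real fuzzer output
crash-0001 hash=a1b2c3 class=EXPLOITABLE
crash-0002 hash=d4e5f6 class=PROBABLY_NOT_EXPLOITABLE
crash-0003 hash=a1b2c3 class=PROBABLY_EXPLOITABLE
crash-0004 hash=0f1e2d class=UNKNOWN
crash-0005 hash=9a8b7c class=PROBABLY_EXPLOITABLE
crash-0006 hash=d4e5f6 class=PROBABLY_NOT_EXPLOITABLE
crash-0007 hash=5566aa class=EXPLOITABLE
crash-0008 hash=0f1e2d class=PROBABLY_EXPLOITABLE
crash-0009 hash=bbccdd class=UNKNOWN
crash-0010 hash=9a8b7c class=PROBABLY_EXPLOITABLE
"""

LINE_RE = re.compile(r"^(?P<case>\S+)\s+hash=(?P<hash>\w+)\s+class=(?P<cls>\w+)\s*$")


def parse_crash_log(text):
    """Return a list of (case, hash, class) per crash line; blank and '#' lines are skipped."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m["cls"] not in SEVERITY:
            raise ValueError(f"line {lineno}: unparseable crash record: {line!r}")
        records.append((m["case"], m["hash"], m["cls"]))
    return records


def unique_crashes(records):
    """Collapse raw crashes to unique bugs by stack hash, keeping the worst class seen."""
    worst = {}
    for _case, h, cls in records:
        if h not in worst or SEVERITY.index(cls) < SEVERITY.index(worst[h]):
            worst[h] = cls
    return worst


def summarize(text):
    """The counts the deck quotes: raw crashes, unique bugs, and unique bugs per class."""
    records = parse_crash_log(text)
    uniques = unique_crashes(records)
    summary = {"crashes": len(records), "unique": len(uniques)}
    for cls in SEVERITY:
        summary[cls.lower()] = sum(1 for c in uniques.values() if c == cls)
    return summary


def estimate_exploitable(unique_bugs, low_rate, high_rate):
    """Slide-26 style range: unique bugs times a band of exploitability rates."""
    if not 0 <= low_rate <= high_rate <= 1:
        raise ValueError("rates must satisfy 0 <= low <= high <= 1")
    return round(unique_bugs * low_rate), round(unique_bugs * high_rate)


def cost_per_exploitable_bug(iterations, seconds_per_iteration, cost_per_hour, exploitable):
    """Slide 27's 'drilling depth': compute spend divided by exploitable bugs found."""
    if exploitable <= 0:
        raise ValueError("no exploitable bugs: cost per bug is unbounded")
    hours = iterations * seconds_per_iteration / 3600
    return hours * cost_per_hour / exploitable


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(estimate_exploitable(1600, 0.125, 0.5))
    print(cost_per_exploitable_bug(1_000_000, 0.36, 0.10, 2))
```

    Deduplication matters for the deck's point: the raw crash count overstates the size of the "field", and keeping the worst classification per hash is the conservative choice for a defender estimating what an attacker can refine. 1600 unique bugs at 12.5% to 50% gives the 200-800 range slide 26 quotes.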

    28/47

    Theorem

    Cost to discover a vulnerability in a particular product is less than the sum of a claimed bug bounty for that type of vulnerability plus the value of credit to that particular researcher

    Cost(Vuln) < Bounty + Credit

    29/47

    Your credit is no good here

    The value of credit to different researchers is variable, so let's remove it from the equation:

    Cost(Vuln) < Bounty

    30/47

    ZDI/iDefense Anonymous Submissions

    No exploit is required, just a verifiable security vulnerability in a product significant enough that ZDI would care to pay for the bug

    ZDI bounties paid are confidential, but we will assume that they are less than Pwn2Own

    So we don't actually get Cost(Vuln), just the products for which:

    Cost(Vuln) < ZDI bounty (< Pwn2Own prize)

    31/47

    [Image slide, no transcribed text]

    32/47

    Anonymous ZDI Advisories in 2011

    HP Client Automation/Radia (ZDI-11-105), Cisco Secure Desktop (ZDI-11-092, ZDI-11-091)
    Microsoft PowerPoint (ZDI-11-125, ZDI-11-124, ZDI-11-123), Excel (ZDI-11-043, ZDI-11-042, ZDI-11-041, ZDI-11-040)
    WebKit (ZDI-11-104, ZDI-11-101, ZDI-11-097)
    Adobe Flash (ZDI-11-081), Shockwave (ZDI-11-079), Reader (ZDI-11-075)

    33/47

    Corollary

    The cost to discover and reliably exploit a vulnerability in a particular product is less than the sum of a claimed Pwn2Own prize for that product, the value of the laptop, and the value of fame to that researcher

    Cost(Exploit) < Pwn2Own prize + Laptop + Fame

    34/47

    [Figure: Pwn2Own browser attack graph for Chrome 9, IE 8, FF 3 and Safari 5. Start node: Malicious HTML/JS Execution.
    Chrome 9: WebKit Vulnerability → ASLR Bypass, DEP Bypass → Sandboxed Low Integrity Native Code Execution → Chrome Sandbox Escape or Windows Kernel Exploit → Medium Integrity Native Code Execution
    IE 8: IE Vulnerability → ASLR Bypass, DEP Bypass → Low Integrity Native Code Execution → IE PM Escape or File write access → Medium Integrity Native Code Execution
    FF 3: Firefox Vulnerability → ASLR Bypass, DEP Bypass → Medium Integrity Native Code Execution
    Safari 5: WebKit Vulnerability → 64-bit NX Bypass → Native Code Execution]

    35/47

    [Figure: same graph as slide 34 (build slide)]

    36/47

    [Figure: same graph as slide 34 (build slide)]

    37/47

    [Image slide, no transcribed text]

    38/47

    Lessons

    Requiring evasion of mitigations or exploitation of additional vulnerabilities in the chain increases time to develop a full exploit linearly

    And therefore, it also increases the cost to develop such an exploit linearly

    39/47

    Hypothetical: Browser Exploit Powerball

    Once a year, public bounty is posted for reliable enough exploits against dominant desktop configurations

    Must gain enough privs to accomplish attacker objectives

    Prices gradually increase until first winning submission is received for a particular target
    Incentivizes submitting as early as possible

    Contestants MUST sign NDA on disclosing participation and submission; vulnerability is reported to vendor anonymously
    Forcibly removes credit and fame from the equation

    40/47

    Armchair APT Analysis

    41/47

    Conjecture

    APT attacks must scale according to resources at the attackers' disposal

    Aurora campaign wasn't just against Google, or only 34 targets, but apparently against thousands of organizations (Reuters)

    42/47

    Cloppert's APT Kill Chain Model

    Recon
    Vulnerability weaponization
    Exploit delivery
    Host exploitation
    Host persistence
    Command and control
    Actions on Objectives

    43/47

    Does it Scale?

    Phase                  Does it scale
    Recon                  NOT SO MUCH
    Weaponization          HELL YES
    Exploit delivery       HELL YES
    Host exploitation      HELL YES
    Host persistence       HELL YES
    Command and control    HELL YES
    Actions on Objectives  NOT AT ALL

    44/47

    [Image slide, no transcribed text]

    45/47

    Lessons

    Focusing defensive countermeasures on the cheapest (for the attacker) phases of the attack is not as effective as focusing on the expensive

    If your defense is cheaper than their offense, you will gain the advantage

    46/47

    Conclusion

    Think like an attacker to predict what they will do and how they will attack you

    Model your understanding of their intent, capabilities, and constraints

    Adjust your threat model based on new information on attackers and their capabilities
    e.g. Anonymous pre- and post-Gawker

    47/47

    Questions?

    @dinodaizovi / [email protected]
    http://blog.trailofbits.com