8/3/2019 Attacker Math
1/47
Attacker Math 101Professor Dai Zovi
Institute for the Advancement ofMemory Corruption
8/3/2019 Attacker Math
2/47
What is this all
about?
Thinking like an attackerModeling their choices
Predicting future behaviorMaking better defense decisions
8/3/2019 Attacker Math
3/47
Attacker MathIf the cost to attack is less than the valueof your information to the attacker, you
will be attacked
Mass malware must be financiallyprofitable for the profit-driven
attackersAPT campaigns must scale according tothe resources at the attackers disposal
8/3/2019 Attacker Math
4/47
Attack GraphsInformal tool to visualize and analyze howto attack a system (software, network, etc)
Nodes represent levels of access/positionsor actions to perform
Nodes can be weighted with a cost,
calculated in terms of capital, skill, risk,opportunity, or time/effort required
Actors can be modeled in similar terms
8/3/2019 Attacker Math
5/47
Adversary
ModelingDifferent groups/types of attackers have differentintents, capabilities, strategies, and tactics
Most organizations are not concerned with all ofthem
Mass malware
APTZFO / Anonymous / LulzSec
Stuxnet
8/3/2019 Attacker Math
6/47
ConjectureAttackers will take the least cost paththrough an attack graph from their start
node to their goal node, where:Cost is a multi-variable equation
Start nodes represent some level of
access or positionGoal nodes represent a consequence thatis good for attacker, bad for defender
8/3/2019 Attacker Math
7/47
??? ProfitInternet
Access
Mass Malware
8/3/2019 Attacker Math
8/47
BankingCreds
StolenCC#
StolenPII
MaliciousHTML/JS
Masscompromiseand infect
MaliciousAds
SEO
ProfitInternetAccess
Drive-byDownload
SocialEngineering
Installations
8/3/2019 Attacker Math
9/47
Malicious
HTML/JSExecution
SandboxedLow
IntegrityNative CodeExecution
MediumIntegrityNativeCode
Execution
LowIntegrity
NativeCode
Execution
Chrome 10
IE 8/9
FF 4 FirefoxVulnerability
WebKitVulnerability
ASLRBypass DEPBypass
IEVulnerability ASLRBypass DEPBypass
ASLRBypass
DEPBypass
8/3/2019 Attacker Math
10/47
Malicious
HTML/JSExecution
SandboxedLow
IntegrityNative CodeExecution
MediumIntegrityNativeCode
Execution
LowIntegrity
NativeCode
Execution
Chrome 10
IE 8/9
FF 4 FirefoxVulnerability
WebKitVulnerability
ASLRBypass DEPBypass
IEVulnerability ASLRBypass DEPBypass
ASLRBypass
DEPBypass
JavaVulnerability
8/3/2019 Attacker Math
11/47
Sandboxed
Low
Integrity
Native Code
Execution
Sandboxescape
Local
Privilege
Escalation
Admin
User
RCE
Medium
Integrity
Native
Code
Execution
High
Integrity
Privileged
RCE
Install
Rootkit
Privileged
Host
Persistence
M-H
Integrity
Escalation
Low
Integrity
Native Code
Execution
Integrity
Escalation
8/3/2019 Attacker Math
12/47
Sandboxed
Low
Integrity
Native Code
Execution
Sandboxescape
Local
Privilege
Escalation
Admin
User
RCE
Medium
Integrity
Native
Code
Execution
High
Integrity
Privileged
RCE
Install
Rootkit
Privileged
Host
Persistence
M-H
Integrity
Escalation
Low
Integrity
Native Code
Execution
Integrity
Escalation
Kernel
exploit
8/3/2019 Attacker Math
13/47
Attacker Math
Cost(Medium Integrity RCE) = Min(
.10 * (WebKit vuln + ASLR/DEP + Sandbox),
.60 * (IE vuln + ASLR/DEP + IE PM),
.20 * (FF vuln + ASLR/DEP),
.95 * (Flash vuln + ASLR/DEP + IE PM),
.75 * (Java vuln))
8/3/2019 Attacker Math
14/47
Exploits are Hard
Mass malware wants to go from injectedcontent to installations at the least cost
If drive-by downloads become unprofitable,they will increasingly shift to socialengineering (self-signed applets, rogue AV, etc)
If no one published exploits, they would justrepurpose exploits captured from targetedattacks (they are already doing this)
8/3/2019 Attacker Math
15/47
LessonsExploiting Java is the cheapest path to MediumIntegrity Native Code Execution or User-privilegedRemote Command Execution
Therefore, attackers will prefer exploiting Javaover browser vulnerabilities
Exploiting the kernel is the cheapest path from
Unprivileged Native Code Execution to PrivilegedCode/Command Execution
Therefore, attackers will deploy kernel exploitsbefore sandbox evasions (and already have)
8/3/2019 Attacker Math
16/47
JailbreakMe 2.0
8/3/2019 Attacker Math
17/47
iOS 4.0 Runtime
Securit FeaturesMandatory Code SigningAll executables must be signed by Apple or a
provisioned code signing certificateCode Signing Enforcement
All executable memory pages must have a validsignature
Runtime sandbox
The actions that the app may perform are restrictedby the kernel at runtime
8/3/2019 Attacker Math
18/47
MobileSafariHTML
Memory
corruptionvulnerability
Return-
orientedexecution
Code signing
enforcementbypass
Unprivileged
native codeexecution
Sandboxevasion
Mandatory
code signingevasion
PrivilegeEscalation
Privilegednative
codeexecution
8/3/2019 Attacker Math
19/47
MobileSafariHTML
Memory
corruptionvulnerability
Return-
orientedexecution
Code signing
enforcementbypass
Unprivileged
native codeexecution
Sandboxevasion
Mandatory
code signingevasion
PrivilegeEscalation
Privilegednative
codeexecution
Kernel
exploit
8/3/2019 Attacker Math
20/47
ResponseApple released iOS 4.0.1 to patch vulnerabilities within 2weeks
Speed of response discourages similar 0day jailbreaksJB community shifted focus back to boot ROM exploits
Press and users largely celebrated the release of the jailbreak
What would the response have been if the same techniques
were branded as an exploit (bad) rather than jailbreak(good) ?
Jailbreak was quickly adapted into a PoC rootkit by EricMonti
8/3/2019 Attacker Math
21/47
LessonsJailbreak developers use of exploits mimics maliciousattackers
They are resource constrained, just like defendersDesire maximum return on investment for their exploits
Deploy exploits strategically
Preservation of SHAtter in favor of Limera1nexploit
Choose target attack surfaces for maximum return
Boot ROM (unpatchable) vs. iOS (quickly patchable)
8/3/2019 Attacker Math
22/47
Conjecture
The level of security offered by a paththrough an attack graph is measured by the
cost required for an attacker to traverse it
Measuring the precise cost of a pathrequires spending exactly that amount to
traverse itHowever, we can estimate or bound costsof some subpaths by proxy or observation
8/3/2019 Attacker Math
23/47
Observable Cost
MeasurementsFuzzing statisticsFuzzing stats measure cost to find a crashin a particular product
Bug bounties
Anonymous ZDI submissions measure costto find a vulnerability in that product
Pwn2Own measures cost to develop anexploit against that product
8/3/2019 Attacker Math
24/47
Lies, Damn Lies, and FuzzingStatistics
8/3/2019 Attacker Math
25/47
Charlie Millers
Fuzzing StatsDumb fuzzing
12-25% of uniquecrashes deemedexploitable
33-50% of unique
crashes deemedexploitable orprobablyex loitable
Miller, Charlie. "Babysitting an Army of Monkeys: An Analysis of Fuzzing 4 Products with 5 Lines of Python". CanSecWest 2010.
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt
http://securityevaluators.com/files/slides/cmiller_CSW_2010.ppthttp://securityevaluators.com/files/slides/cmiller_CSW_2010.ppthttp://securityevaluators.com/files/slides/cmiller_CSW_2010.ppthttp://securityevaluators.com/files/slides/cmiller_CSW_2010.ppt8/3/2019 Attacker Math
26/47
Meditate On These
Numbers300 file formatparsers
1,000,000 fuzziterations
1600 unique bugs
200-800 likelyexploitablevulnerabilities
Withers, Stephen. Fuzzing Detected 1600 Office 2010 bugs During Development, ITWire, July 15, 2010.
http://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-development
http://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-developmenthttp://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-developmenthttp://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-developmenthttp://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-developmenthttp://www.itwire.com/business-it-news/security/40430-fuzzing-detected-1600-office-2010-bugs-during-development8/3/2019 Attacker Math
27/47
Bugs as natural
resourcesDon't just count quantity of bugs,
measure the drilling depth requiredto extract them
Can they be refined (exploited) using
current technology and processes?Estimate size of discovered fields
8/3/2019 Attacker Math
28/47
Theorem
Cost to discover a vulnerability in aparticular product is less than the sum of aclaimed bug bounty for that type ofvulnerability plus the value of credit to thatparticular researcher
Cost(Vuln)
8/3/2019 Attacker Math
29/47
Your credit is no
good here
The value of credit to differentresearchers is variable, so letsremove it from the equation:
Cost(Vuln)
8/3/2019 Attacker Math
30/47
ZDI/iDefense
Anonymous SubmissionsNo exploit is required, just a verifiablesecurity vulnerability in a product
significant enough that ZDI would care topay for the bug
ZDI bounties paid are confidential, but wewill assume that they are less than Pwn2Own
So we dont actually get Cost(Vuln), just theproducts for which:Cost(Vuln)
8/3/2019 Attacker Math
31/47
8/3/2019 Attacker Math
32/47
Anonymous ZDI
Advisories in 2011HP Client Automation/Radia (ZDI-11-105),Cisco Secure Desktop (ZDI-11-092, ZDI-11-091)
Microsoft PowerPoint (ZDI-11-125, ZDI-11-124,ZDI-11-123), Excel (ZDI-11-043, ZDI-11-042,ZDI-11-041, ZDI-11-040)
WebKit (ZDI-11-104, ZDI-11-101, ZDI-11-097)Adobe Flash (ZDI-11-081), Shockwave(ZDI-11-079), Reader (ZDI-11-075)
8/3/2019 Attacker Math
33/47
CorollaryThe cost to discover and reliably exploit avulnerability in a particular product is less than thesum of a claimed Pwn2Own prize for that product,
the value of the laptop, and the value of fame to thatresearcher
Cost(Exploit)
8/3/2019 Attacker Math
34/47
MaliciousHTML/JSExecution
Sandboxed
LowIntegrityNative CodeExecution
MediumIntegrityNativeCode
Execution
LowIntegrityNativeCode
Execution
Chrome 9
IE 8
FF 3
Safari 5
FirefoxVulnerability
WebKitVulnerability
ASLRBypass
DEPBypass
IE
Vulnerability
ASLR
Bypass
DEPBypass
ASLRBypass
DEPBypass
ChromeSandboxEscape
WindowsKernelExploit
IE PMEscape
File writeaccess
WebKitVulnerability
64-bit NX
Bypass
Native
CodeExecution
8/3/2019 Attacker Math
35/47
MaliciousHTML/JSExecution
Sandboxed
LowIntegrityNative CodeExecution
MediumIntegrityNativeCode
Execution
LowIntegrityNativeCode
Execution
Chrome 9
IE 8
FF 3
Safari 5
FirefoxVulnerability
WebKitVulnerability
ASLRBypass
DEPBypass
IE
Vulnerability
ASLR
Bypass
DEPBypass
ASLRBypass
DEPBypass
ChromeSandboxEscape
WindowsKernelExploit
IE PMEscape
File writeaccess
WebKitVulnerability
64-bit NX
Bypass
Native
CodeExecution
8/3/2019 Attacker Math
36/47
MaliciousHTML/JSExecution
Sandboxed
LowIntegrityNative CodeExecution
MediumIntegrityNativeCode
Execution
LowIntegrityNativeCode
Execution
Chrome 9
IE 8
FF 3
Safari 5
FirefoxVulnerability
WebKitVulnerability
ASLRBypass
DEPBypass
IE
Vulnerability
ASLR
Bypass
DEPBypass
ASLRBypass
DEPBypass
ChromeSandboxEscape
WindowsKernelExploit
IE PMEscape
File writeaccess
WebKitVulnerability
64-bit NX
Bypass
Native
CodeExecution
8/3/2019 Attacker Math
37/47
8/3/2019 Attacker Math
38/47
Lessons
Requiring evasion of mitigations or
exploitation of additionalvulnerabilities in the chain increasestime to develop a full exploit linearly
And therefore, it also increases thecost to develop such an exploitlinearly
8/3/2019 Attacker Math
39/47
Hypothetical: Browser
Ex loit PowerballOnce a year, public bounty is posted for reliable enoughexploits against dominant desktop configurations
Must gain enough privs to accomplish attacker objectivesPrices gradually increase until first winning submission isreceived for a particular target
Incentivizes submitting as early as possible
Contestants MUST sign NDA on disclosing participation andsubmission, vulnerability is reported to vendor anonymously
Forcibly removes credit and fame from the equation
8/3/2019 Attacker Math
40/47
Armchair APT
Anal sis
8/3/2019 Attacker Math
41/47
Conjecture
APT attacks must scale according
to resources at the attackers disposalAurora campaign wasnt justagainst Google, or only 34
targets, but apparently againstthousands of organizations(Reuters)
8/3/2019 Attacker Math
42/47
Cloppert's APT Kill
Chain ModelRecon
Vulnerability weaponization
Exploit delivery
Host exploitation
Host persistenceCommand and control
Actions on Objectives
8/3/2019 Attacker Math
43/47
Does it Scale?
Phase Does it scaleReconWea onizationEx loit deliverHost ex loitation
Host ersistenceCommand and controlActions on Ob ectives
NOT SO MUCHHELL YESHELL YESHELL YES
HELL YESHELL YESNOT AT ALL
8/3/2019 Attacker Math
44/47
8/3/2019 Attacker Math
45/47
Lessons
Focusing defensive countermeasures
on the cheapest (for the attacker)phases of the attack is not aseffective as focusing on theexpensive
If your defense is cheaper than theiroffense, you will gain the advantage
8/3/2019 Attacker Math
46/47
Conclusion
Think like an attacker to predict whatthey will do and how they will attack you
Model your understanding of theirintent, capabilities, and constraints
Adjust your threat model based on new
information on attackers and theircapabilities
i.e. Anonymous pre- and post-Gawker
8/3/2019 Attacker Math
47/47
Questions?
@dinodaizovi / [email protected]
htt ://blog.trailofbits.com
mailto:[email protected]:[email protected]Top Related