Advanced Persistent Response - CanSecWest

Advanced Persistent Response P l Peleus Uhl Uhley | Pl Platform tf S Security it St Strategist t i t

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

Outline 

Background



Analyzing threat



Finding resources



Planning a response



Tool release



Conclusion

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

2

Advanced Persistent Threat

“usually refers to a group with both the p y and the intent to p persistently y and capability effectively target a specific entity” - Wikipedia

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

3

Flash Player 0-days

4 SWF in PDF attacks 4 SWF in Office document attacks 3 XSS attacks

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

4

Flash Player 0-days – Alternative measurement

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

5

Advanced Persistent Response

The strategy necessary to inhibit or reduce a y or entities’ capabilities p to malicious entity repeatedly conduct attacks leveraging a p p platform or against g a specific p target. g specific

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

6

Information Gathering

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

7

Know your adversary 

Who are they?



Why are they upset?



Does it change over time?

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

8

CVE-2011-0609

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

9

CVE-2011-0611

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

10

yuange1975

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

11

Beware of false positives

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

12

Technical Analysis 

Their sources?



Their targets?



Their skill?

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

13

Data Source Analysis 

Series of attacks based on SWFs from flashandmath.com



Indicates the areas of code that are being attacked



Learn from mimicking their approach

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

14

Targets 

Reports from government customers



Document based spear Document-based phishing attacks



Most exploits are never widely deployed

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

15

Payload Analysis 

Symantec studied payloads from 2006 -> 2011



Attacks grouped based on the malware installed (Sykipot)



L Large command d & control t l botnet b t t



Mostly used zero-day attacks within several different products to install

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

16

Sykipot

“Thus, the Sykipot attackers are likely to be an g and skilled g group p of individuals. organized Given their persistence and their long-running p g , the attackers are likely y to have campaigns, consistent funding for their efforts.” - Symantec Blog, December 08, 2011

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

17

Changes in the field 

A change in targets will require changes to security feature strategy



Exploit kits recently started using SWFs.



Exploit E l it kit kits use attacks tt k that th t are att least l t 2 months th old

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

18

Effect of exploit kits

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

19

Everything is relative

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

20

Evolution of attacks 

Attackers gain skill with practice



Hackers will utilize published research



Makes signature development more difficult

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

21

CVE-2009-1862 

Simple bit flip of existing SWF from the web



A second SWF was used for the heap spray



Both SWFs were inside a PDF



Flash was a means to an end

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

22

2010 Improvements 

Eventually moved to a single file approach Parent SWF

Initialization & Heap Spray

Crashing Child SWF

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

23

Trying new research

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

24

CVE-2011-2110 

Dynamically passing obfuscated data main.swf?info=02E6B1525353CAA8AD555555AD31B3D73034B657AA3 1B4B5AFB5B2B537AF55543549AEB550AC55303736B337AF51D3527 B7AF4C66B7E



Targeting specific versions if ((((((Capabilities.version.toLowerCase() == "win 10,3,181,14")) || ((Capabilities version toLowerCase() == "win ((Capabilities.version.toLowerCase() win 10 10,3,181,22 3 181 22")))) )))) || ((Capabilities.version.toLowerCase() == "win 10,3,181,23")))){



Return orientated programming

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

25

Conversion to logic based attacks 

CVE-2011-2107, CVE-2011-2444 & CVE-2012-0757 were XSS attacks



Required ActionScript programming knowledge



Trial & error methods used to identify vulnerabilities

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

26

Overall Advancements

2009 2010 2011

• Dumb fuzzing • Brute force memory tricks

• Modularizing code • Experimenting with research techniques • Full language understanding • ROP exploitation • Bypassing mitigation strategies

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

27

Resourcing a response plan

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

28

All you need is… 

More time



More money



More hardware



More people



More…

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

29

Balancing the load 

Security teams should focus on larger, high value projects



Any developer should be able to fix a software crash

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

30

Training 

Minimum security training level for everyone



Everyone within the Flash Runtime team has at least a white belt security certification



B Brown belt b lt projects j t allow ll th the entire ti company to assist!

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

31

Adobe training results Zero Day Response Over Time 60

50

40

Zero Day Response p Over Time

30

20

10

0 2008

2009

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

2010

2011 32

Make friends!

“It is easy enough to be friendly to one's friends. But to befriend the one who regards himself as your enemy is the quintessence of true religion The other is mere religion. business.” ― Mahatma Gandhi

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

33

Types of friends 

Researchers



Business partners



Defensive software companies



Victims of attacks



Tool vendors

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

34

Planning a response strategy

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

35

Secure Product Lifecycle?

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

36

Goals

1.

Increase the difficultly y of exploitation. p

2.

Limit the window of opportunity for use.

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

37

Killing bugs

VS

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

38

Fuzzing at scale 

Partnered with Google on FP fuzzing effort



2,000 CPUs



Corpus distillation of 2 TB of SWFs into 20,000 files (1 week)



3 weeks of fuzzing



Bit flipping fli i approach h



1 fuzzing guru (Tavis Ormandy)

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

39

“Patching at scale” 

400 files distilled into 80 unique issues



Used fuzzers to reproduce and classify issues



Authored app to auto-file bugs



Created tiger team to address the issues



Majority of issues addressed within 60 days

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

40

Fuzzing results

!exploitable 5

6

10 Exploitable Probably Exploitable Unknown Probably Not Exploitable

59

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

41

Alternative measurement

“This is completely unfair competition and unfair practices vis vis-a-vis a vis other security researchers (or fuzzer enthus). … You guyz killed couple of my bugs. bugs ” - TestFuzzer, TestFuzzer August 16 16, 2011

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

42

Lessons learned 

Bugs were spread across the entire code base



Eliminated some low hanging fruit



1 code change per 12,600 CPU hours (1.44 years)

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

43

Using fuzzing as hints 

1 good dev == CPU years of fuzzing effort



Fuzzing can provide hints of where to focus code review.



F Focus on code d cleanup l rather th th than b bug fi fixing. i

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

44

And, of course…

There is always one more to find… © 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

45

Integrating security defenses

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

46

Holistic mitagations 

Work smarter, not harder.



More effective at deterring attacks



Require experienced resources



Require q longer g p periods of development p time.

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

47

Standard White Background Bullet Slide 

JavaScript blacklist



Improved updater



Reader X Sandbox 

Dedicated team for over 1 year of effort



Additional engineers for misc. support



External consultants

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

48

Cause and effect

Reader JavaScript blacklist introduced

PDF O l attack PDF-Only tt k PDF w/ SWF attack

PDF attacks switch from JS to SWF

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

49

Effect of sandboxing

Reader X sandbox launched

CVE20091862

CVE20103654

CVE20101297

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

CVE20110611

CVE20110609

50

CVE20110627

Sandboxing in Flash Player 

Currently sandboxed in Chrome



Firefox currently in beta



Researching: 

Chrome pepper sandbox



IE improvements

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

51

Other minor improvements 

Safe unlinking in garbage collection



Random function alignment



Random NOP insertion



Constant folding*

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

52

Other minor improvements 

Safe unlinking in garbage collection



Random function alignment



Random NOP insertion



Constant folding*

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

53

Updating end-users

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

54

Update Goals 

Work with AV and IDS vendors to create accurate signatures that will protect end-users until they get the patch (MAPP)



Reduce the time to update the majority of end-users to minimize the window of opportunity for the exploit

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

55

We have a background updater!!

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.



New updater will allow us to do silent updates for zero-day patches



Updates both IE and opensource browsers



Complete technical details will be posted with the launch!

56

Handling response

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

57

Incident response strategies 

Be prepared to triage duplicates, triplicates, quadruplicates, etc….



Set a response timeline goal



Have a regular update schedule



Be willing to shift launch dates



A dh And have ttools…. l

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

58

Adobe SWF Investigator 

Open-source AIR application



View SWF tags, disassembly and binary



Test AMF services and check for XSS



Inspect LSOs and settings files



Execute the SWF in various contexts



Available TODAY!!!!!

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

59

Summary

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

60

Advanced Persistent Response 

Understand your threats



Advanced, holisitic security features are needed to ward off future threats



Need to utilize both internal and external resources to accomplish goals



Start early because the best defenses require time to develop

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

61

Looking ahead 

Mac auto-updater



Improved IE Sandboxing



Yet more fuzzing 

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

62

References



Security portal: (customer & channel partners) http://adobe.com/security



Advisories and updates: http://www.adobe.com/support/security/



ASSET blog: http://blogs.adobe.com/asset



PSIRT blog: http://blogs.adobe.com/psirt



Documentation Wiki: http://learn.adobe.com/wiki/display/security/Home



Adobe Security on Twitter: @AdobeSecurity



Peleus Uhley on Twitter: @PeleusUhley

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.

63

© 2012 Adobe Systems Incorporated. All Rights Reserved. Adobe Confidential.