Yes, Now YOU Can Patch That Vulnerability Too!

Presented at DeepSec 2015 „DeepSec No. 9“, Nov. 19, 2015, 11:10 a.m. (50 minutes)

Software vulnerabilities are likely the biggest problem of information security, fueling a rapidly growing market for "0days", "1days" and exploits alike. It can be highly intellectually challenging to find a vulnerability and create an exploit for it, and super entertaining to reveal it all to the bug-hungry crowds (preferably along with a logo and a catchy name, courtesy of the marketing department). As a result, there's been a lot of innovation and progress on the offensive side of information security, and a corresponding defensive industry is thriving, providing quasi-solutions that can be bypassed by any motivated attacker.

But almost nothing has changed at the core of the problem: software vendors still produce critical vulnerabilities, aren't motivated to provide patches, and only a handful of them are capable of responding and delivering a security update when a 0day gets published. And then, when a vendor's security update is available, it takes weeks or months before it gets applied throughout a corporate network, as the risk of interrupting business processes requires testing and gradual deployment. (And do we need to mention that exploit kits tend to add exploits just a few days after official patches come out?)

Now, what if vendors didn't have a monopoly on patching their code because any vulnerability researcher could write a patch instead of (okay, in addition to) writing an exploit? And what if admins weren't afraid to apply the patches because patches could be applied instantly without relaunching applications or restarting the computer, and could also be instantly un-applied if they turned out to be causing problems? The technology for this exists, and will allow vulnerability researchers to not only research a vulnerability but also fix it with just a few well-chosen machine code instructions - and monetize their hard work in an unquestionably ethical way.

In this session, we will take apart a known vulnerability, determine its root cause and create a micropatch for it, which will then get applied to the vulnerable application while the application is running. We'll look at the tools needed for this and hopefully turn some of the exploit developers in the audience into patch creators.

Presenters:

  • Mitja Kolsek - ACROS d.o.o.
    Mitja Kolsek's last 15 years of infosec career comprise co-running a small security outfit which ran APT-like attack simulations before China was guilty of everything, using SQL injection before it had a name, and discovering vulnerability types which were previously unknown. In contrast to just finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he'd like to leave information security some day in a state where it'll be darn difficult to break into a typical network deploying standard and inexpensive security solutions.
