Do-It-Yourself Patching: Writing Your Own Micropatch (closed)

Presented at DeepSec 2016 „Ten“, Unknown date/time (Unknown duration).

The current state of updating software - be it operating systems, applications or appliances - is arguably much better than it was a decade ago, but apparently not nearly good enough to keep even the most critical systems patched in a timely manner - or at all. Official vendor updates are cumbersome, costly to apply, even more costly to revert and prone to breaking things as they replace entire chunks of a product. Enterprises are therefore left with extensive and expensive testing of such updates before they dare to apply them in production, which gives attackers an endless supply of "n-day" vulnerabilities with published exploit code. Furthermore, for various entirely rational reasons, many organizations are using products with no security updates, such as old Java runtimes, Windows XP, or expensive industry systems that still work perfectly well but are no longer supported by their vendor.

Fortunately, there is a better way to approach vulnerability patching, one that not only minimizes the risk, hassle and costs, but also allows 3rd parties with no access to source code to write a patch. It's called micropatching, and it injects or replaces tiny fractions of machine code within the memory of a running process to patch a vulnerability. (Or, why not, a functional defect in your unsupported application.)

This two-day workshop will teach you how to create a 3rd party "unofficial" micropatch for various known vulnerabilities in popular Windows software. We will start with a proof-of-concept document that triggers a vulnerability, determine the type of vulnerability (buffer overflow, use-after-free, format string…), find its root cause, and finally create a micropatch for it, which we'll apply using the 0patch Agent. You will learn how to approach patching of different types of security flaws, how to find a suitable patching location, and how to test a micropatch.
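The abstract describes a micropatch as a few replaced bytes of machine code, applied to a running process and removable again. The following added example (not the workshop's material and not the 0patch Agent's code or patch format) models the bookkeeping such a patch needs before it may touch anything: it is tied to one exact build of a module, it verifies the bytes it expects at the patch offset, it keeps the replacement the same length so no other code shifts, and it can be reverted. The code fragment, the module name `vuln.dll` and the off-by-one bounds check it "fixes" (`jbe` changed to `jb`) are all constructed for the example.

```python
"""Model of a micropatch descriptor: what a patch verifies before it swaps a
few instruction bytes in a module image, and how it is reverted. Constructed
example; not the 0patch Agent's code or patch format."""
import hashlib
from dataclasses import dataclass


class PatchError(Exception):
    """Raised when a patch does not fit the module it is applied to."""


@dataclass(frozen=True)
class Micropatch:
    module: str          # name of the module the patch targets
    module_sha256: str   # hash of the exact build the patch was written for
    offset: int          # offset of the instruction bytes to replace
    original: bytes      # bytes expected at offset (guards against another build)
    replacement: bytes   # same length as original, so nothing else shifts


def _check_fit(image: bytes, patch: Micropatch, expected: bytes) -> int:
    """Return the end offset after verifying `expected` sits at patch.offset."""
    end = patch.offset + len(expected)
    if end > len(image):
        raise PatchError(f"{patch.module}: offset {patch.offset:#x} out of range")
    if bytes(image[patch.offset:end]) != expected:
        raise PatchError(f"{patch.module}: bytes at {patch.offset:#x} differ from expected")
    return end


def apply_micropatch(image: bytes, patch: Micropatch) -> bytes:
    """Apply the patch only if the image is the build it was written for."""
    if len(patch.original) != len(patch.replacement):
        raise PatchError("replacement must be the same length as the original bytes")
    if hashlib.sha256(bytes(image)).hexdigest() != patch.module_sha256:
        raise PatchError(f"{patch.module}: hash mismatch, patch written for a different build")
    end = _check_fit(image, patch, patch.original)
    patched = bytearray(image)
    patched[patch.offset:end] = patch.replacement
    return bytes(patched)


def revert_micropatch(image: bytes, patch: Micropatch) -> bytes:
    """Restore the original bytes; valid only if the patch is currently present."""
    end = _check_fit(image, patch, patch.replacement)
    reverted = bytearray(image)
    reverted[patch.offset:end] = patch.original
    return bytes(reverted)


def patch_applies(image: bytes, patch: Micropatch) -> bool:
    """True if the patch fits this image, False if any precondition fails."""
    try:
        apply_micropatch(image, patch)
        return True
    except PatchError:
        return False


# Constructed x86 fragment standing in for a bounds check: "cmp eax, ecx ; jbe ok"
# lets an index equal to the length through (off-by-one).
SAMPLE_IMAGE = bytes.fromhex(
    "55 8b ec"        # push ebp; mov ebp, esp
    "3b c1"           # cmp eax, ecx
    "76 05"           # jbe +5   <- the flaw: should be jb (0x72)
    "b8 ff ff ff ff"  # mov eax, -1
    "5d c3"           # pop ebp; ret
)
# A hypothetical other build of the same function (one extra nop shifts the
# code), for which the patch must refuse to apply.
OTHER_BUILD = SAMPLE_IMAGE[:3] + b"\x90" + SAMPLE_IMAGE[3:]

SAMPLE_PATCH = Micropatch(
    module="vuln.dll",  # placeholder module name, not a real product
    module_sha256=hashlib.sha256(SAMPLE_IMAGE).hexdigest(),
    offset=5,
    original=b"\x76",     # jbe
    replacement=b"\x72",  # jb: reject index == length
)

if __name__ == "__main__":
    patched = apply_micropatch(SAMPLE_IMAGE, SAMPLE_PATCH)
    print("patched byte:", hex(patched[SAMPLE_PATCH.offset]))
    print("revert restores original:", revert_micropatch(patched, SAMPLE_PATCH) == SAMPLE_IMAGE)
    print("applies to other build:", patch_applies(OTHER_BUILD, SAMPLE_PATCH))
```

The hash and expected-bytes checks are the part worth copying: a one-byte patch applied at the same offset of a different build silently corrupts an unrelated instruction, so a patch that cannot prove it is looking at the build it was written for must refuse to apply rather than guess.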
Attendees should have experience with reading assembly language (ideally also reverse engineering) and have their own Windows laptops with the following software installed:

- Microsoft WinDbg 32bit version x.y.z (to be defined before the workshop)
- Adobe Reader DC version x.y.z (to be defined before the workshop)
- Foxit Reader version x.y.z (to be defined before the workshop)
- 0patch Agent for Windows version x.y.z (to be defined before the workshop)
- 0patch Factory version x.y.z (to be defined before the workshop)

But also do come if you happen to have a nasty functional defect in your expensive custom application that would cost you an arm and a leg to update. This workshop is suitable for security researchers, who will learn how to write micropatches for vulnerabilities they find, as well as for software vendors who want to avoid the costly process of rebuilding, retesting and redeploying their product every time someone finds a vulnerability in it that could be fixed with a few machine instructions.

Presenters:

  • Mitja Kolsek - ACROS d.o.o.
    Mitja's last 15 years of career comprises co-leading a small security outfit which ran APT-like attack simulations before China was guilty of everything, using SQL injection before it had a name, and discovering vulnerability types which were previously unknown. In addition to finding and exploiting vulnerabilities, his next 15 years will be augmented by fixing them. Most of all he'd like to leave information security some day in a state where it'll be seriously difficult to break into a typical network deploying standard and inexpensive security solutions.
