Chaos Patching: Can’t Get Hacked If I Hack Myself

Presented at ShmooCon 2022 Rescheduled, March 24, 2022, 3 p.m. (30 minutes).

Defensive tools should always be judged on their effectiveness. But how should a tool be measured when true positives are difficult or rare to find? With the essence of chaos engineering in mind, we introduce Chaos Patching as a method to test our approach for stopping software supply chain attacks.

We inject custom code into compiled binaries using various automated binary patching techniques to simulate supply chain attacks. We employ this technique at random and mix up the types of attacks inserted to confirm our approach and run drills to increase our chances of pre-empting the next SolarWinds-style breach.


Presenters:

  • Andrew Hendela
    Andrew Hendela and Eric Lee have many years of experience solving hard problems for diverse topics including automated program analysis, vulnerability research, threat actor attribution, etc. Andrew has been leading and contributing to multiple cyber security projects for over a decade, ranging from automated malware reverse engineering to vulnerability research. The focus of Eric’s work has been on automated program analysis, and he competed as a member of the Deep Red team at DARPA’s Cyber Grand Challenge final event. Together, we started Karambit.AI to focus our technical expertise on addressing supply chain attacks.
  • Eric Lee
    Andrew Hendela and Eric Lee have many years of experience solving hard problems for diverse topics including automated program analysis, vulnerability research, threat actor attribution, etc. Andrew has been leading and contributing to multiple cyber security projects for over a decade, ranging from automated malware reverse engineering to vulnerability research. The focus of Eric’s work has been on automated program analysis, and he competed as a member of the Deep Red team at DARPA’s Cyber Grand Challenge final event. Together, we started Karambit.AI to focus our technical expertise on addressing supply chain attacks.

Similar Presentations: