Security Basics mailing list archives
Re: How to prevent zero day attacks
From: Michał Purzyński <michal () rsbac org>
Date: Tue, 22 May 2012 23:22:45 +0200
>> If we're talking about some specific systems, enumerate them. Windows - learn how to use EMET. Btw - I am aware of that "here's another way to bypass EMET". Most, if not all of them are built on a bad assumption - like, the process being attacked has full Administrator/Local System privileges, with write access to debug registers. If your MSSQL can do that - you already have a bigger problem.

> EMET is a nice tool (I don't hear it mentioned too often). Another neat one is BinScope, which allows you to examine platform security integration, such as ASLR and DEP.

Just make sure it will detect EMET-specific ASLR that does differ from the platform one.
>> Do not trust defaults. Run services in separate accounts and give them only what they need. Same goes for user applications, as someone has pointed out already. Get some _kernel_ enforced software that can whitelist binaries that can be run. Use built-in things in Windows, like (parts of, at least) MAC and MIC (Mandatory Access Control and Mandatory Integrity Control, if anyone wonders).

> So much for "Secure Out of the Box".

It's secure till it stays in the box. Against remote attacks, not physical ;)
>> Linux - learn how to use PaX in the right way. How to make your executables into proper PIE. Learn some MAC system and use it - RSBAC, for example. Or Grsec RBAC.

> Don't hold your breath for --noexec-heap (unless it's a hardened distribution). Checksec is a good tool to audit binaries for this.

Like I said. If you want to have full cover, you need to recompile lots of binaries, libs, etc.
>> 0-days aren't some kind of black magic, that if it's done to your servers will make them all turn into kitten-killing zombies. They are ordinary exploits - made by people who know a lot more than you. Use exploit mitigation techniques.

> According to the Verizon Data Breach Report, most breaches are not 0-day, which probably makes them closer to 90-day, 6-month-day, or Forever-day.

Yeah, you are right - people do not patch their systems. And even if they do, who tests them later? Windows administrators - when was the last time you checked whether an MS security patch has really been applied and does not have the status "failed"? But hey, we're talking about 0-days here. So the first thing you should do is to build your threat model. If I can phone someone at your company and get all the necessary data, why would I bother with a 0-day in the first place?
>> After all, there's not much you can do on a Linux system with PaX, with PIE binaries, NX + full ASLR enforced, with mprotect() restrictions. Unless you have some information leak in the application _before_ it is exploited, that's it.

> ROP anyone? I understand a new iPhone break for iOS 5.1 will be out shortly ;) http://www.redmondpie.com/jailbreak-5.1-untethered-successfully-completed-by-pod2g-on-iphone-4/

Good luck doing ROP on full ASLR (from PaX) without any information leak. What will you jump to? Wait for the night, turn off the lights, cover the windows so they don't leak any light from outside. You will pretty much feel like an exploit trying to do ROP on a full ASLR system. iPhone is a bad example, with most of the mitigations disabled or implemented poorly. No, there's definitely not full ASLR on iPhone. Or any phone for that matter. Every time ROP has some success, it is because there was some little .dll or whatever loaded at the very same address, every time, for everyone. Or some kind of information leak. Or both of them. Enforce it (you can do it on Windows and Linux). OS X Lion is said to have full ASLR, too. Btw - I'm talking about x64 all the time.