Security Basics mailing list archives

Re: How to prevent zero day attacks


From: Michał Purzyński <michal () rsbac org>
Date: Tue, 22 May 2012 23:22:45 +0200

If we're talking about some specific systems, enumerate them.

Windows - learn how to use EMET. Btw - I am aware of that "here's
another way to bypass EMET". Most, if not all of them are built on
a bad assumption - like, the process being attacked has full
Administrator/Local System privileges, with write access to debug
registers. If your MSSQL can do that - you already have a bigger
problem.
EMET is a nice tool (I don't hear it mentioned too often). Another neat
one is BinScope, which allows you to examine platform security
integration, such as ASLR and DEP.


Just make sure it will detect EMET-specific ASLR, which does differ from the platform one.

Do not trust defaults. Run services under separate accounts and give
them only what they need. Same goes for user applications, as someone
has pointed out already. Get some _kernel_-enforced software that can
whitelist binaries that can be run. Use built-in things in Windows,
like (parts of, at least) MAC and MIC (Mandatory Access Control and
Mandatory Integrity Control, if anyone wonders).
So much for "Secure Out of the Box".


It's secure as long as it stays in the box. Against remote attacks, not physical ;)

Linux - learn how to use PaX the right way. How to make your
executables into proper PIE. Learn some MAC system and use it - RSBAC,
for example. Or Grsec RBAC.
Don't hold your breath for --noexec-heap (unless it's a hardened
distribution). Checksec is a good tool to audit binaries for this.


Like I said. If you want to have full coverage, you need to recompile lots of binaries, libs, etc.

0-days aren't some kind of black magic that, if it's done to your
servers, will make them all turn into kitten-killing zombies. They are
ordinary exploits - made by people who know a lot more than you. Use
exploit mitigation techniques.
According to the Verizon Data Breach Report, most breaches are not 0-day,
which probably makes them closer to 90-day, 6-month-day, or
Forever-day.


Yeah, you are right - people do not patch their systems. And even if they do, who tests them later? Windows 
administrators - when was the last time you checked whether an MS security patch has really been applied and does not have a 
status of failed?

But hey, we're talking about 0-days here. So the first thing you should do is to build your threat model. If I can 
phone someone at your company and get all the necessary data, why would I bother with a 0-day in the first place?

After all, there's not much you can do on a Linux system with PaX, with
PIE binaries, NX + full ASLR enforced, with mprotect() restrictions.
Unless you have some information leak in the application _before_ it is
exploited, that's it.
ROP anyone? I understand a new iPhone break for iOS 5.1 will be out shortly ;)

http://www.redmondpie.com/jailbreak-5.1-untethered-successfully-completed-by-pod2g-on-iphone-4/


Good luck doing ROP on full ASLR (from PaX) without any information leak. What will you jump to? Wait for the night, 
turn off the lights, cover the windows so they don't leak any light from outside. You will pretty much feel like an exploit 
trying to do ROP on a full ASLR system.

The iPhone is a bad example, with most of the mitigations disabled or implemented poorly. No, there's definitely not full ASLR 
on the iPhone. Or any phone, for that matter.

Every time ROP has some success, it is because there was some little .dll or whatever loaded at the very same address, 
every time, for everyone. Or some kind of information leak. Or both.

Enforce it (you can do it on Windows and Linux). OS X Lion is said to have full ASLR, too. Btw - I'm talking about x64 
all the time.
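Two points in the message above are worth seeing in code: the advice to audit binaries with checksec for PIE and a non-executable stack, and the observation that ROP only works when some module is loaded at the same address every time or an information leak is available. The script below is an added example, not code from the original post or from the checksec project. It parses ELF64 little-endian headers with the standard library only and reports PIE (e_type is ET_DYN), NX (PT_GNU_STACK present without PF_X; a missing header is reported as NX off, since the legacy default for such binaries is an executable stack) and RELRO (PT_GNU_RELRO present). The sample images are constructed inline (headers only, no code) so it runs offline; pass real paths on the command line to audit actual binaries.

```python
"""Checksec-style ELF64 hardening audit (added example, not from the thread)."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS64, ELFDATA2LSB = 2, 1
ET_EXEC, ET_DYN = 2, 3
EM_X86_64 = 62
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4

EHDR_FMT = "<HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident (48 bytes)
PHDR_FMT = "<IIQQQQQQ"        # Elf64_Phdr (56 bytes)


def audit_elf64(data: bytes) -> dict:
    """Return {'pie', 'nx', 'relro'} for one ELF64 little-endian image."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELF64 little-endian images are handled")
    (e_type, _machine, _ver, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum, _shentsize, _shnum, _shstrndx) = \
        struct.unpack_from(EHDR_FMT, data, 16)
    nx, relro = False, False   # no PT_GNU_STACK -> legacy executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    # ET_DYN is what lets the kernel pick a random base; ET_EXEC is mapped
    # at the address baked into the headers, every run, for every user.
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def summarize(result: dict) -> str:
    """One-line verdict in the spirit of the thread: what can the exploit jump to?"""
    flags = " ".join(f"{k.upper()}={'yes' if v else 'no'}" for k, v in result.items())
    if not result["pie"]:
        return flags + "  (fixed address every run: ROP gadget source without an info leak)"
    if not result["nx"]:
        return flags + "  (executable stack: no ROP needed, plain shellcode works)"
    return flags + "  (ROP needs an information leak first)"


def build_sample(e_type: int, stack_flags, relro: bool) -> bytes:
    """Construct a headers-only ELF64 image for demonstration (not a real binary)."""
    phdrs = []
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, stack_flags))
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R))
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + b"\x00" * 8
    ehdr = e_ident + struct.pack(EHDR_FMT, e_type, EM_X86_64, 1, 0x1000,
                                 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


# Constructed sample images (assumption: these stand in for real binaries).
SAMPLES = {
    "hardened (PIE, NX, RELRO)": build_sample(ET_DYN, PF_R | PF_W, True),
    "non-PIE, NX, no RELRO":     build_sample(ET_EXEC, PF_R | PF_W, False),
    "legacy (no PT_GNU_STACK)":  build_sample(ET_EXEC, None, False),
    "PIE with exec stack":       build_sample(ET_DYN, PF_R | PF_W | PF_X, False),
}


def audit_path(path: str) -> dict:
    with open(path, "rb") as fh:
        return audit_elf64(fh.read())


if __name__ == "__main__":
    targets = {p: audit_path(p) for p in sys.argv[1:]} or \
              {name: audit_elf64(img) for name, img in SAMPLES.items()}
    for name, res in targets.items():
        print(f"{name:28s} {summarize(res)}")
```

Run it with no arguments to see the four constructed cases, or with `python audit.py /usr/bin/*` to audit a real system; anything reported as PIE=no is the "same address, every time, for everyone" module the message warns about, whether or not the rest of the system runs under PaX.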