Guest Editorial by Dave Aitel
The story of modern computer security can never be told -- it's the story of the unknown. Right now, most people treat vulnerabilities as a constant stream of one-offs. In many real ways, the entire CVE database is the tip of an iceberg.
In Singapore at the boutique SyScan conference, Immunity had two speakers: Justine Aitel, our CEO, gave the keynote, “The IPO of 0day” (.pdf) and Nicolas Waisman gave a talk on “Understanding and Bypassing Windows Heap Protection” (.pdf).
Yes, that last slide of Justine's talk is Vista recovering from a remote kernel 0day (no exploit is perfect!). This may surprise you, given the recent PR from Microsoft. The reason Windows Vista appears to have such a good security track record is that a vulnerability in Vista is not something you would give up. The iceberg is more underwater than it used to be.
Also in her talk are our internal statistics for how long 0day lasts. These weren't cross-site scripting 0days, in case you're curious. I don't know of another organization ever having gone public with these sorts of numbers, but certainly they won't seem out of place to any even moderately skilled hacker.
But Justine's talk is not all statistics and screenshots. The focus of the talk is on how a CSO can reorganize their business focus to protect against the unknown. The first step is hiring a team of people that can find and write their own 0days. If you don't have a team that can do that, you're floating blind in arctic waters, relying on what security vendors tell you. This is the industry that brought us anti-virus software and network IDS. They like to make up their own definitions for 0day based on whatever technology they're trying to sell so they can say they prevent it.
I half expect to see "0day IDS Protection System" being sold next to Airborne "Designed by a teacher!" cold pills in the hippie grocery store next door.
A few years ago, I was at Gcon in Mexico City, and I saw Nico give a talk on exploiting a heap overflow in GDB by constructing a malicious binary. Anyone so good at heap overflows that they do them for fun was someone we had to have on the team. Heap overflows are hard and only getting harder.
These days modern heap libraries include protections such as heap cookies, designed to make heap overflows unexploitable. Nico's SyScan talk is about the tools and techniques you can use to get reliable exploits out of places people assumed would be protected. The strategic point is that by writing a custom technique for each program you are exploiting, you defeat the built-in protections.
You can protect against Nico's heap techniques by making your heap non-deterministic, for example, by randomizing your allocations between two heap areas.
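To make the two mitigations mentioned above concrete, here is an added toy allocator in C. It is not code from either talk or from Immunity; the allocator, its header layout and the names (`toy_malloc`, `toy_free`, `chunk_hdr`) are constructed for illustration. It models a per-chunk cookie derived from a process-wide secret plus the chunk's size and address, checked before the header is trusted on free, and non-deterministic placement by picking one of two arenas at random for each request. `rand()` stands in for the OS CSPRNG a real allocator would use, and freed memory is never reused (it is a bump allocator), so only the two mitigations are on display.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy allocator, constructed for illustration (hypothetical names).
 * Two mitigations are modelled:
 *  1. a per-chunk cookie = secret ^ f(size) ^ address, verified at free;
 *  2. each request lands in one of two arenas chosen at random, so
 *     consecutive requests need not be adjacent in memory.
 * Bump allocation only: freed memory is never reused. */

#define ARENA_SIZE (64 * 1024)
#define ALIGN 16

typedef struct {
    uint32_t size;   /* bytes requested by the caller */
    uint32_t arena;  /* index of the arena the chunk lives in */
    uint64_t cookie; /* must equal expected_cookie() at free time */
} chunk_hdr;

static uint64_t g_arenas[2][ARENA_SIZE / sizeof(uint64_t)];
static size_t   g_used[2];
static uint64_t g_secret;
static int      g_inited;

static void toy_init(void) {
    if (g_inited) return;
    /* rand() stands in for the OS CSPRNG a real allocator would use;
     * the address term picks up whatever ASLR entropy the process has. */
    g_secret = ((uint64_t)rand() << 32) ^ (uint64_t)rand()
             ^ (uint64_t)(uintptr_t)&g_inited;
    g_inited = 1;
}

static uint64_t expected_cookie(const chunk_hdr *h) {
    return g_secret ^ ((uint64_t)h->size << 1) ^ (uint64_t)(uintptr_t)h;
}

void *toy_malloc(size_t n) {
    toy_init();
    if (n == 0 || n > ARENA_SIZE / 2) return NULL;
    size_t total = (sizeof(chunk_hdr) + n + ALIGN - 1) & ~(size_t)(ALIGN - 1);
    int a = rand() & 1;                          /* random arena choice */
    if (g_used[a] + total > ARENA_SIZE) a ^= 1;  /* fall back to the other */
    if (g_used[a] + total > ARENA_SIZE) return NULL;
    chunk_hdr *h = (chunk_hdr *)((unsigned char *)g_arenas[a] + g_used[a]);
    g_used[a] += total;
    h->size   = (uint32_t)n;
    h->arena  = (uint32_t)a;
    h->cookie = expected_cookie(h);
    return h + 1;
}

/* Returns 0 on a clean free, -1 if the header fails validation. */
int toy_free(void *p) {
    if (p == NULL) return 0;
    chunk_hdr *h = (chunk_hdr *)p - 1;
    if (h->cookie != expected_cookie(h) || h->arena > 1) {
        fprintf(stderr, "toy_free: header corruption detected at %p\n", p);
        return -1;
    }
    memset(h, 0, sizeof *h);  /* no reuse; just scrub the header */
    return 0;
}

/* Normal use: header intact, free succeeds (returns 0). */
int demo_clean_free(void) {
    char *p = toy_malloc(32);
    if (p == NULL) return -99;
    memset(p, 'A', 32);
    return toy_free(p);
}

/* Constructed header corruption (as an overflow from the preceding chunk
 * would cause): the size field changes, the stored cookie no longer
 * matches the recomputed one, and the free is refused (returns -1). */
int demo_tampered_free(void) {
    char *p = toy_malloc(32);
    if (p == NULL) return -99;
    chunk_hdr *h = (chunk_hdr *)p - 1;
    h->size += 64;
    return toy_free(p);
}

/* Non-determinism: a run of small requests ends up in both arenas (returns 1). */
int demo_uses_both_arenas(void) {
    size_t before0 = g_used[0], before1 = g_used[1];
    for (int i = 0; i < 64; i++) {
        if (toy_malloc(8) == NULL) return 0;
    }
    return (g_used[0] > before0 && g_used[1] > before1) ? 1 : 0;
}

int main(void) {
    printf("clean free:    %d\n", demo_clean_free());
    printf("tampered free: %d\n", demo_tampered_free());
    printf("both arenas:   %d\n", demo_uses_both_arenas());
    return 0;
}
```

The cookie check only helps if the secret is unknown to whoever is writing past a buffer, which is why it is seeded per process rather than compiled in; the arena split is the minimal form of the "randomize between two heap areas" idea, and a real allocator would randomize much more than a single bit.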
Perhaps Immunity will patent that to preserve the exploitability of Longhorn. Then again, perhaps we don't have to. :>
* Dave Aitel is the CTO of Immunity, Inc., responsible for research and development for the CANVAS exploitation system.