Browsers, brokers and BIOS: you could safely call that triumvirate the past, present and future of security, but you’d be wrong.
If last week’s CanSecWest conference, and Pwn2Own and Pwnium contests are indeed a point-in-time snapshot of the technical side of information security, then after last week it’s a no-brainer all three merit more than a lackadaisical passing interest.
Researchers came to the Pwn2Own and Pwnium tables with an alarming rash of exploits for zero-day browser vulnerabilities. None was to be spared among the big four of Internet Explorer, Firefox, Chrome and Safari, each falling despite state-of-the-art mitigations and constant reminders about the threats posed by Web-based exploits and malware.
Experts also spent hours during the second day of CanSecWest painstakingly explaining detailed problems in device hardware, in particular how attackers can and will soon exploit weaknesses in bootloaders and machine BIOS in order to own systems. The controversy over the legitimacy of badBIOS did little to dissuade researchers from MITRE and Intel from coming to Vancouver and explaining how an attacker gaining access at this level of system architecture might as well take up permanent residency on a computer.
And then there are the brokers. While VUPEN founder and top boss Chaouki Bekrar may bristle at the notion of being labeled a broker, preferring instead “exploit vendor,” companies like his hover over events like this and over vulnerability research. Their presence is a reminder that high-level hacking is all about playing for keeps, and while $400,000 may be enough of a lure to burn some 0days on a public stage, imagine the deals cut behind closed doors.
On to the three B’s of CanSecWest and Pwn2Own:
Browsers: The greatest payoffs at Pwn2Own—aside from the $150,000 grand prize for Microsoft EMET bypasses—were for browser exploits. Vupen collected skins for zero-days in IE 11, Firefox and Chrome; it withdrew from a chance at a Safari takedown, but only after the Keen Team of China successfully bypassed the sandbox in the Apple browser. Browsers are hardened, but even with sandboxes and other mitigations in place, white hats are finding ways to sidestep those protections.
“Exploitation is harder. Finding zero-days in browsers is hard,” Bekrar said.
Researchers have to find one or more vulnerabilities and chain together exploits in order to beat the enhancements vendors have made; Bekrar said his team was able to find a Firefox zero-day, but only after running 60 million test cases through a fuzzer.
“That proves Firefox [Mozilla] has done a great job fixing flaws. The same for Chrome,” Bekrar said of the Google browser. “Chrome has the strongest sandbox; it’s even more difficult to create exploits for it.”
BIOS: Easily the headiest session track at CanSecWest, the threat to the boot-up process is real and it may be one area where researchers have a jump on attackers. What hackers covet, perhaps more than anything, is a persistent presence on a machine. Replacing a computer’s BIOS or Master Boot Record gives an attacker that nearly unbreakable grip on a computer.
Researchers from MITRE and Intel shared tales of sophisticated bootkits that execute before start-up and take advantage of signed checks built into the boot process to validate its presence and escalate all the way up to platform firmware. It’s a fatal infection, one that often lingers after BIOS is re-flashed.
There’s plenty more to come on this, but one thing is for certain: Sharpen your skills around this discipline and prepare for an investment in people who are adept at BIOS and firmware security research and forensics.
Brokers: A few years back, there was the No More Free Bugs movement, a grassroots cause that clamored for vendors to pay up for bugs. While this didn’t exactly spawn the market that gave us the VUPEN and Endgame Systems of the world, it did draw them out from the shadows. Bugs are big business and companies such as these develop six- and seven-figure exploits for the exclusive purview of their customers. Bekrar says his customers are NATO governments and that he would not sell to an oppressive regime. This is, however, the new normal.
“We were trying to convince vendors to put bounties in place and no one accepted this,” Bekrar said. “We moved to another model which is a paid subscription model; the aim for us is the same, protect our customers.”
“I believe our industry is now normal business,” Bekrar said. “Now a lot of companies, most in the U.S., are doing the same research as Vupen and selling to government customers. It’s become common and nothing surprising. Not one of our exploits has ever been discovered in the wild. All of our customers use exploits in a targeted way for specific national security missions.”
*CanSecWest image via leduardo‘s Flickr photostream