Kernel Kraker - Bromium Labs demonstrates inherent weaknesses of stacked up endpoint security technologies
(M2 PressWIRE Via Acquire Media NewsEdge) LONDON (UK) -- Bromium Labs will today be presenting research titled 'LOL (Layer on Layer) attacks', which shows how attacks can slice past multiple layers of security software in a single action, without detection.
The research will be made public for the first time at Infosecurity Europe and BSides London. In a talk at BSides, they will demonstrate how small adjustments to the recent public exploit of the EPATHOBJ Windows kernel vulnerability can be used to bypass virtually every security software product, rendering them ineffective. Application sandboxes, AV, HIPS, rootkit detectors, EMET and SMEP, even if stacked one upon another, can all systematically be disabled and/or bypassed, allowing the attacker not only to gain entry but also to remain undetected indefinitely.
The attack exploits a vulnerability in the Windows OS kernel. Once the attacker exploits the vulnerability, he gains system privileges, after which he can either disable or subtly cripple all other security technologies. After this step, the malware is free to run any malicious code on the compromised machine and to act as a launching pad for exploiting other machines on the network. The talk will be delivered by renowned security researcher Rafal Wojtczuk, Principal Security Architect of Bromium Labs.
Rahul Kashyap, Head of Security Research at Bromium, explains, "While many were aware of the discovery of the TDL4 rootkit rumoured to be using kernel exploit code at the end of last year, few paid it any serious attention. And that was a huge error of judgement. We discuss that such vulnerabilities can prove lethal to Enterprise security and likely go unnoticed for long periods of time. By simply 'tweaking' the exploit, we found we could bypass all the different layers of security software that an Enterprise might deploy on an end user machine."
The security industry has advocated that organisations take a layered, defence-in-depth approach. However, while this is a sound strategy in theory, many fail to understand the limitations of each layer, and that when those limitations align it is much easier for malware to target them and succeed.
Every product has a design exemption - the fundamental architectural limitation of the product. Almost all endpoint technologies, such as AV and host IPS, rely on the integrity of the kernel, and if that is compromised, an attacker can disable or selectively cripple them without detection. Similarly, application sandboxes are designed to contain exploits, but a kernel exploit can be crafted to bypass the sandbox entirely.
Rahul adds, "Each kernel exploit can be converted into a 'Swiss army knife' attack which could be delivered via a spear-phishing email carrying a malicious attachment, or as a second stage payload after exploiting a 'run-of-the-mill' Java or browser vulnerability. The attacker can then undetectably disable the security software and assume ownership of the machine. Our research shows that this is a very versatile vector for sophisticated attacks."
The Windows kernel has an attack surface of many millions of lines of code, with flaws being discovered frequently. It is inevitable that many more zero-day vulnerabilities exist.
As a matter of urgency, Bromium encourages all organisations to:
- Not rely solely on AV or similar technologies that require prior knowledge of a particular exploit before being able to defend against it
- Evaluate the entire stack - a layered defence is not enough if each layer has the same limitation
- Recognise that attackers will always try to exploit the Achilles heel of any system; in this case it is the OS kernel, so design a layered architecture that covers all aspects and types of threats
- Ensure that any security technology that isolates threats is able to reliably protect the integrity of the OS kernel. As demonstrated, application sandboxes are unable to protect the kernel
Kashyap concludes, "A layered approach is still the only way to protect organisations. It's vital when designing and architecting enterprise security that organisations are aware of fundamental technology limitations at each level, adding layers of protection that address these weaknesses, and in so doing make sure each layer counts. A robust endpoint technology, such as micro-virtualization, is needed to defend against such advanced attacks."
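The "evaluate the entire stack" recommendation above can be turned into a concrete threat-modelling check: record, for each defensive layer, the components whose integrity it depends on, and then look for a component that every layer shares. The following Python script is an added example written for this page, not code from Bromium or from the research being announced. The layer names and dependency sets (including modelling a micro-VM isolation layer as depending on the CPU and a hypervisor rather than the guest OS kernel, following the product description later on this page) are constructed assumptions for illustration, not claims about specific products.

```python
"""Trust-dependency analysis for an endpoint security stack (added example).

Each layer is mapped to the set of components it must trust to function.
The analysis finds 'shared limitations': components that appear in every
layer's trust base, so that compromising one of them defeats the whole
stack in a single action, and the smallest component sets that defeat
every layer.  All dependency sets below are constructed assumptions.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set

# Constructed model of a conventional host-based stack.  The point made on
# this page: AV, HIPS, sandboxes, EMET, SMEP and rootkit detectors all sit on
# (or inside) the OS kernel they are trying to protect.
CONVENTIONAL_STACK: Dict[str, FrozenSet[str]] = {
    "AV":                  frozenset({"os_kernel", "signature_db"}),
    "HIPS":                frozenset({"os_kernel"}),
    "application_sandbox": frozenset({"os_kernel"}),
    "EMET":                frozenset({"os_kernel", "user_mode_dll"}),
    "SMEP":                frozenset({"os_kernel", "cpu"}),
    "rootkit_detector":    frozenset({"os_kernel"}),
}


def shared_limitations(stack: Dict[str, FrozenSet[str]]) -> Set[str]:
    """Components present in EVERY layer's trust base: single points of failure."""
    if not stack:
        return set()
    deps = iter(stack.values())
    common = set(next(deps))
    for d in deps:
        common &= d
    return common


def layers_defeated_by(stack: Dict[str, FrozenSet[str]], compromised: Set[str]) -> List[str]:
    """Layers that can no longer be trusted once `compromised` is attacker-controlled."""
    return sorted(name for name, deps in stack.items() if deps & compromised)


def surviving_layers(stack: Dict[str, FrozenSet[str]], compromised: Set[str]) -> List[str]:
    """Layers whose trust base is untouched by `compromised`."""
    return sorted(name for name, deps in stack.items() if not (deps & compromised))


def minimal_compromise_sets(stack: Dict[str, FrozenSet[str]]) -> List[Set[str]]:
    """Smallest component sets whose compromise defeats every layer.

    Brute-force hitting set: fine for a stack with a handful of components.
    """
    universe = sorted(set().union(*stack.values()))
    for k in range(1, len(universe) + 1):
        hits = [set(c) for c in combinations(universe, k)
                if not surviving_layers(stack, set(c))]
        if hits:
            return hits
    return []


def add_layer(stack: Dict[str, FrozenSet[str]], name: str, deps: Iterable[str]) -> Dict[str, FrozenSet[str]]:
    """Return a copy of `stack` with one more layer added."""
    new = dict(stack)
    new[name] = frozenset(deps)
    return new


# Assumption: a hardware-isolation layer that trusts the CPU virtualization
# features and a hypervisor, but not the guest OS kernel it isolates.
HARDENED_STACK = add_layer(CONVENTIONAL_STACK, "micro_vm_isolation", {"cpu", "hypervisor"})


if __name__ == "__main__":
    for label, stack in (("conventional", CONVENTIONAL_STACK), ("hardened", HARDENED_STACK)):
        print(f"[{label}] shared limitation(s): {sorted(shared_limitations(stack)) or 'none'}")
        print(f"[{label}] kernel compromise leaves standing: "
              f"{surviving_layers(stack, {'os_kernel'}) or 'nothing'}")
        print(f"[{label}] minimal sets that defeat every layer: "
              f"{[sorted(s) for s in minimal_compromise_sets(stack)]}")
```

Run as a script, the conventional stack reports `os_kernel` as the single shared limitation and a one-component compromise set, which is the "limitations align" situation the page describes; the hardened stack has no shared component and requires the kernel plus either the CPU or the hypervisor to be compromised. The model is only as honest as its dependency sets: a hypervisor has its own attack surface, so the right use of this check is to make hidden shared assumptions explicit before choosing which layer to add next.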
Bromium will be presenting its research findings during the BSides London event, 29 April at Kensington and Chelsea Town Hall, London.
Follow Bromium on the Web at:
o Twitter (@bromium)
About Bromium Products
Bromium's enterprise security solutions are vSentry and LAVA (Live Attack Visualization & Analysis). vSentry uses Intel CPU features for virtualization and security to automatically hardware-isolate each user task that accesses the Internet or untrusted documents. Its architecture is designed to defeat advanced targeted attacks and automatically discard malware when the task is completed. In addition, LAVA automates live attack visualization and analysis - giving security analysts unparalleled insight into attacks when they occur.
Bromium is re-inventing enterprise security with its powerful new technology, micro-virtualization, which was designed to protect businesses from advanced malware, while simultaneously empowering users and delivering unmatched threat intelligence to IT. Unlike traditional security methods, which rely on complex and ineffective detection techniques, Bromium protects against malware from the Web, email or USB devices, by automatically isolating each user-task at the endpoint in a hardware-isolated micro-VM, preventing theft or damage to any enterprise resource. Bromium's technological innovations have earned the company numerous industry awards including being named as a CNBC Disruptor and a Gartner Cool Vendor for 2013. Bromium counts a rapidly growing set of Fortune 500 companies and government agencies as customers, including NYSE and BlackRock.
+44 (0)207 183 2834
(c) 2014 M2 COMMUNICATIONS