Adam Duby - Moving Target Defense Evasive Maneuvers in Cyberspace

wrong with chiil right so do everybody have fun yeah have you learned something new today did you need a new friend today excellent that's what I like to hear uh so our next presenter uh is Mr Adam dby uh he's going to have a couple of really cool giveaways so make sure you pay attention to his talk he may need some triv questions that's really going to make you listen to his talk and and do the right thing and answer those questions give cool gifts so ladies and gentlemen please join me welcoming Mr Adam

doie thanks Doug thanks for the uh warm reception um so this talk is going to be about moving dark Target defense um and I'm going to focus the talk because it's a short one we get about 25 minutes on applications in software and binary diversifications in order to evade threats a little bit about me I'm instructor and course manager for nor University's online Bachelor of Science and cyber secur um I also have a lot of research inter interests Focus around moving Target defensive operations um but at the end of the day I'm just some guy so I'm going to try and formalize a case for moving Target defense what it is and the motivation behind it I'll

talk about endpoints uh tactics briefly cover strategy and the resistance in the community to moving Target defense I have to cover some brief definitions before I go into my um formal proof here so attack patterns I Define them into two uh two charact two types of attacks right we have opportunistic attacks that are scalable you cast a y net against a wide range of victim set the probability that each individual victim is compromised as low but the aggregate sum is relatively High then there's targeted attacks that require some sort of intimate knowledge of the target this often incurs a higher cost so let me formalize a threat agent uh there's a lot of threat models

out there but across all the threat models I've seen two common things that a threat is funded and resourced and is sufficiently motivated to conduct attack to begin with therefore we can uh summarize a threat as a function of a capability and intent and it's the sufficiently motivated piece that drives moving Target defense as a defensive strategy so Target so attacks are motivated by some sort of gain there's a profit there's something to be uh gained by launching the attack attack also incurs a cost I'll say uh C subn is the cost for each attack um n in general right the gain has to uh be greater than the cast of the attack the attack otherwise what's

the point that's basic economics however when we talk about attack persistence how many times is you are you going to repeatedly be attacked to achieve that same gain you can look at what I'm calling the persistence variable P so the number of attacks will continue P will continue to increase as long as this inequality holds true then there's also this uh security design principle called adequate protection which essentially states that your cost of your defense in terms of Manpower maintenance initialization has to be proportional to the cost of the asset it's defending and proportional to the operational impact if it's compromised it makes sense right I'm not going to spend $2,000 defending something that is

$500 in value therefore we we have what appears to be some sort of hopeless defense for the blue team because of the principle of adequate protection I cannot defend against everything furthermore it's impossible to enumerate all potential attacks and I can't say with any sense of confidence that all the software on my system is free of vulnerabilities that can be exploited again the attacks are relatively cheap because they're scalable where whereas our defenses are not scalable and this gives rise to what asymmetric cyber warfare so why do vulnerable assets Escape exploitation and compromise to begin with out there there are assets that exist they are vulnerable but they manage to evade compromise why is that either the existence is unknown

nobody cares about it or it's just simply not targeted why are assets not targeted it's because the gain is negligible or the gain is less than the cost of the attack to begin with so therefore moving Target defense thrives at increasing the cost of the attack as opposed to mitigating all your vulnerabilities because we realizing and we have to accept the fact that vulnerabilities are inevitable therefore let's make the attack a little bit more complex and more and more challenging for each system so moving Target defense Paradigm is motivated by this asymmetric costs that are that are borne to the Cyber defenders in an effort to trying to defend everything against attack pattern that are impossible to enumerate and we do

this by trying to increase the complexity of the cost of the attacks reducing the exposure of the vulnerabilities the vulnerabil are there but how long are they there for so then we get into diversification as a security furthermore we can reduce the duration of persistent threat activity by diversifying our systems even if they do compromise this system how long can they stay in there before your system is Diversified and their persistence is then then they're kicked out further reduce scalability of opportunistic attacks so again all of our we have this monoculture in defensive cyberspace where we configure our systems and we don't touch them and we leave them alone therefore attacks are scalable uh across a vast array of victim sets we

want to reduce the scalability that drives cost of attack way up further let's render threat intelligence unreliable uh they conduct reconnaissance scanning enumeration activities reverse engineering of your software then they go and weaponize build their exploit develop their attack Plan before they deploy it so let's ask ourselves if I were to enumerate if we go back to our systems that we're charged with defending and enumerate it and scan it is it going to be the same weeks months or even years from now how long is that intelligence valuable for so there's different ways to manage our attack surface through attack surface reduction right the less stuff we have the less we have to defend but

we're all digital hoarders no one wants to do that then there's this uh concept of attack surface expansion which is an artificial logical boundary expansion of your network that you're trying to defend make yourself look bigger than you really are we had to talk about honey Nets and decoys earlier this morning that kind of play into that then there's attack surface manipulation through diversification that's where an attack surface expands and contracts at random intervals so any type of scanning enumeration or intelligence collection efforts are therefore unreliable for any significant duration of time again short talk so I'm going to focus some of the uh case studies on software uh specific applications and diversification all started with address

based layout randomization motivated by buffer over flows and this randomizes various memory locations uh Global offset tables and this combined with data execution prevention um and various stack protection mechanisms such as uh canaries was Fairly reliable but then we started seeing an increase in return oriented programming attacks process injection dll hijacking uh linking search order hijacking so this level of randomization was not enough and how does a return oriented uh or rchain work it finds Gadgets in existing code a gadget is a piece of code that's already been loaded into memory and it pieces together all the gadgets to do something uh useful I can't bring my weapon into the building but if I can find all the parts to make

the within the building then I'm good right so at the end of the day the the attacker still needs to know something about the target it needs to know where those gadgets are if it could find one by correctly guessing the offset and it can find multiples then came this idea of instruction set randomization right if you want to conduct if you want to inject a code into a Target you have to know the target's uh instruction set right you can't inject x86 assembly code or um machine code into an armed system Etc so the concept of instruction set randomization diversifies the instructions and decrypts them when the instruction register fetches these instructions from data however this is still vulnerable to

uh pre-compiled libraries because they're already compiled on the system and then You're vulnerable to uh correlation attacks and so forth not to mention this requires Hardware support and it's expensive so kernel interface diversification then became a new topic of research uh let's randomize system call interfaces let's do some excessive function name mangling and then resolve them at runtime to try and defeat uh Pro uh dll injection or dll hijacking Library search order diversification and then there's this tool called ranis ranis was a theoretical tool developed in conjunction uh with a research project from George Mason Microsoft and Purdue the problem is that it is Extreme expensive to run there's an uh incredible performance overhead incurred

um and also it was still vulnerable to some R attacks because it didn't diversify the uh the actual executable itself so we have to add binary executable format code section randomization to try and defeat those Ro building of rck chains now let's talk about a little bit of the research area I'm mostly interested in that's compiler generated diversity where every time I compile a piece of software from source code to Target code every time I compile it it gives me a different version there some sort of random number generator injected into the optimization scheme of the compiler can give me a different version of the software every time well it doesn't work for scripted languages right we have to now look at

injecting the Randomness at a higher level if the uh in the compiler chain so we look at lexical analysis randomization and this can be done by extending the grammar to include some sort of uh random tag at the end of keywords so therefore if uh someone launches a a script or code onto the target system it won't be parsed correctly it probably invokes some sort of a exception error because the lexical analyzer won't produce the correct tokens again the intent is to produce a unique instance of the software every time now what about dayout structure uh data structure layout randomization this is the concept of diversifying our data structures and again it can be done by

extend extending the grammar of high level languages but more importantly we don't always want to trust our compiler to completely randomize our stuff for us because if you think about public facing apis or network protocols those stuff that they have to be static in order for other systems to communicate with them hence application programming interface so now we put put the control in the hands of the programmer so here's a struct uh and that can random the intent is to randomize the location in memory of these values all right because code injection requires uh knowledge of the location of a function pointer uh relative to the uh return address on a stack right and if you can diversify

that every time you can intentionally effectively try to defeat those types of attacks so another example of DSLR suppos I have some function I called it besides austa I know how it's going to look like when it's compiled into assembly code and here I'm using sedal uh calling convention just as an example I know that all my parameters are going to be pushed onto the stack from right to left so now I want to see how I can diversify that so DSLR enabled compilers try to uh include uh mix those up add some padding in there add garbage variables so that way you don't know the absolute off offset relative to the base frame now with all this diversification

going on we have the potential for an entropy problem right diversification has to be non-deterministic if you can determine the outcome of your diversification routines then what's the point and true Randomness is not free it requires resources uh you have to uh get system resources whether it's average access time core temperatures something like that to build your enty pool inside of the operating system however static systems that you configure once and you leave it alone you never touch it again it has trouble building entropy a few years back this was known as the boot time entropy hole and Linux systems where we're able to a simple for Loop can drain out Dev random which is my entropy pool and I started

getting uh blocking just after a few a few queries from the entropy pool it couldn't produce any more entropy I don't think the entropy problem personally is going to be that big of a deal because rule of thumb right we only need about 256 bits of entropy um to be considered uh effective in cryptography so and furthermore we can try and scale our diversification techniques to limit that so I Envision a a scalable binary diversification scheme where everyone wants to use the same software however everyone gets a different instance of the soft software it's been Diversified and randomized therefore if you develop an exploit against uh clients client one's version of the software that attack is no longer

scalable against the other clients now you're driving the cost of the attack way up so there's also work out there for theoretical Frameworks for moving Target as a strategy as a defensive strategy on Enterprise networks I think personally that we're a long way from achieving anything like this but with proliferation of virtualized systems and and software to find networking I don't think it's unreasonable so imagine your your thing clients every time you spin them up you get a different instance of a v a virtualized machine it's completely different operating system configuration changes um your Source code's been recompiled to be diverse so these are called multivariant systems and if you're sold on the idea of threat

intelligence as an as a uh defense then you can leverage an Intel feed and you want to make sure that the Diversified system is in orthogonal to the attack Vector if it's not then it's not effective therefore and if you can achieve that you've effectively created a defensive maneuver on your system there's a lot of resistance to moving Target as a defensive strategy out there when I talk to Network owners maintainers and I present them with ideas like this they look at me like I'm crazy and they say absolutely not I need to know the state of my system at any given point in time and that's a change management nightmare well nobody really does change management anyway so I don't

really buy that as an excuse but there are other good excuses right application whitelisting by hash that's done quite frequently and if you're doing runtime software Transformations this won't be effective anymore writable code sections for runtime software transformation I think we can all agree that writable code sections might be a bad idea we did that decades ago we don't want to go back to that um also runtime uh software Integrity checks and and performance and overhead but it's really this psychological acceptability of of diversifying our systems that's the biggest hinder to progress in the MTD research Community I need to know my system needs to be static I need to know what it looks like at any given point in time

because I need to find anomalies well if anomaly detection is your only defense you're telling me that your defense is looking for adversary activity after it's already been launched whereas deterrence should be our primary line of effort from a defensive standpoint so diversification aims to try to shift that asymmetric advantage in favor of the Defenders attackers have been doing it for years they diversify their malware and then we're sold on using the idea of an md5 hash to find the malware but it's Diversified every time why don't we diversify our systems make them a little bit harder to to attack make the make the intelligence unreliable so that's where the discussion comes in right it's a lot harder to hit a

moving Target and why do us as Defenders why do we why do we think that moving Target defense might be a bad idea might be a good idea and I'm interested in feedback from the audience at this point can you imagine def diversifying your cyber look at that thing go can you imagine diversifying your cyberspace terrain to in an unpredictable man manner that you might not have full control over or furthermore can you imagine your software constantly changing and you don't know what it's changing to it the diversification itself May introduce new vulnerabilities however if you continually change over time those vulnerabilities won't be persistent and their exposure is reduced yes please one more also

so

what a great adversary tactic yeah I remember remember the conficker um problem where the domain kept changing constantly we can never figure out what the next domain was going to be so adversaries are use diversification or or mve moving Target offense I guess we can call it um in the past

maybe compromise the diversification engine itself and take control of that yeah so you you may introd if you're going to do it in in a scalable fashion then you may introduce a single point of failure um maybe then it's worthy to look at peer-to-peer systems um for diversification but no that's a great point to bring up yes please con talking about applying something technique wise to your perimeter to your defensive measures but to your actual core that that thing you're trying to defend you got to know it's defended there's just no way to know it's defended point it out I know it's about deter but I've got to know I've got to know that I've actually been ahead with

my yes please I see

upill battles is you know how how is this justers affect your ability to work me so you know something has changed you know we try we have to first see where the diversification mechanism has taken your systems to be able to find that out and then get to um troubleshooting your that I think it it it could potentially add an additional layer steps to get into solve the problem agreed I mean if we can't if the diversification creates a second or third order effect on the operational requirements of the system itself um yeah that could invoke some troubleshooting nightmares I agree yes so the idea more to every time I go download you know Libre office or something and

automatically recompile it when downloading and I get a unique version and somebody else downloads it correct or is it more built into the operating system be some manag so that things always can be Chang correct V why not all right so you're saying I mean one is easier to get to one is easier to do right because once you download it you recompile it you have your unique instance but then you're still vulnerable to a targeted attack someone manages to get into your system they extract your unique instance of that software they can still reverse engineer it somehow but if it's constantly changing you've increased the effectively increased the deterrence yes please um well I'm going to support you

on this uh your main argument is that it's economics and we all have a business I mean the phomen shadow it applies to security it's too expensive it's not going to be done so uh I think there's a lot of validity to this um that you've got to find a way to do it cheaper and this could be accomplished cheaper cheaper and and reliable scalable and uh effective yeah there's not a lot of research out there on the effectiveness on this type of stuff how much time do I got I got five okay yes Mr Bounce please so is anybody doing this in the real world right now your idea I mean is it actually being

done research researching right now or what right now it's just mostly academic research um but it is being done in the real world by the red team but not in blue space terribly often sometimes we off you skate our code for for IP protection and stuff like that but not for the intent of diversifying um the attack surus that I know of yes please I think a supporting example very very fast moving all the way software changes very frequently and it's very hard to on possible it's not to the level that you're discussing but definitely you got many of these kinds of feates you can't necessarily launch successful taxs against the software stop working everybody it's a great Point yeah thank

you for bringing that up yeah so the tech might work once but it's not going to work for so long yes please

that's huge you got

issue haveing

agreed yeah trusting the compiler that's that's the the trusting trust security debate that's been going on for years um where does the compiler lay in terms of the architecture who's in control of that compiler and these are all good points yes please in the back similar to uh the previous comment in the event that this technology is being developed means primarily still academic does that mean it's in the private sector and if so how is that going to fit into the current concerns regarding encryption and the government having a back door in order to access it because at least the current state of Technology this sounds like would be essentially an unbreakable sort of code if it fall a

wrong hands is Def going to need to have a key role in its development in order to have the propriety of control over it to safeguard its own systems or would this be something to the general public I mean research and development always comes best from the open source Community um and actually just 10 days ago I IBM uh published their initial research results on rockchain um deterrence using a moving Target platform by diversifying at random intervals their portable executable format so IB is working on this but I I think we're out of time I got some gifts to give away real quick someone uh tell me one example of software transformation that I

discussed this next one is for it's a local local can someone talk about in