Friday, January 22, 2016

Bridging the "Security Update Gap" With 0patch

Vulnerability Patches Can be Really Small and Easy to Apply

Yesterday we tweeted a proof-of-concept actual micropatch for the "Winshock" vulnerability (CVE-2014-6321, MS14-066) in Windows schannel.dll. The patch fixes a buffer overflow vulnerability that allowed attackers to execute arbitrary code on any SSL-enabled IIS server. (Thanks to Mike Czumak, BeyondTrust and Malware Tech for their awesome analyses, especially Mike for also sharing his method for triggering the bug.)

Our "0patch" for Winshock consists of just 11 machine instructions (28 bytes), which is a fairly typical size for a 0patch judging from over 300 0patches we've written so far. To put these 28 bytes in perspective, you should know that the official Microsoft's update that fixed the same vulnerability (although it might also have changed some other bits here and there) was 243 KB, which makes our 0patch roughly 8,800 times smaller than the official fix.

You have to understand that vendor updates - be it Microsoft's, Adobe's, Oracle's - simply replace entire executable files, even if just a single sanity check has been added to them to fix a vulnerability. This has several unpleasant side-effects:

  1. In order to replace an executable file that is currently in use by one or more running processes (which is often the case, including with the above-mentioned vulnerability), these processes need to be terminated, which leads to something we all hate: restarting the computer.
  2. In the unlikely but possible event that the vendor update should cause functional problems, reverting the change (i.e., uninstalling the update) again requires a computer restart. In contrast to installing updates, which can be managed centrally for an entire enterprise, uninstalling requires manual handling of each affected computer - which is especially difficult with laptops traveling around the world.
  3. Large updates are impossible for administrators (or basically anyone) to thoroughly review before installing. What are the changes they introduce, do they also "silently" modify some functionality? 

As a result, enterprise administrators schedule extensive and lengthy testing of vendor updates before installing them in production. It is common to have vendor updates installed in an enterprise several months after they have been released. Think about it: attackers start reverse-engineering vendor updates the same day these get released, and often have reliable exploits in just a few days. Defenders, on the other hand, are struggling with testing these updates and remain vulnerable to exploits extracted from official vendor updates. By the time defenders have finally installed vendor updates from two months ago, they're already vulnerable to the exploits from last month's updates. The game seems to be eternally rigged in favor of attacker.

Now this problem is getting a solution. 0patch can help defenders bridge this "security update gap" by 0patches protecting them from newly extracted exploits while the official updates are being tested. Since creating a 0patch from an official update is a similar process to creating an exploit from the same update, defenders finally have a chance to compete with attackers - and even outrun them.


And why would administrators dare to apply 0patches to production without rigorous testing? Here's why:

  1. 0patches are designed to be applied to running processes. This means that the above-mentioned Winshock 0patch gets applied to a running IIS server without having to even restart a service, much less the entire computer.
  2. 0patches are designed to be removed from running processes just as easily - no restarts. This allows admins to instantly revert to pre-0patched state (i.e., instantly un-applying the Winshock 0patch from a server).
  3. Both applying and removing 0patches can be done remotely, from a central location.
  4. 0patches are so small that anyone with some knowledge of machine programming can review them. This means that administrators know exactly what changes they're introducing by applying 0patches.

Making the "security update gap" a thing of the past is one of our most important goals. Until we get there, no matter what security technology corporate and government networks are using, breaking into them will remain a child's play.

Subscribe at https://0patch.com and become part of the solution.

@mkolsek
@0patch


0patch: Fixing The Fixing

Microscopic Cures for BIG Security Problems

Those of you following our work at ACROS Security have noticed the near-silence in our public department during the last two years. The blog was static, there were no news on the web site to speak of, and googling us gave no recent hits. Sure, our customers know we were as busy as ever under the blanket of serial NDAs, but what was going on in our "free" time?

One word: 0patch. We were building what we believe is going to fundamentally change the security game. And it seems so trivial, it's hard to comprehend that something like this hasn't been a standard procedure for ages. Well, no-one seemed to have bothered building it*, so we did.

Critical remotely exploitable vulnerabilities have become a daily routine, but fixes for them are still sporadic and delayed if they exist at all, providing attackers with a growing supply of ammo. Believe us, it does get frustrating when you can use the same "pick an exploit, phish, win" procedure for 15 years and successfully break into every single network, despite all the fancy security technology they're using. Defenders have absolutely no fighting chance.

It became clear to us that whatever else our security industry does to protect against breaches will remain utterly futile until we fix the fixing.

Thus, 0patch (pronounced 'zero patch') got presented to the public for the first time at the DeepSec 2015 conference in Vienna (slides, video).

0patch is a platform for instantly distributing, applying and removing microscopic binary patches to/from running processes without having to restart these processes (much less reboot the entire computer).

0patch doesn't change a single byte on the file system: all patching is done in memory, as soon as a vulnerable module (e.g., EXE or DLL) is loaded by any process.

Patches deployed by 0patch (called '0patches') are extremely small, usually containing just a handful of machine instructions. This makes it easy to review them and absolutely minimizes the risk of them causing functional problems to the patched processes. Compared to typical official vendor updates that also just fix a couple of vulnerabilities, 0patches are roughly a million times smaller! And about a million times easier and faster to apply and remove.

0patch allows vulnerability researchers to create patches instead of exploits, and to get paid for that by the very consumers of these patches.

And finally, 0patch allows software vendors to fix vulnerabilities in their products running on users' computers quickly and cheaply, providing an unprecedented ability to actually outrun attackers for the first time in history.

You're welcome to learn more at https://0patch.com and follow us at @0patch.

Godspeed, 0patch!




* Granted, we're nowhere near the first to be doing hot-patching or unofficial vulnerability patching (shoutout to Determina and Alex Sotirov, eEye, Luis Miras, Ilfak Guilfanov,the PatchDroid team, Jeff Arnold and M. Frans Kaashoek and the Ksplice team, ZERT et al., and those whose ideas they have borrowed), but there is currently no generic production-grade solution allowing system administrators to instantly hot-apply official or unofficial micropatches with minimum risk of functional problems, and instantly hot-remove them should such problems happen to occur.