Microscopic Cures for BIG Security Problems
Those of you following our work at ACROS Security have noticed the near-silence in our public department during the last two years. The blog was static, there was no news on the web site to speak of, and googling us gave no recent hits. Sure, our customers know we were as busy as ever under the blanket of serial NDAs, but what was going on in our "free" time?
One word: 0patch.
We were building what we believe is going to fundamentally change the
security game. And it seems so trivial, it's hard to comprehend that
something like this hasn't been a standard procedure for ages. Well,
no-one seemed to have bothered building it*, so we did.
Remotely exploitable vulnerabilities have become a daily routine, but fixes for them are still sporadic and delayed, if they exist at all, providing attackers with a growing supply of ammo. Believe us, it does get frustrating when you can use the same "pick an exploit, phish, win" procedure for 15 years and successfully break into every single network, despite all the fancy security technology they're using. Defenders have absolutely no fighting chance.
It became clear to us
that whatever else our security industry does to protect against
breaches will remain utterly futile until we fix the fixing.
Thus, 0patch (pronounced 'zero patch') was presented to the public for the first time at the DeepSec 2015 conference in Vienna (slides, video).
Patches deployed by 0patch (called '0patches') are extremely small, usually containing just a handful of machine instructions. This makes them easy to review and minimizes the risk of their causing functional problems in the patched processes. Compared to typical official vendor updates that also fix just a couple of vulnerabilities, 0patches are roughly a million times smaller, and about a million times easier and faster to apply and remove.
And finally, 0patch allows
software vendors to fix vulnerabilities in their products running on
users' computers quickly and cheaply, providing an unprecedented ability
to actually outrun attackers for the first time in history.
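To make "a handful of machine instructions" and "apply and remove" concrete, here is a constructed illustration of a micropatch being hot-applied to a running process and hot-removed again. This is added example code, not 0patch's own code or mechanism: a real 0patch places its instructions at a specific location inside the vulnerable code, while this demo uses the simplest form of the idea, a jump written over the function's entry point that redirects execution to a fixed copy, with the original bytes saved so removal is just putting them back. The buggy copy_field, its fixed twin and the 16-byte test input are invented for the demo; the code assumes Linux on x86-64 or AArch64 (the jump encodings are architecture-specific) and that the process is allowed to mprotect() its own code pages writable.

```c
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example of a missing bounds check: dstlen, the capacity the
 * caller declared, is never consulted before n bytes are copied into dst. */
__attribute__((noinline)) int copy_field(char *dst, size_t dstlen, const char *src, size_t n)
{
    (void)dstlen;                       /* the bug */
    memcpy(dst, src, n);
    return (int)n;
}

/* The micropatch payload: same contract, with the missing check added. */
__attribute__((noinline)) int copy_field_fixed(char *dst, size_t dstlen, const char *src, size_t n)
{
    if (n > dstlen) return -1;
    memcpy(dst, src, n);
    return (int)n;
}

/* Called through a volatile pointer so the compiler cannot inline copy_field. */
typedef int (*copy_fn)(char *, size_t, const char *, size_t);
static volatile copy_fn live_copy = copy_field;

/* One applied patch: where it went and the original bytes, kept for hot-removal. */
typedef struct { void *target; size_t len; uint8_t saved[8]; } micropatch;

/* Encode an unconditional jump from `from` to `to`; returns its length, or 0
 * if the target is out of reach or the architecture is not handled. */
static size_t encode_jump(uint8_t *buf, void *from, void *to)
{
#if defined(__x86_64__)
    intptr_t rel = (intptr_t)to - ((intptr_t)from + 5);
    if (rel > INT32_MAX || rel < INT32_MIN) return 0;
    int32_t rel32 = (int32_t)rel;
    buf[0] = 0xE9; memcpy(buf + 1, &rel32, 4);     /* JMP rel32 */
    return 5;
#elif defined(__aarch64__)
    intptr_t off = (intptr_t)to - (intptr_t)from;
    if (off < -(1 << 27) || off >= (1 << 27) || (off & 3)) return 0;
    uint32_t insn = 0x14000000u | (((uint32_t)off >> 2) & 0x03FFFFFFu); /* B imm26 */
    memcpy(buf, &insn, 4);
    return 4;
#else
    (void)buf; (void)from; (void)to; return 0;
#endif
}

/* Overwrite n bytes of live code at dst: unlock the page(s), write, flush, relock. */
static int write_code(void *dst, const void *src, size_t n)
{
    uintptr_t ps = (uintptr_t)sysconf(_SC_PAGESIZE), start = (uintptr_t)dst & ~(ps - 1);
    size_t len = (((uintptr_t)dst + n + ps - 1) & ~(ps - 1)) - start;
    if (mprotect((void *)start, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy(dst, src, n);
    __builtin___clear_cache((char *)dst, (char *)dst + n);
    return mprotect((void *)start, len, PROT_READ | PROT_EXEC);
}

/* Hot-apply: remember the entry bytes of target, then replace them with a jump. */
static int micropatch_apply(micropatch *p, void *target, void *replacement)
{
    uint8_t jmp[sizeof p->saved];
    size_t n = encode_jump(jmp, target, replacement);
    if (n == 0 || p->len != 0) return -1;
    memcpy(p->saved, target, n);
    if (write_code(target, jmp, n) != 0) return -1;
    p->target = target; p->len = n;
    return 0;
}

/* Hot-remove: put the saved bytes back so the original code runs again. */
static int micropatch_revert(micropatch *p)
{
    if (p->len == 0 || write_code(p->target, p->saved, p->len) != 0) return -1;
    p->len = 0;
    return 0;
}

/* Claims capacity 8 but asks for 16 bytes; buf is really 64, so nothing overflows here. */
static int oversized_copy(void)
{
    char buf[64];
    return live_copy(buf, 8, "0123456789abcdef", 16);
}

static int observed[3];                 /* result before, with, and after the patch */
int result_at(int stage) { return observed[stage]; }
int run_patch_cycle(void)
{
    micropatch p = {0};
    observed[0] = oversized_copy();                                    /* 16 */
    if (micropatch_apply(&p, (void *)copy_field, (void *)copy_field_fixed)) return -1;
    observed[1] = oversized_copy();                                    /* -1 */
    if (micropatch_revert(&p)) return -1;
    observed[2] = oversized_copy();                                    /* 16 */
    return 0;
}
```

run_patch_cycle() drives the three stages and result_at(0..2) reports what the call returned in each: 16 with the bug present, -1 while the micropatch is in place, and 16 again once it is removed; a main() that calls those two functions turns it into a stand-alone binary. The saved-bytes field is the "hot-remove" half of the story: if a patch misbehaves, restoring a few bytes reverts it instantly, with no restart of the process.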
* Granted, we're nowhere near the first to be doing hot-patching or unofficial vulnerability patching (shoutout to Determina and Alex Sotirov, eEye, Luis Miras, Ilfak Guilfanov, the PatchDroid team, Jeff Arnold, M. Frans Kaashoek and the Ksplice team, ZERT et al., and those whose ideas they have borrowed), but there is currently no generic production-grade solution allowing system administrators to instantly hot-apply official or unofficial micropatches with minimum risk of functional problems, and instantly hot-remove them should such problems happen to occur.