Friday, January 22, 2016

0patch: Fixing The Fixing

Microscopic Cures for BIG Security Problems

Those of you following our work at ACROS Security have noticed the near-silence on our public side during the last two years. The blog was static, there was no news on the web site to speak of, and googling us gave no recent hits. Sure, our customers know we were as busy as ever under the blanket of serial NDAs, but what was going on in our "free" time?

One word: 0patch. We were building what we believe is going to fundamentally change the security game. And it seems so trivial, it's hard to comprehend that something like this hasn't been a standard procedure for ages. Well, no-one seemed to have bothered building it*, so we did.

Critical remotely exploitable vulnerabilities have become a daily routine, but fixes for them are still sporadic and delayed if they exist at all, providing attackers with a growing supply of ammo. Believe us, it does get frustrating when you can use the same "pick an exploit, phish, win" procedure for 15 years and successfully break into every single network, despite all the fancy security technology they're using. Defenders have absolutely no fighting chance.

It became clear to us that whatever else our security industry does to protect against breaches will remain utterly futile until we fix the fixing.

Thus, 0patch (pronounced 'zero patch') was presented to the public for the first time at the DeepSec 2015 conference in Vienna (slides, video).

0patch is a platform for instantly distributing, applying and removing microscopic binary patches to/from running processes without having to restart these processes (much less reboot the entire computer).

0patch doesn't change a single byte on the file system: all patching is done in memory, as soon as a vulnerable module (e.g., EXE or DLL) is loaded by any process.

Patches deployed by 0patch (called '0patches') are extremely small, usually containing just a handful of machine instructions. This makes it easy to review them and absolutely minimizes the risk of them causing functional problems to the patched processes. Compared to typical official vendor updates that also just fix a couple of vulnerabilities, 0patches are roughly a million times smaller! And about a million times easier and faster to apply and remove.

0patch allows vulnerability researchers to create patches instead of exploits, and to get paid for that by the very consumers of these patches.

And finally, 0patch allows software vendors to fix vulnerabilities in their products running on users' computers quickly and cheaply, providing an unprecedented ability to actually outrun attackers for the first time in history.

You're welcome to learn more at and follow us at @0patch.

Godspeed, 0patch!

* Granted, we're nowhere near the first to be doing hot-patching or unofficial vulnerability patching (shoutout to Determina and Alex Sotirov, eEye, Luis Miras, Ilfak Guilfanov, the PatchDroid team, Jeff Arnold and M. Frans Kaashoek and the Ksplice team, ZERT et al., and those whose ideas they have borrowed), but there is currently no generic production-grade solution allowing system administrators to instantly hot-apply official or unofficial micropatches with minimum risk of functional problems, and instantly hot-remove them should such problems happen to occur.
