Ensilo_Blog_02-23-17-500x500.jpg

In 2017, we predict that security – the good and the bad – will be moving down the stack.

Both sides — defense vs offense — are moving down the stack. On one side: the confidentiality, integrity and availability of data, operations and processes. On the other: threat actors that are looking to steal, tamper or disrupt these.

And on both sides we see movement down the stack. New defenses are moving to the hardware level, while threat actors have a broader target potential by exploiting vulnerabilities in the OS down to the hardware.

Let’s start with the good guys:

The past few decades have demonstrated that defense in hardware and operating system components is more robust than placing security measures on the software and application layer. The impact of placing security measures on the hardware was proven in 2004 with Windows’ introduction of Data Execution Prevention (DEP) which required a hardware support. Although it was a single modification, it significantly changed the ways that threat actors carried out their attacks, forcing them to adopt new techniques such as ROP (Return-On-Programming).

New low-level security measures that have recently been introduced include:

  • Microsoft’s Virtualization- Based Security (VBS). VBS uses hypervisor (Hyper-V), an additional layer residing between the hardware and the OS, to ensure security. VBS is part of Device Guard - a Windows’ component that prevents malicious code from running by leveraging advanced hardware features.
    Components of VBS include:
    • Hypervisor Code Integrity (HVCI). HVCI was introduced in Windows 10 and Server 2016. Hypervisor prevents unsigned code from running in the kernel (and it can also be applied in user-mode).
    • Virtual Secure Mode (VSM). VSM uses the virtualization extensions of the CPU to provide additional security to data in memory. Basically, it allows running services and processes as if they were on a separate virtual machine.
    • Credential Guard. Used to mitigate the theft of credentials by moving the LSA service to run in a VSM, Credential Guard essentially makes pass-the-hash attacks much harder.
    • Edge in VSM (Application Guard). Application Guard will be introduced in the coming year to harden the Edge browser so that code will run in VSM too, essentially isolating unauthorized code from the underlying OS. This means attackers will be need to find a way to breakout of the VSM in order to compromise the target machine even if they have a 0-day for the browser.

  • New anti-ROP/JOP security features in Intel processors.
    • Intel will release a processor with a new instruction set, called CET (Control-Flow Enforcement Technology), that supports ROP/JOP mitigations. This is achieved by creating a shadow stack. The idea is that the shadow stack will contain return address data as the traditional stack but on every function return. The stacks are compared against each other so that control is transferred only if both stacks contain the same information. This is a stronger hardware-enforced version of the upcoming windows RFG (Return-Flow-Guard) mitigation.
    • Ensuring integrity of operations through a new instruction that marks legal targets for control flow instructions. This added feature is a stronger hardware-enforced version of Microsoft’s CFG (Control-Flow Guard) software-based CFI (Control-Flow Integrity).

The bad guys are taking heed and moving down the stack too:

Threat actors on their end love hardware vulnerabilities. After all, if there’s a hardware vulnerability – it impacts all devices with that hardware. Furthermore, in many cases the vulnerability cannot be simply fixed by applying a patch. The only fix in these cases is for the victim to replace the device.

Attack examples that leveraged hardware include RowHammering. RowHammering is done by repeatedly accessing a row of memory in DRAM in order to cause bit flips in adjacent rows. This research got a major boost with Project Zero’s publication of “Exploiting the DRAM rowhammer bug to gain kernel privileges.” The initial publication only showed how RowHammering can be used for local privilege escalation. However, since then, researchers were able to leverage this technique to gain remote exploitation by combining it with another hardware-based technique that leverages memory deduplication. The researchers proved it was possible to achieve remote code execution without using a software vulnerability.

This attack vector was further extended to gain root access on Android devices.

Implications of security moving down the stack:

As in the game of cat and mouse, in 2017 we're bound to see three trends given Microsoft’s hardening:

  1. We’ll see articles on bypassing VBS features, while Microsoft on their end will be quick to patch due to the severity of such vulnerabilities.
  2. Malware authors will look for ways to exploit other parts of the system in order to run. For instance, we’ll see more fileless malware — malicious code that directly writes to memory instead of through an executable file – in order to overcome Device Guard technology.
  3. Threat actors will increasingly use different tools that are built into the Windows system that can run .NET or Powershell. The reason is that Device Guard allows the execution only of signed applications with pre-defined signatures so that what’s not authorized, or has no signature, won’t be able to run. Since the built-in system tools have those signatures, threat actors will start compiling their code in, say, MSBuild to generate malicious .NET code in runtime, without the need to have a new executable file on disk. 

What can organizations do?

  1. Updating software must become best practice. Indeed, some hardware vulnerabilities can be mitigated to some extent by software patches. For example, some RowHammering attacks can be mitigated by disallowing the use of CLFLUSH instruction.

  2. Deploy new hardening technologies. Clearly, leveraging new technologies such as VBS and Device Guard can significantly increase endpoint protection.

  3. Don’t rely solely on file inspection. Fileless malware will fly under the radar of technologies that rely on file analysis.

  4. Ensure that protections go beyond the endpoint. A hardware-based attack will go undetected by a security solution residing on the software layer. Under the assumption that threat actors will always enter – and the endpoint security solution cannot grab that – what’s required is a non-endpoint component, such as one residing on the network, to serve as an integrity check for the endpoint. While the endpoint can provide visibility to the processes’ activities, the additional component can analyze it, including comparing states, to determine malicious activity.