Tuesday 28 June 2011

Olli-Pekka Niemi - Dealing with evasions

It's time for a new contribution to "Voci Amiche" section of the blog and I'm very happy to introduce Olli-Pekka Niemi, an expert on a very hot topic: the Advanced Evasion Techniques (AETs).

I met Olli during a workshop organized by Stonesoft and I admired his ability to explain hard concepts in a simple way. He is brilliant and has an amazing knowledge of network security topics.

As Head of the Stonesoft Vulnerability Analysis Group (VAG) he delved into multiple evasion methods to bypass the detection of Intrusion Prevention Systems and break into the remote system. So, at the moment, his knowledge of AETs is pretty unique and I'm very proud that the "Punto 1" readers can approach this "advanced" topic through his contribution.

Thank you very much Olli, I hope that we will have other occasions to collaborate, now the floor is yours...
The role of a network security device such as an IPS/NGFW/UTM is to analyze and pass through data that is allowed according to the security policy, while preventing threatening data such as remote exploits against vulnerable clients and servers. Exploits can apply multiple evasion methods to bypass the detection and protection capabilities of the network security device and break into the remote host.

What's evasion?

TCP/IP implementations follow a general principle of robustness: be conservative in what you do, be liberal in what you accept from others. There are always multiple ways to do things, i.e. to encode and transmit data. The multitude of data encoding and transmission possibilities provides ample opportunity for malicious actors to discover and apply evasions. Simply put, an evasion is just a method of transmitting data in a way that is not expected or properly understood by the network security device.

This also means that many of the evasion methods that can be applied to hide malicious data like exploits are not actually threatening or malicious by themselves. Only the payload is. An evasion happens when the security device misclassifies the transmitted data as legitimate, even though it is in fact malicious. Evasions are not just some protocol anomalies or violations, or malicious data that can be dropped by the security device, but simply alternative ways of encoding data.

Evasion research, nothing new under the sun?

Evasions have been researched before. A lot. One of the first comprehensive descriptions of evasions is the research paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" written by Ptacek and Newsham in January 1998. This paper is the cornerstone of evasion research, and in fact most evasions are to some degree based on the work done there. In 1998, an article in Phrack Magazine also described ways to bypass network intrusion detection. In 1999 HTTP-related evasions were studied in "Whisker evasion tactics" by Rain Forest Puppy. Later on Handley and Paxson suggested evasion prevention via normalization in 2001, Gorton and Champion suggested combinations of evasions in 2004, and finally Moore and Caswell discussed MSRPC evasions at Black Hat 2006.
At Stonesoft we have followed evasion research ever since we started our own security gateway development over a decade ago, and started our own research into the topic back in 2007. In the summer of 2010 we announced the concept of Advanced Evasion Techniques (AET). In that release we combined evasion techniques to form new evasions. However, AETs are not just a single release of evasion techniques, but a new paradigm, where network security devices are systematically tested with all possible ways of transmitting data between hosts.

Why do evasions still work?

Why do evasions still work, after all these years? Some vendors are actually saying that they do not. But they are mistaken: while their products may offer protection against some specific evasions, the claim that all evasions are handled properly is simply untrue. The problem is that evasions are not a single concept, item or technique, but the general inability to correctly understand the data being transmitted and analyzed.

Evasions work because many network security devices are too throughput-oriented by design, sacrificing security analysis capabilities for performance. Such devices lack a proper understanding and analysis of the networking protocols. Evasions work because implementing a middlebox TCP/IP stack and protocol normalization is difficult. Anomaly-based evasion prevention leads to false positives. Simple, throughput-efficient packet-based pattern matching will miss attacks that deploy evasions. Proper TCP/IP reassembly that is invulnerable to TCP evasions requires a lot of memory. And finally, testing evasions is difficult. It requires tools, but most of the tools available contain only a few evasions. Network security devices tend to detect those evasions that are required for certifications or can be tested with publicly available tools, but they often miss attacks that use evasions not implemented in the available testing tools.

Dealing with evasions

Properly dealing with evasions requires a thorough understanding of the network protocols. For example, some network security devices can be fooled by splitting a TCP stream into small segments. Some vendors protect against this by having their product block small segments. However, small segments are a perfectly legitimate feature of TCP, and such products risk blocking legitimate traffic.

To deal with TCP segmentation properly requires understanding that TCP is essentially a method of transmitting a data stream, so it is the data stream that should be investigated, not individual segments.
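The difference between inspecting segments and inspecting the stream, as an added illustration that is not part of the original post: the simulated segments, the sample pattern and the `reassemble` helper below are all constructed for this example, and the overlap policy it applies (lowest sequence number wins) is one assumption among several that real endpoint stacks differ on.

```python
# Added example: packet-based pattern matching versus matching on the
# reassembled TCP byte stream. All inputs are constructed for illustration.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes


# Constructed sample pattern; not a real signature.
SIGNATURE = b"/cgi-bin/evil.sh"


def per_segment_match(segments, signature=SIGNATURE):
    """Packet-based inspection: each segment is matched in isolation."""
    return any(signature in seg.payload for seg in segments)


def reassemble(segments, isn):
    """Rebuild the contiguous byte stream starting at sequence number isn.

    Segments may arrive out of order or overlap. On overlap the data with
    the lowest sequence number wins (assumption: endpoints differ here, so
    a real device must model the target host's policy). Reassembly stops
    at the first hole, since an endpoint cannot consume bytes past a gap.
    """
    stream = bytearray()
    for seg in sorted(segments, key=lambda s: s.seq):
        offset = seg.seq - isn
        if offset > len(stream):
            break                                   # hole: wait for data
        stream.extend(seg.payload[len(stream) - offset:])  # skip overlap
    return bytes(stream)


def stream_match(segments, isn, signature=SIGNATURE):
    """Stream-based inspection: match on the reassembled data."""
    return signature in reassemble(segments, isn)


def build_segments(data, isn, size):
    """Split data into consecutive TCP segments of at most `size` bytes."""
    return [Segment(isn + i, data[i:i + size]) for i in range(0, len(data), size)]


# Constructed request; with 4-byte segments the pattern never fits in one.
REQUEST = b"GET /cgi-bin/evil.sh HTTP/1.0\r\n\r\n"
ISN = 1000
TINY = build_segments(REQUEST, ISN, 4)
```

Feeding `TINY` to both matchers shows the per-segment matcher missing the pattern while the stream matcher finds it, also when the segments are delivered in reverse order.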

To properly deal with evasions and inspect the traffic, the Network Security Device must understand it thoroughly.
There is no substitute for an in-depth understanding of the networking protocols used. That understanding must not be limited to proper usage of the protocols, but must encompass also the behavior of typical endpoint systems when subjected to improper protocol usage. That understanding must also be dynamic and adaptable. The Internet is in a never-ending change process. Even though there are things that at least seem static, there are continuous changes even in the basic building blocks of the Net. The pace of change requires a lot of flexibility and updatability from the network security devices. Network security devices cannot be static appliances but they must be updated regularly and effortlessly.

Olli-Pekka Niemi has been working in the area of Internet security since 1996. Since 2000, he has worked at Stonesoft's R&D department, developing Stonesoft's StoneGate network security solutions. His main areas of responsibility include the analysis of network-based attacks and attack methods as well as research into new detection and analysis methods that could be implemented in StoneGate network security solutions. Mr. Niemi is also the Head of the Stonesoft Vulnerability Analysis Group (VAG). Before joining Stonesoft Mr. Niemi worked at KPMG Information Risk Management, where he mainly focused on penetration testing and security audits. He has also worked as a system administrator at the Helsinki University of Technology.
