如何击溃IPS特征检索?How to Hack IPS Signatures

Errata Security says attackers are already reverse-engineering IPS vendors' zero-day signatures like TippingPoint's to wage attacks, bypass IPSs

JULY 30, 2007 | Careful, that zero-day signature you just got from your IPS vendor could be used against you: Researchers from Errata Security at Black Hat USA this week will show how an attacker can easily reverse-engineer these zero-day filters that IPS (intrusion prevention system) vendors distribute, and then use them to leverage an attack. Errata CEO Robert Graham and CTO David Maynor will demonstrate this using TippingPoint's signatures, but Graham says it's possible to reverse-engineer any IPS vendor's zero-day signatures. The company was also able to do the same with signatures from Cisco, Juniper Networks, and McAfee, he says, although they will only demonstrate their research on TippingPoint's IPS in its Thursday morning session, entitled "Simple Solutions to Complex Problems from the Lazy Hacker’s Handbook." The researchers will show how these signatures basically give an attacker the ammunition to do damage using bugs that wouldn't have otherwise been known about yet. "The point is that if you're a black hat, it's easier to get a zero-day from the vendor than to develop your own," Graham says. Graham says it's no surprise this could be accomplished, but it was a bit of a shock to him that attackers are already using it to their advantage. "The biggest surprise is people are already doing it. We found one [of these attacks] in the wild... We're pushing this issue to prove how easily it can be done." TippingPoint late last month temporarily removed its Zero Day Initiative (ZDI) signature updates for its IPSs after getting the word from Errata on its research. The IPS vendor said it then added more secure storage and delivery to its software and recently released an update with those enhancements. And now its customers can choose to "opt in" to receive future ZDI filters. But the cat was already out of the bag. Graham says Errata decided to test the ZDI signatures after finding at least two different hacking groups that wrote zero-day attacks using the signature TippingPoint released to patch the hole found in the infamous $10,000 Apple hacking contest at CanSec West earlier this year. "One person we know who's done this is pissed off at us because he's been feeding off these free zero-days for a while now. Now he knows he's going to be cut off" with TippingPoint securing it, he says. Errata used the well known IDA Pro reverse-engineering tool, and also wrote its own tools for decrypting TippingPoint's signatures. Graham says he won't be releasing the tools: "We want to demonstrate that it can be done... We don't want to make it easy for others to do this." He argues that the trouble with these zero-day signatures is they are often used more for marketing purposes so an IPS vendors can show that they "got there" first, but this process instead invites trouble. "The value of a zero-day [signature] is if there is a threat. But if the signature is more for marketing purposes, it becomes more of a threat than the zero-day [vulnerability]." TippingPoint's ZDI program has stirred controversy because it pays hackers for zero-day bugs and then issues signatures for them in TippingPoint's products. "It doesn't give TippingPoint any greater understanding for its own researchers, but it's buying content from others and encouraging black-hat activity," Graham says. "ZDI is just a publicity stunt." TippingPoint, meanwhile, maintains that the ZDI program has merit. "We believe, and our customers agree, that providing zero-day filters in advance of vendor announcement of a vulnerability is serving a positive security purpose, in spite of the risk that some point out," says Terri Forslof, manager of security response for TippingPoint. "We appreciate Errata bringing to our attention concerns related to zero-day delivery and storage, and took them seriously enough to invest development time in [these] enhancements." TippingPoint emphasized that this is not a vendor-specific issue. "Any product with zero-day filters can be reverse engineered. We just happen to have been highlighted as proof of concept," Forslof says. "We encourage other zero-day vendors to thoroughly evaluate their own policies and protective measures." Errata's Graham says what made TippingPoint's signatures easy to decrypt is that they ship the decryption key hidden within the signature update -- "so all we needed to do was figure out where they hid it." How can IPS vendors protect their signatures? Graham says Errata's Black Hat briefing session will also include some strategies for this, but the bottom line is vendors cannot protect themselves with software alone. Specialized hardware is necessary, and they can make reverse-engineering more difficult for attackers by compiling their signatures beforehand. "An important first step would be to compile the signatures at the factory before sending them to the box, rather than shipping the source of their signatures." As for IPS customers, if you're a high-value target, Graham says, you need to be aware that the bad guys already have these signatures, and they could use them to hit you. It's simple for an attacker to bypass the IPS altogether: "All they have to do is change a few bytes in the patterns" of the exploit, and they can get right past the IPS. — Kelly Jackson Higgins, Senior Editor, Dark Reading