ARMAS™
A Deterministic Platform to Defend Against File-less, Memory-Based Cyber Attacks
Introduction
Increasingly, sophisticated cyber attacks are moving in the direction of file-less, memory-based
exploits. Unlike the tooling behind amateur script-kiddie attacks, these exploits are not easy to acquire
or to learn. Given the technical sophistication required, they are harder to find and to execute, but all
indications are that they are increasing in both frequency and accessibility.
This should be of tremendous concern to enterprise organizations, given the near-indefensible nature
of memory-corruption and memory-based attacks. This paper examines this class of attacks and the
limitations of current approaches to thwarting memory-based compromises by malicious actors.
We also discuss the promising use of Trusted Execution and Virsec ARMAS in providing enterprises
with a defense mechanism against these insidious and growing attacks.
However, since 2010, when this definition was provided, ROP chain attacks have come on the scene as
the leading form of malicious exploit on the Windows operating system, according to Microsoft. ROP
chains are even more insidious, and they have been shown to circumvent the OS mitigations
introduced against earlier memory-corruption attacks (e.g. ASLR and DEP). A ROP chain injects no
code of its own: it reuses short instruction sequences that already exist in the application's legitimate
code (known as gadgets, typically ending in a return instruction), and by overwriting the stack with a
sequence of gadget addresses it strings them together into arbitrary malicious behavior. Because every
byte executed is legitimate code, DEP has nothing to block, and ASLR only holds until the attacker learns
where that code is loaded.
Memory-corruption attacks and vulnerabilities are decidedly arcane and require patience to
understand. However, it is clear that a typical enterprise computing infrastructure provides plenty
of vulnerabilities and plenty of opportunities to exploit them. These exploits are the domain of
sophisticated hackers and overlap with other categories of cyber attack such as zero-day and advanced
persistent threats. The National Institute of Standards and Technology (NIST), with the Department of
Homeland Security (the parent agency of US-CERT) as sponsor, maintains the National Vulnerability
Database (NVD), a repository that catalogs published vulnerabilities (CVEs) and classifies them by
weakness type. The NVD consistently ranks buffer errors (CWE-119), the opening for memory-corruption
attacks, as the most frequent vulnerability class found in applications.
This is a big problem because a well-crafted buffer-overrun exploit can be the basis of attacks such as
remote code execution, giving an external attacker direct access to an internal network. Remote code
execution and reverse-shell connections are the most serious consequences of memory-corruption
attacks (referred to as memory-based attacks from here on), because they create backdoors into the
network for malicious actors.
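To make the path from buffer overrun to control hijack concrete, here is an added example in C, written for this page; it is not Virsec code and is not taken from any particular CVE. It models a stack frame as a struct (a local buffer followed by the saved-return slot) so that the overflow stays well-defined, feeds one constructed payload first to an unchecked copy and then to a bounds-checked copy, and shows that only the unchecked copy lets the attacker replace the saved return address. The frame layout, the LEGIT_RETURN value and the payload bytes are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a stack frame: a fixed-size local buffer immediately followed by
 * the slot that holds the saved return address. It is a model (a struct, not
 * the real stack) so the demonstration stays well-defined C. */
#define BUF_SIZE 16
struct frame {
    char buf[BUF_SIZE];
    uintptr_t saved_return;
};

/* Assumed legitimate return target for the frame (example value). */
#define LEGIT_RETURN ((uintptr_t)0x1000)

/* Vulnerable copy: trusts a caller-supplied length (think: a length field in
 * a network packet) and copies all of it into the 16-byte buffer. Bytes past
 * the buffer land in the return slot, exactly the write an RCE exploit needs.
 * The copy is addressed through the frame's bytes so that len <= sizeof(*f)
 * remains well-defined; a real overflow has no such boundary. */
static void copy_unchecked(struct frame *f, const unsigned char *in, size_t len)
{
    memcpy((unsigned char *)f + offsetof(struct frame, buf), in, len);
}

/* Hardened copy: rejects anything that does not fit the buffer. */
static int copy_checked(struct frame *f, const unsigned char *in, size_t len)
{
    if (len > BUF_SIZE)
        return -1;
    memcpy(f->buf, in, len);
    return 0;
}

/* Constructed attacker payload: filler to fill the buffer, then a fake
 * return address that lands in saved_return. The length returned equals
 * sizeof(struct frame). */
static size_t build_payload(unsigned char *out, uintptr_t fake_return)
{
    memset(out, 'A', BUF_SIZE);
    memcpy(out + BUF_SIZE, &fake_return, sizeof fake_return);
    return BUF_SIZE + sizeof fake_return;
}

/* Feed the payload to the vulnerable copy; returns what is now in the
 * return slot (the attacker's value, no longer LEGIT_RETURN). */
uintptr_t return_slot_after_unchecked(uintptr_t fake_return)
{
    unsigned char payload[sizeof(struct frame)];
    struct frame f = { {0}, LEGIT_RETURN };
    size_t len = build_payload(payload, fake_return);
    copy_unchecked(&f, payload, len);
    return f.saved_return;
}

/* Feed the same payload to the hardened copy. Returns 1 only if the copy was
 * refused and the return slot still holds LEGIT_RETURN. */
int checked_copy_blocks_overflow(uintptr_t fake_return)
{
    unsigned char payload[sizeof(struct frame)];
    struct frame f = { {0}, LEGIT_RETURN };
    size_t len = build_payload(payload, fake_return);
    int rc = copy_checked(&f, payload, len);
    return rc == -1 && f.saved_return == LEGIT_RETURN;
}

/* The hardened copy must still accept legitimate input: copies a short
 * string and returns 1 if it arrived intact with the return slot untouched. */
int checked_copy_accepts_short_input(void)
{
    static const unsigned char msg[] = "hello";
    struct frame f = { {0}, LEGIT_RETURN };
    if (copy_checked(&f, msg, sizeof msg) != 0)
        return 0;
    return memcmp(f.buf, msg, sizeof msg) == 0 && f.saved_return == LEGIT_RETURN;
}

int main(void)
{
    uintptr_t fake = (uintptr_t)0x41414141;
    printf("unchecked: return slot = 0x%lx (attacker controlled)\n",
           (unsigned long)return_slot_after_unchecked(fake));
    printf("checked:   overflow blocked = %d, short input ok = %d\n",
           checked_copy_blocks_overflow(fake), checked_copy_accepts_short_input());
    return 0;
}
```

The unchecked path is the whole vulnerability: nothing malicious is written to disk, and the only thing the attacker supplies is data that the program itself copies. Whatever sits in the return slot afterwards is where execution goes next, which is why a single unbounded copy is enough for remote code execution.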
In summary, memory-based attacks 1) comprise the most insidious attacks on critical applications,
2) exploit the most common vulnerability class in applications, the buffer overflow, and 3) represented
the most frequently used advanced exploit over the prior two years, as disclosed by Microsoft in 2015.
Given that no new mitigations have been introduced in the past several years to deal with these
attacks, it is no wonder that many regard them as indefensible by today's security products.
Listed below are five reasons we believe are key to why memory-based attacks evade existing security
solutions today:
For advanced attacks in memory, looking for pattern matches against pre-determined indicators of
malicious behavior, files or code is a non-starter for correct and comprehensive detection.
2. Most enterprise cyber security defenses are built on network- and authorization-based
strategies, while memory-based attacks happen in the guts of applications
The best memory-based attacks take place on high-value hosts or targets. As mentioned above, they
take place in the memory of an application and manipulate the application's execution path. By the
time a successful memory-based attack makes a network transmission, it is doing so over normal
channels and will evade detection. Most enterprise security strategy is built on an authentication/
authorization model, network checkpoints, and sandboxes that sample or inspect packets moving
across the network. A memory-based attack may already be using phished or insider credentials with
adequately escalated privileges, or may use remote OS commands to execute. Packets are simply too
high-level a construct to adequately detect or stop memory-based attacks, such as ROP chain attacks,
that take place inside critical applications running on high-value servers.
It is worth noting that points 3 and 4 point to a general lack of investment in adequate application
security strategies. Substantial sums have been invested in network- and endpoint-based approaches,
while repeated surveys point to application and OS vulnerabilities as the biggest areas of cyber
security exposure in enterprise security today (outside of the human link).
5. Most companies fail at systematically patching vital applications and host OS binaries
In 2014, a study by Trustwave found that 58% of companies did not have a mature patch
management strategy in place and 12% did not have one at all. Even with patches in place,
sophisticated hackers can penetrate important software with zero-day exploits that are increasingly
available from secretive and not-so-secretive outfits around the world. The problem is worse when
you consider that those exploits remain usable long after a patch ships, once attackers scan to identify
which unpatched software an organization is running. Verizon's annual Data Breach Investigations
Report, the most authoritative report on the subject, confirms that most breaches exploit vulnerabilities
for which a CVE (and a patch) has existed for several years.
Trusted Execution differs from traditional approaches to security detection and monitoring in
its emphasis on execution integrity. This execution-integrity approach does not focus on pattern-
matching malicious events or malware; it relies on ensuring that application processes stay on their
legitimate control-flow paths. By ensuring that applications execute in the manner intended by their
original code, the protection extends to all threats, including zero-day exploits of unknown vulnerabilities.
With respect to the latter, it is important to underscore that Trusted Execution can protect against
never-before-seen or unknown attacks on vulnerable code, i.e. Virsec closes the window of exposure
organizations face with zero-day vulnerabilities and the attacks that exploit them.
A second key characteristic is its contextual granularity. ARMAS works deep in the guts of an
application process, continuously monitoring and protecting the CPU execution of the process or
processes that make up the application in memory. In this way, Trusted Execution uniquely detects
and helps prevent breaches from file-less exploits that can only be detected in memory, through intimate
knowledge of the application process being attacked. All application binaries are profiled at load
time to produce an AppMAP, which is then used to enforce the application's execution integrity.
Because of this deterministic nature, and the absence of any guessing at indicators of compromise
or attack, ARMAS produces no false positives in protecting an application from memory-corruption
events and attacks on compiled binaries.
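The execution-integrity idea in this section, together with the gadget point from the ROP discussion in the Introduction, as an added example in C. This is an illustration written for this page, not Virsec's implementation: the page does not describe how AppMAP is built or consulted, so the target table, the build_map routine and the handler names are assumptions of the example. At load, the legitimate indirect-call targets are recorded; every indirect transfer is then looked up before control moves, so a pointer overwritten to point at unrelated code, or into the middle of a legitimate function (which is what a gadget is), is refused rather than executed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef int (*handler_fn)(int);

/* Handlers the application was built to dispatch to. */
static int handler_increment(int x) { return x + 1; }
static int handler_double(int x)    { return x * 2; }

/* Code that exists in the process (an unused library routine, say) but is
 * never a legitimate dispatch target. An attacker who corrupts the function
 * pointer wants control to land here. */
static int attacker_routine(int x) { (void)x; return 0xBAD; }

/* Table of legitimate indirect-transfer targets, recorded once at load time.
 * This stands in for the AppMAP idea in the text; the real AppMAP format is
 * not described on the page, so this table is an assumption of the example. */
#define MAX_TARGETS 16
static handler_fn g_targets[MAX_TARGETS];
static size_t g_ntargets;

static void map_record(handler_fn fn)
{
    if (g_ntargets < MAX_TARGETS)
        g_targets[g_ntargets++] = fn;
}

/* Profile the binary's legitimate targets. Called once before any dispatch. */
void build_map(void)
{
    g_ntargets = 0;
    map_record(handler_increment);
    map_record(handler_double);
}

/* Returns the recorded handler whose entry address equals target, or NULL.
 * Comparing exact addresses also rejects an address that falls inside a
 * legitimate function but not at its entry, i.e. a ROP gadget. */
static handler_fn map_lookup(uintptr_t target)
{
    for (size_t i = 0; i < g_ntargets; i++)
        if ((uintptr_t)g_targets[i] == target)
            return g_targets[i];
    return NULL;
}

/* Guarded indirect call. `target` is the address the program is about to
 * transfer to; after a memory corruption it is attacker controlled. Control
 * transfers only to a target found in the map; anything else is refused
 * before it executes. Returns 0 on success with *result filled in, -1 if
 * the transfer was refused. The call goes through the table's own pointer,
 * never through a pointer reconstructed from the untrusted integer. */
int dispatch_checked(uintptr_t target, int arg, int *result)
{
    handler_fn fn = map_lookup(target);
    if (fn == NULL)
        return -1;
    *result = fn(arg);
    return 0;
}

/* Legitimate transfer: the pointer still names a real handler entry. */
int dispatch_legitimate(void)
{
    int r = 0;
    build_map();
    return dispatch_checked((uintptr_t)handler_increment, 20, &r) == 0 ? r : -1;
}

/* Hijacked transfer: the pointer has been overwritten to point at code that
 * exists in the process but was never a valid target. */
int dispatch_hijacked(void)
{
    int r = 0;
    build_map();
    return dispatch_checked((uintptr_t)attacker_routine, 20, &r);
}

/* Gadget-style transfer: an address inside a legitimate function rather
 * than its entry point. Integer arithmetic only; the address is never called. */
int dispatch_mid_function(void)
{
    int r = 0;
    build_map();
    return dispatch_checked((uintptr_t)handler_increment + 1, 20, &r);
}

int main(void)
{
    printf("legitimate dispatch -> %d\n", dispatch_legitimate());
    printf("hijacked dispatch   -> %d (refused)\n", dispatch_hijacked());
    printf("mid-function target -> %d (refused)\n", dispatch_mid_function());
    return 0;
}
```

The check needs no signature, hash or prior sighting of the attack: it only asks whether the next control transfer is one the binary was built to make. That is the deterministic property the text describes, and it is also why a correct target map yields no false positives on legitimate execution, since every valid transfer is in the map by construction.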
Protected application binaries are instrumented with a very lightweight ARMAS Probe. Probes become
part of the application processes and communicate with a remote Analysis Engine for security detection.
The Analysis Engine can be deployed either as a virtual machine or on a physical server. The ARMAS
Management Server acts as the central coordination point for the solution's various administrative
and system functions.
[Architecture diagram: User, ARMAS™ Analysis Engine, AppMAP™, User Interface, Management Server, Admin]
Ease of Deployment
Applications are instrumented dynamically as they load into memory, making deployment of binary
protection trivial for applications on Windows or Linux. Special emphasis has been placed on supporting
the 32-bit and 64-bit execution configurations that exist today.
While not the focus of this paper, it is worth noting that ARMAS Trusted Execution also enables
protection of web applications against traditional OWASP Top Ten attacks. Users can choose
to deploy WAP (Web Application Protection) on the same platform, alongside memory-based
protection, for real-time detection of traditional web application attacks such as SQL injection and
XSS (cross-site scripting). When used in combination with the memory-based protection described
in this paper, ARMAS provides a comprehensive, full-stack defense against hacking attacks that
may lead to data breaches.
Conclusion
ARMAS and its Trusted Execution technology represent a powerful new approach for organizations
to protect their critical applications against the growing use of memory-based attacks by
advanced nation-state and sophisticated hackers. Unlike existing security approaches and OS
mitigations, the approach is highly deterministic and accurate, leaving little room for exposure to a
data breach through this previously indefensible vector of attack.