
Whitepaper

ARMAS: A Deterministic Platform to Defend Against File-less, Memory-Based Cyber Attacks
ARMAS™

Introduction
Increasingly, sophisticated cyber hacking is moving in the direction of file-less, memory-based
exploits. Unlike amateur script kiddie attacks, these attacks are usually not easy to acquire or
easily learned. Given the higher level of technical sophistication, these exploits are harder to find and
execute, but all indications are that they are increasing in frequency and accessibility.

This should be of tremendous concern to enterprise organizations, given the near indefensible nature
of memory-corruption and memory-based attacks. This paper examines this class of attacks and the
limitations of current approaches to thwarting memory-based compromises by malicious actors.
We also discuss the promising use of Trusted Execution and Virsec ARMAS in providing enterprises
with a defense mechanism against these insidious and growing attacks.

Memory Corruption Attacks are Pervasive


As discussed in the most comprehensive timeline of memory corruption attacks ever presented
at Black Hat, memory corruption attacks can be defined as attacks that allow an attacker to
deterministically alter the execution flow of a program by submitting crafted input to an application.
This definition is adequate for traditional memory corruption attacks such as return-to-libc attacks.

However, since 2010, when this definition was provided, ROP chain attacks have come on the scene as
the leading class of malicious exploit on the Windows operating system, according to Microsoft. ROP
chains are even more insidious, and they have been proven to circumvent many of the OS mitigations
introduced against prior memory-corruption attacks (such as ASLR and DEP). ROP chains reuse an
application's own legitimate instruction sequences (known as gadgets) to execute malicious code when
those sequences are chained together in a specific way.

Memory corruption attacks and vulnerabilities are decidedly arcane and require patience to
understand. However, it is clear that a typical enterprise computing infrastructure provides plenty
of vulnerabilities and opportunities to exploit them. These exploits are the domain of sophisticated
hackers and overlap with other categorizations of cyber attacks such as zero-day and advanced
persistent threats. The National Institute of Standards and Technology (NIST), along with US-CERT,
sponsors the National Vulnerability Database (NVD), a repository which categorizes vulnerabilities
in submitted applications for examination. The NVD database consistently ranks buffer error
vulnerabilities, an opening for memory-corruption attacks, as the most frequent vulnerability found in
applications.

This is a big problem in that well-crafted buffer overrun exploits can be the basis of attacks such as
remote code execution that can give an external hacker direct access to an internal network. Remote
code execution or reverse shell connections are the most serious implications of memory corruption
(referred to as memory-based attacks subsequently) attacks as they create backdoors for malicious
actors into a network.

In summary, memory-based attacks 1) comprise the most insidious attacks on critical applications,
2) exploit the most common vulnerability in applications, the buffer overflow vulnerability, and 3)
represent the most frequently used advanced exploit for the prior 2 years, as disclosed by Microsoft in
2015. Given that no new mitigations have been introduced in the past several years to deal with these
attacks, it is no wonder that many are regarded as indefensible by today's security products.


Graphic A: NVD Categories Covered

Difficulty with Stopping Memory-Based Attacks in Cyber Attacks


One only needs to see the logos of breached organizations in the newspaper every week to realize
that hackers today can infiltrate even the most sophisticated and well-funded enterprise. Given names
like Home Depot, Target and Sony, not to mention the NSA itself, it is not a stretch to realize that staple
cyber security protections such as next-gen firewalls, IDS/IPS systems, web and endpoint security
defenses, not to mention specific application protection products such as Web Application Firewalls
and database monitoring solutions, are no match against advanced cyber attacks. Breaches continue
to happen, and at an increasing rate and scope. It is clear that hackers today have figured out ways to
circumvent the traditional slate of enterprise security products.

Listed below are 5 reasons we believe are key to why memory-based attacks evade existing security
solutions today:

1. Memory-based attacks cannot be identified via signature


Buffer error and return-to-libc attacks, as well as any memory corruption exploit, attack the call stack
or memory registers of an application in non-repeated ways. This presents 2 problems for traditional
security approaches: 1) most security approaches are based on pattern matching; they look for
signatures of the malware or malicious action, and 2) most recent defenses against memory exploit
techniques from endpoint vendors still work using signatures, trying to match pieces of executable
code found in memory.

For advanced attacks in memory, looking for pattern matches on pre-determined indicators of
malicious behavior, file or code is a non-starter for correct and comprehensive detection.

2. Most enterprise cyber security defenses are built on network and authorization-based strategies, while memory-based attacks happen in the guts of applications

The best memory-based attacks take place on high value hosts or targets. As mentioned above, they
take place in the memory of an application and manipulate an application's execution path. By the
time a successful memory-based attack makes a network transmission, it is doing so over normal
channels and will evade detection. Most enterprise security strategy is built on an authentication/
authorization model, network checkpoints and sandboxes that sample or inspect moving packets
across the network. Memory-based attacks may have already used phished or insider credentials with
adequately escalated privileges or may use remote OS commands to execute. Packets are simply too
high level a construct to adequately detect or stop memory-based attacks, like ROP chain attacks, that
take place on critical applications running on high value servers.

3. While endpoint security is pervasive in enterprises, it lacks the ability to stop file-less exploits

Endpoint-centric approaches are helpful in a world where a ringed perimeter has all but disappeared
in traditional campus and branch architecture, but the fact is endpoint technologies are focused on
dynamic end user laptops and less so on more static high-value server targets. That said, there are
host-based IPS (HIPS), app control and server endpoint suites available on the market but each of
these suffers limitations when put up against memory-based attacks. False positives have been the
bane of HIPS and file whitelisting app control on the endpoint. Notwithstanding, file whitelisting is
growing in popularity given it is the most stringent of all endpoint approaches. Unfortunately, even this
approach will miss memory-based attacks entirely. ROP chains, buffer errors and return-to-libc attacks
all use legitimate applications that would be allowed to run in a file whitelist environment.

It is worth noting that points 3 and 4 both reflect a general lack of investment in adequate application
security strategies. Substantial sums have been invested in network and endpoint-based approaches,
while repeated surveys point to application and OS vulnerabilities as the biggest areas of cyber
security exposure in enterprise security today (outside of the human link).

4. Application Security does not secure applications; it focuses on vulnerability elimination, an ineffective strategy focused on code above the interpreter level

The foregoing points leave applications as a potential area to protect against memory-based
attacks; after all, these hacking exploits typically target software and applications in an enterprise.
Unfortunately, the vast majority of application security solutions focus on identifying and remediating
vulnerabilities in developer code. There have been serious negatives to this near exclusive focus:
1) having to shift developers to security instead of function programming, 2) difficulty in baselining
risk and automating the process for organizations with large numbers of applications (including
3rd party components), and 3) the imprecision of existing application security products in correctly
identifying vulnerabilities and lowering false positives.

5. Most companies fail at systematically patching vital applications and host OS binaries

In 2014, a study by Trustwave found that 58% of companies did not have a mature patch
management strategy in place and 12% did not have one at all. Even with patches in place,
sophisticated hackers can penetrate important software with zero-day exploits that are increasingly
available from secretive and not so secretive outfits around the world. The problem is worse when
you consider that those zero-day attacks can still be used when good hackers scan to identify what
software is being run by an organization that is missing a patch. Verizon's annual Data Breach Report,
the most authoritative report on the subject, confirms that most breaches occur using vulnerabilities
for which a CVE (or patch) has existed for several years.


Trusted Execution Security with ARMAS


ARMAS is Virsec's cyber security platform that enables enterprises to protect their most valued
data and applications from file-less, memory-based attacks. Trusted Execution represents a new
approach to cyberattack detection that is specifically designed to ferret out application-based exploits
involved in data exfiltration (breach) events or more complex, long-chain cyberattacks. Applicable to
any application in a Windows or Linux environment, Trusted Execution enables applications to defend
themselves at runtime in a deterministic and highly precise manner.

Trusted Execution differs from traditional approaches to security detection and monitoring by
its emphasis on execution integrity. This execution integrity approach does not focus on pattern
matching malicious events or malware but relies on ensuring that application processes stay on their
legitimate control flow paths. By ensuring applications execute in the manner intended by their original
coding, the protection extends to all threats, including zero-day exploits of unknown vulnerabilities.
With respect to the latter, it is important to underscore that Trusted Execution can protect against
never before seen or unknown attacks on vulnerable code, i.e. Virsec closes the window of exposure
organizations face with zero-day vulnerabilities and the attacks that exploit them.

A second key characteristic is its contextual granularity. ARMAS works deep in the guts of an
application process, continuously monitoring and protecting the CPU execution of the process or
processes that make up the application in memory. In this way, Trusted Execution uniquely detects
and helps prevent breaches from file-less exploits that can only be detected in memory through intimate
knowledge of the application process being attacked. All application binaries are profiled at load
time to produce an AppMAP, which is used to ensure an application's execution integrity.
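The load-time profile and control-flow check described above, shown as an added toy model (this is not Virsec's code and makes no claim about how AppMAP is actually built): a hypothetical allow-list of function entries and valid return sites is derived from a constructed binary layout, and a trace of control transfers is checked against it, so a return into a mid-function gadget is flagged deterministically, with no signature involved.

```python
"""Toy execution-integrity model (added example, not Virsec code).
A hypothetical AppMAP is derived once from a constructed binary layout
(function entries and valid return sites); a trace of control transfers
is then checked against it, so a return into a mid-function gadget fails."""
from dataclasses import dataclass

CALL_LEN = 5  # assumed length of a near CALL in this toy x86 model

@dataclass(frozen=True)
class Function:
    name: str
    start: int
    end: int            # exclusive end of the function's code
    call_sites: tuple   # addresses of CALL instructions inside it

def build_appmap(functions):
    """Build the allow-lists at 'load time' from the binary layout."""
    entries = {f.start for f in functions}
    returns = {site + CALL_LEN for f in functions for site in f.call_sites}
    return {"entries": entries, "returns": returns}

def check_trace(appmap, trace):
    """trace: iterable of (kind, src, dst); returns a list of violations."""
    violations = []
    for kind, src, dst in trace:
        if kind == "call" and dst not in appmap["entries"]:
            violations.append(f"call {src:#x}->{dst:#x}: not a function entry")
        elif kind == "ret" and dst not in appmap["returns"]:
            violations.append(f"ret {src:#x}->{dst:#x}: not a return site")
    return violations

# Constructed binary layout: main calls parse, parse calls memcpy
BINARY = [
    Function("main", 0x1000, 0x1040, (0x1010,)),
    Function("parse", 0x1040, 0x1080, (0x1050,)),
    Function("memcpy", 0x1080, 0x10a0, ()),
]
APPMAP = build_appmap(BINARY)

# Constructed traces: a normal run, and one where a corrupted return
# address diverts execution into mid-function gadgets.
NORMAL_TRACE = [("call", 0x1010, 0x1040), ("call", 0x1050, 0x1080),
                ("ret", 0x109f, 0x1055), ("ret", 0x107f, 0x1015)]
ROP_TRACE = [("call", 0x1010, 0x1040), ("call", 0x1050, 0x1080),
             ("ret", 0x109f, 0x1090), ("ret", 0x109b, 0x1070)]

if __name__ == "__main__":
    print("normal:", check_trace(APPMAP, NORMAL_TRACE))   # []
    print("rop:", check_trace(APPMAP, ROP_TRACE))         # two violations
```

Because the decision is a set membership test against a map built from the binary itself, a legitimate run never trips it, which is the sense in which such a check is deterministic rather than heuristic.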

Because of the deterministic nature and absence of any guessing for indicators of compromise
or attack, ARMAS produces no false positives in protecting an application from memory corruption
events and attacks on compiled binaries.

Protected application binaries are instrumented with a very lightweight ARMAS Probe. Probes become
part of application processes and communicate with a remote Analysis Engine for security detection.
The Analysis Engine can be deployed either as a virtual machine or a physical server. The ARMAS
Management Server acts as the central coordination point for the solution for various administrative
and system functions.


Graphic B: ARMAS Deployment Overview (Trusted Execution™ protection on the protected web, application and database servers, with hacker and user traffic arriving at the servers; the ARMAS™ Analysis Engine holding the AppMAP™; and the Management Server, whose user interface is used by the admin)

Key Design Capabilities

Low Performance Impact: Performance testing on a Trusted Execution implementation has
validated a less than 5% CPU performance impact on protected applications. The low performance
impact is achieved due to a design that separates collection of inspection events from analysis
processing (which happens remotely and away from the application being protected).

Ease of Deployment: Applications are instrumented dynamically as they load into memory, making
deployment of binary protection trivial for applications on Windows or Linux. Special emphasis has
been placed on supporting the 32-bit and 64-bit execution configurations that exist today.

Microsecond Detection: Trusted Execution enables immediate (near real-time) detection of
memory-based attacks on protected application processes within microseconds. Security analysts
can be notified as soon as suspicious events occur to enable proactive action to thwart advanced
security threats before serious harm is done. ARMAS counteracts the large windows of dwell time
(weeks, months) that have become characteristic of advanced persistent threats on breached
organizations.

Full-Stack Application Protection with WAP (Web Application Protection)

It is worth noting that with the increasing use of web applications, memory-based attacks are
increasingly used in conjunction with traditional attacks on interpreted, server-side languages such as
Java and PHP. Well documented web application attacks such as path traversal, privilege escalation
and file upload attacks can provide the starting point for execution of malicious code that ultimately
takes advantage of vulnerabilities enabling memory-based attacks.

While not the focus of this paper, it is worth noting that ARMAS Trusted Execution also enables
protection of Web Applications against traditional OWASP Top Ten type attacks. Users can choose
to deploy WAP (Web Application Protection) on the same platform, alongside memory-based
protection, for real-time detection of traditional web application attacks such as SQL injection and
XSS (cross-site scripting). When used in combination with the memory-based protection described
in this paper, ARMAS provides a comprehensive, full-stack defense against hacking attacks that
may lead to data breaches.

More information on Web Application Protection is available on www.virsec.com/web-application-protection/.

Conclusion
ARMAS and its Trusted Execution technology represent a powerful new approach for organizations
to protect their critical applications against the growing use of memory-based attacks by
advanced nation-state and sophisticated hackers. Unlike existing security approaches or OS
mitigations, the approach is highly deterministic and accurate, leaving little room for exposure to a
data breach through this previously indefensible vector of attack.

More information is available at www.virsec.com.

About Virsec Systems, Inc.


Based in Santa Clara, CA, Virsec Systems is a next generation Cyber Security vendor pioneering
Trusted Execution security. Virsec ARMAS deterministically prevents zero-day and advanced
cyberattacks against the full stack of applications and server endpoints: from sophisticated memory
corruption attacks such as ROP chain exploits to web application attacks such as SQL injection.
ARMAS uses patented technology to deterministically stop these application-based security attacks
without false positives and with near 100% accuracy.

US West Coast: 4699 Old Ironsides, Suite 430, Santa Clara, CA 95054
US East Coast: 125 Nagog Park, Suite 220, Acton, MA 01720

Email: info@virsec.com | Phone: (877) 213-3558 | Web: www.virsec.com | Twitter: virsecsystems

Virsec Systems. Do not copy, distribute or facilitate copying or redistribution.