A Brief Summary of XP Attack and Defense Technology

Source: Internet
Author: User


 

Some time ago, with no other choice, I had to drop our overseas product work and take part in XP attack and defense. Doing XP attack and defense well is quite challenging. On the one hand, there is a real technical barrier: few security vendors at home or abroad have truly done this well. On the other hand, it requires developers with a solid security background.

So during this period I picked up the skills from my hacker-community days that had been gathering dust for many years, and in a few days brushed up on vulnerability analysis and exploitation.

People unfamiliar with it may ask: XP protection, isn't it just turning on the system firewall, configuring some rules, and adding a few more security policies? In fact, it is nothing like that.

XP protection technology can be divided into several layers:

1. Overflow Protection

Overflow protection makes it harder for attackers to exploit a vulnerability.

 

At the operating system level, Microsoft has implemented a number of exploit mitigations, mainly from Windows Vista and 7 onward (XP itself only gained DEP with SP2). Microsoft also ships a standalone tool, EMET (Enhanced Mitigation Experience Toolkit), which implements several overflow-protection techniques, including DEP and ASLR. If you want to learn about these mitigations, it is worth a look.

 

Among the common techniques that get in the attacker's way, ASLR has the most obvious effect. With ASLR in place, the stock IE exploits in Metasploit (MSF) can no longer compromise the system: MSF is a demonstration tool, and its XP exploits make no attempt to bypass ASLR, because XP has none to bypass.

However, ASLR alone does not really solve the problem. Attackers still have a variety of exploitation techniques for breaking into an XP system, so overflow protection should cover as many exploitation methods and techniques as possible, including but not limited to the following:

DEP, ASLR, VDM, SEHOP, NullPage, drop, HeapSpray, ROP-I, and so on.
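Before a protection product can force DEP or ASLR onto an XP process, it has to know what each loaded module declares in its PE headers: whether it opted into ASLR (/DYNAMICBASE) and DEP (/NXCOMPAT), whether it still carries relocation data (without it no one can rebase the module), and whether it uses SEH at all. The following Python is an added example, not code from the original article or from EMET; it parses only the DOS, COFF and optional headers, and the two sample images (LEGACY_MODULE, HARDENED_MODULE) are constructed header-only byte strings, so it runs offline.

```python
"""Read the exploit-mitigation flags a PE module declares in its headers.

Added example, not from the original article. Header-only parsing on
constructed byte strings; no real binaries are needed.
"""
import struct

# IMAGE_FILE_HEADER.Characteristics
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
# IMAGE_OPTIONAL_HEADER.DllCharacteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # linked with /DYNAMICBASE (ASLR opt-in)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # linked with /NXCOMPAT (DEP opt-in)
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image contains no SEH handlers

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
DLL_CHARACTERISTICS_OFFSET = 70   # same offset in PE32 and PE32+ optional headers


def pe_mitigation_flags(data: bytes) -> dict:
    """Return which mitigations a PE image opts into, from its headers alone."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, file_chars) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if opt_size < DLL_CHARACTERISTICS_OFFSET + 2:
        raise ValueError("optional header too short")
    (dll_chars,) = struct.unpack_from("<H", data, opt + DLL_CHARACTERISTICS_OFFSET)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # A protection product can only relocate a module that kept its .reloc data.
        "can_be_rebased": not relocs_stripped,
        "dep_opt_in": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def weaknesses(flags: dict) -> list:
    """Translate the flags into the gaps an XP protection product has to cover."""
    out = []
    if not flags["aslr_opt_in"]:
        out.append("no ASLR opt-in: loads at a fixed address unless forcibly rebased")
    if not flags["can_be_rebased"]:
        out.append("relocations stripped: cannot be rebased by any mandatory-ASLR scheme")
    if not flags["dep_opt_in"]:
        out.append("no DEP opt-in: only covered if DEP is AlwaysOn or forced by a tool like EMET")
    if not flags["no_seh"]:
        out.append("uses SEH: SEH-overwrite exploits need SEHOP or SafeSEH-style checks")
    return out


def build_test_pe(file_chars: int, dll_chars: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image (headers only, not loadable)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xF0 if pe32plus else 0xE0
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, file_chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, DLL_CHARACTERISTICS_OFFSET, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: an XP-era build with stripped relocations and no opt-ins,
# and a module linked with /DYNAMICBASE /NXCOMPAT that contains no SEH handlers.
LEGACY_MODULE = build_test_pe(file_chars=0x0102 | IMAGE_FILE_RELOCS_STRIPPED, dll_chars=0)
HARDENED_MODULE = build_test_pe(
    file_chars=0x0102,
    dll_chars=IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
    | IMAGE_DLLCHARACTERISTICS_NO_SEH,
)

if __name__ == "__main__":
    for name, image in (("legacy", LEGACY_MODULE), ("hardened", HARDENED_MODULE)):
        flags = pe_mitigation_flags(image)
        print(name, flags)
        for w in weaknesses(flags):
            print("  -", w)
```

Running it on real modules from an XP system (read the file bytes and pass them to pe_mitigation_flags) gives the per-module inventory that decides where a mandatory-ASLR or DEP policy can actually bite; SafeSEH itself lives in the load-configuration directory and is deliberately not parsed here.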

This looks complete, but there is still a problem. Someone may find a new exploitation method, or modify an existing one; if we do not know about it, there is still no defense. And even when we do know, the cost of defending can be very high, and some exploitation methods and some odd vulnerabilities are hard to defend against at all. In those cases the following approach is needed.

2. Hot Patching

Hot patching means dynamically patching vulnerabilities for which Microsoft provides no fix, that is, secondary hardening of some of Microsoft's "signature" old vulnerabilities.

Concretely, we need to implement a hot-patch framework, ideally at the kernel level. If you want to enter the evaluation quickly, you can also patch the target process dynamically at the application layer, or add a secondary verification step to handle a few specific exploitation cases.

The number of vulnerabilities to handle is small, but it takes experienced people to follow them up and produce the list of what is handled and how.

 

3. Application Isolation

 

With the two parts above, we can curb most vulnerability exploitation. If we do them even better, can we prevent intrusion altogether?

No. Even if you can defend against 100 kinds of attack, the system will still be compromised if you miss one.

Therefore, we add another layer of hardening through application isolation. Even assuming the attacker successfully exploits the software and gets into the machine, we confine the attacker to one region so that they cannot reach our important data and cannot affect our other applications; the computer is still protected.

This technology is, simply put, a sandbox. Untrusted or risky applications are placed in the sandbox, so that opening and running them cannot damage the system. In an XP protection system, the sandbox provides data protection after the preceding protection measures have been penetrated.

However, protecting the sandbox itself against escapes is also a problem. The sandbox looks attractive, but it is complicated to implement and requires a great deal of work. From the attack-and-defense perspective, a sandbox is not simply process, file, and registry isolation; there are many other places to handle, and the various escape ideas circulating in the hacker community all have to be dealt with.
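One of those "other places" is how the sandbox decides which file paths the confined process may touch. As an added example (not code from the original post or any particular sandbox product), the following Python compares a naive prefix check against one that canonicalizes the path the way Win32 does before comparing. PROTECTED_ROOTS and the probe paths are constructed for illustration; the normalization rules applied (forward slashes, case folding, `.` and `..`, trailing dots and spaces, `:stream` suffixes, refusal of `\\?\`, `\\.\` and relative paths) are documented Win32 behaviour, while 8.3 short names, junctions and symbolic links can only be resolved against a live filesystem and are out of scope here.

```python
"""Sandbox file policy: naive prefix check vs. Win32-aware canonicalization.

Added example, not code from the original article. PROTECTED_ROOTS and the
probe paths are constructed; ntpath gives Windows path semantics on any OS.
"""
import ntpath
from typing import Optional

# Directories the sandboxed process must never reach (constructed policy).
PROTECTED_ROOTS = [
    r"C:\Users\victim\Documents",
    r"C:\Windows\System32\config",
]


def naive_is_protected(path: str, roots=PROTECTED_ROOTS) -> bool:
    """The check a first sandbox tends to ship: raw string prefix match."""
    return any(path.startswith(root + "\\") for root in roots)


def canonicalize(path: str) -> Optional[str]:
    """Reduce a Win32 path to one comparable form; None means 'cannot decide'.

    Mirrors what Win32 does before the filesystem sees the name: '/' as a
    separator, '.'/'..' folding, case-insensitivity, trimming of trailing dots
    and spaces, NTFS 'file:stream' suffixes. Over-normalizing is safe here
    because the result feeds a deny check, never an allow decision.
    """
    if "\x00" in path:
        return None
    path = path.replace("/", "\\")
    # \\?\ (verbatim), \\.\ (device) and UNC names skip normal normalization
    # and cannot be resolved offline: refuse rather than guess.
    if path.startswith("\\\\"):
        return None
    drive, rest = ntpath.splitdrive(path)
    if len(drive) != 2 or not drive[0].isalpha() or not rest.startswith("\\"):
        return None  # relative or drive-relative: depends on process state
    parts = []
    for comp in rest.split("\\"):
        if comp not in (".", ".."):
            comp = comp.split(":", 1)[0]   # 'secret.docx:stream' targets secret.docx
            comp = comp.rstrip(". ")       # Win32 trims trailing dots and spaces
        parts.append(comp)
    return ntpath.normpath(drive + "\\".join(parts)).lower()


def is_protected(path: str, roots=PROTECTED_ROOTS) -> bool:
    """Deny-by-default: paths that cannot be canonicalized count as protected."""
    canon = canonicalize(path)
    if canon is None:
        return True
    for root in roots:
        canon_root = canonicalize(root)
        if canon == canon_root or canon.startswith(canon_root + "\\"):
            return True
    return False


# Constructed probes an attacker inside the sandbox might try.
PROBES = [
    r"C:\Users\victim\Documents\secret.docx",            # plain: both checks block
    r"C:/Users/victim/Documents/secret.docx",            # forward slashes
    r"c:\users\VICTIM\documents\secret.docx",            # case differences
    r"C:\Users\Public\..\victim\Documents\secret.docx",  # dot-dot traversal
    r"C:\Users\victim\Documents.\secret.docx",           # trailing dot in a segment
    r"\\?\C:\Users\victim\Documents\secret.docx",        # verbatim prefix
    r"..\Documents\secret.docx",                         # relative to the CWD
    r"C:\Users\victim\Pictures\cat.jpg",                 # legitimately allowed
]


def compare(probes=PROBES):
    """Return (path, naive_blocked, hardened_blocked) for each probe."""
    return [(p, naive_is_protected(p), is_protected(p)) for p in probes]


if __name__ == "__main__":
    for path, naive, hardened in compare():
        mark = "BYPASSES NAIVE CHECK" if hardened and not naive else ""
        print(f"{path:52} naive={naive!s:5} hardened={hardened!s:5} {mark}")
```

Six of the eight probes slip past the prefix check while the canonicalizing check blocks them and still lets the Pictures path through; in a real sandbox this comparison belongs at the kernel filter level, after the object manager has resolved the name, which is precisely why the sandbox is more than a process, file and registry list.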

Once all three of the above schemes are in place, the XP protection scheme has taken initial shape.

Of course, a few more simple but tedious measures make it better still. Then join the competition, invite friends from the hacker community to help evaluate it, and fix the problems they find.

And so a mature XP protection product takes shape.

 
