Memory Protection beyond the Endpoint

Monday, July 16, 2018

Liviu Arsene


Threat actors have been digging into an ever-growing bag of tricks to compromise endpoints: social engineering, phishing, malware, zero-day vulnerabilities, malicious advertising, ransomware and even the recent cryptocurrency-jacking operations are just a few examples of the diversity, and sometimes the sophistication, of attacks. However, as different as these attacks may appear on the surface, many share similar features and rely on a handful of the same methods for compromising endpoints and data. For instance, the use of zero-day or unpatched vulnerabilities is commonplace when discussing how victims are compromised. In a way, the methods used to breach systems have remained fairly consistent, partially because they are still very effective, regardless of the actual malware payload or the threat actor's end goal.

Memory Manipulation – The Achilles Heel

Memory manipulation through the use of zero-day or unpatched vulnerabilities is usually the weapon of choice for threat actors, as it allows them to dodge traditional in-guest security solutions and execute malicious code on the victim's endpoint. Threat actors have long been using these vulnerabilities to compromise victims through drive-by downloads, malicious advertisements, or infected email attachments.

The interesting aspect of exploits is that, at their core, when they manipulate an application's memory, they rely on only a handful of memory manipulation techniques, regardless of how sophisticated or critical the underlying vulnerabilities might seem. Unfortunately, traditional security solutions usually lack the ability to protect an endpoint's memory space and focus only on files stored on disk.

This Achilles heel of traditional security solutions means that threat actors can regularly exploit the same vulnerability and constantly deliver various payloads until one of them bypasses scrutiny from the security solution. Since payloads can range from ransomware to keyloggers and even coin mining software, memory manipulation of a victim’s endpoint using vulnerabilities is extremely effective.

Worse, some threat actors rely on exploit kits – collections of known vulnerabilities in popular applications, such as Java, Adobe Reader, browsers and even operating systems – to automatically probe endpoints for known vulnerable software and drop malicious payloads. Although some of the most popular and versatile exploit kits, such as Angler and Rig, have been dismantled by law enforcement, threat actors still rely on memory manipulation vulnerabilities.

Memory Protection

The obvious question is: how do you protect the memory space from being manipulated by vulnerabilities? There are in-guest next-generation layered security solutions that offer anti-exploit capabilities. Anti-exploit technologies work by watching for Return-Oriented Programming (ROP) techniques, which attackers use to hijack a program's control flow and chain together instruction sequences that are already present in the process. Such anti-exploit technologies can block the execution of ROP chains as well as other stack manipulation techniques typically used by exploits.
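As an added illustration, not code from the post or from any vendor's product, the following simplified simulation shows the kind of checks an anti-exploit layer runs when a sensitive API is reached: a stack-pivot check, a check that each return address points into executable memory, and the caller check that every return address sits immediately after a call instruction. The memory layout, call-return sites and both stacks are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    name: str
    start: int
    end: int          # exclusive
    executable: bool

# Constructed process layout; addresses are illustrative, not from a real process.
REGIONS = [
    Region("app.text",  0x401000,   0x402000,   True),
    Region("libc.text", 0x7f0000,   0x7f8000,   True),
    Region("heap",      0x602000,   0x612000,   False),
    Region("stack",     0x7ffd0000, 0x7ffe0000, False),
]
STACK = next(r for r in REGIONS if r.name == "stack")

# Addresses immediately following a call instruction. A real engine derives these by
# disassembling the bytes before each candidate return address; here the set is constructed.
CALL_RETURN_SITES = {0x401130, 0x4011a0, 0x7f0420}

def region_of(addr):
    return next((r for r in REGIONS if r.start <= addr < r.end), None)

def check_return_address(addr):
    """Return None if addr looks like a legitimate return target, else a reason string."""
    r = region_of(addr)
    if r is None or not r.executable:
        return f"{addr:#x}: return into non-executable memory ({r.name if r else 'unmapped'})"
    if addr not in CALL_RETURN_SITES:
        return f"{addr:#x}: not preceded by a call instruction (gadget-like)"
    return None

def inspect_thread(rsp, return_addresses):
    """Emulate the checks run when a sensitive API is hit; returns a list of findings."""
    findings = []
    if not (STACK.start <= rsp < STACK.end):
        findings.append(f"stack pivot: rsp {rsp:#x} outside thread stack")
    for addr in return_addresses:
        reason = check_return_address(addr)
        if reason:
            findings.append(reason)
    return findings

# Constructed benign call chain: every frame returns just after a call.
BENIGN = (0x7ffd8000, [0x7f0420, 0x4011a0, 0x401130])
# Constructed ROP-style chain: pivoted onto the heap, returning into mid-function gadgets.
SUSPICIOUS = (0x602100, [0x7f0123, 0x7f0456, 0x602200])
```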

However, with organizations leveraging the power of virtualization and cloud infrastructures, we’ve reached a point where multiple guests – or operating systems – can share the same host – or hardware. Some technologies can protect the memory of all guests – without impacting their performance – by sitting between the hardware and the operating system layers.

Memory introspection technology is highly effective and efficient in protecting against known and unknown memory manipulation techniques associated with vulnerabilities, as it’s entirely outside the operating system. Because it’s isolated from the guest operating system, it’s completely untouchable by any in-guest threat – regardless of how sophisticated it is – but at the same time has complete visibility into the memory of each guest virtual workload.

Leveraging bare metal hypervisors, memory introspection technologies provide an additional security layer for virtual infrastructures, offering protection against any zero day or unpatched vulnerability that threat actors are trying to exploit. Instead of focusing on the actual payload, as most traditional security technologies do, memory introspection focuses on the initial point of compromise.

For instance, if a threat actor tries to exploit a zero-day Adobe Reader vulnerability to drop coin mining software, ransomware, or keylogging malware, memory introspection would stop the attack as soon as the attacker attempts the memory manipulation needed to escalate privileges. This means the attack kill chain would be broken long before any payload is delivered or any damage to the infrastructure occurs.

Security beyond the Endpoint

Endpoints – virtual and physical – still play a vital role in organizations, and security needs to address these infrastructures holistically and protect them without affecting performance. Software-defined datacenters, hyper-converged infrastructures, and hybrid clouds have changed the way businesses operate and scale, but security has mostly focused on the actual endpoint (e.g. VDI, VPS).

Re-engineering security solutions to fit the new infrastructure, performance, and scalability needs of organizations is crucial as advanced threats often exploit security blind spots. Having security technologies – both in-guest and outside the OS, as close to the hypervisor as possible – that can protect against memory manipulation techniques used to deliver anything from advanced persistent threats to coin miners and ransomware, can make a world of difference in ensuring business continuity, as well as in avoiding financial and reputational losses.

About the author: Liviu Arsene is a Senior E-Threat analyst for Bitdefender, with a strong background in security and technology. Reporting on global trends and developments in computer security, he writes about malware outbreaks and security incidents while coordinating with technical and research departments.
