Tuesday, June 7, 2016

0patch Open Beta is Launched

After a long period of internal development and testing, our mighty little patching machine finally got wings and flew out of the nest.

This is BIG for us. We've invested a significant part of our last three years into building a technology and a business model that we believe can make a big difference in how vulnerabilities are getting fixed, and consequently make attacks considerably harder and more expensive. It is our sincere hope that the concept of vulnerability micropatching will some day become a "goes without saying" feature in all computers, from large data-processing machines and employee workstations, to car computers, mobile phones and the tiniest Internet-of-Things gadgets.

0patch does not claim to be a silver bullet, and it only aims to solve a very specific problem of patching vulnerabilities, but we believe it's the most efficient possible way to bridge the security update gap that makes it so unforgivably easy to break into any network today.

We're very excited about new users testing our technology, as well as security researchers getting a tool for fixing the vulnerabilities they find. However, as with any new technology, we're expecting that the wheels will sometimes get stuck, and things might crack or break in unexpected ways - that's the point of testing. So please remember that our technology is in beta, don't use it in production yet!

Getting Started

Enough of small talk. For an introduction to 0patch you can watch the DeepSec 2015 presentation or get the main idea from this compact 3-minute video.

To try out 0patch, simply head over to our web site, download the 0patch agent for Windows (sorry, Linux and Mac agents are still in the works) and install* it on some Windows machine. We support all Windows platforms from XP and Server 2003 onward.

Once you install the agent, you will be asked for email and password to register your agent on the server. Since you probably don't have an account yet, click "SIGN UP FOR A FREE ACCOUNT" and create an account on our server, then continue registering your agent. Once the agent has been registered, it will download all currently available micropatches from the server and immediately start applying them to newly launched and already running processes on your computer.

(Important: the agent must be able to connect to our server in order to download patches. If you're installing the agent behind a proxy and/or firewall, follow the steps described in user manual, section "Network Connectivity".)

However, you probably won't see anything interesting happening, because you don't have the exact vulnerable applications installed that we have patches for at this early stage of patch development. To really see how 0patch works, you'll have to install some of these applications and run proof-of-concept exploits against them. Luckily for you, we have prepared a couple of vulnerable applications' installers and their respective exploits, which you can find at https://0patch.com/poc/. Simply install one or more of these applications and launch their associated exploits (e.g., POC_ZP-3.pdf for Foxit Reader 4.1.1), once with 0patch agent enabled and once with the agent disabled, to see the difference.

You can change pop-up settings to get notified about each applied patch for full Hollywood effect :) But seriously, these pop-ups are really here just to demonstrate how 0patch works, and for you to help you test it. In actual production, users won't want to be bothered with these "details", and only admins will be interested in events generated by 0patch.

Please refer to the user manual  to learn how to navigate the 0patch agent console. If anything remains unclear or confusing, or if you encounter any problems with 0patch whatsoever - be it errors, strange behavior, negative impact on anything, or any crashes or freezes -, please let us know by sending an email at support@0patch.com or filling out a support form at https://0patch.zendesk.com.

We hope you'll be as excited about our technology as we are. Remember: the goal is to make attackers' lives much harder. Do you think this is the right way to go? Do let us know.

* (Big thanks to Ryan O'Horo for alerting us about silly draft boilerplate terms regarding marketing, funding, confidentiality and reverse engineering in our beta license agreement included with the first public 0patch Agent build. We corrected this in a subsequent build.)

But Where Are The Other Patches?

0patch is per se not a solution for vulnerability patching, it is merely a tool that allows micropatches to be inexpensively delivered to users and then quickly applied to new and running processes (or removed therefrom) without disturbing users in any way. To prove the concept, our team has so far created 200+ micropatches for various types of vulnerabilities in different software products, including Java Runtime, Foxit Reader, Adobe Reader, Firefox and Windows schannel and usp10 libraries.

However, in order to really make an impact on security, we need thousands of micropatches for existing vulnerabilities and also fresh "temporary" micropatches every time an official security update is published by a software vendor. Ideally, we'd like to see software vendors embrace the concept and start delivering micropatches for their vulnerabilities, but there will be a constant need for 3rd party micropatches for those that don't or can't.

Our team is far too small to create all these patches. In fact, we believe only a global crowdsourced community of security researchers can tackle this problem. And now that the technology is available, this is our next step: building a tribe of 0patch contributors who will augment their existing vulnerability research and reverse engineering skills with a new challenge, creating a micropatch. We call this crowdpatching.

Only a powerful, knowledgeable community with a sincere desire to make things better will be able to produce the amount of micropatches that will make users significantly more secure. Once the technology is adopted and traction is gained on the user side, it will also become possible to motivate researchers financially, as we all know that you can't keep a machine running solely on enthusiasm.

That being said, we have built a so-called 0patch Factory, a tool that makes it easy for security researchers to compile micropatches from source code into a form understood by the 0patch agent, and quickly test them. It still needs a few final touches before we can share it with researchers, but we'll appreciate your expressing interest in writing micropatches by sending us an email to crowdpatching@0patch.com. We're excited to hear what you think and help you create your first micropatch.

Security of 0patch

0patch is a security technology, i.e., its goal is to increase the security of a system. Our team has put a lot of effort into building a resilient architecture with a security model that doesn't explode in contact with today's reality (servers get compromised, communications are monitored by adversaries, malware may already be running on computers), and into code that hopefully shouldn't contain security bugs that we regularly find in other people's code.

Obviously, every additional functionality - even security functionality - brings new attack surface to the system, through which attackers gain new interaction points that they can try to abuse. 0patch is no exception: just the fact that our agent has ability to inject new code into any running process, and that this code comes from our server, must give pause to anyone concerned about security. (Never mind that every software updater presents essentially the same kind of security concern.)

Our security model is built on these premises:

  1. The server will get compromised, even though we harden it and promptly apply all security updates. When it does, the attacker should not be able to diminish the security of connecting users' systems, and the impact should be limited to denial of service for delivery of new micropatches. Gaining full control of the server and its database should not allow the attacker to start delivering his own code to users or prevent agents on users' computers from applying the micropatches they already have. We achieve this goal by digitally signing each patch, and each patch revocation, with a dedicated private key on an air-gapped machine, then uploading the signed patch blob to the server. The agent refuses to accept a patch or a revocation from the server without it being accompanied by a valid signature.
  2. Communication between agents and server can be monitored and actively modified by attackers. Again, this should not allow the attacker to either deliver malicious code to users or prevent agents on users' computers from applying existing micropatches. While all agent-server communication is done via securely configured HTTPS, we all know that certification authorities can get compromised. The problem of this attack scenario then becomes a subset of the"compromised server" scenario above.
  3. Malware will get executed on users' computers with 0patch agent installed. If such malware has system or administrative privileges, there is nothing we can do. However, malware with limited privileges should not be able to abuse agent's functionality or data to elevate its privileges. Furthermore, such malware should not be able to prevent 0patch agent from applying micropatches to processes on the computer (as it could then exploit an otherwise micropatched vulnerability in a privileged process).

It is tempting to think that our 15 years of finding all sorts of vulnerabilities in our customers' products and many widely-used applications, discovering new attack methods and improving existing ones would qualify us for developing a product without any significant vulnerabilities. But we're just people with blinds spots like everyone else, and we have missed things - perhaps big things. So we humbly submit our work to the global security research community to find bugs and hopefully tell us about them.

If you find a vulnerability in 0patch agent, server, or anywhere else, and would like to report it to us, please do so via security@0patch.com and preferably use our PGP key. We'll highly appreciate your effort and look forward to experiencing being on the receiving end of vulnerability disclosure. And just imagine: what would be a better validation of this technology than 0patch agent micropatching its own vulnerability?

The 0patch Team

In closing, a few words about the people behind 0patch. 0patch was built by a small group of security veterans who otherwise go by the name of ACROS Security, and a handful of external contributors. We were frustrated by the fact that with all the "advances" in information security, our penetration testing engagements, where we realistically simulate an actual attacker, have not gotten any harder in the 15 years of our practice. And this means that actual attackers' job also hasn't gotten any harder. So we made a decision and dedicated a significant chunk of our time to building something that, if implemented properly, would make our job much harder.

This is our team:

  1. Simon Raner - 0patch agent for Windows, writing patches
  2. Jure Skofic - 0patch distribution server, writing patches
  3. Renata Stupar - vulnerability management, business intelligence, testing
  4. Luka Treiber - 0patch factory, writing patches, internal security reviews
  5. Stanka Salamun - business development, project management  
  6. Bostjan Praznik - 0patch agent GUI for Windows
  7. Bozidar Jovanovic - branding and graphic design
  8. Robi Faric - 0patch agent for Mac and Linux
  9. Mitja Kolsek - security architecture, writing patches

We're proud to have been given this opportunity to make a serious global change, and believe that the time is ripe for it. We hope our contribution will give rise to many discussions, new ideas and constructive criticism, eventually leading to a better standard approach to fixing vulnerabilities.

We'd like to extend a warm thank you to our closed beta users who have invested a lot of their time in helping us analyze and fix bugs. We wouldn't have a decent product to share with the world without you!

And finally, immense thanks to all new beta users, security researchers and software vendors for your help, support and encouragement. We need to remind ourselves that we're all on the same team when it comes to defending our systems against attackers.We hope that 0patch will provide an additional link that will connect us in our joint efforts.


No comments:

Post a Comment