Supply chain attacks

Symantec’s new “Internet Security Threat Report” shows a 200% increase in reported supply chain cyberattacks year on year.¹ A supply chain attack seeks to damage an organization by targeting vulnerable elements in its global supply network. For example, auto suppliers’ contribution to vehicle has increased from 56% in the 1980s to over 80% today. The supply chain issue is the same whether the organization is involved in automotive, critical infrastructure, Industrial Internet of Things (IIoT), medical devices, or national security.

Adversaries tamper with the build or update process to introduce malware, spyware, or viruses. These can be hidden in third-party binaries, libraries, middleware, containers, hypervisors, the OS, firmware, and even in the chips themselves.

Kryptowire found that Android mobile devices² had factory firmware that collected personal data and transmitted it to third-party servers. The Target³ security breach and the Stuxnet⁴ computer worm are both examples of supply chain attacks, the former stealing financial information from 41 million customers via compromised HVAC (Heating, Ventilation, and Air Conditioning) Operational Technology (OT) and the latter via compromised Industrial Control Systems (ICS). The most recent such attack was NotPetya, which the White House described as “the most destructive and costly cyberattack in history.”⁵

Fileless memory corruption and ROP chain attacks

Malware need not even be intentionally introduced into the supply chain. Common software development bugs found anywhere in the supply chain can open the door to memory corruption attacks such as buffer overflow, stack, and heap attacks that overwrite memory. Such memory-based or fileless attacks sidestep traditional network and endpoint security.⁶

A related type of attack, the Return Oriented Programming (ROP) chain attack, simply rewrites the order of execution. It is extremely hard to defend against. Commonly used software protection measures such as encryption and code signing have no effect on ROP chain attacks.

Car and drone hacks

Researchers Valasek and Miller took advantage of memory corruption attacks in their remote control of Jeeps.⁷ Similarly, researchers at Johns Hopkins University showed how exploiting buffer overflow attacks in drones could cause them to crash.⁸ Homeland Security maintains a database⁹ of many more in critical infrastructure.¹⁰,¹¹

The issue of building trusted software on top of untrusted platforms became such a concern that the DoD asked DARPA to set up a program in 2015 to research innovative techniques for cyber hardening of embedded systems ranging from medical devices, to routers, to cars and drones.¹²,¹³

A new approach — prevention over detection

Enabling kernel hardening, operating system, and compiler options such as ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention), NX/XD (No Execute / Execute Disable) bits, or stack canaries where available offers some protection, but these well-known techniques have proven easy for adversaries to bypass.
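To check which of these options a delivered binary was actually built with, the following added example (not from the original article or from RunSafe) reads ELF64 little-endian headers and reports PIE (needed for full ASLR), a non-executable stack, stack-canary instrumentation and, as a related check, RELRO. The function names and the two header-only sample images are constructed for this illustration.

```python
import struct

ET_EXEC, ET_DYN, PF_X = 2, 3, 0x1
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552

def audit_elf(data: bytes) -> dict:
    """Report which hardening features an ELF64 little-endian image carries."""
    if len(data) < 64 or data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    segments = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 8 > len(data):
            raise ValueError("truncated program header table")
        p_type, p_flags = struct.unpack_from("<II", data, off)
        segments[p_type] = p_flags
    return {
        # ET_DYN is what a position-independent executable needs for full ASLR
        "pie": e_type == ET_DYN,
        # A missing PT_GNU_STACK, or one flagged executable, is treated as no NX stack
        "nx_stack": PT_GNU_STACK in segments and not segments[PT_GNU_STACK] & PF_X,
        "relro": PT_GNU_RELRO in segments,
        # Heuristic: canary-instrumented code references this symbol by name
        "stack_canary": b"__stack_chk_fail" in data,
    }

def missing(data: bytes) -> list:
    """Names of the checks that failed, for a per-binary supply-chain report."""
    return sorted(name for name, ok in audit_elf(data).items() if not ok)

def build_sample(e_type, stack_flags, relro, canary) -> bytes:
    """Constructed header-only ELF64 image; sample input, not a real binary."""
    phdrs = [(PT_GNU_STACK, stack_flags)] if stack_flags is not None else []
    phdrs += [(PT_GNU_RELRO, 4)] if relro else []
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQ40x", t, f, 0) for t, f in phdrs)
    return ehdr + body + (b"\0__stack_chk_fail\0" if canary else b"")

HARDENED = build_sample(ET_DYN, 6, True, True)    # RW stack, PIE, RELRO, canary
LEGACY = build_sample(ET_EXEC, 7, False, False)   # RWX stack, fixed load address

if __name__ == "__main__":
    for name, image in (("hardened", HARDENED), ("legacy", LEGACY)):
        print(name, "missing:", missing(image) or "none")
```

A clean report only shows that the options were enabled at build time. ET_DYN is also the type of shared libraries, and the canary check is a string heuristic that a stripped, statically linked binary can defeat.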

Adding network and endpoint detection software such as firewalls, gateways, IDS (Intrusion Detection System), and inspection adds more protection, with the caveats previously mentioned regarding memory corruption and ROP chain attacks.

At a fundamental level, these approaches rely on detection, so tend to be better at finding known issues than new types of attack coming from the outside, insider threats or a compromised supply chain. The addition of detection agent software and services to systems can itself negatively impact the systems being monitored, causing performance jitters, potentially requiring additional hardware resources, retesting and recertification.

RunSafe came out of the DARPA cyber hardening program. Its engineers believe that a good offense makes for a good defense. Instead of seeking to detect and report on vulnerabilities, their goal is to automatically stop compromised supply chain, zero-day, memory corruption, and ROP chain attacks, dramatically reducing these attack vectors compared to traditional approaches.¹⁴

Strength in diversity

Today, if one Jeep is vulnerable, 1.4 million families are vulnerable. If one St. Jude’s pacemaker is vulnerable, 500,000 people are vulnerable. Why? Because they are all the same – get an exploit to run on one and the attack can be scaled to them all.

RunSafe Security renders protected systems logically unique but functionally identical, with its patented, agentless, and low-overhead binary stirring and CFI (Control Flow Integrity) RASP (Runtime App Self Protection) techniques. RunSafe uses the attackers’ playbook against them – it is the target system that is different every time and hard for the malware to detect and figure out, rather than vice versa!

RunSafe works with binaries, which are transformed one time and off device. It does not require additional hardware, software, or services to be running on the target systems, or for their source code to be available. This makes it ideal for retrofitting older systems, and it can be applied to the entire supply chain, where the costs, timelines, and risks of re-engineering source code, introducing agents and services, or ripping and replacing large sections of critical infrastructure are prohibitive.


¹ Supply chain cyberattacks
darkreading.com/attacks-breaches/supply-chain-cyberattacks-surged-200–in-2017/d/did/1331337

² Compromised Android devices
kryptowire.com/adups_security_analysis.html

³ Target attack
wired.com/2013/12/target-hack-hits-40-million/

⁴ Stuxnet attack
wired.com/2014/11/countdown-to-zero-day-stuxnet/

⁵ White House comments
whitehouse.gov/briefings-statements/statement-press-secretary-25/

⁶ Fileless attacks
http://www.zdnet.com/article/fileless-attacks-surge-in-2017-and-security-solutions-arenot-stopping-them/

⁷ Remote hacking of vehicles
illmatics.com/Remote%20Car%20Hacking.pdf

⁸ Remote hacking of drones
hub.jhu.edu/2016/06/08/hacking-drones-security-flaws/

⁹ Critical Infrastructure – Industrial Control Systems (ICS) Cyber Emergency Response Team (CERT)
https://ics-cert.us-cert.gov/

¹⁰ Homeland Security Critical Infrastructure –
1. Chemical
2. Commercial Facilities
3. Communications
4. Critical Manufacturing
5. Dams
6. Defense Industrial Base
7. Emergency Services
8. Energy
9. Financial Services
10. Food and Agriculture
11. Government Facilities
12. Healthcare and Public Health
13. Information Technology
14. Nuclear Reactors, Materials, and Waste
15. Transportation Systems
16. Water and Wastewater Systems
+ Elections Infrastructure

https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policydirective-critical-infrastructure-security-and-resil
https://www.eac.gov/election-officials/elections-critical-infrastructure/

¹¹ EO 13800 Critical Infrastructure
https://www.us-cert.gov/eo13800

¹² DARPA HACMS program
darpa.mil/program/high-assurance-cyber-military-systems

¹³ DODI 5200.44 – Protection of Mission Critical Functions to Achieve Trusted Systems and Networks
fas.org/irp/doddir/dod/i5200_44.pdf

¹⁴ Some types of attack vectors such as logic errors, backdoors, weak identity management, insecure data handling, or compromised random number generation cannot be remedied by automatic binary transformation tools.