April 19, 2024

Dirty Pagedirectory (CVE-2024-1086) and the (Missing) Pinnacle of the Pyramid of Pain

James Plouffe
Technical & Product Marketing @ BlueRock Systems

Key take-aways

  • The Pyramid of Pain has been an essential tool for defenders, but it may place too much emphasis on detection and response and inadvertently marginalize prevention.
  • Tactics, Techniques, and Procedures (TTPs) support detection and response, but looking at attack Primitives can help support prevention.
  • Patching particular vulnerabilities in specific software components is necessary but not sufficient to protect against Primitives—like Dirty Pagedirectory—that can be leveraged by entire classes of bugs (in this case, memory corruption like Use-After-Free, double free, and Out-Of-Bounds).
  • Security-centric virtualization—like BedRock—is the best mechanism to protect against such Primitives because it is decoupled from the operating system: it has visibility into the system without the dependence on the system itself.

Over-emphasizing detection and response

By now, David J. Bianco’s Pyramid of Pain should be well-known to defenders: originally published in 2013 (with minor updates in 2014), the model provides a succinct categorization of attack indicators and the corresponding difficulty adversaries have when attempting to obfuscate those indicators. The Pyramid’s insight that Tactics, Techniques, and Procedures (TTPs)—i.e., adversaries’ specific patterns of behavior—are the most difficult to change, coupled with the public release and maturation of the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) matrices (which created standardized taxonomies for TTPs), has profoundly influenced how defenders operate.

The Pyramid of Pain has been extremely valuable but—like any tool—it is better suited for some jobs than others. It is, after all, focused on forensic byproducts and therefore most helpful when thinking about detection. Of course, the emphasis on detection has emerged as a reaction to increasing acceptance of the idea that 100% prevention is not possible. What the Pyramid clearly illustrates is that the artifacts that support prevention—those closer to the base—often turn out to be too static to be reliable: adversaries need only make minor changes and the artifacts become useless in all but the most rudimentary scenarios. Even so, the pendulum is beginning to swing away from the extreme of detection and response toward the idea of resilience (which necessarily involves some element of prevention). Just as one wouldn’t rely solely on paramedics to mitigate a potential adverse outcome from an automobile accident, cyber security teams shouldn’t be resigned to reacting. Cars have a wide variety of safety mechanisms including anti-lock brakes, seat belts, airbags, traction control, and even automated pre-collision warning systems, all of which are intended to help maintain control during unexpected conditions and prevent adverse outcomes or—barring that—dramatically reduce their severity. Because these prevention mechanisms exist, emergency response is also more effective.

The unnamed apex of the Pyramid

The Pyramid may also be missing an important piece. Even though the concept of TTPs may seem to encompass everything adversaries need to operate, there is one final element that is required: Primitives, which, like TTPs, tend to be relatively static. Just as “normal” interactions with software depend on a prescribed set of capabilities (usually exposed through an API), adversarial interactions usually rely on a relatively narrow set of generic operations. Chief among these is arbitrarily reading and writing data, abilities that are often central to Tactics like Execution and Privilege Escalation.

CVE-2024-1086: A case study in reusable Primitives

CVE-2024-1086—a Local Privilege Escalation (LPE) vulnerability in a utility that is part of a Linux packet filtering framework—and its exploitation have been covered extensively, but they are worth revisiting to examine the role of Primitives, and specifically how Techniques billed as “new and novel” still depend in large measure on prior art. Before getting into the particulars, a quick recap of what makes the exploit dubbed Dirty Pagedirectory noteworthy is in order:

  • It has a very high success rate on a wide range of kernel versions, including heavily hardened kernels, without needing to be rebuilt for each vulnerable version.
  • It is a data-only, user-space attack that resuscitates the Kernel Space Mirroring Attack (KSMA), bypassing mitigations such as Control Flow Integrity (CFI) and Kernel Address Space Layout Randomization (KASLR).

Dirty Pagedirectory builds on an earlier Technique called Dirty Pagetable, which is itself noteworthy because it can be employed with Use-After-Free (UAF), double free, and Out-Of-Bounds (OOB) vulnerabilities to target the kernel directly instead of attacking the page caches of binaries or libraries and—as Nicolas Wu, the discoverer of Dirty Pagetable, says—“... push the exploitation of these vulnerabilities to the next level” and achieve “privilege escalation more conveniently”. The key to both Dirty Pagetable and Dirty Pagedirectory is that they manipulate Page Table Entries (PTEs) in such a way as to enable arbitrary reads/writes, which in turn make it possible to patch the kernel so that certain syscalls can be made from unprivileged processes.

As noted above, Dirty Pagedirectory leveraged CVE-2024-1086; Dirty Pagetable used CVE-2023-21400. Each of those vulnerabilities applied to a different utility or feature, and each has since been patched, but that’s not the end of the story for either Technique: the only thing standing in their way is the discovery of the next UAF, double free, or OOB vulnerability in some other software component.

Conclusion

Just as the industry has developed robust tooling and processes for detection of and response to adversary TTPs, we must also explore implementation of more robust prevention of attack Primitives. This is exactly what the BedRock Systems solution provides. Our security-focused microhypervisor provides multiple methods of protecting memory, as well as stopping other malicious actions downstream from the initial exploitation (e.g., rewriting modprobe_path, one of the steps in the POC exploit) in a way that is both vulnerability-agnostic and decoupled from the operating system itself. This enables a unique level of protection that is both extremely high performance and very difficult to bypass. By expanding the aperture of TTPs to include Primitives, it's possible to achieve better protection against advanced attacks without playing whack-a-mole for the latest CVEs.
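As an added defender-side example (not code from this post or from BedRock), the following Python checks whether the kernel's modprobe_path, as exposed through /proc/sys/kernel/modprobe, still points where the distribution put it; the allowlisted locations and the rules that mark a value as tampered are assumptions, not something the post specifies.

```python
"""Constructed integrity check for the kernel's modprobe_path value.

Assumptions (not from the original post): the live value is readable from
/proc/sys/kernel/modprobe, and a legitimate value is a root-owned,
non-world-writable executable under a standard system bin directory.
"""
import os
import stat
from typing import Optional, Tuple

# Expected locations on mainstream distributions (assumption; adjust per image).
EXPECTED_MODPROBE = {"/sbin/modprobe", "/usr/sbin/modprobe", "/usr/bin/modprobe"}
SYSTEM_BIN_PREFIXES = ("/sbin/", "/usr/sbin/", "/usr/bin/", "/bin/")
PROC_MODPROBE = "/proc/sys/kernel/modprobe"


def read_modprobe_path(proc_file: str = PROC_MODPROBE) -> str:
    """Return the kernel's current modprobe_path with the trailing newline removed."""
    with open(proc_file, "r", encoding="ascii") as fh:
        return fh.read().rstrip("\n")


def classify_modprobe_path(path: str, owner_uid: Optional[int] = None,
                           mode: Optional[int] = None) -> str:
    """Classify a modprobe_path value as 'ok', 'suspicious' or 'tampered'.

    owner_uid/mode are the target file's st_uid/st_mode when known; pass None
    when the file cannot be stat'ed (e.g. when analysing a captured value).
    """
    if path in EXPECTED_MODPROBE:
        return "ok"
    # A value outside the system bin directories is what a rewrite of
    # modprobe_path by an LPE ends up as: a file the unprivileged user controls.
    if not path.startswith(SYSTEM_BIN_PREFIXES):
        return "tampered"
    if owner_uid is not None and owner_uid != 0:
        return "tampered"
    if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "tampered"
    return "suspicious"  # system directory, but not a known modprobe location


def check_live_system() -> Tuple[str, str]:
    """Read the live value and classify it using the target's ownership and mode."""
    path = read_modprobe_path()
    try:
        st = os.stat(path)
        return path, classify_modprobe_path(path, st.st_uid, st.st_mode)
    except OSError:
        # Dangling target: still not a value the distribution would have set.
        return path, classify_modprobe_path(path)


if __name__ == "__main__":
    print(check_live_system())
```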
