Parker Garrison
Parker Garrison has consistently finished 1st in various CTFs, including a previous year's CarolinaCon CTF, and has presented at conferences such as DerbyCon, where he gave a live demonstration of exploit development and bypassing exploit mitigations. He has professional experience in the private and public sectors, as well as experience as an independent consultant.
Session
Abstract
Zero-day web server exploits are notoriously difficult to detect, and attackers will always be able to find a way around exploit detection solutions, whether they are based on traditional signatures, AI, or the latest buzzword. However, my research makes use of an opportunity: high-impact exploits against a web server on one OS have never coexisted with high-impact exploits against a different web server on a separate OS, as supported by Project Zero data. So what if we were able to take an incoming HTTP request, poll 2 or more web servers with it, such as Apache on Linux and IIS on Windows, and check whether any of the responses differs before returning a final response?
Part 1: Introduction
Part 1 of the presentation will introduce the concept of Consensus-Based Defense as applied to web servers: issuing the same request to a group of 2 or more web servers, normalizing the responses, and comparing them for equality. Even if one of the web servers was exploited and sent back sensitive data, the difference in the responses will be detected, and all the attacker sees is an error page. If the responses for a benign user's request match as expected, they won't even know that this defense is in place.
If the responses don't match, this solution gives the SOC a high-likelihood alert that an actual exploit against one of their systems has taken place, rather than a generic scan or failed exploit attempt, and allows the organization's security team to take action including updating or replacing the impacted vulnerable platform.
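The comparison step described above, as an added example that is not code from the talk: a response-consensus check that a front-end proxy could run after fetching the same request from each backend. The backend labels, the list of headers treated as volatile, the sample responses (including a constructed "leaked" body standing in for an exploited server's output), and the third `nginx-bsd` backend are all assumptions made for this example; the three-backend case goes beyond the two-server setup in the text to show how a strict majority lets the proxy name the outlier.

```python
"""Consensus check over HTTP responses from heterogeneous web servers.

Added example, not from the presentation. It assumes the proxy has already
issued the request to every backend; responses are constructed inline so
the logic runs offline.
"""
import hashlib
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Headers that legitimately differ between Apache/Linux and IIS/Windows.
# Assumed list for this example: keep it as short as the deployment allows,
# since every header dropped here is one that a mismatch can no longer reveal.
VOLATILE_HEADERS = {
    "server", "date", "x-powered-by", "x-aspnet-version", "etag",
    "last-modified", "connection", "keep-alive", "set-cookie",
}


@dataclass
class Response:
    backend: str             # label of the web server that produced it
    status: int
    headers: Dict[str, str]
    body: bytes


@dataclass
class Verdict:
    agreed: bool
    response: Response               # what the client receives
    suspects: List[str]              # backends whose response broke consensus
    alert: Optional[Dict[str, str]]  # SOC alert payload, None when agreed


def normalize(resp: Response) -> Tuple[int, Tuple[Tuple[str, str], ...], str]:
    """Reduce a response to a comparable fingerprint: status, the non-volatile
    headers, and a hash of the body with line endings and runs of horizontal
    whitespace collapsed (the only body differences treated as benign)."""
    headers = tuple(sorted(
        (k.lower(), v.strip())
        for k, v in resp.headers.items()
        if k.lower() not in VOLATILE_HEADERS
    ))
    body = resp.body.replace(b"\r\n", b"\n")
    body = re.sub(rb"[ \t]+", b" ", body).strip()
    return (resp.status, headers, hashlib.sha256(body).hexdigest())


# Generic page returned to the client whenever the backends disagree.
ERROR_PAGE = Response(
    backend="consensus-proxy", status=502,
    headers={"Content-Type": "text/plain"},
    body=b"Service temporarily unavailable",
)


def consensus(responses: List[Response]) -> Verdict:
    """Return the agreed response, or the error page plus an alert."""
    if len(responses) < 2:
        raise ValueError("consensus needs at least two backends")
    prints = {r.backend: normalize(r) for r in responses}
    counts = Counter(prints.values())
    top_print, top_count = counts.most_common(1)[0]
    if top_count == len(responses):
        return Verdict(True, responses[0], [], None)
    # Disagreement. With a strict majority the outlier(s) can be named;
    # with only two backends (or a tie) every backend is a suspect.
    if top_count * 2 > len(responses):
        suspects = [b for b, p in prints.items() if p != top_print]
    else:
        suspects = [r.backend for r in responses]
    alert = {
        "severity": "high",
        "reason": "backend responses diverged after normalization",
        "suspects": ",".join(suspects),
        "fingerprints": "; ".join(
            f"{b}={p[0]}/{p[2][:12]}" for b, p in prints.items()),
    }
    return Verdict(False, ERROR_PAGE, suspects, alert)


# Constructed sample responses for one request to /index.html.
PAGE = b"<html>\n<body>\n<h1>Welcome</h1>\n</body>\n</html>\n"
APACHE = Response("apache-linux", 200,
                  {"Server": "Apache/2.4", "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
                   "Content-Type": "text/html"}, PAGE)
NGINX = Response("nginx-bsd", 200,
                 {"Server": "nginx", "Date": "Mon, 01 Jan 2024 00:00:00 GMT",
                  "Content-Type": "text/html"}, PAGE)
IIS = Response("iis-windows", 200,
               {"Server": "Microsoft-IIS/10.0", "Date": "Mon, 01 Jan 2024 00:00:01 GMT",
                "X-Powered-By": "ASP.NET", "Content-Type": "text/html"},
               PAGE.replace(b"\n", b"\r\n"))
# Same IIS backend, but its body now carries a constructed config dump,
# standing in for what an exploited server might return.
IIS_LEAKED = Response("iis-windows", 200, dict(IIS.headers),
                      b"<html>\r\n<body>\r\nconnectionString=Server=db;"
                      b"User Id=sa;Password=EXAMPLE-ONLY\r\n</body>\r\n</html>\r\n")

if __name__ == "__main__":
    for group in ([APACHE, IIS], [APACHE, IIS_LEAKED], [APACHE, NGINX, IIS_LEAKED]):
        v = consensus(group)
        print(v.agreed, v.response.status, v.suspects, v.alert)
```

Normalization is the part to keep conservative: every header or body difference the proxy learns to ignore is a channel in which an exploited backend's output could hide, so the volatile-header list should be driven by observed benign traffic rather than by whatever makes the comparison pass.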
Part 2: Hands-on exploit development and exploit detection
In Part 2 of the presentation, we'll dive into one of today's most common classes of attacks, buffer overflow exploits, with live exploit-writing demos, and show how to bypass common defenses such as Stack Canaries and ASLR. I will then show how a Consensus-Based Defense prevents any of these mainstay exploits and exploit bypasses from working.
We will then examine precisely which additional classes of attacks are either detected or prevented by this defense, mapping to the OWASP Top 10 and CWE frameworks.
Actionable takeaways include understanding the shortcomings and blind spots of existing defense mechanisms, such as IPS, IDS, and EDR, and how a consensus-based defense allows an organization to move beyond "Assume Compromise" as in Zero-trust (detection) to "Assume Available Exploit" (enabling up-front prevention).