Sometimes bolting a security solution on the side of technology just doesn’t work as well as built-in protection. One example of this on Linux systems is libpreloadvaccine, a whitelisting solution I built that aimed, and failed, to provide foolproof protection against abuse of LD_PRELOAD process injection. This talk will cover how adversaries use LD_PRELOAD, how its built-in audit system works, and how the audit system can be leveraged for whitelisting. We’ll also examine design and implementation considerations for whitelisting, closing the talk by showing how checks built into the dynamic linker would be much more effective than a solution thrown on top.
Tony Lambert (@ForensicITGuy) is a professional geek who loves to jump into all things related to detection and digital forensics. After working for several years in Desktop and Systems Administration, he joined the Red Canary team to help find evil and augment detection capabilities for organizations. Tony holds a Master’s of Science in Digital Forensic Science from Champlain College and has taught numerous technology classes for a local community college.