Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one- by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures.
Udi Yavo has more than 15 years of experience in cyber-security with a proventrack record in leading cutting edge cyber-security R&D; projects. Priorto enSilo, Udi spearheaded the direction of the cyber-security unit at theNational Electronic Warfare Research & Simulation Center of Rafael AdvancedDefense System and served as its CTO. Additionally, he developed and ledRafael's cyber training programs. Udi's achievements at Rafael have beenrecognized, winning him excellence and innovation awards on complex securityprojects. Prior to Rafael, Udi served as a system architect at the IDF. Heholds a BA in Computer Science from the Open University.
Tomer Bitton is VP of Research at enSilo. Tomer has over 12 years ofexperience in security research. Tomer focuses on original research such asmalware reversing, hostile code and extreme packers. In his prior role, Tomerserved as a low-level security researcher at the National Electronic WarfareResearch & Simulation Center of Rafael Advanced Defense Systems. There, he wonexcellence and innovation awards for complex security projects. Before that,Tomer managed the security content team at Imperva. Previous roles included asecurity researcher at Radware and a senior malware researcher at RSASecurity.