WEBVTT 1 00:00:00.000 --> 00:00:01.410 In this lesson, 2 00:00:01.410 --> 00:00:04.770 we will learn about Memory-based Attacks. 3 00:00:04.770 --> 00:00:08.310 Memory-based attacks exploit vulnerabilities 4 00:00:08.310 --> 00:00:12.600 in a system's memory management to execute malicious code, 5 00:00:12.600 --> 00:00:16.290 manipulate data, or cause system crashes. 6 00:00:16.290 --> 00:00:19.650 Memory-based attacks include attacker tactics, 7 00:00:19.650 --> 00:00:24.650 techniques and procedures or TTPs specific to memory 8 00:00:24.672 --> 00:00:26.881 and shimming. 9 00:00:26.881 --> 00:00:28.080 These attacks often target 10 00:00:28.080 --> 00:00:31.969 the way a program allocates and manages memory, 11 00:00:31.969 --> 00:00:35.160 taking advantage of vulnerabilities like buffer overflows 12 00:00:35.160 --> 00:00:38.460 to inject or execute harmful code. 13 00:00:38.460 --> 00:00:42.300 Shimming works by placing a malicious layer of code 14 00:00:42.300 --> 00:00:46.080 that intercepts communication between the application 15 00:00:46.080 --> 00:00:49.500 and the operating system, allowing the attacker 16 00:00:49.500 --> 00:00:54.090 to modify inputs, outputs, or system calls. 17 00:00:54.090 --> 00:00:58.110 Let's learn more about memory and shimming attacks. 18 00:00:58.110 --> 00:01:00.900 First, we have memory attacks. 19 00:01:00.900 --> 00:01:04.260 Memory attacks are a type of malicious activity 20 00:01:04.260 --> 00:01:06.990 that targets a system's memory management 21 00:01:06.990 --> 00:01:11.580 to exploit vulnerabilities and execute harmful code. 22 00:01:11.580 --> 00:01:15.540 These attacks often manipulate how memory is allocated 23 00:01:15.540 --> 00:01:17.550 and accessed in programs, 24 00:01:17.550 --> 00:01:21.510 taking advantage of programming flaws like buffer overflows 25 00:01:21.510 --> 00:01:23.970 or null pointer dereferences. 26 00:01:23.970 --> 00:01:27.180 When attackers exploit these vulnerabilities, 27 00:01:27.180 --> 00:01:31.350 they can inject malicious code, manipulate data in memory, 28 00:01:31.350 --> 00:01:33.930 or crash the system entirely. 29 00:01:33.930 --> 00:01:36.900 Memory attacks are particularly effective 30 00:01:36.900 --> 00:01:40.590 because they leverage the system's own memory processes 31 00:01:40.590 --> 00:01:43.950 making it difficult for standard security software 32 00:01:43.950 --> 00:01:47.970 to detect them until after the attack is in progress. 33 00:01:47.970 --> 00:01:52.560 For example, a common memory attack is the buffer overflow, 34 00:01:52.560 --> 00:01:55.290 where an attacker deliberately inputs data 35 00:01:55.290 --> 00:01:57.660 that exceeds a buffer's capacity, 36 00:01:57.660 --> 00:02:00.690 overriding adjacent memory locations. 37 00:02:00.690 --> 00:02:03.300 In doing so, the attacker can replace 38 00:02:03.300 --> 00:02:05.250 legitimate code in memory 39 00:02:05.250 --> 00:02:07.860 with their own malicious instructions. 40 00:02:07.860 --> 00:02:12.000 If successful, the system will execute the attacker's code 41 00:02:12.000 --> 00:02:15.570 with the same permissions as the vulnerable application, 42 00:02:15.570 --> 00:02:17.490 which could allow for activities 43 00:02:17.490 --> 00:02:22.020 like unauthorized data access or command execution. 44 00:02:22.020 --> 00:02:25.380 Next, a null pointer dereference occurs 45 00:02:25.380 --> 00:02:29.160 when an attacker attempts to access or modify data 46 00:02:29.160 --> 00:02:32.962 through a pointer that has a null or a zero value. 47 00:02:32.962 --> 00:02:35.820 In programming, a pointer is a variable 48 00:02:35.820 --> 00:02:39.060 that holds the memory address of another variable, 49 00:02:39.060 --> 00:02:42.540 allowing the program to access a location. 50 00:02:42.540 --> 00:02:47.100 A null pointer, however, points to no valid memory location. 51 00:02:47.100 --> 00:02:51.120 So when a program tries to dereference a null pointer, 52 00:02:51.120 --> 00:02:54.880 meaning when it attempts to read or write data 53 00:02:54.880 --> 00:02:57.390 at that null address, this can lead to a crash 54 00:02:57.390 --> 00:02:59.858 or abnormal termination 55 00:02:59.858 --> 00:03:01.500 because the system doesn't allow access 56 00:03:01.500 --> 00:03:04.500 to this invalid memory area. 57 00:03:04.500 --> 00:03:06.210 Null pointer dereferences 58 00:03:06.210 --> 00:03:09.420 may also create security vulnerabilities. 59 00:03:09.420 --> 00:03:12.870 For example, if an attacker can control inputs 60 00:03:12.870 --> 00:03:14.220 to the program, 61 00:03:14.220 --> 00:03:16.980 they might trigger a null pointer dereference 62 00:03:16.980 --> 00:03:21.150 causing a denial of service by crashing the application. 63 00:03:21.150 --> 00:03:24.690 In certain cases, null pointer dereferences 64 00:03:24.690 --> 00:03:27.990 can also be combined with other vulnerabilities 65 00:03:27.990 --> 00:03:32.910 to escalate privileges or execute unauthorized code. 66 00:03:32.910 --> 00:03:36.180 So to mitigate memory-based attacks, 67 00:03:36.180 --> 00:03:39.720 developers should employ secure coding practices 68 00:03:39.720 --> 00:03:43.791 like input validation and bounds checking, 69 00:03:43.791 --> 00:03:45.180 which help prevent buffer overflows 70 00:03:45.180 --> 00:03:48.000 and other input vulnerabilities. 71 00:03:48.000 --> 00:03:50.580 Using languages or libraries 72 00:03:50.580 --> 00:03:53.280 with built-in memory safety features 73 00:03:53.280 --> 00:03:56.100 can also reduce the likelihood of errors 74 00:03:56.100 --> 00:03:58.260 that attackers could exploit. 75 00:03:58.260 --> 00:04:01.200 Finally, implementing security mechanisms 76 00:04:01.200 --> 00:04:04.680 such as Address Space Layout Randomization 77 00:04:04.680 --> 00:04:08.760 and Data Execution Prevention make it more challenging 78 00:04:08.760 --> 00:04:11.520 for attackers to predict memory addresses 79 00:04:11.520 --> 00:04:15.900 and execute unauthorized code in protected regions, 80 00:04:15.900 --> 00:04:18.570 providing an additional layer of defense 81 00:04:18.570 --> 00:04:21.330 against memory related exploits. 82 00:04:21.330 --> 00:04:24.150 Second, we have shimming attacks. 83 00:04:24.150 --> 00:04:27.810 Shimming attacks involve placing a malicious shim 84 00:04:27.810 --> 00:04:30.990 or layer of code between an application 85 00:04:30.990 --> 00:04:32.850 and the operating system 86 00:04:32.850 --> 00:04:36.390 to intercept and manipulate system calls. 87 00:04:36.390 --> 00:04:39.450 By doing so, the attacker gains control 88 00:04:39.450 --> 00:04:42.870 over the inputs and outputs between the software 89 00:04:42.870 --> 00:04:46.320 and the system, potentially modifying data 90 00:04:46.320 --> 00:04:51.240 or redirecting commands to achieve unauthorized actions. 91 00:04:51.240 --> 00:04:53.700 Shims are often used in attacks 92 00:04:53.700 --> 00:04:56.400 that require persistence and stealth 93 00:04:56.400 --> 00:05:00.450 as they allow attackers to inject or alter code 94 00:05:00.450 --> 00:05:04.590 in a way that bypasses traditional detection methods. 95 00:05:04.590 --> 00:05:06.630 Shimming is especially dangerous 96 00:05:06.630 --> 00:05:09.120 because it operates at a low level 97 00:05:09.120 --> 00:05:11.340 below standard applications, 98 00:05:11.340 --> 00:05:14.400 making it challenging for antivirus programs 99 00:05:14.400 --> 00:05:17.430 and security software to detect. 100 00:05:17.430 --> 00:05:21.360 An example of a shimming attack is an attacker targeting 101 00:05:21.360 --> 00:05:25.494 a vulnerable application to inject a malicious shim 102 00:05:25.494 --> 00:05:30.350 that intercepts system calls related to user authentication. 103 00:05:30.350 --> 00:05:34.350 This shim, which is essentially a small piece of code 104 00:05:34.350 --> 00:05:37.230 that intercepts and modifies interactions 105 00:05:37.230 --> 00:05:41.400 between an application and the underlying operating system, 106 00:05:41.400 --> 00:05:44.040 often by manipulating system calls 107 00:05:44.040 --> 00:05:47.670 or application programming interface functions 108 00:05:47.670 --> 00:05:51.810 could intercept login credentials or system commands, 109 00:05:51.810 --> 00:05:54.510 redirecting them to an attacker's server 110 00:05:54.510 --> 00:05:58.950 or enabling unauthorized access to secure data. 111 00:05:58.950 --> 00:06:00.810 Attackers could use methods 112 00:06:00.810 --> 00:06:03.900 like application programming interface hooking 113 00:06:03.900 --> 00:06:07.620 or reflective dynamic link library injection 114 00:06:07.620 --> 00:06:11.940 to place the shim, allowing them to manipulate data flows, 115 00:06:11.940 --> 00:06:13.320 capture passwords, 116 00:06:13.320 --> 00:06:16.740 or escalate privileges from a standard user 117 00:06:16.740 --> 00:06:20.250 to an administrator without being noticed. 118 00:06:20.250 --> 00:06:23.070 So to prevent shimming attacks, 119 00:06:23.070 --> 00:06:26.850 organizations should deploy code integrity practices 120 00:06:26.850 --> 00:06:30.420 that verify only trusted signed code 121 00:06:30.420 --> 00:06:33.000 is allowed to load on a system. 122 00:06:33.000 --> 00:06:36.600 Additionally, implementing application allow listing 123 00:06:36.600 --> 00:06:40.080 and using secure boot can also help ensure 124 00:06:40.080 --> 00:06:42.720 that only verified applications 125 00:06:42.720 --> 00:06:45.720 interact with system processes. 126 00:06:45.720 --> 00:06:49.560 Next, regularly updating and patching software 127 00:06:49.560 --> 00:06:54.360 can protect systems as updates often address security flaws 128 00:06:54.360 --> 00:06:57.690 that could be exploited by shimming techniques. 129 00:06:57.690 --> 00:07:00.030 Finally, using monitoring tools 130 00:07:00.030 --> 00:07:02.460 like endpoint detection and response 131 00:07:02.460 --> 00:07:05.490 and security information and event management 132 00:07:05.490 --> 00:07:07.080 or SIM platforms 133 00:07:07.080 --> 00:07:10.770 that detect unusual activity in system calls 134 00:07:10.770 --> 00:07:14.880 or user privileges can help identify and mitigate 135 00:07:14.880 --> 00:07:17.040 shimming attacks early. 136 00:07:17.040 --> 00:07:22.020 So remember, memory-based attacks target weaknesses 137 00:07:22.020 --> 00:07:24.720 in how a system manages its memory, 138 00:07:24.720 --> 00:07:28.350 allowing attackers to execute malicious code, 139 00:07:28.350 --> 00:07:32.220 manipulate data, or crash applications. 140 00:07:32.220 --> 00:07:35.130 These attacks often exploit flaws 141 00:07:35.130 --> 00:07:37.890 in memory allocation or management, 142 00:07:37.890 --> 00:07:40.140 such as buffer overflows 143 00:07:40.140 --> 00:07:44.550 to insert harmful code into an IT system. 144 00:07:44.550 --> 00:07:48.360 Shimming attacks, also a type of memory-based attack, 145 00:07:48.360 --> 00:07:51.480 involves placing a layer of malicious code 146 00:07:51.480 --> 00:07:55.080 between an application and the operating system 147 00:07:55.080 --> 00:07:58.050 intercepting and altering system calls 148 00:07:58.050 --> 00:08:01.920 to achieve unauthorized access or actions. 149 00:08:01.920 --> 00:08:04.680 Both types of attacks are dangerous 150 00:08:04.680 --> 00:08:08.880 because they operate within the system's own processes, 151 00:08:08.880 --> 00:08:10.200 making them difficult 152 00:08:10.200 --> 00:08:13.410 for traditional security tools to detect. 153 00:08:13.410 --> 00:08:16.410 So to prevent these vulnerabilities, 154 00:08:16.410 --> 00:08:20.490 secure coding practices, regular software updates 155 00:08:20.490 --> 00:08:23.190 and monitoring tools should be used 156 00:08:23.190 --> 00:08:26.490 to detect and mitigate suspicious activity 157 00:08:26.490 --> 00:08:29.133 at the memory and system level.