DeepSec2016: 0patch – Self-healing Security Updates. DeepSec and ACROS Security Introduce a Platform for Micropatches
As soon as a security gap in an computer application is made public the anxious wait begins. Whether it is software for your own network, online applications or apps for your mobile devices, as a user you will quickly become aware of your own vulnerability. The nervousness increases. When will the vendor publish the security update? In the meanwhile is there anything you can do to reduce the risks? Alternatively, how long can you manage without this certain software?
To provide answers to these questions is the central point of security management. Some vendors have fixed dates for security updates. However, occasionally unscheduled updates take place, while some vendors wait quite a few years before they release another update. And this is only true for applications that are still in production or come with a support contract. What happens to programs no longer supported? One possible answer is 0patch, a platform for so-called micropatches in live mode.
Micropatches as emergency management
Contrary to popular belief patches can not only be provided by a software’s vendor. It is possible to change applications both at runtime and during a short interrupt. Since publicly disclosed vulnerabilities are already thoroughly documented by security researchers, micro-patches can be created on the basis of this information, serving directly to eliminate the vulnerabilities in question. This system is called 0patch. It has been developed by security experts who have been penetrating networks for more than 15 years. In such attacks, you must also inject code, thus apply micropatches. Every exploitation of vulnerabilities is based on this principle. Simply put, 0patch is the opposite of an exploit.
“Our technology called 0patch is a result of the frustration about the fact that its just as easy to break into networks as it was 15 years ago,” says Mitja Kolsek, Managing Director of ACROS Security. With the micropatch platform, there is an incentive for researchers to document vulnerabilities and design patches to fix them. In return they get a compensation from the users of these micropatches.
Patching software might not sound very innovative, nevertheless, this very process is still one of the biggest sore points of IT security
And there are further extension possibilities: In IT security research concepts are tested, which automatically find gaps in code and propose corresponding micro-patches. Such technologies could also be incorporated into Quality assurance processes.
Modern protection for legacy systems
One does not like to talk about it, but in almost every infrastructure there are legacy systems in the form of old applications or software packages, which are no longer supported. In the times of mainframes code has simply been taken along with compatibility layers. This is still happening today, but now without space-filling computers. The 0patch platform is especially interesting for these applications. With the help of micropatches, vulnerabilities can be closed even without the support of a vendor. A far more beneficial option than to wait and hope that lightning will strike somewhere else.
European Premiere: Workshop 0patch platform for users
As part of its 10th anniversary, the DeepSec In-Depth Security Conference offers high-caliber trainings to its participants. Among other things, there is the workshop “Do-It-Yourself Patching: Writing Your Own Micropatch”, held by Mitja Kolsek and other developers of 0patch. It is a training with practical examples from the working world. You learn how to create unofficial micropatches based on real vulnerabilities and to apply them correctly, even during runtime. The workshop focuses on software for Microsoft® Windows, but it will provide examples for all platforms. The content is intended for security researchers as well as users from IT departments. Software developers are also welcome to participate and get to know the system. After all, a micropatch can help both vendors and customers to save precious time and avoid uncertainties.
Annual meeting of international renowned security experts in Vienna
The topics of this year’s DeepSec trainings range from WLAN attacks, patches, cryptography, targeted attacks on Apple’s iPhone and IoT devices, Windows PowerShell for attackers, network technology for secure web application development to social engineering. International trainers bring their expertise to the heart of Europe, thereby providing you with a unique training opportunity.
And then there’s the two-day conference filled with lectures from all areas of IT Security. The keynote will be given by Marcus Ranum, who set up the first e-mail server for whitehouse.gov, and will reflect upon over 30 years of IT security.
The complete conference program is available on:
The workshops will be held on the 8th / November 2016
The conference takes place on 10/11. November
Venue: The Imperial Riding School Vienna – A Renaissance Hotel