AppSecurityLimits
AppSecurityLimits - Allows Executables To Define Security Limits
IDEA:
Define security-related limits for an executable and embed them into the application. EDR/AV products are responsible for retrieving the data at execution time and limiting the application's behavior based on those limits.
The tool aims to limit exploit capabilities.
whoami: @_qaz_qaz
Implementation
Developer's role:
Run AppSecurityLimits.exe with an executable path and the location of the JSON file.
The tool creates an .appsec section in the executable and inserts the JSON config file into the section.
EDR/AV's role:
If an executable contains an .appsec section and the magic string is .appseclimits_, then extract the JSON content from the section and control the application's behavior accordingly.
For example, if the JSON content contains the following field:
{ ... "remote_process_access" : false, ... }
then an EDR/AV product should deny calls like WriteRemoteProcess, since the application developer does not intend them to be used.
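The EDR/AV-side check described above, as an added example in standard-library Python; it is not code from the AppSecurityLimits project. It assumes the magic string sits at the start of the .appsec section directly before the JSON, and the function names and the sample file are constructed for illustration.

```python
import json
import struct

SECTION = b".appsec"         # section name given on the page
MAGIC = b".appseclimits_"    # magic string given on the page

def find_section(pe: bytes, name: bytes):
    """Return the raw bytes of the named PE section, or None if absent."""
    if pe[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (nsects,) = struct.unpack_from("<H", pe, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for off in range(table, table + 40 * nsects, 40):
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        if pe[off:off + 8].rstrip(b"\0") == name:
            return pe[raw_ptr:raw_ptr + raw_size]
    return None

def load_limits(pe: bytes):
    """Return the embedded limits as a dict, or None when there is no valid policy."""
    try:
        data = find_section(pe, SECTION)
        if data is None or not data.startswith(MAGIC):
            return None
        # Assumed layout: magic string, then JSON, then optional NUL padding.
        limits = json.loads(data[len(MAGIC):].rstrip(b"\0"))
    except (ValueError, struct.error):        # malformed JSON or truncated headers
        return None
    return limits if isinstance(limits, dict) else None

def denies(limits, capability: str) -> bool:
    """Deny only when the developer explicitly set the field to false."""
    return limits is not None and limits.get(capability) is False

def build_sample(payload: bytes) -> bytes:
    """Constructed test input: minimal PE headers with one .appsec section."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0x22)
    raw_ptr = len(dos) + len(coff) + 40
    sect = SECTION.ljust(8, b"\0") + struct.pack(
        "<IIII", len(payload), 0x1000, len(payload), raw_ptr) + b"\0" * 16
    return dos + coff + sect + payload

if __name__ == "__main__":
    pe = build_sample(MAGIC + b'{"remote_process_access": false}' + b"\0" * 8)
    print(denies(load_limits(pe), "remote_process_access"))
```

A missing section, a wrong magic string, or unparsable JSON all yield no policy, so the product falls back to its normal behavior instead of acting on a partial or corrupted policy.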
Third-party
- LIEF (Apache License 2.0)
- nlohmann/json (MIT License)