
A peek under the Blue Coat: ProxySG internals. Raphaël Rigo / AGI / TX5IT. Ruxcon, 2015-10-24 (slide deck)



  1. A peek under the Blue Coat ProxySG internals Raphaël Rigo / AGI / TX5IT Ruxcon - 2015-10-24

  2. A peek under the Blue Coat: Outline
     1 Introduction
     2 Storage: filesystems and registry
     3 Binaries
     4 Kernel and OS mechanisms
     5 Understanding internals
     6 Security mechanisms
     7 Conclusion
     Ruxcon - 2015-10-24 2

  3. Outline (section 1: Introduction). Ruxcon - 2015-10-24 3

  4. What? Why?
     Blue Coat ProxySG?
     - enterprise (Web) proxy, one of the most deployed in big companies
     - lots of complex features: URL categorization (WebSense and others); video streaming / instant messaging specific handling; MAPI and SMB proxy / cache / prefetcher; etc.
     - runs proprietary SGOS
     Why research ProxySG?
     - widely used in Airbus Group
     - interesting target for malicious actors: log bypass, Internet exposed, MITM, etc.
     - no known previous research: unknown security level
     - security bulletins: mostly OpenSSL and Web administration interface bugs
     Ruxcon - 2015-10-24 4

  5. Research
     Study objectives:
     - assess the global security level
     - write recommendations for secure deployment
     - be prepared for forensics in case of a compromised ProxySG
     Why publish?
     - first public info, but surely not first research
     - foster research ⇒ better security
     Today's presentation:
     - raw technical results, as a starting point for research
     - goes from low level (FS) to high level, following our approach
     - applies to all ProxySG models and 6.x versions up to Q1 2015
     Ruxcon - 2015-10-24 5

  6. Getting started
     Running ProxySG:
     - hardware: commodity x86 CPUs, HDD, etc.
     - VMware appliances
     Common versions:
     - 5.5: older version, EOL Aug 2014
     - 6.2: previous long term release, EOL Oct 2015
     - 6.5: latest long term release, recommended by BC
     To get a first look, we need to access the filesystem:
     - 6.? (≥ 6.4): small FAT32 partition containing a proprietary BCFS image
     - older versions: fully proprietary disk partitioning/data (no FAT32)
     Ruxcon - 2015-10-24 6

  7. Outline (section 2: Storage: filesystems and registry). Ruxcon - 2015-10-24 7

  8. On disk data: intro
     Hardware, basic architecture: 3 disks (or more)
     - small CompactFlash or SSD for OS (FAT32)
     - 2 or more drives for data (proprietary FS)
     Filesystems:
     - static, read-only FS for OS (BCFS): OS files
     - low level (static) configuration: kernel options, resource limits
     - cache engine FS based on hash tables (CEFS) (Patent US7539818)
     - registry in CEFS for settings files
     Remarks:
     - unknowns: CEFS structures, log storage format
     - on-disk partition structures are very complex
     - today: only static FS (BCFS) for OS
     Ruxcon - 2015-10-24 8

  9. System disk organization (BIOS mode)
     Files on FAT32 partition:
     - /sgos/boot/systems/system1
     - /sgos/boot/cmpnts/starter.si
     - /sgos/boot/cmpnts/boot.exe
     - /sgos/boot/meta.txt
     - /sgos/fbr.con
     Both starter.si and system1 use BCFS.
     bootloader: starter.si (6 MiB)
     - basic SGOS (UP kernel, drivers, no application)
     - looks up available systems
     - displays GRUB-like boot menu
     Real OS: system1 (210 MiB)
     - full blown OS: SMP kernel, Web UI, actual applications, etc.
     Ruxcon - 2015-10-24 9

  10. Boot sequence (BIOS)
     1 BIOS
     2 MBR
     3 boot sector of active partition
     4 boot.exe, found by hardcoded sector number
     5 kernel.exe, first file entry in starter.si FS
     6 kernel starts sequencer.exe, second entry in starter.si
     7 sequencer.exe parses the main.cfg script and starts the necessary drivers
     8 main.cfg finally launches starter.exe, which displays the boot menu
     9 starter.exe loads the selected system
     Ruxcon - 2015-10-24 10

  11. BCFS (read-only FS) format
     Layout (as recovered from the slide diagram; offsets as printed: +0xd0, strings table at +0xc00, files table at 0x4000, +0x40 per _CE_ entry):
     - header: _CP_ xxxx xxxx _HP_ { .size .offset .crc32 czk }, followed by .HMAC (6.5)
     - _CP_ xxxx xxxx _CZK { .data_size .nr_cpce }
     - CPCE entries: _CP_ xxxx xxxx _CE_ { .elmnts {.nr .sz} .offset .size }; the three .offset fields point in turn to the strings table, the CPVE table and the CPIE table
     - file entries (CPIE): _CP_ xxxx xxxx _IE_ { .abs_off .rel_off }
     - strings table, then files content
     How to extract?
     1 read CPCE entries, note offsets for strings table and files table
     2 parse files table (CPIE) linearly
     3 get file name from strings table
     How to modify?
     1 cannot increase file size
     2 fix CRC and HMAC
     Ruxcon - 2015-10-24 11

  12. System image configuration variables (CPVE)
     - offset and size specified by 3rd _CP_ _CE_ entry
     - modifying the variable implies fixing CRC/HMAC and reboot
     - variable names can be found in sequencer.exe
     Structure:
         struct cpve_entry {
             uint32_t magic1;  /* _CP_ */
             uint64_t unk;
             uint32_t magic2;  /* _VE_ */
             uint16_t number;
             uint16_t section;
             uint32_t unk2;
             uint64_t value;
         }
     Known variables (section, number: description), Section 4, kernel:
     - 4,0: flags: 0x8: GDB monitor enabled; 0x200: int3 at OS startup; 0x400: kernel debug logs enabled
     - 4,1: arch_flags: 1: activate Write Protect in cr0
     - 4,3: console_speed (in bauds)
     Ruxcon - 2015-10-24 12
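An added example, not code from the talk: a small parser that walks a CPVE table using the struct above and reports which of the listed kernel debug bits are set, the kind of check worth running on a system image during forensics. It assumes the struct is packed little-endian with no padding (32 bytes); the variable names and bit meanings are those on the slide, and the sample table is constructed.

```python
import struct
from dataclasses import dataclass

# Assumed packed, little-endian layout of the slide's cpve_entry (32 bytes):
# magic1 u32 "_CP_", unk u64, magic2 u32 "_VE_", number u16, section u16, unk2 u32, value u64
CPVE_FMT = "<4sQ4sHHIQ"
CPVE_SIZE = struct.calcsize(CPVE_FMT)

# Variables listed on the slide: (section, number) -> name
KNOWN_VARS = {(4, 0): "flags", (4, 1): "arch_flags", (4, 3): "console_speed"}
# Bit meanings given on the slide for section 4, variables 0 and 1
KERNEL_FLAG_BITS = {0x8: "GDB monitor enabled", 0x200: "int3 at OS startup",
                    0x400: "kernel debug logs enabled"}
ARCH_FLAG_BITS = {0x1: "Write Protect active in cr0"}


@dataclass
class CpveEntry:
    section: int
    number: int
    value: int
    name: str


def parse_cpve_table(blob: bytes) -> list:
    """Walk a CPVE table linearly, checking both magics of every entry."""
    if len(blob) % CPVE_SIZE:
        raise ValueError("CPVE table length is not a multiple of the entry size")
    entries = []
    for off in range(0, len(blob), CPVE_SIZE):
        m1, _, m2, number, section, _, value = struct.unpack_from(CPVE_FMT, blob, off)
        if m1 != b"_CP_" or m2 != b"_VE_":
            raise ValueError(f"bad CPVE magic at offset {off:#x}")
        entries.append(CpveEntry(section, number, value,
                                 KNOWN_VARS.get((section, number), "unknown")))
    return entries


def debug_settings(entries) -> list:
    """Describe the kernel debug / hardening bits that are set (forensic check)."""
    found = []
    for e in entries:
        bits = {(4, 0): KERNEL_FLAG_BITS, (4, 1): ARCH_FLAG_BITS}.get((e.section, e.number), {})
        found += [desc for bit, desc in bits.items() if e.value & bit]
    return found


def make_entry(section: int, number: int, value: int) -> bytes:
    """Pack one entry; used here only to construct sample input."""
    return struct.pack(CPVE_FMT, b"_CP_", 0, b"_VE_", number, section, 0, value)


# Constructed sample table: GDB monitor + int3 on, WP on, console at 9600 baud
SAMPLE_TABLE = make_entry(4, 0, 0x208) + make_entry(4, 1, 1) + make_entry(4, 3, 9600)
```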

  13. Cache Engine FS (CEFS): writable storage
     - hash-table object storage with disk backend
     - mostly used for cache data: web content, CIFS files, MAPI mails, etc.
     - regular files are also supported, with prefix /legacy/cache_engine/
     Some files (paths straight from the code, no typo):
     - .../persistent/replicated/authorized_keys
     - .../persistent/replicated/volatile//config/v9/registry/registry.xml
     - .../transient//snmp.log
     - .../persistent/replicated/licensing_certificate
     Ruxcon - 2015-10-24 13

  14. Registry: settings storage
     - tree structure used for all settings
     - entries are referenced by strings like "config:Authenticator:local_users"
     - on-disk storage: xml file on writable CEFS
     Interesting URLs (admin rights needed):
     - /registry/show
     - /registry/registry.html
     - /registry/registry.xml
     - /registry/debug
     CLI extensions (cf slide 24):
     - reg-set
     - reg-delete
     - reg-list
     - reg-trace
     Ruxcon - 2015-10-24 14

  15. Outline (section 3: Binaries). Ruxcon - 2015-10-24 15

  16. OS Filesystem organization
     /
       *.cfg                                                  (data files)
       var/[...]/lib/lib(gcc_s|stdc++)_sgos.so
       home/jenkins/workspace/SGOS6_sg_6_5_xx7/scorpius/sg_6_5_xx7/
         bootchain/x86/release/
         bin/x86_64/sgos_native/release/gcc_v4.4.2/
           stripped/                                          (libs and programs)
           mp_cr/kernel.exe
           storage/                                           (drivers, .exe)
     Ruxcon - 2015-10-24 16

  17. ELF files: kernel, libs, programs
     Everything interesting is located in .../stripped/:
     - .exe, .exe.so and .so extensions (version 5 was using PE files)
     - 32 or 64 bits ELF files, depending on model (RAM size?)
     - everything in C++, compiled with g++ with custom sgos target
     - lots of unit tests
     - more than 2600 source files referenced
     - everything is stripped, but lots of external symbols
     - heavy template use, e.g.: AMI::Config_Data::Config_Data(AMI::Storage_Class, AMI::String_Ref const&, AMI::Shared_Ptr<AMI::Installed_Systems const> const&, AMI::Shared_Ptr<AMI::Config_General const> const&, AMI::Shared_Ptr<AMI::Shell const> const&, AMI::Shared_Ptr<AMI::SSL const> const&, AMI::Shared_Ptr<AMI::SMTP_Data const> const&, AMI::Shared_Ptr<AMI::BC_Threat_Protection const> const&, AMI::Shared_Ptr<AMI::Banner_Settings const> const&, AMI::Shared_Ptr<AMI::Policy_Settings const> const&, AMI::Shared_Ptr<AMI::Statistics_Export_Settings const> const&)
     - "custom" ABI in 32 bits (probably gcc called with -mregparm): EAX, EDX, ECX, stack
     - in 64 bits, standard SysV ABI: RDI, RSI, RDX, RCX, R8, R9, stack
     Ruxcon - 2015-10-24 17

  18. Known code?
     Interesting open source libraries (version numbers from 6.5 release, Aug 2014):
     - BGET: memory allocator (first dev in 1972!)
     - NET-SNMP 5.4.2.1 (2008-10-31)
     - newlib: libc
     - expat 1.95.2: XML parser (2001!)
     - libxml2 2.7.7-82143f4 (2010-11-04)
     - OpenSSH 6.3 (2013-09-13)
     - OpenSSL 1.0.1e (2013-02-11)
     - zlib 1.2.3 (2005-07-18)
     Blue Coat states that they backport fixes regularly (without necessarily changing the version string).
     Ruxcon - 2015-10-24 18

  19. Outline (section 4: Kernel and OS mechanisms). Ruxcon - 2015-10-24 19

  20. Kernel
     The kernel in practice:
     - kernel access partially abstracted in libknl_api.so
     - small (~800 KiB), basic primitives: interrupt/exception handling, semaphores/locks, message passing, drivers
     - ds:1014h points to a "TEB"-like structure
     Some syscalls:
     - Nop
     - Suicide
     - Enable_event_logging
     - Register_worker_address
     - Symbol_address
     - Processor_voltage
     - Semaphore_signal_all
     - Grow_stack
     Ruxcon - 2015-10-24 20
