developing managed code rootkits for the java runtime
play

Developing Managed Code Rootkits for the Java Runtime Environment - PowerPoint PPT Presentation

Nov 28, 2023 •113 likes •762 views

Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Benjamin Holland (daedared) ben-holland.com DEFCON 24, August 6th 2016 Developing

  1. Developing Managed Code Rootkits for the Java Runtime Environment Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Benjamin Holland (daedared) ben-holland.com DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  2. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Developing Managed Code Rootkits for the Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  3. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A $ whoami DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  4. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A $ whoami Benjamin Holland (daedared) B.S. in Computer Engineering (2005 - 2010) Wabtec Railway Electronics, Ames Lab, Rockwell Collins B.S. in Computer Science (2010 - 2011) M.S. in Computer Engineering and Information Assurance (2010 - 2012) MITRE Iowa State University Research (2012 - 2015) DARPA Automated Program Analysis for Cybersecurity (APAC) Program PhD in Computer Engineering (2015-????) DARPA Space/Time Analysis for Cybersecurity (STAC) Program DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  5. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Background DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  6. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Hello World DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  7. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  8. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  9. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  10. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  11. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Java Runtime Environment DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  12. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Managed Code Rootkits (MCRs) Post exploitation activity (need root/administrator privileges) C:\Program Files\Java\. . . \lib\rt.jar Compromises EVERY program using the modified runtime Out of sight out of mind Code reviews/audits don’t typically audit runtimes May be overlooked by forensic investigators Rootkits can be platform independent Runtimes are already fully featured Object Oriented programming Standard libraries Additional access to low level APIs (key events, networking, etc.) DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  13. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Pioneering Work Pioneering work by Erez Metula (DEFCON 17) Explored implications of MCRs "ReFrameworker" tool to modify .NET runtimes XML modules to define manipulation tasks Uses an assembler/disassembler pair to make modifications Generates deployment scripts DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  14. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Strategies for Modifying the Runtime DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  15. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Strategies for Modifying the Runtime DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  16. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A New Framework Goals MCR support for Java Runtime Environment Minimal prerequisite user knowledge No knowledge of bytecode or intermediate languages Simple development cycle Consider: developing, debugging, deploying Strive towards portability (Write Once, Exploit Everywhere) DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  17. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A JReFrameworker DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  18. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A JReFrameworker Write rootkits in Java source! Modification behaviors defined with code annotations Develop and debug in Eclipse IDE Exploit "modules" are Eclipse Java projects Exportable payload droppers Bytecode injections are computed on the fly Free + Open Source (MIT License): github.com/JReFrameworker DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  19. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A JReFrameworker Write rootkits in Java source! Modification behaviors defined with code annotations Develop and debug in Eclipse IDE Exploit "modules" are Eclipse Java projects Exportable payload droppers Bytecode injections are computed on the fly Free + Open Source (MIT License): github.com/JReFrameworker DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  20. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Hello World Revisited @MergeType public class BackwardsPrintStream extends java.io.PrintStream { @MergeMethod @Override public void println(String str){ StringBuilder sb = new StringBuilder(str); super.println(sb.reverse().toString()); } } DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  21. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Annotation Types DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  22. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Annotation Types DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  23. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Annotation Types DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  24. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Modules DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  25. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Get Creative Time to get creative... DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  26. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Hidden File @MergeType public class HiddenFile extends java.io.File { @MergeMethod @Override public boolean exists(){ if(isFile() && getName().equals("secretFile")){ return false; } else { return super.exists(); } } } DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  27. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Hidden File DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

  28. Developing Managed Code Rootkits for the Java Runtime Environment $ whoami Background JReFrameworker Modules Mitigations Q/A Hidden File DEFCON 24, August 6th 2016 Developing Managed Code Rootkits for the Java Runtime Environment

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Marawacc: A Framework for Heterogeneous Computing in Java Motivation Marawacc-API Runtime Code

Marawacc: A Framework for Heterogeneous Computing in Java Motivation Marawacc-API Runtime Code

Marawacc Marawacc: A Framework for Heterogeneous Computing in Java Motivation Marawacc-API Runtime Code Generation Juan Fumero, Michel Steuwer, Christophe Dubach Runtime Management Results Conclusion The University of Edinburgh UK

405 views • 23 slides
Advanced Programming Lab 1 JDK, JRE JDK = Java Development Kit tools for

Advanced Programming Lab 1 JDK, JRE JDK = Java Development Kit tools for

Advanced Programming Lab 1 JDK, JRE JDK = Java Development Kit tools for developing, debugging, and monitoring Java applications Oracle JDK, OpenJDK Download JRE = Java Runtime Environment tools required for

560 views • 14 slides
Runtime Specialization Java has never been so dynamic before Stephan Herrmann Simply Retail.

Runtime Specialization Java has never been so dynamic before Stephan Herrmann Simply Retail.

Runtime Specialization Java has never been so dynamic before Stephan Herrmann Simply Retail. Two Camps Strict Rules No Ceremony compiler detects errors Freedom Modularity Flexibility separate maintenance self modifying code Enforced

304 views • 17 slides
Characteristics of Adapti tive Runtime Systems in HPC Laxmikant (Sanjay) Kale

Characteristics of Adapti tive Runtime Systems in HPC Laxmikant (Sanjay) Kale

Characteristics of Adapti tive Runtime Systems in HPC Laxmikant (Sanjay) Kale h3p://charm.cs.illinois.edu What runtime are we talking about? Java runtime: JVM + Java class library Implements JAVA API MPI

688 views • 48 slides
A New Java Runtime for a Parallel World Christoph Reichenbach, Yannis Smaragdakis University of

A New Java Runtime for a Parallel World Christoph Reichenbach, Yannis Smaragdakis University of

A New Java Runtime for a Parallel World Christoph Reichenbach, Yannis Smaragdakis University of Massachusetts, Amherst 1 P ARALLELIZABILITY ACCORDING TO C OMPLEXITY T HEORY Serial Code degree of parallelizability . . . FOL + transitive

897 views • 20 slides
The good, the bad and the ugly: Experiences with developing a PGAS runtime on top of MPI-3 6th

The good, the bad and the ugly: Experiences with developing a PGAS runtime on top of MPI-3 6th

The good, the bad and the ugly: Experiences with developing a PGAS runtime on top of MPI-3 6th Workshop on Runtime and Operating Systems for the Many-core Era (ROME 2018) www.dash-project.org Karl Frlinger Ludwig-Maximilians-Universitt

450 views • 25 slides
Runtime Considerations Were moving towards actually producing target code. This means we need

Runtime Considerations Were moving towards actually producing target code. This means we need

10/29/2012 Runtime Considerations Were moving towards actually producing target code. This means we need to consider the runtime actions of the program. CS 1622: Runtime support: Functions and local variable storage Activation

160 views • 4 slides
JAVA Java vs. Java Java Language Specification

JAVA Java vs. Java Java Language Specification

BR 10/05 JAVA Java vs. Java Java Language Specification http://java.sun.com/docs/books/jls/second_edition/html/j.title.doc.html Java programming language is compiled into java byte code Java Virtual Machine Specification

1.07k views • 44 slides
Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of

Java Technologies Enterprise Java Beans (EJB) The Context We are in the context of developing large , distributed applications. What components should contain the code that fulfills the purpose of the application: where should we write

779 views • 43 slides
Introduction To Java Questions to be addressed Why would I use Java for developing my

Introduction To Java Questions to be addressed Why would I use Java for developing my

Introduction To Java Questions to be addressed Why would I use Java for developing my applications? How do I get started on developing Java applications? What applications do I need to start developing? Why Java? Platform

476 views • 14 slides
1 Pointers Better than sliced bread! Similar to Java references Java code example:

1 Pointers Better than sliced bread! Similar to Java references Java code example:

1 Pointers Better than sliced bread! Similar to Java references Java code example: myX = new X(); myX 2 Assume the X object instance fits in the box myX 3 19 20 42060 ( myX ) 20 4 Java code: myX.doSomething(13); C

630 views • 47 slides
Java for OOP Objects de-mystified Christoph Angerer Java Virtual Machine VM Heap Program

Java for OOP Objects de-mystified Christoph Angerer Java Virtual Machine VM Heap Program

Java for OOP Objects de-mystified Christoph Angerer Java Virtual Machine VM Heap Program Memory (Program Code (Classes, JIT Memory) etc.) Reads Internal use Virtual Machine Slide 2 Runtime Model public class BankAccount {

307 views • 30 slides
1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

1 Java compilation model Java bytecode format void spin () { int i; for (i = 0; i < 100;

The Java programming environment Introduction to JVM Based on material produced by Bill Venners 1 2 The Java platform The role of the virtual machime byte code generated by the Java front-end is an intermediate representation (IR)

834 views • 3 slides
PYTHON VS. JAVA: DYNAMIC VS. STATIC In Python, typing is determined dynamically, at runtime In

PYTHON VS. JAVA: DYNAMIC VS. STATIC In Python, typing is determined dynamically, at runtime In

PYTHON VS. JAVA: DYNAMIC VS. STATIC In Python, typing is determined dynamically, at runtime In Java, typing is determined statically, at compile-time: This means every variable must be rst declared with a particular type, and you're not

197 views • 6 slides
Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN

Linux rootkits & TTY Hijacking Antonio Prez Prez <antonio.perez.perez@cern.ch> CERN Computer Security Team EGI Technical Forum 2011, Lyon, France Outline Rootkits: Introduction Linux rootkits History Detection and monitoring

423 views • 26 slides
Java ByteCode Manuel Oriol June 8th, 2006 Byte Code? The Java language is compiled into an

Java ByteCode Manuel Oriol June 8th, 2006 Byte Code? The Java language is compiled into an

Java ByteCode Manuel Oriol June 8th, 2006 Byte Code? The Java language is compiled into an intermediary form called byte code It ensures portability The byte code is a succession of instructions that manipulate a stack Each

723 views • 57 slides
Analysis of optimistic multi-party contract signing Rohit Chadha 1,2 , Steve Kremer 3 , Andre

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2 , Steve Kremer 3 , Andre

Analysis of optimistic multi-party contract signing Rohit Chadha 1,2 , Steve Kremer 3 , Andre Scedrov 1 1 University of Pennsylvania 2 University of Sussex 3 Universit Libre de Bruxelles Digital Contract signing Use dig ita l sig na ture s

623 views • 31 slides
Panta Rhei Water and Society: Science and Education Thorsten Wagener 1

Panta Rhei Water and Society: Science and Education Thorsten Wagener 1

Panta Rhei Water and Society: Science and Education Thorsten Wagener 1 thorsten.wagener@bristol.ac.uk In this talk I will discuss how I see hydrology education evolve 1. Water and society 2. Shifting baseline for hydrology education 3.

579 views • 41 slides
Step up your game Step up your game & bring your projects to the bring your projects to the

Step up your game Step up your game & bring your projects to the bring your projects to the

Step up your game Step up your game & bring your projects to the bring your projects to the Next Level Next Level bit.ly/goto-amstd Olivier Combe Olivier Combe @ocombe github.com/ocombe Front end dev @ 1. Setup your project 2. Write

867 views • 45 slides
A Story About JavaScript Natalie Silvanovich May 21, 2020 About Me Natalie Silvanovich AKA

A Story About JavaScript Natalie Silvanovich May 21, 2020 About Me Natalie Silvanovich AKA

A Story About JavaScript Natalie Silvanovich May 21, 2020 About Me Natalie Silvanovich AKA natashenka Project Zero member Reported 100+ vulnerabilities in JavaScript and Flash over the past 5 years LangSec Ambiguity of

512 views • 28 slides
Learning Theory Bridges Loss Functions July 13 rd , 2020 Han Bao (The University of Tokyo / RIKEN

Learning Theory Bridges Loss Functions July 13 rd , 2020 Han Bao (The University of Tokyo / RIKEN

Learning Theory Bridges Loss Functions July 13 rd , 2020 Han Bao (The University of Tokyo / RIKEN AIP) Han Bao ( ) in Binary Classification. (AISTATS2020) knowledge learning transfer learning similarity robustness to Binary

529 views • 51 slides
Introduction to Jest testing framework Painless JavaScript Testing platform Vasyl Boroviak

Introduction to Jest testing framework Painless JavaScript Testing platform Vasyl Boroviak

Introduction to Jest testing framework Painless JavaScript Testing platform Vasyl Boroviak Transform your inspection process with smart, mobile forms. checklists into digital forms and access them on site, in the field, where Typical set of

405 views • 28 slides
Attentive Neural Architecture for Ad-hoc Structured Document Retrieval Saeid Balaneshin 1

Attentive Neural Architecture for Ad-hoc Structured Document Retrieval Saeid Balaneshin 1

Attentive Neural Architecture for Ad-hoc Structured Document Retrieval Saeid Balaneshin 1 Alexander Kotov 1 Fedor Nikolaev 1 , 2 1 Textual Data Analytics Lab, Department of Computer Science, Wayne State University 2 Kazan Federal University 1/25

786 views • 36 slides
JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming

JavaScript: The Good Parts vs. JavaScript: The Definitive Guide CS 252: Advanced Programming Language Principles Introduction to JavaScript Prof. Tom Austin San Jos State University History of JavaScript In 1995, Netscape hired Brendan

395 views • 16 slides

More recommend