MAKE DKOM ATTACKS GREAT AGAIN - MARIANO GRAZIANO - Bologna, Italy - PowerPoint PPT Presentation

SLIDE 1

MAKE DKOM ATTACKS GREAT AGAIN

MARIANO GRAZIANO

Bologna, Italy - 29/10/2016

SLIDE 2

whoami

  • Security researcher at Cisco in the Talos group
  • Ph.D. Telecom ParisTech/Eurecom
  • Hackademic
  • Malware analysis / memory forensics

SLIDE 3

ROOTKIT

“Software to maintain a persistent and stealthy access on a compromised machine”

SLIDE 4

HOW?

[Diagram: privilege rings RING 3, RING 0, RING -1, RING -2, RING -3 on a PRIVILEGES axis]

SLIDE 5

HOW?

[Diagram: the same rings placed on PRIVILEGES and DETECTION axes]

SLIDE 6

HOW?

[Diagram: rings on PRIVILEGES and DETECTION axes, with the COMMON ROOTKITS region marked]

SLIDE 7

HOW?

[Diagram: privilege rings on PRIVILEGES and DETECTION axes; RING -1 highlighted]

  • “SubVirt: Implementing malware with virtual machines” - S&P 06
  • Blue Pill - Joanna Rutkowska - Syscan 06
  • Vitriol - Dino Dai Zovi - BHUS 06

SLIDE 8

HOW?

[Diagram: privilege rings on PRIVILEGES and DETECTION axes; RING -2 highlighted]

  • Duflot SMM research
  • “SMM rootkits: A new breed of OS independent malware” - SecureComm 08
  • “System Management Mode Hacks” - Phrack #65 - ’08
  • “Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers” - Phrack #66 - ’09
  • “Implementing SMM PS/2 Keyboard sniffer” - Beist - 2009
  • NSA
  • http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html

SLIDE 9

HOW?

SLIDE 10

HOW?

[Diagram: privilege rings on PRIVILEGES and DETECTION axes; RING -3 highlighted]

  • “Introducing Ring -3 Rootkits” - Tereshkin & Wojtczuk - BHUS’09
  • “Understanding DMA Malware” - Stewin et al. - DIMVA ’12
  • http://me.bios.io/Resources

SLIDE 11

HOW?

[Diagram: rootkit families: DKOM, BOOTKITS, ROP ROOTKITS, BLUEPILLS, FIRMWARE]

SLIDE 12

HOW?

[Diagram: the same rootkit families as on slide 11]

SLIDE 13

ROP ROOTKIT?

  • Motivation
  • “Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms” - USENIX Security 09
  • “Persistent Data-only Malware: Function Hooks without Code” - NDSS ’14

SLIDE 14

ROP ROOTKIT?

  • Persistence technique:
    • CVE-2013-2094
    • sysenter
    • IA32_SYSENTER_ESP (0x175)
    • IA32_SYSENTER_EIP (0x176)

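An added check for the persistence vector this slide lists (example code written for this page, not from the talk or from the Chuck prototype): a data-only hook that lives in IA32_SYSENTER_EIP leaves kernel code untouched, so code-integrity checks never see it, but the MSR value itself can be validated against the kernel text range. The C below reads the MSR through Linux's /dev/cpu/N/msr interface and takes _stext/_etext from /proc/kallsyms; root and the msr module are assumed for the live read, while the kallsyms parser and the range check are plain functions that run anywhere.

```c
/* Added example, not from the slides: check IA32_SYSENTER_EIP against the
 * kernel text range. A data-only hook that lives in this MSR leaves kernel
 * code untouched, so the value of the register itself is what to validate.
 * Linux x86, root and the msr module assumed for the live read; the parser
 * and range check are plain functions that run anywhere. */
#include <fcntl.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define MSR_IA32_SYSENTER_CS  0x174
#define MSR_IA32_SYSENTER_ESP 0x175
#define MSR_IA32_SYSENTER_EIP 0x176

/* Parse one /proc/kallsyms line ("ffffffff81000000 T _stext"); if the symbol
 * name matches, store its address. Returns 1 on a match, 0 otherwise. */
int kallsyms_lookup_line(const char *line, const char *wanted, uint64_t *addr)
{
    unsigned long long a;
    char type, name[128];
    if (sscanf(line, "%llx %c %127s", &a, &type, name) != 3)
        return 0;
    if (strcmp(name, wanted) != 0)
        return 0;
    *addr = (uint64_t)a;
    return 1;
}

/* The invariant: the SYSENTER target must lie inside [_stext, _etext). */
int sysenter_eip_is_sane(uint64_t eip, uint64_t stext, uint64_t etext)
{
    return eip >= stext && eip < etext;
}

/* Read one MSR through /dev/cpu/<cpu>/msr; the file offset is the MSR index. */
int rdmsr(int cpu, uint32_t msr, uint64_t *val)
{
    char path[64];
    snprintf(path, sizeof path, "/dev/cpu/%d/msr", cpu);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t n = pread(fd, val, sizeof *val, msr);
    close(fd);
    return n == (ssize_t)sizeof *val ? 0 : -1;
}

int main(void)
{
    uint64_t stext = 0, etext = 0, eip = 0, esp = 0;
    char line[256];
    FILE *f = fopen("/proc/kallsyms", "r");
    if (!f) { perror("/proc/kallsyms"); return 1; }
    while (fgets(line, sizeof line, f)) {
        kallsyms_lookup_line(line, "_stext", &stext);
        kallsyms_lookup_line(line, "_etext", &etext);
    }
    fclose(f);
    if (!stext || !etext) {   /* kptr_restrict shows zeros to non-root */
        fputs("need root to read kernel symbol addresses\n", stderr);
        return 1;
    }
    if (rdmsr(0, MSR_IA32_SYSENTER_EIP, &eip) || rdmsr(0, MSR_IA32_SYSENTER_ESP, &esp)) {
        perror("/dev/cpu/0/msr (modprobe msr?)");
        return 1;
    }
    printf("IA32_SYSENTER_EIP = 0x%" PRIx64 " : %s\n", eip,
           sysenter_eip_is_sane(eip, stext, etext) ? "inside kernel text" : "REDIRECTED");
    printf("IA32_SYSENTER_ESP = 0x%" PRIx64 " (compare against the kernel's own entry stack)\n", esp);
    return 0;
}
```

The EIP range check on its own is not sufficient: a chain can also be staged by pointing the stack MSR at attacker-controlled memory while EIP stays at the legitimate entry, so IA32_SYSENTER_ESP has to be compared with what the kernel expects as well, and on 64-bit Linux the same reasoning applies to IA32_LSTAR, which is what the syscall instruction uses. Run the check from outside the suspect kernel (a hypervisor or a memory image) wherever possible, since a rootkit with ring 0 can lie to an in-guest reader.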
SLIDE 15

ROP ROOTKIT?

Chuck ROP chains: [figure]

SLIDE 16

DKOM

“Direct Kernel Object Manipulation”

SLIDE 17

TRADITIONAL DKOM

[Diagram: EPROCESS - EPROCESS - EPROCESS linked list]

SLIDE 18

TRADITIONAL DKOM

[Diagram: EPROCESS - EPROCESS - EPROCESS linked list]

SLIDE 19

DKOM vs PROCESSES

  • DKOM is a generic technique
  • Processes:
    • Windows: KPROCESS/EPROCESS/PEB
    • Linux: task_struct
    • OSX: proc/task

SLIDE 20

(E)PROCESS?

SLIDE 21

(E)PROCESS?

SLIDE 22

(K)PROCESS?

SLIDE 23

PROCESS?

SLIDE 24

PROCESS?

  • EPROCESS info:
    • Creation and exit time
    • PID and PPID
    • Pointer to the handle table
    • VAD, etc.
  • PEB info:
    • Pointer to the image base address
    • Pointer to the DLLs loaded
    • Heap size, etc.

SLIDE 25

DKOM DEFENSES

  • Kernel data integrity solutions:
    • invariants
    • external systems
    • memory analysis
    • data partitioning

SLIDE 26

VOLATILITY - PSLIST

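The unlink drawn on the two TRADITIONAL DKOM slides, and the cross-view check behind this Volatility pslist slide, as an added user-space model (example code written for this page, not code from the talk or from Volatility). The pool, the EPROCESS layout and the "Proc" tag are constructed stand-ins for the real Windows structures; nothing here touches a kernel. The point it shows is the one the DKOM DEFENSES slide lists under "memory analysis": walking ActiveProcessLinks loses the hidden object, a scan of the allocation pool still finds it, and the difference between the two views is the detection.

```c
/* Added example, not code from the talk or from Volatility: a user-space
 * model of the ActiveProcessLinks unlink and of the list-walk vs pool-scan
 * cross-view that catches it. The pool, the EPROCESS layout and the "Proc"
 * tag are constructed stand-ins for the real Windows structures. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_TAG_PROC 0x636f7250u   /* "Proc": the tag a pool scan looks for */
#define POOL_SIZE 8

struct list_entry { struct list_entry *flink, *blink; };

struct eprocess {
    uint32_t pool_tag;               /* stands in for the pool header tag */
    uint32_t pid;
    char image[16];
    struct list_entry active_links;  /* ActiveProcessLinks */
};

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static struct list_entry ps_active_head;   /* PsActiveProcessHead */
static struct eprocess pool[POOL_SIZE];    /* constructed non-paged pool */
static int npool;

static void list_init(struct list_entry *h) { h->flink = h->blink = h; }

static void list_insert_tail(struct list_entry *h, struct list_entry *e)
{
    e->flink = h;
    e->blink = h->blink;
    h->blink->flink = e;
    h->blink = e;
}

struct eprocess *create_process(uint32_t pid, const char *image)
{
    if (npool >= POOL_SIZE) return NULL;
    struct eprocess *p = &pool[npool++];
    memset(p, 0, sizeof *p);
    p->pool_tag = POOL_TAG_PROC;
    p->pid = pid;
    strncpy(p->image, image, sizeof p->image - 1);
    list_insert_tail(&ps_active_head, &p->active_links);
    return p;
}

/* The DKOM step: splice the object out of the list but leave it allocated
 * and running. Its own links are pointed at itself so that the kernel's
 * later unlink on exit writes only into the object, not into the list. */
void dkom_hide(struct eprocess *p)
{
    struct list_entry *e = &p->active_links;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    e->flink = e->blink = e;
}

/* View 1: walk the list, what task managers and pslist see. */
int pslist(uint32_t *out, int max)
{
    int n = 0;
    for (struct list_entry *e = ps_active_head.flink; e != &ps_active_head; e = e->flink)
        if (n < max) out[n++] = container_of(e, struct eprocess, active_links)->pid;
    return n;
}

/* View 2: scan the pool for the tag, what psscan does; list state is irrelevant. */
int psscan(uint32_t *out, int max)
{
    int n = 0;
    for (int i = 0; i < npool; i++)
        if (pool[i].pool_tag == POOL_TAG_PROC && n < max) out[n++] = pool[i].pid;
    return n;
}

/* Cross-view: anything the scan finds but the walk misses is hidden. */
int find_hidden(uint32_t *out, int max)
{
    uint32_t listed[POOL_SIZE], scanned[POOL_SIZE];
    int nl = pslist(listed, POOL_SIZE), ns = psscan(scanned, POOL_SIZE), n = 0;
    for (int i = 0; i < ns; i++) {
        int seen = 0;
        for (int j = 0; j < nl; j++) if (listed[j] == scanned[i]) seen = 1;
        if (!seen && n < max) out[n++] = scanned[i];
    }
    return n;
}

/* Constructed scenario: four processes, one hidden. Returns the hidden count. */
int build_demo(void)
{
    npool = 0;
    list_init(&ps_active_head);
    create_process(4, "System");
    create_process(612, "csrss.exe");
    struct eprocess *victim = create_process(1337, "implant.exe");
    create_process(2048, "explorer.exe");
    dkom_hide(victim);
    uint32_t hidden[POOL_SIZE];
    return find_hidden(hidden, POOL_SIZE);
}

int main(void)
{
    uint32_t pids[POOL_SIZE];
    build_demo();
    printf("pslist : %d entries\n", pslist(pids, POOL_SIZE));
    printf("psscan : %d entries\n", psscan(pids, POOL_SIZE));
    int n = find_hidden(pids, POOL_SIZE);
    for (int i = 0; i < n; i++) printf("hidden : pid %u\n", pids[i]);
    return 0;
}
```

On a real memory image the scan also returns terminated processes whose pool blocks have not yet been reused, so a practitioner filters the scan side by exit time before calling a difference "hidden"; the self-pointing links left by dkom_hide are themselves a usable signature, since a live, listed process never has flink == blink == &own_links.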
SLIDE 27

DEMO

“DKOM DEMO”

SLIDE 28

E-DKOM

“Evolutionary Direct Kernel Object Manipulation”

“Subverting Operating System Properties through Evolutionary DKOM Attacks” Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti DIMVA 2016, San Sebastian, Spain

SLIDE 29

E-DKOM

[Diagram: a data structure of interest plotted against time]

SLIDE 30

E-DKOM

Violation of a temporal property

SLIDE 31

E-DKOM

Violation of a temporal property. The attack cannot be detected by looking at a single snapshot.

SLIDE 32

STATE vs PROPERTY

  • Traditional DKOM attacks affect the state, and are discrete
  • Evolutionary DKOM (E-DKOM) attacks affect the evolution in time of a given property, and are continuous

SLIDE 33

LINUX CFS SCHEDULER

SLIDE 34

LINUX CFS SCHEDULER

[Diagram: CFS run-queue tree with the target task marked]

SLIDE 35

LINUX CFS SCHEDULER

[Diagram: CFS run-queue tree with the target and the right-most node marked]

SLIDE 36

LINUX CFS SCHEDULER

[Diagram: CFS run-queue tree with the target and the right-most node marked]

Set target vruntime > right-most vruntime

SLIDE 37

LINUX CFS SCHEDULER

[Diagram: the target task shown over successive scheduler states]

We affect the evolution of the data structure over time. We altered the scheduler property (fair execution).

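The E-DKOM write from the preceding slides (target vruntime pushed just past the right-most node) in a toy model, added here as example code and not code from the paper or its prototype: four equal-weight tasks, a scheduler that always runs the smallest vruntime, and the hook re-applied on every tick. A single-snapshot invariant on the run-queue (bounded vruntime spread) passes in both the clean and the attacked run; only accounting over time exposes the starved task, which is the STATE vs PROPERTY point. Real CFS keeps an rb-tree keyed on vruntime, weights by nice level and clamps vruntime on wakeup, none of which is modelled; pids, slice size and tick count are constructed.

```c
/* Added example, not from the paper: a toy CFS in which the E-DKOM hook
 * keeps the target's vruntime just past the right-most node. Snapshot
 * invariants hold throughout; only a temporal check sees the starvation. */
#include <stdint.h>
#include <stdio.h>

#define NTASKS 4
#define SLICE  10                       /* vruntime added per tick of execution */
#define SPREAD_BOUND (NTASKS * SLICE)   /* largest vruntime spread we call sane */

struct task { int pid; uint64_t vruntime; unsigned ran; };
struct rq   { struct task t[NTASKS]; };

void rq_init(struct rq *rq)
{
    for (int i = 0; i < NTASKS; i++) {
        rq->t[i].pid = 100 + i;   /* constructed pids 100..103 */
        rq->t[i].vruntime = 0;
        rq->t[i].ran = 0;
    }
}

/* Leftmost node of the tree: smallest vruntime (lowest index on ties). */
static int pick_leftmost(const struct rq *rq)
{
    int best = 0;
    for (int i = 1; i < NTASKS; i++)
        if (rq->t[i].vruntime < rq->t[best].vruntime) best = i;
    return best;
}

/* Rightmost node other than the target: largest vruntime among the rest. */
static int pick_rightmost_except(const struct rq *rq, int skip)
{
    int best = -1;
    for (int i = 0; i < NTASKS; i++) {
        if (i == skip) continue;
        if (best < 0 || rq->t[i].vruntime > rq->t[best].vruntime) best = i;
    }
    return best;
}

/* The E-DKOM write from the slides: move the target just past the rightmost
 * node so CFS keeps picking someone else. Each write is small and plausible. */
static void edkom_starve(struct rq *rq, int target)
{
    int r = pick_rightmost_except(rq, target);
    if (rq->t[target].vruntime <= rq->t[r].vruntime)
        rq->t[target].vruntime = rq->t[r].vruntime + 1;
}

/* Run the toy scheduler; returns how many ticks the target task executed. */
unsigned simulate(struct rq *rq, int ticks, int target, int attack)
{
    for (int k = 0; k < ticks; k++) {
        if (attack) edkom_starve(rq, target);   /* the hook fires every tick */
        int cur = pick_leftmost(rq);
        rq->t[cur].ran++;
        rq->t[cur].vruntime += SLICE;
    }
    return rq->t[target].ran;
}

/* Single-snapshot invariant: vruntimes stay within a bounded spread.
 * The attacked run-queue satisfies it, which is the point of the slides. */
int snapshot_check(const struct rq *rq)
{
    uint64_t lo = rq->t[0].vruntime, hi = lo;
    for (int i = 1; i < NTASKS; i++) {
        if (rq->t[i].vruntime < lo) lo = rq->t[i].vruntime;
        if (rq->t[i].vruntime > hi) hi = rq->t[i].vruntime;
    }
    return hi - lo <= SPREAD_BOUND;
}

/* Temporal property: every runnable task gets roughly 1/NTASKS of the ticks.
 * Returns the pid of a task below half its fair share, or -1 if none. */
int temporal_check(const struct rq *rq, int ticks)
{
    for (int i = 0; i < NTASKS; i++)
        if ((uint64_t)rq->t[i].ran * 2 * NTASKS < (uint64_t)ticks)
            return rq->t[i].pid;
    return -1;
}

int main(void)
{
    struct rq rq;
    for (int attack = 0; attack <= 1; attack++) {
        rq_init(&rq);
        unsigned ran = simulate(&rq, 400, 2, attack);
        printf("attack=%d: target ran %u/400 ticks, snapshot %s, temporal check -> %d\n",
               attack, ran, snapshot_check(&rq) ? "ok" : "VIOLATED",
               temporal_check(&rq, 400));
    }
    return 0;
}
```

The hook has to keep firing because the scheduler itself keeps moving the target back towards the left as the other tasks accumulate vruntime; that is what makes the attack "continuous" rather than a one-off write, and it is also why a monitor that samples the run-queue at one instant has nothing to object to.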
SLIDE 38

DEMO

“E-DKOM DEMO”

SLIDE 39

DEFENSES?

  • Reference monitor that mimics the OS property:
    • OS specific
    • Difficult to generalize

SLIDE 40

DEFENSE FRAMEWORK

SLIDE 41

DEFENSE FRAMEWORK

SLIDE 42

DEFENSE FRAMEWORK

SLIDE 43

FUTURE

  • Minimalism
  • Possible trends:
    • Infections for the masses
    • Stealthy and multi-stage attacks
    • Cat and mouse game
  • Microsoft approach:
    • Credential Guard
    • Application Guard

SLIDE 44

CONCLUSION

  • Rootkit technology evolution
  • New attack based on data structure evolution
  • Experiment on the Linux CFS scheduler
  • Defense based on hypervisor
  • General mitigation/solution very hard

SLIDE 45

THE END

THANK YOU

email: magrazia@cisco.com
twitter: @emd3l