make dkom attacks great again
play

MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - - PowerPoint PPT Presentation

Sep 30, 2023 •341 likes •806 views

MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1 whoami Security researcher at Cisco in the Talos group Ph.D. Telecom ParisTech/Eurecom Hackademic Malware analysis / memory forensics 2 ROOTKIT

  1. MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1

  2. whoami ‣ Security researcher at Cisco in the Talos group ‣ Ph.D. Telecom ParisTech/Eurecom ‣ Hackademic ‣ Malware analysis / memory forensics 2

  3. ROOTKIT “Software to maintain a persistent and stealthy access on a compromised machine” 3

  4. HOW? RING 3 RING 0 RING -1 RING -2 RING -3 PRIVILEGES 4

  5. HOW? DETECTION RING 3 RING 0 RING -1 RING -2 RING -3 PRIVILEGES 5

  6. HOW? DETECTION RING 3 COMMON ROOTKITS RING 0 RING -1 RING -2 RING -3 PRIVILEGES 6

  7. HOW? DETECTION RING 3 RING 0 - “Subvirt: Implementing malware with virtual machines“ - S&P 06 RING -1 RING -1 - Blue Pill - Joanna Rutkowska - Syscan 06 - Vitriol - Dino Dai Zovi - BHUS 06 RING -2 RING -3 PRIVILEGES 7

  8. HOW? DETECTION RING 3 - Duflot SMM research - “SMM rootkits: A new breed of OS independent malware” - SP 08 RING 0 - “System Management Mode Hacks” - Phrack #65 - ’08 - “Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers” - Phrack #66 - ’09 RING -1 RING -2 - “Implementing SMM PS/2 Keyboard sniffer” - Beist - 2009 - NSA - http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html RING -2 RING -3 PRIVILEGES 8

  9. HOW? 9

  10. HOW? DETECTION RING 3 RING 0 - “Introducing Ring -3 Rootkits” - Tereshkin & Wojtczuk - BHUS’09 - “Understanding DMA Malware” - Stewin et al. - DIMVA ‘12 RING -1 RING -3 - http://me.bios.io/Resources RING -2 RING -3 PRIVILEGES 10

  11. HOW? DKOM BOOTKITS ROP ROOTKITS BLUEPILLS FIRMWARE 11

  12. HOW? DKOM BOOTKITS ROP ROOTKITS BLUEPILLS FIRMWARE 12

  13. ROP ¡ROOTKIT? ‣ Motivation ‣ “ Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms ” - USENIX Security 09 ‣ “ Persistent Data-only Malware: Function Hooks without Code ” - NDSS ‘14 13

  14. ROP ¡ROOTKIT? ‣ Persistence technique: ‣ CVE-2013-2094 ‣ sysenter ‣ IA32_SYSENTER_ESP (0x175) ‣ IA32_SYSENTER_EIP (0x176) 14

  15. ROP ¡ROOTKIT? Chuck ROP chains: 15

  16. DKOM “ D irect K ernel O bject M anipulation” 16

  17. TRADITIONAL ¡DKOM EPROCESS EPROCESS EPROCESS 17

  18. TRADITIONAL ¡DKOM EPROCESS EPROCESS EPROCESS 18

  19. DKOM ¡vs ¡PROCESSES ‣ DKOM is a generic technique ‣ Processes: ‣ Windows: KPROCESS/EPROCESS/PEB ‣ Linux: task_struct ‣ OSX : proc/task 19

  20. (E)PROCESS? 20

  21. (E)PROCESS? 21

  22. (K)PROCESS? 22

  23. PROCESS? 23

  24. PROCESS? ‣ EPROCESS info: ‣ Creation and exit time ‣ PID and PPID ‣ Pointer to the handle table ‣ VAD, etc ‣ PEB info: ‣ Pointer to the Image Base Address ‣ Pointer to the DLLs loaded ‣ Heap size, etc 24

  25. DKOM ¡DEFENSES ‣ Kernel data integrity solutions: ‣ invariants ‣ external systems ‣ memory analysis ‣ data partitioning 25

  26. VOLATILITY ¡-­‑ ¡PSLIST 26

  27. DEMO “ DKOM DEMO ” 27

  28. E-­‑DKOM “ E volutionary D irect K ernel O bject M anipulation” “Subverting Operating System Properties through Evolutionary DKOM Attacks” Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti DIMVA 2016, San Sebastian, Spain 28

  29. E-­‑DKOM Data structure of interest Time 29

  30. E-­‑DKOM Violation of a temporal property 30

  31. E-­‑DKOM Violation of a temporal property The attack cannot be detected looking at a single snapshot 31

  32. STATE ¡vs ¡PROPERTY ‣ Traditional DKOM affects the state and are discrete ‣ Evolutionary DKOM (E-DKOM) affects the evolution in time of a given property and are continuous 32

  33. LINUX ¡CFS ¡SCHEDULER 33

  34. LINUX ¡CFS ¡SCHEDULER target 34

  35. LINUX ¡CFS ¡SCHEDULER target right-most 35

  36. LINUX ¡CFS ¡SCHEDULER Set target vruntime > rightmost vruntime target right-most 36

  37. LINUX ¡CFS ¡SCHEDULER We affect the evolution of the data structure over time. We altered the scheduler property (fair execution) target target 37

  38. DEMO “ E-DKOM DEMO ” 38

  39. DEFENSES? ‣ Reference monitor that mimics the OS property: ‣ OS specific ‣ Difficult to generalize 39

  40. DEFENSE ¡FRAMEWORK 40

  41. DEFENSE ¡FRAMEWORK 41

  42. DEFENSE ¡FRAMEWORK 42

  43. FUTURE ‣ Minimalism ‣ Possibile trends: ‣ Infections for the masses ‣ Stealthy and multi stage attacks ‣ Cat and mouse game ‣ Microsoft approach: ‣ Credential Guard ‣ Application Guard 43

  44. CONCLUSION ‣ Rootkit technology evolution ‣ New attack based on data structure evolution ‣ Experiment on the Linux CFS scheduler ‣ Defense based on hypervisor ‣ General mitigation/solution very hard 44

  45. THE ¡END THANK YOU email: magrazia@cisco.com twitter: @emd3l 45

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti Cisco Systems, Inc. Universita degli Studi di

703 views • 22 slides
Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

520 views • 36 slides
DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate

DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate

DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate Gabrielle Viala @pwissenlit 2019 Yarden Shafir @yarden_shafir About Yarden Shafir Software Engineer at CrowdStrike Circusing most of

776 views • 42 slides
CS 61: Database Systems Security With great power comes great responsibility OR William

CS 61: Database Systems Security With great power comes great responsibility OR William

CS 61: Database Systems Security With great power comes great responsibility OR William Lamb, 2nd Spider Mans Viscount Melbourne uncle Ben 2 Source: Wikipedia Agenda 1. MySQL permissions 2. Demo: SQL injection attacks 3.

542 views • 29 slides
Hello. Its great to be able to make this presenta5on via webinar for all those who were not

Hello. Its great to be able to make this presenta5on via webinar for all those who were not

Hello. Its great to be able to make this presenta5on via webinar for all those who were not able to a9end the recent Triangle Marke5ng Club meetup where I made the same presenta5on. 1 My name is Douglas Burde9 and Im the founder and

707 views • 41 slides
The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build healthy relationships that help them through high school. They make lots of great memories! Band kids score better on standardized tests. The College

618 views • 19 slides
The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build healthy relationships that help them through high school. They make lots of great memories! Band kids score better on standardized tests. The College

457 views • 18 slides
Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben

Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben

Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben Lelonek Nate Rogers CyberPoint is a cyber security company. Were in the business of protecEng whats invaluable to you. Who We Are

1.05k views • 43 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS

USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS

USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS SPEARPHISHING ATTACKS Imbue the email with a sense of trust or authority LURE Spoof (or log in as) the source / name Make the topic such that theyll

632 views • 25 slides
Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume

Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume

Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume Proofread Research online Embassy FREE MONEY Usually awarded based on: Academic achievements Interests & career plans

428 views • 5 slides
Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group

Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group

Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group bencochran@nc.rr.com A Silver Member of the SAS Alliance Make Your Reports Look Great with the Versatile Proc Tabulate by Ben Cochran Bio:

547 views • 32 slides
L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this

L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this

L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this presentation are borrowed from the internet. H OW TO MAKE A GREAT PRESENTATION ? There are hundreds different ways to make a presentation.

494 views • 18 slides
Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your setup before the meeting. We start all calls 10 minutes early, where you can do so. Please connect before the meeting starts. Please join using your

318 views • 13 slides
TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book:

TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book:

TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book: How are they interconnected? Michael J. Donahoo Kenneth L. Calvert Internet Protocol (IP) Morgan Kaufmann Publisher $14.95 Paperback

299 views • 9 slides
TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert

TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert

What will it take TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert Coe SCHOOLS NorthEast Summit 2015 My argument If you make decisions about education, you should be informed by a

474 views • 32 slides
Some challenges of four-dimensional data assimilation problems Juan Carlos De los Reyes Centro

Some challenges of four-dimensional data assimilation problems Juan Carlos De los Reyes Centro

Some challenges of four-dimensional data assimilation problems Juan Carlos De los Reyes Centro de Modelizacin Matemtica (MODEMAT) Escuela Politcnica Nacional de Ecuador New trends in PDE constrained optimization Linz, 2019 1 / 30

706 views • 66 slides
Dark soliton in a disorder potential Magorzata Mochol , Marcin Podzie, Krzysztof Sacha

Dark soliton in a disorder potential Magorzata Mochol , Marcin Podzie, Krzysztof Sacha

Introduction Classical description: Deformation of a dark soliton Quantum description Conclusions Dark soliton in a disorder potential Magorzata Mochol , Marcin Podzie, Krzysztof Sacha Institute of Physics Jagiellonian University in

354 views • 16 slides
Clustering Ciira Maina Dedan Kimathi University of Technology 17th June 2015 Introduction

Clustering Ciira Maina Dedan Kimathi University of Technology 17th June 2015 Introduction

Clustering Ciira Maina Dedan Kimathi University of Technology 17th June 2015 Introduction In most data science applications we are start off with a large collection of objects which form our data set. Clustering is often an initial

1.38k views • 53 slides
Costcompetitive Reduction of Carbon Emissions of up to 80% from the US Electric Sector by 2030

Costcompetitive Reduction of Carbon Emissions of up to 80% from the US Electric Sector by 2030

Costcompetitive Reduction of Carbon Emissions of up to 80% from the US Electric Sector by 2030 Alexander E. MacDonald Christopher Clack* Anneliese Alexander* Adam Dunbar Yuanfu Xie James Wilczak NOAA Earth System Research Laboratory

517 views • 28 slides
Pampa & Edenor Joint Q4 17 Results Call March 13, 2017 10 AM EST / 11 AM ART Disclaimer

Pampa & Edenor Joint Q4 17 Results Call March 13, 2017 10 AM EST / 11 AM ART Disclaimer

Pampa & Edenor Joint Q4 17 Results Call March 13, 2017 10 AM EST / 11 AM ART Disclaimer The material that follows is a presentation of general background information about Pampa Energa SA as of the date of the presentation. It is

418 views • 24 slides
Non-Intrusive Algorithms for Measure-Theoretic Propagation of Uncertainties: Errors,

Non-Intrusive Algorithms for Measure-Theoretic Propagation of Uncertainties: Errors,

Non-Intrusive Algorithms for Measure-Theoretic Propagation of Uncertainties: Errors, Opportunities, and Challenges T. Butler University of Colorado Denver Research supported by DOE DE-SC0009286 and NSF DMS-1228206 Collaborators: Don Estep,

713 views • 38 slides
Trial of Labor after Cesarean I have not had a cesarean delivery Delivery: Which Patients?

Trial of Labor after Cesarean I have not had a cesarean delivery Delivery: Which Patients?

6/6/2014 Disclosures Trial of Labor after Cesarean I have not had a cesarean delivery Delivery: Which Patients? Which I do not get paid more money for doing Hospitals? cesarean deliveries I did help write ACOG PB #115 Jeffrey L

371 views • 16 slides
Interrupted Time-Series Designs for Policy and Intervention Analysis Tim Bruckner, PhD, MPH

Interrupted Time-Series Designs for Policy and Intervention Analysis Tim Bruckner, PhD, MPH

Interrupted Time-Series Designs for Policy and Intervention Analysis Tim Bruckner, PhD, MPH Associate Professor, Public Health University of California, Irvine tim.bruckner@uci.edu https://faculty.sites.uci.edu/bruckner/ Overview why ITS?

719 views • 37 slides

More recommend