nailgun breaking the privilege isolation on arm
play

Nailgun: Breaking the Privilege Isolation on ARM Zhenyu Ning - PowerPoint PPT Presentation

Oct 19, 2023 •259 likes •1.44k views

Nailgun: Breaking the Privilege Isolation on ARM Zhenyu Ning COMPASS Lab Wayne State University Sep 23, 2019 Nailgun: Breaking the Privilege Isolation on ARM 1 Outline I Background I Introduction I Obstacles for Misusing the Traditional

  1. Inter-Processor Debugging We can use one processor on the chip to debug another one on the same chip, and we refer it as inter-processor debugging . I Memory-mapped debugging registers. - Introduced since ARMv7. I No JTAG, No physical access. Nailgun: Breaking the Privilege Isolation on ARM 44

  2. Inter-Processor Debugging Debug Authentication Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Nailgun: Breaking the Privilege Isolation on ARM 45

  3. Obstacles for Misusing the Traditional Debugging Obstacles for attackers: I Obstacle 1 : Physical access. I Obstacle 2 : Debug authentication mechanism. Does debug authentication work as expected? Nailgun: Breaking the Privilege Isolation on ARM 46

  4. Processor in Normal State TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV animation by animate[2015/03/11] MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... TARGET is executing instructions pointed by pc Nailgun: Breaking the Privilege Isolation on ARM 47

  5. Processor in Non-invasive Debugging TARGET (Normal State) ... pc MOV x3, #3 x4, #4 MOV animation by animate[2015/03/11] MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Non-invasive Debugging : Monitoring without control Nailgun: Breaking the Privilege Isolation on ARM 48

  6. Processor in Invasive Debugging TARGET (Debug State) ... MOV x3, #3 pc x4, #4 MOV animation by animate[2015/03/11] MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Invasive Debugging : Control and change status Nailgun: Breaking the Privilege Isolation on ARM 49

  7. ARM Debug Authentication Mechanism TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV animation by animate[2015/03/11] MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Debug Authentication Signal : Whether debugging is allowed Nailgun: Breaking the Privilege Isolation on ARM 50

  8. ARM Debug Authentication Mechanism TARGET (Normal State) ... Debug pc Disabled MOV x3, #3 x4, #4 MOV animation by animate[2015/03/11] MOV x0, x3 x1, x4 MOV LDR pc, [pc, #-0x10] ... Four signals for: Secure/Non-secure, Invasive/Non-invasive Nailgun: Breaking the Privilege Isolation on ARM 51

  9. ARM Ecosystem ARM SoC Vendor OEM User Nailgun: Breaking the Privilege Isolation on ARM 52

  10. ARM Ecosystem ARM SoC Vendor OEM User I ARM licenses technology to the System-On-Chip (SoC) Vendors. - E.g., ARM architectures and Cortex processors I Defines the debug authentication signals. Nailgun: Breaking the Privilege Isolation on ARM 53

  11. ARM Ecosystem ARM SoC Vendor OEM User I The SoC Vendors develop chips for Original Equipment Manufacturers (OEMs). - E.g., Qualcomm Snapdragon SoCs I Implement the debug authentication signals. Nailgun: Breaking the Privilege Isolation on ARM 54

  12. ARM Ecosystem ARM SoC Vendor OEM User I The OEMs produce devices for the users. - E.g., Samsung Galaxy Series and Huawei Mate Series I Configure the debug authentication signals. Nailgun: Breaking the Privilege Isolation on ARM 55

  13. ARM Ecosystem ARM SoC Vendor OEM User I Finally, the User can enjoy the released devices. - Tablets, smartphones, and other devices I Learn the status of debug authentication signals. Nailgun: Breaking the Privilege Isolation on ARM 56

  14. Obstacles for Misusing the Traditional Debugging Obstacles for attackers: I Obstacle 1 : Physical access. I Obstacle 2 : Debug authentication mechanism. Does debug authentication work as expected? Nailgun: Breaking the Privilege Isolation on ARM 57

  15. Debug Authentication Signals I What is the status of the signals in real-world device? I How to manage the signals in real-world device? Nailgun: Breaking the Privilege Isolation on ARM 58

  16. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board 4 4 4 4 Development Boards NXP i.MX53 QSB 6 4 6 6 IoT Devices Raspberry PI 3 B+ 4 4 4 4 64-bit ARM miniNode 4 4 4 4 Cloud Packet Type 2A Server 4 4 4 4 Platforms Scaleway ARM C1 Server 4 4 4 4 Google Nexus 6 6 4 6 6 Samsung Galaxy Note 2 4 4 6 6 Mobile Huawei Mate 7 4 4 4 4 Devices Motorola E4 Plus 4 4 4 4 Xiaomi Redmi 6 4 4 4 4 Nailgun: Breaking the Privilege Isolation on ARM 59

  17. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board 4 4 4 4 Development Boards NXP i.MX53 QSB 6 4 6 6 IoT Devices Raspberry PI 3 B+ 4 4 4 4 64-bit ARM miniNode 4 4 4 4 Cloud Packet Type 2A Server 4 4 4 4 Platforms Scaleway ARM C1 Server 4 4 4 4 Google Nexus 6 6 4 6 6 Samsung Galaxy Note 2 4 4 6 6 Mobile Huawei Mate 7 4 4 4 4 Devices Motorola E4 Plus 4 4 4 4 Xiaomi Redmi 6 4 4 4 4 Nailgun: Breaking the Privilege Isolation on ARM 60

  18. Debug Authentication Signals Table: Debug Authentication Signals on Real Devices. Debug Authentication Signals Category Platform / Device DBGEN NIDEN SPIDEN SPNIDEN ARM Juno r1 Board 4 4 4 4 Development Boards NXP i.MX53 QSB 6 4 6 6 IoT Devices Raspberry PI 3 B+ 4 4 4 4 64-bit ARM miniNode 4 4 4 4 Cloud Packet Type 2A Server 4 4 4 4 Platforms Scaleway ARM C1 Server 4 4 4 4 Google Nexus 6 6 4 6 6 Samsung Galaxy Note 2 4 4 6 6 Mobile Huawei Mate 7 4 4 4 4 Devices Motorola E4 Plus 4 4 4 4 Xiaomi Redmi 6 4 4 4 4 Nailgun: Breaking the Privilege Isolation on ARM 61

  19. Debug Authentication Signals How to manage the signals in real-world device? I For both development boards with manual, we cannot fully control the debug authentication signals. - Signals in i.MX53 QSB can be enabled by JTAG. - The DBGEN and NIDEN in ARM Juno board cannot be disabled. I In some mobile phones, we find that the signals are controlled by One-Time Programmable (OTP) fuse. For all the other devices, nothing is publicly available. Nailgun: Breaking the Privilege Isolation on ARM 62

  20. Obstacles for Misusing the Traditional Debugging Obstacles for attackers: I Obstacle 1 : Physical access. We don’t need physical access to debug a processor. I Obstacle 2 : Debug authentication mechanism. The debug authentication mechanism allows us to debug the processor. Nailgun: Breaking the Privilege Isolation on ARM 63

  21. Outline I Background I Introduction I Obstacles for Misusing the Traditional Debugging I Nailgun Attack I Mitigations I Conclusion Nailgun: Breaking the Privilege Isolation on ARM 64

  22. Inter-processor Debugging Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Nailgun: Breaking the Privilege Isolation on ARM 65

  23. Inter-processor Debugging Memory-mapped Interface Debug Target Debug Host (TARGET) (HOST) Nailgun: Breaking the Privilege Isolation on ARM 66

  24. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Privilege Escalation Request TARGET HOST (Normal State) (Normal State) (High Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) An example SoC system: I Two processors as HOST and TARGET , respectively. I Low-privilege and High-privilege resource. Nailgun: Breaking the Privilege Isolation on ARM 67

  25. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Privilege Escalation Request TARGET HOST (Normal State) (Normal State) (High Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) I Low-privilege refers to non-secure kernel-level privilege I High-privilege refers to any other higher privilege Nailgun: Breaking the Privilege Isolation on ARM 68

  26. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Request (Normal State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) Both processors are only access low-privilege resource. I Normal state I Low-privilege mode Nailgun: Breaking the Privilege Isolation on ARM 69

  27. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Request (Normal State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) HOST sends a Debug Request to TARGET , I TARGET checks its authentication signal. I Privilege of HOST is ignored. Nailgun: Breaking the Privilege Isolation on ARM 70

  28. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Request (Normal State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) HOST sends a Debug Request to TARGET , I TARGET checks its authentication signal. I Privilege of HOST is ignored. Nailgun: Breaking the Privilege Isolation on ARM 71

  29. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Request (Normal State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) Implication: A low-privilege processor can make an arbitrary proces- sor (even a high-privilege processor) enter the debug state. Nailgun: Breaking the Privilege Isolation on ARM 72

  30. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Request (Debug State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) TARGET turns to Debug State according to the request. I Low-privilege mode I No access to high-privilege resource Nailgun: Breaking the Privilege Isolation on ARM 73

  31. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Privilege Escalation TARGET HOST Request (Debug State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) HOST sends a Privilege Escalation Request to TARGET , I E.g., executing DCPS series instructions. I The instructions can be executed at any privilege level. Nailgun: Breaking the Privilege Isolation on ARM 74

  32. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Privilege Escalation TARGET HOST Request (Debug State) (Normal State) (Low Privilege) (Low Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) Implication: The privilege escalation instructions enable a processor running in the debug state to gain a high privilege without restric- tion. Nailgun: Breaking the Privilege Isolation on ARM 75

  33. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Privilege Escalation TARGET HOST Request (Debug State) (Normal State) (Low Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) TARGET turns to High-privilege Mode according to the request. I Debug state, high-privilege mode I Gained access to high-privilege resource Nailgun: Breaking the Privilege Isolation on ARM 76

  34. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Resource Access TARGET HOST Request (Debug State) (Normal State) (Low Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) HOST sends a Resource Access Request to TARGET , I E.g., accessing secure RAM/register/peripheral. I Privilege of HOST is ignored. Nailgun: Breaking the Privilege Isolation on ARM 77

  35. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Resource Access TARGET HOST Request (Debug State) (Normal State) (Low Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) Implication: The instruction execution and resource access in TARGET does not take the privilege of HOST into account. Nailgun: Breaking the Privilege Isolation on ARM 78

  36. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Response (Debug State) (Normal State) (Low Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) TARGET return the result to HOST , I i.e., content of the high-privilege resource. I Privilege of HOST is ignored. Nailgun: Breaking the Privilege Isolation on ARM 79

  37. Nailgun Attack A Multi-processor SoC System High-privilege Resource (Secure RAM/Register/Peripheral) Debug TARGET HOST Response (Debug State) (Normal State) (Low Privilege) (High Privilege) Low-privilege Resource (Non-Secure RAM/Register/Peripheral) HOST gains access to the high-privilege resource while running in, I Normal state I Low-privilege mode Nailgun: Breaking the Privilege Isolation on ARM 80

  38. Nailgun Attack Nailgun: Break the privilege isolation of ARM platform. I Achieve access to high-privilege resource via misusing the ARM debugging features. I Can be used to craft di ff erent attacks. Nailgun: Breaking the Privilege Isolation on ARM 81

  39. Attack Scenarios I Implemented Attack Scenarios: - Inferring AES keys from TrustZone. - Read Secure Configuration Register (SCR). - Arbitrary payload execution in TrustZone. I Covered Architectures: - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture. I Vulnerable Devices: - Development boards, IoT devices, cloud platforms, mobile devices. Nailgun: Breaking the Privilege Isolation on ARM 82

  40. Attack Scenarios I Implemented Attack Scenarios: - Inferring AES keys from TrustZone. - Read Secure Configuration Register (SCR). - Arbitrary payload execution in TrustZone. I Covered Architectures: - ARMv7, 32-bit ARMv8, and 64-bit ARMv8 architecture. I Vulnerable Devices: - Development boards, IoT devices, cloud platforms, mobile devices. Nailgun: Breaking the Privilege Isolation on ARM 83

  41. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... DLR EL0 ... mov X0, #1 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I DLR EL0 points to the debug return address. I VBAR EL3 points to the exception vector in EL3. Nailgun: Breaking the Privilege Isolation on ARM 84

  42. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: DLR EL0 ... mov X0, #1 ... ... VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I With Nailgun, we can directly copy the payload to the secure memory. Nailgun: Breaking the Privilege Isolation on ARM 85

  43. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: DLR EL0 ... smc #0 ... ... VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I Modify the instruction pointed by DLR EL0 to get into TrustZone. Nailgun: Breaking the Privilege Isolation on ARM 86

  44. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: DLR EL0 ... smc #0 ... ... VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ... I Manipulate the exception vector to execute the payload while the SMC exception is routed to EL3. Nailgun: Breaking the Privilege Isolation on ARM 87

  45. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: DLR EL0 ... smc #0 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ... I The last instruction of the payload should be eret . Nailgun: Breaking the Privilege Isolation on ARM 88

  46. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: PC ... smc #0 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ... I Make TARGET exit the debug state. Nailgun: Breaking the Privilege Isolation on ARM 89

  47. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: ... smc #0 ELR EL3 ... eret VBAR EL3 PC + 0x400 b payload ... I ELR EL3 points to the exception return address. Nailgun: Breaking the Privilege Isolation on ARM 90

  48. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: PC ... smc #0 ELR EL3 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b payload ... I The payload get executed. Nailgun: Breaking the Privilege Isolation on ARM 91

  49. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: PC ... smc #0 ELR EL3 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I In the payload, we first restore the exception vector. Nailgun: Breaking the Privilege Isolation on ARM 92

  50. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: ELR EL3 PC ... mov X0, #1 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I Roll back the ELR EL3 register. I Revert the modified instruction. Nailgun: Breaking the Privilege Isolation on ARM 93

  51. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: ELR EL3 ... mov X0, #1 PC ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I The eret instruction will finish the exception handle process. Nailgun: Breaking the Privilege Isolation on ARM 94

  52. Arbitrary Code Execution in TrustZone Non-secure Memory Secure Memory ... payload: PC ... mov X0, #1 ... eret VBAR EL3 VBAR EL3 + 0x400 + 0x400 b handler ... I After that, everything goes back to the original state. Nailgun: Breaking the Privilege Isolation on ARM 95

  53. Nailgun Attack Fingerprint extraction in commercial mobile phone. I Deivce: Huawei Mate 7 (MT-L09) I Firmware: MT7-L09V100R001C00B121SP05 I Fingerprint sensor: FPC1020 We choose this phone because the manual and driver of the fingerprint sensor is publicly available. Similar attack can be demonstrated on other devices with enabled debug authentication signals. Nailgun: Breaking the Privilege Isolation on ARM 96

  54. Nailgun Attack I Step 1: Learn the location of fingerprint data in secure RAM. - Achieved by reverse engineering. I Step 2: Extract the data. - With the inter-processor debugging in Nailgun. I Step 3: Restore fingerprint image from the extracted data. - Read the publicly available sensor manual. Nailgun: Breaking the Privilege Isolation on ARM 97

  55. Nailgun Attack I The right part of the image is blurred for privacy concerns. I Source code: https://compass.cs.wayne.edu/nailgun/ I The issue has been fixed in Huawei devices. Nailgun: Breaking the Privilege Isolation on ARM 98

  56. Nailgun Attack

  57. Disclosure March 2018 Preliminary findings are reported to ARM August 2018 Report to ARM and related OEMs with enriched result October 2018 Issue is reported to MITRE February 2019 PoCs and demos are released April 2019 CVE-2018-18068 is released Nailgun: Breaking the Privilege Isolation on ARM 100

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts

Secure Architecture Principles Isolation and Least Privilege Access Control Concepts Operating Systems Browser Isolation and Least Privilege Original slides were created by Prof. John Mitchel and Suman Janna Some slides are from

1.03k views • 58 slides
X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native

X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native

X-Containers: Breaking Down Barriers to Improve Performance and Isolation of Cloud-Native Containers Zhiming Shen Cornell University Joint work with Zhen Sun, Gur-Eyal Sela, Eugene Bagdasaryan, Christina Delimitrou, Robbert Van Renesse, Hakim

266 views • 26 slides
Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and

CSE 127: Computer Security Privilege separation and isolation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage Chromium security architecture Browser ("kernel") Full privileges (file system,

603 views • 29 slides
Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for

Privilege: An Update Litigation Privilege: a brief definition Confidential Made for dominant purpose of civil or criminal litigation Relate to litigation which is pending, reasonably contemplated, or existing Legal Advice Privilege:

532 views • 20 slides
Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan

CSE 127: Computer Security Least privilege and privilege separation Deian Stefan Slides adopted from John Mitchell, Dan Boneh, and Stefan Savage This week How to build secure systems Least privilege and privilege separation

578 views • 46 slides
Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege

Outline Secure use of the OS Bernsteins perspective CSci 5271 Techniques for privilege separation Introduction to Computer Security Announcements intermission Day 9: OS security basics OS security: protection and isolation Stephen

649 views • 13 slides
Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable

Serializable Snapshot Isolation Making ISOLATION LEVEL SERIALIZABLE Provide Serializable Isolation Dan Ports Kevin Grittner MIT Wisconsin Court System Saturday, May 21, 2011 1 Overview Serializable isolation makes it easier to reason

922 views • 60 slides
Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners

Legal Privilege, Client Communication and Discovery Cayman Islands Legal Practitioners Association Adam Huckle 27 March 2019 Overview What is Privilege? Types: Legal Advice Privilege Litigation Privilege Recent cases

226 views • 18 slides
Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix

Privilege Escala-on Manual privilege escala/on techniques on Unix and Windows Michal Knapkiewicz, May 2016 whoami Senior Consultant at Advanced Security

884 views • 51 slides
+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited

+ The Primacy of Client Privilege: Designing a Statutory Advice Privilege for Accredited Non-Lawyer Tax Advisors Nicole Wilson-Rogers, Annette Morgan and Dale Pinto + Structure Snapshot: Argument advanced in the paper Current Privileges

422 views • 17 slides
Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests

Presenting a live 90-minute webinar with interactive Q&A Attorney-Client Privilege Between Affiliated Entities: Who Owns the Privilege When Interests Diverge? Navigating the Complexities of Joint Representations During Litigation, Spinoffs,

889 views • 42 slides
Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of

Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of

Zones - Containers Server Consolidation Run multiple workloads on system Improve utilization of resources Reduce costs Run workloads in isolation Cannot observe others Security Isolation Running apps as different user not enough - privilege

274 views • 15 slides
I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias

I Control Your Code Attack Vectors through the Eyes of Software-based Fault Isolation Mathias Payer <mathias.payer@nebelwelt.net> Motivation Current exploits are powerful because Applications run on coarse-grained user-privilege

800 views • 39 slides
Side-channels Deian Stefan Slides adopted from Stefan Savage, Nadia Heninger, Sunjay Cauligi

Side-channels Deian Stefan Slides adopted from Stefan Savage, Nadia Heninger, Sunjay Cauligi

CSE 127: Computer Security Side-channels Deian Stefan Slides adopted from Stefan Savage, Nadia Heninger, Sunjay Cauligi Context Isolation is key to building secure systems Used to implement privilege separation, least privilege and

1.21k views • 103 slides
ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating

ADAPTED SPAULDING PYRAMID Making Isolation: How does it work? Patient Isolation- Creating auxiliary isolation rooms (CDC) SCRUBBERS - 1 ea to serve patient room, and 1 for Airlock Typically deployed on supplied wheel platform

144 views • 3 slides
Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client

Presenting a live 90-minute webinar with interactive Q&A Protecting Privilege in Post-Accident Investigations Successfully Asserting Attorney-Client Privilege, Self-Critical Analysis Privilege, Work Product Doctrine and More TUESDAY, MARCH

471 views • 36 slides
Advice-Based Exploration in Model-Based Reinforcement Learning Rodrigo Toro Icarte 1 , 2 Toryn Q.

Advice-Based Exploration in Model-Based Reinforcement Learning Rodrigo Toro Icarte 1 , 2 Toryn Q.

Advice-Based Exploration in Model-Based Reinforcement Learning Rodrigo Toro Icarte 1 , 2 Toryn Q. Klassen 1 Richard Valenzano 1 , 3 Sheila A. McIlraith 1 1 University of Toronto, Toronto, Canada { rntoro,toryn,rvalenzano,sheila } @cs.toronto.edu 2

604 views • 37 slides
Introduction to embodiment Language has function Language is situated Interpreting

Introduction to embodiment Language has function Language is situated Interpreting

Language and Conceptualization Introduction to embodiment Language has function Language is situated Interpreting language requires experiential, embodied understanding of the world linguistic capabilities are created as humans

601 views • 24 slides
Vector Semantics and Embeddings CSE354 - Spring 2020 Natural Language Processing Tasks

Vector Semantics and Embeddings CSE354 - Spring 2020 Natural Language Processing Tasks

Vector Semantics and Embeddings CSE354 - Spring 2020 Natural Language Processing Tasks Dimensionality Reduction Vectors which represent words Recurrent Neural Network and how? or sequences Sequence Models Objective To

1.15k views • 76 slides
"To a man with a hammer, everything looks like a nail" -Mark Twain Underneath the

"To a man with a hammer, everything looks like a nail" -Mark Twain Underneath the

Topic 12 Introduction to Recursion "To a man with a hammer, everything looks like a nail" -Mark Twain Underneath the Hood. CS314 Recursion 2 The Program Stack When you invoke a method in your code what happens when that

728 views • 50 slides
Envelopes and String Art Gregory Quenell 1 Activity: 1 Draw line segments connecting 0 . 8 (0

Envelopes and String Art Gregory Quenell 1 Activity: 1 Draw line segments connecting 0 . 8 (0

Envelopes and String Art Gregory Quenell 1 Activity: 1 Draw line segments connecting 0 . 8 (0 , x ) with (1 x, 0) 0 . 6 for x = 0 . 1 , 0 . 2 , . . . , 0 . 9. 0 . 4 Benefits: 0 . 2 Gives you something to do during calculus class 0 .

349 views • 34 slides
The Fragmentation Attack in Practice Andrea Bittau a.bittau@cs.ucl.ac.uk September 17, 2005 Aim

The Fragmentation Attack in Practice Andrea Bittau a.bittau@cs.ucl.ac.uk September 17, 2005 Aim

Introduction Theory Practice Conclusion 1/24 The Fragmentation Attack in Practice Andrea Bittau a.bittau@cs.ucl.ac.uk September 17, 2005 Aim Introduction Theory Practice Conclusion 2/24 Transmit arbitrary WEP data without knowing the

1k views • 62 slides
Ring Models for Group Candidates William McCune August 2004 http://www.mcs.anl.gov/

Ring Models for Group Candidates William McCune August 2004 http://www.mcs.anl.gov/

Ring Models for Group Candidates William McCune August 2004 http://www.mcs.anl.gov/ mccune/projects/gtsax/

373 views • 9 slides
CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001

CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001

CS 557 Inter-Domain Routing Introduction to BGP Routing Tutorial slides from Tim Griffin, 2001 Spring 2013 Inter-domain Routing 2153 11537 1706 52 FRGP Level 3 ARIZONA ColoState Autonomous Systems (AS) Border Gateway Protocol

566 views • 30 slides

More recommend