subverting system authentication with context aware
play

Subverting System Authentication With Context-Aware, Reactive - PowerPoint PPT Presentation

Oct 02, 2022 •277 likes •814 views

Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The

  1. Background Detailed Design Implementation Evaluation Related Work Summary Subverting System Authentication With Context-Aware, Reactive Virtual Machine Introspection Yangchun Fu , Zhiqiang Lin, Kevin Hamlen Department of Computer Science The University of Texas at Dallas December 12 th , 2013

  2. Background Detailed Design Implementation Evaluation Related Work Summary Outline Background 1 Detailed Design 2 Implementation 3 Evaluation 4 5 Related Work Summary 6

  3. Outline Background 1 Detailed Design 2 Implementation 3 Evaluation 4 Related Work 5 Summary 6

  4. Background Detailed Design Implementation Evaluation Related Work Summary Traditional computer system structure login sshd Vsftpd Target OS Hardware

  5. Background Detailed Design Implementation Evaluation Related Work Summary Traditional computer system structure Authentication protection Mechanism login sshd Vsftpd Anti-debugging Logic Cryptographic Security Target OS Code Obfuscation Hardware Self-Checking Trust?

  6. Background Detailed Design Implementation Evaluation Related Work Summary Traditional computer system structure Authentication protection Mechanism login sshd Vsftpd anti-debugging logic cryptographic security Target OS code obfuscation Hardware self-checking Trust?

  7. Background Detailed Design Implementation Evaluation Related Work Summary Virtualization login sshd Vsftpd login sshd Vsftpd Target OS VMM Target OS Hardware Hardware

  8. Background Detailed Design Implementation Evaluation Related Work Summary Motivations Adding a virtualization layer login sshd Vsftpd VMM runs at higher privilege than guest OS Target OS Great isolation, more stealthy VMM A full control of guest OS A grand view of the entire Hardware state of guest OS.

  9. Background Detailed Design Implementation Evaluation Related Work Summary Malicious VMM Goal Subverting authentication(e.g., login ) with Context-Aware, Reactive Virtual Machine Introspection(VMI) Attackers can gain fun and profit: Accessing sensitive data in a computer (e.g., a laptop, or a VM)

  10. Background Detailed Design Implementation Evaluation Related Work Summary Malicious VMM Goal Subverting authentication(e.g., login ) with Context-Aware, Reactive Virtual Machine Introspection(VMI) Attackers can gain fun and profit: Accessing sensitive data in a computer (e.g., a laptop, or a VM) Assumptions Assume physical access (lost of laptop, VMs running in a cloud) Possible attackers/users Malicious cloud providers (cloud being compromised) Law enforcement (accessing criminal’s computer, note that a physical machine can be virtualized)

  11. Background Detailed Design Implementation Evaluation Related Work Summary Running a machine inside a malicious VMM

  12. Background Detailed Design Implementation Evaluation Related Work Summary Running a machine inside a malicious VMM Inception Attack Changing your idea using a dream Dream can be inside a dream

  13. Background Detailed Design Implementation Evaluation Related Work Summary Running a machine inside a malicious VMM Inception Attack Changing your idea using a dream Dream can be inside a dream Malicious Virtualization Monitor Running a machine inside a virtual machine We change the guest OS state from the malicious virtual machine without the awareness from any insider programs

  14. Background Detailed Design Implementation Evaluation Related Work Summary How it works

  15. Background Detailed Design Implementation Evaluation Related Work Summary How it works

  16. Background Detailed Design Implementation Evaluation Related Work Summary How it works

  17. Background Detailed Design Implementation Evaluation Related Work Summary How it works

  18. Background Detailed Design Implementation Evaluation Related Work Summary How it works Malicious Virtual Machine Monitor (X86) Hardware

  19. Background Detailed Design Implementation Evaluation Related Work Summary How it works Malicious Virtual Machine Monitor (X86) Hardware

  20. Outline Background 1 Detailed Design 2 Implementation 3 Evaluation 4 Related Work 5 Summary 6

  21. Background Detailed Design Implementation Evaluation Related Work Summary Overview EAX& ESP& Vic6m) Vic6m) EBX& EBP& Process)Code) Process)Data) ECX& ESI& EDX& EDI& EIP& …& login Process& Opera8ng&Systems&(Linux/Windows)& Syscall)Execu6on) Context2aware,) Instruc6on)Execu6on) Tampering) Reac6ve)Introspec6on) Tampering) Malicious)Virtual)Machine)Monitor) (X86)&Hardware&

  22. Background Detailed Design Implementation Evaluation Related Work Summary Using Hardware Virtualization EAX& ESP& Vic6m) Vic6m) EBX& EBP& Process)Code) Process)Data) ECX& ESI& EDX& EDI& EIP& …& login Process& Opera8ng&Systems&(Linux/Windows)& Syscall)Execu6on) Context2aware,) Instruc6on)Execu6on) Tampering) Reac6ve)Introspec6on) Tampering) Malicious)Virtual)Machine)Monitor) Hardware) Virtualiza6on)(Xen/ (X86)&Hardware& KVM))

  23. Background Detailed Design Implementation Evaluation Related Work Summary Using Software Virtualization EAX& ESP& Vic6m) Vic6m) EBX& EBP& Process)Code) Process)Data) ECX& ESI& EDX& EDI& EIP& …& login Process& Opera8ng&Systems&(Linux/Windows)& Syscall)Execu6on) Context2aware,) Instruc6on)Execu6on) Tampering) Reac6ve)Introspec6on) Tampering) Malicious)Virtual)Machine)Monitor) SoJware) (X86)&Hardware& Virtualiza6on)(QEMU))

  24. Background Detailed Design Implementation Evaluation Related Work Summary Working Example: from instructions perspective if (pw_auth (user_passwd, username, reason, (char *) 0) == 0) { 804a868: a1 0c 62 05 08 mov 0x805620c,%eax 804a86d: c7 44 24 0c 00 00 00 movl $0x0,0xc(%esp) 804a874: 00 804a875: 89 3c 24 mov %edi,(%esp) 804a878: 89 44 24 08 mov %eax,0x8(%esp) 804a87c: a1 48 65 05 08 mov 0x8056548,%eax 804a881: 89 44 24 04 mov %eax,0x4(%esp) 804a885: e8 86 87 00 00 call 8053010<pw_auth> 804a88a: 85 c0 test %eax,%eax 804a88c: 0f 84 6d fd ff ff je 804a5ff<main+0x64f> goto auth_ok; } Figure : Binary Code Snippet of the login Program.

  25. Background Detailed Design Implementation Evaluation Related Work Summary Insight-I Instruction Execution Tampering Tampering with Instruction Opcode 804a88c:0f 84 (je) → 0f 85 (jne) Tampering with Instruction Operand 804a88a:test %eax,%eax → Tampering w/ eax / EFLAGS Tampering with both Opcode and Operand 804a885:call 8053010 → mov $0,%eax

  26. Background Detailed Design Implementation Evaluation Related Work Summary Working Example: from system call perspective 1 execve("/bin/login", ["login"], [/* 16 vars */]) = 0 2 uname({sys="Linux", node="ubuntu", ...}) = 0 ... 409 open("/etc/passwd", O_RDONLY) = 4 410 fcntl64(4, F_GETFD) = 0 411 fcntl64(4, F_SETFD, FD_CLOEXEC) = 0 412 _llseek(4, 0, [0], SEEK_CUR) = 0 413 fstat64(4, {st_mode=S_IFREG|0644, st_size=952, ...}) = 0 414 mmap2(NULL, 952, PROT_READ, MAP_SHARED, 4, 0) = 0x4021a000 415 _llseek(4, 952, [952], SEEK_SET) = 0 416 munmap(0x4021a000, 952) = 0 417 close(4) = 0 418 open("/etc/shadow", O_RDONLY) = 4 419 fcntl64(4, F_GETFD) = 0 420 fcntl64(4, F_SETFD, FD_CLOEXEC) = 0 421 _llseek(4, 0, [0], SEEK_CUR) = 0 422 fstat64(4, {st_mode=S_IFREG|0640, st_size=657, ...}) = 0 423 mmap2(NULL, 657, PROT_READ, MAP_SHARED, 4, 0) = 0x4021a000 424 _llseek(4, 657, [657], SEEK_SET) = 0 425 munmap(0x4021a000, 657) = 0 426 close(4) = 0 ... Figure : System Call Trace Snippet of the login Program.

  27. Background Detailed Design Implementation Evaluation Related Work Summary Insight-II System Call Execution Tampering Tampering with Disk-IO Syscall Replacing /etc/shadow file when it loads to the memory. Essentially a man-in-the-middle Attack. We can hijack the file open syscall and provide an attacker controlled password file Tampering with Memory-Map Syscall Tampering with mmap2 syscall by replacing the memory contents mapped by this syscall (immediately after it finishes) with the password hash values we control.

  28. Background Detailed Design Implementation Evaluation Related Work Summary Insight-II System Call Execution Tampering Tampering with Disk-IO Syscall Replacing /etc/shadow file when it loads to the memory. Essentially a man-in-the-middle Attack. We can hijack the file open syscall and provide an attacker controlled password file Tampering with Memory-Map Syscall Tampering with mmap2 syscall by replacing the memory contents mapped by this syscall (immediately after it finishes) with the password hash values we control. Advantages Transparent, can work for many other login types of programs No binary code reverse engineering

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P

Toolkit to Support Intelligibility in Context Aware Applications Context-Aware Applications P Presented by Mary Salinas t d b M S li What problem are they trying to solve? l ? Context-aware applications are great for Context aware

164 views • 13 slides
A Context-Aware Multi-Agent System for AmI Environments

A Context-Aware Multi-Agent System for AmI Environments

A Context-Aware Multi-Agent System for AmI Environments Andrei Olaru Supervisors: Adina Magda Florea, AI-MAS Lab, UPB Amal El Fallah Seghrouchni,

459 views • 7 slides
Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz,

Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz,

Light-Weight, Delay-Aware and Scalable Authentication for Smart-Grid System Dr. Attila A. Yavuz, Oregon State University Presented by Muslum Ozgur Ozmen Funded by the U.S. Department of Energy and the U.S. Department of Homeland Security |

138 views • 10 slides
A Context-Aware Multi-Agent System for AmI Environments

A Context-Aware Multi-Agent System for AmI Environments

A Context-Aware Multi-Agent System for AmI Environments Andrei Olaru Scientific advisers: Adina Magda Florea, AI-MAS Lab, UPB

837 views • 70 slides
Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad

Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad

Context- -aware Migratory Services aware Migratory Services Context in Ad Hoc Networks* in Ad Hoc Networks* Rutgers-Helsinki Ph.D. Student Workshop on Spontaneous Networking 8-12th May 2006 Oriana Riva University of Helsinki, Dep. of

361 views • 15 slides
Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti Cisco Systems, Inc. Universita degli Studi di

703 views • 22 slides
A Context-Aware Multi-Agent System for Ambient Intelligence Environments

A Context-Aware Multi-Agent System for Ambient Intelligence Environments

A Context-Aware Multi-Agent System for Ambient Intelligence Environments Andrei Olaru University Politehnica of Bucharest

728 views • 41 slides
A Context-Aware Multi-Agent System for AmI Environments PhD thesis proposal

A Context-Aware Multi-Agent System for AmI Environments PhD thesis proposal

A Context-Aware Multi-Agent System for AmI Environments PhD thesis proposal Andrei Olaru Supervisors: Adina Magda

655 views • 41 slides
On the Design Framework of Context Aware Embedded System Xian-He Sun With Abhay Daftari, Nehal

On the Design Framework of Context Aware Embedded System Xian-He Sun With Abhay Daftari, Nehal

On the Design Framework of Context Aware Embedded System Xian-He Sun With Abhay Daftari, Nehal Mehta, Shubhanan Bakre Illinois Institute of Technology Monterey workshop 03 Request Position, View Point Software Engineering for

1.06k views • 29 slides
Im Feeling LoCo: A Location Based Context Aware Recommendation System Saiph Savage 1 , Maciej

Im Feeling LoCo: A Location Based Context Aware Recommendation System Saiph Savage 1 , Maciej

Im Feeling LoCo: A Location Based Context Aware Recommendation System Saiph Savage 1 , Maciej Baranski 1 , Norma Elva Chavez 2 , Tobias Hollerer 1 1 University of California, Santa Barbara 2 Universidad Nacional Autonoma de Mexico 1

443 views • 26 slides
Component- -based, Context based, Context- -aware aware Component Software Systems Software

Component- -based, Context based, Context- -aware aware Component Software Systems Software

Component- -based, Context based, Context- -aware aware Component Software Systems Software Systems Workshop on Spontaneous Networking Rutgers University Michael Przybilski 1 10.05.2006 michael.przybilski@cs.helsinki.fi Outline

593 views • 19 slides
Recommender System in KKBOX Simple Complex Ranking Model Collaborative Persona Aware based

Recommender System in KKBOX Simple Complex Ranking Model Collaborative Persona Aware based

Recommender System in KKBOX Simple Complex Ranking Model Collaborative Persona Aware based Filtering Embedding Attribute Based Context Aware Representation #Item x #users x #attributes Serendipity/Novelty Diversity Precision

346 views • 34 slides
Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing

Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing

Intro to Context-Aware Computing Matthew Lee 05-899 Special Topics in Ubiquitous Computing Readings Context-Aware Computing Applications, by Bill Schilit, Norman Adams, and Roy Want Ask not for whom the cell phone tolls: Some problems

923 views • 27 slides
A component-based approach for Context-Aware Systems specification Brahim Djoudi , Chafia

A component-based approach for Context-Aware Systems specification Brahim Djoudi , Chafia

Constantine 2 University LIRE laboratory Team Software Engineering and Distributed Systems A component-based approach for Context-Aware Systems specification Brahim Djoudi , Chafia Bouanaka, Nadia Zeghib Plan Introduction Context-Aware

477 views • 35 slides
Management Challenges of Context Management Challenges of Context- - Aware Services in

Management Challenges of Context Management Challenges of Context- - Aware Services in

DSOM 2003 DSOM 2003 Management Challenges of Context Management Challenges of Context- - Aware Services in Ubiquitous Aware Services in Ubiquitous Environments Environments Heinz-Gerd Hegering, Axel Kpper Claudia Linnhoff-Popien, Helmut

307 views • 6 slides
Context-aware recommendation Eirini Kolomvrezou, Hendrik Heuer Special Course in Computer and

Context-aware recommendation Eirini Kolomvrezou, Hendrik Heuer Special Course in Computer and

Context-aware recommendation Eirini Kolomvrezou, Hendrik Heuer Special Course in Computer and Information Science User Modelling &amp; Recommender Systems Aalto University Context-aware recommendation 2 Recommendation Problem

479 views • 34 slides
COMP 50: Autonomous Additional Research Talk Option Intelligent Robotics Collaborative

COMP 50: Autonomous Additional Research Talk Option Intelligent Robotics Collaborative

COMP 50: Autonomous Additional Research Talk Option Intelligent Robotics Collaborative All-Weather Sensing for Automated Vehicles Todd E. Humphreys UT Austin Thursday, March 15 th , 3:00 pm @ Nelson Auditorium SEC Anderson 112 Graduate

279 views • 7 slides
Strategy Learning Culture 1 3/6/17 &amp; Introductions Questions Todays Focus 1. New

Strategy Learning Culture 1 3/6/17 &amp; Introductions Questions Todays Focus 1. New

3/6/17 Strategy Transformation with the Agile Canvas Twitter: @thriveworkteam Facebook: @thriveatworkteam Materials Available: http://thriveatworkteam.com/agilecanvas thriveatworkteam.com ThriveatworkTeam.com Your best future is possible

263 views • 12 slides
Variational Inference for Adaptor Gramars Shay Cohen School of Computer Science Carnegie Mellon

Variational Inference for Adaptor Gramars Shay Cohen School of Computer Science Carnegie Mellon

Variational Inference for Adaptor Gramars Shay Cohen School of Computer Science Carnegie Mellon University David Blei Computer Science Department Princeton University Noah Smith School of Computer Science Carnegie Mellon University Shay

456 views • 32 slides
Daphne Taylor &amp; Suncica Getter Dreaming into the Future of Coaching Introduction to the

Daphne Taylor &amp; Suncica Getter Dreaming into the Future of Coaching Introduction to the

Inspiring Coaching: The Next 20 Years Dreaming Into the Future of Coaching Daphne Taylor &amp; Suncica Getter Dreaming into the Future of Coaching Introduction to the Model of Three Levels of Reality Model developed by CRR Global Inc, based on

506 views • 23 slides
Agency Partnership Caf Caf Purpose To share our experiences with successful community

Agency Partnership Caf Caf Purpose To share our experiences with successful community

Agency Partnership Caf Caf Purpose To share our experiences with successful community collaborations. Explore hopes for our programs. Discuss what we need from our communities, the agency network and the Foodbank to make change.

275 views • 12 slides
Speculative Everything: Design, Fiction, and Social Dreaming Dunne &amp; Raby Dreams

Speculative Everything: Design, Fiction, and Social Dreaming Dunne &amp; Raby Dreams

Speculative Everything: Design, Fiction, and Social Dreaming Dunne &amp; Raby Dreams seem to be downgraded to hopes, Speculative Everything: and design is seen as a problem-solving practice. Design, Fiction, and

244 views • 6 slides
Attention, Binding, and Consciousness 1. Perceptual binding, dynamic binding 2. Neural

Attention, Binding, and Consciousness 1. Perceptual binding, dynamic binding 2. Neural

4/18/17 Attention, Binding, and Consciousness 1. Perceptual binding, dynamic binding 2. Neural Correlates of Consciousness: Binocular rivalry 3. Attention vs. consciousness 4. Binding revisited: Split-brain, split-consciousness 2 1

534 views • 17 slides
Frege purely functional programming on the JVM GOTO Berlin 2015 Dierk Knig canoo

Frege purely functional programming on the JVM GOTO Berlin 2015 Dierk Knig canoo

Frege purely functional programming on the JVM GOTO Berlin 2015 Dierk Knig canoo mittie Dreaming of code Why do we care? a = 1 1 1 2 2 b = 2 tj me 1 c = b 1 1 2 tj me 2 b = a 1 2 2 tj me 3 a = c 1 2 place 1 place 2

721 views • 37 slides

More recommend