a peek under the blue coat
play

A peek under the Blue Coat ProxySG internals Raphal Rigo / AGI / - PowerPoint PPT Presentation

Dec 12, 2022 •205 likes •640 views

A peek under the Blue Coat ProxySG internals Raphal Rigo / AGI / TX5IT Ruxcon - 2015-10-24 A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding

  1. A peek under the Blue Coat ProxySG internals Raphaël Rigo / AGI / TX5IT Ruxcon - 2015-10-24

  2. A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding internals 5 Security mechanisms 6 Conclusion 7 Ruxcon - 2015-10-24 2

  3. A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding internals 5 Security mechanisms 6 Conclusion 7 Ruxcon - 2015-10-24 3

  4. A peek under the Blue Coat What? Why? Blue Coat ProxySG? enterprise (Web) proxy one of the most deployed in big companies lots of complex features: URL categorization (WebSense and others) video streaming / instant messaging specific handling MAPI and SMB proxy / cache / prefetcher etc. runs proprietary SGOS Why research ProxySG? widely used in Airbus Group interesting target for malicious actors: log bypass, Internet exposed, MITM, etc. no known previous research: unknown security level security bulletins: mostly OpenSSL and Web administration interface bugs Ruxcon - 2015-10-24 4

  5. A peek under the Blue Coat Research Study objectives: assess the global security level write recommendations for secure deployment be prepared for forensics in case of a compromised ProxySG Why publish? first public info but surely not first research foster research = ⇒ better security Today’s presentation: raw technical results, as a starting point for research goes from low level (FS) to high level, following our approach applies to all ProxySG models and 6.x versions up to Q1 2015 Ruxcon - 2015-10-24 5

  6. A peek under the Blue Coat Getting started Running ProxySG: hardware: commodity x86 CPUs, HDD, etc. VMware appliances Common versions: 5.5: older version, EOL Aug 2014 6.2: previous long term release , EOL Oct 2015 6.5: latest long term release , recommended by BC To get a first look, we need to access the filesystem: 6.? ( ≥ 6.4): small FAT32 partition containing proprietary BCFS image older versions: fully proprietary disk partitionning/data (no FAT32) Ruxcon - 2015-10-24 6

  7. A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding internals 5 Security mechanisms 6 Conclusion 7 Ruxcon - 2015-10-24 7

  8. A peek under the Blue Coat On disk data: intro Hardware Basic architecture: 3 disks (or more) small CompactFlash or SSD for OS (FAT32) 2 or more drives for data (proprietary FS) Filesystems Remarks unknowns: static, read-only FS for OS ( BCFS ): OS files CEFS structures log storage format low level (static) configuration: kernel options, resource limits on-disk partition structures are very cache engine FS based on hash complex tables ( CEFS ) (Patent US7539818) today: only static FS (BCFS) for OS registry in CEFS for settings files Ruxcon - 2015-10-24 8

  9. A peek under the Blue Coat System disk organization (BIOS mode) Files on FAT32 partition bootloader: starter.si 6 MiB /sgos/boot/systems/system1 /sgos/boot/cmpnts/starter.si basic SGOS (UP kernel, drivers, no /sgos/boot/cmpnts/boot.exe application) /sgos/boot/meta.txt looks up available systems /sgos/fbr.con displays GRUB-like boot menu Both starter.si and system1 use BCFS Real OS: system1 210 MiB full blown OS: SMP kernel Web UI actual applications etc. Ruxcon - 2015-10-24 9

  10. A peek under the Blue Coat Boot sequence (BIOS) BIOS 1 MBR 2 boot sector of active partition 3 boot.exe , found by hardcoded sector number 4 kernel.exe , first file entry in starter.si FS 5 kernel starts sequencer.exe , second entry in starter.si 6 sequencer.exe parses the main.cfg script and starts the necessary drivers 7 main.cfg finally launches starter.exe which displays the boot menu 8 starter.exe loads the selected system 9 Ruxcon - 2015-10-24 10

  11. A peek under the Blue Coat BCFS (read-only FS) format String Table _CP_ xxxx xxxx _HP_ .size .offset .crc32 czk How to extract? .size .offset .crc32 data . . . .HMAC czk (6.5) read CPCE entries, .HMAC data (6.5) 1 +0xc00 Strings _CP_ xxxx xxxx _CZK note offsets for .data_size .nr_cpce strings table and +0xd0 _CP_ xxxx xxxx _CE_ Files Table files table .elmnts {.nr .sz} _CP_ xxxx xxxx _IE_ 0x4000 .offset = str table .abs_off +0x40 parse files table .rel_off 2 _CP_ xxxx xxxx _CE_ ———– .elmnts {.nr .sz} (CPIE) linearly .offset .offset = cpve table .size +0x40 _CP_ xxxx xxxx _CE_ get file name from _CP_ xxxx xxxx _IE_ 3 .elmnts {.nr .sz} .abs_off .offset = cpie table strings table .rel_off +0x40 ———– _CP_ xxxx xxxx _CE_ .offset empty .size How to modify? ... ... string table cannot increase file 1 CPVE table Files content size CPIE table fix CRC and HMAC 2 Ruxcon - 2015-10-24 11

  12. A peek under the Blue Coat System image configuration variables (CPVE) offset and size specified by 3rd _CP_ _CE_ entry modifying the variable implies fixing CRC/HMAC and reboot variable names can be found in sequencer.exe Structure Known variables ( section , number : description ) Section 4, kernel : struct cpve_entry { uint32_t magic1; /* _CP_ */ 4,0: flags : uint64_t unk; 0x8: GDB monitor enabled uint32_t magic2; /* _VE_ */ 0x200: int3 at OS startup 0x400: kernel debug logs enabled uint16_t number; 4,1: arch_flags uint16_t section; 1: activate Write Protect in cr0 uint32_t unk2; uint64_t value; } 4,3: console_speed (in bauds) Ruxcon - 2015-10-24 12

  13. A peek under the Blue Coat Cache Engine FS (CEFS): writable storage hash-table object storage with disk backend mostly used for cache data: web content CIFS files MAPI mails etc. regular files are also supported, with prefix /legacy/cache_engine/ Some files (paths straight from the code, no typo) .../persistent/replicated/authorized_keys .../persistent/replicated/volatile//config/v9/registry/registry.xml .../transient//snmp.log .../persistent/replicated/licensing_certificate Ruxcon - 2015-10-24 13

  14. A peek under the Blue Coat Registry: settings storage tree structure used for all settings entries are referenced by strings like “config:Authenticator:local_users” on-disk storage: xml file on writable CEFS URLs (admin rights needed) Interesting CLI extensions (cf slide 24) /registry/show reg-set /registry/registry.html reg-delete /registry/registry.xml reg-list /registry/debug reg-trace Ruxcon - 2015-10-24 14

  15. A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding internals 5 Security mechanisms 6 Conclusion 7 Ruxcon - 2015-10-24 15

  16. A peek under the Blue Coat OS Filesystem organization / *.cfg var/[...]/lib/lib(gcc_s|stdc++)_sgos.so home/jenkins/workspace/SGOS6_sg_6_5_xx7/scorpius/sg_6_5_xx7/ bootchain/x86/release/ bin/x86_64/sgos_native/release/gcc_v4.4.2/ data files stripped/ libs and programs mp_cr/kernel.exe storage/ drivers .exe Ruxcon - 2015-10-24 16

  17. A peek under the Blue Coat ELF files: kernel, libs, programs Everything interesting is located in .../stripped/ : .exe , .exe.so and .so extensions (version 5 was using PE files) 32 or 64 bits ELF files, depending on model (RAM size?) everything in C++, compiled with g++ with custom sgos target lots of unit tests more than 2600 source files referenced everything is stripped, but lots of external symbols heavy template use: AMI::Config_Data::Config_Data(AMI::Storage_Class, AMI::String_Ref const&, AMI::Shared_Ptr<AMI::Installed_Systems const> const&, AMI::Shared_Ptr<AMI::Config_General const> const&, AMI::Shared_Ptr<AMI::Shell const> const&, AMI::Shared_Ptr<AMI::SSL const> const&, AMI::Shared_Ptr<AMI::SMTP_Data const> const&, AMI::Shared_Ptr<AMI::BC_Threat_Protection const> const&, AMI::Shared_Ptr<AMI::Banner_Settings const> const&, AMI::Shared_Ptr<AMI::Policy_Settings const> const&, AMI::Shared_Ptr<AMI::Statistics_Export_Settings const> const&) “custom” ABI in 32 bits (probably gcc called with -mregparm ): EAX, EDX, ECX, stack in 64 bits, standard SysV ABI: RDI, RSI, RDX, RCX, R8, R9, stack Ruxcon - 2015-10-24 17

  18. A peek under the Blue Coat Known code? Interesting open source libraries (version numbers from 6.5 release, Aug 2014): BGET: memory allocator (first dev in 1972!) NET-SNMP 5.4.2.1 (2008-10-31) newlib: libc expat 1.95.2: XML parser (2001!) libxml2 2.7.7-82143f4 (2010-11-04) OpenSSH 6.3 (2013-09-13) OpenSSL 1.0.1e (2013-02-11) zlib 1.2.3 (2005-07-18) Blue Coat states that they backport fixes regularly (without necessarily changing the version string) . Ruxcon - 2015-10-24 18

  19. A peek under the Blue Coat Outline Introduction 1 Storage: filesystems and registry 2 Binaries 3 Kernel and OS mechanisms 4 Understanding internals 5 Security mechanisms 6 Conclusion 7 Ruxcon - 2015-10-24 19

  20. A peek under the Blue Coat Kernel The kernel in practice Some syscalls kernel access partially abstracted in Nop Suicide libknl_api.so Enable_event_logging small (~800 KiB), basic primitives: Register_worker_address interrupt/exception handling semaphores/locks Symbol_address message passing Processor_voltage drivers Semaphore_signal_all ds:1014h points to a “TEB”-like Grow_stack structure Ruxcon - 2015-10-24 20

Recommend

COVID-19 Wider opening at Blue Coat school Welcome Back! We have really missed you all

COVID-19 Wider opening at Blue Coat school Welcome Back! We have really missed you all

COVID-19 Wider opening at Blue Coat school Welcome Back! We have really missed you all COVID- 19 a time of uncertainty, anxiety and constant change. Blue Coat . the same staff, the same values, the same care. We are here for

701 views • 31 slides
E E -CoAT -CoAT E uropean Cooperation of Abuse fighting Teams Remarks on E -CoAT

E E -CoAT -CoAT E uropean Cooperation of Abuse fighting Teams Remarks on E -CoAT

E E -CoAT -CoAT E uropean Cooperation of Abuse fighting Teams Remarks on E -CoAT TF-CSIRT/ FIRST joint event Amsterdam, January 2006 Don Stikvoort (e-coat workshop chair) S ORBS blacklist entries FI 5036 BR 173885 US 330142 CH

569 views • 10 slides
Dawes Reunion 2014 Healdsburg CA 1 Dawes Coat of Arms Silver: three gold swans on a blue

Dawes Reunion 2014 Healdsburg CA 1 Dawes Coat of Arms Silver: three gold swans on a blue

Dawes Reunion 2014 Healdsburg CA 1 Dawes Coat of Arms Silver: three gold swans on a blue diagonal bend between two narrow red diagonal bends, accompanied by six black battle axes. Above the shield and helmet is the crest which is

643 views • 61 slides
The Blue Coat School Ski Trip 2020 Saalbach Austria 1) Key Information for the trip 2) Safety

The Blue Coat School Ski Trip 2020 Saalbach Austria 1) Key Information for the trip 2) Safety

The Blue Coat School Ski Trip 2020 Saalbach Austria 1) Key Information for the trip 2) Safety on and off the slopes 3) Behaviour expectations 4) Ski Rossendale Information 5) AC Sports Clothing Key Information for the Trip Friday 14 th

568 views • 18 slides
A Level French Blue Coat Church of England Coventry This presentation will cover.. A level

A Level French Blue Coat Church of England Coventry This presentation will cover.. A level

A Level French Blue Coat Church of England Coventry This presentation will cover.. A level changes and Q &amp; As Year 12 Year 13 Exams Grammar trailer + task A level what next 10 reasons ... NEW A LEVEL FRENCH

885 views • 30 slides
Coat of arms Knights couldnt tell who was on their side and who the enemies were so they

Coat of arms Knights couldnt tell who was on their side and who the enemies were so they

Coat of arms Knights couldnt tell who was on their side and who the enemies were so they painted patterns on their shields. It became fashionable to have a Coat of Arms. People hired artists to design them. Some famous coat of

315 views • 7 slides
Mt. San Jacinto College Student Health Center Kay Peek, DBA, RN, MSHCM, PHN C. Grant Peek, MD,

Mt. San Jacinto College Student Health Center Kay Peek, DBA, RN, MSHCM, PHN C. Grant Peek, MD,

Mt. San Jacinto College Student Health Center Kay Peek, DBA, RN, MSHCM, PHN C. Grant Peek, MD, ABEM, CAEP The Chancellors office and the Ed. Code have provided extensive guidance in reference to Student Health Services for California

293 views • 13 slides
Calibration and Simulation of the Automotive E-Coat Dipping Process in STAR-CCM+ (V8.02) Frank

Calibration and Simulation of the Automotive E-Coat Dipping Process in STAR-CCM+ (V8.02) Frank

Calibration and Simulation of the Automotive E-Coat Dipping Process in STAR-CCM+ (V8.02) Frank Pfluger, Klaus Wechsler CD-adapco How Virtual Manufacturing Can Support Digital Product Development Better Corrosion Protection by E-Coat

2.07k views • 23 slides
Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A

Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A

Blue A Sketch Model Review Blue A Blue A Smooth Passenger Bag Be Gone Talker Blue A SMOOTH TALKER Blue A !!!! Users 515,000 children in America with ASD who communicate verbally Design Blue A Fastening

246 views • 10 slides
www.inari.fi INARI MUNICIPALITY Established in 1876 MUNICIPAL COAT OF ARMS Silver whitefish

www.inari.fi INARI MUNICIPALITY Established in 1876 MUNICIPAL COAT OF ARMS Silver whitefish

www.inari.fi INARI MUNICIPALITY Established in 1876 MUNICIPAL COAT OF ARMS Silver whitefish with golden reindeer antlers on a black background. The coat of arms symbolizes traditional sources of livelihood in the municipality. Designer: Ahti

470 views • 44 slides
Meet Akira Sneak Peek July 2020 with Ilsa Hampton, CEO Proudly supported by This

Meet Akira Sneak Peek July 2020 with Ilsa Hampton, CEO Proudly supported by This

Meet Akira Sneak Peek July 2020 with Ilsa Hampton, CEO Proudly supported by This presentation 1. Show you how Meet Akira was designed. 2. Give you a sneak peek at the experience. A little history: PCA workforce Digital

917 views • 63 slides
Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant

Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant

Web-pages Email Green Blue Blue Blue Red Red Text visualization Why use text in visualization? Instant messages Digitized books, articles Lucas Rizoli CPSC 533C, November 2006 2 3 4 Fast Text can be a dense representation New York

576 views • 3 slides
Cellulose biosynthesis in Arabidopsis seed coat epidermal cells Jonathan Griffiths Incoming from

Cellulose biosynthesis in Arabidopsis seed coat epidermal cells Jonathan Griffiths Incoming from

Cellulose biosynthesis in Arabidopsis seed coat epidermal cells Jonathan Griffiths Incoming from Canada Genetics http://www.brookings.edu Huffington Post The Plant Cell Wall Seed coat mucilage is a good model for cell wall biosynthesis

272 views • 15 slides
Website Sneak Peek &amp; Social Media Tips Elizabeth Elmore (ABJ 08, BBA 08) Director of

Website Sneak Peek &amp; Social Media Tips Elizabeth Elmore (ABJ 08, BBA 08) Director of

Website Sneak Peek &amp; Social Media Tips Elizabeth Elmore (ABJ 08, BBA 08) Director of Communications Division of Development and Alumni Relations Topics Website Sneak Peek Five Social Media Tips Boosted Posts vs. Paid

491 views • 36 slides
2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield

2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield

2020 Blue's Tour August 2020 We would like to Welcome you on behalf of Blue Cross and Blue Shield of Kansas to the 2020 Blue's Tour! We are glad you could all join us virtually today! I am Jessica Moore, Education and Communication Coordinator

290 views • 26 slides
COAT PRESENTATION Justice Greg Garde AO RFD Past President of VCAT June 2018 VCAT s Vision,

COAT PRESENTATION Justice Greg Garde AO RFD Past President of VCAT June 2018 VCAT s Vision,

COAT PRESENTATION Justice Greg Garde AO RFD Past President of VCAT June 2018 VCAT s Vision, Values and Goal 2 Presentation to COAT VCAT Snapshot 2016/17 VCAT s service 228 members, 218 staff 84,878 cases finalised 56%

399 views • 9 slides
RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue

RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue

RC Claim Assist Kelly Hayes Blue Cross / Blue Care Network Provider Outreach Blue Cross Blue Shield of Michigan and Blue Care Network are nonprofit corporations and independent licensees of the Blue Cross and Blue Shield Association. RC Claim

423 views • 7 slides
New CLSI Document for the Validation of Methods Preformed by Flow Cytometry Sneak Peek and

New CLSI Document for the Validation of Methods Preformed by Flow Cytometry Sneak Peek and

New CLSI Document for the Validation of Methods Preformed by Flow Cytometry Sneak Peek and Update Virginia Litwin, Ph.D. Vice President, Immunology CLSI H62 Validation of Methods Performed by Flow Cytometry Sneak Peek Overview

905 views • 65 slides
Overview ew Overview of Corporate Philanthropy Overview of Florida Blue Corporate and Foundation

Overview ew Overview of Corporate Philanthropy Overview of Florida Blue Corporate and Foundation

L ESSONS L EARNED FROM A C ORPORATE D ONOR Susan B. Towler Florida Blue October 21, 2015 Orange Park, FL Blue Cross and Blue Shield of Florida Foundation is an Independent Licensee of the Blue Cross and Blue Shield Association. Overview ew

422 views • 16 slides
Trade Service Corporation Manufacture of water-borne inorganic coating agent AD-Tech COAT

Trade Service Corporation Manufacture of water-borne inorganic coating agent AD-Tech COAT

Introduction of AD-Tech COAT ( Water-borne inorganic Coaintg agent) (Nano particles of liquid ceramics coating materials from Japan Actual record at top companies of fields Contribute to

209 views • 16 slides
The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+

The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+

The New Cooling Unit Generation Blue e+ 1 Die neue Khlgerte-Generation Blue e+ The Blue e+ cooling unit series the ultimate in efficiency. 2 The new Cooling Unit Generation Blue e+ Enclosure Climate Control Sensitive electronic

319 views • 27 slides
BLUE COMMUNITIES What is a Blue Community? The Blue Communities Project encourages municipalities

BLUE COMMUNITIES What is a Blue Community? The Blue Communities Project encourages municipalities

BLUE COMMUNITIES What is a Blue Community? The Blue Communities Project encourages municipalities and Indigenous communities to adopt a water commons framework by: 1. recognizing water and sanitation as human rights 2. banning bottled water in

183 views • 15 slides
EC Blue for Water Testing EC Blue for water testing Can you detect contaminant (bacteria) from

EC Blue for Water Testing EC Blue for water testing Can you detect contaminant (bacteria) from

EC Blue for Water Testing EC Blue for water testing Can you detect contaminant (bacteria) from water without color? EC Blue for water testing (1) Product profile, EC Blue EC Blue was introduced in 1998, and being an official water test

130 views • 9 slides
Organic Molecular Modeling Lab coat and goggle are not necessary 2016/03/20 revised

Organic Molecular Modeling Lab coat and goggle are not necessary 2016/03/20 revised

Organic Molecular Modeling Lab coat and goggle are not necessary 2016/03/20 revised Self-prepare digital camera Download Avogadro and Chemsketch free software (reference expt.) Collect and check contents: MOLYMOLD Organic Set White

616 views • 15 slides

More recommend