make dkom attacks great again
play

MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - - PowerPoint PPT Presentation

Sep 30, 2023 •341 likes •806 views

MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1 whoami Security researcher at Cisco in the Talos group Ph.D. Telecom ParisTech/Eurecom Hackademic Malware analysis / memory forensics 2 ROOTKIT

  1. MAKE DKOM ATTACKS GREAT AGAIN MARIANO GRAZIANO Bologna, Italy - 29/10/2016 1

  2. whoami ‣ Security researcher at Cisco in the Talos group ‣ Ph.D. Telecom ParisTech/Eurecom ‣ Hackademic ‣ Malware analysis / memory forensics 2

  3. ROOTKIT “Software to maintain a persistent and stealthy access on a compromised machine” 3

  4. HOW? RING 3 RING 0 RING -1 RING -2 RING -3 PRIVILEGES 4

  5. HOW? DETECTION RING 3 RING 0 RING -1 RING -2 RING -3 PRIVILEGES 5

  6. HOW? DETECTION RING 3 COMMON ROOTKITS RING 0 RING -1 RING -2 RING -3 PRIVILEGES 6

  7. HOW? DETECTION RING 3 RING 0 - “Subvirt: Implementing malware with virtual machines“ - S&P 06 RING -1 RING -1 - Blue Pill - Joanna Rutkowska - Syscan 06 - Vitriol - Dino Dai Zovi - BHUS 06 RING -2 RING -3 PRIVILEGES 7

  8. HOW? DETECTION RING 3 - Duflot SMM research - “SMM rootkits: A new breed of OS independent malware” - SP 08 RING 0 - “System Management Mode Hacks” - Phrack #65 - ’08 - “Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers” - Phrack #66 - ’09 RING -1 RING -2 - “Implementing SMM PS/2 Keyboard sniffer” - Beist - 2009 - NSA - http://blog.cr4.sh/2016/02/exploiting-smm-callout-vulnerabilities.html RING -2 RING -3 PRIVILEGES 8

  9. HOW? 9

  10. HOW? DETECTION RING 3 RING 0 - “Introducing Ring -3 Rootkits” - Tereshkin & Wojtczuk - BHUS’09 - “Understanding DMA Malware” - Stewin et al. - DIMVA ‘12 RING -1 RING -3 - http://me.bios.io/Resources RING -2 RING -3 PRIVILEGES 10

  11. HOW? DKOM BOOTKITS ROP ROOTKITS BLUEPILLS FIRMWARE 11

  12. HOW? DKOM BOOTKITS ROP ROOTKITS BLUEPILLS FIRMWARE 12

  13. ROP ¡ROOTKIT? ‣ Motivation ‣ “ Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms ” - USENIX Security 09 ‣ “ Persistent Data-only Malware: Function Hooks without Code ” - NDSS ‘14 13

  14. ROP ¡ROOTKIT? ‣ Persistence technique: ‣ CVE-2013-2094 ‣ sysenter ‣ IA32_SYSENTER_ESP (0x175) ‣ IA32_SYSENTER_EIP (0x176) 14

  15. ROP ¡ROOTKIT? Chuck ROP chains: 15

  16. DKOM “ D irect K ernel O bject M anipulation” 16

  17. TRADITIONAL ¡DKOM EPROCESS EPROCESS EPROCESS 17

  18. TRADITIONAL ¡DKOM EPROCESS EPROCESS EPROCESS 18

  19. DKOM ¡vs ¡PROCESSES ‣ DKOM is a generic technique ‣ Processes: ‣ Windows: KPROCESS/EPROCESS/PEB ‣ Linux: task_struct ‣ OSX : proc/task 19

  20. (E)PROCESS? 20

  21. (E)PROCESS? 21

  22. (K)PROCESS? 22

  23. PROCESS? 23

  24. PROCESS? ‣ EPROCESS info: ‣ Creation and exit time ‣ PID and PPID ‣ Pointer to the handle table ‣ VAD, etc ‣ PEB info: ‣ Pointer to the Image Base Address ‣ Pointer to the DLLs loaded ‣ Heap size, etc 24

  25. DKOM ¡DEFENSES ‣ Kernel data integrity solutions: ‣ invariants ‣ external systems ‣ memory analysis ‣ data partitioning 25

  26. VOLATILITY ¡-­‑ ¡PSLIST 26

  27. DEMO “ DKOM DEMO ” 27

  28. E-­‑DKOM “ E volutionary D irect K ernel O bject M anipulation” “Subverting Operating System Properties through Evolutionary DKOM Attacks” Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti DIMVA 2016, San Sebastian, Spain 28

  29. E-­‑DKOM Data structure of interest Time 29

  30. E-­‑DKOM Violation of a temporal property 30

  31. E-­‑DKOM Violation of a temporal property The attack cannot be detected looking at a single snapshot 31

  32. STATE ¡vs ¡PROPERTY ‣ Traditional DKOM affects the state and are discrete ‣ Evolutionary DKOM (E-DKOM) affects the evolution in time of a given property and are continuous 32

  33. LINUX ¡CFS ¡SCHEDULER 33

  34. LINUX ¡CFS ¡SCHEDULER target 34

  35. LINUX ¡CFS ¡SCHEDULER target right-most 35

  36. LINUX ¡CFS ¡SCHEDULER Set target vruntime > rightmost vruntime target right-most 36

  37. LINUX ¡CFS ¡SCHEDULER We affect the evolution of the data structure over time. We altered the scheduler property (fair execution) target target 37

  38. DEMO “ E-DKOM DEMO ” 38

  39. DEFENSES? ‣ Reference monitor that mimics the OS property: ‣ OS specific ‣ Difficult to generalize 39

  40. DEFENSE ¡FRAMEWORK 40

  41. DEFENSE ¡FRAMEWORK 41

  42. DEFENSE ¡FRAMEWORK 42

  43. FUTURE ‣ Minimalism ‣ Possibile trends: ‣ Infections for the masses ‣ Stealthy and multi stage attacks ‣ Cat and mouse game ‣ Microsoft approach: ‣ Credential Guard ‣ Application Guard 43

  44. CONCLUSION ‣ Rootkit technology evolution ‣ New attack based on data structure evolution ‣ Experiment on the Linux CFS scheduler ‣ Defense based on hypervisor ‣ General mitigation/solution very hard 44

  45. THE ¡END THANK YOU email: magrazia@cisco.com twitter: @emd3l 45

Recommend

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano,

Subverting Operating System Properties through Evolutionary DKOM Attacks Mariano Graziano, Lorenzo Flore, Andrea Lanzi, Davide Balzarotti Cisco Systems, Inc. Universita degli Studi di

703 views • 22 slides
Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C.

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

520 views • 36 slides
DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate

DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate

DKOM 3.0 Hiding and Hooking with Windows Extension Hosts Alex Ionescu @aionescu Infiltrate Gabrielle Viala @pwissenlit 2019 Yarden Shafir @yarden_shafir About Yarden Shafir Software Engineer at CrowdStrike Circusing most of

776 views • 42 slides
CS 61: Database Systems Security With great power comes great responsibility OR William

CS 61: Database Systems Security With great power comes great responsibility OR William

CS 61: Database Systems Security With great power comes great responsibility OR William Lamb, 2nd Spider Mans Viscount Melbourne uncle Ben 2 Source: Wikipedia Agenda 1. MySQL permissions 2. Demo: SQL injection attacks 3.

542 views • 29 slides
Hello. Its great to be able to make this presenta5on via webinar for all those who were not

Hello. Its great to be able to make this presenta5on via webinar for all those who were not

Hello. Its great to be able to make this presenta5on via webinar for all those who were not able to a9end the recent Triangle Marke5ng Club meetup where I made the same presenta5on. 1 My name is Douglas Burde9 and Im the founder and

707 views • 41 slides
The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build healthy relationships that help them through high school. They make lots of great memories! Band kids score better on standardized tests. The College

618 views • 19 slides
The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build

The Franklin Band We make great memories! Band kids spend a lot of time together and build healthy relationships that help them through high school. They make lots of great memories! Band kids score better on standardized tests. The College

457 views • 18 slides
Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben

Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben

Make ETW Great Again. Exploring some of the many uses of Event Tracing for Windows (ETW) Ben Lelonek Nate Rogers CyberPoint is a cyber security company. Were in the business of protecEng whats invaluable to you. Who We Are

1.05k views • 43 slides
Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning

Friendly Adversarial Training: Attacks Which Do Not Kill Training Make Adversarial Learning Stronger Jingfeng Zhang 1 * , Xilie Xu 2* , Bo Han 34 , Gang Niu 4 , Lichen Cui 5 , Masashi Sugiyama 46 , and Mohan Kankanhalli 1 1 Department of Computer

376 views • 14 slides
USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS

USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS

USER AUTHENTICATION GRAD SEC SEP 26 2017 TODAYS PAPERS SPEARPHISHING ATTACKS SPEARPHISHING ATTACKS Imbue the email with a sense of trust or authority LURE Spoof (or log in as) the source / name Make the topic such that theyll

632 views • 25 slides
Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume

Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume

Scholarships 101 SCHOLARSHIPS Write a GREAT essay Make it personal Resume Proofread Research online Embassy FREE MONEY Usually awarded based on: Academic achievements Interests & career plans

428 views • 5 slides
Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group

Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group

Make Your Reports Look Great with the Versatile Proc Tabulate Ben Cochran The Bedford Group bencochran@nc.rr.com A Silver Member of the SAS Alliance Make Your Reports Look Great with the Versatile Proc Tabulate by Ben Cochran Bio:

547 views • 32 slides
L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this

L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this

L ESSON 6- M AKING A GREAT PRESENTATION Acknowledgement: Most images and some contents of this presentation are borrowed from the internet. H OW TO MAKE A GREAT PRESENTATION ? There are hundreds different ways to make a presentation.

494 views • 18 slides
Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your

Attendance via Zoom Lets try to make this a great experience for all of us: Please check your setup before the meeting. We start all calls 10 minutes early, where you can do so. Please connect before the meeting starts. Please join using your

318 views • 13 slides
TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book:

TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book:

TCP/IP Sockets in C Computer Chat How do we make computers talk? Great and inexpensive book: How are they interconnected? Michael J. Donahoo Kenneth L. Calvert Internet Protocol (IP) Morgan Kaufmann Publisher $14.95 Paperback

299 views • 9 slides
TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert

TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert

What will it take TO DEVELOP GREAT TEACHING? #SNEsummit15 What will it taketo develop great teaching? Robert Coe SCHOOLS NorthEast Summit 2015 My argument If you make decisions about education, you should be informed by a

474 views • 32 slides
JaTest Build Software So Secure You May Actually Make America Great Again Jake Weissman,

JaTest Build Software So Secure You May Actually Make America Great Again Jake Weissman,

JaTest Build Software So Secure You May Actually Make America Great Again Jake Weissman, Andrew Grant, Jemma Losh, Jared Weiss Why JaTest? JaTest promotes good coding practices, allowing the programmer to easily define test cases,

791 views • 22 slides
10 Tips to Great Mentoring LeAnn Johnson, Ph.D . Shepherd University 1. Make Time Build a

10 Tips to Great Mentoring LeAnn Johnson, Ph.D . Shepherd University 1. Make Time Build a

10 Tips to Great Mentoring LeAnn Johnson, Ph.D . Shepherd University 1. Make Time Build a regular mee6ng 6me with your mentee into your schedule. Dont let other things bump it. Stay focused. 2. Rapport Think back to your own

651 views • 12 slides
Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great

1 Make the Internet safe with DNS firewall Response Policy Zones (RPZ) SGNOG 7 2019 2 Great Asean Fastest Growing Area of Threats Over 200 Billion devices connected worldwide by 2020. Over 13 million active bots recorded for January 2019.

766 views • 38 slides
NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3

CMPS122: COMPUTER SECURITY NETWORKING ATTACKS NETWORKING ATTACKS NOTICES Lab #2 extended to Feb. 17 @ 23:59 HW #3 due tonight NETWORKING ATTACKS LAST TIME TCP/IP networking stack Physical layer Data link layer Network

1.1k views • 61 slides
Make Streaming Great Again IEEE ComSoc Distinguished Lectures Portland State University, Dec.

Make Streaming Great Again IEEE ComSoc Distinguished Lectures Portland State University, Dec.

Make Streaming Great Again IEEE ComSoc Distinguished Lectures Portland State University, Dec. 2019 Ali C. Begen, PhD http://ali.begen.net Ankara BS in EE Toronto, ON Istanbul San Jose, CA Adv. Res. and Dev. Prof. in CS Dept. Atlanta,

681 views • 49 slides
Make Your Macro Great from the Very Beginning Yuliia Bahatska Vladlen Ivanushkin Syneos Health

Make Your Macro Great from the Very Beginning Yuliia Bahatska Vladlen Ivanushkin Syneos Health

Make Your Macro Great from the Very Beginning Yuliia Bahatska Vladlen Ivanushkin Syneos Health DataFocus PhUSE EU Connect 2018, Frankfurt INTRODUCTION This is me when I think of my first macro 2 THE COUNTW FUNCTION

561 views • 29 slides
Great Eagle Holdings Investor Presentation 3Q15 1 Great Eagle Holdings Limited Financials

Great Eagle Holdings Investor Presentation 3Q15 1 Great Eagle Holdings Limited Financials

Great Eagle Holdings Investor Presentation 3Q15 1 Great Eagle Holdings Limited Financials Highlights of 1H 2015 Results 1. The Group has continued to make positive progress with its strategy to expand its asset base and thus far into 2015,

646 views • 43 slides
San Francisco State University We Make Great Things Happen Earthquake Awareness Presented by

San Francisco State University We Make Great Things Happen Earthquake Awareness Presented by

San Francisco State University We Make Great Things Happen Earthquake Awareness Presented by University Police Department, Division of Emergency Services Aide V. Jurez What is an Earthquake? When two blocks of the earth suddenly slip

370 views • 23 slides

More recommend