A Security Barrier Device (SBD) protects PCs and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent to the PC and can be installed regardless of OS or application. In this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port. The SBD has a security information disk, accessible only to itself, where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD references the access privileges of that particular sector: if the sector is read-deny it returns dummy data of 0, and if the sector is write-deny it won't write to that sector. The SBD allows not only sector-based protection but also file-based protection. In the case of a file write-deny, there were some issues with the disk-related cache in memory not being synchronised, or the pointer's position to the file in regard to its directory being shifted, but I will show how these were solved. I will also talk about the fact that an SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files: once it detects any access right violation it can shut down the Ethernet port remotely and thwart the spreading of malware. Kenji Toda, at the National Institute of Advanced Industrial Science and Technology, conducted research and development of 30 Gbps intrusion detection systems, 60 Gbps URL filtering systems and network device testing equipment for such systems. He is currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems.) http://codeblue.jp/en-speaker.html#KenjiToda
The demo is here - https://www.youtube.com/watch?v=vi9TzLrO_pE All details and source code are here - http://www.bit.ly/MemoryMonRWX Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies implemented in Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have validated this concept by developing MemoryMonRWX, a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support for multi-core CPUs and 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are as follows: guaranteed interception of every memory access, resilience, and low performance degradation.
At IWSEC2014 (The 9th International Workshop on Security, Hirosaki): "Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints"
MemoryRanger is a hypervisor-based project, which isolates kernel-mode drivers and their allocated data by running drivers in isolated kernel enclaves. All the details are here - bit.ly/MemoryRanger
This document discusses different techniques for injecting code on Windows systems, including PE file infection, IAT hooking, and runtime code injection. PE file infection involves overwriting a section like .code and changing the entry point to inject malicious code. IAT hooking changes the DLL name in the import address table to point to a proxy DLL for intercepting function calls. Runtime code injection uses APIs like CreateRemoteThread and WriteProcessMemory to load a DLL or executable into another process's memory and execute it remotely.
The document discusses exploiting vulnerabilities in the Windows registry and kernel to execute malicious code without detection. It describes how vulnerabilities in functions like RtlQueryRegistryValues and win32k.sys that improperly read registry values can be triggered to cause a buffer overflow and gain kernel code execution. The goal is to store malicious code in the registry and have it execute by exploiting these vulnerabilities during system startup before detection can occur.
This document discusses the history and evolution of bootkits from legacy BIOS to UEFI environments. It describes various bootkit techniques used in BIOS and UEFI, including MBR/VBR modification, hidden file systems, and replacing bootloaders. It also covers attacks against secure boot and forensic tools for analyzing firmware like HiddenFsReader and CHIPSEC.
Volatile memory dumping and its analysis is an essential part of digital forensics. Among the many software and hardware approaches to memory dumping, some authors point out that some of these approaches are not resilient to various anti-forensic techniques, and others require a reboot or are highly platform dependent. Newer resilient tools have certain disadvantages such as low speed or vulnerability to rootkits which directly manipulate kernel structures, e.g. page tables. A new memory forensic system, Malware Analysis System for Hidden Knotty Anomalies (MASHKA), is described in this paper. It is resilient to popular anti-forensic techniques. The system can be used for a wide range of memory forensics tasks. This paper describes how to apply the system to the research and detection of kernel mode rootkits and also presents an analysis of the most popular anti-rootkit tools. Applying Memory Forensics to Rootkit Detection (ADFSL, Virginia, USA) http://bit.ly/cdfsl_paper http://bit.ly/cdfsl_slides http://bit.ly/cdfsl_speech
Advanced threats are rising in the Windows 10 environment, where sophisticated attack vectors are being used to evade threat detection tools and extract privileged data from the user. This talk presents a collection of tools and techniques developed after reverse engineering and experimenting with Windows interfaces, aimed at evading detection systems (A/V or A/C) and escalating to kernel privileges.
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.
For all popular cloud data providers there exist services that allow files to be uploaded anonymously into storage folders shared by users. Examples of such services include Dropittome, Balloon, Cloudwok and Sookasa. Given that end users often install clients for synchronisation with the cloud, this method of delivering malware to a victim's computer becomes quite effective.
This document summarizes techniques for reverse engineering MIPS firmware. It discusses extracting firmware from devices, analyzing firmware binaries to find code, filesystems and encryption. It provides an overview of the MIPS architecture and reversing tools. It also presents a case study on analyzing routers from Draytek, including decrypting configuration files, dumping firmware and extracting the compressed filesystem. Master keys were derived from MAC addresses using a simple polynomial algorithm.
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
The document discusses attacks on kernel memory data structures in Windows. It describes three types of attacks: handle table hijacking, hijacking NTFS file structures, and token hijacking. The author previously developed MemoryRanger, a hypervisor that runs drivers in isolated kernel enclaves to block such attacks. A new feature called a data-only enclave is introduced. The document then demonstrates how hijacking file structures could allow bypassing file access controls by copying a file object's data to gain unauthorized access to a secret file. MemoryRanger is shown to prevent this attack by isolating drivers and their memory.
Attacking VxWorks: from Stone Age to Interstellar presented by Yannick Formaggio at 44CON London 2015.
This document provides an introduction to secure boot. It begins with an overview of the topics to be covered, including attack surfaces, attack types, and basic defenses for embedded devices. It then describes the typical boot chain process, including the roles of the ROM bootloader, SPL, main bootloader, OS kernel, and initramfs. Finally, it discusses the basic chain of trust for secure boot and compares it to the PC bootchain, noting some vulnerabilities in the basic secure bootchain model.
I have presented how files opened in exclusive mode can be illegally accessed without any security reaction. After that, I presented my MemoryRanger, which can prevent such unauthorized memory access. All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
The document provides information about I/O systems and a case study, including details about disk structure, disk scheduling algorithms, disk management techniques, direct memory access, swap space management, RAID structure, disk attachment methods, and features of the Windows 2000 and MS-DOS operating systems. Key points covered include how disks are addressed as logical blocks, techniques for minimizing seek time and maximizing disk bandwidth, common disk scheduling algorithms like SSTF and SCAN, and how swap space is allocated and managed in different operating systems.
This document provides an overview of installing Linux, including planning partitions and file systems, hardware requirements, choosing between Fedora Core and Red Hat Enterprise Linux, and performing a fresh vs upgraded installation. It discusses setting up partitions, including primary/extended partitions and logical volume management. Recommendations are given for recommended partition sizes. The document also briefly discusses RAID levels and using ISO images to install from CD/DVD.
A case study of Fault Tolerance features of BTRFS. These slides were prepared for the coursework for a Masters level program at Tallinn University of Technology, Estonia. A lot of materials in the slides are taken from the materials in the public domain. Many thanks to the people on BTRFS IRC Channel.
The document provides an overview of the Sector/Sphere software which includes two components: the Sector distributed file system and the Sphere parallel data processing framework. Sector provides data locality, simplified programming, and global-scale capabilities while Sphere allows for simplified data parallel processing. The document outlines the key features and components of Sector including the security server, master server, slave nodes, clients, topology awareness, replication, and fault tolerance. It also describes how Sphere allows for parallel data processing via user-defined functions.
The document provides information on several topics related to IT and networking: 1. It discusses the components of a motherboard including the north bridge and south bridge, and their functions. 2. It provides steps for performing a zero-level format of a hard drive using Windows 98. 3. It describes different types of RAID configurations (RAID 0-10) and their characteristics in terms of performance and fault tolerance.
The document discusses the need for standardization of self-encrypting storage security. It outlines the scope, goals, threat models, and alternatives of a potential standard. The key advantages of self-encrypting storage are that it provides low-cost encryption using true random keys generated and stored within the device, protecting data even if the host is compromised. A standard could simplify security analysis and increase trust compared to proprietary solutions.
The JetStor NAS 724UXD is a unified / hybrid NAS storage system that consolidates NAS and IP-based iSCSI SAN in one chassis. It features the newest Intel Haswell platform to lower power consumption and 7x 1Gb Ethernet host ports per controller, all encompassed in a small 4U enclosure. The JetStor NAS 724UXD offers SSD caching to boost random I/O intensive applications, snapshots, thin provisioning, online capacity expansion and a controller-based cable-less design for excellent manageability.