SlideShare a Scribd company logo

Memory Corruption: from sandbox to SMM

Download as PPTX, PDF
Positive Hack Days
Positive Hack Days

Memory Corruption: from sandbox to SMM

Technology
1 of 72
Memory Corruption: from sandbox to SMM Nikita Tarakanov Security Center of Excellence Oleksandr Bazhaniuk, Yuriy Bulygin, Andrew Furtak, Mikhail Gorobets, John Loucaides, Alexander Matrosov, Mickey Shkatov Advanced Threat Research (www.intelsecurity.com/atr) Positive Hack Days 2015 Moscow, Russia
Agenda • Introduction • Memory Corruption: Ring3 -> Ring0 • Memory Corruption: Ring0 -> SMM • Q&A
Introduction • Ring3(IE, Adobe Reader, Flash player, MS Office etc) applications as first attack vector • Not privileged level • Sandboxes (IE EPM, Reader sandbox, Chrome sandbox etc) • Need to get Ring0 to have ability to make fancy stuff • So, Elevation of Privileges (R3->R0) Exploits/Vulnerabilities are critical • Good examples: pwn2own 2013/2014 IE EPM sandbox escapes via kernel exploit • Ring0 is powerful, but there is more privileged mode - SMM
Memory Corruption: Ring3 -> Ring0
Memory Corruption types: Ring3 -> Ring0 • Stack-based buffer overflow – rare, out-of-scope • Pool overflow • Arbitrary memory corruption
Memory Corruption: Ring0 mitigations • Various security checks: Stack-canary, Pool metadata integrity checks • KASLR • SMEP • SMAP
Memory Corruption: Pool overflow
Techniques to exploit pool overflows • Pool metadata corruption • Object metadata corruption (DKOHM) • Object Type Confusion (DKOHM + DKOM)
Object Metadata • OBJECT_HEADER • Optional headers POOL_HEADER Optional Headers OBJECT_HEADER Object
OBJECT_HEADER • • kd> dt nt!_OBJECT_HEADER • • +0x000 PointerCount : Int4B • • +0x004 HandleCount : Int4B • • +0x004 NextToFree : Ptr32 Void • • +0x008 Lock : _EX_PUSH_LOCK • • +0x00c TypeIndex : UChar <- Index of pointer to OBJECT_TYPE structure in ObTypeIndexTable • • +0x00d TraceFlags : UChar • • +0x00d DbgRefTrace : Pos 0, 1 Bit • • +0x00d DbgTracePermanent : Pos 1, 1 Bit • • +0x00e InfoMask : UChar • • +0x00f Flags : UChar • • +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION • • +0x010 QuotaBlockCharged : Ptr32 Void • • +0x014 SecurityDescriptor : Ptr32 Void • • +0x018 Body : _QUAD
ObTypeIndexTable • • kd> dd nt!ObTypeIndexTable L40 • • 81a3edc0 00000000 bad0b0b0 8499c040 849aa390 • • 81a3edd0 84964f70 8499b4c0 84979500 84999618 • • 81a3ede0 84974868 849783c8 8499bf70 84970b40 • • 81a3edf0 849a8888 84979340 849aaf70 849a6a38 • • 81a3ee00 8496df70 8495b040 8498cf70 84930a50 • • 81a3ee10 8495af70 8497ff70 84985040 84999e78 • • 81a3ee20 84997f70 8496c040 849646e0 84978f70 • • 81a3ee30 8497aec0 84972608 849a0040 849a9750 • • 81a3ee40 849586d8 84984f70 8499d578 849ab040 • • 81a3ee50 84958938 84974a58 84967168 84967098 • • 81a3ee60 8496ddd0 849a5140 8497ce40 849aa138 • • 81a3ee70 84a6c058 84969c58 8497e720 85c62a28 • • 81a3ee80 85c625f0 00000000 00000000 00000000
OBJECT_TYPE • kd> dt nt!_OBJECT_TYPE • +0x000 TypeList : _LIST_ENTRY • +0x008 Name : _UNICODE_STRING • +0x010 DefaultObject : Ptr32 Void • +0x014 Index : UChar • +0x018 TotalNumberOfObjects : Uint4B • +0x01c TotalNumberOfHandles : Uint4B • +0x020 HighWaterNumberOfObjects : Uint4B • +0x024 HighWaterNumberOfHandles : Uint4B • +0x028 TypeInfo : _OBJECT_TYPE_INITIALIZER • +0x080 TypeLock : _EX_PUSH_LOCK • +0x084 Key : Uint4B • +0x088 CallbackList : _LIST_ENTRY
Procedures • kd> dt nt!_OBJECT_TYPE_INITIALIZER • [..] • +0x030 DumpProcedure : Ptr32 void • +0x034 OpenProcedure : Ptr32 long • +0x038 CloseProcedure : Ptr32 void • +0x03c DeleteProcedure : Ptr32 void • +0x040 ParseProcedure : Ptr32 long • +0x044 SecurityProcedure : Ptr32 long • +0x048 QueryNameProcedure : Ptr32 long • +0x04c OkayToCloseProcedure : Ptr32 unsigned char
ObTypeIndexTable & Object Type Object Header TypeIndex Pointer to OBJECT_TYPE ObTypeIndexTable OBJECT_TYPE Pointers to various procedures Object’s dispatch func
Object Type Index Table (x86)
Object Type Index Table (x64)
Object metadata corruption (DKOHM) POOL_HEADER Optional Headers OBJECT_HEADER Object overflow ObTypeIndexTable 0x00000000 0xBAD0B0B0 Fake OBJECT_TYPE Shellcode
Windows 8.1 • 0xBAD0B0B0 has gone 
Object Type Confusion (DKOHM + DKOM) • Set TypeIndex value to different object type (object type confusion) • Object Manager is fooled (before it was Type A, not it’s Type B) • Craft malicious object’s data (counters, pointers) • Invoke system service(s) to trigger access to malicious object • Profit
Object data corruption (DKOHM + DKOM) Object Header Object Data ObTypeIndexTable FILE OBJECT_TYPE ALPC OBJECT_TYPE
Object data corruption (DKOHM+DKOM) Object Header FILE_OBJECT Object Header ALPC_OBJECT(all data is under control) exploit Invoke system service trigger access to object Different scenarios After overwrite -> type confusion
OBJECT_TYPE_INITIALIZER Procedures • +0x030 DumpProcedure : (null) • +0x038 OpenProcedure : (null) • +0x040 CloseProcedure : 0xfffff801`5b913b44 void nt!ObpCloseDirectoryObject+0 • +0x048 DeleteProcedure : 0xfffff801`5b92743c void nt!ObpDeleteDirectoryObject+0 • +0x050 ParseProcedure : (null) • +0x058 SecurityProcedure : 0xfffff801`5b848e54 long nt!SeDefaultObjectMethod+0 • +0x060 QueryNameProcedure : (null) • +0x068 OkayToCloseProcedure : (null)
OBJECT_TYPE_INITIALIZER Procedures • +0x030 DumpProcedure : (null) • +0x038 OpenProcedure : (null) • +0x040 CloseProcedure : (null) • +0x048 DeleteProcedure : 0xfffff801`5b9250fc void nt!IopDeleteDevice+0 • +0x050 ParseProcedure : 0xfffff801`5b86dde0 long nt!IopParseDevice+0 • +0x058 SecurityProcedure : 0xfffff801`5b842028 long nt!IopGetSetSecurityObject+0 • +0x060 QueryNameProcedure : (null) • +0x068 OkayToCloseProcedure : (null)
Object Type Confusion Object Header Event Object Object Header FILE_OBJECT(all data is under control) exploit nt!IopGetSetSecurityObject NtQuerySecurityObject After overwrite -> type confusion nt!SeDefaultObjectMethod
SecurityProcedure vector • For most object types: nt!SeDefaultObjectMethod • WmiGuid object type: nt!WmipSecurityMethod • File/Device object type: nt!IopGetSetSecurityObject • Key object type: nt!CmpSecurityMethod
nt!IopGetSetSecurityObject • FILE_OBJECT -> DEVICE_OBJECT -> DRIVER_OBJECT -> MAJOR_ROUTINE -> attacker’s shellcode • Execution Hijack by three consequent dereferences!!!!
nt!IopGetSetSecurityObject
nt!IopGetSetSecurityObject chain • 0: kd> dt nt!_FILE_OBJECT • +0x000 Type : Int2B • +0x002 Size : Int2B • +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT • 0: kd> dt nt!_DEVICE_OBJECT • +0x000 Type : Int2B • +0x002 Size : Uint2B • +0x004 ReferenceCount : Int4B • +0x008 DriverObject : Ptr64 _DRIVER_OBJECT
nt!IopGetSetSecurityObject chain • 0: kd> dt nt!_DRIVER_OBJECT • +0x000 Type : Int2B • +0x002 Size : Int2B • +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT • +0x010 Flags : Uint4B • +0x018 DriverStart : Ptr64 Void • +0x020 DriverSize : Uint4B • +0x028 DriverSection : Ptr64 Void • +0x030 DriverExtension : Ptr64 _DRIVER_EXTENSION • +0x038 DriverName : _UNICODE_STRING • +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING • +0x050 FastIoDispatch : Ptr64 _FAST_IO_DISPATCH • +0x058 DriverInit : Ptr64 long • +0x060 DriverStartIo : Ptr64 void • +0x068 DriverUnload : Ptr64 void • +0x070 MajorFunction : [28] Ptr64 long
Close/Delete Procedure vector • Huge amount of different execution flows: 56 functions • Mostly arbitrary memory overwrite • Some adjacent read/write • Some hijack of execution flow
Other Procedures • DumpProcedure, OpenProcedure, ParseProcedure, QueryNameProcedure, OkayToCloseProcedure • Are rare – no interest in here
Object’s body vector (DKOM) • There are several typical OOP interfaces • Constructor – NtCreate* (NtCreateFile) • Destructor – NtClose • Getter – NtQueryInformation* (NtQueryInformationWorkerFactory) • Setter – NtSetInformation* (NtSetInformationKey) • Object Type specific: NtClearEvent, NtAlpcAcceptConnectPort, NtEnumerateValueKey, NtRecoverResourceManager etc
DKOHM+DKOM restrictions • Unfortunately you cant freely use Getter/Setter/Specific when you change type of an object – caused by ValidAccessMask field  • +0x010 Name : _UNICODE_STRING "WindowStation“ • +0x01c ValidAccessMask : 0xf037f • +0x010 Name : _UNICODE_STRING "Directory“ • +0x01c ValidAccessMask : 0xf000f • But you can still smash object’s data without changing object type
DKOHM+DKOM restrictions • Some Object Types have same ValidAccessMask • +0x010 Name : _UNICODE_STRING "Section“ • +0x01c ValidAccessMask : 0x1f001f • +0x010 Name : _UNICODE_STRING "Job“ • +0x01c ValidAccessMask : 0x1f001f • So technique using Getter/Setter/Specific is possible, but limited
Symbolic Link: Getter vector NtQuerySymbolicLinkObject
Directory Object: Getter vector NtQueryDirectoryObject • Up-to 0x25 times of reading arbitrary memory
WorkerFactory object Getter: NtQueryInformationWorkerFactory
WorkerFactory object Setter: NtSetInformationWorkerFactory
Memory Corruption: Ring3 -> Ring0 • So we have all primitives: • Arbitrary Memory Overwrite -> store payload in kernel executable memory • Arbitrary Memory Read -> KASLR bypass • Arbitrary Code Execution -> execution with Ring0 privileges
Memory Corruption: Ring0 -> SMM
System Management Mode (SMM) • System Management Interrupt (SMI) • CPU (OS) state is saved in SMRAM upon entry to SMM and restored upon exit from SMM • SMI handlers are invoked by CPU upon System Management Interrupt (SMI) from chipset or other logical CPUs and execute in System Management Mode (SMM) of x86 CPU • SMI handlers return to the OS using RSM instruction • SMRAM is a range of DRAM reserved by BIOS SMI handlers • Protected from software and device acces
System Management Interrupt (SMI) Handlers SMRR_PHYSBASE SMRAM 0x00000000 0xFFFFFFFF SMI handlers SMM state save area SMBASE + 8000h SMBASE SMBASE + FFFFh SMRAM
System Management Interrupt (SMI) Handlers • SMM handler execution environment: • At entry, CS = SMBASE (0x30000 at reset), EIP=0x8000 • Addressable physical space from 0 to 0xFFFFFFFFh (4G) • No paging • All hardware interrupts are disabled SMM Core dispatcher SMI SMST CPU info Memory info I/O info SMM Driver SMM Driver SMM Driver SMM callback SMM callback SMM callback ... RSM SMM code flow
Trigger ‘SW’ SMI via APMC I/O Port• _swsmi PROC • .. • ; setting up GPR (arguments) to SMI handler call • ; AX gets overwritten by _smi_code_data (which is passed in RCX) • ; DX gets overwritten by the value of APMC port (= 0x00B2) • mov rax, rdx ; rax_value • mov ax, cx ; smi_code_data • mov rdx, r10 ; rdx_value • mov dx, 0B2h ; APMC SMI control port 0xB2 • mov rbx, r8 ; rbx_value • mov rcx, r9 ; rcx_value • mov rsi, r11 ; rsi_value • mov rdi, r12 ; rdi_value • ; write smi_code_data value to SW SMI control/data ports (0xB2/0xB3) • out dx, ax • .. • ret • _swsmi ENDP
Trigger ‘SW’ SMI using CHIPSEC • From command line: • # chipsec_util.py smi smic smid [RAX RBX RCX RDX RSI RDI] • From any module in CHIPSEC: • self.intr = chipsec.hal.Interrupts( self.cs ) • self.intr.send_SW_SMI(smic,smid,rax,rbx,rcx,rdx,rsi,rdi )
Known SMI Vulnerabilities
Known Vulnerabilities Related to SMM • Issue • When D_LCK is not set by BIOS, SMM space decode can be changed to open access to CSEG when CPU is not in SMM: Using CPU SMM to Circumvent OS Security Functions • Also Using SMM For Other Purposes • Mitigation • D_LCK bit locks down Compatible SMM space (a.k.a. CSEG) configuration (SMRAMC) • SMRAMC[D_OPEN]=0 forces access to legacy SMM space decode to system bus rather than to DRAM where SMI handlers are when CPU is not in System Management Mode (SMM) • Check •chipsec_main –-module common.smm Unlocked Compatible/Legacy SMRAM
Known Vulnerabilities Related to SMM • Issue • CPU executes from cache if memory type is cacheable • Ring0 exploit can make SMRAM cacheable (variable MTRR) • Ring0 exploit can then populate cache-lines at SMBASE with SMI exploit code (ex. modify SMBASE) and trigger SMI • CPU upon entering SMM will execute SMI exploit from cache • Attacking SMM Memory via Intel Cache Poisoning • Getting Into the SMRAM: SMM Reloaded • Mitigation • CPU System Management Range Registers (SMRR) forcing UC and blocking access to SMRAM when CPU is not in SMM • Check •chipsec_main –-module common.smrr SMRAM “Cache Poisoning” Attacks
Legacy SMI Handlers Calling Out of SMRAM • OS level exploit stores payload in F-segment below 1MB (0xF8070 Physical Address) • Exploit has to also reprogram PAM for F-segment • Then triggers “SW SMI” via APMC port (I/O 0xB2) • SMI handler does CALL 0F000:08070 in SMM • BIOS SMM Privilege Escalation Vulnerabilities (14 issues in just one SMI Handler) • System Management Mode Design and Security Issues Branch Outside of SMRAM
Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB
Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB Code fetch in SMM
Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB 0xF8070: payload0F000:08070 = 0xF8070 PA Code fetch in SMM
Function Pointers Outside of SMRAM (DXE SMI) Phys Memory SMRAM mov ACPINV+x, %rax call *0x18(%rax) ACPI NV Area payload 1. Read function pointer from ACPI NVS memory (outside SMRAM) Pointer to payload 2. Call function pointer (payload outside SMRAM) Attacking Intel BIOS
Mitigating SMM “Call-Outs” • These issues are specific to particular SMI Handler implementation… • static analysis of binary? • run-time debugging? • CPU Hardware Support (starting in Haswell) • SMM Code Access Check • SMM_Code_Chk_En (SMM-RW) • This control bit is available onlyif MSR_SMM_MCA_CAP[58] == 1. • When set to ‘0’ (default) none of the logical processors are prevented from executing SMM code outside the ranges defined by the SMRR. • When set to ‘1’ any logical processor in the package that attempts to execute SMM code not within the ranges defined by the SMRR will assert an unrecoverable MCE. • Attempts to execute code outside SMRAM while inside SMM result in a Machine Check Exception!
Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB 0xF8070: payload0F000:08070 = 0xF8070 PA Code fetch in SMM – causes Machine Check Exception
Function Pointers Outside of SMRAM (DXE SMI) Phys Memory SMRAM mov ACPINV+x, %rax call *0x18(%rax) ACPI NV Area payload 1. Read function pointer from ACPI NVS memory (outside SMRAM) Pointer to payload 2. Call function pointer (payload outside SMRAM) -- causes MCE!
A new class of vulnerabilities in SMI handlers
Pointer Arguments to SMI Handlers Phys Memory SMI Handlers in SMRAM OS Memory SMI Handler writes result to a buffer at address passed in RBX… RAX (code) RBX (pointer) RCX (function) RDX RSI RDI SMI handler specific structure SMI
Pointer Vulnerabilities Phys Memory SMI Handlers in SMRAM OS Memory Exploit tricks SMI handler to write to an address inside SMRAM RAX (code) RBX (pointer) RCX (function) RDX RSI RDI Fake structure inside SMRAM SMI
What to overwrite inside SMRAM?• Depending on the vulnerability, caller may control address to write, the value written, or both. • Often the caller controls the address but doesn’t have control over the values written to the address by the SMI handler • In our example the attacker controls the address and does not control the value: The SMI handler writes 0 value to the specified address
What to overwrite inside SMRAM?• What can an exploit overwrite in SMRAM without crashing? • SMI Handler code starting at SMBASE + 8000h • Internal SMI handler’s state/flags inside SMRAM • Contents of SMM state save area at SMBASE + FC00h, where the CPU state is stored on SMM entry
What to overwrite inside SMRAM?• Current value of SMBASE MSR is also saved in SMM state save area by CPU at offset SMBASE + FEF8h upon SMI • Stored value of SMBASE is restored upon executing RSM • SMBASE relocation: SMI handler may change the saved value of SMBASE in order to change the location of SMRAM upon next SMI • The idea: Move SMBASE to a new, unprotected location by changing the SMBASE value stored in the SMM state save area.
How do we know where to write? SMM state save is at SMBASE + FC00h But SMBASE is not known • SMBASE MSR can be read only in SMM • SMBASE is different per CPU thread • SMBASE is different per BIOS implementation SMBASE should be programmed at some offset from TSEG/SMRR_PHYSBASE
How do we know where to write?1. Dump contents of SMRAM • Use hardware debugger • Use similar “pointer read” vulnerability • Use another vulnerability (e.g. S3 boot script) to disable SMRAM DMA protection and use DMA via graphics aperture to read SMRAM And in the dump look for  SMI handler entry point code  Known values in GP registers (invoke SMI with these values before dump) 2. Read SPI flash memory & RE initialization code to find SMBASE there. 3. Guess location of SMBASE: • SMBASE = SMRR_PHYSBASE • SMBASE = SMRR_PHYSBASE - 8000h (SMRR_PHYSBASE at SMI handler location) • Blind iteration through all offsets within SMRAM as potential saved SMBASE value
How does the attack work? Phys Memory SMI Handler OS Memory • CPU stores current value of SMBASE in SMM save state area on SMI and restores it on RSM RAX (code) RBX (pointer) RCX (function) SMI handler specific structure SMI SMBASE SMM State Save AreaSaved SMBASE value SMI Entry Point (SMBASE + 8000h)
How does the attack work? Phys Memory SMI Handler OS Memory • Attacker prepares fake SMRAM with new SMI handler outside of SMRAM at some address (PA 0) that will be a new SMBASE Fake SMI handler SMBASE Saved SMBASE value SMM State Save Area SMI Entry Point (SMBASE + 8000h)
How does the attack work? Phys Memory SMI Handler OS Memory • Attacker triggers SMI w/ RBX pointing to saved SMBASE address in SMRAM • SMI handler overwrites saved SMBASE on exploit’s behalf with address of fake SMBASE (e.g. 0 PA) RAX (code) RBX (pointer) RCX (function) SMI SMBASE Fake SMI handler Saved SMBASE value SMM State Save Area SMI Entry Point (SMBASE + 8000h)
How does the attack work? Phys Memory SMI Handler OS Memory • Attacker triggers another SMI • CPU executes fake SMI handler at new entry point outside of original protected SMRAM because SMBASE location changed SMI SMBASE Fake SMI handler Saved SMBASE value SMM State Save Area New SMI Entry Point
How does the attack work? • Fake SMI handler disables original SMRAM protection (disables SMRR) • Then restores original SMBASE value to switch back to original SMRAM Phys Memory SMI Handler (SMRAM is not protected) OS Memory SMBASE Fake SMI handler SMM State Save Area New SMI Entry Point SMI Handler (SMRAM is not protected) Original saved SMBASE value
How does the attack work? Phys Memory SMI Handler (SMRAM is not protected) OS Memory • The SMRAM is restored but not protected by HW anymore • The SMI handler may be modified by attacker as well as other SMRAM data SMBASE SMI Entry Point (SMBASE + 8000h)
Demo
Q&A • Thank you!

Recommended

BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
 
이제 문서는 DocC로 만들때가 되지 않았나요?
이제 문서는 DocC로 만들때가 되지 않았나요?이제 문서는 DocC로 만들때가 되지 않았나요?
이제 문서는 DocC로 만들때가 되지 않았나요?hyunho Lee
 
Windows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri Yakalama
Windows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri YakalamaWindows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri Yakalama
Windows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri YakalamaBGA Cyber Security
 
Process Doppelgänging
Process Doppelgänging Process Doppelgänging
Process Doppelgänging KarlFrank99
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRaghav Bisht
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 

Recommended

BIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredBIOS and Secure Boot Attacks Uncovered
BIOS and Secure Boot Attacks UncoveredAlex Matrosov
 
Secure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior - Defense in depth
Secure Code Warrior - Defense in depthSecure Code Warrior
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
 
이제 문서는 DocC로 만들때가 되지 않았나요?
이제 문서는 DocC로 만들때가 되지 않았나요?이제 문서는 DocC로 만들때가 되지 않았나요?
이제 문서는 DocC로 만들때가 되지 않았나요?hyunho Lee
 
Windows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri Yakalama
Windows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri YakalamaWindows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri Yakalama
Windows Sistemlerde Yetkili Hesapları İzleyerek Yanal Hareketleri YakalamaBGA Cyber Security
 
Process Doppelgänging
Process Doppelgänging Process Doppelgänging
Process Doppelgänging KarlFrank99
 
Sql injection attack
Sql injection attackSql injection attack
Sql injection attackRaghav Bisht
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Alphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm
 
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Alcyon Ferreira de Souza Junior, MSc
 
Siber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiSiber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiBGA Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18BGA Cyber Security
 
BTRisk Android Mobil Uygulama Denetimi Eğitimi
BTRisk Android Mobil Uygulama Denetimi EğitimiBTRisk Android Mobil Uygulama Denetimi Eğitimi
BTRisk Android Mobil Uygulama Denetimi EğitimiBTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014][Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]Mumbai B.Sc.IT Study
 
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Controlidingolay
 
Web uygulama açıklıklarından faydalanarak sistem ele geçirme
Web uygulama açıklıklarından faydalanarak sistem ele geçirmeWeb uygulama açıklıklarından faydalanarak sistem ele geçirme
Web uygulama açıklıklarından faydalanarak sistem ele geçirmeBTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Temel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
Temel Kavramlar, DoS/DDoS Saldırıları ve ÇeşitleriTemel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
Temel Kavramlar, DoS/DDoS Saldırıları ve ÇeşitleriBGA Cyber Security
 
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm ÖnerileriHosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm ÖnerileriBGA Cyber Security
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellAdeo Security
 
Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Ahmet Gürel
 
Sql Injection
Sql Injection Sql Injection
Sql Injection Mehmet Tuncer
 
Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyDefconRussia
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 

More Related Content

What's hot

Alphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm
 
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Alcyon Ferreira de Souza Junior, MSc
 
Siber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiSiber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiBGA Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18BGA Cyber Security
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory ForensicsIIJ
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project ReportRaghav Bisht
 
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014][Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]Mumbai B.Sc.IT Study
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Controlidingolay
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Ajay Negi
 
Temel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
Temel Kavramlar, DoS/DDoS Saldırıları ve ÇeşitleriTemel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
Temel Kavramlar, DoS/DDoS Saldırıları ve ÇeşitleriBGA Cyber Security
 
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm ÖnerileriHosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm ÖnerileriBGA Cyber Security
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Cleverence Kombe
 
Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellAdeo Security
 
Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Ahmet Gürel
 

What's hot (20)

Alphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 IIAlphorm.com Formation CEHV9 II
Alphorm.com Formation CEHV9 II
 
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
Aula 05 - Curso GRATUITO EAD de Desenvolvimento Seguro de Software com Alcyon...
 
Siber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiSiber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı Sistemi
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 16, 17, 18
 
BTRisk Android Mobil Uygulama Denetimi Eğitimi
BTRisk Android Mobil Uygulama Denetimi EğitimiBTRisk Android Mobil Uygulama Denetimi Eğitimi
BTRisk Android Mobil Uygulama Denetimi Eğitimi
 
Super Easy Memory Forensics
Super Easy Memory ForensicsSuper Easy Memory Forensics
Super Easy Memory Forensics
 
Intrusion Detection System Project Report
Intrusion Detection System Project ReportIntrusion Detection System Project Report
Intrusion Detection System Project Report
 
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014][Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
[Question Paper] Visual Basic – 6 (Old Syllabus) [April / 2014]
 
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim SunumuBTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
BTRİSK Web Uygulama Güvenliği Denetimi Eğitim Sunumu
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
 
Information Security Principles - Access Control
Information Security Principles - Access ControlInformation Security Principles - Access Control
Information Security Principles - Access Control
 
Web uygulama açıklıklarından faydalanarak sistem ele geçirme
Web uygulama açıklıklarından faydalanarak sistem ele geçirmeWeb uygulama açıklıklarından faydalanarak sistem ele geçirme
Web uygulama açıklıklarından faydalanarak sistem ele geçirme
 
Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)Logical Attacks(Vulnerability Research)
Logical Attacks(Vulnerability Research)
 
Temel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
Temel Kavramlar, DoS/DDoS Saldırıları ve ÇeşitleriTemel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
Temel Kavramlar, DoS/DDoS Saldırıları ve Çeşitleri
 
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm ÖnerileriHosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
Hosting Firmalarına Yönelik DDoS Saldırıları ve Çözüm Önerileri
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 2
 
Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems Intrusion Detection Systems and Intrusion Prevention Systems
Intrusion Detection Systems and Intrusion Prevention Systems
 
Hacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShellHacker’ların Yeni Gozdesi - PowerShell
Hacker’ların Yeni Gozdesi - PowerShell
 
Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)
 
Sql Injection
Sql Injection Sql Injection
Sql Injection
 

Similar to Memory Corruption: from sandbox to SMM

Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyDefconRussia
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassSam Thomas
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeeringKent Huang
 
ch_4x organization and information m.ppt
ch_4x organization and information m.pptch_4x organization and information m.ppt
ch_4x organization and information m.pptubaidullah75790
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]Kuba Břečka
 
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...Felipe Prado
 
SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...
SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...
SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...SMART Infrastructure Facility
 
201403 microsoft mvp com camp 2014-한주성
201403 microsoft mvp com camp 2014-한주성201403 microsoft mvp com camp 2014-한주성
201403 microsoft mvp com camp 2014-한주성주성 한
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
 
A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig)
A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig) A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig)
A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig) David Salz
 
Devoxx 2010 | LAB : ReST in Java
Devoxx 2010 | LAB : ReST in JavaDevoxx 2010 | LAB : ReST in Java
Devoxx 2010 | LAB : ReST in JavaNGDATA
 
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox BlueHat Security Conference
 
Cross-Platform Mobile Apps & Drupal Web Services
Cross-Platform Mobile Apps & Drupal Web ServicesCross-Platform Mobile Apps & Drupal Web Services
Cross-Platform Mobile Apps & Drupal Web ServicesBob Sims
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Daniel Bohannon
 

Similar to Memory Corruption: from sandbox to SMM (20)

Jurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case studyJurczyk windows kernel reference count vulnerabilities. case study
Jurczyk windows kernel reference count vulnerabilities. case study
 
Object Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypassObject Oriented Exploitation: New techniques in Windows mitigation bypass
Object Oriented Exploitation: New techniques in Windows mitigation bypass
 
Reverse eningeering
Reverse eningeeringReverse eningeering
Reverse eningeering
 
ch_4x organization and information m.ppt
ch_4x organization and information m.pptch_4x organization and information m.ppt
ch_4x organization and information m.ppt
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013] Multithreading and Parallelism on iOS [MobOS 2013]
Multithreading and Parallelism on iOS [MobOS 2013]
 
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
Positive Hack Days. Матросов. Мастер-класс: Проведение криминалистической экс...
 
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...
 
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
DEF CON 27 - WENXIANG QIAN and YUXIANG LI HUIYU - breaking google home exploi...
 
SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...
SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...
SMART Seminar Series: "Blockchain and its Applications". Presented by Prof Wi...
 
201403 microsoft mvp com camp 2014-한주성
201403 microsoft mvp com camp 2014-한주성201403 microsoft mvp com camp 2014-한주성
201403 microsoft mvp com camp 2014-한주성
 
Introduction to FIWARE IoT
Introduction to FIWARE IoTIntroduction to FIWARE IoT
Introduction to FIWARE IoT
 
FIWARE IoT Introduction 1
FIWARE IoT Introduction 1FIWARE IoT Introduction 1
FIWARE IoT Introduction 1
 
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...
 
A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig)
A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig) A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig)
A simple and powerful property system for C++ (talk at GCDC 2008, Leipzig)
 
Devoxx 2010 | LAB : ReST in Java
Devoxx 2010 | LAB : ReST in JavaDevoxx 2010 | LAB : ReST in Java
Devoxx 2010 | LAB : ReST in Java
 
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
BlueHat v17 || Corrupting Memory in Microsoft Office Protected-View Sandbox
 
Cross-Platform Mobile Apps & Drupal Web Services
Cross-Platform Mobile Apps & Drupal Web ServicesCross-Platform Mobile Apps & Drupal Web Services
Cross-Platform Mobile Apps & Drupal Web Services
 
Demystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchIDDemystifying Apple 'Pie' & TouchID
Demystifying Apple 'Pie' & TouchID
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 

More from Positive Hack Days

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesPositive Hack Days
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerPositive Hack Days
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesPositive Hack Days
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikPositive Hack Days
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQubePositive Hack Days
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityPositive Hack Days
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Positive Hack Days
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для ApproofPositive Hack Days
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Positive Hack Days
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложенийPositive Hack Days
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложенийPositive Hack Days
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application SecurityPositive Hack Days
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летPositive Hack Days
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиPositive Hack Days
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОPositive Hack Days
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке СиPositive Hack Days
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CorePositive Hack Days
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опытPositive Hack Days
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterPositive Hack Days
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиPositive Hack Days
 

More from Positive Hack Days (20)

Инструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release NotesИнструмент ChangelogBuilder для автоматической подготовки Release Notes
Инструмент ChangelogBuilder для автоматической подготовки Release Notes
 
Как мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows DockerКак мы собираем проекты в выделенном окружении в Windows Docker
Как мы собираем проекты в выделенном окружении в Windows Docker
 
Типовая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive TechnologiesТиповая сборка и деплой продуктов в Positive Technologies
Типовая сборка и деплой продуктов в Positive Technologies
 
Аналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + QlikАналитика в проектах: TFS + Qlik
Аналитика в проектах: TFS + Qlik
 
Использование анализатора кода SonarQube
Использование анализатора кода SonarQubeИспользование анализатора кода SonarQube
Использование анализатора кода SonarQube
 
Развитие сообщества Open DevOps Community
Развитие сообщества Open DevOps CommunityРазвитие сообщества Open DevOps Community
Развитие сообщества Open DevOps Community
 
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
Методика определения неиспользуемых ресурсов виртуальных машин и автоматизаци...
 
Автоматизация построения правил для Approof
Автоматизация построения правил для ApproofАвтоматизация построения правил для Approof
Автоматизация построения правил для Approof
 
Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»Мастер-класс «Трущобы Application Security»
Мастер-класс «Трущобы Application Security»
 
Формальные методы защиты приложений
Формальные методы защиты приложенийФормальные методы защиты приложений
Формальные методы защиты приложений
 
Эвристические методы защиты приложений
Эвристические методы защиты приложенийЭвристические методы защиты приложений
Эвристические методы защиты приложений
 
Теоретические основы Application Security
Теоретические основы Application SecurityТеоретические основы Application Security
Теоретические основы Application Security
 
От экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 летОт экспериментального программирования к промышленному: путь длиной в 10 лет
От экспериментального программирования к промышленному: путь длиной в 10 лет
 
Уязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на граблиУязвимое Android-приложение: N проверенных способов наступить на грабли
Уязвимое Android-приложение: N проверенных способов наступить на грабли
 
Требования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПОТребования по безопасности в архитектуре ПО
Требования по безопасности в архитектуре ПО
 
Формальная верификация кода на языке Си
Формальная верификация кода на языке СиФормальная верификация кода на языке Си
Формальная верификация кода на языке Си
 
Механизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET CoreМеханизмы предотвращения атак в ASP.NET Core
Механизмы предотвращения атак в ASP.NET Core
 
SOC для КИИ: израильский опыт
SOC для КИИ: израильский опытSOC для КИИ: израильский опыт
SOC для КИИ: израильский опыт
 
Honeywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services CenterHoneywell Industrial Cyber Security Lab & Services Center
Honeywell Industrial Cyber Security Lab & Services Center
 
Credential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атакиCredential stuffing и брутфорс-атаки
Credential stuffing и брутфорс-атаки
 

Recently uploaded

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024The Digital Insurer
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 

Memory Corruption: from sandbox to SMM

  • 1. Memory Corruption: from sandbox to SMM Nikita Tarakanov Security Center of Excellence Oleksandr Bazhaniuk, Yuriy Bulygin, Andrew Furtak, Mikhail Gorobets, John Loucaides, Alexander Matrosov, Mickey Shkatov Advanced Threat Research (www.intelsecurity.com/atr) Positive Hack Days 2015 Moscow, Russia
  • 2. Agenda • Introduction • Memory Corruption: Ring3 -> Ring0 • Memory Corruption: Ring0 -> SMM • Q&A
  • 3. Introduction • Ring3(IE, Adobe Reader, Flash player, MS Office etc) applications as first attack vector • Not privileged level • Sandboxes (IE EPM, Reader sandbox, Chrome sandbox etc) • Need to get Ring0 to have ability to make fancy stuff • So, Elevation of Privileges (R3->R0) Exploits/Vulnerabilities are critical • Good examples: pwn2own 2013/2014 IE EPM sandbox escapes via kernel exploit • Ring0 is powerful, but there is more privileged mode - SMM
  • 5. Memory Corruption types: Ring3 -> Ring0 • Stack-based buffer overflow – rare, out-of-scope • Pool overflow • Arbitrary memory corruption
  • 6. Memory Corruption: Ring0 mitigations • Various security checks: Stack-canary, Pool metadata integrity checks • KASLR • SMEP • SMAP
  • 8. Techniques to exploit pool overflows • Pool metadata corruption • Object metadata corruption (DKOHM) • Object Type Confusion (DKOHM + DKOM)
  • 9. Object Metadata • OBJECT_HEADER • Optional headers POOL_HEADER Optional Headers OBJECT_HEADER Object
  • 10. OBJECT_HEADER • • kd> dt nt!_OBJECT_HEADER • • +0x000 PointerCount : Int4B • • +0x004 HandleCount : Int4B • • +0x004 NextToFree : Ptr32 Void • • +0x008 Lock : _EX_PUSH_LOCK • • +0x00c TypeIndex : UChar <- Index of pointer to OBJECT_TYPE structure in ObTypeIndexTable • • +0x00d TraceFlags : UChar • • +0x00d DbgRefTrace : Pos 0, 1 Bit • • +0x00d DbgTracePermanent : Pos 1, 1 Bit • • +0x00e InfoMask : UChar • • +0x00f Flags : UChar • • +0x010 ObjectCreateInfo : Ptr32 _OBJECT_CREATE_INFORMATION • • +0x010 QuotaBlockCharged : Ptr32 Void • • +0x014 SecurityDescriptor : Ptr32 Void • • +0x018 Body : _QUAD
  • 11. ObTypeIndexTable • • kd> dd nt!ObTypeIndexTable L40 • • 81a3edc0 00000000 bad0b0b0 8499c040 849aa390 • • 81a3edd0 84964f70 8499b4c0 84979500 84999618 • • 81a3ede0 84974868 849783c8 8499bf70 84970b40 • • 81a3edf0 849a8888 84979340 849aaf70 849a6a38 • • 81a3ee00 8496df70 8495b040 8498cf70 84930a50 • • 81a3ee10 8495af70 8497ff70 84985040 84999e78 • • 81a3ee20 84997f70 8496c040 849646e0 84978f70 • • 81a3ee30 8497aec0 84972608 849a0040 849a9750 • • 81a3ee40 849586d8 84984f70 8499d578 849ab040 • • 81a3ee50 84958938 84974a58 84967168 84967098 • • 81a3ee60 8496ddd0 849a5140 8497ce40 849aa138 • • 81a3ee70 84a6c058 84969c58 8497e720 85c62a28 • • 81a3ee80 85c625f0 00000000 00000000 00000000
  • 12. OBJECT_TYPE • kd> dt nt!_OBJECT_TYPE • +0x000 TypeList : _LIST_ENTRY • +0x008 Name : _UNICODE_STRING • +0x010 DefaultObject : Ptr32 Void • +0x014 Index : UChar • +0x018 TotalNumberOfObjects : Uint4B • +0x01c TotalNumberOfHandles : Uint4B • +0x020 HighWaterNumberOfObjects : Uint4B • +0x024 HighWaterNumberOfHandles : Uint4B • +0x028 TypeInfo : _OBJECT_TYPE_INITIALIZER • +0x080 TypeLock : _EX_PUSH_LOCK • +0x084 Key : Uint4B • +0x088 CallbackList : _LIST_ENTRY
  • 13. Procedures • kd> dt nt!_OBJECT_TYPE_INITIALIZER • [..] • +0x030 DumpProcedure : Ptr32 void • +0x034 OpenProcedure : Ptr32 long • +0x038 CloseProcedure : Ptr32 void • +0x03c DeleteProcedure : Ptr32 void • +0x040 ParseProcedure : Ptr32 long • +0x044 SecurityProcedure : Ptr32 long • +0x048 QueryNameProcedure : Ptr32 long • +0x04c OkayToCloseProcedure : Ptr32 unsigned char
  • 14. ObTypeIndexTable & Object Type Object Header TypeIndex Pointer to OBJECT_TYPE ObTypeIndexTable OBJECT_TYPE Pointers to various procedures Object’s dispatch func
  • 15. Object Type Index Table (x86)
  • 16. Object Type Index Table (x64)
  • 17. Object metadata corruption (DKOHM) POOL_HEADER Optional Headers OBJECT_HEADER Object overflow ObTypeIndexTable 0x00000000 0xBAD0B0B0 Fake OBJECT_TYPE Shellcode
  • 19. Object Type Confusion (DKOHM + DKOM) • Set TypeIndex value to different object type (object type confusion) • Object Manager is fooled (before it was Type A, not it’s Type B) • Craft malicious object’s data (counters, pointers) • Invoke system service(s) to trigger access to malicious object • Profit
  • 20. Object data corruption (DKOHM + DKOM) Object Header Object Data ObTypeIndexTable FILE OBJECT_TYPE ALPC OBJECT_TYPE
  • 21. Object data corruption (DKOHM+DKOM) Object Header FILE_OBJECT Object Header ALPC_OBJECT(all data is under control) exploit Invoke system service trigger access to object Different scenarios After overwrite -> type confusion
  • 22. OBJECT_TYPE_INITIALIZER Procedures • +0x030 DumpProcedure : (null) • +0x038 OpenProcedure : (null) • +0x040 CloseProcedure : 0xfffff801`5b913b44 void nt!ObpCloseDirectoryObject+0 • +0x048 DeleteProcedure : 0xfffff801`5b92743c void nt!ObpDeleteDirectoryObject+0 • +0x050 ParseProcedure : (null) • +0x058 SecurityProcedure : 0xfffff801`5b848e54 long nt!SeDefaultObjectMethod+0 • +0x060 QueryNameProcedure : (null) • +0x068 OkayToCloseProcedure : (null)
  • 23. OBJECT_TYPE_INITIALIZER Procedures • +0x030 DumpProcedure : (null) • +0x038 OpenProcedure : (null) • +0x040 CloseProcedure : (null) • +0x048 DeleteProcedure : 0xfffff801`5b9250fc void nt!IopDeleteDevice+0 • +0x050 ParseProcedure : 0xfffff801`5b86dde0 long nt!IopParseDevice+0 • +0x058 SecurityProcedure : 0xfffff801`5b842028 long nt!IopGetSetSecurityObject+0 • +0x060 QueryNameProcedure : (null) • +0x068 OkayToCloseProcedure : (null)
  • 24. Object Type Confusion Object Header Event Object Object Header FILE_OBJECT(all data is under control) exploit nt!IopGetSetSecurityObject NtQuerySecurityObject After overwrite -> type confusion nt!SeDefaultObjectMethod
  • 25. SecurityProcedure vector • For most object types: nt!SeDefaultObjectMethod • WmiGuid object type: nt!WmipSecurityMethod • File/Device object type: nt!IopGetSetSecurityObject • Key object type: nt!CmpSecurityMethod
  • 26. nt!IopGetSetSecurityObject • FILE_OBJECT -> DEVICE_OBJECT -> DRIVER_OBJECT -> MAJOR_ROUTINE -> attacker’s shellcode • Execution Hijack by three consequent dereferences!!!!
  • 28. nt!IopGetSetSecurityObject chain • 0: kd> dt nt!_FILE_OBJECT • +0x000 Type : Int2B • +0x002 Size : Int2B • +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT • 0: kd> dt nt!_DEVICE_OBJECT • +0x000 Type : Int2B • +0x002 Size : Uint2B • +0x004 ReferenceCount : Int4B • +0x008 DriverObject : Ptr64 _DRIVER_OBJECT
  • 29. nt!IopGetSetSecurityObject chain • 0: kd> dt nt!_DRIVER_OBJECT • +0x000 Type : Int2B • +0x002 Size : Int2B • +0x008 DeviceObject : Ptr64 _DEVICE_OBJECT • +0x010 Flags : Uint4B • +0x018 DriverStart : Ptr64 Void • +0x020 DriverSize : Uint4B • +0x028 DriverSection : Ptr64 Void • +0x030 DriverExtension : Ptr64 _DRIVER_EXTENSION • +0x038 DriverName : _UNICODE_STRING • +0x048 HardwareDatabase : Ptr64 _UNICODE_STRING • +0x050 FastIoDispatch : Ptr64 _FAST_IO_DISPATCH • +0x058 DriverInit : Ptr64 long • +0x060 DriverStartIo : Ptr64 void • +0x068 DriverUnload : Ptr64 void • +0x070 MajorFunction : [28] Ptr64 long
  • 30. Close/Delete Procedure vector • Huge amount of different execution flows: 56 functions • Mostly arbitrary memory overwrite • Some adjacent read/write • Some hijack of execution flow
  • 31. Other Procedures • DumpProcedure, OpenProcedure, ParseProcedure, QueryNameProcedure, OkayToCloseProcedure • Are rare – no interest in here
  • 32. Object’s body vector (DKOM) • There are several typical OOP interfaces • Constructor – NtCreate* (NtCreateFile) • Destructor – NtClose • Getter – NtQueryInformation* (NtQueryInformationWorkerFactory) • Setter – NtSetInformation* (NtSetInformationKey) • Object Type specific: NtClearEvent, NtAlpcAcceptConnectPort, NtEnumerateValueKey, NtRecoverResourceManager etc
  • 33. DKOHM+DKOM restrictions • Unfortunately you cant freely use Getter/Setter/Specific when you change type of an object – caused by ValidAccessMask field  • +0x010 Name : _UNICODE_STRING "WindowStation“ • +0x01c ValidAccessMask : 0xf037f • +0x010 Name : _UNICODE_STRING "Directory“ • +0x01c ValidAccessMask : 0xf000f • But you can still smash object’s data without changing object type
  • 34. DKOHM+DKOM restrictions • Some Object Types have same ValidAccessMask • +0x010 Name : _UNICODE_STRING "Section“ • +0x01c ValidAccessMask : 0x1f001f • +0x010 Name : _UNICODE_STRING "Job“ • +0x01c ValidAccessMask : 0x1f001f • So technique using Getter/Setter/Specific is possible, but limited
  • 35. Symbolic Link: Getter vector NtQuerySymbolicLinkObject
  • 36. Directory Object: Getter vector NtQueryDirectoryObject • Up-to 0x25 times of reading arbitrary memory
  • 39. Memory Corruption: Ring3 -> Ring0 • So we have all primitives: • Arbitrary Memory Overwrite -> store payload in kernel executable memory • Arbitrary Memory Read -> KASLR bypass • Arbitrary Code Execution -> execution with Ring0 privileges
  • 41. System Management Mode (SMM) • System Management Interrupt (SMI) • CPU (OS) state is saved in SMRAM upon entry to SMM and restored upon exit from SMM • SMI handlers are invoked by CPU upon System Management Interrupt (SMI) from chipset or other logical CPUs and execute in System Management Mode (SMM) of x86 CPU • SMI handlers return to the OS using RSM instruction • SMRAM is a range of DRAM reserved by BIOS SMI handlers • Protected from software and device acces
  • 42. System Management Interrupt (SMI) Handlers SMRR_PHYSBASE SMRAM 0x00000000 0xFFFFFFFF SMI handlers SMM state save area SMBASE + 8000h SMBASE SMBASE + FFFFh SMRAM
  • 43. System Management Interrupt (SMI) Handlers • SMM handler execution environment: • At entry, CS = SMBASE (0x30000 at reset), EIP=0x8000 • Addressable physical space from 0 to 0xFFFFFFFFh (4G) • No paging • All hardware interrupts are disabled SMM Core dispatcher SMI SMST CPU info Memory info I/O info SMM Driver SMM Driver SMM Driver SMM callback SMM callback SMM callback ... RSM SMM code flow
  • 44. Trigger ‘SW’ SMI via APMC I/O Port• _swsmi PROC • .. • ; setting up GPR (arguments) to SMI handler call • ; AX gets overwritten by _smi_code_data (which is passed in RCX) • ; DX gets overwritten by the value of APMC port (= 0x00B2) • mov rax, rdx ; rax_value • mov ax, cx ; smi_code_data • mov rdx, r10 ; rdx_value • mov dx, 0B2h ; APMC SMI control port 0xB2 • mov rbx, r8 ; rbx_value • mov rcx, r9 ; rcx_value • mov rsi, r11 ; rsi_value • mov rdi, r12 ; rdi_value • ; write smi_code_data value to SW SMI control/data ports (0xB2/0xB3) • out dx, ax • .. • ret • _swsmi ENDP
  • 45. Trigger ‘SW’ SMI using CHIPSEC • From command line: • # chipsec_util.py smi smic smid [RAX RBX RCX RDX RSI RDI] • From any module in CHIPSEC: • self.intr = chipsec.hal.Interrupts( self.cs ) • self.intr.send_SW_SMI(smic,smid,rax,rbx,rcx,rdx,rsi,rdi )
  • 47. Known Vulnerabilities Related to SMM • Issue • When D_LCK is not set by BIOS, SMM space decode can be changed to open access to CSEG when CPU is not in SMM: Using CPU SMM to Circumvent OS Security Functions • Also Using SMM For Other Purposes • Mitigation • D_LCK bit locks down Compatible SMM space (a.k.a. CSEG) configuration (SMRAMC) • SMRAMC[D_OPEN]=0 forces access to legacy SMM space decode to system bus rather than to DRAM where SMI handlers are when CPU is not in System Management Mode (SMM) • Check •chipsec_main –-module common.smm Unlocked Compatible/Legacy SMRAM
  • 48. Known Vulnerabilities Related to SMM • Issue • CPU executes from cache if memory type is cacheable • Ring0 exploit can make SMRAM cacheable (variable MTRR) • Ring0 exploit can then populate cache-lines at SMBASE with SMI exploit code (ex. modify SMBASE) and trigger SMI • CPU upon entering SMM will execute SMI exploit from cache • Attacking SMM Memory via Intel Cache Poisoning • Getting Into the SMRAM: SMM Reloaded • Mitigation • CPU System Management Range Registers (SMRR) forcing UC and blocking access to SMRAM when CPU is not in SMM • Check •chipsec_main –-module common.smrr SMRAM “Cache Poisoning” Attacks
  • 49. Legacy SMI Handlers Calling Out of SMRAM • OS level exploit stores payload in F-segment below 1MB (0xF8070 Physical Address) • Exploit has to also reprogram PAM for F-segment • Then triggers “SW SMI” via APMC port (I/O 0xB2) • SMI handler does CALL 0F000:08070 in SMM • BIOS SMM Privilege Escalation Vulnerabilities (14 issues in just one SMI Handler) • System Management Mode Design and Security Issues Branch Outside of SMRAM
  • 50. Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB
  • 51. Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB Code fetch in SMM
  • 52. Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB 0xF8070: payload0F000:08070 = 0xF8070 PA Code fetch in SMM
  • 53. Function Pointers Outside of SMRAM (DXE SMI) Phys Memory SMRAM mov ACPINV+x, %rax call *0x18(%rax) ACPI NV Area payload 1. Read function pointer from ACPI NVS memory (outside SMRAM) Pointer to payload 2. Call function pointer (payload outside SMRAM) Attacking Intel BIOS
  • 54. Mitigating SMM “Call-Outs” • These issues are specific to particular SMI Handler implementation… • static analysis of binary? • run-time debugging? • CPU Hardware Support (starting in Haswell) • SMM Code Access Check • SMM_Code_Chk_En (SMM-RW) • This control bit is available onlyif MSR_SMM_MCA_CAP[58] == 1. • When set to ‘0’ (default) none of the logical processors are prevented from executing SMM code outside the ranges defined by the SMRR. • When set to ‘1’ any logical processor in the package that attempts to execute SMM code not within the ranges defined by the SMRR will assert an unrecoverable MCE. • Attempts to execute code outside SMRAM while inside SMM result in a Machine Check Exception!
  • 55. Legacy SMI Handlers Calling Out of SMRAM Phys Memory SMRAM CALL F000:8070 Legacy BIOS Shadow (F/ E-segments) PA = 0xF0000 1 MB 0xF8070: payload0F000:08070 = 0xF8070 PA Code fetch in SMM – causes Machine Check Exception
  • 56. Function Pointers Outside of SMRAM (DXE SMI) Phys Memory SMRAM mov ACPINV+x, %rax call *0x18(%rax) ACPI NV Area payload 1. Read function pointer from ACPI NVS memory (outside SMRAM) Pointer to payload 2. Call function pointer (payload outside SMRAM) -- causes MCE!
  • 57. A new class of vulnerabilities in SMI handlers
  • 58. Pointer Arguments to SMI Handlers Phys Memory SMI Handlers in SMRAM OS Memory SMI Handler writes result to a buffer at address passed in RBX… RAX (code) RBX (pointer) RCX (function) RDX RSI RDI SMI handler specific structure SMI
  • 59. Pointer Vulnerabilities Phys Memory SMI Handlers in SMRAM OS Memory Exploit tricks SMI handler to write to an address inside SMRAM RAX (code) RBX (pointer) RCX (function) RDX RSI RDI Fake structure inside SMRAM SMI
  • 60. What to overwrite inside SMRAM?• Depending on the vulnerability, caller may control address to write, the value written, or both. • Often the caller controls the address but doesn’t have control over the values written to the address by the SMI handler • In our example the attacker controls the address and does not control the value: The SMI handler writes 0 value to the specified address
  • 61. What to overwrite inside SMRAM?• What can an exploit overwrite in SMRAM without crashing? • SMI Handler code starting at SMBASE + 8000h • Internal SMI handler’s state/flags inside SMRAM • Contents of SMM state save area at SMBASE + FC00h, where the CPU state is stored on SMM entry
  • 62. What to overwrite inside SMRAM?• Current value of SMBASE MSR is also saved in SMM state save area by CPU at offset SMBASE + FEF8h upon SMI • Stored value of SMBASE is restored upon executing RSM • SMBASE relocation: SMI handler may change the saved value of SMBASE in order to change the location of SMRAM upon next SMI • The idea: Move SMBASE to a new, unprotected location by changing the SMBASE value stored in the SMM state save area.
  • 63. How do we know where to write? SMM state save is at SMBASE + FC00h But SMBASE is not known • SMBASE MSR can be read only in SMM • SMBASE is different per CPU thread • SMBASE is different per BIOS implementation SMBASE should be programmed at some offset from TSEG/SMRR_PHYSBASE
  • 64. How do we know where to write?1. Dump contents of SMRAM • Use hardware debugger • Use similar “pointer read” vulnerability • Use another vulnerability (e.g. S3 boot script) to disable SMRAM DMA protection and use DMA via graphics aperture to read SMRAM And in the dump look for  SMI handler entry point code  Known values in GP registers (invoke SMI with these values before dump) 2. Read SPI flash memory & RE initialization code to find SMBASE there. 3. Guess location of SMBASE: • SMBASE = SMRR_PHYSBASE • SMBASE = SMRR_PHYSBASE - 8000h (SMRR_PHYSBASE at SMI handler location) • Blind iteration through all offsets within SMRAM as potential saved SMBASE value
  • 65. How does the attack work? Phys Memory SMI Handler OS Memory • CPU stores current value of SMBASE in SMM save state area on SMI and restores it on RSM RAX (code) RBX (pointer) RCX (function) SMI handler specific structure SMI SMBASE SMM State Save AreaSaved SMBASE value SMI Entry Point (SMBASE + 8000h)
  • 66. How does the attack work? Phys Memory SMI Handler OS Memory • Attacker prepares fake SMRAM with new SMI handler outside of SMRAM at some address (PA 0) that will be a new SMBASE Fake SMI handler SMBASE Saved SMBASE value SMM State Save Area SMI Entry Point (SMBASE + 8000h)
  • 67. How does the attack work? Phys Memory SMI Handler OS Memory • Attacker triggers SMI w/ RBX pointing to saved SMBASE address in SMRAM • SMI handler overwrites saved SMBASE on exploit’s behalf with address of fake SMBASE (e.g. 0 PA) RAX (code) RBX (pointer) RCX (function) SMI SMBASE Fake SMI handler Saved SMBASE value SMM State Save Area SMI Entry Point (SMBASE + 8000h)
  • 68. How does the attack work? Phys Memory SMI Handler OS Memory • Attacker triggers another SMI • CPU executes fake SMI handler at new entry point outside of original protected SMRAM because SMBASE location changed SMI SMBASE Fake SMI handler Saved SMBASE value SMM State Save Area New SMI Entry Point
  • 69. How does the attack work? • Fake SMI handler disables original SMRAM protection (disables SMRR) • Then restores original SMBASE value to switch back to original SMRAM Phys Memory SMI Handler (SMRAM is not protected) OS Memory SMBASE Fake SMI handler SMM State Save Area New SMI Entry Point SMI Handler (SMRAM is not protected) Original saved SMBASE value
  • 70. How does the attack work? Phys Memory SMI Handler (SMRAM is not protected) OS Memory • The SMRAM is restored but not protected by HW anymore • The SMI handler may be modified by attacker as well as other SMRAM data SMBASE SMI Entry Point (SMBASE + 8000h)
  • 71. Demo

Editor's Notes

  1. Responsible for finding and mitigating new issues