Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra
Monitoring Systems & Binaries
Marcus Botacin
Informatics - Federal University of Parana (UFPR) - Brazil
mfbotacin@inf.ufpr.br
November 2018
Monitoring Systems & Binaries FAU @ Erlangen
Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra
Agenda
1 Introduction
2 Software-Based Solutions
3 Evasion Techniques
4 Hardware-Assisted Solutions
5 Attacks
6 Conclusions
7 Extra
About Me
Malware Analyst (2012)
BSc. Computer Engineering @ UNICAMP (2015)
Sandbox Development
MSc. Computer Science @ UNICAMP (2017)
Hardware-Assisted Malware Analysis
PhD. Computer Science @ UFPR (Present)
Hardware-Assisted Malware Detection
AntiVirus Evaluation
Future Threats
Contextual and Social Malware Effects
Why Monitoring?
Policy Enforcement
Logging
Forensics
Debugging
Malware Analysis
Reverse Engineering
Real Trace Examples
    7/4/2014 -13:5:1.895|DeleteOperation|2032|C:\deposito.exe|C:\ProgramData\rr.txt|
    7/4/2014 -13:3:48.294|CreateProcess|3028|C:\Monitor Malware\visualizar.exe|2440|C:\Windows\SysWOW64\dll.exe
    2014-05-14 20:02:40.963113 10.10.100.101 XX.YY.ZZ.121 HTTP 290 GET /.swim01/control.php?ia&mi=00B5AB4E-47098BC3 HTTP/1.1
Function Interposition
Figure: Source: https://www.malwaretech.com/2015/01/inline-hooking-for-programmers-part-1.html
Techniques I
Kernel Tables
System Service Dispatch Table (SSDT)
Interrupt Descriptor Table (IDT)
Global Descriptor Table (GDT)
Userland Tables
API hooking
DLL injection
Techniques II
Binary Patching
Inline hooking
OS Support
Detours
Callbacks
In Practice...
Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded.
In Practice...
Figure: Commercial solution armored with anti-debug technique.
In Practice...
Figure: Real malware impersonating a security solution that refuses to run under a hypervisor.
Detecting Analysis Procedures
    #include <stdio.h>
    #include <windows.h>

    /* Anti-debug check: the Win32 API reports whether a debugger is attached. */
    if (IsDebuggerPresent())
        printf("debugged\n");
    else
        printf("NO DBG\n");

    ; Anti-hook check: look for a JMP opcode (0xE9) planted at a function entry
    cmp [eax+0xe9], eax    ; 0xe9 = JMP
    pop rbp
Anti-Analysis Summary
Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures.
Technique        | Description                                  | Reason                                | Implementation
Anti-Debug       | Check if running inside a debugger           | Blocks reverse engineering attempts   | Fingerprinting
Anti-VM          | Check if running inside a VM                 | Analysts use VMs for scalability      | Execution side-effect
Anti-Disassembly | Fool disassemblers to generate wrong opcodes | AV signatures may be based on opcodes | Undecidable constructions
Transparency
1 Higher privileged.
2 No non-privileged side-effects.
3 Identical Basic Instruction Semantics.
4 Transparent Exception Handling.
5 Identical Measurement of Time.
Hardware Features Summary
Technique | PROS              | CONS                        | Gaps
HVM       | Ring -1           | Hypervisor development      | High overhead
SMM       | Ring -2           | BIOS development            | High implementation cost
AMT       | Ring -3           | Chipset code change         | No malware analysis solution
HPCs      | Lightweight       | Context-limited information | No malware analysis solution
GPU       | Easy to program   | No register data            | No introspection procedures
SGX       | Isolates goodware | Also isolates malware       | No enclave inspection
SOCs      | Tamper-proof      | Passive components          | Raise alarms
HVM
Figure: HVM operating layers.
HVM
Figure: Ether Sandbox Exits.
SMM
Figure: Operation modes. Source: https://tinyurl.com/l2uqr8d
Figure: SMI generation.
A ring to rule them all!
Figure: Privileged rings.
Figure: New privileged rings.
Isolated Enclaves
Figure: SGX Memory Protection
DMA Attacks I
Figure: Hypervisor Attack.
DMA Attacks II
Figure: Source: https://www.intel.com/content/dam/www/public/us/en/documents/reference-guides/pcie-device-security-enhancements.pdf
SGX Malware
Figure: SGX Malware
References
Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms — ACM Computing Surveys.
Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging — ACM Transactions on Privacy and Security.
The other guys: automated analysis of marginalized malware — Journal of Computer Virology and Hacking Techniques.
Conclusions
Thanks Tilo for hosting me.
Open to hear your questions.
Proposed Framework
Figure: Proposed framework architecture.
Could I develop a performance-counter-based malware analyzer?
Could I isolate processes’ actions?
Figure: Data Storage (DS) AREA.
Could I develop a performance-counter-based malware analyzer?
Could I isolate processes’ actions?
Figure: Local Vector Table (LVT).
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Table: ASLR - Library placement after two consecutive reboots.
Library   | NTDLL      | KERNEL32   | KERNELBASE
Address 1 | 0xBAF80000 | 0xB9610000 | 0xB8190000
Address 2 | 0x987B0000 | 0x98670000 | 0x958C0000
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Table: Function Offsets from ntdll.dll library.
Function Offset
NtCreateProcess 0x3691
NtCreateProcessEx 0x30B0
NtCreateProfile 0x36A1
NtCreateResourceManager 0x36C1
NtCreateSemaphore 0x36D1
NtCreateSymbolicLinkObject 0x36E1
NtCreateThread 0x30C0
NtCreateThreadEx 0x36F1
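The two tables above make the point that ASLR moves whole images between boots while export offsets inside an image stay fixed. The following is an added example, not code from the talk: it symbolizes raw branch-trace addresses to module!function+delta using the slide's bases and ntdll offsets, and rebuilds caller/callee edges from (FROM, TO) records. The 1 MiB module size, the KERNEL32/KERNELBASE offsets and the branch records are constructed assumptions.

```python
from bisect import bisect_right

# Module bases observed after two consecutive reboots (slide's ASLR table).
BASES_BOOT1 = {"NTDLL": 0xBAF80000, "KERNEL32": 0xB9610000, "KERNELBASE": 0xB8190000}
BASES_BOOT2 = {"NTDLL": 0x987B0000, "KERNEL32": 0x98670000, "KERNELBASE": 0x958C0000}

# Function offsets (RVAs) per module. NTDLL entries are the slide's ntdll.dll
# table; ASLR relocates the whole image, so they survive reboots.
# KERNEL32/KERNELBASE entries are constructed placeholders.
OFFSETS = {
    "NTDLL": {
        0x30B0: "NtCreateProcessEx",
        0x30C0: "NtCreateThread",
        0x3691: "NtCreateProcess",
        0x36A1: "NtCreateProfile",
        0x36C1: "NtCreateResourceManager",
        0x36D1: "NtCreateSemaphore",
        0x36E1: "NtCreateSymbolicLinkObject",
        0x36F1: "NtCreateThreadEx",
    },
    "KERNEL32": {0x1000: "k32_placeholder"},
    "KERNELBASE": {0x1000: "kbase_placeholder"},
}
MODULE_SIZE = 0x100000  # assumption: every image fits in 1 MiB


class Symbolizer:
    """Maps raw addresses recorded in one boot to module!function+delta."""

    def __init__(self, bases):
        self.modules = sorted((base, name) for name, base in bases.items())
        self.module_bases = [base for base, _ in self.modules]
        self.sorted_offsets = {name: sorted(OFFSETS[name]) for name in bases}

    def module_of(self, addr):
        # nearest module base at or below addr, if addr lies inside that image
        i = bisect_right(self.module_bases, addr) - 1
        if i < 0:
            return None
        base, name = self.modules[i]
        return (name, base) if addr < base + MODULE_SIZE else None

    def symbolize(self, addr):
        """Return (module, function_or_None, delta), or None if outside all modules."""
        hit = self.module_of(addr)
        if hit is None:
            return None
        name, base = hit
        rva = addr - base
        offs = self.sorted_offsets[name]
        i = bisect_right(offs, rva) - 1
        if i < 0:
            return (name, None, rva)  # before the first known function
        return (name, OFFSETS[name][offs[i]], rva - offs[i])


def format_symbol(sym):
    module, func, delta = sym
    return f"{module}!{func}+0x{delta:x}" if func else f"{module}+0x{delta:x}"


def reconstruct_callgraph(branches, symbolizer):
    """Turn (FROM, TO) branch records into caller -> callee edges.
    Only branches landing exactly on a known function entry count as calls;
    landings mid-function (returns, intra-function jumps) are skipped."""
    edges = []
    for src, dst in branches:
        s, d = symbolizer.symbolize(src), symbolizer.symbolize(dst)
        if s is None or d is None or d[1] is None or d[2] != 0:
            continue
        edges.append((format_symbol(s), d[1]))
    return edges


def rebase(addr, from_bases, to_bases):
    """Translate an address recorded in one boot into the equivalent address
    in another boot (same module, same RVA), or None if unmapped."""
    hit = Symbolizer(from_bases).module_of(addr)
    if hit is None:
        return None
    name, base = hit
    return to_bases[name] + (addr - base)
```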
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Figure: Introspection Mechanism.
Could I develop a performance-counter-based malware analyzer?
Is CG reconstruction possible?
Figure: Step Into (call trace nodes: _lock_file+0x90, printf+0xe3, __iob_func, printf+0xca, printf, NewToy).
Figure: Step Over (call trace nodes: scanf+0x3f, NewToy, printf).
Is CFG reconstruction possible?
Figure: Code block identification.
Is the final solution transparent?
Identified tricks
    0x190  xor eax, eax
    0x192  jnz 0x19c

    0x180  push 0x10a
    0x185  ret
Is the final solution transparent?
Identified tricks
    0x340  cmp eax, 0xe9
    0x345  jnz 0x347

    0x400  QWORD PTR fs:0x0, rsp
    0x409  mov rax, QWORD PTR [rsp+0xc]
    0x40e  cmp rbx, QWORD PTR [rax+0x4]
Is the final solution transparent?
Deviating Behavior
Figure: Deviating behavior identification.
Is the final solution transparent?
Deviating Behavior
Figure: Divergence: True Positive. Figure: Divergence: False Positive.
Could I develop a Debugger?
Inverted I/O
Figure: Debugger’s working mechanism.
Could I develop a Debugger?
Suspending Processes
EnumProcessThreads + SuspendThread.
DebugActiveProcess.
NtSuspendProcess.
Could I develop a Debugger?
Integration
Figure: GDB integration.
Does the solution handle ROP attacks?
ROP Attacks
Figure: ROP chain example.
Does the solution handle ROP attacks?
CALL-RET Policy
Figure: CALL-RET CFI policy.
Does the solution handle ROP attacks?
Gadget-size policy
Figure: KBouncer’s exploit stack.
Does the solution handle ROP attacks?
Exploit Analysis
Table: Excerpt of the branch window of the ROP payload.
FROM       | TO
----       | 0x7c346c0a
0x7c346c0b | 0x7c37a140
0x7c37a141 | ----
Does the solution handle ROP attacks?
Exploit Analysis
    7c346c08:  f2 0f 58 c3           addsd  %xmm3,%xmm0
    7c346c0c:  66 0f 13 44 24 04     movlpd %xmm0,0x4(%esp)

    0x1000 (size=1)  pop rax
    0x1001 (size=1)  ret
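The branch window above shows the two facts the CFI policies rely on: the landing address 0x7c346c0a is one byte inside addsd (its bytes 58 c3 decode as pop eax; ret), and each gadget is only a couple of instructions long. The following is an added example, not code from the talk: it runs the CALL-RET policy, a misaligned-target check and a kBouncer-style gadget-size policy over constructed (FROM, TO) records. The two kernel32 instructions are the slide's; every other address, mnemonic and both windows are constructed.

```python
from dataclasses import dataclass

# Decoded instructions: address -> (mnemonic, length in bytes).
# addsd/movlpd are the slide's kernel32 bytes (f2 0f 58 c3 / 66 0f 13 44 24 04);
# the entries one byte into addsd are the hidden decoding a misaligned branch
# executes (58 = pop %eax, c3 = ret). Everything below them is constructed.
DECODED = {
    0x7C346C08: ("addsd %xmm3,%xmm0", 4),
    0x7C346C0A: ("pop %eax", 1),
    0x7C346C0B: ("ret", 1),
    0x7C346C0C: ("movlpd %xmm0,0x4(%esp)", 6),
    0x7C37A140: ("inc %eax", 1),
    0x7C37A141: ("ret", 1),
    0x00401000: ("call 0x401100", 5),
    0x00401005: ("add %eax,%ebx", 2),
    0x00401100: ("mov %eax,%ecx", 2),
    0x00401102: ("ret", 1),
}
# Instruction boundaries a disassembler produces when sweeping from the
# function entries; the mid-addsd addresses are deliberately absent.
ALIGNED = {0x7C346C08, 0x7C346C0C, 0x7C37A140, 0x7C37A141,
           0x00401000, 0x00401005, 0x00401100, 0x00401102}


@dataclass
class Branch:
    src: int  # FROM: address of the branch instruction
    dst: int  # TO: where execution landed


def is_call_preceded(target):
    """CALL-RET policy: a RET is legitimate only if its target is the
    instruction immediately following some CALL."""
    return any(mnem.startswith("call") and addr + length == target
               for addr, (mnem, length) in DECODED.items())


def gadget_length(entry, branch_src):
    """Instructions executed from `entry` up to and including the branch at
    `branch_src`, following decoded lengths; None if the walk leaves known code."""
    addr, count = entry, 0
    while addr in DECODED:
        count += 1
        if addr == branch_src:
            return count
        addr += DECODED[addr][1]
    return None


def check_window(branches, max_gadget=5, chain_len=3):
    """Apply the three checks to a window of recorded branches and return
    (branch_index, finding) pairs. `chain_len` consecutive gadgets of at most
    `max_gadget` instructions each is reported as a chain."""
    findings, short_run = [], 0
    for i, b in enumerate(branches):
        mnem = DECODED.get(b.src, ("?", 0))[0]
        if b.dst in DECODED and b.dst not in ALIGNED:
            findings.append((i, "misaligned-target"))
        if mnem == "ret" and not is_call_preceded(b.dst):
            findings.append((i, "ret-without-call"))
        if i + 1 < len(branches):
            n = gadget_length(b.dst, branches[i + 1].src)
            short_run = short_run + 1 if n is not None and n <= max_gadget else 0
            if short_run >= chain_len:
                findings.append((i, "short-gadget-chain"))
    return findings


# Constructed windows. The first mimics the slide's excerpt: a RET lands one
# byte inside addsd, runs pop;ret, then chains further short gadgets.
ROP_WINDOW = [Branch(0x00401102, 0x7C346C0A), Branch(0x7C346C0B, 0x7C37A140),
              Branch(0x7C37A141, 0x7C346C0A), Branch(0x7C346C0B, 0x00401100)]
# A plain call and its matching return: no finding expected.
BENIGN_WINDOW = [Branch(0x00401000, 0x00401100), Branch(0x00401102, 0x00401005)]
```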
Is the solution easy to implement?
Lines of Code comparison
Figure: Lines of Code by solution (log scale, 100 to 1e6). Solutions compared: Ether:Comp, Ether:Xen, Ether:Patches, Ether:Patch, Ether:Ctl, MAVMM:Comp, MAVMM:Rep, Bit:Comp, Our:Comp, Our:Cli, Our:Drv, Our:Scr.
Is the solution portable?
Talking about Linux
    /* Excerpt of the Linux Intel BTS PMU driver: the branch trace store is
     * exposed through the perf PMU interface. */
    static __init int bts_init(void)
    {
        bts_pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE;
        bts_pmu.task_ctx_nr  = perf_sw_context;
        bts_pmu.event_init   = bts_event_init;
        bts_pmu.add          = bts_event_add;
        bts_pmu.del          = bts_event_del;
        bts_pmu.start        = bts_event_start;
        bts_pmu.stop         = bts_event_stop;
        bts_pmu.read         = bts_event_read;
        return perf_pmu_register(&bts_pmu, "intel_bts", -1);
    }
Is the solution portable?
Talking about Linux
    perf_init(&pe, MMAP_PAGES);
    fcntl(gbl_status.fd_evt, F_SETOWN, getpid());
    monitor_loop(pid_child, s_outfile);
Is the solution's overhead acceptable?
Could the solution run in real-time?
Task                             | Base value | System monitoring | Penalty | Benchmark monitoring | Penalty
Floating-point operations (op/s) | 101530464  | 99221196          | 2.27%   | 97295048             | 4.17%
Integer operations (op/s)        | 285649964  | 221666796         | 22.40%  | 219928736            | 23.01%
MD5 Hashes (hash/s)              | 777633     | 568486            | 26.90%  | 568435               | 26.90%
RAM transfer (MB/s)              | 7633       | 6628              | 13.17%  | 6224                 | 18.46%
HDD transfer (MB/s)              | 90         | 80                | 11.11%  | 75                   | 16.67%
Overall (benchm. pt)             | 518        | 470               | 9.27%   | 439                  | 15.25%
GPThreats-3: Is Automated Malware Generation a Threat?Marcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About AntivirusesMarcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!Marcus Botacin
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoringMarcus Botacin
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideMarcus Botacin
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisMarcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesMarcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareMarcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareMarcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...Marcus Botacin
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesMarcus Botacin
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...Marcus Botacin
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Marcus Botacin
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyMarcus Botacin
 

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
How do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guideHow do we detect malware? A step-by-step guide
How do we detect malware? A step-by-step guide
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
On the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel ApproachesOn the Malware Detection Problem: Challenges & Novel Approaches
On the Malware Detection Problem: Challenges & Novel Approaches
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
 
On the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software RepositoriesOn the Security of Application Installers & Online Software Repositories
On the Security of Application Installers & Online Software Repositories
 
UMLsec
UMLsecUMLsec
UMLsec
 
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
 

Recently uploaded

Neurodevelopmental disorders according to the dsm 5 tr
Neurodevelopmental disorders according to the dsm 5 trNeurodevelopmental disorders according to the dsm 5 tr
Neurodevelopmental disorders according to the dsm 5 trssuser06f238
 
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxAnalytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxSwapnil Therkar
 
Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.aasikanpl
 
Vision and reflection on Mining Software Repositories research in 2024
Vision and reflection on Mining Software Repositories research in 2024Vision and reflection on Mining Software Repositories research in 2024
Vision and reflection on Mining Software Repositories research in 2024AyushiRastogi48
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |aasikanpl
 
‏‏VIRUS - 123455555555555555555555555555555555555555
‏‏VIRUS -  123455555555555555555555555555555555555555‏‏VIRUS -  123455555555555555555555555555555555555555
‏‏VIRUS - 123455555555555555555555555555555555555555kikilily0909
 
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.aasikanpl
 
Microphone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptxMicrophone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptxpriyankatabhane
 
Module 4: Mendelian Genetics and Punnett Square
Module 4:  Mendelian Genetics and Punnett SquareModule 4:  Mendelian Genetics and Punnett Square
Module 4: Mendelian Genetics and Punnett SquareIsiahStephanRadaza
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PPRINCE C P
 
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tanta
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tantaDashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tanta
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tantaPraksha3
 
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.PraveenaKalaiselvan1
 
zoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistanzoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistanzohaibmir069
 
TOTAL CHOLESTEROL (lipid profile test).pptx
TOTAL CHOLESTEROL (lipid profile test).pptxTOTAL CHOLESTEROL (lipid profile test).pptx
TOTAL CHOLESTEROL (lipid profile test).pptxdharshini369nike
 
Recombinant DNA technology( Transgenic plant and animal)
Recombinant DNA technology( Transgenic plant and animal)Recombinant DNA technology( Transgenic plant and animal)
Recombinant DNA technology( Transgenic plant and animal)DHURKADEVIBASKAR
 
Heredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of TraitsHeredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of TraitsCharlene Llagas
 
Twin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptxTwin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptxEran Akiva Sinbar
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxkessiyaTpeter
 

Recently uploaded (20)

Neurodevelopmental disorders according to the dsm 5 tr
Neurodevelopmental disorders according to the dsm 5 trNeurodevelopmental disorders according to the dsm 5 tr
Neurodevelopmental disorders according to the dsm 5 tr
 
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptxAnalytical Profile of Coleus Forskohlii | Forskolin .pptx
Analytical Profile of Coleus Forskohlii | Forskolin .pptx
 
Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Hauz Khas Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
 
Vision and reflection on Mining Software Repositories research in 2024
Vision and reflection on Mining Software Repositories research in 2024Vision and reflection on Mining Software Repositories research in 2024
Vision and reflection on Mining Software Repositories research in 2024
 
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
Call Us ≽ 9953322196 ≼ Call Girls In Mukherjee Nagar(Delhi) |
 
‏‏VIRUS - 123455555555555555555555555555555555555555
‏‏VIRUS -  123455555555555555555555555555555555555555‏‏VIRUS -  123455555555555555555555555555555555555555
‏‏VIRUS - 123455555555555555555555555555555555555555
 
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
Call Girls in Mayapuri Delhi 💯Call Us 🔝9953322196🔝 💯Escort.
 
Microphone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptxMicrophone- characteristics,carbon microphone, dynamic microphone.pptx
Microphone- characteristics,carbon microphone, dynamic microphone.pptx
 
Engler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomyEngler and Prantl system of classification in plant taxonomy
Engler and Prantl system of classification in plant taxonomy
 
Module 4: Mendelian Genetics and Punnett Square
Module 4:  Mendelian Genetics and Punnett SquareModule 4:  Mendelian Genetics and Punnett Square
Module 4: Mendelian Genetics and Punnett Square
 
Artificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C PArtificial Intelligence In Microbiology by Dr. Prince C P
Artificial Intelligence In Microbiology by Dr. Prince C P
 
Volatile Oils Pharmacognosy And Phytochemistry -I
Volatile Oils Pharmacognosy And Phytochemistry -IVolatile Oils Pharmacognosy And Phytochemistry -I
Volatile Oils Pharmacognosy And Phytochemistry -I
 
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tanta
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tantaDashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tanta
Dashanga agada a formulation of Agada tantra dealt in 3 Rd year bams agada tanta
 
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
BIOETHICS IN RECOMBINANT DNA TECHNOLOGY.
 
zoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistanzoogeography of pakistan.pptx fauna of Pakistan
zoogeography of pakistan.pptx fauna of Pakistan
 
TOTAL CHOLESTEROL (lipid profile test).pptx
TOTAL CHOLESTEROL (lipid profile test).pptxTOTAL CHOLESTEROL (lipid profile test).pptx
TOTAL CHOLESTEROL (lipid profile test).pptx
 
Recombinant DNA technology( Transgenic plant and animal)
Recombinant DNA technology( Transgenic plant and animal)Recombinant DNA technology( Transgenic plant and animal)
Recombinant DNA technology( Transgenic plant and animal)
 
Heredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of TraitsHeredity: Inheritance and Variation of Traits
Heredity: Inheritance and Variation of Traits
 
Twin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptxTwin's paradox experiment is a meassurement of the extra dimensions.pptx
Twin's paradox experiment is a meassurement of the extra dimensions.pptx
 
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptxSOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
SOLUBLE PATTERN RECOGNITION RECEPTORS.pptx
 

Monitoring Systems & Binaries

  • 1. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Monitoring Systems & Binaries Marcus Botacin1 1Informatics - Federal University of Parana (UFPR) - Brazil mfbotacin@inf.ufpr.br November 2018 Monitoring Systems & Binaries FAU @ Erlangen
  • 2. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 3. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 4. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra About Me Malware Analyst (2012) BsC. Computer Engineer @ UNICAMP (2015) Sandbox Development MsC. Computer Science @ UNICAMP (2017) Hardware-Assisted Malware Analysis PhD. Computer Science @ UFPR (Present) Hardware-Assisted Malware Detection AntiVirus Evaluation Future Threats Contextual and Social Malware effects Monitoring Systems & Binaries FAU @ Erlangen
  • 5. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Why Monitoring ? Policy Enforcement Logging Forensics Debugging Malware Analysis Reverse Engineer Monitoring Systems & Binaries FAU @ Erlangen
  • 6. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Real Trace Examples 1 7/4/2014 −13:5:1.895| DeleteOperation |2032|C: deposito . exe |C: ProgramData r r . t x t | 1 7/4/2014 −13:3:48.294| CreateProcess |3028|C: Monitor Malware v i s u a l i z a r . exe |2440|C: WindowsSysWOW64 d l l . exe 1 2014−05−14 20:02:40.963113 10.10.100.101 XX. YY. ZZ.121 HTTP 290 GET /. swim01/ c o n t r o l . php? i a&mi=00B5AB4E−47098BC3 HTTP/1.1 Monitoring Systems & Binaries FAU @ Erlangen
  • 7. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 8. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Function Interposition Figure: Source: https://www.malwaretech.com/2015/01/ inline-hooking-for-programmers-part-1.html Monitoring Systems & Binaries FAU @ Erlangen
  • 9. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Techniques I Kernel Tables System Service Dispatch Table (SSDT) Interrupt Descriptor Table (IDT) Global Descriptor Table (GDT) Userland Tables API hooking DLL injection Monitoring Systems & Binaries FAU @ Erlangen
  • 10. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Techniques II Binary Patching Inline hooking OS Support Detours Callbacks Monitoring Systems & Binaries FAU @ Erlangen
  • 11. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 12. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra In Practice... Figure: Real malware claiming a registry problem when an anti-analysis trick succeeded. Monitoring Systems & Binaries FAU @ Erlangen
  • 13. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra In Practice... Figure: Commercial solution armored with anti-debug technique. Monitoring Systems & Binaries FAU @ Erlangen
  • 14. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra In Practice... Figure: Real malware impersonating a secure solution which cannot run under an hypervisor. Monitoring Systems & Binaries FAU @ Erlangen
  • 15. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Detecting Analysis Procedures 1 i f ( IsDebuggerPresent () ) 2 p r i n t f (” debuggedn ”) ; 3 e l s e 4 p r i n t f (”NO DBGn ”) ; 1 cmp [ eax+0xe9 ] , eax ; ; 0xe9 = JMP 2 pop rbp Monitoring Systems & Binaries FAU @ Erlangen
  • 16. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Anti-Analysis Summary Table: Anti-Analysis: Tricks summary. Malware samples may employ multiple techniques to evade distinct analysis procedures. Technique Description Reason Implementation Anti Check if running Blocks reverse Fingerprinting Debug inside a debugger engineering attempts Anti Check if running Analysts use VMs Execution VM inside a VM for scalability Side-effect Anti Fool disassemblers AV signatures may Undecidable Disassembly to generate wrong opcodes be based on opcodes Constructions Monitoring Systems & Binaries FAU @ Erlangen
  • 17. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 18. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Transparency 1 Higher privileged. 2 No non-privileged side-effects. 3 Identical Basic Instruction Semantics. 4 Transparent Exception Handling. 5 Identical Measurement of Time. Monitoring Systems & Binaries FAU @ Erlangen
  • 19. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Hardware Features Summary Technique PROS CONS Gaps HVM Ring -1 Hypervisor High development overhead SMM Ring -2 BIOS High development implementation cost AMT Ring -3 Chipset No malware code change analysis solution HPCs Lightweight Context-limited No malware information analysis solution GPU Easy to program No register No introspection data procedures SGX Isolates goodware Also isolates No enclave malware inspection SOCs Tamper-proof Passive Raise alarms components Monitoring Systems & Binaries FAU @ Erlangen
  • 20. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra HVM Figure: HVM operating layers . Monitoring Systems & Binaries FAU @ Erlangen
  • 21. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra HVM Figure: Ether Sandbox Exits. Monitoring Systems & Binaries FAU @ Erlangen
  • 22. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra SMM Figure: Operation modes. Source: https://tinyurl.com/l2uqr8d Monitoring Systems & Binaries FAU @ Erlangen
  • 23. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Figure: SMI generation. Monitoring Systems & Binaries FAU @ Erlangen
  • 24. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra A ring to rule them all! Figure: Privileged rings. Figure: New privileged rings. Monitoring Systems & Binaries FAU @ Erlangen
  • 25. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Isolated Enclaves Figure: SGX Memory Protection Monitoring Systems & Binaries FAU @ Erlangen
  • 26. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 27. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra DMA Attacks I Figure: Hypervisor Attack . Monitoring Systems & Binaries FAU @ Erlangen
  • 28. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra DMA Attacks II Figure: Source: https: //www.intel.com/content/dam/www/public/us/en/documents/ reference-guides/pcie-device-security-enhancements.pdf . Monitoring Systems & Binaries FAU @ Erlangen
  • 29. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra SGX Malware Figure: SGX Malware Monitoring Systems & Binaries FAU @ Erlangen
  • 30. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 31. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra References Who watches the watchmen: A security-focused review on current state-of-the-art techniques, tools and methods for systems and binary analysis on modern platforms—ACM Computing Surveys. Enhancing Branch Monitoring for Security Purposes: From Control Flow Integrity to Malware Analysis and Debugging—ACM Transactions on Privacy and Security. The other guys: automated analysis of marginalized malware—Journal of Computer Virology and Hacking techniques. Monitoring Systems & Binaries FAU @ Erlangen
  • 32. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Conclusions Thanks Tilo for hosting me. Open to hear your questions. Monitoring Systems & Binaries FAU @ Erlangen
  • 33. Introduction Software-Based Solutions Evasion Techniques Hardware-Assisted Solutions Attacks Conclusions Extra Agenda 1 Introduction 2 Software-Based Solutions 3 Evasion Techniques 4 Hardware-Assisted Solutions 5 Attacks 6 Conclusions 7 Extra Monitoring Systems & Binaries FAU @ Erlangen
  • 34. Proposed Framework. Figure: Proposed framework architecture.
  • 35. Could I develop a performance-counter-based malware analyzer? Could I isolate processes' actions? Figure: Data Storage (DS) area.
  • 36. Could I develop a performance-counter-based malware analyzer? Could I isolate processes' actions? Figure: Local Vector Table (LVT).
  • 37. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Table: ASLR - Library placement after two consecutive reboots.
    Library   | NTDLL      | KERNEL32   | KERNELBASE
    Address 1 | 0xBAF80000 | 0xB9610000 | 0xB8190000
    Address 2 | 0x987B0000 | 0x98670000 | 0x958C0000
  • 38. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Table: Function offsets from the ntdll.dll library.
    Function                   | Offset
    NtCreateProcess            | 0x3691
    NtCreateProcessEx          | 0x30B0
    NtCreateProfile            | 0x36A1
    NtCreateResourceManager    | 0x36C1
    NtCreateSemaphore          | 0x36D1
    NtCreateSymbolicLinkObject | 0x36E1
    NtCreateThread             | 0x30C0
    NtCreateThreadEx           | 0x36F1
  • 39. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible? Figure: Introspection mechanism.
  • 40. Could I develop a performance-counter-based malware analyzer? Is CG reconstruction possible?
    Figure: Step Into (call graph nodes: NewToy, printf, printf+0xca, __iob_func, printf+0xe3, _lock_file+0x90).
    Figure: Step Over (call graph nodes: NewToy, printf, scanf+0x3f).
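    Symbol resolution across ASLR reboots and step-into versus step-over call-graph reconstruction from branch records, as an added Python example rather than the talk's framework code. The library bases and the ntdll offsets come from the two tables above; the toy.exe binary, its symbols, the trace and the already-classified branch kinds are constructed assumptions.

```python
from typing import Dict, List, Set, Tuple

# Library bases observed via introspection after two reboots (slide 37),
# plus a constructed base for the monitored binary, which ASLR moves too.
BASES: Dict[str, Dict[str, int]] = {
    "boot1": {"toy.exe": 0x00400000, "KERNEL32": 0xB9610000, "NTDLL": 0xBAF80000},
    "boot2": {"toy.exe": 0x00F70000, "KERNEL32": 0x98670000, "NTDLL": 0x987B0000},
}
# Function offsets do not change with ASLR: the NTDLL ones are from
# slide 38, the toy.exe ones are constructed for this example.
OFFSETS: Dict[str, Dict[str, int]] = {
    "NTDLL": {"NtCreateProcessEx": 0x30B0, "NtCreateThread": 0x30C0,
              "NtCreateProcess": 0x3691},
    "toy.exe": {"main": 0x1000, "NewToy": 0x1200},
}
Record = Tuple[str, int, int]  # (branch kind, FROM, TO); kind assumed classified

def resolve(addr: int, bases: Dict[str, int]) -> Tuple[str, str, int]:
    """Raw address -> (module, symbol, delta): nearest preceding module base,
    then nearest preceding exported offset (module sizes omitted: constructed)."""
    base, mod = max(((b, m) for m, b in bases.items() if b <= addr), default=(0, "?"))
    rel = addr - base
    off, sym = max(((o, s) for s, o in OFFSETS.get(mod, {}).items() if o <= rel),
                   default=(0, "?"))
    return mod, sym, rel - off

def call_graph(records: List[Record], bases: Dict[str, int], root: str,
               step_over: bool = False) -> Set[Tuple[str, str]]:
    """Edges (caller, callee) rebuilt from call/ret branch records. Step-into
    keeps every call; step-over keeps only calls made from root's own frame,
    using the call/ret balance as the current nesting depth."""
    edges, depth = set(), 0
    for kind, frm, to in records:
        if kind == "call":
            caller = "{}!{}".format(*resolve(frm, bases)[:2])
            if not step_over or (depth == 0 and caller == root):
                edges.add((caller, "{}!{}".format(*resolve(to, bases)[:2])))
            depth += 1
        elif kind == "ret":
            depth -= 1
    return edges

def trace(boot: str) -> List[Record]:
    """Constructed trace of NewToy on one boot: it calls NtCreateProcess (which
    internally calls NtCreateProcessEx) and then NtCreateThread. Same offsets,
    different absolute addresses per boot."""
    nt, toy = BASES[boot]["NTDLL"], BASES[boot]["toy.exe"]
    return [("call", toy + 0x1210, nt + 0x3691), ("call", nt + 0x36A0, nt + 0x30B0),
            ("ret", nt + 0x30B8, nt + 0x36A5), ("ret", nt + 0x36B0, toy + 0x1215),
            ("call", toy + 0x1220, nt + 0x30C0), ("ret", nt + 0x30D0, toy + 0x1225)]
```

    Both boots yield the same three-edge graph in step-into mode and the same two NewToy edges in step-over mode, even though every absolute address differs.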
  • 41. Is CFG reconstruction possible? Figure: Code block identification.
  • 42. Is the final solution transparent? Identified tricks
    0x190 xor eax, eax
    0x192 jnz 0x19c
    (xor clears eax and sets ZF, so the jnz is never taken: an opaque predicate)
    0x180 push 0x10a
    0x185 ret
    (a ret with no matching call, used as an indirect jump)
  • 43. Is the final solution transparent? Identified tricks
    0x340 cmp eax, 0xe9
    0x345 jnz 0x347
    0x400 QWORD PTR fs:0x0, rsp
    0x409 mov rax, QWORD PTR [rsp+0xc]
    0x40e cmp rbx, QWORD PTR [rax+0x4]
  • 44. Is the final solution transparent? Deviating Behavior. Figure: Deviating behavior identification.
  • 45. Is the final solution transparent? Deviating Behavior. Figure: Divergence: True Positive. Figure: Divergence: False Positive.
  • 46. Could I develop a Debugger? Inverted I/O. Figure: Debugger's working mechanism.
  • 47. Could I develop a Debugger? Suspending Processes: EnumProcessThreads + SuspendThread; DebugActiveProcess; NtSuspendProcess.
  • 48. Could I develop a Debugger? Integration. Figure: GDB integration.
  • 49. Does the solution handle ROP attacks? ROP Attacks. Figure: ROP chain example.
  • 50. Does the solution handle ROP attacks? CALL-RET Policy. Figure: CALL-RET CFI policy.
  • 51. Does the solution handle ROP attacks? Gadget-size policy. Figure: kBouncer's exploit stack.
  • 52. Does the solution handle ROP attacks? Exploit Analysis
    Table: Excerpt of the branch window of the ROP payload.
    FROM       | TO
    ...        | ...
    0x7c346c0a | 0x7c346c0b
    0x7c37a140 | 0x7c37a141
    ...        | ...
  • 53. Does the solution handle ROP attacks? Exploit Analysis
    7c346c08: f2 0f 58 c3          addsd  %xmm3,%xmm0
    7c346c0c: 66 0f 13 44 24 04    movlpd %xmm0,0x4(%esp)
    0x1000 (size=1) pop rax
    0x1001 (size=1) ret
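    The CALL-RET policy and a kBouncer-style gadget-size policy applied to a branch window, as an added Python example rather than the talk's implementation. The disassembly and the branch records are constructed; only the instructions at 0x7c346c08/0x7c346c0c and the size-1 gadget at 0x1000/0x1001 are taken from the slide, and the trailing 0xc3 byte of the addsd is what yields an unintended RET when entered mid-instruction.

```python
from typing import Dict, List, Optional, Tuple

# Constructed linear disassembly: address -> (mnemonic, length in bytes).
# The addsd at 0x7c346c08 ends with byte 0xc3 at 0x7c346c0b: RET if entered there.
DISASM: Dict[int, Tuple[str, int]] = {
    0x401000: ("call", 5), 0x401005: ("mov", 3),          # benign caller
    0x401100: ("push", 1), 0x401101: ("ret", 1),          # benign callee
    0x7c346c08: ("addsd", 4), 0x7c346c0c: ("movlpd", 6),  # from the slide
    0x1000: ("pop", 1), 0x1001: ("ret", 1),               # slide's size=1 gadget
    0x2000: ("pop", 1), 0x2001: ("ret", 1), 0x3000: ("xor", 2), 0x3002: ("ret", 1),
}
# Constructed branch windows: a normal call/return pair, and a chain that enters
# the stray RET byte and then hops between short gadgets.
BENIGN = [(0x401000, 0x401100), (0x401101, 0x401005)]
ROP = [(0x7c346c0b, 0x1000), (0x1001, 0x2000), (0x2001, 0x3000), (0x3002, 0x1000)]

def source_kind(addr: int) -> str:
    """Mnemonic of an aligned branch source, 'unaligned' if not a boundary."""
    return DISASM[addr][0] if addr in DISASM else "unaligned"

def call_preceded(target: int) -> bool:
    """CALL-RET policy: a RET may only land on the instruction after a CALL."""
    return any(m == "call" and a + n == target for a, (m, n) in DISASM.items())

def instr_count(start: int, end: int) -> Optional[int]:
    """Instructions run straight-line from start through end; None if unknown."""
    count, addr = 0, start
    while addr in DISASM:
        count += 1
        if addr == end:
            return count
        addr += DISASM[addr][1]
    return None

def check_branch_window(records: List[Tuple[int, int]], gadget_max: int = 20,
                        chain_min: int = 8) -> List[str]:
    """Both policies over (FROM, TO) records; kBouncer's published thresholds
    are 20 instructions per gadget and 8 consecutive gadgets."""
    alerts, rets, run = [], [], 0
    for frm, to in records:
        kind = source_kind(frm)
        if kind == "unaligned":
            alerts.append(f"branch from unintended instruction boundary {frm:#x}")
        if kind in ("ret", "unaligned"):
            if not call_preceded(to):
                alerts.append(f"RET {frm:#x} -> {to:#x} is not call-preceded")
            rets.append((frm, to))
    for (_, entry), (exit_, _) in zip(rets, rets[1:]):  # gadget-size policy
        n = instr_count(entry, exit_)
        run = run + 1 if n is not None and n <= gadget_max else 0
        if run >= chain_min:
            alerts.append(f"{run} consecutive gadgets of <= {gadget_max} instructions")
            break
    return alerts
```

    With the published 8-gadget threshold the short constructed chain is caught only by the CALL-RET and boundary checks; lowering chain_min to 3 also triggers the gadget-size alert.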
  • 54. Is the solution easy to implement? Lines of Code comparison
    Figure: Lines of Code by solution (log scale, 100 to 1×10^6; solutions compared: Ether:Comp, Ether:Xen, Ether:Patches, Ether:Patch, Ether:Ctl, MAVMM:Comp, MAVMM:Rep, Bit:Comp, Our:Comp, Our:Cli, Our:Drv, Our:Scr).
  • 55. Is the solution portable? Talking about Linux
    (excerpt of bts_init() from the Linux kernel's Intel BTS PMU driver, arch/x86/events/intel/bts.c)
    static __init int bts_init(void)
    {
        bts_pmu.capabilities = PERF_PMU_CAP_AUX_NO_SG | PERF_PMU_CAP_ITRACE;
        bts_pmu.task_ctx_nr  = perf_sw_context;
        bts_pmu.event_init   = bts_event_init;
        bts_pmu.add          = bts_event_add;
        bts_pmu.del          = bts_event_del;
        bts_pmu.start        = bts_event_start;
        bts_pmu.stop         = bts_event_stop;
        bts_pmu.read         = bts_event_read;
        return perf_pmu_register(&bts_pmu, "intel_bts", -1);
    }
  • 56. Is the solution portable? Talking about Linux
    (user-space side: open the perf event, make this process the owner of the event fd so it receives the signal when the buffer fills, then loop over the child's branch records)
    perf_init(&pe, MMAP_PAGES);
    fcntl(gbl_status.fd_evt, F_SETOWN, getpid());
    monitor_loop(pid_child, s_outfile);
  • 57. Is the solution's overhead acceptable? Could the solution run in real-time?
    Task                             | Base value | System monitoring | Penalty | Benchmark monitoring | Penalty
    Floating-point operations (op/s) | 101530464  | 99221196          | 2.27%   | 97295048             | 4.17%
    Integer operations (op/s)        | 285649964  | 221666796         | 22.40%  | 219928736            | 23.01%
    MD5 hashes (hash/s)              | 777633     | 568486            | 26.90%  | 568435               | 26.90%
    RAM transfer (MB/s)              | 7633       | 6628              | 13.17%  | 6224                 | 18.46%
    HDD transfer (MB/s)              | 90         | 80                | 11.11%  | 75                   | 16.67%
    Overall (benchmark points)       | 518        | 470               | 9.27%   | 439                  | 15.25%