A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
A Security Barrier Device protects PC and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent from the PC and can be installed regardless of OS or application. At this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.
The SBD has a security information disk only accessible to itself where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD will reference the access privileges of that particular sector, if the sector is read-deny then returns dummy data of 0 , if the sector is write-deny then it won’t write to that sector. The SBD not only allows for sector based protection but also a file based protection. In case of a file write-deny, there were some issues with the disc related cache in memory not being synchronised or the pointer’s position to the file in regards to its directory being shifted , but I will show how it was solved.
I will also talk about the fact that a SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files, once it detects any access right violations it can shutdown the ethernet port remotely and thwart the spreading of malware.
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology conducted research and development of 30 Gbps intrusion detection systems , 60 Gbps URL filtering systems and or network devices testing equipment for such systems. Currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems)
http://codeblue.jp/en-speaker.html#KenjiToda
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
IWSEC2014(The 9th International Workshop on Security 弘前) で"Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints"
A talk I gave at Hackware v1.9 about my experience in using an Intel Edison in my company's product.
The video of my talk can be found here: https://engineers.sg/v/828
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇACODE BLUE
You got root access in OS X and now what?
Apple introduced mandatory code signing for kernel extensions in the new Yosemite version.
You are too cheap to buy a code signing certificate, or your OPSEC is against this?
You can't or don't want to steal someone's else certificate?
This presentation is about solving these problems with techniques that allow you to bypass all code signing requirements and regular kernel extensions loading interfaces.
The goal is to convince you that code signing isn't a serious obstacle in OS X, especially when its design is flawed and public known vulnerabilities remain "unpatched".
And if bad designs and vulnerabilities aren't enough then I'll also show you how to (ab)use an OS X feature for the same evil purposes.
The only requirement for this talk is uid=0(root). Well, the world isn't perfect!
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
A Security Barrier Device protects PC and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent from the PC and can be installed regardless of OS or application. At this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.
The SBD has a security information disk only accessible to itself where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD will reference the access privileges of that particular sector, if the sector is read-deny then returns dummy data of 0 , if the sector is write-deny then it won’t write to that sector. The SBD not only allows for sector based protection but also a file based protection. In case of a file write-deny, there were some issues with the disc related cache in memory not being synchronised or the pointer’s position to the file in regards to its directory being shifted , but I will show how it was solved.
I will also talk about the fact that a SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files, once it detects any access right violations it can shutdown the ethernet port remotely and thwart the spreading of malware.
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology conducted research and development of 30 Gbps intrusion detection systems , 60 Gbps URL filtering systems and or network devices testing equipment for such systems. Currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems)
http://codeblue.jp/en-speaker.html#KenjiToda
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...Kuniyasu Suzaki
IWSEC2014(The 9th International Workshop on Security 弘前) で"Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints"
A talk I gave at Hackware v1.9 about my experience in using an Intel Edison in my company's product.
The video of my talk can be found here: https://engineers.sg/v/828
Secret of Intel Management Engine by Igor SkochinskyCODE BLUE
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇACODE BLUE
You got root access in OS X and now what?
Apple introduced mandatory code signing for kernel extensions in the new Yosemite version.
You are too cheap to buy a code signing certificate, or your OPSEC is against this?
You can't or don't want to steal someone's else certificate?
This presentation is about solving these problems with techniques that allow you to bypass all code signing requirements and regular kernel extensions loading interfaces.
The goal is to convince you that code signing isn't a serious obstacle in OS X, especially when its design is flawed and public known vulnerabilities remain "unpatched".
And if bad designs and vulnerabilities aren't enough then I'll also show you how to (ab)use an OS X feature for the same evil purposes.
The only requirement for this talk is uid=0(root). Well, the world isn't perfect!
Live Memory Forensics on Android devicesNikos Gkogkos
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
The hangover: A "modern" (?) high performance approach to build an offensive ...Nelson Brito
T50 (an Experimental Mixed Packet Injector) very first public tak about the version 2.5 (The Murder Version).
Check the original demonstration videos:
- https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx
For further source codes, please, refer to:
- http://t50.sourceforge.net/
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
PH-Neutral lecture about Permutation Oriented Programming (formerly known as Exploit Next Generation® Methodology).
Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness.
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.
For new age touch-based embedded devices, Android is becoming a popular OS going beyond mobile phones. With its roots from Embedded Linux, Android framework offers benefits in terms of rich libraries, open-source and multi-device support. Emertxe’s hands-on Embedded Android Training Course is designed to customize, build and deploy custom Embedded OS on ARM target. Rich set of projects will make your learning complete.
امروزه مجازیسازی یکی از روشهای پرطرفدار برای پیادهسازی کارگزاران وب است. این فناوری موجب کاهش هزینههای تجارتهای کوچک میشود. مجازیسازی یکی از جنبههای مهم ارائه خدمات ابری است که حتی برای تجارتهای بزرگ نیز از جذابیت زیادی برخوردار است.
در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخههای جدیدتر هسته سیستم عامل لینوکس پیادهسازی شده است میپردازیم. هرچند این امکانات مجازیسازی کامل را به ارمغان نمیآورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم میکنند. راه حلهایی همچون LXC و Docker بر اساس این امکانات توانستهاند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.
Live Memory Forensics on Android devicesNikos Gkogkos
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
The hangover: A "modern" (?) high performance approach to build an offensive ...Nelson Brito
T50 (an Experimental Mixed Packet Injector) very first public tak about the version 2.5 (The Murder Version).
Check the original demonstration videos:
- https://www.youtube.com/playlist?list=PLda9TmFadx_m2qdd-euUf4zhQ-5juTVEx
For further source codes, please, refer to:
- http://t50.sourceforge.net/
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
GNOME desktop environment stores user’s credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII characters and Unicode characters.
[PH-Neutral 0x7db] Exploit Next Generation®Nelson Brito
PH-Neutral lecture about Permutation Oriented Programming (formerly known as Exploit Next Generation® Methodology).
Permutation Oriented Programming is the simplest way to avoid security solution detection and shows the Pattern Matching technology weakness.
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
Hardware virtualization technologies play a significant role in cyber security. On the one hand these technologies enhance security levels, by designing a trusted operating system. On the other hand these technologies can be taken up into modern malware which is rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self uninstalling, memory hiding etc. New hypervisor detection methods which will be described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on the new statistical analysis of time discrepancies by examination of a set of instructions, which are unconditionally intercepted by a hypervisor. Reliability was achieved through the comprehensive analysis of the collected data despite its fluctuation. These offered methods were comprehensively assessed in both Intel and AMD CPUs.
For new age touch-based embedded devices, Android is becoming a popular OS going beyond mobile phones. With its roots from Embedded Linux, Android framework offers benefits in terms of rich libraries, open-source and multi-device support. Emertxe’s hands-on Embedded Android Training Course is designed to customize, build and deploy custom Embedded OS on ARM target. Rich set of projects will make your learning complete.
امروزه مجازیسازی یکی از روشهای پرطرفدار برای پیادهسازی کارگزاران وب است. این فناوری موجب کاهش هزینههای تجارتهای کوچک میشود. مجازیسازی یکی از جنبههای مهم ارائه خدمات ابری است که حتی برای تجارتهای بزرگ نیز از جذابیت زیادی برخوردار است.
در این سخنرانی به امکاناتی همچون Control Groups و Containers که در نسخههای جدیدتر هسته سیستم عامل لینوکس پیادهسازی شده است میپردازیم. هرچند این امکانات مجازیسازی کامل را به ارمغان نمیآورند، اما بسیاری از مزایای آن را با سربار بسیار کم در سطح هسته فراهم میکنند. راه حلهایی همچون LXC و Docker بر اساس این امکانات توانستهاند به نتایج خوبی برسند که هم از لحاظ تجاری در خور توجه هستند و هم تبعات و کاربردهای امنیتی دارند.
Docker, Linux Containers, and Security: Does It Add Up?Jérôme Petazzoni
Containers are becoming increasingly popular. They have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting an new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
In this presentation, we will:
- Review the actual security risks, in particular for multi-tenant environments running arbitrary applications and code
- Discuss how to mitigate those risks
- Focus on containers as implemented by Docker and the libcontainer project, but the discussion also stands for plain containers as implemented by LXC
LXC, Docker, security: is it safe to run applications in Linux Containers?Jérôme Petazzoni
Linux Containers (or LXC) is now a popular choice for development and testing environments. As more and more people use them in production deployments, they face a common question: are Linux Containers secure enough? It is often claimed that containers have weaker isolation than virtual machines. We will explore whether this is true, if it matters, and what can be done about it.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
The topic will cover content such as: * Why virtualisation in embedded * Hypervisor architectures on ARM and a quick roundup of examples * Relevant security technologies * Specific requirements for embedded systems * Example usage of FOSS based hypervisors in embedded * Challenges such as safety certification and how this may be approached
Virtual machines are generally considered secure. At least, secure enough to power highly multi-tenant, large-scale public clouds, where a single physical machine can host a large number of virtual instances belonging to different customers. Containers have many advantages over virtual machines: they boot faster, have less performance overhead, and use less resources. However, those advantages also stem from the fact that containers share the kernel of their host, instead of abstracting a new independent environment. This sharing has significant security implications, as kernel exploits can now lead to host-wide escalations.
We will show techniques to harden Linux Containers; including kernel capabilities, mandatory access control, hardened kernels, user namespaces, and more, and discuss the remaining attack surface.
Containers and workload security an overview Krishna-Kumar
Beginner Level Talk - Presented at Bangalore container conf 2018 - Containers and workload security an overview. Hope it get starts your container security journey :-)
Secure Container solution is to enhance container security by isolating memory between Docker containers inside one VM with Intel VT-x EPT HW, which is highly effective to protect container’s memory and at the meantime defends ret2user privilege escalation attack that exploits kernel vulnerabilities (eg. CVE-2017-6074 UAF (use-after-free) vulnerability). It extends KVM interfaces which the guest OS can leverage to isolate container memory from other containers, and the interfaces rely on Intel VT-x EPT hardware extension and provide memory access protection for the container which sits in an isolated memory region. Each secure container has a dedicated EPT table rather than sharing one EPT table with guest OS, which enforces the cross-EPT memory access protection. The whole solution is user-friendly to fit in the existing cloud server infrastructure with very limited changes.
[Defcon] Hardware backdooring is practicalMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Utilocate offers a comprehensive solution for locate ticket management by automating and streamlining the entire process. By integrating with Geospatial Information Systems (GIS), it provides accurate mapping and visualization of utility locations, enhancing decision-making and reducing the risk of errors. The system's advanced data analytics tools help identify trends, predict potential issues, and optimize resource allocation, making the locate ticket management process smarter and more efficient. Additionally, automated ticket management ensures consistency and reduces human error, while real-time notifications keep all relevant personnel informed and ready to respond promptly.
The system's ability to streamline workflows and automate ticket routing significantly reduces the time taken to process each ticket, making the process faster and more efficient. Mobile access allows field technicians to update ticket information on the go, ensuring that the latest information is always available and accelerating the locate process. Overall, Utilocate not only enhances the efficiency and accuracy of locate ticket management but also improves safety by minimizing the risk of utility damage through precise and timely locates.
Custom Healthcare Software for Managing Chronic Conditions and Remote Patient...Mind IT Systems
Healthcare providers often struggle with the complexities of chronic conditions and remote patient monitoring, as each patient requires personalized care and ongoing monitoring. Off-the-shelf solutions may not meet these diverse needs, leading to inefficiencies and gaps in care. It’s here, custom healthcare software offers a tailored solution, ensuring improved care and effectiveness.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Software Engineering, Software Consulting, Tech Lead.
Spring Boot, Spring Cloud, Spring Core, Spring JDBC, Spring Security,
Spring Transaction, Spring MVC,
Log4j, REST/SOAP WEB-SERVICES.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
OpenFOAM solver for Helmholtz equation, helmholtzFoam / helmholtzBubbleFoamtakuyayamamoto1800
In this slide, we show the simulation example and the way to compile this solver.
In this solver, the Helmholtz equation can be solved by helmholtzFoam. Also, the Helmholtz equation with uniformly dispersed bubbles can be simulated by helmholtzBubbleFoam.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Top 7 Unique WhatsApp API Benefits | Saudi ArabiaYara Milbes
Discover the transformative power of the WhatsApp API in our latest SlideShare presentation, "Top 7 Unique WhatsApp API Benefits." In today's fast-paced digital era, effective communication is crucial for both personal and professional success. Whether you're a small business looking to enhance customer interactions or an individual seeking seamless communication with loved ones, the WhatsApp API offers robust capabilities that can significantly elevate your experience.
In this presentation, we delve into the top 7 distinctive benefits of the WhatsApp API, provided by the leading WhatsApp API service provider in Saudi Arabia. Learn how to streamline customer support, automate notifications, leverage rich media messaging, run scalable marketing campaigns, integrate secure payments, synchronize with CRM systems, and ensure enhanced security and privacy.
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector
1. Seunghun Han, Jungwhan Kang
(hanseunghun || ultract)@nsr.re.kr
Myth and Truth about
Hypervisor-Based Kernel Protector:
The Reason Why You Need Shadow-Box
2. - Senior security researcher at NSR (National
Security Research Institute of South Korea)
- Speaker at HITBSecConf 2016
- Author of the book series titled “64-bit multi-
core OS principles and structure, Vol.1&2”
- a.k.a kkamagui, @kkamagui1
Who are we ?
- Researcher at NSR
- Participated final round of some CTFs
(Codegate, ISEC… held in South Korea)
- Interested in OSsecurity and reading write-up of CTFs
- Got married last year
- a.k.a ultract, @ultractt
3. Goal of This Presentation
- We present lightweight hypervisor-based
kernel protector, “Shadow-box”
- Shadow-box defends kernel from security threats
efficiently, and we made it from scratch
- We share lessons learned from deploying
and operating Shadow-box in real world
systems
- We have been operating Shadow-box since
last year and share lessons learned!
6. Security Threats of Linux Kernel
- The Linux kernel suffers from rootkits and
security vulnerabilities
- Rootkits: EnyeLKM, Adore-ng, Sebek, suckit,
kbeast, and so many descendants
- Vulnerabilities: CVE-2014-3153, CVE-2015-3636,
CVE-2016-4557, CVE-2017-6074, etc.
Devices which use Linux kernel
share security threats
7. Melee Combats at the Kernel-level
- Kernel-level (Ring 0) protections are not
enough
- Lots of rootkits and exploits work in the Ring 0 level
- Protections against them are often easily bypassed
and neutralized
- Kernel Object Hooking (KOH)
- Direct Kernel Object Manipulation (DKOM)
Protections need
an even lower level (Ring -1)
9. Taking the Higher Ground
- Leveraging virtualization technology (VT)
- VT separates a machine into a host (secure world)
and a guest (normal world)
- The host in Ring -1 can freely access/control
the guest in Ring 0 (the converse doesn’t hold)
- VT-equipped HW: Intel VT-x, AMD AMD-v,
ARM TrustZone
10. UserUser
Trends of Introducing Ring -1
User
Kernel
Guest
(Normal World)
Host
(Secure World)
Host OS Guest OS
User
Kernel
Virtualization Technology
(T.Z., VT-x, AMD-v)
Monitor, control
12. Researches Are Excellent, But They Look …
I heard and knew about them
But, I can not find in real world!
13. - Many researches have preconditions
- They usually change kernel code or hypervisor
- They also need well-known hashes of LKM,
well-known value of kernel data, secure VM
for analyzing target VM, etc.
- Many researches consume much resource
- The host and the guest run each OS
- They allocate resources independently!
- The host consumes many CPU cycles to introspect
the guest because of semantic gap
Restrictions on Previous Researches (1)
14. Restrictions on Previous Researches (2)
- In conclusion, previous researches are
considered for laboratory environment only
- They assume they can control environment!
- But, real world environment is totally different from
laboratory environment!
- You even don’t know the
actual environment before
the software is installed!
REAL WORLD!
WELCOME TO
16. Design Goals of Kernel Protector
- Lightweight
- Focus on rootkit detection and protection
- Simple and extensible architecture
- Small memory footprint
- No secure VMs and no multiple OSes
- Practical
- Out-of-box approach
- No modification of kernel code and data
- Dynamic injection
- Load any time from boot to runtime
19. Security Architecture in Shadow Play
Ring -1 Monitoring Mechanism
Activities in OS
Security Monitor
We named this architecture
“Shadow-box”
(Light-Box)
(Shadow-Watcher)
20. User
Shared
Area
Light-Box
(Lightweight Hypervisor)
Architecture of Shadow-Box
User
(Read/Write
Permission)
Shared Kernel
(Read-only
Permission)
Guest (Ring 0~3)Host (Ring -1)
Shared Kernel Only Shared Kernel and User
Shared Kernel
(Read/Write
Permission)
Shadow-
Watcher
(Monitor)
Monitor, control
21. - Light-box, lightweight hypervisor,
- Isolates worlds by using memory protection
technique in VT
- Shares the kernel area between the host (Ring -1)
and the guest (Ring 0 ~ 3)
- Does not run each OS in two worlds
- Uses smaller resources than existing mechanisms
and has narrow semantic gap
- Can be loaded any time (loadable kernel module)
Architecture of Light-Box
22. - Shadow-watcher
- Monitors the guest by using Light-box
- Checks if applications of the guest modify kernel
objects or not by event-driven way
- Code, system table, IDT table, etc.
- Checks the integrity of the guest by introspecting
kernel object by periodic way
- Process list, loadable kernel module (LKM) list,
function pointers of file system and socket
Architecture of Shadow-Watcher
23. What can Shadow-Box do?
- Shadow-box protects Linux kernel from
- Static kernel object attacks
- Static kernel object = immutable in runtime
- Code modification and system table modification attacks
- Dynamic kernel object attacks
- Dynamic kernel object = mutable in runtime
- Process hiding and module hiding
- Function pointer modification attacks
29. Static Kernel Object Protection (4)
User
Area
Static
Kernel
Objects
Shadow-
Box
Objects
DMA
VT-d DMA Remapping
Reporting (DMAR) Table
Physical Address
DMA Address
Read, Write
No
Permission
No
Permission
Level.3
Level 4
Level 3
Level 2
Level 1
Paging Structure of
Second Level Page Table
Level.2
Level.1
Physical
Physical
Physical
context
Root
Table
Level.4
Context
Table
30. Dynamic Kernel Object Protection (1)
A B F...
Next
Prev
Next Next
Prev Prev
Task and Module List
in Guest
⑤ Comparing data
Task and Module
Create Function
do_fork() or
load_module()
{
create_object();
modify_list();
}
Task and Module
Delete Function
release_task() or
delete_module()
{
delete_object();
modify_list();
}
② Inserting
H/W breakpoint
③ Monitoring
Task and Module List
in Shadow-box① Creating initial data
A B F...
Next
Prev
Next Next
Prev Prev
④ Shadowing
list data
31. VFS and Socket Objects
of Guest
FP
Pointer
Host
Logical Address
Module
Code
Malicious
Code
Open
Function Pointer
Structure
Read
Write
Close
Kernel
Code
...
Invalid
Invalid
Valid
Valid
Malicious
Code
(Loaded after
Shadow-box)
User
Area
Kernel
Area
Dynamic Kernel Object Protection (2)
: Code area loaded before Shadow-box
32. Privileged Register Protection
- GDTR, LDTR and IDTR change interactions
between kernel and user level
- IA32_SYSENTER_CS, IA32_SYSENTER_ESP,
IA32_STAR, IA32-LSTAR and IA32_FMASK
MSR also change them
- These privileged registers are rarely changed
after boot!
- So, Shadow-box
- Locks the privileged registers
- Locks and Monitors GDT, LDT, and IDT table
33. Rootkit Detection
- All rootkits are detected
Name Detected? Detected Point
EnyeLKM √
code change,
module hide
Adore-ng 0.56 √
function pointer change,
module hide
Sebek 2.0 √
system table change,
module hide
Suckit 2.0 √ system table change
kbeast √
system table change,
module hide
34. Performance Measurements of Prototype
- Application benchmarks show 1% ~ 10%
performance overhead
- 5.3% at kernel compile in single-core processor
- 6.2% at kernel compile in multi-core processor
Results of Application Benchmark. Lower is better.
(Intel i7-4790 4core 8thread 3.6GHz, 32GB RAM, 512GB SSD)
Single-core processor Multi-core processor
37. We met
BEASTS of REAL WORLD!
(false positive, slow-down, system hang, etc.)
WHAT HAPPENED…
OH, NO…
Previous researches did not
tell us something important!
AGAIN!
NICE TO MEET YOU
38. Lessons Learned - 1
- Code is not immutable!
- Linux kernel has a CONFIG_JUMP_LABEL option!
- If this option is set, Linux kernel patches itself on
runtime!
- Unfortunately, this option is set by default!
- Solution
- Option 1: Add exceptional cases for mutable code
pages
- Option 2: If you can build kernel,
Turn Off CONFIG_JUMP_LABEL option NOW!
39. Lessons Learned - 2
- Cache type in EPT is very important!
- Linux system has some memory mapped I/O area
- BIOS area, APIC area, PCI area, etc.
- Misconfiguration makes various problems such as
system hang, slow down, video mode change error,
etc.
- Solution
- Set uncacheable type by default
- Set write-back type to “System RAM” area only!
40. Lessons Learned - 2
Write-back
Cache Type
Uncacheable
Cache Type
by Default
41. Lessons Learned - 3
- Multi-core environment is more complicated
than you think!
- Each core modifies process list and module list
concurrently
- When H/W breakpoint exception occurred,
other cores could be changing the lists already!
- So, we need a mechanism for synchronizing lists
- Solution
- Lock tasklist_lock and module_mutex of the guest
while Shadow-box is checking the lists!
46. Conclusion and Black Hat Sound Bytes
- Kernel-level (Ring 0) threats should be
protected in a more privileged level (Ring -1)
- We create Ring -1 level by using VT from scratch
- Shadow-box is lightweight and practical
- Shadow-box uses less resource than existing
mechanisms and protects kernel from rootkits
- Real world is Serengeti!
- Real world is different from laboratory environment
- You should have a strong mentality for defeating
beasts of real world! or use Shadow-box instead!
47. THANK YOU
THE CHOICE IS YOURS !
Contact: hanseunghun@nsr.re.kr, @kkamagui1
ultract@nsr.re.kr, @ultractt
Project : github.com/kkamagui/shadow-box-for-x86