The document discusses virtualization and introduces virtual 8086 mode. It cites figures of 78% of companies running virtualized production servers, with VMware in use at 98% of them. Real mode and virtual 8086 mode let code reach hardware directly through BIOS interrupts and port I/O; inside a virtual machine those accesses are intercepted and emulated by the hypervisor, which is what turns them into an attack surface. Both Windows (through NTVDM) and Linux (through the vm86 system call) expose virtual 8086 mode so that 16-bit applications can run under a protected-mode kernel.
[Ruxcon] Breaking virtualization by switching the cpu to virtual 8086 mode (Moabi.com)
The document introduces virtual 8086 mode as a way to reach hardware directly through BIOS interrupts in order to test virtualization platforms more thoroughly. In virtual 8086 mode every interrupt service of every emulated device can be invoked with arbitrary register arguments, which exercises far more of the hypervisor's device-emulation code than a guest driver or a standard API ever would. Examples are given of fuzzing virtual hard disks and keyboards by calling all the relevant interrupt functions with varied parameters.
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007, Nate Lawson)
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
[Ruxcon 2011] Post Memory Corruption Memory Analysis (Moabi.com)
The document introduces PMCMA (Post Memory Corruption Memory Analyzer), a debugger that analyzes memory corruption bugs by forcing the crashed process to fork repeatedly, overwriting candidate memory locations in each offspring, and monitoring how the offspring executes, so that the set of exploitable scenarios can be mapped without re-running the original crash. PMCMA aims to provide a roadmap for exploitation by identifying which corrupted locations matter and which techniques apply, such as truncating function pointers or exploiting 4-byte-aligned memory writes. The tool is available online and received over 10,000 downloads in its first two months.
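The fork-and-overwrite loop at the heart of that approach, as an added example in C that is not PMCMA's own code: a hypothetical `struct handler` stands in for a corrupted object holding a function pointer, each candidate value is written into the object only inside a forked child, the child calls through it, and the parent classifies the child's fate from its exit status while its own copy of the object stays intact. The three candidates tried (the original pointer, a copy with its upper 32 bits zeroed as a partial overwrite would leave it, and a null pointer) are constructed for this example.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed stand-in for an object whose function pointer was reached by a
 * memory corruption in the crashed process (assumption, not a real target). */
struct handler {
    void (*fn)(void);
};

static void benign(void) { }

enum outcome { OUTCOME_CLEAN = 0, OUTCOME_CRASH = 1, OUTCOME_OTHER = 2 };

/* The parent never touches the live object. It forks, lets the child overwrite
 * the pointer with the candidate and call through it, then classifies how the
 * child ended. Each candidate costs one fork instead of a replay of the crash. */
enum outcome probe_pointer(struct handler *h, uintptr_t candidate)
{
    pid_t pid = fork();
    if (pid < 0)
        return OUTCOME_OTHER;
    if (pid == 0) {
        /* Default fault handling so the parent sees the raw signal, not a
         * report from any handler the host process may have installed. */
        signal(SIGSEGV, SIG_DFL);
        signal(SIGBUS, SIG_DFL);
        signal(SIGILL, SIG_DFL);
        h->fn = (void (*)(void))candidate;   /* only this child sees the write */
        h->fn();
        _exit(0);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return OUTCOME_OTHER;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return OUTCOME_CLEAN;
    if (WIFSIGNALED(status) && (WTERMSIG(status) == SIGSEGV ||
                                WTERMSIG(status) == SIGBUS ||
                                WTERMSIG(status) == SIGILL))
        return OUTCOME_CRASH;
    return OUTCOME_OTHER;
}

/* One of the corruptions the tool reasons about: a partial overwrite that
 * zeroes the upper half of a pointer. */
uintptr_t truncate_pointer(uintptr_t p)
{
    return p & 0xffffffffu;
}

int main(void)
{
    struct handler h = { benign };
    uintptr_t orig = (uintptr_t)benign;
    uintptr_t candidates[] = { orig, truncate_pointer(orig), 0 };
    const char *names[] = { "original", "truncated", "null" };
    for (int i = 0; i < 3; i++) {
        enum outcome r = probe_pointer(&h, candidates[i]);
        printf("%-9s 0x%lx -> %s\n", names[i], (unsigned long)candidates[i],
               r == OUTCOME_CLEAN ? "clean" : r == OUTCOME_CRASH ? "crash" : "other");
    }
    return 0;
}
```

Whether the truncated pointer survives depends on where the binary is loaded (a non-PIE executable mapped low keeps working, a PIE one crashes), which is exactly the kind of per-process answer the fork probe is meant to give.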
Malicious Hypervisor - Virtualization in Shellcodes by Adhokshaj Mishra (OWASP Delhi)
This document provides an overview of using virtualization and hypervisors for malicious purposes. It discusses hypervisors, how they work, and why they could be useful for malware. It then covers setting up a basic virtual machine using KVM on Linux, including initializing memory, injecting code, handling I/O, and converting the code to a shellcode. The presentation includes demos of creating a KVM-powered hypervisor and a hypervisor shellcode.
This document describes a local privilege escalation exploit for Linux kernels before 2.6.36-rc1 (CVE-2010-2959). It abuses an integer overflow in the Controller Area Network (CAN) broadcast manager (net/can/bcm.c): a user-controlled frame count is multiplied by the frame size, the product wraps, and the kernel allocates a buffer far smaller than the data it then copies into it. Triggered carelessly, the overflow crashes the system; triggered precisely, crafted messages sent over a local CAN BCM socket overwrite adjacent kernel memory, redirect execution and patch the calling process's credentials to gain root.
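The arithmetic behind that bug, as an added example in C that is not the exploit's or the kernel's code: the vulnerable shape computes the allocation length in 32-bit arithmetic from a 32-bit frame count, as a 32-bit kernel does, so a large count wraps to a tiny length while the copy loop still runs for the full count; the hardened shape checks for overflow and an explicit policy bound before multiplying. The frame size of 16 bytes, the policy limit of 256 frames and the return conventions are assumptions made for this example. Nothing is written out of bounds; the model only reports how far a real copy would overrun.

```c
#include <stdint.h>

#define CFSIZ        16u    /* assumed size of one frame in memory */
#define MAX_FRAMES   256u   /* policy limit chosen for this example */

/* Vulnerable shape: nframes arrives from userspace as a 32-bit value and the
 * length is computed in 32-bit arithmetic, so the product wraps modulo 2^32.
 * 0x10000000 frames * 16 bytes == 0x100000000, which truncates to 0. */
uint32_t vuln_alloc_len(uint32_t nframes)
{
    return nframes * CFSIZ;
}

/* Hardened shape: reject counts whose product cannot be represented, then
 * apply the policy bound, and only then multiply. Returns 0 on success. */
int safe_alloc_len(uint32_t nframes, uint32_t *out_len)
{
    if (nframes == 0 || nframes > UINT32_MAX / CFSIZ)
        return -1;                  /* would wrap */
    if (nframes > MAX_FRAMES)
        return -1;                  /* legal but unreasonable */
    *out_len = nframes * CFSIZ;
    return 0;
}

/* Model of the receive-setup path: allocate according to the (possibly wrapped)
 * length, then copy nframes frames. The copy loop is bounded by nframes, not by
 * the allocation, so the difference is the number of bytes written past the end. */
uint64_t vuln_overrun_bytes(uint32_t nframes)
{
    uint64_t allocated = vuln_alloc_len(nframes);
    uint64_t copied    = (uint64_t)nframes * CFSIZ;
    return copied > allocated ? copied - allocated : 0;
}
```

The overrun is what the exploit shapes: with the wrapped length chosen so the buffer lands in a small allocator cache, the copy runs over whatever object sits next to it.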
GOD MODE Unlocked: Hardware backdoors in x86 CPUs (Priyanka Aash)
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in x86 processors, and they’re buried deeper than we ever imagined possible.
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc.
Speakers:
Christopher Domas, Cyber Security Researcher
The document provides an overview of the Linux boot process from power-on to starting the kernel. It discusses:
- What bootloaders like U-Boot and GRUB do to initialize hardware and load the kernel
- The differences between ARM and x86 boot processes
- How the kernel starts init as PID 1 when no userspace environment exists yet
- What initrds are and how to explore one
- How to get more debug messages from the kernel boot process
- Tips for learning more using QEMU, GDB and systemd-bootchart
The document examines the boot process in detail from a low-level perspective using tools like GDB and binutils to disassemble binaries.
Conducting forensic examination and analysis of rootkit programs using the example of... (Alex Matrosov)
This document summarizes a presentation on analyzing the Win32/Olmarik(TDL4) rootkit through forensic examination and debugging techniques. It discusses the evolution of rootkits from x86 to x64 systems and techniques used by TDL rootkits to bypass security protections like driver signature enforcement. It also demonstrates tools like TdlFsReader that were developed to analyze the hidden TDL file system and decrypt encrypted files.
This document discusses Device Tree, which is a data structure used to describe hardware platforms in Linux. It consists of a series of named nodes and properties. Device Tree is compiled from a Device Tree Source file (.dts) into a binary blob (.dtb) by a Device Tree Compiler. It allows hardware information to be passed to the operating system at boot time without needing to be encoded in code. The format and common uses of Device Tree are explained along with how drivers can probe for devices based on Device Tree properties and nodes.
Hyperforce: Hypervisor-enForced Execution of Security-Critical Code (Francesco Gadaleta)
We present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous in-hypervisor systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an in-guest security mechanism with the security of an in-hypervisor one.
This document discusses a theoretical DNS cache poisoning attack against BIND 8 DNS servers. It begins by describing the two transaction ID algorithms used in BIND 8, NSID_USE_POOL and NSID_SHUFFLE_ONLY. It then analyzes NSID_USE_POOL and shows that, given 3 consecutive transaction IDs, the linear coefficients relating one ID to the next can be reconstructed, allowing the next ID to be predicted; an attacker who can predict the ID can forge a response the resolver will accept. A similar analysis is done for NSID_SHUFFLE_ONLY. The document concludes that a theoretical attack is possible against BIND 9 as well, though not currently feasible.
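The coefficient recovery that analysis relies on, as an added example in C that is not from the paper: it assumes the IDs follow a 16-bit linear congruential generator x[n+1] = a*x[n] + c mod 2^16 (the page states only that consecutive IDs are linearly related; the multiplier 25173 and increment 13849 used below to produce sample IDs are example constants, not BIND's). Three consecutive IDs give a = (x2 - x1) * (x1 - x0)^-1 and c = x1 - a*x0, which is enough to predict the fourth. When x1 - x0 is even it has no inverse modulo 2^16, so the recovery reports failure instead of guessing; more samples would be needed in that case.

```c
#include <stdint.h>

/* Assumed generator shape for the example: 16-bit LCG, reduction by truncation. */
struct lcg { uint16_t a, c; };

uint16_t lcg_next(uint16_t x, uint16_t a, uint16_t c)
{
    return (uint16_t)((uint32_t)a * x + c);
}

/* Inverse of an odd value modulo 2^16 by Newton iteration: starting from d itself
 * (correct mod 8 for any odd d) each step doubles the number of correct low bits,
 * so four steps comfortably cover 16. Even inputs have no inverse: returns 0. */
uint16_t inv_mod_2_16(uint16_t d)
{
    if ((d & 1) == 0) return 0;
    uint32_t inv = d;
    for (int i = 0; i < 4; i++)
        inv = inv * (2u - (uint32_t)d * inv);   /* arithmetic mod 2^32, truncated below */
    return (uint16_t)inv;
}

/* x1 = a*x0 + c and x2 = a*x1 + c give x2 - x1 = a*(x1 - x0), so a follows from
 * the ratio of the two differences and c from either equation. */
int recover_lcg(uint16_t x0, uint16_t x1, uint16_t x2, struct lcg *g)
{
    uint16_t d0 = (uint16_t)(x1 - x0);
    uint16_t d1 = (uint16_t)(x2 - x1);
    uint16_t inv = inv_mod_2_16(d0);
    if (inv == 0) return -1;          /* d0 even: a is not uniquely determined */
    g->a = (uint16_t)((uint32_t)d1 * inv);
    g->c = (uint16_t)(x1 - (uint32_t)g->a * x0);
    return 0;
}

uint16_t predict_next(uint16_t last, const struct lcg *g)
{
    return lcg_next(last, g->a, g->c);
}
```

With a, c recovered from three observed IDs, every later ID the resolver will use is known, which is what turns a 1-in-65536 guess into a single forged packet.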
Kernel Recipes 2015: Representing device-tree peripherals in ACPI (Anne Nicolas)
Platforms using ACPI firmware are becoming increasingly interesting to embedded developers. This presentation will demonstrate the new features in the ACPI 5.1 specification which make it possible for ACPI to transparently represent devices using existing device-tree bindings, and for Linux to use existing device drivers which should automatically work for both ACPI and device-tree.
David Woodhouse, Intel
Sun fire x2250 technical training presentation (xKinAnx)
The document provides an overview of the Sun Fire X2250 server including:
- It has two Intel Xeon processors, up to 8GB of RAM, and can run Solaris, Linux or Windows.
- The hardware includes two SATA hard drives, a DVD drive, two Gigabit Ethernet ports, and one PCIe expansion slot.
- It also describes the server's architecture, storage, I/O ports, dimensions, and compares it to competing 1U rackmount servers from HP, Dell, and IBM.
- Device Tree (DT) is a data structure that describes hardware configurations and is used as a standard interface between bootloaders and operating systems on ARM devices.
- DT avoids hardcoding platform details and makes it easier to support multiple device types with a single kernel image.
- Key components of DT include the device tree source (DTS) file, device tree compiler (DTC), and device tree blob (DTB) binary file. DT provides a unified way to describe hardware across ARM platforms in Linux.
[HackInTheBox] Breaking virtualization by any means (Moabi.com)
The document discusses various techniques for attacking virtualization systems and escalating privileges. It begins with an overview of virtualization definitions and market shares. It then covers methods such as privilege escalation on guest systems and the host, attacking isolation between guest operating systems, denial of service attacks targeting both the host and guests, and escaping the virtualized environment to the host system. Specific vulnerabilities and research are referenced to illustrate different attack vectors. The document concludes with a discussion of fuzzing the hypervisor or host operating system through techniques like virtual 8086 mode, I/O port fuzzing, and PCI device fuzzing to identify new ways to escalate privileges on the host system.
Hardware backdooring is practical : slides (Moabi.com)
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete erasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demonstrating its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the aforementioned firmwares as part of their scope of work.
[Defcon] Hardware backdooring is practical (Moabi.com)
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete erasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demonstrating its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the aforementioned firmwares as part of their scope of work.
Virtual Machines Security Internals: Detection and Exploitation (Mattia Salvi)
This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
DefCon 2012 - Hardware Backdooring (Slides) (Michael Smith)
Hardware backdooring by state actors is practical according to the speaker. The speaker demonstrates a proof of concept called Rakshasa that can backdoor computer firmware like BIOS and network cards to achieve persistent remote access. Rakshasa leverages existing free and open source software like Coreboot and iPXE to make the backdoor stealthy and hard to detect. It also discusses challenges with attribution and detection of such backdoors, and argues that strong protections are not currently possible given vulnerabilities in computer hardware and supply chains.
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U... (Vincenzo Iozzo)
Charlie Miller and Vincenzo Iozzo presented techniques for post-exploitation on the iPhone 2 including:
1. Running arbitrary shellcode by overwriting memory protections and calling vm_protect to mark pages as read/write/executable.
2. Loading an unsigned dynamic library (Meterpreter) by mapping it over an existing signed library, patching dyld to ignore code signing, and forcing the unloading of linked libraries.
3. Adding new functionality to Meterpreter, such as a module to vibrate and play a sound on the iPhone, demonstrating how payloads can be extended once loaded into memory.
Virtualization allows multiple virtual machines to run on a single physical machine. It relies on hardware advances like multi-core CPUs and networking improvements. Virtualization works by either emulating hardware, trapping privileged instructions and emulating them, dynamic binary translation, or paravirtualization where the guest OS is aware it is virtualized. I/O virtualization can emulate devices, use paravirtualized drivers, or directly assign devices to VMs. This enables server consolidation and efficient utilization of resources in cloud computing.
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti... (DefconRussia)
The document describes vulnerabilities found in the Windows kernel trap handlers and NTVDM subsystem. It provides a case study of vulnerabilities disclosed in MS13-063, including CVE-2013-3196 which allowed a write-what-where condition in the nt!PushInt handler due to improper validation of operands during emulation of 16-bit instructions. The document also covers prior research on NTVDM vulnerabilities and the architecture of legacy software execution in Windows, highlighting the complex kernel interfaces and large attack surface involved in supporting older programs.
Remote code execution in restricted windows environments (Borja Merino)
This document discusses techniques for remote code execution in restricted Windows environments, focusing on stagers. A stager is a small piece of shellcode whose only job is to fetch and execute the next stage, such as malware or an implant. The document gives examples of open source stagers and frameworks that can be reused for implants. It also covers transport protocols, socket hunting (walking the exploited process's open descriptors to find the connection the exploit arrived on, so the stager can reuse a channel already allowed through the firewall instead of opening a new one), and the drawbacks of "universal" stagers that try to be exploit agnostic.
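Socket hunting in the form a stager would do it, as an added example in C that is not from the document and is written against the POSIX socket API rather than Winsock, since the idea is the same: walk the descriptor table, keep only connected IPv4 stream sockets, and pick the one whose peer port matches the port the attacker's listener is known to use. `make_loopback_pair` is a constructed stand-in for "the connection the exploit came in on" (a loopback listener on an ephemeral port with one client connected), so the search can be exercised offline; the descriptor cap and the choice to match on peer port are assumptions of the example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Walk the descriptor table looking for a connected IPv4 stream socket whose
 * peer port matches. Returns the fd, or -1 if none is found. */
int find_connected_socket(uint16_t peer_port)
{
    long max_fd = sysconf(_SC_OPEN_MAX);
    if (max_fd < 0 || max_fd > 65536) max_fd = 65536;   /* cap chosen for the example */
    for (int fd = 0; fd < max_fd; fd++) {
        int type;
        socklen_t len = sizeof type;
        if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) < 0)
            continue;                       /* not open, or not a socket */
        if (type != SOCK_STREAM)
            continue;
        struct sockaddr_storage ss;
        socklen_t sslen = sizeof ss;
        if (getpeername(fd, (struct sockaddr *)&ss, &sslen) < 0)
            continue;                       /* a socket, but not connected */
        if (ss.ss_family != AF_INET)
            continue;
        const struct sockaddr_in *sin = (const struct sockaddr_in *)&ss;
        if (ntohs(sin->sin_port) == peer_port)
            return fd;                      /* reuse this one: it already passed the firewall */
    }
    return -1;
}

/* Constructed test fixture: a loopback listener on an ephemeral port, one client
 * connected to it, and the accepted server end. The listener is closed once the
 * connection exists, so only the two connected ends remain open. */
int make_loopback_pair(int *client, int *server, uint16_t *port)
{
    int ls = socket(AF_INET, SOCK_STREAM, 0);
    if (ls < 0) return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                      /* let the kernel pick a port */
    socklen_t alen = sizeof addr;
    if (bind(ls, (struct sockaddr *)&addr, alen) < 0 || listen(ls, 1) < 0 ||
        getsockname(ls, (struct sockaddr *)&addr, &alen) < 0) {
        close(ls);
        return -1;
    }
    int c = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || connect(c, (struct sockaddr *)&addr, sizeof addr) < 0) {
        if (c >= 0) close(c);
        close(ls);
        return -1;
    }
    int s = accept(ls, NULL, NULL);
    close(ls);
    if (s < 0) { close(c); return -1; }
    *client = c;
    *server = s;
    *port = ntohs(addr.sin_port);
    return 0;
}
```

Only the client end has the listener's port as its peer; the accepted end sees the client's ephemeral port instead, which is why matching on the peer port picks out the right descriptor even when both ends live in the same process.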
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ... (The Linux Foundation)
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI), which is built on Xen Project software. On April 14th, 2017 The Shadow Brokers released the EternalBlue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as the propagation mechanism for the WannaCry ransomware. HVI blocked exploitation attempts with no prior knowledge of the exploit or the underlying vulnerability. This talk covers the exploit mechanism, how HVI detects its actions, and some of the advantages of HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and of how hypervisor introspection and security enforced from the hypervisor can help companies withstand new exploits of this kind.
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th... (Felipe Prado)
This document discusses exploiting Qualcomm WLAN and modem chips over-the-air. It begins with introductions to the researchers and Tencent Blade Team. It then outlines the agenda and provides background on Qualcomm chips, including the WLAN firmware, modem firmware loading process, and attack surfaces. It details a vulnerability in the WLAN firmware that allows overwriting memory and escalating privileges to the modem and kernel. It demonstrates exploiting this vulnerability over-the-air to achieve remote code execution on Android devices. The document concludes with discussions on stability of exploitation and delivering payloads across different devices.
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide... (Marco Balduzzi)
Protocol gateways are embedded devices used in industrial facilities to integrate legacy equipment such as serial PLCs with modern control networks. Given the importance that these devices play in the operation of manufacturing plants, we conducted a vendor agnostic analysis of the technology behind protocol translation, by identifying new unexplored weaknesses and vulnerabilities. We evaluated five popular gateway products and discovered translation problems that enable potential adversaries to conduct stealthy and difficult-to-detect attacks, for example to arbitrarily disable or enable a targeted machine by means of innocent-looking packets that bypass common ICS firewalls. In this presentation, we share the results of our findings and discuss the impact of the problems that we identified and their potential countermeasures.
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers the basics of how the fuzzer operates, gives a tutorial on how to run it, and explains how to extend it to fuzz new drivers.
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
This document summarizes a presentation on analyzing the Win32/Olmarik(TDL4) rootkit through forensic examination and debugging techniques. It discusses the evolution of rootkits from x86 to x64 systems and techniques used by TDL rootkits to bypass security protections like driver signature enforcement. It also demonstrates tools like TdlFsReader that were developed to analyze the hidden TDL file system and decrypt encrypted files.
This document discusses Device Tree, which is a data structure used to describe hardware platforms in Linux. It consists of a series of named nodes and properties. Device Tree is compiled from a Device Tree Source file (.dts) into a binary blob (.dtb) by a Device Tree Compiler. It allows hardware information to be passed to the operating system at boot time without needing to be encoded in code. The format and common uses of Device Tree are explained along with how drivers can probe for devices based on Device Tree properties and nodes.
Hyperforce: Hypervisor-enForced Execution of Security-Critical CodeFrancesco Gadaleta
We present HyperForce, a framework which allows the deployment of security-critical code in a way that significantly outperforms previous in-hypervisor systems while maintaining similar guarantees with respect to security and integrity. HyperForce is a hybrid system which combines the performance of an in-guest security mechanism with the security of in-hypervisor one.
This document discusses a theoretical DNS cache poisoning attack against BIND 8 DNS servers. It begins by describing the two transaction ID algorithms used in BIND 8 - NSID_USE_POOL and NSID_SHUFFLE_ONLY. It then analyzes the NSID_USE_POOL algorithm and shows that with 3 consecutive transaction IDs, the linear coefficients relating the IDs can be reconstructed, allowing prediction of the next ID. A similar analysis is done for NSID_SHUFFLE_ONLY. The document concludes there is a theoretical attack possible against BIND 9 as well, though not currently feasible.
Kernel Recipes 2015: Representing device-tree peripherals in ACPIAnne Nicolas
Platforms using ACPI firmware are becoming increasingly interesting to embedded developers. This presentation will demonstrate the new features in the ACPI 5.1 specification which make it possible for ACPI to transparently represent devices using existing device-tree bindings, and for Linux to use existing device drivers which should automatically work for both ACPI and device-tree.
David Woodhouse, Intel
Sun fire x2250 technical training presentationxKinAnx
The document provides an overview of the Sun Fire X2250 server including:
- It has two Intel Xeon processors, up to 8GB of RAM, and can run Solaris, Linux or Windows.
- The hardware includes two SATA hard drives, a DVD drive, two Gigabit Ethernet ports, and one PCIe expansion slot.
- It also describes the server's architecture, storage, I/O ports, dimensions, and compares it to competing 1U rackmount servers from HP, Dell, and IBM.
- Device Tree (DT) is a data structure that describes hardware configurations and is used as a standard interface between bootloaders and operating systems on ARM devices.
- DT avoids hardcoding platform details and makes it easier to support multiple device types with a single kernel image.
- Key components of DT include the device tree source (DTS) file, device tree compiler (DTC), and device tree blob (DTB) binary file. DT provides a unified way to describe hardware across ARM platforms in Linux.
[HackInTheBox] Breaking virtualization by any meansMoabi.com
The document discusses various techniques for attacking virtualization systems and escalating privileges. It begins with an overview of virtualization definitions and market shares. It then covers methods such as privilege escalation on guest systems and the host, attacking isolation between guest operating systems, denial of service attacks targeting both the host and guests, and escaping the virtualized environment to the host system. Specific vulnerabilities and research are referenced to illustrate different attack vectors. The document concludes with a discussion of fuzzing the hypervisor or host operating system through techniques like virtual 8086 mode, I/O port fuzzing, and PCI device fuzzing to identify new ways to escalate privileges on the host system.
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
[Defcon] Hardware backdooring is practicalMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
Hardware backdooring by state actors is practical according to the speaker. The speaker demonstrates a proof of concept called Rakshasa that can backdoor computer firmware like BIOS and network cards to achieve persistent remote access. Rakshasa leverages existing free and open source software like Coreboot and iPXE to make the backdoor stealthy and hard to detect. It also discusses challenges with attribution and detection of such backdoors, and argues that strong protections are not currently possible given vulnerabilities in computer hardware and supply chains.
Post Exploitation Bliss: Loading Meterpreter on a Factory iPhone, Black Hat U...Vincenzo Iozzo
Charlie Miller and Vincenzo Iozzo presented techniques for post-exploitation on the iPhone 2 including:
1. Running arbitrary shellcode by overwriting memory protections and calling vm_protect to mark pages as read/write/executable.
2. Loading an unsigned dynamic library called Meterpreter by mapping it over an existing signed library, patching dyld to ignore code signing, and forcing unloaded of linked libraries.
3. Adding new functionality to Meterpreter, such as a module to vibrate and play a sound on the iPhone, demonstrating how payloads can be extended once loaded into memory.
Virtualization allows multiple virtual machines to run on a single physical machine. It relies on hardware advances like multi-core CPUs and networking improvements. Virtualization works by either emulating hardware, trapping privileged instructions and emulating them, dynamic binary translation, or paravirtualization where the guest OS is aware it is virtualized. I/O virtualization can emulate devices, use paravirtualized drivers, or directly assign devices to VMs. This enables server consolidation and efficient utilization of resources in cloud computing.
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
The document describes vulnerabilities found in the Windows kernel trap handlers and NTVDM subsystem. It provides a case study of vulnerabilities disclosed in MS13-063, including CVE-2013-3196 which allowed a write-what-where condition in the nt!PushInt handler due to improper validation of operands during emulation of 16-bit instructions. The document also covers prior research on NTVDM vulnerabilities and the architecture of legacy software execution in Windows, highlighting the complex kernel interfaces and large attack surface involved in supporting older programs.
Remote code execution in restricted windows environmentsBorja Merino
This document discusses techniques for remote code execution in restricted Windows environments, specifically focusing on stagers. A stager is shellcode responsible for fetching and executing the next stage, such as malware or an implant. The document provides examples of open source stagers and frameworks that can be reused for implants. It also covers transport protocols, techniques for socket hunting to reuse existing connections, and drawbacks of "universal" stagers that try to be exploit agnostic.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI), which is built on Xen Project software. On April 14th, 2017, The Shadow Brokers released the EternalBlue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as the propagation mechanism for the WannaCry ransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or the underlying vulnerability. This talk covers the exploit mechanism, how HVI detects its actions, and some of the advantages of an HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and of how hypervisor introspection, and security enforced from the hypervisor in general, can help companies avoid new exploits of this kind.
DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over th...Felipe Prado
This document discusses exploiting Qualcomm WLAN and modem chips over-the-air. It begins with introductions to the researchers and Tencent Blade Team. It then outlines the agenda and provides background on Qualcomm chips, including the WLAN firmware, modem firmware loading process, and attack surfaces. It details a vulnerability in the WLAN firmware that allows overwriting memory and escalating privileges to the modem and kernel. It demonstrates exploiting this vulnerability over-the-air to achieve remote code execution on Android devices. The document concludes with discussions on stability of exploitation and delivering payloads across different devices.
Lost in Translation: When Industrial Protocol Translation goes Wrong [CONFide...Marco Balduzzi
Protocol gateways are embedded devices used in industrial facilities to integrate legacy equipment such as serial PLCs with modern control networks. Given the importance that these devices play in the operation of manufacturing plants, we conducted a vendor agnostic analysis of the technology behind protocol translation, by identifying new unexplored weaknesses and vulnerabilities. We evaluated five popular gateway products and discovered translation problems that enable potential adversaries to conduct stealthy and difficult-to-detect attacks, for example to arbitrarily disable, or enable a targeted machinery by mean of innocent-looking packets that bypass common ICS firewalls. In this presentation, we share the results of our findings and discuss the impact to the problems that we identified and their potential countermeasures.
syzkaller is an unsupervised, coverage-guided Linux syscall fuzzer.
The presentation covers basic of operation of the fuzzer, gives tutorial on how to run it and how to extend it to fuzz new drivers.
A survey of Ferrie's Virus Bulletin series on anti-unpacking techniques and an examination of these techniques (or their absence) in prevalent malware families.
Presented at Virus Bulletin 2009.
http://www.virusbtn.com
Reducing attack surface on ICS with Windows native solutionsJan Seidl
This document summarizes steps for hardening Windows systems used in industrial control systems (ICS). It recommends:
1. Performing basic hardening steps like removing unnecessary software, disabling services, and restricting file system access.
2. Leveraging the native Windows firewall to prevent backdoors and malware from communicating.
3. Implementing whitelisting of authorized software using Software Restriction Policies or AppLocker to prevent unauthorized code execution.
4. Using Enhanced Mitigation Experience Toolkit (EMET) for exploitation mitigation to reduce the impact of zero-day vulnerabilities.
5. Leveraging PowerShell remoting and Just Enough Administration (JEA) to restrict remote access without using
This document discusses dynamic malware analysis and the challenges posed by self-modifying code. It examines existing general purpose dynamic binary instrumentation frameworks like Pin and DynamoRIO, finding that while they handle self-modifying code, they are not designed with a "malware mindset" and have exploitable gaps. The document demonstrates these gaps through examples, showing how transitions in virtual memory protections and program counter virtualization can be exploited. It concludes that a framework with a "malware mindset" is needed to properly handle malware analysis at scale.
Mingbo Zhang, Rutgers University
Saman Zonouz, Rutgers University
Time-of-check-to-time-of-use (TOCTOU), also known as a "race condition" or "double fetch", is a long-standing problem. Since memory reads and writes are such common operations, they barely trigger any security mechanism. We leverage a CPU feature called SMAP (Supervisor Mode Access Prevention) to efficiently monitor the events of the kernel accessing user-mode memory. When user pages are being accessed by the kernel, our mitigation kicks in and protects them against further modification from other user-mode threads. We also leverage the same CPU feature to find double-fetch errors in kernel modules. A simple hypervisor is used to confine a system-wide CPU feature such as SMAP to a particular process.
NetBSD can run on Google Compute Engine virtual machines. To set this up, one must install the Google Cloud SDK and create a NetBSD disk image with the vioscsi driver. This disk image is uploaded to Google Cloud Storage and used to create a virtual machine instance on Google Compute Engine. When the instance boots, the boot messages can be viewed which show the virtual devices like virtio SCSI and network being initialized and the root file system mounting from the persistent disk.
4. Virtualization : market shares
Source : Forrester Research 2009
78% of companies have production servers virtualized.
20% only have virtualized servers.
5. Virtualization : market shares
Source : Forrester Research 2009
VMWare is present in 98% of the companies.
Microsoft virtualization products are used by 17%.
Citrix/Xen is used by 10%.
6. Bottom line...
Virtualization software is so widespread that it has become a more attractive target than, say, web, mail or DNS servers !
There is also much less variety among products : a single bug covers a large population of hosts.
8. Virtualization : Definitions
Virtualization
Virtualization is the simulation of lower-level components by higher-level ones.
NOTE: Virtualization of applications (as opposed to full OSes) is out of scope.
9. Virtualization : Definitions
Virtual Machine
A virtual machine (VM) is : "an efficient, isolated duplicate of a real machine".
-- Gerald J. Popek and Robert P. Goldberg (1974). "Formal Requirements for Virtualizable Third Generation Architectures", Communications of the ACM.
11. Virtualization : Definitions
Paravirtualization
Requires the modification of the guest OSes, or at least of their drivers (eg: Xen, UML, Qemu with kqemu, VMWare Workstation with VMWare Tools).
Opposed to « full virtualization », where the guest runs unmodified.
12. Virtualization : Definitions
There are two kinds of Virtual Machine Monitors (or Hypervisors) : type I and type II.
16. Virtualization : Definitions
Hypervisors of type II
Run as a process inside a host OS to virtualize guest OSes (eg: Qemu, Virtualbox, VMWare Workstation, Parallels).
18. Hardware assisted virtualization
- Takes advantage of the AMD-V or Intel VT-x CPU extensions for virtualization.
- x64 only in practice (the hypervisors built on it, such as ESX and Hyper-V, are 64-bit).
- The hypervisor is running in « ring -1 ».
- Much like the NX bit : requires CPU support and activation in the BIOS (the firmware can lock it off before the OS boots).
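The check a practitioner wants before relying on hardware-assisted virtualization is "does this CPU advertise it, and did the firmware leave it enabled?". The following C program is an added example, not code from the slides: it decodes the CPUID feature bits (Intel VMX in leaf 1 ECX bit 5, AMD SVM in leaf 0x80000001 ECX bit 2) and the IA32_FEATURE_CONTROL MSR (0x3A, lock bit 0, "VMX outside SMX" bit 2). The decoders take raw register values so they can be tested on any host; the live probe uses the compiler's `<cpuid.h>` and, as an assumption, the Linux `msr` driver at `/dev/cpu/0/msr` (root only).

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__i386__) || defined(__x86_64__)
#include <cpuid.h>
#endif

enum hv_ext { HV_NONE, HV_VTX, HV_SVM };

/* Intel advertises VMX in CPUID leaf 1 ECX bit 5, AMD advertises SVM in leaf 0x80000001 ECX bit 2.
 * Inside a guest these bits are normally masked unless nested virtualization is enabled, which is
 * itself a hint that you are running under a hypervisor. */
static enum hv_ext hv_ext_from_cpuid(const char *vendor12, uint32_t leaf1_ecx, uint32_t ext1_ecx)
{
    if (memcmp(vendor12, "GenuineIntel", 12) == 0 && (leaf1_ecx & (1u << 5)))
        return HV_VTX;
    if (memcmp(vendor12, "AuthenticAMD", 12) == 0 && (ext1_ecx & (1u << 2)))
        return HV_SVM;
    return HV_NONE;
}

/* IA32_FEATURE_CONTROL (MSR 0x3A): bit 0 = lock (set by the firmware before the OS runs),
 * bit 2 = VMX allowed outside SMX. Lock set with bit 2 clear is the "disabled in the BIOS" case:
 * VMXON faults and only a reboot into the firmware setup changes that. */
enum vtx_state { VTX_ENABLED, VTX_DISABLED_LOCKED, VTX_UNLOCKED };

static enum vtx_state vtx_state_from_msr(uint64_t feature_control)
{
    int locked  = (int)(feature_control & 1u);
    int enabled = (int)((feature_control >> 2) & 1u);
    if (!locked)
        return VTX_UNLOCKED;          /* the OS may still set and lock it itself */
    return enabled ? VTX_ENABLED : VTX_DISABLED_LOCKED;
}

/* Read one MSR through the Linux msr driver (assumption: "modprobe msr", run as root). 0 on success. */
static int read_msr(const char *path, uint32_t msr, uint64_t *value)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = pread(fd, value, sizeof *value, (off_t)msr);
    close(fd);
    return n == (ssize_t)sizeof *value ? 0 : -1;
}

int main(void)
{
#if defined(__i386__) || defined(__x86_64__)
    unsigned int a, b, c, d, leaf1_ecx = 0, ext1_ecx = 0;
    char vendor[12];
    if (!__get_cpuid(0, &a, &b, &c, &d))
        return 1;
    memcpy(vendor, &b, 4); memcpy(vendor + 4, &d, 4); memcpy(vendor + 8, &c, 4);
    if (__get_cpuid(1, &a, &b, &c, &d))
        leaf1_ecx = c;
    if (__get_cpuid(0x80000001u, &a, &b, &c, &d))
        ext1_ecx = c;
    enum hv_ext ext = hv_ext_from_cpuid(vendor, leaf1_ecx, ext1_ecx);
    printf("%.12s: %s\n", vendor, ext == HV_VTX ? "VT-x advertised" :
                                   ext == HV_SVM ? "AMD-V advertised" : "no hardware virtualization visible");
    uint64_t fc;
    if (ext == HV_VTX && read_msr("/dev/cpu/0/msr", 0x3A, &fc) == 0) {
        enum vtx_state st = vtx_state_from_msr(fc);
        printf("IA32_FEATURE_CONTROL=%#llx: %s\n", (unsigned long long)fc,
               st == VTX_ENABLED ? "enabled and locked" :
               st == VTX_DISABLED_LOCKED ? "disabled in the BIOS (locked)" : "not locked yet");
    }
#else
    puts("not an x86 CPU");
#endif
    return 0;
}
```

On a host that hides VT-x from its guests the first line already tells you that you are looking at a VM rather than at bare metal.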
19. Virtualization : Definitions
Isolation
Isolation of the userland part of the OS to simulate independent machines (eg: Linux-Vservers, Solaris « Zones », BSD « jails », OpenVZ under GNU/Linux).
22. Privilege escalation on the host
VMware Tools HGFS Local Privilege Escalation Vulnerability
(http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=712)
23. Privilege escalation on the Guest
CVE-2009-2267 « Mishandled exception on page fault in VMware », Tavis Ormandy and Julien Tinnes
27. Attack surface analysis : usage
Hosting two companies on the same hardware is very common (shared hosting).
Getting a shell on the same physical machine as a given target may therefore be a matter of paying a few euros a month.
28. Attack surface : conclusion
Owning the Host OS from the Guest is practical : security through virtualization is a failure.
Seemingly minor bugs (local, DoS) do matter : virtualization amplifies their consequences.
30. The need for new tools : example
How to dynamically test a virtual Hard Drive ?
31. How to dynamically test a virtual Hard Drive ? Naive approach
Standard API :
ssize_t read(int fd, void *buf, size_t count);
ssize_t write(int fd, const void *buf, size_t count);
This would mostly fuzz the kernel, not the Virtual Machine :(
We need something (much) lower level.
33. How did we use to do it « back in the days » ?
MS DOS : direct access to the hardware (interrupts : BIOS, HD, Display, …)
Can we get back to this ?
35. Introducing the Virtual 8086 mode
Introduced with the Intel 386 (1985)
36. Introducing the Virtual 8086 mode
Intel x86 CPUs support 3 modes :
- Protected mode
- Real mode
- System Management Mode (SMM)
37. Introducing the Virtual 8086 mode
Protected mode
This mode is the native state of the processor. Among the capabilities of protected mode is the ability to directly execute "real-address mode" 8086 software in a protected, multi-tasking environment. This feature is called virtual-8086 mode, although it is not actually a processor mode. Virtual-8086 mode is actually a protected mode attribute that can be enabled for any task.
38. Introducing the Virtual 8086 mode
Real-address mode
This mode implements the programming environment of the Intel 8086 processor with extensions (such as the ability to switch to protected or system management mode). The processor is placed in real-address mode following power-up or a reset.
39. Introducing the Virtual 8086 mode
System management mode (SMM)
This mode provides an operating system or executive with a transparent mechanism for implementing platform specific functions such as power management and system security. The processor enters SMM when the external SMM interrupt pin (SMI#) is activated or an SMI is received from the advanced programmable interrupt controller (APIC).
40. Nice things about Real mode / Virtual 8086 mode
Direct access to hardware via interrupts !
41. example:
mov ah, 0x02        ; read sectors (CHS). AH=0x42 is the LBA "extended read" and takes a DS:SI packet instead
mov al, 1           ; number of sectors to read
mov ch, 0x01        ; cylinder (low 8 bits ; bits 9:8 go in cl[7:6])
mov cl, 0x02        ; sector (1-based, cl[5:0])
mov dh, 0x03        ; head
mov dl, 0x80        ; drive (here first HD)
mov bx, offset buff ; es:bx is the destination buffer
int 0x13            ; BIOS disk service
42. Complexity
ax*bx*cx*dx (per interrupt)
Id est: [0;65535]^4 = 2^64 ~ 1.8 * 10^19
=> still huge
=> much better than ioctl()'s arbitrary input length !
43. Introducing the Virtual 8086 mode
Problem is... is this even possible inside a virtual machine ?
44. Introducing the Virtual 8086 mode
A closer look at the boot sequence...
46. Introducing the Virtual 8086 mode
The kernel boots in (16-bit) real mode, and then switches to protected mode (32-bit).
The CPU normally doesn't get back to real mode until the next reboot.
47. Introducing the Virtual 8086 mode
Corollary
The hypervisor itself could run in any mode ; in practice it runs in protected mode (ring 0, ring 1 or ring 3, depending on its design).
All of the guests run only in protected mode once their kernel has booted.
48. Now how to switch to Virtual 8086 mode ? Is this even possible ?
49. Leaving protected mode ?
(Ascii Art : Courtesy of phrack 65)
Setting the VM flag (EFLAGS bit 17, not a CR0 bit) while in protected mode gets us into virtual-8086 mode ; it can only be loaded through a task switch or an IRET, not with POPF.
Clearing the PE flag (CR0 bit 0) gets us back to real mode.
53. Truth is : we don't need to switch back to real mode / virtual 8086 mode !
Most operating systems offer a way to run 16-bit applications (eg: MS DOS) under protected mode by emulating a switch to Virtual 8086 Mode.
Notably Windows (x86) and Linux (x86).
54. The Windows case
NTVDM : ntvdm.exe, the « Windows 16-bit Virtual Machine »
56. The Linux case
The Linux kernel provides an emulation of real mode in the form of two syscalls (i386 syscall numbers) :
#define __NR_vm86old 113
#define __NR_vm86 166
57. The Linux case
#include <sys/vm86.h>
int vm86old(struct vm86_struct *info);
int vm86(unsigned long fn, struct vm86plus_struct *v86);
58. struct vm86_struct {
    struct vm86_regs regs;
    unsigned long flags;
    unsigned long screen_bitmap;
    unsigned long cpu_type;
    struct revectored_struct int_revectored;
    struct revectored_struct int21_revectored;
};
59. The Linux case
linux-2.6.31/arch/x86/include/asm/vm86.h:
struct vm86_regs {
long ebx;
long ecx;
long edx;
long esi;
long edi;
long ebp;
long eax;
(…)
unsigned short es, __esh;
unsigned short ds, __dsh;
unsigned short fs, __fsh;
unsigned short gs, __gsh;
};
60. In a nutshell
- The switch to Virtual mode is handled by the (guest) kernel, so this works inside a VM.
- We can still program using old school interrupts (easy !)
- Those interrupts are delivered to the hardware (id est: either the emulated one, or the real one). Caveat : the kernel only dispatches an INT through the vector table at linear address 0 of the calling process, so the vm86() caller has to supply the IVT and the handler code it points to, as DOS emulators do.
=> We just got a « bare metal (possibly virtualized) hardware interface »
62. The x64 case
x64 CPUs in 64-bit long mode can't switch to virtual-8086 mode.
That's too bad : we'd like to fuzz the latest VMware ESX or Microsoft Hyper-V (necessarily under x64).
But under virtualization, the switch to VM86 mode is handled by the guest kernel...
63. The x64 case
Using kernel patches, we can add VM86 capabilities to an x64 GNU/Linux kernel.
EG: http://v86-64.sourceforge.net to run Dosemu under x64.
What's not possible on real hardware becomes possible under a virtualized environment !
65. Practical use : Fuzzing using vm86()
Looking at the IVT allows us to fuzz all the hardware known after BIOS POST efficiently (no calls to empty/dummy interrupts).
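Putting slides 56-60 and 65 together: before spending vm86() calls on every vector, a fuzzer reads the 1 KiB IVT, drops unset entries and the one "do nothing" IRET stub most vectors share, and builds the real-mode stub it will run for each remaining vector. The C code below is an added example, not part of the slides or of any DOS emulator. It works on a constructed IVT image (the addresses are illustrative, not dumped from a machine) so it runs anywhere; the `vm86()` call itself is left out because it needs a 32-bit kernel and a mapped real-mode address space. Two kernel details are encoded as assumptions from `arch/x86/kernel/vm86_32.c`: `do_int()` refuses to vector into segment 0xF000 and returns `VM86_INTx` to the caller instead, and a privileged instruction the kernel does not emulate (`hlt`) makes `vm86()` return `VM86_UNKNOWN`, which is the cheap way to get control back after the handler's IRET. The `int_revectored` bitmap helpers mirror the 256-bit layout of `struct revectored_struct` on i386.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IVT_VECTORS 256
#define BIOSSEG 0xF000u   /* segment Linux's vm86 do_int() will not jump into (returns VM86_INTx) */

enum ivt_class { IVT_EMPTY, IVT_DUMMY, IVT_BIOSSEG, IVT_LIVE };

struct ivt_entry {
    uint16_t off, seg;
    uint32_t linear;
    enum ivt_class cls;
};

static uint32_t seg_off_linear(uint16_t seg, uint16_t off)
{
    return ((uint32_t)seg << 4) + off;
}

/* Parse the IVT at linear 0: 256 little-endian offset:segment pairs. The target most vectors
 * share is taken to be the BIOS "do nothing" IRET stub; 0000:0000 is unset; everything else is
 * a handler worth calling, with 0xF000 entries flagged because the kernel hands them back. */
static void ivt_parse(const uint8_t ivt[1024], struct ivt_entry out[IVT_VECTORS])
{
    uint32_t best = 0;
    int best_n = 0;
    for (int i = 0; i < IVT_VECTORS; i++) {
        out[i].off = (uint16_t)(ivt[i * 4] | (ivt[i * 4 + 1] << 8));
        out[i].seg = (uint16_t)(ivt[i * 4 + 2] | (ivt[i * 4 + 3] << 8));
        out[i].linear = seg_off_linear(out[i].seg, out[i].off);
    }
    for (int i = 0; i < IVT_VECTORS; i++) {   /* majority vote: O(n^2) is fine for 256 entries */
        if (out[i].linear == 0) continue;
        int n = 0;
        for (int j = 0; j < IVT_VECTORS; j++) n += (out[j].linear == out[i].linear);
        if (n > best_n) { best_n = n; best = out[i].linear; }
    }
    for (int i = 0; i < IVT_VECTORS; i++) {
        if (out[i].linear == 0)                       out[i].cls = IVT_EMPTY;
        else if (best_n > 1 && out[i].linear == best) out[i].cls = IVT_DUMMY;
        else if (out[i].seg == BIOSSEG)               out[i].cls = IVT_BIOSSEG;
        else                                          out[i].cls = IVT_LIVE;
    }
}

static int ivt_count(const struct ivt_entry e[IVT_VECTORS], enum ivt_class cls)
{
    int n = 0;
    for (int i = 0; i < IVT_VECTORS; i++) n += (e[i].cls == cls);
    return n;
}

/* Vectors the fuzzer should spend calls on: neither unset nor the shared dummy stub. */
static size_t ivt_fuzz_targets(const struct ivt_entry e[IVT_VECTORS], uint8_t targets[IVT_VECTORS])
{
    size_t n = 0;
    for (int i = 0; i < IVT_VECTORS; i++)
        if (e[i].cls == IVT_BIOSSEG || e[i].cls == IVT_LIVE) targets[n++] = (uint8_t)i;
    return n;
}

/* Real-mode stub run under vm86(): "int NN ; hlt". The kernel dispatches the INT through the IVT;
 * HLT is privileged and not emulated, so vm86() returns VM86_UNKNOWN with the handler's registers. */
static size_t encode_int_stub(uint8_t vector, uint8_t out[3])
{
    out[0] = 0xCD; out[1] = vector; out[2] = 0xF4;
    return 3;
}

/* int_revectored bitmap (256 bits in 8 words, as on i386): a set bit makes the kernel return
 * VM86_INTx for that vector to the 32-bit caller instead of following the IVT. */
static void revector_set(uint32_t map[8], uint8_t vector) { map[vector / 32] |= 1u << (vector % 32); }
static int  revector_test(const uint32_t map[8], uint8_t vector) { return (map[vector / 32] >> (vector % 32)) & 1u; }

/* Constructed sample IVT (not a real dump): shared IRET stub at F000:FF53, a few BIOS services,
 * a video BIOS at C000h, the INT 1Eh diskette parameter pointer, and two unset vectors. */
static void build_sample_ivt(uint8_t ivt[1024])
{
    static const struct { uint8_t vec; uint16_t seg, off; } v[] = {
        {0x08, 0xF000, 0xFEA5}, {0x09, 0xF000, 0xE987}, {0x10, 0xC000, 0x0120},
        {0x13, 0xF000, 0xEC59}, {0x15, 0xF000, 0xF859}, {0x1A, 0xF000, 0xFE6E},
        {0x1E, 0x0000, 0x0522}, {0x21, 0x0000, 0x0000}, {0x67, 0x0000, 0x0000},
    };
    for (int i = 0; i < IVT_VECTORS; i++) {
        ivt[i * 4] = 0x53; ivt[i * 4 + 1] = 0xFF; ivt[i * 4 + 2] = 0x00; ivt[i * 4 + 3] = 0xF0;
    }
    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        uint8_t *p = ivt + v[i].vec * 4;
        p[0] = v[i].off & 0xFF; p[1] = v[i].off >> 8; p[2] = v[i].seg & 0xFF; p[3] = v[i].seg >> 8;
    }
}

int main(void)
{
    uint8_t ivt[1024], targets[IVT_VECTORS], stub[3];
    struct ivt_entry e[IVT_VECTORS];
    build_sample_ivt(ivt);
    ivt_parse(ivt, e);
    size_t n = ivt_fuzz_targets(e, targets);
    printf("%zu of %d vectors worth fuzzing (%d unset, %d dummy)\n",
           n, IVT_VECTORS, ivt_count(e, IVT_EMPTY), ivt_count(e, IVT_DUMMY));
    for (size_t i = 0; i < n; i++) {
        encode_int_stub(targets[i], stub);
        printf("int 0x%02x -> %04x:%04x%s  stub %02x %02x %02x\n", targets[i], e[targets[i]].seg,
               e[targets[i]].off, e[targets[i]].cls == IVT_BIOSSEG ? " (VM86_INTx to caller)" : "",
               stub[0], stub[1], stub[2]);
    }
    return 0;
}
```

On the sample table 247 vectors share the stub and 2 are unset, so only 7 are worth a register-fuzzing loop; on a real BIOS the ratio is similar, which is the point of slide 65.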