SlideShare a Scribd company logo

Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

Download as PPTX, PDF
Igor Korkin
Igor Korkin

MemoryRanger is a hypervisor-based project, which isolates kernel-mode drivers and their allocated data by running drivers in isolated kernel enclaves. All the details are here - bit.ly/MemoryRanger

Software
1 of 47
DIVIDE ET IMPERA: MEMORY RANGER RUNS DRIVERS IN ISOLATED KERNEL SPACES Igor Korkin, Ph.D
WHOAMI  MEPhI Alumni, PhD in Cyber Security, published 23 papers  Area of interest is Windows Kernel security:  Memory Forensics  Rootkits Detection  Bare-Metal Hypervisors  Fan of academic cross-disciplinary research - igorkorkin.blogspot.com  Love traveling and powerlifting - igor.korkin
AGENDA  Attacking the kernel-mode memory  Existing protection:Windows built-in security and research projects  MemoryRanger hypervisor: idea, details, demos
ATTACKS ON KERNEL MODE MEMORY allocate read / write Windows OS kernel Kernel-mode drivers Allocated Memory Data Allocated Memory Data Allocated Memory Data OS structuresOS structuresOS structures
ATTACKS ON KERNEL MODE MEMORY allocate read / write Malware Windows OS kernel Kernel-mode drivers privilege escalation reverse engineering stealing users data damaging sensor reading Allocated Memory Data Allocated Memory Data Allocated Memory Data OS structuresOS structuresOS structures
TWO HOUSES WITH PRIVATE ART COLLECTIONS Stars by Wassily Kandinsky Girl with Balloon by Banksy Hi all! I am a hacker-attacker! I will inspect these houses to steal and damage painting!
Allocator OS Kernel Structures OS Kernel Code Allocator cmd Driver Driver Driver Allocated Data Allocated Data Attacker DEMO: THE ATTACK
DEMO: THE ATTACK The online version is here – https://www.youtube.com/embed/HNxc-tjy3QA?vq=hd1080
TWO HOUSES WITH PRIVATE ART COLLECTIONS Stars by Wassily Kandinsky Girl with Balloon by Banksy Yo Ho Ho! The both collections are mine! 1 1 1 1 2222
THE ATTACK HAS NOT BEEN PREVENTED Allocator OS Kernel Structures OS Kernel Code Allocator cmd Driver Driver Driver Allocated Data Allocated Data Attacker
BACKGROUND ANALYSIS Memory protection projects Malware attacks on Code of OS & third-party drivers OS data: internal structures Data of third- party drivers Read Write Read Write Read Write Windows Security - BSOD 0xBE by Device Guard - BSOD 0x109 by PatchGuard - - PrivGuard - - - + - - LAKEED + + + + - - LKMG - + + + + + rR^X + + - - - - AllMemPro - - + + + + Memory Ranger + + + + + +
IDEA OF DRIVERS EXECUTION ISOLATION Driver A The same kernel memory space Data A Driver B Data B Now all drivers share the same memory space
IDEA OF DRIVERS EXECUTION ISOLATION Driver A The same kernel memory space Let s execute these two drivers into separate memory enclosures Data A Driver B Data B Driver A Memory enclave only for Driver A Data A Memory enclave only for Driver B Driver B Data B Now all drivers share the same memory space
PROCESSING MEMORY ACCESS: EPT FEATURE Host Physical Address H Guest OS Hypervisor VT-x without EPT = G Guest Physical Address Paging structures V G Guest Virtual Address Host Memory
PROCESSING MEMORY ACCESS: EPT FEATURE Host Physical Address H Guest OS Hypervisor EPT Paging structures VT-x without EPT = EEPT Physical Address Host Physical Address VT-x with EPT G =EPT( )G E Guest Physical Address Paging structures V G Guest Virtual Address Guest Physical Address Paging structures V G Guest Virtual Address H = Host Memory
INSIDE EPT PAGING STRUCTURES. EPT PFN Host Memory Protected Page EPT Paging structures EPT Page Table Entries Memory Access Bits EPT TablesGuest Physical Address Page Frame Number Memory Access Bits Page Frame Number
INSIDE EPT PAGING STRUCTURES. EPT PFN Host Memory Protected Page EPT Paging structures EPT Page Table Entries Memory Access Bits EPT TablesGuest Physical Address Page Frame Number Memory Access Bits Page Frame Number Fake Page
Host Memory Page INSIDE EPT PAGING STRUCTURES. EPT BITS Hypervisor traps all these access attempts Memory Access Bits: • exec = true • read = true • write = true read/write access execute access Host Memory Page Memory Access Bits: • exec = false • read = false • write = false Memory Page Hypervisor does not care Memory Page read/write access execute access
INSIDE EPT PAGING STRUCTURES EPT structures #1 EPT structures #2 EPT structures #3 EPT Pointer Other fields VMCS for hypervisor
APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true OS Kernel Structures exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true
APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true
APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true Default EPT OS Kernel Code exe=true rw=true OS Kernel Structures exe=true rw=true Other Data exe=true rw=true Other Drivers exe=true rw=true EPT pointer
APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true Default EPT OS Kernel Code exe=true rw=true Driver A exe=false rw=false OS Kernel Structures exe=true rw=true Other Data exe=true rw=true EPT for new Driver A OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=false rw=false Other Drivers exe=false rw=false Other Data exe=true rw=true Other Drivers exe=true rw=true EPT pointer
APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true Default EPT OS Kernel Code exe=true rw=true Driver A exe=false rw=false OS Kernel Structures exe=true rw=true Allocated data A exe=false rw=false Other Data exe=true rw=true EPT for new Driver A OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=false rw=false Allocated data A exe=true rw=true Other Drivers exe=false rw=false Other Data exe=true rw=true Other Drivers exe=true rw=true EPT pointer
That will be a great treasure! Ha-ha! Stars by Wassily Kandinsky Girl with Balloon by Banksy No.5 by Jackson Pollock THREE HOUSES WITH PRIVATE ART COLLECTIONS
THREE HOUSES WITH PRIVATE ART COLLECTIONS Stars by Wassily Kandinsky Oh no! I can steal nothing! Girl with Balloon by Banksy No.5 by Jackson Pollock
Allocator OS Kernel Structures OS Kernel Code Allocator Allocator cmd Driver Driver Driver Driver Allocated Data Allocated Data Allocated Data Attacker DEMO: THE ATTACK PREVENTION
DEMO: THE ATTACK PREVENTION The online version is here – https://www.youtube.com/embed/vrm9cgn5DsU?vq=hd1080
DEMO: THE ATTACK PREVENTION Allocator OS Kernel Structures OS Kernel Code MemoryRanger Hypervisor Allocator Allocator cmd Driver Driver Driver Driver Driver Allocated Data Allocated Data Allocated Data Attacker
MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE Kernel- mode drivers Drivers Code ✔ ✔ ✔ ✔ OS kernel ✔ ✔ ✔ ✔
MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE Kernel- mode drivers Drivers Code Allocated Memory Data EPROCESS structures ✔ ✔ ✔ ✔ ✔ ✔ ✔ OS kernel ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE Kernel- mode drivers Drivers Code Allocated Memory Data EPROCESS structures ✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ OS kernel ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of Memory Enclaves List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of Memory Enclaves List of Allocated Memory Pools List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of Memory Enclaves List of Allocated Memory Pools List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded ?
switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
1. Callback - creating a list of protected objects  Add objects’ addresses & sizes to the list  Restrict memory access for objects memory via EPT 2. EPT dispatcher – processing EPT violations for this data  type_of_access – read or write  guest_ip is the ‘source address’  fault_va is the ‘destination address’  Temporary allow access to the data using MTF  Redirect access to the fake data using MTF and EPT.PFN HOW TO PROTECT YOUR DATA IN MEMORY?
1. Callback - creating a list of protected objects  Add objects’ addresses & sizes to the list  Restrict memory access for objects memory via EPT 2. EPT dispatcher – processing EPT violations for this data  type_of_access – read or write  guest_ip is the ‘source address’  fault_va is the ‘destination address’  Temporary allow access to the data using MTF  Redirect access to the fake data using MTF and EPT.PFN HOW TO PROTECT YOUR DATA IN MEMORY?
Driver Allocated Memory Reads/Writes 70±2 100.000±4.000 500.000±10.000 170.000±7.000 0 1 2 3 4 5 Enabled Cache Disabled Cache AllMemPro MemoryRanger x100000 MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME * AllMemPro details - http://bit.ly/AllMemPro *
 Kernel-mode memory is out of control  MemoryRanger isolates drivers execution by using a specific EPT structure for each driver  MemoryRanger seems to prevent Spectre and Meltdown CPU attacks: research is ongoing BLACK HAT SOUND BYTES OR CONCLUSION
Dīvide et Imperā* from Latin divide and rule * Cartledge, P. (2013). Sparta and Lakonia: A regional history 1300-362 BC. Routledge.
Thank you! Igor Korkin igor.korkin@gmail.com All the details & my CV are here igorkorkin.blogspot.com

Recommended

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...Igor Korkin
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainIgor Korkin
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainIgor Korkin
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 

Recommended

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelMemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows KernelIgor Korkin
 
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...
Hypervisor-Based Active Data Protection for Integrity and Confidentiality of ...Igor Korkin
 
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainKernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue AgainIgor Korkin
 
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessDetect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory AccessIgor Korkin
 
Applying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionApplying Memory Forensics to Rootkit Detection
Applying Memory Forensics to Rootkit DetectionIgor Korkin
 
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t...Igor Korkin
 
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainProtected Process Light will be Protected – MemoryRanger Fills the Gap Again
Protected Process Light will be Protected – MemoryRanger Fills the Gap AgainIgor Korkin
 
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluc...Igor Korkin
 
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsNullbyte Security Conference
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNoSuchCon
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtFelipe Prado
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
Tisa mobile forensic
Tisa mobile forensicTisa mobile forensic
Tisa mobile forensicPrathan Phongthiproek
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5Brent Muir
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 
Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Learning AOSP - Building AOSP for Nexus 7
Learning AOSP - Building AOSP for Nexus 7Learning AOSP - Building AOSP for Nexus 7
Learning AOSP - Building AOSP for Nexus 7Nanik Tolaram
 

More Related Content

What's hot

Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsNullbyte Security Conference
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNoSuchCon
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devicesNikos Gkogkos
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtFelipe Prado
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & futureAlex Matrosov
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNCERT
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...Felipe Prado
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageMohamed Khaled
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5Brent Muir
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without AntivirusEnergySec
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolBrent Muir
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testingSanthosh Kumar
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsMoe Tanabian
 

What's hot (20)

Windows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objectsWindows Internals: fuzzing, hijacking and weaponizing kernel objects
Windows Internals: fuzzing, hijacking and weaponizing kernel objects
 
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected ProcessesNSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
NSC #2 - D3 05 - Alex Ionescu- Breaking Protected Processes
 
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...
 
Live Memory Forensics on Android devices
Live Memory Forensics on Android devicesLive Memory Forensics on Android devices
Live Memory Forensics on Android devices
 
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
44CON London 2015 - 15-Minute Linux Incident Response Live Analysis
 
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo shtDEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
DEF CON 27 - MICHAEL LEIBOWITZ and TOPHER TIMZEN - edr is coming hide yo sht
 
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
44CON London 2015 - Windows 10: 2 Steps Forward, 1 Step Back
 
Bootkits: past, present & future
Bootkits: past, present & futureBootkits: past, present & future
Bootkits: past, present & future
 
MNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensicsMNSEC 2018 - Windows forensics
MNSEC 2018 - Windows forensics
 
Tisa mobile forensic
Tisa mobile forensicTisa mobile forensic
Tisa mobile forensic
 
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
DEF CON 27 - HUBER AND ROSKOSCH - im on your phone listening attacking voip c...
 
Android forensics an Custom Recovery Image
Android forensics an Custom Recovery ImageAndroid forensics an Custom Recovery Image
Android forensics an Custom Recovery Image
 
SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5SanDisk SecureAccess Encryption 1.5
SanDisk SecureAccess Encryption 1.5
 
Fighting Malware Without Antivirus
Fighting Malware Without AntivirusFighting Malware Without Antivirus
Fighting Malware Without Antivirus
 
44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software44CON 2014 - Breaking AV Software
44CON 2014 - Breaking AV Software
 
WinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage ToolWinFE: The (Almost) Perfect Triage Tool
WinFE: The (Almost) Perfect Triage Tool
 
Android– forensics and security testing
Android– forensics and security testingAndroid– forensics and security testing
Android– forensics and security testing
 
How to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew SuarezHow to Make Android's Bootable Recovery Work For You by Drew Suarez
How to Make Android's Bootable Recovery Work For You by Drew Suarez
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Android Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android AppsAndroid Forensics: Exploring Android Internals and Android Apps
Android Forensics: Exploring Android Internals and Android Apps
 

Similar to Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinESET
 
Learning AOSP - Building AOSP for Nexus 7
Learning AOSP - Building AOSP for Nexus 7Learning AOSP - Building AOSP for Nexus 7
Learning AOSP - Building AOSP for Nexus 7Nanik Tolaram
 
Persistent Memory Development Kit (PMDK) Essentials: Part 1
Persistent Memory Development Kit (PMDK) Essentials: Part 1Persistent Memory Development Kit (PMDK) Essentials: Part 1
Persistent Memory Development Kit (PMDK) Essentials: Part 1Intel® Software
 
Persistent Memory Development Kit (PMDK) Essentials: Part 2
Persistent Memory Development Kit (PMDK) Essentials: Part 2Persistent Memory Development Kit (PMDK) Essentials: Part 2
Persistent Memory Development Kit (PMDK) Essentials: Part 2Intel® Software
 
Memory forensics
Memory forensicsMemory forensics
Memory forensicsSunil Kumar
 
Windows Embedded in the Real World
Windows Embedded in the Real WorldWindows Embedded in the Real World
Windows Embedded in the Real Worldukdpe
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosurech0psticks
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareCylance
 
Windows container security
Windows container securityWindows container security
Windows container securityDocker, Inc.
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenBitdefender Enterprise
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminarguest5b5549
 
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Igor Korkin
 
Redis — memcached on steroids
Redis — memcached on steroidsRedis — memcached on steroids
Redis — memcached on steroidsRobert Lehmann
 
S4 xen hypervisor_20080622
S4 xen hypervisor_20080622S4 xen hypervisor_20080622
S4 xen hypervisor_20080622Todd Deshane
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 

Similar to Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces (20)

Bootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus BulletinBootkits: Past, Present & Future - Virus Bulletin
Bootkits: Past, Present & Future - Virus Bulletin
 
Learning AOSP - Building AOSP for Nexus 7
Learning AOSP - Building AOSP for Nexus 7Learning AOSP - Building AOSP for Nexus 7
Learning AOSP - Building AOSP for Nexus 7
 
Persistent Memory Development Kit (PMDK) Essentials: Part 1
Persistent Memory Development Kit (PMDK) Essentials: Part 1Persistent Memory Development Kit (PMDK) Essentials: Part 1
Persistent Memory Development Kit (PMDK) Essentials: Part 1
 
Persistent Memory Development Kit (PMDK) Essentials: Part 2
Persistent Memory Development Kit (PMDK) Essentials: Part 2Persistent Memory Development Kit (PMDK) Essentials: Part 2
Persistent Memory Development Kit (PMDK) Essentials: Part 2
 
Memory forensics
Memory forensicsMemory forensics
Memory forensics
 
Windows Embedded in the Real World
Windows Embedded in the Real WorldWindows Embedded in the Real World
Windows Embedded in the Real World
 
Readactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory DisclosureReadactor-Practical Code Randomization Resilient to Memory Disclosure
Readactor-Practical Code Randomization Resilient to Memory Disclosure
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis Problem
 
You're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security SoftwareYou're Off the Hook: Blinding Security Software
You're Off the Hook: Blinding Security Software
 
Jnode
JnodeJnode
Jnode
 
Windows container security
Windows container securityWindows container security
Windows container security
 
WinCE
WinCEWinCE
WinCE
 
Zero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xenZero footprint guest memory introspection from xen
Zero footprint guest memory introspection from xen
 
You suck at Memory Analysis
You suck at Memory AnalysisYou suck at Memory Analysis
You suck at Memory Analysis
 
Virtual Pc Seminar
Virtual Pc SeminarVirtual Pc Seminar
Virtual Pc Seminar
 
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ...
 
Redis — memcached on steroids
Redis — memcached on steroidsRedis — memcached on steroids
Redis — memcached on steroids
 
S4 xen hypervisor_20080622
S4 xen hypervisor_20080622S4 xen hypervisor_20080622
S4 xen hypervisor_20080622
 
Hardware course
Hardware courseHardware course
Hardware course
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 

Recently uploaded

The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfPower Karaoke
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software DevelopersVinodh Ram
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...soniya singh
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...stazi3110
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...ICS
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comFatema Valibhai
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideChristina Lin
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantAxelRicardoTrocheRiq
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyFrank van der Linden
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfjoe51371421
 

Recently uploaded (20)

The Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdfThe Evolution of Karaoke From Analog to App.pdf
The Evolution of Karaoke From Analog to App.pdf
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Professional Resume Template for Software Developers
Professional Resume Template for Software DevelopersProfessional Resume Template for Software Developers
Professional Resume Template for Software Developers
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
Russian Call Girls in Karol Bagh Aasnvi ➡️ 8264348440 💋📞 Independent Escort S...
 
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
Building a General PDE Solving Framework with Symbolic-Numeric Scientific Mac...
 
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
The Real-World Challenges of Medical Device Cybersecurity- Mitigating Vulnera...
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
HR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.comHR Software Buyers Guide in 2024 - HRSoftware.com
HR Software Buyers Guide in 2024 - HRSoftware.com
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop SlideBuilding Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
Building Real-Time Data Pipelines: Stream & Batch Processing workshop Slide
 
Salesforce Certified Field Service Consultant
Salesforce Certified Field Service ConsultantSalesforce Certified Field Service Consultant
Salesforce Certified Field Service Consultant
 
Engage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The UglyEngage Usergroup 2024 - The Good The Bad_The Ugly
Engage Usergroup 2024 - The Good The Bad_The Ugly
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
why an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdfwhy an Opensea Clone Script might be your perfect match.pdf
why an Opensea Clone Script might be your perfect match.pdf
 

Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces

  • 1. DIVIDE ET IMPERA: MEMORY RANGER RUNS DRIVERS IN ISOLATED KERNEL SPACES Igor Korkin, Ph.D
  • 2. WHOAMI  MEPhI Alumni, PhD in Cyber Security, published 23 papers  Area of interest is Windows Kernel security:  Memory Forensics  Rootkits Detection  Bare-Metal Hypervisors  Fan of academic cross-disciplinary research - igorkorkin.blogspot.com  Love traveling and powerlifting - igor.korkin
  • 3. AGENDA  Attacking the kernel-mode memory  Existing protection:Windows built-in security and research projects  MemoryRanger hypervisor: idea, details, demos
  • 4. ATTACKS ON KERNEL MODE MEMORY allocate read / write Windows OS kernel Kernel-mode drivers Allocated Memory Data Allocated Memory Data Allocated Memory Data OS structuresOS structuresOS structures
  • 5. ATTACKS ON KERNEL MODE MEMORY allocate read / write Malware Windows OS kernel Kernel-mode drivers privilege escalation reverse engineering stealing users data damaging sensor reading Allocated Memory Data Allocated Memory Data Allocated Memory Data OS structuresOS structuresOS structures
  • 6. TWO HOUSES WITH PRIVATE ART COLLECTIONS Stars by Wassily Kandinsky Girl with Balloon by Banksy Hi all! I am a hacker-attacker! I will inspect these houses to steal and damage painting!
  • 8. DEMO: THE ATTACK The online version is here – https://www.youtube.com/embed/HNxc-tjy3QA?vq=hd1080
  • 9. TWO HOUSES WITH PRIVATE ART COLLECTIONS Stars by Wassily Kandinsky Girl with Balloon by Banksy Yo Ho Ho! The both collections are mine! 1 1 1 1 2222
  • 10. THE ATTACK HAS NOT BEEN PREVENTED Allocator OS Kernel Structures OS Kernel Code Allocator cmd Driver Driver Driver Allocated Data Allocated Data Attacker
  • 11. BACKGROUND ANALYSIS Memory protection projects Malware attacks on Code of OS & third-party drivers OS data: internal structures Data of third- party drivers Read Write Read Write Read Write Windows Security - BSOD 0xBE by Device Guard - BSOD 0x109 by PatchGuard - - PrivGuard - - - + - - LAKEED + + + + - - LKMG - + + + + + rR^X + + - - - - AllMemPro - - + + + + Memory Ranger + + + + + +
  • 12. IDEA OF DRIVERS EXECUTION ISOLATION Driver A The same kernel memory space Data A Driver B Data B Now all drivers share the same memory space
  • 13. IDEA OF DRIVERS EXECUTION ISOLATION Driver A The same kernel memory space Let s execute these two drivers into separate memory enclosures Data A Driver B Data B Driver A Memory enclave only for Driver A Data A Memory enclave only for Driver B Driver B Data B Now all drivers share the same memory space
  • 14. PROCESSING MEMORY ACCESS: EPT FEATURE Host Physical Address H Guest OS Hypervisor VT-x without EPT = G Guest Physical Address Paging structures V G Guest Virtual Address Host Memory
  • 15. PROCESSING MEMORY ACCESS: EPT FEATURE Host Physical Address H Guest OS Hypervisor EPT Paging structures VT-x without EPT = EEPT Physical Address Host Physical Address VT-x with EPT G =EPT( )G E Guest Physical Address Paging structures V G Guest Virtual Address Guest Physical Address Paging structures V G Guest Virtual Address H = Host Memory
  • 16. INSIDE EPT PAGING STRUCTURES. EPT PFN Host Memory Protected Page EPT Paging structures EPT Page Table Entries Memory Access Bits EPT TablesGuest Physical Address Page Frame Number Memory Access Bits Page Frame Number
  • 17. INSIDE EPT PAGING STRUCTURES. EPT PFN Host Memory Protected Page EPT Paging structures EPT Page Table Entries Memory Access Bits EPT TablesGuest Physical Address Page Frame Number Memory Access Bits Page Frame Number Fake Page
  • 18. Host Memory Page INSIDE EPT PAGING STRUCTURES. EPT BITS Hypervisor traps all these access attempts Memory Access Bits: • exec = true • read = true • write = true read/write access execute access Host Memory Page Memory Access Bits: • exec = false • read = false • write = false Memory Page Hypervisor does not care Memory Page read/write access execute access
  • 19. INSIDE EPT PAGING STRUCTURES EPT structures #1 EPT structures #2 EPT structures #3 EPT Pointer Other fields VMCS for hypervisor
  • 20. APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true OS Kernel Structures exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true
  • 21. APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true
  • 22. APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true Default EPT OS Kernel Code exe=true rw=true OS Kernel Structures exe=true rw=true Other Data exe=true rw=true Other Drivers exe=true rw=true EPT pointer
  • 23. APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true Default EPT OS Kernel Code exe=true rw=true Driver A exe=false rw=false OS Kernel Structures exe=true rw=true Other Data exe=true rw=true EPT for new Driver A OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=false rw=false Other Drivers exe=false rw=false Other Data exe=true rw=true Other Drivers exe=true rw=true EPT pointer
  • 24. APPLYING EPT FOR DRIVERS ISOLATION Current Situation OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=true rw=true Allocated data A exe=true rw=true Other Drivers exe=true rw=true Other Data exe=true rw=true Default EPT OS Kernel Code exe=true rw=true Driver A exe=false rw=false OS Kernel Structures exe=true rw=true Allocated data A exe=false rw=false Other Data exe=true rw=true EPT for new Driver A OS Kernel Code exe=true rw=true Driver A exe=true rw=true OS Kernel Structures exe=false rw=false Allocated data A exe=true rw=true Other Drivers exe=false rw=false Other Data exe=true rw=true Other Drivers exe=true rw=true EPT pointer
  • 25. That will be a great treasure! Ha-ha! Stars by Wassily Kandinsky Girl with Balloon by Banksy No.5 by Jackson Pollock THREE HOUSES WITH PRIVATE ART COLLECTIONS
  • 26. THREE HOUSES WITH PRIVATE ART COLLECTIONS Stars by Wassily Kandinsky Oh no! I can steal nothing! Girl with Balloon by Banksy No.5 by Jackson Pollock
  • 27. Allocator OS Kernel Structures OS Kernel Code Allocator Allocator cmd Driver Driver Driver Driver Allocated Data Allocated Data Allocated Data Attacker DEMO: THE ATTACK PREVENTION
  • 28. DEMO: THE ATTACK PREVENTION The online version is here – https://www.youtube.com/embed/vrm9cgn5DsU?vq=hd1080
  • 29. DEMO: THE ATTACK PREVENTION Allocator OS Kernel Structures OS Kernel Code MemoryRanger Hypervisor Allocator Allocator cmd Driver Driver Driver Driver Driver Allocated Data Allocated Data Allocated Data Attacker
  • 30. MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE Kernel- mode drivers Drivers Code ✔ ✔ ✔ ✔ OS kernel ✔ ✔ ✔ ✔
  • 31. MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE Kernel- mode drivers Drivers Code Allocated Memory Data EPROCESS structures ✔ ✔ ✔ ✔ ✔ ✔ ✔ OS kernel ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
  • 32. MEMORY RANGER: PRINCIPLE OF LEAST PRIVILEGE Kernel- mode drivers Drivers Code Allocated Memory Data EPROCESS structures ✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ ✔ ❌ ❌ ❌ ❌ OS kernel ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
  • 33. MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
  • 34. MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
  • 35. MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of Memory Enclaves List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
  • 36. MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of Memory Enclaves List of Allocated Memory Pools List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded
  • 37. MemoryMonRWX* DdiMon* Memory Access Policy EPT violations: read, write, exec Process is created Memory is allocated * by Satoshi Tanda, @standa_t, https://github.com/tandasat List of Memory Enclaves List of Allocated Memory Pools List of EPROCESSES Information MEMORY RANGER ARCHITECTURE: THREE PARTS Driver is loaded ?
  • 38. switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
  • 39. switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
  • 40. switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
  • 41. switch (exit_reason){ case (execute_violation): change_ept(); break; case (read_violation|| write_violation): if (access_legal()==false){ set_pte(pfn, read|write, fake_page); set_monitor_trap_flag(); break; } case (monitor_trap_flag): set_pte(pfn, no_access, original_page); clear_monitor_trap_flag(); break; } MEMORY RANGER DISPATCHER (SIMPLIFIED)
  • 42. 1. Callback - creating a list of protected objects  Add objects’ addresses & sizes to the list  Restrict memory access for objects memory via EPT 2. EPT dispatcher – processing EPT violations for this data  type_of_access – read or write  guest_ip is the ‘source address’  fault_va is the ‘destination address’  Temporary allow access to the data using MTF  Redirect access to the fake data using MTF and EPT.PFN HOW TO PROTECT YOUR DATA IN MEMORY?
  • 43. 1. Callback - creating a list of protected objects  Add objects’ addresses & sizes to the list  Restrict memory access for objects memory via EPT 2. EPT dispatcher – processing EPT violations for this data  type_of_access – read or write  guest_ip is the ‘source address’  fault_va is the ‘destination address’  Temporary allow access to the data using MTF  Redirect access to the fake data using MTF and EPT.PFN HOW TO PROTECT YOUR DATA IN MEMORY?
  • 44. Driver Allocated Memory Reads/Writes 70±2 100.000±4.000 500.000±10.000 170.000±7.000 0 1 2 3 4 5 Enabled Cache Disabled Cache AllMemPro MemoryRanger x100000 MEMORY RANGER BENCHMARKS: MEMORY ACCESS TIME * AllMemPro details - http://bit.ly/AllMemPro *
  • 45.  Kernel-mode memory is out of control  MemoryRanger isolates drivers execution by using a specific EPT structure for each driver  MemoryRanger seems to prevent Spectre and Meltdown CPU attacks: research is ongoing BLACK HAT SOUND BYTES OR CONCLUSION
  • 46. Dīvide et Imperā* from Latin divide and rule * Cartledge, P. (2013). Sparta and Lakonia: A regional history 1300-362 BC. Routledge.
  • 47. Thank you! Igor Korkin igor.korkin@gmail.com All the details & my CV are here igorkorkin.blogspot.com

Editor's Notes

  1. Hi! I’m Igor! Today I’d like to show, to present you my MemoryRanger, which can isolate drivers code and allocated data from illegal access in the kernel memory. This topic is of critical importance for all security experts who are dealing with protection of operating systems.
  2. A few words about mé. I earned my PhD 7 years ago. My area of expertise includes Windows Kernel security, rootkits detection and hypervísors /ˈhaɪpə(r)ˌvaɪzə(r)z /. I carry out research projects by my own as a hobby. I’m a fan of cross-disciplinary research. You can find my results in my blog. By the way I am fond of travelling and powerlifting as well.
  3. I have divided my talk into three main parts. First we’ll be looking at the consequences of attacks on kernel memory. After thát, I’ll give you a brief analysis of Windows built-ín security features and research projects, which are designed to protect kernel memory. Finally, I’ll show you how I solve this problem using my MemoryRanger. Feel frée to ask me any questions at the end of the talk.
  4. Nowadays kernel-mode drivers share the same memory space with the rest of the OS kernel. All drivers can read and write any part of kernel-mode memory without any hardware restrictions; this fact makes the modern operating systems to be prone to rootkit attacks and kernel exploitation.
  5. Malware driver can dump the drivers’ code and tamper allocated memory, for example, Windows Internal structures and allocated data of the third party drivers. As a result, hackers can èscalàte privileges, hide their footprints, steal users’ secrets, or even disrupt industrial systems, which are controlled by drivers. Let me demonstrate you some of these attacks.
  6. Let’s imagine two houses with private art collections: Russian house and a British one. In the Russian house we can see the panting of Wassily Kandinksy, you know he was a great Russian painter. The Banksy’s art is in the British house. I hope everyone is familiar with Banksy’s painting. And here is the “hacker-attacker”, who wants to grab all these masterpieces. If these houses are not protected the both private collections will be stolen. In the kernel-mode memory, the situation is absolutely the same.
  7. If drivers are not protected the data can be stolen. Let’s see how it can happen. I will load two drivers. The Russian driver and a British one, which store their data in the allocated memory pools. After that, the attacker’s driver will be loaded to dump the drivers’ code and steal both Russian and British data buffers. And finally, I will show you how the attacker can even escalate process privileges. Let’s see how it can happen.
  8. I am launching a Russian console /kənˈsəʊl/, which loads a Russian driver. In the same way, I am loading a British driver. Finally, the hacker-attacker is launching its driver to access kernel memory. Now, the attacker is trying to dump the Russian driver using its loaded address. Look, the attacker is successfully reading the first byte, which is M and the second one is Z. What about the British driver? Hackers are reading the first two bytes without any problems as well. We can see that the code of both drivers can be stolen. Let’s move on to the private data, which can be stored in the allocated memory. The Russian driver is allocating data and setting it content as “Wassily Kandinsky”. Let’s check “Kandinsky”. Fine. The data has been allocated. The British driver is allocating memory and setting Banksy as its content. Let’s check Banksy. It’s all right. Now the attacker wants to steal these “priceless” data content. To steal Kandinsky, hackers need to know the corresponding memory address. Let’s assume they do know this address. Usually hackers do know everything. So the attacker can read this data, and overwrite it. Here we have only four ones instead. We can see that the attacker did modify the data. Now, the attacker is entering the British house to steal Banksy’s art. After overwriting we have only four twos instead. Banksy collection has disappeared. Both data buffers were stolen and modified.
  9. Hacker-attacker has successfully stolen both private collections. It means that our houses were not protected in a proper way. What was wrong? How can we defend them? We will see it later. And now let’s go back to demo to see how the attacker can even escalate process privileges. The attacker is starting the CMD. After launching it, he is getting its process ID. Done. He is copying its PID. We can see that the CMD has users’ privileges and it is not enough to reconfigure the Windows Firewall, which is expected. Now the attacker is trying to elevate the CMD privileges. He is using PRIV command with process ID. Checking the privileges again. The privileges have been escalated. Now the CMD has the highest privileges and now CMD can reconfigure the Windows Firewall service and even can turn it off. We can see only a small message, which confirms that the Firewall is out of service and it cannot be automatically restarted. This is very good news for hackers. But let’s wait for PatchGuard reaction, which is designed to prevent illegal memory modifications. We’ve been waiting for 10 hours it is quite a long time and nothing has happened. The OS has not been crushed. It means that PatchGuard didn’t prevent the invasion and the OS became infected.
  10. So, we can see that Windows Kernel cannot prevent illegal memory access. The attacker can read the driver’s code, steal and change allocated data and even escalate process privileges without any security reaction, such as a Blue Screen of Death. Let’s have a look at the current situation with memory protection projects.
  11. Look at this table. Microsoft has developed a number of security features for memory protection. The first one is “Device Guard”, which provides kernel code integrity by marking executable pages as “read-only” . So any modifications of the code will crash the system. Not bád. The second one is “PatchGuard”, which crashes the OS after revealing some changes of internal structures, for example EPROCESS unlinking. But you’ve just seen that PatchGuard does not protect EPROCESS structures completely. Finally, Windows Security does not protect memory allocated by the third party drivers. Many security experts from all around the world are trying to fill /fɪl/ this gap. There are several research projects, which are designed for memory protection. And you can see that there is no general solution, which can deal with all these issues at the same time. Today I will propose the solution. I’ll present you my MemoryRanger, which provides both integrity and con-fiden-tiality for drivers code and allocated data. 
  12. Look at this. Nowadays kernel mode drivers share the same memory space with the rest of the kernel.
  13. If we can move these two drivers with their allocations into two separate memory enclosures, we will protect their memory from each other. The thing is that Windows OS doesn’t give us such an opportunity.
  14. Luckily for us, hardware virtualization technology provides the mechanism, which can be used to implement the idea of memory ísolátion /ˌaɪsəˈleɪʃ(ə)n/. I mean Extended Page Tables or EPT feature. Without EPT guest physical addrésses are used to access the host physical memory. Address H is equal to the address G.
  15. Using EPT we get an additional or second level of address translation. When EPT is enabled, guest physical addresses are translated to host physical addrésses by traversing a set of EPT paging structures. Now, address H is equal to the address E, not to G. Let’s have a look at EèePèeTèe details.
  16. EPT structures include EPT entries, which determine the mapping between the guest memory and the host memory. Each EPT entry includes memory access bits and page frame number.
  17. This number is linked to the corresponding host physical address. It can be used to prevent access to the protected data. We can rédiréct / riːdʌɪrɛkt, / the access from the protected data to the fàke one by changing PFN value to the addréss of fake page.
  18. Memory access bits indicate whether access attempts are allowed to the page referenced by this entry. Any dìsallowed access attempts will trigger EPT violations, and then control goes to the hypervisor. So we can trap read- write and execute- access to the page by changing these memory access bits.
  19. Another interesting feature is that we can allocate several EPT paging structures with various memory access configurations. By switching between them, we can organize drivers’ execution in ìsolated enclaves. EPT feature seems to be very promising for the memory isolation /ˌaɪsəˈleɪʃ(ə)n/. Let me show you how all these ideas are implemented in my Memory Ranger.
  20. I explored the following scenario. The OS kernel and other drivers are loaded into the memory and access their data. We have two legal access attempts, which are marked by green arrows.
  21. As the Driver A is loaded, it allocates memory and áccesses this newly allocated data. All in all we have three legal access attempts, which are marked by green. Red lines indicate the following illegal access attempts. Driver A modifies the OS internal structures. Other Drivers read the memory of Driver A and try to overwrite its allocated data. As you remember that all drivers share at the same memory space, all these illegal access attempts are becoming uncontrolled.
  22. Let’s roll back and launch MemoryRanger to isolate Driver A from the rest of the OS kernel. First of all, my MemoryRanger allocates the default EPT structure. All loaded drivers and Windows Kernel are executed inside the default EPT structure.
  23. MemoryRanger traps the loading of Driver A and allocates a new EPT structure for Driver A. Memory Ranger updates all EPT structures in the following way. Only Driver A and OS kernel are executed inside new EPT. In the new EPT structure, memory access bits have been cleared to 0 for OS structures to restrict access from Driver A. In the default EPT structure, memory access bits for the driver A have been cleared as well.
  24. After driver A allocates memory data, my Memory Ranger updates all EPT structures again. As a result, any access from other drivers to the driver A and its allocated memory will be trapped and blocked. Also, all áccess to the OS structures is forbidden for the Driver A. In the same way, Memory Ranger allocates a separate EPT structure for each new driver and updates all other EPT structures. This is the main idea. Let’s move on to the demonstration.
  25. Let’s add one more treasure house to our criminal story, let it be American house full of Jackson Pollock paintings. Now we have three houses with three private art collections. The attacker is more motivated.  To protect these houses we need to build at least a fence.
  26. It helps to prevent attacker’s access and isolates three houses from each other as well.
  27. In the kernel mode, the drivers memory will be isolated in the same way. I will load three drivers. We call them Russian, British and American. All these drivers store their data in the allocated memory pools. After that, I will launch a malware driver in order to steal and modify these data buffers as well as dumping the drivers’ code. Finally, a malware driver will try to èscalàte process privileges. Let’s have a look what will happen if I launch MemoryRanger befo-o-re.
  28. First of all, I am launching Memory Ranger console application. It loads the driver and activates the hypervisor. Then, I am launching three drivers: Russian, British, and American. Finally, the hacker-attacker is launching its driver. The attacker wants to dump the Russian driver first. He copies its address and we can see, that the attacker can read zero value. What about the next byte? He has a zero value as well. So the attacker fails to dump this driver. Now let’s read the drivers’ content using the driver itself. Now we have M and Z value. We can see that Memory Ranger can protect the content of the Russian driver. Now the attacker is entering the British house. He is going to dump British driver. He is copying its address and trying to read its content. So he gets a zero value again. MemoryRanger is foisting the fake null data to the attacker instead of the real one. Let’s try to access the British driver using the British driver itself. Now we are reading MZ bytes. It means that MemoryRanger can prevent unauthorized access attempts and grants the legal access.  And now let’s check if the American driver can read the content of the British driver. We have zero value again. <MSC>Memory Ranger isolates drivers from each other</MSC>. Let’s move on to the private data, which can be stored in the allocated memory. For the Russian driver I am allocating “Wassily Kandinsky”. Now, let’s check the allocation. Wassily Kandinsky. For the British driver I am allocating “Banksy”. Now, let’s check the allocation. Banksy. And finally for the American driver I am allocating the data and setting “Jackson Pollock”. Now, let’s check this allocation. Jackson Pollock. Now the attacker wants to steal all these treasures. Let’s see if he does manage that. He is starting with Russian house and Kandinsky art. He copies its address and tries to read. The attacker can read only a null string. He is trying to overwrite this data. It’s time to check if the Kandinsky has been modified. We go back to the Russian driver and check the allocation. Memory Ranger is protecting this data. Hackers failed to steal and modify Kandinsky. Now the attacker is entering the British house to steal Banksy. He is coping its address. And we can see that the attacker have read nothing again. He is trying to overwrite this data. Now, we go back to the British app and check Banksy collection. We can see that the MemoryRanger is protecting Banksy as well. And now let’s check if the American driver can access Banksy’s data. As you can see the American driver can read nothing. It is trying to overwrite the data. No results. Memory Ranger is ísoláting drivers allocation from each other as well. We can change the data only by the driver, which allocates thís véry dáta. Let’s check it. Let’s replace “Wassily Kandinsky” with “Ivan Aivazovsky”. The allocated buffer has been updated in a legal way. MemoryRanger is protecting even allocated data. Let’s start CMD to test privilege escalation attack. The attacker is launching CMD, getting its process ID, and checking its privileges. As we expected CMD has users’ privileges and cannot reconfigure the Windows Firewall. The attacker is trying to elevate the CMD privileges. The attacker is using PRIV command with process ID to escalate privileges. Let’s check the privileges. Cmd has still users’ privileges and cannot reconfigure the Windows Firewall service. It means that attacker has failed. CMD is not able stop the Windows Firewall service. The OS is protected.
  29. So you have just seen that MemoryRanger prevents illegal memory access by running drivers into ísoláted kernel spaces or enclosures /ɪnˈkləʊʒə(r)z/. Let’s have a look at memory access rules which are provided by MemoryRanger.
  30. Memory Ranger protects memory according to the principle of least privilege. Newly loaded drivers can access only their own code.
  31. The read and write access to the data is granted only to the drivers, which allocate these data buffers. All other memory access attempts are blocked.
  32. Memory Ranger protects drivers’ code from being dumped, it prevents read and write access to the allocated data, and finally, it prevents a privilege escalation attack. Let’s move on the Memory Ranger architecture.
  33. This MemoryRanger includes the following three parts: MemoryMonRWX, DdiMon and Memory Access Policy. The first two parts were developed by Satoshi Tanda, during our collaboration. MemoryMonRWX processes the loading a new drivers and processes as well as all EPT violations, while DdiMon installs the invisible hooks on kernel functions, which allocate and deallocate /diː/ memory. I developed Memory Access Policy, which is a kind of brain for the first two parts.
  34. For each newly loaded process, MemoryRanger adds the following structure to the list. This structure includes process ID and the address of its EPROCESS structure.
  35. For each newly loaded driver MemoryRanger adds the following structure to the list. This structure includes an address of allocated EPT structure for this driver, as well as drivers start and end addresses, and the vector to collect memory addresses, which will be allocated by this driver.
  36. Each time the driver allocates memory data MemoryRanger adds the following information to the list. This structure includes the address and size of newly allocated data.
  37. Memory Access Policy manages all these lists and decides to grant memory access or to deny it.
  38. To put it in a nutshell the MemoryRanger dispatcher is here. It processes three EPT violations and one VM exit.
  39. For éxecúte violation MemoryRanger changes pointer to the appropriate EPT structure, so the kernel-mode code continues its execution into the corresponding EPT structure.
  40.  For read and write violations MemoryRanger checks whether this access is legal. For an illegal access, the MemoryRanger changes PFN value of the protected page to the fake one, and allows /əˈlaʊz/ access to this fake data. Finally, it sets Monitor Trap Flag. As a result, after a driver reads the fake data the control goes to the hypervisor again.
  41. Now MemoryRanger restores PFN value to the protected page and blocks any access to this page. Finally, it resets the Monitor Trap Flag.
  42. Here are the steps how to add a new data to be protected by my Memory Ranger. First of all you need to create a list of addresses and sizes of memory regions, which need to be protected and clear access bits to restrict the access. Do not forget to update this list, for example using callback function.
  43. Then dispatch EPT violations, which occur during access to your data. To process all violations you have three input parameters: type of access, address of module, which tries to access and finally the address of data, which has been accessed. You can only monitor the access attempts as well as redirect them.
  44. Now let’s move final step, which is the benchmark assessment.  I measure the time of legal access from driver to the allocated data in four situations. Without memory protection with enabled cache, with disabled cache, and with two memory protectors: AllMemPro and MemoryRanger. AllMemPro or Allocated Memory Protector is the closest competitor for MemoryRanger, which I developed a year ago. AllMemPro uses only one EPT structure to prevent illegal access to the allocated memory. I can conclude that MemoryRanger is a bit slower than access to the memory with disabled cache and it three times faster than the closest competitor.
  45. We are close to the end of our dramatic story. Let me recap very briefly on what I have presented and what you learn. First of all, I’ve demonstrated that drivers can access kernel-mode memory without any security reaction. Then, I’ve presented MemoryRanger, which can prevent unauthorized memory access by running drivers in isolated enclaves. Finally, I’d like to highlight one important thing. MemoryRanger seems to prevent the recent side-channel attacks. If anyone has a proof-of-concepts of Meltdown or Spectre, please send it to me.
  46. I’d just like to conclude with old Làtin expression. It is on the screen. I believe it is applicable not only for ancient Sparta but also for kernel-mode drivers in newest Windows.
  47. Thank you!