The document discusses different approaches used by operating systems to detect hardware components during system boot. It describes methods like hardcoding details, using static configuration, device trees, and dynamic configuration via ACPI and bus-based detection. ACPI is covered in depth, including its components, tables, and complexity. Platform and PCI devices are also briefly explained.
This Presentation Speaks about Compiling Linux Kernel from source, How Device Drivers are implemented in Linux,Udev,Loading and Unloading of Kernel modules.
Shreyas MM
www.shreyasmm.com
This presentation gives an overview of Linux kernel block I/O susbsystem functionality, importance of I/O schedulers in Block layer. It also describes the different types of I/O Schedulers including the Deadline I/O scheduler, Anticipatory I/O Scheduler, Complete Fair queuing I/O scheduler and Noop I/O scheduler.
Linux device drivers (LDDs) are low-level software that handle hardware controllers and hide their peculiarities from users. They present a uniform view of devices. Each physical device like keyboards or disks has a hardware controller that is managed by a device driver. Device drivers control and status registers to initialize and diagnose devices. The code for managing hardware controllers is kept in the Linux kernel rather than applications. Device drivers provide the layer between applications and hardware devices.
The document discusses device drivers and kernel modules in Linux. It describes the role of device drivers in providing abstraction between hardware and software. Device drivers require low-level access to hardware and operate in a privileged environment. The document also covers loading kernel modules dynamically at runtime using insmod and rmmod. It discusses different types of devices, modules, and the initialization and cleanup functions required for modules.
This document provides an overview of different Linux I/O models including blocking I/O, non-blocking I/O, I/O multiplexing using select, poll, epoll, signal-driven I/O and asynchronous I/O. It describes key functions and system calls used for each model and provides examples of how they can be used in drivers and applications.
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...The Linux Foundation
This talk presents a new client virtualization platform that allows Xen to be used on mobile phones and tablets. These embedded devices require special consideration, particularly in the context of client virtualization. We will outline the technical challenges of virtualizing common tablet devices, including the touchscreen, audio, webcam, accelerometer, Wi-Fi, cellular, and display devices. TrustZone implications will also be discussed.
We will present the current project status and what it took (or will take) to get NVIDIA's Jetson TX1 development board and Google's Pixel C tablet running multiple Android instances. We will provide an overview of the platform’s build toolchain and source trees. Finally, we will open up discussions on the future of the platform and the challenges associated with improving Xen adoption on mobile ARM devices.
linux device drivers: Role of Device Drivers, Splitting The Kernel, Classes of
Devices and Modules, Security Issues, Version Numbering, Building and Running Modules
Kernel Modules Vs. Applications, Compiling and Loading, Kernel Symbol Table,
Preliminaries, Interaction and Shutdown, Module Parameters, Doing It in User Space.
The document discusses different approaches used by operating systems to detect hardware components during system boot. It describes methods like hardcoding details, using static configuration, device trees, and dynamic configuration via ACPI and bus-based detection. ACPI is covered in depth, including its components, tables, and complexity. Platform and PCI devices are also briefly explained.
This Presentation Speaks about Compiling Linux Kernel from source, How Device Drivers are implemented in Linux,Udev,Loading and Unloading of Kernel modules.
Shreyas MM
www.shreyasmm.com
This presentation gives an overview of Linux kernel block I/O susbsystem functionality, importance of I/O schedulers in Block layer. It also describes the different types of I/O Schedulers including the Deadline I/O scheduler, Anticipatory I/O Scheduler, Complete Fair queuing I/O scheduler and Noop I/O scheduler.
Linux device drivers (LDDs) are low-level software that handle hardware controllers and hide their peculiarities from users. They present a uniform view of devices. Each physical device like keyboards or disks has a hardware controller that is managed by a device driver. Device drivers control and status registers to initialize and diagnose devices. The code for managing hardware controllers is kept in the Linux kernel rather than applications. Device drivers provide the layer between applications and hardware devices.
The document discusses device drivers and kernel modules in Linux. It describes the role of device drivers in providing abstraction between hardware and software. Device drivers require low-level access to hardware and operate in a privileged environment. The document also covers loading kernel modules dynamically at runtime using insmod and rmmod. It discusses different types of devices, modules, and the initialization and cleanup functions required for modules.
This document provides an overview of different Linux I/O models including blocking I/O, non-blocking I/O, I/O multiplexing using select, poll, epoll, signal-driven I/O and asynchronous I/O. It describes key functions and system calls used for each model and provides examples of how they can be used in drivers and applications.
XPDS16: Xenbedded: Xen-based client virtualization for phones and tablets - ...The Linux Foundation
This talk presents a new client virtualization platform that allows Xen to be used on mobile phones and tablets. These embedded devices require special consideration, particularly in the context of client virtualization. We will outline the technical challenges of virtualizing common tablet devices, including the touchscreen, audio, webcam, accelerometer, Wi-Fi, cellular, and display devices. TrustZone implications will also be discussed.
We will present the current project status and what it took (or will take) to get NVIDIA's Jetson TX1 development board and Google's Pixel C tablet running multiple Android instances. We will provide an overview of the platform’s build toolchain and source trees. Finally, we will open up discussions on the future of the platform and the challenges associated with improving Xen adoption on mobile ARM devices.
linux device drivers: Role of Device Drivers, Splitting The Kernel, Classes of
Devices and Modules, Security Issues, Version Numbering, Building and Running Modules
Kernel Modules Vs. Applications, Compiling and Loading, Kernel Symbol Table,
Preliminaries, Interaction and Shutdown, Module Parameters, Doing It in User Space.
The document provides an introduction to Linux kernel modules. It discusses that kernel modules extend the capabilities of the Linux kernel by executing code as part of the kernel. It then describes the anatomy of a kernel module, including initialization and cleanup functions. The document demonstrates a simple "hello world" kernel module example and how to build, load and unload kernel modules. It also introduces the idea of character device drivers as a more advanced kernel module example.
The document provides an overview of the key components of the Linux operating system, including:
1) The Linux kernel, which acts as a resource manager for processes, memory, and hardware devices.
2) Process and memory management systems that control how processes are allocated and memory is allocated and freed.
3) The file system which organizes how files are stored and accessed.
4) Device drivers that allow the operating system to interface with hardware.
5) The network stack which handles network protocols and connections.
6) Architecture-dependent code that provides hardware-specific implementations of core functions.
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
Session ID: SFO17-403
Session Name: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Speaker: Christoffer Dall
Track: Virtualization
★ Session Summary ★
A key drawback in the use of full system virtualization is the performance penalty introduced by hypervisors. This problem is especially present on ARM, which has significantly higher overhead for some workloads compared to x86, due to differences in the hardware virtualization support. The key reason for the overhead on ARM is the need to multiplex kernel mode state between the hypervisor and VMs, which each run their own kernel. This talk will cover how we have redesigned and optimized KVM/ARM, resulting in an order of magnitude reduction in overhead, and resulted in less overhead than x86 on key hypervisor operations. Our optimizations rely on new hardware support in ARMv8.1, the Virtualization Host Extensions (VHE), but also support legacy hardware through invasive modifications to Linux to support running the kernel in the hypervisor-specific CPU mode, EL2
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-403/
Presentation: https://www.slideshare.net/linaroorg/optimizing-the-design-and-implementation-of-kvmarm-sfo17403
Video: https://www.youtube.com/watch?v=foRxjfKQeas
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
The document discusses system calls and how they are handled in operating systems. It explains that system calls allow user processes to request services from the kernel by generating an interrupt that switches the processor into kernel mode. On x86 processors, the interrupt handler saves process state and routes the call to the appropriate kernel code based on an interrupt descriptor table with 256 entries. The document provides details on how Linux/x86 implements system calls, exceptions, and interrupts using the IDT, and switches between user and kernel mode to maintain isolation.
The document discusses the GNU Build System, which helps simplify the development and building of portable software distributed as source code. It provides an overview of the key components of the GNU Build System - autoconf, automake, and libtool - and how they are used to generate configuration scripts and Makefile templates from initial files. The document also outlines the typical process of applying the GNU Build System tools to create software packages that can be easily built, installed, and distributed.
The Linux kernel acts as an interface between applications and hardware, managing system resources and providing access through system calls; it uses a monolithic design where all components run in the kernel thread for high performance but can be difficult to maintain, though Linux allows dynamic loading of modules. Device drivers interface hardware like keyboards, hard disks, and network devices with the operating system, and are implemented as loadable kernel modules that are compiled using special makefiles and registered with the kernel through system calls.
The document discusses Linux device drivers, including how they interface between user programs and hardware using a file interface, are implemented as loadable kernel modules (LKMs) that are inserted into the kernel, and how common operations like open, read, write, and release are mapped to kernel functions through a file operations structure.
This document provides an introduction to Linux device drivers. It discusses that device drivers provide an abstraction layer between software and hardware, hiding hardware details. It describes different types of devices like character and block devices. It covers key concepts like loadable modules, driver entry/exit points, interrupts, deferred work, and memory-mapped peripherals. The document uses serial/UART drivers and the TTY layer as examples to illustrate driver concepts.
Part 01 Linux Kernel Compilation (Ubuntu)Tushar B Kute
Presentation on "Linux Kernel Compilation" (Ubuntu based).
Presented at Army Institute of Technology, Pune for FDP on "Basics of Linux Kernel Programming". by Tushar B Kute (http://tusharkute.com).
This document provides an overview of the Linux kernel, including its history, structure, build process, installation, updating, and customization. It discusses getting the kernel source code, configuring and building the kernel, installing modules and the kernel, applying updates via patches, and determining the correct driver for PCI devices by matching the vendor and device IDs. The key steps are to find the PCI IDs, search for the IDs in kernel headers to identify the driver, search the kernel makefiles and configuration to enable that driver for compilation.
The document discusses how to configure, compile, and install a custom Linux kernel, including downloading the source code, configuring options such as file systems and drivers, compiling and installing the kernel, and enabling features like SMP and SELinux support. Instructions are provided for both manual and DEB package installation of the custom kernel. Key steps involve obtaining the source, running make menuconfig to configure options, compiling with make, and installing the new kernel and initrd files.
This document discusses several important Android kernel modules. It begins by outlining key network modules like Netlink for IPC, network schedulers for packet sequencing, Netfilter for packet filtering, and Nftables as a new packet filtering framework. For sound, it describes ALSA as the software API for sound card drivers. Regarding graphics, it mentions the Direct Rendering Manager for interfacing with GPUs and configuring display modes, and the Graphics Execution Manager for managing graphics memory. Finally, it notes the evdev input driver handles input from devices like keyboards and mice.
The second part of Linux Internals covers system calls, process subsystem and inter process communication mechanisms. Understanding these services provided by Linux are essential for embedded systems engineer.
The document provides an overview of configuring the Linux kernel, beginning with definitions of the kernel and reasons for customization. It then covers obtaining kernel sources, compiling the kernel, and configuring kernel options via make config/menuconfig. Key areas covered in configuring include hardware support, filesystems, security, and optimization. Loading and unloading kernel modules is also discussed.
This presentation gives introduction to kernel module programming with sample kernel module.
It helps to start with kernel programming and how it can be used to develop various types of device drivers.
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...Felipe Prado
The document discusses gaining root access to a system through exploitation. It outlines having execution control via GOT overwrite, netcat installed by default, and memory on the heap. The goal is gaining persistence and root access by putting shellcode in controlled memory and calling system() to execute a reverse shell. Steps include overwriting the GOT, placing shellcode in memory, and calling system() to fire a reverse shell through netcat.
The document provides an introduction to Linux kernel modules. It discusses that kernel modules extend the capabilities of the Linux kernel by executing code as part of the kernel. It then describes the anatomy of a kernel module, including initialization and cleanup functions. The document demonstrates a simple "hello world" kernel module example and how to build, load and unload kernel modules. It also introduces the idea of character device drivers as a more advanced kernel module example.
The document provides an overview of the key components of the Linux operating system, including:
1) The Linux kernel, which acts as a resource manager for processes, memory, and hardware devices.
2) Process and memory management systems that control how processes are allocated and memory is allocated and freed.
3) The file system which organizes how files are stored and accessed.
4) Device drivers that allow the operating system to interface with hardware.
5) The network stack which handles network protocols and connections.
6) Architecture-dependent code that provides hardware-specific implementations of core functions.
The document provides an introduction to Linux and device drivers. It discusses Linux directory structure, kernel components, kernel modules, character drivers, and registering drivers. Key topics include dynamically loading modules, major and minor numbers, private data, and communicating with hardware via I/O ports and memory mapping.
Optimizing the Design and Implementation of KVM/ARM - SFO17-403Linaro
Session ID: SFO17-403
Session Name: Optimizing the Design and Implementation of KVM/ARM - SFO17-403
Speaker: Christoffer Dall
Track: Virtualization
★ Session Summary ★
A key drawback in the use of full system virtualization is the performance penalty introduced by hypervisors. This problem is especially present on ARM, which has significantly higher overhead for some workloads compared to x86, due to differences in the hardware virtualization support. The key reason for the overhead on ARM is the need to multiplex kernel mode state between the hypervisor and VMs, which each run their own kernel. This talk will cover how we have redesigned and optimized KVM/ARM, resulting in an order of magnitude reduction in overhead, and resulted in less overhead than x86 on key hypervisor operations. Our optimizations rely on new hardware support in ARMv8.1, the Virtualization Host Extensions (VHE), but also support legacy hardware through invasive modifications to Linux to support running the kernel in the hypervisor-specific CPU mode, EL2
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-403/
Presentation: https://www.slideshare.net/linaroorg/optimizing-the-design-and-implementation-of-kvmarm-sfo17403
Video: https://www.youtube.com/watch?v=foRxjfKQeas
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
Keyword:
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://twitter.com/linaroorg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
The document discusses system calls and how they are handled in operating systems. It explains that system calls allow user processes to request services from the kernel by generating an interrupt that switches the processor into kernel mode. On x86 processors, the interrupt handler saves process state and routes the call to the appropriate kernel code based on an interrupt descriptor table with 256 entries. The document provides details on how Linux/x86 implements system calls, exceptions, and interrupts using the IDT, and switches between user and kernel mode to maintain isolation.
The document discusses the GNU Build System, which helps simplify the development and building of portable software distributed as source code. It provides an overview of the key components of the GNU Build System - autoconf, automake, and libtool - and how they are used to generate configuration scripts and Makefile templates from initial files. The document also outlines the typical process of applying the GNU Build System tools to create software packages that can be easily built, installed, and distributed.
The Linux kernel acts as an interface between applications and hardware, managing system resources and providing access through system calls; it uses a monolithic design where all components run in the kernel thread for high performance but can be difficult to maintain, though Linux allows dynamic loading of modules. Device drivers interface hardware like keyboards, hard disks, and network devices with the operating system, and are implemented as loadable kernel modules that are compiled using special makefiles and registered with the kernel through system calls.
The document discusses Linux device drivers, including how they interface between user programs and hardware using a file interface, are implemented as loadable kernel modules (LKMs) that are inserted into the kernel, and how common operations like open, read, write, and release are mapped to kernel functions through a file operations structure.
This document provides an introduction to Linux device drivers. It discusses that device drivers provide an abstraction layer between software and hardware, hiding hardware details. It describes different types of devices like character and block devices. It covers key concepts like loadable modules, driver entry/exit points, interrupts, deferred work, and memory-mapped peripherals. The document uses serial/UART drivers and the TTY layer as examples to illustrate driver concepts.
Part 01 Linux Kernel Compilation (Ubuntu)Tushar B Kute
Presentation on "Linux Kernel Compilation" (Ubuntu based).
Presented at Army Institute of Technology, Pune for FDP on "Basics of Linux Kernel Programming". by Tushar B Kute (http://tusharkute.com).
This document provides an overview of the Linux kernel, including its history, structure, build process, installation, updating, and customization. It discusses getting the kernel source code, configuring and building the kernel, installing modules and the kernel, applying updates via patches, and determining the correct driver for PCI devices by matching the vendor and device IDs. The key steps are to find the PCI IDs, search for the IDs in kernel headers to identify the driver, search the kernel makefiles and configuration to enable that driver for compilation.
The document discusses how to configure, compile, and install a custom Linux kernel, including downloading the source code, configuring options such as file systems and drivers, compiling and installing the kernel, and enabling features like SMP and SELinux support. Instructions are provided for both manual and DEB package installation of the custom kernel. Key steps involve obtaining the source, running make menuconfig to configure options, compiling with make, and installing the new kernel and initrd files.
This document discusses several important Android kernel modules. It begins by outlining key network modules like Netlink for IPC, network schedulers for packet sequencing, Netfilter for packet filtering, and Nftables as a new packet filtering framework. For sound, it describes ALSA as the software API for sound card drivers. Regarding graphics, it mentions the Direct Rendering Manager for interfacing with GPUs and configuring display modes, and the Graphics Execution Manager for managing graphics memory. Finally, it notes the evdev input driver handles input from devices like keyboards and mice.
The second part of Linux Internals covers system calls, process subsystem and inter process communication mechanisms. Understanding these services provided by Linux are essential for embedded systems engineer.
The document provides an overview of configuring the Linux kernel, beginning with definitions of the kernel and reasons for customization. It then covers obtaining kernel sources, compiling the kernel, and configuring kernel options via make config/menuconfig. Key areas covered in configuring include hardware support, filesystems, security, and optimization. Loading and unloading kernel modules is also discussed.
This presentation gives introduction to kernel module programming with sample kernel module.
It helps to start with kernel programming and how it can be used to develop various types of device drivers.
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
DEF CON 27 - DOUGLAS MCKEE - hvacking understanding the delta between securit...Felipe Prado
The document discusses gaining root access to a system through exploitation. It outlines having execution control via GOT overwrite, netcat installed by default, and memory on the heap. The goal is gaining persistence and root access by putting shellcode in controlled memory and calling system() to execute a reverse shell. Steps include overwriting the GOT, placing shellcode in memory, and calling system() to fire a reverse shell through netcat.
Owning computers without shell access 2Royce Davis
These are the slides from my talk at BSides Puerto Rico 2013. I will post a link to the slides later.
Abstract:
For many years Penetration Testers have relied on gaining shell access to remote systems in order to take ownership of network resources and enterprise owned assets. AntiVirus (AV) companies are becoming increasingly more aware of shell signatures and are therefore making it more and more difficult to compromise remote hosts. The current industry mentality seams to believe the answer is stealthier payloads and super complex obfuscation techniques. I believe a more effective answer might lie in alternative attack methodologies involving authenticated execution of native Windows commands to accomplish the majority of shell reliant tasks common to most network level penetration tests. The techniques I will be discussing were developed precisely with this style of attack in mind. Using these new tools, I will demonstrate how to accomplish the same degree of network level compromise that has been enjoyed in the past with shell-based attack vectors, while avoiding detection from AV solut
Jean-Ian Boutin, ESET
Frédéric Vachon, ESET
BIOS rootkits have been researched and discussed heavily in the past few years, but sparse evidence has been presented of real campaigns actively trying to compromise a system at this level. Our talk will reveal such a campaign successfully executed by STRONTIUM.
Earlier this year, there was a public report stating that the infamous Sofacy/APT28/Sednit APT group successfully trojanized a userland LoJack agent and used it against their targets. LoJack, a controversial anti-theft software, was scrutinized by security researchers in the past because of its unusual persistence method: a module preinstalled in many computers' UEFI/BIOS software. Several security risks were found through the years in their product, but no large in-the-wild activity was ever detected until the discovery of the STRONTIUM group leveraging some of these vulnerabilities affecting the userland agent. However, through our research, we now know that they did not stop there: they also tried, and succeeded, in installing a custom UEFI module directly in the systems' SPI flash memory.
In this talk, we will detail the full infection chain showing how STRONTIUM was able to install their custom UEFI module on key targets' computers.
Additionally, we will provide an in-depth analysis of their UEFI module and the associated trojanized LoJack agent.
Signature verification of hibernate snapshotjoeylikernel
This document discusses signature verification of hibernate snapshots to ensure integrity when resuming from hibernation in a multi-boot environment. It proposes using either a PKI or HMAC approach to sign snapshots before hibernation and verify signatures when restoring. It discusses implementing key generation in the bootloader and signature generation/verification in the kernel, and addresses challenges around entropy, performance, and status of patches.
The document summarizes post-exploitation techniques on OSX and iPhone. It describes a technique called "userland-exec" that allows executing applications on OSX without using the kernel. This technique was adapted to work on jailbroken iPhones by injecting a non-signed library and hijacking the dynamic linker (dlopen) to map and link the library. With some additional patches, the authors were able to load an arbitrary non-signed library into the address space of a process on factory iPhones, representing the first reliable way to execute payloads on these devices despite code signing protections.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
The document describes the process of starting a process on a PC. It explains that when a PC boots, the BIOS starts executing and loads the boot loader from the boot disk sector. The boot loader then loads the kernel into memory and jumps to it. The kernel boot loader then initializes devices and creates the first process by setting up its page table and memory space. The first process's state is set to runnable and the scheduler runs it, switching to its address space. The first process makes a system call to load the /init program, which creates the console and shell that runs as the main process.
The document discusses techniques for monitoring native 64-bit API calls in 32-bit WoW64 applications running on 64-bit Windows. It describes injecting a 64-bit DLL using various methods like Wow64log.dll injection, Heaven's Gate transitions, and APC injection. It also discusses overcoming challenges like CFG validation and implementing inline hooks without dependencies on 32-bit libraries. The techniques allow deep monitoring of WoW64 processes not possible with typical user-mode hooking.
This document discusses a presentation on practical Windows kernel exploitation. It covers the basics of kernel exploitation, common vulnerability classes like write-what-where and use-after-free, techniques for executing code, mitigation technologies, writing Windows kernel exploits for Metasploit, and improving reliability. The speaker works at SecureState researching and developing kernel exploits and is an open source contributor to projects like Metasploit.
Embedded Fest 2019. Руслан Биловол. Linux Boot: The Big Bang theoryEmbeddedFest
Many Linux developers and users know that Bootloader boots Linux Kernel which starts Userspace.
But what is behind that?
Linux Boot process is very similar to the Big Bang which happened in our world: from singularity to the whole beautiful Universe of running Linux processes. What do you think is a black hole equivalent in the Linux? Come to hear about all of that from an engineer who worked on a new processors and boards bringup, Linux boot process modifications and did boot time optimization many times.
The document describes hypervisors and their role in virtualization. It discusses how a hypervisor sits between virtual machines and hardware to provide an isolated environment for each VM. It also compares different types of hypervisors, including describing how early hypervisors used full virtualization through trap-and-emulate to virtualize privileged instructions. The document then discusses the design conditions for a hypervisor based on Popek and Goldberg's virtualization theorem, including how the hypervisor must provide equivalence, performance, and resource control for virtual machines.
Practical Malware Analysis: Ch 10: Kernel Debugging with WinDbgSam Bowne
This document discusses using WinDbg for kernel debugging and analyzing rootkits. It explains that WinDbg can debug in both user-mode and kernel-mode, unlike OllyDbg which is only for user-mode. Device drivers run code in the Windows kernel and are difficult to analyze. The DriverEntry routine is called when a driver is loaded and it registers callback functions. Malware often imports functions from Ntoskrnl.exe and Hal.dll to manipulate the kernel. WinDbg commands like bp, lm, and dt are demonstrated for setting breakpoints, listing modules, and viewing structures. Symbol files from Microsoft provide function and structure names to make debugging easier.
Injection on Steroids: Codeless code injection and 0-day techniquesenSilo
This document discusses techniques for injecting code into processes without directly writing code to the target process's memory. It introduces a technique called "Trap Frame Injection" which hijacks the CPU's user mode state that is stored in trap frames during system calls. It also presents a "Codeless Code Injection" technique which builds ROP chains on the user stack and manipulates the stack pointer to trigger execution without direct code writes. Challenges with this approach like getting return values and avoiding deadlocks are also outlined along with solutions like using a device handle callback or creating a dedicated thread.
For the Greater Good: Leveraging VMware's RPC Interface for fun and profit by...CODE BLUE
Virtual machines play a crucial role in modern computing. They often are used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. The assumption being made is that by running in a virtual machine, the potentially harmful code cannot execute anywhere else. However, this is not foolproof, as a vulnerability in the virtual machine hypervisor can give access to the entire system. While this was once thought of as just hypothetical, two separate demonstrations at Pwn2Own 2017 proved this exact scenario.
This talk details the host-to-guest communications within VMware. Additionally, the presentation covers the functionalities of the RPC interface. In this section of the presentation, we discuss the techniques that can be used to record or sniff the RPC requests sent from the Guest OS to the Host OS automatically. We also demonstrate how to write tools to query the RPC Interface in C++ and Python for fuzzing purposes.
Finally, we demonstrate how to exploit Use-After-Free vulnerabilities in VMware by walking through a patched vulnerability.
Bare-metal, Docker Containers, and Virtualization: The Growing Choices for Cl...Odinot Stanislas
(FR)
Introduction très sympathique autour des environnements Cloud avec un focus particulier sur la virtualisation et les containers (Docker)
(ENG)
Friendly presentation about Cloud solutions with a focus on virtualization and containers (Docker).
Author: Nicholas Weaver – Principal Architect, Intel Corporation
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Piratng Avs to bypass exploit mitigationPriyanka Aash
"Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitations and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities, and deep dive into a couple of those. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor to not only fix their engine, but also that their customers fix their applications prior to releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures."
(Source: Black Hat USA 2016, Las Vegas)
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
This document provides an overview of virtual machines, bytecode, and techniques for efficiently executing bytecode. It discusses:
1) How virtual machines simulate processors through bytecode instruction sets and memory management.
2) Bytecode formats and examples of bytecode for operations.
3) Different techniques for executing bytecode like interpretation, threaded code, and just-in-time compilation.
4) Optimizations for method lookup like inline caching and polymorphic inline caching to speed up dynamic method dispatch.
5) Advanced dynamic optimization techniques used in virtual machines like HotSpot that recompile and optimize hot code sections at runtime.
A Windows 0day vulnerability was found in the task scheduler that allows escalating privileges. When importing an old job file from Windows XP, the scheduler first impersonates the user, then reverts and sets permissions on the job file, but a bug allows it to instead set permissions on a different file linked to the job file. This can be exploited to grant user access to critical system files by linking a job file to that system file and triggering the import. A demonstration of the exploit was shown.
The document discusses code signing, what trust means in the context of code signing, and best practices for code signing. Trust in code signing means integrity (the signed file has not been tampered with), non-repudiation (the signature binds the file to its publisher), and trusting the software publisher, certifying authorities, cryptography algorithms and standards, and cryptography libraries. The document also covers ways of subverting code signing like using stolen or compromised certificates, compromised software publishers or certifying authorities, and exploiting weaknesses in signing algorithms or the Windows implementation. It recommends code signing best practices like minimizing private key access and revoking compromised certificates.
TOR, or The Onion Router, is proxy software that uses the TOR network to conceal a user's identity and location when browsing the web. The TOR network is a worldwide volunteer-run overlay network consisting of TOR nodes. It allows users to access the dark web anonymously via the TOR browser or other TOR-enabled software. The dark web consists of websites hosted on TOR that offer illegal goods and services, keeping both client and server identities hidden due to TOR's anonymity features.
Malware classification using Machine LearningJapneet Singh
Uses examples from book titled "Malware Data Science" to explain how AV companies use Machine learning to identify malware. Also, refers to open-source project "Ember" which provides a data set and python code to train and classify malware.
This document discusses reverse engineering and some of its common applications and techniques. Reverse engineering can be used by security researchers to understand malware and find vulnerabilities, while malware authors may use it to find ways to bypass security software or exploit vulnerabilities. The document then provides an overview of x64 architecture components like registers and calling conventions, as well as basic reverse engineering instructions. It also introduces the IDA reverse engineering tool and some alternatives. Finally, it outlines some example reverse engineering labs covering topics like branching, loops, and binary patching.
The document discusses several real-world advanced persistent threat (APT) attacks throughout history, including the first known cyber espionage incident called "The Cuckoo's Egg" in 1986, the Stuxnet cyber weapon used against Iran's nuclear facilities in 2010, and Operation Aurora which targeted major corporations like Google and Adobe in 2009. It defines APTs as targeted, advanced, persistent attacks usually carried out by well-funded nation-state groups, and outlines the common goals, phases, actors, and challenges of attributing APTs. The document concludes by providing further resources on APT reports, frameworks, and demonstrating attack techniques using Metasploit and Armitage.
This document discusses buffer overflow attacks. It begins with an overview of the topics that will be covered, including vulnerabilities, exploits, and buffer overflows. It then provides definitions for key terms and describes different types of memory corruption vulnerabilities. The bulk of the document focuses on stack-based buffer overflows, explaining how they work by overwriting the return address on the stack to point to injected shellcode. It includes diagrams of stack layout and function prologue and epilogue. The document concludes with a demonstration of a buffer overflow and discusses some mitigations like stack cookies and ASLR.
CHINA’S GEO-ECONOMIC OUTREACH IN CENTRAL ASIAN COUNTRIES AND FUTURE PROSPECTjpsjournal1
The rivalry between prominent international actors for dominance over Central Asia's hydrocarbon
reserves and the ancient silk trade route, along with China's diplomatic endeavours in the area, has been
referred to as the "New Great Game." This research centres on the power struggle, considering
geopolitical, geostrategic, and geoeconomic variables. Topics including trade, political hegemony, oil
politics, and conventional and nontraditional security are all explored and explained by the researcher.
Using Mackinder's Heartland, Spykman Rimland, and Hegemonic Stability theories, examines China's role
in Central Asia. This study adheres to the empirical epistemological method and has taken care of
objectivity. This study analyze primary and secondary research documents critically to elaborate role of
china’s geo economic outreach in central Asian countries and its future prospect. China is thriving in trade,
pipeline politics, and winning states, according to this study, thanks to important instruments like the
Shanghai Cooperation Organisation and the Belt and Road Economic Initiative. According to this study,
China is seeing significant success in commerce, pipeline politics, and gaining influence on other
governments. This success may be attributed to the effective utilisation of key tools such as the Shanghai
Cooperation Organisation and the Belt and Road Economic Initiative.
Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapte...University of Maribor
Slides from talk presenting:
Aleš Zamuda: Presentation of IEEE Slovenia CIS (Computational Intelligence Society) Chapter and Networking.
Presentation at IcETRAN 2024 session:
"Inter-Society Networking Panel GRSS/MTT-S/CIS
Panel Session: Promoting Connection and Cooperation"
IEEE Slovenia GRSS
IEEE Serbia and Montenegro MTT-S
IEEE Slovenia CIS
11TH INTERNATIONAL CONFERENCE ON ELECTRICAL, ELECTRONIC AND COMPUTING ENGINEERING
3-6 June 2024, Niš, Serbia
We have compiled the most important slides from each speaker's presentation. This year’s compilation, available for free, captures the key insights and contributions shared during the DfMAy 2024 conference.
Introduction- e - waste – definition - sources of e-waste– hazardous substances in e-waste - effects of e-waste on environment and human health- need for e-waste management– e-waste handling rules - waste minimization techniques for managing e-waste – recycling of e-waste - disposal treatment methods of e- waste – mechanism of extraction of precious metal from leaching solution-global Scenario of E-waste – E-waste in India- case studies.
ACEP Magazine edition 4th launched on 05.06.2024Rahul
This document provides information about the third edition of the magazine "Sthapatya" published by the Association of Civil Engineers (Practicing) Aurangabad. It includes messages from current and past presidents of ACEP, memories and photos from past ACEP events, information on life time achievement awards given by ACEP, and a technical article on concrete maintenance, repairs and strengthening. The document highlights activities of ACEP and provides a technical educational article for members.
Embedded machine learning-based road conditions and driving behavior monitoringIJECEIAES
Car accident rates have increased in recent years, resulting in losses in human lives, properties, and other financial costs. An embedded machine learning-based system is developed to address this critical issue. The system can monitor road conditions, detect driving patterns, and identify aggressive driving behaviors. The system is based on neural networks trained on a comprehensive dataset of driving events, driving styles, and road conditions. The system effectively detects potential risks and helps mitigate the frequency and impact of accidents. The primary goal is to ensure the safety of drivers and vehicles. Collecting data involved gathering information on three key road events: normal street and normal drive, speed bumps, circular yellow speed bumps, and three aggressive driving actions: sudden start, sudden stop, and sudden entry. The gathered data is processed and analyzed using a machine learning system designed for limited power and memory devices. The developed system resulted in 91.9% accuracy, 93.6% precision, and 92% recall. The achieved inference time on an Arduino Nano 33 BLE Sense with a 32-bit CPU running at 64 MHz is 34 ms and requires 2.6 kB peak RAM and 139.9 kB program flash memory, making it suitable for resource-constrained embedded systems.
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
8. Windows internals: Io Controls
• System call served by specific driver
• Send messages to a driver, and receive response
• Each message is assigned different identifier unique to that driver
9. Windows internals: Access token
• Every process running on Windows has an associated Primary token
• Token consists of
• User Security Identifier (SID)
• Group memberships
• Privileges
• Etc.
• Token is part of EPROCESS structure
10. Windows internals: Heaps/Pools
• Functionality
• Support API to allocate/deallocate
• Track allocated and free memory
• Handle internal fragmentation
• Troubleshooting aspects
• Structurally support ways to detect heap/pool corruptions
• Provide debugging aids
• Performance aspects
• Handle external fragmentation
• Coalesce adjacent memory areas when memory gets free
13. Exploit details
• What we want to achieve?
• Use after Free
• Kernel pool spray
• Shellcode execution
• Token stealing
14. What we want to achieve?
• We want to steal System token from System Process
15. What we want to achieve?
• We want to steal System token from System Process
• We need to find a vulnerability in a driver
16. What we want to achieve?
• We want to steal System token from System Process
• We need to gain RCE in kernel mode to execute our shellcode which
performs Token stealing
17. What we want to achieve?
• We want to steal System token from System Process
• We need to gain RCE in kernel mode to execute our shellcode which
performs Token stealing
• We know of a vulnerable kernel driver which has two vulnerabilities
• It allows Use After Free (will see shortly)
• It allows us to place a buffer of arbitrary size in kernel mode memory.
Contents of the buffer are in our control.
18. What we want to achieve?
• We want to steal System token from System Process
• We need to gain RCE in kernel mode to execute our shellcode which
performs Token stealing
• We know of a vulnerable kernel driver which has two vulnerabilities
• V1 - It allows Use After Free (will see shortly)
• V2 - It allows us to place a buffer of arbitrary size in kernel mode memory.
Contents of the buffer are in our control.
• We exploit the kernel driver vulnerability V2 to place a pointer to our
shellcode in kernel memory, and achieve execution of it using
vulnerability V1
19. What we want to achieve?
• We want to steal System token from System Process
• We need to gain RCE in kernel mode to execute our shellcode which
performs Token stealing
• We know of a vulnerable kernel driver which has two vulnerabilities
• V1 - It allows Use After Free (will see shortly)
• V2 - It allows us to place a buffer of arbitrary size in kernel mode memory. Contents
of the buffer are in our control.
• We exploit the kernel driver vulnerability V2 to place a pointer to our
shellcode in kernel memory, and achieve execution of it using vulnerability
V1
• Finally shellcode gets executed and we get System privilege by stealing
System Token
20. What we want to achieve?
• We want to steal System token from System Process
• We need to gain RCE in kernel mode to execute our shellcode which
performs Token stealing
• We know of a vulnerable kernel driver which has two vulnerabilities
• V1 - It allows Use After Free (will see shortly)
• V2 - It allows us to place a buffer of arbitrary size in kernel mode memory. Contents
of the buffer are in our control.
• We exploit the kernel driver vulnerability V2 to place a pointer to our
shellcode in kernel memory, and achieve execution of it using vulnerability
V1
• Finally shellcode gets executed and we get System privilege by stealing
System Token
• Then we launch cmd.exe as System user
21. Step 1: Allocation
Step 2: Free
Step 3: Use
Use after Free
Buffer
Callback
PTR
Buffer
Callback
PTR
PTR->Callback();
22. Step 1: Allocation
Step 2: Free
Step 2.5: Allocate at freed loc
Step 3: Use
(Ab)Use after Free
Buffer
Callback
PTR
Buffer
Callback
PTR
PTR->Callback();
Buffer
Callback
PTR
23. Question
• How can we allocate a controlled object at pre-determined location?
24. Kernel pool spray aka Grooming
• A - Allocate large number of objects to remove fragmentation
• B - Allocate large number of objects to create a big chunk of
allocation
• Create holes in B by deallocating alternate objects in B to make
further allocations deterministic
• Any further allocation of similar sized object would be in one of the
holes created in B
30. Full sequence of exploit
• Groom the pool to create holes
• Allocate and free
• Allocate - Allocation will happen in one of the holes
• Deallocate – now we can place fake objects
• Create fake objects containing callback pointer to our shellcode
• Place fake objects
• Fill all the holes with fake objects
• Trigger UaF
• This leads to callback to our shellcode
• Shellcode performs Token stealing
• Now launch cmd.exe using stolen token
31. Token stealing
• Find EPROCESS of a System process
• Jump to token offset in the EPROCESS
• Copy token privileges into current EPROCESS token
Usermode accesses System functionality using System calls
Usermode accesses System functionality using System calls
Allocate an object
Global object
Object has a callback pointer
Deallocate the object
Free the object
Pointer not set to NULL
Use the object
Invoke the callback