Kelvin Chan works as a security and kernel researcher at Tencent. His work involves understanding how games are hacked in order to better defend against cheats and exploits. He discusses how cheats are typically developed through reverse engineering games to obtain needed information from memory, then building cheat programs or modules. Kelvin emphasizes the importance of low-level operating system and CPU research for security, as this allows monitoring at the instruction level where attacks occur. His examples demonstrate using this research to implement anti-debugging techniques and virtualization-based monitoring to detect unauthorized access.
In the time when software is so complex and rapidly changing so, the users cannot trust their own computers and smartphones to protect their secrets from attackers, more and more solutions rely on hardware to be the last measure of protection. As a result, there are a number of manufacturers developing hardware wallets which are meant to protect cryptocurrency private keys.
This talk presents a wide range of attacks, which can be successfully applied to most popular hardware wallets on the market, from app isolation bypass to fault injection attacks on the microcontroller. Additionally the talk presents secure design requirements and countermeasures making life of an attacker much more difficult, which are applicable to all kings of secure hardware devices.
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
The course syllabus of our course in metasploit from novice to Ninja advanced skills.
If you are a penetration tester, network/system administrator or even novice finding your way into ethical hacking >> this course is for you.
In the time when software is so complex and rapidly changing so, the users cannot trust their own computers and smartphones to protect their secrets from attackers, more and more solutions rely on hardware to be the last measure of protection. As a result, there are a number of manufacturers developing hardware wallets which are meant to protect cryptocurrency private keys.
This talk presents a wide range of attacks, which can be successfully applied to most popular hardware wallets on the market, from app isolation bypass to fault injection attacks on the microcontroller. Additionally the talk presents secure design requirements and countermeasures making life of an attacker much more difficult, which are applicable to all kings of secure hardware devices.
This paper attempts to look behind the wheels of android and keeping special focus on custom rom’s and basically check for security misconfiguration’s which could yield to device compromise, which may result in malware infection or data theft.
The course syllabus of our course in metasploit from novice to Ninja advanced skills.
If you are a penetration tester, network/system administrator or even novice finding your way into ethical hacking >> this course is for you.
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
Current devices are complex products: a result of an ecosystem effort, with HW and SW components provided by several manufacturers, across long supply chains.
System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing.
This presentation explores some classes of such assumptions, as distilled by presenter’s experience.
Relevant attacks such as "Timing Attacks against IoT devices" or "Bypassing an encrypted Secure Boot with Fault Injection" are also discussed.
If you are involved in securing modern digital products, as a Developer, HW or SW System Architect, Product Security Manager or as a Security Researcher, you may find them interesting
This talk has been presented at HITB Dubai 2018 security conference.
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...CODE BLUE
An embedded system has a stub to connect with a host PC and debug a program on the system remotely. A stub is an independent control program that controls a main program to enable debugging by a debugger. A stub is simplified by only processing the simple controls such as reading or writing of the register or of a memory, and a debugger processes a complicated analysis on the host PC.
Communication with a debugger on the host PC and a stub on the embedded system is performed by a protocol called Remote Serial Protocol (RSP) over a serial communication or TCP/IP communication. If this communication is taken away, it becomes possible to operate a stub arbitrarily. We considered what kind of attack possibility there was in that case, and identified that execution of arbitrary code constructed from pieces of machine code, combined with (SOP: Step-Oriented Programming) is possible by repeating step execution while changing the value of the program counter. Therefore it is possible to construct an arbitrary code and execute it from existing machine code, even if execution of the injected machine code is impossible because execution on data area is prevented by DEP or only machine code on the flash ROM are allowed execution.
I will explain about an attack principle by SOP and the results from constructed attack code and actual inspection.
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
The recorded version of 'Best Of The World Webcast Series' [Webinar] where Jacob Holcomb speaks on 'RIoT (Raiding Internet of Things)' is available on CISOPlatform.
Best Of The World Webcast Series are webinars where breakthrough/original security researchers showcase their study, to offer the CISO/security experts the best insights in information security.
For more signup(it's free): www.cisoplatform.com
A Battle Against the Industry - Beating Antivirus for Meterpreter and MoreCTruncer
This talk goes over how stagers work in a different manner. Rather than standard function calls, I show how to utilize the same functionality in a slightly different way. It talks about Veil-Evasion, and a signature that was developed for it. Finally, I get into custom code and showcase three pieces of custom code that completely bypass antivirus.
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
Current devices are complex products: a result of an ecosystem effort, with HW and SW components provided by several manufacturers, across long supply chains.
System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing.
This presentation explores some classes of such assumptions, as distilled by presenter’s experience.
Relevant attacks such as "Timing Attacks against IoT devices" or "Bypassing an encrypted Secure Boot with Fault Injection" are also discussed.
If you are involved in securing modern digital products, as a Developer, HW or SW System Architect, Product Security Manager or as a Security Researcher, you may find them interesting
This talk has been presented at HITB Dubai 2018 security conference.
BKK16-110 A Gentle Introduction to Trusted Execution and OP-TEELinaro
Smart connected devices such as mobile phones, tablets and Digital TVs are required to handle data with strong security and confidentiality requirements. A “Trusted Execution Environment” (TEE) provides an environment for processing data securely, protected from normal platform applications. This talk is intended as an introduction to Trusted Execution, and the open-source Trusted Execution Environment OP-TEE in particular. It introduces the GlobalPlatform TEE Specifications, explains how Trusted Execution is implemented by ARM TrustZone and OP-TEE, and outlines how trusted boot software manages the secure boot of an ARM platform. Finally, it gives some pointers on how to get started with OP-TEE.
Possibility of arbitrary code execution by Step-Oriented Programming by Hiroa...CODE BLUE
An embedded system has a stub to connect with a host PC and debug a program on the system remotely. A stub is an independent control program that controls a main program to enable debugging by a debugger. A stub is simplified by only processing the simple controls such as reading or writing of the register or of a memory, and a debugger processes a complicated analysis on the host PC.
Communication with a debugger on the host PC and a stub on the embedded system is performed by a protocol called Remote Serial Protocol (RSP) over a serial communication or TCP/IP communication. If this communication is taken away, it becomes possible to operate a stub arbitrarily. We considered what kind of attack possibility there was in that case, and identified that execution of arbitrary code constructed from pieces of machine code, combined with (SOP: Step-Oriented Programming) is possible by repeating step execution while changing the value of the program counter. Therefore it is possible to construct an arbitrary code and execute it from existing machine code, even if execution of the injected machine code is impossible because execution on data area is prevented by DEP or only machine code on the flash ROM are allowed execution.
I will explain about an attack principle by SOP and the results from constructed attack code and actual inspection.
Multi-source connectivity as the driver of solar wind variability in the heli...Sérgio Sacani
The ambient solar wind that flls the heliosphere originates from multiple
sources in the solar corona and is highly structured. It is often described
as high-speed, relatively homogeneous, plasma streams from coronal
holes and slow-speed, highly variable, streams whose source regions are
under debate. A key goal of ESA/NASA’s Solar Orbiter mission is to identify
solar wind sources and understand what drives the complexity seen in the
heliosphere. By combining magnetic feld modelling and spectroscopic
techniques with high-resolution observations and measurements, we show
that the solar wind variability detected in situ by Solar Orbiter in March
2022 is driven by spatio-temporal changes in the magnetic connectivity to
multiple sources in the solar atmosphere. The magnetic feld footpoints
connected to the spacecraft moved from the boundaries of a coronal hole
to one active region (12961) and then across to another region (12957). This
is refected in the in situ measurements, which show the transition from fast
to highly Alfvénic then to slow solar wind that is disrupted by the arrival of
a coronal mass ejection. Our results describe solar wind variability at 0.5 au
but are applicable to near-Earth observatories.
THE IMPORTANCE OF MARTIAN ATMOSPHERE SAMPLE RETURN.Sérgio Sacani
The return of a sample of near-surface atmosphere from Mars would facilitate answers to several first-order science questions surrounding the formation and evolution of the planet. One of the important aspects of terrestrial planet formation in general is the role that primary atmospheres played in influencing the chemistry and structure of the planets and their antecedents. Studies of the martian atmosphere can be used to investigate the role of a primary atmosphere in its history. Atmosphere samples would also inform our understanding of the near-surface chemistry of the planet, and ultimately the prospects for life. High-precision isotopic analyses of constituent gases are needed to address these questions, requiring that the analyses are made on returned samples rather than in situ.
Cancer cell metabolism: special Reference to Lactate PathwayAADYARAJPANDEY1
Normal Cell Metabolism:
Cellular respiration describes the series of steps that cells use to break down sugar and other chemicals to get the energy we need to function.
Energy is stored in the bonds of glucose and when glucose is broken down, much of that energy is released.
Cell utilize energy in the form of ATP.
The first step of respiration is called glycolysis. In a series of steps, glycolysis breaks glucose into two smaller molecules - a chemical called pyruvate. A small amount of ATP is formed during this process.
Most healthy cells continue the breakdown in a second process, called the Kreb's cycle. The Kreb's cycle allows cells to “burn” the pyruvates made in glycolysis to get more ATP.
The last step in the breakdown of glucose is called oxidative phosphorylation (Ox-Phos).
It takes place in specialized cell structures called mitochondria. This process produces a large amount of ATP. Importantly, cells need oxygen to complete oxidative phosphorylation.
If a cell completes only glycolysis, only 2 molecules of ATP are made per glucose. However, if the cell completes the entire respiration process (glycolysis - Kreb's - oxidative phosphorylation), about 36 molecules of ATP are created, giving it much more energy to use.
IN CANCER CELL:
Unlike healthy cells that "burn" the entire molecule of sugar to capture a large amount of energy as ATP, cancer cells are wasteful.
Cancer cells only partially break down sugar molecules. They overuse the first step of respiration, glycolysis. They frequently do not complete the second step, oxidative phosphorylation.
This results in only 2 molecules of ATP per each glucose molecule instead of the 36 or so ATPs healthy cells gain. As a result, cancer cells need to use a lot more sugar molecules to get enough energy to survive.
Unlike healthy cells that "burn" the entire molecule of sugar to capture a large amount of energy as ATP, cancer cells are wasteful.
Cancer cells only partially break down sugar molecules. They overuse the first step of respiration, glycolysis. They frequently do not complete the second step, oxidative phosphorylation.
This results in only 2 molecules of ATP per each glucose molecule instead of the 36 or so ATPs healthy cells gain. As a result, cancer cells need to use a lot more sugar molecules to get enough energy to survive.
introduction to WARBERG PHENOMENA:
WARBURG EFFECT Usually, cancer cells are highly glycolytic (glucose addiction) and take up more glucose than do normal cells from outside.
Otto Heinrich Warburg (; 8 October 1883 – 1 August 1970) In 1931 was awarded the Nobel Prize in Physiology for his "discovery of the nature and mode of action of the respiratory enzyme.
WARNBURG EFFECT : cancer cells under aerobic (well-oxygenated) conditions to metabolize glucose to lactate (aerobic glycolysis) is known as the Warburg effect. Warburg made the observation that tumor slices consume glucose and secrete lactate at a higher rate than normal tissues.
A brief information about the SCOP protein database used in bioinformatics.
The Structural Classification of Proteins (SCOP) database is a comprehensive and authoritative resource for the structural and evolutionary relationships of proteins. It provides a detailed and curated classification of protein structures, grouping them into families, superfamilies, and folds based on their structural and sequence similarities.
Seminar of U.V. Spectroscopy by SAMIR PANDASAMIR PANDA
Spectroscopy is a branch of science dealing the study of interaction of electromagnetic radiation with matter.
Ultraviolet-visible spectroscopy refers to absorption spectroscopy or reflect spectroscopy in the UV-VIS spectral region.
Ultraviolet-visible spectroscopy is an analytical method that can measure the amount of light received by the analyte.
(May 29th, 2024) Advancements in Intravital Microscopy- Insights for Preclini...Scintica Instrumentation
Intravital microscopy (IVM) is a powerful tool utilized to study cellular behavior over time and space in vivo. Much of our understanding of cell biology has been accomplished using various in vitro and ex vivo methods; however, these studies do not necessarily reflect the natural dynamics of biological processes. Unlike traditional cell culture or fixed tissue imaging, IVM allows for the ultra-fast high-resolution imaging of cellular processes over time and space and were studied in its natural environment. Real-time visualization of biological processes in the context of an intact organism helps maintain physiological relevance and provide insights into the progression of disease, response to treatments or developmental processes.
In this webinar we give an overview of advanced applications of the IVM system in preclinical research. IVIM technology is a provider of all-in-one intravital microscopy systems and solutions optimized for in vivo imaging of live animal models at sub-micron resolution. The system’s unique features and user-friendly software enables researchers to probe fast dynamic biological processes such as immune cell tracking, cell-cell interaction as well as vascularization and tumor metastasis with exceptional detail. This webinar will also give an overview of IVM being utilized in drug development, offering a view into the intricate interaction between drugs/nanoparticles and tissues in vivo and allows for the evaluation of therapeutic intervention in a variety of tissues and organs. This interdisciplinary collaboration continues to drive the advancements of novel therapeutic strategies.
2. About Me
Name: Kelvin Chan
Work: Tencent Game Security and Windows Kernel Researcher
Facebook: Kelvin Chan
Email : KelvinChan@tencent.com
3. Introduction
•Understanding why a games security exists.
•Sharing some specific work and operation of a Commercial Security Research team
•Explaining how a cheat develop.
•Understanding why low-level knowledge strongly related to security research.
•Understanding the overview of how a game security production.
4. Outline
• Type of dark market
• Value of Game Security
• How cheat is developed
• Regular Works of Game Security
• How to defense a hackers?
• OS / CPU based research
• How research being used and example
• Monitoring
• Production and Stability
5. Type of black market
•DDOS
•Trojan
•Spam
•Malware
– E.g. Ransomware
•Game Cheat Studio
6. Values of Game Security
- It is a big “business” in dark market, really profitable
- In 2014, whole games industry is lost 74 billion in the US, because of game hacked.
8. Type of Cheat
• Automation attack, run, do a mission, emulate any process specific with game logic,
etc.
• I/O Device emulation, keyboard, mouse, joystick,etc.
• Game Logic modification, invincible character, unlimited HP(Health Point)
• Speed Acceleration
• Network Packet Emulation, fully emulate a client with reverse enginering whole
network protocol
9. How cheat is developed?
• Online-Game, actually is a process that running on a
specific OS (e.g. Windows)
• Normally, Hackers will analysis a game first, by
Reverse Engineering(Debugging)
• Hackers will get the information what they needs. Such
as, an address of Function(e.g. attack function), a
character object base address, monster object base
address. any character attribute loaded in the memory.
• Typical skills, stack-trace, hardware breakpoint,
Software breakpoint, and step-into, so on.
10. How cheat is developed?
•Hacker will then build a cheat program / module.
•And since the memory address space is isolated when we started
protected-mode and paging from CPU start-up period.
•Some common method they may used:
– Directly use windows API, WriteProcessMemory
– Inject a module into game process, and directly read, write
by normal memory access
– Driver direct read/write (relatively rare)
– ShellCode injection
– so on.... (umlimited method for hacking...)
11. How cheat is developed?
• Generic Attack Method:
– Attack on windows kernel protection mechanism, such as, attack patch guard for hooking some critical API
• Game Logic modification and Automation :
– Memory hiding
– attack on windows kernel protection mechanism
• Speedy Acceleration :
– Modify a clock, and fake a system the next second is actually second * 2 (depend on how many we what)
• Keyboard emulation :
– RGB capture
– Emulated by SendMessage to Game Window
– Direct write to the I/O port which is corresponding to the keyboard and mouse.
– Driver emulation, send a keyboard / mouse message packet from kernel to user mode.
– Game Enginee hacked (e.g. Direct-X)
13. Why OS / CPU based research
•Any cheat, running in a specific OS, it is just a
process, or module. So, from the OS aspect to protect
our game. It is a good choice.
•As low level as possible. Because all of the API a
cheat used will finally be called into the Ring 0(kernel
mode).
•More Accurately, some instruction will be running on
Ring 0 level, so the granularity of detection point can
be a instruction execution (if we can, VT-x may be a
good choice.)
•p.s. Windows is only used Ring 0 and Ring 3 as kernel
mode and user mode respectively.
•Ring 1 and Ring 2 is reserved, for software-based-
virtualization, they maybe used for isolation between
VMs
14. How research being used ?
•Since hackers need to ensure they are able to debug(reversing) our games, then getting
the information they wants.
•So, anti-debugging will be the very first wall for defensing their attack.
•As we said, a process is running on Windows, so, we can reused this concept for anti-
debugging.
•So the question is : How debugger / disassembler works?
•We need to proceed a research of debugging and analysis, for understand how
debugging works in specific windows.
15. Example
• Since we need to anti-debugging
• After studying how a debugging
is supported by Windows kernel.
• We can know that, debugger and
debuggee is connected by a
kernel-maintained structure,
• This structure is stored in process
structure as a member, called
DebugPort, which is an pointer of
debugport structure.
• If we detect or clear this member,
we can know if we are being
debugged, or stop the debugging
instantly.
16. Monitoring
- Exception exploitation
•For example:
• We directly set a specific memory address’s page is invalid, and any process access this page will
issue a Page-Fault.
- Virtualization-based method
• Intel VT-x provided Extended page table(EPT) for virtualizing a physical memory.
• This ability is good for monitoring a memory accessing.
• Because Exception exploitation is not a perfect method for monitoring, it is dangerous in case we
modify the OS logic.
17. Production and Stability
• Full System test – we need to make a full system test on
Windows before we release a protect solution.
• Gray Scale - we need to ensure the stability of over 100
million end-user environment is stable.
18. Conclusion
• Explained why game security needs R&D
• Given a overview of the war between hackers and research team.
• That’s why low level is required for playing hacking or security research.
• In real commercial security production, we need to 100% ensure, our solution is not
affecting the games(product) functionality.
https://github.com/Kelvinhack/kHypervisor