A Security Barrier Device (SBD) protects a PC or other control device by relaying every port between the motherboard and the peripherals. The SBD is completely transparent to the PC and can be installed regardless of OS or application. In this presentation I will discuss the storage-securing function achieved by the SBD relaying the SATA port.
The SBD has a security-information disk, accessible only to itself, where it stores the access-privilege information for the original disk in the PC. When the PC issues a data access request to the original disk, the SBD looks up the access privileges of that particular sector: if the sector is read-deny it returns dummy all-zero data, and if the sector is write-deny it does not write to that sector. The SBD allows not only sector-based protection but also file-based protection. In the file write-deny case there were some issues with the disk cache in memory not being synchronised, and with the position of the file's pointer relative to its directory being shifted, but I will show how these were solved.
I will also show that an SBD is an effective protection against any malware that attempts to manipulate the boot sector or system files: once it detects an access-right violation it can shut down the Ethernet port remotely and thwart the spread of the malware.
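The relay logic described above, as an added example (model code, not the SBD's firmware). It assumes a fixed-size sector array standing in for the original disk, a separate per-sector policy table standing in for the SBD's private security-information disk, and a relay every host request must pass through; the policy names and the sample boot-sector bytes are constructed for the illustration.

```python
"""Model of a Security Barrier Device (SBD) relaying a SATA port.

Added example for illustration; this is NOT the SBD's own firmware. The
'disk' is a list of 512-byte sectors, the 'policy' dict plays the role of
the SBD's private security-information disk, and all sample bytes are
constructed test data.
"""
from enum import Flag, auto

SECTOR_SIZE = 512


class Deny(Flag):
    NONE = 0
    READ = auto()
    WRITE = auto()


class SecurityBarrier:
    def __init__(self, sectors: int):
        # the "original disk" the PC believes it talks to directly
        self.disk = [bytearray(SECTOR_SIZE) for _ in range(sectors)]
        # the SBD's private policy table: only the SBD can reach it
        self.policy = {}          # lba -> Deny
        self.violations = []      # (op, lba) of every denied request

    def protect(self, lba: int, deny: Deny):
        self.policy[lba] = deny

    def protect_range(self, first: int, count: int, deny: Deny):
        for lba in range(first, first + count):
            self.protect(lba, deny)

    def read(self, lba: int) -> bytes:
        if Deny.READ in self.policy.get(lba, Deny.NONE):
            self.violations.append(("read", lba))
            return bytes(SECTOR_SIZE)        # dummy all-zero sector
        return bytes(self.disk[lba])

    def write(self, lba: int, data: bytes) -> bool:
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly SECTOR_SIZE bytes")
        if Deny.WRITE in self.policy.get(lba, Deny.NONE):
            self.violations.append(("write", lba))
            return False                     # dropped; the host never learns
        self.disk[lba][:] = data
        return True

    def violated(self) -> bool:
        """Trigger condition for the SBD's reaction (e.g. cutting the Ethernet port)."""
        return bool(self.violations)


def boot_sector_demo() -> dict:
    """Write-deny LBA 0 (boot sector), hide two sectors, then let 'malware' try."""
    sbd = SecurityBarrier(sectors=8)
    good_mbr = bytes([0x33, 0xC0]) + bytes(508) + b"\x55\xAA"   # constructed
    sbd.write(0, good_mbr)
    sbd.protect(0, Deny.WRITE)
    sbd.protect_range(4, 2, Deny.READ | Deny.WRITE)   # e.g. key material
    evil_mbr = b"\xEB\xFE" + bytes(510)               # constructed 'jmp $'
    write_ok = sbd.write(0, evil_mbr)
    return {
        "write_accepted": write_ok,
        "mbr_intact": sbd.read(0) == good_mbr,
        "hidden_reads_zero": sbd.read(4) == bytes(SECTOR_SIZE),
        "violations": list(sbd.violations),
        "should_cut_network": sbd.violated(),
    }
```

The host sees a successful-looking write and a zero-filled read; only the SBD's own violation log knows the policy fired, which is what makes it usable as a malware tripwire.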
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology he conducted research and development of 30 Gbps intrusion detection systems, 60 Gbps URL filtering systems and test equipment for such network devices. He is currently co-developing security barrier devices with the Research and Development Control System Security Center. He has presented at international conferences on MST and real-time systems.
http://codeblue.jp/en-speaker.html#KenjiToda
Secret of Intel Management Engine by Igor Skochinsky (CODE BLUE)
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details.
Igor Skochinsky
Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
IDA Vulnerabilities and Bug Bounty by Masaaki Chida (CODE BLUE)
IDA Pro is an advanced disassembler often used in vulnerability research and malware analysis. Because IDA Pro is used to analyse software behaviour in detail, a vulnerability in it that is used to attack the analyst can have not only a social impact but also an impact on legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging them, Hex-Rays's remediation process and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇA (CODE BLUE)
You got root access in OS X and now what?
Apple introduced mandatory code signing for kernel extensions in the new Yosemite version.
You are too cheap to buy a code signing certificate, or your OPSEC is against this?
You can't or don't want to steal someone else's certificate?
This presentation is about solving these problems with techniques that allow you to bypass all code signing requirements and regular kernel extensions loading interfaces.
The goal is to convince you that code signing isn't a serious obstacle in OS X, especially when its design is flawed and publicly known vulnerabilities remain "unpatched".
And if bad designs and vulnerabilities aren't enough then I'll also show you how to (ab)use an OS X feature for the same evil purposes.
The only requirement for this talk is uid=0(root). Well, the world isn't perfect!
Speaker: Santhosh Kumar
Event: Defcon Kerala
Date: 8/03/2014
Android: Forensic and Security Analysis
Android, one of the leading mobile operating systems, is managed by Google; released in 2008, it now stands at version 4.4.x, Android KitKat. Studies show that crime is increasingly shifting from computer-based to handheld-device-based, including crime against women and children and abuse, and digital forensics and law enforcement agencies face hard new challenges in cracking down on these situations in the Android environment. The Google Play Store, with over one million active applications, has added to the pain.
The talk focuses on the various methods and the various situations where forensics is useful.
The methods are classified as logical and physical, ranging from breaking passcodes to exploring the virtual NAND memory.
The talk also covers the various places where information of forensic interest can be found.
Affected by a mobile cyber attack? Tortured by an Android smartphone? Relax, there is a solution to each and every problem.
The talk also covers using both Windows and Linux as the forensic investigation environment.
Android, which has the Linux kernel at its heart, can be a paradise when it comes to forensic data.
Various tools make this faster.
Forensics is always useful, whether you are in a corporate environment or in a large law enforcement agency.
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again (Igor Korkin)
Windows has introduced an updated security mechanism, Protected Process Light (PPL), to prevent illegal access to the memory of critical processes and to meet Digital Rights Management (DRM) requirements. Intruders can disable PPL with a kernel driver to access the memory of protected processes. They can also illegally enable PPL for malware, giving it self-protection and access to the memory of protected processes without disabling their PPL. PatchGuard does not check the integrity of PPL. This kind of attack is critical for OS security and has to be prevented. This paper presents some undocumented internals of PPL during creation of a protected process and during access to protected process memory, to analyse how PPL can be tampered with. The hypervisor-based solution MemoryRanger is then applied to prevent this type of kernel attack on PPL. MemoryRanger prevents both kinds of attack on PPL: disabling and enabling it at run time. MemoryRanger has been successfully tested on Windows 10, version 20H2 Build 19042.631 x64.
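The byte the two attacks flip, as an added example (not code from the paper or from MemoryRanger). It decodes the one-byte PS_PROTECTION value using its public bit layout (Type in bits 0-2, Audit in bit 3, Signer in bits 4-7, the same names tools such as Process Hacker use) and audits a constructed process table in which a driver has stripped PPL from one process and granted it to another; the table and the "value at creation" bookkeeping are assumptions of the model, not kernel state.

```python
"""Decoding and auditing the PS_PROTECTION byte behind Protected Process Light.

Added example, not the paper's or MemoryRanger's code. Bit layout and names
follow the public PS_PROTECTION definition; the process table is constructed
sample data and the 'protection_now' field stands in for a kernel driver
having written EPROCESS.Protection at run time.
"""
from dataclasses import dataclass

PROTECTED_TYPES = {0: "None", 1: "ProtectedLight", 2: "Protected"}
SIGNERS = {0: "None", 1: "Authenticode", 2: "CodeGen", 3: "Antimalware",
           4: "Lsa", 5: "Windows", 6: "WinTcb", 7: "WinSystem", 8: "App"}


def decode_protection(level: int) -> tuple:
    """Split a PS_PROTECTION byte into (type name, signer name, audit flag)."""
    ptype = level & 0b111
    audit = bool(level & 0b1000)
    signer = (level >> 4) & 0b1111
    return (PROTECTED_TYPES.get(ptype, f"Type{ptype}"),
            SIGNERS.get(signer, f"Signer{signer}"),
            audit)


def encode_protection(ptype: int, signer: int, audit: bool = False) -> int:
    return (signer << 4) | (int(audit) << 3) | ptype


@dataclass
class Proc:
    pid: int
    name: str
    protection_at_create: int   # value assigned by the loader's signature check
    protection_now: int         # value currently in EPROCESS.Protection


def audit_ppl(procs) -> list:
    """Flag every process whose live PPL byte differs from its creation-time value.

    Type cleared  -> 'disabled': memory readable by anyone with PROCESS_VM_READ.
    Type gained   -> 'enabled' : an unprotected image now claims a level it never earned.
    """
    findings = []
    for p in procs:
        if p.protection_now == p.protection_at_create:
            continue
        before = decode_protection(p.protection_at_create)
        after = decode_protection(p.protection_now)
        if (p.protection_now & 0b111) == 0:
            kind = "disabled"
        elif (p.protection_at_create & 0b111) == 0:
            kind = "enabled"
        else:
            kind = "changed"
        findings.append((p.pid, p.name, kind, before[:2], after[:2]))
    return findings


def sample_attack() -> list:
    """Constructed table: a driver strips PPL from lsass and grants it to malware."""
    procs = [
        Proc(4, "System", 0x72, 0x72),           # WinSystem / Protected, untouched
        Proc(700, "lsass.exe", 0x41, 0x00),      # Lsa-Light -> stripped
        Proc(900, "MsMpEng.exe", 0x31, 0x31),    # Antimalware-Light, untouched
        Proc(4242, "malware.exe", 0x00, 0x61),   # now claims WinTcb-Light
    ]
    return audit_ppl(procs)
```

The audit only works if the creation-time value is recorded somewhere the driver cannot reach, which is exactly the gap the paper fills by letting the hypervisor, not the kernel, arbitrate writes to that field.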
CODE BLUE 2014 : [Keynote] IDA and digital security by Ilfak Guilfanov (CODE BLUE)
How and why the famous disassembler was created; how it grew into a tool of choice for many security analysts; what is the current state and what is in its agenda for tomorrow.
Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access (Igor Korkin)
The demo is here - https://www.youtube.com/watch?v=vi9TzLrO_pE
All details and source code are here - http://www.bit.ly/MemoryMonRWX
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies in Intel and AMD CPUs may be applied. To deal with the new malware we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have verified this concept by developing MemoryMonRWX, a bare-metal hypervisor that is able to track and trap all types of memory access: read, write and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis and support for multi-core CPUs and 64-bit Windows 10. It is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are guaranteed interception of every memory access, resilience and low performance degradation.
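How trapping read, write and execute through EPT works, as an added example (a model, not MemoryMonRWX's code). Guest-physical memory is modelled as 4 KiB pages whose EPT entries carry the R/W/X permission bits 0-2; an access the entry does not permit causes an EPT violation, which VT-x reports through an exit qualification whose bits 0-2 give the access type (data read, data write, instruction fetch) and bits 3-5 the page's current R/W/X. The handler below logs every violation and refuses writes to pages registered as critical kernel regions; the region names and addresses are constructed.

```python
"""Toy EPT-based memory access monitor in the MemoryMonRWX style.

Added example, not MemoryMonRWX's code. EPT entries are modelled as a dict
of page number -> R/W/X bits; an 'EPT violation' carries the exit
qualification layout used by Intel VT-x (bit 0 read, bit 1 write, bit 2
fetch, bits 3-5 the page's permissions). Addresses and labels are constructed.
"""
PAGE = 0x1000
R, W, X = 1, 2, 4          # EPT PTE permission bits 0..2


class EptMonitor:
    def __init__(self):
        self.ept = {}          # guest-physical page number -> permission bits
        self.log = []          # (gpa, access, perms, decision)
        self.protected = {}    # page number -> label of critical kernel region

    def map(self, gpa: int, size: int, perms: int):
        for pg in range(gpa // PAGE, (gpa + size - 1) // PAGE + 1):
            self.ept[pg] = perms

    def protect(self, gpa: int, size: int, label: str, keep: int = R | X):
        """Clear permission bits so the unwanted access types trap to the hypervisor."""
        for pg in range(gpa // PAGE, (gpa + size - 1) // PAGE + 1):
            self.ept[pg] = self.ept.get(pg, 0) & keep
            self.protected[pg] = label

    def access(self, gpa: int, req: int) -> bool:
        """Guest attempts `req` (R/W/X mask) at gpa. Returns True if it completes."""
        perms = self.ept.get(gpa // PAGE, 0)
        if (req & ~perms) == 0:
            return True                          # permitted: no VM exit at all
        qual = req | (perms << 3)                # exit qualification bits 0..5
        return self.on_ept_violation(gpa, qual)

    def on_ept_violation(self, gpa: int, qual: int) -> bool:
        req, perms = qual & 0b111, (qual >> 3) & 0b111
        label = self.protected.get(gpa // PAGE)
        if label is None:
            # Logging-only page: record the access and let it proceed.
            self.log.append((gpa, req, perms, "allowed"))
            return True
        # Critical region: refused no matter what PatchGuard is doing.
        self.log.append((gpa, req, perms, f"blocked:{label}"))
        return False


def decode_qualification(qual: int) -> dict:
    return {
        "read": bool(qual & 1), "write": bool(qual & 2), "fetch": bool(qual & 4),
        "page_r": bool(qual & 8), "page_w": bool(qual & 16), "page_x": bool(qual & 32),
    }


def rootkit_demo() -> dict:
    """A 'driver' patches a protected table and executes from a data page."""
    m = EptMonitor()
    ssdt = 0xFFFF_0000          # constructed guest-physical addresses
    pool = 0xFFFF_3000
    m.map(ssdt, PAGE, R | W | X)
    m.map(pool, PAGE, R | W)
    m.protect(ssdt, PAGE, "SSDT")        # drops W: writes now trap
    return {
        "ssdt_read": m.access(ssdt + 0x40, R),
        "ssdt_write": m.access(ssdt + 0x40, W),
        "pool_exec": m.access(pool, X),
        "log": list(m.log),
    }
```

Reads of the protected page never exit, which is where the low overhead comes from: the hypervisor only pays for the access types it deliberately removed from the EPT entry.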
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec... (Kuniyasu Suzaki)
Presented at IWSEC2014 (The 9th International Workshop on Security, Hirosaki): "Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints".
Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces (Igor Korkin)
MemoryRanger is a hypervisor-based project, which isolates kernel-mode drivers and their allocated data by running drivers in isolated kernel enclaves.
All the details are here - bit.ly/MemoryRanger
Bootkit threats have always been a powerful weapon in the hands of cybercriminals, allowing them to establish persistent and stealthy presence in their victims' systems. The most recent notable spike in bootkit infections was associated with attacks on 64-bit versions of the Microsoft Windows platform, which restrict the loading of unsigned kernel-mode drivers. However, these bootkits aren't effective against UEFI-based platforms. So, are UEFI-based machines immune against bootkit threats (or would they be)?
The aim of this presentation is to show how bootkit threats have evolved over time and what we should expect in the near future. Firstly, we will summarize what we've learned about the bootkits seen in the wild targeting the Microsoft Windows platform: from TDL4 and Rovnix (which was used by the Carberp banking trojan) up to Gapz (which employs one of the stealthiest bootkit infection techniques seen so far). We will review their infection approaches and the methods they have employed to evade detection and removal from the system.
Secondly, we will look at the security of the increasingly popular UEFI platform from the point of view of the bootkit author, as UEFI is becoming a target of choice for researchers in offensive security, and proof-of-concept bootkits targeting Windows 8 OS using UEFI have already been released. We will focus on various attack vectors against UEFI and discuss available tools and what measures should be taken to mitigate against them.
Applying Memory Forensics to Rootkit Detection (Igor Korkin)
A volatile memory dump and its analysis are an essential part of digital forensics. Among the many software and hardware approaches to memory dumping, some authors point out that certain approaches are not resilient to anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have disadvantages of their own, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. This paper describes a new memory forensic system, Malware Analysis System for Hidden Knotty Anomalies (MASHKA), which is resilient to popular anti-forensic techniques and can be used for a wide range of memory forensics tasks. The paper describes how to apply the system to the research and detection of kernel-mode rootkits and also presents an analysis of the most popular anti-rootkit tools.
Applying Memory Forensics to Rootkit Detection #adfsl #Virginia #USA
http://bit.ly/cdfsl_paper
http://bit.ly/cdfsl_slides
http://bit.ly/cdfsl_speech
Advanced threats are on the rise in the Windows 10 environment, where sophisticated attack vectors are used to evade threat detection tools and extract privileged data from the user. This talk presents a collection of tools and techniques, developed after reverse engineering and experimenting with Windows interfaces, that aim to evade detection systems (A/V or A/C) and to escalate kernel privileges.
Live Memory Forensics on Android devices (Nikos Gkogkos)
This presentation deals with some RAM forensics on the Android OS using the LiME tool for getting a RAM dump and the Volatility framework for the analysis part!
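What the analysis side has to do with a LiME dump before any plugin can run, as an added example (not LiME's or Volatility's code). It relies only on the public LiME on-disk layout: each captured physical range is preceded by a 32-byte little-endian header of magic 0x4C694D45, version 1, start address, inclusive end address and 8 reserved bytes, followed by the raw bytes. The dump is constructed in memory so the example runs offline; the physical addresses and contents are made up.

```python
"""Parsing a LiME memory dump the way Volatility's LiME address space does.

Added example, not LiME's or Volatility's code. Only the public LiME range
header layout is assumed; the dump itself is constructed below as test data.
"""
import struct

LIME_MAGIC = 0x4C694D45
HEADER = struct.Struct("<IIQQ8s")   # magic, version, s_addr, e_addr, reserved


def build_lime(ranges):
    """Construct a dump from [(start_phys_addr, bytes), ...] (test data only)."""
    out = bytearray()
    for start, data in ranges:
        out += HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)


def parse_lime(dump: bytes):
    """Yield (phys_start, phys_end_inclusive, file_offset_of_data) per range."""
    off = 0
    while off + HEADER.size <= len(dump):
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(dump, off)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad LiME header at offset {off:#x}")
        if e_addr < s_addr:
            raise ValueError(f"inverted range at offset {off:#x}")
        data_off = off + HEADER.size
        size = e_addr - s_addr + 1
        if data_off + size > len(dump):
            raise ValueError("truncated dump: range extends past end of file")
        yield (s_addr, e_addr, data_off)
        off = data_off + size


class LimeAddressSpace:
    """Translate physical addresses to dump offsets; holes between ranges are unmapped."""

    def __init__(self, dump: bytes):
        self.dump = dump
        self.ranges = list(parse_lime(dump))

    def _locate(self, paddr: int):
        for s, e, off in self.ranges:
            if s <= paddr <= e:
                return off + (paddr - s), e
        return None

    def translate(self, paddr: int):
        hit = self._locate(paddr)
        return None if hit is None else hit[0]

    def read(self, paddr: int, length: int) -> bytes:
        """Read across range boundaries, zero-filling unmapped holes (MMIO, reserved)."""
        out = bytearray()
        while len(out) < length:
            hit = self._locate(paddr)
            if hit is None:
                out.append(0)
                paddr += 1
                continue
            off, end = hit
            chunk = min(length - len(out), end - paddr + 1)
            out += self.dump[off:off + chunk]
            paddr += chunk
        return bytes(out)


def demo() -> dict:
    # Two RAM ranges with a hole between them (constructed, like a real /proc/iomem map).
    dump = build_lime([
        (0x1000, b"kernel\0" + b"A" * 25),
        (0x3000, b"B" * 32),
    ])
    space = LimeAddressSpace(dump)
    try:                                   # a capture cut short by a reboot
        list(parse_lime(dump[:-5]))
        truncated = False
    except ValueError:
        truncated = True
    return {
        "ranges": space.ranges,
        "first_bytes": space.read(0x1000, 7),
        "off_0x1010": space.translate(0x1010),
        "off_in_hole": space.translate(0x2000),
        "straddle_end": space.read(0x101E, 4),
        "straddle_start": space.read(0x2FFE, 4),
        "truncated_detected": truncated,
    }
```

Checking the range table before handing the file to a framework catches the common field failure of a dump that stopped early, which otherwise surfaces only as confusing plugin errors deep in the analysis.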
Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning t... (Igor Korkin)
The GNOME desktop environment stores the user's credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) includes its ability to quickly detect and remove passwords containing both ASCII and Unicode characters.
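The detect-and-remove step for a credential held in both ASCII and Unicode form, as an added example (not MimiDove's code). It scans a constructed byte buffer standing in for a dumped desktop-process heap, finds every copy of a known password in the encodings such a process is likely to hold it in (UTF-8 and UTF-16LE; a non-ASCII password exercises both), and overwrites the hits in place. Reading a live heap would go through /proc/<pid>/mem, which the example leaves out so it runs offline.

```python
"""Finding and wiping a password left in process memory, MimiDove-style.

Added example, not MimiDove's code. The 'heap' is constructed test data; the
password and the surrounding strings are made up.
"""
ENCODINGS = ("utf-8", "utf-16-le")


def find_secret(mem: bytes, secret: str) -> list:
    """Return (offset, encoding) for every occurrence, in address order."""
    hits = []
    for enc in ENCODINGS:
        needle = secret.encode(enc)
        start = 0
        while (i := mem.find(needle, start)) != -1:
            hits.append((i, enc))
            start = i + 1
    return sorted(hits)


def wipe_secret(mem: bytearray, secret: str) -> int:
    """Overwrite every copy with zero bytes; returns the number of copies wiped."""
    hits = find_secret(bytes(mem), secret)
    for off, enc in hits:
        n = len(secret.encode(enc))
        mem[off:off + n] = b"\0" * n
    return len(hits)


def build_heap(secret: str) -> bytearray:
    """Constructed heap: the password sits among unrelated data in both encodings."""
    return bytearray(
        b"\x00" * 16
        + b"username=alice\0"
        + secret.encode("utf-8") + b"\0"
        + b"\x00" * 32
        + "GTK_IM_MODULE=ibus".encode("utf-16-le")
        + secret.encode("utf-16-le")
        + b"\x00" * 8
    )


def demo() -> dict:
    secret = "Pässw0rd☃"            # constructed; mixes ASCII and non-ASCII
    heap = build_heap(secret)
    before = find_secret(bytes(heap), secret)
    wiped = wipe_secret(heap, secret)
    after = find_secret(bytes(heap), secret)
    return {"before": before, "wiped": wiped, "after": after}
```

Searching only for the UTF-8 form would miss the UTF-16LE copy that GTK-style string handling tends to leave behind, which is the point of covering both encodings.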
For all the popular cloud storage providers there are services that allow files to be uploaded anonymously into storage shared by users. Examples of such services are Dropittome, Balloon, Cloudwok and Sookasa. Given that end users often install clients to synchronise with the cloud, this method of delivering malware to a victim's computer becomes quite effective.
Captain Hook: Pirating AVs to Bypass Exploit Mitigations (enSilo)
In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one-by-one we found them to impact commercial engines, such as Microsoft’s Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again (Igor Korkin)
The security of a computer system depends on the protection of the OS kernel. It is crucial to reveal and inspect new attacks on kernel data that can be used by hackers. The idea of this paper is to continue the research into attacks on dynamically allocated data in the Windows OS kernel and demonstrate the ability of MemoryRanger to prevent these attacks. This paper demonstrates three new hijacking attacks on kernel data, which are based on bypassing OS security mechanisms. The first two hijacking attacks result in illegal access to files opened for exclusive access. The third attack escalates process privileges without token swapping. Although Windows security experts issue new protection features, access attempts to dynamically allocated data in the kernel are not fully controlled. The MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks and supports Windows 10 1903 x64.
MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel (Igor Korkin)
I have presented that files opened in exclusive mode can be illegally accessed without any security reaction. After that, I presented my MemoryRanger, which can prevent such unauthorized memory access.
All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html
Case study of BtrFS: A fault tolerant File system (Kumar Amit Mehta)
A case study of Fault Tolerance features of BTRFS. These slides were prepared for the coursework for a Masters level program at Tallinn University of Technology, Estonia. A lot of materials in the slides are taken from the materials in the public domain. Many thanks to the people on BTRFS IRC Channel.
JetStor NAS 724uxd 724uxd 10g - technical presentation (Gene Leyzarovich)
The JetStor NAS 724UXD is a unified/hybrid NAS storage system that consolidates NAS and IP-based iSCSI SAN in one chassis. It features the newest Intel Haswell platform for lower power consumption and 7x 1Gb Ethernet host ports per controller, all in a small 4U enclosure. The JetStor NAS 724UXD offers SSD caching to boost random I/O-intensive applications, snapshots, thin provisioning, online capacity expansion and a controller-based cable-less design for excellent manageability.
JetStor NAS 724UXD Dual Controller Active-Active ZFS Based (Gene Leyzarovich)
[Defcon] Hardware backdooring is practical (Moabi.com)
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof-of-concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM-related fixes from the BIOS, resulting in a permanent lowering of the security of the backdoored computer, even after complete erasing of the hard disks and reinstallation of a new operating system. We shall also demonstrate that pre-existing work on MBR subversion such as bootkitting and brute-forcing of pre-boot authentication software can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demonstrating its capabilities. It is hoped to raise the awareness of the security community regarding the dangers associated with the non-open-source firmware shipped with any computer and to question its integrity. This should also result in upgrading best practices for forensics and post-intrusion analysis by including the aforementioned firmware in their scope of work.
Hardware backdooring is practical : slides (Moabi.com)
Let Me Pick Your Brain - Remote Forensics in Hardened EnvironmentsNicolas Collery
Full Disk Encryption (FDE) can be a useful defence against the theft of a computer system. Usually such protection comes with some level of hardening, like removing administrative rights. However, when the system is compromised and requires careful forensic analysis, FDE and hardening can be quite painful for forensic analysts. This presentation, delivered at IIC-SG-2018 (Infosec In the City - Singapore) and at Div0 (Division0 local security meetup), highlights a few techniques to let a remote analyst perform investigations.
https://www.infosec-city.com
https://www.meetup.com/div-zero/
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
Most 5G networks are built in fundamentally new ways, opening new hacking avenues.
Mobile networks have so far been monolithic systems from big vendors; now they are becoming open, vendor-mixed ecosystems. Networks are rapidly adopting cloud technologies, including containerization and orchestration, so cloud hacking techniques become highly relevant to mobile networks.
The talk dives into the hacking potential of the technologies needed for these open networks. We illustrate the security challenges with vulnerabilities we found in real-world networks.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond printing and faxing, cloud printing services such as AirPrint are also supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers for internal business documents, which makes it even more important to keep them safe.
Nowadays, most printers on the market do not have to be connected by USB or another traditional cable. As long as the printer is attached to the intranet with a LAN cable, a computer can discover and use it immediately. Most of this discovery relies on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not run a traditional Linux system but an RTOS (Real-Time Operating System) instead; how does this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and the HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze the printers and gain control of them. We will also demonstrate how to use the vulnerabilities to achieve unauthenticated RCE on the RTOS.
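As an added example, not part of the talk and not any vendor's code: the SLPv2 (RFC 2608) discovery exchange named above, with a SrvRqst builder and a SrvRply parser in which every length field is checked against the datagram before it is used, which is exactly the bound a printer's own parser must enforce. The service type, the reply URL and the malformed reply are constructed here for illustration; the `probe` function that sends to the SLP multicast group assumes a printer on the LAN answers as RFC 2608 describes.

```python
"""SLPv2 (RFC 2608) SrvRqst builder and a defensive SrvRply parser (added example)."""
import socket
import struct

SLP_VERSION = 2
SRVRQST, SRVRPLY = 1, 2                 # function IDs
FLAG_MCAST = 0x2000                     # R bit: the request is being multicast
SLP_MCAST, SLP_PORT = "239.255.255.253", 427


def _lv(s: bytes) -> bytes:
    """Two-byte length prefix, as SLP encodes every variable-length field."""
    return struct.pack("!H", len(s)) + s


def _header(func_id: int, body_len: int, xid: int, flags: int = 0, lang: bytes = b"en") -> bytes:
    total = 14 + len(lang) + body_len   # 14 fixed header bytes plus the language tag
    return (struct.pack("!BB", SLP_VERSION, func_id)
            + total.to_bytes(3, "big")  # 3-byte total length
            + struct.pack("!H", flags)
            + (0).to_bytes(3, "big")    # next extension offset: none
            + struct.pack("!HH", xid, len(lang)) + lang)


def build_srvrqst(service_type: bytes, xid: int, scope: bytes = b"DEFAULT", mcast: bool = True) -> bytes:
    # PRList, service type, scope list, predicate, SLP SPI
    body = _lv(b"") + _lv(service_type) + _lv(scope) + _lv(b"") + _lv(b"")
    return _header(SRVRQST, len(body), xid, FLAG_MCAST if mcast else 0) + body


def build_srvrply(urls, xid: int, error: int = 0) -> bytes:
    """Well-formed reply as a printer would send it (constructed, used by the tests)."""
    body = struct.pack("!HH", error, len(urls))
    for lifetime, url in urls:
        # reserved byte, lifetime, URL length, URL, zero authentication blocks
        body += struct.pack("!BHH", 0, lifetime, len(url)) + url + b"\x00"
    return _header(SRVRPLY, len(body), xid) + body


def forge_oversized_reply(xid: int) -> bytes:
    """Constructed hostile reply: the URL entry claims 0xFFFF bytes but only four follow."""
    body = struct.pack("!HH", 0, 1) + struct.pack("!BHH", 0, 60, 0xFFFF) + b"http"
    return _header(SRVRPLY, len(body), xid) + body


def parse_srvrply(pkt: bytes, expect_xid: int):
    """Return [(lifetime, url), ...]; every length is validated against the datagram first."""
    if len(pkt) < 14:
        raise ValueError("short header")
    version, func_id = pkt[0], pkt[1]
    length = int.from_bytes(pkt[2:5], "big")
    xid, lang_len = struct.unpack("!HH", pkt[10:14])
    if version != SLP_VERSION or func_id != SRVRPLY:
        raise ValueError("not an SLPv2 SrvRply")
    if length != len(pkt):
        raise ValueError("length field does not match datagram size")
    if xid != expect_xid:
        raise ValueError("XID mismatch: unsolicited or spoofed reply")
    off = 14 + lang_len
    if off + 4 > len(pkt):
        raise ValueError("truncated after language tag")
    error, count = struct.unpack("!HH", pkt[off:off + 4])
    off += 4
    if error:
        raise ValueError(f"SLP error code {error}")
    entries = []
    for _ in range(count):
        if off + 5 > len(pkt):
            raise ValueError("truncated URL entry")
        lifetime, url_len = struct.unpack("!xHH", pkt[off:off + 5])
        off += 5
        if off + url_len + 1 > len(pkt):   # the bound a naive memcpy(url_len) parser skips
            raise ValueError("URL length exceeds datagram")
        url = pkt[off:off + url_len]
        off += url_len
        if pkt[off]:                       # number of authentication blocks
            raise ValueError("authentication blocks not supported")
        off += 1
        entries.append((lifetime, url.decode("ascii", "replace")))
    return entries


def is_rejected(pkt: bytes, xid: int) -> bool:
    try:
        parse_srvrply(pkt, xid)
        return False
    except ValueError:
        return True


def probe(service_type: bytes = b"service:printer", timeout: float = 2.0):
    """Send one multicast SrvRqst and collect replies that pass validation."""
    xid = 0x1234
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_srvrqst(service_type, xid), (SLP_MCAST, SLP_PORT))
    found = []
    try:
        while True:
            data, peer = sock.recvfrom(4096)
            if not is_rejected(data, xid):
                found.append((peer[0], parse_srvrply(data, xid)))
    except socket.timeout:
        pass
    return found


if __name__ == "__main__":
    for host, entries in probe():
        print(host, entries)
```

The XID check matters on a LAN where anyone can answer a multicast request: without it, a rogue host can inject printer URLs into every client's discovery result.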
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerabilities in cybersecurity and the challenges society faces around them.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such as the OS and CPU. In his third year of undergraduate school, he worked on implementing the OS security mechanism "KASLR" at SecHack365.
Currently, he is learning about ROP-derived techniques and embedded device security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found after our analysis had started, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
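An added toy illustration of the method the abstract describes; it is not ESET's tooling and not Wslink's real VM. Four invented virtual-opcode handlers carry the junk code, XOR-encoded immediates and duplicated opcodes listed above, and a small symbolic executor with simplifying rules recovers each handler's effect on the registers. Treating the operand key as a concrete value (it is fixed per sample) lets constant folding strip the operand encoding. The opcode numbers, the key and the junk patterns are assumptions made for the example.

```python
"""Recovering virtual-opcode semantics by symbolic execution with simplifying rules.
Added toy example: handlers, opcode numbers, junk patterns and the operand key are invented."""
MASK = 0xFFFFFFFF
OPERAND_KEY = 0x3C3C3C3C   # assumed per-sample key XOR-encoding immediates in the bytecode


def const(n):
    return ("const", n & MASK)


def var(name):
    return ("var", name)


def fold(op, *v):
    ops = {"add": lambda a, b: a + b, "sub": lambda a, b: a - b, "xor": lambda a, b: a ^ b,
           "not": lambda a: ~a, "neg": lambda a: -a}
    return ops[op](*v) & MASK


def simplify(e):
    """Bottom-up rewriting: fold constants, cancel junk, merge constant chains."""
    tag = e[0]
    if tag in ("var", "const"):
        return e
    args = [simplify(a) for a in e[1:]]
    if all(a[0] == "const" for a in args):
        return const(fold(tag, *(a[1] for a in args)))   # concrete operands fold away
    a, b = args[0], (args[1] if len(args) > 1 else None)
    zero = const(0)
    if tag in ("add", "xor") and b == zero:
        return a
    if tag in ("add", "xor") and a == zero:
        return b
    if tag == "sub" and b == zero:
        return a
    if tag in ("sub", "xor") and a == b:
        return zero
    if tag == "xor" and a[0] == "xor" and a[2] == b:       # (x ^ k) ^ k -> x
        return a[1]
    if tag == "sub" and a[0] == "add" and a[2] == b:       # (x + k) - k -> x
        return a[1]
    if tag in ("not", "neg") and a[0] == tag:              # ~~x -> x, -(-x) -> x
        return a[1]
    if tag in ("add", "xor") and a[0] == tag and a[2][0] == "const" and b[0] == "const":
        return simplify((tag, a[1], const(fold(tag, a[2][1], b[1]))))   # (x op k1) op k2
    return (tag, *args)


# --- invented handlers; `st` is the symbolic register file, `raw` the encoded operand ---
def h_add_v1(st, raw):
    """Opcode 0x11: r0 = r0 + r1, wrapped in junk that cancels out."""
    k = const(0x5A5A5A5A)
    t = ("xor", ("xor", st["r0"], k), k)
    r = ("add", t, st["r1"])
    r = ("sub", ("add", r, const(7)), const(7))
    st["r0"] = ("not", ("not", r))


def h_add_v2(st, raw):
    """Opcode 0x2F: duplicated opcode with different junk, same semantics."""
    r = ("neg", ("neg", ("add", st["r0"], st["r1"])))
    st["r0"] = ("xor", ("add", r, const(0)), const(0))


def h_ldi(st, raw):
    """Opcode 0x40: r0 = decoded immediate; key and operand are both concrete."""
    st["r0"] = ("xor", const(raw), const(OPERAND_KEY))


def h_merged(st, raw):
    """Opcode 0x51: two native instructions merged into one virtual instruction."""
    st["r1"] = ("xor", st["r1"], ("xor", const(raw), const(OPERAND_KEY)))
    st["r0"] = ("sub", st["r0"], st["r1"])    # uses the updated r1


HANDLERS = {0x11: h_add_v1, 0x2F: h_add_v2, 0x40: h_ldi, 0x51: h_merged}


def extract(opcode, raw_operand=0):
    """Run one handler on fresh symbolic registers and simplify every output."""
    st = {"r0": var("r0"), "r1": var("r1")}
    HANDLERS[opcode](st, raw_operand)
    return {reg: simplify(e) for reg, e in st.items()}


def show(e):
    if e[0] == "var":
        return e[1]
    if e[0] == "const":
        return hex(e[1])
    if e[0] in ("not", "neg"):
        return ("~" if e[0] == "not" else "-") + show(e[1])
    return f"({show(e[1])} {dict(add='+', sub='-', xor='^')[e[0]]} {show(e[2])})"


def dedupe_opcodes(raw_operand=0x1234 ^ OPERAND_KEY):
    """Group opcode numbers by recovered semantics: duplicated opcodes land together."""
    groups = {}
    for op in HANDLERS:
        key = tuple(sorted((r, show(e)) for r, e in extract(op, raw_operand).items()))
        groups.setdefault(key, []).append(op)
    return groups


if __name__ == "__main__":
    for key, ops in dedupe_opcodes().items():
        print([hex(o) for o in ops], dict(key))
```

Running the block prints one line per distinct semantics, with 0x11 and 0x2F collapsed into a single entry; on a real sample the same grouping is what shrinks a bloated opcode table back to the handful of operations the VM actually implements.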
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware families. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to evade detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors launching InfoOps, especially at critical moments such as wartime or election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted the narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. Recently, however, we saw newly created bots post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create the false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOp targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified links between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it hard to distinguish user functions from library code, which complicates analysis. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates fuzzy hashing into the existing gimphash method. We will verify the discrimination rate of the classification using the proposed method and confirm its validity by discussing some examples from the classified results. We will also discuss open issues in Go malware classification.
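An added example, not the gimpfuzzy or gimphash implementation: an ssdeep-style context-triggered piecewise hash over the sorted list of a Go binary's non-standard-library function names, next to a single exact hash over the same list. The exact hash changes on any rebuild, while the fuzzy hash still scores a near-identical build as similar and an unrelated family as distant. The symbol lists are constructed (on a real sample they would come from the pclntab), and the rule used to drop standard-library packages (no dot in the first path element, `main` kept) is an assumption.

```python
"""Fuzzy-hash similarity over a Go binary's non-standard function names (added example)."""
import hashlib
from difflib import SequenceMatcher

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FNV_INIT, FNV_PRIME, WIN = 0x28021967, 0x01000193, 7


def go_package(symbol: str) -> str:
    """'net/http.(*Client).Do' -> 'net/http', 'main.run' -> 'main'."""
    slash = symbol.rfind("/")
    dot = symbol.find(".", slash + 1)
    return symbol[:dot] if dot > 0 else symbol


def user_functions(symbols):
    """Keep symbols from user packages only (assumed rule: first path element has a dot, or 'main')."""
    keep = {s for s in symbols
            if go_package(s) == "main" or "." in go_package(s).split("/")[0]}
    return sorted(keep)


def exact_hash(symbols) -> str:
    """gimphash-style single digest over the list: any change gives an unrelated value."""
    return hashlib.md5("\n".join(user_functions(symbols)).encode()).hexdigest()


class _Rolling:
    """ssdeep-style rolling hash that depends only on the last WIN bytes."""
    def __init__(self):
        self.w, self.n, self.h1, self.h2, self.h3 = [0] * WIN, 0, 0, 0, 0

    def update(self, c: int) -> int:
        self.h2 = (self.h2 - self.h1 + WIN * c) & 0xFFFFFFFF
        self.h1 = (self.h1 + c - self.w[self.n % WIN]) & 0xFFFFFFFF
        self.w[self.n % WIN] = c
        self.n += 1
        self.h3 = ((self.h3 << 5) ^ c) & 0xFFFFFFFF
        return (self.h1 + self.h2 + self.h3) & 0xFFFFFFFF


def fuzzy_hash(data: bytes) -> str:
    """Context-triggered piecewise hash: one base64 char per piece, pieces cut by the rolling hash."""
    block = 3
    while block * 64 < len(data):     # aim for a signature of roughly 64 characters
        block *= 2
    roll, fnv, sig, pending = _Rolling(), FNV_INIT, [], False
    for c in data:
        fnv = ((fnv * FNV_PRIME) ^ c) & 0xFFFFFFFF
        pending = True
        if roll.update(c) % block == block - 1:
            sig.append(ALPHABET[fnv & 63])
            fnv, pending = FNV_INIT, False
    if pending:
        sig.append(ALPHABET[fnv & 63])
    return f"{block}:{''.join(sig)}"


def gimpfuzzy_like(symbols) -> str:
    return fuzzy_hash("\n".join(user_functions(symbols)).encode())


def similarity(h1: str, h2: str) -> int:
    """0..100; only signatures computed with the same block size are comparable."""
    b1, s1 = h1.split(":", 1)
    b2, s2 = h2.split(":", 1)
    if b1 != b2:
        return 0
    return round(100 * SequenceMatcher(None, s1, s2).ratio())


# Constructed symbol lists standing in for three samples' pclntab contents.
SAMPLE_A = ["runtime.mallocgc", "fmt.Println", "net/http.(*Client).Do", "crypto/aes.NewCipher",
            "github.com/acme/stealer/browser.DumpCookies", "github.com/acme/stealer/browser.DumpLogins",
            "github.com/acme/stealer/c2.Beacon", "github.com/acme/stealer/c2.Register",
            "github.com/acme/stealer/crypt.Decrypt", "github.com/acme/stealer/crypt.Encrypt",
            "main.main", "main.persist", "main.run"]
SAMPLE_B = SAMPLE_A + ["github.com/acme/stealer/c2.Uninstall", "main.sleepJitter", "os/exec.Command"]
SAMPLE_C = ["runtime.mallocgc", "fmt.Println", "net.Dial",
            "github.com/zeta/miner/pool.Connect", "github.com/zeta/miner/pool.Submit",
            "github.com/zeta/miner/pool.Reconnect", "github.com/zeta/miner/hash.Cryptonight",
            "github.com/zeta/miner/cfg.Load", "github.com/zeta/miner/cfg.Parse",
            "main.main", "main.run", "main.spawnWorkers"]

if __name__ == "__main__":
    ha, hb, hc = (gimpfuzzy_like(s) for s in (SAMPLE_A, SAMPLE_B, SAMPLE_C))
    print("exact A/B equal:", exact_hash(SAMPLE_A) == exact_hash(SAMPLE_B))
    print("fuzzy A~B:", similarity(ha, hb), " A~C:", similarity(ha, hc))
```

Because the rolling hash looks only at the last seven bytes, piece boundaries realign shortly after an inserted or removed name, so most signature characters survive a rebuild that adds a few functions; that locality is what an exact digest over the whole list cannot give.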
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
Malware analysts normally obtain IP addresses of the malware's command & control (C2) servers by analyzing samples. This approach works in commoditized attacks or campaigns. However, with targeted attacks using APT malware, it's difficult to acquire a sufficient number of samples for organizations other than antivirus companies. As a result, malware C2 IOCs collected by a single organization are just the tip of the iceberg.
For years, I have reversed the C2 protocols of high-profile APT malware families then discovered the active C2 servers on the Internet by emulating the protocols. In this presentation, I will explain how to emulate the protocols of two long-term pieces of malware used by PRC-linked cyber espionage threat actors: Winnti 4.0 and ShadowPad.
Both pieces of malware support multiple C2 protocols, such as TCP, TLS, HTTP, HTTPS and UDP. It is also common for one piece of malware to use a different data format and encoding algorithm per protocol. I'll cover the protocol details while referring to unique functions such as server mode in Winnti 4.0 and listening for multiple protocols on a single port in ShadowPad. Additionally, I'll share findings regarding Internet-wide C2 scanning and its limitations.
After the presentation, I'll publish over 140 C2 IOCs with the date ranges in which they were discovered. These dates are more helpful than just IP address information since the C2s are typically found on hosted servers, meaning that the C2 could sometimes exist on a specific IP only for a very limited time. 65% of these IOCs have 0 detection on VirusTotal as of the time of this writing.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensics on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology pushes into IT, I was wondering, as an "infrastructure container Kubernetes guy", how this fancy AI technology gets managed from an infrastructure operations view. Is it possible to apply our lovely cloud native principles as well? What benefits could both technologies bring to each other?
Let me take these questions and provide you with a short journey through existing deployment models and use cases for AI software. Using practical examples, we discuss what cloud/on-premise strategy we may need to apply it to our own infrastructure and get it to work from an enterprise perspective. I want to give an overview of infrastructure requirements and technologies, and of what could be beneficial for or limiting to your AI use cases in an enterprise environment. An interactive demo will give you some insight into the approaches I already have working for real.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti...Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Generating a custom Ruby SDK for your web service or Rails API using Smithyg2nightmarescribd
Have you ever wanted a Ruby client API to communicate with your web service? Smithy is a protocol-agnostic language for defining services and SDKs. Smithy Ruby is an implementation of Smithy that generates a Ruby SDK using a Smithy model. In this talk, we will explore Smithy and Smithy Ruby to learn how to generate custom feature-rich SDKs that can communicate with any web service, such as a Rails JSON API.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
GraphRAG is All You need? LLM & Knowledge Graph by Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Epistemic Interaction - tuning interfaces to provide information for AI support by Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova... by Ramesh Iyer
In today's fast-changing business world, companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and a willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
A Security Barrier Device That Can Protect Critical Data Regardless of OS or Applications by Just Installing It. by Kenji Toda
1. Security Barrier Device
Protects Critical Data Regardless of OS and Applications by Just Attaching It
Kenji TODA, Ichiro EBIHARA, Koji SEGAWA, Koichi TAKAHASHI and Kazukuni KOBARA
The National Institute of Advanced Industrial Science and Technology (AIST)
in cooperation with Control System Security Center (CSSC)
2. Contents
• Background
• Concept of SBD
• Data Protection Mechanism
• Hardware and Security Tag
• Sector Based Access Control
• File Based Access Control
• Malware Prevention
• Demonstration Video
• Future Work
Currently NTFS is implemented.
EXT and FAT are under development.
Applicable for other file systems.
3. Background: PC and/or Server
• It is hard to fix all the vulnerabilities of a complex OS and its applications.
• There is an undefended period, called the zero-day window, that exposes unknown or discovered-but-not-yet-fixed vulnerabilities.
(Chart: number of identified vulnerabilities per year, from http://www.symantec.com/ja/jp/threatreport/topic.jsp?id=vulnerability_trends&aid=total_number_of_vulnerabilities)
4. Background: Control System
• Additional security software is not affordable on restricted hardware resources and/or real-time systems.
• An outdated OS and applications might be used without any security patch.
We develop SBD, a hardware solution that is easily attachable regardless of OS and applications, without any software installation.
5. SBD – Easy Attaching
Just insert SBD between the IO ports of the original hardware and the target system. It protects important data regardless of OS and applications.
(Diagram: SBD inserted between the target system and its peripherals.)
6. SBD: Data Protection Mechanism
① The target system issues an IO request to the original HDD.
② SBD reads the security information of the corresponding IO blocks from the added HDD.
③ Data access is handled according to that information (permitted / inhibited / queried).
(Diagram: the added HDD holding the security information is invisible from the system; the original HDD holds the data. Example tag RW=10: Read 〇, Write ×.)
8. Security Barrier Device (SBD): Board and Specifications
• Board size: PCI Express card (230mm x 110mm)
• FPGA chip: Xilinx Kintex-7 676pin XC7K325T
• Configuration Flash ROM: holds the configuration written to the FPGA at power-on
• Memory I/F: DDR3 SODIMM×1
• Display input: HDMI×1
• Display output: HDMI×1
• Optical audio: input×1, output×1
• Storage I/F: SATA (7pin)×5
• Ethernet I/F: 1G/100Mbit Ether (RJ-45) ×2
• USB I/F: USB (Type A)×6 (USB2.0)
• SBD host PC I/F: PCI Express×18
9. SBD Board Connections
(Diagram: the SBD Control PC connects to the SBD Board over PCIe (card slot), USB0, Ethernet (LAN) and HDMI. The SBD Board relays SATA0, SATA1, USB0, USB1, HDMI and Ethernet (LAN) between the Target Control Device and the peripherals of the Target Control Device.)
10. Security Barrier Device (SBD): Security Tags (sector based control)
(Diagram, text recovered from the figure:)
• The SBD Control PC (Linux kernel 2.6 or above) and the SBD Board sit between the Target Control Device and its original storage; an additional storage holds the SBD security information.
• Users log in to SBD; the SBD PASSWORD FILE holds USER NAME, PASSWORD, UID and GID (root has UID 0; a sample user has UID 1).
• Each BLOCK of the original data in the target storage has a corresponding SBD SECURITY TAG: UID, GID and OWNER / GROUP / OTHER fields, each written as RqraWqra.
• SBD SECURITY MODE for storage access (R: read, W: write, q: query, r: record, a: alert). LoopBack / AccessControl options: {Query - assert / negate}, {Recording - all / no}, {Alert - no}.
• The same scheme applies to the relayed ports (USB, HDMI, SATA, PCIe, Ethernet, Loop Back), each with an SBD DEFAULT UID & GID.
• SATA Port Handling Logic is implemented.
• Ethernet can be cut-off.
11. Security Barrier Device (SBD): Sector Based Access Control
The targets of storage access control are block devices such as HDD / SSD / USB memory.
Since storage access is performed sector by sector (512Byte units), the implementation of sector based access control is straightforward.
• Defense of disk regions and partitions is OK!
• Gather to-be-write-protected data and system files into write-protected partitions.
• Gather to-be-read-protected data into read-protected partitions.
12. SBD: File Based Access Control
Motivation
File based access control extends defense coverage and
improves convenience dramatically:
• Critical system and user data is mostly files.
• No need to gather important files to protected partitions
• Original data disk can be protected as is.
• Easy assigning and releasing of protection on files.
• No stress on attaching and detaching of SBD (just plug
in/out IO connectors).
13. SBD: File Based Access Control Requirements
Commonly-used file systems:
• NTFS (Windows, …)
• EXT (Linux, Android, …)
• FAT (old Windows, MS-DOS, VxWorks, USB memory, …)
• HFS+ (Mac OS X, …)
Requirements to handle the above file systems:
• For access control of data blocks,
→〇 sector based control is appropriate;
→〇 read access control is appropriate;
→× write access control is NOT appropriate, because the pointers to the data blocks (in the non-resident data file and its parent directories) may change their locations.
14. SBD: File Based Access Control Fine Grain Control
Protection is required on the data of the file and on the path from the root.
Access granularity for directories and pointer areas ≦ sector size (512B):
1. Put the access control granularity into the security information corresponding to a sector.
2. In case of a write to a sector, in addition to the security information, the current content of the sector is also read. Then the write protected portion of the read data is used instead of the sector data intended to be written.
Consequently, fine grain control is achieved.
15. Security Barrier Device (SBD): File Read Protection (no difficulty)
In case SBD returns zeroes for read protected data, an error message appears on opening the protected data on a target system (Ubuntu). (Screenshot)
16. SBD: Requirement for Write Protection -- EXT2 (Linux)
• /appdata/app_critical is a write protected file.
The path from the root directory also needs protection.
17. SBD: File Based Access Control Remaining Difficulties
Problems of write protection on an NTFS file:
① Inconsistency between the disk-related caches in the memory of the defense target system and the disk may destroy the file system and cause an OS crash.
② The locations of the pointer entries referring to the write protected file in its parent directories may change on addition or deletion of other non-protected files, because the locations are rearranged by the balanced tree algorithm in NTFS. (←SBD achieves high performance by means of an FPGA circuit that assumes fixed locations.)
18. SBD: File Based Access Control Disk-Relating OS Caches
[Problems] Linux (and also Windows) utilizes the following caches for performance:
• Superblock (block group descriptor, bitmaps of free blocks and free i-nodes, …)
• i-node cache
• Directory entry cache
• Buffer cache (for disk block data)
• Page cache (for file data)
Write inhibition on the disk causes inconsistency between the OS caches and the disk!
19. SBD: File Based Access Control Solution
Problems of write protection on an NTFS file:
① Inconsistency between the disk-related caches in the memory of the defense target system and the data disk may destroy the file system and cause an OS crash.
② The locations of the pointer entries referring to the write protected file in its parent directories may change on addition or deletion of other non-protected files, because the locations are rearranged by the balanced tree algorithm in NTFS. (←SBD achieves high performance by means of an FPGA circuit that assumes fixed locations.)
By observing OS behavior using SBD:
→SBD makes the OS handle an accessed write-protected file entry as a (pseudo) bad block by returning a disk access error to the OS!
→The pointer location in its parent directory is never changed as long as its directory path is not changed!
20. SBD: File Based Access Control Write Protection Procedure
Write protection on an NTFS file:
① In case of a write, if a rename or deletion is performed on the write protected file, the operation is done on the caches and appears successful.
② After a short period, the contents of the caches are written to the disk, and SBD detects it.
③ SBD returns a device error on the file access and issues an alert to a user. The OS handles the file entry as if it were in a (pseudo) bad block. (An Ethernet port can be shut off with the alert as the trigger.)
④ When a user reboots the OS, SBD restores the write protected files prior to OS booting. Hence, the OS can be booted as it was.
SBD makes write protection consistent with the OS!
The pseudo bad blocks are restored from the $BadClus file.
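The sector based check (slide 11), the byte-masked merge of slide 14 and the device-error-plus-alert behaviour of slide 20, as an added software model that is not the AIST/CSSC FPGA logic; the class names, the `policy` switch and the `on_alert` callback are assumptions, and the disk is a plain dict keyed by LBA.

```python
# Added example, not the AIST/CSSC SBD implementation: a software model of the
# storage checks the slides describe. Names (SecurityTag, SBDRelay,
# AccessViolation) are assumptions; disk and tags are plain dicts keyed by LBA.
SECTOR = 512


class AccessViolation(IOError):
    """Device error returned to the target OS instead of completing the write."""


class SecurityTag:
    """Security information SBD keeps on its own disk for one 512-byte sector."""

    def __init__(self, read=True, write=True, protected=None):
        self.read = read                 # read permitted, else dummy zeros
        self.write = write               # write permitted, else the write is dropped
        # Fine grain control: one flag per byte, True = write-protected byte.
        self.protected = protected or [False] * SECTOR


class SBDRelay:
    """Relays sector I/O between the target system and its original disk."""

    def __init__(self, disk, tags, policy="merge", on_alert=None):
        self.disk, self.tags = disk, tags
        self.policy = policy             # "merge" (slide 14) or "error" (slide 20)
        self.on_alert = on_alert         # e.g. a callback that cuts the Ethernet port
        self.alerts = []                 # LBAs on which a violation was detected

    def read(self, lba):
        tag = self.tags.get(lba, SecurityTag())
        if not tag.read:
            return bytes(SECTOR)         # read-deny: return dummy data of 0
        return self.disk.get(lba, bytes(SECTOR))

    def write(self, lba, data):
        if len(data) != SECTOR:
            raise ValueError("writes are whole sectors")
        tag = self.tags.get(lba, SecurityTag())
        if not tag.write:
            return False                 # write-deny: nothing reaches the disk
        if not any(tag.protected):
            self.disk[lba] = bytes(data)
            return True
        current = self.disk.get(lba, bytes(SECTOR))
        # Sector-wide comparator with byte mask: does the write alter protected bytes?
        touched = any(p and data[i] != current[i]
                      for i, p in enumerate(tag.protected))
        if touched and self.policy == "error":
            self.alerts.append(lba)
            if self.on_alert:
                self.on_alert(lba)
            raise AccessViolation(f"write-protected bytes in LBA {lba}")
        # Merge policy: protected bytes keep their on-disk value, the rest is written.
        self.disk[lba] = bytes(current[i] if p else data[i]
                               for i, p in enumerate(tag.protected))
        return True
```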
21. SBD: File Based Access Control Mechanism
(Diagram: the security tag figure of slide 10, with two annotations:)
• Detecting information is prepared prior to detection. (File system dependent)
• Detection is performed at fine grain, byte unit, by the FPGA. (File system independent)
22. SBD: Performance of Access Control
In the case of fine grain, byte unit detection (the high overhead state), i.e. with file based access control (read / write) enabled:
Experimentally 100MByte/s
Measuring condition:
Original data disk and security information disk: Samsung SSD 830, 128GB
Benchmark program: Read-Only Benchmark, Ubuntu Disk Utility
Circuit: sector-wide comparator with byte unit mask circuit + multi-sector IO buffer circuit
24. Bootkit: Definition and Win32/Gapz
• The most dangerous infectious form: a bootkit launches before Windows and hides between the hardware and the OS. Hence it becomes undetectable and accesses system resources without limit. (technet.microsoft.com)
• Win32/Gapz: Advanced Evasion Techniques. The VBR infection type replaces only a few bytes in the BIOS Parameter Block, hence it is hard to detect. (An evolved form of the MBR infection type.) (blog.eset-smart-security.jp)
25. Bootkit: Win32/Gapz MBR Infection type
• The figure shows the infection sequence of the MBR infection type (traditional techniques):
① Bootkit code is loaded from disk, and the Int 13h disk handler is hooked.
② ntldr, bootmgr, winload.exe and IoInitSystem are hooked in series, and kernel mode code (the rootkit) is launched.
26. Bootkit: Win32/Gapz VBR Infection type
• VBR Infection Type disk image (advanced techniques):
① The Hidden Sectors field (4B) in the BIOS Parameter Block of the Volume Boot Record is modified.
② The bootkit is launched instead of the IPL, by means of skipping the whole NTFS volume in front of the bootkit.
③ The rest is the same as the MBR Infection type.
SBD protectable!
27. Bootkit: ELAM
• ELAM (Early Launch Anti-Malware Module), introduced in Windows 8, does not work. (blog.eset-smart-security.jp)
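A defender-side consistency check for the field the VBR infection slides say is altered, as an added example that is not part of the presentation: it reads the partition start LBAs from the MBR table and compares each NTFS boot sector's BPB Hidden Sectors value against them, since the IPL uses that value to locate the rest of the volume. Offsets follow the standard MBR/NTFS layout; the function names are assumptions and the images built by `make_mbr`/`make_vbr` are constructed test data.

```python
# Added example, not part of the presentation: a defender-side check for the
# BPB field the slides say the VBR infection type alters. Offsets follow the
# standard MBR / NTFS boot sector layout; function names are assumptions and
# the images built by make_mbr/make_vbr are constructed test data.
import struct

SECTOR = 512
MBR_TABLE = 0x1BE            # four 16-byte partition entries
NTFS_OEM = b"NTFS    "       # OEM ID at VBR offset 3
HIDDEN_SECTORS_OFF = 0x1C    # BPB "Hidden Sectors", little-endian uint32


def partition_starts(mbr):
    """Start LBA of every used MBR partition entry, in table order."""
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("missing MBR signature")
    starts = []
    for n in range(4):
        entry = mbr[MBR_TABLE + 16 * n: MBR_TABLE + 16 * (n + 1)]
        if entry[4] != 0:    # partition type byte, 0 = unused entry
            starts.append(struct.unpack_from("<I", entry, 8)[0])
    return starts


def check_ntfs_vbr(vbr, expected_start):
    """Findings if the VBR's Hidden Sectors disagrees with the MBR partition start."""
    findings = []
    if vbr[3:11] != NTFS_OEM:
        findings.append("OEM ID is not NTFS")
    if vbr[510:512] != b"\x55\xAA":
        findings.append("missing VBR signature")
    hidden = struct.unpack_from("<I", vbr, HIDDEN_SECTORS_OFF)[0]
    if hidden != expected_start:
        findings.append(f"Hidden Sectors={hidden}, partition starts at LBA {expected_start}")
    return findings


def audit(mbr, vbrs):
    """Map partition start LBA -> findings, pairing MBR entries with their VBRs."""
    return {start: check_ntfs_vbr(vbr, start)
            for start, vbr in zip(partition_starts(mbr), vbrs)}


def make_mbr(start_lba, sectors):
    """Constructed MBR with one bootable NTFS (type 0x07) partition."""
    mbr = bytearray(SECTOR)
    struct.pack_into("<B3sB3sII", mbr, MBR_TABLE,
                     0x80, b"\0\0\0", 0x07, b"\0\0\0", start_lba, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


def make_vbr(hidden_sectors):
    """Constructed NTFS boot sector carrying only the fields checked above."""
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"   # jump over the BPB, as a real NTFS VBR does
    vbr[3:11] = NTFS_OEM
    struct.pack_into("<I", vbr, HIDDEN_SECTORS_OFF, hidden_sectors)
    vbr[510:512] = b"\x55\xAA"
    return bytes(vbr)
```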
29. Bootkit: Secure Boot
• On secure boot, UEFI (Unified Extensible Firmware Interface) verifies the boot loader in advance of loading it. In case the boot loader is modified or replaced (by a bootkit), secure boot prevents its execution. (technet.microsoft.com, blogs.msdn.com)
The boot loader code itself is not protected! The boot loader is stored in a file for verification!
SBD protectable!
31. Rootkit: Definition and Sample
• Generic name of a tool that invades and modifies a computer system with root (system manager) privilege. (ASCII.jp)
• A typical rootkit hides logons, processes, files and logs. It often monitors input from the network and/or keyboard. In many cases, a rootkit is also a Trojan Horse. (Wikipedia)
• SONY BMG CD XCP case: audio player software with a copy guard function that, on the side, installed access control (permitting outgoing transmission and system invasion) using a rootkit. It transmitted data on the computer and also prevented other media player software from playing the music CD and/or copying it to disk. Its vulnerability was found and abused by malware. (→Currently, Windows Update has fixed it.) (Wikipedia)
System files are modified! SBD protectable!
33. SBD prevents writes to the boot area, shuts off Ethernet, and stops remote control.
(Diagram: Attacker → Victim; the network is shut off. Defense by SBD.)
34. Future Work
• Feasibility study and its feedback to SBD at Control System Security Center (CSSC)
• Linux EXT families and widely-used FAT families are under development. (Applicable for other file systems also.)
• Improvements on performance and robustness
• Tests using various malware
• Extension of SBD defense ability by developing Ethernet, USB and HDMI port-supervisory circuits.
• Downsizing (such as the SBD storage)