SlideShare a Scribd company logo

Kernel Mode Threats and Practical Defenses

Priyanka Aash
Priyanka Aash

Recent advancements in OS security from Microsoft such as PatchGuard, Driver Signature Enforcement, and SecureBoot have helped curtail once-widespread commodity kernel mode malware such as TDL4 and ZeroAccess. However, advanced attackers have found ways of evading these protections and continue to leverage kernel mode malware to stay one step ahead of the defenders. We will examine the techniques from malware such as DoublePulsar, SlingShot, and Turla that help attackers evade endpoint defenses. We will also reveal a novel method to execute a fully kernel mode implant without hitting disk or being detected by security products. The method builds on publicly available tools which makes it easily within grasp of novice adversaries. While attacker techniques have evolved to evade endpoint protections, the current state of the art in kernel malware detection has also advanced to hinder these new kernel mode threats. We will discuss these new defensive techniques to counter kernel mode threats, including real-time detection techniques that leverage hypervisors along with an innovative hardware assisted approach that utilizes performance monitoring units. In addition, we will discuss on-demand techniques that leverage page table entry remapping to hunt for kernel malware at scale. To give defenders a leg up, we will release a tool that is effective at thwarting advanced kernel mode threats. Kernel mode threats will only continue to grow in prominence and impact. This talk will provide both the latest attacker techniques in this area, and a new tool to curtail these attacks, proving real-world strategies for immediate implementation.

Technology
1 of 52
Download to read offline
KERNEL MODE THREATS AND PRACTICAL DEFENSES Joe Desimone Gabriel Landau
ABOUT US Joe Desimone Senior Malware Researcher Interests include offensive security research, reverse engineering, threat intelligence, and development of endpoint protections. Gabriel Landau Principal Software Engineer Past work includes product & DRM evaluation, malware RE, and offensive security research. Interests include Windows internals, with a focus development of endpoint protections. @gabriellandau @dez_
AGENDA PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections PART 3 Augmenting OS defenses
WHY THE KERNEL? Defense Evasion • Hide processes, files, registry keys, network activity • Entrenchment/Persistence • Lack of visibility into kernel Privilege Escalation • Same privilege as security software EVOLUTION
FIRST GENERATION KERNEL MALWARE Rustock (~2007) • Infect Windows drivers on disk • Standard rootkit functionality TDSS/TDL-1 (~2008) • Reg/File/Process/Network hiding • Infect driver ZeroAccess (~2009) • Overwrite random driver • Hidden encrypted NTFS volume • x86 only EVOLUTION
PatchGuard • Detect kernel patching/hooks à BSOD • First on XP SP3 x64 (~2005) Driver Signature Enforcement (DSE) • All drivers must be digitally signed • First on Vista x64 (~2007) Both defenses became more important as x64 market share grew NEW OS DEFENSES EVOLUTION
BOOTKITS EEye Bootroot (2005) • First public POC Mebroot AKA Sinowal (~2008) • NDIS hook to evade FW TLD4 (~2010) • Replace kdcom.dll to gain early execution • Modify Boot Config Data (BCD) to disable DSE Replace MBR (or VBR), gain execution before OS. Xpaj (~2012) • Set hooks before PG initialization EVOLUTION
COUNTERING BOOTKITS Secure Boot • UEFI validates integrity of OS bootloader • First support was Windows 8 (~2012) Trusted Boot • Each component of early windows boot process is verified by signature Intel Boot Guard • Root of trust in hardware (CPU) Intel BIOS Guard • Secure BIOS Updates EVOLUTION
BRING YOUR OWN VULN Uroburos / Turla • Exploit VBox driver • Disable DSE by modifying g_CiEnabled • Disable PatchGuard via RtlCaptureContext hook Derusbi • Exploit Novell driver • Disable DSE by modifying CiOptions • Also used stolen certificates Slingshot • Exploit Sandra driver • Hide network traffic Bring a signed, vulnerable driver. Use it to bootstrap into kernel. EVOLUTION
DUQU 2.0 • Main payload used 0day in win32k.sys for kernel execution (CVE-2015-2360) • Hooked IAT of Kaspersky driver to spoof process information • Allowed user mode component to become trusted ksp process • Separate driver used for persistence in DMZ • Used stolen Foxconn certificate • Redirect traffic with NDIS filtering EVOLUTION
• Volatile kernel mode implant • Loaded via remote ring0 exploit (ex ETERNALBLUE) • Evade PatchGuard by hooking srv!SrvTransactionNotImplemented pointer • Injects DLLs into usermode via APCs DOUBLEPULSAR EVOLUTION
VIRTUALIZATION BASED SECURITY • VTL1 – new Secure Kernel, trustlets • VTL0 – normal Kernel, drivers • Extended Page Tables (SLAT/EPT) to guard access • IOMMU to protect from DMA access • Hypervisor Code Integrity (HVCI) • All kernel code must be signed, (W^X) • Credential Guard EVOLUTION
Attacker Initial Kernel Malware – Rustock, TDSS, ZeroAccess Defender First Kernel Defenses – Patchguard and Driver Signature Enforcement (DSE) Defender Countering Bootkits – SecureBoot, Trusted Boot, Boot Guard, etc. Defender Virtualization Based Security (VBS) Attacker BootKit Malware – Sinowal, TDL4, Xpaj Attacker Exploit To Load Driver – Uroburos, Duqu2, DoublePulsar EVOLUTION
KERNEL MITIGATIONS ACROSS WINDOWS VERSIONS EVOLUTION
Adoption Rate Windows 10 is less than half of worldwide installations. How many are HVCI? EVOLUTION
AGENDA PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections PART 3 Augmenting OS defenses
INTERNAL RvB FILELESS KERNEL MODE IMPLANT • Evade Blue Team by moving to the kernel • Kernel dev environment • VS 2015, Windows Driver Kit (WDK) 10 • Virtual KD / Windbg • Turla Driver Loader (TDL) EVASION
IMPLANT DESIGN • Kernel mode ONLY • Winsock Kernel (WSK) for C2 • Triggerable (no beacons) • Basic backdoor functionality EVASION
Confidential and Proprietary 19 IMPLANT LOADER Script .NET Native Squiblydoo XSL / Jscript PowerShell DotNetToJS .NET MemoryModule TDL / Exploit EVASION
STAYING DISKLESS NETWORK DRIVER LOAD • Avoid dropping driver to disk by loading it with WebDAV: • ZwLoadDriver(DeviceWebDavRedirector;127.0.0.1@8000exploitable.sys) • Sysmon path conversion bug EVASION
STEALTHY NETWORK COMMS EVASION
STEALTHY NETWORK COMMS EVASION
DEMO EVASION
• Virtual box driver vulnerability is a no-go, won't even load under HVCI • Step one was to find a vulnerable driver which could load under HVCI. www.greyhathacker.net has tons of POCs (Parvez Anwar) • BYOV – Bring your own vulnerability. Choose wisely! • Static 1-byte write vs • Write *what where EVADING VBS / HVCI EVASION
• Modification of kernel memory can significantly compromise the integrity of the system • IAT patching • Even if IAT was protected by VBS, there are many other targets • Disable EDR kernel-user communications • Disable security focused kernel ETW providers • Microsoft-Windows-Threat-Intelligence • Elevate Privileges – Token or Handle • Data / Data Corruption EVADING VBS / HVCI DATA DRIVEN ATTACKS EVASION
EVASION
EVASION
EVASION
• Create a "surrogate" thread, put it to sleep • Find location of stack [_ETHREAD] • Build rop chain • Hook stack -> overwrite NtWaitForSingleObject pointer with pivot gadget • Resume thread (ReleaseMutex) EVADING VBS / HVCI CODE RE-USE EVASION
• Dynamically build chain based on number of arguments in target function • We have 10 gadgets for full N-Argument function call • Pivot (pop rsp, ret) • Restore the 16 bytes overwritten on the stack • Setup arguments in registers/stack • Call target function • Save return value (rax) • Restore R14 (mutex object) • Unpivot EVADING VBS / HVCI CODE RE-USE EVASION
EXAMPLE - WriteProcessMemory EVASION
EVASION DEMO
AGENDA PART 3 Augmenting OS defenses PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections
• You should very carefully monitor driver load events • Look for low prevalence drivers • Identify known-exploited drivers (blacklist) • Free Instrumentation: • Sysmon Event ID 6: Driver loaded • Windows Defender Application Control (DG) Audit Mode DRIVER EVENTING EVOLUTION DEFENSES
• Limit kernel drivers to WHQL REDUCING ATTACK SURFACE EVOLUTION DEFENSES
• Blacklisting Exploitable Drivers • Default in Win10 RS5 HVCI • Endgame Kernel Attack Surface Reduction (KASR) • No configuration required • Free. Available at www.endgame.com REDUCING ATTACK SURFACE EVOLUTION DEFENSES
Full memory acquisition and offline analysis does not scale Problem Leverage the same techniques to read kernel memory at the endpoint and perform analysis on the endpoint • DevicePhysicalMemory • MmMapIoSpace • MmMapMemoryDumpMdl • Page Table Entry (PTE) Remapping Solution EVOLUTIN DEFENSES KERNEL MEMORY COLLECTION
• Page Table Entry (PTE) remapping • Invented by Stüttgen and Cohen • Most performant in testing • More resilient to tampering from rootkits (No API to hook) • Based on CPU architecture, so it is cross-OS-compatible • Modify the PTE of a controlled chunk of memory to point to where you want to read KERNEL MEMORY COLLECTION EVOLUTION DEFENSES
• Generically detect function pointer hook • Locate function pointers by walking relocation tables • Endgame Marta • Free. Available at www.endgame.com FUNCTION POINTER INTEGRITY SCAN Originally pointed to +X section in on- disk copy of driver Does not point to a loaded driver in memory Points to executable memory Consider a hit if… EVOLUTION DEFENSES
Performance Monitoring Unit (PMU) • Built into most CPUs in the last decade • Programmable to count specific events • Can generate an interrupt when a certain number of events occur Detect unbacked kernel shellcode / unbacked drivers • Program PMU to fire interrupts on some event likely to occur inside unbacked driver. • When interrupt fires, validate IP belongs to a driver REALTIME DETECTION OF UNBACKED KERNEL CODE DEFENSES
DEFENSESDEMO DEFENSESDEMO
Weaknesses • FP from unbacked drivers (including PatchGuard) • Vulnerable to PMU disablement via MSR • Detection driver is susceptible to data attacks EVOLUTION DEFENSES REALTIME DETECTION OF UNBACKED KERNEL CODE
• MemoryMon • Leverage EPT to detected unbacked kernel code execution • AllMemPro • Mitigates data attacks by isolating driver data with hypervisor • Based on same platform as MemoryMon • SecVisor • CMU research from 2007 • Early implementation of hypervisor enforced code integrity HYPERVISOR APPROACHES EVOLUTION DEFENSES
HARDENING THE WINDOWS KERNEL AGAINST ROP EVOLUTION DEFENSES
• CFG provides forward-edge CFI, but there is no reverse-edge CFI • RFG was cancelled • Intel CET requires future hardware HARDENING THE WINDOWS KERNEL AGAINST ROP IDEA Provide reverse-edge kernel CFI using the PMU EVOLUTION DEFENSES
ROP tends to generate lots of mispredictions • Scan drivers to identify call/return sites • Configure LBR to record CPL0 near returns • Configure PMU fire PMI when BR_MISP_RETIRED counter overflows • Validate every new LBR entry is call-preceded Performance • Protection tunable from deterministic to probabilistic • JetStream benchmark on Intel Skylake 6700K: ~1.1% overhead EVOLUTION DEFENSES HARDENING THE WINDOWS KERNEL AGAINST ROP
DEFENSESDEMO
• Limitations • Vulnerable to malicious drivers. Hypervisor protection needed. • wrmsr IA32_PERF_GLOBAL_CTRL, 0 • Data attack against policy bitmap • Requires available PMU and LBR • No VMware/Hyper-V support • Incompatible with obfuscated drivers • Windows ships with two: clipsp.sys and peauth.sys • Something similar exists on Linux EVOLUTION DEFENSES HARDENING THE WINDOWS KERNEL AGAINST ROP
• Windows platform security has gotten much better in the last decade. However, kernel mode threats are still a big concern • Use Windows 10 with SecureBoot and HVCI • Require EV/WHQL drivers via code integrity policy • Monitor and hunt on driver load events CONCLUSION
QUESTIONS?
• https://www.virusbulletin.com/virusbulletin/2008/08/yet-another-rustock-analysis • https://securelist.com/rustock-and-all-that/36217/ • https://securelist.com/tdss/36314/ • https://people.eecs.berkeley.edu/~pearce/papers/zeroaccess_tr_2013.pdf • https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-zeroaccess-infection-analysis-12-en.pdf • https://nakedsecurity.sophos.com/zeroaccess/ • https://msdn.microsoft.com/en-us/library/bb530195.aspx • https://securelist.com/tdss-tdl-4/36339/ • https://www.coseinc.com/en/index.php?rt=download&act=publication&file=TDL4_Carrier_to_Glupteba.pdf • https://resources.infosecinstitute.com/uefi-and-tpm/ • http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf • https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf • https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf • https://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/ EVOLUTION REFERENCES REFERENCES
• https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf • https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf • https://securelist.com/the-duqu-2-0-persistence-module/70641/ • https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html • http://www.alex-ionescu.com/blackhat2015.pdf • http://gs.statcounter.com/windows-version-market-share/desktop/worldwide/ • https://github.com/hfiref0x/TDL • http://www.greyhathacker.net • https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11 • https://www.dfrws.org/sites/default/files/session-files/pres-anti-forensic_resilient_memory_acquisition.pdf • https://www.cs.cmu.edu/~arvinds/pubs/secvisor.pdf • https://github.com/tandasat/MemoryMon • https://igorkorkin.blogspot.com/2018/03/hypervisor-based-active-data-protection.html • https://infocon.org/cons/SyScan/SyScan%202013%20Singapore/SyScan%202013%20Singapore%20presentations/SyScan2013_DAY1_SPEAKER05_Georg_WIcherski_Taming_ROP _ON_SANDY_BRIDGE_syscan.pdf • https://recon.cx/2015/slides/recon2015-05-peter-hlavaty-jihui-lu-This-Time-Font-hunt-you-down-in-4-bytes.pdf EVOLUTION REFERENCES REFERENCES

Recommended

XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Scale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorScale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorThe Linux Foundation
 
µ-Xen
µ-Xenµ-Xen
µ-XenLars Kurth
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorThe Linux Foundation
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013The Linux Foundation
 

Recommended

XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Scale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorScale 12x Securing Your Cloud with The Xen Hypervisor
Scale 12x Securing Your Cloud with The Xen HypervisorThe Linux Foundation
 
µ-Xen
µ-Xenµ-Xen
µ-XenLars Kurth
 
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsXPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE Systems
XPDS16: The OpenXT Project in 2016 - Christopher Clark, BAE SystemsThe Linux Foundation
 
LFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorLFNW2014 Advanced Security Features of Xen Project Hypervisor
LFNW2014 Advanced Security Features of Xen Project HypervisorThe Linux Foundation
 
BlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat v18 || Massive scale usb device driver fuzz without device
BlueHat v18 || Massive scale usb device driver fuzz without deviceBlueHat Security Conference
 
Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013Securing your Cloud with Xen - SUSECon 2013
Securing your Cloud with Xen - SUSECon 2013The Linux Foundation
 
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICThe Linux Foundation
 
Intel update
Intel updateIntel update
Intel updateThe Linux Foundation
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationRootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationThe Linux Foundation
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...The Linux Foundation
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARMLinaro
 
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat Security Conference
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
 
Build-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenBuild-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenThe Linux Foundation
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...The Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
XPDDS18: Xen Project Weather Report 2018
XPDDS18: Xen Project Weather Report 2018XPDDS18: Xen Project Weather Report 2018
XPDDS18: Xen Project Weather Report 2018The Linux Foundation
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
Xen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTXen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTThe Linux Foundation
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixThe Linux Foundation
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMTamas K Lengyel
 
The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
 

More Related Content

What's hot

XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICThe Linux Foundation
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationRootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationThe Linux Foundation
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...The Linux Foundation
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Stefano Stabellini
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARMLinaro
 
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat Security Conference
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...The Linux Foundation
 
Build-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenBuild-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenThe Linux Foundation
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine IntrospectionTamas K Lengyel
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...The Linux Foundation
 
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...The Linux Foundation
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018The Linux Foundation
 
XPDDS18: Xen Project Weather Report 2018
XPDDS18: Xen Project Weather Report 2018XPDDS18: Xen Project Weather Report 2018
XPDDS18: Xen Project Weather Report 2018The Linux Foundation
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat Security Conference
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
Xen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTXen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTThe Linux Foundation
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixThe Linux Foundation
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the LineThe Linux Foundation
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMTamas K Lengyel
 

What's hot (20)

XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGICXPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
XPDS16: Hypervisor Enforced Data Loss Prevention - Neil Sikka, A1LOGIC
 
Intel update
Intel updateIntel update
Intel update
 
Rootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project VirtualisationRootlinux17: An introduction to Xen Project Virtualisation
Rootlinux17: An introduction to Xen Project Virtualisation
 
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
XPDS16: AMD's virtualization memory encryption technology - Brijesh Singh, A...
 
Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)Xen and the art of embedded virtualization (ELC 2017)
Xen and the art of embedded virtualization (ELC 2017)
 
LCA13: Xen on ARM
LCA13: Xen on ARMLCA13: Xen on ARM
LCA13: Xen on ARM
 
BlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit lockerBlueHat v18 || An ice-cold boot to break bit locker
BlueHat v18 || An ice-cold boot to break bit locker
 
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
XPDS16: XSM-Flask, current limitations and Ongoing work. - Anshul Makkar, Ct...
 
Build-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with XenBuild-a-Cloud Day - Securing Your Cloud with Xen
Build-a-Cloud Day - Securing Your Cloud with Xen
 
31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection31c3 Presentation - Virtual Machine Introspection
31c3 Presentation - Virtual Machine Introspection
 
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
CIF16/Scale14x: The latest from the Xen Project (Lars Kurth, Chairman of Xen ...
 
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
XPDS14: OpenXT - Security and the Properties of a Xen Virtualisation Platform...
 
Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018Platform Security Summit 18: Xen Security Weather Report 2018
Platform Security Summit 18: Xen Security Weather Report 2018
 
XPDDS18: Xen Project Weather Report 2018
XPDDS18: Xen Project Weather Report 2018XPDDS18: Xen Project Weather Report 2018
XPDDS18: Xen Project Weather Report 2018
 
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
BlueHat v18 || Return of the kernel rootkit malware (on windows 10)
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
Xen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XTXen and Client Virtualization: the case of XenClient XT
Xen and Client Virtualization: the case of XenClient XT
 
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, CitrixXPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
XPDS14 - Xen on ARM: Status and Performance - Stefano Stabellini, Citrix
 
Xen Project 15 Years down the Line
Xen Project 15 Years down the LineXen Project 15 Years down the Line
Xen Project 15 Years down the Line
 
Virtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARMVirtual Machine Introspection with Xen on ARM
Virtual Machine Introspection with Xen on ARM
 

Similar to Kernel Mode Threats and Practical Defenses

The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldDevOps.com
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...NETWAYS
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenTamas K Lengyel
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & dockerejlp12
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsAntiy Labs
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationzeroSteiner
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentAndy Lee
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel ExploitationzeroSteiner
 
Qinghai Tang, pacsec english-version-final
Qinghai Tang, pacsec english-version-finalQinghai Tang, pacsec english-version-final
Qinghai Tang, pacsec english-version-finalPacSecJP
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPLnitinscribd
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxssusere142fe
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationYan Vugenfirer
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Sysdig
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
 
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't driveDEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't driveFelipe Prado
 

Similar to Kernel Mode Threats and Practical Defenses (20)

The Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote WorldThe Future of Security and Productivity in Our Newly Remote World
The Future of Security and Productivity in Our Newly Remote World
 
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
stackconf 2020 | Replace your Docker based Containers with Cri-o Kata Contain...
 
OffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with XenOffensiveCon2022: Case Studies of Fuzzing with Xen
OffensiveCon2022: Case Studies of Fuzzing with Xen
 
Fuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdfFuzzing_with_Xen.pdf
Fuzzing_with_Xen.pdf
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Linux container & docker
Linux container & dockerLinux container & docker
Linux container & docker
 
Security Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and SystemsSecurity Challenges of Antivirus Engines, Products and Systems
Security Challenges of Antivirus Engines, Products and Systems
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
Bridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized EnvironmentBridging the Semantic Gap in Virtualized Environment
Bridging the Semantic Gap in Virtualized Environment
 
Practical Windows Kernel Exploitation
Practical Windows Kernel ExploitationPractical Windows Kernel Exploitation
Practical Windows Kernel Exploitation
 
Qinghai Tang, pacsec english-version-final
Qinghai Tang, pacsec english-version-finalQinghai Tang, pacsec english-version-final
Qinghai Tang, pacsec english-version-final
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Review of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptxReview of Hardware based solutions for trusted cloud computing.pptx
Review of Hardware based solutions for trusted cloud computing.pptx
 
Container Security Mmanagement
Container Security MmanagementContainer Security Mmanagement
Container Security Mmanagement
 
Implementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migrationImplementing SR-IOv failover for Windows guests during live migration
Implementing SR-IOv failover for Windows guests during live migration
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...Lions, Tigers and Deers: What building zoos can teach us about securing micro...
Lions, Tigers and Deers: What building zoos can teach us about securing micro...
 
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesLarson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
 
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't driveDEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
DEF CON 27 - JESSE MICHAEL - get off the kernel if you can't drive
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 

Recently uploaded (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 

Kernel Mode Threats and Practical Defenses

  • 1. KERNEL MODE THREATS AND PRACTICAL DEFENSES Joe Desimone Gabriel Landau
  • 2. ABOUT US Joe Desimone Senior Malware Researcher Interests include offensive security research, reverse engineering, threat intelligence, and development of endpoint protections. Gabriel Landau Principal Software Engineer Past work includes product & DRM evaluation, malware RE, and offensive security research. Interests include Windows internals, with a focus development of endpoint protections. @gabriellandau @dez_
  • 3. AGENDA PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections PART 3 Augmenting OS defenses
  • 4. WHY THE KERNEL? Defense Evasion • Hide processes, files, registry keys, network activity • Entrenchment/Persistence • Lack of visibility into kernel Privilege Escalation • Same privilege as security software EVOLUTION
  • 5. FIRST GENERATION KERNEL MALWARE Rustock (~2007) • Infect Windows drivers on disk • Standard rootkit functionality TDSS/TDL-1 (~2008) • Reg/File/Process/Network hiding • Infect driver ZeroAccess (~2009) • Overwrite random driver • Hidden encrypted NTFS volume • x86 only EVOLUTION
  • 6. PatchGuard • Detect kernel patching/hooks à BSOD • First on XP SP3 x64 (~2005) Driver Signature Enforcement (DSE) • All drivers must be digitally signed • First on Vista x64 (~2007) Both defenses became more important as x64 market share grew NEW OS DEFENSES EVOLUTION
  • 7. BOOTKITS EEye Bootroot (2005) • First public POC Mebroot AKA Sinowal (~2008) • NDIS hook to evade FW TLD4 (~2010) • Replace kdcom.dll to gain early execution • Modify Boot Config Data (BCD) to disable DSE Replace MBR (or VBR), gain execution before OS. Xpaj (~2012) • Set hooks before PG initialization EVOLUTION
  • 8. COUNTERING BOOTKITS Secure Boot • UEFI validates integrity of OS bootloader • First support was Windows 8 (~2012) Trusted Boot • Each component of early windows boot process is verified by signature Intel Boot Guard • Root of trust in hardware (CPU) Intel BIOS Guard • Secure BIOS Updates EVOLUTION
  • 9. BRING YOUR OWN VULN Uroburos / Turla • Exploit VBox driver • Disable DSE by modifying g_CiEnabled • Disable PatchGuard via RtlCaptureContext hook Derusbi • Exploit Novell driver • Disable DSE by modifying CiOptions • Also used stolen certificates Slingshot • Exploit Sandra driver • Hide network traffic Bring a signed, vulnerable driver. Use it to bootstrap into kernel. EVOLUTION
  • 10. DUQU 2.0 • Main payload used 0day in win32k.sys for kernel execution (CVE-2015-2360) • Hooked IAT of Kaspersky driver to spoof process information • Allowed user mode component to become trusted ksp process • Separate driver used for persistence in DMZ • Used stolen Foxconn certificate • Redirect traffic with NDIS filtering EVOLUTION
  • 11. • Volatile kernel mode implant • Loaded via remote ring0 exploit (ex ETERNALBLUE) • Evade PatchGuard by hooking srv!SrvTransactionNotImplemented pointer • Injects DLLs into usermode via APCs DOUBLEPULSAR EVOLUTION
  • 12. VIRTUALIZATION BASED SECURITY • VTL1 – new Secure Kernel, trustlets • VTL0 – normal Kernel, drivers • Extended Page Tables (SLAT/EPT) to guard access • IOMMU to protect from DMA access • Hypervisor Code Integrity (HVCI) • All kernel code must be signed, (W^X) • Credential Guard EVOLUTION
  • 13. Attacker Initial Kernel Malware – Rustock, TDSS, ZeroAccess Defender First Kernel Defenses – Patchguard and Driver Signature Enforcement (DSE) Defender Countering Bootkits – SecureBoot, Trusted Boot, Boot Guard, etc. Defender Virtualization Based Security (VBS) Attacker BootKit Malware – Sinowal, TDL4, Xpaj Attacker Exploit To Load Driver – Uroburos, Duqu2, DoublePulsar EVOLUTION
  • 14. KERNEL MITIGATIONS ACROSS WINDOWS VERSIONS EVOLUTION
  • 15. Adoption Rate Windows 10 is less than half of worldwide installations. How many are HVCI? EVOLUTION
  • 16. AGENDA PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections PART 3 Augmenting OS defenses
  • 17. INTERNAL RvB FILELESS KERNEL MODE IMPLANT • Evade Blue Team by moving to the kernel • Kernel dev environment • VS 2015, Windows Driver Kit (WDK) 10 • Virtual KD / Windbg • Turla Driver Loader (TDL) EVASION
  • 18. IMPLANT DESIGN • Kernel mode ONLY • Winsock Kernel (WSK) for C2 • Triggerable (no beacons) • Basic backdoor functionality EVASION
  • 19. Confidential and Proprietary 19 IMPLANT LOADER Script .NET Native Squiblydoo XSL / Jscript PowerShell DotNetToJS .NET MemoryModule TDL / Exploit EVASION
  • 20. STAYING DISKLESS NETWORK DRIVER LOAD • Avoid dropping driver to disk by loading it with WebDAV: • ZwLoadDriver(DeviceWebDavRedirector;127.0.0.1@8000exploitable.sys) • Sysmon path conversion bug EVASION
  • 24. • Virtual box driver vulnerability is a no-go, won't even load under HVCI • Step one was to find a vulnerable driver which could load under HVCI. www.greyhathacker.net has tons of POCs (Parvez Anwar) • BYOV – Bring your own vulnerability. Choose wisely! • Static 1-byte write vs • Write *what where EVADING VBS / HVCI EVASION
  • 25. • Modification of kernel memory can significantly compromise the integrity of the system • IAT patching • Even if IAT was protected by VBS, there are many other targets • Disable EDR kernel-user communications • Disable security focused kernel ETW providers • Microsoft-Windows-Threat-Intelligence • Elevate Privileges – Token or Handle • Data / Data Corruption EVADING VBS / HVCI DATA DRIVEN ATTACKS EVASION
  • 29. • Create a "surrogate" thread, put it to sleep • Find location of stack [_ETHREAD] • Build rop chain • Hook stack -> overwrite NtWaitForSingleObject pointer with pivot gadget • Resume thread (ReleaseMutex) EVADING VBS / HVCI CODE RE-USE EVASION
  • 30. • Dynamically build chain based on number of arguments in target function • We have 10 gadgets for full N-Argument function call • Pivot (pop rsp, ret) • Restore the 16 bytes overwritten on the stack • Setup arguments in registers/stack • Call target function • Save return value (rax) • Restore R14 (mutex object) • Unpivot EVADING VBS / HVCI CODE RE-USE EVASION
  • 33. AGENDA PART 3 Augmenting OS defenses PART 1 Evolution of kernel mode threats and platform protections PART 2 Offensive tradecraft to evade platform protections
  • 34. • You should very carefully monitor driver load events • Look for low prevalence drivers • Identify known-exploited drivers (blacklist) • Free Instrumentation: • Sysmon Event ID 6: Driver loaded • Windows Defender Application Control (DG) Audit Mode DRIVER EVENTING EVOLUTION DEFENSES
  • 35. • Limit kernel drivers to WHQL REDUCING ATTACK SURFACE EVOLUTION DEFENSES
  • 36. • Blacklisting Exploitable Drivers • Default in Win10 RS5 HVCI • Endgame Kernel Attack Surface Reduction (KASR) • No configuration required • Free. Available at www.endgame.com REDUCING ATTACK SURFACE EVOLUTION DEFENSES
  • 37. Full memory acquisition and offline analysis does not scale Problem Leverage the same techniques to read kernel memory at the endpoint and perform analysis on the endpoint • DevicePhysicalMemory • MmMapIoSpace • MmMapMemoryDumpMdl • Page Table Entry (PTE) Remapping Solution EVOLUTIN DEFENSES KERNEL MEMORY COLLECTION
  • 38. • Page Table Entry (PTE) remapping • Invented by Stüttgen and Cohen • Most performant in testing • More resilient to tampering from rootkits (No API to hook) • Based on CPU architecture, so it is cross-OS-compatible • Modify the PTE of a controlled chunk of memory to point to where you want to read KERNEL MEMORY COLLECTION EVOLUTION DEFENSES
  • 39. • Generically detect function pointer hook • Locate function pointers by walking relocation tables • Endgame Marta • Free. Available at www.endgame.com FUNCTION POINTER INTEGRITY SCAN Originally pointed to +X section in on- disk copy of driver Does not point to a loaded driver in memory Points to executable memory Consider a hit if… EVOLUTION DEFENSES
  • 40. Performance Monitoring Unit (PMU) • Built into most CPUs in the last decade • Programmable to count specific events • Can generate an interrupt when a certain number of events occur Detect unbacked kernel shellcode / unbacked drivers • Program PMU to fire interrupts on some event likely to occur inside unbacked driver. • When interrupt fires, validate IP belongs to a driver REALTIME DETECTION OF UNBACKED KERNEL CODE DEFENSES
  • 42. Weaknesses • FP from unbacked drivers (including PatchGuard) • Vulnerable to PMU disablement via MSR • Detection driver is susceptible to data attacks EVOLUTION DEFENSES REALTIME DETECTION OF UNBACKED KERNEL CODE
  • 43. • MemoryMon • Leverage EPT to detected unbacked kernel code execution • AllMemPro • Mitigates data attacks by isolating driver data with hypervisor • Based on same platform as MemoryMon • SecVisor • CMU research from 2007 • Early implementation of hypervisor enforced code integrity HYPERVISOR APPROACHES EVOLUTION DEFENSES
  • 44. HARDENING THE WINDOWS KERNEL AGAINST ROP EVOLUTION DEFENSES
  • 45. • CFG provides forward-edge CFI, but there is no reverse-edge CFI • RFG was cancelled • Intel CET requires future hardware HARDENING THE WINDOWS KERNEL AGAINST ROP IDEA Provide reverse-edge kernel CFI using the PMU EVOLUTION DEFENSES
  • 46. ROP tends to generate lots of mispredictions • Scan drivers to identify call/return sites • Configure LBR to record CPL0 near returns • Configure PMU fire PMI when BR_MISP_RETIRED counter overflows • Validate every new LBR entry is call-preceded Performance • Protection tunable from deterministic to probabilistic • JetStream benchmark on Intel Skylake 6700K: ~1.1% overhead EVOLUTION DEFENSES HARDENING THE WINDOWS KERNEL AGAINST ROP
  • 48. • Limitations • Vulnerable to malicious drivers. Hypervisor protection needed. • wrmsr IA32_PERF_GLOBAL_CTRL, 0 • Data attack against policy bitmap • Requires available PMU and LBR • No VMware/Hyper-V support • Incompatible with obfuscated drivers • Windows ships with two: clipsp.sys and peauth.sys • Something similar exists on Linux EVOLUTION DEFENSES HARDENING THE WINDOWS KERNEL AGAINST ROP
  • 49. • Windows platform security has gotten much better in the last decade. However, kernel mode threats are still a big concern • Use Windows 10 with SecureBoot and HVCI • Require EV/WHQL drivers via code integrity policy • Monitor and hunt on driver load events CONCLUSION
  • 51. • https://www.virusbulletin.com/virusbulletin/2008/08/yet-another-rustock-analysis • https://securelist.com/rustock-and-all-that/36217/ • https://securelist.com/tdss/36314/ • https://people.eecs.berkeley.edu/~pearce/papers/zeroaccess_tr_2013.pdf • https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-zeroaccess-infection-analysis-12-en.pdf • https://nakedsecurity.sophos.com/zeroaccess/ • https://msdn.microsoft.com/en-us/library/bb530195.aspx • https://securelist.com/tdss-tdl-4/36339/ • https://www.coseinc.com/en/index.php?rt=download&act=publication&file=TDL4_Carrier_to_Glupteba.pdf • https://resources.infosecinstitute.com/uefi-and-tpm/ • http://www.uefi.org/sites/default/files/resources/UEFI_Secure_Boot_in_Modern_Computer_Security_Solutions_2013.pdf • https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/security-technologies-4th-gen-core-retail-paper.pdf • https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf • https://www.sekoia.fr/blog/windows-driver-signing-bypass-by-derusbi/ EVOLUTION REFERENCES REFERENCES
  • 52. • https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf • https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205202/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf • https://securelist.com/the-duqu-2-0-persistence-module/70641/ • https://zerosum0x0.blogspot.com/2017/04/doublepulsar-initial-smb-backdoor-ring.html • http://www.alex-ionescu.com/blackhat2015.pdf • http://gs.statcounter.com/windows-version-market-share/desktop/worldwide/ • https://github.com/hfiref0x/TDL • http://www.greyhathacker.net • https://posts.specterops.io/threat-detection-using-windows-defender-application-control-device-guard-in-audit-mode-602b48cd1c11 • https://www.dfrws.org/sites/default/files/session-files/pres-anti-forensic_resilient_memory_acquisition.pdf • https://www.cs.cmu.edu/~arvinds/pubs/secvisor.pdf • https://github.com/tandasat/MemoryMon • https://igorkorkin.blogspot.com/2018/03/hypervisor-based-active-data-protection.html • https://infocon.org/cons/SyScan/SyScan%202013%20Singapore/SyScan%202013%20Singapore%20presentations/SyScan2013_DAY1_SPEAKER05_Georg_WIcherski_Taming_ROP _ON_SANDY_BRIDGE_syscan.pdf • https://recon.cx/2015/slides/recon2015-05-peter-hlavaty-jihui-lu-This-Time-Font-hunt-you-down-in-4-bytes.pdf EVOLUTION REFERENCES REFERENCES