Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

•

0 likes•448 views

The document discusses two simple anti-forensics attacks that can fool live memory forensics. The first attack modifies the CR3 register to point to a malicious page table instead of the real one. The second attack modifies the IDTR and IA32_SYSENTER_EIP registers to hook system calls. Most memory acquisition tools do not collect system register values, making these attacks difficult to detect. To prevent these attacks, forensic tools need to acquire system register values and check that the physical and logical memory layouts match the register values.

Technology Business

Lack of System Registers
and two simple anti-forensic attacks

Tsukasa Ooi <li@livegrid.org>
Lead Analyst, Livegrid Incorporated

Related Topics
• Live Memory Forensics
• Anti-forensics
• Rootkits

What is “anti-forensics”?
• The way to prevent forensics
• Not only attackers!
– Anti-forensics is also useful for bad guys
to prevent OWN MACHINE to be forensically analyzed
• But forget it.
– I’m not talking about this…

I will be Taking at:
• PacSec 2009
Stealthy Rootkit – How bad guy fools live memory forensics?

Live Memory Forensics/Imaging
• Forensics based on memory of running machine
• Done by Memory Acquisition Tools
– EnCase
– dd
–…

What Physical Memory Acquisition Tools Do?
• Acquire contents of Physical Memory
• Acquire System Registers (optional)
Really, “optional”?

What rootkits can do?
• Can fake forensics software without acquiring
contents of System Registers.

Really?
• Many software does!
– EnCase
– (RAW) dd
– Memoryze
– WinEN
– FastDump
– …

Way to attack – part one (1)
• Modify CR3 Registers (Pointer to Paging Structure)

Way to attack – part one (2)
CR3 that forensic software recognized

Kernel

Kernel Kernel
(unmodified) (malicious)

real CR3

Way to attack – part one (3)
• If System Registers are missing,
forensic software finds signatures of system.
• But these mechanism are very easy to fool.

Way to attack – part one (4)
• Keep system (physical) memory range unmodified
• Create backup region
• Copy part of kernel and patch backup
• Change CR3 to rootkit’s one

Way to attack – part one (5)
CR3 that forensic software recognized

Kernel

Kernel Kernel
(unmodified) (malicious)

real CR3

Way to attack – part one (6)
• But this attack is a bit difficult because
rootkit must manage its own page table.
• There is one more way that is very easy!

Way to attack – part two (1)
IDTR/IA32_SYSENTER_EIP recognized

Kernel

Kernel Rootkit
(unmodified) Code

real IDTR/IA32_SYSENTER_EIP

Way to attack – part two (2)
• IDTR is a system register managing
interrupts and exceptions
– Including page faults
• IA32_SYSENTER_EIP MSR / LSTAR_MSR
is a pointer to system call entry
– Can hook/modify system calls

Way to attack – part two (3)
• Way to implement:
<Begin> Change these registers <End>
Very easy right?
• These are widely used by current rootkits
but also useful for anti-forensics
– If attacker hide rootkit somewhere in the memory,
there are no general ways to detect these attacks!

Way to prevent these attacks (1)
• Acquire these system registers
– CR3
– IDTR
– IA32_SYSENTER_EIP MSR
– LSTAR_MSR
• (If rootkit use CR3/IDTR)
Check physical and logical memory layout

Way to prevent these attacks (2)
• Interrupt Descriptor Table layout and
Page Table layout are easy to detect
• So…
– Find these tables
– Check if these tables are “malicious”

Conclusion
• Acquire system registers as possible
• New approach for forensics is needed

Have any questions?

THANK YOU
Tsukasa Ooi <li@livegrid.org>
Livegrid Incorporated, Lead Analyst

Technical Articles and Sources
• … will be available December, 2009
• at http://a4lg.com/

The document proposes a hardware-based scheme called Secure Proactive Recovery to improve mission assurance of long-running applications. It uses redundant hardware replicas running the same workload and periodically checkpoints states and generates hardware signatures to detect any anomalies or attacks. The scheme was evaluated using a multi-step simulation approach and Java benchmark workloads. Results show it adds a small overhead in the absence of failures but improves survivability against failures and attacks.

MNSEC 2018 - Windows forensics

MNCERT

This document discusses forensic analysis on Windows systems. It provides an overview of important Windows artifacts for forensic investigation including the registry, event logs, file system metadata and memory analysis. Specific tools are also mentioned for acquiring disk and memory images, parsing timelines, analyzing the registry and memory, including FTK Imager, SIFT, Redline, Volatility and REGRIPPER. An example case is described where crypto-mining malware was found running on a system through analysis of process listings, file system metadata and logs.

Os introduction

Kanika Garg

This document provides an overview of operating system basics. It defines an operating system as an intermediary between the computer user and hardware that manages system resources and makes the hardware convenient to use. It describes the basic components of a computer system including the CPU, memory, disk, and I/O devices. It also covers operating system concepts such as multitasking, interrupts, system calls, startup process, and OS philosophies regarding microkernels vs macrokernels.

Os introduction

Ravi Ramchandani

This document provides an overview of operating system basics. It defines an operating system as an intermediary between the computer user and hardware that manages system resources and makes the hardware convenient to use. It describes the basic components of a computer system including the CPU, memory, disk, and I/O devices. It also explains key operating system concepts such as multitasking, interrupts, system calls, boot process, and protection and security.

Introduction to forensic imaging

Marco Alamanni

This is a draft presentation of a video lesson taken from the course "Digital forensics with Kali Linux" published by Packt Publishing in May 2017: https://www.packtpub.com/networking-and-servers/digital-forensics-kali-linux This presentation introduces the fundamentals of the forensic image acquisition process, explaining concepts like hardware and software write blocking, the physical and logical structure of hard disks and the different forensic image formats.

Live Forensics

CTIN

The document discusses the importance of live forensics, including analyzing RAM during an investigation. It notes that federal judges are now briefed on the need for live forensics, and that not analyzing RAM could result in missing important evidence. The document recommends tools for remote collection and analysis of RAM such as F-Response and X-Ways Forensics. It also provides resources on Windows forensics including books, conferences, and free and commercial software options.

SANS Windows Artifact Analysis 2012

Rian Yulian

This document summarizes several Windows registry keys and artifacts that can provide information about a user's digital activities. It describes keys that track recently opened files, installed applications, browser history and search terms, network connections, and more. Examining these locations can reveal details like the files and websites a user accessed, when they were accessed, and from where they originated.

Forensic imaging

DINESH KAMBLE

This document discusses forensic imaging. It describes how forensic imaging creates an exact copy of a hard drive or other media that can be used as digital evidence. It outlines different types of forensic imaging like physical, logical, and targeted collection. It also lists several tools that are commonly used for forensic imaging like FTK Imager, DriveImage XML, and EnCase forensic imager. Finally, it provides guidance on initial response when encountering shut down machines or live machines at a crime scene.

This document provides an overview of operating system basics. It defines an operating system as an intermediary between the computer user and hardware that manages system resources and makes the hardware convenient to use. It describes the basic components of a computer system including the CPU, memory, disk, and I/O devices. It also explains key operating system concepts such as multitasking, interrupts, system calls, boot process, and protection and security.

Introduction to forensic imaging

Marco Alamanni

Live Forensics

CTIN

SANS Windows Artifact Analysis 2012

Rian Yulian

Forensic imaging

DINESH KAMBLE

システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009Tsukasa Oi

A New Tracer for Reverse Engineering - PacSec 2010

Tsukasa Oi

This document discusses a new tracer for reverse engineering based on record and replay. It aims to make reverse engineering more efficient by overcoming issues with existing instruction tracers like slow speed and large data generation. The proposed tracer is implemented as a virtual machine monitor (VMM) on x64 platforms using binary translation. By classifying elements as deterministic or nondeterministic inputs and interrupts, it can generate small trace logs and have overhead under 100% by leveraging record and replay techniques. It also discusses challenges in modeling x86 elements and implementing lazy evaluation for EFLAGS to further improve efficiency.

Mr201309 automated on-execute test using virtualbox jpnFFRI, Inc.

Windows をより安全にする SafeSEH on MinGWTsukasa Oi

PHPにないセキュリティ機能

Yasuo Ohgaki

さらば、Stagefright 脆弱性

Tsukasa Oi

90% 以上の Android 端末に直接深刻な影響を及ぼし、まず間違いなく過去最大規模のセキュリティアップデートを引き起こすであろう Stagefright 脆弱性。しかしその情報の伝えられ方には数々の問題が存在し、結果としてかなりの混乱を引き起こしてしまった。このセッションでは、Stagefright 脆弱性がどういうものなのかを解説しつつ、引き起こされた騒動全体を振り返り、反省点と将来への展望を見出す。

セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009Tsukasa Oi

Unity Solution Conference 2015 Asset Touch and Try List

Takashi Jona

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009

Tsukasa Oi

This document discusses how rootkits can fool live memory forensics through shadow paging. It explains that rootkits can take control of the page table to redirect memory mappings and hide malicious processes and data from forensic software. It acknowledges weaknesses in current forensic tools and outlines approaches like destroying the rootkit's context or acquiring memory directly to obtain correct contents. The conclusion is that live memory forensics is flawed if the system may be infected, and local detection tools should be used instead.

Hacking Question and Answer

Greater Noida Institute Of Technology

This document provides an overview of hacking, including definitions of common hacking terms, a brief history of hacking, types of hacking activities, reasons why people hack, and tips for protecting systems from hackers. It defines hackers and crackers, describes early forms of hacking like phone and computer hacking. It also outlines common hacker activities after gaining access like installing backdoors, and how system administrators can help prevent hacking by patching systems, using encryption, and installing firewalls and intrusion detection systems.

You suck at Memory Analysis

Francisco Ribeiro

From the current offensive and defensive technique arsenal, memory analysis applied to volatile memory is far from being the most explored channel. It is more likely to hear about input validation attacks or attacks against the protocol & cryptography while keys, passphrases, credit card numbers and other precious artifacts are kept unsafely in memory. This analysis arises as a mine waiting to be explored since it is sustained by one of the most vulnerable and unavoidable resource to systems, memory. From Java to Stuxnex, as well as Windows but without forgetting the Cloud, I will try to show some scenarios where these techniques can be applied, its impact as a threat and bring an important and fun subject not just to those who work in forensics but also to penetration testers as myself. Finally, I will also try to show how can this be used for defensive technologies as tools for monitoring and protection in networks with systems in production.

Oleksyk applied-anti-forensics

DefconRussia

The document discusses exploiting vulnerabilities in the Windows registry and kernel to execute malicious code without detection. It describes how vulnerabilities in functions like RtlQueryRegistryValues and win32k.sys that improperly read registry values can be triggered to cause a buffer overflow and gain kernel code execution. The goal is to store malicious code in the registry and have it execute by exploiting these vulnerabilities during system startup before detection can occur.

Disk forensics

Chiawei Wang

The document provides an overview of disk forensics concepts and tools used for analyzing disk images. It discusses locating the NTFS partition, inspecting the master boot record and partition table. It also covers the NTFS file system structures like the master file table, file attributes, alternate data streams, and methods for recovering deleted files. Timestamp analysis and registry forensics are also briefly introduced. Various forensic tools like The Sleuth Kit, Autopsy, and samdump2 are demonstrated.

Automated defense from rootkit attacks

UltraUploader

The document proposes an approach for automated defense against rootkit attacks through early detection and containment. It tracks dependencies between files and processes to automatically undo any damage caused by intrusions. The approach detects intrusions when malicious processes illegally access protected system zones. A prototype was developed demonstrating detection of a user-level rootkit, kernel-level rootkit, and stealth worm. Future work includes intrusion detection through system call and network anomalies.

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kuniyasu Suzaki

Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx

smile790243

Lecture 09 - Memory Forensics.pdf L E C T U R E 9 B Y : D R . I B R A H I M B A G G I L I Memory Forensic Analysis P A R T 1 RAM overview Volatility overview http://www.bsatroop780.org/skills/images/ComputerMemory.gif Understanding RAM •  Two main types of RAM –  Static •  Not refreshed •  Is still volatile –  Dynamic •  Modern computers •  Made up of a collection of cells •  Each cell contains a transistor and a capacitor •  Capacitors charge and discharge (1 and zeros) •  Periodically refreshed RAM logical organization •  Programs run on computers •  Programs are made up of processes –  Processes are a set of resources used when executing an instance of a program –  Processes do not generally access the physical memory directly –  Each process has a �virtual memory space� •  Allows operating system to stay in control of allocating memory –  Virtual memory space is made up of •  Pages (default size 4K) •  References (used to map virtual address to physical address) •  May also have a reference to data on the disk (Page file) – used to free up RAM memory RAM logical organization !  Each process is represented by an EPROCESS Block: Normal memory • Each process is represented by an _EPROCESS block. • Contained within each _EPROCESS block is both a pointer to the next process (fLink – Forward Link) and a pointer to the previous process (bLink – Back Link). •  When OS is operating, the _EPROCESS blocks and their pointers come together to resemble a chain, which is known as a doubly-linked list. • Chain is stored in kernel memory and is updated every time a process is launched or terminated. • Windows API walks this list from head to tail when enumerating processes via Task Manager, for example. Not so normal • Hides processes from windows API • Known as Direct Kernel Object Manipulation (DKOM) • Involves manipulating the list of _EPROCESS blocks to �unlink� a given process from the list • By changing the forward link of process 1 to point to the third process, and changing the �bLink� of process 3 to point to process 1, the attacker�s process is no longer part of the list of _EPROCESS blocks. • Since the Windows API uses this list to enumerate processes, the malicious process will be hidden from the user but still able to operate normally. P A R T 2 Introduction to Memory forensics Before & Now !  Traditionally !  We have always been told to �pull the plug� on a live system !  This is done so that the reliability of the digital evidence is not questioned !  Now !  People are considering live memory forensics "  Data relevant to the investigation may lie in memory "  Whole Disk Encryption…. Challenges in traditional method •  High volume of data (Aldestein, 2006) –  Increases the time in an investigation –  Increases storage capacity needed for forensic images –  Number of machines that could be included in th ...

Live Memory Forensics on Android devices

Nikos Gkogkos

Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...

Lastline, Inc.

This document discusses techniques for achieving successful automated dynamic analysis of evasive malware through full system emulation. It begins by introducing the speaker and their background in malware research. It then discusses the goals of automated malware analysis, different analysis approaches (such as system call hooking and process emulation), and how full system emulation provides the highest visibility and fidelity while maintaining good performance. The document also covers challenges posed by malware evasion techniques and ways analysis systems can work to bypass triggers and detect stalling code.

A Hypervisor IPS based on Hardware Assisted Virtualization Technology

FFRI, Inc.

This document describes Viton, a hypervisor-based intrusion prevention system (IPS) developed by Fourteenforty Research Institute. Viton runs as a hypervisor using hardware-assisted virtualization technology to monitor the guest operating system for malicious activity. It protects persistent system resources by blocking all VMX instructions, monitoring registers like IDTR and MSR, and protecting read-only code sections of the kernel from modification. Viton aims to enforce immutability of critical system structures to detect rootkits and other malware running inside the guest OS.

Monolithic kernel

ARAVIND18MCS1004

This document discusses monolithic kernels. It defines a kernel as the core component of an operating system that controls processes, memory management, I/O devices, and acts as an interface between hardware and applications. A monolithic kernel runs all basic system services like process management and I/O communication within the kernel space. While monolithic kernels provide rich hardware access and fast execution, they are difficult to maintain and debug due to their large size and lack of modularity.

AOS Lab 5: System calls

Zubair Nabi

The document discusses system calls and how they are handled in operating systems. It explains that system calls allow user processes to request services from the kernel by generating an interrupt that switches the processor into kernel mode. On x86 processors, the interrupt handler saves process state and routes the call to the appropriate kernel code based on an interrupt descriptor table with 256 entries. The document provides details on how Linux/x86 implements system calls, exceptions, and interrupts using the IDT, and switches between user and kernel mode to maintain isolation.

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

lior mazor

Viewers also liked

システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009Tsukasa Oi

A New Tracer for Reverse Engineering - PacSec 2010

Tsukasa Oi

Mr201309 automated on-execute test using virtualbox jpnFFRI, Inc.

Windows をより安全にする SafeSEH on MinGWTsukasa Oi

PHPにないセキュリティ機能

Yasuo Ohgaki

さらば、Stagefright 脆弱性

Tsukasa Oi

セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009Tsukasa Oi

Unity Solution Conference 2015 Asset Touch and Try List

Takashi Jona

Viewers also liked (8)

システムレジスタの不足と2つのシンプルなアンチフォレンジック攻撃 - AVTokyo 2009

A New Tracer for Reverse Engineering - PacSec 2010

Mr201309 automated on-execute test using virtualbox jpn

Windows をより安全にする SafeSEH on MinGW

PHPにないセキュリティ機能

さらば、Stagefright 脆弱性

セキュアVMの構築 (IntelとAMDの比較、あともうひとつ...) - AVTokyo 2009

Unity Solution Conference 2015 Asset Touch and Try List

Similar to Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009

Tsukasa Oi

Hacking Question and Answer

Greater Noida Institute Of Technology

You suck at Memory Analysis

Francisco Ribeiro

Oleksyk applied-anti-forensics

DefconRussia

Disk forensics

Chiawei Wang

Automated defense from rootkit attacks

UltraUploader

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Kuniyasu Suzaki

Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx

smile790243

Live Memory Forensics on Android devices

Nikos Gkogkos

Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...

Lastline, Inc.

A Hypervisor IPS based on Hardware Assisted Virtualization Technology

FFRI, Inc.

Monolithic kernel

ARAVIND18MCS1004

AOS Lab 5: System calls

Zubair Nabi

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

lior mazor

openioc_scan - IOC scanner for memory forensics

Takahiro Haruyama

Indicator of Compromise (IOC) is a piece of information that can be used to search for or identify potentially compromised systems. openioc_scan is an open-source IOC scanner for memory forensics and implemented as a plugin of Volatility Framework. By checking IOCs in RAM images (e.g., code injection sign, used/hooked API functions, unpacked code sequences), we can detect malware faster and deeper than disk-based traditional IOCs. In this presentation, I explain how to define and improve IOCs for openioc_scan, introduce IOC examples including not only IOCs for specific malware but also ones focusing on generic traits of malware. I also show remote malware triage automation combining with F-Response.

Memory Forensics

Anshul Tayal

Android App Security Fundamentals

AndreaCioccarelli

This document provides an overview of Android app security fundamentals, including app anatomy and lifecycle, protection use cases, tradeoffs, attack vectors, security countermeasures, external protection systems, and passive security mechanisms. It discusses how apps can be attacked via tampering, emulated execution, custom OS, runtime attacks, repackaging, code injection, and data editing. It also outlines various security countermeasures like root detection, emulator detection, and integrity checks. Finally, it mentions external systems and passive security techniques that can help protect Android apps.

One-Byte Modification for Breaking Memory Forensic Analysis

Takahiro Haruyama

The document proposes a one-byte modification method to potentially abort memory forensic analysis tools without impacting the running system or hiding specific objects. It identifies three sensitive operations in memory analysis: 1) virtual address translation in kernel space, 2) guessing the OS version and architecture, and 3) getting kernel objects like processes. For each operation, it outlines how top tools like Volatility and Memoryze perform the operation and identifies specific "abort factors", or one-byte values that could be modified to abort the analysis without direct detection. Modifying these factors could stop analysis tools from functioning properly without blue screening the system or hiding specific objects.

A methodology to detect and characterize kernel level rootkit exploits involv...

UltraUploader

This document proposes a methodology to detect and characterize kernel-level rootkit exploits that involve redirection of the system call table. It begins with background on rootkits and their threat. It then presents a mathematical framework to classify rootkit exploits as existing, modifications to existing, or entirely new. The framework analyzes differences between original programs and rootkit versions to derive signatures. Finally, it discusses existing detection methods and their limitations for detecting kernel-level rootkits, proposing new detection methods be developed based on the characterization analysis.

CarolinaCon 2008 Rootkits Then and Now

Tyler Shields

This document discusses the history and evolution of rootkits from the 1980s to present day. It defines rootkits as software designed to take control of a system without authorization and hide its presence. The document outlines different classes of rootkits including application, library, kernel, and firmware level rootkits. It also discusses techniques for detecting rootkits at each level, noting that kernel and firmware level rootkits are the most difficult to detect.

Similar to Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009 (20)

Stealthy Rootkit : How bad guy fools live memory forensics? - PacSec 2009

Hacking Question and Answer

You suck at Memory Analysis

Oleksyk applied-anti-forensics

Disk forensics

Automated defense from rootkit attacks

Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec...

Lecture 09 - Memory Forensics.pdfL E C T U R E 9 B Y .docx

Live Memory Forensics on Android devices

Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...

A Hypervisor IPS based on Hardware Assisted Virtualization Technology

Monolithic kernel

AOS Lab 5: System calls

The Hacking Games - Operation System Vulnerabilities Meetup 29112022

openioc_scan - IOC scanner for memory forensics

Memory Forensics

Android App Security Fundamentals

One-Byte Modification for Breaking Memory Forensic Analysis

A methodology to detect and characterize kernel level rootkit exploits involv...

CarolinaCon 2008 Rootkits Then and Now

Recently uploaded

UiPath Test Automation using UiPath Test Suite series, part 6

DianaGray10

Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI. UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities. Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes. What will you get from this session? 1. Insights into integrating generative AI. 2. Understanding how this integration enhances test automation within the UiPath platform 3. Practical demonstrations 4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath Topics covered: What is generative AI Test Automation with generative AI and Open AI. UiPath integration with generative AI Speaker: Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP

Essentials of Automations: The Art of Triggers and Actions in FME

Safe Software

In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation. We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios. Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!

Artificial Intelligence for XMLDevelopment

Octavian Nadolu

In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject. We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup. Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved. The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring. The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise. By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.

Presentation of the OECD Artificial Intelligence Review of Germany

innovationoecd

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Neo4j

Leonard Jayamohan, Partner & Generative AI Lead, Deloitte This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Mariano G Tinti - Decoding SpaceX

Mariano Tinti

“I’m still / I’m still / Chaining from the Block”

Claudio Di Ciccio

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

Malak Abu Hammad

Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers: * What is Vector Search? * Importance and benefits of vector search * Practical use cases across various industries * Step-by-step implementation guide * Live demos with code snippets * Enhancing LLM capabilities with vector search * Best practices and optimization strategies Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications. #MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

Neo4j

Dr. Sean Tan, Head of Data Science, Changi Airport Group Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

RESUME BUILDER APPLICATION Project for students

KAMESHS29

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

SOFTTECHHUB

The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing. One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

TrustArc Webinar - 2024 Global Privacy Survey

TrustArc

How does your privacy program stack up against your peers? What challenges are privacy teams tackling and prioritizing in 2024? In the fifth annual Global Privacy Benchmarks Survey, we asked over 1,800 global privacy professionals and business executives to share their perspectives on the current state of privacy inside and outside of their organizations. This year’s report focused on emerging areas of importance for privacy and compliance professionals, including considerations and implications of Artificial Intelligence (AI) technologies, building brand trust, and different approaches for achieving higher privacy competence scores. See how organizational priorities and strategic approaches to data security and privacy are evolving around the globe. This webinar will review: - The top 10 privacy insights from the fifth annual Global Privacy Benchmarks Survey - The top challenges for privacy leaders, practitioners, and organizations in 2024 - Key themes to consider in developing and maintaining your privacy program

Mind map of terminologies used in context of Generative AI

Kumud Singh

20240605 QFM017 Machine Intelligence Reading List May 2024

Matthew Sinclair

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

IndexBug

Recently uploaded (20)

UiPath Test Automation using UiPath Test Suite series, part 6

Essentials of Automations: The Art of Triggers and Actions in FME

Artificial Intelligence for XMLDevelopment

Presentation of the OECD Artificial Intelligence Review of Germany

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor...

Removing Uninteresting Bytes in Software Fuzzing

Mariano G Tinti - Decoding SpaceX

“I’m still / I’m still / Chaining from the Block”

Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf

GraphSummit Singapore | Enhancing Changi Airport Group's Passenger Experience...

20240609 QFM020 Irresponsible AI Reading List May 2024

RESUME BUILDER APPLICATION Project for students

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...

National Security Agency - NSA mobile device best practices

TrustArc Webinar - 2024 Global Privacy Survey

Mind map of terminologies used in context of Generative AI

20240605 QFM017 Machine Intelligence Reading List May 2024

AI 101: An Introduction to the Basics and Impact of Artificial Intelligence

Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

1. Lack of System Registers and two simple anti-forensic attacks Tsukasa Ooi <li@livegrid.org> Lead Analyst, Livegrid Incorporated

2. Related Topics • Live Memory Forensics • Anti-forensics • Rootkits

3. What is “anti-forensics”? • The way to prevent forensics • Not only attackers! – Anti-forensics is also useful for bad guys to prevent OWN MACHINE to be forensically analyzed • But forget it. – I’m not talking about this…

4. I will be Taking at: • PacSec 2009 Stealthy Rootkit – How bad guy fools live memory forensics?

5. Live Memory Forensics/Imaging • Forensics based on memory of running machine • Done by Memory Acquisition Tools – EnCase – dd –…

6. What Physical Memory Acquisition Tools Do? • Acquire contents of Physical Memory • Acquire System Registers (optional) Really, “optional”?

7. What rootkits can do? • Can fake forensics software without acquiring contents of System Registers.

8. Really? • Many software does! – EnCase – (RAW) dd – Memoryze – WinEN – FastDump – …

9. Way to attack – part one (1) • Modify CR3 Registers (Pointer to Paging Structure)

10. Way to attack – part one (2) CR3 that forensic software recognized Kernel Kernel Kernel (unmodified) (malicious) real CR3

11. Way to attack – part one (3) • If System Registers are missing, forensic software finds signatures of system. • But these mechanism are very easy to fool.

12. Way to attack – part one (4) • Keep system (physical) memory range unmodified • Create backup region • Copy part of kernel and patch backup • Change CR3 to rootkit’s one

13. Way to attack – part one (5) CR3 that forensic software recognized Kernel Kernel Kernel (unmodified) (malicious) real CR3

14. Way to attack – part one (6) • But this attack is a bit difficult because rootkit must manage its own page table. • There is one more way that is very easy!

15. Way to attack – part two (1) IDTR/IA32_SYSENTER_EIP recognized Kernel Kernel Rootkit (unmodified) Code real IDTR/IA32_SYSENTER_EIP

16. Way to attack – part two (2) • IDTR is a system register managing interrupts and exceptions – Including page faults • IA32_SYSENTER_EIP MSR / LSTAR_MSR is a pointer to system call entry – Can hook/modify system calls

17. Way to attack – part two (3) • Way to implement: <Begin> Change these registers <End> Very easy right? • These are widely used by current rootkits but also useful for anti-forensics – If attacker hide rootkit somewhere in the memory, there are no general ways to detect these attacks!

18. Way to prevent these attacks (1) • Acquire these system registers – CR3 – IDTR – IA32_SYSENTER_EIP MSR – LSTAR_MSR • (If rootkit use CR3/IDTR) Check physical and logical memory layout

19. Way to prevent these attacks (2) • Interrupt Descriptor Table layout and Page Table layout are easy to detect • So… – Find these tables – Check if these tables are “malicious”

20. Conclusion • Acquire system registers as possible • New approach for forensics is needed

21. Have any questions? THANK YOU Tsukasa Ooi <li@livegrid.org> Livegrid Incorporated, Lead Analyst

22. Technical Articles and Sources • … will be available December, 2009 • at http://a4lg.com/

Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

Recommended

Recommended

More Related Content

Viewers also liked

Viewers also liked (8)

Similar to Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009

Similar to Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009 (20)

Recently uploaded

Recently uploaded (20)

Lack of System Registers and two simple anti-forensic attacks - AVTokyo 2009