Report for S4x14 (SCADA Security Scientific Symposium 2014)
1. The Security World You Don't Know: S4x14 Report
(2014/1/14-17)
@Miami International University
http://www.cvent.com/events/s4x14/agenda-5454e261d84146aebb78361954f3e5f8.aspx
National Institute of Advanced Industrial Science and Technology (AIST)
Kuniyasu Suzaki
2. What is S4x14?
• S4x14 is short for "SCADA Security Scientific Symposium 2014".
• In other words, it is a security symposium about SCADA.
• So, do you know what SCADA is?
3. What's SCADA?!!
• SCADA stands for "Supervisory Control And Data Acquisition".
• Mystery solved, right?
• What, not yet? Then let me show you concretely what it is.
5. What is SCADA's problem?
• SCADA is used in control systems.
  – Power generation facilities, gas plants, water management systems, etc.
• SCADA products run on Windows. There are not that many products.
  – RSView (Rockwell)
  – InTouch (Wonderware)
  – iFix (GE)
  – FA-Panel (Japanese product: Roboticsware Co., Ltd.)
• The problem is that SCADA has become the attack entry point into control systems!
8. S4x14 Program
• 1/14 OT (Operations Technology) Day
• 1/15-16 S4x14 main symposium
• 1/16 ICSage (Non-technical Talks)
• Advanced Training:
  (1) Introduction to Hardware Hacking for ICS Professionals
  (2) Response and Serial Fuzzing of ICS Protocol Stacks
• ICS Village
  – An event where control-system equipment was set up and participants were allowed to attack it.
  – Fukumori-san wrote up his experience on his blog: "How I broke into the control systems root and branch" (私が制御システムに根こそぎ侵入した方法).
  • http://blog.f-secure.jp/archives/50719640.html
9. OT (Operations Technology) Day
• I presented here.
• Title: Process Whitelisting And Resource Access Control For ICS Computers
• Slides:
  http://www.slideshare.net/dgpeters/5-suzaki113-30731969
• Because there were more attendees than expected, a second room was booked and I was made to present twice, once in the morning and once in the afternoon.
  – The schedule was only announced on the day, which was confusing. It also meant I could not attend the sessions running opposite mine.
10. OS Lockdown
• Lockdown against attackers.
• Legitimate applications work well if the necessary computing resources are registered for:
  (1) Process Creation
  (2) Computing Resources Access from a process
11. Example of OS Lockdown
[Figure: two panels, "Normal OS on HMI" and "Lockdown OS on HMI", showing the same attack against the same process tree A, B, C, D, E, G under each policy.]
• White List for Process Creation: (1) A creates B, D, and G. (2) D creates E. (3) E and G cannot run at the same time.
• White List for Resource Access: one file is opened by A and B; another file is opened by E and G.
• Normal OS on HMI: applications have vulnerabilities, and resources have no limitation on use. There is no rule for process creation, so the attack creates a malicious C process; there is no rule for accessing the file, so the attack creates G as a process to access the disk and accesses the green file.
• Lockdown OS on HMI: the attack again tries to create a malicious C process, but C is not in the process-creation whitelist. G can be created by A and can access the disk. However, G cannot run along with E at the same time, which protects the resource they share.
12. Current Implementation
• Process White List is implemented in the kernel of Windows.
  – It uses a hook function offered by Windows: PsSetCreateProcessNotifyRoutineEx()
• Resource Access Control is implemented on the Filter Manager.
[Figure: PWC and RAC are implemented on Windows OS as a device driver.]
• User space: a parent process issues a request to create a child process (system call); a process issues a request to access resources (system call).
• Kernel space, process creation: the Executive API passes the request to the Process Manager, where the create-process system call is hooked by PsSetCreateProcessNotifyRoutine. The process white list module consults the White List for Process Creation, whose entries are Child (SHA1) – Parent. Creation is denied if there is no statement on the Process White List; the hook returns "CreationStatus" to allow or disallow. If process creation is allowed, a child process is created.
• Kernel space, resource access: the Executive API passes the request to the I/O Manager and on to the Filter Manager (Resource Access Control), which consults the White List for Resource Access. Access is denied if the target resource is listed and the access is not allowed; otherwise the request continues through the File System Device Driver or Network Device Driver to the resource (File, Network).
13. Sample: White List for Process Creation
Each line: child process, SHA-1 of child process binary, parent process
C:¥Windows¥System32¥smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
C:¥Windows¥System32¥autochk.exe,1bd90caff9f3ab1d3cb7136ce9146c1c2e69368b,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:¥Windows¥System32¥wininit.exe
C:¥Windows¥System32¥lsass.exe,d49245356dd4dc5e8f64037e4dc385355882a340,C:¥Windows¥System32¥wininit.exe
C:¥Windows¥System32¥lsm.exe,e16beae2233832547bac23fbd82d5321cfc5d645,C:¥Windows¥System32¥wininit.exe
C:¥Windows¥System32¥winlogon.exe,b8561be07a37c7414d6e059046ab0ad2c24bd2ad,C:¥Windows¥System32¥smss.exe
• The parent-child relation and the SHA-1 of the binary are used for the integrity check.
  – It works as Tripwire.
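The decision logic of slides 10-13, written out as an added example in Python. This is not the author's Windows driver (which runs in the kernel via PsSetCreateProcessNotifyRoutineEx and the Filter Manager); it is a user-space model that applies the same rules: a child process may be created only if the exact (child path, SHA-1 of the child binary, parent path) triple is in the whitelist, and a resource may be opened only if it is unlisted or the requesting process is listed for it. The process-creation rows are the sample from slide 13; the resource whitelist entries (plant.cfg, hmi.exe, historian.exe and the SAM entry) are constructed for the example, and the "integrity check" versus "no rule" reasons are an added distinction so an operator can tell a modified binary from an unexpected process tree.

```python
"""User-space model of the OS Lockdown checks from the S4x14 slides (added example)."""
import hashlib
from typing import Dict, FrozenSet, Set, Tuple

# Process-creation whitelist rows copied from slide 13:
#   child path, SHA-1 of the child binary, parent path
# Paths keep the "¥" that a Japanese Windows console shows in place of "\".
PROCESS_WHITELIST_CSV = """\
C:¥Windows¥System32¥smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,System
C:¥Windows¥System32¥autochk.exe,1bd90caff9f3ab1d3cb7136ce9146c1c2e69368b,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥smss.exe,ad34f33130393425d3d4ce671e0d4488ed8d1b6c,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥csrss.exe,53bc9b2ae89fcad6197ec519ae588f926c88e460,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥wininit.exe,c7bba9840c44e7739fb314b7a3efe30e6b25cc48,C:¥Windows¥System32¥smss.exe
C:¥Windows¥System32¥services.exe,54a90c371155985420f455361a5b3ac897e6c96e,C:¥Windows¥System32¥wininit.exe
C:¥Windows¥System32¥lsass.exe,d49245356dd4dc5e8f64037e4dc385355882a340,C:¥Windows¥System32¥wininit.exe
C:¥Windows¥System32¥lsm.exe,e16beae2233832547bac23fbd82d5321cfc5d645,C:¥Windows¥System32¥wininit.exe
C:¥Windows¥System32¥winlogon.exe,b8561be07a37c7414d6e059046ab0ad2c24bd2ad,C:¥Windows¥System32¥smss.exe
"""

# Resource-access whitelist: resource -> processes allowed to open it.
# These entries are constructed for the example; the slides only show the
# format for process creation. Unlisted resources are not restricted
# (slide 12: denied only if the resource is listed and the access not allowed).
RESOURCE_WHITELIST: Dict[str, FrozenSet[str]] = {
    "C:¥HMI¥plant.cfg": frozenset({"C:¥HMI¥hmi.exe", "C:¥HMI¥historian.exe"}),
    "C:¥Windows¥System32¥config¥SAM": frozenset({"C:¥Windows¥System32¥lsass.exe"}),
}

Rule = Tuple[str, str, str]  # (child, sha1, parent); paths lower-cased


def _norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare them lower-cased."""
    return path.strip().lower()


def parse_process_whitelist(text: str) -> Set[Rule]:
    """Parse the CSV rows into a set of exact (child, sha1, parent) triples."""
    rules: Set[Rule] = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        child, sha1, parent = (field.strip() for field in line.split(","))
        rules.add((_norm(child), sha1.lower(), _norm(parent)))
    return rules


def sha1_of(data: bytes) -> str:
    """SHA-1 of a binary image; this is what the whitelist identifies a child by."""
    return hashlib.sha1(data).hexdigest()


def check_process_creation(rules: Set[Rule], parent: str, child: str,
                           child_sha1: str) -> Tuple[bool, str]:
    """Model of the create-process hook's CreationStatus decision.

    Default is deny: creation is allowed only if the exact
    (child, hash, parent) triple has a row in the whitelist.
    """
    key = (_norm(child), child_sha1.lower(), _norm(parent))
    if key in rules:
        return True, "allowed: child, hash and parent match a whitelist row"
    # Tell "modified binary" (the Tripwire-like integrity check) apart from
    # "unexpected process tree" so the denial is actionable for an operator.
    if any(c == key[0] and p == key[2] for c, _, p in rules):
        return False, "denied: binary hash differs from the whitelist (integrity check)"
    return False, "denied: no whitelist row for this parent/child pair"


_RESOURCE_RULES = {_norm(r): frozenset(_norm(p) for p in procs)
                   for r, procs in RESOURCE_WHITELIST.items()}


def check_resource_access(process: str, resource: str,
                          rules: Dict[str, FrozenSet[str]] = _RESOURCE_RULES
                          ) -> Tuple[bool, str]:
    """Model of the Filter Manager check for a file or network resource."""
    allowed = rules.get(_norm(resource))
    if allowed is None:
        return True, "allowed: resource is not listed, so it is unrestricted"
    if _norm(process) in allowed:
        return True, "allowed: process is whitelisted for this resource"
    return False, "denied: resource is listed and this process is not allowed"


if __name__ == "__main__":
    rules = parse_process_whitelist(PROCESS_WHITELIST_CSV)
    smss = "C:¥Windows¥System32¥smss.exe"
    csrss = "C:¥Windows¥System32¥csrss.exe"
    print(check_process_creation(rules, smss, csrss, "53bc9b2ae89fcad6197ec519ae588f926c88e460"))
    print(check_process_creation(rules, smss, csrss, sha1_of(b"constructed: tampered csrss image")))
    print(check_process_creation(rules, smss, "C:¥Windows¥System32¥cmd.exe", sha1_of(b"constructed")))
    print(check_resource_access("C:¥HMI¥hmi.exe", "C:¥HMI¥plant.cfg"))
    print(check_resource_access("C:¥HMI¥unknown.exe", "C:¥HMI¥plant.cfg"))
```

Keying the rule on the full triple is what makes the list behave like Tripwire: replacing csrss.exe with a binary of a different hash fails the second check even though the parent is right, and launching a whitelisted binary from a parent that is not listed for it fails the first, so a foothold that spawns a new process from the HMI application is blocked regardless of which binary it tries to start.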
17. ICSage 1/2
• The final day's session of non-technical reports (various incidents, etc.).
• There was a lecture by Thomas Rid (King's College London).
  – An explanation of his published book "Cyber War Will Not Take Place".
  – The book was handed out free at lunch and I had it signed. Other books and goods were also given away.
• "SCADA and ME" is an educational book for children.