The document discusses various sandbox mitigations introduced in Windows since Windows 8, including:
- Explicit mitigations that can be enabled through the SetProcessMitigationPolicy API or during process creation, including dynamic code policy, binary signature policy, and image load policy.
- Implicit mitigations that are enabled by default for sandboxed processes, focusing on breaking exploitation chains and increasing costs.
- Technical details of how several mitigation policies work under the hood, including dynamic code policy, binary signature policy, and font disable policy.
- Examples are provided for testing different mitigation policies and potential ways to bypass some of the restrictions.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
In our recent work we targeted also win32k, what seems to be fruit giving target. @promised_lu made our own TTF-fuzzer which comes with bunch of results in form of gigabytes of crashes and various bugs. Fortunately windows make great work and in February most of our bugs was dead - patched, but not all of them…
Whats left were looking as seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combine it with our user mode bug & emet bypass. Through IE & flash we break down system and pointed out at weak points in defensive mechanism.
In this talk we will present our research dedicated for pwn2own event this year. We will describe kernel part of exploit in detail*, including bug description, resulting memory corruption conditions & caveats up to final pwn via one of our TTF bugs.
Throughout the talk we will describe how to break various exploit mitigations in windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all what stands { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc).
* unfortunately bug was not fixed at the time of talk, so we do not exposed details about TTF vulnerability, and we skipped directly to some challenges during exploitation, and demonstrate how OS design can overpower introduced exploit mitigations.
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...Shanmuga KS
This training comprises of 2 sessions
Session -1 (Theory)
1. Understanding Dump File
2. Varieties of Dump File
3. Creation of Dump File
4. Terminologies for analyzing of Dump File
5. Introduction to WinDbg
Session -2 ( Lab)
1. Postmortem Debugger Settings
2. WinDbg Setup
3. Dump File creation using Tools
4. Dump File creation using Win32 API
5. Dump File Analyzing case study
For Download, drop mail to contactshanmugaks@gmail.com
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytesPeter Hlavaty
In our recent work we targeted also win32k, what seems to be fruit giving target. @promised_lu made our own TTF-fuzzer which comes with bunch of results in form of gigabytes of crashes and various bugs. Fortunately windows make great work and in February most of our bugs was dead - patched, but not all of them…
Whats left were looking as seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combine it with our user mode bug & emet bypass. Through IE & flash we break down system and pointed out at weak points in defensive mechanism.
In this talk we will present our research dedicated for pwn2own event this year. We will describe kernel part of exploit in detail*, including bug description, resulting memory corruption conditions & caveats up to final pwn via one of our TTF bugs.
Throughout the talk we will describe how to break various exploit mitigations in windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all what stands { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc).
* unfortunately bug was not fixed at the time of talk, so we do not exposed details about TTF vulnerability, and we skipped directly to some challenges during exploitation, and demonstrate how OS design can overpower introduced exploit mitigations.
Crash (or) Hang dump analysis using WinDbg in Windows platform by K.S.Shanmug...Shanmuga KS
This training comprises of 2 sessions
Session -1 (Theory)
1. Understanding Dump File
2. Varieties of Dump File
3. Creation of Dump File
4. Terminologies for analyzing of Dump File
5. Introduction to WinDbg
Session -2 ( Lab)
1. Postmortem Debugger Settings
2. WinDbg Setup
3. Dump File creation using Tools
4. Dump File creation using Win32 API
5. Dump File Analyzing case study
For Download, drop mail to contactshanmugaks@gmail.com
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB
In the context of high-performance computing (HPC), the Operating System Noise (osnoise) refers to the interference experienced by an application due to activities inside the operating system. In the context of Linux, NMIs, IRQs, softirqs, and any other system thread can cause noise to the application. Moreover, hardware-related jobs can also cause noise, for example, via SMIs.
HPC users and developers that care about every microsecond stolen by the OS need not only a precise way to measure the osnoise but mainly to figure out who is stealing cpu time so that they can pursue the perfect tune of the system. These users and developers are the inspiration of Linux's osnoise tracer.
The osnoise tracer runs an in-kernel loop measuring how much time is available. It does it with preemption, softirq and IRQs enabled, thus allowing all the sources of osnoise during its execution. The osnoise tracer takes note of the entry and exit point of any source of interferences. When the noise happens without any interference from the operating system level, the tracer can safely point to a hardware-related noise. In this way, osnoise can account for any source of interference. The osnoise tracer also adds new kernel tracepoints that auxiliaries the user to point to the culprits of the noise in a precise and intuitive way.
At the end of a period, the osnoise tracer prints the sum of all noise, the max single noise, the percentage of CPU available for the thread, and the counters for the noise sources, serving as a benchmark tool.
Your Linux AMI: Optimization and Performance (CPN302) | AWS re:Invent 2013Amazon Web Services
Your AMI is one of the core foundations for running applications and services effectively on Amazon EC2. In this session, you'll learn how to optimize your AMI, including how you can measure and diagnose system performance and tune parameters for improved CPU and network performance. We'll cover application-specific examples from Netflix on how optimized AMIs can lead to improved performance.
Linux 4.x Tracing: Performance Analysis with bcc/BPFBrendan Gregg
Talk about bcc/eBPF for SCALE15x (2017) by Brendan Gregg. "BPF (Berkeley Packet Filter) has been enhanced in the Linux 4.x series and now powers a large collection of performance analysis and observability tools ready for you to use, included in the bcc (BPF Complier Collection) open source project. BPF nowadays can do system tracing, software defined networks, and kernel fast path: much more than just filtering packets! This talk will focus on the bcc/BPF tools for performance analysis, which make use of other built in Linux capabilities: dynamic tracing (kprobes and uprobes) and static tracing (tracepoints and USDT). There are now bcc tools for measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more. These lead to performance wins large and small, especially when instrumenting areas that previously had zero visibility. Tracing superpowers have finally arrived, built in to Linux."
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesAltinity Ltd
Slides for the Webinar, presented on March 6, 2019
For the webinar video visit https://www.altinity.com/
Extracting business insight from massive pools of machine-generated data is the central analytic problem of the digital era. ClickHouse data warehouse addresses it with sub-second SQL query response on petabyte-scale data sets. In this talk we'll discuss the features that make ClickHouse increasingly popular, show you how to install it, and teach you enough about how ClickHouse works so you can try it out on real problems of your own. We'll have cool demos (of course) and gladly answer your questions at the end.
Speaker Bio:
Robert Hodges is CEO of Altinity, which offers enterprise support for ClickHouse. He has over three decades of experience in data management spanning 20 different DBMS types. ClickHouse is his current favorite. ;)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB
In the context of high-performance computing (HPC), the Operating System Noise (osnoise) refers to the interference experienced by an application due to activities inside the operating system. In the context of Linux, NMIs, IRQs, softirqs, and any other system thread can cause noise to the application. Moreover, hardware-related jobs can also cause noise, for example, via SMIs.
HPC users and developers that care about every microsecond stolen by the OS need not only a precise way to measure the osnoise but mainly to figure out who is stealing cpu time so that they can pursue the perfect tune of the system. These users and developers are the inspiration of Linux's osnoise tracer.
The osnoise tracer runs an in-kernel loop measuring how much time is available. It does it with preemption, softirq and IRQs enabled, thus allowing all the sources of osnoise during its execution. The osnoise tracer takes note of the entry and exit point of any source of interferences. When the noise happens without any interference from the operating system level, the tracer can safely point to a hardware-related noise. In this way, osnoise can account for any source of interference. The osnoise tracer also adds new kernel tracepoints that auxiliaries the user to point to the culprits of the noise in a precise and intuitive way.
At the end of a period, the osnoise tracer prints the sum of all noise, the max single noise, the percentage of CPU available for the thread, and the counters for the noise sources, serving as a benchmark tool.
Your Linux AMI: Optimization and Performance (CPN302) | AWS re:Invent 2013Amazon Web Services
Your AMI is one of the core foundations for running applications and services effectively on Amazon EC2. In this session, you'll learn how to optimize your AMI, including how you can measure and diagnose system performance and tune parameters for improved CPU and network performance. We'll cover application-specific examples from Netflix on how optimized AMIs can lead to improved performance.
Linux 4.x Tracing: Performance Analysis with bcc/BPFBrendan Gregg
Talk about bcc/eBPF for SCALE15x (2017) by Brendan Gregg. "BPF (Berkeley Packet Filter) has been enhanced in the Linux 4.x series and now powers a large collection of performance analysis and observability tools ready for you to use, included in the bcc (BPF Complier Collection) open source project. BPF nowadays can do system tracing, software defined networks, and kernel fast path: much more than just filtering packets! This talk will focus on the bcc/BPF tools for performance analysis, which make use of other built in Linux capabilities: dynamic tracing (kprobes and uprobes) and static tracing (tracepoints and USDT). There are now bcc tools for measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more. These lead to performance wins large and small, especially when instrumenting areas that previously had zero visibility. Tracing superpowers have finally arrived, built in to Linux."
CNIT 126: 10: Kernel Debugging with WinDbgSam Bowne
Slides for a college course at City College San Francisco. Based on "Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software", by Michael Sikorski and Andrew Honig; ISBN-10: 1593272901.
Instructor: Sam Bowne
Class website: https://samsclass.info/126/126_F19.shtml
Pre-auth SYSTEM RCE on Windows Is more common than you think
----
With minimal to no effort, we can gain SYSTEM level access to hundreds, if not, thousands of machines on the internet [remotely]. No, this is not a new super 1337 exploit and no this is not even a new technique. No super fancy website with poorly designed logo is necessary, there is nothing new here. Tim and Dennis have discovered that something only stupid sysadmins would do turns out to be much more prevalent than expected. What starts off as a sysadmin's innocent attempt to fix an issue, turns into complete compromise of entire servers/workstations with no effort needed from the attacker. Tim and Dennis will discuss how we came to this realization and explain how we automated looking for these issues in order to find hundreds of vulnerable machines over the internet. Tim and Dennis explain the tool developed for automation, provide statistics discovered from our research, and go over ways to protect yourself from falling victim to the issue.
A Fast Intro to Fast Query with ClickHouse, by Robert HodgesAltinity Ltd
Slides for the Webinar, presented on March 6, 2019
For the webinar video visit https://www.altinity.com/
Extracting business insight from massive pools of machine-generated data is the central analytic problem of the digital era. ClickHouse data warehouse addresses it with sub-second SQL query response on petabyte-scale data sets. In this talk we'll discuss the features that make ClickHouse increasingly popular, show you how to install it, and teach you enough about how ClickHouse works so you can try it out on real problems of your own. We'll have cool demos (of course) and gladly answer your questions at the end.
Speaker Bio:
Robert Hodges is CEO of Altinity, which offers enterprise support for ClickHouse. He has over three decades of experience in data management spanning 20 different DBMS types. ClickHouse is his current favorite. ;)
Linux Security APIs and the Chromium Sandbox (SwedenCpp Meetup 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
HKG18-TR14 - Postmortem Debugging with CoresightLinaro
Session ID: HKG18-TR14
Session Name: HKG18-TR14 - Postmortem Debugging with Coresight
Speaker: Leo Yan
Track: Training
★ Session Summary ★
For most cases we can easily debug with kernel's oops dumping info, but sometimes we need to know more information for program execution flow before the issue happens. So we can rely on two tracing methods to reproduce the program execution flow, one method is using software tracing which is kernel's pstore method; another method is to rely on Coresight hardware tracing, this method also can avoid extra workload introduced by tracing itself. Coresight has provided two mechanisms for Postmortem debugging, one method is Coresight CPU debug module so we can extract CPU program counter info, this is quite straightforward to debug CPU lockup issue; Another is Coresight panic kdump, we connect kernel kdump mechanism to extract Coresight tracing data so we can reproduce the last execution flow before panic (even hang issue with some tweaking in kernel). This session wants to go through these topics and demonstrate the debugging tools on 96boards Hikey in 25 minutes session.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/hkg18/hkg18-tr14/
Presentation: http://connect.linaro.org.s3.amazonaws.com/hkg18/presentations/hkg18-tr14.pdf
Video: http://connect.linaro.org.s3.amazonaws.com/hkg18/videos/hkg18-tr14.mp4
---------------------------------------------------
★ Event Details ★
Linaro Connect Hong Kong 2018 (HKG18)
19-23 March 2018
Regal Airport Hotel Hong Kong
---------------------------------------------------
Keyword: Training
'http://www.linaro.org'
'http://connect.linaro.org'
---------------------------------------------------
Follow us on Social Media
https://www.facebook.com/LinaroOrg
https://www.youtube.com/user/linaroorg?sub_confirmation=1
https://www.linkedin.com/company/1026961
Too many database queries, too much data loaded into memory, overloaded html pages, bad architectural decisions, ...
These are all reasons why Java Applications are slow. In this presentation - first given at Boston Java Meetup - shows 6 real life examples on why Java-based Applications failed - and you may even heard about this in the news.
All examples and the technical details were captured using Dynatrace which is available as a 30 Day Free Trial - http://bit.ly/dttrial - with an option to extend it for another 180 Days in case you share some of your results with us
Embedded Recipes 2019 - RT is about to make it to mainline. Now what?Anne Nicolas
The PREEMPT_RT (aka real-time patch) started back in 2004. Since then, a lot of it has made it into the kernel. The only part left is the change of turning spinning locks into mutexes, then the merge of the PREEMPT_RT patch will be complete. This is expected to happen no later than the Q1 of 2020. But once it is in, how can you take advantage of it? This talk will discuss the basics of writing a real-time application, and some tricks to play with Linux configured with PREEMPT_RT.
Steven Rostedt
Accelerated .NET Memory Dump Analysis training public slidesDmitry Vostokov
The slides from Software Diagnostics Services .NET memory dump analysis training. The training description: "Covers 22 .NET memory dump analysis patterns plus additional 11 unmanaged patterns. Learn how to analyze CLR 4 .NET application and service crashes and freezes, navigate through memory dump space (managed and unmanaged code) and diagnose corruption, leaks, CPU spikes, blocked threads, deadlocks, wait chains, resource contention, and much more. The training consists of practical step-by-step exercises using Microsoft WinDbg debugger to diagnose patterns in 64-bit and 32-bit process memory dumps. The training uses a unique and innovative pattern-oriented analysis approach to speed up the learning curve. The third edition was fully reworked to use the latest WinDbg version and Windows 10. It also includes 9 optional legacy exercises from the previous editions covering CLR 2 and 4, Windows Vista and Windows 7. Prerequisites: Basic .NET programming and debugging. Audience: Software technical support and escalation engineers, system administrators, DevOps, performance and reliability engineers, software developers and quality assurance engineers."
Provide training on how to troubleshoot Rocket® D3 DBMS on both Windows and UNIX platforms. Focusing on utilities and commands utilized to troubleshoot D3 in areas of performance, license management, overflow management, process locking, D3 server failures and error reporting and management.
Linux Security and How Web Browser Sandboxes Really Work (Security Researcher...Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
This presentation goes more in depth on some key points from the NDC (2017) presentation.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that have been written in the past 12 months for performance analysis that use BPF. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funcccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
Netronome's half-day tutorial on host data plane acceleration at ACM SIGCOMM 2018 introduced attendees to models for host data plane acceleration and provided an in-depth understanding of SmartNIC deployment models at hyperscale cloud vendors and telecom service providers.
Presenter Bio
Jaco Joubert is a Software Engineer at Netronome focusing on P4 and its applications on the Netronome SmartNIC. He recently started investigating network acceleration for Deep Learning on distributed systems. Prior to Netronome he worked on mobile application development and was a researcher at Telkom SA focusing on the mobile core after completing his Masters Degree in Computer, Electronic Engineering in 2014.
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. This is the sandbox used in the Vivaldi, Brave, Chrome and Opera browsers among others. The Chromium Sandbox has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox in detail and go through how the Linux implementation fulfills these requirements.
Your Peripheral Has Planted Malware—An Exploit of NXP SOCs VulnerabilityPriyanka Aash
"There are billions of ARM Cortex M based SOC being deployed in embedded systems. Most of these devices are Internet ready and definitely security is always the main concern. Vendors would always apply security measurements into the ARM Cortex M product for few major reasons: 1) People will not be able to copy and replicate the product; 2) License control for the hardware and software; 3) Prevent malicious code injection in to the firmware. Vendors normally rely on the security measurements built within the chip (unique ID number/signature) or security measurements built around the chip (secure boot).
In this talk, we will share the ARM Cortex M SOC vulnerability that we discovered and it will be two parts:
The first is security measurement build within the SOC and how we break it. We could gain control of changing the SOC unique ID and write the firmware or even turn the device into a trojan or bot.
The second is security measure built around the SOC and how we break the Secure Boot elements and write into the firmware."
Three tricks how to understand what's happening inside of .NET Core app running on Linux: perf, lttng and lldb. As unrelated bonus, last slides have a brief intro into Google Cloud Platform
Enhancing Project Management Efficiency_ Leveraging AI Tools like ChatGPT.pdfJay Das
With the advent of artificial intelligence or AI tools, project management processes are undergoing a transformative shift. By using tools like ChatGPT, and Bard organizations can empower their leaders and managers to plan, execute, and monitor projects more effectively.
top nidhi software solution freedownloadvrstrong314
This presentation emphasizes the importance of data security and legal compliance for Nidhi companies in India. It highlights how online Nidhi software solutions, like Vector Nidhi Software, offer advanced features tailored to these needs. Key aspects include encryption, access controls, and audit trails to ensure data security. The software complies with regulatory guidelines from the MCA and RBI and adheres to Nidhi Rules, 2014. With customizable, user-friendly interfaces and real-time features, these Nidhi software solutions enhance efficiency, support growth, and provide exceptional member services. The presentation concludes with contact information for further inquiries.
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
Paketo Buildpacks : la meilleure façon de construire des images OCI? DevopsDa...Anthony Dahanne
Les Buildpacks existent depuis plus de 10 ans ! D’abord, ils étaient utilisés pour détecter et construire une application avant de la déployer sur certains PaaS. Ensuite, nous avons pu créer des images Docker (OCI) avec leur dernière génération, les Cloud Native Buildpacks (CNCF en incubation). Sont-ils une bonne alternative au Dockerfile ? Que sont les buildpacks Paketo ? Quelles communautés les soutiennent et comment ?
Venez le découvrir lors de cette session ignite
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Top Features to Include in Your Winzo Clone App for Business Growth (4).pptxrickgrimesss22
Discover the essential features to incorporate in your Winzo clone app to boost business growth, enhance user engagement, and drive revenue. Learn how to create a compelling gaming experience that stands out in the competitive market.
Enterprise Resource Planning System includes various modules that reduce any business's workload. Additionally, it organizes the workflows, which drives towards enhancing productivity. Here are a detailed explanation of the ERP modules. Going through the points will help you understand how the software is changing the work dynamics.
To know more details here: https://blogs.nyggs.com/nyggs/enterprise-resource-planning-erp-system-modules/
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Large Language Models and the End of ProgrammingMatt Welsh
Talk by Matt Welsh at Craft Conference 2024 on the impact that Large Language Models will have on the future of software development. In this talk, I discuss the ways in which LLMs will impact the software industry, from replacing human software developers with AI, to replacing conventional software with models that perform reasoning, computation, and problem-solving.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
May Marketo Masterclass, London MUG May 22 2024.pdfAdele Miller
Can't make Adobe Summit in Vegas? No sweat because the EMEA Marketo Engage Champions are coming to London to share their Summit sessions, insights and more!
This is a MUG with a twist you don't want to miss.
Prosigns: Transforming Business with Tailored Technology SolutionsProsigns
Unlocking Business Potential: Tailored Technology Solutions by Prosigns
Discover how Prosigns, a leading technology solutions provider, partners with businesses to drive innovation and success. Our presentation showcases our comprehensive range of services, including custom software development, web and mobile app development, AI & ML solutions, blockchain integration, DevOps services, and Microsoft Dynamics 365 support.
Custom Software Development: Prosigns specializes in creating bespoke software solutions that cater to your unique business needs. Our team of experts works closely with you to understand your requirements and deliver tailor-made software that enhances efficiency and drives growth.
Web and Mobile App Development: From responsive websites to intuitive mobile applications, Prosigns develops cutting-edge solutions that engage users and deliver seamless experiences across devices.
AI & ML Solutions: Harnessing the power of Artificial Intelligence and Machine Learning, Prosigns provides smart solutions that automate processes, provide valuable insights, and drive informed decision-making.
Blockchain Integration: Prosigns offers comprehensive blockchain solutions, including development, integration, and consulting services, enabling businesses to leverage blockchain technology for enhanced security, transparency, and efficiency.
DevOps Services: Prosigns' DevOps services streamline development and operations processes, ensuring faster and more reliable software delivery through automation and continuous integration.
Microsoft Dynamics 365 Support: Prosigns provides comprehensive support and maintenance services for Microsoft Dynamics 365, ensuring your system is always up-to-date, secure, and running smoothly.
Learn how our collaborative approach and dedication to excellence help businesses achieve their goals and stay ahead in today's digital landscape. From concept to deployment, Prosigns is your trusted partner for transforming ideas into reality and unlocking the full potential of your business.
Join us on a journey of innovation and growth. Let's partner for success with Prosigns.
2. James Forshaw @tiraniddo
What I’m Going to Talk About
● Sandbox related mitigations added to Windows since Windows 8
● Hardcore reverse engineering of the implementation
● What’s supported and how you can use them yourself
● What is blocked if you’re investigating sandbox attack surface
● Weird bugs and edge cases with the implementation
● Research on Windows 8.1 and 10 build 10586
2
5. James Forshaw @tiraniddo
The External Attacker’s Viewpoint
5
Mitigations:
DEP
ASLR
SafeSEH
Stack Cookies
Control Flow Guard (CFG)
etc.
System Services
Kernel Services Device Drivers
Prevent RCETarget Process
7. James Forshaw @tiraniddo
Sandboxing to the Rescue?
7
Sandboxed Target Process
User Applications
System Services
Kernel Services Device Drivers
Prevent RCE
PreventEoP
11. James Forshaw @tiraniddo
Categories of Windows Sandbox Mitigations
Implicit Mitigations
● On by default when running
sandboxed code
● Applies to select features
which shouldn’t affect typical
backwards compatibility
support
● Focus more on breaking
chains and making
exploitation harder
11
Explicit Mitigations
● Mitigations which must be
actively enabled
● Usually more disruptive,
requires changes to existing
code to support
● Aim to reduce attack surface
or increase exploitation costs
16. James Forshaw @tiraniddo
Under the Hood
const int ProcessMitigationPolicy = 52;
struct PROCESS_MITIGATION {
PROCESS_MITIGATION_POLICY Policy;
DWORD Flags;
};
PROCESS_MITIGATION m = {ProcessSignaturePolicy, 1};
NtSetInformationProcess(GetCurrentProcess(),
ProcessMitigationPolicy, &m, sizeof(m));
16
17. James Forshaw @tiraniddo
Under the Hood
const int ProcessMitigationPolicy = 52;
struct PROCESS_MITIGATION {
PROCESS_MITIGATION_POLICY Policy;
DWORD Flags;
};
PROCESS_MITIGATION m = {ProcessSignaturePolicy, 1};
NtSetInformationProcess(GetCurrentProcess(),
ProcessMitigationPolicy, &m, sizeof(m));
17
Can’t specify anything other
than current process, it will fail.
18. James Forshaw @tiraniddo
Apply During Create Process
LPPROC_THREAD_ATTRIBUTE_LIST attr_list = ... // Allocated
InitializeProcThreadAttributeList(attr_list, 1, 0, &size);
DWORD64 policy = PROCESS_CREATION_MITIGATION_POLICY_...;
UpdateProcThreadAttribute(attr_list, 0,
PROC_THREAD_ATTRIBUTE_MITIGATION_POLICY, &policy,
sizeof(policy), nullptr, nullptr);
startInfo.StartupInfo.cb = sizeof(startInfo);
startInfo.lpAttributeList = attr_list;
// Create Process with EXTENDED_STARTUPINFO_PRESENT flag
18
I’ll abbreviate PROCESS_CREATION_MITIGATION_POLICY to PCMP otherwise it gets too long
Process Attribute for Mitigation Policy
19. James Forshaw @tiraniddo
Image File Execution Options
● Specify REG_QWORD value MitigationOptions with same bit fields
as used at process creation.
19
Registry Value
Executable Name
23. James Forshaw @tiraniddo
What Does it Disable?
● Calling VirtualAlloc with PAGE_EXECUTE_*
● MapViewOfFile with FILE_MAP_EXECUTE option
● Calling VirtualProtect with PAGE_EXECUTE_* etc.
● Reconfiguring the CFG bitmap via SetProcessValidCallTargets
23
It doesn’t disable loading
DLLs/Image Sections!
24. James Forshaw @tiraniddo
Under the Hood
NTSTATUS MiArbitraryCodeBlocked(EPROCESS *Process) {
if (Process->Flags2 & DYNAMIC_CODE_BLOCKED_FLAG)
return STATUS_DYNAMIC_CODE_BLOCKED;
return STATUS_SUCCESS;
}
24
Might assume the Process
argument is the target process.
You’d be wrong of course!
It’s the calling process.
25. James Forshaw @tiraniddo
Fun Use Case
25
Sandboxed ProcessUnsandboxed Process
void InjectExecutableCode(DWORD dwPid, PBYTE pData, SIZE_T nSize) {
HANDLE hProcess = OpenProcess(dwPid,
PROCESS_VM_WRITE| PROCESS_VM_OPERATION);
LPVOID pMem = VirtualAllocEx(hProcess,
PAGE_EXECUTE_READWRITE, nSize);
WriteProcessMemory(hProcess, pMem, pData, nSize);
}
New Executable
Memory
VirtualAllocEx
Create With Dynamic
Code Mitigation
26. James Forshaw @tiraniddo
Binary Signature Policy
struct PROCESS_MITIGATION_BINARY_SIGNATURE_POLICY {
union {
DWORD Flags;
struct {
DWORD MicrosoftSignedOnly : 1;
DWORD StoreSignedOnly : 1; // Win10 Only.
DWORD MitigationOptIn : 1; // Win10 Only.
DWORD ReservedFlags : 29;
};
};
};
PCMP_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON (1 << 44)
26
Category: Increase Exploit Cost, Reduce Reliability
Can only specify Microsoft Signed at Process Creation
27. James Forshaw @tiraniddo
Under the Hood
case ProcessSignaturePolicy:
if (policy.MicrosoftSignedOnly) {
process->SignatureLevel = 8;
process->SectionSignatureLevel = 8;
} else if (policy.StoreSignedOnly) {
process->SignatureLevel = 6;
process->SectionSignatureLevel = 6;
}
process->Flags2 |= 0x2000;
27
MitigationOptIn is used to set the Flags2 flag, which opts into Store Signing
checks if an image is loaded which requires code signing.
28. James Forshaw @tiraniddo
Fun Use Case
28
Unsigned
Sandboxed Process
Unsandboxed Process
void* InjectExecutableImage(DWORD dwPid, HANDLE hMap) {
LPVOID lpMap = NULL;
HANDLE hProcess = OpenProcess(dwPid,
PROCESS_VM_WRITE| PROCESS_VM_OPERATION);
NtMapViewOfSection(hMap, hProcess, &lpMap, 0,
4096, nullptr, &viewsize,
ViewUnmap, 0, PAGE_EXECUTE_READWRITE);
return lpMap;
}
New Executable
Image Section
NtMapViewOfSection
Create With Process
Mitigation
Signature check
NOT enforced on
main executable.
NtMapViewOfSection can
take a process handle
34. James Forshaw @tiraniddo
Under the Hood
● Win32k shouldn’t have insider knowledge of EPROCESS Flags
34
int GetCurrentProcessFontLoadingOption()
{
PROCESS_MITIGATION_FONT_DISABLE_POLICY policy;
ZwQueryInformationProcess((HANDLE)-1,
ProcessMitigationPolicy, &policy, sizeof(policy), 0);
if (policy.DisableNonSystemFonts)
return 2;
else
return policy.AuditNonSystemFontLoading;
}
35. James Forshaw @tiraniddo
How it Works
35
int WIN32K::bLoadFont(...) {
int load_option = GetCurrentProcessFontLoadingOption();
bool system_font = true;
if (load_option) {
HANDLE hFile = hGetHandleFromFilePath(FontPath);
BOOL system_font = bIsFileInSystemFontsDir(hFile);
ZwClose(hFile);
if (!system_font) {
LogFontLoadAttempt(FontPath);
if (load_option == 2)
return 0;
}
}
HANDLE hFont = hGetHandleFromFilePath(FontPath);
// Map font as section
}
38. James Forshaw @tiraniddo
Win32k Syscall Disable Implementation?
SyscallEnter() {
// Setup entry.
if (IsWin32kSyscall(SyscallNumber) &&
CurrentProcess->Flags2 & WIN32K_SYSCALL_DISABLE) {
return STATUS_ACCESS_DENIED;
}
// Continue normal system call dispatch.
}
38
39. James Forshaw @tiraniddo
Win32k Syscall Disable
SyscallEnter() {
SERVICE_TABLE* table =
KeGetCurrentThread()->ServiceTable;
// Setup entry.
if (IsWin32Syscall(SyscallNo) &&
SyscallNo & 0xFFF > table->Shadow.Length)
if (PsConvertToGuiThread() != STATUS_SUCCESS)
return GetWin32kResult(SyscallNo);
}
// Continue normal system call dispatch.
}
39
40. James Forshaw @tiraniddo
Win32k Syscall Disable is Per Thread
NTSTATUS PsConvertToGuiThread() {
KTHREAD *thread = KeGetCurrentThread();
EPROCESS *process = thread->Process;
if (thread->ServiceTable != &KeServiceDescriptorTable)
return STATUS_ALREADY_WIN32;
if (process->Flags2 & WIN32K_SYSCALL_DISABLE)
return STATUS_ACCESS_DENIED;
thread->ServiceTable = &KeServiceDescriptorTableShadow;
NTSTATUS result = PsInvokeWin32Callout(THREAD_INIT,
&thread);
if (result < 0)
thread->ServiceTable = &KeServiceDescriptorTable;
return result;
}
40
41. James Forshaw @tiraniddo
Late Enable Initial Thread Problem
41
Sandboxed Process
Ntdll.dll
LdrxCallInitRoutine
Load
user32.dll
UserClientDllInitialize()
gdi32.dll
GdiDllInitialize()
combase.dll
ComBaseInitialize()
Kernel/Win32k
Initial Thread now a GUI Thread!
42. James Forshaw @tiraniddo
Disable Dynamically
case ProcessSystemCallDisablePolicy:
PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY policy;
if (!policy.DisallowWin32kSystemCalls
&& process->Flags2 & WIN32K_SYSCALL_DISABLE) {
return STATUS_ACCESS_DENIED;
}
process->Flags2 |= WIN32K_SYSCALL_DISABLE;
if (thread->ServiceTable != &KeServiceDescriptorTable) {
return STATUS_TOO_LATE;
}
42
We are too late for this thread, but it’
ll still enable the mitigation for the
process
43. James Forshaw @tiraniddo
Set at Process Creation
43
Sandboxed Process
Ntdll.dll
LdrxCallInitRoutine
Load
user32.dll
UserClientDllInitialize()
gdi32.dll
GdiDllInitialize()
combase.dll
ComBaseInitialize()
Kernel/Win32k
44. James Forshaw @tiraniddo
Set at Process Creation
44
Sandboxed Process
Ntdll.dll
LdrxCallInitRoutine
Load
user32.dll
UserClientDllInitialize()
gdi32.dll
GdiDllInitialize()
combase.dll
ComBaseInitialize()
Kernel/Win32k
45. James Forshaw @tiraniddo
How Does Chrome Do It?
● Chrome hooks the NtMapViewOfSection system call in NTDLL.
● Patches GdiDllInitialize before anything has a chance to call it.
45
BOOL WINAPI TargetGdiDllInitialize (
GdiDllInitializeFunction orig_gdi_dll_initialize ,
HANDLE dll ,
DWORD reason ) {
return TRUE;
}
HGDIOBJ WINAPI TargetGetStockObject (
GetStockObjectFunction orig_get_stock_object ,
int object) {
return reinterpret_cast <HGDIOBJ>(NULL);
}
ATOM WINAPI TargetRegisterClassW (
RegisterClassWFunction orig_register_class_function ,
const WNDCLASS* wnd_class) {
return TRUE;
}
46. James Forshaw @tiraniddo
Syscall Return Values
46
Expect NULL on error
Really NtGdiCreateCompatibleDC System Call
Expect a valid HDC on success
Really NtUserGetDC System Call
48. James Forshaw @tiraniddo
Handling Return Code
INT32 GetWin32kResult(DWORD SyscallNo) {
if (SyscallNo & 0xFFF < ShadowTableLength) {
INT8* ReturnCodes =
(INT8*)&ShadowTable[ShadowTableLength];
INT32 Result = ReturnCodes[SyscallNo & 0xFFF];
if (Result <= 0)
return Result;
}
return STATUS_INVALID_SYSTEM_SERVICE;
}
48
Just happens to equal 0xC000001C,
returned if Result > 0
Return code map at end of shadow table
Pass through value is <= 0
49. James Forshaw @tiraniddo
● No policies can be disabled once set in-process.
● However only a small subset of mitigations are inherited
● See PspApplyMitigationOptions.
● we need to block new process creation.
Process Mitigations Inheritance
49
Policy Inherited
Dynamic Code No
System Call Disable Yes
Signature No
Font Disable No
Image Load Yes
50. James Forshaw @tiraniddo
Job Objects to the Rescue
50
1 Active Process
No Breakout Allowed
Can’t create new process
51. James Forshaw @tiraniddo
Job Object
The Trouble with Job Objects
51
WMI Service
Win32_Process::Create
User Process
Console Driver
AllocConsole
Kernel
52. James Forshaw @tiraniddo
Job Object
The Trouble with Job Objects
52
WMI Service
Win32_Process::Create
User Process
Console Driver
AllocConsole
Kernel
notepad.exe
53. James Forshaw @tiraniddo
Job Object
The Trouble with Job Objects
53
WMI Service
Win32_Process::Create
User Process
Console Driver
AllocConsole
Kernel
conhost.exe
https://bugs.chromium.org/p/project-zero/issues/detail?id=213
Kernel can specify to breako
of job object, normally
required TCB privilege.
54. James Forshaw @tiraniddo
Job Object
The Trouble with Job Objects
54
WMI Service
Win32_Process::Create
User Process
Console Driver
AllocConsole
Kernel
conhost.exe
notepad.exe
Open Process and Inject Code
55. James Forshaw @tiraniddo
New Process Attribute for Win10 TH2
const int ProcThreadAttributeChildProcessPolicy = 14;
//
// Define Attribute to disable creation of child process
//
#define PROCESS_CREATION_CHILD_PROCESS_RESTRICTED 0x01
#define PROCESS_CREATION_CHILD_PROCESS_OVERRIDE 0x02
#define PROC_THREAD_ATTRIBUTE_CHILD_PROCESS_POLICY
ProcThreadAttributeValue(
ProcThreadAttributeChildProcessPolicy,
FALSE, TRUE, FALSE)
55
56. James Forshaw @tiraniddo
Pretty Effective Mitigation
56
WMI Service
Win32_Process::Create
User Process
Console Driver
AllocConsole
Kernel
conhost.exe
notepad.exe
PROCESS_CREATION_RESTRICTED
57. James Forshaw @tiraniddo
Inside SeSubProcessToken
DWORD ChildProcessPolicyFlag = // From process attribute.
BOOLEAN ChildProcessAllowed = TokenObject->TokenFlags &
CHILD_PROCESS_RESTRICTED;
if (!ChildProcessAllowed) {
if (!(ChildProcessPolicyFlag &
PROCESS_CREATION_CHILD_PROCESS_OVERRIDE)
|| !SeSinglePrivilegeCheck(SeTcbPrivilege))
return STATUS_ACCESS_DENIED;
}
SepDuplicateToken(TokenObject, ..., &NewTokenObject);
if (ChildProcessPolicyFlag &
PROCESS_CREATION_CHILD_PROCESS_RESTRICTED)
NewTokenObject->TokenFlags |= CHILD_PROCESS_RESTRICTED;
57
Mitigation is on Token not Process
58. James Forshaw @tiraniddo
Low Box Tokens (AppContainers)
● Many specific checks in the kernel for lowbox tokens
○ No NULL DACL access
○ Limited access to ATOM tables
● Capabilities which prevent access to things like network stack
● No read-up by default
● COM marshaling mitigations
○ Marshaled objects from AppContainers are untrusted
● Driver Traversal Check
○ Undocumented
FILE_DEVICE_ALLOW_APPCONTAINER_TRAVERSAL device
characteristic
58
60. James Forshaw @tiraniddo
ExIsRestrictedCaller
● Kernel function introduced in Windows 8.1
● Indicates whether the caller is “restricted”, what this actually means
in practice is whether the caller has an IL < Medium or is a Low Box
Token
● Only used to filter out sensitive kernel addresses to limit KASLR
leaks
○ Blocks profiling kernel addresses
○ Limits access to handle list which contains object addresses
○ Limits access to object type information
○ Limits thread and process information which leaks kernel addresses
● More information on Alex Ionescu’s blog:
○ http://www.alex-ionescu.com/?p=82
60
61. James Forshaw @tiraniddo
RtlIsSandboxedToken
● Very similar function to ExIsRestrictedCaller, but passes an token
● Introduced in Windows 10 but backported to Windows 7
61
BOOLEAN RtlIsSandboxedToken(PSECURITY_SUBJECT_CONTEXT
SubjectSecurityContext) {
SECURITY_SUBJECT_CONTEXT SecurityContext;
if (!SubjectSecurityContext) {
SeCaptureSubjectContext(&SecurityContext);
SubjectSecurityContext = &SecurityContext;
}
return !SeAccessCheck(
SeMediumDaclSd,
SubjectSecurityContext,
0x20000u);
}
65. James Forshaw @tiraniddo
Blocking NTFS Mount Points
NTSTATUS IopXxxControlFile(...) {
if (ControlCode == FSCTL_SET_REPARSE_POINT &&
RtlIsSandboxedToken()) {
status = FsRtlValidateReparsePointBuffer(buffer);
if (status < 0)
return status;
if (buffer.ReparseTag == IO_REPARSE_TAG_MOUNT_POINT) {
InitializeObjectAttributes(&ObjAttr,
reparse_buffer.PathBuffer, ...);
status = ZwOpenFile(&FileHandle, FILE_GENERIC_WRITE,
&ObjAttr, ..., FILE_DIRECTORY_FILE);
if (status < 0)
return status;
// Continue.
}
}
}
65
Checks target is a directory and
writable
66. James Forshaw @tiraniddo
TOCTOU Setting Mount Point
66
Sandboxed ProcessUnsandboxed Process
Mount Point
Non-Writable
Directory
Writable
Directory
Set Mount Point
67. James Forshaw @tiraniddo
TOCTOU Setting Mount Point
67
Sandboxed ProcessUnsandboxed Process
Mount Point
Non-Writable
Directory
Writable
Directory
Same Path,
Different Target.
68. James Forshaw @tiraniddo
TOCTOU Setting Mount Point
68
Sandboxed ProcessUnsandboxed Process
Mount Point
Non-Writable
Directory
Writable
Directory
Write me a file!
69. James Forshaw @tiraniddo
Blocking NTFS Mount Points
69
?? C: windows
Per-User DeviceHarddiskVolume1 windows
Device Map Directory Drive Letter Symbolic Link Volume Path
70. James Forshaw @tiraniddo
Blocking NTFS Mount Points
70
?? C: windows
Per-User DeviceHarddiskVolume1 windows
Device Map Directory Drive Letter Symbolic Link Volume Path
71. James Forshaw @tiraniddo
Per-Process Device Map
71
const int ProcessDeviceMap = 23;
struct PROCESS_DEVICEMAP_INFORMATION {
HANDLE DirectoryHandle;
};
bool SetProcessDeviceMap(HANDLE hDir) {
PROCESS_DEVICEMAP_INFORMATION DeviceMap = {hDir};
NTSTATUS status = NtSetInformationProcess(
GetCurrentProcess(),
ProcessDeviceMap,
&DeviceMap,
sizeof(DeviceMap));
return status == 0;
}
72. James Forshaw @tiraniddo
Blocking NTFS Mount Points
72
?? C: windows
Per-Process Object Directory C: Symlink windows
Device Map Directory Fake Drive Letter Symbolic
Link
Fake Volume
Path
Writable Directory
73. James Forshaw @tiraniddo
Blocking Process Device Map
NTSTATUS NtSetInformationProcess(...) {
// ...
case ProcessDeviceMap:
HANDLE hDir = *(HANDLE*)Data;
if (RtlIsSandboxedToken())
return STATUS_ACCESS_DENIED;
return ObSetDeviceMap(ProcessObject, hDir);
// ...
}
73
https://bugs.chromium.org/p/project-zero/issues/detail?id=486
74. James Forshaw @tiraniddo
Bypass Using Anonymous Token
74
?? C: windows
Anonymous User Object Directory C: Symlink windows
Device Map Directory Fake Drive Letter Symbolic
Link
Fake Volume
Path
Writable Directory
Call ImpersonateAnonymousToken()
https://bugs.chromium.org/p/project-zero/issues/detail?id=573
https://bugs.chromium.org/p/project-zero/issues/detail?id=589
79. James Forshaw @tiraniddo
Blocking NTFS Hardlinks
NTSTATUS NtSetInformationFile(...) {
case FileLinkInformation:
ACCESS_MASK RequiredAccess = 0;
if(RtlIsSandboxedToken()) {
RequiredAccess |= FILE_WRITE_ATTRIBUTES;
}
ObReferenceObjectByHandle(FileHandle, RequiredAccess);
}
79
Default, no access requires
In sandbox needs write
access
https://bugs.chromium.org/p/project-zero/issues/detail?id=531
80. James Forshaw @tiraniddo
The Ultimate Set of Options for Win10
● At least run with a lowbox token, ideally lowbox+restricted
○ Kicks in implicit sandbox mitigations
● Disable dynamic code
● Only allow Microsoft signed images to be loaded
● Disable child process creation
● Win32k Lockdown or at least block custom fonts
● Prevent loading DLLs from untrusted locations
80
82. James Forshaw @tiraniddo
Conclusions
● Microsoft adding more and more sandbox related mitigations to the
core of Windows. Still a lot more could be done though.
● They’re actively fixing issues with the mitigations, something they’
ve never really done before.
● You can make a fairly secure sandbox, especially with attack
surface reduction.
82
83. James Forshaw @tiraniddo
References and Source Code
● Sandbox Analysis Tools
○ https://github.com/google/sandbox-attacksurface-analysis-tools
● Symbolic Link Testing Tools
○ https://github.com/google/symboliclink-testing-tools
● Chrome Windows Sandbox Code
○ https://code.google.
com/p/chromium/codesearch#chromium/src/sandbox/win/src/
83
