Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches


DOCTORAL THESIS OF CENTRALESUPELEC, RENNES
COMUE UNIVERSITÉ BRETAGNE LOIRE
DOCTORAL SCHOOL No. 601: Mathematics and Information and Communication Sciences and Technologies
Specialty: Computer Science

By Ronny Chevalier

Detecting and Surviving Intrusions
Exploring New Host-Based Intrusion Detection, Recovery, and Response Approaches

Thesis presented and defended in Rennes on 17 December 2019
Research unit: IRISA
Thesis No.: 2019CSUP0003

Reviewers before the defense:
• Joaquin Garcia-Alfaro, Professor, Telecom SudParis
• Herbert Bos, Full Professor, Vrije Universiteit Amsterdam

Jury composition:
• President: Laurence Pierre, Professor, Université Grenoble Alpes
• Examiners: Joaquin Garcia-Alfaro, Professor, Telecom SudParis; Herbert Bos, Full Professor, Vrije Universiteit Amsterdam; Karine Heydemann, Maître de conférences, Université Pierre et Marie Curie; Guillaume Hiet, Maître de conférences, CentraleSupélec Rennes; David Plaquin, Senior Research Scientist, HP
• Thesis supervisor: Ludovic Mé, Advanced Research Position, Inria

ABSTRACT

Computing platforms, such as embedded systems or laptops, are built with layers of preventive security mechanisms to help reduce the likelihood of attackers successfully compromising them. Nevertheless, given time and despite decades of improvements in preventive security, intrusions still happen. Therefore, systems should expect intrusions to occur, thus they should be built to detect and to survive them. Systems are monitored with intrusion detection solutions, but their ability to survive intrusions is limited. State-of-the-art approaches from industry or academia either involve manual procedures, loss of availability, coarse-grained responses, or non-negligible performance overhead. Moreover, low-level components, such as the BIOS, are increasingly targeted by sophisticated attackers to implant stealthy and resilient malware. State-of-the-art solutions, however, mainly focus on boot time security, leaving the most privileged part of the BIOS—known as the System Management Mode (SMM)—a prime target. The introduction of new solutions raises various challenges such as the security of the monitor, its ability to gather information about its target, the detection models, responding to intrusions, and maintaining the availability of the system despite the presence of an adversary. Our contribution is two-fold:

• At the OS level, we introduce an intrusion survivability approach aimed at commodity OSs. We combine intrusion recovery and fine-grained cost-sensitive intrusion response to leverage a safe degraded mode when an intrusion is detected. Such a degraded mode prevents attackers from reinfecting the system or from achieving their goals if they managed to reinfect it. It maintains the availability of core functions while waiting for patches to be deployed. (The initial idea behind this contribution was presented as a short paper at RESSI'18; the final work was published at ACSAC'19.)

• At the BIOS level, we introduce an event-based and co-processor-based behavior monitoring approach to detect intrusions targeting the SMM on x86 platforms. We isolate the monitor using a co-processor to ensure its security, and we bridge the semantic gap resulting from this isolation by using a dedicated communication channel. This channel is used to send relevant information about the SMM code behavior, which we compare with the model of its expected behavior—using invariants of its control flow and of relevant CPU registers. (This contribution has been published at ACSAC'17.)

Keywords: Information Security, Intrusion Detection, Intrusion Response, Intrusion Recovery, Intrusion Survivability

PUBLICATIONS

This thesis is based on previously published papers written jointly with several collaborators:

International conference papers
• Ronny Chevalier, David Plaquin, Chris Dalton, and Guillaume Hiet. "Survivor: A Fine-Grained Intrusion Response and Recovery Approach for Commodity Operating Systems". In: Proceedings of the 35th Annual Computer Security Applications Conference. ACSAC'19. ACM, Dec. 2019. doi: 10.1145/3359789.3359792.
• Ronny Chevalier, Maugan Villatel, David Plaquin, and Guillaume Hiet. "Co-processor-based Behavior Monitoring: Application to the Detection of Attacks Against the System Management Mode". In: Proceedings of the 33rd Annual Computer Security Applications Conference. ACSAC'17. ACM, Dec. 2017, pp. 399–411. doi: 10.1145/3134600.3134622.

National conference papers
• Ronny Chevalier, David Plaquin, and Guillaume Hiet. "Intrusion Survivability for Commodity Operating Systems and Services: A Work in Progress". In: Rendez-vous de la Recherche et de l'Enseignement de la Sécurité des Systèmes d'Information. RESSI'18. May 2018.

In addition, as I was employed by HP during the three years of this Ph.D., patent applications related to the work, ideas, or solutions presented in this document were filed:

Patent applications
• Ronny Chevalier, David Plaquin, Guillaume Hiet, and Adrian Baldwin. "Mitigating Actions". Pat. req. Hewlett-Packard Development Company, L.P. May 2018.
• Ronny Chevalier, David Plaquin, Maugan Villatel, and Guillaume Hiet. "Intrusion Detection Systems". Pat. req. Hewlett-Packard Development Company, L.P. June 2017.
• Ronny Chevalier, David Plaquin, Maugan Villatel, and Guillaume Hiet. "Monitoring Control-Flow Integrity". Pat. req. Hewlett-Packard Development Company, L.P. June 2017.

Finally, during these years I also contributed to another related area, but the following publication is not discussed in this thesis:

International conference paper
• Ronny Chevalier, Stefano Cristalli, Christophe Hauser, Yan Shoshitaishvili, Ruoyu Wang, Christopher Kruegel, Giovanni Vigna, Danilo Bruschi, and Andrea Lanzi. "BootKeeper: Validating Software Integrity Properties on Boot Firmware Images". In: Proceedings of the 9th ACM Conference on Data and Application Security and Privacy. CODASPY'19. ACM, Mar. 2019, pp. 315–325. doi: 10.1145/3292006.3300026.

ACKNOWLEDGMENTS – REMERCIEMENTS

No one does everything alone. Many people contributed—sometimes even without knowing it—to this research and dissertation either intellectually, financially, logistically, or personally. This is my attempt at acknowledging their help, interest, and contributions over the years.

First and foremost, I would like to thank Herbert Bos, Joaquin Garcia-Alfaro, Karine Heydemann, and Laurence Pierre for taking an interest in my work and for accepting to be members of the jury. Especially Herbert and Joaquin for their detailed review of this manuscript.

I was fortunate to be advised by Boris Balacheff, Guillaume Hiet, Ludovic Mé, and David Plaquin. They all shared different responsibilities and duties during this work, but they all provided me with their expertise, helpful criticism, and time. I want to thank in particular Guillaume and David, whose advice, comments, and discussions helped shape this dissertation and my research in many respects.

During these three years I was also part of two teams: the CIDRE team at CentraleSupélec and the Security Lab at HP. I want to thank them for giving me an academic and industry perspective on research. I would like to thank the members of CIDRE for the scientific and technical discussions that I had with them over the years, but also all the "team building" we had at lunchtime with the PhD students and interns. So thanks to all of them, especially to David Lanoë with his unrelenting force when hitting the cue ball, Pierre Graux with his nice collection of little orange men, Cédric Herzog with his love for Germany, Benoît Fournier who likes to keep a log of what we say, and Aïmad Berady le malicieux.

I also want to thank HP and especially the Security Lab at Bristol. Working with them gave me an insight into what it is like to work with a competent industry research lab. In particular, I would like to thank Philippa Bayley and Boris, who worked hard to make sure that I could work at HP for my PhD. I would also like to acknowledge the expertise and time that Chris Dalton and Maugan Villatel provided me over the years; I was fortunate to have them as co-authors on some of my papers. I would also like to thank Vali Ali, Pierre Belgarric, Rick Bramley, Carey Huscroft, Jeff Jeansonne, and Thalia Laing for their feedback and technical discussions on my work. I am also grateful to Daniel Ellam, Jonathan Griffin, and Stuart Lees for their help in setting up and running some experiments in their malware lab, and to Josh Schiffman for giving me opportunities to present my work at HP.

I would also like to thank François Bourdon and Laurent Jeanpierre. They were teachers of mine, respectively in operating systems and computer architecture, during the first two years of my higher education. Both motivated me—probably without knowing it—to think about pursuing a career in research. François is also the reason why I went to Rennes for my studies. He told me that there was a research team in Rennes working on computer security, and he pointed me towards someone called Ludovic Mé. I was unaware at the time that four years later I would be doing a PhD in this team, with Ludovic as my doctoral advisor.

I would also like to thank Jérémy and Martin, who went from classmates, to friends, to best men at my wedding, and who also happened to follow a similar career path as PhD students.

I will finish by thanking my family, in French. In particular, my parents, who always supported me even though they probably did not realize that all the time I spent on a computer back then would be useful one day. Then Léni, without whom I would probably never have become interested in computing in the first place. Finally, Agathe, who proofread the French summary of this manuscript, and who above all agreed to be part of my life.

CONTENTS

Abstract iii
Publications v
Acknowledgments – Remerciements vii
Acronyms xv

I Prologue
1 Introduction 3
1.1 Problem Statement 3
1.1.1 Preventive Security is not Sufficient 4
1.1.2 Commodity OSs Can Detect but Cannot Survive Intrusions 5
1.1.3 Low-Level Components Increasingly Targeted 6
1.2 Thesis 7
1.3 Evaluation Approach 8
1.4 Outline 8
2 Background: From x86 Power-On to Login Prompt 9
2.1 BIOS and UEFI-Compliant Boot Firmware
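The OS-level contribution summarized in the abstract combines recovery with a cost-sensitive choice of responses so that a service keeps running in a degraded mode. The following is an added illustration, written for this page and not code from the thesis or from Survivor: it assumes that each detected malicious behavior and each candidate response carries an availability cost, and picks the cheapest set of responses that blocks every detected behavior without costing more than the intrusion itself. The behavior names, response names and cost scale are all constructed for the example.

```python
"""Cost-sensitive response selection for a degraded mode (constructed example).

Assumptions made for this illustration (not from the thesis):
  * a detector reports the malicious behaviors it observed for one service;
  * each candidate response restricts the service, blocks some behaviors, and
    has an availability cost on an arbitrary 0..10 scale;
  * the intrusion itself has a cost; a response plan is acceptable only if it
    blocks every detected behavior and costs no more than the intrusion.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Response:
    name: str
    cost: int                 # availability loss if this restriction is applied
    blocks: FrozenSet[str]    # malicious behaviors this restriction prevents


# Constructed catalogue of responses; names and costs are made up.
RESPONSES: Sequence[Response] = (
    Response("block_network", 6, frozenset({"net-out"})),
    Response("firewall_allowlist", 3, frozenset({"net-out"})),
    Response("readonly_etc", 1, frozenset({"write-etc"})),
    Response("deny_exec", 2, frozenset({"spawn-shell"})),
    Response("kill_service", 10, frozenset({"net-out", "write-etc", "spawn-shell"})),
)


def select_responses(detected: Set[str], responses: Sequence[Response],
                     intrusion_cost: int) -> Optional[List[str]]:
    """Return the names of the cheapest response set that covers every detected
    behavior and costs at most `intrusion_cost`, or None when no set qualifies
    (in which case the degraded mode cannot be applied at acceptable cost)."""
    best_cost, best_plan = None, None
    for size in range(1, len(responses) + 1):
        for combo in combinations(responses, size):
            covered = frozenset().union(*(r.blocks for r in combo))
            if not detected <= covered:
                continue  # some detected behavior would remain possible
            cost = sum(r.cost for r in combo)
            if cost > intrusion_cost:
                continue  # the cure would hurt availability more than the intrusion
            if best_cost is None or cost < best_cost:
                best_cost, best_plan = cost, combo
    return None if best_plan is None else sorted(r.name for r in best_plan)


def recover_in_degraded_mode(checkpoint: dict, plan: List[str]) -> dict:
    """Restore the service from a checkpoint taken before the intrusion and tag
    it with the restrictions to enforce until a patch is deployed."""
    state = dict(checkpoint)              # start again from known-good state
    state["restrictions"] = list(plan)    # degraded mode: these stay on
    state["patched"] = False
    return state


if __name__ == "__main__":
    detected = {"net-out", "write-etc"}
    plan = select_responses(detected, RESPONSES, intrusion_cost=5)
    print("plan:", plan)
    if plan:
        print(recover_in_degraded_mode({"service": "web", "version": 42}, plan))
```

With the constructed catalogue, an intrusion rated at cost 5 that exfiltrates over the network and writes under /etc is answered by firewall_allowlist plus readonly_etc (total cost 4), whereas block_network plus readonly_etc (7) and kill_service (10) are rejected as costing more than the intrusion; lowering the intrusion cost to 3 leaves no acceptable plan.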
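The BIOS-level contribution described in the abstract sends information about the SMM code's behavior over a dedicated channel to an isolated monitor, which compares it with a model built from control-flow invariants and expected CPU register values. The block below is an added illustration of that comparison, not code from the thesis: it assumes a channel that carries three message kinds (indirect call, return, register write) and a model made of a per-call-site target allow-list, a shadow stack, and fixed register values. All addresses, register values and the message layout are constructed for the example.

```python
"""Event-based behavior monitor replaying messages from an (assumed) channel.

Constructed example, not the thesis's implementation. The monitored target is
assumed to be instrumented so that, before each indirect call, at each return
and at each write to a security-relevant register, it sends a message; the
monitor, running in isolation, checks each message against its model and never
touches the target's memory.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Message kinds assumed on the channel.
CALL, RET, REG = "call", "ret", "reg"


@dataclass
class BehaviorModel:
    allowed_targets: Dict[int, Set[int]]     # call site -> permitted targets
    register_invariants: Dict[str, int]      # register -> value it must keep


@dataclass
class Monitor:
    model: BehaviorModel
    shadow_stack: List[int] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def consume(self, event: Tuple) -> None:
        kind = event[0]
        if kind == CALL:
            _, site, target, return_addr = event
            # Control-flow invariant: the call site may only reach modelled targets.
            if target not in self.model.allowed_targets.get(site, set()):
                self.alerts.append(f"cfi: call from {site:#x} to {target:#x} not in model")
            self.shadow_stack.append(return_addr)
        elif kind == RET:
            _, return_addr = event
            # Backward-edge invariant: a return must go where the call came from.
            expected = self.shadow_stack.pop() if self.shadow_stack else None
            if expected != return_addr:
                shown = f"{expected:#x}" if expected is not None else "empty stack"
                self.alerts.append(f"shadow-stack: ret to {return_addr:#x}, expected {shown}")
        elif kind == REG:
            _, name, value = event
            # Register invariant: values fixed at SMM setup must not change.
            wanted = self.model.register_invariants.get(name)
            if wanted is not None and value != wanted:
                self.alerts.append(f"register: {name} = {value:#x}, invariant {wanted:#x}")
        else:
            self.alerts.append(f"protocol: unknown message kind {kind!r}")


def check_trace(trace: List[Tuple], model: BehaviorModel) -> List[str]:
    """Replay a whole channel trace and return every violation found."""
    mon = Monitor(model)
    for event in trace:
        mon.consume(event)
    if mon.shadow_stack:
        mon.alerts.append(f"shadow-stack: {len(mon.shadow_stack)} frame(s) never returned")
    return mon.alerts


# Constructed model: one call site with two legitimate targets, two registers
# whose values were recorded when SMM was set up (all values made up).
MODEL = BehaviorModel(
    allowed_targets={0x8000_1000: {0x8000_2000, 0x8000_2400}},
    register_invariants={"SMBASE": 0x8000_0000, "CR3": 0x0010_0000},
)

# Constructed traces as they would arrive on the channel.
BENIGN_TRACE = [
    (REG, "SMBASE", 0x8000_0000),
    (CALL, 0x8000_1000, 0x8000_2000, 0x8000_1005),
    (RET, 0x8000_1005),
    (REG, "CR3", 0x0010_0000),
]
VIOLATING_TRACE = [
    (REG, "SMBASE", 0x8000_0000),
    (CALL, 0x8000_1000, 0x8000_3000, 0x8000_1005),   # target outside the allow-list
    (RET, 0x8000_4000),                               # return address does not match
    (REG, "SMBASE", 0x9000_0000),                     # register invariant broken
]

if __name__ == "__main__":
    print("benign:", check_trace(BENIGN_TRACE, MODEL))
    for alert in check_trace(VIOLATING_TRACE, MODEL):
        print("alert:", alert)
```

The monitor only ever reads messages, which is what lets it sit on a separate processor: the model answers "is this transition expected?" without the monitor needing to introspect the target's memory, and each message kind maps to one invariant class named in the abstract (control-flow edges, returns, register values).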