TRICKING HARDWARE INTO EFFICIENTLY SECURING SOFTWARE Koen Koning VRIJE UNIVERSITEIT


TRICKING HARDWARE INTO EFFICIENTLY SECURING SOFTWARE
PH.D. THESIS
Koen Koning

The research reported in this dissertation was conducted at the Faculty of Science, at the Department of Computer Science, of the Vrije Universiteit Amsterdam. This work is part of the research programme Vici with project number 639.023.309 titled “Dowsing”, which is funded by the Dutch Research Council (NWO).

Copyright © 2020 by Koen Koning
Cover: illustration by Mei-Li Nieuwland, typography by Gabor Roozen

VRIJE UNIVERSITEIT

TRICKING HARDWARE INTO EFFICIENTLY SECURING SOFTWARE

ACADEMIC DISSERTATION to obtain the degree of Doctor at the Vrije Universiteit Amsterdam, by authority of the rector magnificus prof.dr. V. Subramaniam, to be defended in public before the doctoral committee of the Faculty of Science on Tuesday 26 January 2021 at 15.45 in the aula of the university, De Boelelaan 1105, by Koen Koning, born in Alkmaar.

promotor: prof.dr.ir. H.J. Bos
copromotor: dr. C. Giuffrida

/*
 * "Sam sat on the ground and put his head in his hands. ’I wish I had never
 * come here, and I don’t want to see no more magic,’ he said, and fell silent."
 */
        400.perlbench/src/mg.c, SPEC CPU2006

Acknowledgements

This thesis would not have been possible without the support of family, friends and colleagues. I am grateful to you all for giving me both a great environment to work and learn in, and for helping me maintain my sanity during it all.

Herbert, thank you for being a great supervisor, and for giving me the opportunity to do a PhD in the first place. You taught me a lot about research, and always allowed me to pursue work in areas I was interested in. Moreover, you were always accommodating and supportive when I needed it.[1] I could not have wished for a better (co)promoter than Cristiano. Your energy and infinite optimism are awesome, and always gave me motivation to persevere. I greatly appreciate how you somehow always seemed to make time for me, be it to help out with a project or to despair together about the state of academia.

I would also like to express my gratitude towards my committee, Pramod Bhatotia, Fabio Massacci, Nele Mentens, Mathias Payer, and Frank Piessens, for taking the time to review this thesis.

During my PhD I had the great pleasure of working together with Taddeüs, both directly on Delta Pointers, and helping me out on other projects (including this thesis!). You taught me most of what I know about compilers, and I am grateful I had someone to share the pain of debugging SPEC with. But moreover, I am happy to have you as a friend. Alyssa, you are one of the smartest, most helpful and kindest people I know, and you have been supporting me even before joining VUSec. Be it debugging a kernel, fixing a printer, designing a custom GameBoy CPU/PCB, or acquiring cute animal pictures, you were always there to help. I would also like to thank my former office mate, Kaveh, not only for putting up with this young and naive PhD student back then, but for teaching me so much about academia and research. And of course for the healthy(?) supply of alcoholic beverages.

There are many more (former) VUSec colleagues I would like to thank, for our work together and being there to chat with over lunch or beers. Thank you Andrea, Andrei B, Andrei T, Angelos, Ben, Brian, Chen, Dennis, Elia, Elias, Emanuele, Enes, Enrico, Erik B, Erik vdK, Hany, Istvan, Jakob, Koustubha, Lucian, Manolis, Manuel, Marco, Marius, Michael, Natalie, Pietro, Radhesh, Sanjay, Sebastian, Stephan, Victor D, and Victor vdV. And Caroline and Mojca for shielding me from the dangers of VU bureaucracy.

During my PhD I also had the opportunity to do two amazing internships. Thank you Manuel and others at Microsoft Research Cambridge for teaching me about practical security research, and the wonder of UK pubs. And thank you Sanjay, Philip and the rest of the SAL team at Intel Labs for making me feel part of the team and teaching me so much. Also thank you Dmitrii, Gurunath, Marcela, Palak, and others for the hiking trips and game nights in Oregon.

I count myself lucky to have so many wonderful friends who support me and distract me from work. Thank you Jos for getting me into this computer mess all those years ago, and the beautiful trips to Sweden. Thanks Koen for always looking out for me, and the many evenings of gaming (and sharing this beautiful name of ours). Thank you Arjen, Bas, Cédric, Floris (for so much, including unborking of my Dutch in this thesis), Rex (you were an awesome neighbor), and Victor for the countless evenings and beers we shared the past ten years, may there be many more. Vera, your emotional support has been invaluable, and I can always count on you to cheer me up. Thank you Raphael for giving me my first taste of doing research, and for imparting wisdom on me ever since. Thank you Mei-Li for being able to bring my research to life through illustrations, including the beautiful cover design.

Last but not least, for my parents and sister: my whole life you have helped me, believed in me, and fought for me. I can always count on you, and without you I would certainly never have gotten here. Thank you!

Koen Koning
Amsterdam, The Netherlands, December 2020

[1] Just too bad about that whole Emacs thing.

Contents

Acknowledgements  vii
Contents  ix
List of Figures  xi
List of Tables  xiii
Publications  xv

1 Introduction  1
  1.1 Memory errors and attacks  3
    1.1.1 Partial defenses  5
    1.1.2 Protecting binaries  6
  1.2 Contributions and roadmap  7

2 No Need to Hide: Protecting Safe Regions on Commodity Hardware  9
  2.1 Introduction  10
  2.2 Memory isolation in review  12
    2.2.1 Deterministic vs probabilistic isolation  12
    2.2.2 Defenses that rely on isolation  13
    2.2.3 Threat model  15
  2.3 Deterministic memory isolation  16
    2.3.1 Domain-based isolation  18
    2.3.2 Address-based isolation  21
  2.4 MemSentry applications  22
  2.5 Implementation  23
    2.5.1 VMFUNC  24
    2.5.2 MPK  24
    2.5.3 Encryption  25
    2.5.4 MPX and SFI  25
    2.5.5 LLVM & points-to analysis  26
  2.6 Evaluation  27
    2.6.1 Microbenchmarks  28
    2.6.2 Real-world performance  29
    2.6.3 Discussion  32
  2.7 Related work  34
  2.8 Conclusion  35

3 Delta Pointers: Buffer Overflow Checks Without the Checks  37
  3.1 Introduction  38
  3.2 Background  39
  3.3 Threat model  41
  3.4 Delta Pointers  41
  3.5 Pointer tagging  45
    3.5.1 C pointer operations  46
    3.5.2 Compiler support  47
    3.5.3 Coverage considerations  49
    3.5.4 Performance considerations  50
  3.6 Implementation  51
    3.6.1 Address space reduction  51
    3.6.2 Instrumentation  52
    3.6.3 Coverage  52
    3.6.4 Optimization  54
  3.7 Evaluation  55
    3.7.1 Runtime performance  55
    3.7.2 Security  58
  3.8 Discussion  60
  3.9 Related work  62
  3.10 Conclusion  64
  Appendices  67

4 Secure and Efficient Multi-variant Execution Using Hardware-assisted Process Virtualization  67
  4.1 Introduction  68
  4.2 Background  70
    4.2.1 Monitor  70
    4.2.2 Variant generation  72
  4.3 Threat model  73
  4.4 Overview  73
  4.5 MvArmor: fast and secure MVX  75
    4.5.1 Variant generator  75
    4.5.2 Security manager  77
    4.5.3 Syscall frontend  77
    4.5.4 Variant manager  78
    4.5.5 Syscall backend  79
    4.5.6 Namespace manager  80
    4.5.7 Detector  81
    4.5.8 Implementation  81
  4.6 Limitations  82
  4.7 Evaluation  82
    4.7.1 Server performance  83
    4.7.2 SPEC performance  86
    4.7.3 Microbenchmark performance  87
    4.7.4 Security  88
  4.8 Related work  90
  4.9 Conclusion  91

5 kMVX: Detecting Kernel Information Leaks with Multi-variant Execution  93
  5.1 Introduction  94
  5.2 Background  95
  5.3 Threat model  97
  5.4 kMVX: Kernel multi-variant execution  98
    5.4.1 Syscall synchronization  99
    5.4.2 I/O sync  100
    5.4.3 Variant generation  100
  5.5 Implementation  102
    5.5.1 Variant generation  103
    5.5.2 Syscall sync  104
    5.5.3 I/O sync  105
  5.6 Evaluation  108
    5.6.1 Performance evaluation  108
    5.6.2 Security analysis  114
  5.7 Related work  116
  5.8 Conclusion  117

6 Conclusion  119
  6.1 Future directions  120

References  123
Summary  139
Summary (in Dutch)