Under the hood of modern HIPS-es
and Windows access control
mechanisms
02/11/2014
Defcon Russia (DCG #7812)
Who we are
/*
Vasily Bukasov – Security researcher, ReCrypt LLC
CTO and co-founder
Dmitry Schelkunov – PhD, Security researcher,
ReCrypt LLC CEO and co-founder
*/

Agenda
/*
• HIPS – Host-Based Intrusion Prevention System
• HIPS implementation approaches for Windows:
– Virtualization
– Hooks-based (old school)
– Based on Windows access control mechanisms
(new trend)
– Mix of the previous two (pizza)

*/
Part I. Introduction to the Windows
access control mechanisms

Security identifier
/*
• SID (security identifier) is a unique identifier
within a single machine, which identifies a
subject
• Logon SID is a SID which is created by
Winlogon for each interactive logon session (S-1-5-5-0-xxxxx)
*/
Integrity Level
/*
• Untrusted – 0x0000
• Low – 0x1000
• Medium – 0x2000
• High – 0x3000
• System – 0x4000
*/
Access token
/*
• Identifies the security context of a process or
thread
• Contains or references information such as the session
ID, integrity level, account, groups and privileges
associated with the process or thread
*/

Access token
/*
• Restricted token
– Some privileges can be removed
– SIDs in the token can be marked as deny-only
– SIDs in the token can be marked as restricted

• Filtered admin token (a restricted token variation)
– Integrity level is set to medium
– Administrator-like SIDs are marked as deny-only
– Most privileges are stripped
– Used by UAC

*/
Security descriptor
/*
• Security information associated with an object,
which specifies who can perform what actions
on the object
• Includes two access control lists (ACLs):
discretionary (DACL) and system (SACL)
*/

Access checks
/*
• Mandatory access control (uses integrity
levels)
• Discretionary access control (uses DACLs)
*/

Mandatory policies
/*
• No-Write-Up (on all objects) – used to restrict write access
coming from a lower integrity level process to the object
• No-Read-Up (on process objects) – used to restrict read
access coming from a lower integrity level process to the
object
• No-Execute-Up (on binaries implementing COM classes) –
used to restrict execute access coming from a lower
integrity level process to the object
*/

Mandatory access control
/*
With the default integrity policies, processes
can open any object—with the exception of
process, thread and token objects—for read
access as long as the object’s DACL grants
them read access
*/
Discretionary access control
/*
• For each object there is an ordered list of entries. Each
entry specifies the access rights allowed or denied
for a subject
• The order of the entries matters
*/
Impersonation
/*
• Roughly, impersonation is a mechanism that allows code
to execute with the security context of a
target process
• Two interesting impersonation properties
– The integrity level of the current thread must be greater than
or equal to the target process's
– The target process's token must be read-accessible from the
current thread

*/
Part II. Existing sandboxing
techniques

HIPS implementation approaches
/*
• Virtualization
• Hooks-based (old school)
• Based on Windows access control mechanisms
(new trend)
• Mix of the previous two (pizza)

*/

Windows access control
mechanisms
/*
• Restricted token
– Disabled SIDs
– Restricted SIDs
– Integrity level

• Another user
• Job restrictions
• Separate desktop

*/
AppContainer
/*
• Lowbox token
• Low integrity level
• Capabilities
• Separate local NamedObjects directory
*/

Part III. Common pitfalls and
vulnerabilities

Logon SID and broken Run As
/*
If we use Run As to start a process under
another user, it is started with the Logon SID of
the current user
*/

Logon SID and broken Run As
/*
1. Run Process Explorer
2. Run notepad.exe
3. Double-click notepad.exe in the Process
Explorer window
4. Go to the Security tab and click the Permissions button
*/
Logon SID and broken Run As

Logon SID and broken Run As
/*
• Process permissions for Logon SID are: Query limited
information, Query information, Read memory, Terminate,
Synchronize and Read permissions
• Token permissions for Logon SID are: Assign as primary
token, Duplicate, Impersonate, Query, Query source, and
Read permissions
• Thread permissions for Logon SID are: Query limited
information, Query information, Get context, Synchronize
and Read permissions
*/
Logon SID and broken Run As
/*
So, if a process was started under another user using Run
As, then in most cases a thread of this process can:
• get another user's process token (the target process)
• impersonate the target's security context
• get all access rights of the target process
*/
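The access-check rules from Part I (mandatory integrity policies, ordered DACL evaluation, deny-only and restricted SIDs, the two impersonation preconditions) and the Run As observation on this slide, as one added model written for this page; it is not the authors' code and not the Windows implementation. Access-mask bits and all SIDs are constructed, privileges and No-Execute-Up are not modelled, and "read-accessible token" is taken to mean TOKEN_QUERY and TOKEN_DUPLICATE.

```python
from dataclasses import dataclass, field

# Integrity levels, as listed on the "Integrity Level" slide.
UNTRUSTED, LOW, MEDIUM, HIGH, SYSTEM = 0x0000, 0x1000, 0x2000, 0x3000, 0x4000
# Constructed access-mask bits for the model (not the real Win32 values).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
TOKEN_QUERY, TOKEN_DUPLICATE, TOKEN_IMPERSONATE = 0x10, 0x20, 0x40

@dataclass
class Ace:
    allow: bool     # False = access-denied ACE
    sid: str
    mask: int

@dataclass
class SecurityObject:
    dacl: list                  # ordered DACL; order matters
    integrity: int              # integrity label of the object
    is_process: bool = False    # No-Read-Up applies to process objects only

@dataclass
class Token:
    user: str
    groups: set                                   # enabled group SIDs
    integrity: int
    deny_only: set = field(default_factory=set)   # SIDs that only match deny ACEs
    restricted: set = field(default_factory=set)  # restricted SIDs (second DACL pass)

def mandatory_check(token, obj, desired):
    """Mandatory policies from the deck: No-Write-Up on all objects and
    No-Read-Up on process objects (No-Execute-Up is not modelled)."""
    if token.integrity >= obj.integrity:
        return True
    if desired & WRITE:
        return False
    return not (obj.is_process and desired & READ)

def _dacl_pass(sids, deny_only, dacl, desired):
    """One pass over an ordered DACL: a deny ACE covering a still-outstanding
    right denies, allow ACEs accumulate rights, and the walk stops once every
    requested right is granted. An empty DACL grants nothing."""
    remaining = desired
    for ace in dacl:
        if ace.sid not in sids and ace.sid not in deny_only:
            continue                      # trustee not present in the token
        if not ace.allow:
            if ace.mask & remaining:
                return False              # denied before the right was granted
        elif ace.sid in sids:             # deny-only SIDs never satisfy an allow ACE
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return remaining == 0

def access_check(token, obj, desired):
    """Simplified AccessCheck: mandatory check first, then the DACL. For a
    restricted token the DACL is walked a second time with the restricted
    SIDs only, and both passes must grant the requested access."""
    if not mandatory_check(token, obj, desired):
        return False
    if not _dacl_pass({token.user} | token.groups, token.deny_only, obj.dacl, desired):
        return False
    if token.restricted:
        return _dacl_pass(token.restricted, set(), obj.dacl, desired)
    return True

def can_impersonate(thread_token, target_proc, target_token_obj):
    """The two impersonation properties from the deck: the thread's integrity
    level must be at least the target process's, and the target's token must
    be accessible to the thread (modelled as TOKEN_QUERY | TOKEN_DUPLICATE)."""
    if thread_token.integrity < target_proc.integrity:
        return False
    return access_check(thread_token, target_token_obj, TOKEN_QUERY | TOKEN_DUPLICATE)

def run_as_pitfall():
    """Replay the deck's Run As observation: a process started for user B via
    Run As gets user A's logon SID in its token, and A's own processes grant
    that logon SID the rights the deck lists on their process and token
    objects, so a thread of the Run As process can impersonate A. A token
    carrying a separate logon SID fails the same check. All SIDs are
    constructed (S-1-5-5-X-Y is the logon SID layout)."""
    user_a, user_b = "S-1-5-21-1-1-1-1001", "S-1-5-21-1-1-1-1002"
    logon_a, logon_b = "S-1-5-5-0-1001", "S-1-5-5-0-2002"
    token_rights = TOKEN_QUERY | TOKEN_DUPLICATE | TOKEN_IMPERSONATE
    # User A's interactive process and its token, as Process Explorer showed them.
    proc_a = SecurityObject([Ace(True, user_a, READ | WRITE | EXECUTE),
                             Ace(True, logon_a, READ | EXECUTE)], MEDIUM, is_process=True)
    token_a = SecurityObject([Ace(True, user_a, token_rights),
                              Ace(True, logon_a, token_rights)], MEDIUM)
    # Run As process of user B: same logon SID as A's session (the deck's finding).
    run_as_thread = Token(user=user_b, groups={logon_a}, integrity=MEDIUM)
    # The same process started with a token from a separate logon session.
    other_thread = Token(user=user_b, groups={logon_b}, integrity=MEDIUM)
    return (can_impersonate(run_as_thread, proc_a, token_a),
            can_impersonate(other_thread, proc_a, token_a))   # (True, False)
```

access_check() can also be called directly to see that a deny-only Administrators SID in a filtered admin token no longer satisfies an allow ACE, or that a restricted token needs both DACL passes to grant.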
Crossroads or how to
make Run As secure
/*
1. CreateProcessWithLogonW. We can't modify the
default user token. Insecure
2. CreateProcessAsUser. Creates a process with the
same Logon SID. Insecure
3. CreateProcessWithTokenW. That seems to be
the only solution. But … it creates a process in the
current session only (MSDN lies)
*/
Desktop is a security boundary
/*
• A lot of applications work incorrectly if the
DESKTOP_HOOKCONTROL access right is not granted, because
runtime libraries use window hooks quite often
• If the DESKTOP_HOOKCONTROL access right is granted, then an
application, even one started under another user, can
set window hooks on another application's windows
and possibly execute arbitrary code in the context of
that application
*/
Up to XP
/*
* Is the app hooking another user without access?
* If so return an error. Note that this check is done
* for global hooks every time the hook is called.
*/
if ((!RtlEqualLuid(&ptiThread->ppi->luidSession,
                   &ptiCurrent->ppi->luidSession)) &&
    !(ptiThread->TIF_flags & TIF_ALLOWOTHERACCOUNTHOOK)) {
    RIPERR0(ERROR_ACCESS_DENIED,
            RIP_WARNING,
            "Access denied to other user in zzzSetWindowsHookEx");
    return NULL;
}
Vista and above

Other pitfalls
/*
• protection from neighbours
• screenshots
• keylogging
• network access
• clipboard access
• webcam access
• microphone access
*/
Part IV. Escape from sandbox

Competition of HIPS-es
/*
• This research was done some time ago
• 8 participants
• 1 recent but public injection technique
*/

Competition of HIPS-es
/*
• 3 participants resisted well
– The first one is x86 version only (hooks-based)
– The second one (hooks-based) is discontinued
– The third one was quite raw

*/
Competition of HIPS-es
/*
• 2 resisted in the default configuration (but gave up after
ring3 unhooking)
• 1 just virtualizes the hard drive and doesn't prevent driver
loading. But it's marketed as an antimalware product
• 1 started a process with an admin token instead of a
filtered admin token (it seems these guys have their
own understanding of security)
*/
Contacts
/*
fixer@re-crypt.com Vasily Bukasov
schelkunov@re-crypt.com Dmitry Schelkunov
*/

Handwritten Text Recognition for manuscripts and early printed texts
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 

Under the hood of modern HIPS-es and Windows access control mechanisms

10. Access checks
/*
• Mandatory access control (uses integrity levels)
• Discretionary access control (uses DACLs)
*/

11. Mandatory policies
/*
• No-Write-Up (on all objects) – restricts write access coming from a lower integrity level process to the object
• No-Read-Up (on process objects) – restricts read access coming from a lower integrity level process to the object
• No-Execute-Up (on binaries implementing COM classes) – restricts execute access coming from a lower integrity level process to the object
*/

12. Mandatory access control
/*
With the default integrity policies, processes can open any object (with the exception of process, thread and token objects) for read access as long as the object's DACL grants them read access
*/

13. Discretionary access control
/*
• For each object there is a list of entries (ACEs). Each entry allows or denies access rights to a subject
• The order of the entries matters: the entries are evaluated in sequence and an entry that denies a requested right ends the check, so a canonical DACL places deny entries before allow entries
*/
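The checks on slides 10-13 and the restricted-token mechanism on slide 17, as an added model in C that is not part of the talk. It is a simplified re-implementation of the algorithm the slides describe, not the kernel's own code: SIDs are small integers, tokens and ACEs are plain structs, and all sample objects and tokens (file_canonical, uac_token and the rest) are constructed here. It shows the four points a sandbox author trips over: the integrity check runs before the DACL and blocks only what the label policy names, ACE order decides the result, a deny-only SID (the filtered admin token's Administrators SID) can only lose rights, and a restricted token must pass the DACL twice.

```c
/* Model of the Windows access check described on slides 10-13 and 17.
 * Added illustration, not code from the talk: SIDs are small integers and
 * every structure below is a hypothetical, reduced form of the real one. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum { ACC_READ = 1, ACC_WRITE = 2, ACC_EXECUTE = 4 };          /* GENERIC_* stand-ins */
enum { IL_LOW = 0x1000, IL_MEDIUM = 0x2000, IL_HIGH = 0x3000 }; /* slide 6 values */
enum { NO_WRITE_UP = 1, NO_READ_UP = 2, NO_EXECUTE_UP = 4 };    /* label policy, slide 11 */
enum { SID_USER = 1, SID_ADMINS, SID_RESTRICTED };
#define SID_DENY_ONLY 1u  /* token SID attribute: considered by deny ACEs only */

typedef enum { ACE_ALLOW, ACE_DENY } ace_type_t;
typedef struct { ace_type_t type; int sid; uint32_t mask; } ace_t;
typedef struct { int sid; uint32_t attrs; } token_sid_t;
typedef struct {                        /* security descriptor, reduced to what the check reads */
    uint32_t integrity, policy;         /* mandatory label */
    const ace_t *dacl; size_t n_aces;   /* dacl == NULL: no DACL, everyone gets everything */
} object_t;
typedef struct {
    uint32_t integrity;
    const token_sid_t *sids; size_t n_sids;     /* enabled and deny-only SIDs */
    const int *restricted; size_t n_restricted; /* restricting SIDs of a restricted token */
} token_t;

/* First pass: a deny-only SID is seen by deny ACEs but never grants anything. */
static bool match_normal(const token_t *t, int sid, bool deny_ace) {
    for (size_t i = 0; i < t->n_sids; i++)
        if (t->sids[i].sid == sid && (deny_ace || !(t->sids[i].attrs & SID_DENY_ONLY)))
            return true;
    return false;
}
/* Second pass for restricted tokens: only the restricting SIDs count. */
static bool match_restricted(const token_t *t, int sid, bool deny_ace) {
    (void)deny_ace;
    for (size_t i = 0; i < t->n_restricted; i++)
        if (t->restricted[i] == sid) return true;
    return false;
}
/* One ordered walk over the DACL (slide 13). The walk stops once every requested
 * right is granted; a deny ACE covering a still-ungranted requested right ends
 * the check, which is why ACE order decides the result. */
static bool dacl_pass(const object_t *o, const token_t *t, uint32_t requested,
                      bool (*match)(const token_t *, int, bool)) {
    uint32_t granted = 0;
    for (size_t i = 0; i < o->n_aces && (granted & requested) != requested; i++) {
        const ace_t *a = &o->dacl[i];
        if (a->type == ACE_DENY) {
            if (match(t, a->sid, true) && (a->mask & requested & ~granted)) return false;
        } else if (match(t, a->sid, false)) {
            granted |= a->mask;
        }
    }
    return (granted & requested) == requested;
}
/* Mandatory integrity check (slides 10-12): a lower-IL caller loses only the rights
 * the label policy names; the rest is left to the DACL, which is why a Low
 * process can still read most objects. */
static bool mandatory_check(const object_t *o, const token_t *t, uint32_t requested) {
    uint32_t blocked = 0;
    if (t->integrity >= o->integrity) return true;
    if (o->policy & NO_WRITE_UP)   blocked |= ACC_WRITE;
    if (o->policy & NO_READ_UP)    blocked |= ACC_READ;
    if (o->policy & NO_EXECUTE_UP) blocked |= ACC_EXECUTE;
    return (requested & blocked) == 0;
}
bool access_check(const object_t *o, const token_t *t, uint32_t requested) {
    if (!mandatory_check(o, t, requested)) return false;
    if (o->dacl == NULL) return true;
    if (!dacl_pass(o, t, requested, match_normal)) return false;
    if (t->n_restricted == 0) return true;
    return dacl_pass(o, t, requested, match_restricted); /* both passes must grant */
}

/* Constructed sample objects and tokens (not from the talk). */
static const ace_t canonical_dacl[] = {
    { ACE_DENY,  SID_ADMINS,     ACC_WRITE },             /* deny ACEs first */
    { ACE_ALLOW, SID_USER,       ACC_READ | ACC_WRITE },
    { ACE_ALLOW, SID_RESTRICTED, ACC_READ },
};
static const ace_t shuffled_dacl[] = {                    /* allow placed before deny */
    { ACE_ALLOW, SID_USER,       ACC_READ | ACC_WRITE },
    { ACE_DENY,  SID_ADMINS,     ACC_WRITE },
};
static const ace_t admin_dacl[] = { { ACE_ALLOW, SID_ADMINS, ACC_READ | ACC_WRITE } };
const object_t file_canonical = { IL_MEDIUM, NO_WRITE_UP, canonical_dacl, 3 };
const object_t file_shuffled  = { IL_MEDIUM, NO_WRITE_UP, shuffled_dacl, 2 };
const object_t admin_only     = { IL_MEDIUM, NO_WRITE_UP, admin_dacl, 1 };
const object_t process_obj    = { IL_MEDIUM, NO_WRITE_UP | NO_READ_UP, canonical_dacl, 3 };

static const token_sid_t admin_sids[] = { {SID_USER, 0}, {SID_ADMINS, 0} };
static const token_sid_t uac_sids[]   = { {SID_USER, 0}, {SID_ADMINS, SID_DENY_ONLY} };
static const int restricting[] = { SID_RESTRICTED };
const token_t admin_token      = { IL_HIGH,   admin_sids, 2, NULL, 0 };
const token_t uac_token        = { IL_MEDIUM, uac_sids,   2, NULL, 0 }; /* filtered admin token */
const token_t low_token        = { IL_LOW,    uac_sids,   2, NULL, 0 };
const token_t restricted_token = { IL_MEDIUM, uac_sids,   2, restricting, 1 };

int main(void) {
    printf("admin writes canonical / shuffled file: %d / %d\n",
           access_check(&file_canonical, &admin_token, ACC_WRITE),
           access_check(&file_shuffled, &admin_token, ACC_WRITE));
    printf("filtered admin reads admin-only object: %d\n",
           access_check(&admin_only, &uac_token, ACC_READ));
    printf("Low reads file / writes file / reads process: %d / %d / %d\n",
           access_check(&file_canonical, &low_token, ACC_READ),
           access_check(&file_canonical, &low_token, ACC_WRITE),
           access_check(&process_obj, &low_token, ACC_READ));
    printf("restricted reads canonical / shuffled file: %d / %d\n",
           access_check(&file_canonical, &restricted_token, ACC_READ),
           access_check(&file_shuffled, &restricted_token, ACC_READ));
    return 0;
}
```

The same ACEs in a different order give the admin token a different answer on file_canonical and file_shuffled, and the restricted token is refused on file_shuffled although the first pass grants it everything, because nothing in that DACL names a restricting SID.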
14. Impersonation
/*
• Roughly, impersonation is a mechanism that lets a thread execute code with the security context of a target process
• Two interesting impersonation properties:
– The integrity level of the current thread must be greater than or equal to that of the target process
– The target process's token must be read-accessible from the current thread
*/
15. Part II. Existing sandboxing techniques

16. HIPS implementation approaches
/*
• Virtualization
• Hooks-based (old school)
• Based on Windows access control mechanisms (new trend)
• Mix of the previous two (pizza)
*/

17. Windows access control mechanisms
/*
• Restricted token
– Disabled SIDs
– Restricted SIDs
– Integrity level
• Another user
• Job restrictions
• Separate desktop
*/

18. AppContainer
/*
• Lowbox token
• Low integrity level
• Capabilities
• Separate local NamedObjects directory
*/
19. Part III. Common pitfalls and vulnerabilities

20. Logon SID and broken Run As
/*
If we use Run As to start a process under another user, it is started with the Logon SID of the current one
*/

21. Logon SID and broken Run As
/*
1. Run Process Explorer
2. Run notepad.exe
3. Double-click notepad.exe in the Process Explorer window
4. Go to the Security tab and click the Permissions button
*/

22. Logon SID and broken Run As (screenshot)

23. Logon SID and broken Run As
/*
• Process permissions for the Logon SID: Query limited information, Query information, Read memory, Terminate, Synchronize and Read permissions
• Token permissions for the Logon SID: Assign as primary token, Duplicate, Impersonate, Query, Query source and Read permissions
• Thread permissions for the Logon SID: Query limited information, Query information, Get context, Synchronize and Read permissions
*/

24. Logon SID and broken Run As
/*
So, if a process was started under another user using Run As, a thread of this process can in most cases:
• get the other user's process token (target process)
• impersonate the target's security context
• obtain all access rights of the target process
*/

25. Crossroads, or how to make Run As secure
/*
1. CreateProcessWithLogonW. We can't modify the default user token. Insecure
2. CreateProcessAsUser. Creates a process with the same Logon SID. Insecure
3. CreateProcessWithTokenW. That seems to be the only solution. But … it creates the process in the current session only (MSDN lies)
*/
26. Desktop is a security boundary
/*
• A lot of applications work incorrectly if the DESKTOP_HOOKCONTROL access right is not granted, because runtime libraries use window hooks quite often
• If the DESKTOP_HOOKCONTROL access right is granted, then an application, even one started under another user, can set window hooks on another application's windows and possibly execute arbitrary code in the context of that application
*/
27. Up to XP
(the check in win32k's zzzSetWindowsHookEx)

    /*
     * Is the app hooking another user without access?
     * If so return an error. Note that this check is done
     * for global hooks every time the hook is called.
     */
    if ((!RtlEqualLuid(&ptiThread->ppi->luidSession, &ptiCurrent->ppi->luidSession)) &&
        !(ptiThread->TIF_flags & TIF_ALLOWOTHERACCOUNTHOOK)) {
        RIPERR0(ERROR_ACCESS_DENIED, RIP_WARNING,
                "Access denied to other user in zzzSetWindowsHookEx");
        return NULL;
    }
28. Vista and above (image)

29. Other pitfalls
/*
• protection from neighbours
• screenshots
• keylogging
• network access
• clipboard access
• webcam access
• microphone access
*/
30. Part IV. Escape from sandbox

31. Competition of HIPS-es
/*
• This research was done some time ago
• 8 participants
• 1 recent but public injection technique
*/

32. Competition of HIPS-es
/*
• 3 participants resisted well
– The first one is x86-only (hooks-based)
– The second one (hooks-based) is discontinued
– The third one was quite raw
*/

33. Competition of HIPS-es
/*
• 2 resisted in the default configuration (but gave up after ring 3 unhooking)
• 1 just virtualizes the hard drive and doesn't prevent driver loading. But it's marketed as an antimalware product
• 1 started a process with an admin token instead of a filtered admin token (it seems these guys have their own understanding of security)
*/

35. Contacts
/*
fixer@re-crypt.com – Vasily Bukasov
schelkunov@re-crypt.com – Dmitry Schelkunov
*/