An introduction to the principle of least privilege, ring architecture and access compartmentalization. Multiple examples for vertical and horizontal PE are given. The lecture was given to the Israeli Tech Challenge students from around the world.

1. Thinking in rings
Michael Shalyt
Malware Research Team Leader @ Check Point
PRIVILEGE ESCALATION

2. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research

3. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)

4. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)

5. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
IPHO 2005

6. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
IPHO 2005
BSc. Physics + EE

7. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
Cyber Cyber
IPHO 2005
BSc. Physics + EE

8. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
IPHO 2005
BSc. Physics + EE

9. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
Research TL
IPHO 2005
BSc. Physics + EE

10. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
Research TL
IPHO 2005
BSc. Physics + EE
MSc. Quantum Information

11. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
Cyber Cyber
Reverse Engineering
Research TL
IPHO 2005
BSc. Physics + EE
MSc. Quantum Information
Malware Research TL @CP

12. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
ASM (13yo)
Matlab
Javascript
Actionscript
Mathematica
C
Scheme
Cyber Cyber
Reverse Engineering
Research TL
Python
IPHO 2005
BSc. Physics + EE
MSc. Quantum Information
Malware Research TL @CP
Pascal
AutoIT

13. MICHAEL SHALYT – BIO-IN-A-GRAPH
Technology
Research
First program (8yo)
Lifeinagraph.blogspot.com
ASM (13yo)
Matlab
Javascript
Actionscript
Mathematica
C
Scheme
Cyber Cyber
Reverse Engineering
Research TL
Python
IPHO 2005
BSc. Physics + EE
MSc. Quantum Information
Malware Research TL @CP
Pascal
AutoIT
Catapults
Humans

14. WHAT’S A HACKER?

15. WHAT’S A HACKER?
• People committed to circumvention of computer
security.

16. WHAT’S A HACKER?
• People committed to circumvention of computer
security.
• RFC 1392: “A person who delights in having an
intimate understanding of the internal workings of a
system”. (1960s around MIT's Tech Model Railroad
Club)

17. WHAT’S A HACKER?
• People committed to circumvention of computer
security.
• RFC 1392: “A person who delights in having an
intimate understanding of the internal workings of a
system”. (1960s around MIT's Tech Model Railroad
Club)
• Vs. “user” (like “script kiddies”)

18. PRIVILEGE

19. PRIVILEGE

20. RINGS AND GATEKEEPERS

21. RINGS AND GATEKEEPERS

22. RINGS AND GATEKEEPERS

23. PRINCIPAL OF LEAST PRIVILEGE

24. PRINCIPAL OF LEAST PRIVILEGE
• System stability.

25. PRINCIPAL OF LEAST PRIVILEGE
• System stability.
• Security.

26. PRINCIPAL OF LEAST PRIVILEGE
• System stability.
• Security.
• Ease of deployment.

27. PRINCIPAL OF LEAST PRIVILEGE
• System stability.
• Security.
• Ease of deployment.
• In RL: Compartmentalization / Encapsulation.

28. X86 RINGS
Most privileged
Least privileged

29. VERTICAL PE - WHAT

30. VERTICAL PE - WHAT
• User -> admin.

31. VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.

32. VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.
• Javascript -> shellcode.

33. VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.
• Javascript -> shellcode.
• Username -> access.

34. VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.
• Javascript -> shellcode.
• Username -> access.
• Hypervisor instance traversal.

35. VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.
• Javascript -> shellcode.
• Username -> access.
• Hypervisor instance traversal.
• Access to restricted places/documents/data.

36. VERTICAL PE - WHAT
• User -> admin.
• User -> system/root.
• Javascript -> shellcode.
• Username -> access.
• Hypervisor instance traversal.
• Access to restricted places/documents/data.
• Etc.

37. HORIZONTAL PE - WHAT

38. HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).

39. HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).

40. HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.

41. HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
• Framing someone else.

42. HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
• Framing someone else.
• Etc.

43. PE – BATTLE PLAN

44. PE – BATTLE PLAN
• You already have limited capabilities.

45. PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
• Gather info (profiling).

46. PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
• Gather info (profiling).
• Pass through the guard mechanism (appear as
legitimate low ring-high ring interaction).

47. PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
• Gather info (profiling).
• Pass through the guard mechanism (appear as
legitimate low ring-high ring interaction).
• Trick the higher ring to do as you wish.

48. VERTICAL PE - HOW

49. VERTICAL PE - HOW
• XSS.

50. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.

51. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.

52. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.
• Service privileges.

53. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.
• Service privileges.
• Design bug-features.

54. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.
• Service privileges.
• Design bug-features.
• SE.

55. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.
• Service privileges.
• Design bug-features.
• SE.
• Etc. Etc.

56. HORIZONTAL PE - HOW

57. HORIZONTAL PE - HOW
• XSS.

58. HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.

59. HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.

60. HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.

61. HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.

62. HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
• SE.

63. HORIZONTAL PE - HOW
• XSS.
• Session cookies theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
• SE.
• Etc. Etc.

64. EXAMPLES – LOOK MOM NO VULNS

65. EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.

66. EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.
• Unprotected autorun directories.

67. EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.
• Unprotected autorun directories.
• Misconfigurations.

68. EXAMPLES – LOOK MOM NO VULNS
• Service EXE overwriting.
• Unprotected autorun directories.
• Misconfigurations.
• Plain text passwords.

69. EXAMPLE – DLL HIJACKING

70. EXAMPLE – API EXPLOITATION

71. EXAMPLE – API EXPLOITATION
• User -> kernel.

72. EXAMPLE – API EXPLOITATION
• User -> kernel.
• Ntdll.dll – wrapper and guard.

73. EXAMPLE – API EXPLOITATION
• User -> kernel.
• Ntdll.dll – wrapper and guard.
• Wealth of info before attack.

74. EXAMPLE – API EXPLOITATION
• User -> kernel.
• Ntdll.dll – wrapper and guard.
• Wealth of info before attack.
• Kernel bug exploitation.

75. EXAMPLE – API EXPLOITATION
• User -> kernel.
• Ntdll.dll – wrapper and guard.
• Wealth of info before attack.
• Kernel bug exploitation.
• Often – make kernel mode run code from user mode.

76. QUESTIONS?