An introduction to the principle of least privilege, ring architecture and access compartmentalization. Multiple examples of vertical and horizontal privilege escalation (PE) are given.
The lecture was given to the Israeli Tech Challenge students from around the world.
13. MICHAEL SHALYT – BIO-IN-A-GRAPH
(Timeline graph; only its labels survive.) Axes: Technology, Research.
Labels: First program (8yo), ASM (13yo), Pascal, AutoIT, Matlab, Javascript, Actionscript, Mathematica, C, Scheme, Python, IPHO 2005, BSc. Physics + EE, MSc. Quantum Information, Cyber Cyber, Reverse Engineering, Research TL, Malware Research TL @CP, Catapults, Humans
Lifeinagraph.blogspot.com
17. WHAT’S A HACKER?
• People committed to circumvention of computer security.
• RFC 1392: “A person who delights in having an intimate understanding of the internal workings of a system”. (1960s around MIT's Tech Model Railroad Club)
• Vs. “user” (like “script kiddies”)
42. HORIZONTAL PE - WHAT
• User impersonation (bank app credentials).
• User data theft (credit card).
• Hypervisor instance spying.
• Framing someone else.
• Etc.
47. PE – BATTLE PLAN
• You already have limited capabilities.
• Use them to:
  • Gather info (profiling).
  • Pass through the guard mechanism (appear as a legitimate low ring-high ring interaction).
  • Trick the higher ring to do as you wish.
55. VERTICAL PE - HOW
• XSS.
• Password guessing/brute forcing.
• Driver vulnerabilities.
• Service privileges.
• Design bug-features.
• SE (social engineering).
• Etc.
63. HORIZONTAL PE - HOW
• XSS.
• Session cookie theft.
• Cross-tab data leakage.
• Password guessing/brute forcing.
• Hypervisor/driver data leakage.
• SE (social engineering).
• Etc.
75. EXAMPLE – API EXPLOITATION
• User -> kernel.
• Ntdll.dll – wrapper and guard.
• Wealth of info before attack.
• Kernel bug exploitation.
• Often – make kernel mode run code from user mode.
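The guard between a low ring and a high ring (the role ntdll.dll plays in front of kernel services in the slide above, and the "guard mechanism" of the battle plan) can be modelled as a small reference monitor. The following is an added example, not code from the lecture: it checks caller ring, target compartment and the origin of any code the kernel is asked to run, and labels each denial as a vertical or horizontal PE attempt so a monitor can count them. Ring numbers, the address split, service names and the "alice"/"bob" requests are all constructed assumptions.

```python
from collections import namedtuple

RING_KERNEL, RING_USER = 0, 3                    # classic x86 ring numbers
KERNEL_BASE = 0xFFFF800000000000                 # assumed user/kernel address split
RING0_ONLY = {"load_driver", "write_kernel_memory"}  # constructed service names
Caller = namedtuple("Caller", "name ring user_id")  # user_id = owned compartment


class Guard:
    def __init__(self):
        self.log = []   # (verdict, caller, service, reason) tuples for detection

    def request(self, caller, service, target_user=None, callback=None):
        """Return (allowed, reason); a denial names the PE class it blocked."""
        # 1. Ring check: some services belong to the high ring only (vertical PE).
        if service in RING0_ONLY and caller.ring > RING_KERNEL:
            return self._deny(caller, service,
                              f"vertical: ring {caller.ring} asked for a ring-0 service")
        # 2. Compartment check: a user may only touch their own data (horizontal PE).
        if target_user is not None and target_user != caller.user_id:
            return self._deny(caller, service,
                              f"horizontal: {caller.user_id} targeted data of {target_user}")
        # 3. Code-origin check: the kernel must never run code at a user-mode address.
        if callback is not None and callback < KERNEL_BASE:
            return self._deny(caller, service,
                              f"vertical: kernel asked to run user-mode code at {callback:#x}")
        self.log.append(("ALLOW", caller.name, service, ""))
        return True, "ok"

    def _deny(self, caller, service, reason):
        self.log.append(("DENY", caller.name, service, reason))
        return False, reason


def run_scenarios():
    """Constructed requests: one allowed call, then one attempt of each PE class."""
    g = Guard()
    alice = Caller("alice-app", RING_USER, "alice")
    g.request(alice, "read_file", target_user="alice")              # allowed
    g.request(alice, "load_driver")                                 # vertical
    g.request(alice, "read_file", target_user="bob")                # horizontal
    g.request(alice, "register_callback", callback=0x00007FFF1234)  # vertical
    return g.log


def denial_counts(log):
    """Denials per PE class; this is what a monitor would alert on."""
    counts = {"vertical": 0, "horizontal": 0}
    for verdict, _caller, _service, reason in log:
        if verdict == "DENY":
            counts[reason.split(":")[0]] += 1
    return counts
```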