February 20, 2006 - Abusing the Foundation
by Jeff Moss
Wow, we are entering a new era. Over time we have seen attacks and backdoors move from applications to system services to operating system kernels, but now it is a whole new level.
A few years ago we saw researchers turn some attention towards embedded OS and the CPUs they run on, like FX poking at Cisco IOS. Barnaby Jack continues the trend, but this time looking at ARM on-chip architectures. Barnaby promises to kick some Fu on a popular hardware router to demonstrate exploitation of such embedded devices. Your firmware isn't looking so firm anymore.
John Heasman will be presenting a second showing of his presentation on using the PC BIOS Advanced Configuration and Power Interface to subvert both Windows and Linux kernels and allow the development of cross-install and cross-OS rootkits. John breaks the subject down so it is easy to understand, which should scare you at least a little. He also discusses defenses against BIOS subversion and what effects the TCPA initiatives will have on rootkit deployment.
I would like to take a second to point out that the threat of kernel subversion through the BIOS has been long talked about, and counter-measures like cryptographic integrity checks of firmware and trusted boot paths have been developed to protect against such attacks. However, such defenses are not widely adopted. This is another case where the industry and vendors are waiting until an actual, demonstrable risk is publicized before deploying a fix that was proposed long ago. But what about the really bad actors that don't publicize their techniques and work? There is a lot of academic work published related to trusted boot--it is not out of the realm of possibility that techniques like the ones Heasman discloses have already been put into practice by those suitably motivated. When is our industry going to start trying to get ahead of the curve?
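The counter-measure named above, a trusted boot path that cryptographically measures each firmware stage before handing it control, is simple enough to sketch in a few dozen lines. The following is an added illustration written for this page, not code from any of the speakers or from any vendor's firmware: it simulates a TPM-style measurement register over a constructed boot chain (BIOS image, ACPI DSDT, bootloader, kernel, all inline byte strings rather than real images) and shows how a modified ACPI table shifts the final register away from its known-good value and how the event log pinpoints the stage that changed.

```python
import hashlib

# Constructed sample "firmware components" standing in for a real boot chain.
# In a real system these would be the BIOS image, ACPI tables, bootloader and
# kernel read from flash or disk; here they are inline so the example runs offline.
GOLDEN_COMPONENTS = {
    "bios":       b"BIOS v1.0 (constructed sample image)",
    "acpi_dsdt":  b"DSDT table (constructed sample)",
    "bootloader": b"bootloader stage (constructed sample)",
    "kernel":     b"kernel image (constructed sample)",
}
BOOT_ORDER = ["bios", "acpi_dsdt", "bootloader", "kernel"]


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(component)).

    The operation is one-way and order-dependent, so a later stage cannot
    "unmeasure" an earlier one or reorder the chain to hide a change."""
    return hashlib.sha256(register + measurement).digest()


def measure_boot(components: dict) -> tuple:
    """Walk the boot chain, measuring each stage before it would receive control.

    Returns the final register value and a per-stage event log of
    (stage name, hex digest) pairs."""
    register = b"\x00" * 32          # the register is all-zero after reset
    log = []
    for name in BOOT_ORDER:
        digest = hashlib.sha256(components[name]).digest()
        register = extend(register, digest)
        log.append((name, digest.hex()))
    return register, log


# Known-good register value, recorded once from a trusted reference build.
GOLDEN_REGISTER, GOLDEN_LOG = measure_boot(GOLDEN_COMPONENTS)


def verify_boot(components: dict, expected_register: bytes) -> tuple:
    """Compare a measured chain against the known-good register.

    Returns (matches, first_divergent_stages): the register alone says
    "something changed"; the event-log comparison says which stage did."""
    register, log = measure_boot(components)
    bad_stages = [name for (name, d), (_, g) in zip(log, GOLDEN_LOG) if d != g]
    return register == expected_register, bad_stages


def tampered_components() -> dict:
    """Constructed scenario: extra bytes spliced into the DSDT, the kind of
    change an ACPI-level implant would leave behind; every other stage is
    untouched, so only that stage should show up as divergent."""
    c = dict(GOLDEN_COMPONENTS)
    c["acpi_dsdt"] = c["acpi_dsdt"] + b" + injected AML method (constructed)"
    return c


if __name__ == "__main__":
    print("clean boot:   ", verify_boot(GOLDEN_COMPONENTS, GOLDEN_REGISTER))
    print("tampered boot:", verify_boot(tampered_components(), GOLDEN_REGISTER))
```

Two design points carry over to the real thing. First, the comparison against `GOLDEN_REGISTER` is only meaningful if the code doing the measuring (the root of trust, which is what the TCPA work anchors in hardware) cannot itself be altered by the components it measures; a check performed by a BIOS that an attacker has already rewritten proves nothing. Second, keep the per-stage log as well as the final register: a mismatched register tells an operator that the platform changed, while the log tells them it was the ACPI tables and not a routine kernel update.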
Exploiting Embedded Systems
by Barnaby Jack posted February 20, 2006
I’ve always been fascinated by hardware. We live in a world that revolves around being “connected”. From automobiles to home appliances, there is no shortage of Internet-connected devices. Has anyone ever thought about the possible mayhem that could ensue with a remote “oven overflow”? The concept of remotely compromising an electric oven may sound ridiculous, but these Internet-connected embedded systems are all running code. To err is human.
Information on exploiting embedded systems is scarce -- in fact, almost non-existent. If not for the knowledge of fellow eEye employee Yuji Ukai, I probably wouldn’t have even stepped into this arena. Thanks, buddy.
In my talk, I’m going to explain how to interface with an embedded system, from ripping the firmware image off the flash chip through to in-circuit debugging of the ROM code via the JTAG interface.
And of course, I’ll drop some hardware 0day.
Disclaimer: I am not liable for any damage caused as a result of this demonstration.
Implementing and Detecting An ACPI BIOS Rootkit
by Philippe Biondi & Fabrice Desclaux posted February 20, 2006
It is a piece of software with many layers of obfuscation, that can bypass firewalls, record your microphone, find your proxy credentials in your profiles, whose communications are encrypted and benefit from a peer to peer architecture, that can be found on many computers of governmental organisations or research laboratories. What is it? The latest backdoor? A spyware from an evil organisation?
No. It is used by your grandmother to call her sister. It's a VOIP program. It's Skype.
Many things have been said about Skype. The level of obfuscation suggests the existence of hidden dark secrets and has given birth to so many myths that we needed to go and see what was really going on. This presentation is about what we found in the belly of the beast.
Taking Apart Black Boxes
There is growing emphasis on reverse engineering in the security community. There is also an increasing interest in hardware hacking. As more people gain understanding of the art and techniques of these disciplines, they are collectively revealing soft spots in the security of what were previously opaque systems. From closed-sourced, proprietary software to peripheral devices, we are finally seeing in-depth, third-party security reviews...
Information in Unusual Places
I agree with Mariusz Burdach when he says that volatile memory analysis will be used more often in the future to find evidence. This is often the only place where advanced code resides. At Black Hat Federal he will release two tools to analyze Windows and Linux memory images, which is a great step forward in the effort to bring these techniques to a wider audience...
The Black Page is always looking for concise and interesting comments from researchers and experts about issues that affect the security community. Contact us here to learn more about submission rules.