Windows Kernel Internals for Security Researchers
- Maria McKenzie
- 8 years ago
Windows Kernel Internals for Security Researchers

Overview

This course takes a deep dive into the internals of the Windows kernel from a security perspective. Attendees learn about the behind-the-scenes workings of the various components of the Windows kernel, with emphasis on internal algorithms, data structures and debugger usage. Every topic in this course is accompanied by hands-on labs that involve extensive use of the kernel debugger (WinDBG/KD), with emphasis on interpreting the debugger output and using this information to understand the state and health of the system. Attendees also analyze pre-captured memory dumps to identify kernel rootkits and dissect rootkit behavior.

Course Prerequisites

Attendees must have a solid understanding of operating system concepts and have a working knowledge of Windows. This course does not require you to have any programming knowledge.

Learning Objectives

- Understand the major components in the Windows kernel and the functionality they provide.
- Understand the key principles behind the design and implementation of the Windows kernel.
- Understand the internal workings of the kernel and how to peer into it using the debugger.
- Be able to investigate system data structures using kernel debugger extension commands.
- Be able to interpret the output of debugger commands and correlate them to the state of the system.
- Be able to navigate between different data structures in the kernel using debugger commands.
- Be able to locate indicators of compromise while hunting for kernel mode malware.
- Understand how kernel mode rootkits and commercial anti-malware interact with the system.

Topics

DAY 1
- Architectural Overview: Privilege Rings, HAL, Kernel, Executive, Device Drivers, Win32k.sys, NTDLL, System Process, User and Kernel Threads.
- Hardware Support: CPU Registers, Segment Registers, Global Descriptor Table (GDT), Interrupts, Interrupt Descriptor Table (IDT), Task State Segment (TSS), Call Gates, Local Descriptor Table (LDT), Model Specific Registers (MSR).

DAY 2
- Critical Data Structures: Process and Thread Data Structures (EPROCESS, ETHREAD, KPROCESS, KTHREAD), KSHARED_USER_DATA, Kernel Process and Module List, Processor Control Region (KPCR).
- System Mechanisms: Interrupt Request Levels (IRQL), interrupts, traps, system calls, service descriptor tables, Native API calls (Zw vs Nt), read/write probes, exception handling, kernel-user callbacks.

DAY 3
- Kernel Execution Environment: Interrupt service routines (ISR), deferred procedure calls (DPC), asynchronous procedure calls (APC), system threads, work items, worker threads, timers.
- Memory Management: Kernel virtual address space, page table entries (PTE), virtual address descriptors (VAD), page frame number (PFN) database, kernel mode thread stacks, pools, memory mapping and memory descriptor lists (MDL).

DAY 4
- Objects and Handles: Object manager, object header, object types and procedures, object layout, object security checks, handle tables, handle table entries, kernel handles, object reference counting.
- Windowing Subsystem: CSRSS, Win32K.sys, DirectX, GUI threads, Win32K.sys data structures, session space, session pool, keyboard and mouse input.

DAY 5
- Device Drivers: Driver architecture, I/O manager data structures (driver object, device object, file object, symbolic link), I/O requests (IRP and I/O stack location), I/O processing, IOCTL requests, data buffering mechanisms.
- Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions.

Windows Kernel and Filter Driver Development

Overview

Most security software on Windows runs in kernel mode. This course starts with the basics of kernel mode software development and debugging and then progressively dives into the APIs, filtering mechanisms and advanced programming techniques required to implement kernel mode security software. Every topic in the course is accompanied by hands-on labs that involve extensive coding and debugging of kernel mode software to understand the programming model, the interfaces (APIs), their use cases and common pitfalls. This is a security focused course which does NOT cover development of drivers for hardware devices like PCI, USB and Bluetooth. It also does NOT cover the Kernel Mode Driver Framework (KMDF).

Course Prerequisites

Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have good working knowledge of the Windows kernel. CodeMachine's Windows Internals for Security Researchers course provides the Windows kernel knowledge required to attend this course.

Learning Objectives

- Get a jump start into Windows kernel mode software development and debugging.
- Be able to perform common programming tasks required by kernel mode drivers.
- Understand the intricacies of kernel mode software development.
- Be able to use the different filtering mechanisms provided by Windows to intercept and modify operations in the system.
- Be able to use kernel mode APIs to develop reasonably complex security functionality.
- Be able to use the debugger effectively to perform live debugging of kernel mode drivers.
- Be able to use tools other than the debugger to debug issues with kernel mode software.
- Understand how kernel mode rootkits and commercial anti-malware implement their functionality.

Topics

DAY 1
- Driver Development Environment: Driver development with Visual Studio, Windows driver kit (WDK), WDK headers and libraries, WDK sample code, driver installation and updating, VM debug environment, debug prints.
- Kernel Debugging: Live debugging with WinDBG/KD, breakpoint techniques, execution control, runtime patching, driver code analysis (PREfast), run-time verification (Driver Verifier), kernel tracing.

DAY 2
- Driver Programming Basics: Driver entry points, IRP processing, IOCTL requests, interfacing with usermode applications, application-driver data transfers (buffering methods), kernel memory allocation (pools and lookaside lists), Unicode string handling.
- Asynchronous Execution: Interrupt request levels (IRQL), DPC routines, kernel timers, worker routines and work items, custom driver threads, APC routines, code injection, queuing and kernel linked list manipulation.

DAY 3
- Locking & Serialization: Kernel mode synchronization, mutexes, ERESOURCES, critical and guarded regions, locking granularity, interlocked operations, events, spin locks and queued spin locks.
- Advanced Driver Programming: Locking and mapping memory, building custom I/O requests, object attributes, object reference counting, rundown protection, executive callbacks and capturing stack back-traces.

DAY 4
- IRP Filter Drivers: Driver layering, device attachment and detachment, pre-filtering and post-filtering, I/O request processing, filter and control device objects.
- Kernel Callbacks: Image load notifications, process and thread creation and deletion callbacks, object callbacks, image verification callbacks, session callbacks, PnP and power callbacks.

DAY 5
- Complex Filtering: Registry callbacks, file system mini-filter drivers (FltMgr filters), early load antimalware (ELAM) drivers.
- Network Filters: Network stack architecture, kernel network interfaces, packet data structure (NBL, NB, MDL) manipulation, Windows filtering platform (WFP) drivers, NDIS lightweight filter (LWF) drivers.

Windows Kernel Exploitation and Rootkits

Overview

To achieve maximum stealth and obtain unabated access to the system, rootkits execute in kernel mode. This course focuses on the kernel interfaces (APIs), data structures and mechanisms that are exploited by rootkits to achieve their goals at every stage of their execution. Kernel security enhancements that have been progressively added from Windows 7 to the latest version of Windows are discussed along with some circumvention techniques. Every topic in this course is accompanied by hands-on labs where attendees get to implement key components of a rootkit and test them on 64-bit Windows systems to reinforce their understanding of the theory. By learning how rootkits actually work, attendees are able to detect and defend against them.

Course Prerequisites

Attendees must be proficient in C/C++ programming. In addition, attendees are expected to have a good understanding of Windows kernel internals and APIs. CodeMachine's Windows Internals for Security Researchers and Windows Kernel and Filter Driver Development courses provide the Windows kernel knowledge required to attend this course.

Learning Objectives

- Understand vulnerabilities in the Windows kernel and device drivers.
- Be able to write and modify kernel mode exploits.
- Understand the security enhancements that have been added to recent versions of Windows.
- Be able to bypass some of the security mitigations in recent versions of Windows.
- Understand the post-exploitation steps performed by kernel mode rootkits.
- Understand the techniques used by popular real world rootkits.
- Understand how rootkits hide their presence in the system.
- Understand how rootkits communicate with command and control (C&C) servers.
- Be able to identify malicious behavior and defend against rootkits.

Topics

DAY 1
- Kernel Architecture Overview: Kernel components, x86 and x64 differences, kernel virtual address space, kernel pools, object layout, tokens and privileges, Native APIs, system calls.
- Kernel Vulnerabilities: Types of kernel vulnerabilities, arbitrary memory writes, race conditions, type confusion, pool overflows and stack overflows.

DAY 2
- Hooking Techniques: Types of hooking, code flow subversion, inline hooking, dispatch table hooking, import address table (IAT) hooks, kernel callbacks and filtering mechanisms, hook detection.
- Kernel Security Mitigations: Kernel mode code signing (KMCS), kernel patch protection (PatchGuard), KASLR, supervisor mode execution prevention (SMEP), non-executable (NX) pools, safe pool unlinking, pool integrity checks, NULL page allocation protection, GS cookie, integrity level restrictions.

DAY 3
- Driver Exploitation: Version verification, privilege escalation, vulnerable functions, user controlled input, IOCTL fuzzing, pool grooming, weaponizing exploits.
- Kernel Security Bypass: Stack pivots, ROP gadgets, KASLR & address leaks, SMEP bypass, kernel execution vectors, big pool manipulation.

DAY 4
- Kernel Programming Techniques: Process attach and detach, code injection, bypassing memory protection, kernel mode shell coding techniques, execution affinity, kernel crypto, persistence mechanisms.
- Stealth Behavior: Kernel structure manipulation, rootkit self-defense, anti-debugging techniques, anti-VM techniques, stealth user mode communication, stealth filtering, detection bypass.

DAY 5
- Covert Communications: NDIS driver types, NDIS internal data structures, Net Buffer Lists (NBL), Net Buffers (NB), intermediate drivers (NDIS IM), lightweight filters (NDIS LWF), NDIS hooking, host firewall bypass.
- Detection Tools & Case Studies: Volatility framework, rootkit detectors, endpoint security products, Rustock, TDSS/TDL4, ZeroAccess, Carberp, Regin.

Windows Kernel Debugging and Memory Dump Analysis

Overview

This course is targeted at kernel software developers, support engineers and software QA engineers. It starts with the building blocks required to do effective kernel debugging, like kernel internals concepts, key data structures used by drivers and debugger commands to examine the state and health of the system. It then dives into various techniques and strategies that can be applied to perform triaging, fault isolation, analysis and root causing of crashes and hangs caused by kernel mode drivers. Every topic in the course is accompanied by hands-on labs that involve extensive usage of the Debugging Tools for Windows (WinDBG) as well as other tools that ship with the WDK. These hands-on labs provide attendees with real life experience of debugging kernel mode issues.

Course Prerequisites

Attendees must be able to read C/C++ source code. In addition, attendees are expected to have basic working level knowledge of WinDBG and should be familiar with the Windows device driver (WDK) APIs.

Learning Objectives

- Understand the internal workings of the kernel and how to peer into it using the debugger.
- Understand the kernel data structures that are used by drivers and how to navigate between them.
- Be able to use the kernel debugger commands and extensions and interpret debugger output.
- Be able to apply the knowledge of kernel internals and debugger commands to identify symptoms of system failure/instability, perform bug triaging and perform fault isolation.
- Be able to analyze and root cause problems down to a code change in the driver.
- Be able to debug hard-to-reproduce hangs and crashes.

Topics

DAY 1
- Kernel Architecture Overview: NTOSKRNL, HAL & Drivers, Processes and Threads, System & System Idle Process, Process and Thread Data Structures, System Calls, System Service Dispatching, Kernel Processor Control Region (KPCR).
- Kernel Execution Environment: Interrupt Request Levels (IRQL), Interrupt Service Routines (ISR), Deferred Procedure Calls (DPC), Asynchronous Procedure Calls (APC), System Worker Threads.

DAY 2
- Kernel Synchronization: Dispatcher Objects, Interlocked Operations, Mutexes, Executive Resources, Spin Locks.
- Memory Management: Kernel VAS Layout, Page Table Entries (PTEs), Page Frame Number (PFN) Database, System Cache, Kernel Mode Stacks, Kernel Pools, Memory Descriptor Lists (MDL), Memory Mapping.

DAY 3
- I/O Management: Hardware Device Tree, Driver Types (Bus, Function, Filter), Device Types (FDO, PDO, FiDO), Filter Drivers, Driver Architecture, Driver Entry Points, I/O Request Flow, IRPs & I/O Stack Locations, IRP Processing, IRP Completion, IRP Data Buffering.
- Crash Dump Analysis: System Bugchecks, Crash Dump Generation, Types of Bugchecks, Automated Analysis, Module Identification, Context Switching, Hardware Failures, Examining System State.

DAY 4
- Calling Convention and Call Stacks: Kernel Stack Layout, Calling Convention, x64 Call Stacks, Kernel Stack Overflow, Debugging Double Faults, Debugging Corrupt Stacks.
- Debugging Deadlocks and Hangs: Causes of Hangs, Classic Deadlock, Deadlock Debugging, Driver Power State Failure, I/O Request Stalls, Pool Depletion, SysPTE Depletion.

DAY 5
- Advanced Analysis Techniques: Debugging Strategies, Root Cause Analysis, Stack Patterns, Invalid Memory Access, Pool Corruption Patterns, Structure Corruption, Mapping Data Structures to Modules, Code Flow Analysis.
- Debugging Tools: Driver Verifier, Special Pool, Unloaded Modules, Run Time Stack Capture, Gflags, Object Reference Tracking, Pool Tag Breakpoints, PTE Tracking, Checked Builds.

CodeMachine Inc All Rights Reserved.
More informationIvan Medvedev Principal Security Development Lead Microsoft Corporation
Ivan Medvedev Principal Security Development Lead Microsoft Corporation Session Objectives and Takeaways Session Objective(s): Give an overview of the Security Development Lifecycle Discuss the externally
More informationReview and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU
Review and Exploit Neglected Attack Surface in ios 8 Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU BlackHat 2015 Agenda ios Security Background Review of Attack Surfaces Fuzz More IOKit and MIG System
More informationHow To Write A Windows Operating System (Windows) (For Linux) (Windows 2) (Programming) (Operating System) (Permanent) (Powerbook) (Unix) (Amd64) (Win2) (X
(Advanced Topics in) Operating Systems Winter Term 2009 / 2010 Jun.-Prof. Dr.-Ing. André Brinkmann brinkman@upb.de Universität Paderborn PC 1 Overview Overview of chapter 3: Case Studies 3.1 Windows Architecture.....3
More informationChapter 15 Windows Operating Systems
Understanding Operating Systems, Fifth Edition 15-1 Chapter 15 Windows Operating Systems At a Glance Instructor s Manual Table of Contents Overview Objectives s Quick Quizzes Class Discussion Topics Additional
More informationKVM: A Hypervisor for All Seasons. Avi Kivity avi@qumranet.com
KVM: A Hypervisor for All Seasons Avi Kivity avi@qumranet.com November 2007 Virtualization Simulation of computer system in software Components Processor: register state, instructions, exceptions Memory
More informationEugene Tsyrklevich. Ozone HIPS: Unbreakable Windows
Eugene Tsyrklevich Eugene Tsyrklevich has an extensive security background ranging from designing and implementing Host Intrusion Prevention Systems to training people in research, corporate, and military
More informationData on Kernel Failures and Security Incidents
Data on Kernel Failures and Security Incidents Ravishankar K. Iyer (W. Gu, Z. Kalbarczyk, G. Lyle, A. Sharma, L. Wang ) Center for Reliable and High-Performance Computing Coordinated Science Laboratory
More informationCompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001
CompTIA Mobile App Security+ Certification Exam (ios Edition) Live exam IOS-001 Beta Exam IO1-001 INTRODUCTION This exam will certify that the successful candidate has the knowledge and skills required
More informationFATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory p.1/11
FATKit: A Framework for the Extraction and Analysis of Digital Forensic Data from Volatile System Memory DFRWS 2006: Work in Progress (WIP) Aug 16, 2006 AAron Walters 4TΦ Research Nick L. Petroni Jr. University
More informationGoing Linux on Massive Multicore
Embedded Linux Conference Europe 2013 Going Linux on Massive Multicore Marta Rybczyńska 24th October, 2013 Agenda Architecture Linux Port Core Peripherals Debugging Summary and Future Plans 2 Agenda Architecture
More informationFastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems
Fastboot Techniques for x86 Architectures Marcus Bortel Field Application Engineer QNX Software Systems Agenda Introduction BIOS and BIOS boot time Fastboot versus BIOS? Fastboot time Customizing the boot
More informationx86 ISA Modifications to support Virtual Machines
x86 ISA Modifications to support Virtual Machines Douglas Beal Ashish Kumar Gupta CSE 548 Project Outline of the talk Review of Virtual Machines What complicates Virtualization Technique for Virtualization
More informationVirtual Machine Security
Virtual Machine Security CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07/ 1 Operating System Quandary Q: What is the primary goal
More informationSupporting OS: Windows 2000 Windows XP Windows 2003 Server Windows Vista Windows 2008 Server Windows 7
Profense SDK User Manual Profense SDK is a professional software kit for fast developing of any kind of security applications for Microsoft Windows. Simple APIs of Profense SDK include powerful functions:
More informationwindows maurizio pizzonia roma tre university
windows maurizio pizzonia roma tre university 1 references M. Russinovich, D. A. Solomon Windows Internals: Including Windows Server 2008 and Windows Vista 5 th ed. Microsoft Press 2 architecture overview
More informationMelde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE)
Melde- und Analysestelle Informationssicherung MELANI Torpig/Mebroot Reverse Code Engineering (RCE) Andreas Greulich, MELANI Swiss Cyber Storm, 18 April 2009 Agenda Part 1: Introduction (~5 ) Infection
More informationNotes and terms of conditions. Vendor shall note the following terms and conditions/ information before they submit their quote.
Specifications for ARINC 653 compliant RTOS & Development Environment Notes and terms of conditions Vendor shall note the following terms and conditions/ information before they submit their quote. 1.
More informationSecure In-VM Monitoring Using Hardware Virtualization
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif Georgia Institute of Technology Atlanta, GA, USA msharif@cc.gatech.edu Wenke Lee Georgia Institute of Technology Atlanta, GA, USA wenke@cc.gatech.edu
More informationOPERATING SYSTEM SERVICES
OPERATING SYSTEM SERVICES USER INTERFACE Command line interface(cli):uses text commands and a method for entering them Batch interface(bi):commands and directives to control those commands are entered
More informationSubverting the Xen hypervisor
Subverting the Xen hypervisor Rafał Wojtczuk Invisible Things Lab Black Hat USA 2008, August 7th, Las Vegas, NV Xen 0wning Trilogy Part One Known virtulizationbased rootkits Bluepill and Vitriol They install
More informationChapter 11 I/O Management and Disk Scheduling
Operating Systems: Internals and Design Principles, 6/E William Stallings Chapter 11 I/O Management and Disk Scheduling Dave Bremer Otago Polytechnic, NZ 2008, Prentice Hall I/O Devices Roadmap Organization
More informationChapter 3: Operating-System Structures. System Components Operating System Services System Calls System Programs System Structure Virtual Machines
Chapter 3: Operating-System Structures System Components Operating System Services System Calls System Programs System Structure Virtual Machines Operating System Concepts 3.1 Common System Components
More informationOperating System Structure
Operating System Structure Lecture 3 Disclaimer: some slides are adopted from the book authors slides with permission Recap Computer architecture CPU, memory, disk, I/O devices Memory hierarchy Architectural
More informationINtime 4.0 Software. 31001-6 September 2009
U S E R S M A N U A L INtime 4.0 Software 31001-6 September 2009 TenAsys Corporation 1400 NW Compton Drive, Suite 301 Beaverton, OR 97006 USA +1 503 748-4720 FAX: +1 503 748-4730 info@tenasys.com www.tenasys.com
More informationI Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich
I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation Mathias Payer, ETH Zurich Motivation Applications often vulnerable to security exploits Solution: restrict application
More informationVirtdbg. Using virtualization features for debugging the Windows 7 kernel. Damien Aumaitre. Recon 2011
Virtdbg Using virtualization features for debugging the Windows 7 kernel Damien Aumaitre Recon 2011 D. Aumaitre Virtdbg 2/42 Roadmap How it began Designing a kernel debugger Debugging Windows 7 x64 1 How
More informationIOActive Security Advisory
IOActive Security Advisory Title Severity Discovered by Admin ACL Bypass and Double Fetch Issue in F-Secure Internet Security 2015 High/Important Ilja van Sprundel Advisory Date September 3, 2015 Affected
More informationTEGRA X1 DEVELOPER TOOLS SEBASTIEN DOMINE, SR. DIRECTOR SW ENGINEERING
TEGRA X1 DEVELOPER TOOLS SEBASTIEN DOMINE, SR. DIRECTOR SW ENGINEERING NVIDIA DEVELOPER TOOLS BUILD. DEBUG. PROFILE. C/C++ IDE INTEGRATION STANDALONE TOOLS HARDWARE SUPPORT CPU AND GPU DEBUGGING & PROFILING
More informationLinux Driver Devices. Why, When, Which, How?
Bertrand Mermet Sylvain Ract Linux Driver Devices. Why, When, Which, How? Since its creation in the early 1990 s Linux has been installed on millions of computers or embedded systems. These systems may
More informationChapter 14 Virtual Machines
Operating Systems: Internals and Design Principles Chapter 14 Virtual Machines Eighth Edition By William Stallings Virtual Machines (VM) Virtualization technology enables a single PC or server to simultaneously
More informationANDROID DEVELOPER TOOLS TRAINING GTC 2014. Sébastien Dominé, NVIDIA
ANDROID DEVELOPER TOOLS TRAINING GTC 2014 Sébastien Dominé, NVIDIA AGENDA NVIDIA Developer Tools Introduction Multi-core CPU tools Graphics Developer Tools Compute Developer Tools NVIDIA Developer Tools
More information