Current mobile gadgets include rich devices (high-resolution video camera, microphone, GPS, etc.) which enable high quantity communication (video conferencing, current location data, etc.). Unfortunately, these rich devices make it easy to conduct cyber espionage. For example, high-resolution video can be used to read the text on a display. A GPS device can be used to track the user's location ("Cerberus" and "mSpy" are famous; a Japanese application named "karelog" became a social issue). These devices are not used in a company's office or factory, and computer administrators want to prohibit them. Unfortunately, the devices are embedded in the mobile gadget and most of them cannot be disabled by BIOS or EFI.
To solve this problem, we propose a thin hypervisor called "DeviceDisEnabler (DDE)", which hides some devices from the OS. DDE is a lightweight hypervisor and can be inserted under a pre-installed OS. The OS uses the "IN" instruction to get device information on PCI and USB (Vendor ID, Device Class, etc.); DDE hooks the "IN" instruction and hides the device information if the device is prohibited in the company.
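The hook described above, as an added simulation that is not code from DDE or BitVisor: a guest enumerates a constructed PCI bus through a hypervisor that filters reads of the configuration data port. It assumes the legacy PCI configuration ports 0xCF8/0xCFC (the abstract only says "IN"); the sample bus, its IDs, the class-based policy and all function names are made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define PCI_CONFIG_ADDRESS 0x0CF8      /* guest writes bus/dev/fn/register here */
#define PCI_CONFIG_DATA    0x0CFC      /* guest reads the selected register here */
#define PCI_NO_DEVICE      0xFFFFFFFFu /* all-ones read means "empty slot" */

struct pci_dev { uint8_t bus, dev, fn; uint16_t vendor, device; uint8_t base_class, sub_class; };

/* Constructed sample bus; vendor/device IDs are invented. */
static const struct pci_dev sample_bus[] = {
    {0, 0, 0, 0x1AAA, 0x0001, 0x06, 0x00}, /* host bridge */
    {0, 2, 0, 0x1AAA, 0x0002, 0x03, 0x00}, /* display controller */
    {0, 3, 0, 0x1BBB, 0x0010, 0x04, 0x00}, /* multimedia video (camera) */
    {0, 4, 0, 0x1CCC, 0x0020, 0x02, 0x00}, /* Ethernet controller */
};

/* Hypothetical company policy: (base class, sub class) pairs to hide. */
struct class_rule { uint8_t base_class, sub_class; };
static const struct class_rule blocked[] = {
    {0x04, 0x00}, /* multimedia video controller */
    {0x04, 0x01}, /* multimedia audio controller */
};

static uint32_t latched_addr;  /* last value the guest wrote to 0xCF8 */
static int dde_enabled = 1;    /* 0 = pass-through, 1 = filter */

/* Simulated hardware: what an unfiltered config-space read returns. */
static uint32_t hw_config_read(uint32_t addr)
{
    uint8_t bus = (addr >> 16) & 0xFF, dev = (addr >> 11) & 0x1F;
    uint8_t fn = (addr >> 8) & 0x07, reg = addr & 0xFC;
    if (!(addr & 0x80000000u)) return PCI_NO_DEVICE;   /* enable bit clear */
    for (size_t i = 0; i < sizeof sample_bus / sizeof sample_bus[0]; i++) {
        const struct pci_dev *d = &sample_bus[i];
        if (d->bus != bus || d->dev != dev || d->fn != fn) continue;
        if (reg == 0x00) return ((uint32_t)d->device << 16) | d->vendor;
        if (reg == 0x08) return ((uint32_t)d->base_class << 24) | ((uint32_t)d->sub_class << 16);
        return 0;                                      /* other registers not modelled */
    }
    return PCI_NO_DEVICE;
}

/* Policy decision: does the addressed function belong to a hidden class? */
static int is_blocked(uint32_t addr)
{
    uint32_t base = addr & 0xFFFFFF00u;                /* same bus/dev/fn, register 0 */
    if ((hw_config_read(base) & 0xFFFF) == 0xFFFF) return 0;   /* empty slot */
    uint32_t cls = hw_config_read(base | 0x08);
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if ((cls >> 24) == blocked[i].base_class && ((cls >> 16) & 0xFF) == blocked[i].sub_class)
            return 1;
    return 0;
}

/* Hypervisor exit handlers (32-bit accesses only; byte/word reads not modelled). */
static void guest_out32(uint16_t port, uint32_t value)
{
    if (port == PCI_CONFIG_ADDRESS) latched_addr = value;
}

static uint32_t guest_in32(uint16_t port)
{
    if (port != PCI_CONFIG_DATA) return PCI_NO_DEVICE;
    /* Hide every register of a blocked function, not just the vendor ID,
       so the slot looks empty however the guest probes it. */
    if (dde_enabled && is_blocked(latched_addr)) return PCI_NO_DEVICE;
    return hw_config_read(latched_addr);
}

/* Guest side: an ordinary OUT-then-IN configuration read. */
static uint32_t guest_config_read(uint8_t bus, uint8_t dev, uint8_t fn, uint8_t reg)
{
    guest_out32(PCI_CONFIG_ADDRESS, 0x80000000u | ((uint32_t)bus << 16) |
                ((uint32_t)dev << 11) | ((uint32_t)fn << 8) | (reg & 0xFCu));
    return guest_in32(PCI_CONFIG_DATA);
}

/* Guest side: scan bus 0 and count the functions that answer. */
static int guest_count_devices(int filter_on)
{
    int n = 0;
    dde_enabled = filter_on;
    for (int dev = 0; dev < 32; dev++)
        for (int fn = 0; fn < 8; fn++)
            if ((guest_config_read(0, (uint8_t)dev, (uint8_t)fn, 0x00) & 0xFFFF) != 0xFFFF)
                n++;
    return n;
}

int main(void)
{
    printf("devices visible without filter: %d\n", guest_count_devices(0));
    printf("devices visible with filter:    %d\n", guest_count_devices(1));
    return 0;
}
```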
Unfortunately, not only attackers but also employees want to bypass the DDE because they want to use the devices. To prevent the DDE from being bypassed, it encrypts the disk image of the OS, which means the OS cannot be used without the help of DDE. To hide the encryption key, the DDE has three types of key management: one technique gets the key from the Internet over a secure communication channel; one hides the key in a TPM chip and obtains it only at a certain state of boot time; and one obfuscates the key into the code using a whitebox cryptography technique.
The current implementation is based on BitVisor 1.4 and the target is a mobile gadget which has an Intel CPU. I will talk about the requirements for an ARM CPU based implementation.
Cracking Into Embedded Devices - Hack in The Box Dubai 2008 - guest642391
This document discusses GNUCITIZEN, a UK-based think tank and ethical hacker outfit led by Adrian Pastor. The organization conducts research on compromising embedded devices and other systems through remote exploits. Their goal is to draw attention to security issues in these commonly overlooked areas and encourage more public research to improve defenses.
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ... - CODE BLUE
A Security Barrier Device (SBD) protects PCs and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent to the PC and can be installed regardless of OS or application. In this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.
The SBD has a security information disk, accessible only to itself, where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD references the access privileges of that particular sector: if the sector is read-deny, it returns dummy data of 0; if the sector is write-deny, it won’t write to that sector. The SBD allows not only sector-based protection but also file-based protection. In the case of a file write-deny, there were some issues with the disk-related cache in memory not being synchronised and with the pointer’s position to the file in its directory being shifted, but I will show how they were solved.
I will also talk about the fact that an SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files: once it detects any access right violation, it can shut down the Ethernet port remotely and thwart the spreading of malware.
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology, conducted research and development of 30 Gbps intrusion detection systems, 60 Gbps URL filtering systems and/or network device testing equipment for such systems. Currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems)
http://codeblue.jp/en-speaker.html#KenjiToda
This document discusses various aspects of cloud, API, and hardware penetration testing:
- It outlines the different types of cloud services: Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).
- It provides an overview of tools used for cloud and API penetration testing such as SOASTA CloudTest, LoadStorm, BlazeMeter, Nexpose, and AppThwack.
- It discusses firmware analysis, including extracting firmware from devices, identifying file systems and architectures, and searching for hardcoded credentials or certificates. Tools mentioned include Binwalk, Readelf, and Strings.
- It provides an overview of hardware penetration
The document provides an overview of how to start exploring IoT security as a beginner. It defines IoT and OT, discusses common attack vectors like networks, wireless communication, and applications. It then provides guidance on how to perform security testing for these vectors, including tools to use for tasks like network pentesting, radio communication testing, and mobile application testing. The goal is to help beginners learn about IoT security challenges and how to start assessing vulnerabilities.
SoftBank Robotics NAO and Pepper robots, UBTech Alpha 1S and Alpha 2 robots, and ROBOTIS OP2 and THORMANG3 robots were analyzed for vulnerabilities. Many vulnerabilities were found including authentication bypass issues, lack of encryption for transmitted data, and ability to disable safety features. These issues could allow an attacker to hijack the robot's functions or sensors, turn friendly robots into potential dangers, or use them for espionage purposes. Physical access to robots also poses risks as connectivity ports and removable storage were found to be insecure in some cases.
Man in the NFC by Haoqi Shan and Qing Yang - CODE BLUE
NFC (Near Field Communication) technology is now widely used in the security, banking, payment and personal information exchange fields, and is highly developed. Correspondingly, attack methods against NFC keep emerging. What if we want to “steal” from someone’s EMV, QuickPass or VisaPay bank card without “getting” his wallet? To solve this problem, we built a hardware tool which we call “UniProxy”. This tool contains two self-modified high-frequency card readers and two radio transmitters, working in a master-slave fashion. The master part can help people easily and successfully read almost all ISO 14443A type cards, no matter what kind of card it is (bank card, ID card, passport, access card, or whatever) and no matter what security protocol the card uses, as long as it meets the ISO 14443A standard, while the slave part replays the card to the corresponding legitimate card reader to achieve our “evil” goals. The master and slave communicate via the radio transmitters and can be between 50 and 200 meters apart.
NFC: Naked Fried Chicken / NFC Pentesting Is What I Love - Positive Hack Days
Speaker: Matteo Beccaro
The talk covers general issues of transport security, fraud and technological failures, and will be of interest to both professional pentesters and hobbyists. The speaker will examine several serious vulnerabilities in real transport systems that use NFC technology and demonstrate an open application for testing such systems from a smartphone.
Wireless security testing with attack by Keiichi Horiai - CODE BLUE 2015 - CODE BLUE
We are in the IoT era. In this session, the functions of GNURadio will be introduced with a demonstration. GNURadio is an SDR (Software Defined Radio) tool for analyzing wireless security such as Bluetooth LE. As an example of SDR usage, I will demonstrate a replay attack on the RF signal of ADS-B (Automatic Dependent Surveillance Broadcast) equipment mounted on an aircraft, and a sniffer for wireless keyboards. Ideas for countermeasures will also be discussed.
Presentation at DFRWS 2014, Denver, Colorado - The application of reverse engineering techniques against the Arduino microcontrollers to acquire uploaded applications.
This document discusses attacks on wearable-mobile communication over Bluetooth Low Energy (BLE). It notes that while BLE uses encryption, any app on a device can subscribe to the same BLE channels and characteristics as legitimate apps to access sensitive data or send commands. This poses a risk as malware could obtain private data like heart rate or put devices into recovery mode. The document proposes mitigations like app-to-device pairing to restrict access to only registered apps and using application-specific keys to protect command integrity and data confidentiality. Future enhancements to mobile platforms and BLE specifications are needed to better support authentication and encryption between apps and devices.
A Hypervisor IPS based on Hardware Assisted Virtualization Technology - FFRI, Inc.
This document describes Viton, a hypervisor-based intrusion prevention system (IPS) developed by Fourteenforty Research Institute. Viton runs as a hypervisor using hardware-assisted virtualization technology to monitor the guest operating system for malicious activity. It protects persistent system resources by blocking all VMX instructions, monitoring registers like IDTR and MSR, and protecting read-only code sections of the kernel from modification. Viton aims to enforce immutability of critical system structures to detect rootkits and other malware running inside the guest OS.
Android forensics and Custom Recovery Image - Mohamed Khaled
Mobile Forensic Process
Different Mobile Forensic Scenario
Acquisition Guide
Challenges of Android Forensics
How to Circumvent the Pass Code
Types Of Analyses (Logical analysis)
Types Of Analyses (Physical analysis)
Android Partition Layout
Custom Recovery Modifications
How Data are Stored In Android
Example of Useful Data extracted from Android Image
Threat Analysis on Win10 IoT Core and Recommended Security Measures by Naohi... - CODE BLUE
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option.
We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, we found that, as in the newest Windows, DEP, ASLR and CFG are effective as countermeasures against attacks on vulnerabilities that affect main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found some designs and default settings of services and components are insecure.
For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.
How security broken? - Android internals and malware infection possibilities - FFRI, Inc.
This document discusses security issues in the Android operating system and possibilities for malware infection. It begins by covering kernel-level protections like DEP and ASLR, which are not fully effective in Android due to issues like prelinking neutralizing ASLR. It then discusses the application layer, explaining Android application internals involving packages, permissions, and intent-based features like activities and broadcasts. Finally, it outlines the evolution of Android malware, characteristics like using intents and premium services, issues with anti-virus software's limited privileges, and how rooting breaks security by enabling malware to gain higher privileges.
HITBSecConf 2016-Create Your Own Bad Usb - Seunghun han
This document describes IRON-HID, a project for creating custom USB devices that can exploit system vulnerabilities. It discusses using a modified portable charger called PowerShock to test vulnerabilities in smartphones, POS systems, and PCs. The PowerShock uses a Teensy or Arduino board running IRON-HID firmware to emulate a keyboard or mass storage device. It can automatically enter PINs, log keystrokes, capture screenshots, and execute commands on connected devices. Demo attacks show exploiting backup PIN locks on Android phones and grabbing card data from vulnerable POS systems. Additional ideas include modifying USB keyboards and card readers to secretly run the IRON-HID tests on colleague's devices.
Pwning Iot via Hardware Attacks - Chase Schultz - IoT Village - Defcon 23 - Chase Schultz
Slides from Defcon IoT Village Workshop
Ever wondered how people get shells via hooking up to chips or pins on a board? Or how to dump the firmware off a device you own at home? How chips that send those bits, bytes, and nibbles flying across traces on a board can be analyzed for profit? The Pwning IoT Devices via Hardware Attacks workshop is focused on a hands-on learning experience of how people use hardware attacks to get initial access to IoT devices for security research. This workshop is designed for people new to hardware hacking, looking to have fun exploiting the Internet of (broken) Things. So come on out if you're looking to join the embedded system & IoT exploitation party!
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam... - CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
BlackHat Asia 2017-Myth and Truth about Hypervisor-Based Kernel Protector - Seunghun han
This document presents Shadow-box, a lightweight hypervisor-based kernel protector developed by the authors to defend the Linux kernel from security threats in real-world environments. The authors describe Shadow-box's architecture, which uses virtualization technology to separate the system into a secure host and normal guest. Shadow-box shares kernel memory between the two worlds to reduce overhead. It monitors the guest to detect unauthorized kernel object modifications or rootkit activity. The authors discuss lessons learned from deploying Shadow-box, such as dealing with false positives, performance issues, and aspects of real-world systems not addressed in previous research.
HITBSecConf 2017-Shadow-Box-the Practical and Omnipotent Sandbox - Seunghun han
The document presents Shadow-Box, a lightweight hypervisor-based kernel protector designed for real world deployment. Shadow-Box uses virtualization technology to separate the machine into a secure host (Ring -1) and normal guest (Ring 0-3). It shares kernel memory between the two worlds to reduce overhead. The host can monitor the guest to detect rootkits and other attacks modifying kernel objects or function pointers. The author discusses lessons learned from deploying Shadow-Box, such as handling mutable kernel code and properly configuring cache types in the extended page table.
This document describes different digital tools for education, including generators of notebooks, books and digital publications, generators of quizzes and exercises, and generators of concept and mind maps. It also discusses the educational potential of video games and gives examples such as "Pancho y la máquina de hacer cuentos" and "Wikinmindmap".
The document summarizes the topic of Internet and society in 3 sentences. It explains that the Internet began as a US military project but expanded beyond that, becoming a key tool for globalization and worldwide interconnection. The Internet reduced the barriers of time and space, allowing instant communication between people anywhere in the world. The document also analyzes the origins, evolution and effects of the Internet on society.
2014 University of Kentucky Writing Center Crisis Plan - Olivia M. McCoy
The document provides a crisis management plan for the Robert E. Hemenway Writing Center at the University of Kentucky. The plan defines a crisis, outlines potential crises and protocols, and establishes a crisis management team and rehearsal dates. It also includes forms for incident reports, proprietary information guidelines, and initial contact worksheets for different crisis scenarios.
This is a presentation I made outlining revision and editing strategies based on the 6 Traits and other approaches. The workshop was part of the National High School Journalism Conference on 10 November 2016 in Indianapolis. Co-presented with Steve Peha. For more writing tips, download the companion packet at http://bit.ly/TWFReviseEdit, or buy Be a Better Writer (co-written by Steve and me) at www.babw.me.
1. The document discusses an outsourcing firm called Bewayco that provides business management solutions like payroll administration, staffing, recruitment, coaching, and outplacement to simplify business management for clients.
2. Bewayco focuses on productivity, cutting-edge technology, tailored solutions, an experienced team, and continuous improvement.
3. The solutions aim to generate value for customers through unique customized solutions according to industry dynamics.
This document contains a list of 11 photo credits attributed to various photographers. It ends by advertising the ability to create Haiku Deck presentations on SlideShare.
Mustafa Helmi Zaki Sayed is an Egyptian national with over 17 years of experience in turf and landscape maintenance. He holds a Bachelor's degree in Horticulture from Cairo University and a Master's degree in Ornamental Plants from Cairo University. Currently he works as the Golf Course and Agronomy Manager for EMAAR MISR, overseeing the construction and maintenance of two 18-hole golf courses in Egypt. Previously he has held positions as Golf Course Superintendent and Project Manager in Egypt, Qatar, and the UAE, managing the maintenance of golf courses, soccer fields, and landscaping projects.
BKK16-100K2 ARM Research - Sensors to Supercomputers - Linaro
From Sensors to Supercomputers discusses ARM's research focus areas including applied silicon, memory and interconnect, design integrity, and large scale systems. The document outlines how ARM research is looking 3-7 years ahead of product teams to enable future ARM technologies. It also discusses how even basic sensor data from IoT devices can produce large amounts of big data and how ARM is interested in high performance computing including supercomputing to help process and analyze this data.
CODE BLUE 2014 : [Keynote] The 5 biggest problems of cyber security - and how... - CODE BLUE
Keren was a TED conference speaker this year, where she talked about hackers being the immune system. In her talk, she explained that the world actually needs hackers, and that they play an important role in this world. She said, "Hackers are my heroes, and the perspective I’d like to offer you today is that hackers represent an exceptional force for change with the power to literally save our digital future – and we need to think like hackers and take actions today. That’s why I’m here today. You might say I am naïve, a romantic - or worst of all, you could say I’m not 1337. But I really believe that hackers have the power to change a grim reality. I want to show you why now is the time – because every one of us is on the front lines, so it’s time to be the heroes!".
IoT security is a nightmare. But what is the real risk? - Zoltan Balazs
1) IoT security is a major issue as many devices have poor security and will never receive patches. This leaves them vulnerable to attacks over the internet or through home networks.
2) There are many risks even for devices that are behind routers or firewalls due to issues like UPnP, IPv6, cloud connections, and protocol tunneling that can bypass network protections.
3) Home users should take steps like disconnecting devices when not in use, changing passwords, filtering incoming connections, and monitoring their network to improve their security, but there are no complete solutions given flaws in IoT design and updates.
OWASP – Internet of Things (IoT) – Top 10 Vulnerabilities List - Bishop Fox
This presentation will encompass the following:
• An overview of the OWASP IoT Top 10: Understanding IoT Vulnerabilities and Risks to Offices / Homes
• Smart home wireless communication standards and their weaknesses: Bluetooth, Z-Wave, ZigBee, Wi-Fi, NFC, RFID
• Exploiting vulnerable networked smart devices (e.g. smart TVs, refrigerators, etc.) as a means to get foot in the door and attack core infrastructure (laptops, workstations, servers)
• Attacks against smart products connected to your network or controlled directly via your mobile device
• Performing security evaluations of smart products using frameworks like the OWASP Application Security Verification Standard (ASVS)
• Tools and resources for securing smart devices and their implementations
• DEMOs – vulnerabilities and most common issues in smart devices – real examples of the OWASP IoT Top 10
• Exploiting smart devices, such as: TVs, media streaming devices, refrigerators, thermostats, smart plugs, security locks and cameras, health/fitness devices, wearables, office smart hubs, home automation products, and more…
Originally presented at IT Audits & Control Conference 2015.
The document discusses various security challenges at different levels of IoT architecture. At the sensor level, authentication of small devices with limited resources is challenging. GPS spoofing and hardware attacks are also risks. Networking components like the baseband processor can be vulnerable if firmware exploits exist. Hardening devices like Raspberry Pi that act as IoT hubs is important. When integrating with cloud services and APIs, authentication, privacy, and security configurability need attention.
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam... - Zoltan Balazs
IoT security poses serious risks due to vulnerabilities in many IoT devices that are never patched by manufacturers. Common excuses for the poor security of IoT devices are shown to be invalid, as attacks can bypass passwords, networks, and firewalls using techniques like UPnP, IPv6, WebRTC, and DNS rebinding. Lessons for home users include disconnecting devices when not in use, changing passwords, filtering connections and protocols, and monitoring networks. Lessons for vendors are to implement secure development practices, automatic updates, and optional cloud connections. Governments should regulate vendors to protect users and incentivize more secure practices.
Luiz eduardo. introduction to mobile snitch - Yury Chemerkin
Mobile devices broadcast information passively through protocols like mDNS and NetBios that can be used to profile and fingerprint individuals. This metadata includes a person's name, device details, social media profiles, locations visited and more. While concerning for privacy, there are some mitigation tips like disabling WiFi when not in use. In the future, passive profiling may become more advanced through integration with other tools and online databases to create detailed profiles of individuals based solely on information broadcast from their mobile devices.
Web application-security-and-why-you-should-review-yours - David Busby, CISSP
In this talk we will cover what an attack surface is and what you can do to limit it.
Acronym hell: what do all these acronyms associated with security products mean?
Vulnerability media naming: stupidity or driving the message home?
Detection or prevention: avoiding the boy who cried wolf.
Emerging technologies to keep an eye on or even implement yourself to help improve your security posture.
2014 -> 2017: what's been going on, and why have there been so many compromises?
This presentation aims to share working knowledge on how attackers are taking advantage of connected (IoT) devices for scaling attacks, from hardware to repeatable software exploitation that scales. It gives an X-ray of the current security resilience of some of today's connected devices, the typical challenges developers are facing today, and a proof of concept attack on a "secure" connected camera with critical consequences. Finally, we give valuable takeaways for improving the security of your solutions and avoiding these horrible mistakes.
NUS-ISS Learning Day 2019-Building IoT solutions with the Pi - NUS-ISS
This document provides an overview of a hands-on workshop on building IoT solutions with Raspberry Pi. It introduces Raspberry Pi and the GrovePi+ starter kit for connecting sensors. It describes how AWS services like IoT Core and Alexa can be used to build IoT systems. The workshop demonstrates setting up a basic IoT system with Raspberry Pi, testing sensors connected to it, and broadcasting sensor data to the AWS cloud. It aims to help participants understand how to create synergy between sensors, devices, and cloud services to develop health and other applications.
Rajarshi Gupta at AI Frontiers : Security is AI’s biggest challenge, AI is Se... - AI Frontiers
The progress of AI in the last decade has seemed almost magical. But we will discuss the unique challenges posed by Security and what makes this domain the biggest challenge for AI. Reporting from the frontlines, we will describe the deployment of large-scale production-grade AI systems to combat security breaches, using lessons learned at Avast from defending over 400 million consumers every single day. Topics will cover the recent AI advancements in file-based anti-malware solutions, behavior-based on-device solutions, and network-based IoT security solutions.
An overview of security and privacy challenges that must be faced and solved when creating new Things for the Internet of Things. We discussed why are Things inherently insecure together with examples of attack vectors and learned some risk mitigation strategies. We realized why should users be wary of Things violating their privacy and gained awareness of upcoming EU privacy legislation that affects providers of IoT-based solutions. Talk given at Pixels Camp 2017, Lisbon.
Kernel Memory Protection by an Insertable Hypervisor which has VM Introspec... - Kuniyasu Suzaki
"Kernel Memory Protection by an Insertable Hypervisor which has VM Introspection and Stealth Breakpoints" at IWSEC2014 (The 9th International Workshop on Security, Hirosaki)
This document describes an IOT-based anti-theft flooring mat system. The system uses piezo sensors embedded in floor tiles that detect intruders stepping on the tiles. When pressure is applied, the sensors activate a transmitter to send a notification to the IOT system. The system is powered by a NodeMCU processor and includes an OLED display and solenoid lock. It provides real-time intruder alerts to homeowners through mobile phone updates. The system aims to effectively identify human intruders and reduce response time compared to existing solutions.
OSGi Technology and IP-Based Video Surveillance in HomeSecurity, Access Contr... - mfrancis
This document discusses using OSGi technology and IP-based video surveillance for home security, access control, and personal care. It describes how IP cameras are better suited than analog solutions for integration into OSGi platforms. The connected home market for security, access control, and personal care is growing and offers opportunities for IP video surveillance integrated through OSGi. The document calls for action to make OSGi the standard for integrated connected home solutions and provides an example of an Integrated Home Security Service.
This document discusses Internet of Things (IoT) security. It defines IoT as interconnecting physical devices via communication technologies. It categorizes IoT devices and lists common technology vendors. It then describes why IoT devices are vulnerable in terms of cost, processing power, history of neglecting security, proprietary technologies, and inability to update. Examples of IoT attacks are also provided such as using webcams for DDoS attacks and hacking home routers and cars. The document concludes with recommended countermeasures like leveraging existing frameworks, segmentation, not relying on users, and building in automatic updates.
DEFCON 23 - Ian Latter - remote access the apt - Felipe Prado
The document discusses a proof of concept for using a computer screen to extract and transmit data through encoding it in quick response (QR) codes displayed on the screen. It proposes a transport protocol called TGXf that could transmit binary data in a one-way flow between devices by encoding it using QR codes with error correction and embedding transport control frames and counters. The concept is presented as a potential security risk for unauthorized data extraction from remote access or offshore partners.
Open Moko And Ubiquitous Computing Presentation - ridgeway137
Openmoko is an open source Linux distribution and company that produces the Neo family of mobile computing devices. The goal of Openmoko is to create an open platform that allows developers to freely develop innovative applications for mobile and ubiquitous computing. Openmoko devices run open source software and use open hardware designs that can be modified or reprogrammed without restrictions. This open approach aims to encourage more development and new ideas than restricted proprietary platforms by reducing barriers to entry and allowing expansion.
LST Toolkit: Exfiltration Over Sound, Light, Touch - Dimitry Snezhkov
The document discusses offensive and defensive strategies around exfiltrating sensitive data from secured environments. It describes observing defenses that focus on network-level exfiltration and lack behavioral context. Custom threat modeling and solutions may be needed. Tactics discussed include exploiting existing facilities, avoiding defenses, and transforming data to bypass monitoring. The document also outlines fictional scenarios where innovative techniques like encoding data in screen pixels or QR codes are used to exfiltrate information despite strengthened defenses.
This document discusses Internet of Things (IoT) security. It begins by defining IoT and describing common IoT applications in consumer, commercial, industrial, and infrastructure sectors. It then defines IoT security and explains that security is an important area due to the rapid growth of connected devices. The document outlines four layers of IoT security: device, communication, cloud, and lifecycle management. It identifies some of the main security issues like default passwords, unpatched systems, and access to APIs and data. Finally, it discusses best practices for IoT security including authentication, encryption, privacy controls, and firmware updates.
Similar to CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI (20)
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... - CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl - CODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... (CODE BLUE)
Printers have become one of the essential devices in the corporate intranet over the past few years, and their functionality has also increased significantly. Beyond printing and faxing, cloud printing services like AirPrint are now supported to make them easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use printers to print internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or a traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use an RTOS (Real-Time Operating System) instead. How will this affect the attacker?
In this talk, we will use the Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case studies, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-... (CODE BLUE)
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such as OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR" at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla... (CODE BLUE)
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti... (CODE BLUE)
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The "Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info... (CODE BLUE)
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaigns) attempt to spread disinformation, incite protests in the physical world, and dox journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to posting artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguising themselves as members of the “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”... (CODE BLUE)
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... (CODE BLUE)
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... (CODE BLUE)
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to protect cyber espionage by KUNIYASU SUZAKI
1. National Institute of Advanced Industrial Science and Technology
DeviceDisEnabler: a lightweight hypervisor which hides devices to protect cyber espionage and tampering
Kuniyasu Suzaki
National Institute of Advanced Industrial Science and Technology
Research Institute for Secure Systems
CodeBlue 2014, Tokyo, 19/December/2014
2. Who am I?
• A researcher for computer security
– National Institute of Advanced Industrial Science and Technology (AIST)
– Research Institute for Secure Systems (RISEC)
• Current interests https://staff.aist.go.jp/k.suzaki/
– Security on hypervisor (finding vulnerability and hardening OS security)
– Whitelisting Security on control systems
– KNOPPIX Japanese version
3. Outline
• Cyber espionage which uses high resolution devices on mobile gadgets.
• DeviceDisEnabler: a hypervisor which hides devices
– Key management using TPM
• Expansion plan for DeviceDisEnabler
• Demo
4. Question
• Do you know how many cameras are in this room?
• Is there anyone who DOESN’T have a camera?
Figure labels: Legacy Digital Camera, Smart phone, Tablet, Laptop PC
6. Do you know how many devices are included in a mobile gadget?
• Digital Camera
• Microphone, Speaker
• GPS
• Gyroscope
• etc. (Many sensors)
• It is not long ago that these devices came to be included in mobile gadgets.
– Around 2000, PDAs (e.g., Palm Pilot, Apple Newton) did not have such devices. The first iPod did not have a digital camera!
• CURRENT mobile gadgets are not traditional computers. They are an aggregation of sensor devices.
7. Do you know the resolution of these devices?
• Digital camera
– More than 1M pixel.
• Microphone, Speaker
– More than CD (44.1 kHz)
• GPS
– Resolution is less than 10 m.
• Gyroscope
– Sampling is more than 20 Hz.
High resolution devices are a target for cyber espionage.
8. Facial Reflection Keylogger [T.Fiebig, WOOT’14]
The front camera takes a shot of the user’s face (eye).
Figure labels: Put on a keyboard, Detect thumb, Zooming
T. Fiebig, J. Krissler and R. Hanesch, “Security Impact of High Resolution Smartphone Cameras”, WOOT 2014.
https://www.usenix.org/conference/woot14/workshop-program/presentation/fiebig
10. Eavesdropping caused by Gyroscope
• A gyroscope is not a microphone, but it turns out to be a speech logger.
• It is called Gyrophone [USENIX Security 14, BlackHat Europe 14].
– Merit: Access to the microphone requires permission, but access to the gyroscope does not. This makes it easy to use for cyber espionage.
– Problem: The sampling rate of the gyroscope (20-200 Hz) does not fit speech (male 85 - 180 Hz, female 165 - 255 Hz).
– ALIASING helps to understand speech.
Y. Michalevsky, D. Boneh, and Gabi Nakibly, “Gyrophone: Recognizing Speech from Gyroscope Signals”,
https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/michalevsky
11. Eavesdropping caused by microphone
• “Bundestrojaner” (Federal Trojan) had high impact on society.
• It is also named “R2D2” because the code has the string "C3PO-r2d2-POE".
• Allegedly, the malware R2D2 was installed by an officer at a German Airport.
– R2D2 records Skype audio conversations and sends the data to a remote website.
– R2D2 was discovered by Chaos Computer Club (CCC) in 2011.
• WikiLeaks says that German authorities ordered the cyber espionage malware.
12. Malicious location tracking by GPS
• “Cerberus” and “mSpy” are normal applications (anti-theft applications), but they are used to track employees.
• A Japanese application named “karelog” (Boyfriend Log) was sold under the name of “GPS Control manager”, but it steals GPS data without permission.
– It became a social problem in Japan and the company had to terminate the service.
13. Mobile gadgets are used in a restricted area.
• Mobile gadgets are commonly used in factories, meeting rooms, and hospitals, where important information is handled.
• The administrator wants to prohibit devices which are not used for work.
– Devices are embedded in a mobile gadget and non-removable.
Figure labels: Factory, Meeting
14. Extra Threat
• Not only attackers but also users (workers) want to use the devices on mobile gadgets.
• The users may circumvent countermeasures.
• Administrators have to deal with attackers as well as workers.
15. Current Countermeasures
• Some BIOS/EFI can disenable devices.
– It is useful, but not all mobile gadgets have such a function.
• Security goods
– Protect cap
– Security seal (for a camera)
They depend on the user’s conscience.
16. My Proposal
• “DeviceDisEnabler (DDE)”: a lightweight hypervisor which hides devices to protect cyber espionage and tampering
• Features
1. Lightweight and insertable to an existing OS on many mobile gadgets
2. Hiding PCI devices from an OS
3. Tamper resistant (prevention of circumvention)
• The OS cannot boot without the DDE because a part of the disk is encrypted by the DDE.
• The encryption key is hidden from the user.
17. Targets of DDE
• Mobile gadgets (Note PC, Tablet, etc.) with x86/AMD64 architecture CPU.
• DDE is developed on the open source hypervisor “BitVisor”.
• http://www.bitvisor.org/
• DDE disenables PCI devices which are not used for work.
– Current implementation does not treat USB devices.
Figure labels: Laptop PC used for presentation outside of an office; Tablet used in hospital; Camera, Microphone, GPS, Bluetooth, Gyroscope
18. Division of roles between DDE and OS
• DDE manages physical devices.
– The DDE is independent of the OS and hides some physical devices from the OS.
• OS has responsibility for the user account.
– DDE is independent of login authentication.
• DDE’s Disk encryption is independent of the OS’s encryption.
– The DDE’s Disk encryption can coexist with OS’s disk encryption (e.g., Windows’s BitLocker).
19. (1) Insertable Hypervisor on an existing OS
• Thin type-I (bare-metal) hypervisor
– Para-passthrough architecture (BitVisor [VEE’09])
• No Device Model. Guest OS can access devices directly.
– Small Trusted Computing Base (TCB)
• BitVisor does not require a host OS and makes a small TCB.
• DDE is inserted using the chainload function of the boot-loader.
Figure labels: Existing System (Applications (User Space), Preinstalled OS, Hardware); DeviceDisEnabler (hypervisor), Insert at boot time; BIOS, GRUB, DeviceDisEnabler (resides in memory), Go back to GRUB, chain loader, NTLDR (Windows Bootloader), Windows
20. (2) Hiding PCI devices from an OS
• A mobile gadget has many devices on PCI.
• Tool: PCI-Z
– http://www.pci-z.com/
Figure: PCI-Z device list (ThinkPad Helix)
21. How an OS recognizes a device on PCI
• An OS gets the information of devices on PCI from “PCI configuration space”.
– The information includes Vendor ID, Device ID, and Device Class Code, etc.
• Vendor ID and Device Class code are defined by PCI-SIG.
Figure label: Device classes
22. PCI Configuration Space
• PCI configuration space is the underlying way that the Conventional PCI, PCI-X, and PCI Express perform auto configuration of the devices.
• PCI configuration space has 2 registers (I/O ports).
1. PCI Address Register, I/O port: 0x0cf8
   Bits     Field
   31       EN
   30-24    Reserved
   23-16    Bus No
   15-11    Dev No
   10-08    Fun No
   07-02    Register Address
   01-00    0 0
2. PCI Configuration Register, I/O port: 0x0cfc
23. National Institute of Advanced Industrial Science and Technology
PCI Configuration Register
• I/O port: 0x0cfc
Offset: fields (bits 31 to 00, from high to low)
0x00: Device ID | Vendor ID
0x04: Device Status | Device Control
0x08: Class Code | Revision ID
0x0c: Header Type
0x10: Base Address 0
0x14: Base Address 1
0x18: Base Address 2
0x1c: Base Address 3
0x20: Base Address 4
0x24: Base Address 5
0x28: (blank)
0x2c: Subsystem ID | Subsystem Vendor ID
0x30: (blank)
0x34: Reserved
0x38: Reserved
0x3c: Interrupt Pin | Interrupt Line
0x40 ~ 0xfc: Undefined
24. National Institute of Advanced Industrial Science and Technology
Device recognition of Normal OS
• In order to get device information on the PCI, the OS accesses the I/O ports (PCI configuration register).
• The OS running on Intel CPU uses I/O instructions (i.e., IN or OUT) to access the I/O ports.
[Figure: the OS reads the PCI Configuration Register. Devices drawn: CPU, Mem, Disk, LAN, Camera, GPS, Video Card, and ???. Labels: Visible devices from OS; Invisible devices from OS; OS recognizes no device.]
Vendor ID: #8086 #0101 #04A9 #1033 #FFFFF
Device ID: #0013 #0024 #5031 #7623 #FFFFF
25. National Institute of Advanced Industrial Science and Technology
DDE hides devices. (1/2)
• The DDE intervenes in I/O operations using Intel & AMD virtualization architecture.
– An I/O instruction (i.e., IN or OUT) issued by the OS is trapped by Intel & AMD virtualization. Then the control is transferred to the hypervisor (DDE).
• When an I/O instruction is issued to PCI configuration space, the DDE checks the contents.
26. National Institute of Advanced Industrial Science and Technology
DDE hides devices. (2/2)
• If the DDE finds the PCI configuration register for a device that must be hidden, the DDE replaces the Vendor ID and Device ID with “#FFFF”.
• The OS recognizes that there is no device, and the device is not used.
– This effect is the same as hiding by BIOS.
[Figure: the hypervisor (DeviceDisEnabler, which also performs decryption of the encrypted disk) sits between the OS and the PCI configuration register. Devices drawn: CPU, Mem, Encrypted Disk, LAN, Camera, GPS, Video Card. Labels: Visible devices from OS; Invisible devices from OS.]
As seen by the OS:
Vendor ID: #8086 #0101 #FFFF #FFFF
Device ID: #0013 #0024 #FFFF #FFFF
PCI configuration register:
Vendor ID: #8086 #0101 #04A9 #1033
Device ID: #0013 #0024 #5031 #7623
27. National Institute of Advanced Industrial Science and Technology
Hidden device by DDE
• DDE has 2 types to hide devices.
– For a product device (Vendor ID and Device ID)
• It does not mean an individual device. It means a certain product.
– For a category (defined by PCI device class code)

Vendor ID: Vendor name
0x05ac: Apple, Inc.
0x04B3: IBM
0x1010: Video Logic Ltd.
0x104D: Sony Corporation
0x1061: 8x8 Inc.
0x106B: Apple Inc.
0x12E1: Nintendo Co. Ltd.
0x13B5: ARM Ltd
0x15AD: VMware Inc.
0x15C6: Technical University Of Budapest
0x8086: Intel Corporation
0x8087: Intel
0xA304: Sony
0xF5F5: F5 Networks Inc.

Class code: Class Name
0x00: Unclassified device
0x01: Mass storage controller
0x02: Network controller
0x03: Display controller
0x04: Multimedia controller
0x05: Memory controller
0x06: Bridge
0x07: Communication controller
0x08: Generic system peripheral
0x09: Input device controller
0x0a: Docking station
0x0b: Processor
0x0c: Serial bus controller
0x0d: Wireless controller
0x0e: Intelligent controller
0x0f: Satellite communications controller
0x10: Encryption controller
0x11: Signal processing controller
0x12: Processing accelerators
0x13: Non-Essential Instrumentation
0xff: Unassigned class
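An added example (not code from the slides, BitVisor or DDE): a Python model of the filtering described on the three slides above. It decodes the PCI Address Register written to port 0x0cf8 and answers a read of register 0x00 on port 0x0cfc with all ones when the function matches a hidden product (Vendor ID, Device ID) or a hidden class code. The names Hardware and DeviceFilter, the bus layout and the class codes given to the four ID pairs from the figure are assumptions; only 32-bit accesses to function 0 on bus 0 are modelled.

```python
CONFIG_ADDRESS, CONFIG_DATA = 0x0CF8, 0x0CFC     # the two I/O ports from the slides
NO_DEVICE = 0xFFFFFFFF                           # Vendor ID and Device ID both #FFFF

def encode_address(bus, dev, fn, reg):           # EN | bus | dev | fn | register
    return 0x80000000 | (bus << 16) | (dev << 11) | (fn << 8) | (reg & 0xFC)

def decode_address(value):
    """Return (enable, bus, dev, fn, reg) from a PCI Address Register value."""
    return (value >> 31, (value >> 16) & 0xFF, (value >> 11) & 0x1F,
            (value >> 8) & 0x7, value & 0xFC)

class Hardware:
    """Constructed bus: {(bus, dev, fn): {register offset: 32-bit value}}."""
    def __init__(self, functions):
        self.functions, self.address = functions, 0

    def out32(self, port, value):
        if port == CONFIG_ADDRESS:
            self.address = value

    def in32(self, port):
        enable, bus, dev, fn, reg = decode_address(self.address)
        regs = self.functions.get((bus, dev, fn))
        if port != CONFIG_DATA or not enable or regs is None:
            return NO_DEVICE                     # an empty slot reads as all ones
        return regs.get(reg, 0)

class DeviceFilter:
    """Hypothetical stand-in for the hypervisor's trapped IN/OUT handler."""
    def __init__(self, hw, hidden_products=(), hidden_classes=()):
        self.hw, self.products, self.classes = hw, set(hidden_products), set(hidden_classes)

    def out32(self, port, value):
        self.hw.out32(port, value)               # address writes pass through

    def _raw(self, bus, dev, fn, reg):
        saved = self.hw.address                  # keep the guest's latched address
        self.hw.out32(CONFIG_ADDRESS, encode_address(bus, dev, fn, reg))
        value = self.hw.in32(CONFIG_DATA)
        self.hw.out32(CONFIG_ADDRESS, saved)
        return value

    def in32(self, port):
        value = self.hw.in32(port)
        enable, bus, dev, fn, reg = decode_address(self.hw.address)
        if port != CONFIG_DATA or not enable or reg != 0x00 or value == NO_DEVICE:
            return value
        ids = (value & 0xFFFF, value >> 16)      # (Vendor ID, Device ID)
        base_class = self._raw(bus, dev, fn, 0x08) >> 24
        if ids in self.products or base_class in self.classes:
            return NO_DEVICE                     # the OS sees no device here
        return value

def scan(io, bus=0):
    """Guest-side enumeration: read register 0x00 of function 0 in every slot."""
    found = []
    for dev in range(32):
        io.out32(CONFIG_ADDRESS, encode_address(bus, dev, 0, 0x00))
        ids = io.in32(CONFIG_DATA)
        if ids & 0xFFFF != 0xFFFF:
            found.append((ids & 0xFFFF, ids >> 16))
    return found

# Constructed bus: ID pairs from the slide's figure, class codes assumed.
DEVICES = [(0x8086, 0x0013, 0x06), (0x0101, 0x0024, 0x02),
           (0x04A9, 0x5031, 0x04), (0x1033, 0x7623, 0x07)]
HW = Hardware({(0, slot, 0): {0x00: (d << 16) | v, 0x08: c << 24}
               for slot, (v, d, c) in enumerate(DEVICES)})
DDE = DeviceFilter(HW, hidden_products={(0x04A9, 0x5031)}, hidden_classes={0x07})
```

Calling scan(HW) lists all four functions, while scan(DDE) lists only the two that the policy leaves visible.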
28. National Institute of Advanced Industrial Science and Technology
(3) Tamper resistance (prevention of circumvention)
• Unfortunately, we can't rule out the possibility that users try to bypass the DDE because they want to use the devices.
• DDE’s countermeasure
– The DDE encrypts a part of the disk and tries to make it impossible to boot the OS without the DDE.
• Problem
– However, it is not easy to stop booting OS (Windows) using simple disk-block encryption.
29. National Institute of Advanced Industrial Science and Technology
Difficulty to stop booting OS
• BitVisor (the base of DDE) has a function to encrypt a region (blocks) of hard-disk.
– It is useful to protect the data when the disk is stolen.
• Unfortunately, BitVisor’s encryption is not applied to a whole partition of Windows because a part of the boot sequence can access the disk without a hypervisor.
– Maybe, the booting of a kernel uses BIOS to access the disk. BitVisor cannot intercept the BIOS’s disk access.
– Even if the DDE decrypts the partition correctly, OS cannot boot.
• (Note) If I can use Linux, I can separate the disk image into 2 partitions: miniroot and rootFS. The miniroot is used for booting Linux kernel and rootFS is used for mounting root file system. The DDE encrypts the partition of rootFS and stops the booting of the Linux properly.
30. National Institute of Advanced Industrial Science and Technology
Stop Windows booting
• I gave up stopping kernel booting. I tried to stop the boot sequence in user space.
• I analyzed the boot sequence in user space of Windows, and tried to encrypt a file which was needed to boot Windows.
• I chose the “smss.exe” file to be encrypted by the DDE.
– If the file is not decrypted by the DDE, Windows does not boot properly.
31. National Institute of Advanced Industrial Science and Technology
Finding blocks allocated for a file
• (Problem) It is not easy to find disk-blocks allocated for a file on NTFS.
– I used a tool offered by Mark Roddy.
• getFileExtents.exe
• http://www.wd-3.com/archive/luserland.htm
– The getFileExtents worked well in Windows 7. However, Windows 8 has a harder security mechanism and the getFileExtents does not work well.
• Handler “initFileTranslation” is not available in Windows 8.
– For Windows 8, I make a disk copy with the “dd” command and mount the disk image on Windows 7. This makes it possible to find disk-blocks for a file using getFileExtents.
32. National Institute of Advanced Industrial Science and Technology
Stop Windows boot by DDE
[Figure: with the hypervisor (DeviceDisEnabler) in place, the file used for booting (smss.exe), which is encrypted by DDE, is decrypted for Windows. If the DDE is removed, Windows cannot boot because the file used for booting is not decrypted.]
• It makes tamper resistance for the DDE, but …
33. National Institute of Advanced Industrial Science and Technology
Struggle with recovery mechanism
• Current OS has automatic recovery mechanism.
– Automatic recovery mechanism can fix a broken file.
• e.g., Windows RE (Recovery Environment)
• On current implementation of DDE, administrator must halt the recovery mechanism in Windows 8.
• This problem has not been solved yet. However, the situation is the same as a re-install attack.
– When a user tries to re-install the OS on the target machine, most countermeasure mechanisms cannot prevent it.
34. National Institute of Advanced Industrial Science and Technology
Hiding an encryption key
• The encryption key of DDE must be unknown to the user.
• Original BitVisor only includes the key in the binary.
– Attacker can get the key by comparing the binaries of DDE.
• DDE has a mechanism to hide the encryption key in a secure chip TPM (Trusted Platform Module).
– It utilizes Trusted boot and TPM non-volatile storage.
35. National Institute of Advanced Industrial Science and Technology
Hiding encryption key in the TPM (1/3)
• TPM offers a mechanism of Trusted Boot. Trusted Boot measures boot sequence and keeps the log. It makes possible to certify the integrity of the boot sequence (i.e., Chain of Trust).
– The SHA-1 of each sequence (e.g., BIOS, peripherals, bootloader, etc.) is stored to a PCR (Platform Configuration Register) in a TPM with “extend” operation.
• PCR=SHA-1(PCR + SHA-1(Component))
– It means that PCR shows the stage of the boot sequence.
[Figure: Integrity Measurement chain from the Root of Trust: CRTM, TCG-BIOS (with Peripherals and Option ROMs), Boot Loader (Trusted GRUB), Hypervisor (DDE), OS. Each stage stores a SHA-1 value to a PCR in the TPM (PCR0 … PCR23). Each PCR represents a category of action. KEY: extracting a disk encryption key from TPM at certain PCR’s values.]
36. National Institute of Advanced Industrial Science and Technology
Hiding encryption key in the TPM (2/3)
• In order to keep “Chain of Trust”, each component must have a function to measure next component.
– The mobile gadget must have TCG-BIOS as well as TPM.
– The boot loader must support measurement function.
• Trusted GRUB http://sourceforge.net/projects/trustedgrub
37. National Institute of Advanced Industrial Science and Technology
Hiding encryption key in the TPM (3/3)
• The encryption key is stored to a TPM. It can be set to extract at certain PCR values.
– If PCR values are changed (the binary of DDE is customized), the key is not extracted.
• It means that the users MUST use the valid DDE.
38. National Institute of Advanced Industrial Science and Technology
Chain of Trust
• Boot sequence in ThinkPad Helix
– Software and devices used in the boot sequence are measured in a TPM.
• PCR=SHA-1(PCR + SHA-1(Component))
Each PCR represents a category of action.
PCR SHA1 Event
0 4b81c044c1472a34c73da87d7ad3a64ba62e9047 08 [S-CRTM Version]
6 fcad787f7771637d659638d92b5eee9385b3d7b9 05 [Wake Event 6]
0 8841e9e7d8eb4c753d2ef7dc9f89a07c756cb30b 07 [S-CRTM Contents]
0 3d9766e45814d6374d9a85aa519071dc82574017 01 [POST CODE]
1 b83f6c64a1727add477a94874f3f11f29d531c47 09 [CPU Microcode]
4 9069ca78e7450a285173431b3e52c5c25299e473 04 []
2 199804c152f10535cd88f8f5d607ae55e9e2f3ef 06 [Option ROM]
5 cd0fdb4531a6ec41be2753ba042637d6e5f7f256 80000007 []
0 afbf30b554a35d0ba6a469934d35cf9f58eec6af 80000009 []
1 8de522ea7b732f0bf261ed931245c5c7e75fedbb 80000009 []
0 9069ca78e7450a285173431b3e52c5c25299e473 04 []
1 9069ca78e7450a285173431b3e52c5c25299e473 04 []
2 9069ca78e7450a285173431b3e52c5c25299e473 04 []
3 9069ca78e7450a285173431b3e52c5c25299e473 04 []
5 9069ca78e7450a285173431b3e52c5c25299e473 04 []
6 9069ca78e7450a285173431b3e52c5c25299e473 04 []
7 9069ca78e7450a285173431b3e52c5c25299e473 04 []
1 1f3c97f0b6d45a46ec1aa91e5868322dea94d76c 80000002 []
4 c1e25c3f6b0dc78d57296aa2870ca6f782ccf80f 05 [Calling INT 19h]
4 d564bb707b030e193fdd3ddae8818703225c49c3 05 [Booting BCV Hard Disk]
4 f2e7a20ef1397308f937841b55040905ff7cabca 0d [IPL]
5 c358aaa78d400ad539f90d542e5519aa4e403714 0e [IPL Partition Data]
4 e479a239ff8d17b2391782a86e19ca873ec6536c 0d [IPL]
39. National Institute of Advanced Industrial Science and Technology
TPM non-volatile storage
• TPM has a storage system named “TPM non-volatile storage”, which allows access when PCRs have certain values.
• The disk encryption key of DDE is stored on the storage, which prevents the circumvention of DDE.
– PCR values are changed when the binary of DDE is customized. The encryption key in the TPM is not exposed.
• Reference
– TPM Main Part 3 Commands, Specification Version 1.2, Level 2 Revision 116, 1 March 2011,
http://www.trustedcomputinggroup.org/files/static_page_files/72C33D71-1A4B-B294-D02C7DF86630BE7C/TPM_Main-Part_3_Commands_v1.2_rev116_01032011.pdf
40. National Institute of Advanced Industrial Science and Technology
Interface of TPM non-volatile storage
• The “TPM non-volatile storage” is accessed by the API offered by TCG-BIOS.
API of TCG BIOS: Description
TPM_NV_DefineSpace
• API to reserve a region of TPM non-volatile storage.
• The region has an “index” number to access.
• The access can be limited by certain values of PCRs.
TPM_NV_WriteValue
• API to write data to the TPM non-volatile storage.
• The region is accessed when PCRs are the same as the registered values.
TPM_NV_ReadValue
• API to read data from the TPM non-volatile storage.
• The region is accessed when PCRs are the same as the registered values.
41. National Institute of Advanced Industrial Science and Technology
Example of TPM non-volatile storage
• A region of TPM non-volatile storage has an index to access.
• The region can be read/written when the hash of PCR[0-7,12-14] is the registered hash value.
On ThinkPad Helix
# tpm_nvinfo
NVRAM index : 0x00010016 (65558)
PCR read selection:
 PCRs : 0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14
 Localities : 0x7
 Hash : bcea2524269cafd359d69caa850e209481feeec4
PCR write selection:
 PCRs : 0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14
 Localities : 0x7
 Hash : bcea2524269cafd359d69caa850e209481feeec4
Permissions : 0x00000000 ()
bReadSTClear : FALSE
bWriteSTClear : FALSE
bWriteDefine : FALSE
Size : 32 (0x20)
(Callouts on the slide: the “PCRs” lines are the PCRs to verify; the “Hash” lines are the hash of values of PCRs.)
42. National Institute of Advanced Industrial Science and Technology
Example of PCRs on TPM
On ThinkPad Helix
Trusted GRUB uses PCR[12-14]
PCR[0-7, 12-14] are used to get the encryption key from the TPM non-volatile storage.
PCR[0-7] are used to certify the true boot sequence before Trusted GRUB.
PCR[12-14] are changed when the DDE is customized.
Original DDE
PCR-00: 27 CD 64 2F DA 95 EA 09 3B 8C AE BC 68 9F FA C7 2A 59 76 01
PCR-01: E2 60 C4 57 A9 DC 8B C1 3C 5D E8 23 9F 2B 6B 71 86 19 72 19
PCR-02: F2 E5 65 2A DC 7F 57 8A F0 89 9D F1 0F 6B AE A1 13 08 19 E2
PCR-03: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-04: AA C6 8F 43 8F 5C 23 4E BD 70 F7 46 7D 51 18 4E BD A3 CA 55
PCR-05: 01 C2 F5 26 13 11 B9 6F 4B BF A4 39 14 AC CA 6B CD A2 65 41
PCR-06: EE 1B 0F 99 7D 75 17 B2 86 BC 9D 73 A4 CF 74 2C 65 A7 69 BE
PCR-07: B2 A8 3B 0E BF 2F 83 74 29 9A 5B 2B DF C3 1E A9 55 AD 72 36
PCR-08: 93 41 C4 1A 6D EA 42 08 65 16 B8 4B AF AF 48 3C CD 96 36 91
PCR-09: 1B 60 78 EA 42 8E FA 3A 2A D2 A9 7E 22 04 90 7C 1A E6 33 A9
PCR-10: 3D C7 DF C4 CB B0 EC D3 9F B2 75 14 4B 41 E0 42 52 AF C1 17
PCR-11: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-12: 98 CB C3 5A 43 22 54 CB CB DD E6 04 30 B1 89 D9 54 E4 E7 F8
PCR-13: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
PCR-14: FB 17 F0 8C C8 E0 1F D6 8B 96 62 14 63 54 70 A4
43. National Institute of Advanced Industrial Science and Technology
Failing the boot
• If the DDE is customized, it fails to get the encryption key from TPM non-volatile storage.
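An added example (not code from the slides, BitVisor or Trusted GRUB): a Python model of the “extend” operation and of PCR-gated access to TPM non-volatile storage as described on the slides above. The separator digest and the PCR selection are taken from the page; the NvRegion class, the DDE image bytes, the key and the choice of PCR 14 for the hypervisor image are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# SHA-1 of four zero bytes: the digest logged for the event-04 rows on the page.
SEPARATOR = bytes.fromhex("9069ca78e7450a285173431b3e52c5c25299e473")
SEAL_PCRS = (0, 1, 2, 3, 4, 5, 6, 7, 12, 13, 14)   # selection printed by tpm_nvinfo

def measure(component):
    return hashlib.sha1(component).digest()

def extend(pcr, digest):
    """PCR = SHA-1(PCR + SHA-1(Component)); '+' is byte concatenation."""
    return hashlib.sha1(pcr + digest).digest()

def replay(log, pcr_count=24):
    """Rebuild PCR values from (pcr index, digest) log entries, starting at zero."""
    pcrs = [bytes(20)] * pcr_count
    for index, digest in log:
        pcrs[index] = extend(pcrs[index], digest)
    return pcrs

def selection_bitmap(selection, size=3):
    bitmap = bytearray(size)
    for i in selection:
        bitmap[i // 8] |= 1 << (i % 8)
    return bytes(bitmap)

def composite_hash(pcrs, selection=SEAL_PCRS):
    """SHA-1 over a TPM 1.2 style composite: bitmap, value length, PCR values."""
    bitmap = selection_bitmap(selection)
    values = b"".join(pcrs[i] for i in sorted(selection))
    blob = (struct.pack(">H", len(bitmap)) + bitmap
            + struct.pack(">I", len(values)) + values)
    return hashlib.sha1(blob).digest()

class NvRegion:
    """Hypothetical model of an NV region readable only in one PCR state."""
    def __init__(self, secret, registered_hash):
        self._secret, self._registered = secret, registered_hash

    def read(self, pcrs):
        if hmac.compare_digest(composite_hash(pcrs), self._registered):
            return self._secret
        return None                                  # key is not released

def boot_log(dde_image):
    """Constructed log: one separator per PCR 0-7, then the loaded hypervisor."""
    log = [(i, SEPARATOR) for i in range(8)]
    log.append((14, measure(dde_image)))             # assumption: image goes to PCR 14
    return log

GOOD_DDE = b"constructed DDE image"                  # constructed sample input
KEY = bytes(range(32))                               # constructed 32-byte key
NV = NvRegion(KEY, composite_hash(replay(boot_log(GOOD_DDE))))

def boot(dde_image):
    """Return the key if the measured boot matches the registered state."""
    return NV.read(replay(boot_log(dde_image)))
```

Replaying a single separator event into an empty PCR gives B2 A8 3B 0E …, the value the page lists for PCR-03 and PCR-07, and boot() returns None as soon as the measured image differs from the registered one.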
44. National Institute of Advanced Industrial Science and Technology
Current Implementation
• Current DDE is applied to laptop PC and tablet which satisfy the following requirements.
– x86/AMD64 architecture CPU
– DDE uses 128MB memory.
– TPM 1.2
– TCG BIOS (Current DDE does not support EFI.)
– Only PCI devices are controlled.
– OS independent (I have tried Windows 7, 8, and Linux)
45. National Institute of Advanced Industrial Science and Technology
Expansion plan for DeviceDisEnabler
• Apply to widely used mobile gadgets.
– Atom CPU
– ARM CPU
• Apply to mobile gadgets without TPM
46. National Institute of Advanced Industrial Science and Technology
Mobile gadgets with Atom CPU
• Current DeviceDisEnabler can be applied. However, …
• Virtualization may be trouble in Mobile gadgets with Atom CPU.
– Atom CPU has virtualization, but the BIOS/EFI disables the virtualization in many mobile gadgets.
– Some home pages tell methods to enable virtualization.
• TPM is not embedded.
– It is not clear that the BIOS is based on TCG-BIOS.
– EFI is not supported by current DeviceDisEnabler
• Example: MS Surface
47. National Institute of Advanced Industrial Science and Technology
Mobile gadgets with ARM CPU
• Lack of a hypervisor for ARM was a problem, but …
– ARM’s virtualization extension
• ARM Architecture Virtualization Extension and Large Physical Address Extension (LPAE) are introduced.
– Development of DeviceDisEnabler for ARM.
• Xen 4.4 (official support from 2014.3.10), ARM/KVM, Xvisor, etc. We plan to develop DeviceDisEnabler based on these hypervisors.
• Less TPM support
– Exception: Samsung Chromebook2 has a TPM. It is not clear it supports TCG-BIOS.
• Possibility of Installation
– Bootloader is not supported as PC environment.
48. National Institute of Advanced Industrial Science and Technology
Without TPM
1. Network download
– Easy to implement, but it requires Internet connection as ChromeOS.
2. Embedded an encryption key using code obfuscation
– We can use White-box cryptography and other obfuscation techniques, but they are theoretically breakable.
[Figure: Traditional cryptography compared with White-box cryptography. Labels: key, plain text, cipher text.]
49. National Institute of Advanced Industrial Science and Technology
Demo Video
• Three kinds of booting
– Standalone boot of Windows 8
• smss.exe is encrypted by the DDE and it fails to boot.
– Customized DDE
• It cannot get the encryption key and fails to boot.
– DDE and Windows 8
• It works well.
!Just Fun!
50. National Institute of Advanced Industrial Science and Technology
Trusted GRUB has 3 boot options
• Windows 8
• Hacked DDE (Customized DeviceDisEnabler)
• DDE
51. National Institute of Advanced Industrial Science and Technology
Conclusion
• High-resolution devices on mobile gadgets may be used for cyber espionage.
– Administrators want to disenable unnecessary devices on their working place.
• I proposed a thin hypervisor “DeviceDisEnabler” which hides devices from an OS.
• DeviceDisEnabler has a tamper resistance mechanism which uses a TPM. It prevents the circumvention caused by users.
• As future work
– Supporting EFI boot (for Microsoft Surface).
– Hiding USB device.
– Supporting ARM CPU.
52. National Institute of Advanced Industrial Science and Technology
Special Thanks
• Toshiki Yagi, AIST
• Michitaka Yoshimoto, AIST
• Kazukuni Kobara, AIST
• Developers for BitVisor
– http://www.bitvisor.org/