The list of conferences and other events where I gave or am going to give a talk. Latest events at the top.
Upcoming events
date: 16-17 May 2008
location: Krakow, Poland
Security challenges in virtualized environments (keynote)
date: 23-24 April 2008
location: Oslo, Norway
Security challenges in virtualized environments (keynote)
Past events
date: 7-11 April 2008
location: San Francisco, USA
Security challenges in virtualized environments (new research)
date: 25-26 March 2007
location: Amsterdam, The Netherlands
Hands-on Training: Understanding Stealth Malware (updated for 2008)
A 2-day hands-on training class on stealth malware, taught together with Alexander Tereshkin. More on the blog here. You can register at the Black Hat website here.
date: 15-16 November 2007
location: Rostov-on-Don, Russia
Security challenges in virtualized environments (keynote)
date: 20 November 2007
location: Toronto, Canada
1. Security Challenges in Virtualized Environments
2. Human Factor vs. Technology
date: 22-23 October 2007
location: Stockholm, Sweden
Security challenges in virtualized environments (keynote)
date: 17 September 2007
location: London, UK
Human factor vs. Technology (keynote)
This lecture will try to present current challenges in operating systems security, from both a human and a technical perspective, along with the author's thoughts about how we should address those problems in the future.
date: 28 July - 2 August 2007
location: Las Vegas, NV, USA
Hands-on Training: Understanding Stealth Malware
Two 2-day hands-on training classes on stealth malware, taught together with Alexander Tereshkin. More on the blog here. You can register at the Black Hat website here.
IsGameOver(), anyone? (new research)
We will present new, practical methods for compromising the Vista x64 kernel on the fly and discuss the irrelevance of TPM/Bitlocker technology in protecting against such non-persistent attacks. A significant amount of time will also be devoted to presenting new details about virtualization-based malware [...]
date: 17-22 June 2007
location: Seville, Spain
Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case)
date: 31 May 2007
location: Moscow, Russia
Stealth malware - can good guys win? (keynote)
date: 20-25 May 2007
location: Brisbane, Australia
Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case)
date: 16 May 2007
location: Hong Kong
Human factor vs. Technology (keynote)
This lecture will try to present current challenges in operating systems security, from both a human and a technical perspective, along with the author's thoughts about how we should address those problems in the future.
date: 12-13 May 2007
location: Krakow, Poland
"A la carte"
A choice of several of my current talks will be "offered" and the audience will vote for the presentation they want to see...
Update: May 13th 2007 - Due to a temporary illness I couldn't make it to the conference and the lecture has been cancelled :(
date: 10 May 2007
location: Ede, The Netherlands
Virtualization - The other side of the coin (keynote)
date: 26-30 March 2007
location: London, UK
Fighting Stealth Malware: Towards Verifiable Systems
date: 14 March 2007
location: New York, USA
Inside the Mind of a Hacker (panel)
A panel with a few other security researchers about the state of the art in security today...
date: 28 February - 1 March 2007
location: Washington DC, USA
Beyond The CPU: Defeating Hardware Based RAM Acquisition Tools (Part I: AMD case) (new research)
Many people believe that using a hardware based acquisition method, e.g. a PCI card or a FireWire bus, is the most reliable and secure way to obtain the image of the volatile memory (RAM) for forensic purposes. This presentation is aimed at changing this belief by demonstrating how to cheat such hardware based solutions, so that the image obtained using e.g. a FireWire connection can be made different from the real contents of the physical memory as seen by the CPU. The attack does not require a system reboot. The presented technique has been designed and implemented to work against AMD64 based systems, but it does not rely on hardware virtualization extensions.
date: 7-8 February 2007
location: Hamburg, Germany
Stealth malware - can good guys win? (keynote)
date: 27-30 December 2006
location: Berlin, Germany
Fighting Stealth Malware: Towards Verifiable Systems
The presentation first debunks The 4 Myths About Stealth Malware Fighting that surprisingly many people believe in. Then my stealth malware classification is briefly described, presenting the malware of type 0, I and II and the challenges with their detection (mainly with type II). Finally I talk about what changes to the OS design are needed to make our systems verifiable. If the OS were designed in such a way, then detection of type I and type II malware would be a trivial task...
date: 21-22 October 2006
location: Wroclaw, Poland
Subverting Vista Kernel for Fun and Profit
date: 7-12 October 2006
location: Rio de Janeiro, Brazil
1. Stealth malware - can good guys win? (keynote)
The presentation will try to present current challenges in detecting advanced forms of stealth malware and explain why current detection approaches, as used in commercial A/V or IDS products, are insufficient. The author will try to convince the audience that detection is no less important than prevention and that we need a systematic approach to implement a good compromise detector, instead of a bunch of "hacks" as we have today.
2. Subverting Vista Kernel for Fun and Profit
date: 5-6 October 2006
location: Tokyo, Japan
Subverting Vista Kernel for Fun and Profit
date: 20-21 September 2006
location: Kuala Lumpur, Malaysia
Subverting Vista Kernel for Fun and Profit
date: 2-3 August 2006
location: Las Vegas, USA
Subverting Vista Kernel for Fun and Profit
date: 20-21 July 2006
location: Singapore
Subverting Vista Kernel for Fun and Profit (new research)
The presentation will first present how to generically (i.e. not relying on any implementation bug) insert arbitrary code into the latest Vista Beta 2 kernel (x64 edition), thus effectively bypassing the (in)famous Vista policy for allowing only digitally signed code to be loaded into the kernel. The presented attack does not require a system reboot.
Next, the new technology for creating stealth malware, code-named Blue Pill, will be presented. Blue Pill utilizes the latest virtualization technology from AMD - Pacifica - to achieve unprecedented stealth.
The ultimate goal is to demonstrate that it is possible (or soon will be) to create undetectable malware which is not based on a concept, but, similarly to modern cryptography, on the strength of the 'algorithm'.
date: 13-14 May 2006
location: Krakow, Poland
Rootkits vs. Stealth by Design Malware
date: 2-3 March 2006
location: Amsterdam, The Netherlands
Rootkits vs. Stealth by Design Malware
A slightly modified version of the Rootkit Hunting vs. Compromise Detection talk.
date: 1-3 February 2006
location: Dresden, Germany
Rootkit Hunting vs. Compromise Detection
date: 23-34 January 2006
location: Washington DC, USA
Rootkit Hunting vs. Compromise Detection (new research)
Recently we can observe increased interest in rootkit technology all over the world. Eventually many AV companies started working on commercial rootkit hunting tools for the Smith family... But is rootkit detection the same as compromise detection? What about backdoors, keystroke loggers and other malware which is “stealth by design” and does not require rootkit technology as a protection? How does the current anti-rootkit technology work here? [...]
date: December 4th, 2005
location: Redmond, WA, USA
Explicit Compromise Detection
date: 28-29 September 2005
location: Kuala Lumpur, Malaysia
System Virginity Verifier: Defining the Roadmap for Malware Detection on Windows System (new research)
The presentation aims to define a detailed list of vital operating system parts as well as a methodology for malware detection. The list will start at such basic levels as the actions needed for file system and registry integrity verification, go through user-mode memory validation (detecting additional processes, hooked DLLs, injected threads, etc.) and finally end with such advanced topics as defining vital kernel parts which can be altered by modern rootkit-based malware (with techniques like Raw IRP hooking, various DKOM based manipulations or VMM cheating) [...]
date: 27-29 December 2004
location: Berlin, Germany
Implementation of Passive Covert Channels in the Linux Kernel (new research)
The presentation will describe the idea of passive covert channels (PCC). By passive covert channels, one means a specific kind of CC, which does not generate its own traffic. A PCC only changes some fields in the packets generated by a legitimate user (or processes) of the compromised host. For example, a PCC can be implemented as a kernel module which will change the Initial Sequence Number (ISN) in all (or only some) outgoing TCP connections. The new ISNs will carry the secret message, which could be, for example, the password sniffed by malicious software running on the compromised machine. [...]
date: 12-13 October 2004
location: Warsaw, Poland
1. Rootkits Detection on Windows Systems
2. Linux Kernel Backdoors And Their Detection