Last-minute paper: Killing the rootkit - perfect physical memory process detection

Thursday 25 September 14:30 - 15:00, Green room.

Shane Macaulay IOActive


To know if your system is compromised, you need to find everything that could run (or otherwise change state), and then verify its integrity (is it what you expect it to be?).

'Finding everything' is a bold statement, particularly in the realm of computer security, rootkits and advanced threats. How is that possible? The short answer is, sadly, that it's not. Strangely, the long answer is that it is, in fact, possible to find everything.

The typical iterative attack <=> defence loop in the wake of rootkit technologies, DKOM, shadow walker and the like, has come to an end with the discovery of a cross-platform, cross-architecture hardware-defined process detection technique.

When the OS starts up a process, it establishes the ability for virtual memory to be used (to enable memory protection) by creating a page table. The so-called page table is itself a single page of physical memory (0x1000 bytes); it is usually allocated by way of some cache-optimized mechanism, which makes locating it somewhat complicated. Fortunately, we do have a method for identifying a page table by understanding several established (hardware) requirements for its construction.

By identifying the absolute minimum amount of bit testing, evasive methods are limited if not comprehensively blocked. Detection of all process/kernel memory is now possible, and DKOM-style rootkits are rendered obsolete by this detection method.
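The following is an added illustration of the idea in the two paragraphs above; it is not code from the talk or the slides. It scans a constructed "physical memory dump" page by page and flags pages that satisfy the x86-64 hardware rules for a top-level page table (PML4): every present entry has its reserved bits clear and points at a 4 KiB-aligned page inside the dump. Because the scan consults no OS-maintained list, unlinking a process from a kernel list (DKOM) does not hide its page table. Two further checks are assumptions rather than hardware requirements: MAXPHYADDR is fixed at 48 bits (a real tool reads it from CPUID), and a candidate must contain a self-referencing entry, which is an OS convention (Windows uses one; the index 0x1ED here is only a sample value) and not something the CPU mandates.

```python
import struct

PAGE = 0x1000                       # a page table occupies exactly one 4 KiB page
ENTRIES = PAGE // 8                 # 512 eight-byte entries per table
P_BIT = 1 << 0                      # Present
RESERVED_BIT7 = 1 << 7              # must be zero in a PML4E (no 512 GiB large pages)
MAXPHYADDR = 48                     # assumption; real value comes from CPUID
ADDR_MASK = ((1 << MAXPHYADDR) - 1) & ~0xFFF
RESERVED_HI = ((1 << 52) - 1) & ~((1 << MAXPHYADDR) - 1)   # bits MAXPHYADDR..51 must be zero


def entry_is_well_formed(e):
    """Hardware constraints a present PML4E must satisfy under 4-level paging."""
    if not e & P_BIT:
        return True                 # a not-present entry carries no constraints
    return (e & RESERVED_BIT7) == 0 and (e & RESERVED_HI) == 0


def classify_page(image, phys):
    """Return a description if the page at physical address `phys` looks like a PML4, else None."""
    entries = struct.unpack("<%dQ" % ENTRIES, image[phys:phys + PAGE])
    present = [(i, e) for i, e in enumerate(entries) if e & P_BIT]
    if not present:
        return None                                  # an empty table maps nothing
    if not all(entry_is_well_formed(e) for e in entries):
        return None                                  # reserved bits set: cannot be a live table
    if any((e & ADDR_MASK) >= len(image) for _, e in present):
        return None                                  # every pointer must land inside the dump
    self_map = [i for i, e in present if (e & ADDR_MASK) == phys]
    if not self_map:
        return None                                  # assumed OS convention: table maps itself
    kernel = sum(1 for i, _ in present if i >= ENTRIES // 2)   # upper half = kernel space
    return {"phys": phys, "self_map_index": self_map[0],
            "user_entries": len(present) - kernel, "kernel_entries": kernel}


def find_page_tables(image):
    """Walk the dump one page at a time; each hit corresponds to one address space."""
    hits = []
    for phys in range(0, len(image) - PAGE + 1, PAGE):
        result = classify_page(image, phys)
        if result:
            hits.append(result)
    return hits


def build_sample_image():
    """Constructed 32 KiB dump: one genuine-looking PML4 at 0x1000 plus several decoys."""
    pages = [bytearray(PAGE) for _ in range(8)]

    def put(page, idx, val):
        struct.pack_into("<Q", page, idx * 8, val)

    put(pages[1], 0x000, 0x2000 | 0x7)     # user-space entry (P, RW, US) -> page 2
    put(pages[1], 0x1ED, 0x1000 | 0x3)     # self-referencing entry -> this very page
    put(pages[1], 0x1FF, 0x3000 | 0x3)     # kernel-space entry -> page 3
    pages[4][:] = b"\xff" * PAGE           # decoy: present bits set but reserved bits too
    put(pages[5], 0, 0x6000 | 0x3)         # decoy: well formed, but no self reference
    put(pages[6], 0, 0x6000 | 0x3)         # decoy: self reference ...
    put(pages[6], 1, 0x1000000 | 0x3)      # ... but another entry points outside the dump
    return bytes(b"".join(pages))


if __name__ == "__main__":
    for hit in find_page_tables(build_sample_image()):
        print("PML4 candidate at %#x (self-map index %#x, %d user / %d kernel entries)"
              % (hit["phys"], hit["self_map_index"], hit["user_entries"], hit["kernel_entries"]))
```

The decoy pages show why the bit tests matter: a page of 0xFF bytes has the present bit set in every entry but also the reserved bits, so it can never be a table the CPU would walk; a page whose pointers leave the captured image is rejected for the same reason a hypervisor- or firmware-level sleight of hand would be, since the dump itself is what is being verified.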

The presentation will discuss hypervisor device verifiability, physical memory dump assurances and how leveraging these techniques combined with process detection can effectively detect TLB (shadow walker) or hardware (UEFI)-based rootkits.


Shane Macaulay

Shane 'K2' Macaulay has over 15 years of low-level system security experience in attack and defensive techniques. He has developed exploit code for several architectures, and has investigated and reverse engineered complex malware with an unrelenting thirst for devising elegant and comprehensive solutions for his customers. Shane has worked with top industry experts dating back to his time with Core Security, @stake, IBM, Bloomberg and (currently) IOActive. He continues to learn and advance the state of the art of system security. Shane's previous projects include ADMmutate (polymorphic shellcode), KARMA (client wireless assessment platform) and BlockWatch (memory integrity monitoring). Shane is also an alumnus of 'The Honeynet Project', having supplied several of the attack challenges. He is also a long-time industry speaker at DefCon, CanSecWest, BlueHat and other conferences.