Country Fair at [ Intel Security Conference 2011 ] ;)
Carlos Rozas, Hormuzd Khosravi, Divya Kolar Sunder, Yuriy Bulygin
Researchers and industry have found novel uses for cloud computing to detect malware. We present a cloud-computing-based architecture that improves the resiliency of the existing solutions, and we describe our prototype that is based on existing Intel platforms.
Chipset Based Detection and Removal of Virtualization Malware [ Intel Virtualization Security Summit 2008 ]
Insane Detection of Insane Rootkits: Chipset Based Detection and Removal of Virtualization Malware [ Black Hat USA 2008 ]
This work introduces an approach to detect hardware-assisted virtualization malware different from currently developed techniques. It uses hardware capabilities of an embedded microcontroller inside chipset's north-bridge to detect virtualization malware, and to go beyond detection and remove it from the system. We will discuss advantages and other potential applications of the approach, possible attacks evading detection and solutions.
It also includes a demo of DeepWatch, a proof of concept detector of VT-x based virtualization rootkits implemented in north-bridge firmware.
CPU side-channels vs. virtualization rootkits: the good, the bad, or the ugly [ ToorCon Seattle 2008 ]
Side-channels that use CPU resources are bad. Everyone knows that. Rootkits that use CPU virtualization aren't any better. Security researchers mentioned theoretical possibility of using new developments in CPU side-channel cryptanalysis to detect virtualization rootkits. The purpose of this talk is to demonstrate actual implementation of detector that uses recently discovered RSB based micro-architectural side-channel to detect CPU virtualization rootkits. We will also describe essentials of the RSB-based side-channel analysis used by our detector.
Remote and Local Exploitation of Network Drivers [ Black Hat USA 2007 ]
During 2006 vulnerabilities in wireless LAN drivers gained an increasing attention in security community. One can explain this by the fact that any hacker can take control over every vulnerable laptop without having any "visible" connection with those laptops and execute a malicious code in kernel.
This work describes the process behind hunting remote and local vulnerabilities in wireless LAN drivers as well as in other types of network drivers. The first part of the work describes simple and much more advanced examples of remote execution vulnerabilities in wireless device drivers that should be considered during vulnerabilities search. We demonstrate an example design of kernel-mode payload and construct a simple wireless frames fuzzer. The second part of the work explains local privilege escalation vulnerabilities in I/O Control device driver interface on Microsoft® Windows®, introduces a technique to uncover them. The third part of the work describes specific examples of local vulnerabilities in network drivers that can be exploited remotely and an exploitation technique. In the last part of the work we present case studies of remote and local vulnerabilities mitigated in Intel® Centrino® wireless LAN device drivers.