12:53 Black Hat 2009: slides from the Invisible Things Lab team

Black Hat 2009 (Las Vegas, USA), the world-famous conference of information security experts, ends today. To mark it, the slides of the Invisible Things Lab team have been made available (in English). Alexander Tereshkin and Rafal Wojtczuk cover two topics:

1. Introducing "Ring -3" rootkits.
2. Attacking Intel BIOS.

Introducing "Ring -3" rootkits

The presentation showcased the results of research into how malware can use Intel AMT technology (part of the vPro brand) to covertly take control of a machine. Intel AMT offers an attacker attractive opportunities:
- AMT code executes on an independent processor located in the chipset (a vPro-compliant MCH);
- AMT memory is separated from host memory (the isolation is provided by the chipset);
- the AMT package contains a dedicated link to the network card, independent of the host OS and its drivers;
- AMT remains active even when the computer is in sleep mode (S3).

The paper shows how malware can bypass AMT's memory protection and thereby compromise the AMT code running on the chipset. It also discloses the methods used to reverse engineer the AMT code; these were needed to create rootkits that can access host memory (the rootkit runs on the chipset, yet has full access to the host OS, for example Windows). The study underlines the need for closer scrutiny of the security of key system components, including firmware and hardware.

Slides: invisiblethingslab.com/resources/bh09usa/Ring%20-3%20Rootkits.pdf
Code: coming soon

Attacking Intel BIOS

This presentation discusses and demonstrates how to reflash the Intel BIOS on desktop systems based on the latest Intel Q45 chipset. The work focuses on the most secure vPro-compliant BIOSes, which accept only firmware digitally signed by the vendor. The paper demonstrates how to bypass this check with an exploit that relies on a complex heap overflow. Carrying out the attack requires administrator rights and a reboot; no specific action or consent from the user is needed, and neither is physical access to the machine. The attack underlines the importance of other means of ensuring a trusted boot (e.g. TPM), as well as the importance of closer study of basic system software and firmware.

Slides: invisiblethingslab.com/resources/bh09usa/Attacking%20Intel%20BIOS.pdf
Code: coming soon
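As an added example (not code from the talk or from Invisible Things Lab), the verify-before-parse discipline that a signed-firmware requirement is meant to enforce: the detached signature is checked over the entire raw image before any header field is trusted, so a bogus length field in an image that is tampered with or signed by the wrong key never reaches the parser, and the parser itself still bounds-checks that field. The image layout, the vendor key and the sample images are constructed here for illustration and have nothing to do with Intel's real update format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout (an assumption for this example, not a real format):
//   magic "FWIM" (4 bytes) | payloadLen (uint32, little-endian) | payload
// A vendor distributes image || ed25519 signature over the whole image.
const (
	magic     = "FWIM"
	headerLen = 8
)

var (
	ErrBadSignature = errors.New("firmware: signature does not verify")
	ErrMalformed    = errors.New("firmware: malformed image")
)

// parseImage trusts nothing in the header: the length field is checked
// against the real buffer size before any slicing happens. A length field
// trusted without such a check is the classic seed of a parser heap overflow.
func parseImage(img []byte) ([]byte, error) {
	if len(img) < headerLen || string(img[:4]) != magic {
		return nil, ErrMalformed
	}
	n := binary.LittleEndian.Uint32(img[4:8])
	if uint64(n) != uint64(len(img)-headerLen) {
		return nil, ErrMalformed
	}
	return img[headerLen:], nil
}

// buildSigned produces image || signature, as the vendor would ship it.
func buildSigned(priv ed25519.PrivateKey, payload []byte) []byte {
	img := make([]byte, headerLen+len(payload))
	copy(img, magic)
	binary.LittleEndian.PutUint32(img[4:8], uint32(len(payload)))
	copy(img[headerLen:], payload)
	return append(img, ed25519.Sign(priv, img)...)
}

// VerifyThenParse is the update path: verify the signature over the whole raw
// image first; only an image that verifies under the vendor key is parsed.
func VerifyThenParse(pub ed25519.PublicKey, blob []byte) ([]byte, error) {
	if len(blob) < ed25519.SignatureSize+headerLen {
		return nil, ErrMalformed
	}
	cut := len(blob) - ed25519.SignatureSize
	img, sig := blob[:cut], blob[cut:]
	if !ed25519.Verify(pub, img, sig) {
		return nil, ErrBadSignature
	}
	return parseImage(img)
}

// Scenario generates a constructed vendor key, builds one genuine image and
// two hostile ones, and reports how the update path treats each.
func Scenario() (genuine []byte, tamperedErr, foreignKeyErr error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed sample BIOS module")
	good := buildSigned(priv, payload)

	genuine, err = VerifyThenParse(pub, good)
	if err != nil {
		panic(err)
	}

	// Length field overwritten after signing: the signature fails, so the
	// parser never sees the oversized length.
	tampered := append([]byte(nil), good...)
	binary.LittleEndian.PutUint32(tampered[4:8], 0xFFFFFFFF)
	_, tamperedErr = VerifyThenParse(pub, tampered)

	// Image signed with a key that is not the vendor's is rejected the same way.
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	_, foreignKeyErr = VerifyThenParse(pub, buildSigned(rogue, payload))
	return
}

func main() {
	genuine, tamperedErr, foreignKeyErr := Scenario()
	fmt.Printf("genuine image -> payload %q\n", genuine)
	fmt.Println("tampered length field ->", tamperedErr)
	fmt.Println("foreign signing key   ->", foreignKeyErr)
}
```

The order matters: had VerifyThenParse parsed the header before verifying, the tampered image's length field would have reached the parser unauthenticated, and every bug in that parser would be reachable from an unsigned input.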