At the beginning of August, as every year, two of our security analysts attended the most renowned IT security conferences Black Hat USA and DEF CON to learn about the latest trends and research. This year’s Black Hat conference, the 19th edition, took place at the Mandalay Bay Conference Center while DEF CON 24 was located in Paris and Bally’s in Las Vegas.
In the following, we are going to summarize a selection of thetalks attended.
Black Hat USA 2016 KeynoteThis year’s keynote was presented by Dan Kaminsky, probably best known for his DNS cache poisoning attacks.He identified the growing complexity and the need for speed as the main trends in IT. The only way to tackle complexity is simplicity. Speed is important in several areas. Being able to implement fixes after a breach in a timely manner is crucial. While it takes the fastest companies 2 days to clean up, the slower companies need one week. Fast software release cycles may help to stay ahead of attackers, a strategy chosen by Facebook. By the time an attacker has reverse-engineered a specific software version, it has already been obsoleted.
Having gained track in recent years, virtualization and cloud computing are still hot topics. Since many users are overwhelmed with security concepts or configuration options, a move to a cloud environment could help those users to stay safe. First, the environment is managed by security specialists and second, if a breach occurs, it is not their personal computer that is compromised, but an instance in the datacenter.
It is a fact that many people write insecure code. Dan Kaminsky urged the audience not to compete on security. It is important to release fixes so others will notdo the same mistakes over and over again. Furthermore, otherscan assess the counter measures and thus improve them.
The linux kernel hidden in windows 10
Alex Ionescu, probably best known as co-author of the Windows Internals books and main kernel developer of ReactOS, presented his talk “The Linux kernel hidden in Windows 10”.
After revealing that there is no hidden Linux kernel in Windows 10 but a Windows Subsystem for Linux (WSL), the talk started with an Architectural Overview over the different components used and began with the Minimal and Pico Processes. Minimal Processes are implemented since Windows 8.1 and are bare-bone processes with a token, protection level, name and parent only. Important to note here is that they have an empty address space. A Pico Process is a Minimal Process with a given Pico Provider. The Pico Provider handles system calls, user-mode exceptions, opening of handles and similar.
As a side-note, Pico Processes were originally the foundation for “Project Astoria” which was supposed to bring a full Android runtime to Windows 10 Mobile. Instead of running Android, the chosen user-space environment now consists of Ubuntu 14.
https://blogs.msdn.microsoft.com/wsl/2016/05/23/pico-process-overview/
Essentially these Pico Providers are kernel modules that implement the necessary callbacks and currently only a single Pico Provider can exist.
To have the Linux system calls protected by PatchGuard the Pico Provider “registers” itself with PatchGuard. This will also protect the state and callbacksof the Pico Provider from being tampered with. Furthermore, only core drivers can be Pico Providers and therefore need to be signed by Microsoft.
The Windows Subsystem for Linux consists of such a Pico Provider driver “LXSS.sys / LXCORE.sys”, a user-mode management service (LxssManager), a Linux “init” daemon, as well as a Windows management process (LxRun.exe) and a Windows launcher service.
The LXCORE.sys itself is a large (800KB) kernel-mode Ring 0 driver that implements all required functionality that a Linux application inside a Pico Processwill see. This functionality is either fully implemented from scratch or wrapped on top of existing NT kernel functionality.
The same principle is applied for the file systemssuch as VolFs thatrely on existing mechanisms such as Alternate Data Streams (ADS) and Extended Attributes of NTFS. As such, the / file system is stored in %LocalAppData%\lxss\rootfs while /root and /home are stored in %LocalAppData%\lxss\root or %LocalAppData%\lxss\home respectively.
https://blogs.msdn.microsoft.com/wsl/2016/06/15/wsl-file-system-support/
The talk then went on to describe the details of the Win32 architectural overview covering the LxssManager, LXRun and bash.exe interfacesbefore showing the Linux side with the init daemon and the LXSS IPC interface for the Win32 Linux communication.
In the last section of the presentation, Alex Ionescu went into the Security Design considerations of the solution and the design issues that existed in the preview builds. Many of these issues have been addressed in the current release version. However, a few ones still remain due to the design, such as AppLocker not being able to restrict the execution of ELF binaries, as they are no PE files and do not contain image sections.
Furthermore, the attack surface is increased by 216 additional system calls, full network and file system access via WSL.
It should be noted however that Windows Subsystem for Linux is still an optional feature and requires administrative privileges to be enabled.
Resources: Slides
$hell on Earth: From Browser to System CompromiseThe shell on earth talk highlighted the results of the latest PWN2OWN exploit competition. The presenters explained that since 2014 the contest requires full attack chains, which spawned the creation of new mitigation techniques and concepts.Afterwardsthey proceeded to present the submittedexploits to the audience.
Resources: Slides
GATTacking Bluetooth Smart Devices Introducing a new BLE Proxy ToolThis was only a short 25-minutes presentation during which Slawomir Jasek highlighted his research into devices using theBluetooth Low Energy standard and presented a new tool that can help security researchers to assess these devices.
In his introduction, Slawomir pointed out that even if the BLE (v4.0) standard defines secure pairing mechanisms and BLE-layer encryption, 8 out of 10 analyzed devices did not use them. So in practice the security is implemented in the application layer (GATT), often using a challenge / response system.
As performing jamming and MITM attacks using isolation / stronger signalson Bluetooth is hard, Slawomir developed a tool to automate the attack. The MITM device advertises more frequently than the original device to ensure the target Smartphone will connect. By keeping connected to the original device, it does not advertise itself any further.
Slawomir then proceeded to show various demonstrations where the tool has been su
