Supervisor Mode Execution Protection (SMEP)

"Like most mainstream operating systems, the vanilla Linux kernel does not leverage x86 segmentation, instead defining flat segment descriptors with limits encompassing the entire 4gb address space. Additionally, each process has the kernel’s page table entries replicated, resulting in the kernel address space being mapped in the upper 1gb of every user process. (...) The result of this is that the kernel is free to incorrectly access data residing in userspace, as well as execute code in the user region. In addition to enabling the exploitation of many bugs that rely on the kernel incorrectly using user data, this allows kernel exploits to simply map a suitable payload in userspace and divert kernel execution to that payload. (...)

The PaX project solves this problem in a general way with a feature called PAX_UDEREF. When this feature is enabled, PaX leverages segmentation to isolate user and kernel addresses, such that a fault will be generated when the kernel incorrectly accesses user data or code. Unfortunately, due to the performance hit associated with reloading segment registers and the fact that this touches mission-critical code, it’s unlikely that this solution would be accepted into the upstream Linux kernel. (...)

Enter SMEP. Now, the mainline Linux kernel can take advantage of a subset of this protection at essentially no performance cost, as the functionality is presumably implemented in hardware in a way that’s similar to existing CPL checks. With SMEP enabled, it’s no longer possible to map exploit payloads in userland, as the CPU will trigger a fault if it attempts to execute those user pages in kernel mode. Note that this is still only a subset of what UDEREF protects against, as it does nothing to prevent the kernel from incorrectly accessing user *data* as opposed to code. But it’s certainly a start."

Artigo completo: SMEP: What is It, and How to Beat It on Linux

nomeados para os Pwnie Awards 2011 

Interessantes os nomeados para "Best Server-Side Bug", "Best Client-Side Bug", "Best Privilege Escalation Bug". Engraçados, ou não, os "Lamest Vendor Response". E o prémio para as mais interessantes nomeações vai para... "Most Innovative Research":
  • Stackjacking
    Credit: Jon Oberheide, Dan Rosenberg
    Jon Oberheide and Dan Rosenberg presented a set of techniques for exploiting Linux kernel vulnerabilities on grsec systems and inadvertantly started an arms race with spender and PaX Team. This work is a great example of research targeting one of the most difficult system to exploit.
  • Understanding and Exploiting Flash ActionScript Vulnerabilities
    Author: Haifei Li
    This research mainly answered two questions: 1) What are the inner mechanisms that cause Flash JIT-level vulnerabilities? 2) How to exploit them on modern operating systems? The answer to the first question lies in the way JIT engine performs the "verification process" (or the "bytecode verifier") of the program flow, which is not error-proof. Those errors enable potential exploitation situations. To answer the second question, the author introduced a situation deemed "Type/Atom Confusion". Then a novel technique called "IEEE-754 trick" was provided to read memory from the process when type confusion happens. Armed with those, Haifei Li was able to exploit Flash ActionScript JIT-level vulnerabilities on modern operating systems like Windows 7, bypassing both ASLR and DEP.

  • Black Box Auditing Adobe Shockwave
    Author: Aaron Portnoy, Logan Brown
    This presentation provides a very thorough review of the SmartHeap memory allocator in Adobe Shockwave. The talk focused on the methodology for reversing a large code base with no symbols and included many useful reverse engineering techniques.

  • Securing the Kernel via Static Binary Rewriting and Program Shepherding
    Author: Piotr Bania
    To implement some of the ideas from pax-future.txt is one thing, to implement them through static analysis on Windows, rewriting drivers automagically, and have it all work preserving binary compatibility across a wide range of Windows versions: that's deserving of respect.

  • Understanding the LFH heap
    Author: Chris Valasek
    This seminal paper provides the most details overview of the Low Fragmentation Heap in Vista and Windows 7. Its importance to exploitation cannot be overstated!

contornar protecções contra injecção de SQL

É surpreendente a quantidade de ataques que conseguiram contornar a, supunha eu, bem afinada protecção do ModSecurity contra SQL injection.

ModSecurity SQL Injection Challenge: Lessons Learned

Ataque que faz MacBooks explodir?

A notícia é que para o mês que vem vai ser revelado na Black Hat que asbaterias dos MacBooks têm uma vulnerabilidade que permite fazê-las explorir à distância. Se for verdade e a vulnerabilidade for explorável, pode ser um problema.

Apple laptops can be hacked to self-destruct; flaw to be detailed by  hacker next month
Fonte: BGR

Correcção: detalhes estão disponíveis no site da ArsTechnica:
How a security researcher discovered the Apple battery "hack"

Stuxnet: o artigo

A Wired publicou um artigo longo mas muito interessante sobre o Stuxnet. Como diz um comentário, lê-se como se fosse um livro do Tom Clancy. O artigo:

How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History

Passaportes clonados

"Portugal é um dos países que está a ser afectado pela clonagem de passaportes biométricos, segundo confirma ao Dinheiro Vivo fonte da empresa de segurança Kaspersky Lab. Ainda não há números disponíveis sobre a extensão deste novo tipo de cibercrime. 

A empresa emitiu um alerta sobre o crescimento explosivo da clonagem de passaportes biométricos na internet, apesar dos elementos de segurança que os novos modelos incluem. A Kaspersky Lab já detectou passaportes clonados de 139 nacionalidades diferentes, incluindo portugueses. "

Notícia completa:
Passaportes biométricos estão a ser clonados na internet e Portugal é um dos países afectados

O perigo dos servidores Web embebidos

Nos velhos tempos a interface standard para um dispositivo como uma impressora ou uma placa de hardware era algo como uma porta RC-232C e um software modo texto que copiava bytes para trás e para a frente. Agora é todo um servidor Web, com uma complexidade incrivelmente superior. Em termos de segurança nem se fala na diferença. E acontece o óbvio:

Jul 21, 2011, Kelly Jackson Higgins, Dark Reading

Michael Sutton, vice president of security research for Zscaler Labs, at Black Hat USA 2011 next month will demonstrate his findings: Ricoh and Sharp copiers, HP scanners, and Snom voice-over-IP (VoIP) phones were the most commonly discovered devices, all accessible via the Internet. "It was pretty shocking to me: Virtually none of these should be exposed to the Internet. There's not a good reason that an HP scanner should be exposed to the Net," Sutton says.

It's a recipe for disaster: Embedded Web servers with little or no security get misconfigured when they're installed. Most likely, the potential victims are small to midsize businesses or consumers with less technical expertise who misconfigure their devices and have no idea they're showing up online. "They're taking this device, plugging it into the wall, and making a mistake on a router or access point ... and suddenly things are exposed to the Web," he says.

Sutton used Amazon EC2 computing resources to constantly scan large blocks of addresses and to detect any embedded Web servers. Sharp and Ricoh copiers digitally archive past photocopies, he notes, so if that feature is enabled and the copier is sitting on the Net unsecured, an attacker could retrieve any previously photocopied documents, he says. Even the fax-forwarding feature in some HP scanners could be abused if the scanner were open to the Internet: An attacker could access any faxed documents to the user by having them forwarded to his fax machine, for example.

Mais hacking ou são só os media?

O Bruce Schneier escreveu no blog dele:

“The apparent recent hacking epidemic is more a function of news reporting than an actual epidemic. Like shark attacks or school violence, natural fluctuations in data become press epidemics, as more reporters write about more events, and more people read about them. Just because the average person reads more articles about more events doesn’t mean that there are more events—just more articles.”

Será verdade? Da lista que compilei há dias, parece-me que foram demasiados ataques com demasiada visibilidade para serem só os media…

Google avisa computadores infectados

A Google descobriu que certos padrões de busca são gerados por malware e começou a avisar os utilizadores dos computadores de onde estes vêm:

Using data to protect people from malware 
Tuesday, July 19, 2011 4:57 PM 
Posted by Damian Menscher, Security Engineer    
Google Online Security Blog

Trusted Integrated Chips Program


Trusted Integrated Chips (TIC) Program

"Recent developments in the semiconductor industry show tremendous opportunity for the realization of integrated circuits and systems-on-a-chip derived from state-of-the art foundry processes. The ability of semiconductor foundries to realize multiple types of integrated circuits, MEMS, and other More-Than-Moore capabilities will likely continue in the future. In particular, such foundry processes are not only demonstrating exceptionally high performance in several technology areas, but also demonstrating low-cost, fast turn-around time, and high yield. In addition to maintaining our supply and access to integrated circuits derived from the U.S. Trusted Foundry, it is important for both the Intelligence Community and other government agencies to have access to other state-of-the art manufacturing capabilities derived from world foundries with assurance that such chips are safe and secure without malicious circuitry or reliability concerns. In addition, the protection of design intent and systems performance is an important goal to be realized in TIC.

The TIC Program aims to develop new approaches to chip fabrication where security and intellectual property concerns would otherwise prohibit the use of off-shore manufacturing foundries. Specifically, TIC seeks to address secure foundry manufacturing of chips in several ways: (...)"

Cloud vs malicious insider

Um artigo do Francisco Rocha e meu recentemente apresentado:

- explicação:

- artigo:

"The paper “Lucy in the Sky without Diamonds: Stealing Confidential Data in the Cloud” that Francisco Rocha will present at the First International Workshop on Dependability of Clouds, Data Centers and Virtual Computing Environments, shows that a malicious insider can steal confidential data of the cloud user, so the user is mostly left with trusting the cloud provider. In the author’s opinion, “the paper achieves this goal by showing a set of attacks that demonstrate how a malicious insider can easily obtain passwords, cryptographic keys, files and other confidential data.” Additionally, the paper shows that recent research results that might be useful to protect data in the cloud, are still not enough to deal with the problem."