PRESENTATION:
Less is More, Exploring Code/Process-less Techniques and Other Weird Machine Methods to Hide Code (and How to Detect Them)
PRESENTERS:
Shane Macaulay
CONFERENCE:
CanSecWest
LOCATION:
Vancouver, Canada
DATE & TIME:
March 13, 2014 at 14:00
In this presentation, Shane Macaulay will discuss the impact of Windows 8 kernel changes that enable a precise accounting of the executable regions of kernel virtual address space, including the areas used by the BIOS, HAL, and ACPI. With Windows 8 in virtual mode, Shane will show how correlating the physical page tables (the physical PTE tables) with the logical mappings (the VAD tree) yields an effective memory-based 'rootkit revealer': executable memory that the page tables expose but that no legitimate mapping accounts for is exactly where hidden code lives.
Shane will show the audience detection techniques for codeless hiding places, such as page tables, thread jumping, and general Return-Oriented Programming (ROP) code patterns.
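The core of the detection approach the abstract describes is a set comparison: enumerate every page the page tables mark as executable, then subtract the regions a trusted inventory of loaded modules accounts for. Whatever remains is executable memory with no owner and deserves inspection. The following C program is an added illustration of that comparison and is not Macaulay's code or IOActive's BlockWatch. It models only the two PTE bits that matter for the question (Present and NX), uses a constructed, in-memory array of leaf PTEs in place of a real page-table walk, and uses a constructed module list; the base address, module name, and page layout are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdbool.h>

/* Simplified model of an x86-64 long-mode leaf PTE: bit 0 = Present,
 * bit 63 = NX (execute-disable). The real layout carries more bits;
 * only these two decide "is this page executable?". */
#define PTE_PRESENT   (1ULL << 0)
#define PTE_NX        (1ULL << 63)
#define PAGE_SIZE     4096ULL

/* A region the logical view (loaded-module list / known mappings)
 * vouches for as legitimately executable. */
typedef struct {
    const char *name;
    uint64_t base;   /* virtual base of the region */
    uint64_t size;   /* size in bytes */
} exec_region_t;

static bool pte_is_executable(uint64_t pte)
{
    return (pte & PTE_PRESENT) && !(pte & PTE_NX);
}

static bool va_in_regions(uint64_t va, const exec_region_t *regions, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (va >= regions[i].base && va < regions[i].base + regions[i].size)
            return true;
    return false;
}

/* Walk a linear array of leaf PTEs covering [va_base, va_base + n_ptes*PAGE_SIZE)
 * and collect the virtual addresses of executable pages that no known region
 * accounts for. Returns the total number found; at most max_out are stored. */
size_t find_unaccounted_exec_pages(const uint64_t *ptes, size_t n_ptes, uint64_t va_base,
                                   const exec_region_t *regions, size_t n_regions,
                                   uint64_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t i = 0; i < n_ptes; i++) {
        uint64_t va = va_base + i * PAGE_SIZE;
        if (!pte_is_executable(ptes[i]))
            continue;                       /* data page or not mapped */
        if (va_in_regions(va, regions, n_regions))
            continue;                       /* owned by a known module */
        if (found < max_out)
            out[found] = va;
        found++;
    }
    return found;
}

/* Constructed scenario (assumption, not real data): 16 pages of kernel VA
 * starting at a fictitious base. Pages 0-7 belong to a fictitious module,
 * page 11 is not present, pages 9 and 14 are executable but claimed by nothing. */
size_t demo_scenario(uint64_t *out, size_t max_out)
{
    const uint64_t va_base = 0xFFFFF80000000000ULL;   /* assumed base address */
    uint64_t ptes[16];
    for (size_t i = 0; i < 16; i++)
        ptes[i] = PTE_PRESENT | PTE_NX | (uint64_t)(0x1000 * (i + 1)); /* default: present, NX data */
    for (size_t i = 0; i < 8; i++)
        ptes[i] &= ~PTE_NX;   /* module code pages */
    ptes[9]  &= ~PTE_NX;      /* executable, unaccounted for */
    ptes[11] = 0;             /* not present */
    ptes[14] &= ~PTE_NX;      /* executable, unaccounted for */

    const exec_region_t regions[] = {
        { "example.sys (constructed)", va_base, 8 * PAGE_SIZE },
    };
    return find_unaccounted_exec_pages(ptes, 16, va_base, regions, 1, out, max_out);
}

int main(void)
{
    uint64_t hits[16];
    size_t n = demo_scenario(hits, 16);
    printf("%zu executable page(s) not accounted for by any known module:\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  VA 0x%016llx\n", (unsigned long long)hits[i]);
    return 0;
}
```

On a real system the PTE array comes from walking the live or dumped page tables (including large pages, which the model above ignores), and the region list comes from the loaded-module list plus the firmware, HAL and ACPI areas the abstract mentions; the value of the Windows 8 changes Macaulay describes is precisely that this second list can be made complete, so an empty result means something rather than merely "nothing known was found".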
“This talk will show how the advancements made by Microsoft in Windows 8 enable us to demonstrate a generic rootkit detection technique. We have implemented this in our new BlockWatch cloud forensic service offering at IOActive,” said Macaulay.
About Shane Macaulay
Shane Macaulay is the Director of Cloud Services for IOActive and is experienced in enterprise-level network and application assessment and consultation.
Macaulay takes a deep, broad approach to security and has worked with every major UNIX distribution, Microsoft platform, and networking operating system. He has contributed to the security community by way of various papers, books, and technical applications, and he has discovered numerous compiler bugs (both native and managed), one of which was used to win the non-obvious source code backdoor contest at DefCon 2010.
Macaulay is an alumnus of the international security group The Honeynet Project and has worked with IBM, Bloomberg, @Stake/Symantec, financial exchanges and firms, and many high-tech industry giants.
About CanSecWest
CanSecWest, the world's most advanced conference focusing on applied digital security, is about bringing industry luminaries together in a relaxed environment that promotes collaboration and social networking. The conference lasts for three days and features a single track of thought-provoking presentations, each prepared by an experienced professional and talented educator who is at the cutting edge of his or her field. We give preference to new and innovative material, highlighting important, emergent technologies, techniques, or best industry practices.
About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established pedigree in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment through to semiconductor reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.
-###-