PRESENTATION: Killing the Rootkit – Perfect Physical Memory Process Detection
PRESENTER(S): Shane Macaulay, Director of Incident Readiness for IOActive
CONFERENCE: VB2014
LOCATION: The Westin Hotel, Seattle, Washington USA
DATE & TIME: September 23, 2014 at 14:30
To know if your system has been compromised, you need to find everything that could run or otherwise change state on your system and verify its integrity (that is, check that the state is what you expect it to be). “Finding everything” is a bold statement, particularly when it comes to computer security, rootkits, and advanced threats. Is it possible to find everything? Sadly, the short answer is no, it’s not. Strangely, the long answer is yes, it is. By defining the execution environment at any point in time, predominantly through the use of hardware-based hypervisor or virtualisation facilities, you can verify the integrity of that specific environment using cryptographically secure hashing.
In his presentation, Shane will discuss hypervisor device verifiability, physical memory dump assurances, and how leveraging these techniques combined with process detection can effectively detect TLB (shadow walker) or hardware (UEFI)-based rootkits.
About Shane Macaulay
Shane Macaulay is the Director of Incident Readiness at IOActive, experienced in enterprise-level network and application assessment and consultation. Shane takes a deep, broad approach to security and has worked with every major UNIX distribution, Microsoft platform, and networking operating system. He has contributed to the security community by way of various papers, books, and technical applications, and he has discovered numerous compiler bugs (both native and managed), one of which was used to win the non-obvious source code backdoor contest at DEF CON 2010.
Shane spends considerable time investigating systems-type applications and APTs, reverse engineering them and devising techniques to protect against and disrupt them.
About VB2014
The VB Conference is an annual event at which the brains of IT security from around the world gather to learn, debate, pass on their knowledge and move the industry forward. The event provides three full days of learning opportunities and networking with industry experts and covers all aspects of the global threat landscape.
Whether you are an IT professional charged with defending your organisation’s systems and data or a vendor-based security researcher, VB2014 offers opportunities to learn from the best in the industry, discuss methods and technologies, and build contacts.
About IOActive
IOActive is a comprehensive, high-end information security services firm with a long and established track record in delivering elite security services to its customers. Our world-renowned consulting and research teams deliver a portfolio of specialist security services ranging from penetration testing and application code assessment to chip reverse engineering. Global 500 companies across every industry continue to trust IOActive with their most critical and sensitive security issues. Founded in 1998, IOActive is headquartered in Seattle, USA, with global operations through the Americas, EMEA, and Asia Pac regions. Visit www.ioactive.com for more information. Follow IOActive on Twitter: http://twitter.com/ioactive.