Friday, January 27, 2006

Black Hat Federal 2006 Wrap-Up, Part 3

Please see part 1 for an introduction if you are reading this article separately.

Staying on the rootkit theme, I next heard Joanna Rutkowska discuss "Rootkit Hunting vs. Compromise Detection." She has done some impressive work on network-based covert channels, but she is also a rootkit guru. Joanna talked about "Explicit Compromise Detection," and the need to scan kernel memory for integrity checking. She challenged many of the ideas of traditional rootkits, such as the need to survive a reboot, the desire to hide processes, open sockets, and so on. It seems like her new DeepDoor rootkit is an all-in-one package that hooks the Windows Network Driver Interface Specification (NDIS) code by modifying four words in the NDIS data section of memory.

She demonstrated her ddcli client talking to a DeepDoor'd victim. The client communicated with the server over port 445 TCP. Fair enough, but port 445 TCP was also able to handle normal SMB traffic, even with the rootkit active! That is insane. She showed how her rootkit could still function even with Zone Alarm denying access.

Joanna emphasized that there is no safe way to read kernel memory on Windows. She said that even reading physical memory can be tough. She requested that Microsoft implement a means to let third party vendors reliably read kernel memory. She said that such a new feature would not aid attackers, since they do not care if their unreliable methods end up crashing a target. A security vendor, however, must take extra care. Joanna noted that next generations operating systems should ship with more than two CPU privilege modes, and that Trusted Computing will not prevent the attacks she described. She mentioned the introduction of a hypervisor that runs at ring -1 (todays systems descend to ring 0). Joanna also postulated that there may be a finite number of places for malware to hook an OS, so perhaps it would be helpful to enumerate them in a public place. A related project is her Open Methodology for Compromise Detection.

Joanna was not able to release her DeepDoor rootkit for reasons of "NDAs." She was also not able to discuss ongoing work on network covert channels for the same reason. On a personal note, I spoke with Dave Aitel (note he has cut his hair WAY back from what's shown in the photo!) who had a tough time pronouncing my name. I guessed that as a fellow Eastern European (I'm American but my ancestors are from that area), Joanna (who is Polish) would be able to pronounce "bate-lik." Joanna was sitting nearby, and sure enough, she could!

After hearing about rootkits for three straight talks, I took a break by hearing Simson Garfinkel discuss new directions for disk forensics. (He reminded the audience of his company Sandstorm Enterprises, and I learned by speaking with him that he sells a laptop version of NetIntercept for consultants like me. )

Simson spoke for a long time discussing his ongoing used hard drive analysis project. He introduced his cross-drive forensic analysis methodology, which involves finding interesting data on groups of hard drives. One of the most powerful techniques was building histograms of email addresses. On a single hard drive, the most frequently seen email address is usually the address of the hard drive owner. He also searched hard drives for patterns associated with credit cards. The interesting aspect of this sort of analysis is that he is reviewing raw data in all cases, such that he can even review something like an Oracle data drive that has no conventional partitions.

I was most excited to hear about Simson's Advanced Forensic Format project. He noted that images produced by dd are big and contain no metadata. Proprietary formats like the Encase E01 are "bad an undocumented." Simson promotes AFF as an open standard that will be intergrated into a future release of Brian Carrier's Sleuth Kit. AFF contains tools that do more than efficiently image and describe drives. They acquisition tools can even help bring old drives to life by pulsing and otherwise manipulating them.

The most thought-provoking aspect of Simson's presentation was his discussion of the market for used hard drives on eBay. He says people pay unreasonable amounts for small old hard drives, and defintely odd amounts for hard drives reported as broken. The implication is that those hard drives might be bought by criminals hunting for sensitive information. (Simson gave examples of such data during his presentation.) He is working to educate people that "format" does not mean "erase," and he hopes Microsoft will replace the current format command with a tool that truly zeroes out a drive. Simson also said he is unaware of any technique to retrieve data from a zeroed-out hard drive, saying that Peter Gutmann's 1996 techniques would no longer work on drives built since then due to the density of modern drives.

No comments: