Slideshows by User: IgorKorkin
SlideShare feed for Slideshows by User: IgorKorkin, last updated Wed, 03 Nov 2021 17:43:06 GMT

Your Linux Passwords Are in Danger: MimiDove Meets the Challenge (lightning talk)
Igor Korkin (IgorKorkin@slideshare.net), Wed, 03 Nov 2021 17:43:06 GMT
Link: /IgorKorkin/your-linux-passwords-are-in-danger-mimidove-meets-the-challenge-lightning-talk
The GNOME desktop environment stores the user's credentials in process memory, which poses an obvious danger and needs to be fixed. The competitive advantage of the proposed security tool (MimiDove) is its ability to quickly detect and remove passwords containing both ASCII and Unicode characters.

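The detection step the abstract describes, a scan of process memory for a credential held in more than one text encoding followed by an in-place wipe, as an added example in Python. This is not MimiDove's code and it does not touch a live process: SAMPLE_MEMORY, PASSWORD and the helper names are constructed for the demonstration. A real scanner on Linux would read the target's /proc/<pid>/mem over the ranges listed in /proc/<pid>/maps, which is subject to ptrace access checks.

```python
"""Scan a memory buffer for a credential stored in several text encodings and
wipe every hit in place.

Added example, not MimiDove's code.  SAMPLE_MEMORY, PASSWORD and the helper
names are constructed for the demonstration; a real scanner would read the
target's /proc/<pid>/mem over the ranges listed in /proc/<pid>/maps.
"""
import re
from typing import Dict, List, Tuple

# Encodings a desktop process may hold a password in.  UTF-8 covers the pure
# ASCII case; the UTF-16/UTF-32 forms appear after the string has passed
# through wide-character APIs.
ENCODINGS = ("utf-8", "utf-16-le", "utf-16-be", "utf-32-le")


def encode_variants(secret: str) -> Dict[str, bytes]:
    """Byte pattern of `secret` in each encoding, without duplicate patterns."""
    variants: Dict[str, bytes] = {}
    for enc in ENCODINGS:
        pattern = secret.encode(enc)
        if pattern not in variants.values():
            variants[enc] = pattern
    return variants


def find_secret(mem: bytes, secret: str) -> List[Tuple[int, str]]:
    """Every (offset, encoding) at which `secret` occurs in `mem`, by offset."""
    hits: List[Tuple[int, str]] = []
    for enc, pattern in encode_variants(secret).items():
        for match in re.finditer(re.escape(pattern), mem):
            hits.append((match.start(), enc))
    return sorted(hits)


def wipe_secret(mem: bytearray, secret: str) -> int:
    """Overwrite each occurrence with zero bytes in place; return the hit count.

    Offsets are collected before any write, and writes never change the
    buffer length, so earlier hits do not shift later ones.
    """
    variants = encode_variants(secret)
    hits = find_secret(bytes(mem), secret)
    for offset, enc in hits:
        length = len(variants[enc])
        mem[offset:offset + length] = b"\x00" * length
    return len(hits)


# Constructed "process memory": the same password stored once as UTF-8 and
# once as UTF-16-LE, surrounded by filler.  The Cyrillic tail makes the
# UTF-8 and UTF-16 forms differ in length as well as in layout.
PASSWORD = "Pa$$w0rd-пароль"
SAMPLE_MEMORY = bytearray(
    b"\x00" * 16
    + b"gnome-shell\x00"
    + PASSWORD.encode("utf-8")          # offset 28, 21 bytes
    + b"\x00" * 32
    + b"keyring"
    + PASSWORD.encode("utf-16-le")      # offset 88, 30 bytes
    + b"\x00" * 8
)


if __name__ == "__main__":
    buf = bytearray(SAMPLE_MEMORY)
    for offset, enc in find_secret(bytes(buf), PASSWORD):
        print(f"hit at offset {offset:#06x} as {enc}")
    print(f"wiped {wipe_secret(buf, PASSWORD)} occurrence(s), "
          f"remaining: {find_secret(bytes(buf), PASSWORD)}")
```

The UTF-16 forms are the reason an ASCII-only search is not enough: every ASCII character is followed by a NUL byte in UTF-16-LE, so b"pass" is never a substring of b"p\x00a\x00s\x00s\x00". Wiping works on a bytearray in place so that the offsets found before the overwrite stay valid.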
Protected Process Light will be Protected – MemoryRanger Fills the Gap Again
Igor Korkin (IgorKorkin@slideshare.net), Sun, 31 Oct 2021 14:44:34 GMT
Link: /slideshow/protected-process-light-will-be-protected-memoryranger-fills-the-gap-again/250564326
Windows introduced an updated security mechanism, Protected Process Light (PPL), to prevent illegal access to the memory of critical processes and to meet Digital Rights Management (DRM) requirements. Using a kernel driver, intruders can disable PPL to access the memory of protected processes. They can also illegally enable PPL for malware applications, giving them self-protection and access to the memory of protected processes without disabling PPL on those processes. PatchGuard does not check the integrity of PPL. This kind of attack is critical for OS security and has to be prevented. This paper presents some undocumented internals of PPL during the creation of a protected process and during access to protected process memory, in order to analyze how PPL can be tampered with. The hypervisor-based solution MemoryRanger is then applied to prevent such kernel attacks on PPL. MemoryRanger prevents both types of attack on PPL: disabling it and enabling it at run time. MemoryRanger has been successfully tested on Windows 10, version 20H2, build 19042.631 x64.

Kernel Hijacking Is Not an Option: MemoryRanger Comes to The Rescue Again
Igor Korkin (IgorKorkin@slideshare.net), Wed, 29 Jul 2020 11:46:46 GMT
Link: /IgorKorkin/kernel-hijacking-is-not-an-option-memoryranger-comes-to-the-rescue-again-237365279
The security of a computer system depends on the protection of the OS kernel. It is crucial to reveal and inspect new attacks on kernel data that could be used by hackers. This paper continues the research into attacks on dynamically allocated data in the Windows OS kernel and demonstrates how MemoryRanger can prevent these attacks. Three new hijacking attacks on kernel data are demonstrated, each based on bypassing OS security mechanisms. The first two result in illegal access to files opened with exclusive access. The third escalates process privileges without token swapping. Although Windows security experts keep issuing new protection features, access attempts to dynamically allocated kernel data are not fully controlled. The MemoryRanger hypervisor is designed to fill this security gap. The updated MemoryRanger prevents these new attacks and supports Windows 10 1903 x64.

MemoryRanger Prevents Hijacking FILE_OBJECT Structures in Windows Kernel
Igor Korkin (IgorKorkin@slideshare.net), Wed, 22 May 2019 13:57:11 GMT
Link: /slideshow/memoryranger-prevents-hijacking-fileobject-structures-in-windows-kernel-147094297/147094297
I have presented that files opened in exclusive mode can be illegally accessed without any security reaction. After that, I presented my MemoryRanger, which can prevent such unauthorized memory access. All the details are here - https://igorkorkin.blogspot.com/2019/04/memoryranger-prevents-hijacking.html

Divide et Impera: MemoryRanger Runs Drivers in Isolated Kernel Spaces
Igor Korkin (IgorKorkin@slideshare.net), Mon, 10 Dec 2018 21:27:38 GMT
Link: /slideshow/divide-et-impera-memoryranger-runs-drivers-in-isolated-kernel-spaces-125548311/125548311
MemoryRanger is a hypervisor-based project that isolates kernel-mode drivers and their allocated data by running the drivers in isolated kernel enclaves. All the details are here - bit.ly/MemoryRanger

Hypervisor-Based Active Data Protection for Integrity and Confidentiality of Dynamically Allocated Memory in Windows Kernel
Igor Korkin (IgorKorkin@slideshare.net), Fri, 18 May 2018 13:17:18 GMT
Link: /slideshow/hypervisorbased-active-data-protection-for-integrity-and-confidentiality-of-dynamically-allocated-memory-in-windows-kernel-97494811/97494811
All the details are here - http://bit.ly/AllMemPro
One of the main issues in OS security is providing trusted code execution in an untrusted environment. While executing, kernel-mode drivers dynamically allocate memory to store and process their data: Windows core kernel structures, users' private information, and sensitive data of third-party drivers. All of this data can be tampered with by kernel-mode malware. Attacks on Windows-based computers can cause not only hiding of a malware driver, process privilege escalation, and theft of private data, but also failures of industrial CNC machines. Windows built-in security and existing approaches do not provide integrity and confidentiality for the allocated memory of third-party drivers. The proposed hypervisor-based system (AllMemPro) protects allocated data from being modified or stolen. AllMemPro prevents access to even 1 byte of allocated data, adapts to newly allocated memory in real time, and protects a driver without its source code. AllMemPro works well on the newest Windows 10 1709 x64.

Detect Kernel-Mode Rootkits via Real Time Logging & Controlling Memory Access
Igor Korkin (IgorKorkin@slideshare.net), Tue, 16 May 2017 01:48:23 GMT
Link: /slideshow/detect-kernelmode-rootkits-via-real-time-logging-controlling-memory-access/76004598
The demo is here - https://www.youtube.com/watch?v=vi9TzLrO_pE
All details and source code are here - http://www.bit.ly/MemoryMonRWX
Modern malware and spyware platforms attack existing antivirus solutions and even Microsoft PatchGuard. To protect users and business systems, new technologies in Intel and AMD CPUs may be applied. To deal with the new malware, we propose monitoring and controlling access to memory in real time using Intel VT-x with EPT. We have checked this concept by developing MemoryMonRWX, a bare-metal hypervisor. MemoryMonRWX is able to track and trap all types of memory access: read, write, and execute. MemoryMonRWX also has the following competitive advantages: fine-grained analysis, support for multi-core CPUs, and support for 64-bit Windows 10. MemoryMonRWX is able to protect critical kernel memory areas even when PatchGuard has been disabled by malware. Its main innovative features are guaranteed interception of every memory access, resilience, and low performance degradation.

Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
Igor Korkin (IgorKorkin@slideshare.net), Tue, 31 May 2016 01:22:11 GMT
Link: /slideshow/acceleration-of-statistical-detection-of-zeroday-malware-in-the-memory-dump-using-cudaenabled-gpu-hardware/62555685
This paper focuses on the anticipatory enhancement of methods for detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks that use malware. In this paper, we first present the idea of the highest-stealth malware, which is the most complicated scenario for detection because it combines existing anti-forensic techniques with their potential improvements. Second, we present new detection methods that are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon entropy calculation, methods of digital photogrammetry, and the Zipf–Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present the idea and architecture of a software tool that uses CUDA-enabled GPU hardware to speed up memory forensics. All three ideas are currently a work in progress.

Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations /slideshow/two-challenges-of-stealthy-hypervisors-detection-time-cheating-and-data-fluctuations/48662298
Hardware virtualization technologies play a significant role in cyber security. On the one hand, these technologies enhance security levels by enabling the design of a trusted operating system. On the other hand, they can be taken up by modern malware, which is then rather hard to detect. None of the existing methods is able to efficiently detect a hypervisor in the face of countermeasures such as time cheating, temporary self-uninstalling, memory hiding, etc. The new hypervisor detection methods described in this paper can detect a hypervisor under these countermeasures and even count several nested ones. These novel approaches rely on a new statistical analysis of time discrepancies observed when executing a set of instructions that are unconditionally intercepted by a hypervisor. Reliability was achieved through comprehensive analysis of the collected data despite its fluctuation. The proposed methods were comprehensively assessed on both Intel and AMD CPUs.
Wed, 27 May 2015 14:59:14 GMT /slideshow/two-challenges-of-stealthy-hypervisors-detection-time-cheating-and-data-fluctuations/48662298 IgorKorkin@slideshare.net(IgorKorkin) Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations IgorKorkin
Two Challenges of Stealthy Hypervisors Detection: Time Cheating and Data Fluctuations from Igor Korkin
Applying Memory Forensics to Rootkit Detection /slideshow/applying-memory-forensics-to-rootkit-detection/35420527
Volatile memory dumping and its analysis is an essential part of digital forensics. Among the various software and hardware approaches to memory dumping, some authors point out that certain approaches are not resilient to anti-forensic techniques, while others require a reboot or are highly platform dependent. Newer resilient tools have disadvantages of their own, such as low speed or vulnerability to rootkits that directly manipulate kernel structures, e.g. page tables. A new memory forensic system, Malware Analysis System for Hidden Knotty Anomalies (MASHKA), is described in this paper. It is resilient to popular anti-forensic techniques and can be used for a wide range of memory forensics tasks. This paper describes how to apply the system to the research and detection of kernel-mode rootkits and also presents an analysis of the most popular anti-rootkit tools. Applying Memory Forensics to Rootkit Detection #adfsl #Virginia #USA http://bit.ly/cdfsl_paper http://bit.ly/cdfsl_slides http://bit.ly/cdfsl_speech
Tue, 03 Jun 2014 03:07:02 GMT /slideshow/applying-memory-forensics-to-rootkit-detection/35420527 IgorKorkin@slideshare.net(IgorKorkin) Applying Memory Forensics to Rootkit Detection IgorKorkin
Applying Memory Forensics to Rootkit Detection from Igor Korkin
Korkin how-to /slideshow/korkin-howto/11784578
Tue, 28 Feb 2012 09:52:14 GMT /slideshow/korkin-howto/11784578 IgorKorkin@slideshare.net(IgorKorkin) Korkin how-to IgorKorkin
Korkin how-to from Igor Korkin
Igor Korkin dissertation presentation /slideshow/igor-korkin-dissertation-presentation/11503192
sites.google.com/site/igorkorkin
Thu, 09 Feb 2012 14:02:46 GMT /slideshow/igor-korkin-dissertation-presentation/11503192 IgorKorkin@slideshare.net(IgorKorkin) Igor Korkin dissertation presentation IgorKorkin
Igor Korkin dissertation presentation from Igor Korkin
An expert in digital security, full of passion and curiosity, I have ambitions to improve anti-malware protection systems utilizing machine learning techniques and to hunt zero-day exploits. Cybersecurity is my life: my job, and also my hobby and lifestyle. My areas of expertise are kernel-mode rootkit detection, Windows internals, and hardware virtualization technologies (Intel VT-x, EPT, PT). I have published more than 20 research papers; six recent papers are double-blind peer-reviewed, see my blog - igorkorkin.blogspot.com. sites.google.com/site/igorkorkin