About The Hague Security Delta
What's happening in the Dutch Security Domain?
KPN's monthly, free-to-attend Guest Hacker Program returns in 2018! The first speaker, on 25 January, is Ben Gras, PhD student at the Vrije Universiteit. Ben will speak on 'Reliable infiltration detection through packet tagging'. Make sure to register via [email protected]
Ben is a PhD student in the systems security research group of prof. Herbert Bos at the VU University in Amsterdam, working on software reliability, defensive research projects and, most recently, offensive research, most notably publishing on making cross-VM Rowhammer exploitation reliable and on a microarchitectural MMU cache side-channel attack. He is pursuing a PhD in mischief there. The work presented here was developed during a six-month internship with Cisco in Knoxville, TN, in their security research, evaluation and forensics group.
Reliable router malware detection. Infrastructure compromise (i.e. hacking into routers and switches) is the purview of very advanced attackers, commonly assumed to be Advanced Persistent Threat (APT) groups. These are frequently the cyber-capability units of military or intelligence branches of nation-state governments. As recently leaked documents show, the NSA spends a significant amount of resources on being able to intercept traffic, and implanting switches and routers is one of its strategies.
We propose a cryptographic-tagging-based system that can reliably detect malware packets originating from a router (after router compromise), without any cooperation from (i.e. trust in) the possibly-compromised devices themselves. We evaluate the classification reliability and performance overhead in the lab.
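To make the idea in the abstract concrete, here is a small model of endpoint-side packet tagging and an out-of-band monitor that classifies packets without trusting the router in between. This is an added illustration, not Ben Gras's or Cisco's design: the tag layout (a truncated HMAC-SHA256 over source, sequence number and payload), the verdict names and the sample packets are all assumptions constructed for the example. The point it shows is that a compromised router can forward tagged packets but cannot mint, alter or replay them without the endpoint key, so anything it injects lands in a non-"trusted" bucket.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

TAG_LEN = 16  # bytes of HMAC-SHA256 carried per packet (assumed layout)


@dataclass(frozen=True)
class TaggedPacket:
    """Minimal packet model: source address, per-host sequence, payload, tag."""
    src: str
    seq: int
    payload: bytes
    tag: bytes


def _mac(key: bytes, src: str, seq: int, payload: bytes) -> bytes:
    # Bind the tag to source, sequence number and payload so a valid tag
    # cannot be moved to other content (tampering) or reused (replay).
    msg = src.encode() + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


def tag_packet(key: bytes, src: str, seq: int, payload: bytes) -> TaggedPacket:
    """Endpoint side: the trusted host tags its own outbound packet."""
    return TaggedPacket(src, seq, payload, _mac(key, src, seq, payload))


class TagMonitor:
    """Monitor side: verifies tags with per-host keys the router never sees."""

    def __init__(self, host_keys: dict[str, bytes]):
        self.host_keys = host_keys
        self.highest_seq = {host: -1 for host in host_keys}

    def classify(self, pkt: TaggedPacket) -> str:
        key = self.host_keys.get(pkt.src)
        if key is None:
            return "unknown-source"          # no key provisioned for this host
        expected = _mac(key, pkt.src, pkt.seq, pkt.payload)
        if not hmac.compare_digest(expected, pkt.tag):
            return "untrusted-origin"        # forged or modified in transit
        if pkt.seq <= self.highest_seq[pkt.src]:
            return "replay"                  # valid tag, but already seen
        self.highest_seq[pkt.src] = pkt.seq
        return "trusted"


def run_demo() -> list[str]:
    """Classify a constructed sequence of packets; returns the verdict list."""
    key_a = b"constructed-key-for-host-a"
    monitor = TagMonitor({"10.0.0.5": key_a})

    legit = tag_packet(key_a, "10.0.0.5", 1, b"GET / HTTP/1.1")
    # A router-resident implant injecting traffic under host A's address:
    # it has no key, so it cannot produce a matching tag.
    injected = TaggedPacket("10.0.0.5", 2, b"constructed beacon", b"\x00" * TAG_LEN)
    # The same implant rewriting the payload of a genuine packet in flight.
    tampered = TaggedPacket(legit.src, legit.seq, b"GET /admin HTTP/1.1", legit.tag)
    # A straight replay of the genuine packet.
    replayed = legit
    # Host A's next genuine packet.
    legit_next = tag_packet(key_a, "10.0.0.5", 2, b"POST /data HTTP/1.1")
    # Traffic from an address no endpoint key was issued for.
    stranger = TaggedPacket("192.0.2.9", 1, b"hello", b"\x00" * TAG_LEN)

    return [monitor.classify(p) for p in
            (legit, injected, tampered, replayed, legit_next, stranger)]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The monitor needs only the endpoint keys and a copy of the traffic (e.g. a mirror port downstream of the router), which is what lets it stay independent of the device under suspicion. A real deployment would have to decide where the tag travels (an option header, an encapsulation) and how the sequence window tolerates reordering; the model above uses a strict monotonic counter for clarity.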
As a side effect of doing the lab evaluation for this talk at Cisco, I was able to access real malware collected in the field from customers' routers' memory, and we did significant binary analysis on one of the samples. This talk therefore also includes deep technical details of the cryptographic properties and the packet-processing mechanics and capabilities of one of the malware samples. I'm not allowed to speculate which threat actor this was, but from context we can infer this is a "very advanced adversary" - some of the fingerprints one of them is known to leave are public knowledge, so that adds some excitement to this talk - this malware was not supposed to be discovered, yet we can talk about a lot of the details.