Seven Deadliest USB Attacks, part 6

  • 23 pages
  • .pdf file
102 CHAPTER 4 USB Device Overflow
In Figure 4.1, text is a segment that usually contains the program's code used for
executing instructions. The following segment contains initialized and uninitialized
data, which is provided during the assembly process.[S] Diving deeper into the
structure, we move to the higher addresses where the portions allocated at run time are
shared by the stack and heap. In this scenario, the heap retains the dynamic variables
and is managed with malloc (memory allocation) or the new operator. A simple
code sample is included below that exemplifies the vulnerable nature of this memory
area.[T]
#include <stdio.h>
#include <string.h>
#include <windows.h>

int vulnerable(char *buf);

int main(int argc, char *argv[])
{
    if (argc < 2)
        return 1;
    vulnerable(argv[1]);
    return 0;
}

int vulnerable(char *buf)
{
    /* Private heap; a 260-byte chunk is allocated from it */
    HANDLE hp = HeapCreate(0, 0, 0);
    char *chunk = (char *)HeapAlloc(hp, 0, 260);
    strcpy(chunk, buf); /* Vulnerability: buf is copied with no length check */
    return 0;
}
In the above example, if the buffer surpasses 260 bytes, the pointers in the
adjacent boundary tag will be overwritten. This allows an arbitrary memory location
to be overwritten with 4 bytes when the heap-management cycle next processes the
corrupted chunk.
Recently, there has been an increase in heap-type overflows found in AV
libraries.[U] Some of these variants use a combination of copy operations and integer
overflow on the heap. The example below shows vulnerable code responsible for
processing TNEF files in ClamAV[V] (tnef.c, the tnefmessage function).
string = cli_malloc(length + 1);             /* Vulnerability: length + 1 can wrap to 0 */
if(fread(string, 1, length, fp) != length) { /* Vulnerability: length used unchecked as the read size */
    free(string);
    return -1;
}
In line 1 above, the malloc statement will allocate memory based on the length
of a 32-bit integer. With this example, the length is capable of being manipulated
by the user, and a malicious file can be constructed setting the length to "-1,"
resulting in a "0" malloc. This would allocate a small heap buffer of 16 bytes on
most 32-bit platforms. In line 2, an overflow occurs in the fread call while the third
argument requiring length is expecting a size_t variable. Since this variable is
indicated as "-1," the argument wraps to 0xFFFFFFFF, which in turn copies this into the
16-byte buffer.
[S] www.blackhat.com/presentations/win-usa-04/bh-win-04-litchfield/bh-win-04-litchfield.ppt
[T] www.owasp.org/index.php/Testing_for_Heap_Overflow
[U] www.kaspersky.com/technews?id=203038694
[V] www.clamav.net/index.php?s=vulnerability
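The two defects discussed above, worked through in C as an added example that is neither the book's code nor ClamAV's: tnef_naive_size reproduces the 32-bit wrap of length + 1, tnef_checked_size and tnef_read_sample are a hypothetical hardened version that rejects the wrapping length and any length longer than the data actually present, and copy_into_chunk is a bounded stand-in for the strcpy in the HeapAlloc sample. The file bytes are constructed, and malloc replaces HeapAlloc so the check runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The size the original tnefmessage() code computes: length + 1 in 32-bit
   arithmetic. For length == 0xFFFFFFFF ("-1") this wraps to 0. */
uint32_t tnef_naive_size(uint32_t length)
{
    return length + 1;
}

/* Hypothetical hardened version (not ClamAV's actual fix): refuse the one
   value for which length + 1 wraps. A valid size is never 0, so 0 serves
   as the failure code. */
size_t tnef_checked_size(uint32_t length)
{
    if (length == UINT32_MAX)
        return 0;
    return (size_t)length + 1;
}

/* Constructed stand-in for the TNEF file contents (7 payload bytes). */
static const unsigned char SAMPLE_FILE[] = "attach1";
#define SAMPLE_FILE_LEN (sizeof SAMPLE_FILE - 1)

/* Reads `length` bytes of SAMPLE_FILE into a fresh NUL-terminated buffer,
   mirroring the malloc/fread pair in the original, but only after the size
   is validated and the "file" is known to hold `length` bytes.
   Returns the number of bytes read, or -1 if the request is rejected. */
long tnef_read_sample(uint32_t length)
{
    size_t need = tnef_checked_size(length);
    if (need == 0 || length > SAMPLE_FILE_LEN)
        return -1;
    char *string = malloc(need);
    if (string == NULL)
        return -1;
    memcpy(string, SAMPLE_FILE, length);   /* stands in for fread() */
    string[length] = '\0';
    free(string);
    return (long)length;
}

/* Bounded replacement for strcpy(chunk, buf) in the HeapAlloc sample:
   the input, including its terminator, must fit in a chunk of `cap` bytes.
   Returns 1 on success, 0 if the input is rejected. */
int copy_into_chunk(char *chunk, size_t cap, const char *buf)
{
    size_t n = strlen(buf);
    if (n >= cap)
        return 0;
    memcpy(chunk, buf, n + 1);
    return 1;
}

/* Attempts to copy `input_len` bytes of 'A' into a 260-byte chunk; malloc
   stands in for HeapAlloc so the check runs on any platform. */
int demo_copy(size_t input_len)
{
    char *chunk = malloc(260);
    char *input = malloc(input_len + 1);
    int ok = -1;
    if (chunk != NULL && input != NULL) {
        memset(input, 'A', input_len);
        input[input_len] = '\0';
        ok = copy_into_chunk(chunk, 260, input);
    }
    free(input);
    free(chunk);
    return ok;
}

int main(void)
{
    printf("naive size for 0xFFFFFFFF: %u\n", tnef_naive_size(UINT32_MAX));
    printf("checked size for 0xFFFFFFFF: %zu (0 = rejected)\n",
           tnef_checked_size(UINT32_MAX));
    printf("read 7 bytes: %ld, read 8 bytes: %ld, read 0xFFFFFFFF: %ld\n",
           tnef_read_sample(7), tnef_read_sample(8), tnef_read_sample(UINT32_MAX));
    printf("copy 259 bytes: %d, copy 260 bytes: %d\n", demo_copy(259), demo_copy(260));
    return 0;
}
```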
There are many techniques that can be employed to attack heap areas of memory.
Like the stack area, NOP-sled techniques are commonly used to exploit these issues.
Heap spraying is another method used to facilitate arbitrary code execution.[W] This
type of attack sprays the heap with code in an attempt to place a sequence of bytes
in a predetermined memory location. The advantage gained by making use of this
is the fact that these heap blocks are commonly in the same location each time the
spray is run.
If you are seeking to learn how to create your own buffer overflow, there are entire
books dedicated to this subject. Buffer Overflow Attacks: Detect, Exploit, Prevent,
by James C. Foster (ISBN: 978-1-932266-67-2, Syngress), is one that comes highly
recommended. Recent publications are usually the best bet, as the buffer landscape
is constantly transforming and techniques can grow stale quickly. Commonly
suggested crafting tools include a hex editor, assembler, and disassembler (HIEW[X]), as
well as real-time debuggers (Syser[Y]) and C++ tools such as DUMPBIN.
USB Development and the Hole in the Heap
"Plug and Root: The USB Key to the Kingdom" is the title of the presentation given
by Darrin Barral and David Dewey at the Black Hat convention in Las Vegas, NV, in
2005.[Z] Media speculation surrounding this finding described the liable component in
this exposure as the USB specification. It seems like a reasonable assumption given
the simplistic nature of USB and the supported device. What most fail to understand
is the number of complex components and interdependencies required to make
this happen. Much like an automobile or major appliance, there are numerous
elements working in unison to provide you with the desired result. The drivers were
the targets in this strike, which, once overrun, provide an avenue for arbitrary code
injection. Autorun is again a helpful factor in that it enables the dynamic nature of
this creature.
In their testing, they acquired a development kit from Digi-Key[AA] to combine
the essential components. They used an SL811 controller[BB] to provide the key
function for emulation of alternate devices for host enumeration testing. This chip relies
heavily on the controller CPU and ultimately indicates the type of device being
connected to the host system. Making use of this allowed them to alter the VID and PID,
which are sent to the host from the device once inserted, to emulate a nonremovable
DVD drive. USB devices may only have a single device descriptor, but they can have
multiple subdescriptors defined such as endpoint, interface, and configuration, as
shown in Figure 4.2 below.[CC]
[W] http://securityevaluators.com/files/papers/isewoot08.pdf
[X] www.hiew.ru/
[Y] www.sysersoft.com/
[Z] www.blackhat.com/presentations/bh-usa-05/BH_US_05-Barrall-Dewey.pdf
[AA] http://dkc1.digikey.com/us/en/mkt/C_Profile.html?WT.z_homepage_link=hp_aboutus
[BB] www.cypress.com/?docID=5037
The VID and PID are important here because they determine which drivers are
loaded when the device is inserted. A single VID can correspond to many PIDs; an
example of this would be any typical multifunction printer on the market that has scan,
fax, and copy capabilities. In their research, they were able to locate specific drivers
that were vulnerable to arbitrary input, thereby allowing execution of any code of their choice.
USB defines a set of class codes that are used to identify the functions a device is
to serve.[DD] It uses these codes to load the necessary drivers so the operating system
can engage it when called upon. The researchers made several enhancements to the
board to speed up the testing process. A transistor was added to provide a switching
mechanism that would simulate a device insertion. Fuzzing techniques[EE] were
employed to alter the VID and PID on the fly and provide status updates of the SL811
controller. Once in place, they were able to run rigorous tests against the plethora of
default drivers included on every operating system.
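The descriptor hierarchy of Figure 4.2 and the driver-selection fields discussed above, as an added example that is not code from the book or from the Plug and Root research: a host-side C parser that extracts VID, PID and class codes from a device descriptor and walks a configuration descriptor, checking wTotalLength and every bLength against the bytes actually received, which is the bounds check a driver needs so a device reporting oversized descriptors cannot push it past its buffer. The descriptor bytes and the VID/PID values are constructed, not taken from any real product.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard USB descriptor type codes */
#define USB_DT_DEVICE        0x01
#define USB_DT_CONFIGURATION 0x02
#define USB_DT_INTERFACE     0x04
#define USB_DT_ENDPOINT      0x05

typedef struct {
    uint16_t vid, pid;        /* idVendor / idProduct: these pick the driver */
    uint8_t  device_class;    /* bDeviceClass (0 = class defined per interface) */
    uint8_t  first_if_class;  /* bInterfaceClass of the first interface */
    int      interfaces, endpoints;
} usb_summary;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the 18-byte device descriptor; false on any length/type mismatch. */
bool parse_device_descriptor(const uint8_t *buf, size_t len, usb_summary *out)
{
    if (len < 18 || buf[0] != 18 || buf[1] != USB_DT_DEVICE) return false;
    out->device_class = buf[4];
    out->vid = le16(buf + 8);
    out->pid = le16(buf + 10);
    return true;
}

/* Walk a configuration descriptor and the interface and endpoint descriptors
   that follow it. wTotalLength is checked against the bytes actually received
   and every bLength against the bytes remaining, so a device that advertises
   more than it sent cannot steer the parser past the end of the buffer. */
bool walk_configuration(const uint8_t *buf, size_t len, usb_summary *out)
{
    out->interfaces = out->endpoints = 0;
    out->first_if_class = 0;
    if (len < 9 || buf[0] != 9 || buf[1] != USB_DT_CONFIGURATION) return false;
    size_t total = le16(buf + 2);                 /* wTotalLength */
    if (total < 9 || total > len) return false;
    size_t off = 9;
    while (off < total) {
        if (total - off < 2) return false;        /* no room for a header */
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2 || blen > total - off) return false; /* bLength overruns data */
        if (btype == USB_DT_INTERFACE) {
            if (blen < 9) return false;
            if (out->interfaces == 0) out->first_if_class = buf[off + 5];
            out->interfaces++;
        } else if (btype == USB_DT_ENDPOINT) {
            if (blen < 7) return false;
            out->endpoints++;
        }
        off += blen;                              /* other types are skipped */
    }
    return off == total;
}

/* Constructed sample, not captured from a real device: a bulk-only
   mass-storage device with placeholder VID 0x1234 and PID 0x5678. */
static const uint8_t SAMPLE_DEVICE[18] = {
    0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40,
    0x34, 0x12, 0x78, 0x56, 0x00, 0x01, 0x01, 0x02, 0x03, 0x01 };
static const uint8_t SAMPLE_CONFIG[32] = {
    0x09, 0x02, 0x20, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32, /* configuration       */
    0x09, 0x04, 0x00, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00, /* interface, class 08 */
    0x07, 0x05, 0x81, 0x02, 0x00, 0x02, 0x00,             /* bulk IN endpoint    */
    0x07, 0x05, 0x02, 0x02, 0x00, 0x02, 0x00 };           /* bulk OUT endpoint   */

/* Parse the sample; with corrupt set, the first endpoint's bLength is changed
   to 0x40, which claims 64 bytes where only 14 remain. */
bool parse_sample(bool corrupt, usb_summary *out)
{
    uint8_t cfg[sizeof SAMPLE_CONFIG];
    memcpy(cfg, SAMPLE_CONFIG, sizeof cfg);
    if (corrupt) cfg[18] = 0x40;
    return parse_device_descriptor(SAMPLE_DEVICE, sizeof SAMPLE_DEVICE, out)
        && walk_configuration(cfg, sizeof cfg, out);
}

/* Plain-value wrapper: endpoint count, or -1 when the descriptors are rejected. */
int sample_endpoints(bool corrupt)
{
    usb_summary s;
    return parse_sample(corrupt, &s) ? s.endpoints : -1;
}

int main(void)
{
    usb_summary s;
    if (!parse_sample(false, &s)) { puts("malformed descriptors"); return 1; }
    printf("VID %04x PID %04x class %02x/%02x: %d interface(s), %d endpoint(s)\n",
           s.vid, s.pid, s.device_class, s.first_if_class, s.interfaces, s.endpoints);
    printf("corrupted bLength accepted: %s\n", parse_sample(true, &s) ? "yes" : "no");
    return 0;
}
```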
The researchers notified Microsoft about the susceptible drivers, but a patch was
not released before the presentation, so these details were not made known. During the
research for this book, no additional information could be found indicating a patch
issuance related to this, although the bugtraq report previously mentioned in the "Device
Drivers" section was initiated in the exact time frame in which this hack was released.
Figure 4.2 USB Descriptors: one device descriptor, under which sit configuration
descriptors, each with interface descriptors, each with endpoint descriptors.
[CC] www.beyondlogic.org/usbnutshell/usb5.htm
[DD] www.usb.org/developers/defined_class
[EE] http://msdn.microsoft.com/en-us/library/cc162782.aspx
To build and accomplish an attack of this sort, one would need to be well versed
in both hardware and software. In this example, the researchers used a low-cost
hardware solution combining the necessary components from multiple vendors to
produce their final product. There are more expensive options for those less inclined
from the hardware perspective. Cypress is a silicon-processing fabricator that
provides solutions for development and engineering activities including manufacturing,
specialty processing, custom development, and support for their customers.[FF] They
have several kits available that provide the components and software templates to
ease the learning curve for most. The CY3684 EZ-USB FX2LP kit is one of these and
can be purchased online from the Cypress Web site.[GG] Be sure to contact their sales
team to ensure this will meet your testing requirements.[HH]
Ever-Present Exposures
Confidentiality, integrity, and availability all can be severely jeopardized if one of
these were crafted and deployed against a critical system. An assault of this sort
could severely tarnish one’s reputation, resulting in loss of customer or partner trust,
and potentially devastating a company’s bottom line. The code deployed with the
heap overflow can be used to gain access to a locked workstation and make use of
the current authentication context. With this in mind, if an attacker targets a system
used by a network, application, or system administrators, the damage rendered could
be disastrous.
EPIC Fail
Screen saver passwords are no match for an attack with kernel mode access. Even
whitelisting certain devices will not protect a system from these attacks, as the controller on
the USB device can be altered to emulate the authorized component.
Remote buffer overflow attacks will continue to remain a concern, although we
are just beginning to understand the localized aspects of these types of exploits. Most
of these errors in buffers are said to be the result of poor software design and lazy coding
practices, while others speculate these are intentional backdoors and even conspiracies.[II] This
attack can be much more brutal than those defined in Chapter 1, "USB Hacksaw,"
Chapter 2, "USB Switchblade," and Chapter 3, "USB-Based Virus/Malicious Code
Launch." A crucial difference here is that the entire attack operates in kernel
space, while the previous three stay in user mode.
[FF] www.cypress.com/?id=2080&source=header
[GG] www.cypress.com/?rID=14321
[HH] www.cypress.com/?id=7
[II] www.angelfire.com/space/netcensus/backdoors.html
The picture painted by the researchers in the “Plug and Root” presentation described
a scenario using the buffer overflow to drop a rootkit payload onto a typical point-of-
sale computer. Merchants often leave these units in the open and unattended, making
them ripe for a USB’s picking. Some newer models of LCD screens also include USB
ports for ease of everyone’s access. The researchers go on to describe how the rootkits
could be designed to phone home, or the attacker could just return at a later time to
extract the credit card goodies with another USB flash drive.
Many vendors have started publicly releasing vulnerabilities as they are made
known. On the surface, this seems like a good action, but it ultimately can have a
negative effect on the computing masses. When these alerts are released, criminals use this
information to quickly craft an attack aimed at unpatched or stale systems. A 2009
study indicated that major organizations monitored by Qualys take twice as long on
average to patch application vulnerabilities versus the base operating system.[JJ]
Overflow Outlook
The Morris worm is a great early example of a buffer-type worm gone awry. In
November of 1988, this malicious code targeted the finger service on UNIX-based
platforms.[KK] The finger service was designed to provide query results for system
users, account attributes, and other identification-related data. This malicious code
exploited the daemon's input routine, which did not check the bounds of
the involved buffers.[LL] The Morris worm is considered by many to be the first major
attack on the Internet.
At DefCon 17 in the summer of 2009, Rafael Dominguez Vega presented a USB
attack similar to Plug and Root that could be used to exploit Linux drivers. His
presentation, called "USB Attacks: Fun with Plug and 0wn," used a slightly different
approach to establish the same outcome that Darrin and David did. Here, he used
a Programmable Interface Controller[MM] (PIC18) flashed with their own shell code
to exploit a vulnerable driver on a Linux system. They also used Quick Emulator
virtualization[NN] with a combination of fuzzing techniques in their demonstration.
Mobile devices are far from immune to these types of vulnerabilities. In February
of 2009, an alert was released regarding a buffer overflow in an ActiveX control for an
application Web loader on the Blackberry platform.[OO] The iPhone is a favorite target
for hackers, and heap-based buffer exploits are no exception.[PP] Chapter 6, "Pod
Slurping," will reveal how to jailbreak an iPhone and discuss the potential impacts of
a phone-siphoning data-theft scenario. With Windows 7, USB 3.0, and x64 systems
already above the horizon, a new age has dawned for finding fresh flaws in these
developments. Buffer overflows continue to be the major force behind the most
common exposures. These threats will continue to increase in variety, complexity,
and severity as driver developers and operating system vendors struggle to meet basic
qualifications for market release.
[JJ] http://redmondmag.com/articles/2009/09/16/unpatched-apps-growing-target-for-hackers.aspx
[KK] www.cert.org/homeusers/buffer_overflow.html
[LL] www.cso.com.au/article/265692/morris_worm_turns_20_look_what_it_done
[MM] www.piclist.com/techref/piclist/begin.htm
[NN] www.qemu.org/user-doc.html
[OO] http://secunia.com/Advisories/33847/
[PP] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2206
Defensive Strategies
Guarding against device-based overflows can be a tricky undertaking, although
the requirement of autorun makes the measures outlined in the final sections of
Chapter 1, "USB Hacksaw," Chapter 2, "USB Switchblade," and Chapter 3, "USB-
Based Virus/Malicious Code Launch" quite relevant. In this section, we will explore
some additional alternatives that can be applied in conjunction with or in replacement
of the existing strategies prescribed.
Drivers
A quick way to snatch the feet out from under this attack is to prevent the USB
drivers from being able to load. These procedures will allow preexisting USB devices
to remain installed but prevent any new devices from being initialized. This comes
with a price, as the installation of all new USB devices will be disabled from this
point forward. Ensure you have all authorized USB devices installed and active on
the system before performing these procedures.
Note
These procedures assume that personnel using the system do not have administrative
privileges. If this is not the case, then these changes could be reverted.
These procedures have been tested against Windows 2000, 2003, and XP systems.
Use the following procedures to restrict access to the USB drivers moving
forward.[QQ]
1. Open My Computer or Windows Explorer and locate the %SystemRoot%\Inf folder.
For most default Windows installations, this will be c:\Windows\Inf.
2. Locate the Usbstor.pnf file, right-click, and then select Properties.
3. Go to the Security tab, under Group or username click Edit, and then in the new
pane click Add.
4. Type the group or username you want to prevent from having USB access, and
then select OK.
5. Ensure the newly added object is highlighted in the Group or username section,
and check the Deny box next to Full Control in the Permissions for section.
6. Highlight the System account in the Group or username section and check the
Deny box in the same location as indicated in the previous step.
7. Click OK to apply the settings and acknowledge any additional information or
warning dialogs that may be invoked.
8. Repeat steps 2 to 7 on Usbstor.inf to complete the access restriction.
[QQ] http://support.microsoft.com/default.aspx?scid=kb;EN-US;823732
For those of you who can’t handle going through the panes of Windows or just
wish to script this same action, it can be performed from the command line. The
cacls command can be used to perform a number of file and directory-level permis-
sions functions. To view the permissions of the users on the target computer, the
following command can be run.
cacls c:\windows\inf\usbstor.inf
You can choose to edit the current access control list (ACL) or replace it with
your choice of credentials and privileges. In the below example, the /e switch is used
to edit the permissions on the file. Running the command without the /e switch will
replace the entire existing ACL with what you specify.
cacls c:\windows\inf\usbstor.inf /e /p system:n
cacls c:\windows\inf\usbstor.pnf /e /p "UserOrGroupNameHere":n
If a USB device had previously been installed on the system, these changes will
not affect it. To halt all drivers from loading, even for currently connected
components, you can simply disable the service on the desired systems. A registry
backup or restore point should be created before performing these steps.[RR]
1. Click Start, then Run. (In Vista, just click Start.)
2. In the Open box, type regedit and then press Enter.
3. Locate and highlight the following registry key.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UsbStor
4. In the right-hand pane, double-click Start.
5. In the Value data box, type 4, click Hexadecimal (if it is not already selected),
and then click OK.
6. Exit Registry Editor.
Command-line options are available to adjust this setting. The sc and reg
commands can be used to modify a multitude of service parameters. The example below
uses the reg command to adjust the start value for the usbstor service.
reg add hklm\SYSTEM\CurrentControlSet\Services\usbstor /v start /t REG_DWORD /d 0x4 /f
Group Policy
If you are an administrator of a Windows environment, you may decide that the best
approach for your workplace would be to disable drivers of external components on
all machines without having to make a change to each system. You may also want
to disable certain drive types only for specific groups of computers within your
network. Windows 2003 Server does not include this policy by default, and you will
need to create a custom administrative template. The procedures outlined below were
performed on a Windows Vista Ultimate system but should be similar to those
experienced in a Windows 2003 domain environment.
[RR] http://support.microsoft.com/kb/322756/
Tip
You must authenticate with administrative privileges in order to use Group Policy Editor.
Open Notepad and enter the following text into a file, saving it with an .adm
extension (for example, File.adm). If you would like to cut and paste this information
into Notepad, it is available on the Microsoft Web site.[SS]
CLASS MACHINE
CATEGORY !!category
CATEGORY !!categoryname
POLICY !!policynameusb
KEYNAME "SYSTEM\CurrentControlSet\Services\USBSTOR"
EXPLAIN !!explaintextusb
PART !!labeltextusb DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamecd
KEYNAME "SYSTEM\CurrentControlSet\Services\Cdrom"
EXPLAIN !!explaintextcd
PART !!labeltextcd DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 1 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynameflpy
KEYNAME "SYSTEM\CurrentControlSet\Services\Flpydisk"
EXPLAIN !!explaintextflpy
PART !!labeltextflpy DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
POLICY !!policynamels120
KEYNAME "SYSTEM\CurrentControlSet\Services\Sfloppy"
EXPLAIN !!explaintextls120
PART !!labeltextls120 DROPDOWNLIST REQUIRED
VALUENAME "Start"
ITEMLIST
NAME !!Disabled VALUE NUMERIC 3 DEFAULT
NAME !!Enabled VALUE NUMERIC 4
END ITEMLIST
END PART
END POLICY
END CATEGORY
END CATEGORY
[strings]
category="Custom Policy Settings"
categoryname="Restrict Drives"
policynameusb="Disable USB"
policynamecd="Disable CD-ROM"
policynameflpy="Disable Floppy"
policynamels120="Disable High Capacity Floppy"
explaintextusb="Disables the computers USB ports by disabling the usbstor.sys driver"
explaintextcd="Disables the computers CD-ROM Drive by disabling the cdrom.sys driver"
explaintextflpy="Disables the computers Floppy Drive by disabling the flpydisk.sys driver"
explaintextls120="Disables the computers High Capacity Floppy Drive by disabling the sfloppy.sys driver"
labeltextusb="Disable USB Ports"
labeltextcd="Disable CD-ROM Drive"
labeltextflpy="Disable Floppy Drive"
labeltextls120="Disable High Capacity Floppy Drive"
Enabled="Enabled"
Disabled="Disabled"
[SS] http://support.microsoft.com/kb/555324
The steps below outline how to add a template allowing the disablement of typi-
cal removable device drivers using Group Policy editor. These procedures assume
you already have Group Policy editor installed on the target machine.
1. Click Start, then Run, and type gpedit.msc.
2. Browse to locate the Computer Configuration object, as seen in Figure 4.3.
3. Right-click Administrative Templates and choose Add/Remove Templates.
4. Click the Add button in the lower-left corner of the pane provided, as seen in
Figure 4.4.
5. Browse to locate the .adm file you just created and select Open.
6. Highlight Administrative Templates again and then in the View menu click
Filtering.
7. Clear the check mark next to Only show policy settings that can be fully
managed, as seen in Figure 4.5, and then press OK.
8. Under Computer Configuration, go to Administrative Templates\Classic
Administrative Templates\Custom Policy Settings\Restrict Drives. You should now see
the policy entries that were just created in the right pane, as seen in Figure 4.6.
9. Double-click to select which drive type you would like to disable. Click Enabled,
then select Enabled to disable the USB port in the policy setting, as seen in
Figure 4.7.
You have now created a custom policy that will allow you to regulate the
computers that are members of your domain. Apply the policy to the appropriate
containers that contain the target systems in order to enable the enforcement.[TT]
Be mindful when making such a sudden and drastic change to your environment.
Proper requirements gathering should be done prior to implementing any sort of
corporate- or domain-wide policy to ensure you don't break functionality that is
deemed critical to the business.[UU] Rigorous testing should also be done on all
relevant systems to ensure compliance and compatibility. Also keep in mind, this
policy will not be enforced on standalone systems or alternate operating systems
that are not part of the domain. It will also not apply to the respective devices that
are currently installed on the target systems.
Figure 4.3 Group Policy Editor
Figure 4.4 Group Policy Editor: Add/Remove Templates
Figure 4.5 Group Policy Editor: Filtering
Figure 4.6 Group Policy Editor: Restrict Drives
Figure 4.7 Group Policy Editor: Disable USB Properties
Physical Protection Mechanisms
Ideally, the most effective physical protection solution is to keep the system in your
possession while in use and adequately secured when left unattended. These may seem
like reasonable requirements capable of being understood by all. Unfortunately, each
user has an innate ability to interpret policies and stipulations differently. Humans
also have a natural inability to accurately assess risk, especially under hectic condi-
tions. These alone can be enough reason to apply and enforce additional stringent
measures to supplement best practices and policies.
Top Lockdown
Desktop and laptop locks are well-known deterrents that can actually prove quite
valuable for static systems. Some desktop systems now come with latches or brackets,
while others can have adhesive anchors, screw controls, and other types of fasteners
applied. Kensington produces numerous types of locking devices designed to suit a
variety of needs.[VV]
A T-bar locking mechanism is included on a vast majority of existing desktop
and laptop systems, and these are cross compatible with a multitude of vendor products
in this space. These locks won't prevent someone from imaging or dismantling
your system, but they will deter a thief of opportunity. Mobile employees often find
these cumbersome, especially those constantly on the move. Ensure you have a strict
policy mandating the use of these locks, if applicable, to aid in deterring negligent
behavior.
Racks, Cabinets, or Strongboxes
These physical protection devices are widely recognized as a necessity for critical
desktop and server systems. Racks and cabinets are often found on server room
floors, in closets, or in storage areas.[WW] Strongboxes are most commonly found in the
video security realm to prevent tampering with Digital Video Recorder equipment.[XX]
These can also be considered a cheaper alternative to a rack or cabinet where
computer hardware expansion is not expected.
[TT] www.microsoft.com/downloads/details.aspx?FamilyID=e7d72fa1-62fe-4358-8360-8774ea8db847&displaylang=en
[UU] https://confluence.uhi.ac.uk/confluence/display/INTPUB/Requirements+Gathering+Methodology
[VV] http://us.kensington.com/html/1434.html
[WW] www.presidentenclosures.com/
Warning
Ventilation is a key aspect that needs to be considered when deciding on the type and
location of the rack or cabinet unit. If the required location has preexisting aeration issues,
consider additional venting of the environment and adding fans to the enclosure. Excessive
dust can also be a crippling factor, especially when additional obstructions are included.
The last thing you want is to induce a thermal outage while trying to enhance the security
of your system. Be cautious of purchasing cheap products for physical protection, as you
often get what you pay for.
Physical Port Protection
Another product from Kensington aims to prevent folks from using epoxy or other
permanent disablement methods. Their USB Port Lock with Cable Guard[YY] product
is designed to protect one active USB device and block multiple adjacent ports
(horizontal or vertical orientation). This allows continued use of authorized devices
while securing additional ports in close proximity.
No technical experience is required for installation, and these will provide a
visible deterrent to enhance your protection. If a USB port is locked from the
computer-attached side, this will not prevent the opposite end from being accessed, if
applicable for the associated device. Mouse and keyboard connections should be
safe, but nodes such as hard drives, printers, and others have loose ends that could be
used for access into a secured system. Also keep in mind that FireWire and PCMCIA
(PCI Express) slots are still exposed components that can be utilized to perform
similar attacks.
Summary
A crucial factor in keeping these buffer pirates at bay is frequent updates to all system
software. By default, the Windows Update and Microsoft Update (which also covers
the Office suite and other program updates) services will be set to automatic and
should be left in this state. Most third-party applications and system utilities provide
automatic updates for their components, and these should be enabled where applicable.
Beware that some applications, plug-ins, and drivers are not automatically updated, and
these will need to be managed using alternative methods.
[XX] www.mbelectronics.com/view.aspx?id=439
[YY] http://us.kensington.com/html/17085.html
Creating the platform for this attack is not an easy undertaking, but it can and has
been accomplished by subject matter experts. While this doesn’t qualify as a script
kiddie crack available for the masses, it has a creative quality that demands attention.
There are many reasonable countermeasures that can be engaged to mitigate these
types of attacks. Those outlined here are sufficient, but one must remain ever-vigilant
as this threat landscape continues to transform.
Chapter 5
RAM dump
Information in This Chapter
• Gadgets Gone Astray
• Digital Forensic Acquisition Examination
• Mind Your Memory
• Advancements in Memory Analysis
• Hindering the Gatherers
Innovative software technologies continue to evolve rapidly, driven by market
demands. Memory-isolated programs launched from removable media (U3), random
access memory (RAM) resident rootkits, encryption prevalence, and Web 2.0 are just
a few of the new software challenges that face the digital investigators of today. In
the last few years, there have been considerable development and advances in tools
focused on memory acquisition and analysis.
This chapter will peer into the forensic aspects of memory collection and
analysis practices. Recent developments in these areas have led to improved methods
and tools and increased speculation into how these can be abused by an attacker.
Evidence handling is a fundamental phase in the field of computer forensics and
continues to be the driving force behind the development of volatile memory acquisition
and analysis. The days of unplugging a system before gathering digital evidence for
forensic analysis are nearly gone. Live forensics is now a necessity for first
responders, as it appears to have finally emerged from the legacy era throughout the security
community.
We will gaze into a USB-based RAM-gathering scenario (dynamic RAM and
synchronous dynamic RAM specifically) and recreate the attack, which was published
by Princeton researchers, the Electronic Frontier Foundation, and Wind River Systems
and titled "Lest We Remember: Cold Boot Attacks on Encryption Keys."[A] The later
sections of the chapter will delve into the threats these techniques pose, evolving
aspects of the analysis arena, and methods to help you hinder the gatherers.
[A] http://citp.princeton.edu/pub/coldboot.pdf
Gadgets Gone Astray
While you won’t find many RAM-dumping scenarios in the media, there are plenty
of relevant situations where this tactic is a plausible concern. Throughout the last
decade, computer theft has been a growing issue around the world, and this is a
prime situation where RAM analysis could prove valuable. In response, there has
also been a dramatic increase in full-disk encryption implementations, especially
those containing data that can produce a financial gain for the attacker. Those seeking
to exploit the information contained on these stolen devices instead of redeeming the
hardware value could potentially execute a memory analysis given the appropriate
circumstances.
In February of 2007, a report released from the FBI indicated that over 300
laptop computers had been lost or stolen over a 4-year span.[B] A report issued
from the Department of Justice Inspector General revealed that 10 of the laptops
stolen during that period were known to contain sensitive or classified information.
The contents were said to include badge-creation software, security plans,
and personally identifiable information of FBI employees. This statement was
released in a follow-up to a 2002 audit of the FBI internal controls governing
computers and guns.
The above story is a perfect example of an attack situation where a RAM-analysis
technique seems worthy. While the report doesn’t indicate if encryption was present
or enabled, it does show the type of information for which a foreign or criminal entity
might be willing to pay top dollar. An attacker would need simply to image the target
system memory before stealing it for later analysis.
Surprisingly, there has been a steady decline in the number of reported computer
thefts since February of 2009.[C] There are likely many reasons behind this decrease in
reports. The safe harbor provided by state and government regulations for lost or
stolen equipment that is encrypted might play a large part. One might conclude this is
because of the advancements in endpoint security controls and betterment of
enforcement policies. Then again, the decline could also be attributed to the lack of reports
required per the notification stipulations in regulations for encrypted systems.
Digital Forensic Acquisition Examination
The traditional approach to digital evidence acquisition is primarily limited to live
response scenarios. Historically, first responders would typically look for rogue
connections or peculiar processes on the suspect system. Tools used during this time were
often common application programming interfaces (APIs) with which most
administrators are familiar, as seen in Table 5.1. Hidden threads, terminated processes, and
kernel modules were often inaccessible in these specific circumstances.[D] This type of
information gathering can be risky, as inadvertent resource alterations can occur on
the subject's system, rendering potentially critical evidence worthless.[E]
[B] http://blogs.abcnews.com/theblotter/2007/02/hundreds_of_fbi.html
[C] http://datalossdb.org/incident_highlights/38-has-data-loss-jumped-the-shark
Table 5.1 Windows live forensics: commands commonly used
arp.exe          hunt.exe          ntfsinfo.exe       pulist.exe
attrib.exe       ipconfig.exe      ntlast.exe         reg.exe
auditpol.exe     iplist.exe        openports.exe      regdmp.exe
autorunsc.exe    ipxroute.exe      pclip.exe          RootkitRevealer.exe
cmd.exe          listdlls.exe      promiscdetect.exe  route.exe
cmdline.exe      mac.exe           ps.exe             sc.exe
dd.exe           mdmchk.exe        psfile.exe         servicelist.exe
drivers.exe      mem.exe           psinfo.exe         sniffer.exe
dumpel.exe       nbtstat.exe       pslist.exe         streams.exe
efsinfo.exe      net.exe           psloggedon.exe     strings.exe
fport.exe        netsh.exe         psloglist.exe      tlist.exe
handle.exe       netstat.exe       psservice.exe      uname.exe
hfind.exe        netusers.exe      pstat.exe          uptime.exe
hostname.exe     now.exe           psuptime.exe       whoami.exe
Computer Online Forensic Evidence Extractor or Detect and
Eliminate Computer-Assisted Forensics?
Microsoft appears to have finally taken notice of the open-source movements in
this field and has been serving the law enforcement community Computer Online
Forensic Evidence Extractor (COFEE) since 2007.[F] This is a suite of 150 bundled
scripts created to aid law enforcement agencies in gathering digital evidence. It was
designed to run from removable media, USB specifically, before the computer is
confiscated from the scene. The first iteration of this tool works best with Windows XP,
but another version will be available for Vista and 7 very soon if it is not already. This
tool has already been leaked to the user community and can be found on Rapidshare
or your favorite torrent site. The media has overhyped this tool, although it does
provide some handy features. It does not seem to do much more than the USB
Switchblade, but its modular design also allows for development.
The hacking community has taken action against Microsoft on this front by
releasing a countermeasure called Detect and Eliminate Computer-Assisted Forensics
[D] www.cert.org/archive/pdf/08tn017.pdf
[E] www.dfrws.org/2007/proceedings/p114-arasteh.pdf
[F] www.microsoft.com/industry/government/solutions/cofee/default.aspx