Nano-Scale Red Teaming: Making REs Cry With Device-Specific Opaque Execution presented at t2 2016

by Jacob Torrey

Summary: This talk will begin by examining architectural “tells” that can be used to detect the presence of analysis tools, even those with higher privilege or stealth capabilities than the attacker. These tells can be combined to prove (attest) to the attacker that the system is not under inspection before continuing the campaign or dropping sensitive data or code to the host. After the theory has been described, a demonstration will remotely attest the presence (or lack thereof) of tampering with the binary, introspection from a VMM or SMM, and so on.
Once you can be confident that you’re not being monitored, the second part of this talk will present techniques for using nano-scale hardware artifacts as a root of trust. Physically unclonable functions (PUFs) can be used to attest that the system has not been changed or emulated and to provide good sources of device-specific keying material. A few PUFs present on COTS systems will be discussed and demonstrated to give you additional assurance that your implants remain unmolested.
TL;DR: With these tools/techniques you can work towards realizing “trusted” implant networks that can detect observation and evade analysis or theft of sensitive data/code.
Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc., where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, an OS, a hypervisor and an SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the architecture’s limitations. In addition to his research, Jacob volunteers his time organizing conferences in Denver (RMISC & BSidesDenver) and regular meet-ups across the Front Range. Twitter: @JacobTorrey