KIDS – Kernel Intrusion Detection System.ppt

Future Some advanced hardware, like pSeries support firmware services to abstract portions of the hardware of the operating system pSeries for example has the RTAS (run-time abstraction service) to easily access NVRAM and heartbeat mechanics This operating system running in the firmware maybe modified to offer integrity verification Other approaches PaX KernSeal – compiler modifications – not released yet Maryland Info-Security Labs Co-pilot and others (firewire, tribble, etc) – PCI Card to analyze the system integrity – cache/relocation attacks, Joanna ideas, hardware based Intel System Integrity Services – SMM-based implementation – depends on external hardware (also uses client/server signed heartbeats) Microsoft PatchGuard – Self-encryption and kernel instrumentation – many problems spotted by articles Who wanna test? Everyone uses KIDS ;) If someone wants to join these guys from the Carnival land: Acknowledges Spender for help into many portions of the model PaX Team for solving doubts about PaX and giving many help point directly to the pax implementation code XCon crew: Thanks for the good time in Beijing and HCMC! Hope to be with you in Sao Paulo :D REFERENCES Spender public exploit: /dailydave/2007/q1/0227.html Pax Project: Joanna Rutkowska: Julio Auto @ H2HC – Hackers 2 Hackers Conference: .br A Tamper-Resistant, Platform-Based, Bilateral - INTEL Approach to Worm Containment Runtime Integrity and Presence Verification for Software Agents - INTEL BIOS and Kernel Developer′s Guide for AMD Athlon 64 and AMD Opteron Processors - AMD Intel Architecture Software Developer′s Manual Volume 3: System Programming Security Issues Related to Pentium System Management Mode Lo?c Duflot Questions?Thank you :D Rodrigo Rubira Branco rodrigo@ Domingo Montanaro conferences@ * Julio Auto at H2HC III proposed an IDT hooking to bypass StMichael – in Vietnam we showed a working sample of this proposal (he just give a theorical idea to bypass it) Also, he has pr