A Dive into Windows User and Kernel Mode Exploit Mitigations

  • Wednesday, 10 Aug 2022 11:30AM SST (10 Aug 2022 03:30 UTC)
  • Speaker: Stephen Sims

This webcast will be presented in English, and will also be available to watch in Bahasa Indonesian, Japanese, Korean, Thai, and Vietnamese via simultaneous audio translation.

Webcast times:
03:30 a.m. UTC
09:00 a.m. UTC+05:30 (India)
10:30 a.m. UTC+07:00 (Indonesia / Thailand / Vietnam)
11:30 a.m. UTC+08:00 (Singapore / Philippines)
12:30 p.m. UTC+09:00 (Japan / Korea)
01:30 p.m. UTC+10:00 (Australia Eastern Daylight Time)
03:30 p.m. UTC+12:00 (New Zealand)
08:30 p.m. UTC-07:00 (Pacific Time Zone – Tuesday, 9 July 2022)

Webcast Abstract

English

As a penetration tester, red teamer, or exploit developer, you will often be up against a varying number of exploit mitigations aimed at thwarting your attack. In the past, the majority of these mitigations focused on user mode vulnerabilities; however, the Kernel is now well-protected. There are mature mitigations, such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Control Flow Guard (CFG), as well as newer mitigations associated with Windows Defender Exploit Guard. We will take a look at the most effective mitigations, and venture into Kernel mitigations such as Virtualization Based Security (VBS) and others.

Stephen Sims began working on computers at a young age with a fellow enthusiast: his father. Amazed by how easy it was to change an application's intended behavior, Stephen was quickly hooked. Today, he's an industry expert with over 15 years of experience in information technology and security. He authored SANS' most advanced course, SEC760: Advanced Exploit Development for Penetration Testers, was the 9th person in the world to earn the GIAC Security Expert certification (GSE), and is co-author of the Gray Hat Hacking book series, as well as a keynote speaker who has appeared at RSA USA and APJ, OWASP AppSec, BSides events and more. On top of all this, Stephen is Curriculum Lead for both SANS Cyber Defense and SANS Penetration Testing.

Bahasa Indonesian

As a penetration tester, "red team" member, or exploit developer, you will often face a number of exploit mitigations aimed at thwarting your attack. In the past, most of these mitigations focused on user-mode vulnerabilities; however, the Kernel is now well protected. There are mature mitigations, such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Control Flow Guard (CFG), as well as newer mitigations related to Windows Defender Exploit Guard. We will look at the most effective mitigations, and venture into Kernel mitigations such as Virtualization Based Security (VBS) and others.

Stephen Sims began working with computers at a young age alongside a fellow computer enthusiast: his own father. Amazed at how easy it was to change an application's intended behavior, Stephen was quickly hooked. Today he is an industry expert with more than 15 years of experience in information technology and security. He wrote SANS' most advanced training course, SEC760: Advanced Exploit Development for Penetration Testers. He is the ninth person in the world to earn the GIAC Security Expert (GSE) certification, is co-author of the Gray Hat Hacking book series, and is a keynote speaker who has appeared at RSA USA and APJ, OWASP AppSec, BSides events and many more. In addition, Stephen is Curriculum Lead for SANS Cyber Defense and SANS Penetration Testing.

Japanese

Penetration testers, red team members, and exploit developers face a variety of exploit mitigation technologies designed to block their attacks. Previously, most of these mitigations targeted user-mode vulnerabilities, but today many protections against kernel-mode vulnerabilities are implemented as well. There are mitigations that have come into wide use, such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Control Flow Guard (CFG), as well as newer mitigations such as Windows Defender Exploit Guard. This webcast introduces the effective mitigations and also delves into kernel-mode mitigations such as Virtualization Based Security (VBS).

Stephen Sims has been familiar with computers since early childhood, alongside his father. Surprised at how easily an application's original behavior could be tampered with, he was quickly captivated. Today he is an industry expert with more than 15 years of experience in information technology and security. He developed SANS' most advanced course, "SEC760: Advanced Exploit Development for Penetration Testers". He was also the ninth person in the world to earn the most advanced GIAC certification, the GIAC Security Expert certification (GSE). He is a co-author of the Gray Hat Hacking book series and has given keynotes at many events, including RSA USA and APJ, OWASP AppSec, and BSides. He also serves as Curriculum Lead for SANS Cyber Defense and SANS Penetration Testing.

Korean

Pen testers, red team members, and exploit developers frequently have to face a variety of exploit mitigation measures and defensive techniques intended to neutralize their attacks.

In the past, most threat mitigation techniques consisted entirely of finding, hardening, and managing user-mode vulnerabilities, but recently the protection level of the kernel itself has risen considerably, and a variety of advanced techniques have emerged, such as memory protection (Address Space Layout Randomization, ASLR), Data Execution Prevention (DEP), Control Flow Guard (CFG), and Windows Defender Exploit Guard (WDEG).

In this webcast we will discuss methods that effectively mitigate kernel security threats, and look in particular at VBS (Virtualization Based Security) technology.

Stephen Sims entered the world of computers in his childhood together with his father, a computer enthusiast, and, fascinated by how an application's behavior or results could be changed at will far more easily than expected, Stephen became ever more absorbed in computer security.

Stephen Sims is an expert with more than 15 years of rich experience in IT and information security. He is the author of SEC760: Advanced Exploit Development for Penetration Testers, one of SANS' most advanced courses, was the ninth person in the world to earn the GIAC Security Expert (GSE) certification, and is currently the curriculum lead for SANS Cyber Defense and Penetration Testing.

Stephen Sims is co-author of the security bestseller Gray Hat Hacking book series and is invited as a keynote speaker at global security conferences such as RSA USA and APJ, OWASP AppSec, and BSides.

Learn about the latest Windows kernel-mode and user-mode security techniques in this webcast.

Thai

Those who work as Penetration Testers, Red teamers, or exploit developers often run into obstacles in the form of exploit mitigations that cause their attacks to fail. In the past, mitigations were developed to protect against attacks in user mode, but today mitigations have been extended to the Kernel as well. Mitigations that have been around for a long time include Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Control Flow Guard (CFG), and newer mitigations are part of Windows Defender Exploit Guard. In this talk we will discuss the most effective mitigations and introduce Kernel mitigations such as Virtualization Based Security (VBS).

Stephen Sims began working with computers at a young age together with his father. Stephen was very surprised that the behavior of a program could be changed so easily, and that has kept him interested in this field ever since. Today he is an IT and security expert with more than 15 years of experience. He is the author of the course SEC760: Advanced Exploit Development for Penetration Testers, the most advanced course at SANS. He was the ninth person to earn the GIAC Security Expert (GSE) certification, is co-author of the Gray Hat Hacking book series, and has been a keynote speaker at RSA USA and APJ, OWASP AppSec, BSides, and many other events. In addition, Stephen oversees the courses in the SANS Cyber Defense and SANS Penetration Testing areas.

Vietnamese

If you work as a penetration tester, red teamer, or exploit developer, you will surely encounter many exploit mitigations designed to obstruct your progress. In the past, most of these mitigations focused on user-mode vulnerabilities; now, however, the operating system kernel is also tightly protected. Among the mitigations, some are mature, such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP), and Control Flow Guard (CFG), and others are newer and related to Windows Defender Exploit Guard. We will analyze the most effective mitigations, then go deeper into Kernel exploit mitigations, including Virtualization Based Security (VBS) and others.

Instructor Stephen Sims began exploring computers as a child together with a fellow enthusiast, his father. Amazed that an application's default behavior could be changed so easily, Stephen was quickly drawn to computers. Today he is an expert with more than 15 years of experience in information technology and security. He is the author of one of SANS' most advanced courses, SEC760: Advanced Exploit Development for Penetration Testers, and was the ninth person in the world to receive the GIAC Security Expert (GSE) certification. He is also co-author of the Gray Hat Hacking book series and a keynote speaker at RSA USA, RSA Asia Pacific & Japan, OWASP AppSec, BSides, and other events. In addition, Stephen serves as Curriculum Lead for the SANS Cyber Defense and SANS Penetration Testing curricula.