2. Agenda
Introduction to the problem
What is data exfiltration?
Why is it more difficult to catch than regular network based intrusions?
Hardware based Trojans
Huawei case
Greek phone tapping case
Software based trojans
Rootkits
Proposed approach
Multiple stacks/layered detection
Parameters to watch
Challenges
3. What is data exfiltration?
Unauthorized extraction of data from a system
Can be locally or remotely initiated
Is hard to catch because:
May leave no fingerprint
Insider attack
Can go at great lengths to hide itself using kernel level
device drivers
4. Hardware based trojans
Use cases:
Huawei case
Greek phone tapping case
Special challenges in catching HW Trojans
Special circuits with an extremely small footprint
Most come shipped with their own software
Most circuit based testing methods too expensive and
impractical to check for each possible circuit flow
5. Rootkits and other Trojans
Device driver way to get in
Kernel mode access
Can hide processes
Can auto run on restart
Stuxnet: the most famous example
6. Multi layered approach
• Hidden processes
• New hardware insertion event
Application layer • New device driver registration
• Change in outgoing packet patterns
Network layer • Connection to an unknown address
• Change in the power consumption patterns
• Change in the instruction set patterns
Hardware layer
7. Justification for a multi
stacked solution
No such thing as the perfect defense
Idea is to make it really hard for the attacker to avoid
detection
Certain techniques on the network and application
layer are state of the art, just never used together
Sophisticated hardware Trojans not just sections of
mala fide circuits, but come with their own custom
software
8. Parameters to monitor
New Hardware detection
New device driver registration
Sudden increase in packet size going out
Type of data going out
Key file hashes being changed
9. Parameters to monitor
Memory traces
CPU utilization
Hidden processes
Power pattern changes
Instruction set pattern changes
10. Relevance of parameters
matrix
Parameter/Alar Ways to monitor reliable reliable reliable
m on its with a few with many
own? other other
alarms? alarms?
New hardware lsusb, udevd, No Yes Yes
detection udevadm, lshw
New device Lspci, lsmod, No Yes Yes
driver detection modprobe
Increase in Wire shark, tcpdump No Yes Yes
outgoing packet
size
Change in type Wireshark, tcpdump No No Yes
of data going out
Change in file tripwire No Yes Yes
hashes
11. Relevance of parameters
matrix
Parameter/Alar Ways to monitor reliable reliable reliable
m on its with a with many
own? few other
other alarms?
alarms?
Memory traces /proc file system No No Yes
CPU utilization mpstat, top, sysstat No No Yes
Hidden unhide, proc/exe Yes Yes Yes
processes
Power pattern Yes Yes Yes
changes
Instruction set Yes Yes Yes
changes
12. Challenges
Most Metasploit exploits on windows
Exploits to test all alarms/parameters
Creating a hardware exploit which involves minimum user
interaction
Detecting the system parameters on windows