
Multi-processing Permits Bypass of Security Software


Matousec has recently shaken up the security software industry with a paper and demonstration showing how to bypass (or kill) the products using nothing more than user-mode code. Called KHOBE, the program realizes a vulnerability theorized back in the ‘90s by exploiting a race condition in the parameters passed through Win32 / NT API hooks. Hooking is a method where code replaces pointer entries in the SSDT with its own pointers, allowing other functions to run “in the middle” between an application calling the API and the actual API’s code being executed. It’s a technique used for both good (anti-virus) and evil (rootkits). The attack in question uses the concurrency of multi-processing to let a parallel thread modify the parameter structures after the hook has inspected them but before the real API processes them. In essence, innocuous parameters are passed in the API call, which the hook intercepts and approves; but before the middleware passes those parameters on to the native API, a concurrent thread alters them back into a malicious version. As for which security products are vulnerable to KHOBE, “the researchers said that the only reason that they found exploits in only 34 products was that they only had time to test 34 products.”
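The weakness described above is a time-of-check-to-time-of-use race: the hook validates a parameter block that still sits in memory the caller's other threads can write, then hands that same memory to the real API. The following is an added example, not code from Matousec, KHOBE, or any of the products tested; it models the hook, the policy and the racing thread in plain C. Instead of real threads, a callback (`race`) stands in for the moment the second thread wins the race, so the interleaving is deterministic and both outcomes can be shown side by side. The `struct request`, the `/tmp/sandbox/` policy and the `swap_target` behaviour are all constructed for the illustration. The hardened version does what Windows kernel code is expected to do with user-mode parameters, namely capture them into memory the caller cannot touch before validating them, and then pass only the captured copy on.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a parameter block handed to a hooked API.  In the
   real attack this is caller-owned memory that another thread may rewrite. */
struct request {
    char target[64];   /* e.g. a path the hook decides to allow or block */
};

/* Stand-in for the native API: it merely reports which target it acted on. */
static void real_api(const struct request *req, char *acted_on, size_t n) {
    strncpy(acted_on, req->target, n - 1);
    acted_on[n - 1] = '\0';
}

/* Constructed policy: only targets under /tmp/sandbox/ are permitted. */
static bool policy_allows(const char *target) {
    return strncmp(target, "/tmp/sandbox/", 13) == 0;
}

/* Models the racing thread.  NULL means the race is not won (or not run). */
typedef void (*interleave_fn)(struct request *);

/* Constructed racing-thread behaviour: overwrite the target after the check. */
static void swap_target(struct request *req) {
    strcpy(req->target, "/etc/passwd");
}

/* Vulnerable hook: inspects the caller's buffer, then forwards that SAME
   buffer.  Returns 0 when the call was allowed through, -1 when blocked. */
int hook_vulnerable(struct request *req, interleave_fn race,
                    char *acted_on, size_t n) {
    if (!policy_allows(req->target))
        return -1;                       /* time of check */
    if (race) race(req);                 /* window: caller memory changes */
    real_api(req, acted_on, n);          /* time of use: sees the new value */
    return 0;
}

/* Hardened hook: snapshot first, validate the snapshot, forward the snapshot.
   The caller may rewrite its own memory at any time; it no longer matters. */
int hook_hardened(struct request *req, interleave_fn race,
                  char *acted_on, size_t n) {
    struct request snapshot = *req;      /* single copy out of caller memory */
    if (!policy_allows(snapshot.target))
        return -1;
    if (race) race(req);                 /* same window, same interference */
    real_api(&snapshot, acted_on, n);    /* API only ever sees checked data */
    return 0;
}

/* Helper for the demonstration: run one hook with or without the race and
   report both the verdict and what the native API ended up touching. */
static void show(const char *label,
                 int (*hook)(struct request *, interleave_fn, char *, size_t),
                 interleave_fn race) {
    struct request req;
    char acted_on[64] = "(nothing)";
    strcpy(req.target, "/tmp/sandbox/notes.txt");   /* benign at call time */
    int verdict = hook(&req, race, acted_on, sizeof acted_on);
    printf("%-10s race=%-3s verdict=%s  api acted on: %s\n",
           label, race ? "yes" : "no",
           verdict == 0 ? "allowed" : "blocked", acted_on);
}

int main(void) {
    show("vulnerable", hook_vulnerable, NULL);
    show("vulnerable", hook_vulnerable, swap_target);  /* allowed, but hits /etc/passwd */
    show("hardened",   hook_hardened,   NULL);
    show("hardened",   hook_hardened,   swap_target);  /* allowed, still sandbox path */
    return 0;
}
```

The vulnerable hook is not wrong about the value it checked; it is wrong about which memory it forwards. The only robust fix is the capture-then-validate pattern in `hook_hardened`: every byte the policy decision depends on is copied out of caller-writable memory exactly once, and the real API is called with that copy. Re-checking the original buffer a second time only narrows the window; it does not close it.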

TOCTTOU by Anonymous

http://en.wikipedia.org/wiki/Time-of-check-to-time-of-use

(too lazy to login btw)
