#HITB2016AMS D1T1 - Using The Observer Effect And Cyber Feng Shui - Jacob Torrey
The observer effect (commonly confused with Heisenberg’s uncertainty principle) tells us that in particle physics the act of observing an event changes its behavior. This is true in computer systems as well, and an attacker can use it to determine whether they are being monitored or introspected upon from on high.
This talk will begin by examining architectural “tells” that can be used to detect the presence of analysis tools, even those with higher privilege or stealth capabilities than the attacker. These tells can be combined to prove (attest) to the attacker that the system is not under inspection before the campaign continues or sensitive data/code is dropped on the host. After the theory has been described, a demonstration will remotely attest the presence (or lack thereof) of tampering with the binary, introspection from a VMM or SMM, etc.
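As an added illustration of one such architectural tell (this is example code written for this page, not code from the talk or from the speaker), the C program below times the x86 CPUID instruction against an empty baseline. CPUID unconditionally exits to a hypervisor, so when a VMM is interposed its cost relative to back-to-back RDTSC readings balloons, even though the VMM runs at higher privilege than the probing code. The median of many samples is used so that a stray interrupt does not skew the verdict. The sample count and the ratio threshold of 20 are assumptions that must be calibrated on known-clean hardware; the non-x86 fallback exists only so the file builds and measures nothing meaningful.

```c
/* Added example, not part of the HITB talk: a timing "tell" for VMM
 * introspection. On x86 the CPUID instruction unconditionally exits to the
 * hypervisor, so it runs far slower under virtualisation than on bare metal.
 * Sample count and ratio threshold are assumptions; calibrate on known-clean
 * hardware before trusting the verdict. */
#define _POSIX_C_SOURCE 199309L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#include <cpuid.h>
static uint64_t read_cycles(void) { return __rdtsc(); }
/* CPUID leaf 0: always intercepted by a VMM, cheap on bare metal. */
static void trapping_probe(void) {
    unsigned regs[4];
    __cpuid(0, regs[0], regs[1], regs[2], regs[3]);
    (void)regs;
}
#else
#include <time.h>
/* Non-x86 fallback so the file still builds; it measures nothing meaningful. */
static uint64_t read_cycles(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
static void trapping_probe(void) { }
#endif

/* Baseline: nothing but a compiler barrier between the two timestamps. */
static void baseline_probe(void) { __asm__ volatile("" ::: "memory"); }

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/* Upper median of n samples; sorts a copy so the caller's buffer survives. */
uint64_t median_u64(const uint64_t *samples, size_t n) {
    if (n == 0) return 0;
    uint64_t *tmp = malloc(n * sizeof *tmp);
    if (!tmp) return 0;
    memcpy(tmp, samples, n * sizeof *tmp);
    qsort(tmp, n, sizeof *tmp, cmp_u64);
    uint64_t m = tmp[n / 2];
    free(tmp);
    return m;
}

/* Time `probe` n times and return the median tick delta. Median rather than
 * mean, so a timer interrupt or SMI landing mid-sample does not skew it. */
uint64_t measure_median(void (*probe)(void), size_t n) {
    uint64_t *deltas = malloc(n * sizeof *deltas);
    if (!deltas) return 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_cycles();
        probe();
        uint64_t t1 = read_cycles();
        deltas[i] = t1 - t0;
    }
    uint64_t m = median_u64(deltas, n);
    free(deltas);
    return m;
}

/* Assumed heuristic: if the trapping instruction costs more than `ratio`
 * times the empty baseline, something above ring 0 is handling it. */
int introspection_suspected(uint64_t trap_median, uint64_t base_median,
                            uint64_t ratio) {
    if (base_median == 0) base_median = 1;   /* degenerate clock; avoid x*0 */
    return trap_median > ratio * base_median;
}

int main(void) {
    const size_t samples = 4000;
    uint64_t base = measure_median(baseline_probe, samples);
    uint64_t trap = measure_median(trapping_probe, samples);
    printf("baseline median: %llu ticks\n", (unsigned long long)base);
    printf("cpuid median:    %llu ticks\n", (unsigned long long)trap);
    puts(introspection_suspected(trap, base, 20)
             ? "verdict: introspection suspected (CPUID is being intercepted)"
             : "verdict: no interception overhead observed");
    return 0;
}
```

Build with `gcc -O2` and run it once on bare metal and once inside a VM to see the gap. A hypervisor can adjust TSC offsetting or otherwise hide a single tell, which is exactly why the talk combines several independent tells rather than trusting one measurement.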
Once you can be confident that you’re not being monitored, the second part of this talk will provide some handy Feng Shui techniques for making your new home more cozy. Physically unclonable functions (PUFs) can be used to attest that the system has not been changed or emulated, and they provide good sources of device-specific keying material. A few PUFs present on COTS systems will be discussed and demonstrated, providing additional assurance that your new home remains safe and your implants unmolested.
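PUF responses are noisy by construction: the same challenge on the same chip returns a response that differs in a few bits from read to read, while a different chip, or an emulator that does not model the silicon, returns something roughly half the bits away. The C program below, written for this page and not taken from the talk, shows the minimal plumbing that turns such reads into a usable device fingerprint: majority-vote several reads to suppress per-bit noise, then compare the stabilised response to the enrolled reference by Hamming distance. The response bytes, the three noisy reads, the emulator's reads and the 8-bit acceptance threshold are all constructed for the example; a real deployment enrolls the reference on the device itself and runs the stabilised bits through a fuzzy extractor before using them as keying material.

```c
/* Added example, not part of the HITB talk: stabilising noisy PUF reads and
 * checking them against an enrolled reference. All response bytes below are
 * constructed; the noise pattern and threshold are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define PUF_BYTES 16
#define PUF_READS 3

/* Constructed enrollment reference: what this chip answered at provisioning. */
const uint8_t enrolled_ref[PUF_BYTES] = {
    0xA5, 0x3C, 0x0F, 0xF0, 0x96, 0x69, 0xC3, 0x3C,
    0x5A, 0xA5, 0x0F, 0xF0, 0x81, 0x7E, 0x18, 0xE7 };

/* Constructed field reads from the genuine chip: each flips one bit. */
const uint8_t genuine_reads[PUF_READS][PUF_BYTES] = {
    { 0xA4, 0x3C, 0x0F, 0xF0, 0x96, 0x69, 0xC3, 0x3C,
      0x5A, 0xA5, 0x0F, 0xF0, 0x81, 0x7E, 0x18, 0xE7 },   /* byte 0, bit 0 */
    { 0xA5, 0x3C, 0x0F, 0xF0, 0x96, 0xE9, 0xC3, 0x3C,
      0x5A, 0xA5, 0x0F, 0xF0, 0x81, 0x7E, 0x18, 0xE7 },   /* byte 5, bit 7 */
    { 0xA5, 0x3C, 0x0F, 0xF0, 0x96, 0x69, 0xC3, 0x3C,
      0x5A, 0xA5, 0x0F, 0xF0, 0x81, 0x7E, 0x18, 0xEF } }; /* byte 15, bit 3 */

/* Constructed reads from an emulator that models SRAM as zero-initialised. */
const uint8_t emulator_reads[PUF_READS][PUF_BYTES] = { {0}, {0}, {0} };

/* Bitwise majority vote over an odd number of reads; suppresses the few
 * unstable bits a genuine PUF flips from read to read. */
void puf_majority_vote(const uint8_t reads[][PUF_BYTES], size_t n_reads,
                       uint8_t out[PUF_BYTES]) {
    for (size_t i = 0; i < PUF_BYTES; i++) {
        uint8_t v = 0;
        for (unsigned bit = 0; bit < 8; bit++) {
            size_t ones = 0;
            for (size_t r = 0; r < n_reads; r++)
                ones += (reads[r][i] >> bit) & 1u;
            if (2 * ones > n_reads) v |= (uint8_t)(1u << bit);
        }
        out[i] = v;
    }
}

/* Number of differing bits between two byte strings of length n. */
unsigned hamming_distance(const uint8_t *a, const uint8_t *b, size_t n) {
    unsigned d = 0;
    for (size_t i = 0; i < n; i++)
        d += (unsigned)__builtin_popcount(a[i] ^ b[i]);
    return d;
}

/* Distance between the enrolled reference and the majority-voted reads. */
unsigned stabilised_distance(const uint8_t reads[][PUF_BYTES], size_t n_reads) {
    uint8_t stable[PUF_BYTES];
    puf_majority_vote(reads, n_reads, stable);
    return hamming_distance(enrolled_ref, stable, PUF_BYTES);
}

/* Accept when the stabilised response is within max_dist bits of enrollment.
 * An unrelated chip or a non-modelling emulator lands near 50% distance. */
int puf_device_matches(const uint8_t reads[][PUF_BYTES], size_t n_reads,
                       unsigned max_dist) {
    return stabilised_distance(reads, n_reads) <= max_dist;
}

int main(void) {
    const unsigned threshold = 8;   /* assumed: about 6% of 128 bits */
    printf("genuine chip: distance %u -> %s\n",
           stabilised_distance(genuine_reads, PUF_READS),
           puf_device_matches(genuine_reads, PUF_READS, threshold) ? "accept" : "reject");
    printf("emulator:     distance %u -> %s\n",
           stabilised_distance(emulator_reads, PUF_READS),
           puf_device_matches(emulator_reads, PUF_READS, threshold) ? "accept" : "reject");
    return 0;
}
```

The threshold is the whole security argument: it must sit well above the chip's own read-to-read noise and well below the distance an unrelated device or emulator produces, and both figures come from measuring real hardware, not from this constructed data.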
The combination of these two techniques will let you be the Martha Stewart of your system: tidy, safe and feeling slightly guilty for your insider access; with these tools you can work towards realizing “trusted” implant networks that can detect observation and evade analysis or theft of sensitive data/code.
======
Jacob Torrey is an Advising Research Engineer at Assured Information Security, Inc. where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture. He can be found posting goofy stuff to his Twitter: @JacobTorrey when not out in the mountains or tending to his critters.