Weaponizing Hypervisors to Fight and Beat Car and Medical Devices Attacks

DEF CON 27

Presented by: Ali Islam, Daniel Regalado
Date: Saturday August 10, 2019
Time: 10:00 - 10:45
Location: Track 1

Historically, hypervisors have existed in the cloud for efficient utilization of resources, space, and money. The isolation feature is one of the reasons hypervisors are heavily moving to other ecosystems, like Automobiles, so that for example, if an Infotainment crashes, it does not affect other sensitive ECUs like ADAS. Blackberry QNX and AGL announced the use of hypervisors in their deployments on Cars.

The trending is real, but there is a big challenge! Most of the systems in Cars and Medical devices run on ARM, plus, protection at the hypervisor level is still limited. So, is it possible to have a framework that runs at the hypervisor level, able to monitor at the OS level and most important, capable to identify and kill threats coming into the monitored devices?

During this talk we will walk you through the steps needed to setup a framework running on Xilinx ZCU102 board able to monitor ARM-based devices and to kill malicious threats identified. Also will discuss challenges on syscall monitoring, single-stepping limitations, techniques to stay stealthy, techniques to detect and kill traditional malware seen in enterprise like Ransomware, Heap Exploits and capabilities on VM Escape attacks and feasibilty to detect Spectre-like exploits.

Ali Islam

Ali Islam Khan is the Chief Executive Officer (CEO) and Co-Founder of Numen Inc. He is also an avid C programmer and has developed the core set of Numen’s Virtual Machine Introspection (VMI) capabilities. Before quitting his job to work full time on Numen, Ali was Director R&D at FireEye where he was leading the R&D efforts for FireEye’s flagship email and network products. He is the founding member of FireEye Labs where he invented & developed some of the key detection technologies used in FireEye products today. Ali has multiple patents to his name and has over 13 years’ experience in a wide range of cyber security disciplines, including cryptography, malware analysis, cyber-espionage and product development. He has successfully created and led global teams from scratch. Ali has spoken at conferences such as RSA and worked with various government agencies such as DHS, KISA on intelligence sharing efforts to counter nation-state level threats. Khan holds an MBA from UC Berkeley and a Master’s degree in network security from Monash University, Australia. He is an AUSAID scholar and the recipient of the prestigious Golden Key Award. Twitter: @Ali_Islam_Khan LinkedIn: https://www.linkedin.com/in/aliislam/

Daniel Regalado

Daniel Regalado aka DanuX is the CTO and Co-Founder of Numen Inc. He is a Mexican security researcher with more than 17 years in the scene. He has worked reversing malware and exploits at Symantec Security Response Team and FireEye Labs and lately focused on IoT threats at Zingbox. He is credited with the discovery of most of the ATM malware worldwide. He is the co-author of famous book Gray Hat Hacking and he likes to present his discoveries in major security conferences like RECon, RSA, DEF CON IoT/Car Hacking villages, BSIDES. Twitter: @danuxx LinkedIn: https://www.linkedin.com/in/daniel-regalado-200aa414/


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats