Abstract

Thursday 25 September, 14:30 - 15:00, Green room. Shane Macaulay, IOActive.

To know whether your system is compromised, you need to find everything that could run (or otherwise change state) and then verify its integrity (is it what you expect it to be?). 'Finding everything' is a bold statement, particularly in the realm of computer security, rootkits and advanced threats. How is that possible? The short answer is, sadly, that it's not. Strangely, the long answer is that it is, in fact, possible to find everything.

The typical iterative attack <=> defence loop in the wake of rootkit technologies, DKOM, shadow walker and the like has come to an end with the discovery of a cross-platform, cross-architecture, hardware-defined process detection technique. When the OS starts a process, it establishes the ability to use virtual memory (and thereby memory protection) by creating a page table. The so-called page table is itself a single page of physical memory (0x1000 bytes); it is usually allocated by way of some cache-optimized mechanism, which makes locating it somewhat complicated. Fortunately, we do have a method for identifying a page table by understanding several established (hardware) requirements for its construction. By identifying the absolute minimum amount of bit testing, evasive methods are limited if not comprehensively blocked. Detection of all process/kernel memory is now possible, and DKOM-style rootkits are rendered obsolete by this detection method.

The presentation will discuss hypervisor device verifiability, physical memory dump assurances, and how leveraging these techniques combined with process detection can effectively detect TLB (shadow walker) or hardware (UEFI)-based rootkits.
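As an added illustration (not the speaker's code or slides) of what "the absolute minimum amount of bit testing" can look like, the Python below scans a constructed 64-bit physical memory image for pages that satisfy the x86-64 top-level (PML4) entry format: every present entry keeps reserved bit 7 clear and addresses a frame inside the dump, and, as an assumed OS convention rather than a hardware rule, exactly one entry maps the table onto itself. The sample image, its page layout and the self-map index 0x1ED are constructed for the demo.

```python
import struct

PAGE = 0x1000
PRESENT = 1 << 0
RESERVED = 1 << 7                    # PML4E bit 7 is reserved and must be 0
FRAME_MASK = 0x000FFFFFFFFFF000      # bits 51:12 carry the physical frame address


def entry_ok(entry: int, image_size: int) -> bool:
    """A present PML4 entry must keep its reserved bit clear and point inside the dump."""
    if not entry & PRESENT:
        return True                  # non-present entries are free-form; nothing to test
    if entry & RESERVED:
        return False
    return (entry & FRAME_MASK) < image_size


def find_top_level_tables(image: bytes):
    """Return physical offsets of pages that pass the minimal page-table tests."""
    hits = []
    for base in range(0, len(image) - PAGE + 1, PAGE):
        entries = struct.unpack_from("<512Q", image, base)
        if not all(entry_ok(e, len(image)) for e in entries):
            continue
        # Assumed OS convention: exactly one present entry maps the table onto itself,
        # which also rules out all-zero pages that trivially satisfy the format checks.
        self_refs = [e for e in entries if e & PRESENT and (e & FRAME_MASK) == base]
        if len(self_refs) == 1:
            hits.append(base)
    return hits


def build_sample_image() -> bytes:
    """Constructed 5-page 'physical memory dump' for the demo (not real data)."""
    pages = [bytearray(PAGE) for _ in range(5)]
    # page 1: looks like a table but one entry points past the end of the dump
    struct.pack_into("<Q", pages[1], 0, 0x123456000 | PRESENT)
    # page 2: genuine-looking top-level table, self-mapped at index 0x1ED
    struct.pack_into("<Q", pages[2], 0x000 * 8, 0x3000 | 0x3)      # user mapping -> page 3
    struct.pack_into("<Q", pages[2], 0x1ED * 8, 0x2000 | 0x3)      # self reference
    struct.pack_into("<Q", pages[2], 0x1FF * 8, 0x3000 | 0x3)      # kernel mapping -> page 3
    # page 4: self-referencing, but reserved bit 7 is set -> must be rejected
    struct.pack_into("<Q", pages[4], 0x1ED * 8, 0x4000 | RESERVED | 0x3)
    return bytes(b"".join(pages))


if __name__ == "__main__":
    print([hex(b) for b in find_top_level_tables(build_sample_image())])  # ['0x2000']
```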
