Update state tampering: A novel adversary post-compromise technique on cyber threats

Sung Jin Kim; Byung Joon Kim; Hyoung Chun Kim; Dong Hoon Lee

doi:10.1007/978-3-319-93411-2_7

Update state tampering: A novel adversary post-compromise technique on cyber threats

Sung Jin Kim, Byung Joon Kim, Hyoung Chun Kim, Dong Hoon Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

With modern cyber threats, attackers should gain persistency in target systems to achieve attack objectives. Once an attacker’s zero-day vulnerabilities on target systems are patched, the attacker may lose control over the system. However, systems remain vulnerable when an attacker manipulates the component resources on a Windows system. We found methods to generate invisible vulnerabilities on a victim’s system. Our findings are as follows: first, we found ways to replace a component to an old vulnerable version while maintaining the current update records; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second issue as a blind spot issue on the Windows update management. They have been identified on all version of Vista and later, including desktop platforms and server platforms. Based on our findings, we reveal an Update State Tampering technique that can generate invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker’s point of view, and an Update State Check scheme that detects and recovers the package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings
Publisher	Springer Verlag
Pages	141-161
Number of pages	21
ISBN (Print)	9783319934105
DOIs	https://doi.org/10.1007/978-3-319-93411-2_7
Publication status	Published - 2018 Jan 1
Event	15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France Duration: 2018 Jun 28 → 2018 Jun 29

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	10885 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Other

Other	15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018
Country/Territory	France
City	Saclay
Period	18/6/28 → 18/6/29

Keywords

Cyber threat
Post-compromise
Windows update

ASJC Scopus subject areas

Theoretical Computer Science
General Computer Science

Access to Document

10.1007/978-3-319-93411-2_7

Cite this

Kim, S. J., Kim, B. J., Kim, H. C., & Lee, D. H. (2018). Update state tampering: A novel adversary post-compromise technique on cyber threats. In Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings (pp. 141-161). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10885 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-93411-2_7

Update state tampering: A novel adversary post-compromise technique on cyber threats. / Kim, Sung Jin; Kim, Byung Joon; Kim, Hyoung Chun et al.
Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings. Springer Verlag, 2018. p. 141-161 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10885 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kim, SJ, Kim, BJ, Kim, HC & Lee, DH 2018, Update state tampering: A novel adversary post-compromise technique on cyber threats. in Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 10885 LNCS, Springer Verlag, pp. 141-161, 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018, Saclay, France, 18/6/28. https://doi.org/10.1007/978-3-319-93411-2_7

Kim SJ, Kim BJ, Kim HC, Lee DH. Update state tampering: A novel adversary post-compromise technique on cyber threats. In Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings. Springer Verlag. 2018. p. 141-161. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-319-93411-2_7

Kim, Sung Jin ; Kim, Byung Joon ; Kim, Hyoung Chun et al. / Update state tampering : A novel adversary post-compromise technique on cyber threats. Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings. Springer Verlag, 2018. pp. 141-161 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{cbe7701e47b54a69a77667f321c5442f,

title = "Update state tampering: A novel adversary post-compromise technique on cyber threats",

abstract = "With modern cyber threats, attackers should gain persistency in target systems to achieve attack objectives. Once an attacker{\textquoteright}s zero-day vulnerabilities on target systems are patched, the attacker may lose control over the system. However, systems remain vulnerable when an attacker manipulates the component resources on a Windows system. We found methods to generate invisible vulnerabilities on a victim{\textquoteright}s system. Our findings are as follows: first, we found ways to replace a component to an old vulnerable version while maintaining the current update records; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second issue as a blind spot issue on the Windows update management. They have been identified on all version of Vista and later, including desktop platforms and server platforms. Based on our findings, we reveal an Update State Tampering technique that can generate invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker{\textquoteright}s point of view, and an Update State Check scheme that detects and recovers the package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.",

keywords = "Cyber threat, Post-compromise, Windows update",

author = "Kim, {Sung Jin} and Kim, {Byung Joon} and Kim, {Hyoung Chun} and Lee, {Dong Hoon}",

year = "2018",

month = jan,

day = "1",

doi = "10.1007/978-3-319-93411-2_7",

language = "English",

isbn = "9783319934105",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "141--161",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings",

note = "15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 ; Conference date: 28-06-2018 Through 29-06-2018",

}

TY - GEN

T1 - Update state tampering

T2 - 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018

AU - Kim, Sung Jin

AU - Kim, Byung Joon

AU - Kim, Hyoung Chun

AU - Lee, Dong Hoon

PY - 2018/1/1

Y1 - 2018/1/1

N2 - With modern cyber threats, attackers should gain persistency in target systems to achieve attack objectives. Once an attacker’s zero-day vulnerabilities on target systems are patched, the attacker may lose control over the system. However, systems remain vulnerable when an attacker manipulates the component resources on a Windows system. We found methods to generate invisible vulnerabilities on a victim’s system. Our findings are as follows: first, we found ways to replace a component to an old vulnerable version while maintaining the current update records; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second issue as a blind spot issue on the Windows update management. They have been identified on all version of Vista and later, including desktop platforms and server platforms. Based on our findings, we reveal an Update State Tampering technique that can generate invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker’s point of view, and an Update State Check scheme that detects and recovers the package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.

AB - With modern cyber threats, attackers should gain persistency in target systems to achieve attack objectives. Once an attacker’s zero-day vulnerabilities on target systems are patched, the attacker may lose control over the system. However, systems remain vulnerable when an attacker manipulates the component resources on a Windows system. We found methods to generate invisible vulnerabilities on a victim’s system. Our findings are as follows: first, we found ways to replace a component to an old vulnerable version while maintaining the current update records; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second issue as a blind spot issue on the Windows update management. They have been identified on all version of Vista and later, including desktop platforms and server platforms. Based on our findings, we reveal an Update State Tampering technique that can generate invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker’s point of view, and an Update State Check scheme that detects and recovers the package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.

KW - Cyber threat

KW - Post-compromise

KW - Windows update

UR - http://www.scopus.com/inward/record.url?scp=85049311468&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85049311468&partnerID=8YFLogxK

U2 - 10.1007/978-3-319-93411-2_7

DO - 10.1007/978-3-319-93411-2_7

M3 - Conference contribution

AN - SCOPUS:85049311468

SN - 9783319934105

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 141

EP - 161

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings

PB - Springer Verlag

Y2 - 28 June 2018 through 29 June 2018

ER -

Update state tampering: A novel adversary post-compromise technique on cyber threats

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this