Update state tampering

A novel adversary post-compromise technique on cyber threats

Sung Jin Kim, Byung Joon Kim, Hyoung Chun Kim, Dong Hoon Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

With modern cyber threats, attackers must gain persistence on target systems to achieve their objectives. Once the zero-day vulnerabilities an attacker relies on are patched, the attacker may lose control over the system. However, a system remains vulnerable when an attacker manipulates the component resources of a Windows installation. We found methods to generate invisible vulnerabilities on a victim's system. Our findings are as follows: first, we found ways to replace a component with an old, vulnerable version while preserving the current update records; second, we found that Windows does not recognize the replaced components. We define the first issue as a package-component mismatch and the second as a blind spot in Windows update management. Both have been identified on all versions of Windows from Vista onward, on desktop and server platforms alike. Based on these findings, we present an Update State Tampering technique that can create invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker's point of view, and an Update State Check scheme that detects and repairs package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the technique.
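The abstract describes a package-component mismatch: the servicing records say a patch is installed, but the binary actually loaded from disk is an older one. The script below is an added illustration of how a defender might look for that condition on a live host; it is not the authors' Update State Check scheme, and the signals it uses (on-disk file version versus the newest copy staged in the WinSxS component store, hard-link count, Authenticode status) and the component list are this editor's assumptions, not taken from the paper.

```powershell
# Added example, not the paper's Update State Check implementation.
# Flags System32 components whose on-disk version is older than the newest copy
# staged in the component store (WinSxS). Run from an elevated prompt.
# A hit is a lead for investigation, not proof of tampering: a pending reboot or
# a servicing operation in progress can legitimately leave a mismatch.

param(
    # Assumption: a small starting set of security-relevant binaries; extend as needed.
    [string[]]$Components = @('ntoskrnl.exe', 'ntdll.dll', 'win32k.sys', 'srv2.sys')
)

$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'System32\drivers')
)
$winsxs = Join-Path $env:SystemRoot 'WinSxS'

function Get-FileVersionObject {
    param([string]$Path)
    $vi = (Get-Item -LiteralPath $Path -ErrorAction Stop).VersionInfo
    # FileVersion strings may carry build-lab suffixes; use the numeric parts only.
    [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                  $vi.FileBuildPart, $vi.FilePrivatePart)
}

foreach ($name in $Components) {
    $live = $searchRoots | ForEach-Object { Join-Path $_ $name } |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    if (-not $live) { continue }

    $liveVersion = Get-FileVersionObject -Path $live

    # Every version Windows has ever staged for a component sits under WinSxS;
    # the newest one is what the servicing store believes is currently installed.
    $newestStaged = Get-ChildItem -LiteralPath $winsxs -Recurse -File -Filter $name `
                        -ErrorAction SilentlyContinue |
                    ForEach-Object { Get-FileVersionObject -Path $_.FullName } |
                    Sort-Object -Descending | Select-Object -First 1

    # System32 components are normally hard links into WinSxS; a file simply
    # copied over the original has a link count of 1.
    $linkCount = @(fsutil hardlink list $live).Count

    # A downgraded binary is still Microsoft-signed, so signature status alone
    # will not catch this; it is reported only to rule out unsigned replacements.
    $sigStatus = (Get-AuthenticodeSignature -LiteralPath $live).Status

    [pscustomobject]@{
        Component    = $name
        Path         = $live
        OnDisk       = $liveVersion
        NewestStaged = $newestStaged
        Downgraded   = [bool]($newestStaged -and ($liveVersion -lt $newestStaged))
        HardLinks    = $linkCount
        Signature    = $sigStatus
    }
}
```

Pipe the output to `Where-Object { $_.Downgraded -or $_.HardLinks -eq 1 }` to see only suspicious rows. Because the check compares artifacts on disk rather than asking the update client what it believes is installed, it is not fooled by update records that were left intact; the trade-off is a slow recursive walk of WinSxS, so on large fleets the per-component versions should be collected once and cached.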

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings
Publisher: Springer Verlag
Pages: 141-161
Number of pages: 21
ISBN (Print): 9783319934105
DOI: 10.1007/978-3-319-93411-2_7
Publication status: Published - 2018 Jan 1
Event: 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France
Duration: 2018 Jun 28 to 2018 Jun 29

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10885 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Name: 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018
Country: France
City: Saclay
Period: 18/6/28 to 18/6/29

Keywords

  • Cyber threat
  • Post-compromise
  • Windows update

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Kim, S. J., Kim, B. J., Kim, H. C., & Lee, D. H. (2018). Update state tampering: A novel adversary post-compromise technique on cyber threats. In Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings (pp. 141-161). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10885 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-93411-2_7

@inproceedings{cbe7701e47b54a69a77667f321c5442f,
title = "Update state tampering: A novel adversary post-compromise technique on cyber threats",
abstract = "With modern cyber threats, attackers must gain persistence on target systems to achieve their objectives. Once the zero-day vulnerabilities an attacker relies on are patched, the attacker may lose control over the system. However, a system remains vulnerable when an attacker manipulates the component resources of a Windows installation. We found methods to generate invisible vulnerabilities on a victim's system. Our findings are as follows: first, we found ways to replace a component with an old, vulnerable version while preserving the current update records; second, we found that Windows does not recognize the replaced components. We define the first issue as a package-component mismatch and the second as a blind spot in Windows update management. Both have been identified on all versions of Windows from Vista onward, on desktop and server platforms alike. Based on these findings, we present an Update State Tampering technique that can create invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker's point of view, and an Update State Check scheme that detects and repairs package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the technique.",
keywords = "Cyber threat, Post-compromise, Windows update",
author = "Kim, {Sung Jin} and Kim, {Byung Joon} and Kim, {Hyoung Chun} and Lee, {Dong Hoon}",
year = "2018",
month = "1",
day = "1",
doi = "10.1007/978-3-319-93411-2_7",
language = "English",
isbn = "9783319934105",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
publisher = "Springer Verlag",
pages = "141--161",
booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings",

}
