Update state tampering: A novel adversary post-compromise technique on cyber threats

Sung Jin Kim, Byung Joon Kim, Hyoung Chun Kim, Dong Hoon Lee

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

With modern cyber threats, attackers must gain persistence in target systems to achieve their attack objectives. Once an attacker's zero-day vulnerabilities on a target system are patched, the attacker may lose control over the system. However, systems remain vulnerable when an attacker manipulates the component resources on a Windows system. We found methods to generate invisible vulnerabilities on a victim's system. Our findings are as follows: first, we found ways to replace a component with an old, vulnerable version while maintaining the current update records; second, we found that the Windows system does not recognize the replaced components. We define the first issue as a package-component mismatch and the second issue as a blind-spot issue in Windows update management. Both have been identified on all versions of Windows from Vista onward, including desktop and server platforms. Based on our findings, we reveal an Update State Tampering technique that can generate invisible security holes on target systems. We also offer corresponding countermeasures to detect and correct package-component mismatches. In this paper, we introduce the problems with the current Windows update management mechanism, the Update State Tampering technique from the attacker's point of view, and an Update State Check scheme that detects and recovers from package-component mismatches. We stress that our proposed Update State Check scheme should be deployed immediately in order to mitigate large-scale exploitation of the proposed technique.

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings
Publisher: Springer Verlag
Pages: 141-161
Number of pages: 21
ISBN (Print): 9783319934105
DOIs: https://doi.org/10.1007/978-3-319-93411-2_7
Publication status: Published - 2018 Jan 1
Event: 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018 - Saclay, France
Duration: 2018 Jun 28 to 2018 Jun 29

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 10885 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 15th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2018
Country: France
City: Saclay
Period: 18/6/28 to 18/6/29

Keywords

  • Cyber threat
  • Post-compromise
  • Windows update

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)


Cite this

Kim, S. J., Kim, B. J., Kim, H. C., & Lee, D. H. (2018). Update state tampering: A novel adversary post-compromise technique on cyber threats. In Detection of Intrusions and Malware, and Vulnerability Assessment - 15th International Conference, DIMVA 2018, Proceedings (pp. 141-161). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 10885 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-319-93411-2_7