The observer effect (commonly confused with Heisenberg’s Uncertainty principle) tells us that in particle physics, the act of observing an event changes its behavior. This is true in computer systems as well, and can be used by an attacker to determine if they are being monitored or introspected upon from on high.
This talk will begin by examining architectural “tells” that can be utilized to detect the presence of analysis tools, even those with higher privilege/stealth capabilities than the attacker. These tells can be combined in a way to prove (attest) to the attacker that the system is not under inspection before continuing the campaign or dropping sensitive data/code to the host. After the theory has been described, a demonstration of this will be provided to remotely attest the presence (or lack thereof) of tampering with the binary, introspection from a VMM or SMM, etc.
Once you can be confident that you’re not being monitored, the second part of this talk will provide some handy Feng Shui techniques for making your new home more cozy. Physically unclonable functions (PUFs) can be used to attest that the system has not been changed or emulated and provide good sources of device-specific keying material. A few PUFs present on COTS systems will be discussed and demonstrated to provide you with additional assurances that your new home remains safe and your implants unmolested.
The combination of these two techniques will let you be the Martha Stewart of your system: tidy, safe and feeling slightly guilty for your insider access; with these tools you can work towards realizing “trusted” implant networks that can detect observation and evade analysis or theft of sensitive data/code.