Phantom Attack: Evading System Call Monitoring

Presented at DEF CON 29 (2021), Aug. 6, 2021, 5 p.m. (45 minutes)

Phantom attack is a collection of attacks that evade Linux system call monitoring. A user mode program does not need any special privileges or capabilities to reliably evade system call monitoring using Phantom attack by exploiting insecure tracing implementations. After adversaries gain an initial foothold on a Linux system, they typically perform post-exploitation activities such as reconnaissance, execution, privilege escalation, persistence, etc. It is extremely difficult if not impossible to perform any non-trivial adversarial activities without using Linux system calls. Security monitoring solutions on Linux endpoints typically offer system call monitoring to effectively detect attacks. Modern solutions often use either ebpf-based programs or kernel modules to monitor system calls through tracepoint and/or kprobe. Any adversary operations including abnormal and/or suspicious system calls reveal additional information to the defenders and can trigger detection alerts. We will explain the generic nature of the vulnerabilities exploited by Phantom attack. We will demonstrate Phantom attack on two popular open source Linux system call monitoring solutions Falco (Sysdig) and Tracee (Aquasecurity). We will also explain the differences between Phantom v1 and v2 attacks. Finally, we will discuss mitigations for Phantom attack and secure tracing in the broader context beyond system call tracing. REFERENCES: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33505 https://i.blackhat.com/USA-20/Thursday/us-20-Lee-Exploiting-Kernel-Races-Through-Taming-Thread-Interleaving.pdf https://www.youtube.com/watch?v=MIJL5wLUtKE https://dl.packetstormsecurity.net/1005-advisories/khobe-earthquake.pdf

Presenters:

• Junyuan Zeng - Senior Software Engineer, Linkedin
  Junyuan Zeng is Senior Software Engineer at Linkedin. Before Linkedin, he was Staff Security Architect at JD.com where he designed and architected container security monitoring solutions. Before that he was Staff Software Engineer for mobile payment security at Samsung and a security researcher at FireEye where he worked on mobile malware analysis. He has published in ACM CCS, USENIX ATC, and other top academic conferences. He obtained his PhD in Computer Science from The University of Texas at Dallas. https://www.linkedin.com/in/junyuanzeng/
• Rex Guo - Head of Research, Confluera
  Rex Guo works as Head of Research at Confluera where he leads the security research and development of the cloud XDR product which includes the real-time threat storyboarding capabilities (a.k.a. attack narrative). Before joining Confluera, he was an engineering manager at Cisco Tetration where his team bootstrapped the server EDR product deployed on millions of cloud endpoints. Before that, Rex worked at both Intel Security and Qualcomm. In these positions, he has worked on application security, infrastructure security, malware analysis, and mobile/ IoT platform security. He has presented at Blackhat multiple times. He has 30+ patents and publications. He received a PhD from New York University. @Xiaofei_REX https://www.linkedin.com/in/xiaofeiguo/

Links:

• https://defcon.org/html/defcon-29/dc-29-speakers.html#guo
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Rex Guo Junyuan Zeng - Phantom Attack - Evading System Call Monitoring.mp4
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 presentations/Rex Guo Junyuan Zeng - Phantom Attack - Evading System Call Monitoring.pdf (slides)
• https://infocon.org/cons/DEF CON/DEF CON 29/DEF CON 29 video and slides/DEF CON 29 - Rex Guo Junyuan Zeng - Phantom Attack - Evading System Call Monitoring.srt (subtitles)
• https://www.youtube.com/watch?v=yaAdM8pWKG8

Similar Presentations:

• DEF CON 12 (2004) / Program Semantics- Aware Intrusion Detection
• DEF CON 21 (2013) / Phantom Network Surveillance UAV / Drone
• DEF CON 30 (2022) / Trace me if you can: Bypassing Linux Syscall Tracing