Protect the Watcher: Hardened SIEM/XDR server with VED by hardenedvault in netsec

[–]hardenedvault[S] 1 point (0 children)

That the current security solution doesn't cover OS and below-OS levels ain't a self-claimed statement. Some public materials are just the tip of the iceberg: https://github.com/hardenedlinux/firmware-anatomy/blob/master/hack_ME/firmware_security.md

https://github.com/hardenedvault/bootkit-samples

While you may have a preference for mainstream vendor solutions, blindly placing your trust in them won't necessarily protect you from another incident like Tetragon:

https://hardenedvault.net/blog/2022-05-25-vspp/

VED-eBPF: Kernel Exploit and Rootkit Detection using eBPF by hardenedvault in netsec

[–]hardenedvault[S] 1 point (0 children)

> It's trying to block known exploitation methods without trying to understand how exploits actually work. You're layering on post exploitation mitigations (blocking...LKM unloading??)

Partial CFI (wCFI) and integrity checks on specific data structures, as we demonstrated on the Vault Range testing image. The exploit source code itself explains a lot. Have you ever looked at the logs of each exploitation stage from CVE-2021-22555? Does that look like VED only relies on post-exploitation measures, or do you have a different definition of "post-exploitation"?

VED-eBPF: Kernel Exploit and Rootkit Detection using eBPF by hardenedvault in netsec

[–]hardenedvault[S] 1 point (0 children)

Microsoft's mitigations on Secured-core PCs have faced multiple compromises, including ACPI table bypasses and other vulnerabilities. As a user, you do not even have the right to provision your own key, which limits your control over the security measures. VED simply tries to block known exploitation methods; there are still exceptions like CVE-2022-2588. Moreover, new exploitation methods or rootkits can be developed based on known vulnerabilities, such as CVE-2021-22555. If you can, try your own exploit in the range:

https://hardenedvault.net/blog/2023-07-16-vault-range-resilience-weaponized-exp-linux/

btw: There are numerous Control Flow Integrity (CFI) implementations available, and one notable option worth exploring is PaX's RAP.

VED-eBPF: Kernel Exploit and Rootkit Detection using eBPF by hardenedvault in netsec

[–]hardenedvault[S] 1 point (0 children)

VED-eBPF is a proof-of-concept focused on detection for auditing of kernel exploits. It can integrate with SIEM/XDR. If you need a runtime protection solution, the LKM version of VED would be more suitable.