lecture: Hiding @ Depth
Exploring & Subverting NAND Flash memory
In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications.
The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide persistant files on your devices and how you would go about discovering them. The project also consideres how typical forensic software interacts with NAND devices and how those tools can be subverted. (Hint: your current tools probably don't work as well as you would like to believe). Lastly, the project will showcase how easy it is to brick a deployed device beyond repair, be it SCADA or Smartphones.
Outline - This should show the logical progression of your presentation.
* Who am I
* What is NAND Flash and how does it work at the physical layer
* How does the linux (and Android) kernel interact with NAND Flash
* Enumerate the logical inconsistencies of the NAND architecture, show the logical holes in the design
* Walk through a POC on how to subvert the NAND architecture to deeply hide files on devices (introduce and publicly release the NAND-Hide open source tool)
* Walk through a POC on how to detect hidden files on embedded NAND. (introduce and publicly release the NAND-Find open source tool)
* Walk through the forensics implications of NAND analysis and why we might want to re-evaluate the current practices.
* How advanced malware / rootkits could utilize the tools
* Walk through covert exfil implications of NAND
* Walk through bricking any NAND based device
Start time: 15:00