
Need an account to vote? Register to attend at gsec.hitb.org/sg2018/
Deadline is 30th June 2018!


FOCUS ON OTHER FEATURES: Hiding Tasks via Task Switching

Kyeong Joo Jung


Recently, newly discovered vulnerabilities in Intel and AMD CPUs have become an issue. Those vulnerabilities were new findings. However, we also need to pay attention to features that receive little focus. One of them is the task switching mechanism.

We usually think of task switching as the way a computer appears to be 'multitasking'. In reality, the tasks are executed alternately, one after another. There are two kinds of task switching: 'hardware task switching' and 'software task switching'. Today, most computers use software task switching.

Our team has tried to use these features to hide a task. Hardware task switching is a feature in which the CPU itself performs the switch between tasks; it was used in the past but is not used now. Instead, software task switching, in which the OS performs the switch, is used. We succeeded in using the hardware task switching method to hide tasks from a 32-bit OS, and the software task switching method to hide tasks from a 64-bit OS.

Have you ever thought of creating another scheduler besides the OS's? Probably not. However, by operating the task switching mechanism manually through a driver, it is possible to make the system behave as if it had another scheduler. To be specific, the OS is not able to detect the created scheduler. With this scheduler, it would be possible to intrude on a user's PC and use it for mining, network access and file access without being noticed. Furthermore, this kind of construction can be deadly because if the two schedulers coexist, the reliability of the OS timer and the event log can no longer be trusted.

Another point to consider is that it is currently difficult to defend against an attack using this method, because there are no tools that detect a modified GDT.

To operate the task switching mechanism manually, a driver that modifies system values must be installed. For the hardware task switching method, access to the GDT (Global Descriptor Table) is needed. The loaded driver gains ring 0 privilege, which makes GDT modification possible; all 32-bit Linux and Windows systems can be made to perform hardware task switching this way. For the software task switching method, the OS manages the stacks that hold the tasks to be executed. We install a driver that allocates another space for a task's stack in order to run a hidden task.
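The abstract states that no existing tool detects a modified GDT. Since a hardware task switch on 32-bit x86 requires a TSS descriptor in the GDT, one defensive check is simply to decode the GDT and enumerate its TSS descriptors. The following C program is an added example written for this page, not code from the author's team: it decodes raw 8-byte GDT entries according to the documented x86 descriptor layout and counts the 32-bit TSS descriptors (system descriptors of type 9 or 11). The GDT image it walks is constructed inline for illustration; on a live system the bytes would come from the OS's own GDT as read by a kernel-mode inspection tool.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One 8-byte GDT entry decoded into its fields (x86 segment descriptor layout). */
typedef struct {
    uint32_t base;
    uint32_t limit;
    uint8_t  type;        /* low 4 bits of the access byte */
    int      is_system;   /* S bit clear => system descriptor (TSS, LDT, gates) */
    int      present;     /* P bit */
    int      dpl;         /* descriptor privilege level */
    int      granularity; /* G bit: limit is measured in 4 KiB pages */
} gdt_entry_t;

/* Decode one descriptor from 8 raw bytes (fields are little-endian). */
gdt_entry_t decode_gdt_entry(const uint8_t *d) {
    gdt_entry_t e;
    uint16_t limit_low = (uint16_t)(d[0] | (d[1] << 8));
    uint16_t base_low  = (uint16_t)(d[2] | (d[3] << 8));
    uint8_t  base_mid  = d[4];
    uint8_t  access    = d[5];
    uint8_t  flags     = d[6];   /* high nibble: G, D/B, L, AVL; low nibble: limit[19:16] */
    uint8_t  base_high = d[7];

    e.base        = (uint32_t)base_low | ((uint32_t)base_mid << 16) | ((uint32_t)base_high << 24);
    e.limit       = (uint32_t)limit_low | ((uint32_t)(flags & 0x0F) << 16);
    e.type        = access & 0x0F;
    e.is_system   = !(access & 0x10);
    e.present     = (access >> 7) & 1;
    e.dpl         = (access >> 5) & 3;
    e.granularity = (flags >> 7) & 1;
    return e;
}

/* A 32-bit TSS descriptor has S=0 and type 9 (available) or 11 (busy). */
int is_tss32_descriptor(const gdt_entry_t *e) {
    return e->is_system && (e->type == 0x9 || e->type == 0xB);
}

/* Walk a raw GDT image and return how many present 32-bit TSS descriptors it holds.
   With report != 0 each one is printed, so an unexpected extra TSS stands out. */
size_t count_tss32_descriptors(const uint8_t *gdt, size_t gdt_bytes, int report) {
    size_t n = 0;
    for (size_t off = 0; off + 8 <= gdt_bytes; off += 8) {
        gdt_entry_t e = decode_gdt_entry(gdt + off);
        if (!e.present || !is_tss32_descriptor(&e)) continue;
        n++;
        if (report)
            printf("selector 0x%04zx: TSS32 %s base=0x%08x limit=0x%05x dpl=%d\n",
                   off, e.type == 0xB ? "busy" : "avail", e.base, e.limit, e.dpl);
    }
    return n;
}

/* Constructed sample GDT (not captured from a real machine): null descriptor,
   ring-0 code, ring-0 data, the OS's own TSS, and a second, unexpected TSS. */
static const uint8_t sample_gdt[] = {
    /* 0x00: null descriptor */
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
    /* 0x08: ring-0 code, base 0, limit 0xFFFFF, G=1 D=1 */
    0xFF,0xFF,0x00,0x00,0x00,0x9A,0xCF,0x00,
    /* 0x10: ring-0 data, same base/limit */
    0xFF,0xFF,0x00,0x00,0x00,0x92,0xCF,0x00,
    /* 0x18: TSS32 busy, base 0x00801000, limit 0x67 */
    0x67,0x00,0x00,0x10,0x80,0x8B,0x00,0x00,
    /* 0x20: TSS32 available, base 0x00C05000, limit 0x67 (the extra one) */
    0x67,0x00,0x00,0x50,0xC0,0x89,0x00,0x00,
};

const uint8_t *sample_gdt_ptr(void) { return sample_gdt; }
size_t sample_gdt_size(void) { return sizeof sample_gdt; }

/* Convenience: is the entry at the given index of the sample GDT a 32-bit TSS? */
int sample_entry_is_tss32(size_t index) {
    gdt_entry_t e = decode_gdt_entry(sample_gdt + index * 8);
    return is_tss32_descriptor(&e);
}

int main(void) {
    size_t n = count_tss32_descriptors(sample_gdt, sizeof sample_gdt, 1);
    printf("%zu TSS32 descriptor(s) found\n", n);
    /* A 32-bit OS that uses software task switching normally needs one TSS per CPU
       (for the ring-0 stack on privilege transitions); more than that warrants a look. */
    return 0;
}
```

The baseline to compare against is the number of TSS descriptors the OS itself installs (typically one per CPU on a software-task-switching OS); any additional present TSS descriptor, or one whose base lies outside kernel memory the OS allocated, is the kind of anomaly the abstract says current tools do not report.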

We created a scheduler that is undetectable by existing tools. So far we have succeeded on 32-bit OSes and, at the last minute, on 64-bit OSes as well. It would be great if our team could show the world what we have done.

The following are the possible contents of the presentation:

1. Introduction to CPU vulnerabilities

- This introduces the problem behind our proposed method.

2. Introduction to H/W and S/W task switching

- Basic information on each and how it actually operates. We will discuss when these features were used and why hardware task switching is no longer used. We will show how the H/W switching method operates using a diagram, then how S/W task switching works, which is relatively easier to understand than H/W task switching.

3. How to operate H/W and S/W task switching manually

- To operate the proposed method manually on the H/W side, we need access to the GDT (Global Descriptor Table). To access the GDT, we need ring 0 privilege, which we obtained using a driver. Then we will show what happens when hardware task switching is operated manually by executing a task we created through the hardware scheduler. At this point we will show our video for better understanding.

- To operate the proposed method manually on the S/W side, we first need to understand how task switching is performed. The OS uses stacks to execute and switch tasks. Our team allocated another space in memory for a hidden task through a driver. We will show figures and videos for better understanding.

4. Discussion of the proposed method

- We will show what can be done with this method. The proposed method can be demonstrated through the task manager's CPU usage, because the CPU usage of the created scheduler is not displayed. We then explain that malicious mining is also possible, as is taking over a server's CPU.

We then show an experiment done using the proposed method, with figures for better intuition. When the combined CPU usage of the OS scheduler and the hardware scheduler exceeds 100%, the OS begins to stall during task switches. This shows the unreliability of the OS, which is supposed to run continuously while the PC is on.

5. Limitations and further research

- The proposed method was possible because system values could be modified. We will argue that ring 0 privilege should grant less authority than it does: just by installing a driver, one obtains ring 0 privilege, which can lead to the creation of a new scheduler. We will also argue that a detection method for the proposed technique should be researched to prevent it from actually being used. The limitation is that it can be detected by scanning memory: state-of-the-art detection tools won't find the tasks, but if one intends to find that specific task, it is possible by scanning memory. However, if we make it unnoticeable to users, this won't be a big problem.

6. Live demo

- We will show a task executed without being noticed, using the proposed method.


Kyeong Joo Jung is currently enrolled in the Master's program in computer science at Stony Brook University, SUNY Korea, and is a member of B.o.B (Best of the Best), Korea's next-generation security leader education program. He is interested in malware and rootkits, and the team he belongs to, 'Ajae.dll', was built for researching rootkits and malware. He also presented earlier work at HITB AMS 2018.