A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors - TIB AV-Portal

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors

00:00

119

Cui, Ang Charbonneau, Francois Kataria, Jatin

Formal Metadata

Title

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors

Title of Series

Part Number

14

Number of Parts

20

Author

Charbonneau, Francois

License

CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/32747 (DOI)

Publisher

Release Date

Language

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector. We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna. Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.

Speech

Text

Image

00:00

Revision controlJSONXMLUML

00:33

Event horizonWater vaporComputer animation

01:13

Casting (performing arts)Metropolitan area networkAreaPhysical lawMereologyInternetworkingSharewareEmailObject (grammar)Computer animation

01:53

Information securityVideo gameOffice suiteSpeech synthesisVirtual machineKernel (computing)Degree (graph theory)Bit rateWeb browserMultiplication signPhysical systemMusical ensembleTraffic reportingHacker (term)PixelCryptographyMaxima and minimaEncryptionEndliche ModelltheorieAreaRight angleComputer iconDevice driverForm (programming)WindowSphereRouter (computing)GoogolTouchscreenGreen's functionBootingSuite (music)Metropolitan area networkFirmwareInternet forumComputer animationMeeting/Interview

04:43

Right angleMultiplication signStandard deviationComputer programThermal radiationCommunications protocolString (computer science)Endliche ModelltheorieType theoryMereologyProcess (computing)Information securityOpen sourceQuicksortSoftware protection dongleControl engineeringFood energyBit rateTouchscreenDependent and independent variablesPole (complex analysis)Computer hardwareWordData transmissionSoftwareParallel portMetropolitan area networkParameter (computer programming)SpacetimeMedical imagingComputer fileFigurate numberPower (physics)WhiteboardReading (process)File formatSanitary sewerStaff (military)Data structureInformationPlotterMonster groupOffice suiteSCSIRevision controlVariable (mathematics)Motion captureSerial portBus (computing)CASE <Informatik>FirmwareGoogolInheritance (object-oriented programming)Mobile appMass storageCodeRadio-frequency identificationVirtualizationService (economics)Computer wormBitComputer animation

10:58

CodeRight angleLogikanalysatorGreatest elementBus (computing)Copyright infringementControl engineeringStandard deviationMereologyGradientPower (physics)Bit rateMicrocontrollerDifferent (Kate Ryan album)Message passingRaw image formatFrequencyAsynchronous Transfer ModeControl flowFile formatSCSIFlash memoryInheritance (object-oriented programming)WhiteboardPlastikkarteEngineering drawing

13:02

Medical imagingRight angleFlash memoryVolumenvisualisierungEntropiecodierungGradientData structureQuicksortDifferent (Kate Ryan album)CodeTable (information)BitWhiteboardDevice driverFirmwareFunktionalanalysisSocial classBit rateString (computer science)HexagonComputer animationSource code

14:04

BitQuicksortRight angleOpen sourcePhysical systemTurbo-CodeComputer fileWordDependent and independent variablesComputer animationJSON

14:59

Hand fanComputerWritingSemiconductor memorySoftware testingRectangleCalculationCodeMobile appTurbo-CodeStandard deviationBitRight angleSpywareFunktionalanalysisComputer programWordTelecommunicationCartesian coordinate systemSheaf (mathematics)RadiusStudent's t-testLine (geometry)Computer fileUser interfaceComputer animation

17:09

Point (geometry)Message passingBit rateCore dumpSystem callRange (statistics)Sign (mathematics)Touch typingQuicksortEigenvalues and eigenvectorsComputer hardwareMereologyProcess (computing)Bus (computing)Personal identification numberSystem on a chipReading (process)FirmwareComputer animation

18:46

Directed graphFunktionalanalysisPoint (geometry)Personal identification numberSerial portReal-time operating systemString (computer science)Water vaporComputer animationJSON

19:23

Link (knot theory)Core dumpMicrocontrollerBridging (networking)ComputerBit rateMedical imagingSoftwareSpacetimeSemiconductor memoryControl engineeringPeg solitaireDevice driverRight angleFile formatRevision controlMereologyWeightFlow separationSystem callUniform resource locatorTouchscreenPixelSingle-precision floating-point formatBitHeat transferCodePhysicalismComputer animation

21:44

FirmwarePower (physics)BootingAreaProduct (business)Fluid staticsComputer animation

22:20

Data structureStability theoryHeat transferControl engineeringControl flowDynamical systemInformationComputer fontCoordinate systemCuboidMedical imagingWater vaporBitPoint (geometry)Form (programming)

24:02

Bit rateCuboidPoint (geometry)Cellular automatonMountain passComputer animation

24:38

Buffer solutionCountingForm (programming)Right angleMultiplication signBitComputer animation

25:13

PixelFinitismusEndliche ModelltheorieFigurate numberCellular automatonPattern languageSingle-precision floating-point formatComputer animation

26:01

BitSharewarePixelString (computer science)WordTouchscreen

26:42

Synchronous dynamic random-access memoryFirmwareTable (information)Procedural programmingStructural loadAlpha (investment)FunktionalanalysisNumbering schemeProcess (computing)BitMultiplication signAxiom of choiceRight angleMedical imagingLinearizationLogicBit ratePhysical systemOptical disc driveWeb pageGreen's functionParsingCore dumpMappingPoint (geometry)InferenceNominal numberComputer animation

28:44

Mathematical analysisVertex (graph theory)Data managementMaxima and minimaMedical imagingMultiplication signStapeldateiAddress spaceMatching (graph theory)Figurate numberPoint (geometry)System callSelf-organizationArithmetic meanException handlingRight angleString (computer science)Control flowTouchscreenWeb pageDynamical systemPixelBitOverlay-NetzProcess (computing)Thread (computing)SoftwareStructural loadPower (physics)CodeBit rateExpected valueNP-hardLevel (video gaming)CryptographyForm (programming)TrailComputer hardwareProbability density functionSlide ruleFunktionalanalysisComputer animation

31:44

CASE <Informatik>Table (information)TouchscreenSparse matrixMetadataContent (media)Bit ratePower (physics)CodeComputerSystem callOrder (biology)MetreWhiteboardPersonal identification numberSharewareComputer hardwareSingle-precision floating-point formatComputer animation

32:49

Bit ratePresentation of a groupSharewareAreaMetropolitan area networkCode2 (number)WebsiteInformationComputer animation

34:28

WebsiteProcess (computing)Graphical user interfaceTouchscreenLink (knot theory)WordRight angleUniformer RaumComputerState of matterFactory (trading post)Speech synthesisEndliche ModelltheorieSharewareBit rateVector spaceRadical (chemistry)Order (biology)Touch typingOnline helpSoftware testingMultiplication signMenu (computing)Control engineeringType theoryPlotterPoint (geometry)Revision controlProof theoryDifferent (Kate Ryan album)User interfaceBridging (networking)10 (number)WhiteboardPixelCodeMedical imagingPolygonSet (mathematics)SoftwareTheoryTrailGraph (mathematics)Physical systemGoodness of fitMereologyPattern languageCurveUser interfaceInformation securityFirmwareBus (computing)PhysicalismGreen's functionVirtual machineBitProper mapComputer animation

40:25

Information securityPresentation of a groupBit rateControl engineeringComputer programSet (mathematics)TwitterSystem callWordGoodness of fitProcess (computing)Video cardOpen setComputer animation

42:22

Computer animation

Transcript: English(auto-generated)