Research

Clear Hat has extensive knowledge and experience in low-level vulnerability assessment and sophisticated, covert malware. Prior to founding Clear Hat, Ms. Sparks and Mr. Embleton taught the Black Hat course Offensive Aspects of Rootkit Technology and spoke repeatedly at Black Hat and other academic security conferences about their research and development of several cutting-edge, covert attack techniques. These projects included the development of the Shadow Walker and Deeper Door rootkits, as well as a prototype vulnerability analysis tool that leverages runtime control flow data for input crafting using genetic algorithms. The Shadow Walker rootkit exploited a quirk of the Intel x86 TLB architecture to hide virtual memory, while the Deeper Door rootkit exploited the Intel NIC hardware to covertly send and receive data in a manner that bypasses current host-based firewall technologies. This covert network capability was also integrated into a prototype System Management Mode (SMM) rootkit to demonstrate advanced, chipset-level exploitation techniques. Ms. Sparks and Mr. Embleton's work has appeared in a variety of industry and academic venues, including USENIX, ACSAC, Security Focus, SecureComm, and Phrack.

We have proof-of-concept ideas available and are interested in partnering opportunities to transition them through development to production.

Publications:

[1] Sherri Sparks, Shawn Embleton, and Cliff C. Zou. "A Chipset Level Network Backdoor: Bypassing Host-Based Firewall & IDS". In ASIACCS, 2009.

[2] Sherri Sparks and Shawn Embleton. "Deeper Door: Exploiting the NIC Chipset". Presentation, Black Hat USA, 2008.

[3] Shawn Embleton and Sherri Sparks. "A New Breed of Malware: The SMM Rootkit". Presentation, Black Hat USA, 2008.

[4] Shawn Embleton, Sherri Sparks, and Cliff Zou. "SMM Rootkits: A New Breed of OS Independent Malware". In SecureComm, 2008.

[5] Sherri Sparks, Shawn Embleton, Ryan Cunningham, and Cliff Zou. "Automated Vulnerability Analysis: Leveraging Control Flow for Evolutionary Input Crafting". In Annual Computer Security Applications Conference (ACSAC), 2007.

[6] Ping Wang, Sherri Sparks, and Cliff C. Zou. "An Advanced Hybrid Peer-to-Peer Botnet". In USENIX Workshop on Hot Topics in Understanding Botnets (HotBots'07), 2007.

[7] Shawn Embleton, Sherri Sparks, and Ryan Cunningham. "Sidewinder: An Evolutionary Guidance System for Malicious Input Crafting". Presentation, Black Hat, 2006.

[8] Sherri Sparks and James Butler. "Windows Rootkits in 2005: Part 3". In Security Focus, 2005.

[9] Sherri Sparks and James Butler. "Windows Rootkits in 2005: Part 2". In Security Focus, 2005.

[10] Sherri Sparks and James Butler. "Windows Rootkits in 2005: Part 1". In Security Focus, 2005.

[11] Sherri Sparks and James Butler. "Shadow Walker: Raising the Bar for Rootkit Detection". In Phrack, Vol X, 2005. See also: Black Hat Japan, 2005.

[12] Sherri Sparks and James Butler. "Spyware and Rootkits: The Future Convergence". In USENIX Login, 2004.