07.04.2017 / by maximios / Fiction and Philology / No Comments

DarkSeaSkies_1_0_CONOP

SECRET//NOFORN

Engineering Development Group

DarkSeaSkies 1.0 Concept of Operations

Rev. New

26 January 2009

CL BY: 2348366

CL REASON: 1.4(c)

DECL ON: 20331105

DRV FROM: COL S-06

Change Log

Rev   Date   Authority/Approval   Description
New   11/05/2008   TWC   Initial Release


Table of Contents

1. Scope
1.1 System Overview and Description
1.2 Assumptions and Constraints
2. Applicable Documents
3. Mission Overview (Not Applicable)
4. User CONOPS
5. System CONOPS (Not Applicable)
6. Notes
6.1 Acronyms/Abbreviations
6.2 Definitions

List of Tables

Table 6.1-1 Acronyms/Abbreviations
Table 6.2-2 Definition


1.   Scope

This document describes the user and system Concept of Operations for DarkSeaSkies 1.0.

1.1   System Overview and Description

DarkSeaSkies is an implant that persists in the EFI firmware of an Apple MacBook Air computer, installs a Mac OSX 10.5 kernel-space implant and executes a user-space implant.

DarkSeaSkies consists of three different tools:

• DarkMatter: An EFI driver that persists in firmware and installs the other two tools.

• SeaPea: A Mac OSX kernel-space implant that executes user-space implants and provides them with stealth and privilege.

• NightSkies: A Mac OSX user-space implant that beacons to a listening post and provides command and control.

Refer to the SeaPea and NightSkies CONOPS listed in Section 2 for further information on each tool.

1.2   Assumptions and Constraints

It is assumed that the target system is a MacBook Air version 1,1 with firmware version MBA11.0088.B03 running Mac OSX 10.5.2-10.5.x.

It is assumed that an operator or asset has one-time physical access to the target system and can boot the target system to an external flash drive.

A constraint is that DarkSeaSkies will not persist in the event of a firmware update.

2.   Applicable Documents

The following documents may be found within S:\DO\IOC\EDG ALL\EDG AE\Projects\:

• SeaPea CONOPS, Rev. 2.0, November 2008

• NightSkies CONOPS, Rev. 1.2, November 2008

3.   Mission Overview (Not Applicable)

4.   User CONOPS

The DarkSeaSkies User CONOPS is primarily the combined CONOPS of SeaPea and NightSkies, with the following additions.

DarkSeaSkies is installed from a bootable flash drive. The target system is booted while holding down the “option” key until the screen displays a boot drive selection menu. Select the flash drive. Once the DarkSeaSkies installer has started, the screen will blank and a ‘:’ will appear in the upper left corner of the screen. On a successful installation a ‘)’ will follow the ‘:’. On an unsuccessful installation a ‘(’ will follow the ‘:’.

Once installed, DarkSeaSkies will wait for the configured enable date to begin operation. The configured enable date is saved in the file “enable.time”.

Once operational, DarkSeaSkies will examine the following NVRAM variables at each boot to determine the action to take for this boot. All variables have configurable names and randomized GUIDs. Each delivery of DarkSeaSkies has different randomized GUIDs for firmware variables and EFI drivers.

• “Status” indicates the status of the payload from the previous boot. The name of the “Status” variable is saved in the file “status.name” and the GUID in the file “status.guid”. It has the following values.

o ‘2’ is reserved for future use.

o Any other value is equivalent to ‘5’.

• “Count” maintains a counter used to track the number of cautious boots. A cautious boot is defined fully below. If “Count” does not exist then it is assumed to be zero. The name of the “Count” variable is saved in the file “warning_count.name” and the GUID in the file “warning_count.guid”.

• “Limit” indicates the value of “Count” at which DarkSeaSkies will uninstall itself and its payload. If “Limit” does not exist then a pre-configured value will be used. The name of the “Limit” variable is saved in the file “warning_threshold.name” and the GUID in the file “warning_threshold.guid”.
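As an added, defender-side example (not part of this CONOP and not the project's own code), the following Python parses constructed `nvram -p` output and flags variables stored under GUIDs outside Apple's own namespaces, which is how the randomized-GUID “Status”, “Count” and “Limit” variables described above would surface on a host; the assumption that macOS prints such variables as `GUID:name`, the allowlisted Apple GUIDs, and the sample lines are mine.

```python
import re
from typing import NamedTuple

# Assumed well-known Apple/EFI variable namespaces; verify against a known-clean host.
APPLE_BOOT_GUID = "7C436110-AB2A-4BBB-A880-FE41995C9F82"   # implicit namespace for unprefixed names
KNOWN_GUIDS = {
    APPLE_BOOT_GUID,
    "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14",  # Apple vendor variables
    "8BE4DF61-93CA-11D2-AA0D-00E098032B8C",  # EFI global variable namespace (BootXXXX etc.)
}

GUID_RE = re.compile(r"^([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}):(.+)$")
# nvram -p prints binary values as %xx escapes; a short run of them looks like a small counter.
COUNTER_RE = re.compile(r"^(?:%[0-9A-Fa-f]{2}){1,4}$|^[0-9]{1,4}$")

class NvramVar(NamedTuple):
    guid: str
    name: str
    value: str

def parse_nvram(text: str) -> list:
    """Parse `nvram -p` style lines (name<TAB>value); unprefixed names map to Apple's boot GUID."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition("\t")
        m = GUID_RE.match(name)
        if m:
            out.append(NvramVar(m.group(1).upper(), m.group(2), value))
        else:
            out.append(NvramVar(APPLE_BOOT_GUID, name, value))
    return out

def suspicious_vars(variables: list, known=KNOWN_GUIDS) -> list:
    """Variables in a GUID namespace we do not recognise; review these by hand."""
    return [v for v in variables if v.guid not in known]

def counter_like(variables: list) -> list:
    """Subset of variables whose value is a small integer, as a boot-count style variable would be."""
    return [v for v in variables if COUNTER_RE.match(v.value)]

# Constructed sample output; the 2F0B8A3C-... GUID is invented for illustration.
SAMPLE = (
    "SystemAudioVolume\t%80\n"
    "fmm-computer-name\tmacbook\n"
    "4D1EDE05-38C7-4A6A-9CC6-4BCCA8B38C14:DefaultBackgroundColor\t%00%00%00\n"
    "8BE4DF61-93CA-11D2-AA0D-00E098032B8C:Boot0080\t%01%00%00%00\n"
    "2F0B8A3C-5E71-4D9A-B1C6-7A3E9D0F4B21:wk\t%03\n"
    "2F0B8A3C-5E71-4D9A-B1C6-7A3E9D0F4B21:st\tlongopaqueblob\n"
)
```

Run `suspicious_vars(parse_nvram(SAMPLE))` to list the two unrecognised-namespace variables, and `counter_like(...)` on that result to single out the one holding a small integer.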

DarkSeaSkies also determines if a kernel panic occurred. If a panic did occur then the NVRAM variables associated with the panic are deleted so that it is not reported to the operating system.

Based on this input DarkSeaSkies updates “Count” as follows.

a kernel panic

o The caution count NVRAM variable “Count” is set to zero.

o Increment the caution count NVRAM variable “Count” by one. If the variable “Count” does not exist then it is assumed to be zero.

o Increment the caution count NVRAM variable “Count” by one. If the variable “Count” does not exist then it is assumed to be zero.

o Increment the caution count NVRAM variable “Count” by two.

o Set the caution count NVRAM variable “Count” to the value of “Limit”.

a temporary file, execute NightSkies, and secure delete the NightSkies tool.

with the addition that NightSkies must set the “Status” NVRAM variable at each boot appropriate to its status. NightSkies may also read and report the “Count” NVRAM variable to the operator, and allow the operator to set the “Limit” NVRAM variable.

5.   System CONOPS (Not Applicable)

6.   Notes

6.1   Acronyms/Abbreviations

The acronyms and abbreviations used within this document are shown in Table 6.1-1.

Table 6.1-1 Acronyms/Abbreviations

EFI    Extensible Firmware Interface
GUID   Globally Unique IDentifier

6.2   Definitions

Definitions of common terms used within this document may be found in the Engineering Development Group Program Management Lexicon.

The terms and definitions unique to this As-Built Specification are shown in Table 6.2-2.

Table 6.2-2 Definition


darkmatter+darkmatter+docs+DarkSeaSkies 1.0 CONOP_Rev New_2009-01-26.doc
