OSX/Flashback
El sistema operativo Apple OS X, al igual que todos los sistemas operativos, puede convertirse en una víctima de software malicioso. Antes de la aparición de OSX/Flashback, hubo varios casos documentados de malware dirigido a OS X; pero hasta ahora, OSX/Flashback fue el que cobró la mayor cantidad de víctimas. En este artículo se describen las características técnicas más interesantes de la amenaza, en especial el método utilizado para espiar las comunicaciones de red y los algoritmos para la generación dinámica de nombres de dominio. También se incluye una línea de tiempo con los puntos más importantes del malware, cuyo ciclo de vida persistió durante tantos meses.
[DefCon 2016] I got 99 Problems, but Little Snitch ain’t one!Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
OSX/Flashback
El sistema operativo Apple OS X, al igual que todos los sistemas operativos, puede convertirse en una víctima de software malicioso. Antes de la aparición de OSX/Flashback, hubo varios casos documentados de malware dirigido a OS X; pero hasta ahora, OSX/Flashback fue el que cobró la mayor cantidad de víctimas. En este artículo se describen las características técnicas más interesantes de la amenaza, en especial el método utilizado para espiar las comunicaciones de red y los algoritmos para la generación dinámica de nombres de dominio. También se incluye una línea de tiempo con los puntos más importantes del malware, cuyo ciclo de vida persistió durante tantos meses.
[DefCon 2016] I got 99 Problems, but Little Snitch ain’t one!Synack
Security products should make our computers more secure, not less. Little Snitch is the de facto personal firewall for OS X that aims to secure a Mac by blocking unauthorized network traffic. Unfortunately bypassing this firewall's network monitoring mechanisms is trivial...and worse yet, the firewall's kernel core was found to contain an exploitable ring-0 heap-overflow. #fail
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest
(=attack) painful, or just rendered the scenarios irrelevant.
https://www.youtube.com/watch?v=VNmtmz3mJN4&
Deep dive into InjectionTDD - how to perform iOS unit tests realtime, without rebuilding entire Xcode project.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
Client Side Exploitation Techniques for attack client-side then access into intranet for fun, Additional latest Microsoft vulnerability that never patch for year (MS was Suck...)
After four years of quiet growth and development, the Bitcoin cryptocurrency leaped into prominence during 2013. Much of the current discourse around Bitcoin focuses on its viability as currency and its valuation. However, to appreciate its potential as the “Internet of ownership transfer”, a deeper understanding of its technical underpinnings is needed.
In this colloquium, Prof G-J van Rooyen gives a technological primer on the nuts and bolts of the cryptocurrency. The talk will demonstrate how the cunning use of hashes makes it possible to transfer ownership in such a way that cheating (double-spending) is impossible in a correctly functioning network. This is shown to be the most successful solution to the long-standing Byzantine Generals Problem, and a breakthrough in distributed information management.
The talk will also show how the Bitcoin peer-to-peer network forms the first widespread use of triple-entry accounting, and consider the applications of such technology. We will briefly dip into the scripting language built into the protocol: “DUP HASH160 EQUALVERIFY CHECKSIG” turns the Bitcoin protocol into Bitcoin the currency. More advanced scripts can make arbitrarily complex contracts and interactions possible.
Troubleshooting tips and tricks for Oracle Database Oct 2020Sandesh Rao
This talk presents 15 different tips and tricks using tools to better troubleshoot and debug problems with Database , Oracle RAC and Oracle Clusterware , ASM and how to get the right pieces of data with the least of commands which today most people do manually. This session will cover tools from the Oracle Autonomous Health Framework (AHF) like Trace file Analyzer (TFA) to collect , organize and analyze log data , Exachk and orachk to perform mass best practices analysis and automation , Cluster Health Advisor to debug node evictions and calibrate the framework , OSWatcher and its analysis engine , oratop for pinpointing performance issues and many others to make one feel like a rockstar DBA.
Almost all security research has a question often left unanswered: what would be the financial consequence, if a discovered vulnerability is maliciously exploited? The security community almost never knows, unless a real attack takes place and the damage becomes known to the public. Development of the cryptocurrencies made it even more difficult to control the impact of an attack since all the security relies on a single wallet's private key which needs to stay secure. Multiple breaches of private wallets and public currency exchange services are well-known, and to address the issue a few companies have come up with secure hardware storage devices to preserve the wallet's secrets at all costs.
But, how secure are they? In this research, we show how software attacks can be used to break in the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker. The number of identified vulnerabilities in the hardware wallet show how software vulnerabilities in the TEE operating system can lead to a compromise of the memory isolation and a reveal of secrets of the OS and other user applications. Finally, based on the identified vulnerabilities an attack is proposed which allows anyone with only physical access to the hardware wallet to retrieve secret keys and data from the device. Additionally, a supply chain attack on a device allowing an attacker to bypass security features of the device and have full control of the installed wallets on the device.
The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities.
One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems.
I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest
(=attack) painful, or just rendered the scenarios irrelevant.
https://www.youtube.com/watch?v=VNmtmz3mJN4&
Deep dive into InjectionTDD - how to perform iOS unit tests realtime, without rebuilding entire Xcode project.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
Linux has this great tool called strace, on OSX there’s a tool called dtruss - based on dtrace. Dtruss is great in functionality, it gives pretty much everything you need. It is just not as nice to use as strace. However, on Linux there is also ltrace for library tracing. That is arguably more useful because you can see much more granular application activity. Unfortunately, there isn’t such a tool on OSX. So, I decided to make one - albeit a simpler version for now. I called it objc_trace.
Client Side Exploitation Techniques for attack client-side then access into intranet for fun, Additional latest Microsoft vulnerability that never patch for year (MS was Suck...)
After four years of quiet growth and development, the Bitcoin cryptocurrency leaped into prominence during 2013. Much of the current discourse around Bitcoin focuses on its viability as currency and its valuation. However, to appreciate its potential as the “Internet of ownership transfer”, a deeper understanding of its technical underpinnings is needed.
In this colloquium, Prof G-J van Rooyen gives a technological primer on the nuts and bolts of the cryptocurrency. The talk will demonstrate how the cunning use of hashes makes it possible to transfer ownership in such a way that cheating (double-spending) is impossible in a correctly functioning network. This is shown to be the most successful solution to the long-standing Byzantine Generals Problem, and a breakthrough in distributed information management.
The talk will also show how the Bitcoin peer-to-peer network forms the first widespread use of triple-entry accounting, and consider the applications of such technology. We will briefly dip into the scripting language built into the protocol: “DUP HASH160 EQUALVERIFY CHECKSIG” turns the Bitcoin protocol into Bitcoin the currency. More advanced scripts can make arbitrarily complex contracts and interactions possible.
Troubleshooting tips and tricks for Oracle Database Oct 2020Sandesh Rao
This talk presents 15 different tips and tricks using tools to better troubleshoot and debug problems with Database , Oracle RAC and Oracle Clusterware , ASM and how to get the right pieces of data with the least of commands which today most people do manually. This session will cover tools from the Oracle Autonomous Health Framework (AHF) like Trace file Analyzer (TFA) to collect , organize and analyze log data , Exachk and orachk to perform mass best practices analysis and automation , Cluster Health Advisor to debug node evictions and calibrate the framework , OSWatcher and its analysis engine , oratop for pinpointing performance issues and many others to make one feel like a rockstar DBA.
Almost all security research has a question often left unanswered: what would be the financial consequence, if a discovered vulnerability is maliciously exploited? The security community almost never knows, unless a real attack takes place and the damage becomes known to the public. Development of the cryptocurrencies made it even more difficult to control the impact of an attack since all the security relies on a single wallet's private key which needs to stay secure. Multiple breaches of private wallets and public currency exchange services are well-known, and to address the issue a few companies have come up with secure hardware storage devices to preserve the wallet's secrets at all costs.
But, how secure are they? In this research, we show how software attacks can be used to break in the most protected part of the hardware wallet, the Secure Element, and how it can be exploited by an attacker. The number of identified vulnerabilities in the hardware wallet show how software vulnerabilities in the TEE operating system can lead to a compromise of the memory isolation and a reveal of secrets of the OS and other user applications. Finally, based on the identified vulnerabilities an attack is proposed which allows anyone with only physical access to the hardware wallet to retrieve secret keys and data from the device. Additionally, a supply chain attack on a device allowing an attacker to bypass security features of the device and have full control of the installed wallets on the device.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
What really happens when your Java program runs? After the transformation from Java source through bytecode and machine code to microcode, and the various optimizations that take place along the way, the instructions that are actually executed may be very different from what you imagined when you wrote the program. This session shows what a simple program actually looks like when it really hits the hardware.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
Many JavaScript roles are advertised as "Full Stack", but what does that really mean?
This talk takes a look at what could be meant by a stack and discusses the reasons to focus on first-principles rather than specific technologies.
Highlighted key points on the following concepts of C Language,I/O Functions,Bitwise operators, preincrement operator,post increment operator ,storage class,functions,Sample Code Snippets
C++ Code as Seen by a Hypercritical ReviewerAndrey Karpov
We all do code reviews. Who doesn't admit this – does it twice as often. C++ code reviewers look like a sapper. .. except that they can make a mistake more than once. But sometimes the consequences are painful . Brave code review world.
C++ code is fraught with perils and pitfalls. That's why a thorough and meticulous code review is very important. The purpose of this talk is to (hopefully) improve your ability to take on such a task. We'll take a look at some error patterns easily overlooked. In all honesty, many people just don't know about them. Meet a dangerous emplace_back, an unexpected integer overflow, a skipped memset, perils of noexcept functions, and so on.
Yuri is a C++ developer at PVS-Studio. Currently working on the core features of the C++ static analyser made by the company.
YouTube: https://youtu.be/f1_Iwh33f9I
Un aperçu du format Mach-O, en particulier où sont situées les chaînes de caractères constantes et où sont définies les classes, méthodes ObjC 1.0/2.0. Mais tout cela avec un besoin concret effectivement rencontré : pouvoir réusiner du code après sa compilation.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
13. Are they similarJ
Comparison River Dam Passive Fuzz
Basic
FuncHon
Stream intercept ExecuNon intercept
Up Stream User mode data
Down Stream Kernel mode data
Create
Chaos
Poisoning upstream Fuzzing user data
Downstream fish die Kernel crash
Track the poison’s origin Reproduce
…… ……
15. Origianl function
Hooker
IOAcceleratorFamily2.kext
Targeted application from apple store
Suspicious
module/function
manifest
IOThunderboltFamily.kext IOUSBFamily.kext
AppleGraphicsPowerManagement.kext AppleHDA.kext … …
I. is_io_connect_method
II. is_io_connect_async_method
III. iokit_user_client_trap
IV. IOMemoryDescriptor::createMappingInTask
V. ipc_kmsg_get
VI. ipc_kmsg_send
VII. Copyio
…...
Conditon Checker
Ring3
Ring0
Target
drivers
XNU/
IOKit
Tamper
StackFrame,
Process,
UserClient,
MsgID,
…...
Context Matcher
Implementation – Architecture
Overview
17. • Hooker
• Directly accessible by user
• One hook for many processes
• Inline hook in kernel mode.
• Tamper
• Only fuzz buffer content accessible by user
• e.g. Inband_input, scalar_input, ool_input
• NOT size! (bypass getTargetAndMethodForIndex check)
Implementation – Hook & Tamper
21. Keep fuzzing stable
• Get rid of noise
o busy call, black screen call, hung call,
o reproduced crashes
Hunt according to vulnerability context
• Kernel heap address leak
• Map user data into kernel and read as buffer size
• …
Implementation – Why Condition
Checker?
22. • &&, ||, *(wild match), white(black)
• Process
• User id (root/Non-root)
• Process Name (e.g. Safari, RCE, sandbox-evasion)
• Module
• Module Name
• Function
• Symbol Name/Address
• Offset range
Implementation – Dimension of
Condition 1/3
24. • Data
• is_address_RWX
• Copy direction(in/out)
• Kernel or User space (SMAP noise)
• Call-Stack
• Function ret
• Stack Level (from bottom to top)
• Level range[,]
Implementation – Dimension of
Condition 2/3
25. stack_match_item_t stack_matcher_for_copyio[]={
//If any item in list match, then match
//{routineName, cache}, routineAddress, offSetFrom, offsetTo, levelLow, levelHigh
{{"_shim_io_connect_method_scalarI_scalarO",STACK_ANY_INTEGER},STACK_ANY_INTEGE
R,0, 0xC120-0xB8B0, STACK_ALL_LEVEL_RANGE},
{{"_shim_io_connect_method_scalarI_structureO",STACK_ANY_INTEGER},STACK_ANY_INTE
GER,0, 0xDB94-0xD5C0, STACK_ALL_LEVEL_RANGE},
{{"_shim_io_connect_method_scalarI_structureI",STACK_ANY_INTEGER},STACK_ANY_INTEG
ER,0, 0xEA97-0xE490, STACK_ALL_LEVEL_RANGE},
{{"_shim_io_connect_method_structureI_structureO",STACK_ANY_INTEGER},STACK_ANY_IN
TEGER,0, 0xF588-0xF270, STACK_ALL_LEVEL_RANGE},
{{"_is_io_connect_method",STACK_ANY_INTEGER},STACK_ANY_INTEGER,0,
0xb2a9-0xaf10,STACK_ALL_LEVEL_RANGE},
}
Implementation – Stack Frame
Sample
29. • Enlightenment for code review
• Buggy module, interface for RE……
• The Pattern accumulated in bug hunting
activities
• No vulnerability but indicates
suspicious vulnerability
• Implemented through condition checker
Implementation – What Is Context?
30. • Some IOKit related memory corruption
vulnerabilities may happen in the following
context:
• Call IOMemoryDescriptor :: createMappingInTask
to mapping user mode buffer space to kernel
mode.
• Read a value from the buffer and use it as a size to
read or write a buffer.
• Some kernel information leak vulnerability
may happen in the following context:
• The output buffer’s content has 0xFFFFFF prefix.
Implementation – Context Sample
31. • Fuzzing Source:
• Multiple applications
• AppStore (MMORPG games, FaceTime,USB hardisk, BlueTooth, Wifi,
VM,DirectX…)
• Virus Total, Apple OpenSource UT, github sample code
• Combination of rich kind of fuzzing source
• Active fuzzing, Python watchdog, browsing WebGL
• Fuzzing Stability:
• Bypass active hang, black screen, reproduced cases using
condition checker(nvTestlaSurfaceTesla, IGAccelGLContext,
IGAccelSurface…)
Best Practice – For Passive 1/3
32. • Reproduction:
• Log through network
• Log to NVRAM? Log to memory and kdp_panic_dump
callback?
• Core dump server
• sh-3.2# nvram boot-args=”pmuflags=1 debug=0xd44 kext-dev-mode=1 kcsuffix=development –
v _panicd_ip=10.64.80.106”
• Thunderbolt+fwkdp+lldb
• Automation
• kdp_panic_dump callback+dump+reboot?
Best Practice – For Passive 2/3
33. Miscellaneous Tips
• Occasional fuzz activities recommended
• Normal program running – sudden fuzz
• Keep OS version updated with latest KDK
Best Practice – For Passive 3/3
35. Best Practice – For Active Fuzz 1/4
Active Fuzz Passive Fuzz
Researcher
[1]Provide more IOKit call
[2]Suspicious moudle/function manifest
[3]Context Pattern
[2]Suspicious moudle/function manifest
Code Reviewer
36. • Statistical data from passive fuzz
• Accessible user client, non-root, non-sandbox,
crash frequencies, crash types(UAF, OOB)…
• Contact API in lower level to bypass
unnecessary checks (if possible)
• Resolve Mac-O format, find symbol, hard-code offset
• e.g. IOServiceGetMatchingServices(mach_port_t, CFDictionaryRef, io_iterator_t
*)
->io_service_get_matching_services_bin(mach_port_t, char*,int, void*)
Best Practice – For Active 1/4
37. • Reproduce:
• No need to record your random call/random
parameter - just record your pseudorandom
number seed (E.g. Mt19937-64/Mt19937-32)
• The kernel crash is easily reproduced, no matter
how randomly you call API and fuzz parameters
Best Practice – For Active 2/4
38. seed = CrahsedCases[i]
for(randomSelect every kernel module)
for(randomSelect every interface)
APICall( randomByte() )
Best Practice – For Active 2/4
Pseudo code for reproduce
39. for (every fuzz session)
seed = generate()
sendSeedOutside()
for(randomSelect every kernel module)
for(randomSelect every interface)
APICall( randomByte() )
Best Practice – For Active 3/4
Pseudo code for active fuzzing
40. • Reproduce:
• Web seed server for multiple connections
• One pseudorandom seed for a relatively short
fuzz cycle
Best Practice – For Active 4/4
41.
42. What We Will Cover
• Security Mitigation
§ Exploit Methods
• Exploit Practice
44. • Bypass KASLR
– Using vulnerability to leak kernel code segment
address in run time
– Build up payload with leaked API
(e.g. thread_exception_return)
• Bypass SMAP
– Using vulnerability to leak kernel heap address
– Build up ROP chain in kernel heap
– Kernel heap address would be needed
• Bypass SMEP
– Using vulnerability to execute RIP in kernel
– Execute ROP chain to disable SMEP/SMAP
– Payload execution
Exploit Methods
45. • The OSX/iOS hacking guru Stefan Esser
(@i0n1c) propose OSUnserializeXML is a
good way in SyScan 2012
h"ps://reverse.put.as/wp-content/uploads/2011/06/
SyScan2012_StefanEsser_iOS_Kernel_Heap_Armageddon.pdf
Tips of Heap FengShui
OSUnerializeXML()
46. • In most cases, the OSDictionary allocated by
OSUnserializeXML will be freed by
OSObject::release in one system call
。。。
However…
47. • If the allocated object is referenced by
another component, it will not be released
even if call object::release to it.
• IORegistry is a good choice for Heap
Fengshui
• So we find OSUnserializeXML invoking
nearby IORegistry method calling …
However…
48. • In IOKIT service IOMProotDomain , slector 7
(kPMSleepSystemOptions)
RootDomainUserClient::secureSleepSystemOptions
。。。
Always an exceptionJ
50. • CVE-2016-xxx :
This is typical UAF vulnerability in
AppleHDAEngineInput kernel module.
• CVE-2016-xxxx:
Another bug in the Disk image module can
leak an object address. The address exists in
kernel heap.
Bugs
51. payload
Ring3
Ring0
kernel
SMAP
SMEP
KASLR
kslide
Driver
Memory address – Disk Address
Call current_proc
Call proc_ucred
Call posix_cred_get
Call thread_exception_return
IOCommand
Exploit App
ROP Gadgets
mov cr4 rax; ret
Call payload
StackPivot
0x68
Object
0x108
AppleHDAEngineInput
IOHDIXHDDriveOutKernel
vtable_addr +0
+8
call [vtable+0]
[1]Leak kernel buffer IOCommand address
[3]Spray freed IOCommand
with OSData(StackPivot)
[2]Free IOCommand
[4]Free Object
[5]Spray freed Object with
OSData(leaked IOCommand and
ROP)
[0]Leak kslide to
build up payload
[6]Trigger execution
by use Object
Exploit Process 1/2