This document discusses EFI (Extensible Firmware Interface) and potential threats from EFI rootkits. It begins with an introduction to EFI and how it has replaced BIOS. It describes how EFI initializes systems at a low level and provides modular and feature-rich access. It then discusses potential malicious actions such as persisting across operating system reinstalls and bypassing full-disk encryption. It provides examples of real EFI rootkits and vulnerabilities discovered. It discusses tools and techniques for dumping and analyzing EFI contents, including the different regions stored in flash memory. Finally, it outlines the EFI boot process and programming interfaces.
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Richard wartell malware is hard. let's go shopping!!Shakacon
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
Android bootable recovery mode is a self-contained alternative boot mode that loads a tiny Linux environment onto a mobile device. While most stock devices are shipped with recoveries that fairly limited in nature, their use can be greatly extended with a little bit of effort. In this presentation, I will show you how to build your own custom recovery for your Android device. This can be used towards a number of interesting security related goals such as: penetration testing, forensics, data acquisition, bypassing security controls, modifying software, Android development and in some cases provides a direct exploitation route into a device. Using a variety of commonly available tools, attendees will learn how to deconstruct and inspect a number of different boot and recovery software implementations and rapidly begin compiling their own custom tools.
The intent is for an attendee to understand the scope and capabilities of Android bootable firmware and learn how to rapidly develop their own custom software for a variety of different purposes. Additionally, it teaches attendees how to look for flaws in bootable firmware which help undermine the security of Android devices. Security research, vulnerability testing, data acquisition and modification, bypassing security controls and platform testing are all intended goals and uses of a custom Android recovery firmware. By the end of the talk, an attendee should have acquired enough knowledge to start making useful tools for security's many needs.
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools.
PowerPoint File:
https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disastersinfodox
This talk discusses vulnerabilities involving poor implementations of the TR-069 and TR-064 protocols on both the CPE (Consumer Premises Equipment) end and on the ISP's end of the whole flaming pile of crap - the ACS (Auto Configuration Service) system.
Topics discussed include the TR-064 "TR-06FAIL" command injection vulnerability exploited by the "Annie" Mirai variant in late 2016, with a nod to previous issues discovered such as Misfortune Cookie. It then goes on to discuss the total shit show that is the entire TR-XXX ecosystem of protocols by demonstrating that there is also a complete and total disregard for software security and proper development practices on the other end, by showing off an (zero day at time of talk) exploit in the FreeACS implementation of an ACS server which allows for total remote compromise of the ACS, along with abusing it as a command and control system to hijack all of the CPE devices associated with it.
This is the first in a series of talks on the matter. There will be sequels. There will be more bugs. There will be ISP engineers working massive overtime. There will be tears, and blood, and whiskey.
Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015CODE BLUE
A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them.
This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun.
Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.
The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.
And as was recently shown by the author, more advanced malware could piggyback into legitimate webcam sessions in order to covertly record the local user. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.
After examining various ‘webcam-aware’ OS X malware samples and describing the technical details of the piggyback attack, the talk will dive into OverSight.
OverSight is a free tool that implements various novel protection mechanisms in order to alert Mac users of any code that attempts to access the mic or webcam (even via the stealthy piggyback attack). We’ll dive into the design and technical details of tool, describing various components for the first time.
Following this, we’ll look at an interesting case study, where OverSight discovered that a popular mac application was continuing to record, even when the user turned it off. Yikes! Finally, the talk will conclude by discussing future trends of both webcam/mic aware macOS malware and defensive detection methodologies. With such insights, we’ll strive to keep macOS users protected and secure!
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario, where the hacker/penetration-tester has deployed a malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.) On top of that, the server runs application white-listing, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them are endless, e.g., communicating with bind-shell on webserver behind restricted DMZ. Beware, live demo and fun included!
Richard wartell malware is hard. let's go shopping!!Shakacon
Writing a successful, protected, targeted, malicious binary is a software development task that requires great skill. A well-written piece of targeted malware should evade anti-virus solutions, hide its network communications, protect itself against reverse engineering, and clean up any forensic evidence of its existence on the system. However, writing a mediocre piece of targeted malware that works most of the time is easy. There are many publicly available backdoors, downloaders, and keyloggers that require little to no expertise to use, and poorly trained malware authors try to roll their own all the time.
Working in malware detection and reverse engineering, I see some of the intelligent choices malware authors make, but more often I see the hilariously poor code they write. During this talk I will demonstrate how to reverse engineer real world malware. I will focus on samples with interesting and comical mistakes, as well as samples that are impressive and well written.
Breaking Vaults - Stealing Lastpass Protected Secrets by Martin VigoShakacon
LastPass is a popular password manager that integrates with browsers through plugins. One of the most interesting features is the fact that the encrypted vault is stored in LastPass' servers but they have no access to the content since the master password never leaves the user's machine. All encryption and decryption happens locally. Password managers are a single point of failure by design and therefore they need to be secure. A tool with the sole purpose of storing all your secrets is a important target for any attacker.
The most valuable piece of information is the master password. It is the key to decrypt the data and gain complete access. Research has been done on different attack vectors but the focus is on leaking passwords stored in the vault. This presentation will focus on how it is possible to steal and decrypt the master password. In addition, I will also demonstrate an additional attack vector that results in full access to the vault without the need of the master password. Two different attacks to achieve the same goal, full access to the vault. But given that LastPass supports 2 factor authentication, I will also demonstrate how to bypass it. Last but not least, I will release a Metasploit module that will automate the whole process. Stealing the master password, leaking the encryption key and bypassing 2 factor authentication.
How to Make Android's Bootable Recovery Work For You by Drew SuarezShakacon
Android bootable recovery mode is a self-contained alternative boot mode that loads a tiny Linux environment onto a mobile device. While most stock devices are shipped with recoveries that fairly limited in nature, their use can be greatly extended with a little bit of effort. In this presentation, I will show you how to build your own custom recovery for your Android device. This can be used towards a number of interesting security related goals such as: penetration testing, forensics, data acquisition, bypassing security controls, modifying software, Android development and in some cases provides a direct exploitation route into a device. Using a variety of commonly available tools, attendees will learn how to deconstruct and inspect a number of different boot and recovery software implementations and rapidly begin compiling their own custom tools.
The intent is for an attendee to understand the scope and capabilities of Android bootable firmware and learn how to rapidly develop their own custom software for a variety of different purposes. Additionally, it teaches attendees how to look for flaws in bootable firmware which help undermine the security of Android devices. Security research, vulnerability testing, data acquisition and modification, bypassing security controls and platform testing are all intended goals and uses of a custom Android recovery firmware. By the end of the talk, an attendee should have acquired enough knowledge to start making useful tools for security's many needs.
“The call to kill Adobe’s Flash in favour of HTML5 is rising...” This and similar statements mean that many web applications might now contain old and vulnerable SWF files as their developers have to concentrate on developing non-Flash contents. We may all hope that we never have to see Flash files ever again! However, as long as web browsers continue their support for Flash, web applications can be vulnerable to client-side issues and it is important for a penetration tester or a bug bounty hunter to have the right skills to find vulnerable SWF files. This presentation aids eager testers to identify security issues in the SWF files manually and automatically using certain techniques and tools.
PowerPoint File:
https://soroush.secproject.com/downloadable/flash_it_baby_v2.0.pptx
BSides Edinburgh 2017 - TR-06FAIL and other CPE Configuration Disastersinfodox
This talk discusses vulnerabilities involving poor implementations of the TR-069 and TR-064 protocols on both the CPE (Consumer Premises Equipment) end and on the ISP's end of the whole flaming pile of crap - the ACS (Auto Configuration Service) system.
Topics discussed include the TR-064 "TR-06FAIL" command injection vulnerability exploited by the "Annie" Mirai variant in late 2016, with a nod to previous issues discovered such as Misfortune Cookie. It then goes on to discuss the total shit show that is the entire TR-XXX ecosystem of protocols by demonstrating that there is also a complete and total disregard for software security and proper development practices on the other end, by showing off an (zero day at time of talk) exploit in the FreeACS implementation of an ACS server which allows for total remote compromise of the ACS, along with abusing it as a command and control system to hijack all of the CPE devices associated with it.
This is the first in a series of talks on the matter. There will be sequels. There will be more bugs. There will be ISP engineers working massive overtime. There will be tears, and blood, and whiskey.
Is there an EFI monster inside your apple? by Pedro Vilaça - CODE BLUE 2015CODE BLUE
A few months ago I publicly disclosed an Apple EFI firmware zero day. It was a very powerful bug allowing direct access to the EFI firmware from the operating system. EFI rootkits are some of the most powerful and most interesting rootkits. Because they work at a very low level they can play a lot of tricks to hide themselves from forensics and persist for a long time. EFI monsters are a bit like jaguars, stealthy and rarely seen by humans. This doesn't mean they do not exist. EFI monsters are most certainly part of spy agencies rootkits catalog. Very few tools exist to chase them.
This talk is about introducing you to the EFI world so you can also start to chase these monsters. EFI world might look scary but it's a bit easier than you think and a lot of fun.
Thunderstrike 2 (to be presented at BlackHat) is a fine example of the power of EFI rootkits and the problems they present.
The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
One of the most insidious actions of malware is abusing the video and audio capabilities of an infected host to record an unknowing user. Macs of course, are not immune; malware such as OSX/Eleanor, OSX/Crisis, and others, all attempt to spy on OS X users.
And as was recently shown by the author, more advanced malware could piggyback into legitimate webcam sessions in order to covertly record the local user. As there are no visible indications of this malicious activity (as the LED light is already on), the malware can record both audio and video without fear of detection.
After examining various ‘webcam-aware’ OS X malware samples and describing the technical details of the piggyback attack, the talk will dive into OverSight.
OverSight is a free tool that implements various novel protection mechanisms in order to alert Mac users of any code that attempts to access the mic or webcam (even via the stealthy piggyback attack). We’ll dive into the design and technical details of tool, describing various components for the first time.
Following this, we’ll look at an interesting case study, where OverSight discovered that a popular mac application was continuing to record, even when the user turned it off. Yikes! Finally, the talk will conclude by discussing future trends of both webcam/mic aware macOS malware and defensive detection methodologies. With such insights, we’ll strive to keep macOS users protected and secure!
Introduction to SDN: Software Defined NetworkingAnkita Mahajan
SDN is the next big thing in networking. It focuses on separating the intelligence from the hardware. OpenFlow is one of the ways (currently the open standard followed by all Datacenters) to implement SDN.
Introduction to Software Defined Networking (SDN)rjain51
Class lecture by Prof. Raj Jain on Introduction to . The talk covers Origins of SDN, What is SDN?, Original Definition of SDN, What = Why We need SDN?, SDN Definition, XMPP, XMPP in Data Centers, Path Computation Element, PCE, Forwarding and Control Element, Sample ForCES Exchanges, Application Layer Traffic Optimization, ALTO, ALTO Extension, Current SDN Debate: What vs. How?, SDN Controller Functions, RESTful APIs, OSGi Framework, Open Daylight SDN Controller, OpenDaylight Tools, Affinity Metadata Service, SDN Related Organizations and Projects, SDN Web Sites, Hierarchy of Operations, Introduction to, Origins of SDN, What is SDN?, Original Definition of SDN, What = Why We need SDN?, SDN Definition, XMPP, XMPP in Data Centers, Path Computation Element, PCE, Forwarding and Control Element, Sample ForCES Exchanges, Application Layer Traffic Optimization, ALTO, ALTO Extension, Current SDN Debate: What vs. How?, SDN Controller Functions, RESTful APIs, OSGi Framework, Open Daylight SDN Controller, OpenDaylight Tools, Affinity Metadata Service, SDN Related Organizations and Projects, SDN Web Sites. Video recording available in YouTube.
Software-Defined Networking SDN - A Brief IntroductionJason TC HOU (侯宗成)
Internet Research Lab at NTU, Taiwan.
Software-Defined Networking overview and framework introduction. (ppt slide for download.) Comparing server virtualization and network virtualization, take Onix controller as an example. A quick view to LightRadio from Alcetel-Lucent.
CODE BLUE 2014 : BadXNU, A rotten apple! by PEDRO VILAÇACODE BLUE
You got root access in OS X and now what?
Apple introduced mandatory code signing for kernel extensions in the new Yosemite version.
You are too cheap to buy a code signing certificate, or your OPSEC is against this?
You can't or don't want to steal someone's else certificate?
This presentation is about solving these problems with techniques that allow you to bypass all code signing requirements and regular kernel extensions loading interfaces.
The goal is to convince you that code signing isn't a serious obstacle in OS X, especially when its design is flawed and public known vulnerabilities remain "unpatched".
And if bad designs and vulnerabilities aren't enough then I'll also show you how to (ab)use an OS X feature for the same evil purposes.
The only requirement for this talk is uid=0(root). Well, the world isn't perfect!
My presentation for Google Developer Group San Francisco. Step-by-step guide to turning a ThinkPad X220 into a Chromium OS Android development machine. Covers flashing modified Coreboot firmware, building and installing Chromium OS from source, and hardware upgrades.
Updated slides at https://goo.gl/ivaugY
Slide deck for my presentation at the Google Developer Group San Francisco. Step-by-step guide to turning a ThinkPad X220 into a Chromium OS Android development machine. Covers hardware, firmware and software upgrades. Dynamic up-to-date slides at https://goo.gl/ivaugY
No locked doors, no windows barred: hacking OpenAM infrastructureAndrew Petukhov
One of the main functional components of enterprise applications and Internet portals is an authentication and access control system (AuthC/Z). In this presentation, we describe a popular access control system called ForgeRock OpenAM from the external security point of view. We show the scenarios of full enterprise application compromise through complex attacks which employ both LFI and SSRF.
You're Off the Hook: Blinding Security SoftwareCylance
User-mode hooking is dead. It’s also considered harmful due to interference with OS-level exploit mitigations like Control Flow Guard (CFG). At BlackHat US 2016, the “Captain Hook” talk revealed there were multiple serious security issues in AV hooking — we will put the final nail in the coffin by showing how trivial it is to bypass user-mode hooks. We will demonstrate a universal user-mode unhooking approach that can be included in any binary to blind security software from monitoring code execution and perform heuristic analysis. The tool and source code will be released on GitHub after the talk.
Alex Matrosov | Principal Research Scientist
Jeff Tang | Senior Security Researcher
Wherein I install OpenWRT on to an inexpensive TP-Link pocket router, install perl and attempt to smoke CPAN.
I also introduce OpenWRT in possibly too much detail, and dont really explain what smoking CPAN is.
Karl Grzeszczak: September Docker Presentation at MediaflyMediafly
Karl Grzeszczak's deck from the September Chicago Docker meetup. Karl explains how he has explored some of the pros and cons of CoreOS, and using CoreOS in tandem with Docker.
They're All Scorpions - Successful SecOps in a Hostile Workplace - Pete Herzo...44CON
Your job is to secure operations. But nobody listens to you. There’s no budget. Management keeps making bad security decisions that seem to sabotage your efforts. Do you flee or do you try harder? The security books, blogs, and tweeting pundits out there tell us we need to learn the language of business. We need to put risk in terms of money that management understands. We need to be like the management we’re trying to protect. And that’s where it all falls apart. The security to business relationship is often textbook abusive codependency. You do well and nobody notices. You fail and you get fired or worse- shamed by your peers over social media for whatever the company releases as the statement for the breach. So how do you do SecOps under those conditions? This talk will focus on new ways to approach SecOps to face the challenges you have today with business demands. We will look at new security research that will make a difference for how you do your job. Most of all we will show you technical security practices to help you sustain your new found stance.
How to Explain Post-Quantum Cryptography to a Middle School Student - Klaus S...44CON
One of the hottest topics in current crypto research is Post-Quantum Cryptography. This branch of cryptography addresses asymmetric crypto systems that are not prone to quantum computers.
Virtually all asymmetric crypto systems currently in use (Diffie-Hellman, RSA, DSA, and Elliptic Curve Crypto Systems) are not Post-Quantum. They will be useless, once advanced quantum computers will be available. Quantum computer technology has made considerable progress in recent years, with major organisations, like Google, NSA, and NASA, investing in it.
Post-Quantum Cryptography uses advanced mathematical concepts. Even if one knows the basics of current asymmetric cryptography (integer factorisation, discrete logarithms, …), Post-Quantum algorithms are hard to understand.
The goal of this presentation is to explain Post-Quantum Cryptography in a way that is comprehensible for non-mathematicians. Five families of crypto systems (as good as all known Post-Quantum algorithms belong to these) will be introduced:
Lattice-based systems:
The concept of lattice-based asymmetric encryption will be explained with a two-dimensional grid (real-world implementations use 250 dimensions and more). Some lattice-based ciphers (e.g., New Hope) make use of the Learning with Error (LWE) concept. I will demonstrate LWE encryption in a way that is understandable to somebody who knows Gaussian elimination (this is taught at middle school). Other lattice-based systems (especially NTRU) use truncated polynomials, which I will also explain in a simple way.
Code-based systems:
McEliece and a few other asymmetric ciphers are based on error correction codes. While teaching the whole McEliece algorithm might be too complex for a 44CON presentation, it is certainly possible to explain error correction codes and the main McEliece fundamentals.
Non-commutative systems:
There are nice ways to explain non-commutative groups and the crypto systems based on these, using everyday-life examples. Especially, twisting a Rubik’s Cube and plaiting a braid are easy-to-understand group operations a crypto system can be built on.
Multivariate systems:
Multivariate crypto can be explained to somebody who knows Gaussian elimination.
Hash-based signatures: If properly explained, Hash-based signatures are easier to understand than any other asymmetric crypto scheme.
I will explain these systems with cartoons, drawings, photographs, a Rubik’s Cube and other items.
In addition, I will give a short introduction to quantum computers and the current Post-Quantum Crypto Competition (organised by US authority NIST).
Using SmartNICs to Provide Better Data Center Security - Jack Matheson - 44CO...44CON
Data Center security has been forced to reinvent itself as software complexity increases, networking capabilities grow more agile, and attack complexity turns unmanageable. With this change, the need for security policy enforcement to be handled at the edge has pushed functionality onto host compute systems, resulting in inherent performance loss and security weakness due to consolidation of resources.
In the first part of the talk we will be presenting a SmartNIC-based model for data-center security that solves both the performance problem and the security problems of edge-centric policy models. The model features a more robust isolation of responsibilities, superior offload capabilities, significantly better scaling of policy, and unique visibility opportunities.
To illustrate this, we present a SmartNIC-based reference architecture for network layout, as well as examples of SmartNIC security controls and their resulting threat models.
The second part of the talk will unveil a new innovative technique for tamper proof host introspection as SmartNICs are in a unique position to analyze and inspect the memory of the host to which they are attached. Normally, this functionality is reserved for a hypervisor, where it is known as ‘guest introspection’ or ‘virtual-machine introspection’. With host introspection, security controls no longer live in the hypervisor, but on the SmartNIC itself, on a separate trust domain. In this way, the visibility normally achieved with guest introspection can be performed for the entire host memory in an isolated and secure area. In order for host introspection to work in the same way as guest introspection, memory is DMA transferred in bursts over the PCI-e bus that attaches the SmartNIC to the host. As this method can be subverted to hide unwanted software, we will demonstrate a novel approach to tamper proof the acquisition of memory and for performing live introspection.
Host introspection complements the network controls implemented using the SmartNIC by enabling the measurement of the integrity and the behavior of workloads (virtual machines, containers, bare metal servers) to identify possible indicators of compromise. The visibility and context gained also enhances the granularity of network controls, resulting in measurably better security for the data center compared to traditional software-only based controls.
JARVIS never saw it coming: Hacking machine learning (ML) in speech, text and...44CON
Exploits, Backdoors, and Hacks: words we do not commonly hear when speaking of Machine Learning (ML). In this talk, I will present the relatively new field of hacking and manipulate machine learning systems and the potential these techniques pose for active offensive research.
The study of Adversarial ML allows us to leverage the techniques used by these algorithms to find weak points and exploit them in order to achieve:
Unexpected consequences (why did it decide this rifle is a banana?)
Data leakage (how did they know Joe has diabetes)
Memory corruption and other exploitation techniques (boom! RCE)
Influence the output
In other words, while ML is great at identifying and classifying patterns, an attacker can take advantage of this and take control of the system.
This talk is an extension of research made by many people, including presenters at DefCon, CCC, and others – a live demo will be shown on stage!
Garbage In, RCE Out :)
Reverse Engineering and Bug Hunting on KMDF Drivers - Enrique Nissim - 44CON ...44CON
Numerous technical articles, presentations, and even books exists about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times. Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, its common structures, and how to identify its entry points. Then I’ll introduce KMDF with all its relevant functions for reverse engineering through a set of case-studies. I’ll describe how to interact with a KMDF device object through SetupDI api and how to find and analyze the different IO queues dispatch routines. Does the framework actually enhances security? We’ll come to a conclusion after revealing some major vendor implementation problems.
Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
The UK's Code of Practice for Security in Consumer IoT Products and Services ...44CON
In March 2018, the UK launched its Secure by Design report in order to help defend against security threats, especially for consumer Internet of Things products and services. Over the past few years, poorly secured IoT devices have been hijacked in both targeted as well as large-scale DDoS attacks such as Mirai. In addition to this, poor security can threaten both privacy and safety.
The speaker, David Rogers authored the UK’s ‘Code of Practice for Security in Consumer IoT Products and Associated Services’, in collaboration with DCMS, NCSC, ICO and industry colleagues with extensive support from the security research community. David will discuss the guidelines within the Code of Practice, why these were prioritised and why the top three became dealing with the password problem, implementing vulnerability disclosure and acting on it and addressing software updates. David will also look at what’s next: what will the challenges be and will the Code of Practice succeed in its aims? How can IoT products possibly be certified and how will the threat landscape change in response to improving security?
Weak analogies make poor realities – are we sitting on a Security Debt Crisis...44CON
Cyber Security is often framed in terms of ‘Risk’- the possibility of suffering harm or loss – and the ‘Management’ of Risk to reduce uncertainty. This is familiar territory for businesses. Cyber Security falls in neatly under Risk Management, is assigned a suitable place on the organigramme, tossed some spare budget and granted a few paragraphs in the board report. NIST defines Risk as a ‘function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organisation’.
Key theme:
This presentation explores the idea that making cyber security analogous to risk is holding us back. How about we talk about security ‘debt’ instead? Technical Debt is already a well understood concept in software development – the cost of additional rework caused by choosing an easy solution now instead of using a better approach that would take longer or cost more. Changing our language changes how we think and how we behave. This presentation argues that such a change could have a significant impact on software security.
In this presentation we will comment on the power of ‘analogies’ and how they’ve shaped our industry. We’ll then consider the difference between the ‘security as risk’ and the ‘security as debt’ paradigms and explore how changing paradigms may change the way we think about, talk about and measure software security. We believe this could have a very empowering effect on development managers and other security professionals who are struggling to articulate the relative benefits of security (or a lack of security) to a software product.
Con speakers fear the Nerf gun. Overrun your talk time at your peril; Steve will shoot your arse with extreme prejudice until you STFU. We had to find a way to pwn the gun and shoot him back.
That’s when we found the Nerf Terrascout: a remote tank gun controlled over 2.4GHz, with a video feed to the remote, complete with crosshairs.
At first, we thought this would be a trivial job: figure out the RF and take control. It turned in to a mammoth hardware, firmware and RF reversing project.
This puppy is so over-specced it would drive you to tears.
The talk will cover the fails, hair loss and eventual success. There won’t be any smart dildos in it, though some of the techniques used are equally suited to teledildonics exploitation, if that’s your thing.
Reversing RF in a high frequency environment using SDRs is challenging. We’ll discuss how we worked around these issues using hardware reversing skills.
We had to import hardware from China for this project, which we could then programme ourselves using SPI, impersonate the legitimate controller and ‘jack the tank gun.
This talk will of course include a live demonstration of hijacking the tank gun and (possibly) shooting Steve.
Security module for php7 – Killing bugclasses and virtual-patching the rest! ...44CON
Presented by: Julien Voisin and Thibault Koechlin
Suhosin is a great PHP module, but unfortunately, it’s getting old, new ways have been found to compromise PHP applications, and some aren’t working anymore; and it doesn’t play well with the shiny new PHP 7. As a secure web-hosting company, we needed a reliable and future-proof solution to address the flow of new vulnerabilities that are published every day. This is why we developed Snuffleupagus, a new (and open-source!) PHP security module, that provides several features that we needed: passively killing several PHP-specific bug classes, but also implementing virtual-patching at the PHP level, allowing to patch vulnerabilities in a precise, false-positive-free, ultra-low overhead way, without even touching the applications’ code.
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
PHP Frameworks: I want to break free (IPC Berlin 2024)Ralf Eggert
In this presentation, we examine the challenges and limitations of relying too heavily on PHP frameworks in web development. We discuss the history of PHP and its frameworks to understand how this dependence has evolved. The focus will be on providing concrete tips and strategies to reduce reliance on these frameworks, based on real-world examples and practical considerations. The goal is to equip developers with the skills and knowledge to create more flexible and future-proof web applications. We'll explore the importance of maintaining autonomy in a rapidly changing tech landscape and how to make informed decisions in PHP development.
This talk is aimed at encouraging a more independent approach to using PHP frameworks, moving towards a more flexible and future-proof approach to PHP development.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
The Art of the Pitch: WordPress Relationships and SalesLaura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if sometime changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Welocme to ViralQR, your best QR code generator.ViralQR
Welcome to ViralQR, your best QR code generator available on the market!
At ViralQR, we design static and dynamic QR codes. Our mission is to make business operations easier and customer engagement more powerful through the use of QR technology. Be it a small-scale business or a huge enterprise, our easy-to-use platform provides multiple choices that can be tailored according to your company's branding and marketing strategies.
Our Vision
We are here to make the process of creating QR codes easy and smooth, thus enhancing customer interaction and making business more fluid. We very strongly believe in the ability of QR codes to change the world for businesses in their interaction with customers and are set on making that technology accessible and usable far and wide.
Our Achievements
Ever since its inception, we have successfully served many clients by offering QR codes in their marketing, service delivery, and collection of feedback across various industries. Our platform has been recognized for its ease of use and amazing features, which helped a business to make QR codes.
Our Services
At ViralQR, here is a comprehensive suite of services that caters to your very needs:
Static QR Codes: Create free static QR codes. These QR codes are able to store significant information such as URLs, vCards, plain text, emails and SMS, Wi-Fi credentials, and Bitcoin addresses.
Dynamic QR codes: These also have all the advanced features but are subscription-based. They can directly link to PDF files, images, micro-landing pages, social accounts, review forms, business pages, and applications. In addition, they can be branded with CTAs, frames, patterns, colors, and logos to enhance your branding.
Pricing and Packages
Additionally, there is a 14-day free offer to ViralQR, which is an exceptional opportunity for new users to take a feel of this platform. One can easily subscribe from there and experience the full dynamic of using QR codes. The subscription plans are not only meant for business; they are priced very flexibly so that literally every business could afford to benefit from our service.
Why choose us?
ViralQR will provide services for marketing, advertising, catering, retail, and the like. The QR codes can be posted on fliers, packaging, merchandise, and banners, as well as to substitute for cash and cards in a restaurant or coffee shop. With QR codes integrated into your business, improve customer engagement and streamline operations.
Comprehensive Analytics
Subscribers of ViralQR receive detailed analytics and tracking tools in light of having a view of the core values of QR code performance. Our analytics dashboard shows aggregate views and unique views, as well as detailed information about each impression, including time, device, browser, and estimated location by city and country.
So, thank you for choosing ViralQR; we have an offer of nothing but the best in terms of QR code services to meet business diversity!
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™UiPathCommunity
In questo evento online gratuito, organizzato dalla Community Italiana di UiPath, potrai esplorare le nuove funzionalità di Autopilot, il tool che integra l'Intelligenza Artificiale nei processi di sviluppo e utilizzo delle Automazioni.
📕 Vedremo insieme alcuni esempi dell'utilizzo di Autopilot in diversi tool della Suite UiPath:
Autopilot per Studio Web
Autopilot per Studio
Autopilot per Apps
Clipboard AI
GenAI applicata alla Document Understanding
👨🏫👨💻 Speakers:
Stefano Negro, UiPath MVPx3, RPA Tech Lead @ BSP Consultant
Flavio Martinelli, UiPath MVP 2023, Technical Account Manager @UiPath
Andrei Tasca, RPA Solutions Team Lead @NTT Data
8. Why EFI?
§ BIOS replacement.
§ Initially developed by Intel.
§ http://www.intel.com/content/www/us/en/
architecture-and-technology/unified-extensible-
firmware-interface/efi-specifications-general-
technology.html
§ Now UEFI, managed by UEFI consortium.
§ http://www.uefi.org
9. Why EFI?
§ Initializes your machine.
§ Access to low level features.
§ Modular.
§ Feature rich.
§ Rather easy development.
10.
11. What evil things can we do?
§ Diskless rootkits.
§ Persist across operating system reinstalls.
§ Bypass full-disk encryption.
§ And so on...
12. What evil things can we do?
§ Rootkit data resident in flash chip.
§ Unpack and patch kernel on boot.
§ RAM only, never touch hard-disk.
§ “Hard” to detect with some anti-forensics.
§ Check Snare’s 2012 presentation.
13. What evil things can we do?
§ HackingTeam built a UEFI rootkit.
§ https://github.com/hackedteam/vector-edk
§ https://github.com/informationextraction/
vector-edk/blob/master/MdeModulePkg/
Application/fsbg/fsbg.c
§ Goal was persistence across reinstalls.
14. What evil things can we do?
§ Attack full-disk encryption
§ Install a keylogger.
§ Recover FileVault2 password.
15. What evil things can we do?
§ Attack “secure” operating systems
§ For example, Tails.
§ Recover PGP keys and/or passphrases.
§ https://www.youtube.com/watch?
v=sNYsfUNegEA.
16. What evil things can we do?
§ Bootloader
§ Redirect to a custom bootloader.
§ SMM backdoors
§ http://blog.cr4.sh/2015/07/building-reliable-
smm-backdoor-for-uefi.html
17.
18.
19.
20.
21.
22. A zero day story…
§ Firmware related zero day.
§ Disclosed a few months ago.
§ https://reverse.put.as/2015/05/29/the-
empire-strikes-back-apple-how-your-mac-
firmware-security-is-completely-broken/
23. A zero day story…
§ Failure to lock the flash.
§ Write to the flash from userland.
§ Similar to Thunderstrike but better.
§ Thunderstrike requires physical access.
§ Prince Harming allows remote attack.
24.
25. A zero day story…
§ Extremely simple to trigger.
§ Put machine to sleep.
§ Close, wait for fans to stop, and reopen.
§ Or force sleep with “pmset sleepnow”.
26. A zero day story…
§ Sandy Bridge and Ivy Bridge Macs are
vulnerable.
§ Haswell or newer are not.
§ All older machines are vulnerable
§ Core 2 Duo or older.
§ No flash protections at all.
27. A zero day story…
§ Available updates:
MacBook Air MacBook Pro Mac Mini Mac Pro iMac
4,1 8,1 5,1 6,1 12,1
5,1 9,1 6,1 13,1
6,1 10,1 7,1 14,1
7,1 10,2 14,2
11,1 14,3
11,2 14,4
11,4 15,1
12,1
28. A zero day story…
§ Reversing and understanding the
vulnerability.
§ https://reverse.put.as/2015/07/01/reversing-
prince-harmings-kiss-of-death/
§ Contains links to relevant EFI
documentation.
29. A zero day story…
§ Venamis aka Dark Jedi was also patched.
§ http://events.ccc.de/congress/2014/Fahrplan/
events/6129.html
§ http://blog.cr4.sh/2015/02/exploiting-uefi-
boot-script-table.html
§ Slightly more complex, same results.
30. A zero day story…
§ The story doesn’t end here.
§ Check ThunderStrike 2 slides.
§ Other unpatched remote attack vectors.
35. Where is EFI?
§ Usually stored in a CMOS serial flash.
§ Two popular chips
§ Macronix MX25L6406E.
§ Micron N25Q064A.
§ SPI compatible.
§ Most are 64 Mbits/8 Mbytes.
41. Where is EFI?
§ Easy access on some models.
§ Retinas 15” are the easiest.
§ Extensive disassembly required on others.
§ Still, a MacBook Pro 8,1 can be
disassembled in 5 mins or less.
42. Where is EFI?
§ Most chips are 8 pin SOIC.
§ SMD or BGA versions used?
§ Retinas 13”?
§ New MacBook 12”?
43. Where is EFI?
§ Newer machines flash chip(s)
§ Winbond W25Q64FV.
§ Chip list from EfiFlasher.efi:
SST 25VF080 Macronix 25L1605 ST Micro M25P16 WinBond 25X32
SST 25VF016 Macronix 25L3205 ST Micro M25P32 Winbond 25X64
SST 25VF032 Macronix 25L6436E Eon M25P32 Winbond 25X128
SST 25VF064 Atmel 45DB321 Eon M25P16 Numonyx N25Q064
44. Where is EFI?
§ You can buy the chips bulk and cheap.
§ Useful for flashing experiments.
§ Good results from Aliexpress.com.
§ Around $14 for 10 N25Q064A.
§ Around $8 for 10 MX25L640E.
45.
46. How to dump EFI
§ Hardware
§ The best and most reliable way.
§ Trustable.
§ Software
§ Possible if chip supported by flashrom.
§ Not (very) trustable.
47. Hardware
§ Any SPI compatible programmer.
§ http://flashrom.org/Supported_programmers
§ I use Trammell Hudson’s SPI flasher.
§ https://trmm.net/SPI
57. Hardware
§ Linux works best to write the flash.
§ Some issues with OS X version.
§ pv or serial driver issues?
§ http://www.ivarch.com/programs/pv.shtml
59. Software
§ DarwinDumper.
§ Contains binary versions of flashrom and
DirectHW.kext.
§ Kernel extension is not code signed.
§ (Still) Whitelisted by Apple.
65. Software
§ Good enough to play around.
§ Mostly useless to chase (U)EFI rootkits.
§ Unless it is made by HackingTeam.
§ Their version makes no attempt to hide itself
from software dumps.
71. Descriptor region
§ Location of other regions.
§ Access permissions.
§ OS/BIOS shouldn’t access ME region.
§ VSCC configures ME flash access.
72. Intel ME region
§ A CPU inside your CPU J.
§ Runs Java.
§ Can be active with system powered off.
§ Out of band network access!
§ No access from BIOS and OS.
73. Intel ME region
§ Mostly a blackbox.
§ Three presentations by Igor Skochinsky.
§ Definitely requires more research!
§ Unpacker
§ http://io.smashthestack.org/me/
74. Intel ME region
§ Rootkit in your laptop: Hidden code in
your chipset and how to discover what
exactly it does
§ Intel ME Secrets
§ Intel ME: Two years later
§ https://github.com/skochinsky/papers
75. BIOS region
§ Contains
§ EFI binaries for different phases.
§ NVRAM.
§ Microcode (not for some models).
§ Each on its own firmware volume (FVH).
76.
77.
78. BIOS region
§ Everything is labeled with a GUID.
§ No filenames.
§ Many GUID can be found in EFI specs.
§ Others are vendor specific/private.
79.
80.
81. EFI Boot Phases
§ Different initialization phases.
§ Make resources available to next phase.
§ Memory for example.
85. The PEI/DXE Dispatchers
§ PEI and DXE phases have a dispatcher.
§ Guarantees dependencies and load
order.
§ Dependency expressions.
§ Available as a section.
90. EFI file types
§ Two executable file types.
§ PE32/PE32+ (as in Windows).
§ TE – Terse Executable.
§ 16/32/64 bit code, depending on phase.
91. TE file format
§ TE is just a stripped version of PE.
§ Unnecessary PE headers are removed.
§ To save space.
§ Used by SEC and PEI phase binaries.
92. TE file format
§ IDA unable to correctly disassemble.
§ Fails to parse the TE headers.
§ Afaik, still not fixed in 6.8.
§ Solution is to build your own TE loader.
§ Easier than you think J.
93.
94. EFI Services
§ No standard libraries to link against.
§ Instead there are services.
§ Basic functions made available on each
phase.
§ Access via function pointers.
101. Calling conventions
§ 32-bit binaries use standard C convention
§ Arguments passed on the stack.
§ SEC/PEI phase binaries.
102.
103. Calling conventions
§ 64-bit binaries use Microsoft’s x64
§ First four arguments: RCX, RDX, R8, R9.
§ Remaining on the stack.
§ 32-byte shadow space on stack.
§ First stack argument starts at offset 0x20.
§ DXE phase binaries.
104.
105.
106. Protocols & PPIs
§ The basic services aren’t enough.
§ How are more services made available?
§ Via Protocols and PPIs.
§ Installed (published) by EFI binaries.
§ Others can locate and use them.
107. Protocols & PPIs
§ Protocol (and PPI) is a data structure.
§ Contains an identification, GUID.
§ Optionally, function pointers and data.
108.
109. Protocols & PPIs
§ Protocols exist in DXE phase.
§ PPIs exist in PEI phase.
§ In practice we can assume they are
equivalent.
116. Apple EFI customizations
§ Apple specific modifications.
§ To reserved fields.
§ Must be taken care of.
§ Else bricked firmware.
§ UEFITool v0.27+ handles everything.
117.
118. Apple EFI customizations
§ The first 8 bytes.
§ Constant between firmware volumes with
the same GUID.
§ Changes between versions?
§ Unknown meaning, doesn’t seem
relevant.
119. Apple EFI customizations
§ Next 4 bytes.
§ CRC32 value.
§ Of the firmware volume contents.
§ By spec, header got its own 16-bit
checksum.
120.
121.
122. Apple EFI customizations
§ Last 4 bytes.
§ Total space used by firmware files.
§ Must be updated if there are any
modifications to volume free space.
§ Bricked firmware if wrong.
127. How to find EFI monsters
§ Dump the flash contents.
§ Via hardware, if possible.
§ Have a known good image.
§ A previously certified/trusted dump.
§ Or firmware updates.
128. How to find EFI monsters
§ Firmware updates available from Apple.
§ Direct downloads.
§ https://support.apple.com/en-us/HT201518
§ Or combined with OS installer or updates.
§ No hashes from Apple available (yet).
129. How to find EFI monsters
§ Only useful for machines with available
updates.
§ Newly released machines need to wait
for a firmware update.
130. How to find EFI monsters
§ Firmware & signatures vault
§ https://github.com/gdbinit/firmware_vault
§ Signed by my PGP key.
§ Extracted from available Apple updates.
§ Soon, the SMC updates.
131. How to find EFI monsters
§ Two file formats used for updates.
§ SCAP (most common).
§ FD (some newer and older models).
§ UEFITool can process both.
132. SCAP
§ EFI Capsule.
§ Used to deliver updates.
§ Recommended delivery mechanism.
§ Composed by firmware volumes.
§ Flash dumps parser can be reused.
137. SCAP
§ SCAP is signed.
§ RSA2048 SHA256.
§ Apple backported from UEFI.
§ First reported by Trammell Hudson.
138.
139. How to find EFI monsters
§ Compare the flash dump against SCAP.
§ Locate all EFI binaries in the dump.
§ Checksum against SCAP contents.
140. How to find EFI monsters
§ We also need to verify:
§ New files.
§ Missing files.
§ Free/padding space?
141. How to find EFI monsters
§ Verify NVRAM contents!
§ Boot device is stored there.
§ HackingTeam had a new variable there.
§ A simple “fuse” to decide to infect or not
target system.
144. How to find EFI monsters
§ Don’t forget boot.efi.
§ Not very stealth.
§ Always keep in mind that sophistication is
not always required!
§ If it works, why not?
145. How to find EFI monsters
§ SCAP is used by EfiFlasher.
§ We can stitch our own firmware.
§ Extract files from SCAP and build it.
§ Reflash via SPI.
§ Assumption that SCAP is legit.
146. How to find EFI monsters
§ Stitch utility still in TODO list.
§ Potential issues:
§ NVRAM contents?
§ Serial numbers?
§ Use current dump and just replace
binaries?
147.
148. Conclusions
§ (U)EFI rootkits aren’t unicorns.
§ Although they are very rare.
§ Honestly, we don’t know what’s out there.
§ HackingTeam developed one in 2014.
§ Although it was too simple and not
advanced.
149. Conclusions
§ Chasing them requires hardware.
§ Disassembling computers monthly is not
scalable/efficient/viable.
§ How to deal with this at enterprise level?
150. Conclusions
§ Vendors are usually slow releasing
updates.
§ If they ever do it.
§ Check legbacore.com work.
151. Conclusions
§ SMC is another interesting chip.
§ Alex Ionescu and Andrea Barisani did
some work in this area.
§ Great rootkit possibilities?
163. Conclusions
§ Acer C720 & C720P Chromebook.
§ https://www.chromium.org/chromium-os/
developer-information-for-chrome-os-
devices/acer-c720-chromebook
§ #7 is a write-protect screw.
164. Conclusions
§ Might require new hardware design?
§ NVRAM needs to be writable.
§ An independent flash chip for writable
regions?
§ BOM/space restrictions?
165. Conclusions
§ Apple has a great opportunity here.
§ Full control of design and supply chain.
§ Can improve designs.
§ Can force faster updates.
§ Only matched by Chromebook?
169. A day full of possibilities!
Let's go exploring!
170. References
§ Images from images.google.com. Credit due to all their authors.
§ Thunderstrike presentation
§ https://trmm.net/Thunderstrike_31c3
§ Thunderstrike 2 presentation
§ https://trmm.net/Thunderstrike_2
§ Snare EFI rootkits presentations
§ https://reverse.put.as/wp-content/uploads/2011/06/
De_Mysteriis_Dom_Jobsivs_-_Syscan.pdf
§ https://reverse.put.as/wp-content/uploads/2011/06/
De_Mysteriis_Dom_Jobsivs_Black_Hat_Slides.pdf
§ Legbacore.com papers and presentations
§ http://legbacore.com/Research.html
171. References
§ Alex Ionescu, Ninjas and Harry Potter: “Spell”unking in Apple SMC
Land
§ http://www.nosuchcon.org/talks/2013/D1_02_Alex_Ninjas_and_Harry_Potter.pdf
§ Alex Ionescu, Apple SMC The place to be definitely For an implant
§ https://www.youtube.com/watch?v=nSqpinjjgmg
§ Andrea Barisani, Daniele Bianco, Practical Exploitation of Embedded
Systems
§ http://dev.inversepath.com/download/public/
embedded_systems_exploitation.pdf
172. References
§ fG!, The Empire Strikes Back Apple – how your Mac firmware
security is completely broken
§ https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-
mac-firmware-security-is-completely-broken/
§ fG!, Reversing Prince Harming’s kiss of death
§ https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/
§ Cr4sh, Exploiting UEFI boot script table vulnerability
§ http://blog.cr4.sh/2015_02_01_archive.html
173. References
§ Cr4sh, Building reliable SMM backdoor for UEFI based platforms
§ http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html
§ Firmware papers and presentations timeline
§ http://timeglider.com/timeline/5ca2daa6078caaf4
§ Archive of OS X/iOS and firmware papers & presentations
§ https://reverse.put.as/papers/