The document summarizes a study on consumer IoT device vulnerability disclosure and patch release practices in Japan and the United States. Key findings include:
- Japanese vendors tended to release patches before or concurrently with public disclosures, while over a third of patches in the US were released after disclosure.
- Over half of patches were released before disclosure overall, but a third were released post-disclosure. High severity vulnerabilities took over a year to patch in many cases.
- Practices like incremental and unsynchronized patching across regions can leave devices vulnerable for months or years in some cases.
These slides give an introduction to the device driver structure of the Android/Linux operating system. They are based on a talk given in a seminar at National Taiwan University of Science and Technology in Dec. 2011. They can be useful for people who are not familiar with the Android software architecture but want to get an initial understanding of it.
This document describes a protocol test generator that uses nested virtual machines and rollback mechanisms to perform exhaustive fuzz testing of protocol implementations. It proposes using a virtual test protocol to encapsulate test packets and control the target virtual machine. Special packets allow taking snapshots of the target VM state and rolling back to previous snapshots to repeatedly test protocol states with different fuzzed packets. The current prototype implements this approach with KVM and QEMU virtual machines to find bugs in TLS/SSL protocol implementations through fuzz testing of the handshake process.
An Introduction to the Android Framework -- a core architecture view from app... (William Liang)
This presentation, following the previous "An Introduction to the Linux Kernel and Device Drivers", is for another 3-hour lecture in the "Open Source System Software & Practice" class, organized and hosted by Prof. Shih-Hao Hung, in the Department of Computer Science and Information Engineering, National Taiwan University.
The slides cover the architecture of the Android Framework, including the Android architecture overview, system integration of the Android operating system, the Activity and Service framework components, life cycles, inter-component communication methods, how the framework works, the Android device control model, core system services, hardware abstraction layer, and related important issues, etc.
The document discusses Trusted Execution Environments (TEEs) and running the Open Portable Trusted Execution Environment (OP-TEE) trusted operating system on RISC-V. It provides an overview of TEEs, describes OP-TEE and the requirements to implement it on RISC-V, including developing a boot sequence, kernel driver, and libraries. The document also compares TEE implementations on ARM TrustZone and Intel SGX and covers memory mapping when running OP-TEE on ARM-based boards.
Hardware-assisted Isolated Execution Environment to run trusted OS and applic... (Kuniyasu Suzaki)
This document discusses hardware-assisted isolated execution environments (HIEE) and trusted execution environments (TEE) on RISC-V processors. It describes how TEEs are implemented using privileged worlds on ARM TrustZone and Intel SGX. For RISC-V, it summarizes proposals for TEEs including Sanctum, MultiZone, and using the seL4 microkernel to implement OP-TEE. It also briefly discusses TEE implementations on FPGAs, GPUs, virtualization, and the IETF's TEE provisioning protocol.
The document discusses porting Linux to microcontrollers with low memory and storage. It describes how Linux can leverage the microcontroller development environment and avoid fragmentation by using the device tree to describe hardware instead of coding it directly into the kernel. The document recommends starting with a known Linux configuration like stm32_defconfig and using the Kconfig menuconfig tool to customize it for the specific microcontroller.
Bruh! Do you even diff?—Diffing Microsoft Patches to Find Vulnerabilities (Priyanka Aash)
Ever wondered how to find bug fixes residing in Microsoft patches? In this presentation we will take a look at the tools and techniques used to reverse engineer Microsoft security patches. Many organizations take weeks to push out patches to their domains. If an attacker can locate the fix and get a working exploit going, they can use it to compromise your organization.
(Source: RSA USA 2016-San Francisco)
ACSAC2020 "Return-Oriented IoT" by Kuniyasu Suzaki
Slides of "Reboot-Oriented IoT: Life Cycle Management in Trusted Execution Environment for Disposable IoT devices", ACSAC (Annual Computer Security Applications Conference) 2020
ZeroVM background: an introduction to some of the concepts behind ZeroVM. A short discussion of the Google Native Client project and software-based fault isolation is also provided.
Linux Kernel, BSP, Boot Loader, ARM Engineer - Satish profile (Satish Kumar)
Satish Kumar has over 11 years of experience in software development and testing with a focus on Linux device driver development and kernel programming. He has worked extensively with MontaVista on kernel maintenance and development for various architectures. Some of his areas of expertise include writing drivers, board bring-up, kernel debugging, and working with ARM SoCs and microcontrollers. He is proficient in C/C++, Linux, and tools like GDB and has experience porting operating systems to different hardware platforms.
(Embedded Linux Conference Europe 2014)
Linux is used in many kinds of embedded products. These products include not only consumer electronics but also control systems such as programmable logic controllers. There are many types of infrastructure systems, and each system has different technical requirements. The requirements include not only real-time performance but also reliability-related functions. Infrastructure systems have to meet all of these requirements. This presentation gives a summary of our study and development to adapt Linux to infrastructure systems. Then we discuss the direction of future development. Please note that this presentation doesn't focus on a specific product.
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ... (CODE BLUE)
A Security Barrier Device protects PCs and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent to the PC and can be installed regardless of OS or application. In this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.
The SBD has a security information disk, accessible only to itself, where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD references the access privileges of that particular sector: if the sector is read-deny, it returns dummy data of 0; if the sector is write-deny, it won't write to that sector. The SBD allows not only sector-based protection but also file-based protection. In the case of a file write-deny, there were some issues with the disk-related cache in memory not being synchronised, or the pointer's position to the file in regard to its directory being shifted, but I will show how these were solved.
I will also talk about the fact that an SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files; once it detects any access right violation it can shut down the Ethernet port remotely and thwart the spreading of malware.
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology, he conducted research and development of 30 Gbps intrusion detection systems, 60 Gbps URL filtering systems and network device testing equipment for such systems. Currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems)
http://codeblue.jp/en-speaker.html#KenjiToda
The document provides an overview of reverse engineering concepts and techniques. It discusses reverse engineering jargon like zero-day attacks and rootkits. It covers analyzing software from both an attacker and defensive perspective through static and dynamic analysis. Tools discussed include IDA Pro, OllyDbg, Windbg, and Sysinternals utilities. Techniques like anti-debugging, anti-dumping, and code obfuscation used to hinder reverse engineering are also summarized. Specific malware examples like FATMAL and analyzing packed executables and memory are examined. The document concludes with resources for analyzing mobile threats on Android.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ... (The Linux Foundation)
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI), which is based on Xen Project software. On April 14th, The Shadow Brokers released the EternalBlue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCry ransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will take away a better understanding of this type of exploit and how something like hypervisor introspection, and security through a hypervisor approach, can help companies avoid these types of new exploits.
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona... (CODE BLUE)
The document discusses cyber attacks by the Lazarus Group targeting Japan, including Operation Dream Job and details of their tactics, techniques, and procedures. It provides an overview of the Lazarus Group, describes how they used LinkedIn to target a defense company, the malware used including Torisma and LazarusMTB, and encryption methods like RC4 and VEST ciphers for communication with command and control servers.
The document discusses various IPv6 security issues including vulnerabilities found in the Linux kernel's IPv6 stack, risks of exposing interface identifiers that could contain embedded information, and ways attackers could abuse router advertisements like setting a low hop limit or flooding networks with router advertisements. It also provides examples of analyzing IPv6 addresses and scanning for special interface identifiers.
Threat Analysis on Win10 IoT Core and Recommended Security Measures by Naohi... (CODE BLUE)
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest of the Windows 10 IoT editions, is usable without charge and can be run on single board computers like the Raspberry Pi. So far, Linux-based platforms have been considered the platform for IoT devices, but now there is another option.
We conducted research on the security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, we found that, as in the newest Windows, DEP, ASLR and CFG are also effective as countermeasures against attacks on vulnerabilities that affect main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found that some designs and default settings of services and components are insecure.
For example, Windows Update is disabled, Windows Firewall is disabled by default, the web interface is served over HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, serving the web interface over HTTPS, etc.
Introducing JPCERT/CC's activity for securing IPv6 gears [APRICOT 2015] (APNIC)
JPCERT/CC conducts an "IPv6 Security Test" to evaluate IPv6 network gear for security vulnerabilities. The test includes 15 cases that are automated using open source tools. Vendors can request the test package and submit results to JPCERT/CC, who will publish a list of secure products. The goal is to work with vendors to produce secure IPv6 implementations and help users identify robust options, with the tests re-evaluated every few years. JPCERT/CC is looking to expand the program internationally with additional participants and feedback.
1) Express Logic produces the real-time operating system ThreadX which is known for its source code quality and lack of bugs.
2) The presentation will examine ThreadX source code using the static code analysis tools Coverity and Structure101 to analyze code quality and detect any potential bugs or defects.
3) A live demo will show the results of analyzing ThreadX code and identifying any issues, as well as demonstrating the simple ThreadX application programming interface.
Slides of my inaugural lecture as professor of Software Engineering at IT University of Copenhagen. An attempt to explain what software engineering research is (for me) by example. Presented on December 1st, 2016 at IT University.
The document discusses security issues and threats in operating systems. It covers several topics:
1) Security must consider threats from outside the system and protect system resources from intruders attempting to breach security.
2) Common security violations include breaches of confidentiality, integrity, availability, and denial of service attacks.
3) Effective security requires measures at the physical, human, operating system, and network levels as the system is only as secure as its weakest link.
Reviewing the Security of ASoC Drivers in Android Kernel (Shakacon)
The ALSA System on Chip (ASoC) layer provides a common architecture for chip vendors to develop drivers for their sound SoCs and codecs. It is also the core management of sound drivers in the Android kernel. Compared with the well-known libstagefright library, the ASoC driver works in kernel space and talks to upper-level media libraries through the HAL; thus it plays a much more important role: it is the real heart of the whole Android media service.
However, few vulnerabilities had been disclosed in this part of Android before our research (starting from the middle of 2016). There are multiple reasons: the ALSA project has an almost twenty-year history and most bugs may have been killed in the past few years in the mainline Linux kernel; developers have become more and more familiar with the project, so it is not easy to introduce a bunch of new bugs; and the standard of coding style, testing flow and code review processes guaranteed the quality, which is often what open source projects benefit from.
But what if this old project meets the much younger Android OS? The situation really exceeded my expectations. With a total review of the ASoC implementation, combined with effective fuzzing tools, I was able to disclose dozens of bugs in Android ASoC drivers. These bugs include normal OOBs, stack overflows, heap overflows, race conditions and use-after-frees/double-frees. What is more interesting is that these bugs were introduced through several different channels: chip vendors, device manufacturers, and the ALSA project maintainers.
This proves to me that the ASoC driver in the Android kernel is a completely vulnerable but overlooked attack surface.
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing (Stephan Chenette)
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android as well as common Android malware techniques and methodologies. From the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against 3rd-party Android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive, where he conducts ongoing research to support internal and external security initiatives within IOActive Labs. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is writing research tools for both the offensive and defensive front as well as investigating next generation emerging threats. He has released public analyses of various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
This document provides an overview and summary of a training on analyzing malicious RDP usage. It begins with an introduction to the common use of RDP in attacks. It then covers RDP protocols, vulnerabilities, and common attack vectors like exploiting pre-authentication vulnerabilities. The document discusses analyzing RDP event logs and connections to detect malicious activity. It concludes with recommendations for securing RDP, such as enabling Network Level Authentication, using an RDP gateway, and implementing two-factor authentication.
This document discusses security risks to industrial control systems (ICS) and strategies to protect them. It begins by providing examples of security incidents that impacted real-world critical infrastructure facilities. These include production line stoppages due to malware infections and temporary loss of control from unauthorized access. The document then notes that ICS environments are becoming more open and connected, increasing risk. It argues that security approaches for ICS must focus on integrity, availability and confidentiality to account for their mission-critical nature of continuously operating specialized systems. The document advocates implementing network segmentation, carefully managing external devices and updating systems without interrupting operations.
The document summarizes a panel discussion on service provider architecture and NFV held by Cisco Systems in April 2015. It includes presentations from NTT Communications, KDDI, and SoftBank Mobile on their NFV strategies and experiences. Some key points discussed are:
- NFV promises benefits like reduced CAPEX/OPEX but challenges remain around performance, maintenance costs, and immature standards.
- Telecom operators are working to automate testing and operations through techniques like DevOps, model-driven management, and abstracting existing networks.
- While NFV offers opportunities, realities of the technology include issues meeting throughput demands on commercial off-the-shelf hardware, increased maintenance complexity, and a lack of inter
ZeroVM backgroud: Introduction to some of the concept behind zerovm. Little discussion of google native client project, Software based fault isolation is also provided.
Linux Kernel , BSP, Boot Loader, ARM Engineer - Satish profileSatish Kumar
Satish Kumar has over 11 years of experience in software development and testing with a focus on Linux device driver development and kernel programming. He has worked extensively with MontaVista on kernel maintenance and development for various architectures. Some of his areas of expertise include writing drivers, board bring-up, kernel debugging, and working with ARM SoCs and microcontrollers. He is proficient in C/C++, Linux, and tools like GDB and has experience porting operating systems to different hardware platforms.
(Embedded Linux Conference Europe 2014)
Linux uses many kind of embedded products. The products include not only consumer electronics but also control systems such as programmable logic controllers. There are many type of infrastructure systems and each system has different technical requirements. The requirements include not only real-time performance but also reliability-related functions. The infrastructure systems have to meet all the requirements. This presentation gives a summary of our study and development to adapt the Linux to infrastructure systems. Then we discuss the direction of future development. Please note, this presentation doesn't focus on a specific product.
A Security Barrier Device That Can Protect Critical Data Regardless of OS or ...CODE BLUE
A Security Barrier Device protects PC and other control devices by relaying every port between the motherboard and the peripherals. The SBD is totally transparent from the PC and can be installed regardless of OS or application. At this presentation I will discuss the storage securing function achieved by the SBD relaying the SATA port.
The SBD has a security information disk only accessible to itself where it stores the access privilege information of the original disk in the PC. When the PC issues a data access request to the original disk, the SBD will reference the access privileges of that particular sector, if the sector is read-deny then returns dummy data of 0 , if the sector is write-deny then it won’t write to that sector. The SBD not only allows for sector based protection but also a file based protection. In case of a file write-deny, there were some issues with the disc related cache in memory not being synchronised or the pointer’s position to the file in regards to its directory being shifted , but I will show how it was solved.
I will also talk about the fact that a SBD is an effective protection against any malware that attempts to manipulate the boot data sector or system files, once it detects any access right violations it can shutdown the ethernet port remotely and thwart the spreading of malware.
Kenji Toda
At the National Institute of Advanced Industrial Science and Technology conducted research and development of 30 Gbps intrusion detection systems , 60 Gbps URL filtering systems and or network devices testing equipment for such systems. Currently co-developing security barrier devices with the Research and Development Control System Security Center. (Presented at international conferences regarding MST and real-time systems)
http://codeblue.jp/en-speaker.html#KenjiToda
The document provides an overview of reverse engineering concepts and techniques. It discusses reverse engineering jargon like zero-day attacks and rootkits. It covers analyzing software from both an attacker and defensive perspective through static and dynamic analysis. Tools discussed include IDA Pro, OllyDbg, Windbg, and Sysinternals utilities. Techniques like anti-debugging, anti-dumping, and code obfuscation used to hinder reverse engineering are also summarized. Specific malware examples like FATMAL and analyzing packed executables and memory are examined. The document concludes with resources for analyzing mobile threats on Android.
OSSEU17: How Open Source Project Xen Puts Security Software Vendors Ahead of ...The Linux Foundation
This presentation covers a real-world case study of Bitdefender Hypervisor Introspection (HVI) that is based on Xen Project software. On April 14th, The Shadow Brokers released the Eternalblue exploit toolkit, which exploited an SMBv1 vulnerability across a wide range of Windows operating systems. The exploit was most famously used as a propagation mechanism for the WannaCryransomware. HVI prevented exploitation attempts with no prior knowledge of the exploit or underlying vulnerability. This talk will cover the exploit mechanism, how HVI detects its actions, and illustrate some of the advantages of HVI built through open source collaboration. Audience members will takeaway a better understanding of this type of exploit and how something like hypervisor introspection and security through a hypervisor approach can help companies avoid these types of new exploits.
[CB21] The Lazarus Group's Attack Operations Targeting Japan by Shusei Tomona...CODE BLUE
The document discusses cyber attacks by the Lazarus Group targeting Japan, including Operation Dream Job and details of their tactics, techniques, and procedures. It provides an overview of the Lazarus Group, describes how they used LinkedIn to target a defense company, the malware used including Torisma and LazarusMTB, and encryption methods like RC4 and VEST ciphers for communication with command and control servers.
The document discusses various IPv6 security issues including vulnerabilities found in the Linux kernel's IPv6 stack, risks of exposing interface identifiers that could contain embedded information, and ways attackers could abuse router advertisements like setting a low hop limit or flooding networks with router advertisements. It also provides examples of analyzing IPv6 addresses and scanning for special interface identifiers.
Threat Analysis on Win10 IoT Core and Recommaended Security Measures by Naohi...CODE BLUE
Windows 10 IoT was released as a platform for IoT.
Windows 10 IoT Core, which is the lightest among Windows 10 IoT, is usable without charge, and can be run on single board computers like Raspberry Pi. So far, Linux-based platforms were considered as the platform for IoT devices, but now there is another option.
We conducted research on security system of Windows 10 IoT Core to judge whether it could be used safely.
We investigated the security design, the security functions, and default services, such as Web, FTP, and SSH, served by this OS. Furthermore, we also analyzed risks of intrusion and malware infection.
As a result of the investigation, like the newest Windows, we found that DEP, ASLR and CFG are also effective as countermeasures for being attacked vulnerabilities that affect the main memory. These countermeasures are not omitted from Windows 10 IoT Core.
On the other hand, we also found some designs and default settings of services and components are insecure.
For example, Windows update is disabled, Windows Firewall is disabled by default settings, Web interface is served on HTTP, and its authentication is basic authentication.
Moreover, we found a problem in the design of the remote debug service. This problem allows an attacker to create any user account and intrude using the web interface or SSH. Therefore, this problem might be abused by worm malware.
Lastly, we will introduce recommended security measures such as disabling unused services, changing settings, enabling the firewall, enabling web interface on HTTPS, etc.
Introducing JPCERT/CC's activity for securing IPv6 gears [APRICOT 2015]APNIC
JPCERT/CC conducts an "IPv6 Security Test" to evaluate IPv6 network gear for security vulnerabilities. The test includes 15 cases that are automated using open source tools. Vendors can request the test package and submit results to JPCERT/CC, who will publish a list of secure products. The goal is to work with vendors to produce secure IPv6 implementations and help users identify robust options, with the tests re-evaluated every few years. JPCERT/CC is looking to expand the program internationally with additional participants and feedback.
1) Express Logic produces the real-time operating system ThreadX which is known for its source code quality and lack of bugs.
2) The presentation will examine ThreadX source code using the static code analysis tools Coverity and Structure101 to analyze code quality and detect any potential bugs or defects.
3) A live demo will show the results of analyzing ThreadX code and identifying any issues, as well as demonstrating the simple ThreadX application programming interface.
Slides of my inaugural lecture as professor of Software Engineering at IT University of Copenhagen. An attempt to explain what software engineering research is (for me) by example. Presented on December 1st, 2016 at IT University.
The document discusses security issues and threats in operating systems. It covers several topics:
1) Security must consider threats from outside the system and protect system resources from intruders attempting to breach security.
2) Common security violations include breaches of confidentiality, integrity, availability, and denial of service attacks.
3) Effective security requires measures at the physical, human, operating system, and network levels as the system is only as secure as its weakest link.
Reviewing the Security of ASoC Drivers in Android Kernel (Shakacon)
The ALSA System on Chip (ASoC) layer provides a common architecture for chip vendors to develop drivers for their sound SoCs and codecs. It is also the core management layer for sound drivers in the Android kernel. Compared with the well-known libstagefright library, the ASoC driver works in kernel space and talks to the upper-level media libraries through the HAL; thus it plays a much more important role and is the real heart of the whole Android media service.
However, few vulnerabilities had been disclosed in this part of Android before our research (starting from the middle of 2016). There are multiple reasons: the ALSA project has an almost twenty-year history, and most bugs may have been killed over the past few years in the mainline Linux kernel; developers have become more and more familiar with the project, so it is not easy to introduce a bunch of new bugs; and the coding-style standards, testing flow and code review processes guarantee the quality, which is something open source projects often benefit from.
But what if this old project meets the much younger Android OS? The situation was really beyond my expectation. With a total review of the ASoC implementation, combined with effective fuzzing tools, I was able to disclose dozens of bugs in Android ASoC drivers. These bugs include ordinary OOBs, stack overflows, heap overflows, race conditions and use-after-frees/double-frees. What is more interesting is that these bugs were introduced through several different channels: chip vendors, device manufacturers, and the ALSA project maintainers.
This proves to me that the ASoC driver in the Android kernel is a completely vulnerable but overlooked attack surface.
2013 Toorcon San Diego: Building Custom Android Malware for Penetration Testing (Stephan Chenette)
In this presentation Stephan will discuss some recent research that emerged when he was asked to build malicious applications that bypassed custom security controls. He will walk through some of the basics of reversing malicious apps for Android, as well as common Android malware techniques and methodologies. Drawing on the analysis of in-the-wild Android malware, he will discuss techniques and functionality to include when penetration testing against third-party Android security controls.
BIO
Stephan Chenette is the Director of Security Research and Development at IOActive, where he conducts ongoing research to support internal and external security initiatives within IOActive Labs. Stephan has been involved in security research for the last 10 years and has presented at numerous conferences including Blackhat, CanSecWest, RSA, EkoParty, RECon, AusCERT, ToorCon, SecTor, SOURCE, OWASP, B-Sides and PacSec. His specialty is writing research tools for both the offensive and defensive front, as well as investigating next-generation emerging threats. He has released public analyses of various vulnerabilities and malware. Prior to joining IOActive, Stephan was the head security researcher at Websense for 6 years and a security software engineer for 4 years working in research and product development at eEye Digital Security.
This document provides an overview and summary of a training on analyzing malicious RDP usage. It begins with an introduction to the common use of RDP in attacks. It then covers RDP protocols, vulnerabilities, and common attack vectors like exploiting pre-authentication vulnerabilities. The document discusses analyzing RDP event logs and connections to detect malicious activity. It concludes with recommendations for securing RDP, such as enabling Network Level Authentication, using an RDP gateway, and implementing two-factor authentication.
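A worked example of the log analysis the training describes, added here and not taken from the training material: it runs a brute-force detector over Windows Security log events, using the facts that Event ID 4625 is a failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive) is an RDP session. The events, usernames and IP addresses are constructed for this example.

```python
"""Detection logic for RDP brute force followed by a successful RDP logon,
run over Windows Security log events. Event ID 4625 = failed logon, 4624 =
successful logon; LogonType 10 = RemoteInteractive (RDP). The events below
are constructed for this example and are not from a real host."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: (timestamp, EventID, LogonType, TargetUserName, IpAddress)
SAMPLE_EVENTS = [
    ("2024-01-10 02:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2024-01-10 02:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2024-01-10 02:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2024-01-10 02:00:08", 4625, 10, "svc_rdp", "203.0.113.7"),
    ("2024-01-10 02:00:11", 4625, 10, "jsmith", "203.0.113.7"),
    ("2024-01-10 02:00:20", 4624, 10, "jsmith", "203.0.113.7"),   # password found
    ("2024-01-10 09:15:00", 4625, 10, "alice", "10.0.0.5"),       # one typo
    ("2024-01-10 09:15:30", 4624, 10, "alice", "10.0.0.5"),
    ("2024-01-10 09:16:00", 4624, 3, "alice", "10.0.0.5"),        # network logon, not RDP
]


def parse_event(rec):
    ts, event_id, logon_type, user, ip = rec
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "id": event_id, "type": logon_type, "user": user, "ip": ip}


def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced at least `threshold`
    failed RDP logons within `window`; the alert records whether any RDP
    success from the same IP followed the burst."""
    rdp = sorted((parse_event(e) for e in events), key=lambda e: e["ts"])
    rdp = [e for e in rdp if e["type"] == 10 and e["id"] in (4624, 4625)]
    by_ip = defaultdict(list)
    for e in rdp:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["id"] == 4625]
        for i in range(len(fails)):                  # sliding window over failures
            j = i
            while j < len(fails) and fails[j]["ts"] - fails[i]["ts"] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = fails[j - 1]["ts"]
                success = next((e for e in evs if e["id"] == 4624 and e["ts"] >= burst_end), None)
                alerts.append({
                    "ip": ip,
                    "failures": j - i,
                    "users_tried": sorted({f["user"] for f in fails[i:j]}),
                    "success_user": success["user"] if success else None,
                })
                break                                # one alert per IP is enough
    return alerts


if __name__ == "__main__":
    for alert in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

In production the records come from Get-WinEvent or a SIEM rather than a list, and the filter should be tuned to the environment: hosts with Network Level Authentication enabled commonly record failed RDP attempts with LogonType 3 rather than 10, so a rule keyed only on type 10 failures would miss them.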
This document discusses security risks to industrial control systems (ICS) and strategies to protect them. It begins with examples of security incidents that affected real-world critical infrastructure facilities, including production line stoppages due to malware infections and temporary loss of control from unauthorized access. The document then notes that ICS environments are becoming more open and connected, which increases risk. It argues that security approaches for ICS must focus on integrity, availability and confidentiality to account for the mission-critical nature of these continuously operating specialized systems. The document advocates implementing network segmentation, carefully managing external devices, and updating systems without interrupting operations.
The document summarizes a panel discussion on service provider architecture and NFV held by Cisco Systems in April 2015. It includes presentations from NTT Communications, KDDI, and SoftBank Mobile on their NFV strategies and experiences. Some key points discussed are:
- NFV promises benefits like reduced CAPEX/OPEX but challenges remain around performance, maintenance costs, and immature standards.
- Telecom operators are working to automate testing and operations through techniques like DevOps, model-driven management, and abstracting existing networks.
- While NFV offers opportunities, realities of the technology include issues meeting throughput demands on commercial off-the-shelf hardware, increased maintenance complexity, and a lack of inter
This document discusses the development of a cross-platform penetration testing suite that compiles standard penetration testing tools into a single mobile application. The suite aims to provide easy access to penetration testing tools on any Android device, improving portability for ethical hackers. It does not require root access on the user's phone. The suite is designed to perform tasks like port scanning, vulnerability scanning, payload generation, and more. It consolidates typical tools used for information gathering, vulnerability assessment, exploitation, and covering tracks into a single interface. This allows ethical hackers to conduct basic penetration tests using only their mobile device.
Nothing like starting off the new decade with rumors your computer cryptography has a vulnerability which can result in a lack of trust for almost everything you do! The reality is that this vulnerability has not been publicly disclosed nor exploited and our friends at Microsoft have a solution. Besides the Crypto vulnerability, the most notable news is still the final public patch release for Windows 7, Server 2008, and Server 2008 R2. Apply the updates soon; major security vulnerabilities are exploited quickly!
IRJET - A Study on Penetration Testing using Metasploit Framework (IRJET Journal)
1) The document describes a study on penetration testing using the Metasploit framework. It outlines the various phases of a penetration test - information gathering, scanning, vulnerability discovery, exploitation, and report generation.
2) Specific techniques used in the study include the wafw00f tool to check for firewalls, xhydra for brute force password cracking, Nmap for scanning systems, and Metasploit modules like smb_ms17_010 and psexec for exploiting vulnerabilities.
3) The study was able to gain remote access to a Windows 7 system by exploiting the EternalBlue vulnerability using Metasploit and obtain a meterpreter session, demonstrating a successful penetration test.
Penetration testing using Metasploit framework (PawanKesharwani)
1) The document describes a study on penetration testing using the Metasploit framework. It outlines the various phases of a penetration test - information gathering, scanning, vulnerability discovery, exploitation, and report generation.
2) Specific techniques used in the study include the WAFW00F tool to check for firewalls, Nmap for scanning systems to identify services and operating systems, and Metasploit modules like smb_ms17_010 and psexec for discovering and exploiting vulnerabilities.
3) The study was able to gain remote access to a Windows 7 system by exploiting the EternalBlue vulnerability using Metasploit and obtain a meterpreter session, demonstrating a successful penetration test.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and of protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
March is most definitely full of madness as Microsoft resolves 115 unique vulnerabilities! The good news is you can predict what to do much easier than your basketball picks. Patch the OS and browsers and you take care of 97 CVEs from the 115 contenders.
Advance security in cloud computing for military weapons (IRJET Journal)
This document proposes a system to securely transmit military weapon launch codes through cloud storage using multiple security techniques. The system uses steganography to hide launch codes in image captchas. Visual cryptography is then used to split the captcha images into shares distributed to authorized users. Each share undergoes image encryption and watermarking before being sent via email. To obtain the launch code, users decrypt their shares, verify the watermarks through de-watermarking, and use visual cryptography to reconstruct the original captcha and extract the hidden launch code text. The proposed multi-layered approach aims to securely transmit sensitive military information through cloud storage.
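The share-splitting step of the scheme described above, as an added example that is not the paper's own implementation: a (2,2) visual cryptography scheme with 2x2 pixel expansion in the Naor-Shamir style. Each pixel of the captcha image becomes a 2x2 block in each share; overlaying the two transparencies is a per-subpixel OR, and a single share on its own carries no pixel information. The 5x5 "captcha" image is constructed; the steganographic layer that hides the launch code text inside the captcha is not shown.

```python
"""(2,2) visual cryptography with 2x2 pixel expansion (Naor-Shamir style).
Added example; not the paper's implementation. The 'captcha' is a
constructed 5x5 binary image (1 = black, 0 = white)."""
import random

# The six 2x2 patterns with exactly two black subpixels, flattened row-major.
PATTERNS = [(1, 1, 0, 0), (0, 0, 1, 1), (1, 0, 1, 0),
            (0, 1, 0, 1), (1, 0, 0, 1), (0, 1, 1, 0)]

SECRET = [  # constructed: a letter "T"
    [1, 1, 1, 1, 1],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
    [0, 0, 1, 0, 0],
]


def make_shares(secret, seed=None):
    """Split a binary image into two shares. For a white pixel both shares get
    the same random pattern; for a black pixel share 2 gets the complement."""
    rng = random.Random(seed)
    h, w = len(secret), len(secret[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y in range(h):
        for x in range(w):
            p = rng.choice(PATTERNS)
            q = p if secret[y][x] == 0 else tuple(1 - b for b in p)
            for k in range(4):
                dy, dx = divmod(k, 2)
                s1[2 * y + dy][2 * x + dx] = p[k]
                s2[2 * y + dy][2 * x + dx] = q[k]
    return s1, s2


def stack(s1, s2):
    """Overlaying two transparencies: a subpixel is black if either share is."""
    return [[a | b for a, b in zip(r1, r2)] for r1, r2 in zip(s1, s2)]


def block_black(img, y, x):
    """Number of black subpixels in the 2x2 block for original pixel (y, x)."""
    return sum(img[2 * y + dy][2 * x + dx] for dy in (0, 1) for dx in (0, 1))


def reconstruct(stacked):
    """A fully black block was a black pixel; a half-black block was white."""
    h, w = len(stacked) // 2, len(stacked[0]) // 2
    return [[1 if block_black(stacked, y, x) == 4 else 0 for x in range(w)]
            for y in range(h)]


def share_leaks_nothing(share):
    """Every block of one share has exactly two black subpixels whatever the
    secret pixel was, so a single share reveals nothing about the image."""
    h, w = len(share) // 2, len(share[0]) // 2
    return all(block_black(share, y, x) == 2 for y in range(h) for x in range(w))


if __name__ == "__main__":
    a, b = make_shares(SECRET, seed=7)
    for row in stack(a, b):
        print("".join("#" if v else "." for v in row))
```

The reconstructed image has half-gray white areas and solid black dark areas, which is what makes the scheme readable by eye without any computation; the decryption the paper describes on the receiving side is exactly this overlay.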
Whether you patch monthly or every six months, the time and resource overhead is significant.... And are you even secure?
In this real-life patch test, one of our Solution Architects put a simple virtual machine through its paces, with fascinating results. Understand more about the typical vulnerabilities and security updates found in even the simplest of servers, learn about the typical decisions faced by organisations trying to balance operational efficiency with security, and see how you can implement same-day protection for vulnerabilities in critical systems, even without patching or during a change freeze.
On the Security of Application Installers & Online Software Repositories (Marcus Botacin)
My presentation for the DIMVA 2020 conference about the security of application installers. I show the operation dynamics of the repositories and reverse engineer some application installers to show their vulnerabilities, such as to man-in-the-middle attacks.
This project is a subset of Project SHINE (SHodan Intelligence Extraction), providing one example of what can happen when a device is directly connected to the Internet.
At no point in time was this project intended to identify any shortcomings of the manufacturer’s efforts in remediating any of the known vulnerabilities, nor was it intended to place any blame or negligence towards the manufacturer in any manner whatsoever. The choosing of the specific device was to provide a simplified example which could be easily demonstrated as a form of substantiation of our position provided through Project SHINE. It should be noted that the device utilized has an out-of-date version of its firmware that is subject to one or more known vulnerabilities that currently exist. The manufacturer has taken steps previously to remediate those versions of firmware by providing updates; it is strongly suggested that any asset owners running this specific version of firmware update or upgrade to the latest version as a precautionary effort.
The objective of this project is to provide some form of substantiation that directly connecting an ICS device onto the Internet could have consequences. As such, the premise of this project was to:
(1) Obtain current ICS equipment through public sources (eBay), and deploy this equipment as actual cyber assets controlling perceived critical infrastructure environments;
(2) Ascertain any pertinent threat or attack vectors, as well as scope and magnitude of any attacks against the perceived critical infrastructure environments;
(3) Record network access attempts, and analyze captured network packets for any patterns; and,
(4) Report redacted findings for public awareness to governments and media outlets.
Join us this month as we recap the Microsoft and 3rd Party security patches released on Patch Tuesday. We will discuss things to watch out for, products to be sure to test adequately, and which patches should be highest priority to roll out.
This document proposes a method for secure distributed data mining across multiple sites that hold consistent information distributed horizontally. It aims to mine association rules from the unified data while minimizing disclosure of private data from each site. The method uses cryptographic techniques like RSA encryption during the distributed mining process to calculate the global frequent itemsets without revealing private itemsets from each site. It implements a distributed version of the Apriori algorithm to efficiently find globally frequent itemsets in a privacy-preserving manner.
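A runnable sketch of the protocol described above, added here and not the paper's own code. Each site keeps its transactions and computes local supports; the global support of a candidate itemset is obtained with a ring-based secure sum (the initiator adds a random mask, each site adds its count modulo a large number, the initiator removes the mask), which stands in for the RSA-based step the document describes. Candidate itemsets are assumed to be public, and the three sites' baskets are constructed.

```python
"""Privacy-preserving Apriori over horizontally partitioned transactions.
Added example: global support is obtained with a ring-based secure sum
(random mask added by the initiator and removed at the end) in place of the
RSA-based step the document describes; candidate itemsets are assumed
public. The transactions are constructed."""
import random
from itertools import combinations

MODULUS = 2 ** 32          # secure-sum arithmetic is done modulo this value

# Constructed: three sites, each holding its own customers' baskets.
SITES = {
    "siteA": [{"bread", "milk"}, {"bread", "butter"}, {"milk", "butter", "bread"}],
    "siteB": [{"bread", "milk"}, {"milk", "eggs"}, {"bread", "milk", "eggs"}],
    "siteC": [{"butter", "eggs"}, {"bread", "milk"}, {"bread"}],
}


def local_support(transactions, itemset):
    """Count of this site's transactions containing every item of `itemset`.
    This number never leaves the site in the clear."""
    return sum(1 for t in transactions if itemset <= t)


def secure_sum(local_values, rng=None, modulus=MODULUS):
    """Site 0 masks its value with random R and starts the ring; every other
    site adds its own value mod `modulus`; site 0 subtracts R at the end.
    Returns (total, values_seen_on_the_wire). Secure against one
    honest-but-curious site; two colluding neighbours could unmask a value."""
    rng = rng or random.Random()
    mask = rng.randrange(modulus)
    running = (mask + local_values[0]) % modulus
    wire = [running]
    for v in local_values[1:]:
        running = (running + v) % modulus
        wire.append(running)
    return (running - mask) % modulus, wire


def gen_candidates(frequent, k):
    """Apriori join + prune: size-k candidates all of whose (k-1)-subsets are frequent."""
    fset = set(frequent)
    cands = set()
    for a, b in combinations(sorted(frequent, key=sorted), 2):
        u = a | b
        if len(u) == k and all(frozenset(s) in fset for s in combinations(sorted(u), k - 1)):
            cands.add(u)
    return cands


def distributed_apriori(sites, min_support, seed=0):
    """Return {itemset: global support} for every globally frequent itemset,
    without any site revealing a local count."""
    rng = random.Random(seed)
    names = list(sites)
    items = set().union(*(t for s in sites.values() for t in s))
    candidates = {frozenset([i]) for i in items}
    frequent, k = {}, 1
    while candidates:
        level = {}
        for c in sorted(candidates, key=sorted):
            locals_ = [local_support(sites[n], c) for n in names]
            total, _wire = secure_sum(locals_, rng)
            if total >= min_support:
                level[c] = total
        frequent.update(level)
        k += 1
        candidates = gen_candidates(list(level), k)
    return frequent


def naive_support(sites, itemset):
    """Reference value computed as if the data were pooled (what the protocol avoids)."""
    return sum(local_support(t, itemset) for t in sites.values())


if __name__ == "__main__":
    for itemset, support in distributed_apriori(SITES, min_support=4).items():
        print(sorted(itemset), support)
```

The protocol leaks only what the final output leaks (the global supports); the masked running totals on the wire are uniformly distributed and tell a single site nothing about its neighbours' counts.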
NXP's portfolio addresses IoT security across the entire device lifecycle, from edge to cloud. It includes secure elements, microcontrollers, application processors, device management software, and solutions that provide security from device procurement through decommissioning. NXP products offer hardware-protected keys, secure boot, tamper resistance, and cryptographic accelerators to establish trust from the edge to the cloud.
Yokogawa & NextNine – Lessons Learned: Global Cybersecurity Management System... (Honeywell)
A joint presentation by Yokogawa and NextNine about a 60-site global cybersecurity deployment, including what went right, what went wrong, the necessary changes to processes and technology, and the new technology that was developed.
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak... (CODE BLUE)
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducted sophisticated attacks by intruding into networks and targeting the organizations' weak points.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
1. The document discusses malware activity in South Korea, describing various malware groups like Lazarus, Tick, and keyloggers and tools used by them.
2. It outlines different malware families used by the Tick group to target organizations in South Korea, including Bisodown, Ghostdown, Gofarer, Daserf, Netboy, and others.
3. It examines the Tickusb tool used to infect systems using modified Korean secure USB flash drives, detailing the stages and payloads used in the infection process.
For all of you who have asked for a pause to Patch Tuesday, you did not get exactly what you wanted for Christmas, but close. December Patch Tuesday is the lightest of 2020. Only 58 unique CVEs were resolved, nine of which are rated as Critical. There is also one advisory (ADV200013), which provides guidance for addressing a spoofing vulnerability in DNS Resolver. There were no publicly disclosed or exploited vulnerabilities this month on the Microsoft side. Adobe released a couple of low severity updates for Adobe Reader for Android and Adobe Connect. The Adobe Reader release (APSB20-67) from December 3 resolved 14 vulnerabilities, four of which were Critical. This is the more urgent release from Adobe for the month. Adobe Flash had an update for December Patch Tuesday, but it did not include any resolved vulnerabilities.
Similar to [AsiaCCS2019] A Pilot Study on Consumer IoT Device Vulnerability Disclosure and Patch Release in Japan and the United States
Lecture slides that I used in Advanced Information Security Summer School (AIS3, 2016 & 2018) in Taiwan. https://ais3.org/
Lecture materials used in the lectures of Taiwan's advanced security talent development program (AIS3, 2016/2018).
[Dagstuhl Seminar 17281] Similarity Calculation Method for Binary Executables (Asuka Nakajima)
https://www.dagstuhl.de/de/programm/kalender/semhp/?semnr=17281
[Abstract]
This talk first gives an overview of the main ideas, challenges, and major research papers in this area. Then we introduce our research on a method that can identify similar functions in two given binary executables, even when the target binary executables have some modifications. Lastly, we introduce the state-of-the-art research in this area and discuss how it can be applied in today's malware analysis.
S2E: A Platform for In Vivo Multi-Path Analysis of Software Systems. Vitaly Chipounov, Volodymyr Kuznetsov, George Candea. 16th Intl. Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS), Newport Beach, CA, March 2011.
The document summarizes the steps taken to analyze and exploit a DEFCON CTF binary file called "annyong". It describes using various Linux commands like file, strings, hexdump, readelf, and checksec to gather information about the binary. The analysis revealed the binary is position independent and has NX, PIE, and partial RELRO protections. The exploit uses return oriented programming (ROP) to execute a system call and spawn an interactive shell, bypassing protections by overwriting return addresses on the stack.
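The checksec step above can be reproduced directly from the ELF headers. The following is an added example, not the write-up's own code: it builds a minimal, non-loadable ELF64 image that carries only the headers a checksec-style tool inspects, then reads e_type (ET_DYN means position independent, which is what PIE executables and shared objects share), the PT_GNU_STACK flags (NX), the PT_GNU_RELRO segment and the dynamic section's BIND_NOW flags (partial versus full RELRO). build_elf is a constructed fixture; nothing here comes from the "annyong" binary.

```python
"""checksec-style inspection of ELF64 headers. Added example, not from the
write-up. build_elf() fabricates a header-only image for testing; checksec()
is the part you would run on a real file."""
import struct
import sys

ELF_HDR = "<16sHHIQQQIHHHHHH"   # Elf64_Ehdr, little-endian
PHDR = "<IIQQQQQQ"              # Elf64_Phdr
DYN = "<qQ"                     # Elf64_Dyn
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def build_elf(pie, nx, relro, bind_now):
    """Constructed fixture: an ELF64 image holding only an ELF header, a few
    program headers and a two-entry dynamic section. It cannot be executed."""
    dyn = (struct.pack(DYN, DT_FLAGS, DF_BIND_NOW if bind_now else 0)
           + struct.pack(DYN, DT_NULL, 0))
    phdrs = [(PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append((PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    nph = len(phdrs) + 1
    dyn_off = 64 + nph * 56
    phdrs.append((PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELFCLASS64, LSB
    hdr = struct.pack(ELF_HDR, ident, ET_DYN if pie else ET_EXEC, 62, 1,
                      0x1000, 64, 0, 0, 64, 56, nph, 64, 0, 0)
    return hdr + b"".join(struct.pack(PHDR, *p) for p in phdrs) + dyn


def checksec(data):
    """Return {'pie', 'nx', 'relro'} for a little-endian ELF64 image."""
    fields = struct.unpack_from(ELF_HDR, data, 0)
    ident, e_type, e_phoff, e_phentsize, e_phnum = fields[0], fields[1], fields[5], fields[9], fields[10]
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    stack_exec = True          # no PT_GNU_STACK at all means an executable stack on Linux
    have_relro = False
    bind_now = False
    for i in range(e_phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_exec = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            have_relro = True
        elif p_type == PT_DYNAMIC:
            off = p_offset
            while off + 16 <= p_offset + p_filesz:
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
                off += 16
    # Full RELRO needs both the read-only-after-relocation segment and eager binding.
    relro = "full" if have_relro and bind_now else "partial" if have_relro else "none"
    return {"pie": e_type == ET_DYN, "nx": not stack_exec, "relro": relro}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(checksec(f.read()))
    else:
        print(checksec(build_elf(pie=True, nx=True, relro=True, bind_now=False)))
```

Partial RELRO matters for the exploit described above because the GOT stays writable until lazy binding completes, which is why the write-up's ROP chain can still target it; with full RELRO the same binary would force a different primitive.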
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L... (Asuka Nakajima)
[Abstract]
When developing a 1-day exploit, patch diffing (binary diffing) is one of the major techniques for identifying the part to which security fixes have been applied. This technique has long been well known among reverse engineers, and so, to support the diffing, various tools such as BinDiff, TurboDiff, and Diaphora have been developed. However, although those fantastic tools greatly support the analysis, patch diffing is still a difficult task because it requires deep knowledge and experience. In order to address this issue, we conducted a pilot study with the goal of achieving semi-automated patch diffing by applying machine-learning techniques. Based on the hypothesis that "similar types of vulnerabilities will be fixed in a similar manner," we applied unsupervised machine-learning techniques to extract those patterns and considered how to achieve semi-automated patch diffing. In the talk, we will show the details of our pilot study and share the insights that we have gained from it. We believe that our insights will help other researchers who conduct similar research in the future.
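One worked example serves both talks above (the binary similarity method and the patch-diffing study): it is added here and is not the method of either talk. Functions are compared by Jaccard similarity of bigrams over normalised instructions (registers, immediates, memory operands and labels abstracted away), so a recompiled function whose registers were reallocated still matches its counterpart; the matched pair with the lowest similarity is the prime patch-diff candidate, and the instructions the patch added are listed. The two disassembly listings are constructed (Intel syntax), not taken from a real binary.

```python
"""Function matching between two binaries by normalised-opcode n-grams, then
locating the function a patch changed and the instructions it added. Added
example, not either talk's method. Listings are constructed (Intel syntax)."""
import re
from collections import Counter

REGS = {"rax", "rbx", "rcx", "rdx", "rsi", "rdi", "rbp", "rsp",
        "eax", "ebx", "ecx", "edx", "esi", "edi", "r8", "r9"}
IMM_RE = re.compile(r"-?(0x[0-9a-fA-F]+|\d+)")

# Constructed pre-patch binary (symbols known) ...
OLD = {
    "init": ["push rbp", "mov rbp, rsp", "xor eax, eax", "mov [rdi], eax", "pop rbp", "ret"],
    "checksum": ["xor eax, eax", ".L1:", "add eax, [rdi]", "add rdi, 0x4", "dec rsi", "jnz .L1", "ret"],
    "copy_field": ["push rbp", "mov rbp, rsp", "mov ecx, [rdi]", "lea rsi, [rdi+0x4]",
                   "call memcpy", "pop rbp", "ret"],
}
# ... and the patched build: stripped, registers reallocated, a length check added.
NEW = {
    "sub_401000": ["push rbp", "mov rbp, rsp", "xor edx, edx", "mov [rdi], edx", "pop rbp", "ret"],
    "sub_401020": ["xor ecx, ecx", ".L1:", "add ecx, [rdi]", "add rdi, 0x4", "dec rsi", "jnz .L1", "ret"],
    "sub_401040": ["push rbp", "mov rbp, rsp", "mov ecx, [rdi]", "cmp ecx, 0x100", "ja .L_reject",
                   "lea rsi, [rdi+0x4]", "call memcpy", "pop rbp", "ret"],
}


def normalize(insn):
    """Abstract registers, immediates, memory operands and labels so that a
    recompiled function with reallocated registers still looks the same."""
    mnemonic, _, rest = insn.strip().partition(" ")
    if mnemonic.startswith("."):                       # label definition such as ".L1:"
        return "LBL"
    ops = []
    for op in (o.strip() for o in rest.split(",") if o.strip()):
        if op.startswith("["):
            ops.append("MEM")
        elif op in REGS:
            ops.append("REG")
        elif op.startswith("."):
            ops.append("LBL")
        elif IMM_RE.fullmatch(op):
            ops.append("IMM")
        else:
            ops.append(op)                             # symbol, e.g. a call target
    return f"{mnemonic} {','.join(ops)}" if ops else mnemonic


def ngrams(insns, n=2):
    seq = [normalize(i) for i in insns]
    return {tuple(seq[i:i + n]) for i in range(len(seq) - n + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0


def match_functions(old, new, n=2):
    """For each function in `new`, the most similar function in `old` and its score."""
    old_grams = {name: ngrams(body, n) for name, body in old.items()}
    matches = {}
    for name, body in new.items():
        g = ngrams(body, n)
        best = max(old_grams, key=lambda o: jaccard(g, old_grams[o]))
        matches[name] = (best, jaccard(g, old_grams[best]))
    return matches


def find_patched(old, new):
    """The matched pair with the lowest similarity is where the fix most likely landed."""
    matches = match_functions(old, new)
    name = min(matches, key=lambda k: matches[k][1])
    return name, matches[name][0], matches[name][1]


def added_instructions(old_body, new_body):
    """Raw instructions of new_body whose normalised form has no counterpart in old_body."""
    remaining = Counter(normalize(i) for i in old_body)
    added = []
    for insn in new_body:
        key = normalize(insn)
        if remaining[key] > 0:
            remaining[key] -= 1
        else:
            added.append(insn)
    return added


if __name__ == "__main__":
    new_name, old_name, score = find_patched(OLD, NEW)
    print(f"{new_name} <- {old_name} (similarity {score:.2f})")
    print(added_instructions(OLD[old_name], NEW[new_name]))
```

On the constructed input the two untouched functions match at 1.0 despite register renaming, and the patched function surfaces with the added cmp/ja bounds check; real tools add control-flow and call-graph features on top of this instruction-level signal, which is what the talks' methods build on.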
Build the Next Generation of Apps with the Einstein 1 Platform.
Join Philippe Ozil for a session of workshops that will guide you through the details of the Einstein 1 platform, the importance of data for building artificial-intelligence applications, and the various tools and technologies Salesforce offers to bring you all the benefits of AI.
Supermarket Management System Project Report.pdf (Kamal Acharya)
Supermarket management is a stand-alone J2EE program built with Eclipse Juno. This project contains all the necessary information about maintaining the supermarket billing system. The core idea of this project is to minimize paperwork and centralize the data. Here all communication is carried out in a secure manner; that is, in this application the information is stored on the client itself. For further security the database is stored in the Oracle back-end, so that intruders cannot access it.
Null Bangalore | Pentester's Approach to AWS IAM (Divyanshu)
#Abstract:
- Learn more about the real-world methods for auditing AWS IAM (Identity and Access Management) as a pentester. So let us proceed with a brief discussion of IAM as well as some typical misconfigurations and their potential exploits in order to reinforce the understanding of IAM security best practices.
- Gain actionable insights into AWS IAM policies and roles, using hands on approach.
#Prerequisites:
- Basic understanding of AWS services and architecture
- Familiarity with cloud security concepts
- Experience using the AWS Management Console or AWS CLI.
- For hands on lab create account on [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
# Scenario Covered:
- Basics of IAM in AWS
- Implementing IAM Policies with Least Privilege to Manage S3 Bucket
- Objective: Create an S3 bucket with least privilege IAM policy and validate access.
- Steps:
- Create S3 bucket.
- Attach least privilege policy to IAM user.
- Validate access.
- Exploiting IAM PassRole Misconfiguration
- iam:PassRole allows a user to pass a specific IAM role to an AWS service (EC2 in this lab) and is typically used for service access delegation. The lab then exploits a PassRole misconfiguration to gain unauthorized access to sensitive resources.
- Objective: Demonstrate how a PassRole misconfiguration can grant unauthorized access.
- Steps:
- Allow user to pass IAM role to EC2.
- Exploit misconfiguration for unauthorized access.
- Access sensitive resources.
- Exploiting IAM AssumeRole Misconfiguration with Overly Permissive Role
- An overly permissive IAM role configuration can lead to privilege escalation by creating a role with administrative privileges and allow a user to assume this role.
- Objective: Show how overly permissive IAM roles can lead to privilege escalation.
- Steps:
- Create role with administrative privileges.
- Allow user to assume the role.
- Perform administrative actions.
- Differentiation between PassRole vs AssumeRole
Try at [killercoda.com](https://killercoda.com/cloudsecurity-scenario/)
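A static check for the two misconfigurations the scenarios above exploit, written as an added example (not the talk's lab code) that runs over policy documents as plain JSON. passrole_privesc flags the EC2 PassRole escalation path: a principal that may call ec2:RunInstances and may pass a role whose ARN or target service is not pinned. trust_policy_scope classifies a role's trust policy as open to any AWS principal, open to a whole account, or scoped to named principals. The account ID 111122223333 and every ARN are constructed placeholders.

```python
"""Static checks for the PassRole and AssumeRole misconfigurations the lab
exploits, over IAM policy documents as JSON. Added example, not the talk's
code; the account ID and ARNs are constructed placeholders."""
import fnmatch
import re

ROOT_ARN = re.compile(r"^arn:aws:iam::\d{12}:root$")

# Constructed: lets the user launch EC2 and pass *any* role to it (escalation path).
BAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
]}
# Constructed: same capability, but only one named role, and only to EC2.
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"},
    {"Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/ec2-app-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
]}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]}
ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"}]}
SCOPED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:user/deployer"},
     "Action": "sts:AssumeRole"}]}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _allows(stmt, action):
    """True if an Allow statement's Action list (with IAM wildcards) covers `action`."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatch.fnmatchcase(action.lower(), a.lower())
               for a in _as_list(stmt.get("Action", [])))


def passrole_privesc(policy):
    """EC2 PassRole escalation: the principal may launch instances and may pass
    a role whose identity (Resource) or target service (iam:PassedToService)
    is not pinned. A pentester with such a policy launches an instance with a
    more privileged role attached and reads its credentials from the instance."""
    stmts = _as_list(policy["Statement"])
    can_run = any(_allows(s, "ec2:RunInstances") for s in stmts)
    loose_pass = []
    for s in stmts:
        if not _allows(s, "iam:PassRole"):
            continue
        resources = _as_list(s.get("Resource", "*"))
        cond = s.get("Condition", {})
        pinned_service = any("iam:PassedToService" in v for v in cond.values())
        if any("*" in r for r in resources) or not pinned_service:
            loose_pass.append(s)
    return can_run and bool(loose_pass)


def trust_policy_scope(trust):
    """Who may call sts:AssumeRole on the role: 'open' (any AWS principal),
    'account-wide' (every principal in the account that itself holds
    sts:AssumeRole), or 'scoped' (named principals only)."""
    worst = "scoped"
    for s in _as_list(trust["Statement"]):
        if not _allows(s, "sts:AssumeRole"):
            continue
        principal = s.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in aws and "Condition" not in s:
            return "open"
        if any(ROOT_ARN.match(p) for p in aws):
            worst = "account-wide"
    return worst


if __name__ == "__main__":
    print("bad policy escalates:", passrole_privesc(BAD_POLICY))
    print("good policy escalates:", passrole_privesc(GOOD_POLICY))
    for name, t in [("open", OPEN_TRUST), ("account", ACCOUNT_TRUST), ("scoped", SCOPED_TRUST)]:
        print(name, "->", trust_policy_scope(t))
```

These checks read the documents only; the validation step in the lab ("Validate access") is best done against the live account with aws iam simulate-principal-policy, which evaluates the effective permissions including permission boundaries and SCPs that a JSON-only check cannot see.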
Applications of artificial Intelligence in Mechanical Engineering.pdf (Atif Razi)
Historically, mechanical engineering has relied heavily on human expertise and empirical methods to solve complex problems. With the introduction of computer-aided design (CAD) and finite element analysis (FEA), the field took its first steps towards digitization. These tools allowed engineers to simulate and analyze mechanical systems with greater accuracy and efficiency. However, the sheer volume of data generated by modern engineering systems and the increasing complexity of these systems have necessitated more advanced analytical tools, paving the way for AI.
AI offers the capability to process vast amounts of data, identify patterns, and make predictions with a level of speed and accuracy unattainable by traditional methods. This has profound implications for mechanical engineering, enabling more efficient design processes, predictive maintenance strategies, and optimized manufacturing operations. AI-driven tools can learn from historical data, adapt to new information, and continuously improve their performance, making them invaluable in tackling the multifaceted challenges of modern mechanical engineering.
Accident detection system project report.pdf (Kamal Acharya)
The rapid growth of technology and infrastructure has made our lives easier. The advent of technology has also increased traffic hazards, and road accidents take place frequently, causing huge loss of life and property because of poor emergency facilities. Many lives could have been saved if emergency services could get accident information and reach the scene in time. Our project provides an optimum solution to this drawback. A piezoelectric sensor can be used as a crash or rollover detector for the vehicle during and after a crash. With signals from a piezoelectric sensor, a severe accident can be recognized. According to this project, when a vehicle meets with an accident, or if the car rolls over, the piezoelectric sensor will immediately detect the signal. Then, with the help of a GSM module and a GPS module, the location will be sent to the emergency contact. After confirming the location, the necessary action will be taken. If the person meets with a small accident, or there is no serious threat to anyone's life, the alert message can be cancelled by the driver with a switch provided, in order to avoid wasting the valuable time of the medical rescue team.
Determination of Equivalent Circuit parameters and performance characteristic... (pvpriya2)
Includes the testing of induction motor to draw the circle diagram of induction motor with step wise procedure and calculation for the same. Also explains the working and application of Induction generator
AI in customer support Use cases solutions development and implementation.pdf (mahaffeycheryld)
AI in customer support will integrate with emerging technologies such as augmented reality (AR) and virtual reality (VR) to enhance service delivery. AR-enabled smart glasses or VR environments will provide immersive support experiences, allowing customers to visualize solutions, receive step-by-step guidance, and interact with virtual support agents in real-time. These technologies will bridge the gap between physical and digital experiences, offering innovative ways to resolve issues, demonstrate products, and deliver personalized training and support.
https://www.leewayhertz.com/ai-in-customer-support/#How-does-AI-work-in-customer-support