This document discusses reversing the Apple sandbox security mechanism. It provides an overview of reversing the default "container" sandbox profile used for third-party iOS apps. The goal is to better understand Apple's security rules and how they could potentially be bypassed. The methodology involves extracting the builtin binary profile, reversing the binary format to the original sandbox profile language (SBPL) format, and analyzing the security rules defined in the profile. Challenges include reversing the regular expression format and properly handling different node types in the binary action trees that represent the security rules.
This document summarizes an approach for automatically generating documentation for exceptions in Java programs. It presents the motivation for exception documentation, describes an algorithm for static analysis of programs to determine which exceptions can be thrown from each method and under what conditions, and evaluates the approach on 10 Java benchmarks comparing the automatically generated documentation to existing human-written documentation. The results found that on average, the automatic documentation was of equal or better quality than the human documentation 83% of the time.
Google de-indexing is the removal from Google's index of a website that does not follow Google's quality guidelines, and this presentation provides techniques to beat Google de-indexing.
[Cluj] Information Security Through Gamification, by OWASP EEE
This document discusses using gamification for information security training and learning. It proposes a gamified online platform called CTF365 that would approach information security training as a hands-on journey and challenge. Some key benefits mentioned are improving motivation, retention rates, and speeding up the learning curve through approaches like badges, ranks, and points to showcase skills in different hacking techniques. The goal is to make security training more engaging and effective through gamification.
Publico24 - DIGITAL PUBLISHING REINVENTED, by Publico24
Publico24 is a new business model. Using Publico24 you earn money from digital editions without intermediaries. Lower your costs. Pay only once. Publico24 takes care of everything, from typesetting to running the store in the AppStore or GooglePlay.
[Russia] Building better product security, by OWASP EEE
The document discusses an engineering approach to building better product security. It outlines the duties of a product security team, including trainings, audits, and developing security tools. Several automated security tools are described, including Molly for web application scanning, Crasher for production environment testing, CAT for static application security testing, and Vulnman for vulnerability notifications. The summary emphasizes automating processes to free up time for more complex security tasks, while still retaining manual oversight of activities.
This document summarizes a presentation about security on the dark web. It discusses how the Tor network allows for improved privacy and anonymity online. It notes that while the dark web is often portrayed as a place for illegal activities, in reality most sites claiming to offer such content are fake. The presentation then examines vulnerabilities found on dark web sites like unrestricted file uploads, SQL injection, and having /server-status exposed, which can compromise users' privacy. It provides examples of sites that should be more secure like Riseup and cautions against blindly trusting organizations that control many dark web sites. The document encourages considering how authentication and security measures rely on IP addresses, which can be bypassed on the dark web.
[Lithuania] Cross-site request forgery: ways to exploit, ways to prevent, by OWASP EEE
This document discusses cross-site request forgery (CSRF) attacks and ways to both carry them out and prevent them. It explains that CSRF forces a victim's logged-in browser to generate requests appearing legitimate to the application. Examples are given using HTML forms, JSON requests, Flash, and clickjacking. Countermeasures recommended include using synchronizer tokens, checking the Origin header, configuring CORS headers properly, using short sessions, and implementing framebusting.
[Bucharest] Your intents are dirty, droid!, by OWASP EEE
This document discusses intent fuzzing for Android applications. It presents Fuzzinozer, a Drozer module for fuzzing intents. Fuzzinozer allows fuzzing intents by package name, broadcasting intents, running seed files, and more. Examples are provided for running Fuzzinozer. Results show execution time increasing with number of intents tested. Common crashes found include NullPointerExceptions, ClassCastExceptions, and others.
Power Up Your Build - Omer van Kloeten @ Wix 2018-04, by Omer van Kloeten
I was invited to give this talk at the Wix Backend Guild Day, an internal event which was broadcast live internationally, on 2018-04-12
Video: https://youtu.be/cQ7UvUybceA
These days sbt is the de-facto build tool for Scala, but most of us just write the minimum viable build.sbt file, import the libraries we need (and maybe throw in some sbt-assembly) and forget about it.
In this Good Practices session, you will learn about making your build safer and more robust by making the Scala compiler work for you and through using some sbt plugins.
This talk will be quite high-level. There will be no need for prior knowledge of sbt and it should be beneficial for you even if you don’t use sbt.
The document provides information about high performance Android app development. It begins with a history of Android performance features from early versions through Jellybean and Project Butter. It then compares the three Android programming models (SDK, NDK, RenderScript) in terms of workflow, execution model, and performance. A case study on the performance features of the Google Chrome browser for Android is presented, covering its multi-process architecture, hardware acceleration, networking, and VSync scheduling. The document concludes with a questionnaire on topics like multi-core vs GPU, Android vs Chrome, and developments beyond Android.
End-to-end pipeline agility - Berlin Buzzwords 2024, by Lars Albertsson
We describe how we achieve high change agility in data engineering by eliminating the fear of breaking downstream data pipelines through end-to-end pipeline testing, and by using schema metaprogramming to safely eliminate boilerplate involved in changes that affect whole pipelines.
A quick poll on agility in changing pipelines from end to end indicated a huge span in capabilities. For the question "How long time does it take for all downstream pipelines to be adapted to an upstream change," the median response was 6 months, but some respondents could do it in less than a day. When quantitative data engineering differences between the best and worst are measured, the span is often 100x-1000x, sometimes even more.
A long time ago, we suffered at Spotify from fear of changing pipelines due to not knowing what the impact might be downstream. We made plans for a technical solution to test pipelines end-to-end to mitigate that fear, but the effort failed for cultural reasons. We eventually solved this challenge, but in a different context. In this presentation we will describe how we test full pipelines effectively by manipulating workflow orchestration, which enables us to make changes in pipelines without fear of breaking downstream.
Making schema changes that affect many jobs also involves a lot of toil and boilerplate. Using schema-on-read mitigates some of it, but has drawbacks since it makes it more difficult to detect errors early. We will describe how we have rejected this tradeoff by applying schema metaprogramming, eliminating boilerplate but keeping the protection of static typing, thereby further improving agility to quickly modify data pipelines without fear.
This document provides an overview of iOS app development fundamentals including Objective-C, the building blocks of iOS apps like classes and objects, architectural patterns like MVC, and connecting interfaces to code. It covers key concepts like properties, protocols, delegates, app states, and using Interface Builder to connect user interfaces to code using outlets and actions. The document is intended as training for a beginner iOS developer to learn iOS and Objective-C fundamentals on their first day.
Bekket McClane gave a presentation on moving from the Android NDK to AOSP. The presentation covered the Android NDK introduction and JNI programming. It provided an overview of AOSP including the zygote process and Binder IPC. An example was shown for controlling the vibrator using C/C++ Binder APIs by accessing libraries from AOSP. The steps included building AOSP libraries, creating an Android.mk file, and interacting with the vibrator service via a fake AIDL interface. Questions were invited via the speaker's online accounts.
Given that the reference Sightly implementation is now available in Apache Sling, this slide-deck focuses on best practices, modularity and on reducing application complexity by taking advantage of reusable components.
- The document discusses serialization and deserialization of objects for transfer between systems. It compares JSON and optimized JSON formats.
- JSON is more human-readable but has greater memory overhead and reduced compressibility compared to optimized formats like protocol buffers which can improve performance.
- The document recommends designing data transfer objects (DTOs) to optimize for smaller size and better compression when communicating with servers.
Kamailio World 2018 - Workshop: kamailio-tests, by Giacomo Vacca
This document discusses kamailio-tests, a testing framework for Kamailio. It aims to provide unit tests for Kamailio's core and module functionality to reduce the need for end-to-end testing. The framework uses Docker to allow tests to run across different operating systems and distributions. Unit tests are contained in directories and test scripts, and a control script can run all tests or specific ones. The document outlines the project structure, current test units, and future development plans to expand testing.
The document describes an exploratory case study of a programmer using the Solo Iterative Process (SIP) to develop changes to an open source file explorer application. The study examined 9 change requests implemented over 144 hours. Key findings included that the SIP and change request (SC) models were effective but could be improved, such as defining impact analysis exit criteria. The programmer's productivity of 31 lines of code per hour compared favorably to other models. The study uncovered opportunities to enhance tools and processes to support SIP when used by individuals or teams.
Custom CI/CD pipelines often don’t adapt well to existing platforms. OCluster is a cluster management system that’s currently deployed on thousands of cores powering various CI systems for the OCaml community. It composes recognized software components, from snapshotting filesystems to containers and virtualization management, in order to provide a lightweight and highly portable execution environment across operating systems and architectures. In this talk, we’ll present OCluster use cases, and how it fits into the OCurrent framework.
The document discusses Macpaul Lin's experience porting U-boot to the NDS32 architecture and sharing lessons learned from open source embedded software development. It covers the software architecture of U-boot, the boot process, code commit rules, patch workflow, and coding style guidelines. The presentation provides an introduction and technical overview of porting U-boot to a new CPU architecture.
[HKOSCon x COSCUP 2020][20200801][Ansible: From VM to Kubernetes], by Wong Hoi Sing Edison
By using Ansible for DevOps, we can manage VM and Docker image provisioning, Kubernetes and CephFS provisioning, and even Kubernetes Pod runtime management.
This document provides information about an Object Oriented Programming course, including its objectives, schedule, references, and an introduction to OOP. The course aims to help students understand OOP design principles and be able to design, develop, and implement OOP software systems. It will cover topics like inheritance, polymorphism, Java packages and networking over several weeks. Students are provided reading assignments from listed references to prepare for lectures.
Simple Build Tool (sbt) is an open source build tool. It is a good choice for Scala projects and aims to do the basics well. It requires Java 1.6 or later.
This document provides an overview of the Globus project, which aims to develop a service that digitizes POD (Product, Organization, and Delivery) frameworks. It outlines topics to be covered such as development environment, server-side development, and testing. It describes setting up the development environment in IntelliJ IDEA and SBT. It also details next steps such as creating a project structure in SBT, using appropriate Scala constructs to build the model, integrating with Travis CI for continuous integration, defining the business logic layer in collaboration with teammates, and writing the business logic in Scala.
- Automated cloud infrastructure setups using tools like Chef, Puppet, and Cfengine can help enable continuous delivery by ensuring development, test, and production environments are standardized and equalized.
- Describing infrastructure as code allows environments to be dynamically provisioned in the cloud, eliminating differences between environments.
- There are different approaches to the deployment artifact - it can be the software package, a virtual machine image, or a container. The appropriate solution depends on factors like whether the application is stateless.
- Open source tools like Jenkins, Docker, OpenStack, and configuration management solutions can be combined to implement continuous delivery pipelines that provision standardized environments for development and production in the cloud.
Ansiblefest 2018 Network automation journey at Roblox, by Damien Garros
In December 2017, Roblox’s network was managed in a traditional way without automation.
To sustain its growth, the team had to deploy 2 datacenters, a global network and multiple points of presence around the world in a few months; the only way to achieve that was to automate everything.
6 months later, the team had made tremendous progress and many aspects of the network lifecycle had been automated, from the routers and switches to the load balancers.
Synopsis
This talk is a retrospective of Roblox’s journey into network automation:
- How we got started and how we automated an existing network.
- How we organized the project around GitHub and a DCIM/IPAM solution (NetBox).
- How Docker helped us to package Ansible and create a consistent environment.
- How we managed many roles and variations of our design in a single project.
- How we automated the provisioning of our F5 Load Balancers.
For each point, we’ll cover what was successful, what was more challenging and what limitations we had to deal with.
(1) c sharp introduction_basics_dot_net, by Nico Ludwig
This presentation comes with many additional notes (pdf): http://de.slideshare.net/nicolayludwig/1-c-sharp-introductionbasicsdotnet-38638887
- History
- Bird's Eye View of Features
The document provides 8 steps to run MOSES machine translation software using CYGWIN on Windows: it includes installing CYGWIN, preparing the environment, checking the Demo folder contents, preprocessing input files, building a language model, training a phrase model, translating a file, and checking the results. The steps cover tasks like copying files, running preprocessing scripts, building an n-gram language model with SRILM, and training a phrase-based model with Moses scripts. The goal is to provide instructions for setting up Moses through Cygwin to translate between English and Arabic as a sample workflow.
This manual is a “How to Build” manual for OpenCV with OpenCL for Android.
If you only want to “Use OpenCL on OpenCV”, please see
http://github.com/noritsuna/OpenCVwithOpenCL4AndroidNDKSample
Sebastian Strobl presented on exploiting vulnerabilities in Zigbee, a wireless communication standard. He discussed Zigbee's security measures but noted flaws introduced by application profiles that mandate interoperability. He demonstrated attacks against real Zigbee devices, including sniffing network keys during pairing, jamming communication, and hijacking devices to join his own network. In summary, while Zigbee defines appropriate security measures, vulnerabilities arise from weak implementation and prioritization of usability over security by vendors.
This document discusses security principles for designing secure systems. It defines security as confidentiality, integrity, and availability. The principles discussed include defense in depth, least privilege, open design, economy of mechanism, compartmentalization, secure defaults, separation of duties, and fail secure. It emphasizes that security is not absolute and must balance usability, functionality, and cost. Social engineering is discussed as a challenge to technical security measures.
Similar to [Bucharest] Reversing the Apple Sandbox (20)
Sebastian Strobl presented on exploiting vulnerabilities in Zigbee, a wireless communication standard. He discussed Zigbee's security measures but noted flaws introduced by application profiles that mandate interoperability. He demonstrated attacks against real Zigbee devices, including sniffing network keys during pairing, jamming communication, and hijacking devices to join his own network. In summary, while Zigbee defines appropriate security measures, vulnerabilities arise from weak implementation and prioritization of usability over security by vendors.
This document discusses security principles for designing secure systems. It defines security as confidentiality, integrity, and availability. The principles discussed include defense in depth, least privilege, open design, economy of mechanism, compartmentalization, secure defaults, separation of duties, and fail secure. It emphasizes that security is not absolute and must balance usability, functionality, and cost. Social engineering is discussed as a challenge to technical security measures.
[Austria] How we hacked an online mobile banking TrojanOWASP EEE
The document describes how mobile security researchers analyzed and cracked an Android banking Trojan called Hesperbot. They found the malware on an infected smartphone and analyzed its behavior and encryption methods. Through static and dynamic analysis, they determined how the malware abused device administration permissions and communicated with its operator. The researchers then developed an exploit to manipulate the malware's code at runtime and extract the password needed to decrypt the device, removing the malware from the system. They provided lessons learned around thoroughly analyzing malware behavior before removal to avoid unintended consequences.
This document summarizes techniques for attacking the frontend security of websites. It discusses DOM-based cross-site scripting using sinks like document.write and sources like document.URL. It also covers information leaks through JavaScript, CSS, and framework templates. Other topics include JSONP, Flash, HTML5 features like postMessage, and mitigations like content security policy. The presentation encourages keeping frameworks updated and checking for newer attacks on older vulnerabilities. It provides examples of complex cross-domain policy and JSONP attacks.
[Poland] SecOps live cooking with OWASP appsec toolsOWASP EEE
This document outlines the agenda and demos for a presentation on securing the software delivery pipeline using open source security tools. The presentation covers setting up a continuous delivery pipeline using tools like Ansible, Jenkins and Docker to automate security testing with OWASP tools like ZAP and Dependency Check. It includes demos of manual testing with these tools, integrating them into a delivery pipeline using automation, and approaches like containerization to improve the speed and feedback loop of security testing. The overall goal is to discuss how to shorten software development cycles while maintaining security by automating testing within the delivery pipeline.
This document discusses SSL/TLS protocols and how to set up your own certificate authority (CA) or use Let's Encrypt for free SSL certificates.
It provides a brief history of SSL and TLS protocols, outlines the key differences between versions, and lists common TLS implementations like OpenSSL. It then explains how to set up your own CA by generating root and intermediate certificates and signing server/client certificates.
Finally, it introduces Let's Encrypt as a free and automated CA that aims to promote SSL security. It explains how Let's Encrypt validates domain ownership and issues certificates to ensure communications are private, integrity is maintained, and parties can be trusted.
This document discusses Content Security Policy (CSP), an HTTP header that allows restricting what resources a website can load or execute. CSP Report Only mode sends violation reports to a specified endpoint without blocking content. The document provides an overview of CSP and Report Only mode, demonstrates generating a CSP header and receiving reports, and discusses potential issues and stats on real-world CSP usage.
[Cluj] A distributed - collaborative client certification systemOWASP EEE
This document proposes a distributed-collaborative client certification system to help fight cybercriminality. It would involve different entities like email providers, banks, and companies collaborating to identify clients through assigned certificates in degrees of 1 or 2. Degree 1 certificates could be issued by email providers to weakly identify individuals, while degree 2 certificates from entities like banks could strongly identify individuals. This system aims to detect sources of spam, malware, and compromised certificates through big data analysis, empowering legitimate users while hindering criminal activity. However, challenges include widespread adoption and getting companies to collaborate in a neutral way.
[Russia] Node.JS - Architecture and VulnerabilitiesOWASP EEE
1. The document summarizes the architecture and vulnerabilities of Node.js. It describes how Node.js uses an event loop on a single thread to handle I/O bound operations asynchronously.
2. It discusses two vulnerabilities: denial of service attacks due to Node.js' single-threaded model, and weak cryptographic pseudo-random number generation. An attacker could infer future "random" values after observing only a few previous ones.
3. The document demonstrates how an attacker could use the weak crypto to determine future passwords after registering a few fake users and observing their initial passwords.
The document discusses various techniques for exploiting out-of-band SQL injections in MySQL, including using the LOAD_FILE, LOAD_DATA, and SELECT...INTO OUTFILE functions to retrieve files from the database server or operating system. It also covers using the FEDERATED and CONNECT storage engines to execute queries against remote databases.
The document discusses techniques for rapidly testing web applications through automation to find security vulnerabilities within a limited time frame (T) and network requests (Q). It proposes prioritizing testing based on features like platform, number of inputs, and response status. Algorithmic approaches are suggested like using polyglot payloads to check for multiple issues simultaneously, building a decision tree to classify hackability, and calculating page priorities to guide the scan. Whitebox testing techniques like custom grep scripts to find code vulnerabilities are also covered. The goal is to build an efficient automated web application scanner that traverses the "pwning paths graph" to find bugs within the constraints.
This document discusses hacking techniques that can be used on various devices and systems. It describes a hacker's curiosity and enjoyment in understanding internal systems. It then outlines rules of not harming systems and leaving things as found. Various inputs, techniques, and results are listed for locations in different countries targeting devices like kiosks, ATMs, and more. Security is often found to be lacking on these internet-connected devices.
I Am The Cavalry is an organization that aims to improve cyber safety for connected technologies that can impact public safety and human life. Their mission is to ensure these technologies are trustworthy. They do this by collecting research on vulnerabilities, connecting researchers with industry and policymakers, and catalyzing positive action. Their goal is to address issues sooner than would otherwise happen through education, outreach, and advocating for "safety by design", security updates, and other principles. They have started collaborating with medical device companies and aim to expand to other areas like automotive to help establish security best practices.
[Lithuania] DigiCerts and DigiID to Enterprise appsOWASP EEE
This document discusses digital certificates and their uses in enterprise applications. It mentions different types of digital certificates like Certificate Authority certificates, server certificates, and user certificates. It promotes automation and how automation can provide benefits like speed, cost reduction, increased performance, and innovation. It also discusses how digital certificates can provide integrity, confidentiality, and non-repudiation. The document describes Digi ID and Digi Sign capabilities and mentions different digital signature document formats and container types. It raises concerns about trusting online digital signature services and discusses hardware token options for digital signatures.
[Lithuania] Introduction to threat modelingOWASP EEE
The document introduces threat modeling for software projects. It discusses decomposing a project into components, roles, and data flow. Potential threats are identified by using techniques like STRIDE and threat agent motivations. Risk is determined by threat frequency, loss magnitude, and likelihood of threats resulting in losses. Mitigations work to increase costs for attackers. Experience with threat modeling techniques and reflection on past projects helps improve the process over time.
[Hungary] I play Jack of Information DisclosureOWASP EEE
The document describes how to conduct threat modeling using playing cards. It defines a threat as any circumstance or event with the potential to adversely impact an asset. It discusses guidelines for threat modeling, including considering the target audience, purpose and scope. It then provides an example of using playing cards to gamify the threat modeling process for a vulnerable web application. The steps involve identifying security objectives, surveying the application, decomposing it, identifying threats, documenting threats and rating threats. Various suits and ranks in a deck of cards represent different threats and risk levels.
[Hungary] Survival is not mandatory. The air force one has departured are you...OWASP EEE
The document discusses the HACTIVITY conference 2015. It provides information on several topics that will be covered, including airplanes and how they operate safely through mechanisms like autopilots and testing. It discusses the importance of organizations like OWASP that work to improve software security through frameworks, standards, and knowledge sharing. Specific topics that will be demonstrated include the OWASP Security Knowledge Framework and integrating security into the software development life cycle using tools like Travis CI, Coveralls CI, and Scrutinizer CI. The document concludes by inviting questions from attendees.
[Hungary] Secure Software? Start appreciating your developers!OWASP EEE
This document recommends appreciating developers and provides information about the author's experience, including over 10 years as a developer and in information security, 4 years as an independent security consultant, leading the Dutch OWASP chapter since 2007, and chairing the OWASP AppSec-Eu/Research event in 2015. The author signs off by thanking the reader in both English and Hungarian.
[Bucharest] Catching up with today's malicious actorsOWASP EEE
This document summarizes a presentation about current security challenges and future possibilities. It discusses how malicious actors have advantages over security teams in terms of resources, tools, and lack of bureaucracy. Traditional security tools like antivirus are increasingly ineffective against techniques used by state actors, hackers, and others. The future of security may involve artificial intelligence and self-protecting networks that can autonomously monitor systems, identify threats, and take automated actions like deploying patches. Organizations need to gather and analyze large amounts of data from all devices to better identify malicious patterns and events and automate responses.
[Bucharest] From SCADA to IoT Cyber SecurityOWASP EEE
Bogdan Matache is a cyber security specialist with over 15 years of experience in IT, energy, and industrial control systems. He has penetration tested and hacked several industrial control and IoT systems, including fuel pumps, asphalt stations, cars, drones, and smart home devices. Matache now works as an auditor at EnerSec, focusing on cyber security for the energy sector. He discusses the growth of IoT and risks of attacks against availability, integrity and confidentiality in both SCADA and IoT systems. Matache also outlines common attack types, hardware, software and malware used to target these systems.
HijackLoader Evolution: Interactive Process HollowingDonato Onofri
CrowdStrike researchers have identified a HijackLoader (aka IDAT Loader) sample that employs sophisticated evasion techniques to enhance the complexity of the threat. HijackLoader, an increasingly popular tool among adversaries for deploying additional payloads and tooling, continues to evolve as its developers experiment and enhance its capabilities.
In their analysis of a recent HijackLoader sample, CrowdStrike researchers discovered new techniques designed to increase the defense evasion capabilities of the loader. The malware developer used a standard process hollowing technique coupled with an additional trigger that was activated by the parent process writing to a pipe. This new approach, called "Interactive Process Hollowing", has the potential to make defense evasion stealthier.
Honeypots Unveiled: Proactive Defense Tactics for Cyber Security, Phoenix Sum...APNIC
Adli Wahid, Senior Internet Security Specialist at APNIC, delivered a presentation titled 'Honeypots Unveiled: Proactive Defense Tactics for Cyber Security' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
Securing BGP: Operational Strategies and Best Practices for Network Defenders...APNIC
Md. Zobair Khan,
Network Analyst and Technical Trainer at APNIC, presented 'Securing BGP: Operational Strategies and Best Practices for Network Defenders' at the Phoenix Summit held in Dhaka, Bangladesh from 23 to 24 May 2024.
1. Reversing the Apple Sandbox
OWASP EEE 2015
Razvan Deaconescu
razvan.deaconescu@cs.pub.ro
2. October 9, 2015 Reversing the Apple Sandbox 2
Recent iOS Attacks
Jekyll Attacks
Celebrity Leaks
XcodeGhost
3. Apple iOS Defense Mechanisms
Private/public framework separation
Apple Vetting Process
Privacy Settings
Sandboxing
Trusted BSD security layer
4. Aims
Better understanding of Apple security
mechanisms
Improve security
Part of joint research work with TU Darmstadt (CASED) and North
Carolina State University
5. Apple Sandboxing
● Limit attack surface for a given app
● An app is provided a sandbox profile
● Sandbox profiles consist of sandbox profile
rules
– Scheme-like rules
– SBPL format (Sandbox Profile Language)
– SBPL format is compiled into binary format
● Little documentation on internals
● Default “container” sandbox profile for 3rd party
iOS apps
6. Reversing Apple Sandbox
● Reverse “container” sandbox profile
● Get an understanding of the rules inside the
default container
– Analyze how they could be bypassed or improved
● Make use of very little documentation on the
internals
– No official documentation on SBPL operations
– No official documentation on the inner workings
– No official documentation on the binary format
8. How Sandboxing Works
● SBPL consists of rules (operations and filters)
● Each rule is a deny or allow
● Kernel loads profile for an app
● Hooks inside the kernel check the rules inside
the profile and allow or deny access to the app
● Works similarly for iOS and Mac OS X
● Implemented in the sandbox kernel extension
(Sandbox.kext)
9. Creating an Apple Sandbox Profile
● Write an SBPL file
● Use the sandbox-exec command or the sandbox_init()
function to load an app using a given profile
● Use sandbox_compile() to compile it to the binary
format
● The binary format is used by the app
● sandbox_* functions are fairly undocumented
and used internally
– Implementation in libsandbox.dylib
10. Anatomy of the Apple Sandbox Profile
● Each rule consists of an operation, filter and
action
● Operation is a class of action (file-read*,
network-inbound, process-exec)
● Filter is an argument to the operation (file
name, socket address, process ID)
– Filters may be regular expressions
● Action may be allow or deny
– Flags may be part of it (such as debug)
11. Need to Know
● What is inside an .sb file?
● Where are the builtin binary sandbox profiles
stored?
● What is the format of the binary sandbox profile
file?
● How can one reverse the format?
12. Previous Work
● Dionysus Blazakis (Dion)
– The Apple Sandbox (BlackHat 2011)
– 5th Chapter in “The iOS Hacker's Handbook”
– https://github.com/dionthegod/XNUSandbox/
● Stefan Esser (Stefan)
– “iOS8 Containers, Sandboxes and Entitlements”
(Ruxcon 2014)
– https://github.com/sektioneins/sandbox_toolkit
13. Methodology Overview
● Get complete list of operations and filters
● Get a good understanding of the sandbox
workflow (create/compile, apply)
● Extract builtin binary sandbox profiles
● Thorough understanding of the binary format
● Reverse a binary format sandbox profile file to
its initial SBPL format
14. Building Blocks
● Compile SBPL format file to binary format
● Use sandbox profile
● The intermediary “even more Scheme-like”
format
● Well documented by Dion, though one needs
multiple read-throughs to get a good picture
15. Full List of Filters and Operations
● List of operations provided by Dion and Stefan
● Methodology: look into Sandbox.kext
– Updated methodology: extract strings from
libsandbox.dylib and look for “%operations”
● No methodology for filters in previous work
– As with operations, use strings in libsandbox.dylib
16. Intermediary Format
Show samples
17. Intermediary Format
● Slightly updated TinyScheme interpreter inside
libsandbox.dylib
● SBPL → Intermediary Format → Binary Format
● By “hooking” into the interpreter one can dump
the intermediary format
$ cat osx_sbpl_stub.scm osx_sbpl_init.scm osx_sbpl_v1.scm require-in-require-allow-deny.sb display_rules.scm | ./as
18. Extract Builtin Binary Sandbox Profiles
● Located in the sandboxd executable file
● Start from the profile string (i.e. “container”)
● Do “offset-based computing” and locate start of
binary profile and region length
● Nice implementation by Stefan
– https://github.com/sektioneins/sandbox_toolkit/tree/
master/extract_sbprofiles
– Stefan's implementation wasn't available at the time
I started this :-(
19. The Apple Sandbox Binary Format
● Initial work by Dion (for iOS v5)
● Updated work by Stefan (for iOS v8)
– All work by Dion
– Insight on regular expressions format and the
operations list
● Methodology: create SBPL format files, compile
and check
20. Binary Format Header
● Header version (2 bytes)
● Offset to regular expression section (2 bytes)
● Number of regular expressions (2 bytes)
● Table of offsets (NUM_OPERATIONS * 2 bytes)
– Offset to action nodes for each operation
● All offsets multiplied by 8
22. Linearized Regular Expression
● regex → NFA (Non-deterministic Finite
Automaton)
● NFA is “binarized”
● Representation for: characters, special
characters (., ^, $), character sets, jumps
● Documented by Stefan (though some parts are
missing)
– Dion had done it, but encoding is different (as
noticed by Stefan)
23. Regex Reversing Steps
● Create NFA from binary representation as a
graph
– Intermediary representation where each vertex is a
character and edges are possible “links”
● Use state removal algorithm
– Leave initial and final states for last
– Take care of the * and + regex operators
– Take care of the ? operator
– Take care of complex expressions using ( and )
24. Idea for State Removal Algorithm
[Figure: state removal examples; edge labels shown: a, b, ab, c, c, d, (ad)*]
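The state removal step from the two slides above, as an added example (not the talk's own scripts): the NFA is supplied as a labelled graph, since the binary regex encoding itself is not reproduced here, and intermediate states are eliminated one at a time, rewriting each p → q → r detour into a single p → r edge, turning self-loops on q into a starred sub-expression and collapsing an epsilon alternative into the ? operator; the initial and final states are left for last. The graph inputs in the tests and in the main block are constructed.

```python
"""State removal (state elimination) on an NFA graph, producing a regex.
Added example for the regex-reversing steps on the slides; the input graph
is constructed, not decoded from Apple's binary regex format."""
import re

def _top_level_bar(x):
    """True if x contains an alternation '|' outside any parentheses."""
    depth = 0
    for ch in x:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "|" and depth == 0:
            return True
    return False

def _group(x):
    return x if len(x) == 1 else "(" + x + ")"

def _star(x):
    """Kleene star of a self-loop label; an epsilon loop contributes nothing."""
    return "" if x == "" else _group(x) + "*"

def _concat(a, b):
    if _top_level_bar(a):
        a = "(" + a + ")"
    if _top_level_bar(b):
        b = "(" + b + ")"
    return a + b

def _union(a, b):
    """Union of two edge labels; None means 'no edge'. An epsilon alternative
    turns the other label into an optional (the ? operator)."""
    if a is None:
        return b
    if b is None or a == b:
        return a
    if a == "":
        return _group(b) + "?"
    if b == "":
        return _group(a) + "?"
    return a + "|" + b

def nfa_to_regex(edges, initial, final):
    """edges: iterable of (src, dst, label); label '' is an epsilon edge.
    Returns None when the final state is unreachable (empty language)."""
    label = {}
    states = {initial, final}
    for u, v, lab in edges:
        states.update((u, v))
        label[(u, v)] = _union(label.get((u, v)), lab)
    # eliminate every intermediate state; initial and final are left for last
    for q in sorted(s for s in states if s not in (initial, final)):
        loop = _star(label.pop((q, q), ""))
        preds = [p for (p, r) in label if r == q]
        succs = [r for (p, r) in label if p == q]
        for p in preds:
            for r in succs:
                # every path p -> q (-> q)* -> r becomes one direct p -> r edge
                via = _concat(_concat(label[(p, q)], loop), label[(q, r)])
                label[(p, r)] = _union(label.get((p, r)), via)
        for p in preds:
            del label[(p, q)]
        for r in succs:
            del label[(q, r)]
    if initial == final:
        return _star(label.get((initial, initial), ""))
    s_loop = _star(label.get((initial, initial), ""))
    s_to_f = label.get((initial, final))
    if s_to_f is None:
        return None
    head = _concat(s_loop, s_to_f)
    f_loop = label.get((final, final))
    f_to_s = label.get((final, initial))
    if f_to_s is not None:
        # a way back from final to initial is one more loop around the final state
        f_loop = _union(f_loop, _concat(_concat(f_to_s, s_loop), s_to_f))
    return _concat(head, _star(f_loop or ""))

def accepts(regex, text):
    """Anchored check of a reconstructed regex against a sample string."""
    return re.fullmatch(regex, text) is not None

if __name__ == "__main__":
    # the (ad)* case from the slide: a cycle 0 -a-> 1 -d-> 0 and an exit edge c
    print(nfa_to_regex([(0, 1, "a"), (1, 0, "d"), (0, 2, "c")], 0, 2))
```

When one operation's binary blob carries several regular expressions (the TODO on slide 25), the same routine applies per sub-graph once the blob has been split into one graph per expression; the ordering in which intermediate states are removed changes the shape but not the language of the result.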
25. TODOs for Regex Reversing
● Robust reversing when operation uses multiple
regular expressions
– They are part of a single binary representation but
need to “split” them apart
● Remove builtin regular expressions in binary
format
– Sandbox compiler by default adds certain regular
expressions to deny access to certain services
irrespective of the initial file
26. Reminder: Binary Format Header
● Header version (2 bytes)
● Offset to regular expression section (2 bytes)
● Number of regular expressions (2 bytes)
● Table of offsets (NUM_OPERATIONS * 2 bytes)
– Offset to action nodes for each operation
● All offsets multiplied by 8
27. Operation Offsets
● Each operation gets an offset to an action
node
– There will always be at least one offset per
operation
● Two types of action nodes (dubbed “operation
nodes” by Dion and Stefan)
– Terminal nodes: allow or deny
● Dubbed result nodes by Stefan
– Non-terminal nodes: do further processing
● Dubbed decision nodes by Stefan
28. Terminal Action Nodes
● Padding (1 byte)
● Action (deny/allow) (2 bytes)
– Flags: debug
29. Non-Terminal Action Nodes
● Filter type (1 byte)
● Filter argument (2 bytes)
● In case of match, offset to next action node (2
bytes)
● In case of unmatch, offset to next action node
(2 bytes)
30. Reversing Filters
● Not fully done/documented by Stefan
● Extract all filters
● Create SBPL file with all of them and compile
– Match filter IDs and filter arguments to actual filters
31. Match/Unmatch Options in Action Nodes
● Match is terminal, unmatch is terminal
– Current operation filter is denied/allowed
– Terminate processing of operation
● Match is non-terminal, unmatch is terminal
– Link current action to previous action
● Match is terminal, unmatch is non-terminal
– Current operation filter is denied/allowed
– If no match, link unmatch action to previous action
● Match is non-terminal, unmatch is non-terminal
– “Split” in decision making, link both current and unmatch
action to previous action
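Putting the header and node layouts from slides 20 and 26 to 31 together, as an added example that is not the talk's tooling: the byte layout below is an assumption drawn from the slides (a leading node-type byte, 8-byte little-endian nodes so that offsets come in units of 8, the low bit of the action word as allow/deny and a higher bit as the debug flag), the operation and filter tables are placeholders, and the profile blob is constructed here rather than extracted from sandboxd. The walker turns each operation's action tree into rules: every root-to-terminal path becomes one rule, a match edge adds the filter as a condition and an unmatch edge adds it negated (require-not).

```python
"""Walk a constructed sandbox-profile binary laid out as the slides describe
and turn each operation's action-node tree back into rules.
Added example: the byte layout is an assumption drawn from the slides,
not a verified dump of Apple's format."""
import struct

# Constructed placeholder tables: real operation and filter IDs are recovered
# by compiling test profiles (slide 30), which this demo does not do.
OPERATIONS = ["file-read*", "network-inbound"]      # NUM_OPERATIONS = 2
FILTER_NAMES = {0: "literal", 1: "subpath", 2: "regex"}
FLAG_NAMES = {0b10: "debug"}                         # assumed flag bit above bit 0
NODE_NONTERMINAL, NODE_TERMINAL = 0, 1               # assumed leading type byte

def parse_header(blob):
    """Slide 20 header: version, regex-section offset, regex count, then one
    action-node offset per operation; every offset is in 8-byte units."""
    version, regex_off, regex_count = struct.unpack_from("<HHH", blob, 0)
    op_offsets = struct.unpack_from("<%dH" % len(OPERATIONS), blob, 6)
    return {"version": version, "regex_offset": regex_off * 8,
            "regex_count": regex_count, "op_offsets": [o * 8 for o in op_offsets]}

def read_node(blob, off):
    """Decode one 8-byte action node, refusing offsets outside the buffer so a
    malformed profile cannot make the walker read past its end."""
    if off < 0 or off + 8 > len(blob):
        raise ValueError("action node offset %d outside profile" % off)
    kind = blob[off]
    if kind == NODE_TERMINAL:
        # slide 28: padding (1 byte), then action (2 bytes); bit 0 = allow
        (action,) = struct.unpack_from("<H", blob, off + 2)
        flags = [name for bit, name in FLAG_NAMES.items() if action & bit]
        return ("terminal", "allow" if action & 1 else "deny", flags)
    if kind == NODE_NONTERMINAL:
        # slide 29: filter type, filter argument, match offset, unmatch offset
        ftype, farg, m_off, u_off = struct.unpack_from("<BHHH", blob, off + 1)
        return ("decision", FILTER_NAMES.get(ftype, "filter%d" % ftype),
                farg, m_off * 8, u_off * 8)
    raise ValueError("unknown node type %d at offset %d" % (kind, off))

def walk(blob, off, path=(), seen=frozenset()):
    """List every root-to-terminal path as (action, flags, conditions); a
    condition is (negated, filter, argument): the match edge adds a positive
    condition, the unmatch edge a negated one (SBPL require-not)."""
    if off in seen:
        raise ValueError("cycle in action nodes at offset %d" % off)
    node = read_node(blob, off)
    if node[0] == "terminal":
        return [(node[1], node[2], list(path))]
    _, fname, farg, m_off, u_off = node
    seen = seen | {off}
    return (walk(blob, m_off, path + ((False, fname, farg),), seen)
            + walk(blob, u_off, path + ((True, fname, farg),), seen))

def reverse_profile(blob):
    """(operation, action, flags, conditions) for every path of every operation."""
    hdr = parse_header(blob)
    rules = []
    for op, off in zip(OPERATIONS, hdr["op_offsets"]):
        for action, flags, conds in walk(blob, off):
            rules.append((op, action, flags, conds))
    return rules

def to_sbpl(rule):
    """Render a rule in SBPL style; filter arguments stay as raw indices."""
    op, action, flags, conds = rule
    parts = []
    for neg, fname, farg in conds:
        f = "(%s arg#%d)" % (fname, farg)
        parts.append("(require-not %s)" % f if neg else f)
    if len(parts) > 1:
        parts = ["(require-all %s)" % " ".join(parts)]
    text = "(%s %s%s)" % (action, op, "".join(" " + p for p in parts))
    return text + (" ; flags: %s" % ",".join(flags) if flags else "")

def is_well_formed(blob):
    """True when every operation's tree can be walked without errors."""
    try:
        reverse_profile(blob)
        return True
    except ValueError:
        return False

def build_sample_blob():
    """Constructed 56-byte profile: a 16-byte header (10 bytes used, padded to
    the 8-byte grid) followed by five nodes at 8-byte offsets 2 to 6."""
    def nt(ftype, farg, match, unmatch):
        return struct.pack("<BBHHH", NODE_NONTERMINAL, ftype, farg, match, unmatch)
    def term(action):
        return struct.pack("<BBH", NODE_TERMINAL, 0, action) + b"\0" * 4
    header = struct.pack("<HHHHH", 1, 7, 0, 2, 6)  # version, regex off, count, op0, op1
    header += b"\0" * (16 - len(header))
    nodes = (nt(1, 7, 3, 5)        # @2: subpath arg#7 ? -> @3 : -> @5
             + nt(2, 0, 5, 4)      # @3: regex arg#0   ? -> @5 : -> @4
             + term(1)             # @4: allow
             + term(0)             # @5: deny, reached from two branches of op0
             + term(0b11))         # @6: allow with the debug flag set (op1 root)
    return header + nodes

if __name__ == "__main__":
    for rule in reverse_profile(build_sample_blob()):
        print(to_sbpl(rule))
```

The bounds and cycle checks in read_node and walk are the part worth keeping when this is pointed at a real extracted blob: an offset table is attacker-influenced input as far as the parser is concerned, and a script that trusts it will crash or loop on a truncated or corrupted profile.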
33. TODOs for Reversing Action Nodes
● Handle require-not
● Remove default action nodes rules
– Operations not in initial SBPL file use implicit rules
(deny, allow and others)
– These rules need not be present in the reversed
SBPL file
● Handle terminal flags (debug)
34. Current State of Things
● Draft reverse of builtin iOS “container” sandbox
profile
– See demo
● Scripts to do small little things
– README and instructions for advanced user
● Need to make scripts more generic and usable
● Research paper under way
● Will most likely publish tools as open source
35. Lessons Learnt
● Reversing is fun and time consuming
● Previous work has been very helpful
– Though I only figured some things out later
● Graphs are really useful IRL!
● You'll never know what you need to know when
doing reversing: graphs, NFAs, regex,
algorithms, functional programming