We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old.
We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.
Linux Security APIs and the Chromium Sandbox, by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
The document discusses UNIX rootkits and how they can hijack system calls in the Linux kernel to achieve stealth. It explains how rootkits work by loading kernel modules that hook system calls to hide processes, files, network ports and more. The document also provides examples of how rootkits can hijack specific system calls like open, read, write and more to implement stealth and covert functionality.
The document describes a simulated hacking game scenario involving a compromised POS terminal infected with malware. It details the components of the botnet architecture including bot nodes, command and control infrastructure, and social media propagation. Diagrams show the network layout and communication channels. The document also examines the bot's components, capabilities, and protection mechanisms such as bytecode encryption and anti-debugging techniques. Hints are provided to help players progress in the game by bypassing defenses and achieving objectives over multiple days.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers Cisco IOS shellcodes that are image-independent, achieved either by disassembling the running image or by interrupt hijacking. It also discusses Tcl shellcodes and the challenges of reverse engineering Cisco IOS, including its lack of modularity and APIs. The document details subsystems, registries, processes, the command parser tree, debugging Cisco IOS, and the magic numbers used in Cisco IOS.
The Anatomy of an Exploit (NDC TechTown 2019), by Patricia Aas
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used.
The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Chromium Sandbox on Linux (BlackHoodie 2018), by Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Advanced CFG bypass on Adobe Flash Player 18 (DEFCON Russia 23), by DefconRussia
This document describes an advanced technique to bypass Control Flow Guard (CFG) protections on Adobe Flash Player 18 and Windows 8.1. It details how the researchers were able to generate indirect call instructions in just-in-time (JIT) compiled Flash code to redirect execution to controlled addresses, bypassing CFG. This was done by manipulating parameters passed between functions to influence the JIT compiler's code generation and produce the desired indirect call opcodes. The technique allowed full control-flow hijacking on the protected systems.
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ..., by PROIDEA
Users of modern Linux containerization technologies are frequently at a loss about what kind of security guarantees are delivered by the tools they use. Typical questions range from “Can these be used to isolate software with known security shortcomings and a rich history of security vulnerabilities?” to even “Can I use such a technique to isolate user-generated and potentially hostile assembler payloads?”
Modern Linux OS code-base as well as independent authors provide a plethora of options for those who desire to make sure that their computational loads are solidly confined. Potential users can choose from solutions ranging from Docker-like confinement projects, through Xen hypervisors, seccomp-bpf and ptrace-based sandboxes, to isolation frameworks based on hardware virtualization (e.g. KVM).
The talk will discuss the techniques available today, with a focus on the (frequently overstated) promises regarding their strength. In the end, as they say: “Many speed bumps don’t make a wall”.
Preemptable ticket spinlocks: improving consolidated performance in the cloud, by Jiannan Ouyang, PhD
These slides were presented at the 9th ACM SIGPLAN/SIGOPS International Conference on Virtual Execution Environments (VEE '13).
When executing inside a virtual machine environment, OS level synchronization primitives are faced with significant challenges due to the scheduling behavior of the underlying virtual machine monitor. Operations that are ensured to last only a short amount of time on real hardware, are capable of taking considerably longer when running virtualized. This change in assumptions has significant impact when an OS is executing inside a critical region that is protected by a spinlock. The interaction between OS level spinlocks and VMM scheduling is known as the Lock Holder Preemption problem and has a significant impact on overall VM performance. However, with the use of ticket locks instead of generic spinlocks, virtual environments must also contend with waiters being preempted before they are able to acquire the lock. This has the effect of blocking access to a lock, even if the lock itself is available. We identify this scenario as the Lock Waiter Preemption problem. In order to solve both problems we introduce Preemptable Ticket spinlocks, a new locking primitive that is designed to enable a VM to always make forward progress by relaxing the ordering guarantees offered by ticket locks. We show that the use of Preemptable Ticket spinlocks improves VM performance by 5.32X on average, when running on a non paravirtual VMM, and by 7.91X when running on a VMM that supports a paravirtual locking interface, when executing a set of microbenchmarks as well as a realistic e-commerce benchmark.
The document discusses weaknesses in random number generation and pseudorandom number generation (PRNG) that can be exploited by attackers. It provides examples of programs that used weak PRNGs, allowing session IDs and keys to be guessed. Lessons learned are that numbers used to derive keys and IDs must be truly random and unpredictable, and PRNGs must be cryptographically secure. Two types of randomness are defined: true randomness from unpredictable sources, and pseudorandomness from cryptographically secure PRNGs seeded with true randomness.
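The failure mode that summary describes, as an added example (not code from the summarized document): a session ID built from libc rand() seeded with the wall clock, the attacker's loop that recovers the seed by trying every second around the issue time, and the fix, which reads the token from the kernel CSPRNG instead. The token length, the function names and the use of /dev/urandom as the source are assumptions made for this example.

```c
/* Added example: predictable session IDs from a clock-seeded PRNG, and the fix.
 * Not code from the summarized document; names and TOKEN_LEN are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 8 /* bytes per session ID; assumption for the example */

/* Weak generator: every byte comes from rand() after srand(seed), so anyone
 * who knows (or can guess) the seed reproduces the whole token. */
static void weak_token(unsigned seed, uint8_t out[TOKEN_LEN]) {
    srand(seed);
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = (uint8_t)(rand() & 0xff);
}

/* The classic mistake: seed from the clock in seconds. */
static void server_issue_weak_token(uint8_t out[TOKEN_LEN]) {
    weak_token((unsigned)time(NULL), out);
}

/* Attacker's side: the token was issued "around" t_guess (a Date: header,
 * a login timestamp). Try each seed in [t_guess-window, t_guess+window]
 * and return the one that regenerates the observed token, or 0 if none. */
static unsigned recover_seed(const uint8_t token[TOKEN_LEN],
                             unsigned t_guess, unsigned window) {
    uint8_t cand[TOKEN_LEN];
    unsigned lo = t_guess > window ? t_guess - window : 1;
    for (unsigned s = lo; s <= t_guess + window; s++) {
        weak_token(s, cand);
        if (memcmp(cand, token, TOKEN_LEN) == 0)
            return s;
    }
    return 0;
}

/* The fix: take the bytes from the OS CSPRNG. /dev/urandom is used here
 * for portability; getrandom(2) is the equivalent on recent Linux.
 * Returns 0 on success, -1 if the source could not be read. */
static int strong_token(uint8_t out[TOKEN_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, 1, TOKEN_LEN, f);
    fclose(f);
    return got == TOKEN_LEN ? 0 : -1;
}

/* Helpers that package the two demonstrations as checkable results. */
static int weak_token_is_recoverable(unsigned real_seed) {
    uint8_t tok[TOKEN_LEN];
    weak_token(real_seed, tok);
    /* attacker guesses the time 17 s late and searches one minute each way */
    return recover_seed(tok, real_seed + 17, 60) == real_seed;
}

static int strong_tokens_differ(void) {
    uint8_t a[TOKEN_LEN], b[TOKEN_LEN];
    if (strong_token(a) != 0 || strong_token(b) != 0)
        return 0;
    return memcmp(a, b, TOKEN_LEN) != 0;
}

int main(void) {
    uint8_t tok[TOKEN_LEN];
    server_issue_weak_token(tok);
    unsigned now = (unsigned)time(NULL);
    printf("weak token recovered from seed %u (issued at %u)\n",
           recover_seed(tok, now, 5), now);
    printf("strong tokens differ: %s\n", strong_tokens_differ() ? "yes" : "no");
    return 0;
}
```

The search space for the weak token is the clock window, a few hundred candidates, regardless of how many bytes the token carries; padding the token does not help, only an unpredictable source does.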
The document discusses the "Hello World" program in C and assembly languages. It provides the C code, compiles and runs it using GCC and LLVM, and examines the output assembly code, object file and executable using various Linux tools like objdump, readelf, nm, and strace. It explains concepts like sections, segments, symbol tables, relocation records, and the role of linker and loader.
The document discusses various techniques for anti-debugging including API based detection, process and thread block detection, hardware and register based detection, exception based detection, and modified code based detection. It provides examples of API based anti-debugging methods like FindWindow, IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugString, NtQueryInformationProcess, and NtSetInformationThread. The purpose of anti-debugging is to protect intellectual property by making reversing software more difficult through detection and hindering of debuggers.
Don't mention TLB (at all?!?), just confuses people. Was just put so people
were aware that it was being set up for deterministic behaviour (the side
channel is the cache exclusively, not the TLB missing).
Don't mention the privilege level arch stuff until *after* Variant 1 has been
discussed, rather prior to Variant 2, and especially 3/Meltdown.
To explain the victim vs. attacker domains better in Variant 1, the example of
two threads in a process should be given, where one thread is the
'parent'/'governor' of the other(s), and has privileged information, e.g., a
valid TLS session key for a bank account login in another thread/tab in a
browser. One thread should not be able to 'see' another's private data.
Items such as the AntiVirus report could easily be omitted...
Thanks,
Kim Phillips
The document discusses the Dtrace tool for debugging, profiling, and monitoring systems. It provides an overview of Dtrace's key components like the D language, probes, consumers, and providers. Examples are given for using Dtrace for debugging issues by tracing function calls, gathering statistics on memory allocation, and visualizing process flow.
This document analyzes the $BOARDNAME.h file in U-boot. It describes the contents and purpose of this important file that defines board-specific configurations for U-boot. It provides examples of definitions for the Mango100 board related to memory layout, boot settings, Ethernet/USB configurations, and NAND support.
The document discusses various UNIX system calls and functions related to file operations like linking, unlinking, renaming files, getting file attributes, changing permissions and ownership, and modifying timestamps. Code snippets are provided to demonstrate the implementation and usage of functions like link(), unlink(), stat(), chmod(), chown(), and utime().
The document contains information about various digital circuits that can be used for a VHDL practical exam, including code and simulations for:
1. A 4-bit by 4-bit multiplier circuit with VHDL code and a simulation forcing inputs and displaying outputs.
2. An 8-bit by 8-bit multiplier circuit with similar VHDL code and simulation.
3. A 128-bit by 8-bit RAM circuit with 1024 bits of memory, VHDL code, and a simulation storing values and reading them back out.
Kernel-Level Programming: Entering Ring Naught, by David Evans
University of Virginia
cs4414: Operating Systems
http://rust-class.org
Leslie Lamport wins the Turing Award!
Hardware-Based Memory Isolation
Software-Based Memory Isolation
Kernel-Level Programming
Which came first, programming languages or operating systems?
Programming without other programs
Kernel development
IronKernel
For embedded notes, see:
http://rust-class.org/class-14-entering-ring-naught.html
2013-02-21 - .NET UG Rhein-Neckar: JavaScript Best Practices, by Johannes Hoppe
The document provides JavaScript best practices focusing on code quality, avoiding antipatterns like implied globals and eval, and recommendations for style like indentation and naming conventions. It also discusses testing with Jasmine including writing tests, making them pass, refactoring code, and repeating the test-driven development process. Modular code organization techniques like revealing module pattern and event publishing are also covered.
The Ring programming language version 1.5.3 book - Part 93 of 184, by Mahmoud Samir Fayed
CURL provides functions for transferring data with URLs using various protocols like HTTP, FTP, and more. It supports options like setting URLs, headers, authentication, proxies, SSL certificates, callbacks, and more. Common functions include curl_easy_setopt to set options, curl_easy_perform to perform a request, and curl_easy_getinfo to retrieve result info.
The document provides an overview of various user-space system programming concepts in Linux including processes, signals, scheduling, and inter-process communication. It discusses APIs for process creation and management, signal handling techniques, and scheduling priorities. Examples of using processes, signals and waitpid are provided from SSH and BusyBox code.
The Ring programming language version 1.10 book - Part 38 of 212, by Mahmoud Samir Fayed
The document provides information about SQLite and PostgreSQL database functions in Ring programming language. It describes functions for initializing and connecting to databases, executing SQL statements, and retrieving and manipulating result sets. Examples are given showing how to create, insert, and select data from database tables using these functions.
Crypto Complete is a software product that provides encryption and key management capabilities on IBM i systems. It allows users to establish encryption policies, generate and manage encryption keys, encrypt database fields, libraries, objects and files, and retrieve encrypted values. The software integrates symmetric key management and allows encryption of data without requiring changes to applications or databases.
The ring 0 facade: awakening the processor's inner demons, by Priyanka Aash
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc.
Speakers:
Christopher Domas, Cyber Security Researcher
This document describes techniques for creating rootkits on Linux x86 systems. It discusses obtaining the system call table, hooking system calls through various methods like direct modification of the table, inline hooking of system call code, and patching the system call handler. It also presents the idea of abusing debug registers to generate exceptions and intercept system calls. The goal is to conceal running processes, files, and other system data from detection.
Secure Programming Practices in C++ (NDC Security 2018), by Patricia Aas
This talk is for programmers wishing to feel more comfortable navigating the C++ landscape. We will explore the programming culture that has developed around the C++ language. Specifically, we will look at programming patterns that navigate around or through some of the dangerous parts of the C++ language. The goal is to build a set of programming practices based in the “smaller and cleaner language” inside C++. And by doing so, we will also build an awareness around code constructs that can potentially “blow your whole leg off”.
This document discusses various techniques for securing and encrypting Android devices. It describes setting up encryption on the device storage and external storage using LUKS encryption. It also covers methods for modifying device settings and firmware to achieve different levels of security and control over the device, ranging from basic to recommended. The recommended approach involves fully encrypting the device data and storage, along with disabling debugging and unknown sources for maximum security.
This document discusses various techniques for securing and accessing Android devices, including:
1. Encrypting the device's data partition and external storage for added security.
2. Methods for modifying settings and firmware to gain root access or disable security features like encryption.
3. Recommended security practices for Android devices ranging from basic to moderate to recommended approaches.
seccomp is a computer security facility in the Linux kernel, pledge is a similar security facility in the OpenBSD kernel. In this presentation Giovanni Bechis will review the development story and progress of both kernel interfaces and will analyze the main differences. There will be some examples of implementations of security patches made for some important open source projects.
Container: is it safe enough to run your application?, by Aleksey Zalesov
In this talk I explore the technologies that empower containerisation and look at several cases where a container was able to break the walls around it. The talk was given at LinuxPiter on Nov 21, 2015.
The document discusses code for serial port (com) device drivers in FreeBSD. It shows code from the comstart() function, which is called by the tty layer when there is outgoing data to transmit. Comstart() grabs the data from the tty queue and sets up the com_softc structure to start transmission. It then calls the chip-specific transmit function. The com_softc structure contains a pointer to the associated tty structure.
The Anatomy of an Exploit (NDC TechTown 2019), by Patricia Aas
This document provides an overview of an exploit development process. It begins by discussing how exploits program the "weird machine" of vulnerable programs through memory manipulation. It then walks through developing a stack buffer overflow exploit against a vulnerable C program. Various compiler protections like stack canaries and ASLR are bypassed. The document generates a pattern to find the offset and writes an exploit program to automate writing an exploit string to trigger the vulnerability and redirect execution.
Secure Programming Practices in C++ (NDC Oslo 2018)Patricia Aas
Bjarne Stroustrup, the creator of C++, once said: “C makes it easy to shoot yourself in the foot; C++ makes it harder, but when you do it blows your whole leg off.” He has also said: “Within C++, there is a much smaller and cleaner language struggling to get out.” Both are true.
This talk is for programmers wishing to feel more comfortable navigating the C++ landscape. Motivated by going through well known vulnerability patterns that have been used in exploits for decades, we will explore the programming culture that has developed around the C++ language. Specifically, we will look at programming patterns that navigate around or through some of the dangerous parts of the C++ language. The goal is to build a set of programming practices based in the “smaller and cleaner language” inside C++. And by doing so, we will also build an awareness around code constructs that can potentially “blow your whole leg off”.
Chromium Sandbox on Linux (NDC Security 2019)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through a simple exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as another programming tool. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Return Oriented Programming, an introductionPatricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of.
In this talk you will learn how it works, and we will go through how it can be used to execute code in contexts where the stack is not executable.
Davide Berardi - Linux hardening and security measures against Memory corruptionlinuxlab_conf
The exploding popularity of Embedded/IoT computing facilitates these security problems through low or non-existent security policies and exploit countermeasures. So why not explore some security measures that are widely available in the Linux world? We will focus on memory corruption techniques.
The Linux kernel has always focused on security features and on giving exploit writers a hard time. This talk will introduce some common exploits and techniques, showing the mitigations employed by the kernel. By focusing on the major threats that affect modern Linux boxes, we will see which features can cause problems for the system administrator and how a preliminary penetration test can be done, ensuring that the system is in a sane state. The talk will also focus on the problems of embedded/IoT Unix systems, showing how some recent attacks gained control over a big network of devices and how a simple embedded system can be analyzed, hunting for bugs. Talk outline: Penetration testing, Linux, netfilter/bpf, memory corruption, ASLR, Spectre/Meltdown.
NSC #2 - D2 01 - Andrea Allievi - Windows 8.1 Patch ProtectionsNoSuchCon
This document discusses defeating Windows 8.1's Kernel Patch Protection. It begins with introductions and definitions. It then explains how Patchguard and driver signing enforcement work in Windows 8.1, providing more protection than previous versions. The implementation of Kernel Patch Protection is described, including how it initializes, verifies the kernel, and crashes the system if modifications are detected. Previous methods of attacking Patchguard are reviewed, noting they have all been defeated in the latest version. The document aims to provide information to understand and potentially find new ways of attacking Patchguard.
The document provides an introduction to kernel coding and demystifies kernel programming. It discusses key concepts like context of execution, interfaces, registration, interrupts, I/O, and manipulating user memory from the kernel. The key aspects covered are the general patterns for registering interfaces, examples of interrupt handling and deferred work, addressing spaces when calling between user/kernel, and manipulating virtual memory areas. Examples of specific subsystems like filesystems, framebuffers, sound, and storage drivers are provided.
Security vulnerabilities and secure coding are often talked about in the abstract by programmers, but rarely understood. In this talk we will walk through simple exploit attempts, and finally a simple stack buffer overflow exploit, how it’s developed and how it’s used. The goal is to try to get a feeling for the point of view of an "attacker", and to slowly start looking at exploitation as just another programming practice. We will mainly be looking at C and x86_64 assembly, so bring snacks.
Bruce Momjian - Inside PostgreSQL Shared Memory @ Postgres OpenPostgresOpen
PostgreSQL uses shared memory structures to coordinate access to data across multiple database processes. The main shared memory structures include shared buffers for caching data pages, a proc array for tracking server processes, lightweight locks for synchronizing access to shared resources, and lock hashes for coordinating locks on database objects. Other shared structures store information for multi-version concurrency control, two-phase commit, subtransactions, the write-ahead log, and background worker synchronization.
Essentials of Multithreaded System Programming in C++Shuo Chen
This document discusses challenges in multithreaded system programming in C++. It covers topics such as thread safety of libraries, RAII and fork(), signals and threads, and operating file descriptors in threads. The document is intended for C++ programmers familiar with threads and aims to explain interactions between threads and system calls/libraries to avoid common issues.
This document contains the slides from a presentation given by WonoKaerun at the Indonesian Security Conference 2011 in Palembang. The presentation introduces rootkits and techniques for hiding malware at the kernel level on Linux systems. It covers topics like loadable kernel modules, interrupt descriptor table hooking, virtual file system hacking, page fault handler hijacking, debugging register abuse, and kernel instrumentation patching. The goal is to evade detection by security solutions by gaining control of the kernel before anti-rootkit defenses can activate. Throughout, the document emphasizes the cat-and-mouse nature of offensive and defensive security research.
Putting a Fork in Fork (Linux Process and Memory Management)David Evans
The document discusses several topics related to computer science class cs4414 at University of Virginia:
- Updates were due Sunday at 11:59pm including progress updates and scheduling design reviews.
- Tuesday's class will feature a guest lecture on authentication using single sign-on.
- The last class covered translation lookaside buffers and paging/segmentation concepts.
- A code sample is shown and analyzed that causes a segmentation fault due to accessing memory outside the allocated space.
- Details are provided on limiting resources and viewing process limits.
Similar to Classic Vulnerabilities (ACCU Keynote 2022) (20)
NDC TechTown 2023_ Return Oriented Programming an introduction.pdfPatricia Aas
Return Oriented Programming (ROP) is an exploitation technique that folks have often heard of, but don't know the mechanics of. In this talk you will learn how it works, and we will go through some examples to show how it can be used to execute code in contexts where the stack is not executable.
I can't work like this (KDE Academy Keynote 2021)Patricia Aas
Making software products can be fraught with conflicts, where people in different roles may feel sabotaged by others. In this talk I present a model for thinking about the problems we solve and how we solve them, and using that I hope to convince you that team excellence comes from our differences, rather than in spite of them. Hopefully you'll walk away with a deeper understanding of that colleague that never writes tests, or the one that constantly complains that all you do is "make bugs".
Dependency Management in C++ (NDC TechTown 2021)Patricia Aas
C++ has been slow to settle on standardized tools for building and dependency management. In recent years CMake has emerged as the de facto standard for builds, but dependency management still has no clear winner. In this talk I will look into what dependency management might look like in modern C++ projects and how that relates to security.
Introduction to Memory Exploitation (Meeting C++ 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
We keep on thinking we are living in the future, but native exploitation has a rich history, and many times the vulnerabilities and exploitation techniques are decades old. We'll look at some of these, how they have surfaced in recent years and how prepared we are today, armed with modern tooling, to find and fix "classic" vulnerabilities.
Introduction to Memory Exploitation (CppEurope 2021)Patricia Aas
Stack based exploitation has gotten all the fame, but many platform and compiler mitigations have made it very hard to exploit stack vulnerabilities. Heap based exploits are still very relevant, and since this is black magic for most developers I will here give an introduction to the field.
Thoughts On Learning A New Programming LanguagePatricia Aas
How should we teach a new language to folks that already know how to program?
How do we use what we already know to leapfrog the learning process?
Based on my personal experience and snippets of natural language theory, we will try to explore the cheats and pitfalls when learning a new programming language, but also dig into how we can make it easier.
Trying to build an Open Source browser in 2020Patricia Aas
A lot of things have been developed over the last 15 years that should make the process of making a browser easier. In this talk we will explore a bunch of different tools, platforms and libraries that could go into making a browser in 2020.
We will also see a live demo of a simple browser built with these OSS projects. We will also discuss the limitations and future work needed to make this work in practice.
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
How can you squeeze Security into DevOps? Security is often an understaffed function, so how can you leverage what you have in DevOps to improve your security posture?
Often the culture clash between Security and Development is even more prominent than between Development and Operations. Understanding the differences in how these functions work, and leveraging their similarities, will reveal processes already in place that can be used to improve security. This fine tuning of tools and processes can give you DevSecOps on a shoestring.
Elections: Trust and Critical Infrastructure (NDC TechTown 2019)Patricia Aas
Free and correct elections are the linchpin of democracy. For a government to be formed based on the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society.
We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?
Elections, Trust and Critical Infrastructure (NDC TechTown)Patricia Aas
Free and correct elections are the linchpin of democracy. For a government to be formed based on the will of the people, the will of the people must be heard. Across the world election systems are being classified as critical infrastructure, and they face the same concerns as all other fundamental systems in society.
We are building our critical infrastructure from hardware and software built by nations and companies we can’t expect to trust. How can this be dealt with in Election Security, and can those lessons be applied to other critical systems society depends on today?
Survival Tips for Women in Tech (JavaZone 2019) Patricia Aas
Being the only woman on your team can be hard. Many times it’s difficult to know what is only your experience and what is common. In this talk we’ll go through 24 tips (and a few bonus tips) based on well over a decade of experience being the only woman in several teams. If you’re a woman hopefully you’ll walk out with some ideas you can put to work right away, if you’re a man hopefully you’ll walk out with a new perspective and start noticing things in your day-to-day that you didn’t notice before.
https://patricia.no/2018/09/06/survival_tips_for_women_in_tech.html
Patricia Aas is a C++ programmer and security expert who currently works for TurtleSec. She is concerned about issues like election security, privacy, and the lack of oversight and regulation in the technology industry. She believes technology has introduced fragility to important systems like democracy. However, most people do not understand the implications of technological issues and journalists struggle to explain the problems to the general public. This leaves the industry unregulated and unable to have meaningful public debates around ethics and social impacts.
Keynote: Deconstructing Privilege (C++ on Sea 2019)Patricia Aas
Can you describe a situation that caused you to realize you were privileged?
I have asked many people that question now, and what I have learned is that privilege is an Unconscious Incompetence. Being privileged is a non-event. When we become conscious of it we realize that our privileged experience is not applicable to less privileged people. What happens to them does not happen to us. Only when we become Consciously Incompetent do we realize the need to listen. We need to learn.
In this talk I hope to make you realize that we all have privilege and to start a journey through self reflection to becoming Consciously Incompetent. I hope also to give some indicators and patterns that you can look for in your daily lives to recognize and maybe even to correct imbalances you see.
The document summarizes Patricia Aas' talk on making software secure and fixable. It discusses common security issues such as being unable to roll out fixes, lack of control over dependencies, teams leaving without documentation, bugs in code, and pressure from management to implement insecure features. It provides recommendations to address each issue, such as maintaining version control, auditing dependencies, bringing work back in-house, rigorous testing and reviews, and protecting developers and users. The document also covers designing security notifications and interfaces with a focus on usability over detailed technical explanations.
The document discusses various programming language concepts and how they are implemented in C# compared to other languages like C++. It provides code examples of concepts like namespaces, operator overloading, optional arguments, structs, properties, and delegates in C# and compares them to their implementation in C++ or other languages. It emphasizes finding the similarities between languages but also pointing out differences or potential "false friends" where the implementation or semantics have drifted from the original.
Why Is Election Security So Hard? (Paranoia 2019) Patricia Aas
What makes the domain and requirements of elections so difficult to solve with computers? In this talk we will go through a lot of the requirements of an election and what motivates them, and show how computers surprisingly often introduce more vulnerabilities than they solve when applied to elections.
Reading Other Peoples Code (NDC Copenhagen 2019)Patricia Aas
Someone else's code. Even worse, thousands of lines, maybe hundreds of files of other people's code. Is there a way to methodically read and understand other people's work, and build their mental models?
In this talk I will go through techniques I have developed throughout 18 years of programming. Hopefully, you will walk away with a plan on how to approach a new code base. But even more, I hope you walk away with a feeling of curiosity, wanting to get to know your fellow programmers through their code.
13. TurtleSec
@pati_gallardo 13
Unlink Vulnerability Resources
● JPEG COM Marker Processing Vulnerability (CVE-2000-0655), Solar Designer, https://www.openwall.com/articles/JPEG-COM-Marker-Vulnerability
● Vudo malloc tricks, MaXX, 2001-08-11, Phrack Magazine, http://phrack.org/issues/57/8.html
● Once upon a free()..., anonymous, 2001-08-11, Phrack Magazine, http://phrack.org/issues/57/9.html
● The Heap: Once upon a free() - bin 0x17, LiveOverflow, https://youtu.be/gL45bjQvZSU
● The Heap: dlmalloc unlink() exploit - bin 0x18, LiveOverflow, https://youtu.be/HWhzH--89UQ
● Alexander Peslyak (Solar Designer), https://en.wikipedia.org/wiki/Solar_Designer
24. TurtleSec
Write-What-Where
src/z_native.cpp

static void Z_RemoveBlock(memblock_t * block) {
  if (block->prev == nullptr) {
    allocated_blocks[block->tag] = block->next;
  } else {
    block->prev->next = block->next;   // where <- what
  }
  if (block->next != nullptr) {
    block->next->prev = block->prev;
  }
}

If we control block->prev, we control where this write will happen (adjusted for the offset of next).
If we control block->next, we control what to write there.
31. TurtleSec
Heap Grooming
to overwrite adjacent memory

struct memblock_t {
  int id;
  int tag;
  int size;
  void ** user;
  memblock_t * prev;
  memblock_t * next;
};

[Diagram: two adjacent heap blocks, an "Overflow block" followed by a block "To be freed". The overflow runs past the padding and through the header of the block to be freed (int id, int tag, int size, void ** user) and reaches its memblock_t *prev and memblock_t *next fields.]
32. TurtleSec
Heap Grooming
to overwrite adjacent memory

[Diagram: the same two adjacent blocks with the memblock_t layout of slide 31 (int id, int tag, int size, void ** user, memblock_t * prev, memblock_t * next). The overflowed header of the block to be freed now holds prev = &where - distance and next = &what.]
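Added example, written for this page and not taken from the slides or from Chocolate Doom: the unlink of slide 24 as written, beside a hardened version that applies the safe-unlinking check modern allocators use, so that a header forged as on slides 31/32 is refused instead of written through. The struct layout follows slide 31; NUM_TAGS and the demo helpers are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Block header with the layout shown on slide 31 (constructed for this example). */
typedef struct memblock_s {
    int id;
    int tag;
    int size;
    void **user;
    struct memblock_s *prev;
    struct memblock_s *next;
} memblock_t;

#define NUM_TAGS 16   /* assumed number of allocation tags */
static memblock_t *allocated_blocks[NUM_TAGS];

/* The unlink from slide 24, as written: trusts prev and next completely. */
static void Z_RemoveBlock_unchecked(memblock_t *block) {
    if (block->prev == NULL) {
        allocated_blocks[block->tag] = block->next;
    } else {
        block->prev->next = block->next;   /* "where" receives "what" */
    }
    if (block->next != NULL) {
        block->next->prev = block->prev;
    }
}

/* Safe unlinking: only unlink a block whose neighbours agree that it sits
 * between them. A header overwritten by heap grooming (slides 31/32) no
 * longer satisfies these back-pointer checks, so nothing is written. */
static bool Z_RemoveBlock_checked(memblock_t *block) {
    if (block->tag < 0 || block->tag >= NUM_TAGS) return false;
    if (block->prev == NULL) {
        if (allocated_blocks[block->tag] != block) return false;
    } else if (block->prev->next != block) {
        return false;
    }
    if (block->next != NULL && block->next->prev != block) return false;

    if (block->prev == NULL) allocated_blocks[block->tag] = block->next;
    else block->prev->next = block->next;
    if (block->next != NULL) block->next->prev = block->prev;
    return true;
}

/* Legitimate case: list a <-> b <-> c under tag 1, unlink b.
 * Returns 1 when the list is a <-> c afterwards. */
static int demo_legit_unlink(void) {
    memblock_t a = {0}, b = {0}, c = {0};
    a.tag = b.tag = c.tag = 1;
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;
    allocated_blocks[1] = &a;
    if (!Z_RemoveBlock_checked(&b)) return -1;
    return (a.next == &c && c.prev == &a) ? 1 : 0;
}

/* Forged header as on slide 32. The "where" we aim at is target.next, so
 * prev = &where - offsetof(next) is simply &target; next = &what.
 * Returns 1 if the unlink wrote &what over "where", 0 if it was prevented. */
static int demo_forged_unlink(bool use_checked) {
    memblock_t target = {0};   /* holds the "where" location */
    memblock_t what = {0};     /* its address is the value to be written */
    memblock_t fake = {0};
    fake.tag = 1;
    fake.prev = (memblock_t *)((char *)&target.next - offsetof(memblock_t, next));
    fake.next = &what;
    if (use_checked) {
        if (Z_RemoveBlock_checked(&fake)) return -1;   /* must be refused */
    } else {
        Z_RemoveBlock_unchecked(&fake);
    }
    return target.next == &what ? 1 : 0;
}

int main(void) {
    printf("legit unlink ok: %d\n", demo_legit_unlink());
    printf("unchecked unlink, forged header wrote into where: %d\n",
           demo_forged_unlink(false));
    printf("checked unlink, forged header wrote into where: %d\n",
           demo_forged_unlink(true));
    return 0;
}
```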
40. TurtleSec
Threat Actor: NSO Group

NSO Group is an Israeli technology firm. They have a product called Pegasus that enables remote surveillance of smartphones. The Bad Binder Android exploit was attributed to NSO Group. When it was reported it was being used in the wild.
54. TurtleSec
Copying buffers

[Diagram: two source buffers, first (first_len) and second (second_len), to be copied back to back into buf (buf_len).]

Is it safe to copy first and second into buf?

if(first_len + second_len < buf_len)
  copy(first, second, buf);
65. TurtleSec
Guint numSyms;                 // 32 bit uint
numSyms = 0;
for (i = 0; i < nRefSegs; ++i) {
  if ((seg = findSegment(refSegs[i]))) {
    if (seg->getType() == jbig2SegSymbolDict) {
      numSyms += ((JBIG2SymbolDict *)seg)->getSize();   // increment with attacker controlled data
    } else if (seg->getType() == jbig2SegCodeTable) {
      codeTables->append(seg);
    }
  } else {
    error(errSyntaxError, getPos(),
          "Invalid segment reference in JBIG2 text region");
    delete codeTables;
    return;
  }
}
// ...
// get the symbol bitmaps
syms = (JBIG2Bitmap **)gmallocn(numSyms, sizeof(JBIG2Bitmap *));   // allocate a buffer too small, based on the wrapped uint
kk = 0;
for (i = 0; i < nRefSegs; ++i) {
  if ((seg = findSegment(refSegs[i]))) {
    if (seg->getType() == jbig2SegSymbolDict) {
      symbolDict = (JBIG2SymbolDict *)seg;
      for (k = 0; k < symbolDict->getSize(); ++k) {
        syms[kk++] = symbolDict->getBitmap(k);   // overflow the too small buffer
      }
    }
  }
}
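Added example, not from the slides or from the JBIG2 decoder: the length check of slide 54 and the numSyms accumulation of slide 65 are the same bug class, an unsigned sum that wraps before it is used to size a copy or an allocation. Each is shown as written beside an overflow-aware form; the segment sizes and demo helpers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slide 54, as written: first_len + second_len can wrap to a small value. */
static bool naive_fits(size_t first_len, size_t second_len, size_t buf_len) {
    return first_len + second_len < buf_len;
}

/* Same condition, rearranged so that no intermediate sum can wrap. */
static bool checked_fits(size_t first_len, size_t second_len, size_t buf_len) {
    if (first_len >= buf_len) return false;
    return second_len < buf_len - first_len;
}

/* Concatenate first and second into buf only when checked_fits() holds.
 * Returns the bytes written, or 0 if the copy was refused. */
static size_t copy_two(const char *first, size_t first_len,
                       const char *second, size_t second_len,
                       char *buf, size_t buf_len) {
    if (!checked_fits(first_len, second_len, buf_len)) return 0;
    memcpy(buf, first, first_len);
    memcpy(buf + first_len, second, second_len);
    buf[first_len + second_len] = '\0';   /* in bounds: sum < buf_len */
    return first_len + second_len;
}

/* Slide 65: numSyms is a 32-bit unsigned accumulator of sizes read from
 * the file. The unchecked sum, for comparison: returns the wrapped value
 * that the allocation would then be based on. */
static uint32_t sum_symbol_counts_wrapping(const uint32_t *sizes, size_t n) {
    uint32_t numSyms = 0;
    for (size_t i = 0; i < n; ++i) numSyms += sizes[i];
    return numSyms;
}

/* Overflow-aware accumulation: refuse the segment list instead of wrapping. */
static bool sum_symbol_counts(const uint32_t *sizes, size_t n, uint32_t *out) {
    uint32_t numSyms = 0;
    for (size_t i = 0; i < n; ++i) {
        if (sizes[i] > UINT32_MAX - numSyms) return false;   /* would wrap */
        numSyms += sizes[i];
    }
    *out = numSyms;
    return true;
}

/* Constructed symbol-dictionary sizes: two segments whose sizes sum past 2^32. */
static const uint32_t kSegSizes[] = { 0xFFFFFFF0u, 0x20u };
#define kSegCount (sizeof kSegSizes / sizeof kSegSizes[0])

/* Returns 1 if the wrapping sum yields 0x10 while the checked sum refuses. */
static int demo_numsyms(void) {
    uint32_t total = 0;
    bool ok = sum_symbol_counts(kSegSizes, kSegCount, &total);
    return (!ok && sum_symbol_counts_wrapping(kSegSizes, kSegCount) == 0x10u) ? 1 : 0;
}

/* Returns 1 if "abc" + "de" land in a 16-byte buffer as "abcde". */
static int demo_copy(void) {
    char buf[16];
    size_t n = copy_two("abc", 3, "de", 2, buf, sizeof buf);
    return (n == 5 && strcmp(buf, "abcde") == 0) ? 1 : 0;
}

int main(void) {
    printf("naive check, SIZE_MAX + 2 < 64: %d\n", naive_fits(SIZE_MAX, 2, 64));
    printf("checked,     SIZE_MAX + 2 < 64: %d\n", checked_fits(SIZE_MAX, 2, 64));
    printf("copy demo ok: %d, numSyms demo ok: %d\n", demo_copy(), demo_numsyms());
    return 0;
}
```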
66. TurtleSec
CVE-2021-30860 Resources
● A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution, Project Zero team at Google, https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html
● FORCEDENTRY, https://en.wikipedia.org/wiki/FORCEDENTRY
● CVE-2021-30860, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860
● FORCEDENTRY: Sandbox Escape, Ian Beer & Samuel Groß, https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html