Manuel Wiesinger in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
The document discusses whether the Rust programming language is truly safe. It begins by defining safety as protection from harm. It then provides examples of bugs in other systems that caused major issues like erroneous website classifications, radiation overdoses in medical machines, and multimillion dollar losses. The document outlines some key features of Rust like memory safety guarantees and lack of data races that aim to prevent these issues. However, it notes that unsafe code blocks allow bypassing some checks and could lead to memory corruption if used incorrectly. Therefore, while Rust aims to be safe, vulnerabilities may still be possible through its unsafe capabilities or limitations of compile-time checks.
Presenters: Dmitry Chastukhin and Dmitry Yudin
Blah-blah-blah SAP. Blah-blah-blah big companies. Blah-blah-blah hacks worth millions of dollars. That is how any talk about SAP usually begins. But this time everything will be different. It has been a while since there were stories about brutal exploitation and unusual vulnerabilities. Time to go all in! The speakers will tell (and show) how to gain full control over the system using a series of minor vulnerabilities in SAP services.
The document discusses the "Hello World" program in C and assembly languages. It provides the C code, compiles and runs it using GCC and LLVM, and examines the output assembly code, object file and executable using various Linux tools like objdump, readelf, nm, and strace. It explains concepts like sections, segments, symbol tables, relocation records, and the role of linker and loader.
Talk given by Toronto Garcez aka torontux during the 3rd edition of the Nullbyte Security Conference on November 26, 2016.
Summary:
The goal of the presentation is to demonstrate, in a practical way, the step-by-step process of building a botnet with wi-fi routers and/or embedded devices in general. The development of a command and control and the use of "backdoored" firmwares to turn devices into bots will be demonstrated.
The future is already here - using new technologies today - Ronny Orbach
Slides from my talk at the "ממשל זמין" (Government Online) seminar in Jerusalem, July 25, 2012.
The main topics are browser compatibility, Progressive Enhancement / Graceful Degradation, the use of Modernizr, and an overview of Polyfills.
I'd like to thank Nicholas Zakas & Addy Osmani for their awesome presentations about these topics, from which I took (lots of) inspiration. You guys rock.
Old pirates, yes, they rob I,
Sold I to the merchant ships,
Minutes after they took I
From the bottomless pit.
But my hand was made strong
By the hand of the Almighty.
We forward in this generation
Triumphantly.
Won't you help to sing
These songs of freedom?
'Cause all I ever have,
Redemption songs,
Redemption songs.
Emancipate yourself from mental slavery,
None but ourselves can free our minds.
Have no fear for atomic energy,
'Cause none of them can stop the time.
How long shall they kill our prophets,
While we stand aside and look?
Some say it's just a part of it,
We've got to fulfill the book.
Won't you help to sing
These songs of freedom?
'Cause all I ever have,
Redemption songs,
Redemption songs,
Redemption songs.
Emancipate yourself from mental slavery,
None but ourselves can free our mind.
Have no fear for atomic energy,
'Cause none of them can stop the time.
How long shall they kill our prophets,
While we stand aside and look?
Some say it's just a part of it,
We've got to fulfill the book.
Won't you help to sing,
These songs of freedom?
'Cause all I ever had,
Redemption songs.
All I ever had,
Redemption songs
These songs of freedom
Songs of freedom
Rafa Sánchez & Fran Gomez - IoCker - When IPv6 met malware [rooted2019] - RootedCON
This document discusses dual stack IPv4 and IPv6 threat analysis. It notes that firewalls and intrusion detection systems may not recognize IPv6 traffic and could be bypassed. It also lists security considerations like vulnerabilities in IPv6, lack of vendor support, and lack of knowledge by security teams. Unauthorized deployment of IPv6 is highlighted as a risk since most current operating systems support IPv6 by default. The document provides information on analyzing IPv6 prefixes and addresses to identify threats and indicates various categories of malware, fraud, and anonymization threats that could be investigated.
This document discusses continuous testing and the Test::Continuous module. It summarizes that Test::Continuous continuously runs tests on modified files to catch errors early. It works by scanning for modified files, finding which tests need rerunning, running those tests, and reporting the results in a loop. The document also discusses ways to improve Test::Continuous, such as better detecting test dependencies and supporting notifications to other platforms.
This document discusses hardware hacking techniques for reverse engineering devices on a budget. It introduces tools like logic analyzers, JTAG debuggers, and open source software that can be used to identify chip components, access device interfaces, extract file systems, and perform reverse engineering. Specific tips are provided for using tools like Saleae logic analyzers and OpenOCD to access UART, JTAG, and file systems on example router and chip components. The document aims to demonstrate affordable methods for hardware analysis and modification.
This document discusses the setup and architecture of a MySQL Spider configuration. It describes installing multiple MySQL instances on a single server, including 4 MariaDB 10.1 nodes and 6 MySQL 5.7 nodes. It then configures the Spider storage engine to partition tables across these nodes for both data sharding and high availability. Examples are provided of creating servers, tables, and inserting/selecting data to demonstrate the federated and sharded architecture.
This document provides instructions for compiling and installing the VT6655 and VT6656 Linux driver and configuring it for various wireless security modes. Key steps include:
1. Unpacking the driver source code and dependencies.
2. Compiling the driver, wpa_supplicant, and OpenSSL.
3. Configuring the driver for open, WEP, WPA-PSK, and WPA2-PSK networks through iwconfig commands and editing the wpa_supplicant.conf file.
The document discusses using proxy ARP to allow multiple containers and VMs to share a single network interface on the host machine. It notes some limitations of alternative approaches like Linux bridges, Open vSwitch, and MACVLAN. It also describes some issues with proxy ARP like stealing MAC addresses and requiring static routing. The proposed solution is to use arptables to selectively allow ARP requests from specific IP addresses to prevent MAC address conflicts while enabling network access for containers and VMs.
Talk given by Neal Mokrane aka nil0x42 during the 3rd edition of the Nullbyte Security Conference on November 26, 2016.
Summary
PhpSploit is a remote control framework that aims to provide a stealthy, interactive, shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes. This talk will present common use cases of the framework from an offensive pentester's point of view, on realistic cases, including: post-exploitation with IDS/WAF bypass, persistent backdooring, log analysis evasion, and stealth privilege escalation. The final part will be dedicated to presenting a selection of the best plugins (imho) and the versatility of the tool on very specific use cases.
Defcon Moscow #0x0A - Mikhail Firstov "Hacking routers as Web Hacker" - Defcon Moscow
This document discusses hacking routers by exploiting vulnerabilities in their web interfaces. It begins by introducing the author and their background in security research. Several common vulnerabilities are then outlined, including default credentials, authentication bypass, XSS, CSRF and command injection issues. The document provides examples of exploiting these flaws in various router models. A methodology is proposed for analyzing router firmware to find and exploit vulnerabilities, potentially achieving remote code execution. It emphasizes chaining multiple issues together for increased access. Finally, the document suggests that support software, internet service providers, and router developers themselves can also be targeted.
The document discusses hardening Linux servers against security threats. It begins by introducing the speaker and explaining the importance of hardening systems assuming an attacker has gained access. It then provides recommendations for various hardening techniques including: updating systems, removing unnecessary packages and users, securing SSH access, configuring firewalls and remote logging, auditing systems, and restricting access to things like temporary directories and compilers. The document is a guide that walks through steps to harden a Linux server across several areas.
Cisco adaptive security appliance (asa) firewalls lifeline of today's data ce... - IT Tech
This document contains questions and answers about Cisco Adaptive Security Appliance (ASA) firewalls. Some key points addressed include:
- Real-world throughput specifications for various ASA models
- Features supported in ASA clustering configurations
- How the ASA can integrate with IPS modules to detect intrusion threats
- Options for blocking specific traffic types like HTTPS, Facebook, and torrents
- Compatibility of features like site-to-site VPNs and remote access in clustered or multi-context modes
The document discusses honeypots, which are computer resources dedicated to being probed, attacked, or compromised. Honeypots can be used to detect internal attacks, identify scans and automated attacks, identify trends, keep attackers away from important systems, and collect signatures of attacks and malicious code. They work by emulating known vulnerabilities to collect information about attacks. Honeypots include low and high interaction varieties. Popular honeypot software includes Honeyd, which simulates virtual networks, and Nepenthes, which emulates vulnerabilities to capture binaries and commands executed by worms. Logs from honeypots can be analyzed to identify attack sources and collect malware samples.
44CON London 2015 - Hunting Asynchronous Vulnerabilities - 44CON
This document discusses asynchronous vulnerabilities and callback-oriented hacking techniques. It describes how asynchronous issues are often invisible and outlines solutions using callbacks, such as through DNS requests. It provides examples of payload techniques for issues like SQL injection, command injection, and XSS that call out to an external domain to confirm exploitation. Finally, it notes hazards like friendly fire and ways adversaries may detect the callbacks.
Tim Hsu is the founder of CHROOT and HITCON. He previously worked as the security manager for Taiwan Mobile and currently works for VARMOUR, an American cybersecurity company. The document discusses AppArmor security profiles for Docker containers, the VulApps tool for testing container vulnerabilities, the Pornhub bug bounty program, Docker security best practices, and links to resources about remote code execution vulnerabilities in WordPress plugins and Apache Struts.
This document contains an agenda for a presentation that includes topics such as exploit development, web application hacking methodology, SQLMap, vulnerability assessment, malware analysis, reverse engineering, and cybersecurity conferences. It also addresses frequently asked questions about capture the flag events, bug bounty programs, and security certifications. Resources like exploit code examples, tool documentation, hacking forums, and malware repositories are listed.
The patent application describes a method for detecting and preventing fraud in online transactions. Sensitive information such as credit card numbers and expiration dates are obscured during entry, and the transaction is cancelled if the data does not match records associated with the user's identity. This helps protect against theft of financial information while allowing legitimate purchases to be completed.
Kernel Recipes 2016 - Who needs a real-time operating system (not you!) - Anne Nicolas
A Real-Time Operating System (RTOS) is used for mission critical projects that require a deterministic response time to external stimuli. Project managers often request an RTOS even though they do not fully understand what exactly an RTOS gives them. And often a normal OS would do just fine, and perhaps even better, as an RTOS sacrifices throughput for determinism.
This talk will discuss exactly what an RTOS is and what it is good for. The types of requirements that call for an RTOS will be explained, as well as requirements where not having an RTOS would be more appropriate. You do not need to be a programmer to enjoy this talk. It will be discussed at a very high level but still contain enough information for a seasoned developer to get something out of it too.
Steven Rostedt, Red Hat
[CCC-28c3] Post Memory Corruption Memory Analysis - Moabi.com
The document summarizes the Post Memory Corruption Memory Analysis (PMCMA) tool. PMCMA allows finding and testing exploitation scenarios resulting from invalid memory accesses. It provides a roadmap to exploitation without generating exploit code. The tool analyzes programs after crashes to overwrite memory locations in forked processes and test impact on execution flow.
Sangam 18 - Database Development: Return of the SQL Jedi - Connor McDonald
A look at the techniques that middle tier developers can employ to get greater value out of their applications, simply by having an understanding of how the database works and how to make it sing.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick - 44CON
Joe FitzPatrick gave a presentation on exploiting PCIe (Peripheral Component Interconnect Express) buses for hardware attacks. He discussed using DMA (direct memory access) over PCIe to read and write system memory, modify firmware, and potentially bypass mitigations like IOMMU (input-output memory management unit). FitzPatrick demonstrated proof-of-concept attacks on Macs and Windows PCs using custom PCIe devices and software. However, he noted that fully bypassing protections like VT-d on Macbooks had not yet been achieved and more work is needed to build attacks without imitating a genuine device.
The document discusses the Post Memory Corruption (PMCMA) tool, which allows analyzing memory corruption bugs by testing different memory overwrite scenarios in a process. PMCMA uses a technique called "mk_fork()" to efficiently fork a process multiple times and overwrite different memory locations in each offspring to test for exploitation possibilities. It discusses challenges like dealing with zombie processes and invalid system calls caused by forking, and how PMCMA addresses these through techniques like process grouping and ignoring SIGCHILD signals.
Windows Kernel Exploitation : This Time Font hunt you down in 4 bytes - Peter Hlavaty
The document discusses exploiting TrueType font (TTF) vulnerabilities to achieve kernel code execution on Windows systems. It begins by describing the discovery of exploitable bugs in a TTF fuzzer. Despite mitigations like KASLR, NX, SMAP, and CFG, the researchers were able to bypass these protections through techniques like controlled overflows, abusing plain kernel structures, and function-driven attacks. They show how to leverage wild overflows, control kernel memory layout, and hijack control flow to achieve arbitrary code execution. The document emphasizes that OS design weaknesses allow bypassing modern defenses through clever bug chaining and memory manipulation.
[Ruxcon 2011] Post Memory Corruption Memory Analysis - Moabi.com
The document introduces PMCMA, a debugger tool that analyzes memory corruption bugs by forcing processes to fork, overwriting memory locations in the offspring processes, and monitoring execution to map exploitable scenarios. PMCMA aims to provide a roadmap for exploitation by identifying vulnerabilities and possible exploitation techniques like truncating function pointers or exploiting 4-byte aligned memory writes. The tool is available online and has received over 10,000 downloads in its first two months.
Metasepi team meeting #16: Safety on ATS language + MCU - Kiwamu Okabe
This document summarizes the key topics from meeting #16 of the Metasepi team:
1. The meeting discussed using the ATS programming language for developing Metasepi, an operating system designed with strong typing.
2. A demonstration showed running ATS code on an Arduino and mbed microcontroller platform.
3. ATS is a strongly typed language like ML that uses dependent types, linear types, and optional garbage collection to promote safe systems programming without runtime errors.
Steelcon 2014 - Process Injection with Python - infodox
These are the slides accompanying the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using Python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
The document summarizes Maycon Vitali's presentation on hacking embedded devices. It includes an agenda covering extracting firmware from devices using tools like BusPirate and flashrom, decompressing firmware to view file systems and binaries, emulating binaries using QEMU, reverse engineering code to find vulnerabilities, and details four vulnerabilities discovered in Ubiquiti networking devices designated as CVEs. The presentation aims to demonstrate common weaknesses in embedded device security and how tools can be used to analyze and hack these ubiquitous connected systems.
The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-
Copy Protection Wars: Analyzing Retro and Modern Schemes (RSA 2007) - Nate Lawson
This document discusses copy protection schemes used for retro systems like the Commodore 64 as well as modern consoles like the Xbox 360. It analyzes the asymmetries exploited in copy protection methods and how those same techniques are still used today. Specific techniques covered include checking for sector errors, gap bytes, and track alignment. The document also provides a side-by-side comparison of cracking a protected Commodore 64 disk and a hacked Xbox 360 drive, illustrating the similarities in their approaches. Finally, it evaluates the current status of Xbox 360 security and provides recommendations for strengthening protection by leveraging asymmetries between legitimate and copied media.
Know your platform. 7 things every Scala developer should know about the JVM - Pawel Szulc
The document discusses the importance for Scala developers to understand the basics of the Java Virtual Machine (JVM) platform that Scala code runs on. It provides examples of Java bytecode produced from simple Scala code snippets to demonstrate how code is executed by the JVM. Key points made include that the JVM is a stack-based virtual machine that compiles source code to bytecode instructions, and that understanding the level below the code helps developers write more efficient, robust and performant code.
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik - CODE BLUE
The boom of AI brought to the market a set of impressive solutions both on the hardware and software side. On the other hand, massive implementation of AI in various areas brings about problems, and security is one of the greatest concerns.
In this talk we will present results of hands-on vulnerability research of different components of AI infrastructure including NVIDIA DGX GPU servers, ML frameworks such as Pytorch, Keras and Tensorflow, data processing pipelines and specific applications, including Medical Imaging and face recognition powered CCTV. Updated Internet Census toolkit based on the Grinder framework will be introduced.
Look inside the portal and applications running on it. Learn how to do monitoring on different levels, how to attach and use debugger and profiler with Liferay portal and portal applications. Check Garbage Collector activity, how to get heap dump and locate memory leaks, deadlocks and much more. All of these will be presented on free open-source tools.
XCon 2014 => http://xcon.xfocus.org/
In the past it was quite common to exploit heap / pool manager vulnerabilities by attacking their internal linked structures. Current memory managers have improved a lot, however, and today attacking the heap this way is largely ineffective. Still, those techniques come in handy when we start looking at linked structures spread throughout the kernel that are unfortunately not hardened enough.
In this presentation we will examine the power of these vulnerabilities using the well-known example CVE-2013-3660: showing a bypass of the 'lazy' assertions on _LIST_ENTRY, presenting the exploitation after-party, and teleporting to the kernel.
All Your IOPS Are Belong To Us - A Pinteresting Case Study in MySQL Performan... - Ernie Souhrada
Have you ever thought that your SSD storage just doesn't seem anywhere near as fast as advertised? What if I told you that a couple of small changes to your Linux servers had the potential to more than double the amount of throughput your MySQL servers could handle while simultaneously reducing query response time by around 50 percent? It's not a dream, Neo.
If you're still in a traditional data center and/or your MySQL footprint lives on spinning rust, then you might want to take the blue pill, attend a different session, and believe whatever you want to believe.
However, if your server footprint runs inside Amazon Web Services or if you use SSDs in any fashion, I invite you to take the red pill and come with me on a journey down the rabbit hole, where we'll discuss such things as the Linux block IO driver, CPU starvation, and interrupt handling, using real-world query performance data from the primary MySQL data stores at Pinterest to illustrate the effect.
This document discusses techniques for bypassing antivirus software to execute malicious payloads. It begins by explaining reasons for needing antivirus bypassing such as bypassing firewalls during client-side attacks. It then discusses signature-based antivirus detection and techniques for bypassing it, including crypters that encrypt malware to avoid detection, and shellcode injection directly into processes. Specific crypters and tools for shellcode injection are mentioned. The document encourages questions and further discussion on antivirus bypassing techniques.
Alexander Rakhmanov, "What's useful in dump analysis for .NET developers?" - Yulia Tsisyk
Today at .NET conferences we hear about WinDBG more and more often, but at the same time it still remains on the sidelines among .NET developers and is considered an extremely niche, even unnecessary, tool.
In this talk we will try to offer an alternative view. We will show how to set up a process for collecting dumps, analyzing them and fixing the problems, and how to embed it in your application's development life cycle, making it an integral part of diagnosing both routine and unique cases. Then we will look at the main groups of problems (deadlocks, out of memory, access violation, logical errors, etc.) that can happen to your application, and the tools for analyzing them. And, of course, we will go through examples of each of these problems that we encountered in practice in our products, in .NET and WPF code:
— How can a USB flash drive "hang" a WPF application?
— Is it safe to call DateTime.Now?
and other real-life situations.
Moscow .Net Meetup #4, 14 November 2016
Similar to CPU vulnerabilities - where are we now? (20)
Stephan Gerling in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Stefan Zarinschi in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Bridging the gap between CyberSecurity R&D and UX - DefCamp
(1) The document discusses bridging the gap between research and development (R&D) and user experience (UX) in product development.
(2) It emphasizes the importance of asking questions to understand user needs, focusing on user feelings over features, and ensuring users understand how to use products easily.
(3) The key lessons are to thoroughly question requirements, balance R&D and UX priorities, focus on satisfying core users, understand what users truly value, and make products feel intuitive and fast to use.
Drupalgeddon 2 – Yet Another Weapon for the Attacker - DefCamp
Radu-Emanuel Chiscariu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
This document discusses multi-factor authentication (MFA) and methods for bypassing it. It defines MFA as requiring more than one validation procedure to authenticate individuals. It describes the different factors of authentication as something you know, something you have, and something you are. It outlines various deployment modules for each factor type, including passwords, tokens, biometrics. It also covers challenges of MFA implementation and methods attackers could use to bypass MFA security, such as email filtering or legacy protocol exploitation.
Threat Hunting: From Platitudes to Practical Application - DefCamp
This document discusses threat hunting and practical approaches to threat hunting. It defines threat hunting as proactively searching through data to detect threats that evaded traditional security measures. It argues that threat hunting is more effective than reacting to incidents. The document provides guidance on log collection, developing situational awareness, hunting hosts and networks, maintaining a flexible mindset, and sharing findings. It suggests starting with small data collection and focusing on important systems and network areas. The goal is to understand normal behavior and detect anomalies.
Building application security with 0 money down - DefCamp
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Implementation of information security techniques on modern android based Kio... - DefCamp
Muhammad Mudassar Yamin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
The challenge of building a secure and safe digital environment in healthcare - DefCamp
Jelena Milosevic in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Timing attacks against web applications: Are they still practical? - DefCamp
This document discusses the practicality of timing attacks against web applications. It begins by explaining what a timing attack is and detailing the author's plan to conduct one against a target application. The plan involved studying the application's code, pinpointing an exploitable function, collecting timing data, filtering noise, and reducing the search space. The author was able to measure response times and identify spikes but encountered challenges averaging server performance. They demonstrate conducting a timing attack to recover hashed credentials over many requests. Ultimately, while timing attacks can be efficient, they are difficult to execute remotely and most applications and servers have protections that render the attacks impractical. Constant-time algorithms and rate limiting are presented as solutions to prevent these types of attacks.
Tor .onions: The Good, The Rotten and The Misconfigured - DefCamp
Ionut-Cristian Bucur in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t... - DefCamp
Ioan Constantin in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
We will charge you. How to [b]reach vendor’s network using EV charging station. - DefCamp
This document summarizes a presentation about vulnerabilities found in electric vehicle charging stations. The presentation covered:
1) Several vulnerabilities were found in the Bluetooth and Wi-Fi stacks that could allow access to the vendor's internal network, including arbitrary file writes, command injection, and buffer overflows.
2) The vulnerabilities were disclosed responsibly to the vendor, who developed a detailed plan and released updated firmware within a few months to address all issues.
3) Electric vehicles and charging stations are an important area for continued security research given the protocols for wireless communication, transactions, and vehicle-to-charger interfaces.
Cristian Pațachia-Sultănoiu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.
The videos and other presentations can be found on https://def.camp/archive
This document discusses watering hole attacks, a type of cyber attack where hackers compromise frequently visited websites to infect visitors' devices through drive-by exploits. It describes how watering hole attacks work, why they are difficult to detect, and introduces DEKENEAS, an AI-based solution developed by the author to detect watering hole attacks through analyzing obfuscated JavaScript. DEKENEAS trains on over 40,000 malicious redirect samples to recognize behavioral patterns and classify code as malicious or not. When tested on 10,000 new samples and top websites, it achieved 100% detection of unknown implants with no false negatives and a very low false positive rate of 0.00023%.
Essentials of Automations: Exploring Attributes & Automation Parameters - Safe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers - akankshawande
Simplify your search for a reliable Python development partner! This list presents the top 10 trusted US providers offering comprehensive Python development services, ensuring your project's success from conception to completion.
Monitoring and Managing Anomaly Detection on OpenShift.pdf - Tosin Akinosho
Monitoring and Managing Anomaly Detection on OpenShift
Overview
Dive into the world of anomaly detection on edge devices with our comprehensive hands-on tutorial. This SlideShare presentation will guide you through the entire process, from data collection and model training to edge deployment and real-time monitoring. Perfect for those looking to implement robust anomaly detection systems on resource-constrained IoT/edge devices.
Key Topics Covered
1. Introduction to Anomaly Detection
- Understand the fundamentals of anomaly detection and its importance in identifying unusual behavior or failures in systems.
2. Understanding Edge (IoT)
- Learn about edge computing and IoT, and how they enable real-time data processing and decision-making at the source.
3. What is ArgoCD?
- Discover ArgoCD, a declarative, GitOps continuous delivery tool for Kubernetes, and its role in deploying applications on edge devices.
4. Deployment Using ArgoCD for Edge Devices
- Step-by-step guide on deploying anomaly detection models on edge devices using ArgoCD.
5. Introduction to Apache Kafka and S3
- Explore Apache Kafka for real-time data streaming and Amazon S3 for scalable storage solutions.
6. Viewing Kafka Messages in the Data Lake
- Learn how to view and analyze Kafka messages stored in a data lake for better insights.
7. What is Prometheus?
- Get to know Prometheus, an open-source monitoring and alerting toolkit, and its application in monitoring edge devices.
8. Monitoring Application Metrics with Prometheus
- Detailed instructions on setting up Prometheus to monitor the performance and health of your anomaly detection system.
9. What is Camel K?
- Introduction to Camel K, a lightweight integration framework built on Apache Camel, designed for Kubernetes.
10. Configuring Camel K Integrations for Data Pipelines
- Learn how to configure Camel K for seamless data pipeline integrations in your anomaly detection workflow.
11. What is a Jupyter Notebook?
- Overview of Jupyter Notebooks, an open-source web application for creating and sharing documents with live code, equations, visualizations, and narrative text.
12. Jupyter Notebooks with Code Examples
- Hands-on examples and code snippets in Jupyter Notebooks to help you implement and test anomaly detection models.
Skybuffer SAM4U tool for SAP license adoption - Tatiana Kojar
Manage and optimize your license adoption and consumption with SAM4U, an SAP free customer software asset management tool.
SAM4U, an SAP complimentary software asset management tool for customers, delivers a detailed and well-structured overview of license inventory and usage with a user-friendly interface. We offer a hosted, cost-effective, and performance-optimized SAM4U setup in the Skybuffer Cloud environment. You retain ownership of the system and data, while we manage the ABAP 7.58 infrastructure, ensuring fixed Total Cost of Ownership (TCO) and exceptional services through the SAP Fiori interface.
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc... - DanBrown980551
This LF Energy webinar took place June 20, 2024. It featured:
-Alex Thornton, LF Energy
-Hallie Cramer, Google
-Daniel Roesler, UtilityAPI
-Henry Richardson, WattTime
In response to the urgency and scale required to effectively address climate change, open source solutions offer significant potential for driving innovation and progress. Currently, there is a growing demand for standardization and interoperability in energy data and modeling. Open source standards and specifications within the energy sector can also alleviate challenges associated with data fragmentation, transparency, and accessibility. At the same time, it is crucial to consider privacy and security concerns throughout the development of open source platforms.
This webinar will delve into the motivations behind establishing LF Energy’s Carbon Data Specification Consortium. It will provide an overview of the draft specifications and the ongoing progress made by the respective working groups.
Three primary specifications will be discussed:
-Discovery and client registration, emphasizing transparent processes and secure and private access
-Customer data, centering around customer tariffs, bills, energy usage, and full consumption disclosure
-Power systems data, focusing on grid data, inclusive of transmission and distribution networks, generation, intergrid power flows, and market settlement data
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors - DianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
"Choosing proper type of scaling", Olena Syrota - Fwdays
Imagine an IoT processing system that is already quite mature and production-ready and for which client coverage is growing and scaling and performance aspects are life and death questions. The system has Redis, MongoDB, and stream processing based on ksqldb. In this talk, firstly, we will analyze scaling approaches and then select the proper ones for our system.
The Microsoft 365 Migration Tutorial For Beginner.pptx - operationspcvita
This presentation will help you understand the power of Microsoft 365. However, we have mentioned every productivity app included in Office 365. Additionally, we have suggested the migration situation related to Office 365 and how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
Must Know Postgres Extension for DBA and Developer during Migration - Mydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... - Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
The Department of Veteran Affairs (VA) invited Taylor Paschal, Knowledge & Information Management Consultant at Enterprise Knowledge, to speak at a Knowledge Management Lunch and Learn hosted on June 12, 2024. All Office of Administration staff were invited to attend and received professional development credit for participating in the voluntary event.
The objectives of the Lunch and Learn presentation were to:
- Review what KM ‘is’ and ‘isn’t’
- Understand the value of KM and the benefits of engaging
- Define and reflect on your “what’s in it for me?”
- Share actionable ways you can participate in Knowledge Capture & Transfer
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
AppSec PNW: Android and iOS Application Security with MobSF - Ajin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
What is an RPA CoE? Session 1 – CoE Vision - DianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect, Anika Systems
4–6. What happened so far?
2018
• Jan.: Spectre V1, V2, V3 (Meltdown)
• Feb.: First reports of experimental exploitation
• Mar.: BranchScope
• May: Spectre V3a, Spectre V4
• Jun.: LazyFP, SGX Spectre
• Jul.: Spectre 1.1, Spectre 1.2, NetSpectre, ret2spec, SpectreRSB
• Aug.: L1TF SGX, L1TF OS/SMM, L1TF VMM, Labeled
• Oct.: Yet another one!
8–10. Impact
• Allows data extraction from arbitrary local memory (!)
• Exploitable from JavaScript environments (websites!!)
• Via the network (!!!)
11. Who can feel safe?
• Nobody using computers built after 1995.
◦ Any CPU manufacturer
◦ Any operating system
◦ Any device type
• Don’t trust the memory!
16–18. Attack Limitations
• Difficult — conventional attacks typically easier
• Via the network
◦ Works only under laboratory conditions
◦ Slow (15 bit / hour) — Still: extract a 256 bit key in ∼ 17 hours
• Mitigations on the way
◦ Partly already deployed via microcode and OS upgrades
40. Hands on! — Meltdown
1. Access data D at an illegal address — gets executed speculatively
2. Make an address A out of the data D — just a shl
3. Load data at address A
4. Program crashes
5. Do some tricks (e.g. fork)
6. Probe access time to A to learn if it is cached
7. Now we know that an address based on D is cached
8. Reverse step 2 to get the data
42–47. How can you protect yourself?
• As always: Apply security updates!
• Don’t trust the memory!
◦ Overwrite critical data!
◦ C: explicit_bzero()
◦ Java: char[]
◦ Python, Go, and co. (essentially all garbage-collecting languages with immutable strings): No guaranteed solution.
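Scrubbing a secret with explicit_bzero(), as an added example that is not part of the slides: it contrasts a plain memset() the optimizer may drop with a wipe it must keep, and assumes glibc 2.25 or later for explicit_bzero(), falling back to memset through a volatile function pointer on other libcs.

```c
/* Added example (not from the talk): scrub a secret before its memory is
 * released, so a later memory-disclosure read finds only zeros. */
#define _DEFAULT_SOURCE          /* glibc: declare explicit_bzero() in <string.h> */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* A plain memset() on a buffer that is never read again is a dead store:
 * an optimizing compiler may legally delete it, leaving the secret in RAM.
 * Kept here only to show the pattern to avoid. */
void wipe_naive(void *p, size_t n)
{
    memset(p, 0, n);
}

/* A wipe the optimizer must keep. glibc >= 2.25 provides explicit_bzero();
 * on other libcs (assumption: any C99 toolchain) memset is called through a
 * volatile function pointer, which the compiler cannot prove to be dead. */
void secure_wipe(void *p, size_t n)
{
#if defined(__GLIBC__) && (__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 25))
    explicit_bzero(p, n);
#else
    static void *(*const volatile memset_v)(void *, int, size_t) = memset;
    memset_v(p, 0, n);
#endif
}

/* Branch-free "is every byte zero" check (no early exit). */
int all_zero(const uint8_t *b, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= b[i];
    return acc == 0;
}

/* Heap lifecycle: the key lives only while in use and is scrubbed *before*
 * free(). The bytes are constructed filler, not real key material.
 * Returns 1 if the buffer was verifiably zero at the moment of release. */
int key_lifecycle(void)
{
    const size_t klen = 32;
    uint8_t *key = malloc(klen);
    if (key == NULL) return 0;
    for (size_t i = 0; i < klen; i++) key[i] = (uint8_t)(0xA5 ^ (i * 7));

    uint32_t digest = 0;                     /* stand-in for "using" the key */
    for (size_t i = 0; i < klen; i++) digest = digest * 31u + key[i];
    (void)digest;

    secure_wipe(key, klen);
    int wiped = all_zero(key, klen);         /* observe before free() */
    free(key);
    return wiped;
}

/* Stack lifecycle: same idea for an automatic array; the check runs inside
 * the frame, i.e. before the bytes could be reused by another call. */
int stack_wipe_demo(void)
{
    uint8_t tmp[16];
    for (size_t i = 0; i < sizeof tmp; i++) tmp[i] = (uint8_t)(0x5A + i);
    secure_wipe(tmp, sizeof tmp);
    return all_zero(tmp, sizeof tmp);
}

/* Sanity check that all_zero() really rejects a leftover byte. */
int leftover_detected(void)
{
    uint8_t buf[8] = {0, 0, 0, 0, 0, 0, 0, 0};
    buf[5] = 0x42;                           /* one surviving secret byte */
    return !all_zero(buf, sizeof buf);
}

int main(void)
{
    printf("heap key wiped:  %d\n", key_lifecycle());
    printf("stack buf wiped: %d\n", stack_wipe_demo());
    printf("leftover caught: %d\n", leftover_detected());
    return 0;
}
```

Build with optimization (e.g. -O2) to make the dead-store point meaningful; the wipe in secure_wipe() survives either way, which is exactly what the slide's advice asks for.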