This document discusses exploiting Qualcomm WLAN and modem chips over-the-air. It begins with introductions to the researchers and Tencent Blade Team. It then outlines the agenda and provides background on Qualcomm chips, including the WLAN firmware, modem firmware loading process, and attack surfaces. It details a vulnerability in the WLAN firmware that allows overwriting memory and escalating privileges to the modem and kernel. It demonstrates exploiting this vulnerability over-the-air to achieve remote code execution on Android devices. The document concludes with discussions on stability of exploitation and delivering payloads across different devices.
Talk given in Hackware about the details behind my PCB business card. More detailed information can be found in my blog post:
http://yeokhengmeng.com/2015/09/pcb-businessname-card/
or Github repo
https://github.com/yeokm1/pcb-name-card
How to Root 10 Million Phones with One ExploitJiahong Fang
This document discusses how to root 107 different phone models using a single exploit from 2014. It begins by introducing the author and their background in rooting phones. It then provides historical context on Android rooting methods over time, from early hidden root consoles to exploits of OTA updates, daemons, and kernels. The document focuses on a technique called DKOM (Direct Kernel Object Manipulation) to achieve root access by manipulating kernel objects like task structures even with only write-anywhere capabilities. It analyzes an exploit from 2013 that enabled this technique to root 42% of phones at the time.
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
#Codemotion Rome 2018 - Attraverso un "IoT pentester's diary", analizzeremo i passaggi chiave di un penetration test su una IP webcam, che ci porterà dall'analisi delle superfici di attacco, all'individuazione di una vulnerabilità reale. Un'introduzione all'exploitation, per spostarci dall'overflow di un buffer all'esecuzione remota di codice.
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
The document discusses 5 ways to exploit JTAG (Joint Test Action Group) interfaces to gain unauthorized access or privileges on a system. The 5 techniques are: 1) Accessing non-volatile storage like flash memory via boundary scan, 2) Scraping memory for offline forensic analysis, 3) Patching boot arguments to change how the system boots, 4) Directly patching the kernel by modifying code or function pointers in memory, and 5) Patching a specific process by searching memory for its code and modifying it. While some techniques like memory scraping are slow, others like boot argument patching or kernel patching can be done quickly and provide privileged access. JTAG interfaces provide I/O, execution control, and memory access that enable
Designed keeping in mind the latest technology on a single board. It is really easy to design, experiment with, and test circuitry without soldering. Students can explore a wide variety of electronic concepts simply by placing components on to the breadboard. It is very useful in electronics laboratories for performing IoT experiments. It is also useful to build and test circuits as well as making projects related to IoT integrating with the cloud platform. visit https://researchdesignlab.com/esp32-development-board-trainer-kit.html for more details
Talk given in Hackware about the details behind my PCB business card. More detailed information can be found in my blog post:
http://yeokhengmeng.com/2015/09/pcb-businessname-card/
or Github repo
https://github.com/yeokm1/pcb-name-card
How to Root 10 Million Phones with One ExploitJiahong Fang
This document discusses how to root 107 different phone models using a single exploit from 2014. It begins by introducing the author and their background in rooting phones. It then provides historical context on Android rooting methods over time, from early hidden root consoles to exploits of OTA updates, daemons, and kernels. The document focuses on a technique called DKOM (Direct Kernel Object Manipulation) to achieve root access by manipulating kernel objects like task structures even with only write-anywhere capabilities. It analyzes an exploit from 2013 that enabled this technique to root 42% of phones at the time.
IoT exploitation: from memory corruption to code execution by Marco RomanoCodemotion
#Codemotion Rome 2018 - Attraverso un "IoT pentester's diary", analizzeremo i passaggi chiave di un penetration test su una IP webcam, che ci porterà dall'analisi delle superfici di attacco, all'individuazione di una vulnerabilità reale. Un'introduzione all'exploitation, per spostarci dall'overflow di un buffer all'esecuzione remota di codice.
44CON London 2015 - Jtagsploitation: 5 wires, 5 ways to root44CON
The document discusses 5 ways to exploit JTAG (Joint Test Action Group) interfaces to gain unauthorized access or privileges on a system. The 5 techniques are: 1) Accessing non-volatile storage like flash memory via boundary scan, 2) Scraping memory for offline forensic analysis, 3) Patching boot arguments to change how the system boots, 4) Directly patching the kernel by modifying code or function pointers in memory, and 5) Patching a specific process by searching memory for its code and modifying it. While some techniques like memory scraping are slow, others like boot argument patching or kernel patching can be done quickly and provide privileged access. JTAG interfaces provide I/O, execution control, and memory access that enable
Designed keeping in mind the latest technology on a single board. It is really easy to design, experiment with, and test circuitry without soldering. Students can explore a wide variety of electronic concepts simply by placing components on to the breadboard. It is very useful in electronics laboratories for performing IoT experiments. It is also useful to build and test circuits as well as making projects related to IoT integrating with the cloud platform. visit https://researchdesignlab.com/esp32-development-board-trainer-kit.html for more details
Introduction to ESP32 Programming [Road to RIoT 2017]Alwin Arrasyid
Introduction to ESP32 programming using official development framework, ESP-IDF and Arduino for ESP32.
Every demo code is published in this github repository:
https://github.com/alwint3r/RTR_Surabaya2017
My slide at the Milan Codemotion 2015, a session called "An Adventure with ESP8266 and IOT" about using the esp8266 with NodeMCU, mosquitto, nodejs and an accelerometer. All the sourcecode will be available at http://pestohacks.blogspot.com soon
This document provides instructions for compiling and installing the VT6655 and VT6656 Linux driver and configuring it for various wireless security modes. Key steps include:
1. Unpacking the driver source code and dependencies.
2. Compiling the driver, wpa_supplicant, and OpenSSL.
3. Configuring the driver for open, WEP, WPA-PSK, and WPA2-PSK networks through iwconfig commands and editing the wpa_supplicant.conf file.
This document provides a summary of an ESP8266 workshop covering:
- Introduction to the ESP8266 hardware and software
- Setting up ESP-01 and ESP-12 modules for development
- Flashing firmware using esptool
- Introduction to NodeMCU and Lua
- Using the ESPlorer IDE
- Examples of using buttons, LEDs, WiFi, UDP, and MQTT with the ESP8266
This document provides an overview of cryptocurrency mining. It begins with introductions to the speaker and relevant communities. It then covers topics like building a mining rig, infrastructure, monitoring tools, crypto wallets, and profit calculations. Tips are provided for planning equipment, GPU performance tuning, and choosing between AMD and Nvidia cards. Monitoring software like Cacti, Awesome Miner, and PRTG are reviewed. Different types of wallets like online, mobile, hardware and paper are outlined. The document stresses the importance of calculating costs and profits over both short and long term investments. Photos and a video interview are referenced at the end.
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
The document discusses using proxy ARP to allow multiple containers and VMs to share a single network interface on the host machine. It notes some limitations of alternative approaches like Linux bridges, Open vSwitch, and MACVLAN. It also describes some issues with proxy ARP like stealing MAC addresses and requiring static routing. The proposed solution is to use arptables to selectively allow ARP requests from specific IP addresses to prevent MAC address conflicts while enabling network access for containers and VMs.
The NodeMCU is an ESP8266 development board that contains a 32-bit RISC CPU, 64KB of instruction RAM, 96KB of data RAM, and external flash memory. It supports WiFi, GPIO pins, SPI, I2C, PWM and ADC interfaces. Official firmware includes Lua, Micropython, and Espruino scripting languages as well as support for Arduino IDE. It is inexpensive, functional, and has a large community supporting its use and development.
The project uses ultrasonic sensor and ESP8266 to monitor tank water level at any point of time.
The monitoring aspect has 2 objectives:
To check water level at any given point (achieved with the help of cloud connectivity through Thingspeak)
To send an alert message when tank is filled or empty (achieved with the help of Notify My Android app)
The document discusses setting up FreeBSD on DigitalOcean virtual private servers (VPS). It provides details on DigitalOcean's pricing plans and features for droplets. It then describes the author's experience deploying FreeBSD 10.1 and FreeBSD AMP 10.1 droplets on DigitalOcean, including summaries of dmesg output and installed packages.
The document provides an overview of connecting and communicating with an ESP8266 WiFi module via serial. It discusses the hardware connections needed, including using an FTDI or Arduino board. It then demonstrates some basic AT commands to check the module status, list available networks, connect to a network, and act as both a TCP client and server.
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
The document describes vulnerabilities found in the Windows kernel trap handlers and NTVDM subsystem. It provides a case study of vulnerabilities disclosed in MS13-063, including CVE-2013-3196 which allowed a write-what-where condition in the nt!PushInt handler due to improper validation of operands during emulation of 16-bit instructions. The document also covers prior research on NTVDM vulnerabilities and the architecture of legacy software execution in Windows, highlighting the complex kernel interfaces and large attack surface involved in supporting older programs.
You have one of those fruity *Pi arm boards and cheep sensor from China? Some buttons and LEDs? Do I really need to learn whole new scripting language and few web technologies to read my temperature, blink a led or toggle a relay? No, because your Linux kernel already has drivers for them and all you need is device tree and cat.
The document discusses analyzing Linux kernel crash dumps. It covers various ways to gather crash data like serial console, netconsole, kmsg dumpers, Kdump, and Pstore. It then discusses analyzing the crashed kernel using tools like ksymoops, crash utility, and examining the backtrace, kernel logs, processes, and file descriptors. The document provides examples of gathering data from Pstore and using commands like bt, log, and ps with the crash utility to extract information from a crash dump.
Project ACRN USB mediator introductionProject ACRN
This document introduces the ACRN USB Mediator, which provides USB virtualization for the Intel Apollo Lake platform. It discusses:
1. The native USB architecture of Apollo Lake, which includes an integrated xHCI and xDCI controller sharing USB PHY ports.
2. The device model architecture in ACRN, which virtualizes the xHCI and DRD controllers through emulators to assign isolated USB resources to each VM.
3. The xHCI virtualization implementation, which exposes multiple virtual xHCI instances to VMs and maps their virtual USB ports to physical ports.
4. The DRD virtualization, which emulates the dual role device functionality of Apollo Lake to
The document discusses Linux I2C and its subsystems. It describes the Linux I2C bus driver which provides an API for I2C and SMBus transactions. It also covers I2C adapter drivers that interface between the bus driver and physical I2C controllers, the I2C-dev driver which provides a character device interface, and I2C client drivers.
A talk I gave at Hackware v1.9 about my experience in using an Intel Edison in my company's product.
The video of my talk can be found here: https://engineers.sg/v/828
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
Attraverso un "IoT pentester's diary", analizzeremo i passaggi chiave di un penetration test su una IP webcam, che ci porterà dall'analisi delle superfici di attacco, all'individuazione di una vulnerabilità reale. Un'introduzione all'exploitation, per spostarci dall'overflow di un buffer all'esecuzione remota di codice.
Introduction to ESP32 Programming [Road to RIoT 2017]Alwin Arrasyid
Introduction to ESP32 programming using official development framework, ESP-IDF and Arduino for ESP32.
Every demo code is published in this github repository:
https://github.com/alwint3r/RTR_Surabaya2017
My slide at the Milan Codemotion 2015, a session called "An Adventure with ESP8266 and IOT" about using the esp8266 with NodeMCU, mosquitto, nodejs and an accelerometer. All the sourcecode will be available at http://pestohacks.blogspot.com soon
This document provides instructions for compiling and installing the VT6655 and VT6656 Linux driver and configuring it for various wireless security modes. Key steps include:
1. Unpacking the driver source code and dependencies.
2. Compiling the driver, wpa_supplicant, and OpenSSL.
3. Configuring the driver for open, WEP, WPA-PSK, and WPA2-PSK networks through iwconfig commands and editing the wpa_supplicant.conf file.
This document provides a summary of an ESP8266 workshop covering:
- Introduction to the ESP8266 hardware and software
- Setting up ESP-01 and ESP-12 modules for development
- Flashing firmware using esptool
- Introduction to NodeMCU and Lua
- Using the ESPlorer IDE
- Examples of using buttons, LEDs, WiFi, UDP, and MQTT with the ESP8266
This document provides an overview of cryptocurrency mining. It begins with introductions to the speaker and relevant communities. It then covers topics like building a mining rig, infrastructure, monitoring tools, crypto wallets, and profit calculations. Tips are provided for planning equipment, GPU performance tuning, and choosing between AMD and Nvidia cards. Monitoring software like Cacti, Awesome Miner, and PRTG are reviewed. Different types of wallets like online, mobile, hardware and paper are outlined. The document stresses the importance of calculating costs and profits over both short and long term investments. Photos and a video interview are referenced at the end.
The prevalence of computers in form of so called "smart" devices embedded in our everyday environment is inevitable. From pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (i.a. BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide-open. But are we doomed? What are the conditions for real threat? Can the vulnerabilities be exploited anonymously and as easily as in web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does it mean we don't have to worry? Are we sure how to use securely the emerging technology?
The document discusses using proxy ARP to allow multiple containers and VMs to share a single network interface on the host machine. It notes some limitations of alternative approaches like Linux bridges, Open vSwitch, and MACVLAN. It also describes some issues with proxy ARP like stealing MAC addresses and requiring static routing. The proposed solution is to use arptables to selectively allow ARP requests from specific IP addresses to prevent MAC address conflicts while enabling network access for containers and VMs.
The NodeMCU is an ESP8266 development board that contains a 32-bit RISC CPU, 64KB of instruction RAM, 96KB of data RAM, and external flash memory. It supports WiFi, GPIO pins, SPI, I2C, PWM and ADC interfaces. Official firmware includes Lua, Micropython, and Espruino scripting languages as well as support for Arduino IDE. It is inexpensive, functional, and has a large community supporting its use and development.
The project uses ultrasonic sensor and ESP8266 to monitor tank water level at any point of time.
The monitoring aspect has 2 objectives:
To check water level at any given point (achieved with the help of cloud connectivity through Thingspeak)
To send an alert message when tank is filled or empty (achieved with the help of Notify My Android app)
The document discusses setting up FreeBSD on DigitalOcean virtual private servers (VPS). It provides details on DigitalOcean's pricing plans and features for droplets. It then describes the author's experience deploying FreeBSD 10.1 and FreeBSD AMP 10.1 droplets on DigitalOcean, including summaries of dmesg output and installed packages.
The document provides an overview of connecting and communicating with an ESP8266 WiFi module via serial. It discusses the hardware connections needed, including using an FTDI or Arduino board. It then demonstrates some basic AT commands to check the module status, list available networks, connect to a network, and act as both a TCP client and server.
Mateusz 'j00ru' Jurczyk - Windows Kernel Trap Handler and NTVDM Vulnerabiliti...DefconRussia
The document describes vulnerabilities found in the Windows kernel trap handlers and NTVDM subsystem. It provides a case study of vulnerabilities disclosed in MS13-063, including CVE-2013-3196 which allowed a write-what-where condition in the nt!PushInt handler due to improper validation of operands during emulation of 16-bit instructions. The document also covers prior research on NTVDM vulnerabilities and the architecture of legacy software execution in Windows, highlighting the complex kernel interfaces and large attack surface involved in supporting older programs.
You have one of those fruity *Pi arm boards and cheep sensor from China? Some buttons and LEDs? Do I really need to learn whole new scripting language and few web technologies to read my temperature, blink a led or toggle a relay? No, because your Linux kernel already has drivers for them and all you need is device tree and cat.
The document discusses analyzing Linux kernel crash dumps. It covers various ways to gather crash data like serial console, netconsole, kmsg dumpers, Kdump, and Pstore. It then discusses analyzing the crashed kernel using tools like ksymoops, crash utility, and examining the backtrace, kernel logs, processes, and file descriptors. The document provides examples of gathering data from Pstore and using commands like bt, log, and ps with the crash utility to extract information from a crash dump.
Project ACRN USB mediator introductionProject ACRN
This document introduces the ACRN USB Mediator, which provides USB virtualization for the Intel Apollo Lake platform. It discusses:
1. The native USB architecture of Apollo Lake, which includes an integrated xHCI and xDCI controller sharing USB PHY ports.
2. The device model architecture in ACRN, which virtualizes the xHCI and DRD controllers through emulators to assign isolated USB resources to each VM.
3. The xHCI virtualization implementation, which exposes multiple virtual xHCI instances to VMs and maps their virtual USB ports to physical ports.
4. The DRD virtualization, which emulates the dual role device functionality of Apollo Lake to
The document discusses Linux I2C and its subsystems. It describes the Linux I2C bus driver which provides an API for I2C and SMBus transactions. It also covers I2C adapter drivers that interface between the bus driver and physical I2C controllers, the I2C-dev driver which provides a character device interface, and I2C client drivers.
A talk I gave at Hackware v1.9 about my experience in using an Intel Edison in my company's product.
The video of my talk can be found here: https://engineers.sg/v/828
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
"In the past two years, smart speakers have become the most popular IoT device, Amazon_ Google and Apple have introduced their own smart speaker products. Most of these smart speakers have natural language recognition, chat, music playback, IoT device control, shopping, and so on. Manufacturers use artificial intelligence technology to make smart speakers have similar human capabilities in the chat conversation. However, with the smart speakers coming into more and more homes, and the function is becoming more powerful, its security has been questioned by many people. People are worried that smart speakers will be hacked to leak their privacy, and our research proves that this concern is very necessary.
In this talk, we will present how to use multiple vulnerabilities to achieve remote attack some of the most popular smart speakers. Our final attack effects include silent listening, control speaker speaking content and other demonstrations. And we're also going to talk about how to extract firmware from BGA packages Flash chips such as EMMC, EMCP, NAND Flash, etc. In addition, it contains how to turn on debug interfaces and get root privileges by modifying firmware content and Re-soldering Flash chips, which can be of great help for subsequent vulnerability analysis and debugging. Finally, we will play several demo videos to demonstrate how we can remotely access some Smart Speaker Root permissions and use smart speakers for eavesdropping and playing voice."
IoT exploitation: from memory corruption to code execution - Marco Romano - C...Codemotion
Attraverso un "IoT pentester's diary", analizzeremo i passaggi chiave di un penetration test su una IP webcam, che ci porterà dall'analisi delle superfici di attacco, all'individuazione di una vulnerabilità reale. Un'introduzione all'exploitation, per spostarci dall'overflow di un buffer all'esecuzione remota di codice.
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
As time goes on operating systems keep evolving, like Microsoft Windows do, it ships new designs, features and codes from time to time. However sometimes it also ships more than bit of codes for complex subsystems residing in its kernel ... and at some future point it starts implementing new designs to prevent unnecessary access to it. However is it safe enough?
As we can see from security bulletins, win32k subsystem attracts lots of attention. It looks that with efforts of many security researchers who has dug into this area, finding bugs here shall becomes pretty tough and almost fruitless. But unfortunately this is not true, as win32k is backed up by very complex logic and large amount of code by nature..
We will present our point of view to Windows graphic subsystem, as well as schema of our fuzzing strategies. We will introduce some unusual areas of win32k, its extensions and how it can breaks even locked environments.
Part of our talk will be dedicated to CVE-2016-0176, the bug we used for this year's Pwn2Own Edge sandbox bypass, from its discovery to its exploitation techniques, which could serves as an example for universal DirectX escape which is independent of graphics vendors.
Analyzing the Performance of Mobile WebAriya Hidayat
This document discusses techniques for analyzing the performance of mobile web applications. It covers challenges like network variability, different device hardware, and continuous integration. Approaches mentioned include benchmarking, injecting instrumentation, emulation, and remote inspection. Strategies suggested are reducing complexity, replicating analysis on desktop, and tweaking at the system level. Tools mentioned include the Nexus One, Gingerbread, PhantomJS, and headless WebKit. The document provides examples and caveats for analyzing areas like network traffic, graphics commands, garbage collection, and JavaScript parsing.
This document discusses Cisco IOS shellcoding and reverse engineering. It covers topics like Cisco IOS shellcodes that are image-independent by disassembling or interrupting hijacking. It also discusses Tcl shellcodes, Cisco IOS reverse engineering challenges including lack of modularity and APIs. The document details subsystems, registries, processes, command parser tree, debugging Cisco IOS, and magic numbers used in Cisco IOS.
44CON 2014 - Stupid PCIe Tricks, Joe Fitzpatrick44CON
Joe FitzPatrick gave a presentation on exploiting PCIe (Peripheral Component Interconnect Express) buses for hardware attacks. He discussed using DMA (direct memory access) over PCIe to read and write system memory, modify firmware, and potentially bypass mitigations like IOMMU (input-output memory management unit). FitzPatrick demonstrated proof-of-concept attacks on Macs and Windows PCs using custom PCIe devices and software. However, he noted that fully bypassing protections like VT-d on Macbooks had not yet been achieved and more work is needed to build attacks without imitating a genuine device.
Developing Applications for Beagle Bone Black, Raspberry Pi and SoC Single Bo...ryancox
This document discusses using Go to build applications for ARM-based single board computers like Raspberry Pi and BeagleBone. It provides an overview of the ARM architecture and popular boards, as well as how Go's toolchain supports cross-compilation to ARM. Libraries like embd for interacting with hardware are introduced. Examples of IoT projects built on these boards running Go code are also mentioned.
MicroPython is a lean and efficient implementation of Python 3 that runs on microcontrollers and embedded systems. The document discusses installing MicroPython on an ESP8266 board, connecting sensors like a DHT11 temperature and humidity sensor to the board, and communicating sensor data to a Home Assistant server using MQTT messaging to build an IoT system with end-to-end Python code.
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Bhavin Chandarana
This is the second part of the presentation used for the workshop I conducted at Sinhagad University on Thursday 4th Feb, 2016. A lot of the content has been taken from freely available existing sources and these slides are just for reference for those who attended the workshop
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.
In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.
The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.
[db tech showcase Tokyo 2017] A11: SQLite - The most used yet least appreciat...Insight Technology, Inc.
More instances of SQLite are used every day, by more people, than all other database engines combined. An yet, SQLite does not get much attention. Many developers hardly know anything about it. This session will review the features of SQLite, how it is different from other database engines, its strengths and its weaknesses, and when SQLite is an appropriate technology and when some other database engine might be a better choice.
Feasibility of Security in Micro-Controllersardiri
Is it possible to secure micro-controllers used within IoT?
With the introduction of micro controllers such as the Arduino, Raspberry Pi and BeagleBone – it has become easy to connect sensors to gather information and utilise network connections to build an IoT ecosystem. Strong encryption schemes like RSA/AES/SHA and ecliptic curves cryptography (ECC) have been difficult to introduce due to limited performance and memory capabilities of the micro controllers used and using standard libraries just isn’t feasible – we find that designated and optimised software is the only feasible way forward.
The document discusses RenderScript on LLVM. It describes RenderScript as a way to perform 3D rendering and compute tasks portably and with high performance on Android. It outlines the main components: an offline compiler that optimizes scripts, an online JIT compiler, and a runtime library. It provides an example of using RenderScript to convert an image to grayscale and discusses how scripts are compiled and executed to provide fast launch times.
This document discusses various tools and techniques for improving the quality of robotics software, including ROS 2 code. It covers using compiler instrumentation like AddressSanitizer and ThreadSanitizer to detect memory bugs and concurrency issues. It also discusses annotating code with thread safety annotations, fuzz testing ROS 2 to find crashes, and integrating these techniques into continuous integration systems to catch issues early. The goal is to help the robotics community build more robust, secure software.
BKK16-211 Internet of Tiny Linux (io tl)- Status and ProgressLinaro
This document discusses methods for reducing the size of Linux kernels and user space binaries to make them suitable for small IoT applications. It describes how the Linux kernel is well-suited for IoT due to its large developer community and features, but can be bloated. Methods discussed to reduce kernel size include compiling out unused features, using Link Time Optimization (LTO), and trimming unused exported kernel symbols. For user space, it suggests statically compiled applications and shared libraries with minimal dependencies. The presentation provides size reduction numbers when applying these techniques and suggests areas for further work like code profiling and improved modularization.
Hardware backdooring is practical : slidesMoabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the intel architecture, Rakshasa, capable of infecting more than a hundred of different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete earasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subvertions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. More over, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demo its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non open source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the afore mentioned firmwares as part of their scope of work.
Meder Kydyraliev - Mining Mach Services within OS X SandboxDefconRussia
This document discusses OS X sandboxing and the OS X sandbox implementation called Seatbelt. It provides an overview of sandboxing concepts like why it is used and how it works through hooks in the kernel. It describes the TrustedBSD MAC framework that Seatbelt is based on and how it uses extensions. It also examines some of the attack surface exposed in the BSD system calls and Mach services that are allowed by the sandbox.
This document provides an introduction to Windows IoT using a Raspberry Pi 3 device. It discusses what IoT is, provides an overview of hardware options like the Raspberry Pi 3 and MinnowBoard Max, and how to set up a development environment. It demonstrates connecting devices through methods like SignalR, Azure IoT, and AllJoyn. It also shows controlling GPIO pins and building a remote controlled car prototype. Resources for further learning and hardware access are provided.
This document summarizes a presentation given by Blair Leduc on Windows 10 IoT Core. It introduces Windows 10 IoT Core and compares development boards like the Raspberry Pi 2, DragonBoard 410c, and MinnowBoard MAX. It discusses setting up Windows 10 IoT Core using the IoT Dashboard or Image Helper, configuring devices using the Device Portal or PowerShell, and connecting devices to services like Azure IoT Hub or data.sparkfun.com. The presentation provided an overview of Windows 10 IoT Core and resources for developing IoT solutions.
Similar to DEF CON 27 - XILING GONG PETER PI - exploiting qualcom wlan and modem over the air (20)
DEF CON 24 - Sean Metcalf - beyond the mcse red teaming active directoryFelipe Prado
The document discusses strategies for red teaming Active Directory security. It begins with an overview of Active Directory components and how they can be exploited by attackers. It then covers offensive PowerShell techniques and how PowerShell security can be bypassed. The document also provides methods for effective Active Directory reconnaissance, including discovering administrator accounts and network assets without port scanning. Finally, it discusses some Active Directory defenses that can be deployed and potential bypass techniques.
DEF CON 24 - Bertin Bervis and James Jara - exploiting and attacking seismolo...Felipe Prado
The document discusses vulnerabilities found in seismological network devices that could allow remote exploitation. It begins with a disclaimer and agenda. The speakers are then introduced as researchers from Costa Rica who were interested in these networks due to potential attack scenarios. Through a search engine, they discovered vulnerabilities in devices from multiple vendors. The talk demonstrates taking control of a device and outlines impacts such as sabotage. Recommendations are made to vendors to improve security of these critical scientific instruments.
DEF CON 24 - Tamas Szakaly - help i got antsFelipe Prado
The document discusses the benefits of exercise for mental health. Regular physical activity can help reduce anxiety and depression and improve mood and cognitive function. Exercise causes chemical changes in the brain that may help protect against mental illness and improve symptoms for those who already suffer from conditions like anxiety and depression.
DEF CON 24 - Ladar Levison - compelled decryptionFelipe Prado
This document appears to be a preview of slides for a presentation at DEF CON 24 about compelled decryption. The slides discuss the difference between first and third parties in communications and the Communications Assistance for Law Enforcement Act. It also lists several third parties like technology companies and individuals that could potentially be compelled to decrypt communications. The document indicates that it is a preliminary version and the slides may be altered before the actual presentation.
Deep learning systems are susceptible to adversarial manipulation through techniques like generating adversarial samples and substitute models. By making small, targeted perturbations to inputs, an attacker can cause misclassifications or reduce a model's confidence without affecting human perception of the inputs. This is possible due to blind spots in how models learn representations that are different from human concepts. Defending against such attacks requires training models with adversarial techniques to make them more robust.
DEF CON 24 - Chris Rock - how to overthrow a governmentFelipe Prado
This document outlines various strategies and tactics for overthrowing a government through covert and clandestine means, including cyber espionage, propaganda, agitation of public unrest, sabotage of critical infrastructure, and manipulation of financial systems. It discusses using mercenaries and private intelligence agencies to carry out these activities at an arm's length from sponsorship by nation states. Specific examples from Kuwait in 2011 are referenced to illustrate techniques for fomenting revolution through cyber and information operations.
DEF CON 24 - Fitzpatrick and Grand - 101 ways to brick your hardwareFelipe Prado
This document discusses various ways that hardware can become "bricked", or rendered unusable, through both software and hardware issues. It covers 101 different bricking scenarios across firmware, printed circuit boards, connectors, integrated circuits, and unexpected situations. Examples include wiping firmware, damaging traces on PCBs, breaking solder joints on connectors, applying too much voltage to ICs, and devices being bricked by environmental factors. The document provides tips for both bricking and avoiding bricking hardware, as well as techniques for potentially unbricking devices.
DEF CON 24 - Rogan Dawes and Dominic White - universal serial aBUSe remote at...Felipe Prado
This document provides an overview of a talk on novel USB attacks that can provide remote command and control of even air-gapped machines with minimal forensic footprint. It describes building an open-source toolset using freely available hardware that implements a stealthy bi-directional communication channel over USB using a keyboard/mouse and generic HID profiles to deploy payloads and proxy traffic without touching the network. The talk will demonstrate attacking Windows systems by staging payloads in memory to avoid disk artifacts and establishing a VNC session without user interaction or malware deployment. Source code and documentation for the toolset, called USaBUSe, will be released on GitHub at Defcon.
DEF CON 24 - Jay Beale and Larry Pesce - phishing without frustrationFelipe Prado
The document discusses common challenges and failures that can occur when conducting phishing campaigns professionally. It outlines eleven stories of phishing failures caused by issues like poor scheduling, spam filters blocking emails, not having enough target email addresses, domain name choices being too obvious, and lack of communication. For each failure, it provides recommendations on how to avoid the problem by improving collaboration, communication, planning and negotiation with the client organization. The overall message is that success requires treating phishing engagements as multi-party negotiations and managing expectations through clear communication and involvement of all stakeholders.
The document discusses vulnerabilities found in human-machine interface (HMI) solutions used for industrial control systems. It details a case study of multiple stack-based buffer overflow vulnerabilities found in Advantech WebAccess through an RPC service that could allow remote code execution. The vulnerabilities were caused by improper validation of user-supplied input to functions like sprintf and strcpy. While patches were released, analysis showed the fixes did not fully address the underlying problems with input handling.
DEF CON 24 - Allan Cecil and DwangoAC - tasbot the perfectionistFelipe Prado
This document summarizes tool-assisted speedruns (TAS) of video games. It discusses how emulators and tools are used to play games faster than humanly possible by deterministically recording every input. Advanced techniques like memory searching and scripting push games to their limits. Console verification devices were developed to play back TAS movies on original hardware. The document argues that TAS tools are like penetration testing tools and can be used to find and exploit vulnerabilities in games. It demonstrates an arbitrary code execution in Pokemon Red using an unintended opcode execution.
DEF CON 24 - Rose and Ramsey - picking bluetooth low energy locksFelipe Prado
This document shows a graph with distance on the x-axis ranging from 0 to 35 meters and Received Signal Strength (RSS) in dBm on the y-axis ranging from -100 to -40 dBm. The graph contains a line for a model with a path loss exponent of 2.0 as well as scattered data points representing collected RSS measurements.
This document provides an overview of a hands-on, turbocharged pragmatic cloud security training that covers topics in a fraction of the normal time by slimming down four days of material into four hours. It will cover configuring production-quality AWS accounts, building deployment pipelines, and automating security controls. Most examples will use Ruby and Python. Nearly all labs will be in AWS. There will be minimal slides and hand-holding. Participants are responsible for their own AWS bills after the training.
DEF CON 24 - Grant Bugher - Bypassing captive portalsFelipe Prado
The document discusses the results of a study on the impact of COVID-19 lockdowns on air pollution. Researchers analyzed data from dozens of countries and found that lockdowns led to an average decline of nearly 30% in nitrogen dioxide levels over cities. However, they also observed that this improvement was temporary and air pollution rebounded once lockdowns were lifted as vehicle traffic increased again. The short-term reductions could help policymakers design better emission control strategies in the future.
DEF CON 24 - Patrick Wardle - 99 problems little snitchFelipe Prado
Little Snitch is a host-based firewall for macOS that intercepts connection attempts and allows the user to approve or deny them. The document discusses understanding, bypassing, and reversing Little Snitch. It provides an overview of Little Snitch's components and architecture, describes several methods for bypassing its network filtering, and examines techniques for interacting with and disabling Little Snitch's kernel extension through the I/O Kit framework.
DEF CON 24 - Plore - side -channel attacks on high security electronic safe l...Felipe Prado
The document summarizes two presentations on cracking electronic safe locks. It discusses cracking a Sargent & Greenleaf 6120 safe lock by using a power analysis side-channel attack to recover the keycode stored in clear in the lock's EEPROM. It also discusses cracking a Sargent & Greenleaf Titan PivotBolt safe lock by using a timing side-channel attack to recover the keycode, and defeating the lock's incorrect code lockout feature.
DEF CON 24 - Six Volts and Haystack - cheap tools for hacking heavy trucksFelipe Prado
This document discusses hacking heavy trucks and related networking protocols. It describes building a "Truck-in-a-Box" simulator to experiment with truck electronics and protocols like J1939 and J1708. The document outlines adventures in truck hacking, including modifying engine parameters, impersonating an engine control module, and exploiting bad cryptography. Details are provided on new hardware tools like the Truck Duck for analyzing truck communication networks.
DEF CON 24 - Dinesh and Shetty - practical android application exploitationFelipe Prado
The document provides an overview of a workshop on practical Android application exploitation. The workshop aims to teach skills for performing reverse engineering, static and dynamic testing, and binary analysis of Android applications. It will use demonstrations and hands-on exercises with custom applications like InsecureBankv2. The workshop focuses on discovery and remediation, targeting intermediate to advanced skill levels. It will cover tools, techniques, and common vulnerabilities to exploit Android applications.
DEF CON 24 - Klijnsma and Tentler - stargate pivoting through vncFelipe Prado
The document discusses vulnerabilities in VNC implementations that allow unauthenticated access. It notes that a scan of the internet found over 335,000 VNC servers, with around 8,000 having no authentication. This lack of authentication allows attackers to access and "pivot" into internal networks. The document provides statistics on different VNC protocol versions found and describes exploits that could allow compromising devices to access additional internal systems through insecure VNC implementations and proxies.
DEF CON 24 - Antonio Joseph - fuzzing android devicesFelipe Prado
Droid-FF is an Android fuzzing framework that aims to automate the fuzzing process on Android devices. It uses Python scripts and integrates fuzzing tools like Peach and radamsa to generate test case data. The framework runs fuzzing campaigns on Android devices, processes the logs to identify crashes, verifies the crashes are unique, maps crashes to source code locations, and analyzes crashes for exploitability using a GDB plugin. The goal of Droid-FF is to make fuzzing easier on mobile devices and help find more crashes and potential vulnerabilities in Android applications and frameworks.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfPaige Cruz
Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack.
While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack.
I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slackshyamraj55
Discover the seamless integration of RPA (Robotic Process Automation), COMPOSER, and APM with AWS IDP enhanced with Slack notifications. Explore how these technologies converge to streamline workflows, optimize performance, and ensure secure access, all while leveraging the power of AWS IDP and real-time communication via Slack notifications.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Full-RAG: A modern architecture for hyper-personalizationZilliz
Mike Del Balso, CEO & Co-Founder at Tecton, presents "Full RAG," a novel approach to AI recommendation systems, aiming to push beyond the limitations of traditional models through a deep integration of contextual insights and real-time data, leveraging the Retrieval-Augmented Generation architecture. This talk will outline Full RAG's potential to significantly enhance personalization, address engineering challenges such as data management and model training, and introduce data enrichment with reranking as a key solution. Attendees will gain crucial insights into the importance of hyperpersonalization in AI, the capabilities of Full RAG for advanced personalization, and strategies for managing complex data integrations for deploying cutting-edge AI solutions.
20 Comprehensive Checklist of Designing and Developing a WebsitePixlogix Infotech
Dive into the world of Website Designing and Developing with Pixlogix! Looking to create a stunning online presence? Look no further! Our comprehensive checklist covers everything you need to know to craft a website that stands out. From user-friendly design to seamless functionality, we've got you covered. Don't miss out on this invaluable resource! Check out our checklist now at Pixlogix and start your journey towards a captivating online presence today.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
2. About Us
Xiling Gong (@GXiling)
Senior security researcher at Tencent Blade Team.
Focus on Android Security, Qualcomm Firmware Security.
Speaker of BlackHat, CanSecWest.
Peter Pi(@tencent_blade)
Senior security researcher at Tencent Blade Team.
Find many vulnerabilities of vendors like Google, Microsoft, Apple, Qualcomm, Adobe and Tesla.
The #1 Researcher of Google Android VRP in year 2016.
Speaker of BlackHat, CanSecWest, HITB, GSEC and Hitcon.
3. About Tencent Blade Team
• Founded by Tencent Security Platform Department in 2017
• Focus on security research in the areas of AIoT, Mobile devices, Cloud
virtualization, Blockchain, etc
• Report 200+ vulnerabilities to vendors such as Google, Apple, Microsoft, Amazon
• We talked about how to break Amazon Echo at DEFCON26
• Blog: https://blade.tencent.com
4. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
5. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
6. Introduction
• Broadcom WIFI Chip
• 2017, Gal Beniamini
• Over The Air: Exploiting Broadcom’s Wi-Fi Stack
• 2017, Nitay Artenstein, BlackHat USA 2017
• BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN
BROADCOM'S WI-FI CHIPSETS
• Marvel WIFI Chip
• 2019, Denis Selyanin
• Zero Nights 2018 , Researching Marvell Avastar Wi-Fi: from zero knowledge to over-
the-air zero-touch RCE
• Blog 2019, Remotely compromise devices by using bugs in Marvell Avastar Wi-Fi: from
zero knowledge to zero-click RCE
• How about Qualcomm WIFI?
7. Qualcomm WLAN (MSM8998)
WLAN FirmwareBaseband Subsystem
Linux Kernel QCACLD2/3Full MAC Layer
Application Android Framework Wifi Demon
Modem Firmware
8. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
9. MBA and Modem images
• Modem Boot Authenticator
• mba.mbn
• modem.mdt
• modem.b00 – modem.b20
• Image format
11. pil_boot
• The pil_boot function in Linux Kernel describes the boot flow of
modem.
• Load mba.mbn, modem.mdt and modem.bxx to physical memory.
• Trigger MBA and modem images to be verified and run in
Modem Processor.
• Linux Kernel can restart Modem Processor at any time, will hit
pil_boot each time when restart.
12. pil_boot
pil_boot start
Load modem.mdt, use
the info to setup modem
pa region
Call pil_mss_mem_setup to register
modem pa region to TZ
Call pil_msa_mss_reset_mba_load_auth_mdt
to load msa.mbn and auth modem.mdt
Call pil_assign_mem_to_subsys_and_linux
to make Linux Kernel and MBA both can
access the pa region
Call pil_load_seg to load
modem.bxx to the pa region
Call pil_msa_mba_auth to auth
modem.bxx and start modem
Call pil_reclaim_mem to make Linux
Kernel can’t access the pa region
any more
16. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
17. Qualcomm WLAN
WLAN Firmware
Baseband Subsystem
Hexagon
Linux KernelQCACLD2/3Full MAC Layer
Application Android Framework Wifi Demon
Modem Firmware
18. Qualcomm WLAN Architecture
WMI Handler
Non-Data Handler Data Handler
Physical Layer OTA Packet
Offload MAC Layer
WLAN Firmware
Linux KernelQCACLD2/3Full MAC Layer
Application Android Framework Wifi Demon
19. Example - Management Beacon
Non-Data Handler
80211 Management Beacon
WLAN Firmware
Linux KernelQCACLD2/3Full MAC Layer
Wifi Demon
Offload Table
Parse
Discard
SSID
Management BeaconForward
21. Reverse Engineering – Hint From Qualcomm
Import Function
WMI Handler
drivers/staging/fw-api-fw/wmi_unified.h
String Table
22. Reverse Engineering
• Targets To Reverse
• WMI Handlers
• Handle WMI commands from Linux Kernel
• Send back WMI indication to Linux Kernel
• Offload Handlers
• Handle OTA Packets
WMI Handler
Non-Data Handler Data Handler
Offload MAC Layer
Physical Layer OTA Packet
26. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
28. Mitigation Table (WLAN & Modem)
Mitigation Status
Heap ASLR Y
Heap Cookie Y
Stack Cookie Y
W^X Y
FRAMELIMIT* Y
FRAMEKEY** Y
Code & Global Data ASLR N
CFI N
*FRAMELIMIT Register - If SP < FRAMELIMIT throw exception
**FRAMEKEY Register - Return Address XOR FRAMEKEY. A random integer different for every thread
30. The Vulnerability (CVE-2019-10540)
[GLOBAL] char *GlobalBuffer[10 * 0xB0 + 6];
unsigned int itemCount = 0;
for (unsigned int i = 0; i < Length; i += 0x44) {
memcpy (GlobalBuffer + 6 + itemCount * 0xB0,
OTA_DataPtr + i,
0x44);
itemCount++;
}
* Translated and simplified the code flow
Copy items from packet into Global Static Buffer.
Max Item Count = 10
Send 11 items -> Overflow!
34. Usage Of Smart Pointer
Char **AddressOfSmartPointer = GlobalBuffer + 6 + 0xB0 * 11 + 0xC;
char *SmartPointer = *AddressOfSmartPointer; // Overwrite with vulnerability
char *MacAddress = OTA_DataPtr + 0x10;
char *BYTE_C = OTA_ DataPtr + 0x10 + 0x20;
char *BYTE_D = OTA_ DataPtr + 0x10 + 0x21;
char *BYTE_14 = OTA_ DataPtr + 0x10 + 0x22;
if (TestBit(SmartPointer, 0) == 1) { // The only constraint, Bit0 == 1
if (memcmp(SmartPointer + 6, MacAddress, 6) == 0) {
// From OTA Data, could be bypass
*(SmartPointer + 0xC) = *BYTE_C; // Overwrite 0xC
*(SmartPointer + 0xD) = *BYTE_D; // Overwrite 0xD
*(SmartPointer + 0x14) = *BYTE_14;
}
}
* Translated and simplified the code flow
35. Global Write With Constraint
0xXXXXXXXX
SmartPointer
00 00 00 01
00 00 00 00
00 00 00 00
12 34 56 78
0xXXXXXXXX
+4
+8
+C
00 00 00 01
MA CA 00 00
AD DR ES SS
12 34 ?? ??
+4
+8
+C
+0 Bit 0
Write
MAC
Step 1 Overwrite SmartPointer Step 2 Global Write (Using SmartPointer)
36. Global Write With Constraint
How to write 4 bytes?
MACA 00 00
AD DR ES SS
12 34 ?? ??
+4
+8
+C
+0 Bit 0
MAC
0xXXXXXXXXSmartPointer
Step 1 Overwrite SmartPointer
Write Low 2 Bytes
00 01 00 01
00 00 00 00
MA CA DD RE
?? ?? SS SS
+4
+8
+C
+0 Bit 16
MAC
Write High 2 Bytes
00 01 00 01
Step 4 Global Write (Using SmartPointer)
0xXXXXXXXX+2SmartPointer
Step 3 Overflow SmartPointer
Step 2 Global Write (Using SmartPointer)
37. Global Write With Constraint
The Bit0 != 1?
MACA 00 00
AD DR ES SS
12 34 ?? ??
Bit0 != 1
MAC
00 00 00 00
Target
00 00 00 00
00 00 00 01
Bit0 == 1?
MAC
00 00 00 01
+4
+8
+C
+0
-8
-4
-C
39. Transform To Arbitrary Write
TARGET PC
TARGET R0
Item1
Payload1
Item2
Payload2
…
FOP Gadget
40. Run Useful FOP Gadget
Function Pointer(PC)
Data Pointer (R0)
Step 1 Arbitrary Write Overwrite function pointer
Step 2 Arbitrary Write Overwrite data pointer
Item1
Payload1
Item2
Payload2
…
Step 3 Send payload packet and trigger the PC
45. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
47. From WLAN to Modem
WLAN
Kernel
Modem
* TLB is a Hexagon Instruction to modify the Memory Page Attribute
** Complex Function uses the resource of Modem, or calls System Call
*** Simple Code Snippet mean code has only register operation
QURT OS
Actions From WLAN Eligible?
TLB Set* N
Write Modem Data N
Call Modem Complex Function** N
Call Modem Simple Code Snippet*** Y
Map Modem Memory Y
Userspace
49. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
51. The Attack Surfaces
Linux Kernel Modem
Userspace APP
TrustZone
AT Command
Glink
DIAG
QMI
WMI
APR
Share Memory
52. • We’ve found
An arbitrary memory read/write vulnerability
Could bypass all the mitigations of Linux Kernel
From Modem into Linux Kernel
• In these attack surfaces
• But we are unable to disclose the detail now
53. Agenda
• Introduction and Related Work
• The Debugger
• Reverse Engineering and Attack Surface
• Vulnerability and Exploitation
• Escaping into Modem
• Escaping into Kernel
• Stability of Exploitation
• Conclusions
58. Future Works
• There are still lots of mystery in the WLAN.
• We were only reversed a small part of the code
• Lots of functions are unknown
• How to fuzz the WLAN Firmware?
• Reverse engineering is quite…
• How to fuzz closed source target and Hexagon architecture effectively?
• Translate Hexagon Instruction to C?
• IDA/Ghidra F5 plugin?
59. Timeline
• 2019-2-14 Find the Modem debug vulnerability on MSM8998
• 2019-3-24 Find the WLAN issue and report to Google
• 2019-3-28 Google forwards the issue to Qualcomm
• 2019-4-24 Google confirms the WLAN issue as Critical
• 2019-5-08 Report the WLAN into Linux Kernel issue to Google
• 2019-5-24 Google confirms the WLAN into Linux Kernel issue
• 2019-5-28 Submit the full exploit chain to Google
• 2019-6-04 Google reply unable to reproduce the full exploit chain
• 2019-6-17 Improve the stability and submit to Google
• 2019-7-19 CVE Assigned by Google
• 2019-7-20 Qualcomm confirms issues will be fixed before October
• 2019-8-0? Google release the fix for Google Pixel2/Pixel3