RED BALLOON Security

FRAK: Firmware Reverse Analysis Konsole

Ang Cui
a@redballoonsecurity.com

7.27.2012 Defcon 20
Who am I / What do I do

5th Year Ph.D. Candidate, Intrusion Detection Systems Lab, Columbia University
Co-Founder and CEO, Red Balloon Security Inc., www.redballoonsecurity.com

Past publications:
• Pervasive Insecurity of Embedded Network Devices. [RAID10]
• A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]
• Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11]
• Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]
• From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11]

Past Embedded Tinkerings:
• Interrupt-Hijack Cisco IOS Rootkit
• HP LaserJet Printer Rootkit

Interrupt-Hijack Shellcode [blackhat USA 2011]

HP-RFU Vulnerability: HP LaserJet 2550 Rootkit [28c3]

Attack chain (diagram: Attacker | Firewall | Network Printer | Server):
1. Reverse Proxy: Printer -> Attacker
2. Reverse Proxy: Printer -> Victim (Server)
3. Attacker -> Server via Reverse Proxy
4. Win: Reverse Shell, Server -> Kitteh

WORKFLOW [XYZ Embedded {Offense|Defense}]

Unpacking Process:
  Binary Firmware Image
  -> Parse Package Manifest
  -> For each "Record" in Firmware: De{crypt,compress}
       Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?
       Known Algorithm or Proprietary Algorithm?
  -> For each "unpacked Record" in Firmware: FileSystem Extraction
       Known Format or Proprietary Format?
  -> Analysis and Manipulation of Firmware

Re-Packing Process:
  -> For each "unpacked Record" in Firmware: Re-Pack Modified File System
       Known Format or Proprietary Format?
  -> Re-{crypt,compress}, Recalculate Checksum, etc
       Record Encrypted? Record Compressed? Record Checksummed? Record Digitally Signed?
       Known Algorithm or Proprietary Algorithm?
  -> Repack All Binary "records"
  -> Re-generate Package Manifest

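The unpack / modify / repack loop above, reduced to working code. This is an added example, not FRAK's code and not any vendor's format: the "XYZ" container (a magic-plus-count manifest header followed by records with type, flags, stored length and a CRC32 over the stored bytes) is made up here to mirror the generic manifest-plus-records layout in the workflow, and the record types and flag bit are likewise assumptions. It covers the "Compressed?" and "Checksummed?" branches of the per-record step and the manifest regeneration on the way back.

```python
"""Unpack / modify / repack a toy record-based firmware container.

Added example, not FRAK's code. The XYZ layout below is constructed to
mirror the manifest-plus-records workflow; no vendor format is implied.
"""
import struct
import zlib

MAGIC = b"XYZF"                 # hypothetical manifest magic (assumption)
FLAG_COMPRESSED = 0x01          # record payload is zlib-compressed (assumption)
RT_BOOT, RT_ROOTFS = 1, 2       # hypothetical record types (assumption)

HDR = struct.Struct("<4sI")     # manifest header: magic, record count
REC = struct.Struct("<BBII")    # record header: type, flags, stored length,
                                # CRC32 over the *stored* (compressed) bytes


class FirmwareError(ValueError):
    """Raised when the image fails a structural or checksum check."""


def pack_image(records):
    """records: iterable of (rtype, flags, plaintext) -> image bytes.

    This is the whole 'Re-Packing Process': per record recompress and
    recalculate the checksum, then regenerate the manifest header.
    """
    records = list(records)
    out = [HDR.pack(MAGIC, len(records))]
    for rtype, flags, data in records:
        stored = zlib.compress(data) if flags & FLAG_COMPRESSED else data
        crc = zlib.crc32(stored) & 0xFFFFFFFF
        out.append(REC.pack(rtype, flags, len(stored), crc))
        out.append(stored)
    return b"".join(out)


def unpack_image(image):
    """image bytes -> list of (rtype, flags, plaintext).

    Every length is bounds-checked before use and the checksum is verified
    before decompression, so a corrupt record is reported, not fed to zlib.
    """
    if len(image) < HDR.size or image[:4] != MAGIC:
        raise FirmwareError("bad magic or truncated header")
    _, count = HDR.unpack_from(image, 0)
    off = HDR.size
    records = []
    for i in range(count):
        if off + REC.size > len(image):
            raise FirmwareError(f"truncated header of record {i}")
        rtype, flags, length, crc = REC.unpack_from(image, off)
        off += REC.size
        stored = image[off:off + length]
        if len(stored) != length:
            raise FirmwareError(f"truncated payload of record {i}")
        off += length
        if zlib.crc32(stored) & 0xFFFFFFFF != crc:
            raise FirmwareError(f"checksum mismatch on record {i}")
        data = zlib.decompress(stored) if flags & FLAG_COMPRESSED else stored
        records.append((rtype, flags, data))
    if off != len(image):
        raise FirmwareError("trailing bytes after last record")
    return records


def is_valid_image(image):
    """True if the image parses and every record checksum matches."""
    try:
        unpack_image(image)
        return True
    except (FirmwareError, zlib.error):
        return False


def patch_record(image, rtype, transform):
    """Unpack, apply transform() to records of the given type, repack."""
    patched = [(t, f, transform(d) if t == rtype else d)
               for t, f, d in unpack_image(image)]
    return pack_image(patched)


def demo():
    """Round trip, next to the classic failure: editing stored bytes in place."""
    # Constructed sample image: a raw boot record and a compressed rootfs record.
    original = pack_image([
        (RT_BOOT, 0, b"BOOT-STUB"),
        (RT_ROOTFS, FLAG_COMPRESSED, b"/etc/init.d/rcS " * 8 + b"/bin/sh"),
    ])
    # Modify the rootfs record through the unpack/repack path: checksums regenerated.
    patched = patch_record(original, RT_ROOTFS,
                           lambda d: d.replace(b"/bin/sh", b"/bin/sh -i"))
    # Modify the same image by flipping one stored byte without repacking.
    tampered = bytearray(original)
    tampered[-1] ^= 0xFF
    return is_valid_image(patched), is_valid_image(bytes(tampered))


if __name__ == "__main__":
    print(demo())   # (True, False)
```

A CRC is something the repacker can always recompute, which is exactly why a loader that checks only a checksum gives no integrity against anyone who can run this loop; the "Digitally Signed?" branch is the one that cannot be regenerated without the signing key, and "Known Algorithm or Proprietary Algorithm?" is the question that decides how much of the image is reachable at all.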
  
Payload Design
Reasons why Ang stays home on Friday night:
  Payload Design
  Payload Development
  Payload Testing
  STARE @ BINARY BLOB   <- THIS PART

  
F R A K: Firmware Reverse Analysis Konsole
[Better Living Through Software Engineering]

Format modules: HP-RFU Module | Cisco IOS Module | Cisco-CNU Module | XYZ-Format Module | Arbitrary Firmware Image of Unknown Format
  |
  v
Firmware Unpacking Engine  ->  Unpacked Firmware Binary
  |
  v
Firmware Analysis Engine
  |
  v
Firmware Modification Engine  <-  Software Symbiotes | XYZ Dynamic Instrumentation & Rootkit
  |
  v
Firmware Repacking Engine

Access: Programmatic API | Interactive Console

Unpack, Analyze, Modify, Repack: Cisco IOS

Payload Design
Reasons why Ang stays home on Friday night:
  Payload Design
  Payload Development
  Payload Testing
  STARE @ BINARY BLOB   <- THIS PART: ?   Thanks FRAK!

Demos
                •    Packer/Repacker for Cisco IOS, HP-RFU
                •    Automagic Binary Analysis
                •    IDA-Pro Integration
                •    Entropy-related Analysis
                •    Automated IOS/RFU Rootkit Injection
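The "Entropy-related Analysis" item above, as an added example that is not FRAK's implementation: a sliding-window Shannon entropy scan is the usual first cut for deciding which records of an unknown image need a de{crypt,compress} step before anything else will parse. The 7.5 bits/byte threshold and the window size are assumptions (rules of thumb to tune per target), and the sample image is constructed inline.

```python
"""Sliding-window entropy scan of a firmware image.

Added example, not FRAK's code. Shannon entropy per fixed-size window
separates zero padding (0.0), code and text (mid range) and compressed or
encrypted payloads (close to 8 bits/byte).
"""
import math
from collections import Counter


def shannon_entropy(chunk):
    """Bits of entropy per byte of chunk: 0.0 for empty or uniform, 8.0 max."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def window_entropy(data, window=256):
    """[(offset, entropy)] for consecutive non-overlapping windows."""
    return [(off, shannon_entropy(data[off:off + window]))
            for off in range(0, len(data), window)]


def find_high_entropy_regions(data, window=256, threshold=7.5):
    """Merge adjacent high-entropy windows into [(start, end)] byte ranges.

    threshold is an assumption: 7.5 bits/byte is a common rule of thumb for
    'compressed or encrypted' and should be tuned per target.
    """
    regions, start = [], None
    for off, h in window_entropy(data, window):
        if h >= threshold:
            if start is None:
                start = off
        elif start is not None:
            regions.append((start, off))
            start = None
    if start is not None:
        regions.append((start, len(data)))
    return regions


def build_sample_image():
    """Constructed image: zero padding, a max-entropy blob, then ASCII text."""
    padding = b"\x00" * 1024                   # entropy 0.0
    blob = bytes(range(256)) * 4               # every byte value equally often: 8.0
    text = b"show running-config\n" * 51       # text-like, well below 7.5
    return padding + blob + text


if __name__ == "__main__":
    image = build_sample_image()
    for off, h in window_entropy(image):
        print(f"{off:#08x}  {h:4.2f}  {'#' * int(h * 4)}")
    print("high-entropy regions:", find_high_entropy_regions(image))
```

High entropy alone does not distinguish compression from encryption; the follow-up is to look for a known compressor's header at the region start (the "Known Algorithm or Proprietary Algorithm?" question from the workflow) and, failing that, to treat the region as the candidate for the proprietary branch.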




  
FRAK Konsole

FRAK is still WIP. For Early Access, contact Frak-request@redballoonsecurity.com

DefCon 2012 - Firmware Vulnerability Hunting with FRAK

  • 1. RED BALLOON Security FRAK: Firmware Reverse Analysis Konsole Ang Cui a@redballoonsecurity.com 7.27.2012   Defcon  20  
  • 2. 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University W h o a m I What do I DO 7.27.2012   Defcon  20  
  • 3. 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. W h o a m www.redballoonsecurity.com I What do I DO 7.27.2012   Defcon  20  
  • 4. 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. W h o a m www.redballoonsecurity.com I Past publications: •  What do I Pervasive Insecurity of Embedded Network Devices. [RAID10] •  A Quantitative Analysis of the Insecurity DO of Embedded Network Devices. [ACSAC10] •  Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT 11] •  Defending Legacy Embedded Systems with Software Symbiotes. [RAID11] •  From Prey to Hunter: Transforming Legacy Embedded Devices Into Exploitation Sensor Grids. [ACSAC11] 7.27.2012   Defcon  20  
  • 5. 5th Year Ph.D. Candidate Intrusion Detection Systems Lab Columbia University Co-Founder and CEO Red Balloon Security Inc. W h o a m www.redballoonsecurity.com I Past Embedded Tinkerings: •  What do I •  Interrupt-Hijack Cisco IOS Rootkit HP LaserJet Printer Rootkit DO 7.27.2012   Defcon  20  
  • 6. Interrupt-Hijack Shellcode [blackhat USA 2011] 7.27.2012   Defcon  20  
  • 7. HP-RFU Vulnerability HP LaserJet 2550 Rootkit [28c3] Attacker 4. Win: Reverse Shell Server -> Kitteh 1. Reverse Proxy Printer -> Attacker Firewall 2. Reverse Proxy Printer -> Victim Server Network Printer 3. Attacker -> Server Via Reverse Proxy 7.27.2012   Defcon  20  
  • 8. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: Binary Firmware Image Analysis and Manipulation Firmware Re-Packing Process 7.27.2012   Defcon  20  
  • 9. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: Binary Firmware Image Parse Analysis and Manipulation Package Manifest Firmware Re-Packing Process 7.27.2012   Defcon  20  
  • 10. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} Binary Firmware Image For each "Record" Record Parse In Firmware Record Record Record Digitally Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Firmware Re-Packing Process 7.27.2012   Defcon  20  
  • 11. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} For each Binary Firmware Image For each "Record" "unpacked Record" Record In Firmware Parse In Firmware Record Record Record Digitally FileSystem Extraction Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format? Firmware Re-Packing Process 7.27.2012   Defcon  20  
  • 12. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} For each Binary Firmware Image For each "Record" "unpacked Record" Record In Firmware Parse In Firmware Record Record Record Digitally FileSystem Extraction Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format? Firmware Re-Packing Process 7.27.2012   Defcon  20  
  • 13. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} For each Binary Firmware Image For each "Record" "unpacked Record" Record In Firmware Parse In Firmware Record Record Record Digitally FileSystem Extraction Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format? Firmware For each "unpacked Record" Re-Pack Modified In Firmware File System Known Format or Proprietary Format? Re-Packing Process 7.27.2012   Defcon  20  
  • 14. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} For each Binary Firmware Image For each "Record" "unpacked Record" Record In Firmware Parse In Firmware Record Record Record Digitally FileSystem Extraction Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format? Firmware For each "unpacked Re-{cript,compress}, Recalculate Checksum, etc Record" Re-Pack Modified In Firmware Record Record Record Record Digitally File System Encrypted? Compressed? Checksummed? Signed? Known Format or Proprietary Format? Known Algorithm or Proprietary Algorithm? Re-Packing Process 7.27.2012   Defcon  20  
  • 15. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} For each Binary Firmware Image For each "Record" "unpacked Record" Record In Firmware Parse In Firmware Record Record Record Digitally FileSystem Extraction Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format? Firmware For each "unpacked Re-{cript,compress}, Recalculate Checksum, etc Record" Re-Pack Modified In Firmware Repack Record Record Record Record Digitally File System All Binary Encrypted? Compressed? Checksummed? Signed? "records" Known Format or Proprietary Format? Known Algorithm or Proprietary Algorithm? Re-Packing Process 7.27.2012   Defcon  20  
  • 16. WORKFLOW [XYZ Embedded {Offense|Defense}] Unpacking Process: De{cript,compress} For each Binary Firmware Image For each "Record" "unpacked Record" Record In Firmware Parse In Firmware Record Record Record Digitally FileSystem Extraction Encrypted? Compressed? Checksummed? Analysis and Manipulation Package Signed? Manifest Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format? Firmware For each "unpacked Re-{cript,compress}, Recalculate Checksum, etc Record" Re- Re-Pack Modified In Firmware Repack Record generate Record Record Record Digitally File System All Binary Encrypted? Compressed? Checksummed? Package Signed? "records" Manifest Known Format or Proprietary Format? Known Algorithm or Proprietary Algorithm? Re-Packing Process 7.27.2012   Defcon  20  
• 17. Payload Design. Reasons why Ang stays home on Friday night.
• 18. Payload Design. Reasons why Ang stays home on Friday night: Payload Development.
• 19. Payload Design. Reasons why Ang stays home on Friday night: Payload Development, Payload Testing.
• 20. Payload Design. Reasons why Ang stays home on Friday night: Payload Development, Payload Testing, STARE @ BINARY BLOB.
• 21. Payload Design. Reasons why Ang stays home on Friday night (pie chart): Payload Design, Payload Development, Payload Testing, STARE @ BINARY BLOB. THIS PART (the STARE @ BINARY BLOB slice).
• 22. FRAK: Firmware Reverse Analysis Konsole [Better Living Through Software Engineering].
• 23. FRAK: Firmware Reverse Analysis Konsole (architecture): Firmware Unpacking Engine, Firmware Analysis Engine, Firmware Modification Engine, Firmware Repacking Engine; access via Programmatic API and Interactive Console.
• 24. FRAK: Firmware Reverse Analysis Konsole (architecture): HP-RFU Module, Cisco IOS Module, Cisco-CNU Module, XYZ-Format Module; Arbitrary Firmware Image of Unknown Format; Firmware Unpacking Engine, Firmware Analysis Engine, Firmware Modification Engine, Firmware Repacking Engine; access via Programmatic API and Interactive Console.
• 25. FRAK: Firmware Reverse Analysis Konsole (architecture): HP-RFU Module, Cisco IOS Module, Cisco-CNU Module, XYZ-Format Module; Arbitrary Firmware Image of Unknown Format; Firmware Unpacking Engine, Firmware Analysis Engine; Unpacked Firmware Binary; Firmware Modification Engine, Firmware Repacking Engine; access via Programmatic API and Interactive Console.
• 26. FRAK: Firmware Reverse Analysis Konsole (architecture): HP-RFU Module, Cisco IOS Module, Cisco-CNU Module, XYZ-Format Module; Arbitrary Firmware Image of Unknown Format; Firmware Unpacking Engine, Firmware Analysis Engine; Unpacked Firmware Binary; XYZ Dynamic Software Instrumentation, Symbiotes & Rootkit; Firmware Modification Engine, Firmware Repacking Engine; access via Programmatic API and Interactive Console.
• 28. FRAK: Firmware Reverse Analysis Konsole. Unpack, Analyze, Modify, Repack: Cisco IOS.
• 29. Payload Design. Reasons why Ang stays home on Friday night, before: Payload Design, Payload Development, Payload Testing, STARE @ BINARY BLOB (THIS PART); after: Payload Design, Payload Development, Payload Testing, and the STARE @ BINARY BLOB slice becomes "?". Thanks FRAK!
• 30. Demos: Packer/Repacker for Cisco IOS, HP-RFU; Automagic Binary Analysis; IDA-Pro Integration; Entropy-related Analysis; Automated IOS/RFU Rootkit Injection.
• 31. FRAK Konsole.
• 32. FRAK is still WIP. For early access contact Frak-request@redballoonsecurity.com.