Embedded Device Firmware Vulnerability Hunting Using FRAK, the Firmware Reverse Analysis Konsole
FRAK is a framework for unpacking, analyzing, modifying and repacking the firmware images of proprietary embedded devices. The FRAK framework provides a programmatic environment for the analysis of arbitrary embedded device firmware as well as an interactive environment for the disassembly, manipulation and re-assembly of such binary images.
We demonstrate the automated analysis of Cisco IOS, Cisco IP phone and HP LaserJet printer firmware images. We show how FRAK can integrate with existing vulnerability analysis tools to automate bug hunting for embedded devices. We also demonstrate how FRAK can be used to inject experimental host-based defenses into proprietary devices like Cisco routers and HP printers.
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware (Lastline, Inc.)
Over the last few years, as the world has moved closer to realizing the idea of the Internet of Things, an increasing number of the analog things with which we used to interact every day have been replaced with connected devices. The increasingly complex systems that drive these devices have one thing in common: they must all communicate to carry out their intended functionality. Such communication is handled by firmware embedded in the device. And firmware, like any piece of software, is susceptible to a wide range of errors and vulnerabilities.
Automating Analysis and Exploitation of Embedded Device Firmware (Malachi Jones)
Dynamic binary analysis tools utilize a combination of techniques that include fuzzing, symbolic execution, and concolic execution to discover exploitable code in sophisticated binaries. Much work has been dedicated to developing automated analysis tools to target mainstream processor architectures (e.g., x86 and x86_64). An often overlooked and inadequately addressed area is the development of tools that target embedded systems processors such as PowerPC, MIPS, and SuperH. Historically, a challenge with targeting multiple embedded architectures was that it was often necessary to write a separate analysis tool for each architecture.
In this talk, we'll discuss an approach for decoupling the architecture specifics from the analysis by utilizing intermediate representation (IR) languages. Intermediate representation languages provide a method to abstract out machine specifics in order to aid in the analysis of computer programs. In particular, the LLVM IR language provides an extensive set of analysis and optimization libraries, along with a JIT engine, that can be collectively utilized to develop architecture-independent automated analysis and exploitation tools.
The Top Skills That Can Get You Hired in 2017 (LinkedIn)
We analyzed all the recruiting activity on LinkedIn this year and identified the Top Skills employers seek. Starting Oct 24, learn these skills and much more for free during the Week of Learning.
#AlwaysBeLearning https://learning.linkedin.com/week-of-learning
Black Hat USA 2014 - A Practical Attack Against Virtual Desktop Infrastructur... (Lacoon Mobile Security)
This document discusses practical attacks against virtual desktop infrastructure (VDI) solutions. It begins with introductions to the presenters and an overview of mobile VDI. It then outlines four threats: 1) using a remote access Trojan to keylog credentials, 2) directly grabbing credentials from an Android device, 3) screen scraping on Android, and 4) man-in-the-middle session hijacking on iOS. It argues that a layered mobile security approach is needed to protect VDI, including device assessment, reducing attack surfaces, threat detection, and risk mitigation.
ZeroVM background: an introduction to some of the concepts behind ZeroVM. A short discussion of the Google Native Client project and software-based fault isolation is also provided.
The presentation focuses on the responsibilities, practices, processes, tools, and techniques that systematically increase security in the secure software development lifecycle (SSDLC). Software should be provisioned uniformly and declaratively, regardless of whether software artifacts are produced in-house or purchased. This is the foundation for effective quality and security standardization, which are key facilitators of reliability engineering.
1. JAR attacks are complex and use obfuscation and reflection to evade static analysis, posing challenges for detection.
2. Executing JAR files within sandbox environments requires correct input parameters, an active internet connection, and the appropriate Java version, which sandboxes still struggle with.
3. An effective detection model requires multi-vector and multi-flow analysis to correlate static, dynamic, and network behaviors and detect sophisticated unknown JAR attacks.
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
Don't Judge a Website by its Icon - Read the Label! (Dinis Cruz)
Jeff Williams' presentation at OWASP AppSecDC 2010. See https://www.owasp.org/index.php/Don%27t_Judge_a_Website_by_its_Icon_-_Read_the_Label! for more details.
This document summarizes a presentation on the web forensics and analysis tool Fireshark. It discusses how Fireshark allows automated browsing and passive logging of connection data, source content, JavaScript calls and page links to help analyze malicious websites and mass injection attacks. Specific use cases covered include analyzing website architectures, redirection chains, and profiling compromised content. The document also provides examples of analyzing real injection campaigns using Fireshark to gain insights into exploitation techniques and patterns used by attackers on the web.
This document discusses various web vulnerabilities and exploitation techniques. It begins with an overview of trends in web vulnerabilities and exploitation shifting towards client-side attacks. It then details several exemplary web vulnerability hunting techniques, including cross-interface attacks exploiting backend login consoles, SQLXSSI attacks that fuse SQL injection and XSS, document rendering attacks, flaws in web widget interfaces, persistent redirection attacks, and declarative security manipulation. The goal is to understand different attack methods and surfaces for testing web applications.
1. The document discusses various ways to configure complex workflows in Jenkins using plugins like the Parameterized Trigger Plugin, Multi-Configuration Project, Promoted Builds Plugin, and Fingerprint Plugin.
2. Key aspects covered include passing parameters between jobs, running jobs in parallel configurations, promoting builds between stages like testing and production, and tracking artifacts and dependencies between jobs.
3. Advanced workflow capabilities in Jenkins allow automating multi-step build, test, and deployment processes in a flexible and reusable manner.
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out... (MindShare_kk)
Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it has been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned out to be particularly challenging, and hasn't been witnessed in the wild yet.
This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.
The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.
Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.
The document discusses software composition and dependency management in PHP projects. It provides information on project dependencies, managing third-party code and licenses, monitoring code quality and vulnerabilities, and maintaining a product lifecycle for updates and security fixes. Key aspects covered include dependency trees, release roadmaps, vulnerability analysis tools, outdated packages, license checks, and OWASP recommendations for component analysis.
The document discusses LLVM and its use in building programming language compilers and runtimes. It provides an overview of LLVM, including its core components like its intermediate representation (IR), optimizations, and code generation capabilities. It also discusses how LLVM is used in various applications like Android, browsers, and graphics processing. Examples are given of using Clang and LLVM to compile and run a simple C program.
Breaking the Laws of Robotics: Attacking Industrial Robots (Speck&Tech)
ABSTRACT: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices but include complex embedded controllers, which are often interconnected with other computers in the factory network and with safety systems, and connected to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, a single, simple vulnerability can grant attackers an easy entry point. The talk will discuss how remote attackers are able to attack such robots up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.
BIO: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently a full professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyber-physical security, and cybersecurity in general. Besides teaching “Computer Security” and “Digital Forensics and Cybercrime” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 100 scientific papers and books. He is a Senior Member of the IEEE and the IEEE Computer Society, which has named him a Distinguished Lecturer and Distinguished Contributor; he is a lifetime senior member of the ACM, which has named him a Distinguished Speaker; and has been named a Fellow of the ISSA (Information System Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading cybersecurity assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you'll learn about some of the weaknesses in Android's model (including rooting, tap-jacking, malware, and social engineering) as well as what can be done to mitigate those threats, such as SELinux, memory protection, anti-malware, firewalls, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
A taxonomy of obfuscating transformations (emanuele_nl)
The document describes techniques for obfuscating software code to prevent reverse engineering attacks. It introduces code obfuscation as the most viable method for protecting software secrets. The paper then outlines a taxonomy of code transformations that can be used for obfuscation, classifying them based on their potency, resilience against deobfuscation, and performance overhead. It also discusses potential deobfuscation techniques and countermeasures an obfuscator could employ.
Empowering Application Security Protection in the World of DevOps (IBM Security)
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today's popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
The document discusses several challenges facing cyber security, including:
1) Attackers were able to easily compromise a fully patched DoD system within days through multiple remote accesses and local privilege escalations.
2) Users are often the weak link as many fall victim to hijacked websites and infected documents.
3) Integrated circuits and hardware used in systems may have been compromised in the supply chain as many are manufactured overseas.
4) Physical systems like cars and industrial control systems are vulnerable to cyber attacks which could disable brakes or take control of acceleration.
5) While defensive cyber spending is rising, the number of reported cyber incidents continues to grow and attackers require far fewer resources and less code
2012 04 Analysis Techniques for Mobile OS Security (Raleigh ISSA)
The document discusses security analysis techniques for mobile operating systems. It covers how smartphones differ from traditional computing in their usage model and risk profile. It also discusses rethinking host security for smartphones by defining permissions that applications can access and focusing on what permissions applications ask for and how they use those permissions. The document uses Kirin, a modified Android application installer, as an example to evaluate application policies and permissions at install time to determine if they pose security risks.
Symantec Endpoint Protection 12 provides a single agent and console for antivirus, antispyware, firewall, and other protections across Windows and Mac devices. It uses a new Insight technology powered by data from over 175 million endpoints to detect emerging and mutated threats that evade traditional signature-based scanning. Insight analyzes factors like file age, frequency, location, and community reputation ratings to proactively protect against new threats. Testing shows Symantec provides the most effective security with fewer false positives than competitors like Sophos, Kaspersky, Trend Micro, Microsoft, and McAfee.
The document discusses security vulnerabilities that have been found in security products. It notes that security products are high-value targets for hackers as they are present on most systems. It then summarizes several past attacks on major security companies and products that have allowed compromise, including the RSA SecurID token theft and vulnerabilities in antivirus software. The document analyzes trends in vulnerabilities found across security product categories and vendors.
The Seven Most Dangerous New Attack Techniques, and What's Coming Next (Priyanka Aash)
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned to know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
(Source: RSA USA 2016-San Francisco)
DHS - Recommendations for Securing Zigbee Networks in Process Control Systems (Michael Smith)
This document provides recommendations for securing ZigBee wireless networks used in industrial process control systems. It begins with an introduction to ZigBee and discusses the underlying IEEE 802.15.4 standard. The document then examines ZigBee network topologies, security features, design principles and best practices. It concludes with considerations for implementing ZigBee networks in industrial environments.
This document discusses exploiting vulnerabilities in Siemens Simatic S7 programmable logic controllers (PLCs). It describes how PLCs have evolved to use open communication protocols like PROFINET over Ethernet without sufficient security. The document demonstrates how an attacker could perform reconnaissance against PLCs using Metasploit and custom modules to run replay attacks, memory dumps, and other exploits remotely. It stresses the need for vendors and researchers to work together to promote responsible vulnerability disclosure and mitigation.
Similar to DefCon 2012 - Firmware Vulnerability Hunting with FRAK
This document introduces tools and techniques for preliminary malware analysis. It discusses examining malware behavior through static analysis, behavioral tracing, and sandboxing. Specific tools are presented for observing malware snapshots, tracing its behavior, and containing it in a sandbox. Process-based and stealthy malware are discussed, along with vulnerabilities of rootkits and tools for rootkit detection. The goal is to present a model for beginning reverse engineering of malware through observation and experimentation in a contained environment.
Don't Judge a Website by its Icon - Read the Label!Dinis Cruz
Jeff Williams presentation at OWASP AppSecDC 2010. see https://www.owasp.org/index.php/Don%27t_Judge_a_Website_by_its_Icon_-_Read_the_Label! for more details
This document summarizes a presentation on the web forensics and analysis tool Fireshark. It discusses how Fireshark allows automated browsing and passive logging of connection data, source content, JavaScript calls and page links to help analyze malicious websites and mass injection attacks. Specific use cases covered include analyzing website architectures, redirection chains, and profiling compromised content. The document also provides examples of analyzing real injection campaigns using Fireshark to gain insights into exploitation techniques and patterns used by attackers on the web.
This document discusses various web vulnerabilities and exploitation techniques. It begins with an overview of trends in web vulnerabilities and exploitation shifting towards client-side attacks. It then details several exemplary web vulnerability hunting techniques, including cross-interface attacks exploiting backend login consoles, SQLXSSI attacks that fuse SQL injection and XSS, document rendering attacks, flaws in web widget interfaces, persistent redirection attacks, and declarative security manipulation. The goal is to understand different attack methods and surfaces for testing web applications.
1. The document discusses various ways to configure complex workflows in Jenkins using plugins like the Parameterized Trigger Plugin, Multi-Configuration Project, Promoted Builds Plugin, and Fingerprint Plugin.
2. Key aspects covered include passing parameters between jobs, running jobs in parallel configurations, promoting builds between stages like testing and production, and tracking artifacts and dependencies between jobs.
3. Advanced workflow capabilities in Jenkins allow automating multi-step build, test, and deployment processes in a flexible and reusable manner.
BlackHat EU 2012 - Zhenhua Liu - Breeding Sandworms: How To Fuzz Your Way Out...MindShare_kk
Adobe's interpretation of sandboxing is called Adobe Reader X Protected Mode. Inspired by Microsoft's Practical Windows Sandboxing techniques, it was introduced in July 2010. So far, it had been doing a good job at limiting the impact of exploitable bugs in Adobe Reader X, as escaping the sandbox after successful exploitation turned to be particularly challenging, and hasn't been witnessed in the wild, yet.
This paper exposes how we did just this: By leveraging some broker APIs, a policy flaw, and a little more, we were able to break free from Adobe's sandbox.
The particular vulnerability we used was patched by Adobe in September 2011 (CVE-2011-1353), as a result of our responsible disclosure action; yet, this demonstrates that Adobe's sandbox cannot be considered a panacea against security flaws exploitation in Adobe Reader X, and paves the way toward further interesting discoveries for security researchers.
Indeed, beyond this particular vulnerability, this paper dives deep into the sandbox implementation of Adobe Reader X, and debates ways to audit its broker APIs, which, to our minds, offer a major attack surface. In particular, the paper details how we configured an open-source fuzzing tool to audit them through the IPC Framework.
The document discusses software composition and dependency management in PHP projects. It provides information on project dependencies, managing third-party code and licenses, monitoring code quality and vulnerabilities, and maintaining a product lifecycle for updates and security fixes. Key aspects covered include dependency trees, release roadmaps, vulnerability analysis tools, outdated packages, license checks, and OWASP recommendations for component analysis.
The document discusses LLVM and its use in building programming language compilers and runtimes. It provides an overview of LLVM, including its core components like its intermediate representation (IR), optimizations, and code generation capabilities. It also discusses how LLVM is used in various applications like Android, browsers, and graphics processing. Examples are given of using Clang and LLVM to compile and run a simple C program.
Breaking the Laws of Robotics: Attacking Industrial RobotsSpeck&Tech
ABSTRACT: Industrial robots are complex cyber-physical systems used for manufacturing, and a critical component of any modern factory. These robots aren't just electromechanical devices but include complex embedded controllers, which are often interconnected with other computers in the factory network, safety systems, and to the Internet for remote monitoring and maintenance. In this scenario, industrial routers also play a key role, because they directly expose the robot's controller. Therefore, the impact of a single, simple vulnerability can grant attackers an easy entry point. The talk will discuss how remote attackers are able to attack such robots up to the point where they can alter the manufactured product, physically damage the robot, steal industry secrets, or injure humans.
BIO: Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently a full professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyber-physical security, and cybersecurity in general. Besides teaching “Computer Security” and “Digital Forensics and Cybercrime” at Politecnico, he has extensive speaking and training experience in Italy and abroad. He co-authored over 100 scientific papers and books. He is a Senior Member of the IEEE and the IEEE Computer Society, which has named him a Distinguished Lecturer and Distinguished Contributor; he is a lifetime senior member of the ACM, which has named him a Distinguished Speaker; and has been named a Fellow of the ISSA (Information System Security Association). Stefano is also a co-founder and chairman of Secure Network, a leading cybersecurity assessment firm, and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
Video at http://mrkn.co/andsec
With Android activations reaching a million devices per day, it is no surprise that security threats against our favorite mobile platform have been on the rise.
In this session, you will learn all about Android's security model, including application isolation (sandboxing) and provenance (signing), its permission system and enforcement, data protection features and encryption, as well as enterprise device administration.
Together, we will dig into Android's own internals to see how its security model is applied through the entire Android stack - from the Linux kernel, to the native layers, to the Application Framework services, and to the applications themselves.
Finally, you’ll learn about some of the weaknesses in the Android's model (including rooting, tap-jacking, malware, social-engineering) as well as what can be done to mitigate those threats, such as SE-Linux, memory protection, anti-malware, firewall, and developer best practices.
By the end of this session you will have a better understanding of what it takes to make Android a more trusted component of our personal and professional lives.
A taxonomy of obfuscating transformationsemanuele_nl
The document describes techniques for obfuscating software code to prevent reverse engineering attacks. It introduces code obfuscation as the most viable method for protecting software secrets. The paper then outlines a taxonomy of code transformations that can be used for obfuscation, classifying them based on their potency, resilience against deobfuscation, and performance overhead. It also discusses potential deobfuscation techniques and countermeasures an obfuscator could employ.
Empowering Application Security Protection in the World of DevOpsIBM Security
Watch on-demand now: https://securityintelligence.com/events/application-security-protection-world-of-devops/
How do organizations build secure applications, given today's rapidly moving and evolving DevOps practices? Development teams are aware of the shifting security challenges they face. However, they're by no means security experts, nor do they have spare time on their hands to learn new tools.
What can development teams do to keep pace with rapidly-evolving application security threats?
The answer lies in automation. By making application security part of the continuous build processes, organizations can protect against these major risks.
In this session, you will learn:
- New security challenges facing today’s popular DevOps and Continuous Integration (CI) practices, including managing custom code and open source risks with containers and traditional environments.
- Best practices for designing and incorporating an automated approach to application security into your existing development environment.
- Future development and application security challenges organizations will face and what they can do to prepare.
The document discusses several challenges facing cyber security, including:
1) Attackers were able to easily compromise a fully patched DoD system within days through multiple remote accesses and local privilege escalations.
2) Users are often the weak link as many fall victim to hijacked websites and infected documents.
3) Integrated circuits and hardware used in systems may have been compromised in the supply chain as many are manufactured overseas.
4) Physical systems like cars and industrial control systems are vulnerable to cyber attacks which could disable brakes or take control of acceleration.
5) While defensive cyber spending is rising, the number of reported cyber incidents continues to grow and attackers require far less resources and code
2012 04 Analysis Techniques for Mobile OS SecurityRaleigh ISSA
The document discusses security analysis techniques for mobile operating systems. It covers how smartphones differ from traditional computing in their usage model and risk profile. It also discusses rethinking host security for smartphones by defining permissions that applications can access and focusing on what permissions applications ask for and how they use those permissions. The document uses Kirin, a modified Android application installer, as an example to evaluate application policies and permissions at install time to determine if they pose security risks.
Symantec Endpoint Protection 12 provides a single agent and console for antivirus, antispyware, firewall, and other protections across Windows and Mac devices. It uses a new Insight technology powered by data from over 175 million endpoints to detect emerging and mutated threats that evade traditional signature-based scanning. Insight analyzes factors like file age, frequency, location, and community reputation ratings to proactively protect against new threats. Testing shows Symantec provides the most effective security with fewer false positives than competitors like Sophos, Kaspersky, Trend Micro, Microsoft, and McAfee.
The document discusses security vulnerabilities that have been found in security products. It notes that security products are high-value targets for hackers as they are present on most systems. It then summarizes several past attacks on major security companies and products that have allowed compromise, including the RSA SecurID token theft and vulnerabilities in antivirus software. The document analyzes trends in vulnerabilities found across security product categories and vendors.
The Seven Most Dangerous New Attack Techniques, and What's Coming NextPriyanka Aash
Which are the most dangerous new attack techniques for 2016/2017? How do they work? How can you stop them? What's coming next and how can you prepare? This fast-paced session provides answers from the three people best positioned to know: the head of the Internet Storm Center, the top hacker exploits expert/teacher in the U.S., and the top expert on cyberattacks on industrial control systems.
(Source: RSA USA 2016-San Francisco)
Similar to DefCon 2012 - Firmware Vulnerability Hunting with FRAK (20)
DHS - Recommendations for Securing Zigbee Networks in Process Control SystemsMichael Smith
This document provides recommendations for securing ZigBee wireless networks used in industrial process control systems. It begins with an introduction to ZigBee and discusses the underlying IEEE 802.15.4 standard. The document then examines ZigBee network topologies, security features, design principles and best practices. It concludes with considerations for implementing ZigBee networks in industrial environments.
This document discusses exploiting vulnerabilities in Siemens Simatic S7 programmable logic controllers (PLCs). It describes how PLCs have evolved to use open communication protocols like PROFINET over Ethernet without sufficient security. The document demonstrates how an attacker could perform reconnaissance against PLCs using Metasploit and custom modules to run replay attacks, memory dumps, and other exploits remotely. It stresses the need for vendors and researchers to work together to promote responsible vulnerability disclosure and mitigation.
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)Michael Smith
The document discusses vulnerabilities in Siemens Simatic S7 PLCs that communicate over ISO-TSAP on TCP port 102. It describes how the protocol was designed without security in mind and transmits packets in plaintext. This allows attackers to send crafted packets to disable protections, control operational states, modify logic, and shutdown connected processes on the PLCs. The document provides an introduction on testing various PLC models and analyzing their potential for exploitation.
BlackHat 2010 - Electricity for Free - The Dirty Underbelly of SCADA and Smar...Michael Smith
This document discusses vulnerabilities in SCADA and smart meter systems used for electricity generation, transmission, and distribution. It provides an overview of how electricity is generated, transmitted through high-voltage lines, and distributed through lower voltage lines to consumers. The document then details the methodology used to assess SCADA systems, common vulnerabilities found, and examples of vulnerabilities in programmable logic controllers and smart meters. The goal is to raise awareness of security issues in these critical infrastructure systems.
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
This document discusses a 16-bit rootkit and second generation Zigbee chips. It describes how the rootkit works by proxying a microcontroller's interrupt vector table to gain control of incoming packets. It also examines vulnerabilities in early Zigbee chips like the EM250 and CC2430 that exposed cryptographic keys due to debug interfaces and memory layout issues. Later generations of chips aim to address these security flaws.
DefCon 2012 - Sub-1 GHz Radio Frequency SecurityMichael Smith
This document provides an overview of sub-GHz radio frequencies and frequency hopping spread spectrum (FHSS) communications. It discusses FCC regulations for industrial, scientific, and medical (ISM) bands, popular frequencies used, common modulations, and technical details of radio configuration registers for the Chipcon CC1111 radio chip. It also summarizes the goals and capabilities of the RfCat toolkit for analyzing and interacting with sub-GHz radio protocols.
DefCon 2012 - Near-Field Communication / RFID Hacking - MillerMichael Smith
The document explores the NFC attack surface by examining NFC protocols and fuzzing the NFC stack on two devices. It finds that some phones can be forced to parse content like images, contacts, and open web pages without user interaction through NFC technologies. In some cases, full control of the phone is possible, allowing theft of data and sending of messages/calls. Proper understanding of NFC and its protocols is needed to analyze risks introduced by the inclusion of NFC functionality on mobile devices.
DefCon 2012 - Near-Field Communication / RFID Hacking - LeeMichael Smith
This document summarizes Eddie Lee's presentation on NFC hacking at DEFCON 20. It introduces the NFCProxy tool, which allows analyzing NFC protocols by proxying transactions between an NFC reader and card. The tool works by relaying APDUs between the two devices over WiFi. It can save, export, and replay transactions. The presentation demonstrates using NFCProxy in proxy mode to observe live transactions and in replay mode to simulate card behaviors. Future work may include generic frameworks for different NFC technologies and fuzzing NFC protocols.
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
Hardware backdooring by state actors is practical according to the speaker. The speaker demonstrates a proof of concept called Rakshasa that can backdoor computer firmware like BIOS and network cards to achieve persistent remote access. Rakshasa leverages existing free and open source software like Coreboot and iPXE to make the backdoor stealthy and hard to detect. It also discusses challenges with attribution and detection of such backdoors, and argues that strong protections are not currently possible given vulnerabilities in computer hardware and supply chains.
DefCon 2011 - Vulnerabilities in Wireless Water MetersMichael Smith
This document provides an overview of vulnerabilities in wireless water meter networks. It begins with background on the author and their experience in water infrastructure and cybersecurity. The main points covered include:
- Wireless water meters allow for automated reading but introduce cybersecurity risks
- Meters function as electronic cash registers, and accurate readings are important for utility revenue and operations
- Potential issues include theft of water service, revenue loss from inaccurate meters, and lack of proper management of meter infrastructure and billing systems
- The talk aims to raise awareness of security for water infrastructure, which is critical but receives less attention than other utilities like electricity
Defcon 2011 - Penetration Testing Over PowerlinesMichael Smith
This document discusses social engineering techniques for penetration testing over power lines. It begins with introductions of the speakers and their backgrounds in security. It then provides an overview of the IEEE standards for broadband over power lines and home automation protocols like X10 and Z-Wave. The document demonstrates using a Teensy device to deliver payloads over keyboard emulation and discusses leveraging tools in the Social Engineer Toolkit for jamming and sniffing X10 and Z-Wave traffic. It announces new releases in SET and previews future work on encryption key sniffing and traffic injection capabilities. Overall it covers the technical basics and practical application of assessing connected home and building automation security over power line networks.
DefCon 2012 - Anti-Forensics and Anti-Anti-ForensicsMichael Smith
These slides discuss anti-forensic techniques and how to mitigate them. The document outlines 10 techniques such as data saturation, non-standard RAIDs, file signature masking, rendering the National Software Reference Library useless, scrambled MAC times, restricted filenames, circular references using Lotus Notes, hash collisions, dummy hard drives, and questions for discussion. It then provides recommendations for mitigating each technique, such as parallelizing acquisition, ignoring dates, searching instead of filtering, and checking for USB drives.
DefCon 2012 - Subterfuge - Automated MITM AttacksMichael Smith
Christopher Shields and Matthew Toussain are developing a new man-in-the-middle attack tool with an intuitive interface that is easy to use, silent, and stealthy. The tool will have a server/client architecture with MITM utilities, a module builder, and configuration options. It aims to provide credential harvesting, HTTP code injection, denial of service attacks, and network visibility.
DefCon 2012 - Bluetooth Monitoring With SCAPYMichael Smith
This document discusses passive Bluetooth monitoring using Scapy. It begins with an overview of Bluetooth essentials like the Bluetooth baseband (BTBB). It then covers fundamental Bluetooth projects like Libbtbb and Ubertooth that Scapy-btbb builds upon. Scapy-btbb adds Bluetooth baseband support to Scapy, including helper methods for address analysis. The goals are to analyze Bluetooth baseband traffic in Python. A demo is provided and references list related Bluetooth projects.
The document discusses vulnerabilities in Netgear SOHO routers that allow remote code execution. It describes analyzing the firmware of a Netgear WNDR3700 router to find SQL injection vulnerabilities in the MiniDLNA media server. These vulnerabilities can be chained to extract passwords from the router's filesystem and execute arbitrary code by manipulating the database and triggering a buffer overflow. The talk will include a live demonstration exploiting these issues to gain a root shell on the router.
DefCon 2012 - Finding Firmware VulnerabilitiesMichael Smith
Ang Cui is a 5th year PhD candidate at Columbia University and co-founder and CEO of Red Balloon Security Inc. She is presenting FRAK, a firmware reverse analysis console, at Defcon 20. FRAK allows unpacking, analyzing, modifying and repacking of firmware from various formats including Cisco IOS, HP-RFU and others. It includes automated binary analysis, IDA Pro integration, and tools for firmware rootkit injection. A demonstration of FRAK's capabilities on Cisco IOS and HP-RFU is provided.
DefCon 2012 - Gaining Access to User Android DataMichael Smith
This document provides a summary of a presentation about gaining access to Android user data. The presentation discusses challenges like encryption and screen locks that prevent access. It then covers techniques for defeating bootloaders, building forensic boot images, using JTAG and serial debug cables, cracking pins and passwords, dealing with encryption, and other desperate techniques to gain access like chip-off or exploiting race conditions during updates. The goal is to provide tools and knowledge to both defend access and gain access for purposes like device seizure or digital forensics examinations.
DefCon 2012 - Power Smart Meter HackingMichael Smith
"When you look at a Smart Meter, it practically winks at you. Their Optical Port calls to you. It calls to criminals as well. But how do criminals interact with it? We will show you how they look into the eye of the meter. More specifically, this presentation will show how criminals gather information from meters to do their dirty work. From quick memory acquisition techniques to more complex hardware bus sniffing, the techniques outlined in this presentation will show how authentication credentials are acquired. Finally, a method for interacting with a meter's IR port will be introduced to show that vendor specific software is not necessary to poke a meter in the eye."
DefCon 2012 - Firmware Vulnerability Hunting with FRAK
1. RED
BALLOON
Security
FRAK: Firmware Reverse Analysis Konsole
Ang Cui
a@redballoonsecurity.com
7.27.2012
Defcon
20
2. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
W h o a m
I
What do I
DO
7.27.2012
Defcon
20
3. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
Co-Founder and CEO
Red Balloon Security Inc.
W h o a m www.redballoonsecurity.com
I
What do I
DO
7.27.2012
Defcon
20
4. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
Co-Founder and CEO
Red Balloon Security Inc.
W h o a m www.redballoonsecurity.com
I Past publications:
•
What do I Pervasive Insecurity of Embedded Network
Devices. [RAID10]
• A Quantitative Analysis of the Insecurity
DO
of Embedded Network Devices. [ACSAC10]
• Killing the Myth of Cisco IOS Diversity:
Towards Reliable Large-Scale Exploitation
of Cisco IOS. [USENIX WOOT 11]
• Defending Legacy Embedded Systems with
Software Symbiotes. [RAID11]
• From Prey to Hunter: Transforming
Legacy Embedded Devices Into
Exploitation Sensor Grids. [ACSAC11]
7.27.2012
Defcon
20
5. 5th Year Ph.D. Candidate
Intrusion Detection Systems Lab
Columbia University
Co-Founder and CEO
Red Balloon Security Inc.
W h o a m www.redballoonsecurity.com
I Past Embedded Tinkerings:
•
What do I •
Interrupt-Hijack Cisco IOS Rootkit
HP LaserJet Printer Rootkit
DO
7.27.2012
Defcon
20
10. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress}
Binary Firmware Image
For each
"Record"
Record
Parse In Firmware Record Record Record
Digitally
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm?
Firmware
Re-Packing Process
7.27.2012
Defcon
20
11. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
Re-Packing Process
7.27.2012
Defcon
20
12. WORKFLOW
[XYZ Embedded {Offense|Defense}]
Unpacking Process:
De{cript,compress} For each
Binary Firmware Image
For each
"Record" "unpacked Record"
Record In Firmware
Parse In Firmware Record Record Record
Digitally FileSystem Extraction
Encrypted? Compressed? Checksummed?
Analysis and Manipulation
Package Signed?
Manifest
Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
Firmware
Re-Packing Process
7.27.2012
Defcon
20
13-16. WORKFLOW [XYZ Embedded {Offense|Defense}]
(one workflow diagram, built up step by step over slides 13 to 16)

Unpacking Process:
  Binary Firmware Image
  For each Record in Firmware:
    Parse Record: Encrypted? Compressed? Checksummed? Digitally Signed?
      Known Algorithm or Proprietary Algorithm? Known Format or Proprietary Format?
    De{crypt,compress} -> "unpacked Record"
    FileSystem Extraction
  Package Manifest

Analysis and Manipulation

Re-Packing Process:
  For each "unpacked Record":
    Re-{crypt,compress}, Recalculate Checksum, etc
    Re-Pack Modified Record -> Record In Firmware
  Repack All Binary "records": Encrypted? Compressed? Checksummed? Digitally Signed?
    Known Format or Proprietary Format? Known Algorithm or Proprietary Algorithm?
  Re-generate Package Manifest
  File System -> Firmware
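The unpack / analyze-and-manipulate / repack loop from the workflow diagram, as an added example that is not FRAK's code and not any vendor's format: a constructed toy container in which every record carries the two flags the diagram asks about (Compressed? Checksummed?) and the image header acts as the manifest (record count plus a whole-image checksum). The format, the magic value `XYZF`, and every name (`Record`, `unpack_image`, `repack_image`, `modify_and_repack`, `detects_tampering`) are assumptions made up for this example; zlib and CRC32 stand in for whatever "known or proprietary algorithm" a real image uses.

```python
"""Toy firmware container walk-through: unpack -> modify -> repack.

The container format below is CONSTRUCTED for this example; it is not
FRAK's format nor any vendor's. Each record answers the diagram's
questions (compressed? checksummed?) with flag bits, and the image
header plays the role of the package manifest.
"""
import struct
import zlib
from dataclasses import dataclass

MAGIC = b"XYZF"                      # constructed magic value
FLAG_COMPRESSED = 0x01
FLAG_CHECKSUMMED = 0x02
IMAGE_HDR = struct.Struct("<4sHI")   # magic, record count, CRC32 over record area
RECORD_HDR = struct.Struct("<BBII")  # type, flags, stored length, payload CRC32


@dataclass
class Record:
    rtype: int
    flags: int
    data: bytes  # always the *unpacked* payload


def _parse_record(blob: bytes, off: int) -> tuple[Record, int]:
    """Parse one record at offset `off`; return (record, offset of next record)."""
    if off + RECORD_HDR.size > len(blob):
        raise ValueError(f"truncated record header at offset {off}")
    rtype, flags, length, crc = RECORD_HDR.unpack_from(blob, off)
    start = off + RECORD_HDR.size
    stored = blob[start:start + length]
    if len(stored) != length:
        raise ValueError(f"record at {off} claims {length} bytes, image ends early")
    # The checksum covers the payload as stored, i.e. before decompression.
    if flags & FLAG_CHECKSUMMED and zlib.crc32(stored) != crc:
        raise ValueError(f"record at {off}: CRC mismatch (corrupt or modified)")
    data = zlib.decompress(stored) if flags & FLAG_COMPRESSED else stored
    return Record(rtype, flags, data), start + length


def unpack_image(blob: bytes) -> list[Record]:
    """Unpacking process: validate the manifest, then parse every record."""
    if len(blob) < IMAGE_HDR.size:
        raise ValueError("image too small for header")
    magic, count, image_crc = IMAGE_HDR.unpack_from(blob, 0)
    if magic != MAGIC:
        raise ValueError("unknown format: bad magic")
    body = blob[IMAGE_HDR.size:]
    if zlib.crc32(body) != image_crc:
        raise ValueError("image-level CRC mismatch")
    records, off = [], IMAGE_HDR.size
    for _ in range(count):
        rec, off = _parse_record(blob, off)
        records.append(rec)
    if off != len(blob):
        raise ValueError(f"{len(blob) - off} trailing bytes after last record")
    return records


def repack_image(records: list[Record]) -> bytes:
    """Re-packing process: re-compress, recalculate checksums, rebuild manifest."""
    body = bytearray()
    for rec in records:
        stored = zlib.compress(rec.data) if rec.flags & FLAG_COMPRESSED else rec.data
        crc = zlib.crc32(stored) if rec.flags & FLAG_CHECKSUMMED else 0
        body += RECORD_HDR.pack(rec.rtype, rec.flags, len(stored), crc) + stored
    return IMAGE_HDR.pack(MAGIC, len(records), zlib.crc32(bytes(body))) + bytes(body)


# Constructed sample image: a loader stub, a compressed "file system", a config record.
SAMPLE_RECORDS = [
    Record(0x01, FLAG_CHECKSUMMED, b"\x7fELF-stub"),
    Record(0x02, FLAG_COMPRESSED | FLAG_CHECKSUMMED, b"/etc/passwd\x00root::0:0\n" * 8),
    Record(0x03, 0, b"hostname=demo-router\n"),
]
SAMPLE_IMAGE = repack_image(SAMPLE_RECORDS)


def modify_and_repack(blob: bytes) -> bytes:
    """Analysis and manipulation step: patch the config record, then repack."""
    records = unpack_image(blob)
    for rec in records:
        if rec.rtype == 0x03:
            rec.data = rec.data.replace(b"demo-router", b"patched-router")
    return repack_image(records)


def detects_tampering(blob: bytes, offset: int) -> bool:
    """Flip one byte at `offset` and report whether unpacking rejects the image."""
    damaged = bytearray(blob)
    damaged[offset] ^= 0xFF
    try:
        unpack_image(bytes(damaged))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for rec in unpack_image(modify_and_repack(SAMPLE_IMAGE)):
        print(f"type={rec.rtype:#04x} flags={rec.flags:#04x} {rec.data[:24]!r}")
```

Two things the toy makes visible that the diagram only names. First, a record's checksum is verified before decompression and recalculated after recompression, so the order of the "Re-{crypt,compress}, Recalculate Checksum" boxes matters. Second, because the repacker recalculates every checksum, a checksum on its own detects corruption but says nothing about whether the image was modified on purpose; only the "Digitally Signed?" box, a signature over the manifest that the repacker cannot regenerate without the vendor key, gives that guarantee.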
17-21. Payload Design
(one diagram, built up step by step over slides 17 to 21)
Reasons why Ang stays home on Friday night:
  Payload Design -> Payload Development -> Payload Testing -> STARE @ BINARY BLOB
  THIS PART: STARE @ BINARY BLOB
22. F R A K: Firmware Reverse Analysis Konsole
[Better Living Through Software Engineering]
23-27. F R A K: Firmware Reverse Analysis Konsole
(architecture diagram, built up step by step over slides 23 to 27)

Input: HP-RFU Module | Cisco IOS Module | Cisco-CNU Module | XYZ-Format Module | Arbitrary Firmware Image of Unknown Format
  -> Firmware Unpacking Engine -> Unpacked Firmware Binary -> Firmware Analysis Engine
Input: XYZ Software | Dynamic Instrumentation | Symbiotes & Rootkit
  -> Firmware Modification Engine -> Firmware Repacking Engine
ACCESS: Programmatic API | Interactive Console
28. F R A K: Firmware Reverse Analysis Konsole
Unpack, Analyze, Modify, Repack: Cisco IOS
29. Payload Design
Reasons why Ang stays home on Friday night:
  Payload Design -> Payload Development -> Payload Testing -> STARE @ BINARY BLOB?
  THIS PART: STARE @ BINARY BLOB -> Thanks FRAK!