Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance as cyber attacks become more sophisticated is increasing, IP addresses and domains as detection indices included in CTI are attacked by attackers in short cycles Dispose (change or disappear). As a countermeasure on the defender side, we are moving towards increasing the cost of attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day and implemented a detection index learning engine learning how detection indices are used by attackers Report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Ross Bevington, Microsoft
In ‘The Matrix’ sentient machines subdue the population by developing a highly sophisticated simulation. High interaction honeypots are a lot like The Matrix, designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed!
Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better?
Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority.
At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not.
In this presentation I’ll show some of the successes of running a Matrix like environment, failures where a glitch was spotted as well as deception approaches that could be applied to other domains. Finally I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
In this presentation, I present an automatically disarmament system for armed malware with anti-sandboxing. The system targets on 1) Host-fingerprinting malware like citadel, 2) armed malware with general anti-sandboxng for automated sandbox analyzer. An approach of disarmament focuses on exit reason and exit before activity in malware execution. I have developing CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis for individual malware.
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboraiton" of the developers ;)
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
The security landscape has changed such that simply focusing on preventing is no longer an effective strategy. This talk will look at the idea of Assume Breach and how detection and response to threats aligns to an attacker methodology. Demonstrations and research will highlight how organizations can achieve more finely tuned detection capabilities through threat simulation and war-game exercises.
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented on numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance as cyber attacks become more sophisticated is increasing, IP addresses and domains as detection indices included in CTI are attacked by attackers in short cycles Dispose (change or disappear). As a countermeasure on the defender side, we are moving towards increasing the cost of attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day and implemented a detection index learning engine learning how detection indices are used by attackers Report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Hunting for APT in network logs workshop presentationOlehLevytskyi1
Nonamecon 2021 presentation.
Network logs are one of the most efficient sources to hunt adversaries, but building good analytics capabilities require a deep understanding of benign activity and attacker behavior. This training focuses on detecting real-case attacks, tools and scenarios by the past year.
The training is highly interactive and retains a good balance between theory and a lot of hands-on exercises for the students to get used to the detection engineering methodology and prepare them to start implementing this at their organizations.
Presentation topics:
- Netflow Mitre Matrix view
- Full packet captures vs Netflow
- Zeek
- Zeek packages
- RDP initial comprometation
- Empire Powershell and CobaltStrike or what to expect after initial loader execution.
- Empire powershell initial connection
- Beaconing. RITA
- Scanning detection
- Internal enumeration detection
- Lateral movement techniques widely used
- Kerberos attacks
- PSExec and fileless ways of delivering payloads in the network
- Zerologon detection
- Data exfiltration
- Data exfiltration over C2 channel
- Data exfiltration using time size limits (data chunks)
- DNS exfiltration
- Detecting ransomware in your network
- Real incident investigation
Authors:
Oleh Levytskyi (https://twitter.com/LeOleg97)
Bogdan Vennyk (https://twitter.com/bogdanvennyk)
Ross Bevington, Microsoft
In ‘The Matrix’ sentient machines subdue the population by developing a highly sophisticated simulation. High interaction honeypots are a lot like The Matrix, designed to convince an attacker to execute an attack so we can monitor them. But these honeypots are flawed!
Attackers are continually adapting in order to evade our defenses - meaning that it’s often not enough to just set up a honeypot and watch the results roll in. Is a new approach better?
Did you know that 40% of IaaS VMs in Azure are Linux? For Microsoft to protect itself and its customers Linux is a priority.
At MSTIC we’ve developed a new type of Linux honeypot that allows us to deceive and control the behavior of an attacker. We are using this to understand the person behind the attack, examining them as they examine us. Using these techniques, we are able to better track the person behind the threat, build better protections and ultimately protect more Linux users - whether they are using Azure or not.
In this presentation I’ll show some of the successes of running a Matrix like environment, failures where a glitch was spotted as well as deception approaches that could be applied to other domains. Finally I’ll show how easy it is to leverage Azure’s big data capabilities to build and ultimately query all this data at scale as well as how you can immediately reap the benefits of this work by connecting your Linux box to Azure Security Center.
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
In this presentation, I present an automatically disarmament system for armed malware with anti-sandboxing. The system targets on 1) Host-fingerprinting malware like citadel, 2) armed malware with general anti-sandboxng for automated sandbox analyzer. An approach of disarmament focuses on exit reason and exit before activity in malware execution. I have developing CPU emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis for individual malware.
RootedCON 2020 talk. In this talk, we showed the research about software dependencies that led us to rule the world for a day. Surprisingly, we could take control of more than 800 developer machines in less than 24 hours with the collusion of the most famous software dependency repositories... And with the "collaboraiton" of the developers ;)
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
Japan is recently experiencing a rise in targeted attacks. However, it is rare that details of such attacks are revealed. Under this circumstance, JPCERT/CC has been investigating the attack operations targeting Japanese organizations including the government and leading enterprises. We have especially been tracking two distinct cases over a prolonged period.
The first case, which became public in 2015, drew nationwide attention for victimizing several Japanese organizations. In this case, the attacker conducts sophisticated attacks through network intrusion and targeting weak points of the organizations.
The second case has been continuously targeting certain Japanese organizations since 2013. Although this case has not drawn as much attention, the attacker has advanced techniques and uses various interesting attack methods.
This presentation will introduce the above two attack operations, including attack techniques we revealed through prolonged investigation, the malware/tools being used, as well as useful techniques/tools for analyzing related malware.
The security landscape has changed such that simply focusing on preventing is no longer an effective strategy. This talk will look at the idea of Assume Breach and how detection and response to threats aligns to an attacker methodology. Demonstrations and research will highlight how organizations can achieve more finely tuned detection capabilities through threat simulation and war-game exercises.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
Slides from my ROOTCON12 training. This material contains an introduction to stack-based buffer overflow. This is also helpful for those who are doing OSCP and wanted to learn exploit development.
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
"Though many security mechanisms are deployed in Apple's macOS and iOS systems, some old-fashioned or poor-quality kernel code still leaves the door widely open to attackers. Especially, as kernel's critical components, device drivers are frequently exploited to attack Apple systems. In fact, bug hunting in Apple kernel drivers is not easy since they are mostly closed-source and heavily relying on object-oriented programming. In this talk, we will share our experience of analyzing and attacking Apple kernel drivers. In specific, we will introduce a new tool called Ryuk. Ryuk employs static analysis techniques to discover bugs by itself or assist manual review.
In addition, we further combine static analysis with dynamic fuzzing for bug hunting in Apple drivers. In specific, we will introduce how we integrate Ryuk to the state-of-art Apple driver fuzzer, PassiveFuzzFrameworkOSX, for finding exploitable bugs.
Most importantly, we will illustrate Ryuk's power with several new vulnerabilities that are recently discovered by Ryuk. In specific, we will show how we exploit these vulnerabilities for privilege escalation on macOS 10.13.3 and 10.13.2. We will not only explain why these bugs occur and how we find them, but also demonstrate how we exploit them with innovative kernel exploitation techniques."
Frank Brockners, OPNFV TSC member and distinguished engineer with Cisco, presented "Deploy it, test it, run your VNF" during the OPNFV mini-summit as part of the 2015 NFV World Congress.
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
In this session we begin with modelling the attack surface of Java deserialization, which often leads to remote code execution (RCE), by showcasing vulnerabilities we found in modern and widely used applications and frameworks. We extend existing research about risks of deserialization broadening the attack surface. After a live demo of getting a Meterpreter shell in a modern Java endpoint setup we delve into the exploitation styles for this vulnerability to lay the foundation of the first of three key takeaways for the attendees:
The first key takeaway is identification of test types that should be executed during a dynamic assessment of an application in order to find this kind of vulnerability. This includes analyzing the deserialization interface and using blackbox tests to create payloads with gadgets matching the application’s classpath to verify the RCE. Discussion extends to cover indirect deserialization interfaces that use non-binary data formats, such as XML-based interfaces, which can also act as a driver for deserialization within the application.
The next key takeaway covers the realm of static code analysis (SAST). We present code patterns security reviewers should look for when doing whitebox assessments of applications or frameworks. This is especially interesting for code offering dynamic functionality including AOP, generic mappings, reflection, interceptors, etc. - all of which have a high probability of including code that can facilitate as deserialization gadgets and thus help the attackers in exploiting deserialization vulnerabilities. In this section we present the techniques used to find the vulnerabilities within the popular frameworks showcased during the live demo at the session’s start.
Finally we conclude with tips on implementing different techniques of hardening measures for applications offering deserialisation interfaces (either direct binary deserialization interfaces or indirect XML-based ones) to give the attendees the third key takeaway: protecting applications properly. This includes ways to verify data integrity prior to deserialization and ways to properly inspect the data before it’s handled by the Java deserialization process.
--
This talk was presented by Christian Schneider & Alvaro Muñoz at the OWASP BeNeLux Day 2016.
There is a problem of finding the correct operating services In a distributed systems with dynamic configuration. Currently, there are designed one and more solutions for the ever-changing storage configuration. It should be mentioned at least Netflix Eureka, Consul, etcd or good old Zookeeper. Spring Cloud project allows to integrate some of these solutions to your project and provides powerful solutions for typical problems. However, on the way to unicorns not the most obvious subtleties of implementation and associated problems of use in real projects wait for a developer.
This talk will review the internal structure SpringCloud, implementation of Client-Side Service Discovery pattern, and specific details of concrete implementations on the example of the official libraries and the author's own library.
It is the material that I use for artificial intelligence exercise.
From Linux installation to tensor flow practice environment.
1. Prepare the virtual development environment.
2. Installing Linux (ubuntu)
3. Installing the Python Development Environment (Python, Pyenv + Virtualenv)
4. Installing the Python web development environment (Jupyter notebook, Numpy, Matplot, BS4 ...)
5. Tensor flow installation (TensorFlow)
6. Tensor Flow Practice (Python & Tensorflow tutorial)
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
lash devices introduced a sudden shift in the performance profile of direct attached storage. With IOPS rates orders of magnitude higher than rotating storage, it became clear that Linux needed a re-design of its storage stack to properly support and get the most out of these new devices.
This talk will detail the architecture of blk-mq, the redesign of the core of the Linux storage stack, and the later set of changes made to adapt the SCSI stack to this new queuing model. Early results of running Facebook infrastructure production workloads on top of the new stack will also be shared.
Jense Axboe, Facebook
"Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, making them quite an interesting target.
In this talk, I'll present the results of my research on the security of these backend components and discuss Xenpwn, a hypervisor based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor. "
(Source: Black Hat USA 2016, Las Vegas)
This presentation briefs about the Linux Kernel Module and Character Device Driver. This also contains sample code snippets. Also briefs about character driver registration and access.
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
System Device Tree is an extension to Device Tree to describe all the hardware on an SoC, including heterogeneous CPU clusters and secure resources not typically visible to an Operating System like Linux. This full view allows the System Device Tree to be the "One true source" of the entire hardware description and helps to prevent the common (and hard-to-debug) problem of conflicting resources and system consistency. Lopper is an Open Source framework to parse and manipulate System Device Tree. With Lopper, it is possible to generate multiple traditional Device Trees from a single larger System Device Tree. This presentation will provide an overview of System Device Tree and will discuss the latest updates of the specification and tooling. The talk will illustrate multiple use-cases for System Device Tree with concrete examples, such as Linux running on the more powerful CPU cluster and Zephyr running on a smaller Cortex-R cluster. It will also show how to use Lopper to generate multiple traditional Device Trees targeting different OSes, not just Linux but also Zephyr/other RTOSes. Finally, an end-to-end demo based on Yocto to build a complete heterogeneous system with multiple OSes and RTOSes running on different clusters on a single reference board will be shown.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
1. The Art of Exploiting Unconventional
Use-after-free Bugs in Android Kernel
Di Shen a.k.a. Retme (@returnsme)
Keen Lab of Tencent
2. whoami
• Di Shen a.k.a. Retme (@returnsme)
• Member of Keen Lab
• Android Kernel vulnerability hunting and exploitation since 2014
• Aim: to make out universal rooting exploit for Android
• Trophy:
• CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c)
• CVE-2015-1805 (fs/pipe.c) ’s first working exploit
• CVE-2015-4421,4422 (Huawei TrustZone)
• KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’)
• Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’)
• And more To Be Announced in the future
• Available on https://github.com/retme7/My-Slides
3. Agenda
• Rooting Android: Current situation
• Overview of exploiting UAF in kernel
• Conventional approach
• Afterwards: Gain root
• The Unconventional UAFs
• Implementation of perf system
• Exploiting CVE-2017-0403
• Exploiting CVE-2016-6787
• Conclusion
4. Rooting Android: Current situation
• Universal exploitable vulnerability is rare
• Available attack surface:
• Generic Linux syscalls
• Android universal drivers like Binder, ION, Ashmem
5. Rooting Android: Current situation
• Enforced SELinux policy
• Most of device drivers are inaccessible
• Many syscalls are not reachable from untrusted
Application
• Sockets ioctl commands are partially restricted
6. Rooting Android: Current situation
• Verified Boot through dm-verity kernel feature
• The gained root privilege is nonpersistent
8. Overview of exploiting UAF in kernel
• An easily exploitable UAF bug normally has following
features:
• Has a function pointer in freed object
• Attacker has plenty of time to refill the freed object.
9. Conventional approach of UAF exploitation
struct socket
(freed)
ops->ioctl(…)
struct socket
(refilled)
ops->ioctl(…)
JOP gadgets
• Free the victim object
• Refill the object with malformed data by heap
spraying or ret2dir
• Let the function pointer point to ROP/JOP gadgets in
kernel
• Ask kernel reference this function pointer to achieve
arbitrary kernel code execution
ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
11. However…
• Not every UAF bug in kernel is so that idealized
• More unconventional situation to deal with…
• The victim object may don’t have a function pointer
• The kernel may crash soon after UAF triggered
• The attacker may cannot fully controlled the freed object
12. The unconventional UAFs I found
• All found in sys_perf_event_open()
• Perf system is pretty buggy
• Reachable by application last year
• But now it’s restricted by a feature called “perf_event_paranoid”
13. The unconventional UAFs I found
• CVE-2017-0403
• Ever affected all devices shipped with 3.10 or earlier Linux kernel
• More than 14 million users of KingRoot gain root privilege on their
smart phones
• CVE-2016-6787
• Ever affected all Qualcomm-based devices. (Only Qucalcomm
enabled hardware perf event…)
• A part of my exploit chain to bypass Samsung KNOX 2.6
14. sys_perf_event_open()
• Will create a perf_event
• Input: perf_event_attr
• A description of what kind of performance event
you need
• Input: group_fd (optional)
• Specify the group leader of new perf_event
• Return the fd of perf_event to user space
15. Key kernel objects in perf system
• perf_event
• A performance event which is registered by user
• perf_event_context
• The container of all perf events created in one process
• Each process has two contexts, one for software events, other one for
hardware events
• Perf group and group leader
• Multiple events can form a group
• One event is the leader
perf_sw_context
perf_hw_context
task_struct
event event event
event_list
event (group_leader)
event (group_leader)
17. CVE-2016-6787
Remove the group_leader from origin software context and
then install it to hardware context
Remove every event from software context,
and then install it to new hardware context
’move_group‘ leads to reducing
context’s refcont by one
18. CVE-2016-6787
• move_group ignored the concurrency issues
• UAF happens due to race condition
• Attacker trigger the move_group on same group leader
simultaneously,
• The ref count of group_leader->ctx may be reduced to zero
• task_struct->perf_event_ctxp[perf_sw_context] will be freed
accidently
The object is freed
20. Kernel crashed instantly
• Kernel crashed soon after we
freed the perf_event_context
• Thread scheduler need to
reference this object
consecutively
• We don‘t have plenty of time to
refill the object L
21. Solution: freeze thread after free
• Keep thread scheduler away from me
• Switch the status of attacker’s thread from
running to (un)interruptible
• The thread will be frozen and kernel won’t
crash as soon as perf_event_context freed
22. How to freeze a thread from user land?
• Sleep() ? Not working
• Use futex_wait_queue_me()
switch to interrupAble
freezable_schedule()
24. A brief summary of CVE-2016-6787
• Easy to win the race, and trigger the bug
• Hard to refill the freed object (no time)
• Easy to control the code flow (corrupted object has
function pointer)
• Proposed an approach of thread freezing to gain more
time to refill object
25. Review: relationship of perf event, group and group leader
• Group leader has a sibling_list
• sibling_list is a list of perf events which belongs this
group
perf_sw_context
perf_hw_context
task_struct
event event event
event_list
event (group_leader)
event (group_leader)
26. CVE-2017-0403 (PoC)
• Create a perf event as ‘A’
• Create another perf event as ‘B’, specify ‘A’ as its group
leader
• Free ‘A’,the group leader
• Free ‘B’, a sibling of group ß---- UAF happens here
27. Root cause
• Now group leader ‘A’ is freed
• Kernel doesn’t empty its sibling list
• Leads to leaving a dangling pointer in
sibling’s event->group_entry
28. Root cause
• Later on the sibling ‘B’ is freed
• list_del_event()
• list_del_init(&event->group_entry);
• overwrite a pointer to the freed group
leader.
29. • Slub poinson infomation
• 0xfffffc00fc2b1a0 is overwritten
to (group_leader+ 0x20)
30. The unconventional scenario
• The only thing I can do is overwritting the freed object as
following
*(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
31. Pipe subsystem in Linux
• readv() & writev(): read/write multiple buffers through pipe
• Use an array of struct iovec{iov_base,iov_len} to describe
user buffers
• When no contents available from the write end, readv() may
block in kernel
• Then an array of struct iovec{} may stay in kernel’s heap
32. Compromise pipe system
• Call readv()
• rw_copy_check_uvector() confirm every iov_base must points to
userland space.
• An array of struct iovec{} now is in heap. Nothing comes from
the write end of pipe, so readv() block.
• If you can somehow overwrite the iovec{}, modify the iov_base
to a kernel address. Emmm…
iov_base iov_len iov_base iov_len iov_base iov_len
…..
kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
33. Compromise pipe system
• Now write something to
another end of pipe
• pipe_iov_copy_to_user()
won’t check the iov_base
again.
• Buffers you wrote to pipe
will be copied to the
kernel address
34. ········
Trigger UAF, write two 8-bytes value“A+0x20”to address = A+0x20
↓ the 1st freed object, address is A
Solution: convert UAF to arbitrary R/W
↓the 2nd freed object, address is B = A + 0x400
Use iovec to spray the heap
Freed Data Freed Data Freed Freed Data Freed Data ·········
base len base len base base len base len ···················
base len A + 0x20 A+0x20 base
··········
base len base len
Write a buffer to pipe ,the buffer will be copied to (A + 0x20)
·········
base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ·········
Write a buffer to pipe again,it will be copied to KADDR
KADDR can be any address value, we achieved arbitrary kernel memory overwriting
1
2
3
4
5
35. A brief summary of CVE-2017-0403
• Attacker lost the file descriptor of freed object
• Cannot achieve code execution via refilling object’s
function pointer
• Only be able to write the address value of freed object
twice to freed object
• Proposed a new approach: compromising pipe system
36. Conclusion
• Most UAF bugs looks not exploitable, but there may be
another way
• No idea? Put it down for a while, but do not let it go…
• Be familiar with kernel’s source code, kernel’s own
feature may help your exploitation (e.g. pipe for
CVE-2017-0403)