This document introduces EMBA, a free and open-source firmware analysis tool. It describes EMBA's extraction and analysis modules that can extract firmware components like Linux filesystems, decrypt images, and analyze the firmware using tools like binwalk and Yara rules. EMBA aims to automate common firmware analysis tasks and identify security issues like outdated components, weak configurations, and potential 0-day vulnerabilities through static and dynamic analysis techniques.
EMBA - Firmware analysis - Black Hat Arsenal USA 2022 (MichaelM85042)
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for the networked devices on which our modern society is based. In this area, the operating systems in use are grouped under the term firmware. The devices themselves, also called embedded devices, are essential in private and industrial environments as well as in so-called critical infrastructure.
Penetration testing of these systems is quite complex, as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer whose goal is to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities at the binary level. This goes far beyond plain CVE detection: with EMBA you always know which public exploits are available for the target firmware. Besides the detection of already known vulnerabilities, EMBA also supports the tester in finding the next 0-day. For this, EMBA identifies critical binary functions, protection mechanisms and services with network behavior at the binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more.
EMBA is the open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://www.blackhat.com/us-22/arsenal/schedule/index.html#emba--open-source-firmware-security-testing-26596
EMBA - Firmware analysis - DEFCON30 demolabs USA 2022 (MichaelM85042)
Penetration testing of current embedded devices is quite complex, as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer whose goal is to simplify, optimize and automate the complex task of firmware security analysis.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://forum.defcon.org/node/242109
This document discusses Linux device drivers. It provides an overview of the history and purpose of Linux and device drivers. It explains that device drivers connect hardware and software by communicating at both the logical and physical layers. It also describes the difference between kernel and user modes, and discusses how device drivers are developed by utilizing Linux system calls and supporting development environments within the Linux kernel programming interface.
The document discusses PowerShell Empire, a PowerShell post-exploitation framework that aims to provide a flexible and extensible platform for integrating offensive PowerShell capabilities. It provides an overview of Empire's architecture, including its client-server design with a backend database, listeners for command and control, and modules for additional functionality. The document demonstrates Empire's capabilities through modules for process injection, privilege escalation, credential dumping, and lateral movement. It also discusses considerations for detecting and analyzing Empire agents on compromised systems.
Video: https://www.youtube.com/watch?v=FJW8nGV4jxY and https://www.youtube.com/watch?v=zrr2nUln9Kk. Tutorial slides for O'Reilly Velocity SC 2015, by Brendan Gregg.
There are many performance tools nowadays for Linux, but how do they all fit together, and when do we use them? This tutorial explains methodologies for using these tools, and provides a tour of four tool types: observability, benchmarking, tuning, and static tuning. Many tools will be discussed, including top, iostat, tcpdump, sar, perf_events, ftrace, SystemTap, sysdig, and others, as well as observability frameworks in the Linux kernel: PMCs, tracepoints, kprobes, and uprobes.
This tutorial updates and extends an earlier talk that summarizes the Linux performance tool landscape. The value of this tutorial is not just learning that these tools exist and what they do, but hearing when and how they are used by a performance engineer to solve real world problems — important context that is typically not included in the standard documentation.
This document discusses shells and shell scripting in Linux. It provides information on common Linux shells like Bash, Bourne shell, C shell, etc. It describes the basic functions of shells like command interpretation, I/O redirection, variables, parameters and more. Shell scripts allow automating tasks and complex series of commands. The document also covers shell script basics, special parameters, variables, I/O redirection operators and more shell scripting concepts.
Slides I presented at PyCon 2019 (Surabaya, 23/11/2019)
Red-Teaming is a simulation of real-world hacking against an organization. It has little to no limit on time, location, or method of attack. Only results matter. This talk gives insight into how a "hacker" works and how Python can be used for a sophisticated series of attacks.
ATF (ARM Trusted Firmware) is important software on ARMv8.
Rather than using the whole of it, you can use only part of it.
This material explains what to do when using BL31 (EL3 Runtime Firmware) on its own, taking Xilinx's Zynq UltraScale+ MPSoC as the example.
Metasploit is an open source framework for penetration testing that allows users to perform vulnerability scanning, exploit development, and post-exploitation. It provides tools for information gathering, vulnerability scanning, pre-exploitation and post-exploitation tasks. Metasploit has modules for exploits and payloads that are used together, with payloads being the code executed on the target and encoders ensuring payloads reach their destination. The msfconsole interface provides centralized access to Metasploit's options like finding vulnerabilities through open ports and setting the listener, payload, and target for exploitation. Meterpreter is an advanced payload included in Metasploit that has additional features for tasks like keylogging and taking screenshots.
This document provides an overview of QEMU, including its use of dynamic translation and Tiny Code Generator (TCG) to emulate target CPUs on the host system. It discusses how QEMU translates target instructions into a RISC-like intermediate representation (TCG ops), optimizes and converts them to host instructions. The document also mentions Linaro's work with QEMU and a QEMU monitor tool for debugging ARM systems emulated by QEMU.
LCU13: An Introduction to ARM Trusted Firmware (Linaro)
Resource: LCU13
Name: An Introduction to ARM Trusted Firmware
Date: 28-10-2013
Speaker: Andrew Thoelke
Video: http://www.youtube.com/watch?v=q32BEMMxmfw
The document summarizes how to write a character device driver in Linux. It covers the anatomy of a device driver including the user interface via device files, and kernel interfaces via file operations and major/minor numbers. It describes registering a character driver by defining file operations, reserving major/minor numbers, and associating them. Open and release functions handle initialization and cleanup. Read/write functions transfer data between userspace and hardware. Ioctl allows extending functionality.
Kernel Recipes 2015 - Kernel dump analysis (Anne Nicolas)
Kernel dump analysis
Cloud this, cloud that… It's making everything easier, especially for web-hosted services. But what about the servers that are not supposed to crash? For applications that assume the OS won't fault or go down, what can you write in your post-mortem once the server has frozen and been restarted? How do you track down the bug that led to the service unavailability?
In this talk, we'll see how to set up kdump and how to panic a server to generate a coredump. Once you have the vmcore file, we'll see how to track down the issue with the "crash" tool to find out why your OS went down. Last but not least: with "crash" you can also modify your live kernel, the same way you would with gdb.
Adrien Mahieux – System administrator obsessed with performance and uptime, tracking down microseconds from hardware to software since 2011. The application must be seen as a whole to provide the requested service efficiently. This includes searching for bottlenecks and tradeoffs, design issues or hardware optimization.
Blue Hat IL 2019 - Hardening Secure Boot on Embedded Devices for Hostile Envi... (Cristofaro Mune)
This talk was presented at the Microsoft BlueHat IL 2019 security conference by Niek Timmers, Albert Spruyt and Cristofaro Mune.
Secure boot is the fundamental building block of the security implemented in a large variety of devices, from mobile phones to Internet of Things (IoT) devices or the Electronic Control Units (ECUs) found in modern cars.
In this talk we focus on software and hardware attacks that may be carried out against Secure Boot implementations. We leverage our decade-long experience in reviewing and attacking secure boot on embedded devices from different industries.
After a brief introduction, an overview of common attack patterns is provided by discussing real vulnerabilities, exploits and attacks as case studies.
We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights.
The first one takes place before the CPU is even started, showing that a larger attack surface than usually explored is available.
This also shows that FI can affect pure HW implementations, with no SW involved.
The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed using Fault Injection only and with a single glitch.
Contrary to common belief, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key.
This shows the need to reconsider the impact of FI attacks, and that encrypting boot stages alone is not a sufficient FI countermeasure.
We also discuss countermeasures and possible mitigations throughout the whole presentation.
With this talk, we hope to bring innovative and fresh material to a topic which is a cornerstone of modern Product Security.
The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.
Hunting Lateral Movement in Windows Infrastructure (Sergey Soldatov)
The document discusses various techniques attackers can use to launch executables remotely on Windows systems by leveraging compromised credentials and built-in OS functionality. It describes how to detect remotely launched executables using Windows Event and Sysmon logs. Specific techniques covered include remote file copy over SMB, remote execution via WMI, WinRM, PowerShell Remoting, scheduled tasks, services, the registry, and WMI subscriptions. The document provides the event sequences and the most interesting events to look for when hunting for evidence of each technique.
This document discusses keyloggers, malware detection, and forensic investigation of infected systems. It defines keyloggers as hardware or software that captures keystrokes and malware as malicious software like viruses and Trojans. It provides tips for detecting keyloggers and malware through artifacts in the system, registry, prefetch files, and suspicious files and entries. It outlines methods for determining the infection source and timeline, and identifying captured data, attacker information, and next steps for investigators.
This document summarizes a research paper that presents FIRMADYNE, an automated dynamic analysis system for analyzing Linux-based embedded firmware. FIRMADYNE extracts firmware filesystems, emulates the firmware using QEMU, and performs dynamic analysis by hooking system calls, testing for vulnerabilities, and crawling accessible webpages. The researchers applied FIRMADYNE to a dataset of firmware images from 42 vendors and found that emulation enabled discovery of vulnerabilities, with original equipment manufacturers having the most.
My slides for PHDays 2018 Threat Hunting Hands-On Lab - https://www.phdays.com/en/program/reports/build-your-own-threat-hunting-based-on-open-source-tools/
Virtual Machines for the lab are available here - https://yadi.sk/d/qB1PNBj_3ViWHe
Debugging Linux kernel tools and techniques (Satpal Parmar)
This document discusses tools and techniques for debugging the Linux kernel, including debuggers like gdb, built-in debugging facilities, system logs, and crash dump analysis tools like LKCD. It outlines common issues like kernel crashes and hangs, and provides an example of analyzing an "oops" crash dump to identify the failing line of code through tools like ksymoops. It also covers generating a full system memory dump using LKCD for thorough crash investigation.
A Hacker's perspective on AEM applications security (Mikhail Egorov)
Mikhail Egorov gave a presentation on security vulnerabilities in Adobe Experience Manager (AEM) applications. He discussed three vulnerabilities - CVE-2019-8086, CVE-2019-8087, and CVE-2019-8088 - which involved XML external entity injection, JavaScript code injection, and ways to exploit them. He explained the technical details of each vulnerability and provided examples of payloads and steps required for exploitation. Egorov concluded by recommending keeping AEM updated, blocking anonymous write access to certain paths, and removing demo content to help prevent security issues.
The document provides an overview of kernel crash dump analysis including:
- The tools and data required such as the crash utility, kernel symbol files, vmcore files
- How to install and use these components
- Basic crash commands to analyze system, memory, storage, and network subsystems
- How to dynamically load crash extension modules to add custom commands
Linux Performance Analysis: New Tools and Old Secrets (Brendan Gregg)
Talk for USENIX/LISA2014 by Brendan Gregg, Netflix. At Netflix performance is crucial, and we use many high- to low-level tools to analyze our stack in different ways. In this talk, I will introduce new system observability tools we are using at Netflix, which I've ported from my DTraceToolkit, and which are intended for our Linux 3.2 cloud instances. These show that Linux can do more than you may think, by using creative hacks and workarounds with existing kernel features (ftrace, perf_events). While these are solving issues on current versions of Linux, I'll also briefly summarize the future in this space: eBPF, ktap, SystemTap, sysdig, etc.
Perf is a Linux profiler tool that uses performance monitoring hardware to count various events like CPU cycles, instructions, and cache misses. It can count events for a single thread, entire process, specific CPUs, or system-wide. Perf stat is used to count events during process execution, while perf record collects profiling data in a file for later analysis with perf report.
Faults inside system software were analyzed, with a focus on diagnosing faults in device drivers. Approaches to deal with faulty drivers included runtime isolation and static analysis. Runtime isolation involves running each driver in a separate process or virtual machine to isolate failures. Static analysis techniques inspect source code for issues like concurrency errors, protocol violations, and invalid register values without needing to execute the code. The talk provided statistics on driver faults, discussed the Linux driver model and common bug causes, and outlined techniques like instrumentation and specification-based development to improve driver correctness and security.
This presentation was given at PSConfEU and covers common privilege escalation vectors for Windows systems, as well as how to enumerate these issues with PowerUp.
1. The document discusses various techniques for confining untrusted code, including chroot jails, virtual machines, and system call interposition.
2. System call interposition monitors applications' system calls and blocks unauthorized ones, implementing fine-grained access control policies. However, specifying the right policy for each application can be difficult.
3. Virtual machines isolate applications by running them within isolated guest operating systems. However, covert channels still allow some information to leak between virtual machines.
With the focus on security, most organisations test the security defenses via pen-testing. But what about after the network has been compromised. Is there an Advance Persistent Threat (APT) sitting on the network? Will the defenses be able to detect this?
This talk will discuss some of the open source tools that can help simulate this threat. So as to test the security defenses if an APT makes it onto the network.
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
This document discusses techniques for achieving successful automated dynamic analysis of evasive malware through full system emulation. It begins by introducing the speaker and their background in malware research. It then discusses the goals of automated malware analysis, different analysis approaches (such as system call hooking and process emulation), and how full system emulation provides the highest visibility and fidelity while maintaining good performance. The document also covers challenges posed by malware evasion techniques and ways analysis systems can work to bypass triggers and detect stalling code.
Common Pitfalls of Functional Programming and How to Avoid Them: A Mobile Gam...gree_tech
This material is presented on CUFP 2013.
Functional programming is already an established technology is many areas. However, the lack of skilled developers has been a challenging hurdle in the adoption of such languages. It is easy for an inexperienced programmer to fall into the many traps of functional programming, resulting in a loss of productivity and bad software quality. Resource leaks caused by Haskell's lazy evaluation, for instance, are only the tip of the iceberg. Knowledge sharing and a mature tool-assisted development process are ways to avoid such pitfalls. At GREE, one of the largest mobile gaming companies, we use Haskell and Scala to develop major components of our platform, such as a distributed NoSQL solution, or an image storage infrastructure. However, only 11 programmers use functional programming on their daily task. In this talk, we will describe some unexpected functional programming issues we ran into, how we solved them and how we hope to avoid them in the future. We have developed a system testing framework to enhance regression testing, spent lots of time documenting pitfalls and introduced technical reviews. Recently, we even started holding lunchtime presentations about functional programming in order to attract beginners and prevent them from falling into the same traps.
This document discusses various aspects of cloud, API, and hardware penetration testing:
- It outlines the different types of cloud services: Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).
- It provides an overview of tools used for cloud and API penetration testing such as SOASTA CloudTest, LoadStorm, BlazeMeter, Nexpose, and AppThwack.
- It discusses firmware analysis, including extracting firmware from devices, identifying file systems and architectures, and searching for hardcoded credentials or certificates. Tools mentioned include Binwalk, Readelf, and Strings.
- It provides an overview of hardware penetration
This document provides an overview of metasploitation and using the Metasploit framework. It discusses basics like vulnerabilities, exploits, payloads and encoders. It then covers using the msfconsole interface, exploit modules, auxiliary modules like scanners, databases integration, automation, client-side exploits, payload generation, backdooring files, Linux backdoors, Meterpreter, pivoting, and post-exploitation techniques. The document includes several screenshots and links resources for further information.
Building your macOS Baseline Requirements MacadUK 2018Henry Stamerjohann
Slides from 2018 MacAD.UK confernce
Synopsis: https://www.macad.uk/speaker/henry-stamerjohann/
When tasked with (re)building a security baseline for macOS clients, where do you start?
There’s obviously decisions to be made about what’s feasible in your organization (beyond if admin privileges should be the default). You need to weigh system stability and security with end-user productivity. Luckily for the macOS platform a rich ecosystem of tools exist to fill in the gaps and general guidance is available. The crucial part of making mindful and informed decisions is to first aggregate data from your IT environment. You can then decide what configurations to deploy and run recurring compliance checks based on an appropriate strategy. This session will cover fundamentals, highlight advanced considerations, and outline practical examples to apply when you’re conducting a (new) baseline for macOS clients.
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
Today most networks present one “gateway” to the whole network – The SSL-VPN. A vector that is often overlooked and considered “secure”, we decided to take apart an industry leading SSL-VPN appliance and analyze it to bits to thoroughly understand how secure it really is. During this talk we will examine the internals of the F5 FirePass SSL-VPN Appliance. We discover that even though many security protections are in-place, the internals of the appliance hides interesting vulnerabilities we can exploit. Through processes ranging from reverse engineering to binary planting, we decrypt the file-system and begin examining the environment. As we go down the rabbit hole, our misconceptions about “security appliances” are revealed.
Using a combination of web vulnerabilities, format string vulnerabilities and a bunch of frustration, we manage to overcome the multiple limitations and protections presented by the appliance to gain a remote unauthenticated root shell. Due to the magnitude of this vulnerability and the potential for impact against dozens of fortune 500 companies, we contacted F5 and received one of the best vendor responses we’ve experienced – EVER!
https://www.hackitoergosum.org
EMBEDDED SYSTEMS SYBSC IT SEM IV UNIT V Embedded Systems Integrated Developme...Arti Parab Academics
Design and Development: Embedded system development Environment – IDE, types of file generated on cross compilation, disassembler/ de-compiler, simulator, emulator and debugging, embedded product development life-cycle, trends in embedded industry.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi...The Linux Foundation
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
It is comprised of the five classical components (input, output, processor, memory, and datapath). The processor is divided into an arithmetic logic unit (ALU) and control unit, a method of organization that persists to the present.
NSC #2 - D3 02 - Peter Hlavaty - Attack on the CoreNoSuchCon
This document discusses kernel exploitation techniques. It begins by explaining the KernelIo technique for reading and writing kernel memory on Windows and Linux despite protections like SMAP and SMEP. It then discusses several vulnerability cases that can enable KernelIo like out of bounds writes, kmalloc overflows, and abusing KASLR. Next, it analyzes design flaws in kernels like linked lists, hidden pointers, and callback mechanisms. It evaluates the state of exploitation on modern systems and envisions future hardened operating system designs. It advocates moving to C++ for exploitation development rather than shellcoding and introduces a C++ exploitation framework. The document was presented by Peter Hlavaty of the Keen Team and encourages recruitment for vulnerability research.
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson
The document discusses advanced persistent threats and techniques used by attackers both historically and currently. It covers topics like out-of-band analysis techniques to gain "perfect knowledge" of attackers through reverse engineering, using telemetry and signatures to detect malware, and challenges with scanning techniques due to polymorphism and evasion methods used by attackers.
This document discusses attacking embedded systems and analyzing firmware. It begins by explaining why embedded system vulnerabilities are important, as these devices often have weak security and are on critical network paths. It then covers techniques for detecting devices, including active scanning with Nmap and Nessus. Firmware analysis methods like strings, hexdump and grep are presented for initial examination. The document introduces tools for extracting filesystems from firmware and analyzing file contents. It emphasizes that emulation with Qemu allows debugging binaries from extracted firmware.
This document provides an introduction to mobile security. It discusses how mobile security differs from traditional security due to factors like hardware architecture, device capabilities, and software ecosystems. It covers topics like processor architecture, device capabilities, malware types, software ecosystems, and case studies. The overview section summarizes that mobile security faces challenges from architectural complexity, new attack vectors, mobile operating systems, common software problems like cryptographic misuse, and current research techniques.
System-level Threats: Dangerous Assumptions in modern Product SecurityCristofaro Mune
Current devices are complex products: a result of an ecosystem effort, with HW and SW components provided by several manufacturers, across long supply chains.
System-level threats may materialize in the interaction of diverse sub-systems and components, due to assumptions occurring at different stages of the production chain. This encompasses not only the design phase, but also (HW & SW) development, threat modeling and even security testing.
This presentation explores some classes of such assumptions, as distilled by presenter’s experience.
Relevant attacks such as "Timing Attacks against IoT devices" or "Bypassing an encrypted Secure Boot with Fault Injection" are also discussed.
If you are involved in securing modern digital products, as a Developer, HW or SW System Architect, Product Security Manager or as a Security Researcher, you may find them interesting
This talk has been presented at HITB Dubai 2018 security conference.
This lecture discusses principles of secure coding and lessons learned from past security incidents. It covers topics like:
- Design principles like least privilege and complete mediation.
- Common coding errors that led to vulnerabilities like buffer overflows.
- The importance of input validation, logging, and avoiding risky functions.
- Lessons from fuzz testing programs and the need for secure development practices.
- Authentication techniques like hashing passwords and limiting privileges.
- The role of policy, usability, and social aspects in security.
Understanding User Behavior with Google Analytics.pdfSEO Article Boost
Unlocking the full potential of Google Analytics is crucial for understanding and optimizing your website’s performance. This guide dives deep into the essential aspects of Google Analytics, from analyzing traffic sources to understanding user demographics and tracking user engagement.
Traffic Sources Analysis:
Discover where your website traffic originates. By examining the Acquisition section, you can identify whether visitors come from organic search, paid campaigns, direct visits, social media, or referral links. This knowledge helps in refining marketing strategies and optimizing resource allocation.
User Demographics Insights:
Gain a comprehensive view of your audience by exploring demographic data in the Audience section. Understand age, gender, and interests to tailor your marketing strategies effectively. Leverage this information to create personalized content and improve user engagement and conversion rates.
Tracking User Engagement:
Learn how to measure user interaction with your site through key metrics like bounce rate, average session duration, and pages per session. Enhance user experience by analyzing engagement metrics and implementing strategies to keep visitors engaged.
Conversion Rate Optimization:
Understand the importance of conversion rates and how to track them using Google Analytics. Set up Goals, analyze conversion funnels, segment your audience, and employ A/B testing to optimize your website for higher conversions. Utilize ecommerce tracking and multi-channel funnels for a detailed view of your sales performance and marketing channel contributions.
Custom Reports and Dashboards:
Create custom reports and dashboards to visualize and interpret data relevant to your business goals. Use advanced filters, segments, and visualization options to gain deeper insights. Incorporate custom dimensions and metrics for tailored data analysis. Integrate external data sources to enrich your analytics and make well-informed decisions.
This guide is designed to help you harness the power of Google Analytics for making data-driven decisions that enhance website performance and achieve your digital marketing objectives. Whether you are looking to improve SEO, refine your social media strategy, or boost conversion rates, understanding and utilizing Google Analytics is essential for your success.
Instagram has become one of the most popular social media platforms, allowing people to share photos, videos, and stories with their followers. Sometimes, though, you might want to view someone's story without them knowing.
Discover the benefits of outsourcing SEO to Indiadavidjhones387
"Discover the benefits of outsourcing SEO to India! From cost-effective services and expert professionals to round-the-clock work advantages, learn how your business can achieve digital success with Indian SEO solutions.
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
4. Why firmware analysis
• Firmware is the operating system
• Firmware is most exploited *
• 32% of firmware has more than 10 critical KNOWN vulnerabilities **
• Firmware analysis is more important than ever
* Source https://eclypsium.com/2022/06/28/know-your-enemy-and-yourself-a-deep-dive-on-cisa-kev/
** Source https://www.microsoft.com/en-us/security/business/microsoft-digital-defense-report-2022
5. The typical workflow
• Do some strings
• Do some binwalk/unblob
• Do some find
• Do some regex
• Do a lot of research (aka Google it)
• Load something into IDA/Ghidra
• Find weaknesses, vulnerabilities, interesting areas
6. EMBA to the rescue
Get the firmware (vendor, hardware)
Extract the firmware (e.g., Linux filesystem, Kernel)
Analyze the firmware
Report all the things
7. Get the firmware
• Updates from vendor / web site
• Shell access – copy the filesystem via scp, ftp, tftp, nc or to storage device
• Other vulnerabilities e.g., command injection
• JTAG / SWD
• Communication sniffing (e.g., SPI)
• Desolder Flash memory and extract the content
9. The EMBA extraction process
(Flowchart; the recoverable steps and branches are listed here.)
• EMBA extraction classifier routes the input to one of these branches:
• Ext/UFS filesystems -> Mount & copy
• VMWare images -> Mount & copy
• Encrypted images -> Decrypt (leaked keys)
• Special images -> Custom tool (e.g. Freetz NG)
• Other systems -> Binwalk
• Always: Basic compression -> Extract (patool)
• Identify Linux root filesystem: OK -> EMBA analyzer; Not OK -> Deep extraction (Binwalk)
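As an added example (not EMBA's own code), a minimal classifier in the spirit of the extraction flow above: it routes a file by its magic bytes and decides whether an extracted tree already looks like a Linux root filesystem. The magic values are the standard ones for each format; the branch names are the slide's. Encrypted and vendor-specific "special" images need vendor knowledge and are not detected here.

```shell
#!/usr/bin/env bash
# Added example, not EMBA's own code: a minimal input classifier in the spirit
# of the extraction flow on slide 9. Magic values are the standard ones for
# each format; the branch names are the ones used on the slide. Encrypted and
# vendor-specific "special" images need vendor knowledge and are not detected.

# Print LENGTH bytes of FILE starting at OFFSET as lowercase hex.
hex_at() {  # hex_at FILE OFFSET LENGTH
  od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Decide which extraction branch a single image file should take.
classify_image() {  # classify_image FILE
  local f="$1" m4 m2
  m4=$(hex_at "$f" 0 4)
  m2=$(hex_at "$f" 0 2)
  case "$m4" in
    4b444d56) echo "VMWare image -> mount & copy"; return ;;  # "KDMV", VMDK
    68737173) echo "SquashFS image -> binwalk"; return ;;     # "hsqs"
  esac
  case "$m2" in
    1f8b|425a|fd37)                           # gzip, bzip2, xz containers
      echo "basic compression -> extract (patool)"; return ;;
  esac
  # ext2/3/4 keep the superblock magic 0x53EF at byte 1080 (0x438), little-endian.
  if [ "$(hex_at "$f" 1080 2)" = "53ef" ]; then
    echo "Ext filesystem -> mount & copy"; return
  fi
  echo "other -> binwalk"
}

# After extraction: does DIR look like a Linux root filesystem? (The "OK"
# branch on the slide hands such a tree to the EMBA analyzer modules.)
is_linux_rootfs() {  # is_linux_rootfs DIR
  local d="$1" need
  for need in bin etc lib; do
    if [ ! -d "$d/$need" ]; then return 1; fi
  done
  # at least one hallmark of a bootable root: passwd file, init or busybox
  [ -e "$d/etc/passwd" ] || [ -e "$d/sbin/init" ] || [ -e "$d/init" ] || [ -e "$d/bin/busybox" ]
}

# Usage: classify every path given on the command line.
for input in "$@"; do
  if [ -d "$input" ]; then
    if is_linux_rootfs "$input"; then echo "$input: Linux root filesystem -> analyzer"
    else echo "$input: directory without root filesystem -> deep extraction"; fi
  elif [ -f "$input" ]; then
    echo "$input: $(classify_image "$input")"
  fi
done
```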
10. Finally, we have something extracted
Which files and directories are there?
Which binaries, configuration files, …?
Which architecture are we dealing with?
Which binary protections are in use?
Which software versions are in use?
Is some outdated software in use?
Which areas are from the vendor, which are open source?
Where are possible weak spots or interesting functions used?
Which kernel?
Are there hard-coded passwords?
Scripting issues (shell, python, php, …)?
Insecure permissions?
Weak configurations?
Public exploits?
Dynamic analysis?
Reporting
(Figure label: EMBA analyzer modules)
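For the architecture question above, an added example (not EMBA's own code) that reads the ELF header of an extracted binary directly: class, byte order, machine and whether the file is a fixed-address executable or a position-independent one. Offsets and constants are the ELF specification's; nothing else is assumed.

```shell
#!/usr/bin/env bash
# Added example, not EMBA's own code: answer "which architecture are we dealing
# with?" for an extracted binary by reading its ELF header directly. Offsets
# and constants come from the ELF specification (e_ident, e_type, e_machine).

# Print LENGTH bytes of FILE starting at OFFSET as lowercase hex.
hex_at() {  # hex_at FILE OFFSET LENGTH
  od -An -tx1 -j "$2" -N "$3" "$1" 2>/dev/null | tr -d ' \n'
}

# Read the 16-bit field at OFFSET honouring the file's byte order (ENDIAN is
# "big" or "little"); prints four hex digits, most significant byte first.
u16_at() {  # u16_at FILE OFFSET ENDIAN
  local b0 b1
  b0=$(hex_at "$1" "$2" 1)
  b1=$(hex_at "$1" $(($2 + 1)) 1)
  if [ "$3" = big ]; then echo "$b0$b1"; else echo "$b1$b0"; fi
}

# Summarise one ELF file as "<class> <machine> <byte order> <type>".
elf_arch() {  # elf_arch FILE
  local f="$1" bits endian mach type
  [ "$(hex_at "$f" 0 4)" = "7f454c46" ] || { echo "not an ELF file"; return 1; }
  case "$(hex_at "$f" 4 1)" in 01) bits=ELF32 ;; 02) bits=ELF64 ;; *) bits="ELF?" ;; esac
  case "$(hex_at "$f" 5 1)" in 02) endian=big ;; *) endian=little ;; esac
  type=$(u16_at "$f" 16 "$endian")   # e_type
  mach=$(u16_at "$f" 18 "$endian")   # e_machine
  case "$mach" in
    0003) mach=x86 ;;      003e) mach=x86-64 ;;
    0028) mach=ARM ;;      00b7) mach=ARM64 ;;
    0008) mach=MIPS ;;     0014) mach=PowerPC ;;
    *)    mach="unknown(0x$mach)" ;;
  esac
  case "$type" in
    0002) type=exec ;;                          # fixed load address
    0003) type="dyn (PIE or shared object)" ;;  # relocated at load time
    *)    type="type 0x$type" ;;
  esac
  echo "$bits $mach $endian-endian $type"
}

# Usage: summarise every file given on the command line (non-ELF inputs are
# reported as such), e.g. the contents of an extracted rootfs/bin.
for f in "$@"; do
  echo "$f: $(elf_arch "$f")"
done
```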
12. What is emulation?
In computing, an emulator is hardware or software that enables one computer system (called the host) to behave like another computer system (called the guest).
An emulator typically enables the host system to run software or use peripheral devices designed for the guest system.*
* https://en.wikipedia.org/wiki/Emulator
13. Modes of emulation
• User-mode emulation
QEMU can launch Linux processes compiled for one CPU on another CPU, translating syscalls on the fly.
14. Modes of emulation
• System-mode emulation
QEMU emulates a full system, including a processor and various peripherals such as disk, ethernet controller etc.
Challenges:
• Architecture
• Kernel
• Filesystem
• Peripherals
• ... and more
15. EMBA live tester modules
• Full system-mode emulation brought to automated firmware analysis
• Based on firmadyne and FirmAE*
• Both projects are not actively maintained anymore
• Complete re-implementation as EMBA modules
• Automated testing of emulation and basic checks as additional testing modules
• Multiple improvements of emulation capabilities are already in place
• NEW: Metasploit integration
• NEW: Enhanced architecture support (ARM64, MIPS64, x86)
• Further room for future improvements (e.g., more architectures)
* https://github.com/firmadyne/firmadyne and https://github.com/pr0v3rbs/FirmAE/
16. EMBA live tester modules - Benchmark*
* https://github.com/pr0v3rbs/FirmAE/#dataset