This document discusses return-oriented programming (ROP) techniques for exploiting systems with non-executable memory pages. It provides an overview of ROP, describes algorithms for automatically finding "gadgets" (snippets of code) within a binary that can be chained together to perform tasks, and introduces a ROP compiler called The Wolf that helps chain gadgets while accounting for side effects. The goal is to execute attacker-controlled code on systems with protections like code signing and sandboxing enabled.
1. Everybody be cool, this is a roppery!
Vincenzo Iozzo (vincenzo.iozzo@zynamics.com) zynamics GmbH
Tim Kornau (tim.kornau@zynamics.com) zynamics GmbH
Ralf-Philipp Weinmann (ralf-philipp.weinmann@uni.lu) Université du Luxembourg
BlackHat Vegas 2010
6. But life is hard
Code signing
Sandboxing
ROP
We were lucky!
7. Code Signing
Used to make sure that only signed (Apple verified) binaries can be executed
• If a page has write permissions it can’t have executable permissions
• No executable pages on the heap
• Only signed pages can be executed
8. ROP
[Diagram: attacker controlled memory laid out as a chain of entries, each holding the variables for a gadget followed by the address of the next gadget; each gadget is an instruction sequence within the attacked binary that ends in a return sequence.]
9. ROP - Workflow
1. Find the gadgets
2. Chain them to form a payload
3. Test the payload on your target
11. Goal definition
Build an algorithm which is capable of locating gadgets within a given binary automatically without major side effects.
12. Motivation I
Little spirits need access to a wide range of devices.
Because what is a device without a spirit?
13. Motivation II
We want to be able to execute our code:
• in the presence of non-executable protection (AKA NX bit)
• when code signing of binaries is enabled.
• but we do not aim at ASLR.
14. Strategy I
• Build a program from parts of another program
• These parts are named gadgets
• A gadget is a sequence of (useable) instructions
• Gadget combination must be possible
• end in a “free-branch”
• Gadgets must provide a useful operation
• for example A + B
15. Strategy II
• The subset of useful gadgets must be locatable in the set of all gadgets
• Only the “simplest” gadget for an operation should be used
• Side effects of gadgets must be near to zero to avoid destroying results of previously executed code sequences.
• Use the REIL meta language to be platform independent.
16. Strategy III
A small introduction to the REIL meta language
• small RISC instruction set (17 instructions)
• Arithmetic instructions (ADD, SUB, MUL, DIV, MOD, BSH)
• Bitwise instructions (AND, OR, XOR)
• Logical instructions (BISZ, JCC)
• Data transfer instructions (LDM, STM, STR)
• Other instructions (NOP, UNDEF, UNKN)
• register machine
• unlimited number of temp registers
• side effect free
• no exceptions, floating point, 64Bit, ..
17. Algorithms
• Stage I → Collect data from the binary
• Stage II → Merge the collected data
• Stage III → Locate useful gadgets in merged data
18. Algorithms stage I (I)
Goal of the stage I algorithms:
• Collect data from the binary
1. Extract expression trees from native instructions
2. Extract path information
[Figures: an expression tree with a + node over the operands R0 and 15; a control flow graph with nodes A to E showing an extracted path.]
19. Algorithms stage I (II)
Details of the stage I algorithms:
1. Expression tree extraction
• Handlers for each possible REIL instruction
1. Most of the handlers are simple transformations
2. STM and JCC need to be treated specially
2. Path extraction
• Path is extracted in reverse control flow order
[Figures: example expression trees built of +, *, OP, BISZ and COND nodes for the STM and JCC special cases.]
20. Algorithms stage II (I)
Goal of the stage II algorithms:
• Merge the collected data from stage I
1. Combine the expression trees for single native instructions along a path
2. Determine jump conditions on the path
3. Simplify the result
21. Algorithms stage II (II)
Details of the stage II algorithms:
• Combine the expression trees for single native instructions along a path
1. 0x00000001 ADD R0, R1, R2
2. 0x00000002 STR R0, R4
3. 0x00000003 LDMFD SP! {R4,LR}
4. 0x00000004 BX LR
22. Algorithms stage II (III)
Details of the stage II algorithms:
• Determine jump conditions on the path:
1. 0x00000001 SOME INSTRUCTION
2. 0x00000002 BEQ 0xADDRESS → generate condition tree (Z flag must be false for the path to continue)
3. 0x00000003 SOME INSTRUCTION
4. 0x00000004 SOME INSTRUCTION
• Simplify the result:
R0 = ((((((R2+4)+4)+4)+4) OR 0) AND 0xFFFFFFFF)
R0 = R2+16
23. Algorithms stage III (I)
Goal of the stage III algorithms:
• Search for useful gadgets in the merged data
Use a tree match handler for each operation.
• Select the simplest gadget for each operation
Use a complexity value to determine the gadget which is least complex (side effects).
24. Algorithms stage III (II)
Details of the stage III algorithms:
• Search for useful gadgets in the merged data
Trees of a gadget candidate are compared to the tree of a specific operation.
Can you spot the match?
25. Algorithms stage III (III)
Details of the stage III algorithms:
• Select the simplest gadget for each operation
There are in most cases more instruction sequences which provide a specific operation. The overall complexity of all trees is used to determine which gadget is the simplest.
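As an added example (not code from the slides or from the zynamics tool), a toy Python model of the stage II merge-and-simplify step and the stage III tree matching and complexity scoring described on slides 20 to 25; it reproduces the slide 22 simplification. Trees are nested tuples, the instruction encoding, the wildcard syntax and the candidate gadgets are all constructed for illustration.

```python
# Added example, not from the slides: a toy model of the stage II/III
# algorithms on a REIL-like register machine. Expression trees are nested
# tuples (op, left, right); registers are strings, constants are ints.
# Instruction encoding and gadget names below are constructed for illustration.

MASK32 = 0xFFFFFFFF

def merge_path(instrs):
    """Stage II: walk a path of (op, dst, src1, src2) instructions and build
    one expression tree per written register. STR copies a value."""
    env = {}                                     # register -> tree

    def val(x):                                  # current tree of an operand
        return env.get(x, x) if isinstance(x, str) else x

    for op, dst, a, b in instrs:
        env[dst] = val(a) if op == "STR" else (op, val(a), val(b))
    return env

def simplify(t):
    """Stage II: constant folding and identity removal (32-bit semantics)."""
    if not isinstance(t, tuple):
        return t
    op, a, b = t[0], simplify(t[1]), simplify(t[2])
    if isinstance(a, int) and isinstance(b, int):
        return {"ADD": (a + b) & MASK32, "OR": a | b, "AND": a & b}[op]
    if op == "ADD" and b == 0:                   # x + 0 -> x
        return a
    if (op == "ADD" and isinstance(b, int) and isinstance(a, tuple)
            and a[0] == "ADD" and isinstance(a[2], int)):
        return simplify(("ADD", a[1], (a[2] + b) & MASK32))  # (x+c1)+c2 -> x+(c1+c2)
    if op == "OR" and b == 0:                    # x OR 0 -> x
        return a
    if op == "AND" and b == MASK32:              # x AND 0xFFFFFFFF -> x
        return a
    return (op, a, b)

def complexity(t):
    """Stage III: node count; the sum over all of a gadget's trees is its score."""
    return 1 if not isinstance(t, tuple) else 1 + complexity(t[1]) + complexity(t[2])

def matches(tree, pattern):
    """Stage III: structural tree match; pattern leaves starting with '$' match anything."""
    if isinstance(pattern, str) and pattern.startswith("$"):
        return True
    if isinstance(tree, tuple) and isinstance(pattern, tuple):
        return tree[0] == pattern[0] and all(matches(x, y) for x, y in zip(tree[1:], pattern[1:]))
    return tree == pattern

def find_gadgets(candidates, pattern):
    """Stage III: candidates are (name, path). Keep those where some register's
    simplified tree matches the operation pattern; least complex first."""
    hits = []
    for name, path in candidates:
        trees = {r: simplify(t) for r, t in merge_path(path).items()}
        if any(matches(t, pattern) for t in trees.values()):
            hits.append((sum(complexity(t) for t in trees.values()), name, trees))
    return sorted(hits)

# The path behind slide 22: R0 = ((((((R2+4)+4)+4)+4) OR 0) AND 0xFFFFFFFF)
SLIDE22_PATH = [("ADD", "R0", "R2", 4), ("ADD", "R0", "R0", 4), ("ADD", "R0", "R0", 4),
                ("ADD", "R0", "R0", 4), ("OR", "R0", "R0", 0), ("AND", "R0", "R0", MASK32)]

CANDIDATES = [                                   # constructed gadget candidates
    ("g_add_r2_16", SLIDE22_PATH),
    ("g_add_with_side_effect", [("ADD", "R0", "R1", "R2"), ("STR", "R4", "R0", None)]),
    ("g_or_only", [("OR", "R0", "R1", "R2")]),
]

if __name__ == "__main__":
    print(simplify(merge_path(SLIDE22_PATH)["R0"]))          # ('ADD', 'R2', 16)
    for score, name, trees in find_gadgets(CANDIDATES, ("ADD", "$a", "$b")):
        print(score, name, trees)
```

The second candidate also computes an addition but writes the result to R4 as well, so its total tree complexity is higher and it ranks after the side-effect-free one.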
26. Results of gadget finding
• Algorithms for automatic return-oriented
programming gadget search are possible.
• The described algorithms automatically find the
necessary parts to build the return-oriented
program.
• Searching for gadgets is not only platform but also
very compiler dependent.
27. So what is next
After automatic gadget extraction we need a simple and effective way to combine them.
29. Chaining gadgets
… by hand is like playing Tetris
With very ugly blocks
Each gadget set defines a custom ISA
We have better scores than at...
37. Hired help: STP
Mr. Wolf is a high-level problem solver: he likes to delegate
Menial work: let someone else do it
In this case STP [Simple Theorem Prover]
38. What is STP?
Constraint solver for problems involving bit-vectors and arrays
Open-source, written by Vijay Ganesh
Used for model-checking, theorem proving, EXE, etc.
Gives a Boolean answer whether a formula is satisfiable & an assignment if it is
40. High-level algorithm
For multi-assignments:
1. Find all gadgets assigning to targets
2. Verify constraints for each
(protect/memread/memcorrupt)
3. Find all gadgets for expressions on RHS
4. Chain expression gadgets
5. Connect LHS and RHS
41. Notes on chaining algorithm
Chaining for arithmetic/logical expressions may use registers/memory locations for temporary results
Multi-assignments give us freedom
Algorithm sometimes may fail because constraints cannot be satisfied [insufficient gadgets]
42. K got the payload, now?
You could test it on a jailbroken phone
• Does not match reality!
• No code signing for instance
• Still an option if exploit reliability is not your primary concern
43. K got the payload, now?
You could test it on a developer phone
• Have a small application to reproduce a “ROP scenario”
• Depending on the application you’re targeting the sandbox policy is different
• Still closer to reality
44. Simple plan
• Allocate a buffer on the heap
• Fill the buffer with the shellcode
• Point the stack pointer to the beginning of the attacker controlled memory
• Execute the payload
• Restore
45. Future work
• Port to other platforms (eg: x86)
• Abstract language to describe gadgets
• Try to avoid “un-decidable” constraints
• Make it more flexible to help when ASLR is in place