The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
Dynamic Binary Analysis and Obfuscated Codes Jonathan Salwan
At this presentation we will talk about how a DBA (Dynamic Binary Analysis) may help a reverse engineer to reverse obfuscated code. We will first introduce some basic obfuscation techniques and then expose how it's possible to break some stuffs (using our open-source DBA framework - Triton) like detect opaque predicates, reconstruct CFG, find the original algorithm, isolate sensible data and many more... Then, we will conclude with a demo and few words about our future work.
https://2018.zeronights.ru/en/reports/reverse-proxies-inconsistency/
Modern websites are growing more complex with different reverse proxies and balancers covering them. They are used for various purposes: request routing, caching, putting additional headers, restricting access. In other words, reverse proxies must both parse incoming requests and modify them in a particular way. However, path parsing may turn out to be quite a challenge due to mismatches in the parsing of different web servers. Moreover, request converting may imply a wide range of different consequences from a cybersecurity point of view. I have analyzed different reverse proxies with different configurations, the ways they parse requests, apply rules, and perform caching. In this talk, I will both speak about general processes and the intricacies of proxy operation and demonstrate the examples of bypassing restrictions, expanding access to a web application, and new attacks through the web cache deception and cache poisoning.
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the history of SSRF attack, or Server Side Request Forgery, its types and different kinds of attacks on SAP.
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUsPriyanka Aash
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
Escalating Privileges in Linux using Fault Injection - FDTC 2017Cristofaro Mune
FDTC 2017 presentation slides from our work, performed by me and Niek Timmers from @Riscure, on Fault Injection attacks applied to Linux.
Our work points out how Fault Injection (FI) techniques can be used for escalating privileges in large code bases, like the Linux OS.
Escalation of privilege can be obtained in minutes, after setup preparation and target characterization.
We also discuss the impacts of a new FI attack technique that allows reliable loading of arbitrary values into registers. We show that control of kernel space Program Counter can be obtained by a userspace application, potentially leading to arbitrary code execution, even in absence of known SW vulnerabilities.
Finally, we discuss possible mitigations, showing how, for this new class of attacks, classical FI countermeasures implemented in SW are insufficient, while modern SW exploit mitigations become applicable.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...bugcrowd
WATCH JASON'S TALK LIVE, 8/14 @ 11AM PDT - Register Here: http://bgcd.co/DEFCON23-haddix
Jason Haddix explores successful tactics and tools used by himself and the best bug hunters. Practical methodologies, tools and tips that make you better at hacking websites and mobile apps to claim those bounties.
Follow Jason on Twitter: http://twitter.com/jhaddix
Follow Bugcrowd on Twitter: http://twitter.com/bugcrowd
Check out the latest bug bounties on Bugcrowd: https://bugcrowd.com/programs
Ekoparty 2017 - The Bug Hunter's Methodologybugcrowd
Goals of this Presentation:
- Outline and provide an actionable methodology for effectively and efficiently testing for, and finding security vulnerabilities in web applications
- Cover common vulnerability classes/types/categories from a high level
- Provide useful tools and processes that you can take right out into the world to immediately improve your own bug hunting abilities
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He have recieved the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call 02:30 a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
SSRF vs. Business-critical applications. XXE tunneling in SAPERPScan
Any information an attacker might want is stored in a company’s ERP. This information can include financial, customer or public relations, intellectual property, personally identifiable information and more. Industrial espionage, sabotage and fraud or insider embezzlement may be very effective if targeted at the victim’s ERP system and cause significant damage to the business.
The presentation describes the history of SSRF attack, or Server Side Request Forgery, its types and different kinds of attacks on SAP.
GOD MODE UNLOCKED - Hardware Backdoors in x86 CPUsPriyanka Aash
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in some x86 processors, and they're buried deeper than we ever imagined possible. While this research specifically examines a third-party processor, we use this as a stepping stone to explore the feasibility of more widespread hardware backdoors.
Escalating Privileges in Linux using Fault Injection - FDTC 2017Cristofaro Mune
FDTC 2017 presentation slides from our work, performed by me and Niek Timmers from @Riscure, on Fault Injection attacks applied to Linux.
Our work points out how Fault Injection (FI) techniques can be used for escalating privileges in large code bases, like the Linux OS.
Escalation of privilege can be obtained in minutes, after setup preparation and target characterization.
We also discuss the impacts of a new FI attack technique that allows reliable loading of arbitrary values into registers. We show that control of kernel space Program Counter can be obtained by a userspace application, potentially leading to arbitrary code execution, even in absence of known SW vulnerabilities.
Finally, we discuss possible mitigations, showing how, for this new class of attacks, classical FI countermeasures implemented in SW are insufficient, while modern SW exploit mitigations become applicable.
PANDEMONIUM: Automated Identification of Cryptographic Algorithms using Dynam...CODE BLUE
Malware utilize many cryptographic algorithms.
To fight against malware, analysts have to reveal details on malware activities.
Accordingly, it is important to identify cryptographic algorithms used in malware.
In this track, I propose a faster and extensible method to automatically detect known cryptographic algorithms in malware using dynamic binary instrumentation and fuzzy hashing.
GOD MODE Unlocked: Hardware backdoors in x86 CPUsPriyanka Aash
Complexity is increasing. Trust eroding. In the wake of Spectre and Meltdown, when it seems that things cannot get any darker for processor security, the last light goes out. This talk will demonstrate what everyone has long feared but never proven: there are hardware backdoors in x86 processors, and they’re buried deeper than we ever imagined possible.
In this talk, we walk through how we discovered a privilege escalation backdoor in a family of x86 CPUs, that allows an unprivileged user, on an unmodified system, to circumvent all processor security checks and escalate from ring 3 to ring 0 – permitting an unprivileged, arbitrary userland program to directly modify and execute code inside of the kernel, regardless of the operating system, security patches, antivirus, firmware, etc.
Speakers:
Christopher Domas, Cyber Security Researcher
Mingbo Zhang, Rutgers University
Saman Zonouz, Rutgers University
Time-of-check-to-time-of-use (TOCTOU) also known as “race condition” or “double fetch” is a long standing problem. Since memory read/write is so common an operation, it barely triggers no security mechanisms. We leverage a CPU feature called SMAP(Supervisor Mode Access Prevention) to efficiently monitor the events of kernel accessing user-mode memory. When user pages being accessed by kernel, our mitigation kicks in and protect them against further modifications from other user-mode threads. We also leverage the same CPU feature to find double fetch errors in kernel modules. A simple hypervisor is used to confine a system wide CPU feature such as SMAP to particular process.
Finding Xori: Malware Analysis Triage with Automated DisassemblyPriyanka Aash
In a world of high volume malware and limited researchers, we need a dramatic improvement in our ability to process and analyze new and old malware at scale. Unfortunately, what is currently available to the community is incredibly cost prohibitive or does not rise to the challenge. As malware authors and distributors share code and prepackaged tool kits, the white hat community is dominated by solutions aimed at profit as opposed to augmenting capabilities available to the broader community. With that in mind, we are introducing our library for malware disassembly called Xori as an open source project. Xori is focused on helping reverse engineers analyze binaries, optimizing for time and effort spent per sample.
Xori is an automation-ready disassembly and static analysis library that consumes shellcode or PE binaries and provides triage analysis data. This Rust library emulates the stack, register states, and reference tables to identify suspicious functionality for manual analysis. Xori extracts structured data from binaries to use in machine learning and data science pipelines.
We will go over the pain-points of conventional open source disassemblers that Xori solves, examples of identifying suspicious functionality, and some of the interesting things we've done with the library. We invite everyone in the community to use it, help contribute and make it an increasingly valuable tool in this arms race.
The Java Memory Model describes how threads in the Java programming language interact through memory. Together with the description of single-threaded execution of code, the memory model provides the semantics of the Java programming language.
It is crucial for a programmer to know how, according to Java Language Specification, write correctly synchronized, race free programs.
The presentation in great details explains how modern CPUs work, what is instruction pipeline, cache, superscalar CPUs, out of order execution, speculative execution, branch misses and what is branch predictor.
Then the presentation explains step-by-step how the spectre attack works and why it was possible.
Next it touches process isolation, system calls and privilege levels, explains step-by-step how the meltdown attack works and why it was possible.
At the very end there is a source code for Spectre-based Meltdown attack (i.e. 2-in-1) in just 99 lines of code.
Harnessing WebAssembly for Real-time Stateless Streaming PipelinesChristina Lin
Traditionally, dealing with real-time data pipelines has involved significant overhead, even for straightforward tasks like data transformation or masking. However, in this talk, we’ll venture into the dynamic realm of WebAssembly (WASM) and discover how it can revolutionize the creation of stateless streaming pipelines within a Kafka (Redpanda) broker. These pipelines are adept at managing low-latency, high-data-volume scenarios.
Water billing management system project report.pdfKamal Acharya
Our project entitled “Water Billing Management System” aims is to generate Water bill with all the charges and penalty. Manual system that is employed is extremely laborious and quite inadequate. It only makes the process more difficult and hard.
The aim of our project is to develop a system that is meant to partially computerize the work performed in the Water Board like generating monthly Water bill, record of consuming unit of water, store record of the customer and previous unpaid record.
We used HTML/PHP as front end and MYSQL as back end for developing our project. HTML is primarily a visual design environment. We can create a android application by designing the form and that make up the user interface. Adding android application code to the form and the objects such as buttons and text boxes on them and adding any required support code in additional modular.
MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software. It is a stable ,reliable and the powerful solution with the advanced features and advantages which are as follows: Data Security.MySQL is free open source database that facilitates the effective management of the databases by connecting them to the software.
Forklift Classes Overview by Intella PartsIntella Parts
Discover the different forklift classes and their specific applications. Learn how to choose the right forklift for your needs to ensure safety, efficiency, and compliance in your operations.
For more technical information, visit our website https://intellaparts.com
We have compiled the most important slides from each speaker's presentation. This year’s compilation, available for free, captures the key insights and contributions shared during the DfMAy 2024 conference.
HEAP SORT ILLUSTRATED WITH HEAPIFY, BUILD HEAP FOR DYNAMIC ARRAYS.
Heap sort is a comparison-based sorting technique based on Binary Heap data structure. It is similar to the selection sort where we first find the minimum element and place the minimum element at the beginning. Repeat the same process for the remaining elements.
Understanding Inductive Bias in Machine LearningSUTEJAS
This presentation explores the concept of inductive bias in machine learning. It explains how algorithms come with built-in assumptions and preferences that guide the learning process. You'll learn about the different types of inductive bias and how they can impact the performance and generalizability of machine learning models.
The presentation also covers the positive and negative aspects of inductive bias, along with strategies for mitigating potential drawbacks. We'll explore examples of how bias manifests in algorithms like neural networks and decision trees.
By understanding inductive bias, you can gain valuable insights into how machine learning models work and make informed decisions when building and deploying them.
Welcome to WIPAC Monthly the magazine brought to you by the LinkedIn Group Water Industry Process Automation & Control.
In this month's edition, along with this month's industry news to celebrate the 13 years since the group was created we have articles including
A case study of the used of Advanced Process Control at the Wastewater Treatment works at Lleida in Spain
A look back on an article on smart wastewater networks in order to see how the industry has measured up in the interim around the adoption of Digital Transformation in the Water Industry.
NUMERICAL SIMULATIONS OF HEAT AND MASS TRANSFER IN CONDENSING HEAT EXCHANGERS...ssuser7dcef0
Power plants release a large amount of water vapor into the
atmosphere through the stack. The flue gas can be a potential
source for obtaining much needed cooling water for a power
plant. If a power plant could recover and reuse a portion of this
moisture, it could reduce its total cooling water intake
requirement. One of the most practical way to recover water
from flue gas is to use a condensing heat exchanger. The power
plant could also recover latent heat due to condensation as well
as sensible heat due to lowering the flue gas exit temperature.
Additionally, harmful acids released from the stack can be
reduced in a condensing heat exchanger by acid condensation. reduced in a condensing heat exchanger by acid condensation.
Condensation of vapors in flue gas is a complicated
phenomenon since heat and mass transfer of water vapor and
various acids simultaneously occur in the presence of noncondensable
gases such as nitrogen and oxygen. Design of a
condenser depends on the knowledge and understanding of the
heat and mass transfer processes. A computer program for
numerical simulations of water (H2O) and sulfuric acid (H2SO4)
condensation in a flue gas condensing heat exchanger was
developed using MATLAB. Governing equations based on
mass and energy balances for the system were derived to
predict variables such as flue gas exit temperature, cooling
water outlet temperature, mole fraction and condensation rates
of water and sulfuric acid vapors. The equations were solved
using an iterative solution technique with calculations of heat
and mass transfer coefficients and physical properties.
Hybrid optimization of pumped hydro system and solar- Engr. Abdul-Azeez.pdffxintegritypublishin
Advancements in technology unveil a myriad of electrical and electronic breakthroughs geared towards efficiently harnessing limited resources to meet human energy demands. The optimization of hybrid solar PV panels and pumped hydro energy supply systems plays a pivotal role in utilizing natural resources effectively. This initiative not only benefits humanity but also fosters environmental sustainability. The study investigated the design optimization of these hybrid systems, focusing on understanding solar radiation patterns, identifying geographical influences on solar radiation, formulating a mathematical model for system optimization, and determining the optimal configuration of PV panels and pumped hydro storage. Through a comparative analysis approach and eight weeks of data collection, the study addressed key research questions related to solar radiation patterns and optimal system design. The findings highlighted regions with heightened solar radiation levels, showcasing substantial potential for power generation and emphasizing the system's efficiency. Optimizing system design significantly boosted power generation, promoted renewable energy utilization, and enhanced energy storage capacity. The study underscored the benefits of optimizing hybrid solar PV panels and pumped hydro energy supply systems for sustainable energy usage. Optimizing the design of solar PV panels and pumped hydro energy supply systems as examined across diverse climatic conditions in a developing country, not only enhances power generation but also improves the integration of renewable energy sources and boosts energy storage capacities, particularly beneficial for less economically prosperous regions. Additionally, the study provides valuable insights for advancing energy research in economically viable areas. Recommendations included conducting site-specific assessments, utilizing advanced modeling tools, implementing regular maintenance protocols, and enhancing communication among system components.
Student information management system project report ii.pdfKamal Acharya
Our project explains about the student management. This project mainly explains the various actions related to student details. This project shows some ease in adding, editing and deleting the student details. It also provides a less time consuming process for viewing, adding, editing and deleting the marks of the students.
CW RADAR, FMCW RADAR, FMCW ALTIMETER, AND THEIR PARAMETERSveerababupersonal22
It consists of cw radar and fmcw radar ,range measurement,if amplifier and fmcw altimeterThe CW radar operates using continuous wave transmission, while the FMCW radar employs frequency-modulated continuous wave technology. Range measurement is a crucial aspect of radar systems, providing information about the distance to a target. The IF amplifier plays a key role in signal processing, amplifying intermediate frequency signals for further analysis. The FMCW altimeter utilizes frequency-modulated continuous wave technology to accurately measure altitude above a reference point.
Pile Foundation by Venkatesh Taduvai (Sub Geotechnical Engineering II)-conver...
How Triton can help to reverse virtual machine based software protections
1. How Triton can help to reverse virtual machine based
software protections
How to don’t kill yourself when you reverse obfuscated codes.
Jonathan Salwan and Romain Thomas
CSAW SOS in NYC, November 10, 2016
2. About us
Romain Thomas
• Security Research Engineer at Quarkslab
• Working on obfuscation and software protection
Jonathan Salwan
• Security Research Engineer at Quarkslab
• Working on program analysis and software verification
2
3. Roadmap of this talk
Part 1 Short introduction to the Triton framework
Part 2 Short introduction to virtual machine based software protections
Part 3 Demo - Triton vs VMs
3
5. Triton in a nutshell
• A Dynamic Binary Analysis Framework
• Deals with the Intel x86 and x86 64 Instruction Set Architecture (ISA)
• Contains:
• Dynamic Symbolic Execution (DSE) engine [4, 7]
• Taint analysis engine
• Emulation engine
• Representation of the ISA behaviour into an Abstract Syntax Tree (AST)
• AST simplification engine
• Two syntax representations of the AST
• Python
• SMT2
5
13. The API’s input - Symbolic Emulation
API
Instruction 1
Instruction 2
Instruction 3
Instruction 4
Symbolic
Emulation
13
14. Example - How to define an opcode and context
>>> inst = Instruction("x48x31xD0") # xor rax, rdx
>>> inst.setAddress(0x400000)
>>> inst.updateContext(Register(REG.RAX, 0x1234))
>>> inst.updateContext(Register(REG.RDX, 0x5678))
>>> processing(inst)
14
15. Example - How to get semantics expressions
>>> processing(inst)
>>> print inst
400000: xor rax, rdx
>>> for expr in inst.getSymbolicExpressions():
... print expr
...
ref_0 = (0x1234 ^ 05678) # XOR operation
ref_1 = 0x0 # Clears carry flag
ref_2 = 0x0 # Clears overflow flag
ref_3 = ((0x1 ^ [... skipped ...] & 0x1)) # Parity flag
ref_4 = ((ref_0 >> 63) & 0x1) # Sign flag
ref_5 = (0x1 if (ref_0 == 0x0) else 0x0) # Zero flag
ref_6 = 0x400003 # Program Counter 15
16. Example - How to get implicit and explicit read registers
>>> for r in inst.getReadRegisters():
... print r
...
(rax:64 bv[63..0], 0x1234)
(rdx:64 bv[63..0], 0x5678)
16
17. Example - How to get implicit and explicit written registers
>>> for w in inst.getWrittenRegisters():
... print w
...
(rax:64 bv[63..0], (0x1234 ^ 0x5678))
(rip:64 bv[63..0], 0x400003)
(cf:1 bv[0..0], 0x0)
(of:1 bv[0..0], 0x0)
(pf:1 bv[0..0], ... skipped ...)
(sf:1 bv[0..0], ((ref_0 >> 63) & 0x1))
(zf:1 bv[0..0], (0x1 if (ref_0 == 0x0) else 0x0))
17
18. To resume: What kind of information can I get from an instruction?
• All implicit and explicit semantics of an instruction
• GET, PUT, LOAD, STORE
• Semantics (side effects included) representation via an abstract syntax tree based
on the Static Single Assignment (SSA) form
18
20. Ok, but what can I do with all of this?
• Use taint analysis to help during reverse engineering
• Use symbolic execution to cover code
• Use symbolic execution to know what value(s) can hold a register or memory cell
• Simplify expressions for deobfuscation
• Transform expressions for obfuscation
• Match behaviour models for vulnerabilities research
• Be imaginative :)
20
21. Mmmmh, and where instruction sequences can come from?
• From dynamic tracers like Pin, Valgrind, Qemu, ...
• From a memory dump
• From static tools like IDA or whatever...
21
22. Cool, but how many instruction semantics are supported by Triton?
• Development:
• 256 Intel x86 64 instructions 1
• Included 116 SSE/MMX/AVX instructions
• Testing:
• The tests suite 2
of the Qemu TCG 3
• Traces differential 4
1
http://triton.quarkslab.com/documentation/doxygen/SMT Semantics Supported page.html
2
http://github.com/qemu/qemu/tree/master/tests/tcg
3
http://wiki.qemu.org/Documentation/TCG
4
http://triton.quarkslab.com/blog/What-kind-of-semantics-information-Triton-can-provide/#4
22
24. VM Based Software Protections
Definition:
It’s a kind of obfuscation which transforms an original instruction set (e.g. x86) into
another custom instruction set (VM implementation).
24
28. VM abstract architecture
Fetch Instruction:
Fetch the instruction which will be executed by the VM.
Decode Instruction:
Decode the instruction according to the VM instruction set.
Example:
decode(01 11 12):
• Opcode: 0x01
• Operand 1: 0x11
• Operand 2: 0x12
28
29. VM abstract architecture
Dispatcher:
Jump to the right handler according to opcode and/or operands.
Handlers:
Handlers are the implementation of the VM instruction set.
For instance, the handler for the instruction
mov REG, IMM
could be:
xor REG, REG
or REG, IMM
Terminator:
Finishes the VM execution or continues its execution.
29
37. Tigress challenges
Problem: Given a very secret algorithm obfuscated with a VM. How can we recover
the algorithm without fully reversing the VM?
37
39. Step 2: Define the user input as symbolic variable
π
39
40. Step 3: Concretize everything which is not related to user input
+
x
π +
3 4
-
1 x
2 5
+
x
π 7
9
40
41. Step 4: Use a better canonical representation of expressions
• Arybo [2] uses the Algebraic Normal Form (ANF) representation
ππ
Triton AST Arybo AST
41
42. Step 5: Possible use of symbolic simplifications
ππ
Arybo AST Arybo AST
on steroids
8
https://pythonhosted.org/arybo/concepts.html
42
43. Step 6: From Arybo to LLVM-IR
π
Arybo AST LLVM-IR
43
44. Step 7: Recompile with -O2 optimization and win!
LLVM-IR
Deobfuscated binary
44
49. Let me try by myself
Release: Everything related to this analysis is available on github 9.
9
https://github.com/JonathanSalwan/Tigress protection
49
58. Conclusion
• Symbolic execution is powerful against obfuscations
• Use mathematical complexity expressions against such attacks
• The goal is to imply a timeout on SMT solvers side
58
60. Acknowledgements
• Thanks to Brendan Dolan-Gavitt for his invitation to the S.O.S workshop!
• Kudos to Adrien Guinet for his Arybo 10 framework!
10
https://github.com/quarkslab/arybo
60
61. Contact us
• Romain Thomas
• rthomas at quarkslab com
• @rh0main
• Jonathan Salwan
• jsalwan at quarkslab com
• @JonathanSalwan
• Triton team
• triton at quarkslab com
• @qb triton
• irc: #qb triton@freenode.org
61
62. References I
C. Collberg, S. Martin, J. Myers, and J. Nagra.
Distributed application tamper detection via continuous software updates.
In Proceedings of the 28th Annual Computer Security Applications Conference,
ACSAC ’12, pages 319–328, New York, NY, USA, 2012. ACM.
N. Eyrolles, A. Guinet, and M. Videau.
Arybo: Manipulation, canonicalization and identification of mixed
boolean-arithmetic symbolic expressions.
GreHack, France, Grenoble, 2016.
Y. Kanzaki, A. Monden, and C. Collberg.
Code artificiality: A metric for the code stealth based on an n-gram model.
In SPRO 2015 International Workshop on Software Protection, 2015.
62
63. References II
J. C. King.
Symbolic execution and program testing.
Communications of the ACM, 19(7):385–394, 1976.
C. Lattner and V. Adve.
LLVM: A compilation framework for lifelong program analysis and
transformation.
pages 75–88, San Jose, CA, USA, Mar 2004.
63
64. References III
F. Saudel and J. Salwan.
Triton: A dynamic symbolic execution framework.
In Symposium sur la s´ecurit´e des technologies de l’information et des
communications, SSTIC, France, Rennes, June 3-5 2015, pages 31–54. SSTIC,
2015.
K. Sen, D. Marinov, and G. Agha.
Cute: a concolic unit testing engine for c.
In ACM SIGSOFT Software Engineering Notes, volume 30, pages 263–272. ACM,
2005.
64