TOPPERS SSP is a very safe Operating system which is not rich on network functions. You can make some functions if you need. Please contact us for IoT safety and security design and operation.
TOPPERS SSP is a very safe Operating system which is not rich on network functions. You can make some functions if you need. Please contact us for IoT safety and security design and operation.
Fighting advanced malware using machine learning (Japanese)FFRI, Inc.
Â
n this paper, behavioral-based detection powered by machine learning is introduced. As the result, detection ratio is dramatically improved by comparison with traditional detection.
Needless to say that malware detection is getting harder today. Everybody knows signature-based detection reaches its limit, so that most anti-virus vendors use heuristic, behavioral and reputation-based detections altogether. About targeted attack, basically attackers use undetectable malware, so that reputation-based detection doesn't work well because it needs other victims beforehand. And it is a fact that detection ratio is not enough though we use heuristic and behavioral-based detections. In our research using the Metascan, average detection ratio of newest malware by most anti-virus scanner is about 30 %( the best is about 60 %).
By the way, heuristic and behavioral-based detections are developed by knowledge and experience of malware analyst. For example, most analysts know that following features are indicator that those programs are malicious.
- A file imports VirtualAlloc, VirtualProtect and LoadLibrary only and has a strange section name
- An entry point that does not fall within declared text or code section
- Creating remote threads into a legitimate process like explore.exe
- After unpacking, calling OpenMutex and CreateMutex to avoid multiple infections
- Register itself to auto start extension points like services and registry
- Creating a .bat file and try to delete own itself through executing the file with cmd.exe
- Setting global hook to capture keystroke using SetWindowsHookEx
Heuristic and behavioral-based detections are developed based on those pre-determined features like above. Analysts are finding those features day by day. But, this kind of work is not appropriate for human. Therefore we classified programs as malware or benign by machine learning through dynamic analysis results. Thereby, detection ratio is dramatically improved and we could recognize that which features are strongly related to malware by numeric score. And then, we could find the features which weâve never found by this method. Finally, the outlook and challenges of this method will be tackled.
ãInterop tokyo 2014ããããã°ããŒã¿ã掻çšãã被害ãäºèŠ! ã·ã¹ã³ã®æ°ããªã»ãã¥ãªãã£éçšã¢ãã«ã·ã¹ã³ã·ã¹ãã ãºååäŒç€Ÿ
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
Â
In 2017, Microsoft announced the ARM version of Windows. The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities. In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers? As far as we know, this point has not even been discussed much at this point. Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries. All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track. In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis. Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
Â
In 2017, Microsoft announced the ARM version of Windows. The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities. In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers? As far as we know, this point has not even been discussed much at this point. Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries. All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track. In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis. Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
Fighting advanced malware using machine learning (Japanese)FFRI, Inc.
Â
n this paper, behavioral-based detection powered by machine learning is introduced. As the result, detection ratio is dramatically improved by comparison with traditional detection.
Needless to say that malware detection is getting harder today. Everybody knows signature-based detection reaches its limit, so that most anti-virus vendors use heuristic, behavioral and reputation-based detections altogether. About targeted attack, basically attackers use undetectable malware, so that reputation-based detection doesn't work well because it needs other victims beforehand. And it is a fact that detection ratio is not enough though we use heuristic and behavioral-based detections. In our research using the Metascan, average detection ratio of newest malware by most anti-virus scanner is about 30 %( the best is about 60 %).
By the way, heuristic and behavioral-based detections are developed by knowledge and experience of malware analyst. For example, most analysts know that following features are indicator that those programs are malicious.
- A file imports VirtualAlloc, VirtualProtect and LoadLibrary only and has a strange section name
- An entry point that does not fall within declared text or code section
- Creating remote threads into a legitimate process like explore.exe
- After unpacking, calling OpenMutex and CreateMutex to avoid multiple infections
- Register itself to auto start extension points like services and registry
- Creating a .bat file and try to delete own itself through executing the file with cmd.exe
- Setting global hook to capture keystroke using SetWindowsHookEx
Heuristic and behavioral-based detections are developed based on those pre-determined features like above. Analysts are finding those features day by day. But, this kind of work is not appropriate for human. Therefore we classified programs as malware or benign by machine learning through dynamic analysis results. Thereby, detection ratio is dramatically improved and we could recognize that which features are strongly related to malware by numeric score. And then, we could find the features which weâve never found by this method. Finally, the outlook and challenges of this method will be tackled.
ãInterop tokyo 2014ããããã°ããŒã¿ã掻çšãã被害ãäºèŠ! ã·ã¹ã³ã®æ°ããªã»ãã¥ãªãã£éçšã¢ãã«ã·ã¹ã³ã·ã¹ãã ãºååäŒç€Ÿ
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
Â
In 2017, Microsoft announced the ARM version of Windows. The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities. In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers? As far as we know, this point has not even been discussed much at this point. Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries. All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track. In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis. Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
Â
In 2017, Microsoft announced the ARM version of Windows. The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities. In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers? As far as we know, this point has not even been discussed much at this point. Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries. All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track. In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis. Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
Â
Table of Contents
⢠About TrustZone
â Use case of TrustZone
â Cortex-A TrustZone
â Cortex-M TrustZone
â TEE implementation
⢠Vulnerability of TEE implementation
⢠Conclusions
⢠References
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
Â
Table of Contents
⢠Background ⢠Use case and Weave
⢠Android Things Security Considerations
⢠Android Things Version Information
⢠File system information ⢠Firewall setting
⢠ADB port setting
⢠SELinux setting
⢠Conclusions
⢠Reference
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
Â
⢠Security incidents related to IoT devices
⢠About the Android Things
⢠Major features
⢠Installation and Settings
⢠Accessible network service
⢠Security configurations
⢠Conclusions
⢠References
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
Â
⢠About Black Hat
⢠Intriguing reports â Breaking BHAD: Abusing Belkin Home Automation Devices â (PEN)TESTING VEHICLES WITH CANTOOLZ YACHT â YET ANOTHER CAR HACKING TOOL â Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks
⢠Conclusions
⢠References
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
Â
⢠About threat analysis support tool
⢠Examples of tools
⢠Analysis target system
⢠Analysis result
â How to read result
â Overview of threats
⢠Effective usage
â About template
â Additional definition of threat information
⢠Conclusions
⢠References
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
Â
⢠About Black Hat USA
⢠Hot Research
⢠Vehicle
â CANSPY: A Platform For Auditing CAN Devices
â Advanced CAN Injection Techniques For Vehicle Networks
â Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle
⢠IoT
â Into The Core â In-Depth Exploration of Windows 10 IoT Core
â GATTAttacking Bluetooth Smart Devices
â Introducing A New BLE Proxy Tool
â GreatFET: Making GoodFET Great Again
⢠Conclusions
⢠References
About security assessment framework âCHIPSECâ (FFRI Monthly Research 2016.7) FFRI, Inc.
Â
Outline
⢠About CHIPSEC
⢠Inspection menu
⢠How to install
⢠Usage
⢠Check of inspection result
⢠Data analysis
⢠Conclusion
⢠References
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
Â
The document summarizes key presentations from Black Hat Asia 2016 on mobile, IoT, and Windows security. It discusses research on detecting Android commercial spyware, demonstrating iOS malware techniques on non-jailbroken phones, mapping vulnerabilities in wireless IoT devices, hacking a professional drone via MITM attacks, and a novel Windows DSC attack framework to persistently infect systems. The document provides context and the researcher's comments on each presentation.
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
Â
In this slide, we introduce the TrustZone of information that has published at this time in relation to ARMv8-M.
It is possible to separate/isolate the security level by adding the security state.
ARMv8-M architecture has a different mechanism than TrustZone to provide traditional ARMv8-A architecture, which is optimized for embedded systems.
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
Â
â¢CODE BLUE 2015 had over 600 visitors from many countries.
âIt had started two track presentation and youth track.
âTwo teenagers and a student were on stage.
â¢IoT Security
âMedical equipment and social infrastructure were studied.
âThe white hackers reported these vulnerabilities.
â¢Bug Bounty
âJapanese bug hunters are active in the world.
âThere are things to learn from their way.
â¢APT
âAPT would have invaded various organizations in Japan.
âForum for information exchange, such as the CODE BLUE is required to counter APT.
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
Â
â¢Automobile security is hot topic in many conferences.
â¢Cyber security measures are essential for the automobile.
â¢We summarize the following topics based on the above background.
âPresentations at the conferences other than Black Hat USA 2015 and DEF CON 23.
âIntroduction of vulnerability assessment methods of automobile security by CVSS v3.
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
Â
This document summarizes security research presented at the Black Hat USA 2015 conference. Several talks demonstrated remote attacks against vehicles, including exploiting vulnerabilities in Chrysler Jeeps and Tesla Model S vehicles. Other research targeted IoT devices, like hacking a Linux-powered rifle and exploiting vulnerabilities in ZigBee wireless protocols. Additional briefings covered mobile and malware attacks, like exploiting the TrustZone security architecture on Android and using return-oriented programming for antivirus evasion. The document provides high-level overviews and comments on many of the featured talks from Black Hat USA 2015 and related conferences.
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
Â
This document provides an overview of threats to OS X and iOS. It summarizes recent malware cases like iWorm and WireLurker that infected devices through pirated software or sync functions. It also describes vulnerabilities like those allowing denial of service attacks or unauthorized access. The document outlines infection routes like drive-by downloads and recommends security settings for Macs and iPhones like installing updates, using passwords, and adjusting privacy and firewall settings.
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
Â
â¢Windows 10 IoT is successor platform of Windows Embedded that optimized for embedded devices.
â¢Windows 10 IoT Core Insider Preview has been provided for single-board computers such as the Raspberry Pi 2.
â¢We show tutorial about security of Windows 10 IoT Core using the Raspberry Pi 2.
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
Â
Background
â¢Automobiles equip a lot of ECUs which communicate mutually on In-Vehicle Network to control engine, power window, and so on
â¢IVI devices such as navigation system and ADAS*known-as lane-keeping or brake-assist systems often are connected in the same network
â¢BecauseIn-Vehicle network becoming complicated by various devices, next-generation In-Vehicle network attracts interest as feasible technology at low cost
â¢This slide summarized about following topics
âEthernet prospective as next-generation In-Vehicle network
âRecent security research about conventional In-Vehicle network andproposal of measures for the CAN