Dynamic Instrumentation- OpenEBS Golang Meetup July 2017OpenEBS
The slides were presented by Jeffry Molanus who is the CTO of OpenEBS in Golang Meetup. OpenEBS is an open source cloud native storage. OpenEBS delivers storage and storage services to containerized environments. OpenEBS allows stateful workloads to be managed more like stateless containers. OpenEBS storage services include: per container (or pod) QoS SLAs, tiering and replica policies across AZs and environments, and predictable and scalable performance.Our vision is simple: let’s let storage and storage services for persistent workloads be so fully integrated into the environment and hence managed automatically that is almost disappears into the background as just yet another infrastructure service that works.
A talk I gave at iOS Dev Scout on 23 Nov 2016 about a desktop Swift chat app I wrote that uses the Serial Port. It uses the Swift Serial library which I also wrote.
Code for both library and the example app can be found here: https://github.com/yeokm1/SwiftSerial
Video of my talk can be found here: https://engineers.sg/v/1275
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
XFLTReaT presentation from Shakacon 2017
https://www.youtube.com/watch?v=AfqNVXHz0hU
This presentation will sum up how to do tunneling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunneling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunneling on your network or to bypass misconfigured filters.
Our new tool XFLTReaT is an open-source tunneling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customized on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunneling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunneling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunneling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017OpenEBS
The slides were presented by Jeffry Molanus who is the CTO of OpenEBS in Golang Meetup. OpenEBS is an open source cloud native storage. OpenEBS delivers storage and storage services to containerized environments. OpenEBS allows stateful workloads to be managed more like stateless containers. OpenEBS storage services include: per container (or pod) QoS SLAs, tiering and replica policies across AZs and environments, and predictable and scalable performance.Our vision is simple: let’s let storage and storage services for persistent workloads be so fully integrated into the environment and hence managed automatically that is almost disappears into the background as just yet another infrastructure service that works.
A talk I gave at iOS Dev Scout on 23 Nov 2016 about a desktop Swift chat app I wrote that uses the Serial Port. It uses the Swift Serial library which I also wrote.
Code for both library and the example app can be found here: https://github.com/yeokm1/SwiftSerial
Video of my talk can be found here: https://engineers.sg/v/1275
XFLTReaT: A New Dimension in Tunneling (Shakacon 2017)Balazs Bucsay
XFLTReaT presentation from Shakacon 2017
https://www.youtube.com/watch?v=AfqNVXHz0hU
This presentation will sum up how to do tunneling with different protocols and will have different perspectives detailed. For example, companies are fighting hard to block exfiltration from their network: they use http(s) proxies, DLP, IPS technologies to protect their data, but are they protected against tunneling? There are so many interesting questions to answer for users, abusers, companies and malware researchers. Mitigation and bypass techniques will be shown you during this presentation, which can be used to filter any tunneling on your network or to bypass misconfigured filters.
Our new tool XFLTReaT is an open-source tunneling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customized on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunneling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunneling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunneling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
Steelcon 2014 - Process Injection with Pythoninfodox
This is the slides to accompany the talk given by Darren Martyn at the Steelcon security conference in July 2014 about process injection using python.
Covers using Python to manipulate processes by injecting code on x86, x86_64, and ARMv7l platforms, and writing a stager that automatically detects what platform it is running on and intelligently decides which shellcode to inject, and via which method.
The Proof of Concept code is available at https://github.com/infodox/steelcon-python-injection
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
Walk through the basics of asynchronous web server programming using tornado. After reviewing the basics of async servers, step by step we’ll build an application that can asynchronously gather quotes from one of the best bad movies of all time. Visit http://medium.com/@skyscannercodevoyagers for more learnings,
Reid Wightman's presentation at AppSec DC 2012. Reid provides background and the lates on Digital Bond's Project Basecamp. New PLC exploit modules include a Stuxnet-type attack on the Modicon Quantum.
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
XFLTReaT presentation from Hack In The Box GSEC 2017
https://www.youtube.com/watch?v=6EU_RLb2YxI
XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
This is the slides accompanying the talk I gave at BSides Hannover 2015, discussing the reverse engineering and exploitation of numerous vulnerabilities in Icomera Moovmanage products along with the post exploitation of such, including the potential creation of a firmware rootkit
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available.
In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors.
The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features.
--- Ron Shina
Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot.
--- Shlomi Oberman
Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
In order to harden kernel exploitation as much as possible was introduced variety of features including KASLR, SMEP and sometimes also SMAP.
Even those are powerful techniques their effectiveness rely on their cooperation, environment and their implementation.
We will present new and some not so new exploitation techniques, show ideas behind breaking trough before mentioned security features and why it is possible, and we will take a look at pool spraying on x64 as well.
This is a presentation that Eric Gazoni (CEO Adimian) gave at the first edition of FOSDEMx, at the University of Brussels on May, 3rd 2018.
The intent is to scratch the surface of what it takes to do CPU performance optimisation in Python, and give students a few first tools to get started.
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
As computer systems become more sophisticated, process injection techniques also evolve. These techniques are notorious for their use by "malicious software" to hide code execution and avoid detection. In this presentation we dive deep into the Windows runtime and we demonstrate these techniques. Besides, we also learn how to code construction and design patterns that relate to perform hidden code can recognize.
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Walk through the basics of asynchronous web server programming using tornado. After reviewing the basics of async servers, step by step we’ll build an application that can asynchronously gather quotes from one of the best bad movies of all time. Visit http://medium.com/@skyscannercodevoyagers for more learnings,
Reid Wightman's presentation at AppSec DC 2012. Reid provides background and the lates on Digital Bond's Project Basecamp. New PLC exploit modules include a Stuxnet-type attack on the Modicon Quantum.
XFLTReaT: A New Dimension in Tunnelling (HITB GSEC 2017)Balazs Bucsay
XFLTReaT presentation from Hack In The Box GSEC 2017
https://www.youtube.com/watch?v=6EU_RLb2YxI
XFLTReaT is an open-source tunnelling framework that handles all the boring stuff and gives users the capability to take care of only the things that matter. It provides significant improvements over existing tools. From now on there is no need to write a new tunnel for each and every protocol or to deal with interfaces and routing. Any protocol can be converted to a module, which works in a plug-and-play fashion; authentication and encryption can be configured and customised on all traffic and it is also worth mentioning that the framework was designed to be easy to configure, use and develop. In case there is a need to send packets over ICMP type 0 or HTTPS TLS v1.2 with a special header, then this can be done in a matter of minutes, instead of developing a new tool from scratch. The potential use (or abuse) cases are plentiful, such as bypassing network restrictions of an ISP, the proxy of a workplace or obtaining Internet connectivity through bypassing captive portals in the middle of the Atlantic Ocean or at an altitude of 33000ft on an airplane.
This framework is not just a tool; it unites different technologies in the field of tunnelling. While we needed to use different tunnels and VPNs for different protocols in the past like OpenVPN for TCP and UDP, ptunnel for ICMP or iodined for DNS tunnelling, it changes now. After taking a look at these tools it was easy to see some commonality, all of them are doing the same things only the means of communication are different. We simplified the whole process and created a framework that is responsible for everything but the communication itself, we rethought the old way of tunnelling and tried to give something new to the community. After the initial setup the framework takes care of everything. With the check functionality we can even find out, which module can be used on the network, there is no need for any low-level packet fu and hassle. I guarantee that you won’t be disappointed with the tool and the talk, actually you will be richer with an open-source tool.
This is the slides accompanying the talk I gave at BSides Hannover 2015, discussing the reverse engineering and exploitation of numerous vulnerabilities in Icomera Moovmanage products along with the post exploitation of such, including the potential creation of a firmware rootkit
[CB16] COFI break – Breaking exploits with Processor trace and Practical cont...CODE BLUE
One of the most prevalent methods used by attackers to exploit vulnerabilities is ROP - Return Oriented Programming. Many times during the exploitation process, code will run very differently than it does usually - calls will be made to the middle of functions, functions won’t return to their callers, etc. These anomalies in control flow could be detected if a log of all instructions executed by the processor were available.
In the past, tracing the execution of a processor incurred a significant slowdown, rendering such an anti-exploitation method impractical. However, recent Intel processors, such as Broadwell and Skylake, are now able to trace execution with low overhead, via a feature called Processor Trace. A similar feature called CoreSight exists on new ARM processors.
The lecture will discuss an anti-exploitation system we built which scans files and detects control flow violations by using these new processor features.
--- Ron Shina
Ron has been staring at binary code for over the past decade, occasionally running it. Having spent a lot of his time doing mathematics, he enjoys searching for algorithmic opportunities in security research and reverse engineering. He is a graduate of the Israel Defense Forces’ Talpiot program. In his spare time he works on his jump shot.
--- Shlomi Oberman
Shlomi Oberman is an independent security researcher with over a decade of experience in security research. Shlomi spent many years in the attacker’s shoes for different companies and knows too well how hard it is to stop a determined attacker. In the past years his interest has shifted from breaking things to helping stop exploits – while software is written and after it has shipped. Shlomi is a veteran of the IDF Intelligence Corps and used to head the security research efforts at NSO Group and other companies.
Security research over Windows #defcon chinaPeter Hlavaty
Past several years Microsoft Windows undergo lot of fundamental security changes. Where one can argue still imperfect and bound to tons of legacy issues, on the other hand those changes made important shifts in attacker perspective. From tightened sandboxing, restricting attack surface, introducing mitigations, applying virtualization up to stronger focus even on win32k. In our talk we will go trough those changes, how it affects us and how we tackle them from choosing targets, finding bugs up to exploitation primitives we are using. While also empathize that windows research is not only about sandbox, and there are many more interesting target to look for.
In order to harden kernel exploitation as much as possible was introduced variety of features including KASLR, SMEP and sometimes also SMAP.
Even those are powerful techniques their effectiveness rely on their cooperation, environment and their implementation.
We will present new and some not so new exploitation techniques, show ideas behind breaking trough before mentioned security features and why it is possible, and we will take a look at pool spraying on x64 as well.
This is a presentation that Eric Gazoni (CEO Adimian) gave at the first edition of FOSDEMx, at the University of Brussels on May, 3rd 2018.
The intent is to scratch the surface of what it takes to do CPU performance optimisation in Python, and give students a few first tools to get started.
Recently our team researched various ntos subsystem attack vectors, and one of the outputs we will present in our talk. DeathNote as our internal code name to this component, which resides in Microsoft Windows kernel, hiding behind different interfaces and exposed to user differently.
What can goes bad with it?
Basically two kinds of problems, one is syscall handling via direct user interaction. We will describe how to obtain basic understanding of what's going on, how it interacts with other components and what is its purpose. With those knowledge we will dig deeper how to make more complex fuzzing logic to cause enough chaos that will end up in unexpected behaviors in Windows kernel, and demonstrate some of them.
And as for second, as it hints from title, this module does bit of data parsing, so we will dive deep into internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanism. We will show how some tricks can outcome with various results, and how structured approach can expose more problems than is expected.
As computer systems become more sophisticated, process injection techniques also evolve. These techniques are notorious for their use by "malicious software" to hide code execution and avoid detection. In this presentation we dive deep into the Windows runtime and we demonstrate these techniques. Besides, we also learn how to code construction and design patterns that relate to perform hidden code can recognize.
Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device.
This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried.
Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
Pipiot - the double-architecture shellcode constructorMoshe Zioni
Presentation Abstract:
When compiling shellcode - it is always constrained to what architecture you are intended it to run on. So with that thought in mind - I started my latest challenge/research/journey into assembly polyglotism - focusing on the two top main architectures around - x86 and ARM.
Through research, sleepless nights and a lot of coffee (thank you, coffee) I found out that it is, indeed, possible - and, while exploring different routes and directions, devised a constructive, repeatable method.
The Pipiot method is a constructuive way to break the limitation enforced by previously known shellcode construction and make a payload that can run on more than only one architecture of choice.
In this session you will learn on how this system works and how to apply its logic to your exploit payload construction, discuss possible impacts, strong and weak points of the method and of course - all provided with a follow-through live demo.
"The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology, Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with with no direct access from the main processor. In fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS - with its own kernel, drivers, services, and applications. This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.
Despite almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors."
(Source: Black Hat USA 2016, Las Vegas)
Messaging, interoperability and log aggregation - a new frameworkTomas Doran
In this talk, I will talk about why log files are horrible, logging log lines, and more structured performance metrics from large scale production applications as well as building reliable, scaleable and flexible large scale software systems in multiple languages.
Why (almost) all log formats are horrible will be explained, and why JSON is a good solution for logging will be discussed, along with a number of message queuing, middleware and network transport technologies, including STOMP, AMQP and ZeroMQ.
The Message::Passing framework will be introduced, along with the logstash.net project which the perl code is interoperable with. These are pluggable frameworks in ruby/java/jruby and perl with pre-written sets of inputs, filters and outputs for many many different systems, message formats and transports.
They were initially designed to be aggregators and filters of data for logging. However they are flexible enough to be used as part of your messaging middleware, or even as a replacement for centralised message queuing systems.
You can have your cake and eat it too - an architecture which is flexible, extensible, scaleable and distributed. Build discrete, loosely coupled components which just pass messages to each other easily.
Integrate and interoperate with your existing code and code bases easily, consume from or publish to any existing message queue, logging or performance metrics system you have installed.
Simple examples using common input and output classes will be demonstrated using the framework, as will easily adding your own custom filters. A number of common messaging middleware patterns will be shown to be trivial to implement.
Some higher level use-cases will also be explored, demonstrating log indexing in ElasticSearch and how to build a responsive platform API using webhooks.
Interoperability is also an important goal for messaging middleware. The logstash.net project will be highlighted and we'll discuss crossing the single language barrier, allowing us to have full integration between java, ruby and perl components, and to easily write bindings into libraries we want to reuse in any of those languages.
Reverse Engineering the TomTom Runner pt. 2Luis Grangeia
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device.
More details on my personal blog, at http://grangeia.io
Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
Caches are used in many layers of applications that we develop today, holding data inside or outside of your runtime environment, or even distributed across multiple platforms in data fabrics. However, considerable performance gains can often be realized by configuring the deployment platform/environment and coding your application to take advantage of the properties of CPU caches.
In this talk, we will explore what CPU caches are, how they work and how to measure your JVM-based application data usage to utilize them for maximum efficiency. We will discuss the future of CPU caches in a many-core world, as well as advancements that will soon arrive such as HP's Memristor.
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
Lightning talk showing various aspectos of software system performance. It goes through: latency, data structures, garbage collection, troubleshooting method like workload saturation method, quick diagnostic tools, famegraph and perfview
Bits of Advice for the VM Writer, by Cliff Click @ Curry On 2015curryon
http://curry-on.org/2015/sessions/bits-of-advice-for-vm-writers.html
This is a talk about the choices one makes when building a Virtual Machine. Many of these choices aren’t even obviously being made when you first get the machine running - it’s not until years later when you look at your limitations that you even realize there was a choice. There’s the obvious Big VM (server, desktop, laptop, cell phone?) vs Small VM (embedded device, cell phone?) choice. But also: GC-or-no-GC. Portable or not (X86 vs ARM? vs Power/Sparc/tiny-DSP)? Multi-threaded or not? Run any “native” code - or only highly cooperative code? Run inside a pre-emptive multi-tasking OS? Or bare metal? Interpret bytecodes/p-codes vs dumb template-JIT vs Multi-tier-highly-optimizing-JIT? The set of choices goes on and on.
Most of these choices interact in Bad Ways… and usually the interactions are not obvious until long after the design decisions are made and locked in. And worse: most of the choices have to be made from the start, when you don’t really know the answers. Coding for yourself & your PhD advisor? Coding for a fortune-1000 company? Coding for the Internet-Scale-Masses? All different scenarios, with radically different goals. While the talk is based on my experience with the HotSpot Java VM, the bits of advice only loosely tied to Java, and can equally be applied to a host of other (VM) hosted languages.
Bio:
Cliff Click is the CTO and Co-Founder of H2O, makers of H2O, the open source math and machine learning engine for Big Data. Cliff wrote his first compiler when he was 15 (Pascal to TRS Z-80!), although Cliff’s most famous compiler is the HotSpot Server Compiler (the Sea of Nodes IR). Cliff helped Azul Systems build an 864 core pure-Java mainframe that keeps GC pauses on 500Gb heaps to under 10ms, and worked on all aspects of that JVM. Before that he worked on HotSpot at Sun Microsystems, and was at least partially responsible for bringing Java into the mainstream. Cliff is invited to speak regularly at industry and academic conferences and has published many papers about HotSpot technology. He holds a PhD in Computer Science from Rice University and about 20 patents.
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
This is a light training/presentation talk.
My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore where IoT is rapidly being deployed – in production. This walkthrough will aim to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into a both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. If you are new to IoT or a seasoned professional you will likely learn something new in this workshop.
https://www.iotvillage.org/#schedule
Cloud Managed Router merupakan hasil dari kombinasi antara perangkat router konvensional dengan teknologi cloud management, yang dikembangkan agar memudahkan pengguna untuk dapat mengatur perangkat router dari jarak jauh. Namun tentu saja dengan penerapan yang kurang tepat, maka hal ini bisa dimanfaatkan oleh orang yang tidak bertanggung jawab, bahkan dapat beresiko akses perangkat router diambil alih. Pada topik ini saya akan sedikit menceritakan bagaimana resiko tersebut bisa terjadi.
idsecconf2023 - Neil Armstrong - Leveraging IaC for Stealthy Infrastructure A...idsecconf
Kesiapan infrastruktur terkadang menjadi kendala dalam melaksanakan red team exercise secara internal. Guna memperoleh hasil yang optimal terdapat beberapa strong points yang perlu diadopsi dalam pengembangan infrastruktur yakni rapid deployment, stealth, dan scalability. Melalui Infrastructure as code (IaC) yang dapat mendukung proses automation infrastruktur red team, operator dapat mereduksi waktu deployment dengan komponen yang bersifat disposable per engagement. Infrastruktur terbagi menjadi 4 segmen yakni segmen network memanfaatkan WireGuard yang disederhanakan melalui Headscale “Zero Config”. Segmen C2 dan Segmen Phishing merupakan core sections. Segmen SIEM bertujuan mengagregasi dan memproses log dari berbagai komponen seperti reverse proxy pada redirector ataupun C2 server. Manajemen multi-cloud environment memanfaatkan Terraform dengan provisioning yang di-handle menggunakan Ansible. Python sebagai wrapper kedua platform sehingga penggunaan tetap sederhana. Operator dapat secara fleksibel mendeskripsikan segmen yang hendak di deploy melalui sebuah YAML file.
Dalam dunia keamanan siber, sinergi antara berbagai proses memiliki peran yang sangat penting. Salah satu proses atau framework yang tengah menjadi sorotan dan menarik perhatian luas adalah Detection Engineering. Proses Detection Engineering ini bertujuan untuk meningkatkan struktur dan pengorganisasian dalam pembuatan detection use case atau rules di Security Operation Center (SOC). Detection Engineering bisa dikatakan masih baru dalam dunia keamanan siber, sehingga terdapat banyak peluang untuk membuat keseluruhan prosesnya menjadi lebih baik. Salah satu hal yang masih terlupakan adalah integrasi antara proses Detection Engineering dan Threat Modeling. Biasanya, Threat Modeling lebih berfokus pada solusi pencegahan dan mitigasi resiko secara langsung dan melupakanan komponen deteksi ketika pencegahan dan mitigasi tersebut gagal dalam menjalankan fungsinya. Dalam makalah ini, kami memperkenalkan paradigma baru dengan mengintegrasikan Detection Engineering ke dalam proses Threat Modeling. Pendekatan ini menjadikan Detection sebagai langkah proaktif tambahan, yang dapat menjadi lapisan pertahanan ekstra ketika kontrol pencegahan dan mitigasi akhirnya gagal dalam menghadapi ancaman sesungguhnya.
idsecconf2023 - Rama Tri Nanda - Hacking Smart Doorbell.pdfidsecconf
Smart doorbell atau bel pintar telah menjadi populer dalam sistem keamanan rumah pintar. Namun, banyak dari perangkat ini masih menggunakan protokol yang tidak aman untuk berkomunikasi, protokol yang rentan terhadap serangan keamanan seperti jamming, sniffing dan replay attack. Penelitian ini bertujuan untuk menganalisis kelemahan penggunaan protokol komunikasi pada smart doorbell, serta menginvestigasi potensi pemanfaatan Software Defined Radio (SDR) dan modul arduino dalam mengamati komunikasi gelombang elektronik pada frekuensi 433 MHz. Selain itu penelitian ini ditujukan untuk mengidentifikasi potensi risiko yang dihadapi oleh pengguna pengkat IoT, serta memberikan pandangan tentang perlindungan yang lebih baik.
Modern organizations are facing the severe challenge of effectively countering threats and mitigating Indicators of Compromise (IOCs) within their network environments. The increasing complexity and volume of cyber threats has highlighted the urgency of building robust mechanisms to block specific IOCs independently. While some organizations have adopted Endpoint Detection and Response (EDR) systems, these solutions often have limitations and require manual processes to collect and examine IOCs from multiple sources. These operational barriers prevent organizations from achieving a proactive and efficient defense posture, an obstacle that is particularly important due to the critical role that IOC blocking plays in containing the spread of threats and limiting potential damage. Hence, the need for a solution that orchestrates automated IOC blocking, utilizing tools such as AlienVault Open Threat Exchange (OTX), VirusTotal, CrowdStrike, and Slack. In this presentation, we examine the importance of automated IOC blocking and its potential to strengthen network security, while highlighting the critical role that these tools play in mitigating evolving cyber threats.
idsecconf2023 - Aan Wahyu - Hide n seek with android app protections and beat...idsecconf
Pembahasan ini bertujuan untuk memberikan edukasi tentang mekanisme perlindungan yang diterapkan pada aplikasi android seperti root detection, ssl pinning, anti emulation, tamper detection dan bagaimana teknik yang digunakan untuk melakukan mekanisme bypass proteksi yang diimplementasikan dengan bantuan reverse engineering menggunakan tool seperti frida, ghidra, objection, magisk, dan sebagainya.
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ...idsecconf
Adversary Simulation pada lingkungan cloud memiliki karakteristik unik sehingga memerlukan pendekatan khusus. Stratus menawarkan fleksibilitas dalam melakukan simulasi attack secara native pada lingkungan cloud. Presentasi ini akan memberikan penjelasan tentang penggunaan Stratus dalam adversary simulation dan bagaimana mengembangkan skenario khusus sesuai kebutuhan.
Ali - The Journey-Hack Electron App Desktop (MacOS).pdfidsecconf
Semakin berkembangnya teknologi di aplikasi Desktop terdapat celah keamanan yang dapat menyebabkan dampak langsung atau tidak langsung pada kerahasiaan, Integritas Data yang di bangun menggunakan Framework dari Electron khusus nya aplikasi Desktop di Sistem Operasi MAC. Dalam materi yang di persentasikan akan membahas celah keamanan Security Misconfiguration,RCE,Code Injection, Bypass File Quarantine dan juga bagaiman cara intercept Aplikasi Electron Desktop di system operasi macOS
Muh. Fani Akbar - Infiltrate Into Your AWS Cloud Environment Through Public E...idsecconf
Amazon Web Service (AWS) menjadi pemain besar dalam industri provider cloud, AWS menawarkan berbagai macam layanan yang mempermudah pengguna untuk operasional dan manajemen administrasi cloud computing. Dengan banyaknya layanan yang disediakan oleh Amazon Web Service membuat pengguna lupa akan keamanan dari service yang digunakan, karena bukan hanya Simple Storage Service (S3) saja yang bisa secara tidak sengaja mengekspos data sentitif seperti kredensial Database, SSH Private Key, Source code aplikasi atau bahkan data pribadi lain yang bersifat rahasia. Terdapat banyak service yang secara tidak sengaja terekspos ke public seperti EBS Snapshot, RDS Snapshot, SSM Document, SNS topic dan sebagainya. Malicious Actor bisa memanfaatkan Public shared atau exposed untuk melakukan Initial Access ke lingkungan Amazon Web Service pengguna lalu melakukan eksfiltrasi data internal yang rahasia.
Rama Tri Nanda - NFC Hacking Hacking NFC Reverse Power Supply Padlock.pdfidsecconf
Near Field Communication (NFC) saat ini adalah teknologi yang umumnya di gunakan untuk media pembayaran serta akses kontrol untuk keamanan ruangan dan gedung. Tidak terbatas untuk hal itu saja, teknologi NFC juga kerap di implementasikan untuk perangkat IoT. Beberapa perangkat menggunakan NFC tag untuk menyimpan informasi guna sinkronisasi dengan perangkat smartphone. Penggunaan teknologi NFC awalnya dianggap aman karna mengharuskan alat baca dengan tag berada dalam poisisi yang sangat dekat. Sehingga dianggap sulit untuk melakukan penyadapan informasinya. Seiring waktu banyak penilitian mengungkapkan bahwa komunikasi ISO 1443-3 ini bisa di intip dan di terjemahkan ke dalam bentuk perintah serta respon aslinya. Proxmark3 adalah salah satu alat yang dikembangkan untuk keperluan tersebut. Namun ada kondisi dimana perangkat proxmark tidak dapat di fungsikan maksimal lantaran berkurangnya sensititifitas pembaca dan tag ketika ada objek berada diantara keduanya. Di paper ini saya ingin menyajikan hasil penelitian saya tentang penggunaan Dynamic Instrumentation Frida untuk memantau penggunaan modul java nfc dalam platform Android dan menggunakannya untuk melakukan lockpicking pada gembok pintar berbasis NFC.
Arief Karfianto - Proposed Security Model for Protecting Patients Data in Ele...idsecconf
This paper is a documentation of proposed security management for Electronic Health Records which includes security planning and policy, security program, risk management, and protection mechanism. Planning and policy are developed to provide a basic principle of security management at a hospital. The security program in this document includes Risk-Adaptable Access Control (RAdAC) and the implementation of security education, training and awareness (SETA). Regarding risk management, we perform risk identification, inventory of assets, information assets classification, and information assets value assessment, threat identification, and vulnerability assessment. For protection mechanism, we propose biometrics and signature as the authentication methods. The use of firewalls, intrusion detection system and encrypted data transmission is also suggested for securing data, application and network.
Nosa Shandy - Clickjacking That Worthy-Google Bug Hunting Story.pdfidsecconf
Menceritakan pengalaman bug hunting kerentanan clickjacking pada beberapa produk Google dan membahas beberapa teknik untuk melakukan bypass terhadap kerentanan tersebut. Serta menjelaskan clickjacking yang benar berdasarkan pengalaman pribadi
Baskoro Adi Pratomo - Evaluasi Perlindungan Privasi Pengguna pada Aplikasi-Ap...idsecconf
Pelanggaran privasi merupakan suatu hal yang sering ditemui dewasa ini. Salah satu penyebab pelanggaran privasi adalah adanya data privat milik pengguna yang dikirimkan pada server milik aplikasi tanpa seizin pengguna atau adanya pengumpulan data tertentu tanpa izin. Pada penelitian ini, kami menganalisis aplikasi-aplikasi yang didapatkan dari Google Play Store Indonesia untuk dicari apakah ada data privat milik pengguna yang dilanggar privasinya. Penelitian ini menggunakan tiga jenis metode yang utamanya berbasis static analysis; pendekatan reverse-engineering dengan static analysis untuk melihat apakah ada data yang berpotensi mengganggu privasi pengguna, analisis perizinan dan tracker yang dimiliki oleh aplikasi untuk melihat apakah perizinan dan tracker yang dimiliki oleh aplikasi memang tepat sesuai dengan use-case dari aplikasi tersebut, dan analisis regulasi data dengan mengambil data mengenai keamanan data yang diberikan developer ke Google Play Store. Hasil studi menunjukkan bahwa ada beberapa aplikasi yang memang mengambil data privat pengguna yang tidak relevan dengan use-case aplikasi dan mengirimnya ke server milik aplikasi dan pihak ketiga
Utian Ayuba - Profiling The Cloud Crime.pdfidsecconf
Cloud service is often part of broader strategic initiatives, principally digital transformation (DX) and cloud-first. Despite the continued rapid adoption of cloud services, security remains a crucial issue for cloud users. A majority of organizations confirm they are at least moderately concerned about cloud security. However, there is still a gap between using the cloud and the implementation of cloud security by organizations, so retains the rate of cloud crime high. Eliminating or narrowing the gap is necessary so that organizations can continue to take advantage of the cloud securely. Understanding cloud crime would aid in both cloud crime prevention and protection. The purpose of this presentation is to identify how cloud security incidents can occur from both attacker and victim sides. Organizations can use this presentation's results as a reference to develop or improve cloud security programs and eliminate or narrow the gap between cloud utilization and cloud security implementation.
Proactive cyber defence through adversary emulation for improving your securi...idsecconf
Organization using Adversary Emulation plan to develop an attack emulation and/or simulation and execute it against enterprise infrastructure. These activities leverage real-world attacks and TTPs by Threat Actor, so you can identify and finding the gaps in your defense before the real adversary attacking your infrastructure. Adversary Emulation also help security team to get more visibility into their environment. Performing Adversary Emulation continuously to strengthen and improve your defense over the time.
Perkembangan infrastruktur kunci publik di indonesia - Andika Triwidadaidsecconf
UU-ITE pasal 11 melegalkan Tanda Tangan Elektronik, membuat kedudukannya setara dengan tanda tangan basah. Implementasinya mengandalkan Infrastruktur Kunci Publik yang melibatkan beberapa organisasi dan jalinan trust. Akan di bahas gambaran umum implementasi IKP di Indonesia dan berbagai layanan yang telah beroperasi, serta sebagian aspek keamanannya.
Pentesting react native application for fun and profit - Abdullahidsecconf
React Native merupakan framework yang digunakan untuk membuat aplikasi mobile baik itu Android maupun IOS (multi platform). Framework ini memungkinkan developer untuk membuat aplikasi untuk berbagai platform dengan menggunakan basis kode yang sama, yaitu JavaScript.
Dikarenakan aplikasi ini berbasis JavaScript (client side), banyak developer yang tidak memperhatikan celah keamanan pada aplikasi. Terdapat berbagai macam celah keamanan meliputi client side dan server side. Presentasi ini memuat pengalaman saya dalam menemukan celah keamanan pada saat melakukan Penetration Testing pada aplikasi mobile berbasis React Native
Hacking oximeter untuk membantu pasien covid19 di indonesia - Ryan fabellaidsecconf
Pandemi covid-19 melonjak pada gelombang ke-2 di. Untuk mengantisipasi itu pemerintah membagikan oximeter ke puskesmas. Oximeter yang ada dipasaran mengharuskan tenaga kesehatan untuk kontak langsung dengan pasien. Dengan menggunakan Hacked Oxymeter ini dapat mengurangi intensitas bertemu dengan pasien dan mengurangi resiko terpapar covid-19. Secara metodologi, hacking oximeter ini membaca output komunikasi serial pada alat oximeter untuk kemudian diolah oleh mikrokontroler dan dikirim ke MQTT broker untuk diteruskan ke klien yang membutuhkan. Alat ini digunakan oleh pasien yang sedang isoman di hotel, fasilitas Kesehatan atau rumah sakit darurat/lapangan
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
Eksploitasi kerentanan pada hypervisor semakin banyak diperbincangkan di beberapa tahun ini, dimulai dari kompetisi hacking Pwn2Own pada 2017 yang mengadakan kategori Virtual Machine dalam ajang lombanya, dan juga teknologi-teknologi terkini yang banyak menggunakan hypervisor seperti Cloud Computing, Malware Detection, dll. Hal tersebut menjadi ketertarikan bagi sebagian hacker, security researcher untuk mencari kelemahan dan mengeksploitasi hypervisor. Tulisan ini menjelaskan mengenai proses Vulnerability Research dan VM Escape exploitation pada VirtualBox.
Devsecops: membangun kemampuan soc di dalam devsecops pipeline - Dedi Dwiantoidsecconf
Proses DevSecOps saat ini banyak digunakan dikalangan industri yang membutuhkan kecepatan baik dalam pengembangan maupun implementasi. Setiap tahapan pada pipeline DevSecOps merupakan tahapan yang harus diperhatikan dan masuk kedalam pantauan SOC (Security Operation Center). Untuk itu diperlukan kemampuan SOC untuk bisa memantau setiap pipeline DevSecOps sehingga dapat memberikan gambaran kondisi keamanan pada organisasi
3. What’s this uC thing all about?
• Single integrated computer
• Processor, volatile, non-volatile storage
▫ All In One
• Can drive many peripherals
• Easily programmable
• Field update/upgrade capability
• Personalization (EEPROM)
4. No, really… Why do I care?
• Your car
• Implanted medical devices
▫ WBAN (Wireless Body Area Network)
• Crops monitoring (hydro/aero/enviro-ponics)
• Infrastructure monitoring (SCADA, etc)
• “Smart Dust”
• Access controls (RFID, biometrics, etc)
5. Now with More Networking!
• Bluetooth
• USB
• 802.11
• 802.15.4
• RFID
• DECT
• GSM
6. Security?
• Some tamper resistance
• Hardware security
• From a software point of view?
▫ Crypto support
▫ …?
7. OODA Loop?
• Field upgrades are rare
▫ But getting more common
▫ ST M24LR64 Dual EEPROM (Leet!!)
• Most firmware is legacy code
• Spot updates for new functionality / peripherals
• Mostly written in C, C++, and/or ASM
11. Lots of uC out there, but…
• Popular with hackers and engineers
• Free toolchain (gcc based)
• Free IDE (AVR Studio 4)
• No Soldering necessary
• Relatively cheap dev tools
▫ AVRISP mkII (~30 USD)
▫ AVR JTAGICE mkII
(good deals from Arrow Electronics)
14. Typically included in AVR8
• ALU
• Flash
• SRAM
• EEPROM
• Peripheral support (USART, SPI, I2C, TWI, etc)
15.
16. That’s right, it’s Harvard
• Separate Data and Code lines
• Code always retrieved from Flash
• Data always retrieved from SRAM
• Flash can be written in software
▫ Typically Boot Loader Support
▫ Fuses determine this
▫ Some AVR8 don‟t support this
17. Point?
• Attack data, not instructions
• Return-to-whatever (ROP :-P)
• Easier! Less data to inject (typically)
• Takes longer
• That‟s what GoodFET is for
▫ Snatch one Smart Dust sensor
▫ GoodFET
▫ Analyze code
▫ Build ROP strategy
▫ Own 100 more remotely
23. On startup
• AVR sets PC to OxOO in Flash
• OxOO = Reset Vector
• JMP to init in crtO
• Init does stuff…
• Call main
• Do stuff…
• Call somefunc
• Do more stuff…
34. Four Main Points Demonstrated…
• Function conventions are typical
▫ Optimization may minimize this
• Code Layout
• Data Layout
• Atomic Code Sections
35. Code Layout in Flash
• Interrupt Vectors at OxOO
• RESET Vector at OxOO
• Main Application Code
• Data (???)
• Boot Loader Section
▫ Can write to Flash (if Fuses allow) for field
updates
36. Data Layout in SRAM
• Registers at OxOO
• I/O Memory at Ox2O
• Extended I/O Memory
• Data (copied from Flash) at Ox1OO
• BSS
• Heap
• Stack
• ??? ;-)
37. Atomicity
• CLI used
• SREG can be accessed via SRAM (I/O memory)
• 1 CPU Cycle to write to SREG
• Flow:
▫ Save a copy of SREG
▫ Clear Interrupt Bit in SREG
▫ Perform uninterrupted action
Write to low byte of SP
Write to SREG (old state with interrupt bit set)
Write to high byte of SP
39. Entropy? What entropy?
• Randomness is very weak
• Crypto hurt as a result
• Pools can be accumulated
▫ “True Random Number Generator On an Atmel
uC” – IEEE Paper
• 8 Random Bits using RC oscillator
▫ Per second!!!
40. Race Conditions
• No semblance of context switching
▫ TinyOS/Contiki simulate it
• Critical Sections secured through CLI
• Attack these sections
▫ Overwrite SREG; enable Interrupts
• Use Interrupts to cause unexpected behavior
41. Return Value Checks
• Snprintf returning <=O or >= sizeof buf?
• Logic Issue
• Always a problem
42. memcpy and Friends
• Latest avr-libc
• Don‟t test for negative size values
• No option to “secure” with CLI
▫ Interruptable
▫ Oops…Where‟d my SP go?! ;-)
43. Buffer Overflows
• Easy as pie
• Instruction address in mem is /2
• Return Oriented Programming
▫ Get those Registers set up correctly!
• Force a jump to the Boot Loader
• Instant Flash update (simulate field update)
• Can be triggered remotely
• AVR doesn‟t know the difference between you
and developer
44. Frame Pointer Overwrite
• Standard FP overwrite
• Point stack to attacker controlled data
• Next frame has the RET
• FP saved LSB first
45. Setjmp
• Obvious target
• Often used
• Makes up for lack of exceptions
• Saves entire program state
• Overwrite all registers
• Overwrite PC
46. Integer Overflows
• Work as expected
• 8-bit registers
• 16-bit native instructions
• Easy to wrap OxFFFF
47. Integer Promotion
• Normal integer promotion
• Unsigned -> Signed = No Sign Extension
• Signed -> Signed = Sign Extension
• Stop using „char‟ for everything ;-)
• Lots of 8-bit networking protocols
▫ 8-bit size fields
▫ Promoted to int during packet ingestion
▫ Oops!!
48. Heap Overflows
• Heap Struct consists of { size, Next* }
• Next* points to the next free heap chunk
• Adjacent chunks are combined
• No function pointers
• Easily mangle data
• Next* doesn‟t have to point to Heap
• Heap data isn‟t zeroed on free()
• Easy way to create pseudo stack frames
• ROP Helper!
49. Double Free
• Latest avr-libc free() doesn‟t check
• Any address can be used (except NULL)
• Free() will happily overwrite first 2 bytes with
▫ Next*
• Add it to the free list ;-)
• Can stealthily force malloc() to return
(void*)OxOO
• Write direct to Registers, I/O memory, etc
• ROP Helper!!
50. “Segment” Collision
• Heap is allocated slightly under stack
• Stack is dynamic!!!
• BSS is adjacent to Heap
• .rodata isn‟t Read Only! Adjacent to BSS
• One big happy family!
51. Uninitialized Variables
• Allocate a large Heap chunk
• Spray with OxAABB
• Stack decends into Heap
• Bewm!
• Example code at:
▫ http://pa-ri.sc/uC/dangle.tar.bz2
53. NULL Pointer Dereferences
• There are no privilege rings, but still useful
• Functions like malloc() still return NULL
• (void*)OxOO points to Registers in SRAM
• NULL deref is a very good thing
• Like free() bug, instant access to Regs, I/O Mem
• On the flip side…
▫ ??? ;-)
54. Beyond Memory
• Deref beyond physical memory addresses?
• Example: ATmega644P
▫ 4096 bytes SRAM
▫ Total 4196 addressable bytes
With registers, I/O memory
• Ox1OFF should be highest addressible address
55.
56.
57.
58. There is no Page Fault on AVR8
• Memory faults cannot occur
• For program safety, don‟t RESET
• Read AND Write support
• Just wrap addresses back to (void*)OxOO
• Overwriting past end of PHYSMEM = start of
PHYSMEM
• i.e. Ox11OO = OxO1OO
• How convenient ;-)
• Overwrite EVERYTHING ANYWHERE
59. Example code?
• See the memdump application
▫ Runs on any AVR8 with USART
▫ http://pa-ri.sc/uC/memdump.tar.bz2
• Code tested on 10 different uCs in the AVR
family
▫ ATtiny
▫ ATmega
61. Summary?
• Ripe environment for application vulnerabilities
• Little protection schemes
▫ Except solid auditing and a tight SDLC
• Lots of legacy code in the field
• Lots of important devices
62. Special thanks…
• Jim Geovedi
• Y3dips
• Kendi Demonic
• Abdul Azis
• Dhillon Kannabhiran
• iSEC Partners
• Nick DePetrillo
• Mike Kershaw
• Travis Goodspeed
• Josh Wright