This document describes an automated method for on-execute malware testing using Oracle VM VirtualBox. It discusses copying malware into a guest VM, executing it, analyzing the results, reverting the guest to its original state, and then repeating the process. Tools like VBoxManage are used to automate functions like file copying, program execution, snapshotting and reverting. The FFRI AutoMonkey scripts automate the end-to-end process using these VirtualBox APIs. Performance when testing 20,000 samples showed a throughput of around 9 malware samples per minute under the described hardware configuration.
Zhuo Ma, Tencent
USB is one of the most common interfaces supported on modern computers. Modern OSes ship with a large number of USB drivers to support frequently used USB device classes. For other third-party USB devices, Microsoft provides automatic driver downloading and installation via the Windows AutoUpdate service. In this talk, we consider this a novel attack surface exposed by Windows.
We are trying to assess vulnerabilities in the USB drivers provided via the Windows AutoUpdate service, which can be automatically installed and run after a device is plugged in. Obviously, these drivers are all designed for real USB devices and have to talk to the device while running.
So the biggest obstacle to assessing these drivers is that we cannot prepare real USB devices for all of them. To overcome this, we developed a system to emulate these USB devices; further, we are trying to fuzz these drivers against our emulated USB devices. Using this system, we can fuzz device drivers without the real USB device. Furthermore, we can precisely fuzz every stage of driver loading. We can feed any custom data to the drivers to trigger vulnerabilities. This system supports IO control code fuzzing as well. All in all, the whole process can be done automatically.
We tested about 6000 drivers and found hundreds of crashes by fuzzing. IO control fuzzing also gave reasonable results. We divide our talk into three parts: the first part is about how we obtain the list of automatically installed USB drivers and how to analyze these drivers automatically; the second part is about the fuzzing system we designed, including the system architecture, ways of emulating devices and key design points; the last part will show some vulnerabilities we found with this system.
[CB19] Attacking DRM subsystem to gain kernel privilege on Chromebooks by Di ... (CODE BLUE)
Chromebook is one of the most secure laptops so far. It runs the Linux-based Chrome OS as its operating system. The Google Chrome team has applied many effective mitigations on Chrome OS and also releases security updates for it every few weeks.
At the beginning of this year, my colleagues planned to build a full exploit chain to achieve code execution on a Chromebook remotely and persistently, which is very challenging. I joined their project in the middle stage, attempted to find bugs for local privilege escalation in limited time, and finally contributed a kernel vulnerability on Chrome OS to finish the full chain.
The Direct Rendering Manager (DRM) is a subsystem of the Linux kernel that exposes an API which user-space programs can use to send commands and data to the GPU, and to perform operations such as configuring the mode setting of the display. Meanwhile, DRM is also an awesome attack surface for attackers to escalate local privilege on Linux.
In this talk, I'm going to share the full story of exploiting a new DRM vulnerability on Chrome OS. First, I'll introduce the implementation of the DRM subsystem briefly, and explain why a kernel exploit is helpful for us to bypass some mitigations like 'Verified Boot' on Chrome OS. Second, I'll describe how I found the kernel bug in DRM in very limited time. After that, I'll show you how to exploit an integer overflow, bypass the annoying mitigation "HARDENED_USERCOPY" in the Linux kernel and successfully gain root privilege. At the end there will also be a demonstration of this exploit, as a proof of concept.
Windows Kernel Exploitation: This Time Font hunt you down in 4 bytes (Peter Hlavaty)
In our recent work we also targeted win32k, which seems to be a fruitful target. @promised_lu wrote our own TTF fuzzer, which produced gigabytes of crashes and various bugs. Fortunately Windows does great work, and in February most of our bugs were dead (patched), but not all of them…
What was left looked like seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check them out, and finally combined one with our user-mode bug and EMET bypass. Through IE and Flash we broke down the system and pointed out weak points in the defensive mechanisms.
In this talk we will present our research dedicated to this year's pwn2own event. We will describe the kernel part of the exploit in detail*, including the bug description, the resulting memory corruption conditions and caveats, up to the final pwn via one of our TTF bugs.
Throughout the talk we will describe how to break various exploit mitigations in the Windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking everything that stands in the way { KASLR, SMEP, even imaginary SMAP or CFG } and bring you SYSTEM exec (from kernel driver to system calc).
* Unfortunately the bug was not fixed at the time of the talk, so we did not expose details about the TTF vulnerability; we skipped directly to some challenges during exploitation and demonstrated how OS design can overpower the introduced exploit mitigations.
Presenter: Max Moroz
An overview of ClusterFuzz, a system that makes it possible to test the Chrome browser for vulnerabilities in real time and to obtain reproducible results for the investigation of each specific crash. The advantages of using various sanitizers and libFuzzer, a library for guided fuzzing, will be demonstrated. Detailed statistics on the kinds of vulnerabilities found in Chrome will be presented. Attendees will learn about the pitfalls of distributed fuzzing, and about how to run their own fuzzers in Google's infrastructure and receive rewards for the vulnerabilities found.
TENTACLE: Environment-Sensitive Malware Palpation (PacSec 2014) FFRI, Inc.
In this presentation, I present an automatic disarmament system for armed malware with anti-sandboxing. The system targets 1) host-fingerprinting malware like Citadel, and 2) armed malware with general anti-sandboxing against automated sandbox analyzers. The approach to disarmament focuses on the exit reason and on the exit before activity in malware execution. I have been developing a CPU-emulator-based disarmament system with instrumentation. The system suggests a suitable environment for dynamic analysis of each individual malware sample.
Freeze Drying for Capturing Environment-Sensitive Malware Alive FFRI, Inc.
We propose a set of techniques for "freeze drying" malware and restoring the captured malware to enable live process migration. Our system can capture environment-sensitive malware in-process and run it in an environment other than the infected host.
Sophisticated malware, such as Citadel and ZeuS/GameOver, is armed with anti-analysis techniques that prevent it from running except on an infected host. Such malware detects the execution environment and does not engage in malicious behavior when the current host differs from the infected host.
We developed a malware capture system called Sweetspot that can capture malware in-process by using process live migration and mimicking the infected host's environment on the analyzer by means of system call proxies. In addition, Sweetspot can serve as a honeypot and provide dummy data when the malware requests sensitive information. In briefings, we will demonstrate freeze-drying and instant dynamic analysis of real malware.
As organizations assess the security of their information systems, the need for automation has become more and more apparent. Not only are organizations attempting to automate their assessments, the need is becoming more pressing to perform assessments centrally against large numbers of enterprise systems. Penetration testers can use this automation to make their post-exploitation efforts more thorough, repeatable, and efficient. Defenders need to understand the techniques attackers are using once an initial compromise has occurred so they can build defenses to stop the attacks. Microsoft's PowerShell scripting language has become the de facto standard for many organizations looking to perform this level of distributed automation. In this presentation James Tarala, of Enclave Security, will describe to students the enterprise capabilities PowerShell offers and show practical examples of how PowerShell can be used to perform large-scale penetration tests of Microsoft Windows systems.
XPDS14 - Zero-Footprint Guest Memory Introspection from Xen - Mihai Dontu, Bi... (The Linux Foundation)
This presentation will detail a practical approach to memory introspection of virtual machines running on the Xen hypervisor with no in-guest footprint. The functionality makes use of the mem-event API with a number of improvements which enable the proper tracking of guest OS activity. The technology created on top of this Xen API opens the door for several immediate applications, including: rootkit detection and prevention, detection and action on several categories of malware, and event source information for low-level post-event forensics and correlation based on real event data during events.
Hacking Highly Secured Enterprise Environments by Zoltan Balazs (Shakacon)
In theory, post-exploitation after having remote access is easy. Also in theory, there is no difference between theory and practice. In practice, there is. Imagine a scenario where the hacker/penetration tester has deployed malware on a user's workstation, but the target information is on a secure server accessed via two-factor authentication, with screen access only (e.g. RDP, Citrix, etc.). On top of that, the server runs application whitelisting, and only the inbound port to the screen server (e.g. 3389) is allowed through the hardware firewall. But you also need persistent interactive C&C communication (e.g. Netcat, Meterpreter, RAT) to this server through the user's workstation.
I developed (and will publish) two tools that help the community in these situations. The first tool can drop malware to the server through the screen while the user is logged in. The second tool can help to circumvent the hardware firewall after one can execute code on the server with admin privileges (using a signed kernel driver). My tools have been tested against Windows Server 2012 and Windows 8, and they work with RDP or other remote desktops (e.g. Citrix). The number of problems one can solve with them is endless, e.g., communicating with a bind shell on a web server behind a restricted DMZ. Beware, live demo and fun included!
Metasploit @ 2010 Utah Open Source Conference (Jason Wood)
Metasploit is a powerful application to use in a penetration test. It is an application that all security professionals and systems administrators should be familiar with. This presentation goes over the basics of Metasploit and some of its many capabilities.
This workshop was given at Crikeycon 2019 in Brisbane. It introduces Velociraptor and explains some of the design goals and implementation.
Note - this slide deck is outdated but might still be useful. The tool has evolved significantly since Crikeycon.
One commit, one release. Continuously delivering a Symfony project. (Javier López)
For the last few months we've been implementing a Continuous Delivery pipeline for the redesign of Time Out. In this talk I will demonstrate a real life example of what our pipeline looks like, the different tools we've used to get it done (phing, github, jenkins, ansible, AWS S3, ...), and peculiarities for PHP and Symfony2 projects. Most importantly, I'll be looking at things we've struggled with along the way and the lessons we've learnt.
Project: Malware Analysis
CS 6262 Project 3
Agenda
• Part 1: Analyzing Windows Malware
• Part 2: Analyzing Android Malware
Scenario
• Analyzing Windows Malware
  • You got a malware sample from the wild. Your task is to discover what the malware does by analyzing it.
  • How do you discover the malware's behaviors?
    • Static Analysis
      • Manual Reverse Engineering
      • Programmatic binary analysis
    • Dynamic Analysis
      • Network behavioral tracing
      • Run-time system behavioral tracing (File/Process/Thread/Registry)
    • Symbolic Execution
    • Fuzzing
Scenario
• In our scenario, you are going to analyze the given malware with tools that we provide.
• The tools help you to analyze the malware with static and dynamic analysis.
• Objective
  1. Find which server controls the malware (the command and control (C2) server)
  2. Discover how the malware communicates with the command and control (C2) server
     • URL and Payload
  3. Discover what activities are done by the malware payload
     • Attack Activities
Scenario
• Requirement
  • Make sure that no malware traffic goes out from the virtual machine
    • But updating of the malware (stage 2) and downloading the payload (stage 3) are required to be allowed (set as the default option)
  • The command and control server is dead. You need to reconstruct it
    • Use tools to reconstruct the server, then reveal hidden behaviors of the malware
  • Analyze network traffic on the host, and figure out the list of available commands for the malware
  • Analyze the network traffic trace of the host, and figure out what the malware does
  • Write down your answers in assignment-questionnaire.txt
Project Structure
• A Virtual Machine for Malware analysis
  • Please download and install the latest version of VirtualBox, or update your existing installation.
    • https://www.virtualbox.org/wiki/Downloads
  • Download the VM
    • Download links
      • http://ironhide.gtisc.gatech.edu/vm_2018.7z
      • http://bombshell.gtisc.gatech.edu/vm_2018.7z
    • Verify the md5 hash of the 7z file: 537e70c4cb4662d3e3b46af5d8223fd
  • Please install 7zip or p7zip
    • Windows, Linux and MacOS: http://www.7-zip.org/download.html
  • Unarchive the 7z file
    • Password: GTVM!
Project Structure
• Open VirtualBox
  • Go to File -> Import Appliance.
  • Select the ova file and import it.
  • For detailed information on how to import the VM, see:
    • https://docs.oracle.com/cd/E26217_01/E26796/html/qs-import-vm.html
• VM user credentials
  • Username: analysis
  • Password: analysis
Project Structure
• In the Virtual Machine (VM)
  • Files
    • init.py
      • This initializes the project environment
      • Type your Georgia Tech username (same login name as Canvas) after running this
    • update.sh
      • This script updates the VM if any further update has been made by the TA
      • DO NOT execute the scri.
Bridging the Semantic Gap in Virtualized Environment (Andy Lee)
In virtualization, it is difficult to interpret the low-level state of a VM as the high-level semantic state of the guest OS.
This is an obstacle for system administrators who want to observe, inspect and detect the runtime execution of a VM in real time.
Similar to Mr201309 automated on-execute_test_using_virtual_box_eng (20)
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM (FFRI, Inc.)
In 2017, Microsoft announced the ARM version of Windows. The number of devices running the ARM version of Windows, such as the Surface Pro X series and HP ENVY x2, is increasing, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue: existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities. In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers? As far as we know, this point has not even been discussed much at this point. Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries. All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track. In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis. Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
Table of Contents
• About TrustZone
– Use case of TrustZone
– Cortex-A TrustZone
– Cortex-M TrustZone
– TEE implementation
• Vulnerability of TEE implementation
• Conclusions
• References
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc... (FFRI, Inc.)
Table of Contents
• Background
• Use case and Weave
• Android Things Security Considerations
• Android Things Version Information
• File system information
• Firewall setting
• ADB port setting
• SELinux setting
• Conclusions
• Reference
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
• Security incidents related to IoT devices
• About the Android Things
• Major features
• Installation and Settings
• Accessible network service
• Security configurations
• Conclusions
• References
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
• About Black Hat
• Intriguing reports
– Breaking BHAD: Abusing Belkin Home Automation Devices
– (PEN)TESTING VEHICLES WITH CANTOOLZ YACHT – YET ANOTHER CAR HACKING TOOL
– Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks
• Conclusions
• References
An Example of use of the Threat Modeling Tool (FFRI Monthly Research Nov 2016) FFRI, Inc.
• About threat analysis support tool
• Examples of tools
• Analysis target system
• Analysis result
– How to read result
– Overview of threats
• Effective usage
– About template
– Additional definition of threat information
• Conclusions
• References
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8) FFRI, Inc.
• About Black Hat USA
• Hot Research
• Vehicle
– CANSPY: A Platform For Auditing CAN Devices
– Advanced CAN Injection Techniques For Vehicle Networks
– Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle
• IoT
– Into The Core – In-Depth Exploration of Windows 10 IoT Core
– GATTAttacking Bluetooth Smart Devices
– Introducing A New BLE Proxy Tool
– GreatFET: Making GoodFET Great Again
• Conclusions
• References
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4) FFRI, Inc.
In this report, we pick out briefings from Black Hat Asia 2016
• Mobile Security
– Android Commercial Spyware Disease and Medication, Mustafa Saad
– Su-a-Cyder: Home-Brewing iOS Malware Like a B0$$!, Chilik Tamir
• IoT Security
– Lets See Whats Out There Mapping The Wireless IOT, Tobias Zillner
– Hacking a Professional Drone, Nils Rodday
• Windows Security
– DSCompromised: A Windows DSC Attack Framework, Ryan Kazanciyan & Matt Hastings
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ... (FFRI, Inc.)
In this slide, we introduce TrustZone based on the information published so far in relation to ARMv8-M.
It is possible to separate/isolate security levels by adding a security state.
The ARMv8-M architecture provides a different mechanism from the TrustZone of the traditional ARMv8-A architecture, one that is optimized for embedded systems.
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11) FFRI, Inc.
• CODE BLUE 2015 had over 600 visitors from many countries.
– It started two-track presentations and a youth track.
– Two teenagers and a student were on stage.
• IoT Security
– Medical equipment and social infrastructure were studied.
– White-hat hackers reported these vulnerabilities.
• Bug Bounty
– Japanese bug hunters are active around the world.
– There are things to learn from their approach.
• APT
– APTs may have invaded various organizations in Japan.
– A forum for information exchange, such as CODE BLUE, is required to counter APTs.
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3... (FFRI, Inc.)
• Automobile security is a hot topic at many conferences.
• Cyber security measures are essential for automobiles.
• We summarize the following topics based on the above background.
– Presentations at conferences other than Black Hat USA 2015 and DEF CON 23.
– Introduction of vulnerability assessment methods for automobile security by CVSS v3.
A Survey of Threats in OS X and iOS (FFRI Monthly Research 201507) FFRI, Inc.
Recently, OS X and iOS have become targets of cyber attacks.
– As a result, attack techniques peculiar to OS X and iOS have come up (e.g. abuse of the sync function, malware distribution by Ad Hoc, etc.).
We recommend some security settings for Mac and iPhone based on the current state of threats.
– The target systems are OS X 10.10.x (Yosemite) and iOS 8.x.
Security of Windows 10 IoT Core (FFRI Monthly Research 201506) FFRI, Inc.
• Windows 10 IoT is the successor platform to Windows Embedded, optimized for embedded devices.
• Windows 10 IoT Core Insider Preview has been provided for single-board computers such as the Raspberry Pi 2.
• We show a tutorial about the security of Windows 10 IoT Core using the Raspberry Pi 2.
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security (F... (FFRI, Inc.)
Background
• Automobiles are equipped with a lot of ECUs which communicate with each other on the in-vehicle network to control the engine, power windows, and so on
• IVI devices such as navigation systems and ADAS* (known as lane-keeping or brake-assist systems) are often connected to the same network
• Because the in-vehicle network is becoming complicated by various devices, next-generation in-vehicle networks attract interest as a feasible technology at low cost
• This slide summarizes the following topics
– Ethernet prospects as a next-generation in-vehicle network
– Recent security research about conventional in-vehicle networks and a proposal of measures for CAN
State of ICS and IoT Cyber Threat Landscape Report 2024 preview (Prayukth K V)
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...UiPathCommunity
💥 Speed, accuracy, and scaling – discover the superpowers of GenAI in action with UiPath Document Understanding and Communications Mining™:
See how to accelerate model training and optimize model performance with active learning
Learn about the latest enhancements to out-of-the-box document processing – with little to no training required
Get an exclusive demo of the new family of UiPath LLMs – GenAI models specialized for processing different types of documents and messages
This is a hands-on session specifically designed for automation developers and AI enthusiasts seeking to enhance their knowledge in leveraging the latest intelligent document processing capabilities offered by UiPath.
Speakers:
👨🏫 Andras Palfi, Senior Product Manager, UiPath
👩🏫 Lenka Dulovicova, Product Program Manager, UiPath
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
FFRI, Inc.
Fourteenforty Research Institute, Inc.
http://www.ffri.jp
Automated on-execute test using VirtualBox
Junichi Murakami
Executive Officer, Director of Advanced Development Division
Ver2.00.01
Agenda
1. Background and motivation
2. Overview of a test
   – automated on-execute test
   – virtualization software and automation methods
   – Oracle VM VirtualBox and its automation
   – example of VBoxManage
3. Automation script
   – FFRI AutoMonkey
   – design concept
   – throughput
   – performance
4. References
5. Contact information
1. Background and motivation
• Automated testing against a large amount of malware is required to evaluate a malware detection engine
• Testing methods are classified into on-demand and on-access testing
• On-execute testing, a kind of on-access testing, has to execute the malware samples one by one
• Therefore automation based on virtualization is required
• These slides describe an automated on-execute test method using VirtualBox
* Types of malware scanning:
  malware scanning
    – on-demand
    – on-access
        – on-read/write
        – on-execute
2.1. Automated on-execute testing
• The basic steps are the following:
  1. Copy malware into a guest
  2. Execute the copied malware in the guest
  3. Analyze or detect the malware in the guest
  4. Preserve the result after execution has terminated
  5. Revert the guest back to its original condition
  6. Go to 1.
• The functions required to execute the above are the following:
  a. Copying a file to a guest from the host (copy-to)
  b. Executing an arbitrary program in a guest from the host (exec)
  c. Copying a file from a guest to the host (copy-from)
  d. Reverting a guest's condition based on a snapshot (revert)
→ All of these functions could be achieved by building a communication interface between the host and a guest over TCP/IP. We looked for a way that requires as little software development of our own as possible.
2.2. Virtualization software and automation methods
software              Licence       copy-to  copy-from  exec  revert  method
VMware Workstation    Proprietary   ○        ○          ○     ○       VIX API
VMware ESX (#1)       Proprietary   ○        ○          ○     ○       VIX API
Oracle VM VirtualBox  GPL2          ○        ○          ○     ○       VBoxManage
QEMU + KVM            GPL2 (#2)     ×        ×          ×     ○       Libvirt
#1 ESXi can also use the VIX API for 60 days by registering an evaluation license.
#2 KVM's parts are licensed under various GNU licenses (GPL, GPL2, LGPL2, etc.)
• Use the functions which the virtualization software has natively
• VMware (licensed) and VirtualBox have all the features we need
→ We settled on VirtualBox because of its cost advantage
• QEMU+KVM can be used with 3rd party software (ex: libguestfs + winexe)
– “Malware Analysis: Collaboration, Automation & Tuning”, Shmoocon 2013
http://www.slideshare.net/xabean/malware-analysis-16674048
2.3. Oracle VM VirtualBox and its automation
• x86 virtualization software, currently developed by Oracle
• Version 4.0 and later is fully open source software (GPL2)
• Supports various host and guest environments
  – Host OS: Windows, Linux, Mac OS X, Solaris
  – Guest OS: Windows, Linux, FreeBSD, OpenBSD, Mac OS X Server, Solaris, etc.
• A CLI (VBoxManage) is available, which is friendly to automation
  – startvm, pause, resume, poweroff, clonevm, showvminfo
  – copyto, copyfrom, exec
  – taking a snapshot and reverting to it
  – controlling the status of virtual machine devices, etc.
2.4. Example of VBoxManage
* starting a guest
% vboxmanage startvm vm
* powering off a guest
% vboxmanage controlvm vm poweroff
* reverting a guest based on a snapshot
% vboxmanage snapshot vm restore snapshot-1
* executing a program in a guest from the host
% vboxmanage guestcontrol vm exec --image "c:/windows/system32/calc.exe" \
    --username admin --timeout 60000 --wait-exit
* copying a file to a guest from the host
% vboxmanage guestcontrol vm copyto "/some/file" "c:/file.txt" --username admin
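The six steps of slide 2.1 strung together with the commands of slide 2.4, as an added example; this is not FFRI's auto-monkey.sh but a script written for this page. It assumes a VM named "vm", a clean snapshot "snapshot-1", a guest user "admin" without a password (add --passwordfile if your guest account has one), a guest work directory c:/monkey and a guest-side log c:/monkey/result.log written by the detection engine; all of these names are assumptions. VBoxManage is resolved through the VBOXMANAGE variable so the loop can be dry-run with a stub, and the VirtualBox 4.2 guestcontrol syntax of the slide is used (later releases renamed exec to run).

```shell
#!/bin/sh
# Added example (not FFRI's auto-monkey.sh): one on-execute cycle per sample
# using only VBoxManage.  Assumed names: VM "vm", snapshot "snapshot-1", guest
# user "admin" without a password, guest work directory c:/monkey, guest-side
# log c:/monkey/result.log.  VirtualBox 4.2 guestcontrol syntax as on slide 2.4.

VBOXMANAGE=${VBOXMANAGE:-vboxmanage}   # overridable so the loop can be dry-run
VM=${VM:-vm}
SNAPSHOT=${SNAPSHOT:-snapshot-1}
GUEST_USER=${GUEST_USER:-admin}
GUEST_DIR=${GUEST_DIR:-c:/monkey}
GUEST_LOG=${GUEST_LOG:-c:/monkey/result.log}
TIMEOUT_MS=${TIMEOUT_MS:-60000}        # 60 s per sample, as in slide 3.3

# Every guest interaction goes through this one wrapper.
vbox() {
    "$VBOXMANAGE" "$@"
}

# Steps 1-5 for one sample.  Returns non-zero as soon as a host-side
# VBoxManage call fails, so the caller stops and a watchdog can relaunch it.
run_sample() {
    s_path=$1; s_out=$2
    s_name=$(basename "$s_path")

    # 1. copy-to: place the sample in the guest
    vbox guestcontrol "$VM" copyto "$s_path" "$GUEST_DIR/$s_name" \
        --username "$GUEST_USER" || return 1

    # 2./3. exec: run it under the guest-side detection engine; --wait-exit
    #       returns when the process exits or TIMEOUT_MS elapses.  A non-zero
    #       status is normal for malware, so it is recorded, not fatal.
    if vbox guestcontrol "$VM" exec --image "$GUEST_DIR/$s_name" \
        --username "$GUEST_USER" --timeout "$TIMEOUT_MS" --wait-exit; then
        exec_status=0
    else
        exec_status=$?
    fi

    # 4. copy-from: preserve the detection log before the guest is discarded
    #    (a sample that took the guest down may leave no log: note it, go on)
    vbox guestcontrol "$VM" copyfrom "$GUEST_LOG" "$s_out/$s_name.log" \
        --username "$GUEST_USER" || echo "$s_name: no log retrieved" >&2

    # 5. revert: power off, restore the clean snapshot, start the guest again
    vbox controlvm "$VM" poweroff || return 1
    vbox snapshot "$VM" restore "$SNAPSHOT" || return 1
    vbox startvm "$VM" --type headless || return 1

    printf '%s %s\n' "$s_name" "$exec_status" >> "$s_out/summary.txt"
}

# Step 6: loop over a directory of samples.  Finished samples are checkpointed
# in $out/progress so a relaunched run resumes instead of starting over.
run_all() {
    in_dir=$1; out=$2
    mkdir -p "$out"
    touch "$out/progress"
    for sample in "$in_dir"/*; do
        [ -f "$sample" ] || continue
        grep -qxF "$(basename "$sample")" "$out/progress" && continue
        run_sample "$sample" "$out" || return 1
        basename "$sample" >> "$out/progress"
    done
}

# Usage: AUTO_MONKEY_RUN=1 sh on-execute-loop.sh /path/to/samples /path/to/results
if [ "${AUTO_MONKEY_RUN:-0}" = 1 ]; then
    run_all "$1" "$2"
fi
```

The progress file is what makes the "exit immediately on error, let the watchdog resume" design of slide 3.2 cheap: a relaunch skips every sample already listed there, so a crash of VBoxManage costs one sample, not the whole run.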
3.1. FFRI AutoMonkey
• Automation script using VBoxManage, just a shell script
  – auto-monkey.sh: automation of the copy, exec, copy, revert steps
  – watch-monkey.sh: watchdog script for the monkey
• It can run multiple tests simultaneously; each instance works independently
• Published at our website below; see the README for details (License: BSD)
  – http://www.ffri.jp/research/freeware.htm
[Figure: two VirtualBox guests, each with its own image and snapshot; each is fed malware by an auto-monkey.sh instance that writes a log and is supervised by its own watch-monkey.sh instance]
3.2. Design concept
• Conforms to the KISS principle
• Estimating the remaining time is important for this kind of test
  – we cannot determine when it would finish if the script hangs up
• The stability of VBoxManage (and the VIX API) is the lifeline of the automation
• In fact, errors occur when it runs for a long time
  – Failure caused by an error
    • the script exits immediately
    • the test is resumed automatically by watch-monkey.sh
  – Hang-up (stuck) caused by an error
    • watch-monkey.sh monitors the lifetime of a VirtualBox process
    • if it is stuck, kill it and resume
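The watchdog behaviour described on this slide, as an added example that is not FFRI's watch-monkey.sh: it launches the test loop in the background, kills it once its lifetime exceeds a limit (the stuck case), and relaunches it (the resume case). It supervises any command, whereas the real tool watches a VirtualBox process; it assumes the supervised loop checkpoints its own progress, so a relaunch resumes rather than restarts. The function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not FFRI's watch-monkey.sh): kill a supervised process once
# it has lived longer than a limit, then relaunch it.  Assumes the supervised
# loop keeps a progress checkpoint so that a relaunch resumes where it stopped.

# Run "$@" in the background and watch it.  When its lifetime passes $limit
# seconds it is SIGKILLed.  Returns the worker's own exit status (137 after a
# kill), so 0 means it finished by itself within the limit.
run_watched() {
    limit=$1; shift
    state=$(mktemp -d)
    # The wrapper subshell records the worker's pid, then its exit status once
    # it has been reaped; polling that file avoids mistaking a zombie for a
    # live process, which "kill -0" would do.
    ( "$@" & echo $! > "$state/pid"
      st=0; wait $! || st=$?
      echo "$st" > "$state/status" ) &
    wrapper=$!
    elapsed=0
    while [ ! -s "$state/status" ]; do
        if [ "$elapsed" -ge "$limit" ]; then
            # lifetime exceeded: the worker is stuck, kill it outright
            kill -KILL "$(cat "$state/pid")" 2>/dev/null || true
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    wait "$wrapper" 2>/dev/null || true
    status=$(cat "$state/status")
    rm -rf "$state"
    return "$status"
}

# Relaunch the test loop after a kill or a non-zero exit, up to $attempts
# times.  SUPERVISE_LAUNCHES records how many launches it took.
supervise() {
    attempts=$1; limit=$2; shift 2
    SUPERVISE_LAUNCHES=0
    while [ "$SUPERVISE_LAUNCHES" -lt "$attempts" ]; do
        SUPERVISE_LAUNCHES=$((SUPERVISE_LAUNCHES + 1))
        if run_watched "$limit" "$@"; then
            return 0
        fi
        echo "launch $SUPERVISE_LAUNCHES of '$*' was killed or failed; resuming" >&2
    done
    return 1
}

# Usage: WATCH_MONKEY_RUN=1 sh watchdog-example.sh <attempts> <limit-seconds> <command...>
# e.g.   WATCH_MONKEY_RUN=1 sh watchdog-example.sh 50 3600 sh auto-monkey.sh samples results
if [ "${WATCH_MONKEY_RUN:-0}" = 1 ]; then
    supervise "$@"
fi
```

The limit is the point where "estimating the remaining time" from the slide becomes possible again: a run can never silently exceed attempts × limit, whatever VBoxManage does. Pick the limit from the per-sample timeout plus the revert time, multiplied by a small safety factor, not from the whole run length.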
3.3. Throughput
• Testing under a 1-host and 7-guest environment
• Processed 20,000 malware samples; each execution time was 60 seconds
  – total elapsed time: 37h15m
  – throughput: 8.95 malware/minute
  # if malware execution terminates in less than 60 seconds, the script proceeds to the next item (this is why the throughput exceeds the 7 per minute that 7 guests each running full 60-second executions would give)
• The host and guest environments are the following:
Hardware   CPU: Intel(R) Core(TM) i5-4570 CPU @ 3.20GHz
           Memory: 8GB
           HDD: 1.8TB x 1
Host OS    Ubuntu 13.04 + VirtualBox 4.2
Guest OS   Windows XP SP3 (x86) + FFR yarai 2.3
           CPU: 1 CPU
           Memory: 750MB
3.4. Performance - processor
• About 70% of total processor time is in the idle state (each core shows the same trend)
[Figure: "all processor statistics", stacked load (%user, %nice, %system, %iowait, %steal, %idle) on a 0% to 100% axis over the run, sampled from 0:05 to 23:25]
3.4. Performance – Disk IO
• The disk busy ratio (%util) stays steadily around 30%
• The number of queued requests is between 4 and 8
[Figure: "Usage of block device (/dev/sda)", %util on a 0 to 90 axis and avgqu-sz on a 0 to 12 axis over the run, sampled from 0:05 to 0:00 the following day]
3.4. Performance - consideration
• None of CPU, memory or IO was a bottleneck under the 1-host and 7-guest environment
• It seems we can add some more guests, up to around 10 VMs, according to memory usage
• However, we have to consider the requirements (CPU, memory) of the process which is executed in a guest