This document summarizes a presentation about finding vulnerabilities in the Windows kernel network stack. It discusses how exploiting complex and uncommon features like IPv6 packet fragmentation can lead to vulnerabilities. Specifically, it describes CVE-2014-9383, a remote code execution vulnerability discovered in a Bitdefender NDIS filter driver through an IPv6 packet defragmentation bug. The presentation outlines techniques for kernel bug hunting such as intercepting packets and overwriting packet data buffers to cause memory overflows. It also notes tools that can help with reverse engineering NDIS drivers like NDISaster.
The document discusses attacking Windows NDIS drivers. It begins with an introduction to NDIS and the different types of NDIS drivers. It then outlines the attack surface for NDIS drivers, including both remote and local attack vectors. The document demonstrates crashing miniport drivers by sending invalid OID requests. It provides details on the registration and initialization of miniport and filter drivers. It analyzes the OID request flow and different IOCTLs that can be used to interact with NDIS drivers, outlining potential issues. The document concludes by discussing fuzzing OIDs and potential bugs in NDIS drivers and third-party vendors.
This document provides an overview and introduction to the Advanced Web Attacks and Exploitation (AWAE) course offered by Offensive Security. The course covers tools and methodologies for analyzing web applications, finding vulnerabilities, and conducting attacks. It includes 14 chapters that walk through real-world examples like authentication bypass, remote code execution, SQL injection, and other attacks against web applications. Labs are provided to allow hands-on learning and practice with attacking techniques.
This document summarizes a presentation on reverse engineering OS X drivers. It discusses the structure of the OS X kernel, drivers, and kernel extensions. It outlines some of the challenges in reverse engineering OS X drivers, such as parsing C++ code and dependencies, and describes approaches to address these challenges like processing relocation information and parsing DWARF files to build a kernel type library in IDA.
Injection on Steroids: Codeless code injection and 0-day techniques (enSilo)
This document discusses techniques for injecting code into processes without directly writing code to the target process's memory. It introduces a technique called "Trap Frame Injection" which hijacks the CPU's user mode state that is stored in trap frames during system calls. It also presents a "Codeless Code Injection" technique which builds ROP chains on the user stack and manipulates the stack pointer to trigger execution without direct code writes. Challenges with this approach like getting return values and avoiding deadlocks are also outlined along with solutions like using a device handle callback or creating a dedicated thread.
Linux device drivers: Role of Device Drivers, Splitting the Kernel, Classes of Devices and Modules, Security Issues, Version Numbering, Building and Running Modules, Kernel Modules vs. Applications, Compiling and Loading, Kernel Symbol Table, Preliminaries, Interaction and Shutdown, Module Parameters, Doing It in User Space.
The document discusses various vulnerabilities in the Metasploitable virtual machine that can be exploited to gain unauthorized access. It describes how backdoors in FTP, IRC, and other services can be used to obtain root shells. It also explains how unintended access points like DistCC and Samba shares are misconfigured, allowing command execution and access to the file system.
Cryptography 101 for Java Developers - Devoxx 2019 (Michel Schudel)
So you're logging in to your favorite crypto currency exchange over https using a username and password, executing some transactions, and you're not at all surprised that, security wise, everything's hunky dory...
The amount of cryptography to make all this happen is staggering. In order to appreciate and understand what goes on under the hood, as a developer, it's really important to dive into the key concepts of cryptography.
In this session, we discover what cryptography actually is, and will use the JCA (Java Cryptography API) and JCE (Java Cryptography Extensions) in the JDK to explain and demo key concepts such as:
- Message digests (hashing)
- Encryption, both symmetric and asymmetric
- Digital signatures, both symmetric and asymmetric
Furthermore, we'll show how these concepts find their way into a variety of practical applications such as:
- https and certificates
- salted password checking
- block chain technology
After this session, you'll have a better understanding of basic cryptography, its applications, and how to use the cryptography APIs in Java.
This document provides an overview of Linux device drivers. It discusses what a device driver is, the Linux driver architecture, different driver classes like character and block drivers, kernel modules, driver initialization and cleanup functions, compiling and loading modules, module parameters, differences between modules and applications, and key concepts like major/minor numbers and file operations.
Diving into SWUpdate: adding new platform support in 30 minutes with Yocto/OE! (Pierre-jean Texier)
The document discusses adding new platform support for SWUpdate in 30 minutes using Yocto/OE. It provides an overview of SWUpdate and the update process. It then demonstrates how to generate a clean Yocto/OE setup for the Microchip SAMA5D27-SOM1-EK1 board using KAS. Specific steps are outlined for creating a partition scheme, machine configuration, and deployment/testing of SWUpdate on the target board.
The document describes the data structures used to represent I2C buses, devices, drivers, and clients in the Linux kernel. It explains how a new I2C bus instance is recognized, how devices are added to the I2C bus, and how an I2C device driver is added and bound to devices. Key data structures include i2c_adapter, i2c_client, i2c_driver, and the device/driver model links between them.
Embitude's Linux SPI Drivers Training Slides. Contains the details of AM335X specific low level programming, SPI components such as SPI Master Driver, SPI Client Driver, Device Tree for SPI
Abusing Microsoft Kerberos - Sorry you guys don't get it (Benjamin Delpy)
This document discusses abusing Microsoft Kerberos authentication. It provides an overview of how Kerberos authentication works, obtaining users' Kerberos keys from Active Directory or client memory, and using those keys to authenticate as the user without their password through techniques like Pass-the-Hash and Overpass-the-Hash. It also demonstrates these techniques live using mimikatz to dump keys and authenticate with captured keys.
This course gets you started with writing device drivers in Linux by providing real time hardware exposure. Equip you with real-time tools, debugging techniques and industry usage in a hands-on manner. Dedicated hardware by Emertxe's device driver learning kit. Special focus on character and USB device drivers.
Insecure direct object reference (null delhi meet) (Abhinav Mishra)
This document discusses insecure direct object references (IDOR), a type of access control vulnerability. IDOR occurs when an application exposes references to unauthorized resources, such as allowing access to another user's account, through direct manipulation of the reference URL or parameter. The document explains how IDOR works using examples, how attackers can discover and exploit IDOR vulnerabilities, and considerations for when it may not be critical even if present. It also provides resources for further information on testing and remediating IDOR issues.
OWASP SD: Deserialize My Shorts: Or How I Learned To Start Worrying and Hate ... (Christopher Frohoff)
Object deserialization is an established but poorly understood attack vector in applications that is disturbingly prevalent across many languages, platforms, formats, and libraries.
In January 2015 at AppSec California, Chris Frohoff and Gabe Lawrence gave a talk on this topic, covering deserialization vulnerabilities across platforms, the many forms they take, and places they can be found. It covered, among other things, somewhat novel techniques using classes in commonly used libraries for attacking Java serialization that were subsequently released in the form of the ysoserial tool. Few people noticed until late 2015, when other researchers used these techniques/tools to exploit well known products such as Bamboo, WebLogic, WebSphere, ApacheMQ, and Jenkins, and then services such as PayPal. Since then, the topic has gotten some long-overdue attention and great work is being done by many to improve our understanding and developer awareness on the subject.
This talk will review the details of Java deserialization exploit techniques and mitigations, as well as report on some of the recent (and future) activity in this area.
http://www.meetup.com/Open-Web-Application-Security-Project-San-Diego-OWASP-SD/events/226242635/
UEFI Firmware Rootkits: Myths and Reality (Sally Feller)
Earlier this month, we teased a proof of concept for UEFI ransomware which was presented at RSA Conference 2017. The HackingTeam, Snowden, Shadow Brokers, and Vault7 leaks have revealed that UEFI/BIOS implants aren't just a theoretical concept but have actually been weaponized by nation states to conduct cyber espionage. Physical access requirements are a thing of the past: these low-level implants can be installed remotely by exploiting vulnerabilities in the underlying UEFI system.
Today at BlackHat Asia 2017, we are disclosing two vulnerabilities in two different models of the GIGABYTE BRIX platform:
GB-BSi7H-6500 – firmware version: vF6 (2016/05/18)
GB-BXi7-5775 – firmware version: vF2 (2016/07/19)
The document discusses various inter-process communication (IPC) mechanisms in Android, including intents, binder transactions, AIDL interfaces, ashmem shared memory, and system properties. It provides code examples and describes how these IPC methods allow processes to communicate and share data.
The document discusses finding and analyzing iOS kernel bugs through fuzzing techniques. It begins by providing background on the iOS kernel structure based on XNU and OSX. It then summarizes two known iOS kernel bugs from the past that involved integer overflows and type conversions. The document goes on to describe passive and active fuzzing approaches that can be used to find new bugs, including hooking kernel functions to fuzz parameters. It also provides tips on reversing iOS kernel extensions and debugging the kernel. Finally, it analyzes examples of bugs found through fuzzing and how to understand the crash causes and trigger paths through static analysis and debugging.
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
The document discusses Linux I2C and its subsystems. It describes the Linux I2C bus driver which provides an API for I2C and SMBus transactions. It also covers I2C adapter drivers that interface between the bus driver and physical I2C controllers, the I2C-dev driver which provides a character device interface, and I2C client drivers.
Page cache mechanism in Linux kernel.
Note: When you view the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (screenshots are clear).
Memory Mapping Implementation (mmap) in Linux Kernel (Adrian Huang)
Note: When you view the slide deck via web browser, the screenshots may be blurred. You can download and view them offline (screenshots are clear).
CanSecWest 2017 - Port(al) to the iOS Core (Stefan Esser)
This document discusses a new iOS kernel exploitation technique that involves manipulating mach ports. It fills the kernel heap with pointers to mach ports, then overwrites those pointers to fake ports that point to attacker-controlled data structures. This allows calling kernel APIs and the Mach API using the fake ports to potentially execute arbitrary code or escalate privileges. The technique was previously private but was leaked in late 2016 and used in the Yalu jailbreak.
This document summarizes a presentation on pentesting like a grandmaster chess player. It discusses how chess grandmasters focus on individual skill through early and relentless practice, preparation through extensive study of opponents and scenarios, and performance through maintaining health and discipline. Specific chess players are discussed as examples, such as how Kasparov outprepared his opponent through thorough research. The document advocates pentesters similarly focus on individual hacking skills, in-depth target preparation, and optimized performance.
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 (Frans Rosén)
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason and why Doctors without Borders are trying to hunt him down.
MODERN MALWARE: OBFUSCATION AND EMULATION DEF CON CHINA 1.0 (2019) (Alexandre Borges)
Modern advanced malware samples are used to infect countries and they are part of the current cyber war, cyber espionage and financial attacks. Furthermore, critical actors, who write these malicious codes, try to make static and dynamic analysis really hard by heavily obfuscating and, eventually, virtualizing code using techniques such as CFG flattening, call stack manipulation, dead code, opaque predicates and so on. Understanding these concepts and how they are used with virtualized packers is an advantage when learning the main anti-reversing techniques.
Therefore, to manage complex scenarios as exposed above, we are able to use frameworks such as METASM, MIASM and several dynamic and static emulation techniques to make code simpler. In the end, the goal is to reduce the code (most of the time by using symbolic analysis), making us able to get a better understanding of the threat. Additionally, the introduction of dynamic tracing (DTrace) on Windows can help us have a better understanding of programs and their behavior.
This presentation aims to show concepts and a practical approach on how to handle these reverse engineering challenges and techniques.
This document provides an overview of Unix rootkits, including their functionality, types, usage trends, and case studies of captured rootkits. Rootkits aim to maintain access, attack other systems, and conceal evidence. They are implemented through binary, kernel, and library techniques. Case studies examine the SA binary kit, the W00tkit kernel kit, and the RK library kit to illustrate rootkit techniques and evolution over time. The document concludes that rootkits combine tools to establish hidden, persistent access and attack other machines while avoiding detection.
LinuxLabs 2017 talk: Container monitoring challenges (Xavier Vello)
A technical talk about some challenges we had to solve with our containerized agent:
- handling memory limits
- retrieving host network metrics
- enabling easier discovery via unix domain sockets
- securing our access to the Docker socket
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
The document discusses a technique called Dynamic Port Scanning (DPS) that integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. It allows scan packets to appear to come from many different IP addresses, making detection more difficult. The document provides an overview of current spoofing techniques, explains how ARP poisoning can be used to spoof IPs during scanning, lists advantages and limitations, and discusses various one-packet scanning techniques that can be used with DPS. It also introduces a tool called Dynamic Port Scanner that implements the DPS technique.
Cyberattacks on a marine context (NATO Congress 2011) (flagsolutions)
The document discusses how pirates could become an advanced persistent threat through cyberattacks on vessels. It outlines potential scenarios like compromising communications, sabotaging PLC systems, and discovering precise fleet positions through GPS. The document then explains how asset-oriented hacking techniques could allow pirates to conduct intelligence gathering and target specific vessels. This could enable pirates to hijack ships more easily using communications interception, sabotage of systems, or GPS manipulation. The document demonstrates how inexpensive these cyberattacks can be. It concludes that pirates have the capability and intent to persistently target vessels, and should be considered an emerging advanced threat through virtual means.
This document summarizes how to exploit vulnerabilities in fixed wireless terminals to remotely root the devices. It describes examining the hardware components and boot process to find entry points. Exploits discussed include using removable media to gain root access, cracking weak passwords, and exploiting unpickle serialization and remote code execution via eval. A demonstration shows using these techniques to remotely root a terminal via its management interface and UDP vulnerabilities. Potential further attacks discussed include installing backdoors, intercepting data and calls, and creating botnets.
ADVANCED MALWARE THREATS -- NO HAT 2019 (BERGAMO / ITALY) - Alexandre Borges
Malware threats have been changing the way that companies make and protect their business. In general, most companies have bought several different products to build their infrastructure and defense line, but these are only effective against known and simple threats. Curiously, most infections start through a simple vector such as a malicious document or simple phishing. However, the real problem is another one: what kind of malware can a simple dropper download onto the system? Most ring 3 threats are visible, but some of them are not. Additionally, ring 0 threats are usually very dangerous because they work under the radar, compromising the system deeply and bypassing any protection. Worse, they can render monitoring tools useless and open the way to advanced threats like BIOS/UEFI malware. What kind of techniques are used by these threats? What protections do we have? This presentation aims to show and explain some techniques used by advanced malware threats and the protections against them.
Wireless Kernel Tweaking
or how B.A.T.M.A.N. learned to fly
Kernel hacking is definitely the queen of coding, but in order to bring mesh routing that one vital step further we had to conquer this, for us, uncharted territory. Working in the kernel itself is a tough and difficult task to manage, but the results and effectiveness to be gained justify the long and hard road to success. We took on the mission to go down that road, and the result is B.A.T.M.A.N. advanced, a kernel-land implementation of the B.A.T.M.A.N. mesh routing protocol specifically designed to manage Wireless MANs.
This talk will focus on a brief history, including a demo and overview of how we at Superbalist use Kubernetes, and how Kubernetes uses Docker, does load balancing, deployments, and data migrations.
Talk from Cape Town DevOps meetup on Jun 21, 2016:
https://www.meetup.com/Cape-Town-DevOps/events/231530172/
Code: https://github.com/zoidbergwill/kubernetes-examples
Slides as markdown: http://www.zoidbergwill.com/presentations/2016/kubernetes-1.2-and-spread/index.md
Linux containers provide isolation between applications using namespaces and cgroups. While containers appear similar to VMs, they do not fully isolate applications and some security risks remain. To improve container security, Docker recommends: 1) not running containers as root, 2) dropping capabilities like CAP_SYS_ADMIN, 3) enabling user namespaces, and 4) using security modules like SELinux. However, containers cannot fully isolate applications that need full hardware or kernel access, so virtual machines may be needed in some cases.
1. The document discusses modern techniques used by malware to obfuscate code, such as virtualization, encryption, and anti-reversing tricks.
2. Packers and protectors like VMProtect, Themida, and Arxan use virtual machines and other techniques to transform and encrypt code, making static analysis very difficult.
3. Reversing obfuscated code involves understanding how the virtual machine works, including how it fetches, decodes, and dispatches instructions to handlers. The document provides examples of how virtualized code is structured and executed.
Security as Code in Docker Ecosystem for Cloud Native Apps - enlamp
Talk given at TechnoPark in Casablanca, Morocco for the Docker meetup on 21st Feb, 2018. As the DevOps saying goes, "You build it, you run it". Usable security is an interesting field for developers to focus on, so that's what this talk is about: clear actionable content, git-based ops, easy security practices. Original meetup URL: https://www.meetup.com/Docker-Morocco/events/247506286/
Fire & Ice: Making and Breaking macOS Firewalls - Priyanka Aash
"In the ever raging battle between malicious code and anti-malware tools, firewalls play an essential role. Many a malware has been generically thwarted thanks to the watchful eye of these products.
However, on macOS, firewalls are rather poorly understood. Apple's documentation surrounding its network filter interfaces is rather lacking and all commercial macOS firewalls are closed source.
This talk aims to take a peek behind the proverbial curtain revealing how to both create and 'destroy' macOS firewalls.
In this talk, we'll first dive into what it takes to create an effective firewall for macOS. Yes we'll discuss core concepts such as kernel-level socket filtering—but also how to communicate with user-mode components, install privileged code in a secure manner, and simple ways to implement self-defense mechanisms (including protecting the UI from synthetic events).
Of course any security tool, including firewalls, can be broken. After looking at various macOS malware specimens that proactively attempt to detect such firewalls, we'll don our 'gray' (black?) hats to discuss various attacks against these products. And while some attacks are well known, others are currently undisclosed and can generically bypass even today's most vigilant Mac firewalls.
But all is not lost. By proactively discussing such attacks, combined with our newly-found understandings of firewall internals, we can improve the existing status quo, advancing firewall development. With a little luck, such advancements may foil, or at least complicate the lives of tomorrow's sophisticated Mac malware!"
SnakeGX is a framework that implants a persistent backdoor in SGX enclaves without being detected by the host OS. It works by exploiting SGX isolation to avoid memory inspection, leaving minimal traces. The key aspects are: (1) analyzing enclave memory to find a trusted thread for payload installation, (2) installing ROP chains and a fake ocall context trigger, (3) designing the backdoor with split payload chains that interact inside and outside the enclave via context switching. An evaluation on StealthDB shows the trigger is much smaller than the payload, making it harder to detect through memory forensics.
This document introduces MQTT (MQ Telemetry Transport), a publish-subscribe messaging protocol designed for low-bandwidth, high-latency or unreliable networks. MQTT is optimized for constrained devices and mobile applications, enabling ubiquitous connectivity for the Internet of Things. It supports asynchronous messaging with publish/subscribe semantics and different levels of quality of service. MQTT has a small code footprint and lightweight implementation making it suitable for sensor applications and resource-constrained devices. It has gained popularity for use in home automation, gardening, transportation, and other Internet of Things applications.
This document provides an agenda and overview for a hands-on lab on using DPDK in containers. It introduces Linux containers and how they use fewer system resources than VMs. It discusses how containers still use the kernel network stack, which is not ideal for SDN/NFV usages, and how DPDK can be used in containers to address this. The hands-on lab section guides users through building DPDK and Open vSwitch, configuring them to work with containers, and running packet generation and forwarding using testpmd and pktgen Docker containers connected via Open vSwitch.
A hitchhiker‘s guide to the cloud native stack - QAware GmbH
Container Days 2017, Hamburg: talk by Mario-Leander Reimer (@LeanderReimer, chief technologist at QAware).
Abstract: Cloud giants such as Google, Twitter and Netflix have released the core building blocks of their infrastructure as open source. The result of many years of cloud experience is now freely available, and anyone can develop their own cloud-native applications: applications that run reliably in the cloud and scale almost without limit. The individual building blocks are growing together into one larger whole, the Cloud Native Stack.
In this session we present the most important concepts and key technologies, and then bring a Spring Cloud based sample application step by step to run on Kubernetes and DC/OS. Along the way we discuss several practical architecture alternatives.
Discover top-tier mobile app development services, offering innovative solutions for iOS and Android. Enhance your business with custom, user-friendly mobile applications.
Generating privacy-protected synthetic data using Secludy and Milvus - Zilliz
During this demo, the founders of Secludy will demonstrate how their system utilizes Milvus to store and manipulate embeddings for generating privacy-protected synthetic data. Their approach not only maintains the confidentiality of the original data but also enhances the utility and scalability of LLMs under privacy constraints. Attendees, including machine learning engineers, data scientists, and data managers, will witness first-hand how Secludy's integration with Milvus empowers organizations to harness the power of LLMs securely and efficiently.
For the full video of this presentation, please visit: https://www.edge-ai-vision.com/2024/06/temporal-event-neural-networks-a-more-efficient-alternative-to-the-transformer-a-presentation-from-brainchip/
Chris Jones, Director of Product Management at BrainChip, presents the “Temporal Event Neural Networks: A More Efficient Alternative to the Transformer” tutorial at the May 2024 Embedded Vision Summit.
The expansion of AI services necessitates enhanced computational capabilities on edge devices. Temporal Event Neural Networks (TENNs), developed by BrainChip, represent a novel and highly efficient state-space network. TENNs demonstrate exceptional proficiency in handling multi-dimensional streaming data, facilitating advancements in object detection, action recognition, speech enhancement and language model/sequence generation. Through the utilization of polynomial-based continuous convolutions, TENNs streamline models, expedite training processes and significantly diminish memory requirements, achieving notable reductions of up to 50x in parameters and 5,000x in energy consumption compared to prevailing methodologies like transformers.
Integration with BrainChip’s Akida neuromorphic hardware IP further enhances TENNs’ capabilities, enabling the realization of highly capable, portable and passively cooled edge devices. This presentation delves into the technical innovations underlying TENNs, presents real-world benchmarks, and elucidates how this cutting-edge approach is positioned to revolutionize edge AI across diverse applications.
The Microsoft 365 Migration Tutorial For Beginner.pptx - operationspcvita
This presentation will help you understand the power of Microsoft 365. In addition, we have mentioned every productivity app included in Office 365, suggested the migration situations related to Office 365, and explained how we can help you.
You can also read: https://www.systoolsgroup.com/updates/office-365-tenant-to-tenant-migration-step-by-step-complete-guide/
What is an RPA CoE? Session 1 – CoE Vision - DianaGray10
In the first session, we will review the organization's vision and how this has an impact on the COE Structure.
Topics covered:
• The role of a steering committee
• How do the organization’s priorities determine CoE Structure?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect, Anika Systems
Programming Foundation Models with DSPy - Meetup Slides - Zilliz
Prompting language models is hard, while programming language models is easy. In this talk, I will discuss the state-of-the-art framework DSPy for programming foundation models with its powerful optimizers and runtime constraint system.
How information systems are built or acquired puts information, which is what they should be about, in a secondary place. Our language adapted accordingly, and we no longer talk about information systems but applications. Applications evolved in a way to break data into diverse fragments, tightly coupled with applications and expensive to integrate. The result is technical debt, which is re-paid by taking even bigger "loans", resulting in an ever-increasing technical debt. Software engineering and procurement practices work in sync with market forces to maintain this trend. This talk demonstrates how natural this situation is. The question is: can something be done to reverse the trend?
Ivanti’s Patch Tuesday breakdown goes beyond patching your applications and brings you the intelligence and guidance needed to prioritize where to focus your attention first. Catch early analysis on our Ivanti blog, then join industry expert Chris Goettl for the Patch Tuesday Webinar Event. There we’ll do a deep dive into each of the bulletins and give guidance on the risks associated with the newly-identified vulnerabilities.
Have you ever been confused by the myriad of choices offered by AWS for hosting a website or an API?
Lambda, Elastic Beanstalk, Lightsail, Amplify, S3 (and more!) can each host websites + APIs. But which one should we choose?
Which one is cheapest? Which one is fastest? Which one will scale to meet our needs?
Join me in this session as we dive into each AWS hosting service to determine which one is best for your scenario and explain why!
Fueling AI with Great Data with Airbyte Webinar - Zilliz
This talk will focus on how to collect data from a variety of sources, leveraging this data for RAG and other GenAI use cases, and finally charting your course to productionalization.
HCL Notes and Domino License Cost Reduction in the World of DLAU - panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able to lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Taking AI to the Next Level in Manufacturing.pdf - ssuserfac0301
Read Taking AI to the Next Level in Manufacturing to gain insights on AI adoption in the manufacturing industry, such as:
1. How quickly AI is being implemented in manufacturing.
2. Which barriers stand in the way of AI adoption.
3. How data quality and governance form the backbone of AI.
4. Organizational processes and structures that may inhibit effective AI adoption.
6. Ideas and approaches to help build your organization's AI strategy.
Conversational agents, or chatbots, are increasingly used to access all sorts of services using natural language. While open-domain chatbots - like ChatGPT - can converse on any topic, task-oriented chatbots - the focus of this paper - are designed for specific tasks, like booking a flight, obtaining customer support, or setting an appointment. Like any other software, task-oriented chatbots need to be properly tested, usually by defining and executing test scenarios (i.e., sequences of user-chatbot interactions). However, there is currently a lack of methods to quantify the completeness and strength of such test scenarios, which can lead to low-quality tests, and hence to buggy chatbots.
To fill this gap, we propose adapting mutation testing (MuT) for task-oriented chatbots. To this end, we introduce a set of mutation operators that emulate faults in chatbot designs, an architecture that enables MuT on chatbots built using heterogeneous technologies, and a practical realisation as an Eclipse plugin. Moreover, we evaluate the applicability, effectiveness and efficiency of our approach on open-source chatbots, with promising results.
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application... - Alex Pruden
Folding is a recent technique for building efficient recursive SNARKs. Several elegant folding protocols have been proposed, such as Nova, Supernova, Hypernova, Protostar, and others. However, all of them rely on an additively homomorphic commitment scheme based on discrete log, and are therefore not post-quantum secure. In this work we present LatticeFold, the first lattice-based folding protocol based on the Module SIS problem. This folding protocol naturally leads to an efficient recursive lattice-based SNARK and an efficient PCD scheme. LatticeFold supports folding low-degree relations, such as R1CS, as well as high-degree relations, such as CCS. The key challenge is to construct a secure folding protocol that works with the Ajtai commitment scheme. The difficulty is ensuring that extracted witnesses are low norm through many rounds of folding. We present a novel technique using the sumcheck protocol to ensure that extracted witnesses are always low norm no matter how many rounds of folding are used. Our evaluation of the final proof system suggests that it is as performant as Hypernova, while providing post-quantum security.
Paper Link: https://eprint.iacr.org/2024/257
NDIS Packet of Death
2. Windows Kernel, the final frontier
Our mission: to explore strange new attack surfaces, to
seek out new bugs and new 0-days. To boldly go where
(almost) no security researcher has gone before
3. NDIS PACKET OF DEATH
TURNING WINDOWS’ COMPLEXITY AGAINST ITSELF
NITAY ARTENSTEIN
CHECK POINT
5. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
6. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
7. USS WINTERPRISE PACKET FLOW
(diagram) USERLAND: APPLICATION, WINSOCK API; KERNEL: WINSOCK KERNEL, ?, bridge; NETWORK CARD
9. Filter Drivers
• Handle all packets, regardless of configuration
• Massive attack surface
• Small, easy to reverse engineer
“Being stuck in the middle is not THAT bad!”
13. The Windows network driver layers
(word cloud) absolutely horrendous messes of conflicting layers of backward-compatible cruft; emotional trauma; the Windows network stack 🙀
14. Hostile Programming Environments
• Bad API design
• Complicated memory management
• Inadequate documentation
• No helper functions
“They said kernel programming is good money”
15. NETWORK DRIVER INTERFACE SPECIFICATION
(diagram) NETWORK CARD, then the NDIS layers: MINIPORT DRIVER, FILTER DRIVER, PROTOCOL DRIVER
SECURITY
1. Third party code
2. Too much complexity
3. API quality
17. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
25. FIRST ATTACK: PACKET CONFUSION
EVIL: API DOCUMENTATION, SAMPLE CODE, STACKOVERFLOW.COM, SITES FROM THE 90’s
26. FIRST ATTACK: PACKET CONFUSION
“If we need to queue this packet we will also have to copy over the per-packet information. This is because data is available only for the duration of this receive indication call”
EVIL
33. SECOND ATTACK: PACKET OVERWRITE
EVIL: API DOCUMENTATION, SAMPLE CODE
“Remove all MDLs [memory buffers] from the end of the chain, where the last byte of the MDL isn’t part of the packet buffer”
40. THIRD ATTACK: death by protocol
GOOD
RFC 2460 (IPv6)
RFC 790 (IPv4)
RFC 791 (IPv4)
RFC 826 (ARP)
RFC 1034 (DNS)
RFC 768 (UDP)
RFC 793 (TCP)
RFC 792 (ICMP)
41. GOOD / EVIL (image)
“I keep this around for when Spock is not on board”
42. AGENDA
1. INTO THE KERNEL
2. FINDING VULNERABILITIES
3. PWNAGE: CVE-2014-9383
43. BUG HUNTING 101
PREMISE:
1. MORE COMPLEXITY == MORE BUGS
2. EDGE CASES ARE THE MOST DIFFICULT TO TEST
CONCLUSION:
LOOK FOR BUGS IN COMPLICATED AND UNCOMMON USE CASES
EVIL
44. A Word About IPv6
• Insanely complicated protocol
• Nobody’s using it
• Has esoteric features that REALLY nobody uses
• NDIS drivers still have to support those features
“Anybody order pizza?”
45. BONUS: YOU GET TO SET THE SIZE OF THE EXTENSION HEADER
SECURITY
1. Complicated!
46. RFC 2460
“A node may use the IPv6 Fragment header to fragment the packet at the source and have it reassembled at the destination.
However,
is discouraged”
EVIL
SECURITY
2. Unused!
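Slides 45 and 46 make the defender's point: the sender chooses every extension-header length and fragment-header field that a filter driver has to parse before it can reassemble anything. The following C parser is an added example (not code from the talk, from Bitdefender, or from any NDIS driver) showing the bounds checks a defragmenting driver needs: it rejects a Payload Length larger than what was received, a sender-chosen Hdr Ext Len that overruns the buffer, and a fragment whose offset plus data would exceed the 65535-byte limit of RFC 2460; the sample packet and the build_sample helper are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IPV6_HDR_LEN 40
enum { NH_HOPOPTS = 0, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44, NH_DSTOPTS = 60 };

struct frag_info {
    uint32_t id;            /* Identification field */
    uint16_t offset;        /* fragment offset in bytes (13-bit field * 8) */
    uint8_t more_fragments; /* M flag */
    uint8_t next_header;    /* protocol of the reassembled payload */
    size_t payload_off;     /* where this fragment's data starts in pkt */
};

/* Walk the extension-header chain up to the Fragment header. Returns 1 when a
 * Fragment header was found and every header fit in the received bytes,
 * 0 when the packet is not fragmented, -1 when it is malformed. */
int parse_ipv6_fragment(const uint8_t *pkt, size_t len, struct frag_info *out)
{
    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    size_t payload_len = ((size_t)pkt[4] << 8) | pkt[5];
    if (payload_len > len - IPV6_HDR_LEN) /* trust received bytes, not the field */
        return -1;
    size_t end = IPV6_HDR_LEN + payload_len, off = IPV6_HDR_LEN;
    uint8_t nh = pkt[6];

    for (int hops = 0; hops < 8; hops++) { /* bound the chain walk */
        size_t hlen;
        switch (nh) {
        case NH_HOPOPTS: case NH_ROUTING: case NH_DSTOPTS:
            if (end - off < 2) return -1;
            hlen = ((size_t)pkt[off + 1] + 1) * 8; /* Hdr Ext Len is sender-chosen */
            break;
        case NH_FRAGMENT:
            hlen = 8;
            break;
        default:
            return 0; /* upper-layer header reached, nothing to reassemble */
        }
        if (hlen > end - off) return -1; /* header claims bytes never received */
        if (nh == NH_FRAGMENT) {
            uint16_t fo = ((uint16_t)pkt[off + 2] << 8) | pkt[off + 3];
            out->next_header = pkt[off];
            out->offset = (uint16_t)(fo & 0xFFF8);
            out->more_fragments = (uint8_t)(fo & 1);
            out->id = ((uint32_t)pkt[off + 4] << 24) | ((uint32_t)pkt[off + 5] << 16)
                    | ((uint32_t)pkt[off + 6] << 8) | pkt[off + 7];
            out->payload_off = off + 8;
            /* RFC 2460: offset plus fragment data must fit a 65535-byte packet */
            if ((size_t)out->offset + (end - out->payload_off) > 65535) return -1;
            return 1;
        }
        nh = pkt[off];
        off += hlen;
    }
    return -1; /* absurdly long header chain: treat as hostile */
}

/* Constructed sample (not captured traffic): IPv6 + Hop-by-Hop + Fragment +
 * 8 data bytes. hbh_len forges the Hop-by-Hop Hdr Ext Len field. */
size_t build_sample(uint8_t *buf, size_t cap, uint8_t hbh_len)
{
    static const uint8_t tail[24] = {
        NH_FRAGMENT, 0, 1, 4, 0, 0, 0, 0,              /* Hop-by-Hop with PadN(4) */
        NH_UDP, 0, 0x00, 0x01, 0xDE, 0xAD, 0xBE, 0xEF, /* Fragment: off 0, M=1, id */
        'p', 'a', 'y', 'l', 'o', 'a', 'd', '!' };
    if (cap < IPV6_HDR_LEN + sizeof tail) return 0;
    memset(buf, 0, IPV6_HDR_LEN);
    buf[0] = 0x60; buf[5] = (uint8_t)sizeof tail; buf[6] = NH_HOPOPTS; buf[7] = 64;
    memcpy(buf + IPV6_HDR_LEN, tail, sizeof tail);
    buf[IPV6_HDR_LEN + 1] = hbh_len;
    return IPV6_HDR_LEN + sizeof tail;
}
```

With hbh_len set to 5 the Hop-by-Hop header claims 48 bytes of a 24-byte payload, which is exactly the kind of sender-controlled size the slides warn about; the parser rejects it before any copy or reassembly happens.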
47. About CVE-2014-9383
• RCE vulnerability in Bitdefender NDIS filter driver
• Patched last month
• Disclaimer: No ASLR bypass (requires another vuln)
• Another disclaimer: Statistical attack, works 50% of the time
“Next time let me write a Linux driver”
54. Bonus: DIY with NDISaster
• Identifies the main handler functions in NDIS drivers
• Generates a Windbg script for packet capture
• Incorporates the output from Windbg back into IDA
• Identifies the main functions per protocol
• Still no support for NDIS 6!