ISIS (Now OSIRIS) Lab at NYU Tandon school hosts weekly sessions for young hackers. They excelled at developing this talent. This week I gave a talk discussing where vulnerabilities occur, how people handle them as well as a deep dive into various technical aspects of the Application Binary Interface (ABI) for the XNU derived kernels. The deep dive also included covering the loading mechanisms for Mach-O though the kernel and DYLD.
For the second part, I did a walk through which is recorded on youtube (https://www.youtube.com/watch?v=yg9svg9xE8g). It is about how we can use GCC to help you write assembly for your shellcode. It is especially useful for complex logic and for getting you bootstrapped on architectures you might not be familiar with. We use GCC to build up concise code for executing a system call. Just be aware that using GCC for this purpose will usually be enough to buildup ~90% of the work, you'd be responsible to shape it into something that meets all the requirements of your exploit.
At the end, there is a challenge given. It is to build shellcode which downloads and loads a dylib into a process without touch disk. There is a template on github (https://github.com/nologic/shellcc) for downloading and loading from disk.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...Codemotion
Cyber security is one of the most challenging topics in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do? What difficulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path? Why is not enough an automated system? Marco will talk about real experiences on the cyber analyst field.
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
En estadística, la distribución binomial es una distribución de probabilidad discreta que cuenta el número de éxitos en una secuencia de n ensayos de Bernoulli independientes entre sí, con una probabilidad fija p de ocurrencia del éxito entre los ensayos. Un experimento de Bernoulli se caracteriza por ser dicotómico, esto es, sólo son posibles dos resultados. A uno de estos se denomina éxito y tiene una probabilidad de ocurrencia p y al otro, fracaso, con una probabilidad q = 1 - p. En la distribución binomial el anterior experimento se repite n veces, de forma independiente, y se trata de calcular la probabilidad de un determinado número de éxitos. Para n = 1, la binomial se convierte, de hecho, en una distribución de Bernoulli.
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump into the band wagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing.
This talk is not only an introduction into the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontrollers and System-on-chip reverse engineering. We will cover some electronics basic knowledge as well as tools and classic methodologies when it comes at analyzing an IoT device and will provide tips and tricks based on our experience but our failures too.
Cyber Analysts: who they are, what they do, where they are - Marco Ramilli - ...Codemotion
Cyber security is one of the most challenging topics in the current era. Cyber attacks are becoming day by day more sophisticated and difficult to be detected by automated systems. People who understand cyber threats and act to block cyber attacks are defined as cyber analysts. But what do they really do? What difficulties do they meet and what background should they have before starting the "neverending" "cyber security" learning path? Why is not enough an automated system? Marco will talk about real experiences on the cyber analyst field.
Esta apresentação é baseada em uma pesquisa que publiquei em 2015 que tratava de malware do tipo mach-o, e o aumento de visibilidade do macOS como novo alvo. Nesta nova pesquisa, a ideia é mostrar algumas dicas sobre internals, kernel e principais ameaças que o macOS vem enfrentando.
En estadística, la distribución binomial es una distribución de probabilidad discreta que cuenta el número de éxitos en una secuencia de n ensayos de Bernoulli independientes entre sí, con una probabilidad fija p de ocurrencia del éxito entre los ensayos. Un experimento de Bernoulli se caracteriza por ser dicotómico, esto es, sólo son posibles dos resultados. A uno de estos se denomina éxito y tiene una probabilidad de ocurrencia p y al otro, fracaso, con una probabilidad q = 1 - p. En la distribución binomial el anterior experimento se repite n veces, de forma independiente, y se trata de calcular la probabilidad de un determinado número de éxitos. Para n = 1, la binomial se convierte, de hecho, en una distribución de Bernoulli.
From the user’s perspective Android and iOS are not too dissimilar. One is cheaper than the other and pretty much everyone makes their apps for both types of phones. However, from the security testing perspective things are very different. Android is open and has lots of standard mechanisms to assist with testing. On the other hand, iOS is closed and requires lots of non standard methods for black box testing. The caveat is, of course, unless you own and control the build of the application but, that not completely black box. If you do then you can use any number of tools: Appium, Apple UI Automation, etc.
This talk will cover reasons for why we constrain ourselves to this type of testing as well as various tools and techniques for instrumenting iOS apps to do UI automation. Specifically, we are constrained to no source code and no way to make a special build. The jailbreak community has developed many of these building blocks that if used in concert can provide for a powerful testing automation framework. This talk will also demonstrate a reference implementation of an extensible tool that brings all the primitives together to automate the testing of iOS application.
A FORÇA QUE O LOGO TEM EM SEU NEGÓCIO O primeiro contato que seu cliente tem com a sua empresa, é seu LOGO. Ele é a porta de entrada para transmitir visualmente quem você é, o que produz ou vende. Muitos ignoram sua força e por isso não desfrutam dos resultados inegáveis que ele oferece. Por isso daremos 7 dicas imbatíveis para lhe ajudar na hora de redesenhar ou pensar seu logo do zero!
iOS holds some of our most important data. So, it is important to understand how it works and hopefully get a better sense of how to protect it. In this talk we will start with some relatively high level attacker perspectives. Then, we will dive deep into some of the tools and techniques we can use to analyze most sensitive phone apps.
From the user’s perspective Android and iOS are not too dissimilar. One is cheaper than the other and pretty much everyone makes their apps for both types of phones. However, from the security testing perspective things are very different. Android is open and has lots of standard mechanisms to assist with testing. On the other hand, iOS is closed and requires lots of non standard methods for black box testing. The caveat is, of course, unless you own and control the build of the application but, that not completely black box. If you do then you can use any number of tools: Appium, Apple UI Automation, etc.
This talk will cover reasons for why we constrain ourselves to this type of testing as well as various tools and techniques for instrumenting iOS apps to do UI automation. Specifically, we are constrained to no source code and no way to make a special build. The jailbreak community has developed many of these building blocks that if used in concert can provide for a powerful testing automation framework. This talk will also demonstrate a reference implementation of an extensible tool that brings all the primitives together to automate the testing of iOS application.
A FORÇA QUE O LOGO TEM EM SEU NEGÓCIO O primeiro contato que seu cliente tem com a sua empresa, é seu LOGO. Ele é a porta de entrada para transmitir visualmente quem você é, o que produz ou vende. Muitos ignoram sua força e por isso não desfrutam dos resultados inegáveis que ele oferece. Por isso daremos 7 dicas imbatíveis para lhe ajudar na hora de redesenhar ou pensar seu logo do zero!
iOS holds some of our most important data. So, it is important to understand how it works and hopefully get a better sense of how to protect it. In this talk we will start with some relatively high level attacker perspectives. Then, we will dive deep into some of the tools and techniques we can use to analyze most sensitive phone apps.
Lab Handson: Power your Creations with Intel Edison!Codemotion
by Francesco Baldassarri - Come along and play with Intel Edison, for the Internet of Things? Learn about the Developer Kit for IoT, chose your preferred environment and test it – or test all the possibilities? We will be providing information and hands on training for developers interested in testing our solutions in C/C++, Javascript, Arduino, Wyliodrin and Python. Just bring you laptop and we will help you to get started. We will also provide information about our Cloud Analytics platform, and test hardware samples with the Grove Starter Kit – Intel IoT Edition. Visit us anytime and start making! What will you make?
The purpose of this presentation is to explain the basic resources to understand how a programmer can create malware, insides about the theme, and brainstorms following practical codes and many exotic ideas for security mitigations for defense.
"If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
[CONFidence 2016] Sławomir Kosowski - Introduction to iOS Application Securit...PROIDEA
Practical introduction to iOS Application Security Testing. This presentation covers fundamentals of iOS and its security mechanisms, basic life cycle of a penetration test, setting up testing environment, static and dynamic analysis with some real-world examples. Presentation targeted for those interested in security testing of iOS apps.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Providing Globus Services to Users of JASMIN for Environmental Data AnalysisGlobus
JASMIN is the UK’s high-performance data analysis platform for environmental science, operated by STFC on behalf of the UK Natural Environment Research Council (NERC). In addition to its role in hosting the CEDA Archive (NERC’s long-term repository for climate, atmospheric science & Earth observation data in the UK), JASMIN provides a collaborative platform to a community of around 2,000 scientists in the UK and beyond, providing nearly 400 environmental science projects with working space, compute resources and tools to facilitate their work. High-performance data transfer into and out of JASMIN has always been a key feature, with many scientists bringing model outputs from supercomputers elsewhere in the UK, to analyse against observational or other model data in the CEDA Archive. A growing number of JASMIN users are now realising the benefits of using the Globus service to provide reliable and efficient data movement and other tasks in this and other contexts. Further use cases involve long-distance (intercontinental) transfers to and from JASMIN, and collecting results from a mobile atmospheric radar system, pushing data to JASMIN via a lightweight Globus deployment. We provide details of how Globus fits into our current infrastructure, our experience of the recent migration to GCSv5.4, and of our interest in developing use of the wider ecosystem of Globus services for the benefit of our user community.
Designing for Privacy in Amazon Web ServicesKrzysztofKkol1
Data privacy is one of the most critical issues that businesses face. This presentation shares insights on the principles and best practices for ensuring the resilience and security of your workload.
Drawing on a real-life project from the HR industry, the various challenges will be demonstrated: data protection, self-healing, business continuity, security, and transparency of data processing. This systematized approach allowed to create a secure AWS cloud infrastructure that not only met strict compliance rules but also exceeded the client's expectations.
TROUBLESHOOTING 9 TYPES OF OUTOFMEMORYERRORTier1 app
Even though at surface level ‘java.lang.OutOfMemoryError’ appears as one single error; underlyingly there are 9 types of OutOfMemoryError. Each type of OutOfMemoryError has different causes, diagnosis approaches and solutions. This session equips you with the knowledge, tools, and techniques needed to troubleshoot and conquer OutOfMemoryError in all its forms, ensuring smoother, more efficient Java applications.
Advanced Flow Concepts Every Developer Should KnowPeter Caitens
Tim Combridge from Sensible Giraffe and Salesforce Ben presents some important tips that all developers should know when dealing with Flows in Salesforce.
Into the Box Keynote Day 2: Unveiling amazing updates and announcements for modern CFML developers! Get ready for exciting releases and updates on Ortus tools and products. Stay tuned for cutting-edge innovations designed to boost your productivity.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
Modern design is crucial in today's digital environment, and this is especially true for SharePoint intranets. The design of these digital hubs is critical to user engagement and productivity enhancement. They are the cornerstone of internal collaboration and interaction within enterprises.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
Multiple Your Crypto Portfolio with the Innovative Features of Advanced Crypt...Hivelance Technology
Cryptocurrency trading bots are computer programs designed to automate buying, selling, and managing cryptocurrency transactions. These bots utilize advanced algorithms and machine learning techniques to analyze market data, identify trading opportunities, and execute trades on behalf of their users. By automating the decision-making process, crypto trading bots can react to market changes faster than human traders
Hivelance, a leading provider of cryptocurrency trading bot development services, stands out as the premier choice for crypto traders and developers. Hivelance boasts a team of seasoned cryptocurrency experts and software engineers who deeply understand the crypto market and the latest trends in automated trading, Hivelance leverages the latest technologies and tools in the industry, including advanced AI and machine learning algorithms, to create highly efficient and adaptable crypto trading bots
Climate Science Flows: Enabling Petabyte-Scale Climate Analysis with the Eart...Globus
The Earth System Grid Federation (ESGF) is a global network of data servers that archives and distributes the planet’s largest collection of Earth system model output for thousands of climate and environmental scientists worldwide. Many of these petabyte-scale data archives are located in proximity to large high-performance computing (HPC) or cloud computing resources, but the primary workflow for data users consists of transferring data, and applying computations on a different system. As a part of the ESGF 2.0 US project (funded by the United States Department of Energy Office of Science), we developed pre-defined data workflows, which can be run on-demand, capable of applying many data reduction and data analysis to the large ESGF data archives, transferring only the resultant analysis (ex. visualizations, smaller data files). In this talk, we will showcase a few of these workflows, highlighting how Globus Flows can be used for petabyte-scale climate analysis.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
We describe the deployment and use of Globus Compute for remote computation. This content is aimed at researchers who wish to compute on remote resources using a unified programming interface, as well as system administrators who will deploy and operate Globus Compute services on their research computing infrastructure.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Listen to the keynote address and hear about the latest developments from Rachana Ananthakrishnan and Ian Foster who review the updates to the Globus Platform and Service, and the relevance of Globus to the scientific community as an automation platform to accelerate scientific discovery.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Globus Connect Server Deep Dive - GlobusWorld 2024Globus
We explore the Globus Connect Server (GCS) architecture and experiment with advanced configuration options and use cases. This content is targeted at system administrators who are familiar with GCS and currently operate—or are planning to operate—broader deployments at their institution.
Globus Connect Server Deep Dive - GlobusWorld 2024
NYU Hacknight: iOS and OSX ABI
1. iOS and OS X ABI
(Hacking in context)
Mikhail Sosonkin
2. Security Researcher at SYNACK
Working on low level emulation with QEMU and iPhone automation.
Graduate of Polytechnic University
a.k.a Polytechnic Institute of New York University
a.k.a New York University Polytechnic School of Engineering
a.k.a New York University Tandon School of Engineering
5. Amazon Apple
“In short, the very four digits that Amazon considers
unimportant enough to display in the clear on the web are
precisely the same ones that Apple considers secure enough
to perform identity verification.”
- http://www.wired.com/2012/08/apple-amazon-mat-
honan-hacking/all/
6. It is not enough to just be careful with your interfaces. You
must also have have mitigations and continuous analysis that
includes “outsiders”.
Security considerations and reviews should be part of every
step of development lifecycle.
7. Where are the vulns?!
Memory corruption - just won’t go away!
That’s what a lot of CTFs seem to be focusing on.
History thereof
Memory Errors
“Special feature”
Backdooring yourself.
Someone will eventually discover it.
8. Network
man on the side
http://www.wired.com/2015/04/researchers-uncover-method-detect-nsa-quantum-insert-hacks/
web
where did I leave that session key again?
https://www.owasp.org/index.php/Top_10_2013-Table_of_Contents
9. Miscommunications
The root of all bugs.
Don’t be too paranoid
It’s not healthy, but always ask:
“what do you do if someone compromises
this component?”
13. Infect
Run shell code
Might have some ROPing to do
And, stack pivoting
Find the egg
Bigger shellcode.
Download implant
Gain persistence i.e. launch daemon
15. Black Market Bug Bounties:
Zerodium, Vupen
Cosinc (link)
HackingTeam (Probably defunct)
MitnickSecurity
Lots of secretive companies (link)
A few not so secretive (link)
16. SYNACK
Private Targets
Think easy targets
Fortune 500 Companies
Several Categories
Host, Web, Mobile
Average payout: $690
We provide a cyber platform, Hydra!
https://www.synack.com/red-team/
17. Requires passing an assessment
SYNACK Red Team entry
If unable to pass try
BugCrowd or HackerOne
28. Calling Convention
On ARM64:
X0 … X8 Contain function parameters
X16 has the system call number
Positive for Posix
Negative for Mach Ports
0x80000000 for thread_set_self
SVC 0x80; jumps to kernel
33. Who does what?
- Kernel:
- Maps the main executable
- Maps the loader
- Passes control to the loader
- DYLD:
- “Maps” itself and the main executable
- Maps and links dependency libraries.
36. Mach-O commands
- LC_SEGMENT and LC_SEGMENT_64
- From file to virtual memory: __DATA, __TEXT, etc.
- LC_UNIXTHREAD
- Sets up initial registers and stack
- Entry point
- LC_LOAD_DYLINKER
- Specifies the loader i.e. /usr/lib/dyld
- LC_MAIN
- Sets up the stack
- etc
37.
38. Setting up the stack
OSX
Arguments
Environment variables
Apple variable
Generated by the kernel
(LC_UNIXTHREAD)
39. Setting up the stack
iOS
Arguments
Environment variables
Apple variable
Generated by the kernel
(LC_UNIXTHREAD)
43. Build it using GCC
- Easy to represent complex logic
- Excellent way to learn assembly skills
- Assist with reverse engineering
- Port to different architectures
- Optimization hints
- Does 90% of the work for you
44. Cons of using GCC
- Can get hard to make GCC avoid outputting certain bytes.
- Give up a level of control
- Can get into dependency hell
- All the usual problems with C.
- Optimizer could get too aggressive
46. ShellCC
- https://github.com/nologic/shellcc
- shellcode
- extractshell.py: Gets the bytecodes from the macho as raw shellcode
- Makefile has build commands for shellcode ARM/x86_64
- shellharness
- reads a file and executes the buffer.
47. The challenge
- Understand injectdyld_file.c
- Figure out how to dynamically load a dylib
- Can use injectdyld_file.c as a base
- Hint: you will need to read the DYLD sourcecode.
48. Where to learn about security?
- https://seccasts.com/
- http://www.opensecuritytraining.info/
- https://www.corelan.be
- youtube for conference
- Security meetups
- Just practice
- Read/follow walkthroughs
- follow the reddits:
- netsec
- reverseengineering
- malware
- lowlevel
- blackhat
- securityCTF
- rootkit
- vrd
49. Getting started with iOS
- Get iPhone 5s
- Swappa
- Apply Jailbreak
- Install OpenSSH via Cydia
- Use tcprelay to SSH over USB
- Start exploring
- debugserver
- https://github.com/iosre/iOSAppReverseEngineering
- https://nabla-c0d3.github.io/blog/2014/12/30/tcprelay-multiple-devices/