Describing various attack methods on Android/iOS apps. This time I decided to take a quick dive into an actual analysis session on the a-bit-hardened InsecureBankV2 with Trueseeing (for OWASP Sendai Meetup #29). Roughly the same content as the talk I gave at #kyusec18.
Describing various attack methods on Android/iOS apps. This time I decided to take a quick dive into an actual analysis session on the a-bit-hardened InsecureBankV2 with Trueseeing (for #kyusec, Kyushu Security Conference 2018).
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM, by FFRI, Inc.
In 2017, Microsoft announced the ARM version of Windows. The number of devices running the ARM version of Windows, such as the Surface Pro X series and the HP ENVY x2, is increasing, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue: existing x86/x64 applications cannot be used on them.
However, this problem has been addressed by providing x86/x64 emulation. More recently, ARM64EC has been announced, allowing the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies signals Microsoft's strong will to promote the ARM version of Windows.
On the other hand, does the introduction of new compatibility technologies not provide a new avenue for attackers? As far as we know, this question has received little discussion so far. We therefore reverse engineered the compatibility technology present in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files and obfuscation by exploiting newly introduced relocation entries. All of these techniques share the characteristic that the binary's "appearance" and its runtime behavior differ, making them difficult to detect and track. In addition, some of the techniques can be widely used to interfere with static analysis or sandbox analysis. There is therefore a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
Quick evaluation on the current status of fingerprinting resistance between vanilla Mozilla Firefox and the Tor Browser (OWASP Saitama MTG #12, talk #1)
Web Application Vulnerability Assessment Explained Tonight (OWASP Day 758 / 2018), by Sen Ueno
Slides for "Web Application Vulnerability Assessment Explained Tonight", presented at OWASP Day 758, held in Nagoya on Saturday, September 15, 2018.
The talk covers the Vulnerability Assessor Skill Map Project, penetration testing (Red Team), SQL injection, and the procedure for carrying out a vulnerability assessment.
With our recent work, the asynchronous super parallel grabber, we show how one should work with networks that have very high RTTs, the dark web for example. We then look at how well it applies to the mass scraping of clear/dark web services, getting some impressive results, with all of the scraping work done from the dark web as a bonus. (Hacker's Party 2019 The Conference talk) #hackersparty
Trueseeing: Effective Dataflow Analysis over Dalvik Opcodes, by Takahiro Yoshimura
This document describes Trueseeing, a static dataflow analysis tool for analyzing Android Dalvik bytecode without using decompilers. Trueseeing marks up constants, invocations, and stored values in SQLite databases during disassembly. It then traces dataflow statically by matching getter/setter calls and instance field accesses to solve constants. This allows Trueseeing to analyze the dataflow and identify potential vulnerabilities in applications related to most of the OWASP top 10 mobile risks without suffering from the problems of dynamic analysis or dependency on decompilers.
The document discusses the Effy application for Android, which allows drawing on a canvas using finger gestures. It describes the DrawActivity class which handles touch events and drawing, and compares it to the FingerPaint sample application. The document also provides a link to download the Effy source code from GitHub under the GPL-3 license.
Effy is an Android drawing app that allows users to customize pen settings like width and color through preference settings. It uses XML configuration files and preference activities to define and access preference keys for pen properties. When the app starts or preference values change, it retrieves the preference values from shared preferences and applies them by re-styling the paint object used for drawing. This allows pen settings to persist and be updated dynamically.
This document contains snippets of code and discussions around Android development. It discusses topics like Android NDK, Eclipse, RelativeLayout, and provides code examples and tutorials. Stack Overflow is also mentioned as a resource. The snippets seem to be from a tutorial or set of notes on learning Android development.
2. WHO I AM
➤ Takahiro Yoshimura (@alterakey)
https://keybase.io/alterakey
➤ Monolith Works Inc.
Co-founder
3. WHAT I DO
➤ Security research and development
➤ iOS/Android Apps
→Financial, Games, IoT related, etc. (>200)
→trueseeing: Non-decompiling Android Application Vulnerability Scanner [2017]
➤ Windows/Mac/Web/HTML5 Apps
→POS, RAD tools etc.
➤ Network/Web penetration testing
→PCI-DSS etc.
➤ Search engine reconnaissance
(aka. Google Hacking)
➤ Whitebox testing
➤ Forensic analysis
4. WHAT I DO
➤ CTF
➤ Enemy10, Sutegoma2
➤ METI CTFCJ 2012 Qual.: 1st place
➤ METI CTFCJ 2012: 3rd place
➤ DEF CON 21 CTF: 6th place
➤ DEF CON 22 OpenCTF: 4th place
➤ Talks: DEF CON 25 Demo Labs (2017), CODE BLUE (2017), Kyushu Security Conference (2018), etc.
DEFCON 2016 by Wiyre Media on flickr, CC-BY 2.0
12. .. OH YOU CAN’T SEE ME
➤ Obstruction by obfuscation
➤ Disrupting control flow
➤ Disrupting common code patterns (e.g. function prologue/epilogue)
Bitscuits by Barnet Livingston on flickr, CC-BY-SA 2.0