Case Study Based Presentation - Emerging Opportunities and Diversification Dilemma in Information Technology (IT) Business.
Presented at the ICER BRIC Conference, IIM Bangalore
This document describes different types of software. It explains that software is divided into three main categories: system software, programming software and application software. It also describes several popular web browsers such as Internet Explorer, Firefox, Safari and Opera and their key features.
This document discusses waste heat sources in sugar factories that can be utilized for cooling condenser water. It identifies the various stages of sugar manufacture that produce waste heat, such as extraction, clarification, evaporation, and concentration. The authors propose a new cooling system model that would make use of these waste heat sources to cool condenser water, providing energy savings and reducing costs for sugar factories.
Aoide covers a new method of browsing materials that helps users explore other, similar materials. By creating a separate interface, Aoide focuses specifically on the exploration and information-visualization component. Users of this system can also collect different sorts of data and make decisions that the MLibrary interface does not support, including comparing artists or albums of a similar genre with other artists by genre. Users can also save their browsing history for future use. This is designed in because users often compare and contrast information before making the final decision to check out an item; browsing history is therefore a major component of our design. The ultimate objective is for users to build up their own browsing history, which invites them to come back and so increases use of MLibrary. We entered this design in the University of Michigan iDesign competition.
The document discusses analyzing Android malware. It describes setting up a lab with an Android SDK virtual machine. Tools for static and dynamic analysis are outlined. The document then demonstrates analyzing a malware sample that sends SMS messages to a premium rate number, extracting the APK, decompiling the code, and identifying the malicious behavior. By reversing the malware, the author was able to determine the phone number and text messages it was sending, thus "having" the malware and being able to control it.
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM (FFRI, Inc.)
In 2017, Microsoft announced the ARM version of Windows. The number of devices running the ARM version of Windows, such as the Surface Pro X series and the HP ENVY x2, is increasing, and it is gradually becoming popular.
On these ARM devices there is a compatibility problem: existing x86/x64 applications cannot run natively.
However, this problem has been addressed by providing x86/x64 emulation capabilities. More recently, ARM64EC was announced, allowing the gradual migration of x64 applications to ARM. The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack? As far as we know, this point has received little discussion so far. We therefore reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries. All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track. In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis. Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations. We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
TrustZone use case and trend (FFRI Monthly Research Mar 2017) (FFRI, Inc.)
Table of Contents
• About TrustZone
– Use case of TrustZone
– Cortex-A TrustZone
– Cortex-M TrustZone
– TEE implementation
• Vulnerability of TEE implementation
• Conclusions
• References
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc... (FFRI, Inc.)
Table of Contents
• Background
• Use case and Weave
• Android Things Security Considerations
• Android Things Version Information
• File system information
• Firewall setting
• ADB port setting
• SELinux setting
• Conclusions
• Reference
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) (FFRI, Inc.)
• Security incidents related to IoT devices
• About the Android Things
• Major features
• Installation and Settings
• Accessible network service
• Security configurations
• Conclusions
• References
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) (FFRI, Inc.)
• About Black Hat
• Intriguing reports
– Breaking BHAD: Abusing Belkin Home Automation Devices
– (PEN)TESTING VEHICLES WITH CANTOOLZ YACHT – YET ANOTHER CAR HACKING TOOL
– Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks
• Conclusions
• References
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016) (FFRI, Inc.)
• About threat analysis support tool
• Examples of tools
• Analysis target system
• Analysis result
– How to read result
– Overview of threats
• Effective usage
– About template
– Additional definition of threat information
• Conclusions
• References
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8) (FFRI, Inc.)
• About Black Hat USA
• Hot Research
• Vehicle
– CANSPY: A Platform For Auditing CAN Devices
– Advanced CAN Injection Techniques For Vehicle Networks
– Can You Trust Autonomous Vehicles: Contactless Attacks against Sensors of Self-driving Vehicle
• IoT
– Into The Core – In-Depth Exploration of Windows 10 IoT Core
– GATTAttacking Bluetooth Smart Devices
– Introducing A New BLE Proxy Tool
– GreatFET: Making GoodFET Great Again
• Conclusions
• References
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4) (FFRI, Inc.)
The document summarizes key presentations from Black Hat Asia 2016 on mobile, IoT, and Windows security. It discusses research on detecting Android commercial spyware, demonstrating iOS malware techniques on non-jailbroken phones, mapping vulnerabilities in wireless IoT devices, hacking a professional drone via MITM attacks, and a novel Windows DSC attack framework to persistently infect systems. The document provides context and the researcher's comments on each presentation.
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ... (FFRI, Inc.)
In these slides we introduce the information published so far about TrustZone in relation to ARMv8-M.
By adding a security state, it becomes possible to separate and isolate security levels.
The ARMv8-M architecture provides TrustZone through a different mechanism from the traditional ARMv8-A architecture, one optimized for embedded systems.
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11) (FFRI, Inc.)
• CODE BLUE 2015 had over 600 visitors from many countries.
– It introduced two-track presentations and a youth track.
– Two teenagers and a student were on stage.
• IoT Security
– Medical equipment and social infrastructure were studied.
– White-hat hackers reported these vulnerabilities.
• Bug Bounty
– Japanese bug hunters are active worldwide.
– There are things to learn from their approach.
• APT
– APTs are believed to have intruded into various organizations in Japan.
– A forum for information exchange such as CODE BLUE is required to counter APTs.
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3... (FFRI, Inc.)
• Automobile security is a hot topic at many conferences.
• Cyber security measures are essential for automobiles.
• Against this background we summarize the following topics.
– Presentations at conferences other than Black Hat USA 2015 and DEF CON 23.
– An introduction to vulnerability assessment methods for automobile security using CVSS v3.
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508) (FFRI, Inc.)
This document summarizes security research presented at the Black Hat USA 2015 conference. Several talks demonstrated remote attacks against vehicles, including exploiting vulnerabilities in Chrysler Jeeps and Tesla Model S vehicles. Other research targeted IoT devices, like hacking a Linux-powered rifle and exploiting vulnerabilities in ZigBee wireless protocols. Additional briefings covered mobile and malware attacks, like exploiting the TrustZone security architecture on Android and using return-oriented programming for antivirus evasion. The document provides high-level overviews and comments on many of the featured talks from Black Hat USA 2015 and related conferences.
A Survey of Threats in OS X and iOS (FFRI Monthly Research 201507) (FFRI, Inc.)
This document provides an overview of threats to OS X and iOS. It summarizes recent malware cases like iWorm and WireLurker that infected devices through pirated software or sync functions. It also describes vulnerabilities like those allowing denial of service attacks or unauthorized access. The document outlines infection routes like drive-by downloads and recommends security settings for Macs and iPhones like installing updates, using passwords, and adjusting privacy and firewall settings.
Security of Windows 10 IoT Core (FFRI Monthly Research 201506) (FFRI, Inc.)
• Windows 10 IoT is the successor platform to Windows Embedded, optimized for embedded devices.
• The Windows 10 IoT Core Insider Preview has been provided for single-board computers such as the Raspberry Pi 2.
• We give a tutorial on the security of Windows 10 IoT Core using the Raspberry Pi 2.
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security (F... (FFRI, Inc.)
Background
• Automobiles carry many ECUs that communicate with each other over the in-vehicle network to control the engine, power windows and so on.
• IVI devices such as navigation systems and ADAS (lane-keeping or brake-assist systems) are often connected to the same network.
• Because the in-vehicle network is becoming complicated by these various devices, next-generation in-vehicle networks are attracting interest as a feasible, low-cost technology.
• These slides summarize the following topics:
– Ethernet as a prospective next-generation in-vehicle network
– Recent security research on the conventional in-vehicle network and proposed countermeasures for CAN
Paper introduction: Deep Learning-Based Human Pose Estimation: A Survey
Inside Winnyp
1. Fourteenforty Research Institute, Inc.
PacSec 2008 Conference
Inside "Winnyp"
- The internals of Winnyp and the full picture of its network crawling system
株式会社 フォティーンフォティ技術研究所
http://www.fourteenforty.jp
Senior Software Engineer: 石山 智祥 (Ishiyama)
2. Introduction
• Winnyp is a P2P file-sharing program created by modifying Winny, which became a social problem because of information leaks and copyright violations.
• Winnyp is compatible with Winny and, when configured to do so, can communicate with Winny.
• In Winnyp itself, the encryption key generation is more complex than in Winny.
• No analysis of Winnyp has been reported so far.
• This talk reports the results of analyzing Winnyp's cryptographic algorithm and gives an overview of the crawling system (WinnypRadar).
5. Overview of how Winnyp works
• Winnyp is P2P file-sharing software created by modifying Winny.exe.
• It is compatible with Winny and uses the Winny protocol, but uses its own algorithm for packet encryption.
[Figure: Winny protocol, with packets encrypted by the Winnyp algorithm]
6. Overview of how Winnyp works
• Winnyp works by making the Winny executable load a separately written Winnyp.dll.
• The modified executable only calls the init function of Winnyp.dll.
8. Winnyp initialization
• Reads Winnyp's own configuration file (disper.ini)
• Generates the parameters used by the key generation (fixed values are generated)
• Generates the parameters used when sending packets
• Patches the code area of Winnyp.exe
9. Winnyp initialization
• The patching of Winnyp.exe rewrites about 200 locations.
• Most of the rewrites change the strings that are referenced,
e.g. Noderef.txt → Noderefp.txt
10. Winnyp key generation
• In Winny, key generation was simple (the RC4 initialization), so analysis easily revealed how the keys were generated.
• Winnyp also uses RC4 as the packet cipher, but its key generation uses several cryptographic algorithms, which makes analysis difficult.
[Figure: Winnyp key generation: ????? / Winny key generation: RC4]
21. Building the analysis environment
• When a P2P application is connected to a normal network it has many connections, which makes analysis difficult.
• Therefore we built an environment in which communication is one-to-one.
[Figure: environment isolated from the Internet; analysis environment and connected node]
22. Working around anti-debugging and obfuscation
• Anonymous P2P applications include anti-debugging measures and obfuscation to strengthen their anonymity.
• To get around these, instead of launching the program under a debugger, attach the debugger after the P2P application has started.
• When the goal is to analyze the communication code, skipping most of the initialization is not a problem, so this method of analysis works.
23. Analyzing the communication code
• The executable cannot be loaded into IDA Pro, so the communication code is hard to locate.
• Set breakpoints on the APIs and trace the stack to locate the places where communication is performed.
• The same method can locate file-access points and similar.
24. Guessing the cryptographic algorithm
• Analyzing the assembly code of the cryptographic algorithm alone makes it difficult to identify the algorithm.
• Use a code search engine with the specific numeric constants that are used inside the cryptographic algorithm.
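The constant-search technique on this slide can be done locally rather than through a search engine: well-known primitives embed recognizable numbers (hash initial states, round constants, S-boxes), so scanning a binary image for those byte patterns points at where the primitives live. The following is an added example, not code from the talk or from the Winnyp analysis; the signature table is a hand-picked subset of well-known constants and the sample image is constructed inline. It also handles the case the slide does not spell out: compilers often emit hash initial values as separate `mov` immediates rather than one contiguous table, so a per-word count is kept alongside the table search.

```python
"""Finding cryptographic primitives by the constants they embed, the 'code
search with specific numbers' approach the slide describes.  Added example:
the signature table is a small hand-picked subset of well-known constants and
the sample image is constructed here; nothing below comes from the Winnyp
binary itself."""
import struct
from typing import Dict, List, Tuple

# name -> (byte pattern as laid out in a little-endian x86 image, word size)
SIGNATURES: Dict[str, Tuple[bytes, int]] = {
    "MD5 initial state": (struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476), 4),
    "SHA-1 initial state": (struct.pack("<5I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0), 4),
    "SHA-256 round constants K[0..3]": (struct.pack("<4I", 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5), 4),
    "CRC-32 reflected polynomial": (struct.pack("<I", 0xEDB88320), 4),
    "AES S-box (first 8 entries)": (bytes([0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5]), 1),
}


def scan_tables(image: bytes) -> List[Tuple[int, str]]:
    """Report contiguous occurrences of each signature as (offset, name).
    MD5 and SHA-1 share their first four state words, so where two
    signatures match at the same offset only the longer one is kept."""
    raw = []
    for name, (sig, _) in SIGNATURES.items():
        start = 0
        while (pos := image.find(sig, start)) != -1:
            raw.append((pos, len(sig), name))
            start = pos + 1
    return sorted((pos, name) for pos, length, name in raw
                  if not any(p == pos and l > length for p, l, _ in raw))


def scan_words(image: bytes) -> Dict[str, Tuple[int, int]]:
    """Count how many of a signature's 32-bit words occur anywhere in the
    image, as (found, total).  Compilers frequently emit hash initial values
    as separate immediates rather than one table, so a partial word count is
    often the only trace; byte tables such as the S-box are skipped here."""
    result = {}
    for name, (sig, word) in SIGNATURES.items():
        if word != 4:
            continue
        words = [sig[i:i + 4] for i in range(0, len(sig), 4)]
        result[name] = (sum(w in image for w in words), len(words))
    return result


def build_sample_image() -> bytes:
    """Constructed image: NOP filler, an MD5 state table, int3 padding, then
    x86 'mov eax, imm32' (B8 xx xx xx xx) instructions carrying the SHA-256
    constants as immediates."""
    md5_table = SIGNATURES["MD5 initial state"][0]
    movs = b"".join(b"\xB8" + struct.pack("<I", k)
                    for k in (0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5))
    return b"\x90" * 16 + md5_table + b"\xCC" * 8 + movs


if __name__ == "__main__":
    image = build_sample_image()
    for offset, name in scan_tables(image):
        print(f"table hit at 0x{offset:04x}: {name}")
    for name, (found, total) in scan_words(image).items():
        if found:
            print(f"{found}/{total} words of {name}")
```

Two caveats worth keeping in mind when reading the output: the SHA-1 entry reports four of five words on this image purely because its initial state begins with the MD5 values, so a partial count is a lead rather than an identification; and RC4 itself has no embedded constants (its key schedule is just a permutation of 0..255), which is why a constant search finds the hash or block-cipher primitives around a key-derivation routine rather than the RC4 that the slides say both Winny and Winnyp use for packets.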
26. WinnypRadar
• Connects to the Winnyp network as one Winnyp node
• Uses the Winnyp protocol to collect key information from the nodes it connects to
• This crawler can connect to both Winny nodes and Winnyp nodes
[Figure: WinnypRadar instances connected to the network]
27. Distinguishing Winny nodes from Winnyp nodes
• Because Winnyp is compatible with Winny, the Winnyp network may contain Winny nodes.
• WinnypRadar identifies the version of a connected node from that node's initial packet.
[Figure: generate several keys from the initial packet; try decrypting with each key and identify the connected node's version (WinnypRadar → Winny / Winnyp)]
28. Collected information
• The collected key information contains the published files and the IP address of the publisher.
• By collecting this information it is possible to investigate which IP address is publishing which files.
Fields in a key record: IP address, port number, file size (bytes), file timestamp, file name, hash, …
29. Crawling
• Take the publishers' IP addresses from the key information and use them as new connection targets.
• Connect to the new targets and obtain their key information.
• Repeat these steps to crawl through the network.
[Figure: WinnypRadar connecting to Winny and Winnyp nodes]
30. Observation results
• Share of Winnyp nodes within the Winny network
• Result of measuring for one day with WinnypRadar
Number of nodes: 198,000 nodes (excluding Port 0)
Share of Winnyp nodes: 8% (16,000 nodes)
When the Winnyp crawler connects, it determines whether the connected node is Winnyp and records the result; the Winnyp share is calculated from the total number of connected nodes.
* Based on survey results by the P2P研究会 (P2P study group) and クロスワープ社 (CrossWarp):
http://www.scat.or.jp/stnf/contents/p2p/p2p080910_4.pdf
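Slides 27, 29 and 30 together describe one loop: connect to a node, classify it by trial-decrypting its initial packet with several candidate keys, pull the publisher addresses out of its key records, connect to those, and tally the Winnyp share at the end. The following is an added example of that loop in simulation; it is not WinnypRadar's code and nothing in it comes from the Winny or Winnyp protocol. The two key derivations, the `hello` plaintext marker, the node table and the key records are all constructed here, and the real Winnyp derivation is exactly the part the slides leave as "?????". RC4 is used as the packet cipher because the slides say both variants use it.

```python
"""Toy model of the WinnypRadar crawl loop described in the slides: take the
publisher addresses out of the key records a node returns, connect to them,
classify each node's version by trial-decrypting its initial packet with a
set of candidate keys, and repeat.  Everything here (nodes, key records, the
two key derivations, the 'hello' plaintext) is constructed for the example."""
from collections import deque
from dataclasses import dataclass
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the packet cipher both Winny and Winnyp use per the slides."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Hypothetical key derivations standing in for the two protocol variants; the
# real Winnyp derivation is the part the slides mark "?????".
KEY_DERIVATIONS = {
    "winny": lambda seed: seed[:4],
    "winnyp": lambda seed: hashlib.sha1(seed).digest()[:16],
}
HELLO_MAGIC = b"KEYS"   # constructed: a correctly decrypted hello starts with this


@dataclass(frozen=True)
class KeyRecord:
    """The fields listed on the 'collected information' slide."""
    ip: str
    port: int
    size: int
    timestamp: int
    name: str
    digest: str


class SimNode:
    """Stand-in for a remote peer: answers with an encrypted hello and its key records."""
    def __init__(self, version: str, seed: bytes, records: list):
        self.version, self.seed, self.records = version, seed, records

    def hello(self) -> bytes:
        key = KEY_DERIVATIONS[self.version](self.seed)
        return self.seed + rc4(key, HELLO_MAGIC + b"hello")


def classify(hello_packet: bytes) -> str:
    """Try every candidate key on the initial packet; the one that yields a
    plausible plaintext tells us which variant the peer runs."""
    seed, body = hello_packet[:8], hello_packet[8:]
    for version, derive in KEY_DERIVATIONS.items():
        if rc4(derive(seed), body).startswith(HELLO_MAGIC):
            return version
    return "unknown"


def crawl(network: dict, start: tuple):
    """Breadth-first crawl: each key record's publisher becomes a new target.
    Port-0 publishers are skipped, as in the measurement on the results slide."""
    seen, queue = {start}, deque([start])
    versions, records = {}, []
    while queue:
        addr = queue.popleft()
        node = network.get(addr)
        if node is None:
            versions[addr] = "unreachable"
            continue
        versions[addr] = classify(node.hello())
        for rec in node.records:
            records.append(rec)
            peer = (rec.ip, rec.port)
            if rec.port != 0 and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return versions, records


def winnyp_share(versions: dict) -> float:
    """Share of Winnyp nodes among nodes that answered with a recognised version."""
    counted = [v for v in versions.values() if v in KEY_DERIVATIONS]
    return sum(v == "winnyp" for v in counted) / len(counted) if counted else 0.0


def build_sample_network() -> dict:
    """Constructed network: four reachable peers plus one dead address."""
    rec = lambda ip, port, name: KeyRecord(ip, port, 1024, 1225000000, name, "deadbeef")
    return {
        ("10.0.0.1", 7743): SimNode("winny", b"seedAAAA", [rec("10.0.0.2", 7744, "a.zip"), rec("10.0.0.3", 7745, "b.zip")]),
        ("10.0.0.2", 7744): SimNode("winnyp", b"seedBBBB", [rec("10.0.0.4", 7746, "c.zip"), rec("10.0.0.1", 7743, "a.zip")]),
        ("10.0.0.3", 7745): SimNode("winny", b"seedCCCC", [rec("10.0.0.5", 0, "d.zip")]),
        ("10.0.0.4", 7746): SimNode("winnyp", b"seedDDDD", [rec("10.0.0.9", 7750, "e.zip")]),
    }


if __name__ == "__main__":
    versions, records = crawl(build_sample_network(), ("10.0.0.1", 7743))
    for addr, version in sorted(versions.items()):
        print(f"{addr[0]}:{addr[1]} -> {version}")
    print(f"{len(records)} key records, Winnyp share {winnyp_share(versions):.0%}")
```

Two design points carry over to the real measurement on this slide: the `seen` set is what stops a crawl from looping through publishers that point back at each other (the first two constructed nodes do exactly that), and the share is computed only over nodes that answered with a recognised version, so unreachable addresses and port-0 publishers (which the slide excludes) do not dilute the percentage.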
31. Summary
• We analyzed the key generation and the packet send/receive processing of Winnyp 2.1b7.28.
• In Winnyp, the key generation has been made complex in order to hinder analysis.
• Based on the analysis results we developed WinnypRadar, a crawler for the Winnyp network.
• Using WinnypRadar makes it possible to investigate Winnyp nodes that could not previously be detected.
32. Future work
• This time we could not secure a sufficient survey period, so a long-term node survey is needed.
• This survey covered Winnyp nodes that can connect to the Winny network; surveying nodes that connect only over Winnyp should give a more accurate count of Winnyp nodes.
33. Thank you
株式会社 フォティーンフォティ技術研究所
http://www.fourteenforty.jp
Senior Software Engineer: 石山智祥 (Ishiyama)
ishiyama@fourteenforty.jp