SlideShare a Scribd company logo

reductio [ad absurdum]

Shakacon
Shakacon

Programmers naturally assume that different programs require different code. Minesweeper is not the same as AES, Windows is not the same as Linux, and Notepad is not the same as malware. But what if this were not the case? We'll walk through how we can convert all programs into the exact same code - allowing the CPU to execute the same sequence of instructions, to run any possible application. By fundamentally changing our ideas about what it means to "compute", we'll outline the unsettling implications for malware detection, and open some fascinating new doors in exploitation.

Technology
1 of 101
Download to read offline
{ reductio [ad absurdum] domas / @xoreaxeaxeax / Shakacon 2017
 Christopher Domas  Cyber Security Researcher @ Battelle Memorial Institute ./bio
 Observation:  Different paths can produce the same result.  Thought experiment:  Can the inverse be true?  Can one path produce different results? ./intro
 Observation:  Groups of (machine) instructions can often be reduced x = x * 2 x = x + x vs. x = x * 4  Thought experiment:  How much could one program be reduced? ./intro
 (bear with me) Let’s backtrack a bit…
4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2 Assembly…
 mov is Turing-complete  Stephen Dolan  www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
mov destination, source mov
 Any code we write …  … can be written as a set of movs instead  … and nothing else  Really? Turing Complete?
4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2
80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler. - Stephen Dolan
 Where to begin…? Key Ideas
 mov can check equality Key Ideas
 mov [x], 0  mov [y], 1  mov R, [x] x==y
 x=3, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
 x=2, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
 Requires a single jmp instruction to loop back to the beginning  Incidental  We fixed this later Key Ideas
 start:  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  jmp start
 Build on Dolan’s ideas  Adapt primitive TM operations for higher level logic  Work on actual data, not abstract symbols  Add new operations  If/else  Arithmetic  Logic  Jumps  Loops  Etc…  Bring it closer to something we can use Idea…
Implementing if
 IF X == Y THEN  X = 100 Implementing if
 The catch:  We have no branches  All paths execute, no matter what  Solution:  Force a path to operate on “dummy” data, if we don’t want its results Implementing if
 IF X == Y THEN  X = 100 Implementing if Selector Data Scratch
 IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
; X == Y mov eax, [X] mov [eax], 0 mov eax, [Y] mov [eax], 4 mov eax, [X] ; X = 100 mov eax, [SELECT_X + eax] mov [eax], 100 Implementing if
Simple extensions give us if/else if/elseif/else Inequality checks Implementing if
%macro eq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 0 mov byte [e+%3], 4 mov al, [e+eax] mov [%1], al %endmacro
%macro neq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 4 mov byte [e+%3], 0 mov al, [e+eax] mov [%1], al %endmacro
; create selector %macro c_s 1 %1: dd 0 d_%1: dd 0 s_%1: dd d_%1, %1 %endmacro
 Extend the if/else idea Loops and branches
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ←  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start Store target Switch to dummy data 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov … ← Check if branch target  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov … ← Check if branch target  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov … ← Check if branch target  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov … ← Check if target  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov … ← Check if target  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov … ← Check if target  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFFTarget match Switch to real data
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c ONTarget match Switch to real data
 Look up tables!  One byte versions are easy. Arithmetic
unsigned char inc[]={ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112, 113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128, 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144, 145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160, 161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176, 177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192, 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208, 209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224, 225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240, 241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0 };
incb: %assign y 1 %rep 256 db y&0xff %assign y y+1 %endrep
; increment eax with mov mov eax, [inc + eax] Arithmetic
%macro add32 4 mov eax, 0 mov ebx, 0 mov ecx, 0 mov edx, 0 mov dword [%4], 0 add8 %1+0, %2+0, %3+0, %4 add8 %1+1, %2+1, %3+1, %4 add8 %1+2, %2+2, %3+2, %4 add8 %1+3, %2+3, %3+3, %4 %endmacro
mov eax,0x0 mov ebx,0x0 mov ecx,0x0 mov edx,0x0 mov dword [dword 0x8049576],0x0 mov al,[0x804956a] mov bl,[dword 0x804956e] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049572],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956b] mov bl,[dword 0x804956f] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049573],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956c] mov bl,[dword 0x8049570] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049574],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956d] mov bl,[dword 0x8049571] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049575],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov eax,[0x8049572]
mov dword [q], 0 mov dword [r], 0 %assign bb 31 %rep 32 bit c, n, bb shl32 r, c mov dword [c], 0 gte32 t, r, d, c mov eax, [t] mov edx, [sel_r+4*eax] mov [psr], edx mov edx, [sel_q+4*eax] mov [psq], edx mov eax, [psr] mov eax, [eax] mov [dummy_r], eax sub32 dummy_r, dummy_r, d, c mov eax, [psr] mov edx, [dummy_r] mov [eax], edx mov eax, [psq] mov eax, [eax] mov [dummy_q], eax set32 dummy_q, bb mov eax, [psq] mov edx, [dummy_q] mov [eax], edx %assign bb bb-1 %endrep mov eax, [q]
 lcc  esi/edi  Calling convention  Emulated stack  32 bit ALU  Simplified dummy selectors  102 IL instructions  Not bad! The M/o/Vfuscator
 mov-only C Compiler  https://github.com/xoreaxeaxeax  First single instruction C compiler! The M/o/Vfuscator
 prime  Cube  M/o/Vfuscator The M/o/Vfuscator
 How much can we simplify a program?  We’ve gotten rid of…  Functions  Loops  Branches  Arithmetic  … it’s an okay start. Reduction
 We have all the same instructions  mov  But they’re not all the ”same”  mov eax, edx  mov [100], bl  mov di, 0x1337  mov eax, [edx + 2 * ecx + 0x1094801] Reduction
 Eliminate register to register transfers  mov eax, edx becomes  mov [0x1000], edx  mov eax, [0x1000] x86 addressing
 Eliminate constant to register transfers  mov eax, 12345 becomes  _temp: .dword 12345  mov eax, [_temp] x86 addressing
 All instructions now either read or write to memory. x86 addressing
 Eliminate 8 and 16 bit addressing  mov al, [100] becomes  mov [200], eax  mov eax, [100 - 3]  mov [200 - 3], eax  mov eax, [200] x86 addressing 200 100
 Simplify memory addressing  mov eax, [0x1234 + ecx + 8 * edx]  Use the M/o/Vfuscator ALU!  Calculate ecx + 8 * edx  Accumulate results in ecx  Result:  (dozens of mov ALU instructions)  mov eax, [0x1234 + ecx] x86 addressing
 No more register to register transfers.  No more constant to register transfers.  No more 8 or 16 bit instructions.  All memory accesses are of the form [reg + constant]  mov instructions are now all mov reg, [reg + constant] or mov [reg + constant], reg Almost there.
 We still use 8 registers!  Decrease to 2 by storing extras to scratchpad memory  All mov instructions now mov esi/edi, [esi/edi + constant] or mov [esi/edi + constant], esi/edi Registers
 Writes: mov [esi/edi + constant], esi/edi  Reads: mov esi/edi, [esi/edi + constant]  Alternate reads and writes  1 read, followed by 1 write, followed by 1 read, followed by 1 write…  Insert dummy (unused) accesses Alternating memory
mov esi,[edi+0x816d0e8] mov [edi+0x816d104],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0ec],esi mov esi,[edi+0x816d0eb] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d10c],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0f8],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi The result…
 Can we take it further?
Psuedo-registers  Instead of registers, use memory to hold the register contents  esi becomes [0x890100]  edi becomes [0x890200]  Let’s call these memory locations “psuedo-registers”
A ‘synthetic’ mov  With psuedo-registers, our movs look like mov [0x890100],[[0x890200]+0x816d0e8]  At this point, we’re just moving values to/from different locations in memory  … but this is no longer a valid x86 instruction
A ‘synthetic’ mov  Let’s invent a new instruction, “MOVE”  MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]  Our broken x86 instruction mov [0x890100],[[0x890200]+0x816d0e8]  Becomes  MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
A ‘synthetic’ mov  Translate the old mov instructions into the more generic MOVE instruction  mov esi,[edi+0x816d0e8] becomes MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]  mov [edi+0x816d0e8], esi becomes MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]
A ‘synthetic’ mov  Why is this useful?  All instructions now have exactly the same form.
Extracting the essence MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ] { 0x890100, 0, 0x890200, 0x816d0e8 }  Extract all of the MOVE operands into a table.
 We’ve distilled our entire C program into a table describing a long list of simple data transfers  Let’s write a program to perform the actions described in the table So now what?
Load the table into esi…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov esi, table
Execute a memory read…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov ebx, [esi] ; load addr of psuedo-reg 1  mov ebx, [ebx] ; load psuedo-reg 1  add ebx, [esi+4] ; add offset  mov ebx, [ebx] ; perform memory read
Execute a memory write…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov edx, [esi+8] ; load addr of psuedo-reg 2  mov edx, [edx] ; load psuedo-reg 2  add edx, [esi+12]; add offset  mov [edx], ebx ; perform memory write
Rinse, repeat.  table:  0x890100, 0, 0x890200, 0x816d0e8  0x990010 ; pointer to next table entry  mov esi, [esi+16] ; move to next entry  jmp loop ; repeat the whole process
mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop table: 0x890100, 0, 0x890200, 0x816d0e8 ... With the reductio toolchain, a C program compiles to ->
 Thought experiment:  How far can we reduce a program? So…?
 Every program ever written can be reduced to exactly this -> So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
 Thought experiment:  Can one sequence of instructions produce entirely different results? So…?
 This instruction stream simultaneously implements everything. So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
AES Minesweeper
 (Can’t show compiling ) ./demo
 The instruction sequence executed by the processor is the same for every program. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
 1.  If every program is the same, malware detection gets a whole lot harder. (demo)  Doing the same thing  (In practice) Implications
 2.  Exploitation  “AVROP” (Mark Barnes, MWR Labs)  https://github.com/mwrlabs/avrop  AVR microcontroller (Raspberry Pi)  Harvard architecture: limited to ROP  Small memory: very few gadgets  Fortunately, all we need is mov. Implications
 The AVROP machine Implications
 3.  It’s cool!  A philosophical conclusion…  If the code makes no difference, what does it mean ‘to program’? Implications
github.com/xoreaxeaxeax  reductio  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com
reductio [ad absurdum]

Recommended

Command GM
Command GMCommand GM
Command GM
Rafa Muadz
 
Programação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesProgramação assíncrona utilizando Coroutines
Programação assíncrona utilizando Coroutines
Diego Gonçalves Santos
 
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootBehind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Maksym Zavershynskyi
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196
Mahmoud Samir Fayed
 
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Karthik Rathinavel
 
Itty bittypresentation lrug
Itty bittypresentation lrugItty bittypresentation lrug
Itty bittypresentation lrug
Tom Crinson
 
The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185
Mahmoud Samir Fayed
 
かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版
Yutaka Kato
 

Recommended

Command GM
Command GMCommand GM
Command GM
Rafa Muadz
 
Programação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesProgramação assíncrona utilizando Coroutines
Programação assíncrona utilizando Coroutines
Diego Gonçalves Santos
 
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootBehind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Maksym Zavershynskyi
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196
Mahmoud Samir Fayed
 
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Karthik Rathinavel
 
Itty bittypresentation lrug
Itty bittypresentation lrugItty bittypresentation lrug
Itty bittypresentation lrug
Tom Crinson
 
The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185
Mahmoud Samir Fayed
 
かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版
Yutaka Kato
 
DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
Felipe Prado
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
Felipe Prado
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Connor McDonald
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiarities
noamt
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
Bordeaux I
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
nkslides
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산
Changwon National University
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
if kakao
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
relaine1
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introduction
Gonzalo Gabriel Jiménez Fuentes
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)
Julien SIMON
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
Wim Godden
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations
Rob LaPlaca
 
Emuladores
EmuladoresEmuladores
Emuladores
Bayoch
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
Alex Miller
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
Asuka Nakajima
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net
Ken'ichi Matsui
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listing
Chris Worledge
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
Shakacon
 
Macdoored
MacdooredMacdoored
Macdoored
Shakacon
 

More Related Content

Similar to reductio [ad absurdum]

DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
Felipe Prado
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
Felipe Prado
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Connor McDonald
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiarities
noamt
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
Bordeaux I
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
nkslides
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산
Changwon National University
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
if kakao
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
relaine1
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introduction
Gonzalo Gabriel Jiménez Fuentes
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)
Julien SIMON
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
Wim Godden
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations
Rob LaPlaca
 
Emuladores
EmuladoresEmuladores
Emuladores
Bayoch
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
Alex Miller
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
Asuka Nakajima
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net
Ken'ichi Matsui
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listing
Chris Worledge
 

Similar to reductio [ad absurdum] (20)

DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiarities
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introduction
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations
 
Emuladores
EmuladoresEmuladores
Emuladores
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listing
 

More from Shakacon

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
Shakacon
 
Macdoored
MacdooredMacdoored
Macdoored
Shakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
Shakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
Shakacon
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
Shakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
Shakacon
 
Shamoon
ShamoonShamoon
Shamoon
Shakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
Shakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Shakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
Shakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
Shakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
Shakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
Shakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
Shakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
Shakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
Shakacon
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
Shakacon
 

More from Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
 

Recently uploaded

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
Uni Systems S.M.S.A.
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
panagenda
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
Zilliz
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
Zilliz
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
Zilliz
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
Zilliz
 

Recently uploaded (20)

Microsoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdfMicrosoft - Power Platform_G.Aspiotis.pdf
Microsoft - Power Platform_G.Aspiotis.pdf
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
HCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAUHCL Notes and Domino License Cost Reduction in the World of DLAU
HCL Notes and Domino License Cost Reduction in the World of DLAU
 
Generating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and MilvusGenerating privacy-protected synthetic data using Secludy and Milvus
Generating privacy-protected synthetic data using Secludy and Milvus
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Full-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalizationFull-RAG: A modern architecture for hyper-personalization
Full-RAG: A modern architecture for hyper-personalization
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Infrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI modelsInfrastructure Challenges in Scaling RAG with Custom AI models
Infrastructure Challenges in Scaling RAG with Custom AI models
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Programming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup SlidesProgramming Foundation Models with DSPy - Meetup Slides
Programming Foundation Models with DSPy - Meetup Slides
 

reductio [ad absurdum]

  • 1. { reductio [ad absurdum] domas / @xoreaxeaxeax / Shakacon 2017
  • 2.  Christopher Domas  Cyber Security Researcher @ Battelle Memorial Institute ./bio
  • 3.  Observation:  Different paths can produce the same result.  Thought experiment:  Can the inverse be true?  Can one path produce different results? ./intro
  • 4.  Observation:  Groups of (machine) instructions can often be reduced x = x * 2 x = x + x vs. x = x * 4  Thought experiment:  How much could one program be reduced? ./intro
  • 5.  (bear with me) Let’s backtrack a bit…
  • 6. 4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2 Assembly…
  • 7.  mov is Turing-complete  Stephen Dolan  www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
  • 9.  Any code we write …  … can be written as a set of movs instead  … and nothing else  Really? Turing Complete?
  • 10. 4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2
  • 11. 80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
  • 12. Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler. - Stephen Dolan
  • 13.
  • 14.  Where to begin…? Key Ideas
  • 15.  mov can check equality Key Ideas
  • 16.  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 17.  x=3, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 18.  x=2, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 19.  Requires a single jmp instruction to loop back to the beginning  Incidental  We fixed this later Key Ideas
  • 20.  start:  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  jmp start
  • 21.  Build on Dolan’s ideas  Adapt primitive TM operations for higher level logic  Work on actual data, not abstract symbols  Add new operations  If/else  Arithmetic  Logic  Jumps  Loops  Etc…  Bring it closer to something we can use Idea…
  • 23.  IF X == Y THEN  X = 100 Implementing if
  • 24.  The catch:  We have no branches  All paths execute, no matter what  Solution:  Force a path to operate on “dummy” data, if we don’t want its results Implementing if
  • 25.  IF X == Y THEN  X = 100 Implementing if Selector Data Scratch
  • 26.  IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
  • 27.  IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
  • 28.  IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
  • 29.  IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
  • 30. ; X == Y mov eax, [X] mov [eax], 0 mov eax, [Y] mov [eax], 4 mov eax, [X] ; X = 100 mov eax, [SELECT_X + eax] mov [eax], 100 Implementing if
  • 31. Simple extensions give us if/else if/elseif/else Inequality checks Implementing if
  • 32. %macro eq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 0 mov byte [e+%3], 4 mov al, [e+eax] mov [%1], al %endmacro
  • 33. %macro neq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 4 mov byte [e+%3], 0 mov al, [e+eax] mov [%1], al %endmacro
  • 34. ; create selector %macro c_s 1 %1: dd 0 d_%1: dd 0 s_%1: dd d_%1, %1 %endmacro
  • 35.  Extend the if/else idea Loops and branches
  • 36.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 37.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 38.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 39.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ←  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start Store target Switch to dummy data 0x100c OFF
  • 40.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov … ← Check if branch target  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 41.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov … ← Check if branch target  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 42.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov … ← Check if branch target  0x1030 jmp start 0x100c OFF
  • 43.  start:  0x1000 mov … ← Check if target  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 44.  start:  0x1000 mov …  0x1004 mov … ← Check if target  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 45.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov … ← Check if target  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 46.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFFTarget match Switch to real data
  • 47.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c ONTarget match Switch to real data
  • 48.  Look up tables!  One byte versions are easy. Arithmetic
  • 49. unsigned char inc[]={ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112, 113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128, 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144, 145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160, 161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176, 177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192, 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208, 209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224, 225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240, 241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0 };
  • 50. incb: %assign y 1 %rep 256 db y&0xff %assign y y+1 %endrep
  • 51. ; increment eax with mov mov eax, [inc + eax] Arithmetic
  • 52. %macro add32 4 mov eax, 0 mov ebx, 0 mov ecx, 0 mov edx, 0 mov dword [%4], 0 add8 %1+0, %2+0, %3+0, %4 add8 %1+1, %2+1, %3+1, %4 add8 %1+2, %2+2, %3+2, %4 add8 %1+3, %2+3, %3+3, %4 %endmacro
  • 53. mov eax,0x0 mov ebx,0x0 mov ecx,0x0 mov edx,0x0 mov dword [dword 0x8049576],0x0 mov al,[0x804956a] mov bl,[dword 0x804956e] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049572],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956b] mov bl,[dword 0x804956f] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049573],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956c] mov bl,[dword 0x8049570] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049574],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956d] mov bl,[dword 0x8049571] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049575],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov eax,[0x8049572]
  • 54. mov dword [q], 0 mov dword [r], 0 %assign bb 31 %rep 32 bit c, n, bb shl32 r, c mov dword [c], 0 gte32 t, r, d, c mov eax, [t] mov edx, [sel_r+4*eax] mov [psr], edx mov edx, [sel_q+4*eax] mov [psq], edx mov eax, [psr] mov eax, [eax] mov [dummy_r], eax sub32 dummy_r, dummy_r, d, c mov eax, [psr] mov edx, [dummy_r] mov [eax], edx mov eax, [psq] mov eax, [eax] mov [dummy_q], eax set32 dummy_q, bb mov eax, [psq] mov edx, [dummy_q] mov [eax], edx %assign bb bb-1 %endrep mov eax, [q]
  • 55.
  • 56.  lcc  esi/edi  Calling convention  Emulated stack  32 bit ALU  Simplified dummy selectors  102 IL instructions  Not bad! The M/o/Vfuscator
  • 57.  mov-only C Compiler  https://github.com/xoreaxeaxeax  First single instruction C compiler! The M/o/Vfuscator
  • 58.  prime  Cube  M/o/Vfuscator The M/o/Vfuscator
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.  How much can we simplify a program?  We’ve gotten rid of…  Functions  Loops  Branches  Arithmetic  … it’s an okay start. Reduction
  • 65.  We have all the same instructions  mov  But they’re not all the ”same”  mov eax, edx  mov [100], bl  mov di, 0x1337  mov eax, [edx + 2 * ecx + 0x1094801] Reduction
  • 66.  Eliminate register to register transfers  mov eax, edx becomes  mov [0x1000], edx  mov eax, [0x1000] x86 addressing
  • 67.  Eliminate constant to register transfers  mov eax, 12345 becomes  _temp: .dword 12345  mov eax, [_temp] x86 addressing
  • 68.  All instructions now either read or write to memory. x86 addressing
  • 69.  Eliminate 8 and 16 bit addressing  mov al, [100] becomes  mov [200], eax  mov eax, [100 - 3]  mov [200 - 3], eax  mov eax, [200] x86 addressing 200 100
  • 70.  Simplify memory addressing  mov eax, [0x1234 + ecx + 8 * edx]  Use the M/o/Vfuscator ALU!  Calculate ecx + 8 * edx  Accumulate results in ecx  Result:  (dozens of mov ALU instructions)  mov eax, [0x1234 + ecx] x86 addressing
  • 71.  No more register to register transfers.  No more constant to register transfers.  No more 8 or 16 bit instructions.  All memory accesses are of the form [reg + constant]  mov instructions are now all mov reg, [reg + constant] or mov [reg + constant], reg Almost there.
  • 72.  We still use 8 registers!  Decrease to 2 by storing extras to scratchpad memory  All mov instructions now mov esi/edi, [esi/edi + constant] or mov [esi/edi + constant], esi/edi Registers
  • 73.  Writes: mov [esi/edi + constant], esi/edi  Reads: mov esi/edi, [esi/edi + constant]  Alternate reads and writes  1 read, followed by 1 write, followed by 1 read, followed by 1 write…  Insert dummy (unused) accesses Alternating memory
  • 74. mov esi,[edi+0x816d0e8] mov [edi+0x816d104],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0ec],esi mov esi,[edi+0x816d0eb] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d10c],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0f8],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi The result…
  • 75.  Can we take it further?
  • 76. Psuedo-registers  Instead of registers, use memory to hold the register contents  esi becomes [0x890100]  edi becomes [0x890200]  Let’s call these memory locations “psuedo-registers”
  • 77. A ‘synthetic’ mov  With psuedo-registers, our movs look like mov [0x890100],[[0x890200]+0x816d0e8]  At this point, we’re just moving values to/from different locations in memory  … but this is no longer a valid x86 instruction
  • 78. A ‘synthetic’ mov  Let’s invent a new instruction, “MOVE”  MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]  Our broken x86 instruction mov [0x890100],[[0x890200]+0x816d0e8]  Becomes  MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
  • 79. A ‘synthetic’ mov  Translate the old mov instructions into the more generic MOVE instruction  mov esi,[edi+0x816d0e8] becomes MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]  mov [edi+0x816d0e8], esi becomes MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]
  • 80. A ‘synthetic’ mov  Why is this useful?  All instructions now have exactly the same form.
  • 81. Extracting the essence MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ] { 0x890100, 0, 0x890200, 0x816d0e8 }  Extract all of the MOVE operands into a table.
  • 82.  We’ve distilled our entire C program into a table describing a long list of simple data transfers  Let’s write a program to perform the actions described in the table So now what?
  • 83. Load the table into esi…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov esi, table
  • 84. Execute a memory read…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov ebx, [esi] ; load addr of psuedo-reg 1  mov ebx, [ebx] ; load psuedo-reg 1  add ebx, [esi+4] ; add offset  mov ebx, [ebx] ; perform memory read
  • 85. Execute a memory write…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov edx, [esi+8] ; load addr of psuedo-reg 2  mov edx, [edx] ; load psuedo-reg 2  add edx, [esi+12]; add offset  mov [edx], ebx ; perform memory write
  • 86. Rinse, repeat.  table:  0x890100, 0, 0x890200, 0x816d0e8  0x990010 ; pointer to next table entry  mov esi, [esi+16] ; move to next entry  jmp loop ; repeat the whole process
  • 87. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop table: 0x890100, 0, 0x890200, 0x816d0e8 ... With the reductio toolchain, a C program compiles to ->
  • 88.  Thought experiment:  How far can we reduce a program? So…?
  • 89.  Every program ever written can be reduced to exactly this -> So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 90.  Thought experiment:  Can one sequence of instructions produce entirely different results? So…?
  • 91.  This instruction stream simultaneously implements everything. So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 93.  (Can’t show compiling ) ./demo
  • 94.  The instruction sequence executed by the processor is the same for every program. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 95.  1.  If every program is the same, malware detection gets a whole lot harder. (demo)  Doing the same thing  (In practice) Implications
  • 96.  2.  Exploitation  “AVROP” (Mark Barnes, MWR Labs)  https://github.com/mwrlabs/avrop  AVR microcontroller (Raspberry Pi)  Harvard architecture: limited to ROP  Small memory: very few gadgets  Fortunately, all we need is mov. Implications
  • 97.  The AVROP machine Implications
  • 98.  3.  It’s cool!  A philosophical conclusion…  If the code makes no difference, what does it mean ‘to program’? Implications
  • 99.
  • 100. github.com/xoreaxeaxeax  reductio  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com