It describes exactly how iOS devices can be remotely compromised over Wi-Fi without user interaction or complicity. iOS Wi-Fi attacks bypass all built in mitigations and sandboxes.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that have been written in the past 12 months for performance analysis that use BPF. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funcccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
Video: https://www.youtube.com/watch?v=JRFNIKUROPE . Talk for linux.conf.au 2017 (LCA2017) by Brendan Gregg, about Linux enhanced BPF (eBPF). Abstract:
A world of new capabilities is emerging for the Linux 4.x series, thanks to enhancements that have been included in Linux for to Berkeley Packet Filter (BPF): an in-kernel virtual machine that can execute user space-defined programs. It is finding uses for security auditing and enforcement, enhancing networking (including eXpress Data Path), and performance observability and troubleshooting. Many new open source tools that have been written in the past 12 months for performance analysis that use BPF. Tracing superpowers have finally arrived for Linux!
For its use with tracing, BPF provides the programmable capabilities to the existing tracing frameworks: kprobes, uprobes, and tracepoints. In particular, BPF allows timestamps to be recorded and compared from custom events, allowing latency to be studied in many new places: kernel and application internals. It also allows data to be efficiently summarized in-kernel, including as histograms. This has allowed dozens of new observability tools to be developed so far, including measuring latency distributions for file system I/O and run queue latency, printing details of storage device I/O and TCP retransmits, investigating blocked stack traces and memory leaks, and a whole lot more.
This talk will summarize BPF capabilities and use cases so far, and then focus on its use to enhance Linux tracing, especially with the open source bcc collection. bcc includes BPF versions of old classics, and many new tools, including execsnoop, opensnoop, funcccount, ext4slower, and more (many of which I developed). Perhaps you'd like to develop new tools, or use the existing tools to find performance wins large and small, especially when instrumenting areas that previously had zero visibility. I'll also summarize how we intend to use these new capabilities to enhance systems analysis at Netflix.
Organizations looking to use a NoSQL data store based on Big Table face a challenge when deciding between alternatives. Often superficial differences are overblown or worse, subtle differences aren't discovered until it's too late. In this talk we compare and contrast Apache Accumulo against Apache Cassandra and Apache HBase, diving deep into design differences and subtleties that may hinder a project only after reaching a certain amount of usage or data storage.
– Speaker –
Aaron Cordova
Co-founder and CTO, Koverse
Aaron has built multiple, large-scale, big data systems that are used by the intelligence, defense, finance and healthcare industries. Aaron co-founded Koverse Inc. Prior to that, Aaron spent five years as a researcher for the National Security Agency (NSA) where he developed and deployed into operations dozens of advanced analytical techniques. He is the founder of Apache Accumulo, a scalable and secure data store on top of Apache Hadoop and the author of the recently released O’Reilly book, Accumulo: Application Development, Table Design, and Best Practices.
— More Information —
For more information see http://www.accumulosummit.com/
Pegasus: Designing a Distributed Key Value System (Arch summit beijing-2016)涛 吴
This slide delivered by Zuoyan Qin, Chief engineer from XiaoMi Cloud Storage Team, was for talk at Arch summit Beijing-2016 regarding how Pegasus was designed.
Differences between MariaDB 10.3 & MySQL 8.0Colin Charles
MySQL and MariaDB are becoming more divergent. Learn what is different from a high level. It is also a good idea to ensure that you use the correct database for the correct job.
Talk by Brendan Gregg for USENIX LISA 2019: Linux Systems Performance. Abstract: "
Systems performance is an effective discipline for performance analysis and tuning, and can help you find performance wins for your applications and the kernel. However, most of us are not performance or kernel engineers, and have limited time to study this topic. This talk summarizes the topic for everyone, touring six important areas of Linux systems performance: observability tools, methodologies, benchmarking, profiling, tracing, and tuning. Included are recipes for Linux performance analysis and tuning (using vmstat, mpstat, iostat, etc), overviews of complex areas including profiling (perf_events) and tracing (Ftrace, bcc/BPF, and bpftrace/BPF), and much advice about what is and isn't important to learn. This talk is aimed at everyone: developers, operations, sysadmins, etc, and in any environment running Linux, bare metal or the cloud."
The original Explaining Explain talk, focused on how the Postgres query optimizer works, and how to use the Explain command to better tune queries. This was delivered at OSCon ~2005, though the fundamentals still mostly apply today.
Slides from my talk at Citus Con on Optimizing Autovacuum: PostgreSQL's vacuum cleaner.
Talk Abstract below:
If you have run PostgreSQL for any serious OLTP workload, you have heard of autovacuum. Autovacuum is PostgreSQL’s way of running vacuum regularly to clear bloat from your tables and indexes. However, in spite of having autovacuum on, a large number of PostgreSQL users still see their database bloat increasing. What’s going on?
In the last decade, I have personally worked with 50+ Postgres customers who have struggled to figure out why autovacuum isn’t working how they expect. In this talk, we will walk through what I’ve learned from analyzing and improving these production Postgres databases. In this talk you will learn how autovacuum works, how to figure out why it is not working as you expect, and what you can do to fix it.
This is the presentation delivered by Karthik.P.R at MySQL User Camp Bangalore on 09th June 2017. ProxySQL is a high performance MySQL Load Balancer Designed to scale database servers.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
Writing a working exploit for a vulnerability is generally challenging, time-consuming, and labor-intensive. To address this issue, automated exploit generation techniques can be adopted. In practice, existing techniques however exhibit an insufficient ability to craft exploits, particularly for the kernel vulnerabilities. On the one hand, this is because their technical approaches explore exploitability only in the context of a crashing process whereas generating an exploit for a kernel vulnerability typically needs to vary the context of a kernel panic. On the other hand, this is due to the fact that the program analysis techniques used for exploit generation are suitable only for simple programs but not the OS kernel which has higher complexity and scalability.
In this talk, we will introduce and release a new exploitation framework to fully automate the exploitation of kernel vulnerabilities. Technically speaking, our framework utilizes a kernel fuzzing technique to diversify the contexts of a kernel panic and then leverages symbolic execution to explore exploitability under different contexts. We demonstrate that this new exploitation framework facilitates exploit crafting from many aspects.
First, it augments a security analyst with the ability to automate the identification of system calls that he needs to take advantages for vulnerability exploitation. Second, it provides security analysts with the ability to achieve security mitigation bypassing. Third, it allows security analysts to automatically generate exploits with different exploitation objectives (e.g., privilege escalation or data leakage). Last but not least, it equips security analysts with an ability to generate exploits even for those kernel vulnerabilities for which the exploitability has not yet been confirmed or verified.
Along with this talk, we will also release many unpublished working exploits against several kernel vulnerabilities. It should be noted that, the vulnerabilities we experimented cover primarily Use-After-Free and heap overflow. Among all these test cases, more than 50% of them do not have working exploits publicly available. To illustrate this release, I have already disclosed one working exploit at my personal website (http://ww9210.cn/). The exploit released on my site pertains to CVE-2017-15649 for which there has not yet been an exploit publicly available with the demonstration of bypassing SMAP.
Organizations looking to use a NoSQL data store based on Big Table face a challenge when deciding between alternatives. Often superficial differences are overblown or worse, subtle differences aren't discovered until it's too late. In this talk we compare and contrast Apache Accumulo against Apache Cassandra and Apache HBase, diving deep into design differences and subtleties that may hinder a project only after reaching a certain amount of usage or data storage.
– Speaker –
Aaron Cordova
Co-founder and CTO, Koverse
Aaron has built multiple, large-scale, big data systems that are used by the intelligence, defense, finance and healthcare industries. Aaron co-founded Koverse Inc. Prior to that, Aaron spent five years as a researcher for the National Security Agency (NSA) where he developed and deployed into operations dozens of advanced analytical techniques. He is the founder of Apache Accumulo, a scalable and secure data store on top of Apache Hadoop and the author of the recently released O’Reilly book, Accumulo: Application Development, Table Design, and Best Practices.
— More Information —
For more information see http://www.accumulosummit.com/
Pegasus: Designing a Distributed Key Value System (Arch summit beijing-2016)涛 吴
This slide delivered by Zuoyan Qin, Chief engineer from XiaoMi Cloud Storage Team, was for talk at Arch summit Beijing-2016 regarding how Pegasus was designed.
Differences between MariaDB 10.3 & MySQL 8.0Colin Charles
MySQL and MariaDB are becoming more divergent. Learn what is different from a high level. It is also a good idea to ensure that you use the correct database for the correct job.
Talk by Brendan Gregg for USENIX LISA 2019: Linux Systems Performance. Abstract: "
Systems performance is an effective discipline for performance analysis and tuning, and can help you find performance wins for your applications and the kernel. However, most of us are not performance or kernel engineers, and have limited time to study this topic. This talk summarizes the topic for everyone, touring six important areas of Linux systems performance: observability tools, methodologies, benchmarking, profiling, tracing, and tuning. Included are recipes for Linux performance analysis and tuning (using vmstat, mpstat, iostat, etc), overviews of complex areas including profiling (perf_events) and tracing (Ftrace, bcc/BPF, and bpftrace/BPF), and much advice about what is and isn't important to learn. This talk is aimed at everyone: developers, operations, sysadmins, etc, and in any environment running Linux, bare metal or the cloud."
The original Explaining Explain talk, focused on how the Postgres query optimizer works, and how to use the Explain command to better tune queries. This was delivered at OSCon ~2005, though the fundamentals still mostly apply today.
Slides from my talk at Citus Con on Optimizing Autovacuum: PostgreSQL's vacuum cleaner.
Talk Abstract below:
If you have run PostgreSQL for any serious OLTP workload, you have heard of autovacuum. Autovacuum is PostgreSQL’s way of running vacuum regularly to clear bloat from your tables and indexes. However, in spite of having autovacuum on, a large number of PostgreSQL users still see their database bloat increasing. What’s going on?
In the last decade, I have personally worked with 50+ Postgres customers who have struggled to figure out why autovacuum isn’t working how they expect. In this talk, we will walk through what I’ve learned from analyzing and improving these production Postgres databases. In this talk you will learn how autovacuum works, how to figure out why it is not working as you expect, and what you can do to fix it.
This is the presentation delivered by Karthik.P.R at MySQL User Camp Bangalore on 09th June 2017. ProxySQL is a high performance MySQL Load Balancer Designed to scale database servers.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
Writing a working exploit for a vulnerability is generally challenging, time-consuming, and labor-intensive. To address this issue, automated exploit generation techniques can be adopted. In practice, existing techniques however exhibit an insufficient ability to craft exploits, particularly for the kernel vulnerabilities. On the one hand, this is because their technical approaches explore exploitability only in the context of a crashing process whereas generating an exploit for a kernel vulnerability typically needs to vary the context of a kernel panic. On the other hand, this is due to the fact that the program analysis techniques used for exploit generation are suitable only for simple programs but not the OS kernel which has higher complexity and scalability.
In this talk, we will introduce and release a new exploitation framework to fully automate the exploitation of kernel vulnerabilities. Technically speaking, our framework utilizes a kernel fuzzing technique to diversify the contexts of a kernel panic and then leverages symbolic execution to explore exploitability under different contexts. We demonstrate that this new exploitation framework facilitates exploit crafting from many aspects.
First, it augments a security analyst with the ability to automate the identification of system calls that he needs to take advantages for vulnerability exploitation. Second, it provides security analysts with the ability to achieve security mitigation bypassing. Third, it allows security analysts to automatically generate exploits with different exploitation objectives (e.g., privilege escalation or data leakage). Last but not least, it equips security analysts with an ability to generate exploits even for those kernel vulnerabilities for which the exploitability has not yet been confirmed or verified.
Along with this talk, we will also release many unpublished working exploits against several kernel vulnerabilities. It should be noted that, the vulnerabilities we experimented cover primarily Use-After-Free and heap overflow. Among all these test cases, more than 50% of them do not have working exploits publicly available. To illustrate this release, I have already disclosed one working exploit at my personal website (http://ww9210.cn/). The exploit released on my site pertains to CVE-2017-15649 for which there has not yet been an exploit publicly available with the demonstration of bypassing SMAP.
Democratizing Fuzzing at Scale by Abhishek Aryaabh.arya
Presented at NUS: Fuzzing and Software Security Summer School 2024
This keynote talks about the democratization of fuzzing at scale, highlighting the collaboration between open source communities, academia, and industry to advance the field of fuzzing. It delves into the history of fuzzing, the development of scalable fuzzing platforms, and the empowerment of community-driven research. The talk will further discuss recent advancements leveraging AI/ML and offer insights into the future evolution of the fuzzing landscape.
A 50 min talk at OWASP AppSec USA including demos Zest (a new security scripting language from Mozilla) and Plug-n-Hack (including fuzzing postMessages in the browser to find DOM XSS vulnerabilities). A video of this talk is available here: http://www.youtube.com/watch?v=pYFtLA2yTR8
This talk will be focused on discussing war stories from a product architect/engineer who lives within an information security department and is passionate about driving change. Attendees will get to experience a few different routes that have lead to success and others that might need to avoided. As an ever-evolving space, when reducing risk and deploy safe products to the market, we all have to find the correct gear to get us down the road.
In this presentation, Jared Atkinson and Jonathan Johnson discuss the problem that many security professionals are facing today. How exactly do I know if my detection will actually detect the thing I want to detect? We discuss the importance of testing telemetry coverage and using abstraction to build a representative sample set of Atomic tests to validate detection coverage.
Scripts used in presentation can be found below:
Process Access: https://gist.github.com/jaredcatkinson/9c7a1af2261a752432230a4148ecfe02
Process Read: https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/Windows/TestHarnesses/T1003.001_DumpLSASS/DumpLSASS.ps1
Watch this talk on YouTube: https://youtu.be/-3K74I7t7CQ
Securing the Software Supply Chain has become a focus of cybersecurity efforts the world over. One aspect of this is with the generation and verification of a Software Bill of Materials (SBOM). But what is an SBOM and how would you go about setting this up for your cloud native container/applications/pipeline?
The Flux team recently published a blog on this very topic and how they’ve gone about implementing these measures. During this session, Dan Luhring, OSS Engineering Manager at Anchore, will dive into SBOMs - what they are, why you need them, some common use cases and how to get your pipeline ready for SBOM generation and verification using the Flux SBOM as an example.
Resources
Anchore: A comprehensive, continuous security and compliance platform to protect your cloud-native applications.
Anchore’s OSS tools featured during this session:
- Syft: A CLI tool for generating a Software Bill of Materials (SBOM) from container images and file systems
- Grype: An easy-to-integrate open source vulnerability scanning tool for container images and file systems.
Speaker Bios:
Dan Luhring heads up OSS at Anchore, where he leads the software engineering team that develops Syft and Grype. Dan is drawn deeply into the cloud native security space, where he focuses on container workflows and developer experience. Dan believes in making software more secure by making life better for software engineers and security practitioners. Dan is a maintainer of Sigstore’s Cosign project, and he loves partnering with other people to find solutions to daunting challenges.
Priyanka (aka “Pinky”) is a Developer Experience Engineer at Weaveworks. She has worked on a multitude of topics including front end development, UI automation for testing and API development. Previously she was a software developer at State Farm where she was on the delivery engineering team working on GitOps enablement. She was instrumental in the multi-tenancy migration to utilize Flux for an internal Kubernetes offering. Outside of work, Priyanka enjoys hanging out with her husband and two rescue dogs as well as traveling around the globe.
Test Driven Development, or a "test first" approach, requires both time and effort to manage, but the benefits are clear. Join KidoZen’s Vice President of Engineering, Gustavo Machado as he shares important best practices and real-life approaches to Unit Testing on the Xamarin Platform.
IoT (Internet of Things) and OT (Operational Technology) are the current buzzwords for networked devices on which our modern society is based on. In this area the used operating systems are summarized with the term firmware. The devices by themself, so called embedded devices, are essential in the private, as well as in the industrial environment and in the so-called critical infrastructure. Penetration testing of these systems is quite complex as we have to deal with different architectures, optimized operating systems and special protocols. EMBA is an open-source firmware analyzer with the goal to simplify and optimize the complex task of firmware security analysis. EMBA supports the penetration tester with the automated detection of 1-day vulnerabilities on binary level. This goes far beyond the plain CVE detection. With EMBA you always know which public exploits are available for the target firmware. Beside the detection of already known vulnerabilities, EMBA also supports the tester on the next 0-day. For this EMBA identifies critical binary functions, protection mechanisms and services with network behavior on a binary level. There are many other features built into EMBA, such as fully automated firmware extraction, finding file system vulnerabilities, hard-coded credentials, and more. EMBA is an open-source firmware scanner, created by penetration testers for penetration testers.
Project page: https://github.com/e-m-b-a/emba
Conference page: https://troopers.de/troopers22/agenda/tr22-1042-emba-open-source-firmware-security-testing/
Similar to Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox (20)
How Your DRAM Becomes a Security Problemmark-smith
Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU. The attack is based on the presence of a row buffer in all DRAM modules. While this buffer is of vital importance to the way DRAM works physically, they also provide an attack surface for a side channel attack.
Applied Machine Learning for Data exfil and other fun topicsmark-smith
The goal of this presentation is to help researchers, analyst, and security enthusiast get their hands dirty applying machine learning to security problems. We will walk the entire pipeline from idea to functioning tool on several diverse security related problems, including offensive and defensive use cases for machine learning.
In this talk we focus on challenges that Fried Apple team solved in a process of making untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection.
The linux kernel hidden inside windows 10mark-smith
we'll take a look at the internals of this entirely new paradigm shift in the Windows OS, and touch the boundaries of the undocumented and unsupported to discover interesting design flaws and abusable assumptions, which lead to a wealth of new security challenges on Windows 10 Anniversary Update ("Redstone") machines.
People's work effectiveness may decrease, as they will have to be suspicious of practically every message they receive. This may also seriously hamper social relationships within the organization, promoting the atmosphere of distrust.
Greed for Fame Benefits Large Scale Botnetsmark-smith
A criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated.
How your smartphone cpu breaks software level security and privacymark-smith
We will discuss how two apps on a system can communicate with each other, circumventing the permission system and show how we can attack Bouncy Castles AES implementation.
Attacking Network Infrastructure to Generate a 4 Tbs DDoSmark-smith
As bandwidth, computing power, and software advancements have improved over the years, we've begun to see larger and larger DDoS attacks against organizations. Often times these attacks employ techniques such as DNS Amplification to take advantage of servers with very large uplinks.
How to Make People Click on a Dangerous Link Despite their Security Awareness mark-smith
It is possible to make virtually any person click on a link, as any person will be curious about something, or interested in some topic, or find the message plausible because they know the sender, or because it fits their expectations (context).
Technologies and Policies for a Defensible Cyberspacemark-smith
Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack has been, for decades, far easier than cyber defense.
Technologies and Policies for a Defensible Cyberspacemark-smith
Whether curious or malicious hackers, organized criminals, or national spies or soldiers, for
decades, those who want to use cyberspace to attack have held nearly all the cards. Cyber attack
has been, for decades, far easier than cyber defense.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfFlorence Consulting
Quattordicesimo Meetup di Milano, tenutosi a Milano il 23 Maggio 2024 dalle ore 17:00 alle ore 18:30 in presenza e da remoto.
Abbiamo parlato di come Axpo Italia S.p.A. ha ridotto il technical debt migrando le proprie APIs da Mule 3.9 a Mule 4.4 passando anche da on-premises a CloudHub 1.0.
Italy Agriculture Equipment Market Outlook to 2027harveenkaur52
Agriculture and Animal Care
Ken Research has an expertise in Agriculture and Animal Care sector and offer vast collection of information related to all major aspects such as Agriculture equipment, Crop Protection, Seed, Agriculture Chemical, Fertilizers, Protected Cultivators, Palm Oil, Hybrid Seed, Animal Feed additives and many more.
Our continuous study and findings in agriculture sector provide better insights to companies dealing with related product and services, government and agriculture associations, researchers and students to well understand the present and expected scenario.
Our Animal care category provides solutions on Animal Healthcare and related products and services, including, animal feed additives, vaccination
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
2. About Us
• Marco Grassi
• Senior Security Researcher @ Tencent KEEN Lab
• Main Focus: Vulnerability Research, Android, OS X/iOS, Sandboxes
• Qidan He
• Senior Security Researcher @ Tencent KEEN Lab
• Main Focus: Bug huntingand exploitingon *nix platform
3. Tencent KEEN Security Lab
• Previously known as KeenTeam
• All the researchers moved to Tencent for business requirements
• New name: TencentKEEN Security Lab
• In March of this year our union team with Tencent PC Manager
(Tencent Security Team Sniper) won the title of “Master Of Pwn” at
Pwn2Own 2016
4. Agenda
• Introduction to Sandboxes
• Safari Sandbox on OS X (WebContent Sandbox)
• Google Chrome Sandbox on Android (Isolated Process)
• Comparison of the Sandbox implementation of the 2 platforms
• Auditing Sandboxes and Case Studies
• Full Sandbox Escape demo from the browser renderer process
• Summary and Conclusions
13. WebContent sandbox
• Regular OS X sandbox implemented on top of Sandbox.kext
• The sandbox profile definition is currently located at:
“/System/Library/Frameworks/WebKit.framework/Versions/A/Resour
ces/com.apple.WebProcess.sb”
• Sandbox.kext specifies callbacks for a lot of TrustedBSD MAC
framework, which places hooks in the kernel where decisions has to
be made, to authorize access to a resource or not (for example, on file
access, the sandbox profile is used to decide if access should be
granted or not)
25. How to audit a sandbox profile? (3)
• “allow-iokit-open” (iokit-connection
"IOAccelerator") is definetely interesting
• iokit-connection allows the sandboxed process
to open all the userclient under the target
IOService(much less restrictive than iokit-user-
client-class )
• In the table on the left we see the Userclients
that we can obtain on the IntelAccelerator
(default driver in most of the recent Apple
machines)
UserClient Name Type
IGAccelSurface 0
IGAccelGLContext 1
IGAccel2DContext 2
IOAccelDisplayPipeUserClient2 4
IGAccelSharedUserClient 5
IGAccelDevice 6
IOAccelMemoryInfoUserClient 7
IGAccelCLContext 8
IGAccelCommandQueue 9
IGAccelVideoContext 0x100
26. IOKit vulnerability: CVE-2016-1744
• Race condition in an externalMethod in AppleIntelBDWGraphics.
• Affects every recent Mac with Intel Broadwell CPU/Graphics.
• Discovered by code auditing when looking for sandbox escapes into IOKit
UserClients reachable from the Safari WebProcess sandbox.
• Unfortunately it got partially patched 1-2 weeks before Pwn2Own! LLL .
A replacement was needed. L
• Unpatched in OSX 10.11.3, only partial fix in 10.11.4 beta6.
• Reliably exploitable.
• Finally it came out that we had a bug collision with Ian Beer of Google
Project Zero, which reported the bug to Apple.
28. IOKit vulnerability: CVE-2016-1744
• IGAccelCLContext and
IGAccelGLContext are 2 UserClients
that can be reached from the
WebProcess Safari sandbox.
• The locking mechanisms in these
UserClients is not too good, some
methods expects only a well
behaved single threaded access.
• First we targeted
unmap_user_memory
30. Race condition – How to trigger it?
1. Open your target UserClient (IGAccelCLContext)
2. Call map_user_memory to insert one element into the IGHashTable
3. Call with 2 racing threads unmap_user_memory.
4. Repeat 2 and 3 until you are able to exploit the race window.
5. Double free on first hand
6. PROFIT!