The document introduces PMCMA, a debugger tool that analyzes memory corruption bugs by forcing processes to fork, overwriting memory locations in the offspring processes, and monitoring execution to map exploitable scenarios. PMCMA aims to provide a roadmap for exploitation by identifying vulnerabilities and possible exploitation techniques like truncating function pointers or exploiting 4-byte aligned memory writes. The tool is available online and has received over 10,000 downloads in its first two months.
Hardware backdooring is practical: slides - Moabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete erasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demoing its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non-open-source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the aforementioned firmwares as part of their scope of work.
[Defcon] Hardware backdooring is practical - Moabi.com
This presentation will demonstrate that permanent backdooring of hardware is practical. We have built a generic proof of concept malware for the Intel architecture, Rakshasa, capable of infecting more than a hundred different motherboards. The first net effect of Rakshasa is to disable NX permanently and remove SMM related fixes from the BIOS, resulting in permanent lowering of the security of the backdoored computer, even after complete erasing of hard disks and reinstallation of a new operating system. We shall also demonstrate that preexisting work on MBR subversions such as bootkiting and preboot authentication software bruteforce can be embedded in Rakshasa with little effort. Moreover, Rakshasa is built on top of free software, including the Coreboot project, meaning that most of its source code is already public. This presentation will take a deep dive into Coreboot and hardware components such as the BIOS, CMOS and PIC embedded on the motherboard, before detailing the inner workings of Rakshasa and demoing its capabilities. It is hoped to raise awareness of the security community regarding the dangers associated with non-open-source firmwares shipped with any computer and question their integrity. This shall also result in upgrading the best practices for forensics and post intrusion analysis by including the aforementioned firmwares as part of their scope of work.
[Defcon24] Introduction to the Witchcraft Compiler Collection - Moabi.com
With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the latter technique over the former being that it does work. Once universal code ‘reuse’ is achieved by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in-memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self-awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it.
The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Witchcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24.
Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAfee Endpoint and a fair number of BIOS Firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, which the MIT Technology Review labeled "incurable and undetectable".
This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating in the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade, including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce.
Twitter: @endrazine
Facebook: toucansystem
https://moabi.com
Don't Tell Joanna the Virtualized Rootkit is Dead (Blackhat 2007) - Nate Lawson
Analysis of virtualized rootkit detection methods. Introduces "Samsara", our framework for detecting virtualization and an implementation of data/instruction TLB sizing, HPET timer, and VT errata tests. We predict the future will be cat-and-mouse, where each side analyzes and responds to the behavior of their opponent, ad infinitum. Joint talk given with Thomas Ptacek and Peter Ferrie.
Agenda:
This talk will provide an in-depth review of the usage of canaries in the kernel and the interaction with userspace, as well as a short review of canaries and why they are needed in general so don't be afraid if you never heard of them.
Speaker:
Gil Yankovitch, CEO, Chief Security Researcher from Nyx Security Solutions
Kernel Recipes 2014 - Writing Code: Keep It Short, Stupid! - Anne Nicolas
The traditional KISS principle says that you are stupid if you can’t keep it simple. However, keeping it simple is actually very, very hard. But my lasting impression after reading a lot of code (Linux kernel and otherwise) over the years is that there is no excuse for not keeping your code short. And usually, keeping it short is a very good first step towards keeping it simple. This presentation will give some simple tricks and pointers to keep your code short and I will also give some guidelines on how to do design and implementation from a high-level point of view. These simple rules should make it easier for you to get your code accepted in open source projects such as the Linux kernel.
Hans Verkuil
Have you ever heard of FreeBSD? Probably.
Have you ever interacted with its kernel? Probably not.
In this talk, Gili Yankovitch (nyxsecuritysolutions.com) will talk about the FreeBSD operating system, its network stack and how to write network drivers for it.
The talk will cover the following topics:
* Kernel/User interaction in FreeBSD
* The FreeBSD Network Stack
* Network Buffers API
* L2 and L3 Hooking
Kernel Recipes 2015: Anatomy of an atomic KMS driver - Anne Nicolas
The DRM and KMS APIs have won in the Linux graphics ecosystem. Long gone are the days when KMS meant only a handful of desktop graphics drivers. As a side effect, new problems have been uncovered, and API extensions are being designed to address advanced use cases. Atomic updates are the latest significant such extension.
While the userspace API extension is simple, a lot of work went under the hood and the in-kernel KMS helpers went through major changes that are not trivial to implement in drivers. This talk will present KMS atomic updates and explain how to update KMS drivers to take advantage of the new API, using the Renesas rcar-du-drm driver as an example.
Laurent Pinchart, Ideas on Board
CONFidence 2017: Escaping the (sand)box: The promises and pitfalls of modern ... - PROIDEA
Users of modern Linux containerization technologies are frequently at a loss as to what kind of security guarantees are delivered by the tools they use. Typical questions range from “Can these be used to isolate software with known security shortcomings and a rich history of security vulnerabilities?” to even “Can I use such a technique to isolate user-generated and potentially hostile assembler payloads?”
The modern Linux OS code-base as well as independent authors provide a plethora of options for those who desire to make sure that their computational loads are solidly confined. Potential users can choose from solutions ranging from Docker-like confinement projects, through Xen hypervisors, seccomp-bpf and ptrace-based sandboxes, to isolation frameworks based on hardware virtualization (e.g. KVM).
The talk will discuss the techniques available today, with focus on the (frequently overstated) promises regarding their strength. In the end, as they say: “Many speed bumps don’t make a wall.”
Agenda:
In this session, Shmulik Ladkani discusses the kernel's net_device abstraction, its interfaces, and how net-devices interact with the network stack. The talk covers many of the software network devices that exist in the Linux kernel, the functionalities they provide and some interesting use cases.
Speaker:
Shmulik Ladkani is a Tech Lead at Ravello Systems.
Shmulik started his career at Jungo (acquired by NDS/Cisco) implementing residential gateway software, focusing on embedded Linux, Linux kernel, networking and hardware/software integration.
51966 coffees and billions of forwarded packets later, with millions of homes running his software, Shmulik left his position as Jungo’s lead architect and joined Ravello Systems (acquired by Oracle) as tech lead, developing a virtual data center as a cloud service. He's now focused on virtualization systems, network virtualization and SDN.
Agenda:
In this talk we will present various locking mechanisms implemented in the Linux kernel, from System V locks to raw spinlocks and the RT patch.
Speaker:
Mark Veltzer - CTO of Hinbit and a senior instructor at John Bryce. Mark is also a member of the Free Source Foundation and contributes to many free projects.
https://github.com/veltzer
Kernel Recipes 2015 - The Dronecode Project – A step in open source drones - Anne Nicolas
UAVs are becoming more and more present in our everyday life and there are lots of different projects currently being developed in order to control their flight, handle their stability, make it possible to edit automatic missions that the drones will execute, and anything else the developers can think of.
In October 2014, the Linux Foundation announced the creation of the DroneCode Project, which is to become “a common, shared open source platform for Unmanned Aerial Vehicles (UAVs)”. Parrot started to sell Linux based drones in 2010 and obviously needed to take part in that adventure.
This Lightning Talk will try to give a quick overview of the projects that are developed by the Dronecode community and explain why and how I started a few months ago to port an open source autopilot named Ardupilot to Parrot’s drones. This Lightning Talk will also present the current status of this project, and the many possibilities that can come from it.
Julien BERAUD
New Zephyr features: LWM2M / FOTA Framework - SFO17-113 - Linaro
Session ID: SFO17-113
Session Name: New Zephyr features: LWM2M / FOTA Framework - SFO17-113
Speaker: Marti Bolivar - David Brown - Ricardo Salveti - Mike Scott
Track: LTD
★ Session Summary ★
Zephyr is changing at an alarming pace and we would like to provide some insights into a few of the areas we have been working on: MCUBOOT secure bootloader integration, FOTA, DeviceTree and LWM2M enabling secure client-to-cloud capabilities.
---------------------------------------------------
★ Resources ★
Event Page: http://connect.linaro.org/resource/sfo17/sfo17-113/
Presentation:
Video: https://www.youtube.com/watch?v=VOv0-d5T99o
---------------------------------------------------
★ Event Details ★
Linaro Connect San Francisco 2017 (SFO17)
25-29 September 2017
Hyatt Regency San Francisco Airport
---------------------------------------------------
How Triton can help to reverse virtual machine based software protections - Jonathan Salwan
The first part of the talk is going to be an introduction to the Triton framework to expose its components and to explain how they work together. Then, the second part will include demonstrations on how it's possible to reverse virtual machine based protections using taint analysis, symbolic execution, SMT simplifications and LLVM-IR optimizations.
Don't mention TLB (at all?!?), just confuses people. Was just put so people
were aware that it was being set up for deterministic behaviour (the side
channel is the cache exclusively, not the TLB missing).
Don't mention the privilege level arch stuff until *after* Variant 1 has been
discussed, rather prior to Variant 2, and especially 3/Meltdown.
To explain the victim vs. attacker domains better in Variant 1, the example of
two threads in a process should be given, where one thread is the
'parent'/'governor' of the other(s), and has privileged information, e.g., a
valid TLS session key for a bank account login in another thread/tab in a
browser. One thread should not be able to 'see' another's private data.
Items such as the AntiVirus report could easily be omitted...
Thanks,
Kim Phillips
The .NET Garbage Collector (GC) is really cool. It helps providing our applications with virtually unlimited memory, so we can focus on writing code instead of manually freeing up memory. But how does .NET manage that memory? What are hidden allocations? Are strings evil? It still matters to understand when and where memory is allocated. In this talk, we’ll go over the base concepts of .NET memory management and explore how .NET helps us and how we can help .NET – making our apps better. Expect profiling, Intermediate Language (IL), ClrMD and more!
IoT exploitation: from memory corruption to code execution by Marco Romano - Codemotion
#Codemotion Rome 2018 - Through an "IoT pentester's diary", we will analyze the key steps of a penetration test on an IP webcam, which will take us from the analysis of the attack surfaces to the identification of a real vulnerability. An introduction to exploitation, moving from a buffer overflow to remote code execution.
Similar to [Ruxcon 2011] Post Memory Corruption Memory Analysis
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... - Moabi.com
Powerpoint of our presentation at Blackhat 2015.
Featuring the first attacks against Windows 10 and Microsoft Edge.
- French Kiss attack against Windows 10.
- Syphilis attack against Microsoft Edge.
- Ménage à trois attack against Windows 10 and Exchange.
- Demos on Amazon AWS and Microsoft Azure.
[Ruxcon Monthly Sydney 2011] Proprietary Protocols Reverse Engineering : Rese... - Moabi.com
This presentation given in 2011 during the first Ruxcon Monthly (Ruxmon) Sydney focuses on proprietary protocols reverse engineering and vulnerability audits.
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the... - Moabi.com
Pre-boot authentication software, in particular full hard disk encryption software, plays a key role in preventing information theft. In this paper, we present a new class of vulnerability affecting multiple high value pre-boot authentication software, including the latest Microsoft disk encryption technology: Microsoft Vista's Bitlocker, with TPM chip enabled. Because pre-boot authentication software programmers commonly make wrong assumptions about the inner workings of the BIOS interrupts responsible for handling keyboard input, they typically use the BIOS API without flushing or initializing the BIOS internal keyboard buffer. Therefore, any user input including plain text passwords remains in memory at a given physical location. In this article, we first present a detailed analysis of this new class of vulnerability and generic exploits for Windows and Unix platforms under x86 architectures. Unlike current academic research aiming at extracting information from the RAM, our practical methodology does not require any physical access to the computer to extract plain text passwords from the physical memory. In a second part, we will present how this information leakage combined with usage of the BIOS API without careful initialization of the BIOS keyboard buffer can lead to computer reboot without console access and full security bypass of the pre-boot authentication pin if an attacker has enough privileges to modify the bootloader. Other related work includes information leakage from CPU caches, reading physical memory thanks to FireWire and switching CPU modes.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
GraphRAG is All You need? LLM & Knowledge GraphGuy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
JMeter webinar - integration with InfluxDB and GrafanaRTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Elevating Tactical DDD Patterns Through Object CalisthenicsDorra BARTAGUIZ
After immersing yourself in the blue book and its red counterpart, attending DDD-focused conferences, and applying tactical patterns, you're left with a crucial question: How do I ensure my design is effective? Tactical patterns within Domain-Driven Design (DDD) serve as guiding principles for creating clear and manageable domain models. However, achieving success with these patterns requires additional guidance. Interestingly, we've observed that a set of constraints initially designed for training purposes remarkably aligns with effective pattern implementation, offering a more ‘mechanical’ approach. Let's explore together how Object Calisthenics can elevate the design of your tactical DDD patterns, offering concrete help for those venturing into DDD for the first time!
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 3
[Ruxcon 2011] Post Memory Corruption Memory Analysis
1. Post Memory Corruption Memory Analysis
Jonathan Brossard
CEO – Toucan System
jonathan@toucan-system.com
2. Who am I ?
- Security Research Engineer at Toucan System
- Speaker at Blackhat, Defcon, HITB, H2HC, Kiwicon... and Ruxcon :)
- Organiser of the Hackito Ergo Sum conference (Paris).
- I'm the guy who comes to Ruxcon with 90+ slides...
7. We got 10k+ downloads in less than 2 months...
(Note : Andrewg, thanks for your help, you can stop your bot now...)
8. What's pmcma ?
It's a ptrace()-based debugger for Linux (maybe one day for other *NIX).
Pmcma finds and tests exploitation scenarios.
Pmcma's output is a roadmap to exploitation, not exploit code.
It tells you whether a given bug triggering an invalid memory access is a vulnerability, whether it is exploitable with the state of the art, and how to exploit it.
16. How do applications crash ?
* Stack corruptions -> stack overflows, usually detected now because of SSP | studied a LOT
* Signal 6 (SIGABRT) -> assert(), abort() : unexpected execution paths (assert() in particular), heap corruptions caught by the allocator
* Segfault (signal 11, SIGSEGV) -> invalid memory access
18. Invalid memory access
- trying to read a page that is not readable (often not mapped at all).
- trying to write to a page that is not writable (often not mapped at all).
- trying to execute a page that is not executable (often not mapped at all).
19. Why do they happen ?
Because of any kind of miscomputation, really :
- integer overflows in loop counters or destination registers when copying/initializing data, casting errors when extending registers or ...
- uninitialised memory, dangling pointers
- variable misuse
- heap overflows (when inadvertently overwriting a function ptr)
- format string bugs (missing format string)
- overflows in the heap, .data, .bss, or any other writable section (including those of shared libraries).
- stack overflows when no stack cookies are present...
23. Exploiting invalid memory reads ?
- usually plain not exploitable
- won't allow us to modify the memory of the mapping directly
- in theory : we could perform a user controlled read, to trigger a second (better) bug.
25. How to...
To exploit invalid writes, we need to find ways to transform an arbitrary write into an arbitrary exec.
The most obvious targets are function pointers.
26. Exploiting invalid memory writes : scenario
- Target a known function pointer (typically : .dtors, a GOT entry...). Can be prevented at build time : no .dtors section, read-only GOT (full RELRO)...
- Target function pointers in the whole binary ?
- Overwrite a given location to trigger another bug (eg : stack overflow)
28. Problems to take into account
- Kernel : ASLR ? NX ?
- Compilation/linking : RELRO (partial/full) ? no .dtors section ? SSP ? FORTIFY_SOURCE ?
=> Pmcma needs to measure/detect those features
30. ASLR : not perfect
- Prelinking (default on Fedora) breaks ASLR
- Not all kernels have the same randomization strength.
- Non-PIE binaries (loaded at a fixed address)
=> Truth is : we need better tools to test it !
31. Testing ASLR
- Run a binary X times (say X=100)
- Stop execution after loading
- Record mappings.
=> Compare mappings, deduce randomization
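The "compare mappings, deduce randomization" step of slide 31, as an added example that is not pmcma's own code. pmcma obtains its snapshots by running the target X times, stopping it after loading and dumping /proc/<pid>/maps; the three snapshots below are constructed inline so the block runs offline, and the paths and addresses in them are made up to look like a 32-bit Linux layout of a non-PIE binary. Feeding real dumps to the same function changes nothing in the arithmetic.

```c
/*
 * Added example (not pmcma code): count the address bits of each object's
 * base mapping that ever change across runs.  The XOR of every run's base
 * against run 0 is ORed together; the popcount is the number of bits seen to
 * vary, a lower bound on the randomization that tightens with more runs.
 * Build: gcc -std=c99 -Wall -o aslrbits aslrbits.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed /proc/<pid>/maps excerpts for three runs of the same binary. */
static const char *const SNAPSHOTS[3] = {
    "08048000-08050000 r-xp 00000000 08:01 1234 /usr/bin/target\n"
    "08050000-08052000 rw-p 00008000 08:01 1234 /usr/bin/target\n"
    "09a3c000-09a5d000 rw-p 00000000 00:00 0 [heap]\n"
    "b7612000-b7768000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
    "b7768000-b776a000 rw-p 00156000 08:01 5678 /lib/libc.so.6\n"
    "bf8c1000-bf8d6000 rw-p 00000000 00:00 0 [stack]\n",

    "08048000-08050000 r-xp 00000000 08:01 1234 /usr/bin/target\n"
    "08050000-08052000 rw-p 00008000 08:01 1234 /usr/bin/target\n"
    "09a0c000-09a2d000 rw-p 00000000 00:00 0 [heap]\n"
    "b76b6000-b780c000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
    "b780c000-b780e000 rw-p 00156000 08:01 5678 /lib/libc.so.6\n"
    "bfa80000-bfa95000 rw-p 00000000 00:00 0 [stack]\n",

    "08048000-08050000 r-xp 00000000 08:01 1234 /usr/bin/target\n"
    "08050000-08052000 rw-p 00008000 08:01 1234 /usr/bin/target\n"
    "09b34000-09b55000 rw-p 00000000 00:00 0 [heap]\n"
    "b7643000-b7799000 r-xp 00000000 08:01 5678 /lib/libc.so.6\n"
    "b7799000-b779b000 rw-p 00156000 08:01 5678 /lib/libc.so.6\n"
    "bf4c2000-bf4d7000 rw-p 00000000 00:00 0 [stack]\n",
};

/* Parse one maps line into its start address and object name ("[anon]" when
 * the path column is empty).  Returns 1 on success, 0 on a malformed line. */
static int parse_maps_line(const char *line, uint64_t *start, char *name, size_t namelen)
{
    unsigned long long s, e, off, inode;
    char perms[8], dev[16], path[256] = "";
    int n = sscanf(line, "%llx-%llx %7s %llx %15s %llu %255s",
                   &s, &e, perms, &off, dev, &inode, path);
    if (n < 6) return 0;
    *start = s;
    snprintf(name, namelen, "%s", path[0] ? path : "[anon]");
    return 1;
}

static int popcount64(uint64_t x)
{
    int c = 0;
    for (; x; x &= x - 1) c++;
    return c;
}

/* Bits of `name`'s lowest mapping that differ between snapshots; 0 means the
 * object always loaded at the same address, -1 means it was never seen. */
static int region_randomized_bits(const char *const *snaps, int nsnaps, const char *name)
{
    uint64_t first = 0, changed = 0;
    int seen = 0;
    for (int i = 0; i < nsnaps; i++) {
        const char *p = snaps[i];
        while (*p) {
            const char *nl = strchr(p, '\n');
            size_t len = nl ? (size_t)(nl - p) : strlen(p);
            char line[512], obj[256];
            uint64_t start;
            if (len >= sizeof line) len = sizeof line - 1;
            memcpy(line, p, len);
            line[len] = '\0';
            p += len + (nl ? 1 : 0);
            if (!parse_maps_line(line, &start, obj, sizeof obj) || strcmp(obj, name) != 0)
                continue;
            if (!seen) { first = start; seen = 1; }
            else changed |= start ^ first;      /* bits that moved relative to run 0 */
            break;                              /* maps is sorted: first hit is the base */
        }
    }
    return seen ? popcount64(changed) : -1;
}

int main(void)
{
    const char *objs[] = { "/usr/bin/target", "[heap]", "/lib/libc.so.6", "[stack]" };
    for (size_t i = 0; i < sizeof objs / sizeof objs[0]; i++)
        printf("%-16s %2d randomized bit(s)\n", objs[i],
               region_randomized_bits(SNAPSHOTS, 3, objs[i]));
    return 0;
}
```

With three runs the numbers are only "bits seen to move so far"; the non-PIE binary reports 0 no matter how many runs you add, which is exactly the case slide 30 warns about.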
34. GOALS
- We want to test overwriting different memory locations inside a process and see if they have an influence over the flow of execution
- We want to scale to big applications (web browsers, network daemons...)
- We want a decent execution time
35. mk_fork()
The idea :
- We start analysing after a SEGFAULT
- We make the process fork() (many many times)
- Inside each offspring, we overwrite a different memory location
36. mk_fork() : benefits
Mapping looks « just like » it will when actually exploiting the binary
No ASLR/mapping replication problem
Exhaustive and hopefully fast
37. How to force a process to fork ?
1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject fork() shellcode.
4) Modify registers so eip points to the shellcode.
5) Execute the shellcode.
6) wait() for both the original process and the offspring.
7) Restore bytes in both processes.
8) Restore registers in both processes.
42. mk_fork()
[diagram : offspring n, with its mappings (Executable, Writable, Executable, ...)]
43. mk_fork() : PROS
- allows for multiple tests out of a single process
- fast, efficient (no recording of memory snapshots)
- no need to use breakpoints
- no single stepping
44. mk_fork() : CONS
- Dealing with offspring termination ? (Zombie processes)
- I/O, IPC, network sockets will be in an unpredictable state
- Hence syscalls will go wrong too (!!)
45. Zombie reaping
- Avoid the wait() for a SIGCHLD in the parent process.
- Kill processes after a given timeout, including all of their children.
46. Zombie reaping : the SIGCHLD problem
If we can have the parent process ignore SIGCHLD signals, we won't create zombies : with SIGCHLD set to SIG_IGN (or SA_NOCLDWAIT), the kernel reaps terminated children by itself.
=> We inject a small shellcode to perform this via sigaction()
47. Zombie reaping : the SIGCHLD problem
1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject sigaction() shellcode.
4) Modify registers so eip points to the shellcode.
5) Execute the shellcode.
6) wait() for the process while it executes the shellcode.
7) Restore bytes in the +X location.
8) Restore registers in the process.
49. Zombie reaping : killing the offspring and their children
Fortunately, this is possible using « process grouping »...
50. Process grouping
setpgid() sets the PGID of the process specified by pid to pgid. If pid is zero, then the process ID of the calling process is used. If pgid is zero, then the PGID of the process specified by pid is made the same as its process ID. If setpgid() is used to move a process from one process group to another (as is done by some shells when creating pipelines), both process groups must be part of the same session (see setsid(2) and credentials(7)). In this case, the pgid specifies an existing process group to be joined and the session ID of that group must match the session ID of the joining process.
51. Zombie reaping : forcing process grouping
1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject setpgid() shellcode.
4) Modify registers so eip points to the shellcode.
5) Execute the shellcode.
6) wait() for the process while it executes the shellcode.
7) Restore bytes in the +X location.
8) Restore registers in the process.
52. Force process grouping...
;
; setpgid(0,0); shellcode (32-bit x86 Linux, int 0x80 syscall ABI)
;
_start:
    nop                 ; nop sled
    nop
    nop
    nop
    mov eax,0x39        ; __NR_setpgid = 57
    xor ebx,ebx         ; pid  = 0 : the calling process
    xor ecx,ecx         ; pgid = 0 : same as its own pid
    int 0x80            ; enter the kernel
    db 0xcc, 0xcc       ; int3 : trap back to the debugger once done
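The eight-step injection of slides 37, 47 and 51, carried out for the setpgid(0,0) payload of slide 52 and followed by the group kill of slide 53, as an added example that is not pmcma's own code. It assumes x86-64 Linux, so the payload is the 64-bit `syscall` equivalent of the deck's 32-bit `int 0x80` stub (the deck's x86-64 port is still future work). The target is a forked child that asks to be traced, standing in for the crashed process a real tracer would PTRACE_ATTACH to; the injection site is simply the tracee's current rip, which is by construction inside a +X page.

```c
/*
 * Added example (not pmcma code): inject setpgid(0,0) into a stopped tracee,
 * let it run up to an int3, restore the original bytes and registers, then
 * take the whole group down with kill(-pid, SIGTERM).
 * Build: gcc -std=gnu99 -Wall -o inject inject.c   (x86-64 Linux only)
 */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* mov eax,109 (__NR_setpgid on x86-64) ; xor edi,edi ; xor esi,esi ; syscall ;
 * int3, padded with int3 up to two 8-byte words */
static const uint8_t SETPGID_SC[16] = {
    0xb8, 0x6d, 0x00, 0x00, 0x00, 0x31, 0xff, 0x31, 0xf6, 0x0f, 0x05,
    0xcc, 0xcc, 0xcc, 0xcc, 0xcc };
#define SC_WORDS (sizeof SETPGID_SC / sizeof(long))

static int peek_words(pid_t pid, uintptr_t addr, long *out, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        errno = 0;      /* PEEKTEXT returns the word itself; only errno reports failure */
        out[i] = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + i * sizeof(long)), 0);
        if (errno) return -1;
    }
    return 0;
}

static int poke_words(pid_t pid, uintptr_t addr, const long *in, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + i * sizeof(long)), (void *)in[i]) < 0)
            return -1;
    return 0;
}

/* Wait for the tracee to stop; returns the stop signal, or -1.  *gone is set
 * when the tracee exited or was killed (it has then already been reaped). */
static int wait_stop(pid_t pid, int *gone)
{
    int st;
    if (waitpid(pid, &st, 0) != pid) return -1;
    if (WIFSTOPPED(st)) return WSTOPSIG(st);
    *gone = 1;
    return -1;
}

/* 0 on success, otherwise a negative code naming the step that failed. */
int inject_setpgid_and_kill_group(void)
{
    struct user_regs_struct saved, regs;
    long orig[SC_WORDS], sc[SC_WORDS];
    uintptr_t site;
    int st, rc, gone = 0;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                               /* stand-in for the analysed process */
        if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0) _exit(127);
        kill(getpid(), SIGSTOP);                  /* hand control to the tracer at a known point */
        for (;;) pause();
    }
    alarm(10);                                    /* never leave the caller hanging */
    rc = -2;  if (wait_stop(pid, &gone) != SIGSTOP) goto out;
    rc = -3;  if (ptrace(PTRACE_GETREGS, pid, 0, &saved) < 0) goto out;  /* 2) save registers */
    site = saved.rip;                             /* 1) rip already sits in a +X page */
    memcpy(sc, SETPGID_SC, sizeof sc);
    rc = -4;  if (peek_words(pid, site, orig, SC_WORDS) < 0) goto out;   /* keep original bytes */
    rc = -5;  if (poke_words(pid, site, sc, SC_WORDS) < 0) goto out;     /* 3) inject shellcode */
    regs = saved;
    regs.rip = site;                              /* 4) rip -> shellcode */
    regs.orig_rax = (unsigned long long)-1;       /* no syscall-restart fixup on resume */
    rc = -6;  if (ptrace(PTRACE_SETREGS, pid, 0, &regs) < 0) goto out;
    rc = -7;  if (ptrace(PTRACE_CONT, pid, 0, 0) < 0) goto out;          /* 5) execute; SIGSTOP discarded */
    rc = -8;  if (wait_stop(pid, &gone) != SIGTRAP) goto out;            /* 6) int3 hands control back */
    rc = -9;  if (ptrace(PTRACE_GETREGS, pid, 0, &regs) < 0 || regs.rax != 0) goto out;
    rc = -10; if (poke_words(pid, site, orig, SC_WORDS) < 0) goto out;   /* 7) restore bytes */
    rc = -11; if (ptrace(PTRACE_SETREGS, pid, 0, &saved) < 0) goto out;  /* 8) restore registers */
    rc = -12; if (getpgid(pid) != pid) goto out;  /* the offspring now leads its own group */
    /* Slide 53: one signal to -pid reaches the offspring and anything it forks
     * from now on.  Detach first: a traced process only ptrace-stops on SIGTERM. */
    rc = -13; if (ptrace(PTRACE_DETACH, pid, 0, 0) < 0) goto out;
    kill(-pid, SIGTERM);
    gone = (waitpid(pid, &st, 0) == pid);
    rc = (gone && WIFSIGNALED(st) && WTERMSIG(st) == SIGTERM) ? 0 : -14;
out:
    alarm(0);
    if (rc != 0 && !gone) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    return rc;
}

int main(void)
{
    int rc = inject_setpgid_and_kill_group();
    printf("setpgid() injection + group kill: %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc != 0;
}
```

Two details matter in practice: orig_rax is set to -1 before resuming so the kernel does not apply its syscall-restart adjustment to the rip we chose, and the SIGTERM is sent only after PTRACE_DETACH, because a signal delivered to a tracee produces another ptrace stop instead of killing it.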
53. Zombie reaping : final details
From now on, to kill a process and all of its children :
kill(-pid, SIGTERM);
(a negative pid addresses the whole process group whose PGID is pid)
54. IPC, I/O, invalid syscalls
One possibility is to record correct execution on the original process (after clearing signals and ignoring the SEGFAULT).
Then replay/fake the syscalls in the offspring.
=> Minimal userland « virtualization ».
56. Exploiting invalid memory writes via function pointers
We now want to find all the function pointers called by the application from the instruction which triggered the SEGFAULT until it actually halts.
(including pointers in shared libraries!!)
57. Finding all the function pointers actually called
1) Parse all the +W memory, look for possible pointers to any section
1 bis) optionally disassemble the destination and see if it is a proper prologue.
2) use mk_fork() to create many children
3) in each child, overwrite a different possible function pointer with a canary value (0xf1f2f3f4).
4) Monitor execution of the offspring
58. Finding all the function pointers actually called
Overwritten pointer leads to execution at the canary address 0xf1f2f3f4
<=> We found a called function pointer.
60. So what can we test now ?
Invalid write anything anywhere : attacker has full control over the data written and the destination where it is written
=> GAME OVER
61. So what can we test now ?
Overflows (in any writable section but the stack) :
Simply limit the results of pmcma to this section.
62. So what can we test now ?
What if the attacker has little or no control over the data being written (arbitrary write of non-controlled data, anywhere) ?
63. Partial overwrites and pointer truncation
If we can't properly overwrite a function pointer, maybe we can still truncate one (with the data we don't control) so that it transfers execution to a controlled memory zone ?
64. Example :
--[ Function pointers exploitable by truncation with 0x41424344:
At 0xb70ce070 : 0xb70c63c2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW)
At 0xb70e40a4 : 0xb70ca8f2 will become 0xb70c4142 (lower truncated by 16 bits, dest perms:RW)
At 0xb70ec080 : 0xb70e5e02 will become 0xb70e4142 (lower truncated by 16 bits, dest perms:RW)
At 0xb731a030 : 0xb7315da2 will become 0xb7314142 (lower truncated by 16 bits, dest perms:RW)
At 0xb73230a4 : 0xb732003a will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
At 0xb732803c : 0xb7325a36 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
At 0xb76a80d8 : 0xb7325bf0 will become 0xb7324142 (lower truncated by 16 bits, dest perms:RW)
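The candidate search of slide 57 (scan +W memory for values that point into a +X mapping) followed by the truncation check of slides 63 and 64 (what a 4-byte store of data the attacker does not control turns such a pointer into when it only partly overlaps it), as an added example that is neither pmcma's code nor its output. The mapping table, the library names and the 256-byte writable snapshot are constructed to resemble the deck's 32-bit x86 layout; the first candidate reproduces the deck's "0xb70c63c2 will become 0xb70c4142" line. Step 1 bis of slide 57 (disassembling the destination for a prologue) is left out.

```c
/*
 * Added example (not pmcma code): find possible function pointers in a +W
 * snapshot, then enumerate the seven ways a 4-byte write of 0x41424344 can
 * partly overlap each one (little-endian, as on x86) and report the overlaps
 * that still leave the pointer on a mapped page.
 * Build: gcc -std=c99 -Wall -o trunc trunc.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct mapping { uint32_t start, end; const char *perms; const char *name; };

static const struct mapping MAPS[] = {            /* constructed /proc/<pid>/maps */
    { 0x08048000, 0x08050000, "r-xp", "target .text" },
    { 0x08050000, 0x08052000, "rw-p", "target .data" },
    { 0xb70c0000, 0xb70c6000, "rw-p", "liba.so .data" },
    { 0xb70c6000, 0xb70cc000, "r-xp", "libb.so .text" },
    { 0xb70cc000, 0xb70d0000, "rw-p", "libb.so .data" },
    { 0xbf8c0000, 0xbf8e0000, "rw-p", "[stack]" },
};
#define NMAPS (sizeof MAPS / sizeof MAPS[0])

/* 256 bytes of libb.so .data at 0xb70ce000 (constructed): two code pointers,
 * one stack pointer, one small integer, zeros elsewhere. */
static const uint8_t WINDOW[0x100] = {
    [0x20] = 0xb0, 0xa1, 0x04, 0x08,              /* 0x0804a1b0 -> target .text */
    [0x40] = 0x34, 0x12, 0x8d, 0xbf,              /* 0xbf8d1234 -> [stack], not code */
    [0x70] = 0xc2, 0x63, 0x0c, 0xb7,              /* 0xb70c63c2 -> libb.so .text */
    [0x90] = 0x01, 0x00, 0x00, 0x00,              /* plain integer 1 */
};
static uint32_t FOUND_ADDR[16], FOUND_VAL[16];

/* Permission string of the mapping containing addr, NULL when unmapped. */
static const char *perms_of(uint32_t addr)
{
    for (size_t i = 0; i < NMAPS; i++)
        if (addr >= MAPS[i].start && addr < MAPS[i].end) return MAPS[i].perms;
    return NULL;
}

static uint32_t load32(const uint8_t *b)
{
    return b[0] | b[1] << 8 | b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Slide 57, step 1: every aligned 4-byte value that lands in an executable
 * mapping is a possible function pointer.  Returns the number found. */
static int find_code_pointers(const uint8_t *mem, size_t len, uint32_t base,
                              uint32_t *addr_out, uint32_t *val_out, int max)
{
    int n = 0;
    for (size_t off = 0; off + 4 <= len && n < max; off += 4) {
        uint32_t v = load32(mem + off);
        const char *p = perms_of(v);
        if (p && p[2] == 'x') { addr_out[n] = base + off; val_out[n] = v; n++; }
    }
    return n;
}

/* Slides 63/64: a 4-byte store of `data` at (pointer address + off), off in
 * -3..3.  Store bytes that miss the pointer's cell are dropped, so a negative
 * off replaces the pointer's low bytes with the store's high bytes. */
static uint32_t overlap_write(uint32_t ptr, uint32_t data, int off)
{
    uint8_t cell[4], d[4];
    for (int i = 0; i < 4; i++) {
        cell[i] = (uint8_t)(ptr >> (8 * i));
        d[i] = (uint8_t)(data >> (8 * i));
    }
    for (int i = 0; i < 4; i++)
        if (off + i >= 0 && off + i < 4) cell[off + i] = d[i];
    return load32(cell);
}

/* Deck-style report for one candidate; returns how many of the seven overlaps
 * leave the pointer on a mapped page.  RW destinations are the ones to chase:
 * the attacker may be able to stage data there. */
static int report_truncations(uint32_t at, uint32_t ptr, uint32_t data, int verbose)
{
    int mapped = 0;
    for (int off = -3; off <= 3; off++) {
        uint32_t nv = overlap_write(ptr, data, off);
        const char *p = perms_of(nv);
        if (!p) continue;
        mapped++;
        if (!verbose) continue;
        if (off == 0)
            printf("At 0x%08x : 0x%08x will become 0x%08x (fully overwritten, dest perms:%s)\n",
                   at, ptr,  nv, p);
        else
            printf("At 0x%08x : 0x%08x will become 0x%08x (%s truncated by %d bits, dest perms:%s)\n",
                   at, ptr, nv, off < 0 ? "lower" : "upper", (4 - (off < 0 ? -off : off)) * 8, p);
    }
    return mapped;
}

int main(void)
{
    int n = find_code_pointers(WINDOW, sizeof WINDOW, 0xb70ce000, FOUND_ADDR, FOUND_VAL, 16);
    printf("--[ %d possible function pointers in the +W window\n", n);
    printf("--[ Function pointers exploitable by truncation with 0x41424344:\n");
    for (int i = 0; i < n; i++)
        report_truncations(FOUND_ADDR[i], FOUND_VAL[i], 0x41424344, 1);
    return 0;
}
```

A destination that is mapped RW is only the first half of the job: with W^X in place the attacker still needs the stack desynchronization or ROP steps of slides 84 and 85 to turn control of that page into execution.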
65. One more situation...
Sometimes, an attacker has limited control over the destination of the write (whether he controls the data being written or not).
Eg : 4b aligned memory writes.
66. Exploiting 4b aligned memory writes
We can't attack a function pointer directly, unless it is unaligned (rare because of compiler internals : pointers are naturally aligned).
Pmcma will still let you know if this happens ;)
67. Exploiting 4b aligned memory writes : plan B
Find all « normal » variables we can overwrite/truncate, and attempt to trigger a second bug because of this overwrite.
68. Finding all unaligned memory accesses
Setting the AC (alignment check, bit 18) flag in the EFLAGS register will trigger a signal 7 (SIGBUS) upon the next access to unaligned memory (read/write). It only takes effect in user mode, with CR0.AM set by the kernel, as Linux does.
Caveat : libc routines such as optimized memcpy() perform unaligned accesses on purpose, so expect hits that are not bugs.
71. Defeating ASLR : Automated memory mapping leakage
How did WTFuzz do it at CanSecWest 2010 to win the pwn2own contest against IE8/Windows 7 ?
Overwrite the null terminator of a JS string to perform a memory leak upon usage (trailing bytes).
72. Defeating ASLR with an arbitrary write ?
In the original process :
- use ptrace() PTRACE_SYSCALL
- record the calls to sys_write() and sys_socketcall() (wrapper to sys_send(), sys_sendto()...), including : where is the data sent from ? How many bytes ?
73. Defeating ASLR with an arbitrary write ?
Create many offspring using mk_fork().
- In each of them : overwrite a different location with dummy data.
- Follow execution using PTRACE_SYSCALL
- Monitor differences : a different address or a bigger size means a memory leak :)
75. Means of modifying the flow of execution without function pointers
Call tables.
Calling [Offset+register]
=> This is also already performed automatically using pmcma.
76. Pointers and ASLR
If overwriting a given function pointer isn't practical because of ASLR : is it possible to overwrite a pointer (in another section) to a structure containing this function pointer ?
Would this « other section » be less randomised ?
77. Finding pointers to structures containing function pointers
[diagram : a pointer in a Writable section with no ASLR points to a complex structure in a Writable section with high ASLR ; that structure holds a function pointer to void* f(a,b,c) in an Executable section]
78. Finding pointers to structures containing function pointers
We'd like to have the debugged process create a new section, with a given mapping (to make it easy to identify).
Modify a possible pointer per offspring (use mk_fork()).
Monitor execution : is the offspring calling a function pointer from our custom mapping ?
79. Forcing a process to create a new mapping :
1) Find a +X location mapped in memory.
2) Save registers
3) Use ptrace() to inject mmap() shellcode.
4) Modify registers so eip points to the shellcode.
5) Execute the shellcode.
6) wait() for the process while it executes the shellcode.
7) Restore bytes in the +X location.
8) Restore registers in the process.
81. Testing exhaustively arbitrary writes
In case all of the above failed...
Can we trigger secondary bugs by overwriting specific memory locations ?
82. Testing exhaustively arbitrary writes
Complexity is huge !
Still doable with Pmcma, with no guarantee over the time of execution.
83. Testing exhaustively arbitrary reads
In the same vein, attacker controlled invalid reads can trigger secondary bugs, which will be exploitable.
=> We can test the whole 4+ billion address search space (on 32-bit x86), or just a few evenly chosen ones.
84. Stack desynchronization
W^X is a problem.
Even if we can fully overwrite a function pointer and modify the flow of execution... what do we want to execute in 2011 ?
85. Stack desynchronization
Instead of returning directly to shellcode in a +W section (hence probably not +X) :
- Return to a function epilogue chosen so that esp will be set to user controlled data in the stack.
- Fake stack frames in the stack itself.
- Use your favorite ROP/ret2plt shellcode
86. Stack desynchronization : Example : sudo
- stack is ~1000 bytes big (at analysis time)
- we find a function pointer to overwrite (at 0x0806700c)
- we overwrite it with a carefully chosen epilogue (increments esp by more than 1000)
87. Stack desynchronization : Example : sudo
jonathan@blackbox:~$ objdump -Mintel -d /usr/bin/sudo
...
805277a: 81 c4 20 20 00 00    add esp,0x2020
8052780: 5b                   pop ebx
8052781: 5e                   pop esi
8052782: 5d                   pop ebp
8052783: c3                   ret
88. Stack desynchronization : Example : sudo
We can control the destination where esp is going to point : simply use an environment variable (environment strings sit at the top of the stack, above the frames the epilogue skips)
TOTO=mydata sudo
89. Stack desynchronization : Example : sudo
We then forge fake stack frames in the stack itself
- « Nop sled » : any pointer to 'ret'
Eg : 804997b: c3 ret
- Then copy shellcode to .bss byte by byte using memcpy via ret2plt
- Use a GOT overwrite to get a pointer to mprotect() in the GOT (ROP)
- call mprotect() to make .bss +X via ret2plt
- return to shellcode in .bss
91. Future Work
- port to more architectures (Linux x86_64 on the way, arm...)
- port to more OS (Mac OSX, *BSD)
- port to Windows (hard)
- add tests for other bug classes