During my talk at SyScan 2015 i promised to disclose among all the fail of Apple how their patches for "Patient ALPHA" actually killed a previously unknown 0-day incomplete code signing vulnerability that was just waiting to be used in the next jailbreak.
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
- Cause you aren't ready for 101.
These are the slides I used for my RailsConf 2019 workshop. It contains the lecture and some of the exercises from the workshop, although obviously it's meant to be done in person.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
SyScan 2015 - iOS 678 Security - A Study in FailStefan Esser
Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.
SyScan360 - Stefan Esser - OS X El Capitan sinking the S\H/IPStefan Esser
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow to bypass it. All weaknesses will be demoed to the audience.
Beyond xp_cmdshell: Owning the Empire through SQL ServerScott Sutherland
During this presentation, we’ll cover interesting techniques for executing operating system commands through SQL Server that can be used to avoid detection and maintain persistence during red team engagements. We’ll also talk about automating attacks through PowerShell Empire and PowerUpSQL. This will include a review of command execution through custom extended stored procedures, CLR assemblies, WMI providers, R scripts, python scripts, agent jobs, and custom ole objects. We’ll also dig into some new integrations with PowerShell Empire. All code and slide decks will be released during the presentation.
This should be interesting to blue teamers looking for a faster way to test their detective control capabilities and red teamers looking for a practical way to avoid detection while trying to maintain access to their target environments.
- Cause you aren't ready for 101.
These are the slides I used for my RailsConf 2019 workshop. It contains the lecture and some of the exercises from the workshop, although obviously it's meant to be done in person.
Ruxcon 2014 - Stefan Esser - iOS8 Containers, Sandboxes and EntitlementsStefan Esser
iOS 8 specific security talk given at Ruxcon 2014 security conference. Includes description of kernel vulnerability used to break KASLR in Pangu 7.1 + TAIG 8.1.1 jailbreaks.
SyScan 2015 - iOS 678 Security - A Study in FailStefan Esser
Talk from SyScan 2015 about Apple Security failing to patch vulnerabilities over and over again, because they have apparently no QA at all on security patches.
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
We, Keen Security Lab of Tencent, have successfully implemented two remote attacks on the Tesla Model S/X in year 2016 and 2017. Last year, at Black Hat USA, we presented the details of our first attack chain. At that time, we showed a demonstration video of our second attack chain, but without technical aspects. This year, we are willing to share our full, in-depth details on this research.
In this presentation, we will explain the inner workings of this technology and showcase the new capability that was developed in the Tesla hacking 2017. Multiple 0-days of different in-vehicle components are included in the new attack chain.
We will also present an in-depth analysis of the critical components in the Tesla car, including the Gateway, BCM(Body Control Modules), and the Autopilot ECUs. For instance, we utilized a code-signing bypass vulnerability to compromise the Gateway ECU; we also reversed and then customized the BCM to play the Model X "Holiday Show" Easter Egg for entertainment.
Finally, we will talk about a remote attack we carried out to successfully gain an unauthorized user access to the Autopilot ECU on the Tesla car by exploiting one more fascinating vulnerability. To the best of our knowledge, this presentation will be the first to demonstrate hacking into an Autopilot module.
We often need to store private data in programs, for example passwords, secret keys, and their derivatives, and we usually need to clear their traces in the memory after using them so that a potential intruder can't gain access to these data. In this article we will discuss why you can't clear private data using memset() function.
This presentation is Part 2 of 3 illustrating ARM® Cortex™ M boot sequence. Hands on illustration uses EFM®32 Zero Gecko starter kit based on Cortex M0+ core from Silicon Labs.
Simplicity Studio IDE from Silicon Labs was used to create a sample project (Bundled with Simplicity Studio), set breakpoints and inspect various entry points and other points of interest to get a introductory look at Cortex boot sequence
A Simple 3D Graphics Engine Written in Python and Allegrosnowfarthing
This document contains the source code of a graphics engine I wrote several years ago. The libraries have changed quite a bit since I first wrote it, and so I can sometimes get it to work, and sometimes I can\'t. For anyone who wishes to try to run the program as-is, good luck! It can also serve as a reference point for future work.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
This time it was the microcosm that brought us a few interesting bugs. We have checked the open-source project μManager with our analyzer PVS-Studio. This project is a software package for automated microscope image acquisition.
Intrinsics: Low-level engine development with Burst - Unite Copenhagen 2019 Unity Technologies
This session addresses how we are expanding the scope of the Burst Compiler to enable even the most demanding, hand-coded engine and gameplay problems to be expressed in HPC# via direct CPU intrinsics. Andreas shares the reasoning and use cases; as well as discussing implementation challenges, debugging, and performance along with comparisons to C++ code.
Speaker: Andreas Fredriksson - Unity
Watch the session on YouTube: https://youtu.be/BpwvXkoFcp8
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...PROIDEA
The Intel Management Engine (ME) technology was introduced in 2005. Though more than 10 years have passed, itis still very hard to find any official information about ME on the Internet. In our presentation, we explain in detail how ME 11.x uses platform keys, and about cryptographic primitives that are supported by ME 11.x.
"With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user's home, the ability to unlock a user's Mac from an Apple Watch, and the user's passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor.
Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target."
(Source: Black Hat USA 2016, Las Vegas)
Consequences of using the Copy-Paste method in C++ programming and how to dea...Andrey Karpov
I create the PVS-Studio analyzer detecting errors in source code of C/C++/C++0x software. So I have to review a large amount of source code of various applications where we detected suspicious code fragments with the help of PVS-Studio. I have collected a lot of examples demonstrating that an error occurred because of copying and modifying a code fragment. Of course, it has been known for a long time that using Copy-Paste in programming is a bad thing. But let's try to investigate this problem closely instead of limiting ourselves to just saying "do not copy the code".
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
More Related Content
Similar to SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
We, Keen Security Lab of Tencent, have successfully implemented two remote attacks on the Tesla Model S/X in year 2016 and 2017. Last year, at Black Hat USA, we presented the details of our first attack chain. At that time, we showed a demonstration video of our second attack chain, but without technical aspects. This year, we are willing to share our full, in-depth details on this research.
In this presentation, we will explain the inner workings of this technology and showcase the new capability that was developed in the Tesla hacking 2017. Multiple 0-days of different in-vehicle components are included in the new attack chain.
We will also present an in-depth analysis of the critical components in the Tesla car, including the Gateway, BCM(Body Control Modules), and the Autopilot ECUs. For instance, we utilized a code-signing bypass vulnerability to compromise the Gateway ECU; we also reversed and then customized the BCM to play the Model X "Holiday Show" Easter Egg for entertainment.
Finally, we will talk about a remote attack we carried out to successfully gain an unauthorized user access to the Autopilot ECU on the Tesla car by exploiting one more fascinating vulnerability. To the best of our knowledge, this presentation will be the first to demonstrate hacking into an Autopilot module.
We often need to store private data in programs, for example passwords, secret keys, and their derivatives, and we usually need to clear their traces in the memory after using them so that a potential intruder can't gain access to these data. In this article we will discuss why you can't clear private data using memset() function.
This presentation is Part 2 of 3 illustrating ARM® Cortex™ M boot sequence. Hands on illustration uses EFM®32 Zero Gecko starter kit based on Cortex M0+ core from Silicon Labs.
Simplicity Studio IDE from Silicon Labs was used to create a sample project (Bundled with Simplicity Studio), set breakpoints and inspect various entry points and other points of interest to get a introductory look at Cortex boot sequence
A Simple 3D Graphics Engine Written in Python and Allegrosnowfarthing
This document contains the source code of a graphics engine I wrote several years ago. The libraries have changed quite a bit since I first wrote it, and so I can sometimes get it to work, and sometimes I can\'t. For anyone who wishes to try to run the program as-is, good luck! It can also serve as a reference point for future work.
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
This time it was the microcosm that brought us a few interesting bugs. We have checked the open-source project μManager with our analyzer PVS-Studio. This project is a software package for automated microscope image acquisition.
Intrinsics: Low-level engine development with Burst - Unite Copenhagen 2019 Unity Technologies
This session addresses how we are expanding the scope of the Burst Compiler to enable even the most demanding, hand-coded engine and gameplay problems to be expressed in HPC# via direct CPU intrinsics. Andreas shares the reasoning and use cases; as well as discussing implementation challenges, debugging, and performance along with comparisons to C++ code.
Speaker: Andreas Fredriksson - Unity
Watch the session on YouTube: https://youtu.be/BpwvXkoFcp8
Beyond php - it's not (just) about the codeWim Godden
Most PHP developers focus on writing code. But creating Web applications is about much more than just wrting PHP. Take a step outside the PHP cocoon and into the big PHP ecosphere to find out how small code changes can make a world of difference on servers and network. This talk is an eye-opener for developers who spend over 80% of their time coding, debugging and testing.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
We all make mistakes while programming and spend a lot of time fixing them.
One of the methods which allows for quick detection of defects is source code static analysis.
CONFidence 2018: Intel ME: Security keys Genealogy, Obfuscation and other Mag...PROIDEA
The Intel Management Engine (ME) technology was introduced in 2005. Though more than 10 years have passed, itis still very hard to find any official information about ME on the Internet. In our presentation, we explain in detail how ME 11.x uses platform keys, and about cryptographic primitives that are supported by ME 11.x.
"With over a billion active devices and in-depth security protections spanning every layer from silicon to software, Apple works to advance the state of the art in mobile security with every release of iOS. We will discuss three iOS security mechanisms in unprecedented technical detail, offering the first public discussion of one of them new to iOS 10
HomeKit, Auto Unlock and iCloud Keychain are three Apple technologies that handle exceptionally sensitive user data – controlling devices (including locks) in the user's home, the ability to unlock a user's Mac from an Apple Watch, and the user's passwords and credit card information, respectively. We will discuss the cryptographic design and implementation of our novel secure synchronization fabric which moves confidential data between devices without exposing it to Apple, while affording the user the ability to recover data in case of device loss.
Data Protection is the cryptographic system protecting user data on all iOS devices. We will discuss the Secure Enclave Processor present in iPhone 5S and later devices and explain how it enabled a new approach to Data Protection key derivation and brute force rate limiting within a small TCB, making no intermediate or derived keys available to the normal Application Processor.
Traditional browser-based vulnerabilities are becoming harder to exploit due to increasingly sophisticated mitigation techniques. We will discuss a unique JIT hardening mechanism in iOS 10 that makes the iOS Safari JIT a more difficult target."
(Source: Black Hat USA 2016, Las Vegas)
Consequences of using the Copy-Paste method in C++ programming and how to dea...Andrey Karpov
I create the PVS-Studio analyzer detecting errors in source code of C/C++/C++0x software. So I have to review a large amount of source code of various applications where we detected suspicious code fragments with the help of PVS-Studio. I have collected a lot of examples demonstrating that an error occurred because of copying and modifying a code fragment. Of course, it has been known for a long time that using Copy-Paste in programming is a bad thing. But let's try to investigate this problem closely instead of limiting ourselves to just saying "do not copy the code".
Climate Impact of Software Testing at Nordic Testing DaysKari Kakkonen
My slides at Nordic Testing Days 6.6.2024
Climate impact / sustainability of software testing discussed on the talk. ICT and testing must carry their part of global responsibility to help with the climat warming. We can minimize the carbon footprint but we can also have a carbon handprint, a positive impact on the climate. Quality characteristics can be added with sustainability, and then measured continuously. Test environments can be used less, and in smaller scale and on demand. Test techniques can be used in optimizing or minimizing number of tests. Test automation can be used to speed up testing.
In his public lecture, Christian Timmerer provides insights into the fascinating history of video streaming, starting from its humble beginnings before YouTube to the groundbreaking technologies that now dominate platforms like Netflix and ORF ON. Timmerer also presents provocative contributions of his own that have significantly influenced the industry. He concludes by looking at future challenges and invites the audience to join in a discussion.
Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank
Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Removing Uninteresting Bytes in Software FuzzingAftab Hussain
Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process.
In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds.
- These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
Epistemic Interaction - tuning interfaces to provide information for AI supportAlan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Dr. Sean Tan, Head of Data Science, Changi Airport Group
Discover how Changi Airport Group (CAG) leverages graph technologies and generative AI to revolutionize their search capabilities. This session delves into the unique search needs of CAG’s diverse passengers and customers, showcasing how graph data structures enhance the accuracy and relevance of AI-generated search results, mitigating the risk of “hallucinations” and improving the overall customer journey.
SyScan 2015 Bonus Slides - death of the vmsize=0 dyld trick
1. death of the vmsize=0 dyld trick
(one more way to persist on your iPhone killed)
SyScan 2015 Bonus Slides
Stefan Esser <stefan.esser@sektioneins.de>
http://www.sektioneins.de
2. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
Who am I?
Stefan Esser
• from Cologne / Germany
• in information security since 1998
• invested in PHP security from 2001 to 20xx
• since 2010 focused on iPhone security (ASLR/jailbreak)
• founder of SektionEins GmbH
2
3. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
Introduction
• at SyScan 2015 I made a talk about
• how Apple failed to fix vulnerabilities used in iOS 678 jailbreaks over and over again
• how and why Chinese jailbreak teams took over the jb scene in 2014
• during the talk I discussed “Patient ALPHA” an incomplete code signing bug that
Apple failed to analyse correctly and therefore had to issue 4 security updates for
• during the talk I also promised to disclose another incomplete code signing
vulnerability that Apple closed by accident with their patches for “Patient ALPHA”
• we should be fair in information security and not only discuss fail, but also
show how they killed a bug (even if they most probably did not know about it)
3
4. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
Incomplete Codesigning
• simplified:
• if a page is not executable a missing code sig is not a problem
• if a page is executable there must be a code sig on first access
• prior to iOS 5 therefore jailbreaks would use ALL DATA dylibs to
exploit dyld via various meta-data structures
• around the end of iOS 4 Apple added checks to dyld to enforce load
commands are in an executable segment
• therefore while header parsing (first access) code sig is required
4
5. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
mach-o dynamic library loading
• mach-o dynamic libraries loaded by dyld
• load commands describe i.a. layout of
segments in memory
• virtual address and
virtual size of segments
• file position and
file size of segment
5
6. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
Wait a second …
• actually it is not that simple
• mach-o header is first loaded into stack
• initial LC parse is performed to collect info
• this info is used to map the file into memory
• segments are touched to enforce code sig
• another LC parse is performed to make dyld
use the mach-o header from paged memory
• more and more parsing
6
7. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
TOCTOU Problems
• this chain of events has some TOCTOU
(Time of Check Time of Use) problems
• attacking the code flow between
sniffLoadCommands and
crashIfInvalidCodesignature
• tricking e.g. mapSegments
• evad3rs tricked that function first, but
they went after replacing segment
mappings or stripping the X flag
• however there was a 0-day that tricked
this whole logic in a different way
7
8. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
mapSegments
• mapSegments goes through the list of known
segments and maps them one by one
• count of segments is calculated inside the
sniffLoadCommands functions
• mapSegments fully relies on that count
• apparently there will be problems if
sniffLoadCommands is counting the segments
wrong
8
9. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
sniffLoadCommands and Segment Counting
• code inside sniffLoadCommands counts LC_SEGMENT_COMMAND commands
• but it ignores segments if their VMSIZE is 0
9
switch (cmd->cmd) {
case LC_DYLD_INFO:
case LC_DYLD_INFO_ONLY:
*compressed = true;
break;
case LC_SEGMENT_COMMAND:
segCmd = (struct macho_segment_command*)cmd;
// ignore zero-sized segments
if ( segCmd->vmsize != 0 )
*segCount += 1;
// <rdar://problem/7942521> all load commands must be in an executable segment
if ( context.codeSigningEnforced && (segCmd->fileoff < mh->sizeofcmds) && (segCmd->filesize != 0) ) {
if ( (segCmd->fileoff != 0) || (segCmd->filesize < (mh->sizeofcmds+sizeof(macho_header))) )
dyld::throwf("malformed mach-o image: segment %s does not span al…”, segCmd->segname);
10. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
ImageLoaderMachO::ImageLoaderMachO (I)
• inside the constructor of ImageLoaderMachO the addresses of the
LC_SEGMENT_COMMAND load commands are put into a cache
• this is done to easier traverse through the list of segments
• the code also ignores segments with a VMSIZE=0
• IMPORTANT: this means that if the segment containing load commands has
vmsize=0 it is not in list of segments and will not be traversed by later code
10
// construct SegmentMachO object for each LC_SEGMENT cmd using "placement new" to put
// each SegmentMachO object in array at end of ImageLoaderMachO object
const uint32_t cmd_count = mh->ncmds;
const struct load_command* const cmds = (struct load_command*)&fMachOData[sizeof(macho_header)];
const struct load_command* cmd = cmds;
for (uint32_t i = 0, segIndex=0; i < cmd_count; ++i) {
if ( cmd->cmd == LC_SEGMENT_COMMAND ) {
const struct macho_segment_command* segCmd = (struct macho_segment_command*)cmd;
// ignore zero-sized segments
if ( segCmd->vmsize != 0 ) {
// record offset of load command
segOffsets[segIndex++] = (uint32_t)((uint8_t*)segCmd - fMachOData);
}
}
cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
}
11. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
ImageLoaderMachO::ImageLoaderMachO (II)
• IMPORTANT: internally all accesses to the mach-o header go through fMachOData
• so initially it is set to the stack
(which is not executable and therefore requires no code signature)
• later on it is supposed to be pointing to the mapped executable segment containing
the load commands
11
// construct SegmentMachO object for each LC_SEGMENT cmd using "placement new" to put
// each SegmentMachO object in array at end of ImageLoaderMachO object
const uint32_t cmd_count = mh->ncmds;
const struct load_command* const cmds = (struct load_command*)&fMachOData[sizeof(macho_header)];
const struct load_command* cmd = cmds;
for (uint32_t i = 0, segIndex=0; i < cmd_count; ++i) {
if ( cmd->cmd == LC_SEGMENT_COMMAND ) {
const struct macho_segment_command* segCmd = (struct macho_segment_command*)cmd;
// ignore zero-sized segments
if ( segCmd->vmsize != 0 ) {
// record offset of load command
segOffsets[segIndex++] = (uint32_t)((uint8_t*)segCmd - fMachOData);
}
}
cmd = (const struct load_command*)(((char*)cmd)+cmd->cmdsize);
}
12. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
mapSegments mapping segments
• mapSegments traverses ONLY the cached list of LC_SEGMENT_COMMANDS
• any segment that had a vmsize=0 will never be mapped (because they are not in there)
12
// map in all segments
for(unsigned int i=0, e=segmentCount(); i < e; ++i) {
vm_offset_t fileOffset = segFileOffset(i) + offsetInFat;
vm_size_t size = segFileSize(i);
uintptr_t requestedLoadAddress = segPreferredLoadAddress(i) + slide;
...
void* loadAddress = xmmap((void*)requestedLoadAddress, size, protection,
MAP_FIXED | MAP_PRIVATE, fd, fileOffset);
if ( loadAddress == ((void*)(-1)) ) {
dyld::throwf("mmap() error %d at address=0x%08lX, size=0x%08lX segment=%s in
Segment::map() mapping %s",
errno, requestedLoadAddress, (uintptr_t)size, segName(i), getPath());
}
}
…
}
13. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
crashIfInvalidCodeSignature
• because the executable segment with the load commands had vmsize=0
it is never in the segment list and therefore never touched in here
• therefore there is no crash on invalid code signature
13
int ImageLoaderMachO::crashIfInvalidCodeSignature()
{
// Now that segments are mapped in, try reading from first executable segment.
// If code signing is enabled the kernel will validate the code signature
// when paging in, and kill the process if invalid.
for(unsigned int i=0; i < fSegmentsCount; ++i) {
if ( (segFileOffset(i) == 0) && (segFileSize(i) != 0) ) {
// return read value to ensure compiler does not optimize away load
int* p = (int*)segActualLoadAddress(i);
return *p;
}
}
return 0;
}
14. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
parseLoadCmds
• is called by instantiateFinish
• it should set the fMachOData pointer to the mapped executable segment
• but because our LC segment with vmsize=0 is never in that list this never happens
• this means fMachOData keeps pointing to the stack copy of mach-o header
• there will never be access to an
executable segment = code signing bypassed = WIN !!!
14
void ImageLoaderMachO::parseLoadCmds()
{
// now that segments are mapped in, get real fMachOData, fLinkEditBase, and fSlide
for(unsigned int i=0; i < fSegmentsCount; ++i) {
...
// some segment always starts at beginning of file and contains mach_header and ..
if ( (segFileOffset(i) == 0) && (segFileSize(i) != 0) ) {
fMachOData = (uint8_t*)(segActualLoadAddress(i));
}
}
15. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
Conclusion
• it was trivial to bypass the dynamic linkers security checks
• the trick was to give the load command segment a vmsize=0
• Apple accidentally killed that trick by enforcing that vmsize > filesize
• one less way attackers can use to persist on iDevices to surveil you
• while this fix is most probably an accident Apple did good here :)
15
16. Stefan Esser • death of the vmsize=0 trick - SyScan Bonus Slides • March 2015 •
Questions
?
16