This document provides definitions for various hacking, security, and IT jargon terms in a dictionary-like format. It includes explanations of common hacker terms like cipher, disinformation, drive-by download, dropper, dumpster diving, and others. The creator provides this resource to help people in information security, system administration, and development understand hacking terminology and what various malicious acts mean. Feedback is requested on this new approach of sharing jargon definitions.
Humla workshop on Android Security Testing by Sai Sathya narayan Venkatraman, MWR Infosecurity
This workshop gives you hands on experience in identifying and exploiting the latest categories of vulnerabilities against modern Android applications based on real world examples. You’ll use the latest testing tools to assess, unravel and exploit applications, and learn about vulnerability classes unique to Android.
You will learn:-
-To analyze applications from an attacker’s perspective.
- Basic understanding of the latest attack vectors against Android applications
- To perform black box security assessments against real world applications using the latest and widely used tools
more info here http://www.meetup.com/Null-Singapore-The-Open-Security-Community/events/229931768/
This document provides an overview of VPN penetration testing. It begins with an introduction of the presenter and agenda. It then defines what a VPN is and why they are used. The main types of VPN protocols covered are PPTP, IPSec, SSL, and hybrid VPNs. Details are given about each protocol type. The document also discusses VPN traffic, applications, and potential issues like weak encryption, brute force attacks, lack of data integrity checks, and port failures leading to data leaks. Contact information is provided at the end.
This document provides an overview of setting up an iOS penetration testing environment and common techniques for analyzing iOS applications. It discusses jailbreaking a device and installing useful tools. It also covers understanding the iOS file system and Objective-C runtime, using tools like Cycript and class-dump-z to enable runtime analysis and manipulation. The document describes insecure data storage techniques like plist files, NSUserDefaults, and CoreData that store unencrypted data. It also discusses analyzing network traffic and automated testing.
The document discusses security challenges with the growing Internet of Things. It notes that connected devices are expanding into many areas like homes, healthcare, and cars. However, this increased connectivity also expands the potential attack surface for cybercriminals. The document outlines four dimensions of risk for connected devices - create, recommend, acquire, accommodate - depending on an organization's role. It recommends prioritizing security measures like integrating security early in device design and defining clear liabilities. Most importantly, the document argues that IoT security cannot just apply traditional IT security practices and must account for the unique characteristics of different devices and use cases.
Cross-site scripting (XSS) attacks are a type of injection where malicious scripts are injected into otherwise benign websites. There are three main types of XSS attacks: reflected XSS occurs when scripts are injected via URL parameters and executed when the page is loaded; stored XSS occurs when scripts are saved to a database and executed on page load; DOM-based XSS occurs when scripts modify the DOM environment and execute unexpectedly. XSS can be used to hijack sessions, perform phishing, keylogging, and CSRF attacks. Input validation, output encoding, and content security policies can help prevent XSS.
An Instagram researcher hacked the Instagram server and accessed employee credentials. Juniper firewalls contained an unauthorized code backdoor since 2012. A 19-year-old hacked an airline's website and stole $150,000 by selling fake tickets. 13 million MacKeeper users had their data exposed in an unsecured database. Anonymous declared war on Donald Trump by DDoSing his websites. A Linux vulnerability allowed hacking by pressing backspace 28 times to exploit the Grub2 bootloader.
This document provides definitions for various hacking, security, and IT jargon terms in a dictionary-like format. It includes explanations of common hacker terms like cipher, disinformation, drive-by download, dropper, dumpster diving, and others. The creator provides this resource to help people in information security, system administration, and development understand hacking terminology and what various malicious acts mean. Feedback is requested on this new approach of sharing jargon definitions.
Humla workshop on Android Security Testing by Sai Sathya narayan Venkatraman, MWR Infosecurity
This workshop gives you hands on experience in identifying and exploiting the latest categories of vulnerabilities against modern Android applications based on real world examples. You’ll use the latest testing tools to assess, unravel and exploit applications, and learn about vulnerability classes unique to Android.
You will learn:-
-To analyze applications from an attacker’s perspective.
- Basic understanding of the latest attack vectors against Android applications
- To perform black box security assessments against real world applications using the latest and widely used tools
more info here http://www.meetup.com/Null-Singapore-The-Open-Security-Community/events/229931768/
This document provides an overview of VPN penetration testing. It begins with an introduction of the presenter and agenda. It then defines what a VPN is and why they are used. The main types of VPN protocols covered are PPTP, IPSec, SSL, and hybrid VPNs. Details are given about each protocol type. The document also discusses VPN traffic, applications, and potential issues like weak encryption, brute force attacks, lack of data integrity checks, and port failures leading to data leaks. Contact information is provided at the end.
This document provides an overview of setting up an iOS penetration testing environment and common techniques for analyzing iOS applications. It discusses jailbreaking a device and installing useful tools. It also covers understanding the iOS file system and Objective-C runtime, using tools like Cycript and class-dump-z to enable runtime analysis and manipulation. The document describes insecure data storage techniques like plist files, NSUserDefaults, and CoreData that store unencrypted data. It also discusses analyzing network traffic and automated testing.
The document discusses security challenges with the growing Internet of Things. It notes that connected devices are expanding into many areas like homes, healthcare, and cars. However, this increased connectivity also expands the potential attack surface for cybercriminals. The document outlines four dimensions of risk for connected devices - create, recommend, acquire, accommodate - depending on an organization's role. It recommends prioritizing security measures like integrating security early in device design and defining clear liabilities. Most importantly, the document argues that IoT security cannot just apply traditional IT security practices and must account for the unique characteristics of different devices and use cases.
Cross-site scripting (XSS) attacks are a type of injection where malicious scripts are injected into otherwise benign websites. There are three main types of XSS attacks: reflected XSS occurs when scripts are injected via URL parameters and executed when the page is loaded; stored XSS occurs when scripts are saved to a database and executed on page load; DOM-based XSS occurs when scripts modify the DOM environment and execute unexpectedly. XSS can be used to hijack sessions, perform phishing, keylogging, and CSRF attacks. Input validation, output encoding, and content security policies can help prevent XSS.
An Instagram researcher hacked the Instagram server and accessed employee credentials. Juniper firewalls contained an unauthorized code backdoor since 2012. A 19-year-old hacked an airline's website and stole $150,000 by selling fake tickets. 13 million MacKeeper users had their data exposed in an unsecured database. Anonymous declared war on Donald Trump by DDoSing his websites. A Linux vulnerability allowed hacking by pressing backspace 28 times to exploit the Grub2 bootloader.
Over 1.5 million customer records were stolen from T-Mobile Czech Republic by an employee. The records included names, email addresses, account numbers, but not location or traffic data. T-Mobile claims the perpetrator was caught trying to sell the database.
A hacking group in Russia allegedly used malware called Lurk to steal over 1.7 billion roubles (US $25.4 million) from bank accounts in Russia. Authorities arrested 50 people in connection with the scheme.
Github warned that a number of user accounts had been compromised through a password reuse attack related to recent data breaches at LinkedIn, MySpace, Tumblr and other sites that exposed over 642 million passwords.
Exploitation involves programming the "weird machine" created when memory is corrupted, transforming invalid program states via interactions. Programs can be viewed as implicit state machines, and exploitation is reaching a state violating security assumptions. Static analysis and input generation often ignore these implicit state machines, failing to account for how program state affects control flow and feasibility of paths. Fully automating exploitation requires understanding complex state transitions, which current tools and theory do not address.
Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
This document discusses the difficulty of determining if a computer system is compromised. It outlines several checks that could be done to verify control, such as verifying signatures on software binaries, firmware, and scripts. However, it finds that all of these checks ultimately fail due to issues like a lack of transparency, lack of standardization, and the potential for signing keys to be stolen without detection. It argues that fundamental changes are needed to infrastructure and practices to enable determining control, such as reducing the number of trusted code signing authorities, increasing transparency in software updates and signing processes, and reducing opacity in firmware and coprocessors.
This document discusses OAuth, which is an authorization protocol that allows third-party applications to access user data without requiring username and passwords. It explains key OAuth concepts like clients, resource owners, authorization servers, and resource servers. The document also covers the different grant types in OAuth like authorization code, implicit, resource owner password credentials, and client credentials. It emphasizes that OAuth tokens should be encrypted, random, and signed to ensure security.
Firewalking is a network security technique that uses traceroute principles to determine which layer 4 protocols a firewall will allow by sending packets with incrementing TTL values. It has two phases: first, it discovers the network topology and identifies the target gateway using traceroute; second, it scans the gateway by sending TCP/UDP packets with the TTL set to the gateway plus one, and analyzes the responses to map open ports. Concerns about firewalking include potential false negatives if hosts are down or packets get dropped, while mitigations for networks include disabling ICMP TTL exceeded messages, using NAT/proxy, and tools like Firewalk and Nmap scripts can perform firewalking scans.
The document discusses steganography, which is hiding secret messages within other harmless-looking files or messages. It describes how steganography embeds information in a way that prevents unauthorized parties from even knowing a hidden message has been sent. The document outlines some common techniques for hiding information in digital images, such as modifying least significant bits or using masking and filtering algorithms. It also notes that steganography can be used for confidential communication and secret data storage. Finally, it discusses how Python can be used to implement steganography, listing several Python modules like binascii, getpass, simplecrypt, and Pillow that are useful for steganography applications.
INTELLIGENT FACE RECOGNITION TECHNIQUESChirag Jain
Face recognition is a form of biometric identification. A biometrics is, “Automated methods of recognizing an individual based on their unique physical or behavioral characteristics.” The process of facial recognition involves automated methods to determine identity, using facial features as essential elements of distinction.
The document discusses defining what constitutes an "exploit" in computer security. It begins by noting that while exploits are a central concept, there is no agreed upon definition. It then examines two potential implementations of a simple intended finite state machine (IFSM) for storing passwords and secrets - a flat array implementation and a linked list implementation. It demonstrates how an attacker could exploit the linked list implementation under a chosen-bitflip-once attacker model by corrupting a single bit of memory to rearrange the linked list and retrieve a secret without knowing the correct password. The document aims to introduce a theoretical framework for reasoning about exploits and differentiating between provably exploitable and unexploitable code.
A firewall is a device that controls what gets in and comes out of our network. The firewall is placed between an organization network and the outside world.
This document discusses RESTful web services and provides guidance on testing them. It defines REST and its key aspects, including resources, verbs, media types and status codes. It outlines common problems with REST penetration testing and recommends using tools like cURL and browser add-ons for testing. The document also covers authentication, authorization, input validation, output encoding and other important areas to focus testing on.
The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.
This document discusses the history and evolution of computing technologies from ancient mechanical devices to modern electronic systems. It begins with early mechanical computers from ancient Greece and progresses through developments like Babbage's Difference Engine, early electronic computers, and integrated circuits. The document notes that modern computing platforms involve contributions from global teams and enterprises, with most technologies being reused to improve productivity. It argues that businesses must focus on competitive products rather than technology for its own sake, and that designer productivity has become the main driver of technology advancement as complexity increases exponentially with Moore's Law.
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SBrandon Liu
Implementing a fixed point int16_t integer matrix vector multiplication kernel for Intel processors with AVX-512 and the Xbyak just-in-time compiler (what Intel MKL jit_cgemm uses)
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...Codemotion
In this talk Gerbert will give an overview of Artificial Intelligence, outline the current state of the art in research and explain what it takes to actually do an AI project. Using practical cases and tools he will give you insight in the phases of an AI project and explain some of the problems you might encounter along the way and how you might be able to solve them.
Building a Tensorflow-based model that extracts the "best" frames from a video, which are then used as auto-generated thumbnails and thumbstrips. We used transfer learning on Google's Inceptionv3 model, which was pretrained with ImageNet data and retrained on JW Player's thumbnail library.
The document summarizes a talk on future high performance microprocessors. It discusses how multi-core chips came to be due to limitations in improving single core performance. It argues that multi-core is not a true solution and that breaking down abstraction layers between software and hardware is needed to fully utilize increasing transistor counts. The talk proposes designing microprocessors with a few high-performance cores, many simple cores, and specialized accelerators, along with multiple programming interfaces.
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...PROIDEA
Having more than a hundred loosely coupled microservices leads to a big challenge when it comes to resiliency testing. In a probabilistic system a failure is inevitable. With a help of Docker and the environment around we've built a framework which allowed us to test core components of Base for network issues, partitions, etc. Learn how you can build it and sleep well without system outages.
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2pjvrpW.
Joe Duffy talks about the concurrency's explosion onto the mainstream over the past 15 years. He looks at some of today's hottest trends (Cloud, IoT, Microservices) and attempts to predict what lies ahead not only for concurrent programming, but also distributed, from now to 15 years into the future. Filmed at qconlondon.com.
Joe Duffy is Director of Engineering for the Compiler and Language Group at Microsoft. He leads the teams building C++, C#, VB, and F# languages, compilers, and static analysis platforms, across many architectures and platforms.
Chaos Engineering: Injecting Failure for Building Resilience in SystemsYury Roa
This document discusses chaos engineering and building resilient systems. It defines chaos engineering as experimenting in production to reveal weaknesses and build confidence in resilience. Some key principles of chaos engineering are discussed, such as having steady state periods between experiments and formulating hypotheses before experiments. Game days are mentioned where engineers take on roles like master of disaster to experiment with failures. The goal of chaos engineering is to design systems that can withstand failures through practices like circuit breaking and observability.
This document discusses using machine learning to detect ransomware through analyzing microbehaviors rather than static signatures. It introduces the concept of using machine learning for cybersecurity and labeling data to help algorithms learn. The document then discusses modeling ransomware behaviors like file system modifications and callbacks. It outlines a plan to take labeled exploit and benign traffic data, extract microbehaviors, use machine learning to detect anomalies, and generate indicators of compromise.
Over 1.5 million customer records were stolen from T-Mobile Czech Republic by an employee. The records included names, email addresses, account numbers, but not location or traffic data. T-Mobile claims the perpetrator was caught trying to sell the database.
A hacking group in Russia allegedly used malware called Lurk to steal over 1.7 billion roubles (US $25.4 million) from bank accounts in Russia. Authorities arrested 50 people in connection with the scheme.
Github warned that a number of user accounts had been compromised through a password reuse attack related to recent data breaches at LinkedIn, MySpace, Tumblr and other sites that exposed over 642 million passwords.
Exploitation involves programming the "weird machine" created when memory is corrupted, transforming invalid program states via interactions. Programs can be viewed as implicit state machines, and exploitation is reaching a state violating security assumptions. Static analysis and input generation often ignore these implicit state machines, failing to account for how program state affects control flow and feasibility of paths. Fully automating exploitation requires understanding complex state transitions, which current tools and theory do not address.
Halvar Flake: Why Johnny can’t tell if he is compromisedArea41
This document discusses the difficulty of determining if a computer system is compromised. It outlines several checks that could be done to verify control, such as verifying signatures on software binaries, firmware, and scripts. However, it finds that all of these checks ultimately fail due to issues like a lack of transparency, lack of standardization, and the potential for signing keys to be stolen without detection. It argues that fundamental changes are needed to infrastructure and practices to enable determining control, such as reducing the number of trusted code signing authorities, increasing transparency in software updates and signing processes, and reducing opacity in firmware and coprocessors.
This document discusses OAuth, which is an authorization protocol that allows third-party applications to access user data without requiring username and passwords. It explains key OAuth concepts like clients, resource owners, authorization servers, and resource servers. The document also covers the different grant types in OAuth like authorization code, implicit, resource owner password credentials, and client credentials. It emphasizes that OAuth tokens should be encrypted, random, and signed to ensure security.
Firewalking is a network security technique that uses traceroute principles to determine which layer 4 protocols a firewall will allow by sending packets with incrementing TTL values. It has two phases: first, it discovers the network topology and identifies the target gateway using traceroute; second, it scans the gateway by sending TCP/UDP packets with the TTL set to the gateway plus one, and analyzes the responses to map open ports. Concerns about firewalking include potential false negatives if hosts are down or packets get dropped, while mitigations for networks include disabling ICMP TTL exceeded messages, using NAT/proxy, and tools like Firewalk and Nmap scripts can perform firewalking scans.
The document discusses steganography, which is hiding secret messages within other harmless-looking files or messages. It describes how steganography embeds information in a way that prevents unauthorized parties from even knowing a hidden message has been sent. The document outlines some common techniques for hiding information in digital images, such as modifying least significant bits or using masking and filtering algorithms. It also notes that steganography can be used for confidential communication and secret data storage. Finally, it discusses how Python can be used to implement steganography, listing several Python modules like binascii, getpass, simplecrypt, and Pillow that are useful for steganography applications.
INTELLIGENT FACE RECOGNITION TECHNIQUESChirag Jain
Face recognition is a form of biometric identification. A biometrics is, “Automated methods of recognizing an individual based on their unique physical or behavioral characteristics.” The process of facial recognition involves automated methods to determine identity, using facial features as essential elements of distinction.
The document discusses defining what constitutes an "exploit" in computer security. It begins by noting that while exploits are a central concept, there is no agreed upon definition. It then examines two potential implementations of a simple intended finite state machine (IFSM) for storing passwords and secrets - a flat array implementation and a linked list implementation. It demonstrates how an attacker could exploit the linked list implementation under a chosen-bitflip-once attacker model by corrupting a single bit of memory to rearrange the linked list and retrieve a secret without knowing the correct password. The document aims to introduce a theoretical framework for reasoning about exploits and differentiating between provably exploitable and unexploitable code.
A firewall is a device that controls what gets in and comes out of our network. The firewall is placed between an organization network and the outside world.
This document discusses RESTful web services and provides guidance on testing them. It defines REST and its key aspects, including resources, verbs, media types and status codes. It outlines common problems with REST penetration testing and recommends using tools like cURL and browser add-ons for testing. The document also covers authentication, authorization, input validation, output encoding and other important areas to focus testing on.
The document provides an overview of a presentation on pentesting REST APIs. The presentation will cover basic theory, personal experience, methodology, tools used, test beds, example vulnerabilities, common findings, and include hands-on demos. The presentation will discuss both SOAP and REST APIs, pentesting approaches, tools like Postman and Burp Suite, example test beds like Hackazon and Mutillidae, and common API vulnerabilities like information disclosure, IDOR, and token issues.
This document discusses the history and evolution of computing technologies from ancient mechanical devices to modern electronic systems. It begins with early mechanical computers from ancient Greece and progresses through developments like Babbage's Difference Engine, early electronic computers, and integrated circuits. The document notes that modern computing platforms involve contributions from global teams and enterprises, with most technologies being reused to improve productivity. It argues that businesses must focus on competitive products rather than technology for its own sake, and that designer productivity has become the main driver of technology advancement as complexity increases exponentially with Moore's Law.
How I Sped up Complex Matrix-Vector Multiplication: Finding Intel MKL's "SBrandon Liu
Implementing a fixed point int16_t integer matrix vector multiplication kernel for Intel processors with AVX-512 and the Xbyak just-in-time compiler (what Intel MKL jit_cgemm uses)
Artificial Intelligence in practice - Gerbert Kaandorp - Codemotion Amsterdam...Codemotion
In this talk Gerbert will give an overview of Artificial Intelligence, outline the current state of the art in research and explain what it takes to actually do an AI project. Using practical cases and tools he will give you insight in the phases of an AI project and explain some of the problems you might encounter along the way and how you might be able to solve them.
Building a Tensorflow-based model that extracts the "best" frames from a video, which are then used as auto-generated thumbnails and thumbstrips. We used transfer learning on Google's Inceptionv3 model, which was pretrained with ImageNet data and retrained on JW Player's thumbnail library.
The document summarizes a talk on future high performance microprocessors. It discusses how multi-core chips came to be due to limitations in improving single core performance. It argues that multi-core is not a true solution and that breaking down abstraction layers between software and hardware is needed to fully utilize increasing transistor counts. The talk proposes designing microprocessors with a few high-performance cores, many simple cores, and specialized accelerators, along with multiple programming interfaces.
JDD 2016 - Jedrzej Dabrowa - Distributed System Fault Injection Testing With ...PROIDEA
Having more than a hundred loosely coupled microservices leads to a big challenge when it comes to resiliency testing. In a probabilistic system a failure is inevitable. With a help of Docker and the environment around we've built a framework which allowed us to test core components of Base for network issues, partitions, etc. Learn how you can build it and sleep well without system outages.
Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2pjvrpW.
Joe Duffy talks about the concurrency's explosion onto the mainstream over the past 15 years. He looks at some of today's hottest trends (Cloud, IoT, Microservices) and attempts to predict what lies ahead not only for concurrent programming, but also distributed, from now to 15 years into the future. Filmed at qconlondon.com.
Joe Duffy is Director of Engineering for the Compiler and Language Group at Microsoft. He leads the teams building C++, C#, VB, and F# languages, compilers, and static analysis platforms, across many architectures and platforms.
Chaos Engineering: Injecting Failure for Building Resilience in SystemsYury Roa
This document discusses chaos engineering and building resilient systems. It defines chaos engineering as experimenting in production to reveal weaknesses and build confidence in resilience. Some key principles of chaos engineering are discussed, such as having steady state periods between experiments and formulating hypotheses before experiments. Game days are mentioned where engineers take on roles like master of disaster to experiment with failures. The goal of chaos engineering is to design systems that can withstand failures through practices like circuit breaking and observability.
This document discusses using machine learning to detect ransomware through analyzing microbehaviors rather than static signatures. It introduces the concept of using machine learning for cybersecurity and labeling data to help algorithms learn. The document then discusses modeling ransomware behaviors like file system modifications and callbacks. It outlines a plan to take labeled exploit and benign traffic data, extract microbehaviors, use machine learning to detect anomalies, and generate indicators of compromise.
Rust is a systems programming language developed by Mozilla that provides memory safety without garbage collection. It uses concepts of ownership and borrowing to ensure memory safety issues like use-after-free do not occur. Rust offers zero-cost abstractions meaning abstraction mechanisms like generics have little to no performance overhead. It allows high levels of concurrency but requires memory references be valid during their entire lifetime.
Virtual Machines Security Internals: Detection and ExploitationMattia Salvi
This paper is an analysis of the current state of virtual machines’ security, showcasing how features have been turned into attack vectors that can pose threats to real enterprise level infrastructures. Despite the few real world scenarios that have actively exploited security holes, they remain one of the most dangerous threats organizations have to look out for.
This presentation will discuss leveraging analytics and machine learning techniques like deep learning, long short term memory networks, and gradient boosted machines for security applications like threat assessment. The presenter will compare current machine learning technologies and discuss best practices for applying predictive modeling to security problems, including data acquisition, feature selection, and model validation. The talk is part of a security roundtable event and will be followed by a lab exercise on developing predictive models.
This document discusses real-time Linux programming. It defines real-time as systems that must guarantee response times within strict deadlines, from milliseconds to microseconds. Real-time hardware uses a hardware clock to guarantee timing. Real-time software can be written in any language but C and C++ are preferred. Linux supports real-time capabilities through patches that improve scheduling and reduce latency. The document discusses avoiding page faults, limiting interrupts, and measuring latency in real-time systems.
Sharding Containers: Make Go Apps Computer-Friendly Again by Andrey Sibiryov Docker, Inc.
The document discusses how modern hardware has become more complex with multi-core, multi-socket CPUs and deep cache hierarchies. This complexity introduces latency and performance issues for software. The author describes their service that processes millions of requests per second spending a large amount of time on garbage collection, context switching, and CPU stalls. They developed a tool called Tesson that analyzes hardware topology and shards containerized applications across CPU cores, pinning linked components closer together to improve locality and performance. Tesson integrates with a local load balancer to distribute workloads efficiently utilizing the system resources.
The trials and tribulations of providing engineering infrastructure TechExeter
The document discusses lessons learned from running engineering infrastructure at Arm. It discusses several key points:
1) Shared infrastructure can lead to compromise and additional effort with no value if used for multiple disciplines. Specialized environments for each discipline are preferred.
2) Automation is critical to avoid inefficiencies from rapid growth outpacing manual processes. Automate where possible.
3) Ubiquitous shared storage breeds laziness and poor data management practices that do not scale. More controlled use of storage is needed.
4) Educating engineers on responsible infrastructure use is important, as not all have expertise in large-scale systems. Partnership and guidance is preferred over being solely "the police".
HIS'15 website tells us "Our lives increasingly depend on the correct functioning of software". But whilst true in itself, software is just one of the links in a system-chain; each needing to be as strong as the others for a satisfactory outcome. History may have branded software as the weakest link, but can that be said today? A system is an entity complete in its context; and judged subjectively by its black-box behaviour. And when faced with its failure it isn't acceptable to claim that "my bit worked"! All technologies we utilise are fallible, as are the processes we use to create them: Hardware, Software, Optics, Acoustics, RF, Mechanics, Test, Reproduction, Maintenance ... Perfection is still reserved for the gods. Technologies must work together in the system, and historic silos do nothing to encourage this. So how good do systems need to be; how close to achieving it are we; and does one size fit all? And perhaps most challengingly, can the disciplines complement one another so the whole is stronger than the weakest links?
Kernel Recipes 2017 - The state of kernel self-protection - Kees CookAnne Nicolas
The Kernel Self-Protection Project focuses on addressing gaps in Linux’s defensive technologies. With Linux reaching into every corner of modern life, and userspace frequently being very locked-down, the kernel has become an ever-increasing target for attackers and much more needs to be done to harden the kernel so it can protect itself. A quick overview will be shown of what we’re trying to protect Linux against, as well as the state of the art in available technologies. Also presented will be a summary of the last year’s participation by many people over a wide range of technologies, with a review of KSPP attempts, accomplishments, active efforts, and an examination of future projects and goals.
Kees Cook, Google
State-Of-The Art Machine Learning Algorithms and How They Are Affected By Nea...inside-BigData.com
Machine learning algorithms are increasingly being used across many domains and are affected by technology trends. Deep learning techniques have achieved human-level performance in tasks like speech recognition and face recognition. Training machine learning models requires massive parallelism and computational resources that are well-suited to GPU and multi-core architectures. Reduced precision computation can accelerate training but may impact convergence. Specialized hardware continues to evolve for both training and inference.
Talk on sneaky computation to be given at Reykjavik University. Sneaky computation is the using spare CPU cycles with little or no intervention from the user.
Similar to Three things that rowhammer taught me by Halvar Flake (20)
Arun Mane is the founder and director of AmynaSec Labs. He is a security speaker and trainer who has presented at many conferences including Defcon, Blackhat, Nullcon, and HITB. His areas of expertise include security testing of IoT devices, connected vehicles, medical devices, and industrial control systems. Some common issues he finds include devices being publicly accessible, having backdoors, hardcoded credentials, and crypto or web application management problems. His testing methodology involves assessing web and mobile applications, embedded device communications, hardware testing through reverse engineering, and analyzing communication protocols and stored data.
This document outlines an agenda for a presentation on open-source intelligence (OSINT) gathering techniques. The agenda includes an introduction to OSINT, different types of intelligence gathering, a scenario example, OSINT gathering tactics and tools like Shodan, TheHarvester and Google dorks, applications of OSINT, a demonstration, references for OSINT, and a conclusion. Key OSINT tools that will be demonstrated include Twitter, Shodan, TheHarvester and Google dorks for gathering information from public online sources.
This document provides an overview of server-side request forgery (SSRF) vulnerabilities, including what SSRF is, its impact, common attacks, bypassing filters, and mitigations. SSRF allows an attacker to induce the application to make requests to internal or external servers from the server side, bypassing access controls. This can enable attacks on the server itself or other backend systems and escalate privileges. The document discusses techniques for exploiting trust relationships and bypassing blacklists/whitelists to perform SSRF attacks. It also covers blind SSRF and ways to detect them using out-of-band techniques. Mitigations include avoiding user input that can trigger server requests, sanitizing input, whitelist
Nmap is a network scanning tool that can perform port scanning, operating system detection, and version detection among other features. It works by sending TCP and UDP packets to a target machine and examining the response, comparing it to its database to determine open ports and operating system. There are different scanning techniques that can be used like TCP SYN scanning, UDP scanning, and OS detection. Nmap also includes a scripting engine that allows users to write scripts to automate networking tasks. The presentation concludes with demonstrating Nmap's features through some examples.
The document provides an introduction and overview of the Metasploit Framework. It defines key terms like vulnerability, exploit, and payload. It outlines the scenario of testing a subnet to find vulnerabilities. It describes the main features of msfconsole like searching for modules, using specific modules, and configuring options. It promotes understanding and proper use, emphasizing that Metasploit alone does not make someone a hacker.
1) The document provides guidance on testing APIs for security weaknesses, including enumerating the attack surface, common tools to use, what to test for (e.g. authentication, authorization, injections), and demo apps to practice on.
2) It recommends testing authentication and authorization mechanisms like tokens, injections attacks on state-changing requests, and how data is consumed client-side.
3) The document also discusses testing for denial of service conditions, data smuggling through middleware, API rate limiting, and cross-origin requests.
TLS 1.3 is an update to the Transport Layer Security protocol that improves security and privacy. It removes vulnerable optional parts of TLS 1.2 and only supports strong ciphers to implement perfect forward secrecy. The handshake process is also significantly shortened. TLS 1.3 provides security benefits by removing outdated ciphers and privacy benefits by enabling perfect forward secrecy by default, ensuring only endpoints can decrypt traffic even if server keys are compromised in the future.
This document provides an introduction to hacking mainframes in 2020. It begins with an overview of mainframe systems and terminology. It then discusses reconnaissance methods like port scanning and credential theft to gain initial access. Next, it covers conducting internal reconnaissance to escalate privileges by exploiting surrogate users, APF authorized libraries, and UNIX privilege escalation techniques. The document aims to provide enough context for curiosity about hacking mainframe systems.
The document discusses CRLF injection and SSRF vulnerabilities. CRLF injection occurs when user input is directly parsed into response headers without sanitization, allowing special characters to be injected. SSRF is when a server is induced to make HTTP requests to domains of an attacker's choosing, potentially escalating access. Mitigations include sanitizing user input, implementing whitelists for allowed domains/protocols, and input validation.
The document provides an overview of Active Directory, including its components and how it is used to centrally manage users, computers, and other objects within a network. It discusses key Active Directory concepts such as forests, domains, organizational units, users, computers, and domain trusts. It also provides step-by-step instructions for setting up an Active Directory lab environment for red teaming purposes and integrating a client machine into the domain.
A security engineer discusses how logs and passive reconnaissance can reveal sensitive information like AWS credentials. The engineer searched for open Jenkins and SonarQube instances which led to discovering Slack channels containing AWS access keys. Key lessons are to know your boundaries, automate mundane tasks, don't presume systems mask secrets, and persistence is important in security work.
Shodan is a search engine that indexes internet-connected devices and provides information about devices, banners, and metadata. It works by generating random IP addresses and port scans to retrieve banner information from devices. This information is then stored in a searchable database. Users can search Shodan's database using filters like country, city, IP address, operating system, and ports. Shodan can be accessed through its website or command line interface. While useful for security research, Shodan also raises privacy and security concerns by revealing information about unprotected devices.
This document outlines an agenda for discussing cloud security. It begins with an introduction to cloud computing and deployment models. It then discusses challenges of cloud computing and why cloud security is important. Specific threats like data breaches and account hijacking are listed. The document reviews the shared responsibility model and scope of security in public clouds. It describes cloud security penetration testing methods like static and dynamic application testing. Finally, it provides prerequisites and methods for conducting cloud penetration testing, including reconnaissance, threat modeling, and following standard testing methodologies.
This document discusses several techniques for maintaining persistence on Windows systems, including modifying accessibility features, injecting into image file execution options, using AppInit DLLs, application shimming, BITS jobs, registry run keys, and Windows Management Instrumentation event subscriptions. It provides details on how each technique works, common implementations, required privileges, relevant data sources, and example event log entries.
Frida is a dynamic instrumentation toolkit that allows injecting JavaScript into applications. Objection is a runtime mobile exploration toolkit powered by Frida that helps assess the security of mobile apps. It supports iOS and Android. Objection allows exploring apps by listing classes, methods, and injecting scripts to enable dynamic analysis like dumping keychain entries.
Osquery is an open source tool that allows users to perform SQL queries on their system to retrieve information. It supports various platforms and makes it easy to get details about the system. Osquery consists of Osqueryi, Osqueryd, and Osqueryctl components. Basic queries can be run in user context mode to view system information, configuration, and tables. Osqueryd runs in daemon mode and can be configured using packs and decorators to monitor specific events and files. Osqueryctl is used to control the Osquery daemon process.
This document discusses DevSecOps, beginning with an introduction from Tibin Lukose. It then covers some challenges in DevSecOps such as developers lacking security skills, cultural challenges, and difficulties balancing speed, coverage and accuracy in testing. The document proposes a model DevSecOps company, Infosys, and provides a demo and contact information for any further questions.
This document provides an introduction to XML and related technologies like libxml2, XSLT, XPath, and XML attacks. It discusses the basics of XML including elements, tags, attributes, and validation. It also describes common XML libraries and tools like libxml2, xmllint, and xsltproc. Finally, it provides an overview of different types of XML attacks like XML injection, XPath injection, XXE, and XSLT injection.
This document contains the agenda for a presentation on Linux for hackers. The agenda includes discussing the Linux file system, managing virtual machines smartly, command line tools like alias, tee, pipe, grep, cut, uniq, and xargs, Bash scripting, logging, and proxy chaining. It also mentions demonstrating several commands and tools. The presentation aims to be an interactive session where the presenter will answer any questions from attendees.
This document provides an overview of Android penetration testing. It discusses requirements and tools for static and dynamic analysis, including Apptitude, Genymotion, and ADB. It covers analyzing the Android manifest and classes.dex files. It also describes vulnerabilities in WebViews, such as loading cleartext content and improper SSL handling. Best practices for coding securely on Android are also presented.
"NATO Hackathon Winner: AI-Powered Drug Search", Taras KlobaFwdays
This is a session that details how PostgreSQL's features and Azure AI Services can be effectively used to significantly enhance the search functionality in any application.
In this session, we'll share insights on how we used PostgreSQL to facilitate precise searches across multiple fields in our mobile application. The techniques include using LIKE and ILIKE operators and integrating a trigram-based search to handle potential misspellings, thereby increasing the search accuracy.
We'll also discuss how the azure_ai extension on PostgreSQL databases in Azure and Azure AI Services were utilized to create vectors from user input, a feature beneficial when users wish to find specific items based on text prompts. While our application's case study involves a drug search, the techniques and principles shared in this session can be adapted to improve search functionality in a wide range of applications. Join us to learn how PostgreSQL and Azure AI can be harnessed to enhance your application's search capability.
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Keywords: AI, Containeres, Kubernetes, Cloud Native
Event Link: https://meine.doag.org/events/cloudland/2024/agenda/#agendaId.4211
"$10 thousand per minute of downtime: architecture, queues, streaming and fin...Fwdays
Direct losses from downtime in 1 minute = $5-$10 thousand dollars. Reputation is priceless.
As part of the talk, we will consider the architectural strategies necessary for the development of highly loaded fintech solutions. We will focus on using queues and streaming to efficiently work and manage large amounts of data in real-time and to minimize latency.
We will focus special attention on the architectural patterns used in the design of the fintech system, microservices and event-driven architecture, which ensure scalability, fault tolerance, and consistency of the entire system.
Getting the Most Out of ScyllaDB Monitoring: ShareChat's TipsScyllaDB
ScyllaDB monitoring provides a lot of useful information. But sometimes it’s not easy to find the root of the problem if something is wrong or even estimate the remaining capacity by the load on the cluster. This talk shares our team's practical tips on: 1) How to find the root of the problem by metrics if ScyllaDB is slow 2) How to interpret the load and plan capacity for the future 3) Compaction strategies and how to choose the right one 4) Important metrics which aren’t available in the default monitoring setup.
AppSec PNW: Android and iOS Application Security with MobSFAjin Abraham
Mobile Security Framework - MobSF is a free and open source automated mobile application security testing environment designed to help security engineers, researchers, developers, and penetration testers to identify security vulnerabilities, malicious behaviours and privacy concerns in mobile applications using static and dynamic analysis. It supports all the popular mobile application binaries and source code formats built for Android and iOS devices. In addition to automated security assessment, it also offers an interactive testing environment to build and execute scenario based test/fuzz cases against the application.
This talk covers:
Using MobSF for static analysis of mobile applications.
Interactive dynamic security assessment of Android and iOS applications.
Solving Mobile app CTF challenges.
Reverse engineering and runtime analysis of Mobile malware.
How to shift left and integrate MobSF/mobsfscan SAST and DAST in your build pipeline.
What is an RPA CoE? Session 2 – CoE RolesDianaGray10
In this session, we will review the players involved in the CoE and how each role impacts opportunities.
Topics covered:
• What roles are essential?
• What place in the automation journey does each role play?
Speaker:
Chris Bolin, Senior Intelligent Automation Architect Anika Systems
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsDianaGray10
Join us to learn how UiPath Apps can directly and easily interact with prebuilt connectors via Integration Service--including Salesforce, ServiceNow, Open GenAI, and more.
The best part is you can achieve this without building a custom workflow! Say goodbye to the hassle of using separate automations to call APIs. By seamlessly integrating within App Studio, you can now easily streamline your workflow, while gaining direct access to our Connector Catalog of popular applications.
We’ll discuss and demo the benefits of UiPath Apps and connectors including:
Creating a compelling user experience for any software, without the limitations of APIs.
Accelerating the app creation process, saving time and effort
Enjoying high-performance CRUD (create, read, update, delete) operations, for
seamless data management.
Speakers:
Russell Alfeche, Technology Leader, RPA at qBotic and UiPath MVP
Charlie Greenberg, host
Essentials of Automations: Exploring Attributes & Automation ParametersSafe Software
Building automations in FME Flow can save time, money, and help businesses scale by eliminating data silos and providing data to stakeholders in real-time. One essential component to orchestrating complex automations is the use of attributes & automation parameters (both formerly known as “keys”). In fact, it’s unlikely you’ll ever build an Automation without using these components, but what exactly are they?
Attributes & automation parameters enable the automation author to pass data values from one automation component to the next. During this webinar, our FME Flow Specialists will cover leveraging the three types of these output attributes & parameters in FME Flow: Event, Custom, and Automation. As a bonus, they’ll also be making use of the Split-Merge Block functionality.
You’ll leave this webinar with a better understanding of how to maximize the potential of automations by making use of attributes & automation parameters, with the ultimate goal of setting your enterprise integration workflows up on autopilot.
In the realm of cybersecurity, offensive security practices act as a critical shield. By simulating real-world attacks in a controlled environment, these techniques expose vulnerabilities before malicious actors can exploit them. This proactive approach allows manufacturers to identify and fix weaknesses, significantly enhancing system security.
This presentation delves into the development of a system designed to mimic Galileo's Open Service signal using software-defined radio (SDR) technology. We'll begin with a foundational overview of both Global Navigation Satellite Systems (GNSS) and the intricacies of digital signal processing.
The presentation culminates in a live demonstration. We'll showcase the manipulation of Galileo's Open Service pilot signal, simulating an attack on various software and hardware systems. This practical demonstration serves to highlight the potential consequences of unaddressed vulnerabilities, emphasizing the importance of offensive security practices in safeguarding critical infrastructure.
Must Know Postgres Extension for DBA and Developer during MigrationMydbops
Mydbops Opensource Database Meetup 16
Topic: Must-Know PostgreSQL Extensions for Developers and DBAs During Migration
Speaker: Deepak Mahto, Founder of DataCloudGaze Consulting
Date & Time: 8th June | 10 AM - 1 PM IST
Venue: Bangalore International Centre, Bangalore
Abstract: Discover how PostgreSQL extensions can be your secret weapon! This talk explores how key extensions enhance database capabilities and streamline the migration process for users moving from other relational databases like Oracle.
Key Takeaways:
* Learn about crucial extensions like oracle_fdw, pgtt, and pg_audit that ease migration complexities.
* Gain valuable strategies for implementing these extensions in PostgreSQL to achieve license freedom.
* Discover how these key extensions can empower both developers and DBAs during the migration process.
* Don't miss this chance to gain practical knowledge from an industry expert and stay updated on the latest open-source database trends.
Mydbops Managed Services specializes in taking the pain out of database management while optimizing performance. Since 2015, we have been providing top-notch support and assistance for the top three open-source databases: MySQL, MongoDB, and PostgreSQL.
Our team offers a wide range of services, including assistance, support, consulting, 24/7 operations, and expertise in all relevant technologies. We help organizations improve their database's performance, scalability, efficiency, and availability.
Contact us: info@mydbops.com
Visit: https://www.mydbops.com/
Follow us on LinkedIn: https://in.linkedin.com/company/mydbops
For more details and updates, please follow up the below links.
Meetup Page : https://www.meetup.com/mydbops-databa...
Twitter: https://twitter.com/mydbopsofficial
Blogs: https://www.mydbops.com/blog/
Facebook(Meta): https://www.facebook.com/mydbops/
From Natural Language to Structured Solr Queries using LLMsSease
This talk draws on experimentation to enable AI applications with Solr. One important use case is to use AI for better accessibility and discoverability of the data: while User eXperience techniques, lexical search improvements, and data harmonization can take organizations to a good level of accessibility, a structural (or “cognitive” gap) remains between the data user needs and the data producer constraints.
That is where AI – and most importantly, Natural Language Processing and Large Language Model techniques – could make a difference. This natural language, conversational engine could facilitate access and usage of the data leveraging the semantics of any data source.
The objective of the presentation is to propose a technical approach and a way forward to achieve this goal.
The key concept is to enable users to express their search queries in natural language, which the LLM then enriches, interprets, and translates into structured queries based on the Solr index’s metadata.
This approach leverages the LLM’s ability to understand the nuances of natural language and the structure of documents within Apache Solr.
The LLM acts as an intermediary agent, offering a transparent experience to users automatically and potentially uncovering relevant documents that conventional search methods might overlook. The presentation will include the results of this experimental work, lessons learned, best practices, and the scope of future work that should improve the approach and make it production-ready.
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving
What began over 115 years ago as a supplier of precision gauges to the automotive industry has evolved into being an industry leader in the manufacture of product branding, automotive cockpit trim and decorative appliance trim. Value-added services include in-house Design, Engineering, Program Management, Test Lab and Tool Shops.
GlobalLogic Java Community Webinar #18 “How to Improve Web Application Perfor...GlobalLogic Ukraine
Під час доповіді відповімо на питання, навіщо потрібно підвищувати продуктивність аплікації і які є найефективніші способи для цього. А також поговоримо про те, що таке кеш, які його види бувають та, основне — як знайти performance bottleneck?
Відео та деталі заходу: https://bit.ly/45tILxj
JavaLand 2024: Application Development Green Masterplan
Three things that rowhammer taught me by Halvar Flake
1. 3 things that Rowhammer
taught me
… and their implications for future security research
2. Who am I?
● Reverse engineer since 1997, vuln development since 1999
● Started reverse-engineering company “zynamics” in 2004
● BinDiff, BinNavi, VxClass, many other contributions
● Acquired by Google in 2011
● Worked on defending Google & large-scale malware analysis until
2015
● Mathematician by trade, hacker by mentality (like to work on
boundary between theory and practice)
● Currently on a one-year sabbatical to trave, read, and surf
4. The Rowhammer DRAM bug
Repeated row activations can cause bit flips in adjacent rows
● A fault in many DRAM (DDR3) modules, from 2010 onwards
● Bypasses memory protection: One process can affect others
● All three big DRAM manufacturers shipped memory with this
problem
○ A whole generation of machines
○ Particularly bad on Laptops (no ECC)
5. Simplified illustration of Rowhammer issue (hypothesized)
Imagine DRAM as grid of wires, with bits of information stored at the “crossings” as charges
6. Simplified illustration of Rowhammer issue (hypothesized)
Apply current to a “row” so that the values can be read out
7. Simplified illustration of Rowhammer issue (hypothesized)
Apply current to a “row” so that the values can be read out
8. Simplified illustration of Rowhammer issue (hypothesized)
Due to DRAM density, a tiny bit of charge leaks to neighboring “rows”
9. Simplified illustration of Rowhammer issue (hypothesized)
This leads to tiny bits of charge leaking out of the neighboring cells
10. Simplified illustration of Rowhammer issue (hypothesized)
Repeat often enough, and the neighboring bits can “flip”
11. Simplified illustration of Rowhammer issue (hypothesized)
Repeat often enough, and the neighboring bits can “flip”
12. Exploiting Rowhammer
Rowhammer was deemed non-exploitable and only a reliability issue
● We found a way to abuse it generically for local privilege escalation
on x86
● Core idea works on all major OSes (Windows / Linux / OSX)
● We implemented only the Linux variant
(“We” == Mark Seaborn and me)
13. Exploiting Rowhammer: How to exploit a random bit flip
How can a random bitflip be exploited?
● Page tables are 4k pages containing arrays of 512 “PTE”s (page
table entries
● Each PTE is 64 bit and looks like this:
●
● Permission bit - 2% chance
● Physical page base address (20 bits) - 31% chance
14. Exploiting Rowhammer: How to exploit a random bit flip
Basic strategy: Spray most of physical memory with page tables
● mmap() the same file repeatedly (and writeable)
● e.g. To fill 4GB of physical memory, mmap() 2048GB of virtual
address space
○ Works because we have a 64-bit virtual address space
○ Works because major OS have no bounds on page tables
Helps ensure two things:
● That a bit-flipped physical page number will point to a page table
● That a random bit flip will hit a PTE
15. Exploiting Rowhammer: How to exploit a random bit flip
Begin “hammering” memory
Periodically check for bit flip (indirectly):
● Scan virtual address space for a page that now points elsewhere
● If found, does the page look like a page table?
○ If so, deduce which address it controls
■ Modify it
■ Scan virtual address space for a second page that now
points elsewhere
Can be used to exploit completely random bit flips (e.g. from cosmic
rays)
17. One bitflip is enough
… at least when you don’t need 100% reliability
18. One bitflip is enough
2003 paper: “Using Memory Errors to Attack a Virtual Machine”
Connected Heat lamp to RAM,
induced bit flips
2015 Rowhammer.
Common thread: The most
random and obscure issues
can be exploited.
One bit is enough.
20. Deterministic computing is “just” an abstraction
● We think about computers as deterministic machines
● In reality, they are “probabilistically deterministic”
○ Deterministic most of the time
○ Probability of non-determinism in normal operation is made
vanishingly low (“reliability”)
● What about the probability of non-determinism in worst-case
operation?
○ Hardware is not engineered that way - probability of failure
much higher
21. Deterministic computing is “just” an abstraction
● Example: Flash wear leveling
● Example: Speedpath analysis and yield maximization in CPU
design
● Hardware vendors are incentivized to sell chips “just at the border
of working”
● Bigger safety margins mean drastically reduced profit margins
22. Deterministic computing is “just” an abstraction: Cloud
● Cloud computing changes risk calculous
● Even if only 1 in 5000 CPUs can be made to misbehave, Cloud
providers are at risk
● Attackers can rent CPUs until they get lucky
23. “Impenetrable defense” is not
a good concept ...
… because the chip at hand may not implement the spec all the time
24. “Impenetrable defense” is not a good concept
● Realizing that computers are only average-case deterministic
means that “secure enclaves” may be a doomed concept
● A secure enclave (even with formally verified software) is verified
against specified semantics of a chip
● Your particular chip may only honor those semantics 99.999% of
the time
● The 0.001 may be enough for the attacker
25. “Impenetrable defense” is not a good concept
● Trend in recent years has been toward more opaque blocks in
computers
● Intel Management Engine, Trustzone, Intel SGX etc.
● Trending concept is “hard, trusted, inviolable small cores” that are
completely opaque and non-inspectable
● Once an attacker manages to get in, there is no way to tell, and no
way to get him out
27. Implications for fundamental security research
● The three lessons give importance to (at least) three exciting topics
for research - one each in:
○ Theoretical computer science
○ Borders between Electrical engineering, Statistics, Physics
○ IT Systems Engineering (Hardware, Software, Ecosystems)
28. A proper theory of
exploitation
Theoretical Computer Science
29. A proper theory of exploitation
● Theoretical understanding of exploitation is weak
● Misjudgements happen even by seasoned professionals (“a
random bit flip will not be exploitable”)
● No good theoretical framework exists to analyze
○ ... what issues are “exploitable”
○ … what issues are “not exploitable”
○ … where the boundary between them lies
○ … what facilitates exploitability
● Result: Misjudgements, bogus “mitigations”, etc.
30. A proper theory of exploitation: Suggestion
● Assume a tiny toy CPU
○ Finite array of memory cells, a few registers
○ PEEK, POKE, ADD, Jcc, RECV, SEND instructions
○ Read/write memory, add values, recv value, send value
○ Finite (but large) sequence of attacker-provided inputs
● Programmer “emulates” a finite state machine on this CPU - with a
formally describable set of valid states
● Attacker gets to choose an arbitrary valid state as starting point
● Now assume corruption of a random bit - what is the probability that
the attacker can now reach any possible state of the toy CPU given
large enough input sequence?
31. A proper theory of exploitation: Suggestion
● A proper theory of exploitation would help understand many things:
○ Distinguish useful from not-useful mitigations
○ Help identify at what level of complexity of the emulated finite-
state machine single-bit corruptions become exploitable
○ Put “exploitation” on sound footing in academic circles, and
bring it out of obscurity / “magic” territory
I hope to eventually get around to working on this
33. Speed binning, worst-case paths, malicious input
● With cloud computing, virtualization, sandboxing and ubiquitous
JIT, the instruction stream of the CPU is now malicious input
● CPUs are “speed binned” at end of production cycle
● IC manufacturers will optimize for maximum yield without “random”
failures (speed path testing, crosstalk, leakage)
● What about “malicious inputs” (input code designed to cause
pessimal behavior in the IC) ?
34. Speed binning, worst-case paths, malicious input
EE community performs research on speed- and voltage-binning all the
time - but with reliability focus.
Security Research is needed on ...
● Identifying critical speed paths on silicon, identifying critical areas
for crosstalk on silicon
● How to identify input that exercises worst-possible paths
● Can the critical path be made more critical by intentionally causing
transistor degradation? Transistor aging is a thing, and solid-state
is not always solid.
It may become economical to rent 1000 CPUs for 1 year if I can get
one of them to degrade enough to compromise the cloud provider.
35. Speed binning, worst-case paths, malicious input
● This looks like an extremely fruitful area of research!
○ IC manufacturers can’t afford to test every chip for very long.
○ Attackers can profit from small fractions of CPUs being faulty -
even if those faults occur very rarely
○ IC manufacturers can’t be arbitrarily careful (direct impact on
profitability).
Research will need collaboration between security experts and people
familiar with VLSI design, process-induced variations in IC production,
and yield-optimization.
Research may require budget (hardware investigation is expensive)
Would love to investigate this, but need an EE collaborator :-)
36. Speed binning, worst-case paths, malicious input
Side warning: I expect the IC industry to aggressively lobby against this
research being performed out in the open.
It is an incredibly competitive and secretive industry that adheres to the
motto “only the paranoid survive”.
Don’t go there unless you are willing to pick a fight.
38. Building inspectable (and hence defendable) systems
● The real world has the concept of “ownership” and “possession”
● I may be in possession of a rental car, but the car company has
“ownership”.
● IT systems have a third dimension: “Control”
● I can have ownership and possession of an IT system, but I may
not have control over it
In today’s systems, it is impossible to establish who is in control.
Hardware enclaves try to prevent loss-of-control, but this cannot be
100% -- remember PREAM.
39. Building inspectable (and hence defendable) systems
● If we want defendable systems, we need to build systems where it
is possible for the person with ownership and possession to
establish control.
● This implies:
○ Need to engineer systems to provide non-updateable and
tamper-evident hardware paths to calculate & display
checksums over code
○ Need to engineer systems so that every place that may contain
code can be inspected
○ Need to engineer & build a public ledger infrastructure (similar
to Certificate Transparency, but with working Gossip protocols)
for signed code
40. Building inspectable (and hence defendable) systems
● The current approach of allowing (and even furthering) opacity
makes our problems worse, not better
● In a world where all signing keys can be either stolen or coerced,
any code signature scheme without publicly inspectable ledger
needs to be rejected
● Possibility must exist to determine origin of all code within a
machine
41. Building inspectable (and hence defendable) systems
● If you can’t establish who is in control of a machine, all security
discussions devolve into scholasticism
43. Summary :-)
● Rowhammer is an interesting issue, but it is the implications that
are most interesting
● Computer security is full of extremely hard and extremely
interesting questions
● Collaboration across disciplines (EE, Theoretical CS, product
design) will be crucial
● If you find any of these topics interesting, please contact me at
thomas.dullien (at) gmail.com
● I am particularly happy about any information from people with
EE/VLSI/Chip-design/yield-optimization background
45. Summary :-)
● Rowhammer is an interesting issue, but it is the implications that
are most interesting
● Computer security is full of extremely hard and extremely
interesting questions
● Collaboration across disciplines (EE, Theoretical CS, product
design) will be crucial
● If you find any of these topics interesting, please contact me at
thomas.dullien (at) gmail.com
● I am particularly happy about any information from people with
EE/VLSI/Chip-design/yield-optimization background
53. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
54. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
Each of them points to pages in the same physical
file mapping.
55. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
Each of them points to pages in the same physical
file mapping.
If a bit in the right place in the PTE flips ...
56. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
Each of them points to pages in the same physical
file mapping.
If a bit in the right place in the PTE flips …
… the corresponding virtual address now points to
a wrong physical page - with RW access.
57. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
Each of them points to pages in the same physical
file mapping.
If a bit in the right place in the PTE flips …
… the corresponding virtual address now points to
a wrong physical page - with RW access.
Chances are this wrong page contains a page
table itself.
58. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
Each of them points to pages in the same physical
file mapping.
If a bit in the right place in the PTE flips …
… the corresponding virtual address now points to
a wrong physical page - with RW access.
Chances are this wrong page contains a page
table itself.
An attacker that can read / write page tables …
59. ...
Virtual Address
Space
Physical
Memory
What happens when we repeatedly map a file with
read-write permissions?
PTEs in physical memory help resolve virtual
addresses to physical pages.
We can fill physical memory with PTEs.
Each of them points to pages in the same physical
file mapping.
If a bit in the right place in the PTE flips …
… the corresponding virtual address now points to
a wrong physical page - with RW access.
Chances are this wrong page contains a page
table itself.
An attacker that can read / write page tables can
use that to map any memory read-write.