We're sorry but this page doesn't work properly without JavaScript enabled. Please enable it to continue.
Feedback

Developing Managed Code Rootkits for Java Runtime Environment

00:00
Untertitel
Aus
Abspielgeschwindigkeit
1
Untertitel
Aus
English (automatisch erzeugt)
Abspielgeschwindigkeit
0.25
0.5
0.75
1
1.25
1.5
1.75
2
Qualität
576p
17
 Zitieren
 Teilen
 Herunterladen Bestellen
Kein Logo verfügbarDEF CON
 Holland , Benjamin (daedared)

Formale Metadaten

Titel
Developing Managed Code Rootkits for Java Runtime Environment
Serientitel
Anzahl der Teile
Autor
Lizenz
CC-Namensnennung 3.0 Unported:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
Identifikatoren
Herausgeber
Erscheinungsjahr
Sprache

Inhaltliche Metadaten

Fachgebiet
Genre
Abstract
Managed Code Rootlets (MCRs) are terrifying post-exploitation attacks that open the doors for cementing and expanding a foothold in a target network. While the concept isn’t new, practical tools for developing MCRs don’t currently exist. Ere Metula released ReFrameworker in 2010 with the ability to inject attack modules into the C# runtime, paving the way for MCRs, but the tool requires the attacker to have knowledge of intermediate languages, does not support other runtimes, and is no longer maintained. Worse yet, the ‘write once, run anywhere’ motto of managed languages is violated when dealing with runtime libraries, forcing the attacker to write new exploits for each target platform. This talk debuts a free and open source tool called JReFrameworker aimed at solving the aforementioned challenges of developing attack code for the Java runtime while lowering the bar so that anyone with rudimentary knowledge of Java can develop a managed code rootlet. With Java being StackOverflow’s most popular server side language of 2015 the Java runtime environment is a prime target for exploitation. JReFrameworker is an Eclipse plugin that allows an attacker to write simple Java source to develop, debug, and automatically modify the runtime. Best of all, working at the intended abstraction level of source code allows the attacker to ‘write once, exploit anywhere’. When the messy details of developing attack code are removed from the picture the attacker can let his creativity flow to develop some truly evil attacks, which is just what this talk aims to explore. Bio: Ben Holland is a PhD student at Iowa State University with experience working on two high profile DARPA projects. He has extensive experience writing program analyzers to detect novel and sophisticated malware in Android applications and served on the ISU team as a key analyst for DARPA’s Automated Program Analysis for Cybersecurity (APAC) program. He’s lectured on security topics for university courses in program analysis and operating system principles. Ben has given multiple talks at professional clubs as well as security and academic conferences. His past work experience has been in research at Iowa State University, mission assurance at MITRE, government systems at Rockwell Collins, and systems engineering at Wabtec Railway Electronics. Ben holds a M.S. degree in Computer Engineering and Information Assurance, a B.S. in Computer Engineering, and a B.S. in Computer Science. Currently he serves on the ISU team for DARPA’s Space/Time Analysis for Cybersecurity (STAC) program.
00:00
AppletMaschinencodeLaufzeitfehlerRootkitLaufzeitsystemGüte der AnpassungDämon <Informatik>AppletStabLaufzeitsystemSoftwareRootkitMultiplikationsoperatorUnrundheitFlächeninhaltPhysikalisches SystemNP-hartes ProblemMaschinencodet-TestPunktKlasse <Mathematik>Computeranimation
02:15
LaufzeitsystemAppletLaufzeitfehlerMaschinencodeComputerInformationProzessautomationARPANetProgrammAnalysisMinkowski-MetrikSoftwaretestSystemprogrammierungDatentypDatenerfassungInterpretierert-TestAggregatzustandMultiplikationsoperatorBitVirtuelle MaschineProgrammAppletLaufzeitfehlerModulare ProgrammierungBildschirmfensterInterpretiererComputeranimation
03:41
SystemprogrammierungFormation <Mathematik>ProgrammierumgebungSoftwaretestWort <Informatik>MaschinencodeBaum <Mathematik>LaufzeitfehlerAppletLaufzeitsystemRootkitSchreiben <Datenverarbeitung>AppletMaschinencodeCompilerPhysikalisches SystemRechter WinkelProgrammElektronische PublikationLaufzeitfehlerProgrammbibliothekVirtuelle MaschineMAPBitBetriebssystemKlasse <Mathematik>Mailing-ListeByte-CodeDifferentePrimitive <Informatik>Objekt <Kategorie>StandardabweichungMereologieKategorie <Mathematik>InformationsspeicherungQuellcodePortabilitätVerschlingungSystemplattformComputeranimationFlussdiagramm
05:11
EreignishorizontProgrammierungRootkitMaschinencodeLaufzeitfehlerSystemplattformStochastische AbhängigkeitProgrammStandardabweichungFontRechnernetzProgrammGüte der AnpassungSystemverwaltungBildschirmfensterInformationsspeicherungKartesische KoordinatenInformationMereologieRootkitMaschinenschreibenPasswortDatenfeldSchlüsselverwaltungMAPEreignishorizontLaufzeitfehlerExploitsinc-FunktionMaschinencodeProgrammbibliothekAppletQuick-SortVerzeichnisdienstObjektorientierte ProgrammierspracheQuaderObjekt <Kategorie>Formale SpracheStandardabweichung
06:40
MaschinencodeGewicht <Ausgleichsrechnung>Modul <Datentyp>TaskSkriptspracheCASE <Informatik>MagnettrommelspeicherLaufzeitfehlerSkriptspracheFramework <Informatik>RootkitAssemblerMicrosoft dot netSoftwaretestMaschinencodeDatenverwaltungTaskDisassembler
07:27
Open SourceLaufzeitfehlerGewicht <Ausgleichsrechnung>TaskSkriptspracheByte-CodeMaschinencodeLaufzeitsystemIdeal <Mathematik>AppletAppletGewicht <Ausgleichsrechnung>Microsoft dot netRootkitPunktOpen SourceMAPFunktion <Mathematik>ZwischenspracheByte-CodeSelbstrepräsentationMaschinencodeRechter WinkelSoundverarbeitungQuellencodierungÜbersetzer <Informatik>NormalvektorFeuchteleitungProgrammDifferenteSchreiben <Datenverarbeitung>Perfekte GruppeMathematikLaufzeitfehlerGlobale OptimierungCompilerRohdatenApp <Programm>NP-hartes Problem
09:59
LaufzeitfehlerLaufzeitsystemAppletByte-CodeMaschinencodeProgrammierumgebungRootkitEindringerkennungMAPSchreiben <Datenverarbeitung>Mobiles EndgerätLaufzeitfehlerOpen SourceProgrammRechter WinkelNatürliche ZahlAppletMaschinencodeLaufzeitsystemFramework <Informatik>Programm/QuellcodeXML
10:51
MaschinencodeLaufzeitfehlerLaufzeitsystemOpen SourceSchreiben <Datenverarbeitung>AppletRootkitProgrammierumgebungModul <Datentyp>ExploitWurm <Informatik>Mobiles EndgerätFreewareByte-CodeAppletWeb SiteRootkitOpen SourceVirtuelle MaschinePlug inProjektive EbeneFreewareMusterspracheSchreiben <Datenverarbeitung>Wurm <Informatik>Rippen <Informatik>Computeranimation
11:39
MaschinencodeLaufzeitsystemLaufzeitfehlerOpen SourceAppletSchreiben <Datenverarbeitung>RootkitProgrammierumgebungTwitter <Softwareplattform>ExploitModul <Datentyp>Wurm <Informatik>Mobiles EndgerätFreewareByte-CodeWort <Informatik>ProgrammfehlerReverse EngineeringKrümmungsmaßDatentypTypentheorieCMM <Software Engineering>MalwareSoftwareentwicklerInternetworkingRückkopplungTwitter <Softwareplattform>ZeichenketteObjekt <Kategorie>TypentheorieHochdruckStreaming <Kommunikationstechnik>ProgrammKlasse <Mathematik>EinfügungsdämpfungMaschinencodeHook <Programmierung>DifferenteLaufzeitfehlerOpen SourceDatenfeldCASE <Informatik>Demo <Programm>Computeranimation
13:31
MaschinencodeLaufzeitfehlerElektronische PublikationBoolesche AlgebraExistenzsatzVererbungshierarchieSoftwaretestProgrammierumgebungLokales MinimumAppletNotepad-ComputerTypentheorieNeuronales NetzMailing-ListeLaufzeitsystemProgrammfehlerElement <Gruppentheorie>ZeichenketteHydrostatikSystemprogrammierungKlasse <Mathematik>Prozess <Informatik>Rechter WinkelRechenschieberLaufzeitfehlerBitMaschinencodeSchnittmengeHash-AlgorithmusEin-AusgabeElektronische PublikationSoftwaretestp-BlockDemo <Programm>HilfesystemWort <Informatik>AppletNormalvektorHochdruckKlasse <Mathematik>Streaming <Kommunikationstechnik>Konstruktor <Informatik>Framework <Informatik>DatenfeldGanze ZahlObjekt <Kategorie>MultiplikationsoperatorFunktion <Mathematik>InstantiierungVerzeichnisdienstDefaultSystemaufrufArithmetische FolgeProjektive EbeneGrundsätze ordnungsmäßiger DatenverarbeitungBoolesche AlgebraFächer <Mathematik>LastStörungstheorieTypentheorieDeterministischer ProzessComputeranimation
19:41
SoftwareHöhere ProgrammierspracheGesetz der großen ZahlenBootenE-MailEin-AusgabeMaschinencodeLaufzeitfehlerLaufzeitsystemAppletProgrammfehlerElement <Gruppentheorie>ZeichenketteDeterministischer ProzessAppletSoftwaretestKomplex <Algebra>LaufzeitfehlerComputerspielClientComputeranimation
20:14
HydrostatikOvalZeichenketteAppletLaufzeitfehlerLaufzeitsystemMaschinencodeVererbungshierarchieSpezialrechnerHook <Programmierung>LastZeichenketteGraphische BenutzeroberflächeCASE <Informatik>Bildgebendes VerfahrenKlasse <Mathematik>HochdruckObjekt <Kategorie>BewertungstheorieProgrammDatenfeldQuick-SortLaufzeitfehlerBimodulAppletMultiplikationsoperatorNichtlinearer OperatorPRINCE2Computeranimation
22:06
SpezialrechnerModulare ProgrammierungMaschinencodeLaufzeitsystemLaufzeitfehlerAppletPixelEreignishorizontTypentheorieInverseVererbungshierarchieRootkitMittelwertStandardabweichungExistenzsatzElektronische PublikationSoftwaretestProgrammierumgebungHydrostatikOvalProxy ServerComputersicherheitExploitMultiplikationBrowserAnalysisProdukt <Mathematik>SystemplattformStichprobeOpen SourceTotal <Mathematik>ComputervirusMathematikVorzeichen <Mathematik>Klasse <Mathematik>ZeichenketteKontrollflussDisjunktion <Logik>Patch <Software>SystemaufrufPixelMultiplikationsoperatorKlasse <Mathematik>MultiplikationProgrammfehlerEndliche ModelltheorieBitLaufzeitfehlerQuick-SortRechter WinkelGüte der AnpassungSchreiben <Datenverarbeitung>SystemplattformZeichenketteAppletOpen SourceSpieltheorieBeweistheorieVirenscannerReverse EngineeringComputersicherheitVersionsverwaltungSystemaufrufObjekt <Kategorie>Spiegelung <Mathematik>SoftwareschwachstelleGrenzschichtablösungSchlüsselverwaltungPatch <Software>SymboltabelleAssemblerDatenfeldRefactoringHeegaard-ZerlegungVerzweigendes ProgrammHintertür <Informatik>CASE <Informatik>MalwareBootenKontrollstrukturExploitDifferenteMathematische LogikNormalvektorTypentheorieProdukt <Mathematik>SchlussregelHook <Programmierung>BildschirmfensterMittelwertSoftwaretestDemo <Programm>ParametersystemEinsDisjunktion <Logik>ComputervirusTotal <Mathematik>RechenschieberGraphische BenutzeroberflächeEreignishorizontModulare ProgrammierungXMLComputeranimation
29:30
BenutzeroberflächeModul <Datentyp>LaufzeitfehlerLaufzeitsystemMaschinencodeComputersicherheitQuellcodeMailing-ListeAuthentifikationt-TestKartesische KoordinatenProjektive EbeneServerPlastikkarteRückkopplungComputersicherheitQuick-SortQuellencodierungFirewallCASE <Informatik>AppletMathematische LogikGamecontrollerObjekt <Kategorie>MAPTeilbarkeitFront-End <Software>Computeranimation
30:57
BenutzeroberflächeSoftwareentwicklerLaufzeitsystemMaschinencodeAppletLaufzeitfehlerServerFront-End <Software>ClientFirewallExakte SequenzComputersicherheitRootkitAdditionKette <Mathematik>CASE <Informatik>Reelle ZahlKartesische KoordinatenMaschinencodeHumanoider RoboterResultanteFramework <Informatik>BitProjektive EbeneComputeranimation
31:34
ZahlenbereichByte-CodeMaschinencodeLaufzeitfehlerLaufzeitsystemHash-AlgorithmusKlasse <Mathematik>BeschreibungskomplexitätZahlenbereichQuellencodierungElektronische PublikationIndexberechnungMAPResultanteSpieltheorieProgrammbibliothekDefaultMessage-PassingLaufzeitfehlerKlasse <Mathematik>MenütechnikElektronischer FingerabdruckQuaderKomplex <Algebra>DifferenteMusterspracheQuick-SortMetrisches SystemMaschinencodeBitrateCompilerAppletFramework <Informatik>Rechter WinkelMathematikHash-Algorithmus
34:04
LaufzeitfehlerMaschinencodeSoftwareentwicklerLaufzeitsystemProjektive EbenePunktFeuchteleitungKontextbezogenes System
34:48
BootenLaufzeitfehlerMaschinencodeLaufzeitsystemRootkitQuellcodeTransformation <Mathematik>Abstrakte ZustandsmaschineAppletMultiplikationsoperatorBimodulKlasse <Mathematik>Web SiteProxy ServerProzess <Informatik>KonzentrizitätSchlüsselverwaltungQuick-SortProgrammbibliothekService providerRechter WinkelVerzeichnisdienstZahlenbereichPatch <Software>SchlussregelMereologieKartesische KoordinatenGüte der AnpassungSystemaufrufParametersystemVorzeichen <Mathematik>Generator <Informatik>AppletVirtuelle MaschineQuellencodierungCASE <Informatik>LaufzeitfehlerHydrostatikComputersicherheitGebäude <Mathematik>Message-PassingPhysikalisches SystemStandardabweichungBootenFormale SpracheHash-Algorithmusp-BlockVerzweigendes ProgrammKonstruktor <Informatik>ZeichenketteDynamisches SystemExt-FunktorExistenzaussageComputervirusVariableKeller <Informatik>Open SourceComputeranimationProgramm/Quellcode
Transkript: English(automatisch erzeugt)
00:01
good morning deathcon yeah uh how many of you guys went to the demon saw party last night anybody? yeah? one guy? uh the fact that you're here means that you didn't do it quite right I was expecting no hands um did did you see McAfee last night? yeah? I'm sorry
00:25
uh alright so uh one quick announcement uh we're gonna get started uh pretty shortly uh about two minutes we're gonna get this fine gentleman going uh when you leave the room uh please use the back doors not either side they're pretty well marked um but back
00:43
doors uh we had we had some issues yesterday uh the other announcement uh is uh yesterday uh we were told by hotel staff uh that uh there was some unusual traffic on their point of sale network uh they have paid for a very very high class monitoring solution uh just for
01:09
Defcon and we have a very very superb I mean I know it's Defcon but we have a very very good uh standing with all the hotels and conference centers in the area for not messing
01:23
with them too hard um POS system not cool please do not mess conference center or hotels network um at all please uh if you really feel like uh flexing some particular uh gray or black hat muscles uh Defcon network is there for a reason bring it on alright uh so
01:48
we are right about we are right on time that is amazing uh so without further ado Benjamin Hollins our first speaker of the day let's get a round of applause yes alright
02:03
thank you everyone for coming today uh so my name's Ben and um today we're gonna talk about uh a way to develop managed code rootkits for the Java runtime environment uh so just a little background who I am uh I guess I would describe myself as a student I've been a student for a really long time and probably will be for a little longer um so uh I've
02:24
worked a few places um and I I come from Iowa State University I see a few other people from Iowa State here so yeah represent alright um okay so a little background um first I just kinda wanna show you a little a little taste of what's to come so here's our our
02:41
simple hello world program everyone's probably written this program before right um so let's let's go ahead and run it on um our victim machine and see what happens so let's go ahead okay so we've got our just uh it's just a Windows 7 latest Java update um
03:01
as of just so Java 8 as of like a week ago uh we go ahead and run hello world it just prints hello world um but we've got a session on this machine um we've got interpreter running and we're gonna load up this custom post module whoa okay and uh we're gonna go ahead and run this custom post module I've got a uh a dropper here we'll
03:21
explain what that is here we're gonna go ahead and manipulate the runtime a little bit uh and then go back over to the victim machine and see what happens so now when we run hello world it prints backwards right so we have the ability to manipulate the runtime and what are we gonna do with that well we can talk about that today okay so first of
03:46
all um we should probably understand a little something about what the you know the runtime looks like at least from a high level um so we take Java code um just plain Java source files we feed that into the compiler we spit out class files we could run those uh or if we have a bunch of class files we just zip them up and because we're
04:03
Java we call it a jar um so that's just a jar it's just a zip file uh we take that jar file and we run it on our on our host operating system so that's Windows, Mac, Linux and it seems to run the same on each one right so it's cross platform that's really nice but how do we do that right if you write a C program you might have to change things a little bit but with Java at least it's you know it's standard so the way we do
04:24
this is we create a custom virtual machine for each uh host operating system and that interprets the the standard Java byte code and then runs it on the host operating system so let's take a look inside those uh we have the the virtual machine and then we have
04:40
the standard library right we have the definition of what's an object what's a link list all the different um primitives um in store inside this uh runtime jar and what we're going to do today is actually just mess with that runtime jar right and because this runtime jar is actually just Java byte code itself uh at least for the most part um that
05:02
also has this nice property of being cross platform right so we can write one exploit and then run it everywhere ok so there's a few advantages um first of all I just want to make it clear that this is a post exploitation activity so you've already um gained uh
05:21
permission on the box you can write to usually these kind of protected directories so program files on Windows is where they store the Java runtime of course if you didn't store it in a good place someone could just manipulate it without having administrator privileges um but the important part is that we're not manipulating the program itself we're manipulating the runtime so actually we uh can affect every program that's
05:45
running so any that that hello world program we didn't touch that program at all we touched the runtime and then the hello world program behaved differently because we modified the runtime so um you know there's some nice benefits of this typically we audit the the application code we don't audit the runtime um so you know someone might
06:03
overlook this uh and we have a lot of contextual information about the application right so if we wanted to do something like grab the password field uh we don't have to write an entire keylogger we could just keylog maybe just password fields of applications so we have some more contextual information at the application level um
06:21
and of course uh since we're manipulating the runtime and we're doing it you know at an object oriented language these are full featured libraries so we can write object oriented rootkits we can use the standard library um we have lots of access to kind of some low level things that you might not think are in there so we can mess with key events networking all sorts of things okay so there's been some pioneering work um I'm not
06:44
the first to do this and I'm not really expanding on kind of the the main technique I just wanted to expand on a new way to do this um and so Erez Metula um gave me this book um and uh he's done a lot a lot of work on this already um so if you're curious about you know kind of all the things you can do you can check out his book uh it's
07:02
called Managed Code Rootkits um and he also released a tool called reframeworker uh it worked on dot net runtimes uh is able to kind of specify XML uh tasks of how to manipulate the runtime uh and this uses an assembler and disassembler pair to make the modifications and has some deployment scripts so it really kind of laid the
07:22
framework um the groundwork for how how we're gonna do these um but uh when I started thinking about this um I wanted to do this for for Java um because I'm kind of a Java nut as some of my friends know and um well this uh the previous tool was for dot net so I thought well I have to extend this but I have an opportunity to to think about um you
07:45
know how am I gonna modify the runtime um so there's a couple different um ways you could approach this problem we have uh bytecode uh we could just try to manipulate the bytecode right away um but this is this is pretty difficult right uh it would work but say you change a variable name or a method name well that has lots of references in
08:02
the code so we have to kind of change all those those little references and the butterfly effect gets kind of a a pain to manipulate also we you know most people don't speak raw Java bytecode code so um that's just kind of a pain um you know ideally we could just decompile this get the source edit the source recompile it and we're done but if
08:23
anyone's decompiled apps before um if you're lucky it that it even compiles it's probably not even right to start with um so decompiling things is definitely a hard problem um very hard and we're not gonna have perfect decompilers um so people come up with things that are kind of in between so we have these intermediate representations they're used a lot in compiler optimizations um for Java you can think about
08:45
smally or um so it's gimple any of those representations if you played with those um but this is nice because we can decompile it to this kind of halfway point it's not quite source code um but it is text it is like it is a source code but it's not Java source um and we can edit that and then we can recompile it and we and we we come to this
09:04
halfway point because we can guarantee that we can go um back and forth between uh decompiled and compiled output um so you know these the editing the bytecode works it's it's a huge pain um we can't really rely on decompiled source although we'd really like
09:22
to work with that uh and then working with intermediate representations was kind of my first approach um and you know it has been kind of proven people have done this um but it's still tricky um you know we we learn to write code at the normal source level we don't write code at an intermediate level um it's just kind of a you know it's just something we
09:42
can we can write tools for but um yeah but it's still tricky so I thought I really really want to to just be able to you know lower the bar the barrier to entry so that uh if you know how to write basic Java programs then you can write a managed code rootkit too um so that's kind of the new the new goals of the framework right I want to support the Java
10:04
runtime environment and I want this just really low um knowledge prerequisite so uh just quick show of hands like who has ever written just a basic Java program okay yeah so you guys can all write a managed code rootkit now so that's fun and also terrifying
10:20
um alright so the other thing is we want kind of this natural development environment if you've written a Java program you've probably used Eclipse right you at least whether or not you like it maybe maybe you like another uh IDE but um it's it's familiar right you know how to debug your program you know how to um how to easily deploy your program
10:41
and again if we can write something from high level and source we don't we can strive towards this portability um and we don't have to worry about kind of low level details in the the runtime so um I want to oh yeah I forgot I had this slide okay so we want to write rootkits and javasource this is the tool itself I called it JRE
11:02
reframeworker or um and that's kind of a rip off of Erez Metula's uh reframeworker um just because kind of a a common pattern is just to add J in front of a Java project but then I noticed oh J JRE that's nice so I I kept it and I got kind of attached to the name um so uh it's an Eclipse plugin so you can work right inside Eclipse um we have uh an
11:25
ability to uh export a way to drop the payload on the on the victim machine um so that's that's all kind of abstracted away from you uh it's open source it's free so you can play with it hack on it um and uh have fun with it so um there's been some early
11:42
feedback on on Twitter um so some guy said just what the internet is dire need of a malware development tool set um I think he was being uh sarcastic but I'm gonna take that as a compliment because I like the idea of a well engineered uh tool um from me so um I
12:00
want to revisit that hello world program so this is this is all the code that you have to write uh and the idea is what we'll do is we'll extend since it's object oriented we'll extend the object that we want to manipulate um and for now just assume that you can extend any object uh so here I'm extending the print stream yeah okay so I'm extending the the print stream and we have these little annotations that define how we want to
12:23
manipulate the runtime um and these are basically just notes to the tool they won't end up in the final source um so we're gonna say we want to merge these two types so we're creating a new class called backwards print stream we're extending the print stream and we're gonna merge this new behavior in and what we're gonna do is actually uh override the printalend method to just create a new string reverse it and then print that string
12:46
okay um and so we have quite a few uh different annotations not not too many I guess actually um there's two main types there's define and merge um so a define type basically inserts or replaces the old behavior um because sometimes you just want to
13:01
completely blow it away and replace it with something new but sometimes you want to preserve that old behavior and then you know maybe just hook into it or um or add a subtle difference to it but then behave like normal in other cases uh so that's what the merge type is and you can put these on each thing you can put it on a class you can put it on a method you can put it on a field um and then we'll get to why we
13:21
need these later but we can also control the qualifiers and things so if a class is final and you can't extend it well you can basically just say nope no it's not and then extend it okay so uh I'm gonna do just a quick demo here of of how to use the tool um so that if you want to play with it um that you can okay so let's go over here um
13:42
so I have a little bit of test code here uh it creates a new file called secret file it writes to that file just writes the word blah to it and then it checks to see if that file exists or not and then just to clean it up we delete it so if I go ahead and run this um of course it works um I just ran it with the normal runtime nothing's changed um
14:05
but what we can do is actually override this so I'm gonna extend the um file class and um okay so we've extended we can use eclipse to kind of help us out here we need a constructor okay no problem eclipse you can generate that for us um I want to merge
14:24
this let's see uh merge type okay I want to merge this into the file class and what I want to do is override the exist method so that if the file name is secret file I'll just tell you it doesn't exist even though it does we can still write to it we can still read from it okay so I'm gonna use another annotation this is just a basic Java annotation it
14:44
checks to make sure that the method we say we're overriding is actually a method that we're gonna override um and this is the exist method so public boolean exists and we have to return something so I'm just gonna return false for now okay and um so let's let's
15:04
check to see if the file name is a secret file so let's see uh let's let's first say if it's a file um and not a directory for instance um and the name is secret file then
15:21
we'll just say nope no it doesn't exist trust me um otherwise let's just use the default behavior right so the default behavior um is the method that we're going to replace so I'm just gonna return the original method so I'm gonna use the super call for that um so this will later get rewritten so that um all of this works okay uh and then
15:44
we also have to say I want to merge this method into the uh oh there we go okay um now there's an eclipse builder built into it um so yeah I guess I should first say you'll create a new project so you can do new uh other and then there's a jre reframeworker
16:04
project there's support for other things too um and uh that'll set up the class path everything like that so as you're developing here you're not actually you'll be manipulating your runtime but you're not gonna actually affect it we're just gonna do it locally and then we'll just kinda hot swap it at runtime um so I'm gonna go ahead and
16:21
build this project here um don't have a incremental builder yet so you have to do a build clean but things are coming it's a work in progress okay so uh we're building down here the progress um we'll hope it works here uh pray to the demo gods okay so we run it uh with the normal runtime it says true but now we're gonna run it with our manipulated
16:41
runtime and it says false so it worked okay um but we know that that file exists because we wrote to it right so weird okay um now let's take a look at what happened under the hood so I'm gonna load up uh just a uh jtgui just an easy java decompiler here um and let's decompile the modified runtime just to see what's in there so I'm gonna go
17:03
to java file io um go down to file and I will search for let's search for the exists method exists nope okay so here's the original method um and all we did was
17:23
rename it so that we can call it later and then if we can find the other exists okay so here's our new one it's the code that we just wrote and the recall to super now just calls our other method which we um made private so that nobody can see it anymore okay
17:45
so I'm gonna quit that we'll go back to the slides here um so really easy right we can test this we can run it oh I guess I could say um if we don't want if we want to actually debug this uh in our test code we could go back over here instead of invoking the file
18:01
we could just try our our normal one so if we want to set breakpoints stuff like that we can just debug it locally without actually manipulating the runtime uh and then um once we're confident with it we just change the target manipulate the runtime and everything will work fine okay so now we're gonna have a little bit of fun right we have a framework we can just start manipulating things so this is um this is just kind of a fun
18:24
one um what I'm doing is overwriting the print stream object uh yet again um this time we define a new field um it's a integer called beetlejuice and um every time the Prinsolin method is called we look at the stack trace so we're looking to see who
18:40
called us right um and if there was a method named beetlejuice we increment that counter and if the counter is three then we call this call and we'll see what that call does in a minute so we have to now think about what would trigger this code right so we have um a
19:03
method named beetlejuice and we're going to uh invoke it three times and uh we're going inside beetlejuice there's a call to Prinsolin so we'll trigger that code and uh it'll go beetlejuice beetlejuice beetlejuice um if we run this normally it's not very interesting um
19:22
because actually let me skip forward just a little bit since we already explained all that okay uh if we run this normally uh it's not very interesting it just prints the hash code of the tim burton object um I'm a fan of beetlejuice anyway um but if we run this with our modified framework yes so someone has ported uh all of doom to uh pure
19:49
java and uh just as um just as you know a test um of how much complexity we can shove into the runtime why not just shove the whole video game in there um so it about doubles the
20:00
size of your runtime but that's okay um but what's fun is um you know our client can have kind of fun little triggers you know of what of what we want it to um of how we want to trigger it so here's another one um oh okay I'm gonna reordered my examples here okay so um this one is just kind of uh to show off the other things so normally if you call
20:24
the string replace method it doesn't modify the variable that it's operating on uh so the receiver variable it doesn't modify that so in this case demand replace sacrifice with puppy then um you know it wouldn't do anything so the the normal behavior was you know it would just say satan demands a puppy or sorry it demands a sacrifice but if we
20:44
make strings mutable and we make this actually modify the behavior then string replace works like how some people think string replace works uh and actually prince satan demands a puppy so um this one's tricky um because a string is sometimes treated like a
21:01
primitive object so you shouldn't have to extend the string class so they make it a final class um and you want to be able to treat it as mutable so you can make those assumptions when you're programming um so they actually make the the value of the string a protected uh sorry a private field and a final field itself uh so that you can't change it
21:22
but of course we control the runtime so we can easily uh update that we just say nope string's not final nope the value field is not final and hey well let's make it protected so that we can actually manipulate it and play with it um okay so uh we can do all sorts of fun things so I just kind of went crazy there's a whole bunch of modules that
21:41
had to cut from this talk just for time reasons um but I'll release them all on the github repo right after this um so this one uh is it takes whenever someone loads an image like a jpeg or something in the in a java gooey uh they have to access the raw data of the image so this just basically adds a hook that says um before you access
22:03
that image why don't you pixelate it for us um and why would we want to do that well for the glory of satan of course um and of course we control the pixelation so we can just make this as pixelated as we want um here's another fun one I really like um so this was this
22:20
came from a talk and was partially the inspiration for this talk um was I was trying to to say you know what's the difference between you know how do we detect malware if we don't have a definition of malware um so in this case I wrote a spell checker and the spell checker was just a normal spell checker and then I went through and I inverted all the
22:40
logic right so what do we have now something that creates typos right it just creates kind of realistic typos follows the same sort of rules they're just all backwards um and then what we can do is we can hook this into a key event um so that the faster you type the more typos we create and then as you slow down we start to behave again right so it's just kind of killing your productivity um and it's really annoying um in fact
23:04
the first time I I tested this uh I didn't realize that Windows has two different runtimes a 64 bit and a 32 bit and um I was trying this I was trying this and I I just couldn't get it to work uh and I was running on the command line uh and then I went back to eclipse and I realized um it's working it's just working on the run wa wrong runtime
23:24
okay so I have a I have a demo of this um so you can you can tweak the parameters this one's actually better to run um in some sort of test harness so you know what typo is mine and which one's not because I'm trying to type as fast as I can so when it turns red it's typing it's creating typos and then as I slow down it starts to behave
23:41
again um and uh and everything's fine so um you can kind of play with you know with the sliding average to see how devious you want to be there's lots of parameters there um so that one's kind of fun okay back to slides okay um so now um I really liked
24:03
this idea um so people will think about um you know we we have a CVE and um you know we want to create antivirus to detect the CVE or to detect the malware right but what is malware um so I like I like this CVE I I I've gone through this a few times now and and I
24:22
really recommend if it if anyone hasn't just pick a CVE and try to just understand as much about that CVE as you can and you know go through try to recreate it yourself um it's a lot of fun and you learn a lot of things so this one was um really popular there was a mesplate module it worked on basically every platform uh the original bug was in Oracle
24:42
itself so people like Apple uh copied it into their runtimes uh and uh you know it was exploited in the wild and people were just having all sorts of fun with this um and I think that's you know probably one of the reasons Chrome doesn't ever let you run an applet anymore but um so we have an existing exploit for this um and and I wanted you
25:03
know I did an experiment a little while ago uh about two years ago just to see you know how could I you know just change this a little bit just to get past AV so we all know AV is bad right you know it's it's hard to write good AV I've tried um but anyway so let's just see you know what are all the different anti-viruses doing so I
25:21
created um you know I took the original proof of concept um that was reverse engineered from the from the malware in the wild um I upload so this is 2014 I uploaded it to virus total and um you know 30 out of 55 people detected this and this is two years after you know after the exploit was out so you know not not great um but then let's
25:43
just start refactoring a little bit so start changing the class names the variable names and we we lose two people right off the bat right we lose two AV right off the bat uh we start just obfuscating strings so if you know we have a string we just break it up and concatenate it so you know now the AV has to kind of reassemble that or do some
26:01
symbolic execution something like that we can change the control flow so we can start merging methods splitting things into multiple methods add dummy um if branches stuff like that um and that one didn't seem to do too much so nobody was really looking too hard at control flow um but then what we can do is start looking at okay well what are the key APIs that people are um you know that people are keying off of and let's just use
26:26
reflection or another layer of indirection to call those um so that um you know so we throw them off and we lose a bunch of people right away but of course we we can do way better we could just um you know put the whole class into a string XOR with just a
26:41
simple key just a one byte key uh and then load it with a class loader at run time and run it and so nobody gets that um okay so not a big deal uh if you guys want to play with this yourself the all the source there for for all the different versions is online um so I did this two years ago which was two years after the exploit came out I decided
27:01
let's just do it again one more time um so I run it again and uh well we got a new anti-virus in the game um and six more people found it but it's there's still you know like twenty people out there that I can't find this um changing the class names so we actually got a little bit better right um things like changing the class names nobody's keying off of
27:21
those sort of things anymore obfuscating strings still works a little bit um the reflective invocation still helps but still nobody can get the XORing thing and that's that's a hard problem I don't blame them um but it's just that easy right anyway um so why don't you know I was kind of bummed out this this this bug doesn't exist anymore it was used lots
27:42
in Java one seven um they fixed it but hey we control the run time so let's just put it back in right and so I call this the reverse bug patch um so yeah so I I I'd love to automate this um and so someday anyway um so the the fix was really really easy um so I
28:05
started first I started um downloading all the versions of Java um and then uh started doing differencing on them and you see the fix is um they just add uh two calls in um in the class finder uh object to check package access and this was because um basically someone
28:25
was able to use reflection to avoid a security check by um kind of tricking um tricking the run time into thinking that the call was coming from a different origin so we just add this check and we're fixed um there's another another check that was added to method finder this this CVE actually consisted of two different vulnerabilities that were used
28:43
together so we had two separate bug patches um and then they uh removed a a field uh I thought it was a different method that we were using for the exploit um so no big deal we'll just put them back in for you uh and uh of course you know if you want to upload
29:02
malware to a target yeah that's fine but why not just upload a vulnerability and then come back and exploit it again later right because if we know we can't detect the vulnerability then we left ourselves kind of a nice back door uh and we have lots of examples of great vulnerabilities that nobody's looking for um so of course I mean this
29:21
was expected you upload this to virus total the you know this modified run time and nobody's going to detect this so we're not looking for the vulnerabilities we're looking for the exploits um okay so maybe some good uses um for this so this was a um a master's project that um I helped a student with at Iowa State um so he was looking at
29:43
things like can I take old uh SCADA HMI applications and secure them somehow um and so if we have a SCADA HMI application a lot of these happen to be Java applets which would communicate with some back end server um so he started creating things like uh kind of a smart intelligent firewall application level firewall um that would wrap the wrap the
30:04
server but then we need a way to if you know if we want to do something like support two factor authentication we need a way to um give some sort of feedback to the application so that the application can prompt the user for their their token and then feed that back to the firewall um and we can also do some things like add some profiling
30:23
logics we can do something kind of like active defense so um we can we can of course those could be disabled but uh it's just nice to be able to to add another layer of authentication so in this case um we have this this SCADA application we don't have the source code to it um but that's not too hard because we can just find the object
30:41
you know maybe that controls this alarms list and say we want to add additional security around this alarms list we can uh we can add you know um the two factor authentication which uh lets you through the firewall uh just to access the alarms list data um so in this case um it's just a real simple couple lines of code um with some JSON that
31:02
passes the the result back and forth um but we can add this prompt and secure this this um this application so uh I added support to JRE frameworker to modify applications as well um there's some really early basic support for Android stuff um that one's really early because you have to go through some additional tool chains um but let's talk a
31:24
little bit about the mitigations so how are we gonna you know I'm trying to make this project I'm making things a little bit worse by making it easy for everyone to write these um so let's talk about the mitigations um okay so does anybody see anything wrong with this picture this is our file example before okay so um if we look at
31:46
the line numbers these are these are added by the compiler for things like decompilers or debugging um adding to the stack trace you know what line you crashed on um but you can see in my framework I wasn't too too worried about being super stealthy I just wanted it to work um but when I inserted the new the new method you know I didn't go
32:06
back and recalculate the line numbers so you can see at the end we're at the the end of the file and it's like line two thousand something and now we go line to eighteen nineteen twenty one and then we're back to like two thousand something again right so there's lots of fingerprints that um the runtime's gonna get added uh you know if you
32:23
if you're not manipulating byte at the byte level some tool's gonna add some fingerprints um as a as a result of its manipulations um so we can start to look for these things um so the easiest way is probably you know have a baseline of all the files on your system and know when they should be changing did you run java update no then why
32:44
the hash change right um but of course we can you know we've rooted the box so it's kind of game over for you anyway um because maybe I'll just backdoor the java updater and after you update java I'll re-manipulate things again right um so we we can have a lot of fun with this um another kind of fun indicator was um the java runtime is about fifty
33:07
megabytes but after I manipulate it it's about twenty five megabytes which is weird but it's just because I'm using a different compression ratio so I could try to match the compression ratio of the original library um but it doesn't matter the jar file's a zip
33:22
file so it still works um but those these are some of the indicators that you can look for uh when you rename the the methods uh to to kind of preserve the old behavior by just renaming methods so um you could just look for that easy prefix uh I have a preferences menu if you want to change that prefix and not use uh this default
33:41
jref underscore um that's up to you but you know there's still going to be kind of a pattern you could count the number of methods and know the number of methods in each class file and expect you know it's going to kind of grow at this rate with each update um and if you see a huge spike then you should know why right um okay and of course we can use all sorts of code complexity metrics um but yeah we'll have fun with that
34:04
later so the biggest thing is being aware of it right so if you're a forensic investigator um and things are behaving weirdly you might want to look at something like this um and this is generally an awareness project um you know era's talked about this about six years ago and I was really surprised that nobody else had really done
34:24
anything with this sense um so hopefully by you know lowering the barrier to entry people can play with this more uh and will be more aware of it as a as a community um so my biggest point was you know if I could do this as an evening hobby anybody could be doing
34:44
this right and if we're not thinking about it that's a problem okay so I have some Q and A um and if I have tons of time left I have more modules I can go through um but I'm happy to take questions um I just have this this kind of closing poem by Robert Frost which basically is my way of saying um there's a lot of work left to do on this um I'd
35:05
like to support quite a few more things I'd like to look at other languages um so the Java Virtual Machine itself I'll come back to this but the Java Virtual Machine itself um isn't just for Java it supports lots of languages in fact there's you know uh Invoke Dynamic was uh kind of originally added uh to support things like Jython um with all their
35:24
kind of uh dispatching but um if we can manipulate the Java runtime itself we can start to kind of branch out and start to consider other things so things like JRuby will just call into the the Java runtime jars to kind of reuse those languages so you can mix and
35:40
match things so if you have um a JRuby website you can start to manipulate it that way um and so I just want to say that it's not just about Java um there's lots of managed languages out there and they're all gonna have the same sort of issue okay um so the source code's out there um if you're interested please play with it make feature
36:01
requests I'm happy to support it um and I'd like to keep working on this um so thank you very very much for coming I'm happy to take any questions you have um thank you yeah that's
36:41
fine. Hello. Hi. So if you're modifying SCADA devices perhaps to improve the security by playing with their Java runtime libraries then the opposite question comes up how in the
37:18
world is it easier for the good guy than the bad guy? Yeah um so I think this would be
37:27
something you would want to do I mean you would do this in house right you would have a specific need for this application that you you don't have the source code to this for whatever reason and you want to you want to add this feature or add this new building this is a way that you could sorry you could um modify that binary and then sign it and you
37:47
know keep track of that hash in your in your deployment system so it's I mean it's just it's I'm not necessarily advocating that you should do this it's just that you could use it for this purpose. Okay so I'd have to have like um a standardized deployment. Yeah I
38:04
mean if you're deploying this if you're deploying this this already you should have some some system in place for how you're going to deploy it um you know of course if the application's signed you're going to have to re-sign it with your own your own application key and keep track of that because you're not I mean you're not going you're
38:23
going to violate the the hashes and the manifest by doing this. Thank you. Have you tried to circumvent the the requirement that cryptographic providers be signed so you put in your own like key generator class in the uh JRE have you tried to do anything like that?
38:43
No I haven't played with that too much I I basically just got it working then played with a few modules um are you talking about like the the class loader stuff or like applet security? Um where are you talking about with the key the key signing? Okay if you're creating a uh security provider that provides like key generator. Yep. And you want to
39:03
use it that has to be uh signed by Sun Oracle. Right. And so you have that jar in the JRE lib ext directory you have in Java dot security. Yeah no I haven't tried to you know bypass like the key signing on the manifest anything like that um what I did was if
39:21
it was signed basically I just blow away the manifest re-sign it with my own key. Yeah now you're modifying the JRE and not the application jar. Yeah the JRE is actually not signed. Right. Yeah. So you could patch that and if key generator there's key generator and key generator spy which the security security provider provides. Yeah
39:40
that would be interesting I haven't tried that. Yeah that's a good idea. Hopefully not. Hahaha. Do you provide a way to uh modify the static part of the code? To modify the
40:06
stack. So underneath it's using ASM. So um if there's things like uh say you add a parameter to a method you've changed the the stack size on the call. So in that case you have it recomputes the stack when it makes the modifications. So that part is
40:24
handled by the ASM library. It's a pretty pretty robust library it's used in a lot of things. Can you ask it again? So oh if you can't extend it because it's marked final.
40:47
Yeah so in that case there's an annotation I used to just call it sorry I'm losing my voice um I used to just call it not final um but in this case it's just uh define finality true or false. So in that case like string was marked final you can't extend the
41:03
class but now you first run you first mark it as uh not final and then uh compile it once now you can compile it against it again uh and extend it add your feature and then compile it one more time. So there's you can have multiple passes if you want.
41:21
It's not final it's only static so it's. Oh yeah you can you can change the whether or not something's static um oh actually no you can't um because if it's not static you've changed quite a few things. You if you want it to not be static I would either just declare a member variable um that you're gonna use for that uh if you make
41:42
something not static you're gonna impact quite a few things um not sure I'm actually not sure what the use case for that would be um but if you have one I can look into to making that yeah. Yeah so right now I don't handle um the static initializers so um you
42:06
can it just gets kind of tricky when you start playing with the super calls. Um it's it's something there's there's actually this white paper right here um talks about a one way that you can do that if you wanna merge say two constructors or um merge the static
42:21
initializers of two different block uh two different classes um that's something that has been done before um I just haven't I didn't need it for any of the the examples that I did today. Yep okay well thank you guys for coming I appreciate it.