27:55 REcon English 2015

Glitching and Side-Channel Analysis for All

Side-channel power analysis and glitching attacks are devious methods of breaking embedded devices. Recent presentations (such as at RECON 2014) have shown that these attacks are possible even with lower-cost hardware, but they still require a fair amount of hardware setup and experimentation. But we can do better. This presentation sums up the most recent advances in the open-source ChipWhisperer project, which aims to bring side-channel power analysis and fault injection into a wider realm than ever before. It provides an open-source base for experimentation in this field. The ChipWhisperer project won 2nd place in the Hackaday Prize in 2014, and in 2015 an even lower-cost version of the hardware was released, costing approximately 200. Attacks on real physical devices are demonstrated, including AES peripherals in microcontrollers, Raspberry Pi devices, and more. All of the attacks can be replicated with standard lab equipment – the demos here will use the open-source ChipWhisperer hardware, but it’s not required for your experimentation.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:02:44 REcon English 2015

Abusing Silent Mitigations

In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap. This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.
  • Published: 2015
  • Publisher: REcon
  • Language: English
58:57 REcon English 2016

Breaking Band

In recent years, over-the-air exploitation of cellular baseband vulnerabilities has been a recurring topic in the security community as well as the media. However, since “All Your Baseband Are Belong To Us” in 2010, there has been little public research on exploiting cellular modems directly. Now, Breaking Band is back with a new season by popular demand. We will describe our methodology for reverse engineering the RTOS, starting from unpacking proprietary loading formats to understanding the security architecture and the operation of the real-time tasks, identifying attack surfaces, and enabling debugging capabilities. Through this, we’ll give you a complete walkthrough of what it takes to go from zero to zero-day exploit, owning the baseband of a major flagship phone, as we have done at Mobile Pwn2Own 2015.
  • Published: 2016
  • Publisher: REcon
  • Language: English
28:09 REcon English 2016

Monitoring & controlling kernel-mode events by HyperPlatform

We will present HyperPlatform, an advanced system monitoring platform for the Windows operating system (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides fast monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work. Even nowadays, there are no suitable tools for many researchers to analyze kernel-mode code. The steady growth of ring0 rootkits requires a fast, undetectable and resilient tool to monitor OS events for all protection rings. Such a tool will significantly contribute to reverse engineering. While existing virtualization infrastructures such as VirtualBox and VMware are handy for analysis by themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system-critical memory regions and registers. These tools are, however, proprietary and not available for everyone, or too complicated for most engineers to extend. HyperPlatform is a thin hypervisor which has the potential to monitor the following: access to physical and virtual memory; function calls from user and kernel mode; code execution at instruction granularity. The hypervisor can be used to monitor memory for two typical use cases. The first is monitoring access to specified memory regions to protect system-critical data such as the service descriptor table. The second is recording any type of memory access from a specified memory region, such as a potentially malicious driver, to analyze its activities. Also, HyperPlatform is capable of monitoring a broad range of events such as interrupts, various registers and instructions. Tools based on HyperPlatform will be able to trace each instruction and provide dynamic analysis of executable code if necessary.
We will demonstrate two examples of adaptations of HyperPlatform: MemoryMon and EopMon. MemoryMon is able to monitor virtual memory accesses and detect dodgy kernel memory execution using EPT. It can help rootkit analysis by identifying dynamically allocated code. EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process with a stolen system token by utilizing the hypervisor’s ability to monitor process context switching. Implementing those functions used to be challenging, but now it can be achieved more easily than ever using HyperPlatform.
  • Published: 2016
  • Publisher: REcon
  • Language: English
1:05:47 REcon English 2015

"One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation

Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild. Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs. In this presentation, we will outline the current state of the art with regards to font security research, followed by an in-depth analysis of the root cause and reliable exploitation process of a number of recently discovered vulnerabilities, including several full exploit chains.
In particular, we will demonstrate how a universal PDF file could be crafted to fully compromise the security of a Windows 8.1 x86/x64 operating system via just a single vulnerability found in both Adobe Reader and the Adobe Type Manager Font Driver used by the Windows kernel.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:07:51 REcon English 2015

Breaking Bad BIOS: Attacking and Defending BIOS in 2015

In this presentation we will demonstrate multiple types of recently discovered BIOS vulnerabilities. We will detail how hardware configuration is restored upon resume from sleep and how BIOS can be attacked when waking up from sleep using "S3 resume boot script" vulnerabilities. Similarly, we will discuss the impact of insufficient protection of persistent configuration data in non-volatile storage and more. We'll also describe how to extract the contents of SMRAM using the above vulnerabilities and advanced methods such as graphics aperture DMA to further perform analysis of the SMM code that would otherwise be protected. Additionally, we will detail "SMI input pointer" and other new types of vulnerabilities specific to SMI handlers. Finally, we will describe how each class of issues is mitigated as a whole and introduce new modules to the CHIPSEC framework to test systems for these types of issues.
  • Published: 2015
  • Publisher: REcon
  • Language: English
38:12 REcon English 2015

Understanding the Microsoft Office Protected-View Sandbox

The first part of this talk will sketch the Protected-View sandbox internals by discussing its architecture, its initialization sequence and the system resource restrictions. The second part will discuss the Inter-Process Communication (IPC) mechanism, including the mode of communication, the undocumented objects involved, the format of IPC messages and the semantics of selected IPC messages.
  • Published: 2015
  • Publisher: REcon
  • Language: English
19:34 REcon English 2017

Your Chakra Is Not Aligned

Microsoft Chakra is the new JavaScript engine on the block, and the bugs are pouring in. This presentation discusses techniques for finding bugs in a ‘fresh’ ECMAScript engine. When standards are implemented, design decisions are made that can affect security for years to come. This talk describes some of the implementation details of Chakra and how they led to specific bugs, as well as some ideas for finding future bugs. Recommended for people who want to find more or better browser bugs!
  • Published: 2017
  • Publisher: REcon
  • Language: English
25:27 REcon English 2017

Contributor analysis

Contributor analysis is a simple cryptanalysis technique which allows detecting and attacking blatantly broken cryptographic algorithms and implementations. Although the technique is inspired by the techniques employed by algebraic approaches, it aims at being much simpler to understand and reason with, making it possible not only to automate the testing but even to run tests using pen and paper. In this talk we will introduce the participants to this technique, explain briefly the theoretical principles that make it work and how it relates to algebraic cryptanalysis, and then explain how to handle contributor lists with different common operations. We will explain how these lists can be used to mount an attack, therefore proving why a successfully attacked cipher can be considered broken. Finally we will show some simple examples of ciphers affected by these techniques. No mathematical or cryptographic knowledge is needed to follow this talk, although some programming or computer architecture knowledge is recommended.
  • Published: 2017
  • Publisher: REcon
  • Language: English
1:05:44 REcon English 2017

Baring the system: New vulnerabilities in SMM of Coreboot and UEFI based systems

Previously, we discovered a number of vulnerabilities in UEFI-based firmware, including software vulnerabilities in SMI handlers that could lead to SMM code execution, attacks on hypervisors like Xen and Hyper-V, and bypassing modern security protections in Windows 10 such as Virtual Secure Mode with Credential Guard and Device Guard. These issues led to changes in the way the OS communicates with SMM on UEFI-based systems and to the new Windows SMM Security Mitigations ACPI Table (WSMT). This research describes an entirely new class of vulnerabilities affecting SMI handlers on systems with Coreboot- and UEFI-based firmware. These issues are caused by incorrect trust assumptions between the firmware and the underlying hardware, which makes them applicable to any type of system firmware. We will describe the impact and various mitigation techniques. We will also release a module for the open-source CHIPSEC framework to automatically detect this type of issue on a running system.
  • Published: 2017
  • Publisher: REcon
  • Language: English
1:05:04 REcon English 2017

Getting Physical with USB Type-C: Windows 10 RAM Forensics and UEFI Attacks

  • Published: 2017
  • Publisher: REcon
  • Language: English
57:44 REcon English 2016

How Do I Crack Satellite and Cable Pay TV?

Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top-boxes across North America. From circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that have remained secure after 15+ years in use. Topics include: chemical decapsulation and delayering of ICs in acids, microphotography and optical bit extraction of ROM, binary analysis using IDA and homebrew CPU simulators, datalogging and injection of SPI and serial TS data, designing and using a voltage glitcher, extracting secret keys from RAM of a battery-backed IC, analyzing hardware-based crypto customizations, studying undocumented hardware peripherals, MPEG transport streams and non-DVB-standards, QPSK demodulation, interleaving, randomization, FEC of OOB (out-of-band) cable data. The result is knowledge of the transport stream scrambling modes and knowledge of the conditional access system used to deliver keys. Strong and weak points are identified, advanced security features implemented nearly 20 years ago are compared to modern security designs. A softcam is designed and tested using free software, working for cable and satellite TV.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:47 REcon English 2016

Visiting The Bear Den

During the last two years, three cheerful chaps tracked one of the most prolific espionage groups out there. The group in question created a complex software ecosystem – composed of tens of different components – and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
  • Published: 2016
  • Publisher: REcon
  • Language: English
1:00:19 REcon English 2016

Google: Process Failure Modes

Creating processes on Windows is fraught with danger. There are many things that could go wrong. This is even more true when dealing with creating processes in system services under the behest of the user. At best making a mistake could result in creating processes from files the user can’t access, at worst they get system privileges. This presentation will go into detail on how processes are created in Windows and the many ways that it can go horribly wrong. I’ll discuss some of the shortcomings of the Windows process and Session models and how that can be abused to elevate privileges. Throughout I’ll provide examples of vulnerabilities and exploitation techniques I’ve discovered (some of which won’t be fixed any time soon) with clear anti-pattern examples to aid in discovering similar vulnerabilities. One of the issues I’ll discuss is the complexities around one of my most recent project zero blog posts (specifically raising dead) which dealt with session creation and stuck processes. Some of the other topics I’ll include are: process creation internals; process creation w.r.t. impersonation; session hopping; dangerous creation patterns.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:38 REcon English 2016

Hardware-Assisted Rootkits and Instrumentation: ARM Edition

Security researchers have limited options when it comes to debuggers and dynamic binary instrumentation tools for ARM-based devices. Hardware-based solutions can be expensive or destructive, while software tools are often restricted to user mode. In this talk, we explore a common but often ignored feature of the ARM debug architecture in search of other options. Digging deeper into this hardware component reveals many interesting use-cases for researchers ranging from debugging and instrumentation to building a novel rootkit. First, we will shine a spotlight on a debug interface that dates back to ARMv6, and demonstrate how to control it from software in order to instrument code in normal world. We will introduce a prototype toolkit with IDA plugin that can perform real-time tracing, code coverage analysis, and more, of the Android kernel on COTS smartphones without requiring virtualization extensions or special hardware. Next, we will compare implementations of this hardware unit across multiple chipset vendors, and discuss applicability to other ARM CPUs found in your phone like WiFi and cellular basebands. The second half of our talk will add new meaning to the phrase “hardware-assisted rootkit”. Abusing this same debug interface we will have some fun with the Krait architecture in order to demonstrate a kernel-level rootkit for Android that can bypass the current state of the art in rootkit detection. We’ll discuss hijacking exceptions, interacting with TrustZone, and methods for detecting this unconventional rootkit. Finally, we will wrap up highlighting a use-case for exploit mitigations on embedded systems.
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:51 REcon English 2016

Shooting the OS X El Capitan Kernel Like a Sniper

OS X El Capitan has introduced new exploit mitigations to the kernel. Such mitigations include the “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on new models of MacBook Pro), etc. Combined with the existing modern OS exploit mitigations like kASLR and DEP, exploiting the OS X El Capitan kernel became harder. Approaches to defeat those new mitigations were discovered by security researchers in late 2015, but most of them have additional prerequisites on either the bug or the environment. For example, the technique to overwrite the size of vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), and some of the techniques require creating a specific user client, which is prohibited for sandboxed processes (Safari WebContent, Chrome sandbox, etc.). In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal to all OS X kernels and doesn’t demand much of bug quality. Only a single write (not necessarily of an arbitrary value) is needed to pwn everything (including info leak, kASLR, DEP, SIP, SMAP bypass). The new technique will be illustrated by a live remote root demo during the talk.
  • Published: 2016
  • Publisher: REcon
  • Language: English
52:15 REcon English 2016

Dangerous Optimizations and the Loss of Causality

Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.
  • Published: 2016
  • Publisher: REcon
  • Language: English
34:17 REcon English 2016

Black box reverse engineering for unknown/custom instruction sets

Have you ever come across a firmware image for which you couldn’t find a disassembler? This talk will cover reverse-engineering techniques for extracting an instruction encoding from a raw binary with an unknown/custom instruction set. The main focus is on static techniques and features of firmware images that you can use to your advantage–but some dynamic techniques will be covered as well.
  • Published: 2016
  • Publisher: REcon
  • Language: English
58:43 REcon English 2016

Go Speed Tracer

The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample based mutation and model based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis including code coverage analysis, constraint solving, and sampling/profiling based feedback mechanisms. Novel contributions in this talk include:
- Opensource Windows Driver enabling Intel “Processor Trace”
- DBI based tracing engine for Windows/Linux/OSX binaries
- American Fuzzy Lop with full support for Windows binary targets
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:48 REcon English 2016

Abusing the NT Kernel Shim Engine

The Kernel Shim Engine is the kernel’s analogue to the user-mode shim engine (ShimEng). Although the latter has now had some pretty good research done on it, the KSE remains a mystery. First introduced in Windows XP as merely a Plug-and-Play compatibility layer for custom registry flags, it morphed into a nearly full-blown Shim Engine implementation, with the ability to misuse it for both persistence and stealth hooks in the kernel. In this talk, you’ll learn how to use the KSE for hooking drivers (dispatch tables, IRPs, and entrypoints) as well as kernel APIs, both legitimately and illegitimately. You’ll also see some WinDBG scripts & techniques for detecting and enumerating installed kernel shims for forensic purposes. Finally, a tool called DriverMon is planned for release at the conference, which uses the KSE to provide ProcMon for Drivers.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:38 REcon English 2016

Reverse Engineering ISC controllers

  • Published: 2016
  • Publisher: REcon
  • Language: English
43:27 REcon English 2016

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors

There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector. We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna. Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.
  • Published: 2016
  • Publisher: REcon
  • Language: English
46:44 REcon English 2016

When Governments Attack

Targeted malware campaigns against activists, lawyers and journalists are becoming extremely commonplace. These attacks range in sophistication from simple spear-phishing campaigns using off-the-shelf malware, to APT-level attacks employing exploits, large budgets, and increasingly sophisticated techniques. Activists, lawyers and journalists are, for the most part, completely unprepared to deal with cyber-attacks; most of them don’t even have a single security professional on staff. In this session Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational details of malware campaigns against activists, journalists, and lawyers around the world, including EFF. They will also present brand new research about a threat actor targeting lawyers and activists in Europe and the Post-Soviet States. With targeted malware campaigns, governments have a powerful tool to suppress and silence dissent. As security professionals we are in a unique position to help in this fight.
  • Published: 2016
  • Publisher: REcon
  • Language: English
47:41 REcon English 2016

More Flash, More Fun!

Adobe Flash is a popular target for attackers in the wild. This presentation describes my research into Adobe Flash, which discovered over a hundred vulnerabilities in the software. It details some strategies for finding bugs through code review, fuzzing and reverse engineering and provides examples of bugs discovered using these methods. It also examines recent exploits, and how they bypass new Flash mitigations.
  • Published: 2016
  • Publisher: REcon
  • Language: English
52:10 REcon English 2015

Totally Spies!

For some months now, there have been rumors of cartoon-named malware employed in espionage operations. It actually started in March 2014 with a set of slides leaked from the Communications Security Establishment Canada (CSEC) -- Canada's equivalent of the NSA. CSEC then described to its spook friends a malware dubbed Babar by its authors, which they attributed "with moderate certainty" to a French intelligence agency. The group behind Babar is now commonly referred to as "AnimalFarm" in the antimalware industry, because Babar was only a small piece of a much bigger puzzle. Since the CSEC slides' publication, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following AnimalFarm's trail. Along its path, this group found several pieces of AnimalFarm's arsenal, for example stealthy Casper, exotic Bunny and even big-ears Babar itself. This presentation aims at presenting the results of this group's research. In particular, we will provide a global picture of AnimalFarm's operations, and also delve into technical quirks of their malware. We will also explain how we assessed the connection between their various pieces of software from a code reverse-engineering perspective, and what technical hints we found regarding attribution.
  • Published: 2015
  • Publisher: REcon
  • Language: English
40:23 REcon English 2015

Finish Him!

For a decade from the early 90's to the early 2000's, Williams' Digital Compression System (DCS) audio hardware reigned supreme in arcades and casinos, providing amazing sounding music, voice-overs, and effects, blowing competing systems out of the water. This talk will reverse the DSP hardware, firmware, and algorithms powering the DCS audio compression system, used on Midway coin-ops and Williams/Bally pinballs, like Mortal Kombat II/3/4, Killer Instinct 1/2, Cruis'n USA, and Indiana Jones, among others. A tool called DeDCS will be presented, which can extract, decompress, and convert the proprietary compressed audio data from a DCS game's sound ROMs into regular WAV format, taking you back to '92, when you tossed that first quarter into MKII, and Shao Kahn laughed in your face...
  • Published: 2015
  • Publisher: REcon
  • Language: English
45:41 REcon English 2015

This Time Font hunt you down in 4 bytes

In our recent work we also targeted win32k, which seems to be a fruit-giving target. @promised lu made our own TTF fuzzer, which came with a bunch of results in the form of gigabytes of crashes and various bugs. Fortunately Windows did great work and in February most of our bugs were dead (patched), but not all of them… What was left looked like seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check it out, and finally combined it with our user-mode bug & EMET bypass. Through IE & Flash we broke down the system and pointed out weak points in the defensive mechanism. In this talk we will present our research dedicated to the pwn2own event this year. We will describe the kernel part of the exploit in detail, including the bug description and the resulting memory corruption conditions & caveats, up to the final pwn via one of our TTF bugs. Throughout the talk we will describe how to break various exploit mitigations in the Windows kernel and why it is possible. We will introduce novel kernel exploitation techniques breaking all that stands in the way and bring you SYSTEM exec (from kernel driver to system calc).
  • Published: 2015
  • Publisher: REcon
  • Language: English
34:25 REcon English 2016

Sol[IDA]rity

Reverse engineering is an exercise of exploration and digital cartography. Researchers slowly unearth bits and pieces of a puzzle, putting them together to better understand the bigger picture. Binaries, like puzzles, can be put together much faster in collaboration with others. And with services such as Google Docs, Office 365, or Etherpad, it is easy to recognize the power and effectiveness of real-time collaboration in the digital space. Unfortunately, reverse engineering as many know it today is almost exclusively an individual experience. Our present reversing tools offer little in the way of collaboration among multiple users. This can make reverse engineering tedious and wasteful in a fast-paced team setting. In this talk we’ll be publicly unveiling Sol[IDA]rity, the newest collaborative solution for the popular disassembler IDA Pro. What started as a simple plugin to sync IDA databases between users in real-time, soon evolved into an interconnectivity platform for IDA with endless potential. Join us for a glimpse at the latest generation of collaborative reverse engineering.
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:22 REcon English 2017

Harnessing Intel Processor Trace on Windows for fuzzing and dynamic analysis

This talk will explore Intel Processor Trace, the new hardware branch tracing feature included in Intel Skylake processors. We will explain the design of Intel Processor Trace and detail how the current generation implementation works, including the various filtering modes and output configurations. This year we designed and developed the first open-source Intel PT driver for the Microsoft Windows operating system. We will discuss the architecture of the driver and the large number of low-level programming hurdles we had to overcome throughout the development of the driver to program the PMU, including registering Performance Monitoring Interrupts (PMI), locating the Local Vector Table (LVT), and managing physical memory. We will also introduce the new features of the latest version, like IP filtering and multi-processor support. We will demonstrate the usage of Intel PT in Windows environments for diagnostic and debugging purposes, showing a “tracing” demo and our new IDA plugin, able to decode and apply the trace data directly to the visual assembly graph. Finally we discuss how we’ve harnessed this branch tracing engine for guided fuzzing. We have added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware-supported engine for targeting binaries with evolutionary fuzzing. In addition we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution.
To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.
  • Published: 2017
  • Publisher: REcon
  • Language: English
37:58 REcon English 2017

Reverse Engineering: Satellite Based IP Content Distribution

The presentation will cover reverse engineering a satellite-based IP content delivery system. These systems are generally used for moving digital media (such as movies and video on demand) but can also be used for digital signage and any other type of files. The presentation will touch on all aspects of reverse engineering, from satellite reception, packet analysis and forward error correction reverse engineering (along with an explanation of the math), to the difficulty of dealing with the extremely high, constant bitrates on an off-the-shelf Linux PC. The end result of the entire reverse engineering project was a Linux-based software client that has features similar to the commercial version, based solely on an analysis of the protocol and incoming data.
  • Published: 2017
  • Publisher: REcon
  • Language: English
55:38 REcon English 2017

Breaking Code Read Protection on the NXP LPC-family Microcontrollers

A look at bypassing the Code Read Protection in the NXP LPC family of ARM microcontrollers. This is an example of one of the simple security features found in common microcontrollers, and how it is easily bypassed. The Code Read Protection (CRP) is implemented in bootloader software and can be easily read and disassembled, showing the fragility of the CRP mechanism. This talk describes the path to exploiting the bootloader software, developing and using a simple glitcher. A glitcher is designed, the chip is tested for vulnerability to glitching, and an attack is formulated to disable CRP and enable readout of FLASH contents. As glitch attacks go, this is a simple, 'beginner-level' attack which should be easily reproducible. The talk will include hardware and software design, including schematics and source code, for a glitcher able to bypass CRP.
  • Published: 2017
  • Publisher: REcon
  • Language: English
38:32 REcon English 2017

Analyzing iOS apps: road from AppStore to security analysis report

The main goal of our work is to find a sensible way to detect vulnerabilities in binary iOS applications. We present a new fully featured toolset that constitutes a decompiling and analysis engine targeting ARM/AArch64 programs, particularly iOS applications. In general, the analysis workflow consists of four steps. Downloading and decrypting an iOS application from the AppStore: we introduce the iOS-crack engine, which is capable of automatically downloading, decrypting and dumping the memory of AppStore applications using a jailbroken device. Decompiling the iOS application: the toolset is capable of carrying out a completely automated analysis of binary programs, using LLVM as the intermediate representation language. Unlike known binary-code-to-LLVM translation tools, our decompilation tool aims at high-level program semantics reconstruction, that is: program CFG reconstruction, advanced analysis and propagation of memory objects and stack pointer tracking, data type reconstruction, and program data model construction. Almost all iOS applications are written in Objective-C or Swift, so we also take care of precise type reconstruction and use the runtime type information in the decompilation process. Static analysis of the iOS application: we introduce our static analysis framework, which is able to find all common vulnerabilities of mobile applications, especially iOS applications. Representation of analysis results: the toolset is able to produce a human-readable pseudocode representation of the source binary. During the presentation we will demonstrate our analysis engine in action. We will show real-world examples of the most common security flaws and how they can be found.
  • Published: 2017
  • Publisher: REcon
  • Language: English
35:01 REcon English 2017

Teaching Old Shellcode New Tricks

Metasploit x86 shellcode has been defeated by EMET and other techniques, not only in exploit payloads but also when those payloads are used in non-exploit situations (e.g. binary payload generation, PowerShell deployment, etc.). This talk describes taking Metasploit payloads (minus Stephen Fewer's hash API call), incorporating techniques to bypass Caller/EAF[+] checks (post ASLR/DEP bypass) and merging those techniques together with automation to make something better. There will be lots of fail and some win.
  • Published: 2017
  • Publisher: REcon
  • Language: English
22:12 REcon English 2017

Legacy Crypto Never Dies

In 2012 I released a DES cracking service with Moxie Marlinspike for cracking MSCHAPv2 and quickly started seeing it being used for cracking other things besides MSCHAPv2.
  • Published: 2017
  • Publisher: REcon
  • Language: English
23:08 REcon English 2017

Keeping your tools safe IDA

  • Published: 2017
  • Publisher: REcon
  • Language: English
21:15 REcon English 2017

When your firewall turns against you

  • Published: 2017
  • Publisher: REcon
  • Language: English