Show filters Hide filters

Refine your search

Publication Year
Organisation found in the video
1-14 out of 14 results
Change view
  • Sort by:
58:57 REcon English 2016

Breaking Band

In recent years, over-the-air exploitation of cellular baseband vulnerabilities has been a recurring topic in the security community as well as the media. However, since “All Your Baseband Are Belong To Us” in 2010, there has been little public research on exploiting cellular modems directly. Now, Breaking Band is back with a new season by popular demand We will describe our methodology for reverse engineering the RTOS, starting from unpacking proprietary loading formats to understanding the security architecture and the operation of the real-time tasks, identifying attack surfaces, and enabling debugging capabilities. Through this, we’ll give you a complete walkthrough of what it takes to go from zero to zero-day exploit, owning the baseband of a major flagship phone, as we have done at Mobile Pwn2Own 2015.
  • Published: 2016
  • Publisher: REcon
  • Language: English
28:09 REcon English 2016

Monitoring & controlling kernel-mode events by HyperPlatform

We will present a HyperPlatform, which is an advanced system monitoring platform for Windows Operating System (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides speedy monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work. Even nowadays, there are no suitable tools to analyze a kernel-mode code for many of researchers. Steady growth of ring0 rootkits requires a fast, undetectable and resilient tool to monitor OS events for all protection rings. Such a tool will significantly contribute to reverse-engineering. While existing virtualization infrastructures such as VirtualBox and VMware are handy for analysis by themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system critical memory regions and registers. These tools are, however, proprietary and not available for everyone, or too complicated to extend for most of the engineers. HyperPlatform is a thin hypervisor, which has a potential to monitor the following: access to physical and virtual memory; functions calls from user- and kernel-modes; code execution in instruction granularity. The hypervisor can be used to monitor memory for two typical use cases. The first one is monitoring access to specified memory regions to protect system critical data such as the service descriptor table. The second case is recording any types of memory access from a specified memory region such as a potentially malicious driver to analyze its activities. Also, HyperPlatform is capable of monitoring a broad range of events such as interruptions, various registers and instructions. Tools based on HyperPlatform will be able to trace each instruction and provide dynamic analysis of executable code if necessary. We will demonstrate two examples of adaptation of HyperPlatform: MemoryMon and EopMon. The MemoryMon is able to monitor virtual memory accesses and detect dodgy kernel memory execution using EPT. It can help rootkit analysis by identifying dynamically allocated code. The EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process with a stolen system token by utilizing hypervisor’s ability to monitor process context-switching. Implementing those functions used to be challenging, but now, it can be achieved easier than ever using HyperPlatform.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:47 REcon English 2016

Visiting The Bear Den

During the last two years, three cheerful chaps tracked one of the most prolific espionage group out there. The group in question created a complex software ecosystem–composed of tens of different components–and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
  • Published: 2016
  • Publisher: REcon
  • Language: English
1:00:19 REcon English 2016

Google: Process Failure Modes

Creating processes on Windows is fraught with danger. There are many things that could go wrong. This is even more true when dealing with creating processes in system services under the behest of the user. At best making a mistake could result in creating processes from files the user can’t access, at worst they get system privileges. This presentation will go into detail on how processes are created in Windows and the many ways that it can go horribly wrong. I’ll discuss some of the shortcomings of the Windows process and Session models and how that can be abused to elevate privileges. Throughout I’ll provide examples of vulnerabilities and exploitation techniques I’ve discovered (some of which won’t be fixed any time soon) with clear anti-pattern examples to aid in discovering similar vulnerabilities. One of the issues I’ll discuss is the complexities around one of my most recent project zero blog posts (specifically raising dead) which dealt with session creation and stuck processes. Some of the other topics I’ll include are: Process creation internals Process creation w.r.t. impersonation Session Hopping Dangerous creation patterns
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:51 REcon English 2016

Shooting the OS X El Capitan Kernel Like a Sniper

OS X El Capitan has introduced new exploit mitigations to the kernel. Such mitigations include “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on new model of Macbook Pro), etc. Combining with the existing modern OS exploit mitigations like kASLR, DEP, exploiting OS X El Capitan kernel became harder. Approaches to defeat those new mitigations have been discovered by security researchers in late 2015, but most of them have additional prerequisite to either the bug or the environment. For example, the technology to overwrite the size of vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), also some of the technology requires creating specific user client which is prohibited by sandboxed processes (Safari WebContent, Chrome sandbox, etc.) In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal to all OS X kernel and doesn’t require too much on bug quality. Only a single write (not necessarily arbitrary value) is needed to pwn everything (including info leak, kASLR, DEP, SIP, SMAP bypass). The new technology will be illustrated by a live remote root demo during the talk.
  • Published: 2016
  • Publisher: REcon
  • Language: English
52:15 REcon English 2016

Dangerous Optimizations and the Loss of Causality

Increasingly, compiler writers are taking advantage of undefined behaviors in the C and C++ programming languages to improve optimizations. Frequently, these optimizations are interfering with the ability of developers to perform cause-effect analysis on their source code, that is, analyzing the dependence of downstream results on prior results. Consequently, these optimizations are eliminating causality in software and are increasing the probability of software faults, defects, and vulnerabilities. This presentation describes some common optimizations, describes how these can lead to software vulnerabilities, and identifies applicable and practical mitigation strategies.
  • Published: 2016
  • Publisher: REcon
  • Language: English
34:17 REcon English 2016

Black box reverse engineering for unknown/custom instruction sets

Have you ever come across a firmware image for which you couldn’t find a disassembler? This talk will cover reverse-engineering techniques for extracting an instruction encoding from a raw binary with an unknown/custom instruction set. The main focus is on static techniques and features of firmware images that you can use to your advantage–but some dynamic techniques will be covered as well.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:48 REcon English 2016

Abusing the NT Kernel Shim Engine

The Kernel Shim Engine is the kernel’s analogue to the user-mode shim engine (ShimEng). Although the latter now has had some pretty good research done on it, the KSE remains a mystery. First introduced in Windows XP as merely a Plug-and-Play compatibility layer for custom registry flags, it morphed into a nearly-full blown Shim Engine implementation, with the ability to misuse it for both persistence and stealth hooks in the kernel. In this talk, you’ll learn how to use the KSE for hooking drivers (dispatch tables, IRPs, and entrypoints) as well as kernel APIs both legitimatelly and illegitimately. You’ll also see some WinDBG scripts & techniques for detecting and enumerating installed kernel shims for forensic purposes. Finally, a tool called DriverMon is planned for release at the conference, which uses the KSE to provide ProcMon for Drivers.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:38 REcon English 2016

Reverse Engineering ISC controllers

  • Published: 2016
  • Publisher: REcon
  • Language: English
43:27 REcon English 2016

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors

There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector. We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna. Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.
  • Published: 2016
  • Publisher: REcon
  • Language: English
46:44 REcon English 2016

When Governments Attack

Targeted malware campaigns against Activists, Lawyers and journalists are becoming extremely commonplace. These attacks range in sophistication from simple spear-phishing campaigns using off the shelf malware, to APT-level attacks employing exploits, large budgets, and increasingly sophisticated techniques. Activists, lawyers and journalists are, for the most part, completely unprepared to deal with cyber-attacks; most of them don’t even have a single security professional on staff. In this session Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational details of malware campaigns against activists, journalists, and lawyers around the world, including EFF. They will also present brand new research about a threat actor targeting lawyers and activists in Europe and the Post-Soviet States. With targeted malware campaigns, governments have a powerful tool to suppress and silence dissent. As security professionals we are in a unique position to help in this fight.
  • Published: 2016
  • Publisher: REcon
  • Language: English
47:41 REcon English 2016

More Flash, More Fun!

Adobe Flash is a popular target for attackers in the wild. This presentation describes my research into Adobe Flash, which discovered over a hundred vulnerabilities in the software. It details some strategies for finding bugs through code review, fuzzing and reverse engineering and provides examples of bugs discovered using these methods. It also examines recent exploits, and how they bypass new Flash mitigations.
  • Published: 2016
  • Publisher: REcon
  • Language: English
32:25 REcon English 2016

Keystone: the last missing framework of Reverse Engineering

Assembler framework is a final missing piece of the reverse engineering (RE) community. This talk introduces a new framework named Keystone, which fills this gap and offers unrivalled features: Multi-architecture: Arm, Arm64, Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (16/32/64 bits) Multi-platform with native compiled for Windows, Linux, Mac OS X, *BSD, Solars, etc Clean/simple/lightweight/intuitive architecture-neutral API. Implemented in C/C++ languages, with bindings for Python available. Thread-safe by design. Open source. We are going to present the motivation, design & implementation of Keystone. The focus will be on technical decisions we made, and the challenges we had to overcome to realise the ideas behind our engine. We expect Keystone will turn a new page and open ways for many next generation RE tools in the future. Some cool tools built on top of Keystone will be shown to demonstrate its power.
  • Published: 2016
  • Publisher: REcon
  • Language: English
27:25 REcon English 2016

M/o/Vfuscator-Be-Gone

After last year’s talk by Christopher Domas titled “The M/o/Vfuscator”, we spent a great amount of time to analyze the inner workings of the famous one-instruction-compiler. We are happy to announce and release the (to our knowledge) first demovfuscator this year at recon0xA. This talk presents a generic way of recovering the control flow of the original program from movfuscated binaries. As our approach makes zero assumptions about register allocations or a particular instruction order, but rather adheres to the high-level invariants that each movfuscated binary needs to conform to. Consequently, our demovfuscator is also not affected by the proposed hardening techniques such as register renaming and instruction reordering. To achieve this, we use a combination of static taint analysis on the movfuscated code and a satisfiable modulo theory (SMT) solver. We successfully used our demovfuscator against several movfuscated binaries that emerged during several CTFs during the last months (Hackover CTF, 0CTF and GoogleCTF) proving that it already can handle real-world binaries different from the synthetic samples created by us. Our demovfuscator is under active development and we are working towards our next, ambitious goal: Generically getting rid of the instruction substitution and generating a much more compact and readable result. We will share our insights on this topic as well.
  • Published: 2016
  • Publisher: REcon
  • Language: English
out of 1 pages
Loading...
Feedback

Timings

   84 ms - page object
   68 ms - search
    2 ms - highlighting
    1 ms - highlighting/32751
    1 ms - highlighting/32738
    0 ms - highlighting/32749
    1 ms - highlighting/32736
    0 ms - highlighting/32745
    1 ms - highlighting/32752
    1 ms - highlighting/32746
    1 ms - highlighting/32747
    2 ms - highlighting/32737
    1 ms - highlighting/32753
    1 ms - highlighting/32741
    1 ms - highlighting/32750
    1 ms - highlighting/32743
    1 ms - highlighting/32742

Version

AV-Portal 3.8.0 (dec2fe8b0ce2e718d55d6f23ab68f0b2424a1f3f)