58:57 REcon English 2016

Breaking Band

In recent years, over-the-air exploitation of cellular baseband vulnerabilities has been a recurring topic in the security community as well as the media. However, since “All Your Baseband Are Belong To Us” in 2010, there has been little public research on exploiting cellular modems directly. Now, Breaking Band is back with a new season by popular demand. We will describe our methodology for reverse engineering the RTOS, starting from unpacking proprietary loading formats to understanding the security architecture and the operation of the real-time tasks, identifying attack surfaces, and enabling debugging capabilities. Through this, we’ll give you a complete walkthrough of what it takes to go from zero to zero-day exploit, owning the baseband of a major flagship phone, as we did at Mobile Pwn2Own 2015.
  • Published: 2016
  • Publisher: REcon
  • Language: English
28:09 REcon English 2016

Monitoring & controlling kernel-mode events by HyperPlatform

We will present HyperPlatform, an advanced system monitoring platform for the Windows operating system (OS). Using Intel VT-x and Extended Page Table (EPT) technologies, this platform provides fast monitoring of various events. HyperPlatform is hidden and resilient to modern anti-forensics techniques and can be easily extended for day-to-day reverse engineering work. Even today, many researchers lack suitable tools to analyze kernel-mode code. The steady growth of ring0 rootkits requires a fast, undetectable and resilient tool to monitor OS events across all protection rings. Such a tool will significantly contribute to reverse engineering. While existing virtualization infrastructures such as VirtualBox and VMware are handy for analysis by themselves, VT-x technology has much more potential for aiding reverse engineering. McAfee Deep Defender, for example, detects modification of system-critical memory regions and registers. These tools are, however, proprietary and not available to everyone, or too complicated for most engineers to extend. HyperPlatform is a thin hypervisor with the potential to monitor the following: access to physical and virtual memory; function calls from user and kernel mode; code execution at instruction granularity. The hypervisor can be used to monitor memory for two typical use cases. The first is monitoring access to specified memory regions to protect system-critical data such as the service descriptor table. The second is recording any type of memory access from a specified memory region, such as a potentially malicious driver, to analyze its activities. HyperPlatform is also capable of monitoring a broad range of events such as interrupts, various registers and instructions. Tools based on HyperPlatform will be able to trace each instruction and provide dynamic analysis of executable code if necessary.
We will demonstrate two examples of adapting HyperPlatform: MemoryMon and EopMon. MemoryMon is able to monitor virtual memory accesses and detect dodgy kernel memory execution using EPT. It can help rootkit analysis by identifying dynamically allocated code. EopMon is an elevation of privilege (EoP) detector. It can spot and terminate a process with a stolen system token by utilizing the hypervisor’s ability to monitor process context switching. Implementing those functions used to be challenging, but now it can be achieved more easily than ever using HyperPlatform.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:44 REcon English 2016

How Do I Crack Satellite and Cable Pay TV?

Follow the steps taken to crack a conditional access and scrambling system used in millions of TV set-top boxes across North America, from circuit board to chemical decapsulation, optical ROM extraction, glitching, and reverse engineering of custom hardware cryptographic features. This talk describes the techniques used to breach the security of satellite and cable TV systems that had remained secure after 15+ years in use. Topics include: chemical decapsulation and delayering of ICs in acids, microphotography and optical bit extraction of ROM, binary analysis using IDA and homebrew CPU simulators, datalogging and injection of SPI and serial TS data, designing and using a voltage glitcher, extracting secret keys from the RAM of a battery-backed IC, analyzing hardware-based crypto customizations, studying undocumented hardware peripherals, MPEG transport streams and non-DVB standards, QPSK demodulation, interleaving, randomization, and FEC of OOB (out-of-band) cable data. The result is knowledge of the transport stream scrambling modes and of the conditional access system used to deliver keys. Strong and weak points are identified, and advanced security features implemented nearly 20 years ago are compared to modern security designs. A softcam is designed and tested using free software, working for both cable and satellite TV.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:47 REcon English 2016

Visiting The Bear Den

During the last two years, three cheerful chaps tracked one of the most prolific espionage groups out there. The group in question created a complex software ecosystem, composed of tens of different components, and also regularly pulls out 0-day exploits. This talk presents the results of the hunt.
  • Published: 2016
  • Publisher: REcon
  • Language: English
57:38 REcon English 2016

Hardware-Assisted Rootkits and Instrumentation: ARM Edition

Security researchers have limited options when it comes to debuggers and dynamic binary instrumentation tools for ARM-based devices. Hardware-based solutions can be expensive or destructive, while software tools are often restricted to user mode. In this talk, we explore a common but often ignored feature of the ARM debug architecture in search of other options. Digging deeper into this hardware component reveals many interesting use cases for researchers, ranging from debugging and instrumentation to building a novel rootkit. First, we will shine a spotlight on a debug interface that dates back to ARMv6, and demonstrate how to control it from software in order to instrument code in the normal world. We will introduce a prototype toolkit with an IDA plugin that can perform real-time tracing, code coverage analysis, and more, of the Android kernel on COTS smartphones without requiring virtualization extensions or special hardware. Next, we will compare implementations of this hardware unit across multiple chipset vendors, and discuss applicability to other ARM CPUs found in your phone, such as WiFi and cellular basebands. The second half of our talk will add new meaning to the phrase “hardware-assisted rootkit”. Abusing this same debug interface, we will have some fun with the Krait architecture in order to demonstrate a kernel-level rootkit for Android that can bypass the current state of the art in rootkit detection. We’ll discuss hijacking exceptions, interacting with TrustZone, and methods for detecting this unconventional rootkit. Finally, we will wrap up by highlighting a use case for exploit mitigations on embedded systems.
  • Published: 2016
  • Publisher: REcon
  • Language: English
55:51 REcon English 2016

Shooting the OS X El Capitan Kernel Like a Sniper

OS X El Capitan has introduced new exploit mitigations to the kernel. These include the “vm map copy” mitigation, System Integrity Protection/Rootless, SMAP (enforced on the new model of MacBook Pro), etc. Combined with existing modern OS exploit mitigations such as kASLR and DEP, exploiting the OS X El Capitan kernel has become harder. Approaches to defeat these new mitigations were discovered by security researchers in late 2015, but most of them place additional prerequisites on either the bug or the environment. For example, the technique of overwriting the size of a vm map copy requires a perfect zone overflow (overflowed length controllable + content controllable), and some techniques require creating a specific user client, which is prohibited for sandboxed processes (Safari WebContent, Chrome sandbox, etc.). In this talk, we will introduce a new approach to exploit the El Capitan kernel from the most restrictive sandboxed process (Safari WebContent). The new approach is universal across all OS X kernels and doesn’t demand much of bug quality. Only a single write (not necessarily of an arbitrary value) is needed to pwn everything (including info leak and kASLR, DEP, SIP and SMAP bypass). The new technique will be illustrated by a live remote root demo during the talk.
  • Published: 2016
  • Publisher: REcon
  • Language: English
58:43 REcon English 2016

Go Speed Tracer

The past few years have seen a leap in fuzzing technology. The original paradigm established a decade ago resulted in two widely deployed approaches to fuzzing: sample-based mutation and model-based generation. Thanks to ever-increasing computational performance and better engineering, newer guided fuzzing approaches have proven to be supremely effective with a low cost of deployment. This talk will explore a few different approaches to guided fuzzing through dynamic analysis, including code coverage analysis, constraint solving, and sampling/profiling-based feedback mechanisms. Novel contributions in this talk include: an open-source Windows driver enabling Intel “Processor Trace”; a DBI-based tracing engine for Windows/Linux/OS X binaries; and American Fuzzy Lop with full support for Windows binary targets.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:48 REcon English 2016

Abusing the NT Kernel Shim Engine

The Kernel Shim Engine is the kernel’s analogue to the user-mode shim engine (ShimEng). Although the latter has now had some pretty good research done on it, the KSE remains a mystery. First introduced in Windows XP as merely a Plug-and-Play compatibility layer for custom registry flags, it morphed into a nearly full-blown Shim Engine implementation, with the ability to misuse it for both persistence and stealth hooks in the kernel. In this talk, you’ll learn how to use the KSE for hooking drivers (dispatch tables, IRPs, and entrypoints) as well as kernel APIs, both legitimately and illegitimately. You’ll also see some WinDBG scripts & techniques for detecting and enumerating installed kernel shims for forensic purposes. Finally, a tool called DriverMon is planned for release at the conference, which uses the KSE to provide ProcMon for drivers.
  • Published: 2016
  • Publisher: REcon
  • Language: English
59:38 REcon English 2016

Reverse Engineering ISC controllers

  • Published: 2016
  • Publisher: REcon
  • Language: English
46:44 REcon English 2016

When Governments Attack

Targeted malware campaigns against activists, lawyers and journalists are becoming extremely commonplace. These attacks range in sophistication from simple spear-phishing campaigns using off-the-shelf malware, to APT-level attacks employing exploits, large budgets, and increasingly sophisticated techniques. Activists, lawyers and journalists are, for the most part, completely unprepared to deal with cyber-attacks; most of them don’t even have a single security professional on staff. In this session Eva Galperin and Cooper Quintin of the Electronic Frontier Foundation will discuss the technical and operational details of malware campaigns against activists, journalists, and lawyers around the world, including EFF. They will also present brand new research about a threat actor targeting lawyers and activists in Europe and the post-Soviet states. With targeted malware campaigns, governments have a powerful tool to suppress and silence dissent. As security professionals we are in a unique position to help in this fight.
  • Published: 2016
  • Publisher: REcon
  • Language: English
47:41 REcon English 2016

More Flash, More Fun!

Adobe Flash is a popular target for attackers in the wild. This presentation describes my research into Adobe Flash, which discovered over a hundred vulnerabilities in the software. It details some strategies for finding bugs through code review, fuzzing and reverse engineering and provides examples of bugs discovered using these methods. It also examines recent exploits, and how they bypass new Flash mitigations.
  • Published: 2016
  • Publisher: REcon
  • Language: English
34:25 REcon English 2016

Sol[IDA]rity

Reverse engineering is an exercise of exploration and digital cartography. Researchers slowly unearth bits and pieces of a puzzle, putting them together to better understand the bigger picture. Binaries, like puzzles, can be put together much faster in collaboration with others. And with services such as Google Docs, Office 365, or Etherpad, it is easy to recognize the power and effectiveness of real-time collaboration in the digital space. Unfortunately, reverse engineering as many know it today is almost exclusively an individual experience. Our present reversing tools offer little in the way of collaboration among multiple users. This can make reverse engineering tedious and wasteful in a fast-paced team setting. In this talk we’ll be publicly unveiling Sol[IDA]rity, the newest collaborative solution for the popular disassembler IDA Pro. What started as a simple plugin to sync IDA databases between users in real-time, soon evolved into an interconnectivity platform for IDA with endless potential. Join us for a glimpse at the latest generation of collaborative reverse engineering.
  • Published: 2016
  • Publisher: REcon
  • Language: English
32:25 REcon English 2016

Keystone: the last missing framework of Reverse Engineering

An assembler framework is the last missing piece in the reverse engineering (RE) community’s toolset. This talk introduces a new framework named Keystone, which fills this gap and offers unrivalled features:
  • Multi-architecture: Arm, Arm64, Hexagon, Mips, PowerPC, Sparc, SystemZ & X86 (16/32/64 bits)
  • Multi-platform, with native compilation for Windows, Linux, Mac OS X, *BSD, Solaris, etc.
  • Clean, simple, lightweight, intuitive architecture-neutral API
  • Implemented in C/C++, with bindings for Python available
  • Thread-safe by design
  • Open source

We are going to present the motivation, design & implementation of Keystone. The focus will be on the technical decisions we made, and the challenges we had to overcome to realise the ideas behind our engine. We expect Keystone will turn a new page and open the way for many next-generation RE tools in the future. Some cool tools built on top of Keystone will be shown to demonstrate its power.
  • Published: 2016
  • Publisher: REcon
  • Language: English
29:20 REcon English 2016

BBS-Era Exploitation for Fun and Anachronism

The bulletin board era was a golden age for those of us who were into computers (and in existence) at the time. Yet, think of how much better it could have been if we’d had today’s exploitation tradecraft to bring to bear back then. In this presentation, we’re taking modern technology back with us a couple decades and aiming it at BBS-era software, possibly to see what we can learn from attacking these scrutable-yet-unusual systems but mostly just because we can. We’ll use tools and techniques that didn’t publicly exist at the time to run, reverse engineer, attack, debug, and exploit old code. Finally, we’ll demonstrate some of the fun we could’ve had, if only we knew then what we know now… Source code and proofs-of-concept will be released.
  • Published: 2016
  • Publisher: REcon
  • Language: English