27:55 REcon English 2015

Glitching and Side-Channel Analysis for All

The super-cool area of side-channel power analysis and glitching attacks covers devious methods of breaking embedded devices. Recent presentations (such as at RECON 2014) have shown that these attacks are possible even with lower-cost hardware, but they still require a fair amount of hardware setup and experimentation. But we can do better. This presentation sums up the most recent advances in the open-source ChipWhisperer project, which aims to bring side-channel power analysis and fault injection into a wider realm than ever before. It provides an open-source base for experimentation in this field. The ChipWhisperer project won 2nd place in the Hackaday Prize in 2014, and in 2015 an even lower-cost version of the hardware was released, costing approximately 200. Attacks on real physical devices are demonstrated, including AES peripherals in microcontrollers, Raspberry Pi devices, and more. All of the attacks can be replicated with standard lab equipment; the demos here will use the open-source ChipWhisperer hardware, but it's not required for your experimentation.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:02:44 REcon English 2015

Abusing Silent Mitigations

In the summer of 2014, Microsoft silently introduced two new exploit mitigations into Internet Explorer with the goal of disrupting the threat landscape. These mitigations increase the complexity of successfully exploiting a use-after-free vulnerability. June's patch (MS14-035) introduced a separate heap, called Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap. This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer from these new attack vectors.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:05:47 REcon English 2015

"One font vulnerability to rule them all" A story of cross-software ownage, shared codebases and advanced exploitation

"Font rasterization software is clearly among the most desirable attack vectors of all time, due to multiple reasons: the wide variety of font file formats, their significant structural and logical complexity, typical programming language of choice (C/C++), average age of the code, ease of exploit delivery and internal scripting capabilities provided by the most commonly used formats (TrueType and OpenType). As every modern widespread browser, document viewer and operating system is exposed to processing external, potentially untrusted fonts, this area of security has a long history of research. As a result, nearly every major vendor releases font-related security advisories several times a year, yet we can still hear news about more 0-days floating in the wild. Over the course of the last few months, we performed a detailed security audit of the implementation of OpenType font handling present in popular libraries, client-side applications and operating systems, which appears to have received much less attention in comparison to e.g. TrueType. During that time, we discovered a number of critical vulnerabilities, which could be used to achieve 100% reliable arbitrary code execution, bypassing all currently deployed exploit mitigations such as ASLR, DEP or SSP. More interestingly, a number of those vulnerabilities were found to be common across various products, enabling an attacker to create chains of exploits consisting of a very limited number of distinct security bugs. In this presentation, we will outline the current state of the art with regards to font security research, followed by an in-depth analysis of the root cause and reliable exploitation process of a number of recently discovered vulnerabilities, including several full exploit chains. 
In particular, we will demonstrate how a universal PDF file could be crafted to fully compromise the security of a Windows 8.1 x86/x64 operating system via just a single vulnerability found in both Adobe Reader and the Adobe Type Manager Font Driver used by the Windows kernel."
  • Published: 2015
  • Publisher: REcon
  • Language: English
52:10 REcon English 2015

Totally Spies!

For some months now, there have been rumors of cartoon-named malware employed in espionage operations. It actually started in March 2014 with a set of slides leaked from the Communications Security Establishment Canada (CSEC), Canada's equivalent of the NSA. In them CSEC described to its spook friends a malware dubbed Babar by its authors, which they attributed "with moderate certainty" to a French intelligence agency. The group behind Babar is now commonly referred to as "AnimalFarm" in the antimalware industry, because Babar was only a small piece of a much bigger puzzle. Since the publication of the CSEC slides, a group of valorous adventurers, animated by the thrill of understanding complex malware operations, has been relentlessly following AnimalFarm's trail. Along its path, this group found several pieces of AnimalFarm's arsenal, for example stealthy Casper, exotic Bunny and even big-eared Babar itself. This presentation aims at presenting the results of this group's research. In particular, we will provide a global picture of AnimalFarm's operations, and also delve into the technical quirks of their malware. We will also explain how we assessed the connection between their various pieces of software from a code reverse-engineering perspective, and what technical hints we found regarding attribution.
  • Published: 2015
  • Publisher: REcon
  • Language: English
45:41 REcon English 2015

This Time Font hunt you down in 4 bytes

In our recent work we also targeted win32k, which seems to be a fruitful target. @promised_lu made our own TTF fuzzer, which produced a bunch of results in the form of gigabytes of crashes and various bugs. Fortunately Windows did great work and in February most of our bugs were dead (patched), but not all of them… What was left looked like seemingly unexploitable kernel bugs with ridiculous conditions. We decided to check them out, and finally combined them with our user-mode bug and EMET bypass. Through IE and Flash we broke down the system and pointed out weak points in the defensive mechanisms. In this talk we will present our research dedicated to the Pwn2Own event this year. We will describe the kernel part of the exploit in detail, including the bug description and the resulting memory corruption conditions and caveats, up to the final pwn via one of our TTF bugs. Throughout the talk we will describe how to break various exploit mitigations in the Windows kernel and why it is possible. We will introduce novel kernel exploitation techniques that break everything that stands in the way and bring you SYSTEM exec (from kernel driver to system calc).
  • Published: 2015
  • Publisher: REcon
  • Language: English
24:29 REcon English 2015

Reverse Engineering Windows AFD.sys

What happens when you make a socket() call in Windows? This presentation will briefly walk through the rather well documented Winsock user-mode framework before diving into the turmoil of ring 0. There is no map to guide us here. Our adventure will begin where MSDN ends, and our first stop along the way is an IOCTL to AFD.sys, the awkwardly named Ancillary Function Driver. This driver is of particular interest because it is so widely used and yet most people who use it do not even know it exists. Nearly every Windows program managing sockets depends on this driver. Even more interesting is that the device created by AFD.sys is accessible from every sandbox Google Project Zero looked at. In fact, there wasn't even support for restricting access to this device until Windows 8.1. Staying true to Windows style, AFD.sys is a complex driver with over 70 reachable IOCTLs and support for everything from SAN to TCP. It is no wonder that this driver weighs in at 500KB. This complexity combined with accessibility breeds a robust ring 0 attack surface. Current fuzzing efforts will also be shared in this presentation, and by the time we are done you should have a good idea of what happens when making a socket() call without having to spend hours in IDA to figure it out.
  • Published: 2015
  • Publisher: REcon
  • Language: English
23:28 REcon English 2015

Exploiting Out-of-Order-Execution

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities inherent to systems which share hardware resources will become increasingly attractive targets to malicious software authors. This talk first presents a classification of the possible cloud-based side channels which use hardware virtualization. Additionally, a novel side channel exploiting out-of-order-execution in the CPU pipeline is described and implemented. Finally, this talk will show constructions of several adversarial applications and demo two. These applications are deployed across the novel side channel to prove the viability of each exploit. We then analyze successful detection and mitigation techniques of the side channel attacks.
  • Published: 2015
  • Publisher: REcon
  • Language: English
1:05:02 REcon English 2015

Polyglots and Chimeras in Digital Radio Modes

Ah Matryoshkas, who doesn't like these Russian nesting dolls? But why should the fun of chimeric nesting be limited to just application formats? It is possible to design PHY-layer digital modulation protocols that (1) are backward compatible with existing standards and (2) discreetly contain additional information for reception by those who know the right tricks. When properly designed, these polyglot protocols look and sound much like the older protocols, causing an eavesdropping Eve to believe she has sniffed the contents of a transmission when in fact a second, hidden message is hitching a ride on the transmission. Mallory, on the other hand, may use these protocols-in-protocols to smuggle long Russian stories to all who will listen! This fine technical lecture by two neighborly gentlemen describes techniques for designing polyglot modulation protocols, as well as concrete examples of such protocols that are fit for use in international shortwave radio communication.
  • Published: 2015
  • Publisher: REcon
  • Language: English
52:15 REcon English 2015

0x3E9 Ways to DIE

Over the years many attempts have been made to combine static and dynamic analysis results. Some were good, others were bad, but the fact is that those two approaches still remain mostly separated, as most analysis tools focus on only one of them. For many years, this lack of integration and manual passing of data between static and dynamic tools has caused a lot of frustration among researchers. This was the main motivation in creating DIE. DIE is a new Hex-Rays IDA plugin that crosses the static-dynamic gap directly into the native IDA GUI. It gives the researcher access to runtime values from within his standard disassembler screen. As opposed to previous projects with similar goals, DIE takes a different approach by using an extensive plugin framework which allows the community to constantly add logic in order to better analyze and optimize the retrieved runtime values. With a click of a button, everything is accessible to the researcher: he can inspect handles passed to a function, analyze injected code or runtime strings, enumerate dynamic structures, follow indirect function calls and more (and the list keeps on growing). All of this happens without the researcher ever leaving his comfortable disassembler screen. Even better, as DIE is tightly coupled with IDA, it will basically support any architecture, data type or signature supported by IDA. DIE currently has a small but well-respected community of contributors. Starting with the alpha version, DIE users have been able to cut their research time by 20%-40%. As complex reverse engineering tasks may take several weeks or even several months to complete, DIE has already proved to be a valuable resource and a prominent part of the researcher's toolkit. My talk introduces DIE for the very first time to the research community. I explain the basic idea behind DIE, describe its architecture, and show live examples of how to use its extensive plugin framework to speed up the research process.
The talk includes *live examples* which have been carefully selected from real research projects in various security fields and demonstrate how DIE can be used to speed up bypassing software protections, unpack malware, and super-quickly locate a malware's de-obfuscation functions.
  • Published: 2015
  • Publisher: REcon
  • Language: English
46:31 REcon English 2015

From Silicon to Compiler

Programmable logic devices have historically been locked up behind proprietary vendor toolchains and undocumented firmware formats, preventing the creation of a third-party compiler or decompiler. While the vendor typically prohibits reverse engineering of their software in the license agreement, no such ban applies to the silicon. Given the choice between REing gigabytes of spaghetti code and looking at clean, regular die layout, the choice is clear. This talk describes my reverse engineering of the Xilinx XC2C32A, a 180nm 32-macrocell CPLD, at the silicon level and my progress toward a fully open-source toolchain (compiler, decompiler, and floorplanner) for the device. A live demonstration of firmware generated by my tools running on actual hardware is included.
  • Published: 2015
  • Publisher: REcon
  • Language: English
49:14 REcon English 2015

The M/o/Vfuscator

Based on a paper that proves that the "mov" instruction is Turing complete, the M/o/Vfuscator takes source code and compiles it into a program that uses *only* mov instructions - no comparisons, no jumps, no math (and definitely no SMC cheating) - turning the program into one of the most painfully difficult reverse engineering targets you will ever encounter.
  • Published: 2015
  • Publisher: REcon
  • Language: English
24:28 REcon English 2015

Pandora's Cash Box: The Ghost Under Your POS

We're all used to seeing the ubiquitous cash drawer - that steel box, usually under the point-of-sale terminal, which holds the money received from sales - without giving it a second thought. But in recent years, the cash drawer has imploded in complexity into a full-blown appliance: From USB and Bluetooth support to on-board accounting and verification firmware, this innocuous box has quietly turned itself into a central component of the POS. And unsurprisingly, the security of these devices has not improved in lockstep with their feature set. In this talk, we will take apart the design and features of a modern cash drawer, and show why these devices are the proverbial chink in the armour of a POS system. We will discuss how we reverse engineered the firmware and the proprietary protocols used by several cash drawer models, and provide the tools for other reversers interested in following up. Finally, we will demonstrate how, by exploiting several security and design vulnerabilities, we can cause cash to disappear without a trace from a targeted business.
  • Published: 2015
  • Publisher: REcon
  • Language: English