2Ø14 V2.Ø - saci is on fire

 

Shikhin Sethi

OPTION ROMS: A HIDDEN (BUT PRIVILEGED) WORLD

Each modern x86 computer uses PCI option ROMs to initialize devices during early boot. The option ROMs not only get privileged and unsupervised access to the machine, but are also typically relied upon by the operating system to provide key device services such as video. 

We show how malicious option ROMs can be executed in the background, "stealing" host machine resources such as logical cores, memory, and PCI devices. We further show how to man-in-the-middle interrupts from devices, how to gather useful information without destroying the device state, and how such malicious ROMs can snoop on the OS, especially with poorly designed kernels (or drivers) that use the option ROMs themselves. 

Although UEFI attempts to address the issue by using bytecode option ROMs, we show how to bypass its security restriction. We look at how "weird machines" in the boot process could be used to undermine the trust model of the OS, and how these might be prevented. 

Given that option ROMs are ubiquitous, we look at how such malicious ROMs could be detected and protected against.

Shikhin Sethi is a systems hacker with a keen interest in using low-level knowledge for exploits. Shikhin writes an article series on the x86 architecture and nifty tricks surrounding it for the International Journal of PoC||GTFO. A student in India, Shikhin is also interested in operating system design and creating standard components for a secure OS.
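As an added example (not part of the talk or the speaker's material), the following Python walks the image chain of a PCI expansion ROM, the container the option-ROM code above lives in: the 55AA signature, the 16-bit pointer at offset 0x18 to the PCIR data structure, the code type that tells a legacy x86 image from a UEFI one, the image length that chains images together, and the byte checksum a legacy x86 image must satisfy. It also does the first checks a practitioner would make when hunting for a planted ROM: compare the vendor/device IDs recorded in each PCIR with the IDs the device reports in configuration space, and look for bytes hiding behind the image flagged as last. The sample ROM, the dummy IDs 0x1234/0x5678 and the one-byte 'retf' entry stub are constructed for the demonstration.

```python
import struct

# PCI Data Structure ("PCIR"), first 22 bytes: signature, vendor ID, device ID,
# VPD/device-list pointer, structure length, revision, class code, image length
# (512-byte units), code revision, code type, indicator (bit 7 = last image).
PCIR = struct.Struct("<4sHHHHB3sHHBB")
CODE_TYPES = {0: "x86 BIOS", 1: "Open Firmware", 2: "HP PA-RISC", 3: "UEFI"}


def parse_option_rom(rom: bytes) -> list:
    """Walk the image chain of a PCI expansion ROM and describe every image."""
    images, off = [], 0
    while True:
        if rom[off:off + 2] != b"\x55\xaa":
            raise ValueError(f"no 55AA image signature at offset 0x{off:x}")
        pcir_off = off + struct.unpack_from("<H", rom, off + 0x18)[0]
        (sig, vendor, device, _vpd, _plen, _prev, _cls, img_units,
         _crev, code_type, indicator) = PCIR.unpack_from(rom, pcir_off)
        if sig != b"PCIR" or img_units == 0:
            raise ValueError(f"bad PCIR structure at offset 0x{pcir_off:x}")
        img_len = img_units * 512
        image = rom[off:off + img_len]
        if len(image) != img_len:
            raise ValueError(f"image at 0x{off:x} claims {img_len} bytes, file is truncated")
        info = {"offset": off, "length": img_len, "vendor": vendor, "device": device,
                "code_type": CODE_TYPES.get(code_type, f"unknown({code_type})"),
                "last": bool(indicator & 0x80)}
        if code_type == 0:  # legacy x86 image: BIOS calls offset 3 in real mode, bytes must sum to 0
            info["init_size"] = rom[off + 2] * 512
            info["checksum_ok"] = sum(image) % 256 == 0
        images.append(info)
        if info["last"]:
            return images
        off += img_len


def bytes_after_last_image(rom: bytes) -> int:
    """Data behind the image flagged as last is something the firmware's ROM walker never looks at."""
    last = parse_option_rom(rom)[-1]
    return len(rom) - (last["offset"] + last["length"])


def vendor_device_mismatch(images: list, cfg_vendor: int, cfg_device: int) -> list:
    """Images whose PCIR IDs disagree with the IDs the device reports in config space."""
    return [i for i in images if (i["vendor"], i["device"]) != (cfg_vendor, cfg_device)]


def build_image(code_type: int, vendor: int, device: int, last: bool, size: int = 512) -> bytes:
    """Constructed test image: 55AA header, PCIR at 0x20, zero body, x86 checksum byte at the end."""
    img = bytearray(size)
    img[0:2] = b"\x55\xaa"
    img[2] = size // 512                 # x86 initialisation size in 512-byte units
    img[3] = 0xCB                        # x86 entry point: 'retf', an init routine that does nothing
    struct.pack_into("<H", img, 0x18, 0x20)
    PCIR.pack_into(img, 0x20, b"PCIR", vendor, device, 0, PCIR.size, 0, b"\0\0\0",
                   size // 512, 0, code_type, 0x80 if last else 0)
    if code_type == 0:
        img[-1] = (-sum(img[:-1])) & 0xFF   # make all bytes sum to zero modulo 256
    return bytes(img)


# Constructed sample ROM: a legacy x86 image followed by a UEFI image marked as last.
# 0x1234/0x5678 are dummy IDs, not a real vendor/device pair.
SAMPLE_ROM = build_image(0, 0x1234, 0x5678, last=False) + build_image(3, 0x1234, 0x5678, last=True)

if __name__ == "__main__":
    for img in parse_option_rom(SAMPLE_ROM):
        print(img)
    print("bytes after last image:", bytes_after_last_image(SAMPLE_ROM))
```

On Linux the image of a real device can be dumped through sysfs: write 1 to /sys/bus/pci/devices/<bdf>/rom to enable the attribute, read the file, then write 0. A PCIR whose IDs disagree with configuration space, a legacy image whose bytes do not sum to zero, or data behind the last image are each worth a second look; none proves malice on its own, since vendor ROMs are sometimes sloppy about exactly these fields.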


SERGEY BRATUS & TRAVIS GOODSPEED

DEMYSTIPHYING 802.15.4 DIGITAL RADIO; OR, HOW TO WEAPONIZE FINGERPRINTING FOR PACKET-IN-PACKET MITIGATION BYPASSES

The PHY layer of digital radio is commonly viewed as a black box that takes logical frames on one side of a radio connection and magically pops them out on the other (or doesn't, if control sums don't match). The internals of the black box are shrouded in mystery and magic. Antennas, modulation, and error correction are somehow involved, but they seem to exist in a different dimension that cannot be manipulated digitally at byte-level like call stacks, binaries, or parser bugs. For those of us who can't design radio circuits, it seems to be at best a Minecraft game of GnuRadio blocks. 

But in reality this just ain't so. The PHY in fact contains several digital layers and mechanisms, which can be manipulated without software-defined radio. We will demystify these mechanisms for the 802.15.4 PHY and will show them in action for sending arbitrary bytes and frames through the air without a software radio, sending frames that aren't heard by WIDS but heard by targets if they use different radio chips, "borrowing" error-correction logic to bypass defenses, and fingerprinting chipset families. Orson Welles may have beaten us to the Packet-in-packet technique, but he has nothing on our one-eighth-of-a-nybble mitigation bypass and make-your-own-packet cut-out paper games!
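The packet-in-packet technique the abstract alludes to can be shown at the octet level. The following Python is an added example, not the speakers' code: it implements the 802.15.4 FCS (ITU-T CRC-16, LSB first), builds a PHY frame from preamble, SFD, length and MPDU, models a receiver that hunts for the sync pattern and accepts the first frame whose FCS verifies, and then embeds a complete inner frame inside the payload of an outer one. When the outer frame's SFD is corrupted in transit the receiver misses the outer sync, keeps hunting, and decodes the attacker-chosen inner frame instead. The real attack happens on 4-bit symbols rather than octets and depends on how each chipset family resynchronises, which is exactly what the fingerprinting is for; the MAC header bytes and payload used here are constructed placeholders.

```python
PREAMBLE, SFD = b"\x00\x00\x00\x00", b"\xa7"   # 2.4 GHz O-QPSK synchronisation header, as octets


def crc16_802154(data: bytes) -> int:
    """802.15.4 FCS: ITU-T CRC-16, polynomial x^16 + x^12 + x^5 + 1, LSB first, initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x8408 if crc & 1 else crc >> 1
    return crc


def build_ppdu(psdu: bytes) -> bytes:
    """Preamble + SFD + 7-bit frame length + MPDU (payload followed by the little-endian FCS)."""
    fcs = crc16_802154(psdu)
    mpdu = psdu + bytes([fcs & 0xFF, fcs >> 8])
    if len(mpdu) > 127:
        raise ValueError("aMaxPHYPacketSize is 127 octets")
    return PREAMBLE + SFD + bytes([len(mpdu)]) + mpdu


def receive(stream: bytes):
    """Octet-level model of a receiver: hunt for preamble+SFD, read the length byte and return
    the first PSDU whose FCS verifies, or None. A real radio does this on 4-bit symbols."""
    sync = PREAMBLE + SFD
    i = stream.find(sync)
    while i != -1:
        n = i + len(sync)
        if n < len(stream):
            length = stream[n] & 0x7F
            mpdu = stream[n + 1:n + 1 + length]
            if length >= 2 and len(mpdu) == length:
                fcs = mpdu[-2] | (mpdu[-1] << 8)
                if crc16_802154(mpdu[:-2]) == fcs:
                    return mpdu[:-2]
        i = stream.find(sync, i + 1)       # no valid frame here: keep hunting for the next sync
    return None


def packet_in_packet(inner_psdu: bytes, mac_header: bytes = b"\x41\x88\x2a") -> tuple:
    """Carry a complete inner PPDU (its own preamble and SFD included) as ordinary payload of an
    outer frame. Returns (outer PPDU, PSDU decoded on a clean channel, PSDU decoded when one
    octet of the outer SFD is corrupted). The MAC header bytes are a constructed placeholder."""
    outer = build_ppdu(mac_header + build_ppdu(inner_psdu) + b"\x00")
    damaged = bytearray(outer)
    damaged[len(PREAMBLE)] ^= 0x01        # the receiver never syncs on the outer frame now
    return outer, receive(outer), receive(bytes(damaged))


if __name__ == "__main__":
    outer, clean, hijacked = packet_in_packet(b"INNER")
    print("clean channel decodes    :", clean)
    print("outer SFD damaged decodes:", hijacked)
```

The outer frame is a perfectly valid 802.15.4 frame with a good FCS, so a WIDS that reassembles frames from the outer sync sees only innocuous payload; a target that drops sync on the outer header and re-acquires on the embedded preamble sees the inner frame. Which receivers do that, and after how many preamble symbols, is chipset-specific.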


SERGEY SHEKYAN

HEADLESS BROWSER HIDE AND SEEK

Headless browsers have quietly become indispensable tools for security teams, researchers, and attackers focusing on web applications. Tools like PhantomJS enable anyone to interact with highly dynamic websites to find vulnerabilities, performance bottlenecks, and even automate attacks. 

This presentation will dive into the offensive use of these tools, and how to counteract them in practice. This will include techniques used by attackers to find vulnerabilities in websites, and how security teams can use these techniques to perform their own daily security practice. 

With this base established, we will delve into an extended analysis of the techniques malicious browsers use to impersonate real end-users, and the countermeasures security teams can use to expose them. We will provide examples of how to collect threat forensics and attacker attribution data when malicious browsers are detected on your site. Lastly, we will review vulnerabilities in headless browsers themselves and provide recommendations to ensure that your tools aren't turned against you. 

INTRODUCTION TO HEADLESS BROWSERS

  • What it is and how it works
  • Legitimate uses and how you can benefit
  • Malicious Use of PhantomJS
  • Impersonate a legitimate browser
  • Fuzzing a web application
  • Find performance bottlenecks 

EXPLOITING THE EXPLOITER

  • How attackers attempt to hide
  • How to expose them on your site
  • Additional evasion techniques and countermeasures 

DEMONSTRATIONS

  • Example of attacking with PhantomJS with subsequent detection
  • Arbitrary code execution on up-to-date remote PhantomJS
  • Various ways of abusing remote PhantomJS 

COUNTER-ATTACKING AND ATTRIBUTION

  • How to turn a headless browser against the attacker
  • Vulnerabilities in PhantomJS
  • Best practices for using headless browsers safely


ALEX MATROSOV

HEXRAYSCODEXPLORER: OBJECT ORIENTED RE FOR FUN AND PROFIT

HexRaysCodeXplorer is a Hex-Rays Decompiler plugin for easier code navigation. Its main features are: 

  • Automatic type REconstruction for C++ objects.
  • C-tree graph visualization - a special tree-like structure representing a decompiled routine in citem_t terms. Useful feature for understanding how the decompiler works. 
  • Navigation through virtual function calls in HexRays Pseudocode window. 
  • Object Explorer - useful interface for navigation through virtual tables (VTBL) structures.

In this presentation, the authors of HexRaysCodeXplorer will discuss the main functionality of the plugin and its application to reverse engineering. The authors will present the algorithm for C++ type REconstruction. A special version of HexRaysCodeXplorer (H2HC edition) will also be released, with new features developed specially for the H2HC conference. The new features will be committed to GitHub from the stage.


2Ø13 v1.Ø - STRONGER THAN EVER


Carlos Carvalho & Savio Sena

LINUX CLUSTERS AND MULTI-CORE BOXES UNDER CONTROL


Peter C. Johnson

FROM DDKS TO BUS DISCIPLINE DEVELOPMENT KITS, OR WHY AREN'T WE FIREWALLING USB AGAIN?

Most bus-facing kernel device drivers have a fairly straightforward (though not always simple) task: take unstructured data from the bus and marshal it into typed data structures before handing it off to the kernel.  Yet for how straightforward this sounds, such device drivers remain fertile ground for vulnerabilities.  I'll be presenting our work-in-progress bus driver development kit whose goal is to programmatically generate driver code directly from a description of the bus protocol written in a domain-specific language.  In addition to code generation, we will be able to use the DSL description to create data structures and hooks to check semantic properties of the protocol not enforced by the syntactic rules.  Finally, due to our choice of DSL, we will be able to verify that the parser does what we want it to do: that data coming in over the bus stays in the appropriate data structures and that those data structures conform to the rules of the protocol. As a proof of concept, we're developing a firewall for USB reminiscent of the Netfilter architecture.
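To make the "bus discipline" idea concrete, here is an added Python example; it is not the project's kit, whose DSL is work in progress. It parses the 8-byte SETUP stage of a USB control transfer, which is pure syntax, then checks properties the byte layout cannot express but the specification requires (direction bit consistent with the request, no data stage on SET_ requests, a 7-bit device address, two status bytes for GET_STATUS), and finally runs the packet through a Netfilter-style chain of ordered rules with a default verdict. The rule set, its names and the request bytes are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Standard request codes (USB 2.0, table 9-4) and bmRequestType type field values.
GET_STATUS, CLEAR_FEATURE, SET_FEATURE, SET_ADDRESS = 0, 1, 3, 5
GET_DESCRIPTOR, GET_CONFIGURATION, SET_CONFIGURATION, GET_INTERFACE, SET_INTERFACE = 6, 8, 9, 10, 11
TYPE_STANDARD, TYPE_CLASS, TYPE_VENDOR = 0, 1, 2
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class SetupPacket:
    bmRequestType: int
    bRequest: int
    wValue: int
    wIndex: int
    wLength: int

    @property
    def device_to_host(self) -> bool:
        return bool(self.bmRequestType & 0x80)

    @property
    def req_type(self) -> int:
        return (self.bmRequestType >> 5) & 0x3

    @property
    def recipient(self) -> int:
        return self.bmRequestType & 0x1F          # 0 device, 1 interface, 2 endpoint, 3 other


def parse_setup(raw: bytes) -> SetupPacket:
    """Syntax only: the 8-byte SETUP stage, multi-byte fields little-endian."""
    if len(raw) != 8:
        raise ValueError("SETUP packet must be exactly 8 bytes")
    return SetupPacket(*struct.unpack("<BBHHH", raw))


def semantic_violations(s: SetupPacket) -> list:
    """Properties the layout cannot enforce but the spec requires."""
    v = []
    if s.req_type == 3:
        v.append("reserved request type")
    if s.recipient > 3:
        v.append("reserved recipient")
    if s.req_type == TYPE_STANDARD:
        if s.bRequest in (GET_STATUS, GET_DESCRIPTOR, GET_CONFIGURATION, GET_INTERFACE) and not s.device_to_host:
            v.append("IN-type standard request with the OUT direction bit")
        if s.bRequest in (CLEAR_FEATURE, SET_FEATURE, SET_ADDRESS, SET_CONFIGURATION, SET_INTERFACE):
            if s.device_to_host:
                v.append("OUT-type standard request with the IN direction bit")
            if s.wLength != 0:
                v.append("no-data request announces a data stage")
        if s.bRequest == SET_ADDRESS and (s.wValue > 127 or s.wIndex != 0 or s.recipient != 0):
            v.append("SET_ADDRESS with an out-of-range address or a non-device recipient")
        if s.bRequest == GET_STATUS and s.wLength != 2:
            v.append("GET_STATUS must request exactly two bytes")
    return v


def make_chain() -> list:
    """Ordered (name, match, verdict) rules, first match wins; constructed example policy."""
    return [
        ("drop-malformed", lambda s: bool(semantic_violations(s)), DROP),
        ("allow-standard", lambda s: s.req_type == TYPE_STANDARD, ACCEPT),
        ("allow-class-to-interface", lambda s: s.req_type == TYPE_CLASS and s.recipient == 1, ACCEPT),
        ("drop-vendor", lambda s: s.req_type == TYPE_VENDOR, DROP),
    ]


def filter_setup(raw: bytes, chain=None, default: str = DROP) -> tuple:
    """Run one SETUP packet through the chain and return (verdict, rule that decided it)."""
    s = parse_setup(raw)
    for name, match, verdict in (chain if chain is not None else make_chain()):
        if match(s):
            return verdict, name
    return default, "policy-default"


if __name__ == "__main__":
    for raw in (b"\x80\x06\x00\x01\x00\x00\x12\x00",   # GET_DESCRIPTOR(DEVICE), 18 bytes
                b"\x00\x05\xff\x00\x00\x00\x00\x00",   # SET_ADDRESS 255: not a 7-bit address
                b"\x40\x42\x00\x00\x00\x00\x10\x00"):  # vendor-specific OUT request
        print(raw.hex(), filter_setup(raw))
```

The split between parse_setup and semantic_violations is the point of the abstract: the first is what a generated parser gives you for free, the second is the list of invariants a DSL would have to let you state so that the same tool can check them.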


Bratus & Bangert & Shapiro

ELF ECCENTRICITIES

.Bx has demonstrated how to build a Turing machine out of well-formed relocations and symbols of the ELF binary format. Other aspects of the format can be just as twisted. From a language-theoretic standpoint, the ELF format is very context-sensitive: much metadata is stored redundantly and interesting things can happen when metadata is inconsistent. Furthermore, we believe these dependencies are one of the reasons ELF binary manipulation tools are so hard to get right, and will present a work-in-progress framework in the style of ERESI's elfsh that takes care of metadata consistency for modified binaries and parsing inconsistencies for untrusted binaries.
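One instance of the redundancy the abstract describes is that ELF records the mapping from file bytes to memory twice: in the program headers, which the loader uses, and in the section headers, which disassemblers and linkers use. The following Python is an added example and not the authors' framework: it builds a minimal ELF64 executable in memory, then checks that both header tables lie inside the file, that every SHF_ALLOC section is covered by a PT_LOAD segment with the same file-to-memory translation, that e_shstrndx names a string table, and that each PT_LOAD is self-consistent. Shifting a section's address so the two views disagree, or truncating the file, is reported. The sample binary and its layout constants are constructed for the demonstration.

```python
import struct

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr
SHDR = struct.Struct("<IIQQQQIIQQ")         # Elf64_Shdr
PT_LOAD, SHT_PROGBITS, SHT_STRTAB, SHT_NOBITS, SHF_ALLOC = 1, 1, 3, 8, 0x2


def check_elf64(data: bytes) -> list:
    """Cross-check the segment view (loader) against the section view (tools); return problems."""
    if len(data) < EHDR.size or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return ["not a little-endian ELF64 file"]
    (_ident, _type, _machine, _ver, _entry, e_phoff, e_shoff, _flags, _ehsize,
     e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx) = EHDR.unpack_from(data)
    if e_phentsize != PHDR.size or e_shentsize != SHDR.size:
        return ["e_phentsize/e_shentsize disagree with the ELF64 header sizes"]
    if e_phoff + e_phnum * PHDR.size > len(data):
        return ["program header table runs past end of file"]
    if e_shoff + e_shnum * SHDR.size > len(data):
        return ["section header table runs past end of file"]
    problems, loads = [], []
    for i in range(e_phnum):
        p_type, _pf, p_off, p_vaddr, _pa, p_filesz, p_memsz, p_align = PHDR.unpack_from(
            data, e_phoff + i * PHDR.size)
        if p_type != PT_LOAD:
            continue
        if p_filesz > p_memsz:
            problems.append(f"PT_LOAD[{i}]: p_filesz exceeds p_memsz")
        if p_off + p_filesz > len(data):
            problems.append(f"PT_LOAD[{i}]: file range runs past end of file")
        if p_align > 1 and p_off % p_align != p_vaddr % p_align:
            problems.append(f"PT_LOAD[{i}]: p_offset and p_vaddr not congruent modulo p_align")
        loads.append((p_off, p_vaddr, p_filesz, p_memsz))
    shdrs = [SHDR.unpack_from(data, e_shoff + i * SHDR.size) for i in range(e_shnum)]
    if e_shnum and not (e_shstrndx < e_shnum and shdrs[e_shstrndx][1] == SHT_STRTAB):
        problems.append("e_shstrndx does not name a SHT_STRTAB section")
    for i, (_n, sh_type, sh_flags, sh_addr, sh_off, sh_size, *_rest) in enumerate(shdrs):
        if sh_type != SHT_NOBITS and sh_off + sh_size > len(data):
            problems.append(f"section {i}: file range runs past end of file")
        if not (sh_flags & SHF_ALLOC) or sh_type == SHT_NOBITS or sh_size == 0:
            continue
        # The section must sit inside one PT_LOAD in file and in memory, with the same translation.
        mapped = any(p_off <= sh_off and sh_off + sh_size <= p_off + p_filesz
                     and p_vaddr <= sh_addr and sh_addr + sh_size <= p_vaddr + p_memsz
                     and sh_addr - p_vaddr == sh_off - p_off
                     for p_off, p_vaddr, p_filesz, p_memsz in loads)
        if not mapped:
            problems.append(f"section {i}: SHF_ALLOC but no PT_LOAD maps it consistently")
    return problems


def build_elf(text_addr: int = 0x400080) -> bytes:
    """Constructed minimal ELF64 executable: one PT_LOAD, sections [null, .text, .shstrtab].
    .text lives at file offset 0x80, so text_addr must be base + 0x80 for the views to agree."""
    text, shstr = b"\x90" * 15 + b"\xc3", b"\0.text\0.shstrtab\0"
    text_off, shstr_off, sh_off, base = 0x80, 0x90, 0xA8, 0x400000
    img = bytearray(sh_off + 3 * SHDR.size)
    img[text_off:text_off + len(text)] = text
    img[shstr_off:shstr_off + len(shstr)] = shstr
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    EHDR.pack_into(img, 0, ident, 2, 0x3E, 1, text_addr, EHDR.size, sh_off, 0,
                   EHDR.size, PHDR.size, 1, SHDR.size, 3, 2)
    filesz = shstr_off + len(shstr)
    PHDR.pack_into(img, EHDR.size, PT_LOAD, 5, 0, base, base, filesz, filesz, 0x1000)
    SHDR.pack_into(img, sh_off + SHDR.size, 1, SHT_PROGBITS, 6, text_addr, text_off, len(text), 0, 0, 16, 0)
    SHDR.pack_into(img, sh_off + 2 * SHDR.size, 7, SHT_STRTAB, 0, 0, shstr_off, len(shstr), 0, 0, 1, 0)
    return bytes(img)


if __name__ == "__main__":
    print("consistent :", check_elf64(build_elf()))
    print("shifted    :", check_elf64(build_elf(text_addr=0x400090)))
    print("truncated  :", check_elf64(build_elf()[:300]))
```

The same function runs against a real file with check_elf64(open(path, "rb").read()). A binary whose section view and segment view disagree is exactly one that objdump will describe one way and the kernel will execute another.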


Travis Goodspeed

HILLBILLY SCANNING OF SATELLITES IN LOW EARTH ORBIT 

Hobbyist work with satellites has previously been with TV satellites, which stay in geostationary orbit, or with UHF satellites, which can be received without very accurate aim. This lecture describes how to rebuild a Navy surplus telecom dish with fine position control for tracking satellites in Low Earth Orbit. The resulting ground station, called the Southern Appalachian Space Agency, is able to track objects in both Earth and Solar orbits. A software defined radio then takes raw recordings for later reverse engineering and decoding, much of which is cleartext.


Pax Team

PAX: THE UNTOLD STORY (PART 2)

After last year's presentation on the general kernel self-protection features of PaX, it's time to delve into the details of the more recent compiler-based techniques. You'll learn what makes gcc tick and how PaX makes use of its plugin support to implement important security features (which already found a 15-year-old bug in Linux and would have protected against one of the Pwnium bugs earlier this year).


Brad Spengler

AT ARM'S LENGTH YET SO FAR AWAY

In this talk, I'll discuss how I designed and developed a novel implementation of PaX's KERNEXEC and UDEREF features for ARMv6+ in a way that mimics their implementation and effectiveness on i386 -- using ARM domain support. I'll also talk about LPAE, PXN, and interesting findings encountered along the way. iOS users may find my LPAE discussion informative, as it turns out that the method I proposed (but did not implement due to lack of importance/interest) to implement UDEREF exactly matches Apple's equivalent feature. I'll conclude with some comments on Linux kernel exploit weaponization.


 

2Ø12 vØ.Ø

Sergey Bratus

Beyond main(), Native Code, Magic Buses, and Other Illusions

To most programmers, programming is about the CPU executing compiled code, with some additional OS magic for I/O; most programming is done without paying any attention to the many mechanisms that come into play to set up, load, and help a program run and communicate. Yet these mechanisms are themselves important and interesting programming environments, and can be made to do interesting things unexpected by their designers. Ignoring them is not fair. As programmers, we are taught to believe in well-behaved abstractions, and to "pay no attention to that man behind the curtain" — but what's behind the curtain is really the most interesting part. Hackers know this and have been exploring these machines in both software and hardware, for a better understanding of what a computer system really is beyond the main CPU and its assembly, machines within machines.

In this talk, I will discuss both classic and new examples of creative use of these helper mechanisms, from PaX's use of x86 memory translation and the original Phrack articles on how dynamic linking really worked to our recent research on programming with ELF metadata and USB packet manipulation. I will argue that programmable "weird machines" abound in all kinds of hardware and code that "invisibly" creates trusted layers of abstractions — and that hacker research is the best bet we have so far for understanding them and making computers more trustworthy.


Pipacs

PaX: the untold story (kernel self protection)

This presentation will shed some light on the less well-known but nevertheless very important features of PaX: kernel self-protection. If you don't want to miss out on what the rest of the industry has for almost a decade now, this is the one talk you don't want to miss :)

Not to be outdone by spender, here are a few choice quotes:

spender: Btw, glad you're not one of the many egotistical losers I commonly find in the "security community"

Ivan Arce: @sergeybratus preaching to the choir. I've said to some of them that PaX was the most important security innovation of the past decadeS

In more mundane terms, the PaX Team has been developing, you guessed it, PaX for the past 12 years. If you think your butt has been saved by this work in the past, you're welcome to buy us a beer!


Thiago Musa

(In)Security in Mobile Payment Solutions

Brazil is already the fourth biggest international market in credit card payments, with 687 million cards in circulation, adding up to a financial volume of R$670 billion ($330 billion) in 2011. Besides that, the country also has 255 million cellphones, around 1.3 devices per inhabitant. Such huge demand opens great opportunities in this market, but also points to growing concern with fraud, information theft and privacy issues.

There are several models for mobile payment, such as MPayment, Mobile Wallet, P2P Payment and Mobile as POS, among others. However, none of them is consolidated and broadly accepted by the market, nor do they have thoroughly specified standards. Digital inclusion projects are also emphasizing the migration from desktop to mobile devices, leaving no doubt that they are the platform of the future. In this presentation I'll present the main technologies involved, such as USSD, SMS, NFC and S@T, discussing and detailing how they work and the key vulnerabilities found so far, demonstrating the weaknesses of their protection mechanisms.


Philippe Langlois

Private Sector Short Term Security Trade Offs and Countries Race for Cyber Weapons:  What Could Possibly Go Wrong?


Marc Van Hauser Heuse

IPv6 Insecurity Revolutions

