Some Neg9 people attended REcon 2010 - here are their combined notes on the various talks. Enjoy!

<!--<<TableOfContents()>>-->

# Talks

## 10.00-11.00 : Richard Thieme - Ethical Considerations of Intelligence and Information Security

Using mathematical proofs and solvers to determine the flow of data through instructions.

* Tools:
  * FuzzGrind (Valgrind-based fuzzing plugin)
  * SAGE (Microsoft)

## 13.00-14.00 : Alex Ionescu - Debugger-based Target-to-Host Cross-System Attacks

* Exploiting KD/WinDbg over remote transports (serial, etc.): the debug target can push commands at the host debugger.
* `.load \\some\lib.dll` - the host debugger loads an extension DLL from a UNC path.
* Inject any command on the host; chain commands with a semicolon: `do_evil_that_breaks; g` - break, then go, so the debugger resumes silently.
* `.secure` disables `.netuse`, `.load`, `.readmem`/`.writemem`, `.shell`, detaching/attaching, etc. (limits functionality). Same thing with `-secure` on the command line; it applies to remote debugging only.
* All well documented from ReactOS, KDVMWare and Skywing's blog.

## 14.00-15.00 : Sebastian Porst - How to really obfuscate your malware PDF files

* Common exploit paths - broken PDF parser, JS engine, external libraries, /Launch
* Object format: `<id> <gen> obj << /Type ... /Key value >> endobj` - object id, dictionary with the type and definitions, `endobj`
* See Julia Wolf's presentation "OMG-WTF-PDF" (PDF obfuscation slides)
* JS can be distributed among multiple PDF objects; the execution context persists across them
* Additional code can be loaded from Pages, Annotations and the Info dictionary
  * Pages: do substring operations on the actual document text to build a JS string, then eval() it later. Reading only the capital letters of "ALl of thE wRong Things" gives "ALERT", i.e. alert.
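An added example of hunting for the tricks described in this section (JS split across objects, a payload hidden in page text and recovered from its capital letters, a fragment parked in the Info dictionary). This is not code from the talk, from Origami or from any tool the notes mention: a stdlib-only Python scanner over a PDF constructed for the demo. The object numbers, the `/Author` fragment and the names `capsOf`, `page`, `info.author` and `payload` inside the sample JS are all made up for illustration and are not Acrobat API; the list of flagged keys is this example's choice.

```python
"""Find JavaScript spread across the objects of a PDF (added example).

Stdlib only; not code from the talk, Origami or Didier Stevens' tools.
SAMPLE_PDF is constructed for the demo: object 4 is page text whose
capital letters spell the payload, object 5 is the Info dictionary with a
JS fragment parked in /Author, and object 6 is the /JS action that would
glue them together. The names capsOf/page/info.author/payload inside the
JS are placeholders, not Acrobat API; nothing here is a working exploit.
"""
import re

# Keys worth flagging: script bodies plus the actions that trigger them.
SUSPICIOUS_KEYS = (b"/JS", b"/JavaScript", b"/OpenAction", b"/AA", b"/Launch")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.S)
INFO_RE = re.compile(rb"/Info\s+(\d+)\s+\d+\s+R")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t"}

SAMPLE_PDF = rb"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 6 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >>
stream
BT /F1 12 Tf (ALl of thE wRong Things) Tj ET
endstream
endobj
5 0 obj << /Title (Quarterly report) /Author (; app.alert\(payload\)) >> endobj
6 0 obj << /S /JavaScript /JS (eval\(capsOf\(page\) + info.author\)) >> endobj
trailer << /Root 1 0 R /Info 5 0 R >>
%%EOF
"""


def parse_objects(data):
    """Map object number -> body bytes for every 'N G obj ... endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}


def pdf_literal_strings(body):
    """Contents of each literal string ( ... ) in body, honouring backslash
    escapes and balanced nested parentheses (where the JS likes to hide)."""
    out, i = [], 0
    while i < len(body):
        if body[i:i + 1] != b"(":
            i += 1
            continue
        depth, j, buf = 1, i + 1, bytearray()
        while j < len(body):
            c = body[j:j + 1]
            if c == b"\\":  # escaped character: copied, never changes depth
                nxt = body[j + 1:j + 2]
                buf += ESCAPES.get(nxt, nxt)
                j += 2
                continue
            if c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    break
            buf += c
            j += 1
        out.append(bytes(buf))
        i = j + 1
    return out


def suspicious_objects(objects):
    """Object number -> the action/JS keys found in it."""
    return {num: [k.decode() for k in SUSPICIOUS_KEYS if k in body]
            for num, body in objects.items()
            if any(k in body for k in SUSPICIOUS_KEYS)}


def caps_only(text):
    """The Pages trick: the payload is just the capital letters of the text."""
    return "".join(c for c in text if c.isupper())


def page_text(objects):
    """Every literal string inside content streams, i.e. what (...) Tj shows."""
    return " ".join(s.decode("latin-1")
                    for body in objects.values()
                    for stream in STREAM_RE.findall(body)
                    for s in pdf_literal_strings(stream))


def info_strings(data, objects):
    """Literal strings stored in the trailer's /Info dictionary."""
    m = INFO_RE.search(data)
    if not m or int(m.group(1)) not in objects:
        return []
    return [s.decode("latin-1") for s in pdf_literal_strings(objects[int(m.group(1))])]


def collect_js(objects):
    """Concatenate the /JS (...) bodies in object order."""
    frags = []
    for num in sorted(objects):
        idx = objects[num].find(b"/JS")
        if idx >= 0:
            frags += [s.decode("latin-1") for s in pdf_literal_strings(objects[num][idx:])]
    return "\n".join(frags)


if __name__ == "__main__":
    objs = parse_objects(SAMPLE_PDF)
    print("suspicious:", suspicious_objects(objs))
    print("page text :", page_text(objs), "-> caps:", caps_only(page_text(objs)))
    print("info dict :", info_strings(SAMPLE_PDF, objs))
    print("JS        :", collect_js(objs))
```

The point of pulling strings out of content streams and the Info dictionary, not only out of `/JS` entries, is that a scanner which only looks at the script object sees `eval(...)` and nothing else; the actual payload lives in places a PDF/JS emulator has to reproduce faithfully (text operators, document metadata) to reassemble it. Real files also use streams compressed with `/FlateDecode`, which this demo does not inflate; run the scanner on the decompressed streams.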
  * Info dictionary: arbitrary strings can be stored here alongside the author name etc., and eval()ed later
* Store the malicious parts in things that are hard to emulate (forms system, multimedia system, core rendering engine)
* "Callee trick": message passing
* Tools
  * Origami, open source PDF manipulation library (Ruby)
  * jsbeautifier.org
  * Didier Stevens (lots of PDF tools and a blog)

## 15.30-16.30 : Gynvael Coldwind and Unavowed - Syndicate Wars port: how to port a DOS game to modern systems

* Disassemble to a recompilable C form
* Replace the DOS-specific parts with portable C code, using open source libraries
* The original was compiled with the 1995 Watcom compiler
* No applicable disassembler existed, so they wrote their own: swdisasm
* Released five years after the project started - http://swars.vexillium.org/

## 10.00-11.00 : Ero Carrera and Jose Duart - Packer Genetics: The Selfish Code

* Ero will be visiting Seattle/SF
* Built a Python interface to the Bochs emulator's debugging system
* Python gives full control over Bochs instrumentation, versus recompiling Bochs for every change
* Ero has IDA-to-SQL code on the zynamics GitHub

## 13.00-14.00 : Igor Skochinsky - Intro to embedded reverse engineering for PC reversers

* UART
  * Timing sensitive
  * Commonly TTL levels (0/3.3 V or 0/5 V) - PC serial (RS-232) can swing +/- 15 V, so don't wire a PC serial port straight to the board; use a TTL-level adapter
  * Look in the source for the settings; 115200 8N1 is common
  * Find the TX/RX pins by trial and error: hook the cable's ground to any ground (shielding, etc.), then try the cable's RX on candidate pins; when you hit the board's TX, text shows up in the terminal
  * RX is likely nearby; test candidates by checking whether your input gets echoed
* Dump flash memory, typically an MTD device
  * /proc/mtd lists the devices
  * /dev/mtdN (character device) or /dev/mtdblockN (block device): dd it
* Sony eBook
  * Use the Windows DLL (Sony Connect) that copied eBooks to/from the device; give it a full path on the device to copy data off (/dev/mtd0 worked)
* Casio EX-Word dictionary
  * Patch a game's "save game" functionality to dump OS memory as the save file, and get the full OS image in chunks
* Common embedded filesystems: cramfs, SquashFS, JFFS2, YAFFS;
  vfat, ext2, minix, UBIFS (Nokia N900)
  * cramfs: read-only, zlib (deflate), magic 0x28cd3d45
  * SquashFS: read-only, zlib or lzma, in mainline Linux. Used in the Kindle. Magic: `sqsh` (little-endian images show it as `hsqs`)
  * JFFS2: magic 0x1985
    * Igor has a Python script to unpack this
  * YAFFS: unyaffs from Google to unpack
* Embedded OS
  * Often no OS, just direct code
  * RTOS: most functionality compiled in, fast, task oriented
  * Linux: complex devices
    * Tends to need a CPU with an MMU (memory management unit) - can get by without one via uClinux
    * Das U-Boot often used as the bootloader
  * Nucleus RTOS
    * C, with some CPU-specific portions. Used in many mobile phones. Past iPhone baseband firmware was this.
  * VxWorks
    * Wind River was bought by Intel
    * Set-top systems
    * Identifying string: "Copyright 1999-2001 Wind River Systems, Inc."
    * Matasano has a blog post on RE'ing a toaster running VxWorks
  * WinCE
    * Magic is "CECE" at offset 0x40
    * ARM and x86 officially supported. Previously MIPS, PPC, SuperH
  * ThreadX: used in the iPhone 4 baseband
  * eCos: open source RTOS from Red Hat
* Common processors
  * Microprocessor: general purpose, interfaces with external RAM, ROM, etc.
  * Microcontroller: specialized, integrates RAM, ROM, flash ROM, serial, etc.
    * Commonly referred to as a System on Chip (SoC)
    * Often an ARM processor core
  * Intel 8051
    * Harvard architecture - instructions stored separately from data
* Identifying the CPU
  * Marking on the chip
  * Logos: http://elnec.com/support/ic-logos/?method=logo
* Dumping the kernel
  * ARM: find the gzip header and extract the image from there
* Disassembling code
  * Look for jump tables; they hold absolute addresses of code - use these for alignment and to determine where code/functions start
  * Igor has a Python script to extract kernel symbol tables from recent Linux kernels (the table is compressed, see kallsyms.c)
  * Search for "panic", "trace", "exception", "assert" to find crash info and the functions that reference it
  * Use IDA "Edit > Segments > Rebase program" to shift the file's load address.
  * After a successful rebase, jumps and calls should resolve to loc_xxx labels instead of raw addresses like 0xdeadbeef
* igorsk.blogspot.com, www.lostscews.org, mbed.org

## 14.00-15.00 : Stephen Ridley - Escaping the Sandbox

* Chromium sandboxing
* Spy++ from Visual Studio; WinSpectorPro for spying on UI events via the user32 message system
* Global atoms - passing them via user32 essentially passes function pointers; obviously dangerous over an insecure channel
* http://msdn.msuiche.net - HTML-browsable symbol-ish data
* AutoDebugPro - filter on function calls
* WinObj from Sysinternals, objsdump from the MS DDK
* The kernel can catch all exceptions, and Chrome has itself debug its sandboxed processes. Watch in a kernel debugger to get at the exceptions that are otherwise not visible.
* rdtsc reads the time-stamp counter (cycles since reset), i.e. time since boot
* SandKit tool - has a utility (Sa7Shell) to inject a full Python interpreter into a running process
* http://ste7phen.github.com/SandKit

## 15.00-16.00 : Dino Dai Zovi - Mac OS X return oriented exploitation

* OS X
  * NX only set on the stack (e.g. the heap is executable)
  * Library randomization: a cheap ASLR implementation - the addresses of libraries and frameworks are just shuffled periodically, upon new software installation
* OS X tools:
  * vmmap: dump a process's memory map
  * nm: list exported symbols from a lib/executable
  * otool: various info from Mach-O object files: shared lib deps, code disassembly
* Spencer Pratt's "Synthesis" technique (Full Disclosure, 3/30/2010)
  * /usr/lib/dyld
  * `nm -arch i386 /usr/lib/dyld`
  * _strcpy, _syscall, etc. - good stuff
* __IMPORT segments are RWX. All dynamically linked Mach-O binaries on OS X have this
  * 32-bit mode only; 64-bit data segments are NX

## 14.00-15.00 : Georg Wicherski - Dirtbox, a highly scalable Windows/x86 emulator

* libcpu: bytecode emulator, quite fast
* dirtbox: syscall emulator, emulates API calls

## 09.20-09.40 : Stephen Chenette - Using Fireshark to Analyze Malicious Websites

* Fuzzy content matching - uses a technique similar to DNA sequencing.
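The token-hash comparison behind the matching technique noted above, as an added example (not Fireshark's code): split each page into tokens, hash runs of tokens, and compare how many hashes two pages share against a threshold. The shingle length k=3, the use of Jaccard overlap and the 0.5 threshold are this example's choices, and the three "pages" are constructed inline.

```python
"""Fuzzy page similarity from hashed token shingles (added example).

Not Fireshark's code: an illustration of the approach described in the
talk (tokenize, hash, compare against a threshold). Shingle length k=3,
Jaccard overlap and the 0.5 threshold are this example's choices. The
three pages below are constructed for the demo.
"""
import hashlib
import re

# HTML tags, identifiers and numbers stay whole; everything else
# (quotes, brackets, operators) becomes a one-character token.
TOKEN_RE = re.compile(r"<[^>]*>|[A-Za-z_$][A-Za-z0-9_$]*|\d+|\S")


def tokenize(page):
    return TOKEN_RE.findall(page)


def shingle_hashes(page, k=3):
    """Fingerprint a page as the set of hashes of every run of k tokens.

    Hashing the shingles keeps fingerprints small and lets them be stored
    or shared without keeping the page content around.
    """
    toks = tokenize(page)
    return {
        hashlib.sha1(" ".join(toks[i:i + k]).encode("utf-8")).digest()[:8]
        for i in range(max(len(toks) - k + 1, 0))
    }


def similarity(fp_a, fp_b):
    """Jaccard overlap of two fingerprints: 0.0 (disjoint) .. 1.0 (identical)."""
    if not fp_a and not fp_b:
        return 1.0
    return len(fp_a & fp_b) / len(fp_a | fp_b)


def same_family(page_a, page_b, threshold=0.5, k=3):
    """True when enough shingles are shared for the pages to count as variants."""
    return similarity(shingle_hashes(page_a, k), shingle_hashes(page_b, k)) >= threshold


# Constructed samples: an exploit landing page, a variant that only swapped
# the shellcode bytes and the iframe host, and an unrelated benign page.
LANDING = ('<html><body><script>var a=unescape("%u9090%u9090");'
           'var f=document.createElement("iframe");f.src="http://one.example/go";'
           'document.body.appendChild(f);</script></body></html>')
VARIANT = LANDING.replace("u9090", "u4141").replace("one.example", "two.example")
BENIGN = ('<html><body><h1>Welcome</h1><p>Our store opens at 9.</p>'
          '<script>var t=new Date();document.write(t);</script></body></html>')

if __name__ == "__main__":
    base = shingle_hashes(LANDING)
    for name, page in (("variant", VARIANT), ("benign", BENIGN)):
        verdict = "MATCH" if same_family(LANDING, page) else "no match"
        print(f"{name}: {similarity(base, shingle_hashes(page)):.2f} {verdict}")
```

Changing a constant only disturbs the k shingles that contain it, so the variant still scores well above the threshold while the benign page shares almost nothing but the closing tags. The weak spot is renaming: an identifier used throughout the script touches most shingles, so a production matcher should normalize identifiers (e.g. replace each with a placeholder) before hashing.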
* Split into tokens, hash each token, and compare whether some threshold of token hashes match to decide if two pages are similar

## 09.40-10.00 : Yoann Guillot and Alexandre Gazet - Metasm Feelings

* Tracing branch execution with the branch-trace flag (set via a debug MSR) - looks helpful alongside IDA for easily determining which branches to examine

## 10.00-11.00 : Assaf Nativ - Memory analysis - looking into the eye of the bits

* CheatEngine 5.5 - like strings(1) for memory
* Mint - Python module Assaf wrote for memory manipulation
  * Looks simple
* Display dumped memory in dword chunks (%8x); makes pointers and patterns easy to identify

## 11.00-12.00 : Danny Quist - Reverse engineering with hypervisors

* Danny works for Offensive Computing, @ocomputing
* Ether: Xen patch that allows tracing events: syscalls, instruction execution, memory writes, context switches
* Intel PIN: similar, but very detectable and slow
* OllyDump
* Identify unpacking by checking whether a memory address that was written to is later executed (track written addresses in a hash table)
* OGDF - Open Graph Drawing Framework - handles more nodes than graphviz
* Virtual address descriptors (VADs) - each process has a tree of these defining its memory usage
* http://www.shadowserver.org/wiki/ - repository of malware etc.

## 13.00-14.00 : Travis Goodspeed - Building hardware for exploring deeply embedded systems

* 8- and 16-bit embedded systems (8051, 6809)
* No OS, symbol table, etc.
* Very different access controls compared to PCs. Typically none at all.
* Very low power radios, 0 dBm - 1/1000th the power of a cell phone radio
* Wireless targets: ZigBee, ANT, 802.15.4, etc.
* Wireless sensor networks (motes)
* Smart meters (smart grid)
* Sports and medical equipment. ANT replaces the pulse oximeter wire with wireless. ANT's lower layers are proprietary
* The next HOPE badge is based on Travis' RE work here.
  * MSP430 microcontroller
  * Integrated radio - nRF24L01+ (Nordic RF)
  * Radio chain from the reference design
  * OpenBeacon firmware transmits every 3 seconds
  * Or use a GoodFET to do whatever you like
    * Python interface to it all
    * GoodFETNRF client
* Broke the ECC implementation on all commercially available ZigBee hardware
  * A bad PRNG led to nonce recovery. ECMQV exposes its private keys when the nonce is recoverable.
* GoodFET
  * Similar to the Bus Pirate and vendor JTAG devices
  * Firmware is C, client is Python
  * Has lots of protocols
  * Debugs 8051, MSP430, ARM
  * Reads/writes SPI and I2C memory chips
* Clicker
  * nRF24E1 chip
  * No OS, and no function symbol names
  * I/O ports do have names, documented in the datasheet. They can quickly be imported into IDA.
  * Registers of interest: SPI_DATA, SPICLK, SPI_CNTRL, EXIF
  * P1 is the LED port (use it to identify the set-LED function)
  * P0.0 is the SPI EEPROM slave select
  * Radio is register 0x80
  * The datasheet documents the radio setup function and the message format
  * Destination MAC is in registers 0x1E, 0x1F, 0x20 (1 byte each, 3 total)
* Michael Ossmann wrote a spectrum analyzer for the "IM-ME" wireless text messaging device
* Debuggers can often attach and access data (RAM) but sometimes not code.
* Many ECC implementations (following the reference implementation) keep the key in RAM, which you can dump with a debugger alone.
* Aurelien developed return-to-libc style attacks on AVR
* Bus usurping
  * Connect a GoodFET to the SPI bus
  * Boot the target device
  * Halt the target MCU, leaving the radio online
  * Access the bus peripherals (e.g. the radio) directly
  * Total Phase Beagle for SPI sniffing
* Next HOPE attendee metadata tracking
  * http://amd.hope.net/
* JTAG Wiggler - mentioned at the end of the talk, to look up.
* Encrypted bus lines - uses what sounds like a homomorphic encryption scheme so branch computations stay deterministic; find something that fails a check, then increment dwords until the control flow changes
* http://goodfet.sf.net/
* http://travisgoodspeed.blogspot.com/

## 15.00-15.20 : Ricky Lawshae - Picking Electronic Locks Using TCP Sequence Prediction

* Targeting the infrastructure behind fancy new lock mechanisms (RFID, biometrics, magstripe)
* Standard TCP sequence prediction / packet injection attack.

----
CategoryEvents