Synthetic Reality: Breaking macOS One Click at a Time.
In today's digital world the mouse, not the pen, is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily, security conscious users will (hopefully) heed such warning dialogues, stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.
Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed.
In this talk we'll discuss a vulnerability found in all recent versions of macOS that allowed unprivileged code to interact with any UI component, including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'Secure Kext Loading' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!
Patrick Wardle (@patrickwardle) is the Chief Research Officer at Digita Security, and founder of Objective-See. Having worked at NASA and the NSA, as well as having presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of Mac malware. In his personal time, Patrick collects Mac malware and writes free Mac security tools. Both can be found on his site, Objective-See.com.
From quantitative change to qualitative change: a new fuzzing method on Android.
Fuzzing has been demonstrated to be a highly effective way to identify bugs and security vulnerabilities, and the use of fuzzing methods to find Android security vulnerabilities has been extensively studied. Generally, these fuzzing methods have focused on covering as many paths as possible and offering enough variety of inputs for one exposed attack surface.
In this presentation, we will introduce a novel fuzzing method targeting Android. Although based on traditional fuzzing methods, its innovation is that it presents ways to find vulnerabilities by moving from quantitative change to qualitative change, and it exploits combinations of function points to find vulnerabilities. To a certain extent, our fuzzing method borrows the ideology of model checking, by generating combinations to drive the exploration of the state space in a comprehensive way.
To demonstrate the effectiveness of our method, we apply it to OEM devices such as Samsung, Huawei and Smartisan OS. In total, we have identified 200+ bugs and vulnerabilities, including many severe ones. During the presentation, we will select typical ones to demonstrate, aiming to inspire the community with vulnerabilities that have not yet been identified and shown by other methods.
Zhang Qing is a senior security researcher at Xiaomi. Previously, he was a senior Android security researcher at Qihoo 360 and a visiting scholar at the Model Checking Lab of the National University of Singapore. He currently works as a senior information security engineer at Xiaomi, in charge of account risk control and IoT device security. His interests include Android security, IoT security and payment security, specializing in reverse engineering and fuzzing. His work has appeared at syscan360 2016, Black Hat Asia 2017, HITB 2017 and others. In 2016 and 2017, he won the full-year first-place prizes for vulnerability detection at several major companies, such as Samsung, Huawei, Meizu, Chuizi and Xiaomi.
Dr. Bai Guangdong is a faculty member at the Singapore Institute of Technology (SIT). He received his PhD degree from the National University of Singapore in 2015. His research interests span the broad areas of mobile security, web security, and protocol verification. In his previous research, he has worked on analyzing authentication protocol implementations, online payment, and Android security. His research has helped identify and fix serious security vulnerabilities for major websites like Sina Weibo. His work appears in top security conferences, such as NDSS, Syscan, HITB and Black Hat Europe.
How to root Android 8 on Pixel C.
In recent years, with the popularity of mobile platforms, mobile security research has become fiercely competitive. Because Android platform fragmentation is serious and the quality of security across Android platforms differs greatly, a large number of vulnerabilities have been found, and some attack surfaces have been exposed to public view.
We focus on Android driver research and have found vulnerabilities across all vendors, including Qualcomm, MediaTek, NVIDIA, Samsung Exynos, Huawei HiSi, Xiaomi, etc. In particular, we found a critical vulnerability that can lead to escalation of privilege in our new attack surface. We developed an exploit immediately after we found it, rooting the newest system on the Google Pixel C tablet (we rooted Android 8.0 on the second day after its release).
An Android security researcher from the Vulpecker Team of Qihoo 360 Technology Co. Ltd., who focuses on automated vulnerability detection and vulnerability hunting. Has found many mobile phone vulnerabilities, including in Qualcomm, MediaTek, Nvidia, Samsung, Huawei, Xiaomi, etc. Gave a talk at PoC2017.
An Android security researcher from the Vulpecker Team of Qihoo 360 Technology Co. Ltd., who is skilled at Android kernel/driver exploit development. Has found about 20 vulnerabilities in Android drivers in the first half of this year. A CTF lover in school days. Gave a talk at PoC2017.
Zhou Ye is the leader of the 360 Vulpecker Team. He has long been engaged in Android game security and application security research. Under his leadership, the team is highly active on the bounty lists of Google, Samsung, Huawei and other major handset vendors, has repeatedly received CVE numbers and acknowledgments for the vulnerabilities it has found, and, while ensuring the security of the company's own products, continues to contribute security technology to mobile internet security.
CovNavi: Fuzzing-Driven Code Auditing And Vice Versa
Coverage-based fuzzers are all the rage these days, but while they usually achieve excellent results, they can get stuck on some problematic code parts like large constant comparisons or checksum calculations. Patching out the problematic code or manually auditing the code the fuzzer cannot reach slightly alleviates the problem of code not being covered during the audit, but the problem of finding those problematic points in the code remains.
We have developed a tool that combines code coverage information and code property graph analysis to help pinpoint those locations during fuzzing. The bug hunter can then analyze the problematic part of the code and decide to patch it to remove the problem, augment the fuzzer to get past the block, manually audit the unreached code, or write a different fuzzing harness that exercises the unreached code specifically.
In this talk, we will present the motivation behind this work, the methodology that utilizes the developed tool, the implementation of the tool, experimental results and demonstrations, as well as the public release of the tool.
Aleks is a security researcher mostly interested in reverse engineering, code auditing and program analysis with a focus on vulnerability discovery. As part of the Cisco Talos vulnerability research team, his tasks involve developing novel fuzzers, tools and techniques for finding software vulnerabilities, as well as triaging and reporting found vulnerabilities to the affected vendors. Aleks has found vulnerabilities in many software packages by major vendors (such as Oracle, Adobe, Google and Microsoft) and in a number of open source solutions. He has presented some of his work at a number of international conferences (such as PacSec 2015, FSec 2016 and Hacktivity 2016).
Symbolically Executing the Linux Kernel
Automated run-time testing (or fuzzing) has always been the easiest and most efficient approach (given the ratio of time spent to number of vulnerabilities found), accounting for the largest share of discovered kernel vulnerabilities. We have seen several iterations of fuzzers: starting from "dumb" fuzzers to fuzzers guided by code coverage using genetic algorithms combined with compiler instrumentation. The latter approach has been successfully applied in practice, resulting in dozens of previously undiscovered vulnerabilities. Even though this has been a significant advance over template-based fuzzing, there are still major shortcomings associated with this approach.
Static analysis, on the other hand, can achieve complete code coverage (in theory) by exploring all possible execution paths. In practice, this approach has significant drawbacks. The number of possible execution paths is exponential in the input size. Given the size and complexity of the kernel, most approaches based on static analysis would suffer from path/state explosion and generally introduce a large number of false positives.
Symbolic execution presents a middle ground between static analysis and run-time testing. It can cover a much larger execution space than run-time testing. The inherent problem associated with symbolic execution is that it can be very expensive: (1) a large set of possible program paths, (2) need to query the solver to decide which paths are feasible and which assertions could be false, and (3) a program state has many bits.
This presentation will start with an introduction to symbolic execution discussing the advantages and drawbacks associated with applying symbolic execution in kernel fuzzing. We will briefly cover available SMT/SAT solvers and existing kernel fuzzers based on symbolic execution and then move on to concolic testing, followed by our kernel fuzzer design and implementation.
Security researcher interested in operating systems and hypervisors.
From 0 to Infinity.
The baseband processor in modern cellphones remains one of the least understood elements, yet it is highly trusted in order to interact with the cellular network as well as with the application processor.
This talk aims to shed some light on these dark corners, and provide advice for other reverse engineers trying to explore this area.
This talk focuses on Apple's iPhone platform, since their recent move back to the Infineon chipset makes research a lot easier compared to the previously dominant Hexagon chipset.
I will start by describing the preliminary firmware analysis, during which I created a rudimentary map of its different parts and their respective roles. I will proceed by revealing the secrets hidden inside the baseband. I will conclude by presenting a research environment that I have developed that greatly simplifies the process of diffing, interacting with and fuzzing the Infineon SoC. Side note: not dropping any 0days; this is a methodology and process talk. A bit late; it took a while to write the abstract (with the help of a few friends).
Freelance Security Researcher interested in Low Level and Computer Security.
UEFI BIOS firmware analysis at scale
Vulnerabilities in system firmware allow adversaries to bypass almost any protection used in the operating system, virtual machine manager and other software. System firmware attacks bypass Secure Boot, software-based full-disk encryption and virtualization-based security. Threats exploiting such vulnerabilities can extract secrets from operating system memory, subvert secure/trusted VMs and even hypervisors, install stealthy and persistent implants and even brick physical systems. We’ve discovered a number of such vulnerabilities in the past and developed an open source framework to automate analysis. Despite these risks there are still many modern systems which do not protect their main BIOS/UEFI firmware. We decided to analyze thousands of UEFI firmware updates from multiple platform vendors and discovered hundreds of vulnerabilities, indicating that the corresponding systems lack any basic firmware protections in ROM or signed firmware updates. We’ll present the process, findings and limitations of such offline analysis of vendor firmware update images.
Eclypsium CTO and Founder Alex Bazhaniuk has been performing security research and product security for a number of years at Intel Corporation. Alex presented his research at well-known security conferences and teaches popular trainings in firmware security. Previously, he co-founded the first DEF CON group in Ukraine.
Advanced Binary Instrumentation Framework
Binary instrumentation is an essential technique for program analysis tasks, with wide application ranging from reversing (such as debugging and taint-tracking) and defense (like hot-patching and sandboxing) to offense (such as rootkits and vulnerability detection). Basically, instrumentation is performed by injecting extra code into a binary application to observe or modify its runtime behaviour. There are a few instrumentation frameworks, but unfortunately all of them suffer from some critical drawbacks.
We built Skorpio, a lightweight binary instrumentation framework, which offers some unparalleled features:
- Multi-platform: native build for Windows, iOS, Android & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed).
- Multi-architecture: support for Arm, Arm64 (AArch64/Armv8), Mips, PowerPC, Sparc and X86 (including 16/32/64-bit).
- Multi-level: allows instrumentation everywhere, from userspace to OS kernel, from instruction to function level.
- Flexibility: supports multiple types of instrumentation, and offers various customized optimizations for code relocation and optional trampoline settings.
- Lightweight, so we can instrument real-world complicated applications.
- Implemented in pure C language, with some bindings available.
This talk is going to present the motivation, design & implementation of Skorpio. The focus will be on technical decisions we made, and the challenges we had to overcome to realise the ideas behind our framework.
Skorpio aims to lay the ground for innovative works. To demonstrate its power, we built some exciting tools on top of our framework. Expect some cool live demos during this talk.
Dr. Nguyen Anh Quynh is a regular speaker at industrial information security conferences such as Blackhat USA/Europe/Asia, DEFCON, RECON, Eusecwest, Syscan, HackInTheBox, Shakacon, ZeroNights, Hack.lu, Deepsec, XCon, Confidence, Hitcon, Tetcon, etc. He has also presented his research in academic venues such as Usenix, IEEE, ACM, LNCS, etc. As a passionate coder, Dr. Nguyen is the founder and maintainer of the Reversing trilogy frameworks: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).
Discovering and Abusing Type Confusion
Type confusion, often combined with use-after-free, is the main attack vector used to compromise modern C++ software like browsers or virtual machines. Typecasting is a core principle that enables modularity in C++. For performance, most typecasts are only checked statically, i.e., the check only tests if a cast is allowed for the given type hierarchy, ignoring the actual runtime type of the object. Casting an object of an incompatible base type down into a derived type results in type confusion. Attackers have been abusing such type confusion vulnerabilities to compromise popular software products including Adobe Flash, PHP, Google Chrome, or Firefox, raising critical security concerns.
We discuss the details of this vulnerability type, how such vulnerabilities relate to memory corruption, and how they can be exploited. Based on an LLVM-based sanitizer that we developed, we will show how to discover such vulnerabilities in large software through targeted fuzzing along the type hierarchy. By selecting a subset of the type hierarchy, the fuzzer focuses on finding violations in a constrained space, restricting the set of false positives and allowing the researcher to better triage actual bugs.
Mathias Payer is a security researcher and an assistant professor in computer science at Purdue University, leading the HexHive group. His research focuses on protecting applications in the presence of vulnerabilities, with a focus on memory corruption. He is interested in system security, binary exploitation, user-space software-based fault isolation, binary translation/recompilation, and (application) virtualization.
Neurosurgery for Industrial Routers: Security of Sarian OS
Industrial routers are widely used in factories, power stations, manufacturing automation, ATMs and other industries to provide connectivity between different parts of manufacturing infrastructures. In such crucial areas of use, security is very important, because the cost of experiencing a security flaw is usually high. Industrial routers, just like all other routers, support a lot of network connection protocols: an HTTP server for configuration and diagnostics, SSH/Telnet, FTP, SNMP and others. Modern routers also feature cellular support, as they may be located at a remote site or in a vehicle (e.g. a locomotive). Additionally, many industrial routers support vendor-specific proprietary network protocols for solving special tasks. I’m sure everyone knows that vulnerabilities in such network services may allow potential malefactors to gain access to critical industrial networks. This is why the decision was taken to take a look at modern industrial routers from the information security perspective.
During the talk, I would like to highlight the main reasons why the security of industrial routers is important. I would also like to show the security research of industrial routers using the "Digi Wireless Routers" family as an example research target. These routers are managed by a custom proprietary operating system, Sarian OS. I will focus mostly on revealing the internal workings of the OS, including network protocol implementations and security features, with a video demonstration of vulnerabilities identified during the research.
No researchers have examined Sarian OS in the context of security or published results of such a study. Therefore, the material is fresh, useful and interesting for the security community. This research covers my whole path from obtaining the router firmware and analyzing it to finding complex vulnerabilities. I will describe all techniques and tools needed for conducting such research, and explain all technical details.
I am an application security specialist and a reverse engineer. In my work, I mostly study the security of embedded systems, reverse engineer custom protocols and file formats and conduct vulnerability research. Peace and love, comrades!
A Link Between Sandboxes
This is a sequel to my presentation at Syscan’15 about abusing symbolic links on Windows. Since giving that presentation, the use of symbolic links on Windows has changed. The biggest change is that Microsoft has added mitigations to block or restrict the use of symbolic links when running in a sandboxed context. This makes many sandbox escapes which were once exploitable fully mitigated. In this new presentation I’ll detail some of the changes MS have made to symbolic links, including how they mitigate against attacks from sandboxes. It also includes some of the ways I’ve bypassed their protections over the years. Finally, I’ll describe some sandbox escapes that MS won’t fix because symbolic links are mitigated, which could be exploited if only you can find a new way.
James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate. He’s also the author of the book “Attacking Network Protocols” available from NoStarch Press.
Impersonate a 4G user through LTE IRAT handover vulnerabilities
The LTE standard defines a strong security mechanism and architecture for protecting 4G mobile communications. However, just as the LTE name "Long Term Evolution" implies, LTE operators didn't deploy a completely new, isolated global mobile communications network at first, but have continuously evolved their networks. On one hand, in order to simplify the network architecture, the LTE standard abandoned the circuit-switched domain responsible for the traditional voice service, leaving only the packet-switched domain. On the other hand, telecom operators will not give up their voice services as their main source of revenue. For a long time during LTE network construction, operators need to provide voice services by means of GSM / CDMA / UMTS networks, which is called “Circuit Switched Fallback”. Although the VoLTE voice service based on the packet-switched domain has been gradually deployed in recent years, it is also necessary to introduce the SRVCC (Single Radio Voice Call Continuity) mechanism, which seamlessly maintains voice calls as mobile users move from LTE to non-LTE coverage areas. These measures increase the complexity of deploying 4G networks and may introduce vulnerabilities.
In this presentation, vulnerabilities introduced by the IRAT (Inter-Radio Access Technology) handover mechanisms, such as CSFB and SRVCC, in 4G LTE networks are revealed. These vulnerabilities allow hackers to hijack the victim's communication. We named these attacks 'Ghost Telephonist'. Through such attacks hackers can impersonate the victim to make phone calls and send SMSes, as well as hijack the user's incoming phone calls or SMSes. Furthermore, hackers can even gain access to victims' internet accounts and online banking accounts and even steal victims' assets. Compared with the former presentation of this topic, this time we will introduce more extended research results, and our effort on fixing this vulnerability together with operators and terminal manufacturers.
Yuwei Zheng is a senior security researcher at the Radio Security Department of 360 Technology and a core member of UnicornTeam. He cracked the protocols of Blackberry BBM, PIN message, and BIS secure mail, and successfully decrypted the messages without keys. He is currently focusing on the security research of cellular networks, IoT systems, and mobile basebands. He has presented his research work at top-level security conferences like BlackHat, DEFCON, HITB etc.
Exploiting Vulnerabilities in AI Applications
This talk presents threats to AI applications caused by a set of vulnerabilities in deep learning frameworks. In contrast to the small code size of deep learning models, these deep learning frameworks are complex and contain heavy dependencies on numerous open source packages. By exploiting these framework implementations, this presentation demonstrates attacks on common deep learning applications such as voice recognition and image classification.
The talk will present the details of exploiting software vulnerabilities to cause image recognition systems to produce attacker-controlled arbitrary classification results. The goal of this presentation is to draw attention to software implementations and call for a collaborative effort to improve the security of deep learning frameworks.
Kang Li is a professor of computer science and the director of the Institute for Cybersecurity and Privacy at the University of Georgia. His research results have been published at academic venues, such as IEEE S&P, ACM CCS and NDSS, as well as industrial conferences, such as BlackHat, SyScan, and ShmooCon. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He was a founder and player of Team Disekt, one of the finalist teams in the 2016 DARPA Cyber Grand Challenge.
I free your memory
iOS/macOS rely heavily on Mach message passing. Processing messages is hard; a programming mistake or logic error could lead to unexpected disaster, especially when the messages are handled by a higher privileged process. In this talk, we will discuss a dangerous class of vulnerabilities in iOS/macOS. Mishandling of Mach messages could lead to very powerful exploitation primitives like deallocating arbitrary memory or ports. We will analyze the bugs used in Pwn2Own and show how they could be abused to escape from the sandbox.
Slipper is a senior security researcher at Pangu Team. He was a Pwn2Own winner and is the leader of CTF team 0ops.