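Intel Management Engine (ME), a dedicated microcontroller embedded in the chipset of all recent Intel motherboards, runs independently of the main CPU even when system power is off and has a dedicated connection to the network interface. This talk explains its structural analysis, its potential exposure to attack, and countermeasures. Intel Management Engine ("ME") is a dedicated microcontroller embedded in recent Intel motherboard chipsets. It is completely independent of the motherboard's main CPU, can run even when the system is not running, and, because it has a dedicated connection to the network interface, is capable of out-of-band communication that bypasses the main CPU and the installed OS. Beyond handling the management tasks that were its original purpose, it implements various features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM and NFC communication. At present there is very little information about how this microcontroller works; this presentation will fill the information gap and cover the low-level details. Igor Skochinsky Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. He had been interested in reverse engineering since before joining Hex-Rays in 2008, and gained fame for QTFairUse6, which removes the DRM from iTunes files, and for hacking the early Amazon Kindle device. He has spoken at Recon, Breakpoint, Hack.LU and others.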
How can you implement a better packet capture? You should consider "packet drops" and "using Wireshark/tcpdump more safely".
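Presentation material for Container Runtime Meetup #3 (2021/1/28) https://runtime.connpass.com/event/198071/
NICs that support extremely high-speed communication such as 10GbE and 40GbE are coming into use in the PC server space as well. There are various obstacles to processing communication at these speeds in software (the OS) and achieving high performance, and the implementation needs to be reviewed on both the hardware and software sides. This session introduces what improvements have been made on both the hardware and software sides, and how to use them to get the most performance.
An explanation of the Docker / Kubernetes network architecture, taking up Flannel, Calico, Canal and NSX-T Container Plugin (NCP) as representative CNI plugins and comparing their implementations. Presentation material from Japan Container Days v18.12.
What I talked about at virtio study group #1. Unfinished version. Re-uploaded because the version uploaded as a PDF could not be viewed.
Presentation material for Open Source Conference 2022 Spring https://event.ospn.jp/osc2022-online-spring/.
Describes Docker's features and usage, a simple look at how its networking works and how to link containers, and an example of building a three-tier model.
Event: Open Source Conference (OSC) 2013 Kansai@Kyoto Speaker: Miyahara, VirtualTech Japan (日本仮想化技術) Date: 2012/8/2 Agenda: • OpenStack overview • OpenStack installation procedure – Ubuntu Server 11.10 installation and configuration – Installation and configuration of each component – Image creation – Instance launch Summary: OpenStack is software for building cloud environments that is developed as OSS. This session gives an easy-to-follow explanation of the basic way to install OpenStack. Attendees are assumed to have basic knowledge of building virtualization environments.
Agenda: - OpenStack overview - Accessing Horizon - Adding a disk to an instance - Registering a virtual machine image - Image registration procedure - Creating and registering SSH authentication keys - Launching an instance - Firewall configuration - Accessing the instance - Floating IP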
This talk was presented at the Microsoft BlueHat IL 2019 security conference by Niek Timmers, Albert Spruyt and Cristofaro Mune. Secure boot is the fundamental building block of the security implemented in a large variety of devices, from mobile phones to Internet of Things (IoT) devices or the Electronic Control Units (ECUs) found in modern cars. In this talk we focus on software and hardware attacks that may be carried out against Secure Boot implementations. We leverage our decade-long experience in reviewing and attacking secure boot on embedded devices from different industries. After a brief introduction, an overview of common attack patterns is provided by discussing real vulnerabilities, exploits and attacks as case studies. We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights. The first one takes place before the CPU is even started, showing that a larger attack surface than usually explored is available. This also shows that FI can affect pure HW implementations, with no SW involved. The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch. Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key. This shows the need to reconsider the impact of FI attacks and that encrypting boot stages alone is not a sufficient FI countermeasure. We also discuss countermeasures and possible mitigations throughout the whole presentation. With this talk, we hope to bring innovative and fresh material to a topic which is a cornerstone of modern Product Security. The presentation at BlueHat IL 2019 featured the live demo of an Encrypted Secure Boot bypass attack.
Intel Management Engine ("ME") is a dedicated microcontroller embedded in all recent Intel motherboard chipsets. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. It not only performs the management tasks for which it was originally designed, but also implements features such as Intel Identity Protection Technology (IPT), Protected Audio-Video Path, Intel Anti-Theft, Intel TPM, NFC communication and more. There is not much info available about how exactly it works, and this talk aims to fill the gap and describe the low-level details. Igor Skochinsky Igor Skochinsky is currently one of the main developers of the world-famous Interactive Disassembler and Hex-Rays Decompiler. Even before joining Hex-Rays in 2008 he had been interested in reverse engineering for a long time and had brief periods of Internet fame after releasing a dumper for DRM-ed iTunes files (QTFairUse6) and hacking the original Amazon Kindle. He spoke previously at Recon, Breakpoint and Hack.LU.
The document provides an overview of a presentation on Unity game engine programming. It introduces the presenter and their background and experience. It then outlines the topics to be covered, including Unity engine API model, scripting languages like C# and JavaScript, Unity game object structure, and examples. It lists some advanced programming topics that may not have enough time to cover. It encourages attendees to learn programming on their own and notes the presentation is subject to time limitations. It provides a disclaimer and says to stay tuned for future Unity workshop announcements.
This talk was presented during the European coreboot Conference 2017 in Bochum. In this talk we described our experience enabling the Tianocore payload for the PC Engines apu2 (AMD G-series) platform. Video is available here: https://youtu.be/nt0BkqVUu3w
Hardware hacking hit the news quite often in 2017, and a lot of pentesters tried to jump on the bandwagon and discover the joy of hacking things rather than servers or applications. But most of them are only looking for rootz shellz and p0wning embedded Linux operating systems rather than doing what we really call "hardware hacking". In this talk, we are going to hack a Bluetooth Low Energy smartlock, from its printed circuit board to a fully working exploit, as well as its (wait for it) associated mobile application you need to install to operate this thing. This talk is not only an introduction to the field of hardware hacking, but also a good way to dive into electronics and its specific protocols, and of course into microcontroller and System-on-chip reverse engineering. We will cover some basic electronics knowledge as well as tools and classic methodologies when it comes to analyzing an IoT device, and will provide tips and tricks based on our experience but our failures too.
This is part 1 of the series on exploit research and development given as part of the null humla at Singapore. More details at www.meetup.com/Null-Singapore-The-Open-Security-Community/events/230268953/
This document summarizes techniques for exploiting kernel vulnerabilities on OS X systems. It outlines 10 steps to achieve direct kernel object manipulation (DKOM) by leveraging features like TrustedBSD and abusing interfaces like AppleHWAccess. Key steps involve bypassing kernel memory protections, installing a malicious MAC policy, and modifying unused system calls to achieve code execution. The document concludes that OS X security relies heavily on unwritten assumptions and is quite vulnerable due to a lack of mandatory access controls and read-write kernel memory.
Joe FitzPatrick gave a presentation on exploiting PCIe (Peripheral Component Interconnect Express) buses for hardware attacks. He discussed using DMA (direct memory access) over PCIe to read and write system memory, modify firmware, and potentially bypass mitigations like IOMMU (input-output memory management unit). FitzPatrick demonstrated proof-of-concept attacks on Macs and Windows PCs using custom PCIe devices and software. However, he noted that fully bypassing protections like VT-d on Macbooks had not yet been achieved and more work is needed to build attacks without imitating a genuine device.
A hacker likes computers for the same reason that a child likes legos: both allow the creation of something new. However the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TV's and more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey to the world of 'reverse engineering' of a device of the "Internet of Things", in this case a Tomtom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, what motivations and what kind of approaches may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon
So, you want to build a hardware product? Every so often, a device comes along that changes the way we live our daily lives and things are never the same again. With today's digital technology, such devices may come more frequently than in the past - personal gadgets you cannot live without. What’s inside? What makes it tick? How do you find out? In this sharing session, Mark will provide an introduction to hardware hacking and why it matters, going through some quick tips on getting cosy with hardware to find out what makes it tick. Mark (MK FX) is a founder of Bazinga! Pte Ltd, a technology development and prototyping company that builds gadgets from ideas. An engineer since birth, because if you can dream it, think it - you can build it.
Materials used during the virtual Programmer's Day event in Córdoba. Covers topics such as USB hacking, app development with Leap Motion, working with Arduinos, Kinect V2, facial recognition, and app development for Lego Mindstorms EV3.
ECU software is responsible for various functionality in the vehicle, e.g., engine control and driver assistance systems. Therefore, bugs or vulnerabilities in such systems may have disastrous impacts affecting human life. We consider possible vulnerabilities in ECU software categorized into memory corruption vulnerabilities and non-memory corruption vulnerabilities, and examine attack techniques for such vulnerabilities. Since we did not acquire and reverse-engineer actual ECU software, we first consider in theory how and if attacks are possible under the assumption that there would exist memory corruption vulnerabilities in ECU software. For our investigation, we consider the ECU microcontroller architecture TriCore1797 (TriCore Architecture 1.3.1) from Infineon which exists in a number of ECUs. In contrast to x86 architecture, the return address is not stored on the stack; therefore, we assumed that performing code execution by stack overflow would not be easy. We investigated if it would be possible to perform arbitrary code execution based on approaches from the PC environment and also if other attack approaches could be considered. We considered the following attack approaches: 1) Overwriting a function pointer stored on the stack by performing a buffer overflow to execute code; 2) Overwriting the memory area handling context switching used by TriCore itself to execute code; 3) Overwriting the vector tables used by interrupt and trap functions. Moreover, using a TriCore evaluation board and software created to perform the experiments, we tested the various attack approaches. We confirmed that several attack approaches are not possible due to security mechanisms provided by the microcontroller or differences in the microcontroller architecture compared to traditional CPUs. 
However, under certain specific conditions, as a result of performing a buffer overflow attack to overwrite a function pointer, we managed to make the TriCore jump to an address of our choosing and execute the code already stored at that location.
An introduction to ACPI for developers. Includes an example tracing a power management event from the hardware up through the OS and back down. Intended to get other kernel developers interested in helping me maintain FreeBSD's ACPI layer. Given at the Bay Area FreeBSD User's Group, May 3, 2006.
The document discusses findings from analyzing the web interfaces and firmware of various VoIP phone models. Several vulnerabilities were found, including: - Cross-site scripting (XSS) in AudioCodes 405HD phone web interface allowing injection of scripts - Information leakage in Gigaset Maxwell Basic phone web interface revealing if an admin is logged in - Authentication bypass in Gigaset Maxwell Basic phone by manipulating the session token The methodology involved analyzing phone web traffic, extracting and emulating firmware, and investigating code like PHP files. Many phones were found to have weaknesses in their cryptography implementation or use of plaintext credentials.
The document discusses transaction-based hardware-software co-verification using emulation. It describes how traditional cycle-based co-verification is slow due to communication overhead between the testbench and emulator. Transaction-based co-verification improves speed by only synchronizing when required and allowing parallel execution. Transactors are used to convert high-level commands from the testbench to a bit-level protocol for the emulator. This allows emulation speeds of tens of MHz, orders of magnitude faster than cycle-based. An example transactor for a virtual memory is presented.
In these slides, I introduced how Gameboy works and how to build a Gameboy emulator using the Rust programming language. I also introduce how to migrate the Rust emulator to WebAssembly, so that we can run the emulator in a browser. Video of the presentation of these slides: https://www.youtube.com/watch?v=LqcEg3IVziQ
The document discusses fuzzing techniques to find bugs and vulnerabilities in software. It begins by describing different types of targets that can be fuzzed like protocols, applications, and file formats. It then discusses different types of attacks that fuzzers try like sending invalid input involving numbers, characters, metadata, and binary sequences. The document provides an example of a buffer overflow vulnerability and sample exploit code. It demonstrates how to fuzz a vulnerable file format converter application to achieve remote code execution by analyzing the application's memory, finding exploitable modules, generating a payload, and listening for a reverse shell connection. The document shows the full process of discovering and exploiting vulnerabilities through fuzzing.
This document discusses the history and evolution of bootkits from legacy BIOS to UEFI environments. It describes various bootkit techniques used in BIOS and UEFI, including MBR/VBR modification, hidden file systems, and replacing bootloaders. It also covers attacks against secure boot and forensic tools for analyzing firmware like HiddenFsReader and CHIPSEC.
Abstract My work on the Octeon port made it possible for OpenBSD to run on the D-Link DSR line of mid-range routers and also improved all supported models through the drivers I wrote. I'm continuing my work on improving the OpenBSD experience on the Octeon products by enhancing network support (including advanced switch support among other things) and adding disk support via USB and CFI. This presentation summarizes the developments I brought and the obstacles I faced. Speaker bio Paul has been an OpenBSD developer since 2008, involved in ACPI, suspend and resume, power management, mips64, porting and currently with a keen interest in the Loongson and Octeon platforms. Currently he's a freelancer and also studying for his PhD in Parallel Algorithms for Signal Processing. In the past he worked for a telephony company developing VoIP, Voicemail and related software and after that as an antivirus engine developer and reverse engineer. In his spare time he enjoys a good game of Go, running or hiking.