In the past few years, data-only kernel exploitation has been on the rise. Since 2011, abusing and attacking Desktop heap objects to gain stronger exploit primitives has been seen in many exploits. Moving forward to 2015, the focus shifted to the GDI subsystem with the discovery of the GDI Bitmap object abuse, and in 2017 the GDI Palette object abuse technique was released at DefCon 25. All of these techniques aim to gain arbitrary or relative kernel memory read/write in order to further the exploit chain. In this talk we will focus on some of the discovered techniques and objects, and on how we were able to use Type Isolation, released in RS4, to mitigate those exploitation techniques.
Operating System Security
Getting Cozy with Auditing on MacOS … The Good, the Bad, & the Ugly
With the demise of dtrace on macOS and Apple’s push to rid the kernel of 3rd-party kexts, another option is needed to perform effective auditing on macOS. Lucky for us, a few options such as OpenBSM fit the bill. Though quite powerful, these auditing mechanisms are rather poorly documented and have suffered from a variety of kernel vulnerabilities.
In this talk, we’ll begin with an introductory overview of such auditing mechanisms, exploring their goals, capabilities, and components, before going ‘behind-the-scenes’ to take a closer look at their kernel-mode implementations. Armed with this understanding, we’ll then detail exactly how to build powerful user-mode macOS monitoring utilities such as file, process, and networking monitors based on the OpenBSM framework and APIs.
Next we’ll don our hacker hats and discuss a handful of kernel bugs discovered during a previous audit of the audit subsystem (yes, quite meta): a subtle off-by-one read error, a botched patch that turned the off-by-one into a kernel info leak, and finally an exploitable heap overflow. Though now patched, the discussion of these bugs provides an interesting ‘case study’ of finding and exploiting several types of bugs that lurked within the macOS kernel for many years.
Vulnerabilities in system firmware allow adversaries to bypass almost any protection used in the operating system, virtual machine manager and other software. System firmware attacks bypass Secure Boot, software based full-disk encryption and virtualization-based security. Threats exploiting such vulnerabilities can extract secrets from operating system memory, subvert secure/trusted VMs and even hypervisors, install stealthy and persistent implants and even brick physical systems.
We’ve discovered a number of such vulnerabilities in the past and developed an open source framework to automate analysis. Despite these risks there are still many modern systems which do not protect their main BIOS/UEFI firmware. We decided to analyze thousands of UEFI firmware updates from multiple platform vendors and discovered hundreds of vulnerabilities, indicating that corresponding systems lack any basic firmware protections in ROM or signed firmware updates. We’ll present the process, findings and limitations of such offline analysis of vendor firmware update images.
Operating System Security
ELF Binary Identification: Recomputing GNU Linker's BuildID
For over a decade, every ELF binary produced by the GNU linker has embedded a note section holding a binary hash of the program, named BuildID. In the words of its own creator, this hash, based on a SHA1 hash of the ELF headers, sections and segments of the binary, should be used exclusively for the purpose of locating a matching ELF with the same signature but featuring debug symbols, with the intent of debugging the original binary with full debug symbols. In particular, no one should ever ever ever ever try to recompute this hash:
"No, there is no such tool because the precise way a build-id is calculated isn't specified. It just has to be universally unique. Even the precise length of the build-id isn't specified. There are various ways using different hashing algorithms a build-id could be calculated to get a universally unique value. And not all data might (still be) in the ELF file to recalculate it even if you knew how it was created originally."
Not being particularly obedient, we'll start this presentation by publishing a tool to recompute the said hashes, before exploring the security benefits of the BuildID feature when attempting to validate integrity of ELF binaries.
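The BuildID described above lives in a `SHT_NOTE` section (`.note.gnu.build-id`) as a standard ELF note: owner `GNU`, type `NT_GNU_BUILD_ID` (3), and a descriptor holding the raw hash bytes. The following added example (not the tool announced in this abstract, and not the speakers' code) walks an ELF64 section header table, extracts that note, and derives the conventional debug-file lookup path that debuggers use. The ELF image it parses is a minimal, constructed one built inline so the example runs offline; the hash value inside it is a constructed sample, not a real linker output.

```python
import hashlib
import struct

ELF_MAGIC = b"\x7fELF"
SHT_NOTE = 7
NT_GNU_BUILD_ID = 3

# Header layouts for a little-endian ELF64 file (struct module format strings).
EHDR_FMT = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
SHDR_FMT = "<IIQQQQIIQQ"         # sh_name .. sh_entsize, 64 bytes


def _align4(n):
    """ELF notes pad the name and descriptor fields to 4-byte boundaries."""
    return (n + 3) & ~3


def parse_notes(blob):
    """Yield (owner, n_type, desc) for every note packed in a note section body."""
    off = 0
    while off + 12 <= len(blob):
        namesz, descsz, n_type = struct.unpack_from("<III", blob, off)
        off += 12
        owner = blob[off:off + namesz].rstrip(b"\0")
        off += _align4(namesz)
        desc = blob[off:off + descsz]
        off += _align4(descsz)
        yield owner, n_type, desc


def find_build_id(elf):
    """Return the BuildID as a hex string, or None if the binary carries none."""
    if elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if elf[4] != 2 or elf[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    fields = struct.unpack_from(EHDR_FMT, elf, 0)
    e_shoff, e_shentsize, e_shnum = fields[6], fields[11], fields[12]
    for i in range(e_shnum):
        sh = struct.unpack_from(SHDR_FMT, elf, e_shoff + i * e_shentsize)
        sh_type, sh_offset, sh_size = sh[1], sh[4], sh[5]
        if sh_type != SHT_NOTE:
            continue
        for owner, n_type, desc in parse_notes(elf[sh_offset:sh_offset + sh_size]):
            if owner == b"GNU" and n_type == NT_GNU_BUILD_ID:
                return desc.hex()
    return None


def debug_file_path(build_id_hex):
    """Conventional path under /usr/lib/debug where debuggers look for symbols."""
    return f".build-id/{build_id_hex[:2]}/{build_id_hex[2:]}.debug"


def build_sample_elf(build_id):
    """Construct a minimal ELF64 image: header, one GNU build-id note, two section headers."""
    note = struct.pack("<III", 4, len(build_id), NT_GNU_BUILD_ID) + b"GNU\0" + build_id
    note += b"\0" * (_align4(len(note)) - len(note))
    note_off = 64                                   # note body directly after the ELF header
    shoff = (note_off + len(note) + 7) & ~7         # section header table, 8-byte aligned
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    header = struct.pack(EHDR_FMT, e_ident, 2, 62, 1, 0, 0, shoff, 0,
                         64, 0, 0, 64, 2, 0)        # e_machine 62 = x86-64, 2 section headers
    null_shdr = b"\0" * 64                          # mandatory index-0 null section header
    note_shdr = struct.pack(SHDR_FMT, 0, SHT_NOTE, 2, 0, note_off, len(note), 0, 0, 4, 0)
    padding = b"\0" * (shoff - note_off - len(note))
    return header + note + padding + null_shdr + note_shdr


# Constructed sample: the digest of a fixed string stands in for a real linker hash.
SAMPLE_BUILD_ID = hashlib.sha1(b"constructed sample binary").digest()
SAMPLE_ELF = build_sample_elf(SAMPLE_BUILD_ID)

if __name__ == "__main__":
    bid = find_build_id(SAMPLE_ELF)
    print("BuildID:", bid)
    print("debug lookup path:", debug_file_path(bid))
```

Run against a real binary by replacing `SAMPLE_ELF` with the bytes of the file; the section walk is what `readelf -n` performs for the same note, and comparing the extracted value against a known-good inventory is the integrity check the talk goes on to discuss.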
This talk first explains how the KRACK attack against WPA2 works, and then discusses several new implementation-specific improvements.
The Key Reinstallation AttaCK (KRACK) works by tricking a victim into reinstalling an already-in-use key. This resets the key's associated parameters such as transmit nonces and receive replay counters. We illustrate the idea behind this attack against the 4-way handshake, and then we discuss its practical impact. Simplified, an adversary can abuse it to replay and decrypt traffic, and possibly forge traffic.
We also present new research where we abuse implementation-specific bugs to further improve the attack. In particular, we first show that certain routers wrongly accept replayed handshake messages. This enables trivial key reinstallation attacks against routers, even if they don't support 802.11r. Second, some clients reuse the old SNonce during a rekey, allowing an attacker to cause a key reinstallation by replaying old 4-way handshake messages. Third, certain devices incorrectly install the group key, making it easy to replay broadcast frames towards the client. Fourth, many devices were found to accept replayed broadcast frames even without triggering a key reinstallation. Finally, we demonstrate how replaying broadcast Wi-Fi frames can be abused to attack smart devices such as Wi-Fi-enabled power plugs.
Demo: We will show a video of the attack against a Wi-Fi enabled power plug. In this demo the ability to replay broadcast frames is abused to replay commands to the power plug, allowing an attacker to turn off or on the device. In case there is enough time left after the talk, a live demo will be performed, with the recorded video as a backup.
Why is it unique? The KRACK attack is a surprising and impactful attack against WPA2. Even though WPA2 existed for more than a decade, and was even formally proven as secure, we still managed to find an attack against it. This shows that we must keep investigating all systems, even those with formal proofs and those that have been around for a long time.
Tegra is NVIDIA’s embedded Android/Linux development platform featuring a powerful SoC. It is widely used in various types of devices such as smartphones, game consoles, and of course automotive systems.
Based on Tegra-powered processors, the Tesla car boasts advanced infotainment and instrument cluster systems. During the last two years of Tesla security research, we gained lots of experience related to the Tegra platform.
In this talk, we briefly analyze some known vulnerabilities related to Tegra, and then we will talk about the implementation of NVMAP, which is a unified memory management interface on Tegra. Finally, we’ll share some interesting vulnerabilities we found in the NVMAP interface, such as denial of service, sensitive memory leaks, and local privilege escalation.
Binary instrumentation is an essential technique for program analysis tasks, with wide application ranging from reverse engineering (such as debugging and taint tracking) and defense (like hot-patching and sandboxing) to offense (for example rootkits and vulnerability detection). Basically, instrumentation is performed by injecting extra code into a binary application to observe or modify its runtime behaviour. There are a few instrumentation frameworks, but unfortunately all of them suffer from some critical drawbacks.
We built Skorpio, a lightweight binary instrumentation framework, which offers some unparalleled features:
- Multi-platform: native build for Windows, iOS, Android & *nix (with Mac OSX, Linux, *BSD & Solaris confirmed).
- Multi-architecture: support for Arm, Arm64 (AArch64/Armv8), Mips, PowerPC, Sparc and X86 (including 16/32/64-bit).
- Multi-level: allows instrumentation everywhere, from userspace to OS kernel, from instruction to function level.
- Flexibility: supports multiple types of instrumentation, and offers various customized optimizations on code relocation and optional trampoline settings.
- Lightweight, so we can instrument real-world complicated applications.
- Implemented in pure C language, with some bindings available.
- Clean/simple/lightweight/intuitive platform-and-architecture-neutral API.
- Open source.
This talk is going to present the motivation, design & implementation of Skorpio. The focus will be on technical decisions we made, and the challenges we had to overcome to realise the ideas behind our framework.
Skorpio aims to lay the ground for innovative works. To demonstrate its power, we built some exciting tools on top of our framework. Expect some cool live demos during this talk.
DPRK's eyes on mobile: Spying on North Korean Defectors
Historically, North Korean defectors have been victims of cyber attacks for many years. In the past, threat actors used Windows as the main platform to deliver malware to defectors using executable files and office documents, especially Hangul (Korean Word Processor) documents. But threat actors went mobile. We have spotted their mobile operations and tracked what they were doing under the surface, hidden from the public eye, to successfully implant malware on defectors' devices.
We will present our analysis of 2 threat actors that executed mobile malware operations targeting North Korean defectors.
The Lazarus group is one of the most active cybercrime groups. We found the activity of this actor in the mobile world. We will explain how we found the activity and what made us realize that it is operated by the Lazarus group, for example overlapping IP addresses that were used by Lazarus as C2 and code similarities.
A previously unknown group named "Sun Team" has used KakaoTalk and other SNS services to directly approach defectors and send them malware download links. We will explain the internal workings of the malware samples and how they used cloud services as C2 servers. We will also look into what kind of data was extracted from the victims' devices and infer who the victims of these operations were.
Furthermore, we will present the artifacts we found from the mobile operation that gave us insight into how they operated under the surface: information gathering, creation of fake accounts, malware development, test device models, data encryption, etc.
L'art de l'évasion: Modern VMWare Exploitation techniques
By Abdul-Aziz Hariri, Vulnerability Analyst at Zero Day Initiative (USA); Jasiel Spelman, Vulnerability Analyst at Zero Day Initiative (USA); Brian Gorenc, Senior Manager of Vulnerability Research at Trend Micro (USA)
15:30 - 16:20
Virtual machines play a crucial role in modern computing. They are often used to isolate multiple customers with instances on the same physical server. Virtual machines are also used by researchers and security practitioners to isolate potentially harmful code for analysis and review. An assumption is made that they are a way of securely containing and isolating potentially malicious code; however, we now know this to be incorrect.
Over the past year the Zero Day Initiative (ZDI) program has begun to see submissions targeting VMware Workstation and Fusion that result in guest-to-host escapes. Additionally, at the Pwn2Own 2017 competition earlier this year, two separate teams managed to exploit a guest operating system, escape the virtual environment, and execute code on the host operating system. This represents the first time such a VMware escape was demonstrated at the contest and earned the contestants the highest cash prizes of the competition.
This talk will dive into modern exploitation techniques of VMware vulnerabilities. We start by examining the VMware guest-to-host communications, which occur through the Backdoor channel. Next, we take an in depth look at the available attack surfaces on a virtual machine. These include items such as third-party software, remote procedure calls, and graphics drivers.
Finally, we will dive into the exploitation of different types of vulnerabilities on VMware that result in guest-to-host escapes, including the two award-winning entries from Pwn2Own.
Supply chain attacks are often long thought about and yet often overlooked in terms of how well a business prepares itself for any associated compromise or breach. 2017 has truly marked itself as ‘The Year Of The Supply Chain Attack’ and marked a turning point concerning supply chain attacks. Talos was involved in two major campaigns: the MeDoc compromise that paralyzed Ukraine and the CCleaner compromise that impacted a reported 2.27M consumers. In this presentation we will first present these two cases. In both cases, we will show how the attackers modified a legitimate application and what the result of the modification was. We will explain the purpose of the attackers and the malware used against the victims. For the MeDoc compromise, we were directly involved in the incident response and we will provide a timeline of the events to give an idea of the before, during and after picture associated with Nyetya and MeDoc. Concerning the CCleaner compromise, we will provide some data and statistics from the attacker’s database and the profiles of the targeted organizations.
In a second part, we will speak more globally about supply chain attacks. We will recall that it is not the first time in history that this kind of attack has occurred, and we will finally open the discussion on the future of these attacks.