Recon 2013
2013-06-21 to 2013-06-23 (3 days, 30-minute timeslots). All sessions take place in the Grand Salon.

Day 1: 2013-06-21

08:00 (duration 01:30) Conference Registration

09:30 (duration 00:30) Conference Opening
Lecture, English

10:00 (duration 01:00) I got 99 problems but a kernel pointer ain't one: There's an Info Leak Party In Ring 0
Lecture, English

While Windows has been becoming a tighter and tighter ship with increased mitigations added each release, the local availability of kernel addresses has barely been addressed, except in the context of some ASLR bypasses in Windows 8. This presentation will collect many of the already-known info leaks in one single source, and then proceed by presenting some unknown and novel info leaks in the kernel. Other than documented and undocumented APIs to retrieve kernel pointers, we'll also take a look at static addresses, physical address leaks, as well as architectural leaks (such as TPIDRURO on ARM).

Speaker: Alex Ionescu

11:00 (duration 01:00) Keep your tentacles off my bus, introducing Die Datenkrake: A Programmable Logic Platform for Hardware Reverse-Engineering
Lecture, English

In hardware security analysis, success and failure are predetermined by one's tools. Coping with overwhelming streams of data can be near impossible in software alone. Implementing accurate timing can also prove to be challenging without a custom logic implementation. The solution to many of these issues is offloading much of the work to purpose-built dedicated logic. In this talk we introduce Die Datenkrake (DDK), a low-cost open source hardware project for hardware reverse engineering that implements the best of both worlds.

The DDK utilizes two ICs: an Actel Field Programmable Gate Array (FPGA) and a common NXP ARM Cortex-M3 Microcontroller (MCU). The FPGA is used to implement custom logic and provides several common embedded buses to the target device. The ARM MCU provides a user interface with a straightforward configuration of the FPGA as well as a data interface to the PC. We use the capabilities of both ICs to implement efficient hardware designs with minimal overhead and software data processing.

The talk will cover the features and design decisions made during the DDK's development and design. We will cover the limitations of current embedded hardware analysis tools, from low-end to state-of-the-art professional equipment. One of the main goals of the project is to highlight the advantage of offloading certain hardware functions to custom logic. For this reason, several common hardware attack vectors will be covered and we will present how they can be implemented by utilizing the DDK. Most importantly, we will be presenting practical examples where hardware analysis would have been hindered significantly absent the DDK.

Speakers: Dmitry Nedospasov, Thorsten Schröder
Link: datenkrake.org
12:00 (duration 01:00) Lunch

13:00 (duration 01:00) In-depth Reverse Engineering of HackingTeam's Remote Control System
Lecture, English

The Remote Control System (RCS) made by the Italian company "HackingTeam" has been designed to spy on/monitor computers. Here is their official description:

"In modern digital communications, encryption is widely employed to protect users from eavesdropping. Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to the country security. Remote Control System (RCS) is a solution designed to evade encryption by means of an agent directly installed on the device to monitor. Evidence collection on monitored devices is stealth and transmission of collected data from the device to the RCS server is encrypted and untraceable. For Governmental LEAs and Agencies ONLY."

The RCS software is marketed as a special tool to monitor computers, supposedly only sold to Government and Law Enforcement. However, it has been used over the past months against human rights activists and political dissidents from Africa, South America and the Middle East. Interestingly, there are connections between Hacking Team and the shady organization known as -OPM-.

Following the publication by Citizen Lab about another similar software (FinSpy), the U.K. government reaffirmed that existing controls restricting the export of cryptographic systems apply to the Gamma International UK (makers of FinSpy) exports of FinSpy. The allegations raise concerns about the export of British technology to oppressive regimes. The situation with the RCS software is similar, and even if the regulations in some countries prevent exporting such software, those spying programs can be easily sold to anyone through umbrella companies in other countries, such as Panama. Based on existing evidence, the victims of such attacks are human rights activists in countries with poor human rights records. It is possible that tools such as FinSpy or RCS lead to the arrest and conviction of people in such countries.

The presentation is a technical in-depth reverse engineering of the Remote Control System software including, but not limited to, details of the monitoring features, its rootkit technology, anti-debugging, obfuscations used, etc. The RCS program is usually installed using 0-day exploits, which execute a special downloader/infostealer, using a valid digital signature. Our presentation will show how both the signed binaries and the RCS software were written by the same developers, through code profiling.

Points to be discussed during the presentation:
* Abuse of "legal" spying software to spy on human rights activists
* In-depth analysis of the malicious code (90% of talk)
* Code profiling of the signed binaries and the RCS software
* Connections between Hacking Team and the shady organization known as OPM
* Use of 0-days and signed binaries

Speakers: Nicolas Brulez, Marta Janus

14:00 (duration 01:00) Taint Nobody Got Time for Crash Analysis
Lecture

The last decade has seen a large focus on vulnerability discovery automation with various methods of fuzzing and input generation; however, little has been said about crash analysis or triage. This talk will discuss a powerful toolchain for crash analysis that incorporates the best available approaches for automated reasoning about memory access violation exceptions and overcomes limitations in currently available tools such as !exploitable and crashwrangler.

In particular, we will discuss three key areas: dynamic taint analysis to track areas of memory that are influenced by user-controlled data, forward and backward taint slicing to isolate input bytes that lead to the crashing state, and finally forward symbolic execution to determine if the input can be modified to reach an alternate state giving more control over the execution of the program. In other words, our system will isolate the input bytes causing the crash and try to determine if your ReadAV can actually be turned into a WriteAV or code execution.

Speakers: Richard Johnson, pa_kt

15:00 (duration 00:30) Reversing P25 Radio Scanners
Lecture

With the ongoing conversion of radio systems from traditional to digital P25 around the world, the race is on to find out how to monitor, listen to and abuse this technology. Some projects such as OP25 from Osmocom made very good progress enabling users to tune in and listen to them using software defined radios. However, many of the P25 features such as trunking remain to be understood and implemented. Many radio scanners made by Uniden or Grecom licensed the technologies behind P25 some years ago and produced convincing implementations.
Up until now their secrets stayed protected under firmware encryption and, probably unwillingly, obscure CPUs.

This talk is a story about the process of reversing such a radio; it covers:
- Hardware analysis
- Firmware file analysis
- Format definition
- Firmware updater reversing
- Firmware encryption bypass (in a clever and utterly lazy way)
- Firmware Flash protocol definition
- Scanner code analysis
- Running custom code (yes, it works)

Speaker: Gabriel Tremblay

15:30 (duration 00:30) Coffee Break

16:00 (duration 01:00) Reversing HLR, HSS and SPR: rooting the heart of the Network and Mobile cores from Huawei to Ericsson
Lecture, English

The HLR was the holy grail. We've shown previously how we could crash it (SCCP and MAP fuzzing) or root it (OAM and proprietary protocol vulnerabilities). This critical infrastructure component has mutated into HSS and then into the Subscriber Profile Registry. It's now an all-encompassing database, accessed from LTE as well as from 2G and 3G legacy networks, and now also a fixed network database.

We will see how all these databases can be reversed and which kinds of vulnerabilities can be found and exploited in this software. These also apply to many other critical equipment such as GGSN, (e)NodeB, STP, DRA, etc.

We will also see how the concentration of network software at these manufacturers can enable, with one single reverse or vulnerability, targeting many different equipment such as WASN, LTE SAE PDN GW, GGSN.

Speaker: Philippe Langlois

17:00 (duration 01:00) Haow do I sandbox?!?! Cuckoo Sandbox Internals
Lecture, English

Cuckoo Sandbox is an open source automated malware analysis system that enables you to easily automate the process of analyzing your feeds of malware samples and start collecting actionable threat data. This is especially useful in today's world, where simply removing malware artifacts from a network is not enough. Instead, it's important for corporations, governments, and organizations of any sort to understand how they work and what they might do/have done on their network, be it for incident response, preemptive analysis, or just to collect intelligence.

During this technical talk we'll first give a quick introduction to Cuckoo Sandbox for those of us unfamiliar with it. We will then dig into the design of Cuckoo, followed by an in-depth technical walk-through of the various low-level techniques that have been employed in Cuckoo in order to analyze & defeat the most recent detection techniques. We will learn how Cuckoo keeps track of multiple processes (e.g., for banking malware which injects into other processes), the advanced hooking scheme for intercepting function calls, tricks we use to tweak huge log files, various anti-anti-debugging tricks, and finally, various advanced techniques we've given a spin but didn't work out in the end.

Speaker: Jurriaan Bremer
Link: cuckoo homepage
Day 2: 2013-06-22

10:00 (duration 01:00) Just keep trying! Unorthodox ways to hack an old-school hardware
Lecture

No official description.

Speaker: Bacura

11:00 (duration 01:00) The Future of RE: Dynamic Binary Visualization
Lecture, English

"Well, you have to... The image translators work for the construct program. But there's way too much information to decode the Matrix..."

Let's run with that. From malware to firmware, memory dumps to steganography, we face an arduous task: making sense of mountains of data, millions of pages of hex. Traditional starting points are file headers and signatures, but anti-RE has become the norm, and conventional approaches prove increasingly useless. We can't hack what we can't understand, we can't fix what we can't see, and we can't analyze what we can't find. We need a new way to sift through data, an efficient means of finding a needle in a haystack.

Introducing 'visual' RE with ..cantor.dust.., a breakthrough interactive visualization tool for rapid binary analysis. By translating binary information to visual abstractions, the reverser can comb through megabytes of arbitrary data in seconds, analyzing based on image patterns rather than byte sequences. Even previously unseen instruction sets and data formats can be easily located and understood through their visual fingerprint.

Whether searching for exploitable code, stealthy malware, cryptographic keys, or network anomalies, these radical new visual translation techniques will dramatically accelerate the analysis process for security investigators of all backgrounds. We initially demonstrated our new binary visualization tool (dubbed ..cantor.dust..) at Black Hat last year. Based on the overwhelmingly positive feedback, we felt that we needed to continue to expose the concept of 'visual RE' to the community, as well as generate discussion on how to further extend current analysis capabilities. To achieve this, we presented a detailed case study using visual RE at DerbyCon; again, the feedback was tremendous. Since then, we've been progressing in leaps and bounds, and we'd like to give a final presentation on the concept at an RE-exclusive conference, REcon. We'll introduce new visual analysis capabilities, and, time permitting, examine their application towards new firmware level attacks.

The foundation of the tool is _visual_ analysis, and we encourage reviewers to see a high level overview of the translation techniques at sites.google.com/site/xxcantorxdustxx . The site provides a rough illustration of our approach, which we intend to discuss in depth at the conference.

The presentation can be broadly divided into two parts. First, we will introduce the concept of visual binary analysis; we will explain the merits of the approach, and describe the binary-to-image translation techniques we've investigated. Second, we will present a live demonstration of using visual abstractions in a number of common use cases.

In the first half of the presentation, we will introduce the concept and merits of visual binary analysis. We will begin by illustrating traditional tools' over-reliance on data structure, and explore how this can be easily manipulated to thwart even the most powerful reverse engineering software. In order to free ourselves from these weaknesses, we propose the radical step of initially treating all binary data as if it had no structure. Instead, by translating arbitrary data to a visual representation, we can investigate structure a priori. In essence, we intend to bridge the chasm between hex editors and high level analysis tools; in treating all data equally, we can gain the flexibility of a hex editor, and by translating data in a generic way, we are still able to investigate data type, structure, and relationships as we would in a high level tool. To investigate this possibility, we'll examine prior binary visualization work by a number of notable security experts (namely, Kaminsky, Conti, and Cortesi). We'll discuss the limitations of prior approaches, and illustrate how we've extended them to enable practical analysis. We'll then outline our new visualization translation techniques as well, including how we can translate binary data to three dimensional abstractions, and generate interactive function graphs from an arbitrary set of data. Next, we will explore using these techniques to examine the visual signatures of a variety of data classes. We will demonstrate how to immediately recognize text, audio, image, code, and other types of data based on visual patterns, rather than byte sequences or file structure. Subtleties, such as the visual differences between x86 vs x64, Spanish vs Italian text, or black and white vs colored images will be illustrated; this will show how one can visually gain an in-depth knowledge of an object, without having any knowledge of the underlying data.

After this introduction to the concept of visual binary analysis, we will examine multiple use cases. We will quickly illustrate using the software to instantly solve past cyber CTF problems (from DEFCON and PlaidCTF), before moving on to real world examples. Real world examples will include the rapid dissection and analysis of a common executable, firmware, and malware. In each case we will demonstrate how a visual examination of the object can save the analyst weeks of work. We will illustrate finding hidden components of an executable, unpackers in malware, and vulnerable regions of firmware (among others), all without ever relying on file structure, data types, or even any particular machine code. The visual translation techniques introduced, by operating independently of underlying data formats, prove to be immensely useful for a wide audience; hackers, pentesters, incident responders, reversers, and all varieties of security researchers will gain valuable insight into entirely new analysis techniques. In the months since their introduction, our visual translation approach to binary analysis has already saved our own researchers thousands of hours of work, and we hope to share this capability with the community.

We'll demonstrate using our software (..cantor.dust..) for the analysis, but this is circumstantial; our primary goal is to present and explore the radical approach of visual analysis, and our software is currently the only way to illustrate this. The software is still in the initial stages of development; as we continue to explore the proper path towards release, we'd like to offer attendees exclusive access to a closed beta.

Speaker: Christopher Domas aka the.delta.axiom

12:00 (duration 01:00) Lunch

13:00 (duration 01:00) Apple iCloud services reversed inside out
Lecture, English

Apple iCloud was meant to improve flexibility and comfort when using your iDevices; however, it also provides opportunities to extract as much as everything about the user.

Backups: iCloud suggests backing up iMessage, SMS, photos and videos, device settings, documents, music and other things on-the-fly, which is useful for syncing or restoring in case your iDevice is lost or damaged; however, there is only one way to access iCloud backup data by organic means: you can only restore the backup onto any of your devices (linked to the same account) and, thus, only via Wi-Fi connection. This technical limitation is presupposed by design. But now we can show you a method to simply download everything onto any desired computer at hand, provided we have the Apple ID and password.

Find My iPhone: this application was also meant to help you track your own iDevices geographically and should be available strictly to the user under his/her own Apple account; however, there is a way to get geo-location data having neither an Apple device tethered to that account readily available nor access to the iCloud website. If location services are switched on, the geo-location of the device can be detected by sending a push request (there will be an arrow indicator in the right upper corner of the target device screen) and getting the requested coordinates. Then, the received positioning data can be applied to any map you prefer (incl. Google Maps or any other).

Storage: apart from backups, iCloud can store iTunes contents, photo stream, contacts, iWork documents, application files and more, which can be accessed either from any device signed up to the account or from icloud.com/iwork. However, not all information can be accessed from the iCloud webpage; for example, some application files (e.g. data generated by SoundHound) you may have on your iPad or whatever won't be seen from icloud.com/iwork. Our technological analysis allowed us to make it possible to access and download all storage information, including third-party application files on-the-fly and even without launching a work session in iCloud.

In this presentation you'll get more info about the reverse-engineering of the iCloud protocols themselves, including jailbreak, reset, replacing of certificates (to perform a kind of man-in-the-middle attack), sniffing, parsing. You will also learn more about protocol changes that were implemented at the end of this March. In addition, we'll go further into details of the iCloud data access protocol and speak about the peculiarities of storing files like Pages/Numbers/Keynotes: they are saved in a special proprietary format and there are special commands executed on the server that allow downloading files both in Apple and Microsoft Office formats, or Adobe PDF.

Conclusion: iCloud stores large amounts of information and before now access to this info was restricted either by the necessity to have an iDevice and Wi-Fi (only) available or by using the Internet and a web browser (www.icloud.com), where knowing the Apple ID and password is required. Now that we have reverse-engineered the Apple iCloud communication protocols, we can suggest an alternative technology and an absolutely new method to download iCloud data and its changes in standalone mode onto any available computer.

Speaker: Oleg Afonin

14:00 (duration 01:00) Many More Tamagotchis Were Harmed in the Making of this Presentation
Lecture

You might remember Tamagotchi virtual pets from the 1990s. These toys are still around and just as demanding as ever! This talk covers my attempts to hack the latest Tamagotchis. Starting with the IR interface, and moving down into the hardware, this presentation will discuss techniques for reverse engineering a device with limited inputs, computing power and debugging capabilities.
Recent Tamagotchis are more than just pets. They can talk to their friends over IR, support games on external ROMs and store generations' worth of information about their ancestors. This talk goes through the different ways Tamagotchis can be tampered with through these channels, including making Tamagotchis rich and happy over IR, altering their states in persistent memory and writing custom games. It also goes through attempts to dump the Tamagotchi's code from ROM.

Speaker: Natalie Silvanovich

15:00 (duration 00:30) Hiding @ Depth: Exploring & Subverting NAND Flash memory
Lecture

In the world of digital storage, gone are the days of spinning platters and magnetic residue. These technologies have been replaced with electron trapping, small voltage monitoring and a lot of magic. These NAND devices are ubiquitous across our culture; from smart phones to laptops to USB memory sticks to GPS navigation devices. We carry many of these devices in our pockets daily without considering the security implications.

The NAND-Xplore project is an attempt to explain how NAND Flash storage functions and to expose logical weaknesses in the hardware and implementation architectures. The project also showcases how the vulnerable underpinnings of NAND hardware can be subverted to hide and persist files on mobile devices. The project will release two open source POC tools for Android, one to inject and hide files on raw NAND based devices and another to find those files. The tools will showcase how advanced malware or other offensive tools could be using NAND to hide persistent files on your devices and how you would go about discovering them. The project also considers how typical forensic software interacts with NAND devices and how those tools can be subverted. (Hint: your current tools probably don't work as well as you would like to believe.) Lastly, the project will showcase how easy it is to brick a deployed device beyond repair, be it SCADA or Smartphones.

Outline:
* Who am I
* What is NAND Flash and how does it work at the physical layer
* How does the Linux (and Android) kernel interact with NAND Flash
* Enumerate the logical inconsistencies of the NAND architecture, show the logical holes in the design
* Walk through a POC on how to subvert the NAND architecture to deeply hide files on devices (introduce and publicly release the NAND-Hide open source tool)
* Walk through a POC on how to detect hidden files on embedded NAND (introduce and publicly release the NAND-Find open source tool)
* Walk through the forensics implications of NAND analysis and why we might want to re-evaluate the current practices
* How advanced malware / rootkits could utilize the tools
* Walk through covert exfil implications of NAND
* Walk through bricking any NAND based device

Speaker: Josh "m0nk" Thomas

15:30 (duration 00:30) Coffee Break

16:00 (duration 01:00) XNU Spelunking or Fuzzing the kernel inside your kernel
Lecture, English

XNU, the OS X kernel, is made up of a somewhat unholy marriage of the monolithic BSD kernel and the CMU Mach microkernel. Because of this marriage, in addition to BSD syscalls, XNU provides additional system calls and a large IPC interface for userland processes to interact with the underlying Mach subsystem.
The presence of these IPC interfaces significantly increases the available attack surface between the kernel and userland processes over just the traditional BSD system calls.

This talk will explore these interfaces and detail the processes devised and lessons learned from building fuzzers for bug hunting in Mach territory.

Speaker: Jesse D'Aguanno

17:00 (duration 01:00) Inside EMET 4.0
Lecture

In this technical talk, we will cover how the mitigations baked into EMET 4.0 work; we will also talk about the technologies used, implementation limitations and challenges faced.

Mitigations covered:
• DEP
• ASLR
• SEHOP
• ROP Checks
  o Stack simulation
  o Caller check
  o Stack pivot
  o Memory protection checks
  o ROP checks hardenings:
    - Deep hooks
    - Banned APIs
    - Anti detours
• EAF
• SSL Pinning

Speaker: Elias Bachaalany

18:00 (duration 01:00) Hardware reverse engineering tools: New threats and opportunities
Lecture, English

Over the past decade (hardware) piracy has evolved significantly.
In the past, attackers could perform analysis with simple methods for injecting transient faults, such as electrical glitching. More recently, such forms of analysis have been obsoleted by advanced invasive analysis techniques that utilize capital-intensive failure analysis equipment and require extensive technical skills. One such technique, laser glitching, has recently been included in Common Criteria evaluations. The transient faults produced by laser glitching are similar in nature to electrical glitching. However, the spatial resolution provided by the positionable laser stage means such attacks offer far more precision and are far more potent than, for example, electrical glitching.

The most viable option for analysis of modern ICs is to recover the secret contents of a secure device by directly probing on-die memory buses. Techniques such as linear code extraction are also widely used by pirates. IC vendors are well aware of such attacks and have implemented several layers of attack obfuscation to thwart straightforward analysis. Modern ICs transfer exclusively encrypted or obfuscated data over on-die memory buses. With the help of sample preparation and imaging, sufficient information about the core logic implementation can be obtained. This includes identifying areas of the IC where data is processed in the clear. For all these reasons, an automated tool that assists in much of the analysis can be very useful if device characteristics are not otherwise available.

This presentation will cover the evolution of invasive hardware analysis. Techniques such as laser glitching and linear code extraction will be presented along with several real-world examples. This research highlights how reverse engineering the logic implementation is a natural progression for anyone working in the field of IC analysis.

Speaker: Olivier Thomas

Day 3: 2013-06-23

10:00 (duration 01:00) Teridian SoC Exploitation: Exploration of Harvard architecture smart grid systems
Lecture, English

The Teridian 8051 based chips are found in a variety of places in daily life, from the smart energy grid to smart cards and pin-pads. While the most prominent placement in the US is currently the metrology and power measurement side of smart meters, the 8051 core is ubiquitous in embedded devices. They are additionally found in power distribution automation (the backend power shoveling inside your utility) and home automation (monitoring energy usage and changing configuration of appliances and similar in the home).
The Teridian System-on-a-Chip platform wraps a complete system around a modified 8051 core, with additional features for chip security to block debug functionality and external access to memory. Additionally, the Harvard architecture design sets relatively rigid barriers between code and data (as opposed to x86/64), which presents an unintentional security barrier, somewhat similar to robust hardware DEP on x86/64 platforms.
In this talk, we will quickly cover architecture and system overviews, then dive into exploitation scenarios with techniques to attack Harvard architecture systems and code security implementations. End state results include pathways to gain coveted binary images of firmware and resident code execution.Josh "m0nk" Thomas Nathan "Natron" Keltner11:0001:00Grand Salongrand_salon_-_2013-06-23_11:00_-_wardriving_from_your_pocket_-_ruby_feinstein_-_omri_ildis_-_7Wardriving from your pocketUsing Wireshark to Reverse Engineer Broadcom WiFi chipsetslectureUntil now WiFi pwnage wasn’t possible on most Android phones due to lack of support in the
WiFi chipset. This is surprising, due to the fact that most android devices have a bcm43xx WiFi chipset. This talk will present our research on the bcm43xx chipsets and the custom tools we’ve developed, enabling the use of mobile phones as a platform for common WiFi pwnage tools.
Unlike PCs which use SoftMac, embedded devices use FullMac meaning that the WiFi chip translates the 802.11 packets into ethernet packets. Crucial information is lost during the process, making WiFi pwnage impossible. Since this translation is done by the WiFi chipset, the only possible solution is to patch its firmware.
One of the challenges was the fact that we only had part of the firmware and were missing the chip’s ROM. To overcome this, we exploited the firmware loading mechanism and extracted the ROM segment of the chip (the protected memory region).
To optimize worktime we decided to implement a live debugging engine using Wireshark as a frontend client, producing custom output from any given function (e.g. stacktrace, return values and buffers). Using our debugging engine and a lot of reverse engineering we managed to enable both monitor mode as well as packet injection on any mobile device based on the Broadcomchipset (Galaxy S1/2/3, Nexus S, and many others).
We will also demonstrate how to use the debugging engine to perform additional analysis and add additional features.
Turning our phones into mobile pwning stations.
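The FullMAC translation described in the abstract is what makes the lost information concrete: the chip hands the host an 802.3 frame, and everything that is not DA, SA, Ethertype and payload is gone. The following is an added example (not the speakers' tooling) that performs that translation on two constructed frames, an AP-to-STA QoS data frame and a beacon, and reports which 802.11 fields do not survive. Only plain, unencrypted data frames with an RFC 1042 LLC/SNAP header are handled; addresses, sequence numbers and payload are made up.

```python
"""Translate an 802.11 data frame into an 802.3 (Ethernet) frame the way a
FullMAC chip hands frames to the host, and list what does not survive.

Added example, not the speakers' tooling. The two frames below are
constructed for illustration (addresses, sequence numbers and payload are
made up), and only plain, unencrypted data frames are handled."""
import struct

ETH_P_IP = 0x0800
# RFC 1042 LLC/SNAP header that carries the Ethertype inside an 802.11 data frame.
LLC_SNAP_PREFIX = b"\xaa\xaa\x03\x00\x00\x00"

FC_TO_DS, FC_FROM_DS, FC_RETRY, FC_PROTECTED = 0x0100, 0x0200, 0x0800, 0x4000


def parse_80211(frame: bytes) -> dict:
    """Parse the MAC header of an 802.11 frame (no radiotap, no trailing FCS)."""
    fc, duration = struct.unpack_from("<HH", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF   # type 0=mgmt 1=ctrl 2=data
    to_ds, from_ds = bool(fc & FC_TO_DS), bool(fc & FC_FROM_DS)
    addrs = [frame[4:10], frame[10:16], frame[16:22], None]
    seq_ctrl, = struct.unpack_from("<H", frame, 22)
    hdr_len = 24
    if to_ds and from_ds:                      # 4-address (WDS) frame
        addrs[3] = frame[24:30]
        hdr_len = 30
    qos = None
    if ftype == 2 and subtype & 0x8:           # QoS data: 2-byte QoS control field
        qos, = struct.unpack_from("<H", frame, hdr_len)
        hdr_len += 2
    return {"fc": fc, "type": ftype, "subtype": subtype, "to_ds": to_ds,
            "from_ds": from_ds, "duration": duration, "addrs": addrs,
            "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF, "qos": qos,
            "body": frame[hdr_len:]}


def to_ethernet(frame: bytes):
    """Return (ethernet_frame, dropped_fields). ethernet_frame is None when the
    802.11 frame has no 802.3 equivalent, which is exactly what a FullMAC
    chip never shows the host (beacons, probe responses, deauths, ...)."""
    f = parse_80211(frame)
    if f["type"] != 2:
        return None, ["whole frame: management/control frames have no Ethernet form"]
    a1, a2, a3, a4 = f["addrs"]
    # Destination/source selection from the IEEE 802.11 ToDS/FromDS address table.
    if not f["to_ds"] and not f["from_ds"]:
        dst, src = a1, a2                      # IBSS: DA, SA, BSSID
    elif f["to_ds"] and not f["from_ds"]:
        dst, src = a3, a2                      # STA -> AP: BSSID, SA, DA
    elif not f["to_ds"] and f["from_ds"]:
        dst, src = a1, a3                      # AP -> STA: DA, BSSID, SA
    else:
        dst, src = a3, a4                      # WDS: RA, TA, DA, SA
    body = f["body"]
    if f["fc"] & FC_PROTECTED or not body.startswith(LLC_SNAP_PREFIX):
        return None, ["encrypted or non-SNAP body: cannot decapsulate"]
    eth = dst + src + body[6:8] + body[8:]     # DA, SA, Ethertype, payload
    dropped = ["frame_control", "duration", "sequence", "fragment"]
    dropped += [name for name, a in zip(("addr1", "addr2", "addr3", "addr4"), f["addrs"])
                if a is not None and a not in (dst, src)]
    if f["qos"] is not None:
        dropped.append("qos_control")
    if f["fc"] & FC_RETRY:
        dropped.append("retry_flag")
    return eth, dropped


STA = bytes.fromhex("020000000001")
PEER = bytes.fromhex("020000000002")
BSSID = bytes.fromhex("0200000000aa")

# Constructed AP -> STA QoS data frame: type 2, subtype 8, FromDS set (fc 0x0288).
SAMPLE_DATA_FRAME = (
    struct.pack("<HH", 0x0288, 0x002C) + STA + BSSID + PEER
    + struct.pack("<H", 100 << 4)              # sequence 100, fragment 0
    + struct.pack("<H", 0)                     # QoS control
    + LLC_SNAP_PREFIX + struct.pack(">H", ETH_P_IP) + b"IP-PAYLOAD"
)
# Constructed beacon: type 0, subtype 8 (fc 0x0080), broadcast RA.
SAMPLE_BEACON = (
    struct.pack("<HH", 0x0080, 0) + b"\xff" * 6 + BSSID + BSSID
    + struct.pack("<H", 0) + b"\x00" * 12      # timestamp, interval, capability
)

if __name__ == "__main__":
    eth, dropped = to_ethernet(SAMPLE_DATA_FRAME)
    print(eth.hex(), "dropped:", dropped)
    print(to_ethernet(SAMPLE_BEACON))
```

The beacon case is the one that matters for tools like airodump or deauth: the host never receives it at all, so no amount of host-side work recovers it, which is why the abstract concludes that the firmware itself has to be patched.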
Speakers: Ruby Feinstein, Omri Ildis

2013-06-23 12:00 (01:00), Grand Salon
Lunch

2013-06-23 13:00 (01:00), Grand Salon
Reconstructing Gapz: Position-Independent Code Analysis Problem (lecture)
This presentation is devoted to the analysis of one of the stealthiest bootkits seen in the wild: Win32/Gapz. The talk will cover not only remarkable features of the bootkit, such as its custom kernel-mode network protocol implementation, advanced bootkit technique and payload injection functionality, but also the way the authors approached the problem of analysing Win32/Gapz using tools by Hex-Rays. The authors will demonstrate the use of the Hex-Rays decompiler SDK to build a plugin that aids in reverse engineering the position-independent code in Win32/Gapz. Recently there has been a steady increase in the number of malware programs using bootkit technology to load unsigned kernel-mode drivers on the Microsoft Windows x64 platform, hide malicious modules outside of the OS’s file system, etc. Bootkit technology is constantly being enhanced with the appearance of new bootkit threats, and Win32/Gapz is, without doubt, at the top of this race.
In this talk we are going to present the results of our analysis of Win32/Gapz, which is also the most complex bootkit threat known so far. It attracted our attention in December 2012 due to its elaborate dropper and a bootkit technique never seen before. Another interesting feature of Win32/Gapz is its kernel-mode module, which contains a large amount of position-independent code that is quite difficult to analyse with conventional disassemblers and decompilers. In the course of the research, a plugin for the Hex-Rays decompiler was developed to overcome these difficulties.
The presentation will start with an overview of Win32/Gapz and its implementation details. We will highlight the most interesting features of the malware: dropper injection and HIPS bypassing functionality, a brand new bootkit technique, and a custom kernel-mode implementation of the TCP/IP protocol stack using an NDIS miniport adapter. Then we will concentrate on the implementation of the main part of Win32/Gapz, the kernel-mode module. It will be shown which difficulties related to position-independent code analysis the authors had to deal with in order to reconstruct the functionality of the malware.
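What makes position-independent code awkward for a disassembler is that data references are relative to a register loaded at run time with the code's own address, so the displacement in `lea eax, [ebx+8]` means nothing until the "get PC" idiom that fills ebx has been found. The following is an added example (not the Hex-Rays plugin from the talk) that locates the `call rel32` / `pop r32` idiom in a raw x86 byte blob and resolves the `[reg + disp32]` references that hang off it to concrete offsets. It is a byte-pattern scan, not a disassembler, so hits are candidates to confirm; the blob is constructed to show both the `call $+5` and the forward-call form of the idiom.

```python
"""Locate the get-PC idiom that position-independent x86 code uses and
resolve the [reg + disp32] references that hang off it.

Added example, not the Hex-Rays plugin from the talk. It works on a raw
byte blob with a byte-pattern scan rather than a real disassembler, so
treat hits as candidates; the blob below is constructed to show the idiom."""
import struct

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
POP_REGS = {0x58 + i: name for i, name in enumerate(REG_NAMES)}   # one-byte pop r32


def find_get_pc(blob: bytes):
    """Find `call rel32` whose target starts with `pop r32`. The popped value is
    the return address, i.e. the blob offset right after the call ("delta"),
    which is what the code later adds displacements to. `call $+5; pop reg`
    is the classic form (rel32 == 0); the forward-call form lands on the pop
    after skipping some bytes, so the target is checked rather than assumed."""
    hits = []
    for off in range(len(blob) - 4):
        if blob[off] != 0xE8:
            continue
        rel, = struct.unpack_from("<i", blob, off + 1)
        next_ip = off + 5
        target = next_ip + rel
        if 0 <= target < len(blob) and blob[target] in POP_REGS:
            hits.append({"call_at": off, "pop_at": target,
                         "reg": POP_REGS[blob[target]], "delta": next_ip})
    return hits


def resolve_lea(blob: bytes, reg: str, delta: int, start: int = 0, end=None):
    """Find `lea r32, [reg + disp32]` (opcode 8D, mod=10) and turn each
    displacement into a concrete blob offset: reg holds `delta` at run time."""
    end = len(blob) if end is None else end
    base = REG_NAMES.index(reg)
    if base == 4:                       # rm=100 means a SIB byte follows; not handled
        return []
    refs, off = [], start
    while off + 6 <= end:
        modrm = blob[off + 1]
        if blob[off] == 0x8D and (modrm >> 6) == 2 and (modrm & 7) == base:
            disp, = struct.unpack_from("<i", blob, off + 2)
            refs.append({"lea_at": off, "dest": REG_NAMES[(modrm >> 3) & 7],
                         "disp": disp, "target": delta + disp})
            off += 6
        else:
            off += 1
    return refs


def read_cstring(blob: bytes, offset: int) -> bytes:
    """Bytes at `offset` up to the first NUL, for data the lea points at."""
    return blob[offset:blob.index(b"\x00", offset)]


# Constructed blob (decimal offsets in comments):
#  00  E8 00 00 00 00        call $+5
#  05  5B                    pop ebx          ; ebx = address of offset 5
#  06  8D 83 08 00 00 00     lea eax, [ebx+8] ; -> offset 13
#  12  C3                    ret
#  13  "secret\0"            data
#  20  E8 03 00 00 00        call 28          ; return address = 25
#  25  90 90 90              skipped bytes
#  28  5E                    pop esi          ; esi = address of offset 25
#  29  C3                    ret
SAMPLE_PIC = (
    b"\xe8\x00\x00\x00\x00" b"\x5b" b"\x8d\x83\x08\x00\x00\x00" b"\xc3"
    b"secret\x00"
    b"\xe8\x03\x00\x00\x00" b"\x90\x90\x90" b"\x5e" b"\xc3"
)

if __name__ == "__main__":
    for hit in find_get_pc(SAMPLE_PIC):
        print(hit)
        for ref in resolve_lea(SAMPLE_PIC, hit["reg"], hit["delta"], hit["pop_at"] + 1):
            print("  ", ref, read_cstring(SAMPLE_PIC, ref["target"]))
```

In a decompiler plugin the same two steps are done on the IR rather than on bytes: recognise the get-PC idiom, then rewrite `reg + disp` into an absolute address so cross references and strings appear as they would in normally linked code.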
In the next part of the talk, the authors will demonstrate the capabilities of the Hex-Rays decompiler SDK for developing plugins. It will be shown how the decompiler’s internal facilities help to build the control flow graph (CFG) of the Win32/Gapz kernel-mode module and navigate through it, and the resulting Hex-Rays plugin will be presented. Finally, the authors will discuss the application of the plugin to decompiling object-oriented code.
Speakers: Aleksandr Matrosov, Eugene Rodionov

2013-06-23 14:00 (01:00), Grand Salon
Reversing and Auditing Android's Proprietary Bits (lecture)
Although the Android operating system is rooted in open source software, it is not entirely open source. Each device contains several different types of closed-source, proprietary software. Such closed software is tedious and difficult to review and therefore is often of lower code quality. This can lead to serious security issues remaining undiscovered. This talk aims to shine light on these dark places of Android.
This presentation covers enumeration, reverse engineering, and auditing of the proprietary bits of Android. A summation of results obtained from interrogating the presenter's Android device collection (including devices from Samsung, Motorola, LG, and HTC) will be presented. The presenter will provide a plethora of tips and tricks for obtaining and examining these less reviewed pieces of software. Finally, previously undisclosed bugs will be discussed in a brief case study.
Speaker: Joshua J. Drake aka jduck

2013-06-23 15:00 (00:30), Grand Salon
Hot-Wiring of the Future: Exploring Car CAN Buses (lecture)
We present a software package and reverse-engineering methodology abstracting away the CAN protocol and giving users an intuitive process to gain control over any CAN bus.
Based on the GoodThopter10 board, our software integrates with SQL and Wireshark and is highly extensible for users’ individual needs.
Using Travis Goodspeed’s GoodThopter10 board to interface with the vehicle’s OBD-II port, the team developed a reverse-engineering methodology and a software package to allow for easy interaction with the CAN bus. This generalizable methodology outlines a series of experiments to map out a given vehicle’s CAN bus and decode the higher-level protocols employed, ultimately giving the user control over the bus.
Currently, the baseline software package provides a user interface to view, store, and analyze raw CAN data. Additional functionality includes integration with a SQL database, experimental documentation, basic fuzzing and other general experiments, and writing to .pcap format for eventual analysis in Wireshark. This interface also provides the user the ability to attach experimental modules for customized capabilities.
A proof-of-concept hack was carried out on a 2004 Ford Taurus, where the team successfully reverse-engineered the manufacturer-specific CAN protocols and demonstrated repeatable hacks, including a complete denial-of-view attack in which we systematically manipulated every component on the dashboard.
Currently, the software is fully functional and provides a user interface to carry out these capabilities. In the next few weeks, we will rewrite our packet manipulation, using the Scapy package in Python, to mirror current standards used in Ethernet packet construction.
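Two of the pieces the abstract lists, writing captures to .pcap for Wireshark and the experiments that map a bus, fit in a few dozen lines. The following is an added example (not the speakers' package, and not CANiBUS from the OpenGarages talk) that encodes classic CAN frames in the SocketCAN pcap layout Wireshark's `can` dissector expects (link type 227), and diffs an idle capture against a capture taken while one control is operated to find the ID and byte positions that encode it. The two captures are constructed: the IDs, bytes and the "turn signal" meaning are made up.

```python
"""Store CAN frames as a pcap that Wireshark decodes (LINKTYPE_CAN_SOCKETCAN)
and find which frames and bytes change when the driver does something.

Added example, not the REcon speakers' package or CANiBUS. The two captures
below are constructed: the IDs, bytes and the "turn signal" meaning are
made up to show the diffing step of the mapping methodology."""
import struct
from collections import defaultdict

LINKTYPE_CAN_SOCKETCAN = 227          # pcap link type for SocketCAN frames
CAN_EFF_FLAG = 0x80000000             # 29-bit (extended) ID marker in the packed ID


def socketcan_record(can_id: int, data: bytes, extended: bool = False) -> bytes:
    """One classic CAN frame in the 16-byte SocketCAN pcap layout:
    big-endian 32-bit ID with flag bits, 1-byte DLC, 3 bytes padding, 8 data bytes."""
    if len(data) > 8:
        raise ValueError("classic CAN payload is at most 8 bytes")
    packed_id = can_id | (CAN_EFF_FLAG if extended else 0)
    return struct.pack(">IB3x", packed_id, len(data)) + data.ljust(8, b"\x00")


def pcap_bytes(frames) -> bytes:
    """frames: iterable of (timestamp_seconds, can_id, data). Returns a
    little-endian pcap (magic 0xa1b2c3d4, version 2.4) with the SocketCAN
    link type; open it in Wireshark and the 'can' dissector applies."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_CAN_SOCKETCAN)]
    for ts, can_id, data in frames:
        rec = socketcan_record(can_id, data)
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(rec), len(rec)) + rec)
    return b"".join(out)


def write_pcap(path: str, frames) -> None:
    with open(path, "wb") as fh:
        fh.write(pcap_bytes(frames))


def changed_bytes(baseline, action):
    """Map CAN ID -> payload byte positions that took a value during `action`
    never seen at that position in `baseline`. Capture the bus idle, capture
    it again while operating one control, diff: the positions that light up
    are where that control is encoded. IDs that only appear during the
    action are reported with every byte position they carry."""
    def per_id(frames):
        seen = defaultdict(lambda: defaultdict(set))
        for _, can_id, data in frames:
            for i, b in enumerate(data):
                seen[can_id][i].add(b)
        return seen
    base, act = per_id(baseline), per_id(action)
    result = {}
    for can_id, positions in act.items():
        changed = [i for i, values in sorted(positions.items())
                   if values - base[can_id][i]]
        if changed:
            result[can_id] = changed
    return result


# Constructed captures: (seconds, arbitration ID, payload).
BASELINE = [                                       # bus idle
    (0.000, 0x201, bytes.fromhex("0000000000000000")),
    (0.010, 0x3B0, bytes.fromhex("1A0000FF00000000")),
    (0.020, 0x201, bytes.fromhex("0000000000000000")),
    (0.030, 0x3B0, bytes.fromhex("1A0000FF00000000")),
]
ACTION = [                                         # same traffic, turn signal on
    (1.000, 0x201, bytes.fromhex("0000000000000000")),
    (1.010, 0x3B0, bytes.fromhex("1A0100FF00000000")),   # byte 1 toggles
    (1.020, 0x201, bytes.fromhex("0000000000000000")),
    (1.030, 0x3B0, bytes.fromhex("1A0000FF00000000")),   # blinker off phase
]

if __name__ == "__main__":
    write_pcap("action.pcap", ACTION)
    print({hex(k): v for k, v in changed_bytes(BASELINE, ACTION).items()})   # {'0x3b0': [1]}
```

On a real bus the diff is noisier (counters, checksums and periodic sensor values change on their own), so the idle capture should be long enough to see every value a position normally takes, and a candidate is confirmed by replaying the frame and watching the dashboard, which is the "control over the bus" step the abstract describes.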
We plan to present our methodology and a brief introduction to how to use and build upon the existing open-source software package, as well as the exciting results achieved. The group will start with a discussion of the problem area before delving into a technical discussion, bringing the audience from the lowest-level bytes used to construct a higher-level protocol through the implementation of our software package, which abstracts away the bits and bytes for an efficient and streamlined hacking interface. The code will be released at REcon under a BSD license.
Speakers: Grayson Zulauf, Christopher Hoder, Theodore Sumers, Daniel Bilar

2013-06-23 15:30 (00:30), Grand Salon
OpenGarages: Vehicle Research Labs (lecture)
OpenGarages is a public group designed to help build local Vehicle Research Labs (VRL). At the Hive13 Hackerspace VRL we have been working on building low-cost Open Hardware boards to assist in reverse engineering CAN bus protocols. This device can not only receive and transmit but can do so in real time, intercepting and modifying the packets on the bus line.
This CAN-in-the-Middle (CANiTM) device is expected to cost around $100 pre-assembled. The software is also open source and is named CANiBUS.
CANiBUS allows an entire room to work on a vehicle at one time.
Researchers can even work remotely.
Speaker: Craig Smith

2013-06-23 16:00 (00:30), Grand Salon
Coffee Break

2013-06-23 16:30 (01:00), Grand Salon
New ways to manage secret for software protection (lecture)
Every day, many malware samples and other programs are analyzed and reversed, and the code of their routines is published on the web... When you spend hours creating a new piece of malware and then see parts of its code leaking on the website of an antivirus vendor, it is just a nightmare.
Reversing software has nowadays become a business like any other, mostly because of a lack of interesting challenges. Equipped with the suitable tools and after reading some good tutorials, any teenage hacker can discover all the hidden secrets in a program supposedly "well protected". The number of crackme challenges whose solution is found within 24 hours constantly grows... It's really too bad, because there are so many ways to seriously complicate the reverse engineering of software.
That is precisely the aim of this talk: to show how it is possible to make any analysis almost impossible. By studying memory protection carefully, using advanced mathematical principles and advanced cryptographic primitives, and going to a really low level in assembly language, we propose to raise the bar and terribly complicate reversers’ lives. Reinvented and operationally contextualized applications will be presented for the occasion. The goal is to bring some mathematical concepts to life in real software.
While some work of the same kind has already been published about the use of encryption to protect executables, few have really been interested in securely managing the secret decryption key inside the binary code itself. The secret is acquired in new ways that benefit the authors of malicious code and seriously disadvantage analysts.
We are talking here about random secret management, error correcting codes, statistical analysis of the environment, probabilistic management, etc.: everything we need to escape analysis of our code. This talk should be pleasant for the many software developers who want to keep their code secret, for malware developers, and for reversers, who will find here a very interesting challenge.
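The ingredients listed above (a random secret, an error correcting code, measurements of the environment) combine into a well-known construction: the key is never stored, only a "helper" that yields it when XORed with a fingerprint of the intended environment, and the error correcting code absorbs the few measurements that differ between runs. The following is an added example of that idea, a fuzzy commitment (Juels and Wattenberg) over a 3x repetition code; it is not the speaker's scheme. The environment "probes" are constructed name/value pairs standing in for facts such as OS version, locale, CPU features or domain membership; the cipher is an HMAC-SHA256 keystream so that only the standard library is needed.

```python
"""Derive a decryption key from the execution environment instead of storing
it in the binary, tolerating a few measurements that come out differently.

Added example illustrating the ingredients named in the abstract (random
secret, error correcting code, environment measurements); it is not the
speaker's scheme. Construction: fuzzy commitment (Juels and Wattenberg)
over a 3x repetition code. The environment "probes" below are constructed
name/value pairs; a real build would measure OS version, locale, CPU
features, domain membership and similar facts, choosing ones that are
stable on the target and unlikely in an analyst's sandbox."""
import hashlib
import hmac
import secrets

KEY_BITS = 128
REPEAT = 3                     # repetition factor: a key bit survives 1 bad copy out of 3
BITS_PER_PROBE = 8
N_PROBES = KEY_BITS * REPEAT // BITS_PER_PROBE   # 48 probes -> 384 fingerprint bits


def fingerprint(observations):
    """N_PROBES (name, value) pairs -> KEY_BITS*REPEAT bits, 8 per probe."""
    if len(observations) != N_PROBES:
        raise ValueError(f"need exactly {N_PROBES} observations")
    bits = []
    for name, value in observations:
        b = hashlib.sha256(f"{name}={value}".encode()).digest()[0]
        bits.extend((b >> k) & 1 for k in range(BITS_PER_PROBE))
    return bits


def encode(key_bits):
    """Interleaved repetition code: copy j of key bit i sits at j*KEY_BITS + i.
    All 8 bits of one probe therefore fall into a single copy, so one wrong
    probe damages at most one of the three copies of any key bit."""
    return [key_bits[i % KEY_BITS] for i in range(KEY_BITS * REPEAT)]


def decode(code_bits):
    """Majority vote over the REPEAT copies of each key bit."""
    return [int(sum(code_bits[j * KEY_BITS + i] for j in range(REPEAT)) * 2 > REPEAT)
            for i in range(KEY_BITS)]


def xor_bits(a, b):
    return [x ^ y for x, y in zip(a, b)]


def bits_to_bytes(bits):
    return int("".join(map(str, bits)), 2).to_bytes(len(bits) // 8, "big")


def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode (stdlib only; AES-CTR would do the same job)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def protect(plaintext: bytes, observations):
    """Build time: random key K, helper = ECC(K) XOR fingerprint(env). Ship
    (helper, ciphertext, tag); K never appears in the binary."""
    key_bits = [secrets.randbits(1) for _ in range(KEY_BITS)]
    helper = xor_bits(encode(key_bits), fingerprint(observations))
    k = hashlib.sha256(bits_to_bytes(key_bits)).digest()
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream(k, len(plaintext))))
    tag = hmac.new(k, ct, hashlib.sha256).digest()[:16]
    return helper, ct, tag


def unlock(helper, ct, tag, observations):
    """Run time: fingerprint the current environment, strip the helper, correct
    errors, rederive K. Returns None when the environment is too different
    (wrong host, or an analyst's sandbox), which is the intended failure."""
    key_bits = decode(xor_bits(helper, fingerprint(observations)))
    k = hashlib.sha256(bits_to_bytes(key_bits)).digest()
    if not hmac.compare_digest(hmac.new(k, ct, hashlib.sha256).digest()[:16], tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, keystream(k, len(ct))))


# Constructed target environment and a helper to perturb it.
TARGET_ENV = [(f"probe{i}", f"value{i}") for i in range(N_PROBES)]


def drift(env, changed):
    """Copy of env where the probes at the given indices measured differently."""
    return [(n, v + "-changed" if i in changed else v) for i, (n, v) in enumerate(env)]


if __name__ == "__main__":
    helper, ct, tag = protect(b"hidden routine", TARGET_ENV)
    print(unlock(helper, ct, tag, TARGET_ENV))
    print(unlock(helper, ct, tag, drift(TARGET_ENV, {5})))                    # one bad probe: ok
    print(unlock(helper, ct, tag, drift(TARGET_ENV, set(range(N_PROBES)))))  # None
```

Two caveats a reverser will exploit: the helper plus a guess of the environment is enough to test a hypothesis offline, so the probes must have real entropy from the analyst's point of view, and two bad probes that map to the same key bits (for instance probes 5 and 21 in this layout) defeat the repetition code, so the probe set and code rate have to be chosen from measured stability statistics rather than picked by hand.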
Note that all the code presented works both under Windows and UNIX, on x86 and x64 architectures. The talk will be illustrated with several demonstrations.
Speaker: Baptiste David

2013-06-23 17:30 (01:00), Grand Salon
Hybrid Code Analysis: Overcoming Weaknesses of Dynamic Analysis in Malware Forensics (lecture)
Dynamic program analysis has become an important technique to detect and understand malicious software. However, the result of dynamic analysis is often unsatisfactory in malware forensics.
Dynamic analysis does not feature complete code coverage, as only one execution path is analyzed. As a result, dormant functionality may not be observed. In addition, dynamic analysis is per se imprecise, as it does not allow understanding the relationship between different API calls and their context. Therefore, it is often difficult to understand malware and its payload in detail looking purely at dynamic analysis results.
In this paper we propose a new code analysis algorithm called “Hybrid Code Analysis” (HCA). To the best of our knowledge, HCA is the first technique that combines dynamic and static analysis to improve analysis precision and code completeness with the target of forensic analysis. HCA uses memory dumps generated during dynamic analysis as well as API call stack information to improve static analysis. Results of static analysis are linked with API call information to identify dormant functionality. To this end, we are going to demonstrate the effectiveness of HCA by analyzing recent malware samples.
Speakers: Stefan Buehlmann, Jan Miller
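The linking step the abstract describes, static results joined with API call stack information to expose dormant functionality, reduces to set operations over two views of the same sample. The following is an added example sketching that idea; it is not the speakers' HCA implementation. The static call graph (callees and imported APIs per function) and the dynamic trace (API calls with the resolved call stack) are constructed, and the function and API names are illustrative.

```python
"""Combine a static call graph with a dynamic API trace to point at dormant
functionality: code the sample can reach but did not execute in the sandbox.

Added example sketching the idea in the abstract; it is not the speakers'
HCA implementation. The call graph, API sets and trace below are
constructed (function and API names are illustrative)."""
from collections import deque

# Static view (as a disassembler/decompiler would give it):
# function -> (callees, imported APIs referenced from its body)
STATIC_CALL_GRAPH = {
    "entry":         (["init", "dispatch"], ["GetModuleHandleA"]),
    "init":          (["check_sandbox"], ["GetTickCount", "Sleep"]),
    "check_sandbox": ([], ["IsDebuggerPresent"]),
    "dispatch":      (["beacon", "spread", "wipe"], []),
    "beacon":        ([], ["InternetOpenA", "HttpSendRequestA"]),
    "spread":        (["drop_file"], ["FindFirstFileA"]),
    "drop_file":     ([], ["CreateFileA", "WriteFile"]),
    "wipe":          ([], ["DeleteFileA"]),
}

# Dynamic view: API calls observed at run time, each with the call stack
# (outermost first) that the monitor resolved to functions in the memory dump.
DYNAMIC_TRACE = [
    (("entry",), "GetModuleHandleA"),
    (("entry", "init"), "GetTickCount"),
    (("entry", "init", "check_sandbox"), "IsDebuggerPresent"),
    (("entry", "dispatch", "beacon"), "InternetOpenA"),
    (("entry", "dispatch", "beacon"), "HttpSendRequestA"),
]


def executed_functions(trace):
    """Every function that appears on any observed call stack ran, even if it
    made no API call itself (dispatch here): this is what the stack gives us
    beyond a flat API log."""
    return {f for stack, _ in trace for f in stack}


def reachable_from(graph, root):
    """Static reachability (BFS over callees) from root."""
    seen, queue = {root}, deque([root])
    while queue:
        f = queue.popleft()
        for callee in graph.get(f, ([], []))[0]:
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def dormant_functionality(graph, trace, entry="entry"):
    """function -> APIs for code reachable from entry but never executed."""
    ran = executed_functions(trace) | {entry}
    return {f: graph[f][1] for f in sorted(reachable_from(graph, entry) - ran)}


def dormant_entry_points(graph, trace, entry="entry"):
    """Executed functions that have a never-executed callee: the branch
    conditions to read statically (why did dispatch not call spread/wipe?)."""
    ran = executed_functions(trace) | {entry}
    result = {}
    for f in sorted(ran):
        dormant = [c for c in graph.get(f, ([], []))[0] if c not in ran]
        if dormant:
            result[f] = dormant
    return result


def unobserved_api_calls(graph, trace):
    """API references inside executed functions that never showed up in the
    trace: dormant paths within a function that did run (Sleep in init)."""
    observed = {}
    for stack, api in trace:
        observed.setdefault(stack[-1], set()).add(api)
    result = {}
    for f in sorted(executed_functions(trace)):
        missing = [a for a in graph.get(f, ([], []))[1] if a not in observed.get(f, set())]
        if missing:
            result[f] = missing
    return result


if __name__ == "__main__":
    print(dormant_functionality(STATIC_CALL_GRAPH, DYNAMIC_TRACE))
    print(dormant_entry_points(STATIC_CALL_GRAPH, DYNAMIC_TRACE))
    print(unobserved_api_calls(STATIC_CALL_GRAPH, DYNAMIC_TRACE))
```

The memory-dump side of the abstract is what makes the static view trustworthy here: a call graph built from the on-disk sample would miss unpacked or injected code, whereas one built from the dump taken during the run covers what the trace's stack addresses actually point into.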