GSM networks have been compromised for over five years. Starting from passive sniffing of unencrypted traffic, moving to a real, fully compromised A5/1 encryption, and then even to your own base station, we have different tools and opportunities. A Motorola phone retailing for only $5 gives you the opportunity to peep into your girlfriend's calls. An RTL-SDR retailing for $20 allows you to intercept all two-factor authentication in a medium-sized office building. Lastly, a USRP retailing for $700 can intercept almost everything that you can see.

But who cares about 2G? Those who are concerned have switched it off. AT&T is preparing to switch off all its 2G networks by the end of 2016. Even the GSMA (GSM Association) has admitted that security through obscurity is a bad idea (referring to COMP128, the A5 and GEA algorithms, and other things). 3G and LTE networks have mandatory cryptographic integrity checks for all communications and mutual authentication of both mobile devices and base stations. The opportunity to analyze all protocols and cryptographic primitives, thanks to their public availability, is important.

However, the main problem is that we do not have Calypso phones for 3G. We do not have cheap and ready-to-use devices to fuzz 3G devices over the air. Perhaps telecoms are too fast to let their guard down with the security considerations embedded in 3G/4G? Users can connect to femtocells and have high-speed Internet access, make calls, etc. Why don't we abuse it? Yes, there is already research that allows you to gain control over a femtocell. There is also research that allows sniffing calls and messages after gaining control.

But all such solutions are not scalable. You are still bound to the telecom provider. You still have to connect to a VPN, to a core network. You have to bypass location binding, and so on. Perhaps there is an easier solution? Perhaps we can create UMTS-in-a-box from readily available femtocells and have them available in large quantities without telecom branding? We will tell the whole story from unboxing to proof-of-concept data intercept and vulnerabilities in UMTS networks, with all your favorite acronyms: HNB, SeGW, HMS, RANAP, SCTP, TR-069. Presented by Alexey Osipov, Alexander Zaitsev.

In recent months, we have focused on bug hunting to achieve root on Android devices. Our kernel fuzzing, led by @wushi, generated a lot of crashes, and among them we found a kernel use-after-free bug that lies in all versions of the Linux kernel; we successfully took advantage of it to root most Android devices (version 4.3 and above) on the market nowadays. We leverage this bug to root whatever Android devices (version 4.3 and above) of whatever brands. And we are also, as far as we are aware, the first in the world to root a 64-bit Android device by taking advantage of a kernel memory corruption bug. The related kernel exploitation method is unique. In this talk, we will explain the root cause of this UAF bug and also the methods used to exploit it. We will demonstrate how we can fill the kernel memory once occupied by the vulnerable freed kernel object with fully user-controlled data by spraying, and finally achieve arbitrary code execution in kernel mode to gain root. All our spraying methods and exploitation techniques apply to the latest Android kernel, and we also bypass all the modern kernel mitigations on Android devices, such as PXN. Even the introduction of a 64-bit address space fails to stop our rooting. And a very important thing is that the rooting is stable and reliable. Actually, we will present a common way to exploit Android kernel use-after-free bugs to gain root. We will also cover some new kernel security issues on the upcoming 64-bit Android platform. Presented by Wen.

The world of security is riddled with assumptions and guesses. Using data collected from hundreds of millions of Android devices, we'll establish a baseline for the major factors driving security in the Android ecosystem. This will help provide direction for the issues that we think will benefit the most from security community attention and research contributions. Presented by Adrian Ludwig.

Modern packers use API obfuscation techniques to obstruct malware sandboxes and reverse engineers. In such packers, API call instructions are replaced with equivalent lengthy and complex code. API obfuscation techniques can be categorized into two kinds according to the obfuscation time: static and dynamic. Static obfuscation embeds obfuscated instructions into the executable file. Dynamic obfuscation allocates a new memory block and copies obfuscated API function code into the newly allocated block. For dynamic obfuscation, I suggest memory access analysis. Previous approaches use pattern matching of the obfuscating code or code optimization on the instruction trace. Pattern-matching and code-optimization-based approaches are fragile to pattern changes as packers are upgraded from version to version. My approach utilizes the API function obfuscation process, which is harder to change than the obfuscation pattern. The obfuscator embedded in the packed file obfuscates each API function at runtime by reading the original API function code and writing the obfuscated API code to a newly allocated memory block.
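The memory-access-analysis idea in the API deobfuscation abstract above, as an added illustration (example code written for this page, not the presenter's tool): a tracker consumes a memory access trace, notes which API function's bytes were read just before each write into a runtime-allocated block, and resolves later call targets inside that block back to an API name. The API address ranges, block addresses and the trace itself are constructed for the example; a real tool would take them from a DBI framework and the loaded modules' export tables.

```python
from collections import Counter, defaultdict

# Constructed API ranges (start, end_exclusive, name). Addresses are made up for
# this example; a real tool would read them from the export tables of loaded modules.
API_RANGES = [
    (0x7FF81000, 0x7FF81080, "kernel32!GetProcAddress"),
    (0x7FF81080, 0x7FF81100, "kernel32!LoadLibraryA"),
    (0x7FFA2000, 0x7FFA2040, "ntdll!NtCreateFile"),
]


class ApiCopyTracker:
    """Attribute runtime-allocated code blocks to the API function whose bytes
    the obfuscator read while filling them (memory-access analysis)."""

    def __init__(self, api_ranges):
        self.api_ranges = list(api_ranges)
        self.blocks = []                      # (base, size) of runtime allocations
        self.sources = defaultdict(Counter)   # block base -> Counter of API names
        self.last_api = None                  # API whose code was read most recently

    def api_at(self, addr):
        for start, end, name in self.api_ranges:
            if start <= addr < end:
                return name
        return None

    def block_at(self, addr):
        for base, size in self.blocks:
            if base <= addr < base + size:
                return base
        return None

    def feed(self, event):
        kind = event[0]
        if kind == "alloc":
            _, base, size = event
            self.blocks.append((base, size))
            self.last_api = None              # a new block starts a new copy
        elif kind == "read":
            _, addr, _size = event
            api = self.api_at(addr)
            if api is not None:               # reads of non-API memory are ignored
                self.last_api = api
        elif kind == "write":
            _, addr, _size = event
            base = self.block_at(addr)
            if base is not None and self.last_api is not None:
                # API code was just read and is now being written into a fresh
                # block: credit that block to the API (heuristic of this example).
                self.sources[base][self.last_api] += 1

    def resolve(self, target):
        """Map a call target to an API name: directly if it lies inside an API,
        via the dominant read source if it lies inside a copied block, else None."""
        api = self.api_at(target)
        if api is not None:
            return api
        base = self.block_at(target)
        if base is None or not self.sources[base]:
            return None
        return self.sources[base].most_common(1)[0][0]


def constructed_trace():
    """Made-up trace of a packer copying two API functions, 4 bytes at a time,
    into fresh blocks, plus a third block filled from non-API data."""
    trace = []
    for base, api_start, length in [(0x00510000, 0x7FF81000, 0x40),
                                    (0x00520000, 0x7FFA2000, 0x20)]:
        trace.append(("alloc", base, 0x1000))
        for off in range(0, length, 4):
            trace.append(("read", api_start + off, 4))          # original API bytes
            trace.append(("read", 0x00400000 + off % 16, 1))    # key table, not API
            trace.append(("write", base + 0x10 + off, 4))       # obfuscated bytes
    trace.append(("alloc", 0x00530000, 0x1000))                 # data block, no API source
    trace.append(("read", 0x00401000, 4))
    trace.append(("write", 0x00530000, 4))
    return trace


def resolve_calls(targets, trace=None):
    tracker = ApiCopyTracker(API_RANGES)
    for event in (trace if trace is not None else constructed_trace()):
        tracker.feed(event)
    return {target: tracker.resolve(target) for target in targets}


if __name__ == "__main__":
    for target, name in resolve_calls([0x00510010, 0x00520020, 0x7FF81088,
                                       0x00530000, 0xDEAD0000]).items():
        print(f"{target:#010x} -> {name}")
```

The attribution rule (most recent API read, reset at each allocation) is this example's simplification of the approach; a packer that interleaves reads from several API functions before writing would need the reads and writes correlated at the instruction level rather than by recency.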
Hardware attacks are often overlooked since they are generally considered to be complex and resource intensive. However, certain industries, such as pay TV, are plagued by piracy and hardware counterfeits. The threat of piracy was so great that pay TV manufacturers were forced to create extensive countermeasures to protect their smartcards in the field. One of the most effective countermeasures is to implement parts or all of their proprietary algorithms in hardware. To analyze proprietary hardware implementations, additional analysis techniques are necessary. It is no longer sufficient to follow individual signals on the chip. Instead, full extraction and analysis of the device's netlist is necessary. This talk will focus on a case study of a widely used pay TV smartcard. The card includes extensive custom hardware functions and has yet to be compromised after over five years in the field. This talk will demonstrate the tools and techniques necessary for successfully performing the analysis of such a target. The research highlights the capabilities of advanced analysis techniques. Such techniques also make analysis significantly more efficient, reducing the time required for a study from many months to a few weeks. Presented by Olivier Thomas.
Over the years, XML has been a rich target for attackers due to flaws in its design as well as its implementations. It is a tempting target because it is used by other programming languages to interconnect applications and is supported by web browsers. In this talk, I will demonstrate how to use XSLT to produce documents that are vulnerable to new exploits. XSLT can be leveraged to affect the integrity of arithmetic operations, lead to code logic failures, or cause random values to use the same initialization vector. Error disclosure has always provided valuable information, but thanks to XSLT, it is possible to partially read system files that could disclose service or system passwords. Finally, XSLT can be used to compromise end-user confidentiality by abusing the same-origin policy concept present in web browsers. This presentation includes proof-of-concept attacks demonstrating XSLT's potential to affect production systems, along with recommendations for safe development. Presented by Fernando Arnaboldi.
Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as SYSTEM, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist, and it's called Windows Management Instrumentation (WMI). With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that, rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events. This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring. Presented by Matthew Graeber.
The MS14-035 patch introduced a separate heap, called the Isolated Heap, which handles most of the DOM and supporting objects. July's patch (MS14-037) introduced a new strategy called MemoryProtection for freeing memory on the heap. This talk covers the evolution of the Isolated Heap and MemoryProtection mitigations, examines how they operate, and studies their weaknesses. It outlines the techniques and steps an attacker must take to attack these mitigations to gain code execution on use-after-free vulnerabilities where possible. It describes how an attacker can use MemoryProtection as an oracle to determine the address at which a module will be loaded, in order to bypass ASLR. Finally, additional recommended defenses are laid out to further harden Internet Explorer against these new attack vectors. Presented by Brian Gorenc, Abdul-Aziz Hariri, Simon Zuckerbraun.
Keynote: In the early days of the public Internet, we believed that we were helping build something totally new, a world that would leave behind the shackles of age, of race, of gender, of class, even of law. Twenty years on, "cyberspace" looks a lot less revolutionary than it once did. Hackers have become information security professionals. Racism and sexism have proven resilient enough to thrive in the digital world. Big companies are getting even bigger, and the decisions corporations, not just governments, make about security, privacy, and free speech affect hundreds of thousands, or millions, of people. The Four Horsemen of the Infocalypse (terrorists, pedophiles, drug dealers, and money launderers) are driving online policy as governments around the world get more deeply involved in the business of regulating the network. Meanwhile, the next billion Internet users are going to connect from Asia and developing countries without a Bill of Rights. Centralization, regulation, and globalization are the key words, and over the next twenty years, we'll see these forces change digital networks and information security as we know it today.

So where does that leave security, openness, innovation, and freedom? The Digital Millennium Copyright Act is being used to weld the hoods of cars shut to keep engine software safe from mechanics. Will we still have the freedom to tinker even in the oldest of technologies? What does it mean that the U.S. is a big player in the zero-day market even as international agreements seek to regulate exploit code and surveillance tools? Will we see liability for insecure software, and what does that mean for open source? With advances in artificial intelligence that will decide who gets run over, who gets a loan, who gets a job, how far off can legal liability regimes for robots, drones, and even algorithms be? Is the global Internet headed for history's dustbin, and what does a balkanized network mean for security, for civil rights? In this talk, Granick will look forward at the forces that are shaping and will determine the next 20 years in the lifecycle of the revolutionary communications technology that we've had such high hopes for.