The Presentations
Breaking the JavaScript ASLR
This talk presents an ASLR-breaking side channel that exploits a fundamental property of the CPU architecture yet is exploitable from JavaScript. This means browser exploitation from JavaScript will be easier, as memory disclosure bugs are no longer needed to exploit bugs in the browser and JavaScript runtime. We have POCs for Firefox and Chrome. This side channel has been confirmed to be present in all 22 different microarchitectures that we tried - including many current-day Intel, AMD and ARM CPU microarchitectures.
More concretely, we are able to write malicious JavaScript code that is able to compute full 64bit virtual addresses of JavaScript data and code locations, as they are being looked up by the MMU, hence breaking the JavaScript ASLR. We do not rely on any software vulnerabilities to do this.
In this talk we detail the technical workings of this technique, revisiting some CPU architecture lessons as need be. We combine these to form this side channel. Then we discuss its implementation in Javascript, show its performance in some metrics, and show a video demo.
Reverse Engineering the Linear DX Wireless Security System
The Linear DX wireless protocol is as old as dirt and utilized in many physical security components like PIR sensors, bill traps, and door lock strikers. Here we will walk through the black box reverse engineering of the wireless signaling and destroy some of the vendor’s security claims by enumerating the entire key space. We’ll also clobber together a universal transmitter out of an existing remote and a BeagleBone Black capable of triggering some receivers in as little as 30 minutes and jamming other transmitters.
zapZap! bangBang!
Defeating Secure Boot Using Electromagnetic Pulses and badFET
We present our process of defeating secure-boot within a modern
ARM-based IP Phone, Cisco 8861, using software defined radio and our
custom EMP generator as an illustrative vehicle to discuss the following
contributions:
* Dissection of a set of (yet undisclosed) vulnerabilities found in
Broadcom-implemented trust zone execution environments.
* Our recent advancements in real-time tracking of control-flow of
software running in modern embedded devices by the sensing and analysis
of involuntary electromagnetic emanations.
* Our novel electromagnetic fault injection (EMFI) techniques capable
of reliably and predictably altering computation of modern embedded
devices by controlled applications of electromagnetic pulses. We discuss
challenges and methods of achieving reliable control-flow modification
in modern 1Ghz+ processors.
* Discussion of hardware and software design of badFET, a low-cost
programmable electromagnetic pulse generator. It is our hope to release
badFET as an open-source project to democratize EMFI research. (badFET
is currently functional, but due to the nature of the device, it can
cause serious injury or death. We plan to open-source the EMP generator
portion of badFET if/when we build sufficient safety features into its
design.)
A Programmer's Perspective on Reverse Engineering
A programmer who has been reverse engineering for nearly 30 years looks at one recent discovery and one old "I told you so" and concludes to no great surprise that programmers want to understand the software and avoid the bugs but security research is mostly about finding the bugs without understanding the software. Perhaps something significant for each side gets missed in between.
The State of Security
The security field suffers from a lack of hard data. Too often, security professionals have to give recommendations based on what feels true or what seems to be true, rather than real ground truth. At the Cyber ITL, a nonprofit research organization, we're working to replace such truthiness with hard data. We're also focusing on binary analysis, as the field's focus on source code analysis has left some major blind spots in security reviews of software products.
A year ago, Mudge and Sarah introduced the Cyber ITL and its approach to automated software safety analysis. Now, they'll be covering highlights from the past year's research findings, including our in-depth analysis of several different operating systems, browsers, and IoT products.
Parts of their methodologies have now been adopted by Consumer Reports and rolled into their Digital Standard for evaluating safety, security, and privacy, in a range of consumer devices. The standard defines important consumer values that must be addressed in product development, with the goal of enabling consumer organizations to test, evaluate, and report on whether new products protect consumer security, safety, and privacy
The spirit of the 90s is alive in Brooklyn
Using the tools and techniques of today to solve problems that only existed in the 90s and are still alive in DEFCON CTF.
Sophia D'Antoine and Ryan Stortz explain and demo tools built on BInary Ninja’s BNIL to find 90s era bugs such as format string vulnerabilities, stack buffer overflows, and command injection.
Hidden Treasure
A binary's call graph is a treasure trove, that has been vastly neglected in threat research. Dozens of features can be extracted from a call graph, which for once are remarkably useful in threat detection, but also, they can be leveraged for more advanced binary classification and authorship attribution research. The basic theorem goes, that the design of a malicious application is resource intensive, thus is likely to stay the same throughout different pieces of malware written by the same authors. In other words, a keylogging module will always be the same keylogging module, no matter where it is being copy pasted to. Being able to formulate such statements as features, thus, is a powerful capability. Of course though, the design of resilient features which preserve this kind of information is challenging and numerous measures can be taken to destroy them.
In this talk it will be examined, how changes induced by a standard compiler affect the call graphs of malicious code, effectively destroying advanced feature sets; and how features can be lifted up to a more abstract level where they can still preserve the base information.
Why are we still doing this?
Closing remarks for SummerCon 2017!