Friends, this year virtualization will be one of the main topics of our conference. We have finally settled on one of the keynote speakers: Rafal Wojtczuk, who has been around for many years.
For those who still do not know him: Rafal Wojtczuk is a top-class specialist. He is a former employee of Invisible Things Labs, where he worked for a long time with Joanna Rutkowska and took part in research such as “Detecting & Preventing the Xen Hypervisor Subversions”, “Xen 0wning Trilogy: code and demos”, “Attacking Intel Trusted Execution Technology” and “A Stitch in Time Saves Nine: A Case of Multiple Operating System Vulnerability”. Over the years he has discovered many security vulnerabilities in the kernels of popular systems, including new methods of exploiting buffer overflows in environments with a partially randomized address space. Recently he has been researching Intel's advanced security technologies, especially TXT and VT-d. He is also the author of libnids, a low-level library for packet reassembly. In short, this is a person who knows firsthand how sandboxes and virtualization systems are built and how they actually behave. He will not feed you marketing fluff about the cloud, but will tell you how things really stand with virtualization.
We will also talk a lot about the security of industrial control systems. In particular, at ZeroNights 2013 the Digital Security Research Center will for the first time present the results of two of our latest studies in the field of industrial control system security: “HART (in)security” and “Exploitation of AVR and MSP microcontrollers”.
So, our talks in the main program:
1. “Securing workstations with virtualization sandboxes: past, present and future”, speaker Rafal Wojtczuk (Poland)
Talk description: Modern large applications, such as a browser, are so complex that there is no hope of shipping them without vulnerabilities. Therefore many developers take an alternative approach: run them in a container designed to isolate a compromised application from the rest of the operating system. Such a container can be built in several ways, including an application-level sandbox or virtualization of an entire OS. The question is how safe and reliable each isolation method is.
In this talk we will summarize and compare the strengths and weaknesses of both isolation methods. We will discuss specific examples: Sandboxie, Google Chrome, Qubes OS, Bromium vSentry. We will look at the evolution of these solutions and try to predict what will happen in the future.
2. “JSMVCOMFG - A Closer Look at JavaScript MVC and Templating Frameworks”, speaker Mario Heiderich (Germany)
Talk description: You can develop ordinary, classic web applications. Well, you know: servers, databases, some HTML and a little bit of JavaScript. Maybe even your grandmother built one. Or you can develop beautiful and hip, light and modern, flexible and scalable client-side web applications. Sometimes there is a server behind them, sometimes a database, but most of the work is done by a new kind of beast: JavaScript frameworks built on the Model-View-Controller principle.
Angular, Ember and CanJS, Knockout, Handlebars and Underscore... these are not the names of famous wrestlers but of modern JS frameworks, which are faster and more productive thanks to the magical ability to process many things right in the browser. More and more people give in to the fashion and, following their colleagues, deploy these frameworks with great success. It's time to take a stern security look at this idyll, right?
In this talk you will learn how all of these frameworks work, how well protected their core is, and what security problems this cornucopia of features brings. Have their authors studied the DOM well enough to enrich it with dozens of layers of abstraction? Or did they open the gates of JavaScript hell, infested with fresh injection vulnerabilities and the worst programming practices? After this talk you will understand. You will understand everything...
3. “Practical exploitation of rounding vulnerabilities in Internet banking applications”, speaker Adrian Furtuna (Romania)
Talk description: This talk describes the rounding vulnerabilities that are common in Internet banking applications. A variety of exploitation methods will be presented, including a mechanism that attacks an authorization token (for example, Digipass) in order to let an attacker perform a large number of transactions automatically within a short period of time.
4. “Machines that betrayed our trust”, speaker Glenn Wilkinson (France)
Talk description: The devices that accompany us everywhere reveal our secrets, because they emit uniquely identifiable signals. Such signals can be used to track your location, as well as for less innocent purposes. This talk describes the path the author took to build a framework that is fault-tolerant, modular, reliable and distributed, and that tracks location, intercepts and profiles data.
5. “HART (in)security”, speakers Alexander Bolshev and Alexander Malinovsky (Russia)
Talk description: What do you know about the current loop and the industrial protocols that transmit data over it? This talk will look at the HART protocol and show various methods of attacking both the protocol itself and the software and hardware that use it. We will tell (and show!) how to read and inject packets on the current loop and how this can be used to crash SCADA, OPC and PAS systems. If you want to know how a single temperature sensor can bring down an entire industrial control system, this is the talk for you.
6. “Exploitation of AVR and MSP microcontrollers”, speaker Vadim Bardakov (Russia)
Talk description: The security of microcontrollers is usually considered in terms of protecting the firmware embedded in them, without touching on protection against the exploitation of vulnerabilities. The talk will consider the exploitation features specific to microcontrollers such as AVR and MSP.
And now about our workshops:
1. “Peach Fuzzing”, conducted by Adam Cecchetti (USA)
Workshop description: This workshop is an introduction to fuzzing with Peach 3.0. Participants will get a general idea of some of Peach's many features and how to incorporate these capabilities into their own test environments. There will be a brief overview of the data, state and test model paradigms and how combining them makes building custom fuzzers easier. Finally, we will demonstrate how to connect Peach to the system under test to monitor feedback and collect crash data.
2. “Introduction to the use of SMT solvers for information security tasks”, conducted by Georgy Nosenko (Russia)
Workshop description: This workshop will acquaint the audience with the results of recent research in program code analysis using SMT solvers.
During the training, students will gain theoretical knowledge of the principles underlying the techniques that researchers use to search for vulnerabilities, develop exploits and reverse engineer software. The knowledge gained will then be consolidated in practice.
The goal is to get participants interested in the topic and to give them the basic knowledge needed to use SMT-solver-based tools effectively.
Some topics of the workshop:
• basics of using SMT solvers: advantages, disadvantages, limitations;
• searching for vulnerabilities;
• the task of automatic exploit generation;
• symbolic / concolic execution;
• intermediate languages.
Participants will receive:
- Basics of using the Z3 SMT solver:
• theoretical knowledge of the SMT problem, what an SMT solver is, how it works and which characteristics to consider when choosing one;
• skills in expressing logical formulas in SMT-LIB.
- Searching for vulnerabilities:
• knowledge of how an SMT solver can help find integer overflow vulnerabilities;
• students will be able to independently verify the effectiveness of using SMT for this problem on the example of real vulnerabilities;
• understanding of the principles of fuzzing with symbolic / concolic execution driven by an SMT solver, and of the benefits, limitations and trade-offs of implementing these techniques.
- The task of automatic exploit generation:
• understanding of the concepts underlying ROP compilers and other tools;
• skills in applying SMT as a “helper” for building ROP chains.
- Analysis of software protection mechanisms:
• skills in working with the Binary Analysis Platform toolkit (translating binary code into an SMT formula), using the example of semi-automatically creating keygens.
3. “Fuzzing: A Practical Application”, conducted by Omair (India)
Workshop description: This is a workshop for people starting out with fuzzing.
It emphasizes that finding vulnerabilities with fuzzing is quite simple and does not require high-level skills.
In a sense, it aims to promote fuzzing so that software becomes better (and why not?).
- Setting up the infrastructure
• Hardware with love
• The problem of misbehaving computers
• Windows: updates and bandwidth
- Dumb fuzzing (XLS / DOC)
• Collecting and differentiating samples
• Efficiency
• Fuzzing the wrong format
• Practice: a fuzzer in 10 lines and exploitable crashes
- Smart fuzzing (HTML)
• A look into the past
• Which fuzzers we know and which bugs they found
• IE vs. Firefox vs. Chrome
• Practice: an HTML fuzzer and the grinder framework
- Crash triage and the start of analysis
• So many crashes, so many duplicates
4. “Timing analysis”, conducted by Roman Korkikyan (Switzerland)
Workshop description: In this workshop we will recover the secret key of software implementations of DES and AES by measuring their execution time. This method of cryptanalysis is called timing analysis. It is one of the simplest side-channel attacks. Mastering it will let you understand more complex attacks on cryptographic algorithms, which include Electromagnetic Analysis, Differential Photonic Emission Analysis and Differential Power Analysis.
Main topics of the workshop:
- What determines the execution time of a cipher implementation?
- In which cases can the cipher's execution time be used to recover the key?
- How does the key recovery actually take place?
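The three workshop questions above can be illustrated on something much smaller than DES or AES: a secret comparison whose running time depends on the secret. The following is an added example and not part of the workshop material; it models "time" with a deterministic operation counter instead of wall-clock measurements, so it runs offline and reproducibly. The secret tag, the `leaky_compare` / `constant_time_compare` names and the counter-as-oracle model are all constructed for this illustration; the hardened variant relies on the real `hmac.compare_digest`.

```python
"""Toy model of timing analysis: why secret-dependent execution time matters.

Added example, not from the workshop. The operation counter returned by each
comparator stands in for measured execution time.
"""
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed sample secret (e.g. a MAC tag a server compares against).
SECRET_TAG = bytes.fromhex("a17f3c09")


def leaky_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Early-exit comparison. Returns (equal, iterations).

    The iteration count grows with the length of the matching prefix, so the
    'time' is a function of the secret: this is the side channel.
    """
    if len(secret) != len(guess):
        return False, 0
    ops = 0
    for a, b in zip(secret, guess):
        ops += 1
        if a != b:
            return False, ops
    return True, ops


def constant_time_compare(secret: bytes, guess: bytes) -> Tuple[bool, int]:
    """Hardened version: hmac.compare_digest does a fixed amount of work.

    The counter is always len(secret), whatever the guess, so the 'time'
    carries no information about where the bytes differ.
    """
    if len(secret) != len(guess):
        return False, 0
    return hmac.compare_digest(secret, guess), len(secret)


def timing_profile(compare: Callable, secret: bytes, guesses: List[bytes]) -> List[int]:
    """The measurements an observer collects: one 'time' per guess."""
    return [compare(secret, g)[1] for g in guesses]


def recover_by_timing(compare: Callable, secret: bytes) -> Optional[bytes]:
    """Recover the tag byte by byte using only the counter as an oracle.

    For each position, the candidate whose guess 'runs longest' is the one
    that extended the matching prefix. The last byte cannot be distinguished
    by time alone (match and mismatch both run the full length), so it is
    finished by trying all 256 values against the boolean result, as a real
    attack would once the search space is that small.
    """
    n = len(secret)
    known = b""
    for pos in range(n - 1):
        best_byte, best_ops = 0, -1
        for candidate in range(256):
            guess = known + bytes([candidate]) + bytes(n - pos - 1)
            _, ops = compare(secret, guess)
            if ops > best_ops:
                best_byte, best_ops = candidate, ops
        known += bytes([best_byte])
    for candidate in range(256):
        guess = known + bytes([candidate])
        if compare(secret, guess)[0]:
            return guess
    return None  # prefix recovered from 'timing' was wrong: no leak exploited


if __name__ == "__main__":
    probes = [bytes.fromhex(h) for h in ("00000000", "a1000000", "a17f0000")]
    print("leaky   :", timing_profile(leaky_compare, SECRET_TAG, probes))
    print("constant:", timing_profile(constant_time_compare, SECRET_TAG, probes))
    print("recovered via leaky compare   :", recover_by_timing(leaky_compare, SECRET_TAG))
    print("recovered via constant compare:", recover_by_timing(constant_time_compare, SECRET_TAG))
```

The profile for the leaky comparator rises by one for every correct prefix byte, which is exactly the dependency the first two workshop questions ask about; the constant-time profile is flat, so the recovery routine gets nothing to rank candidates by and fails. Real implementations leak through cache behaviour and data-dependent table lookups rather than an early `return`, but the reasoning used to turn measurements into key bytes is the same.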
5. “BlackBox analysis of iOS apps”, conducted by Dmitry 'D1g1' Evdokimov
Workshop description: The popularity of mobile applications is growing, and with it the need to assess their security and find vulnerabilities. Apple devices running iOS are among the most popular on the market, and a great deal of software has been created for them: from entertainment toys to banking and business applications.
In this workshop we will get acquainted with the internals of iOS applications, with an approach to finding vulnerabilities in them without source code, and with the tools that help with this.
The program includes:
- iOS internals (architecture, Objective-C, ARM, security mechanisms, jailbreak, ...);
- iOS applications (Mach-O format, application structure, ...);
- the main vulnerabilities of iOS applications;
- tools for static and dynamic analysis of iOS applications.
The participant will receive:
- an understanding of how iOS and iOS applications work;
- basic knowledge of vulnerabilities in iOS applications;
- skills in using the basic tools for finding vulnerabilities in iOS applications.
We remind you that the CFP lasts until 10/01/2013; there is very little time left before the submission deadline.
Do not forget about FastTrack, a unique opportunity to present your small research on the same stage as well-known information security specialists and to chat with friends and like-minded people.
We have the first speaker in this section. At FastTrack, Viktor Alushin (Russia) will present a talk on the topic “Extended exploitation of the Android Master Key vulnerability (bug 8219321)”.
Talk description: At Black Hat USA 2013, Jeff Forristal (https://media.blackhat.com/us-13/US-13-Forristal-Android-One-Root-to-Own-Them-All-Slides.pdf) presented a way to bypass the digital signatures of Android applications and replace parts of any application's files with your own. This vulnerability can be used to obtain and modify application data, in particular to read saved logins and passwords (without root, and hence without voiding the smartphone's warranty), to change game saves (cheating in games without root), to obtain system privileges (by replacing a system application) and, with them, root rights (by adding the line “ro.kernel.qemu=1\r\n” to the file /data/local.prop). However, the proposed exploitation method has a number of limitations that can create significant problems in some cases. A new way of exploiting this vulnerability was found that offers broader ways of bypassing signature verification. In addition, the Bluebox Security Scanner does not detect apk files that exploit it. The new exploitation method was reported to the Google Security Team. It turned out that the patch for bug 8219321 also closes this variant; however, the malware filter on Google Play was updated. A new way of exploiting this 1-day vulnerability will be presented; the talk has never been given anywhere before.
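Bug 8219321 hinged on an APK (a ZIP archive) whose central directory listed the same entry name twice, with the signature verifier and the installer each picking a different copy. The defender-side check that follows is an added example, not material from the talk or from Android: it builds a small archive in memory with a duplicated `classes.dex` entry (constructed placeholder content, not a real APK), shows that Python's `zipfile` silently resolves the name to one of the two records, and rejects any archive whose entry names are not unique. The function names `build_archive`, `duplicate_entry_names`, `entries_by_name`, `read_by_name` and `validate_archive` are this example's own.

```python
"""Rejecting ZIP/APK archives with duplicate entry names.

Added example, not from the talk. The archive is constructed in memory.
"""
import io
import warnings
import zipfile
from collections import Counter
from typing import List

# Constructed stand-ins for two different copies of the same entry.
ORIGINAL_DEX = b"ORIGINAL_DEX_PLACEHOLDER"
SECOND_DEX = b"SECOND_DEX_PLACEHOLDER"


def build_archive(duplicate: bool = True) -> bytes:
    """Construct a ZIP; with duplicate=True it holds two 'classes.dex' records."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        # zipfile only warns ("Duplicate name") when a name is written twice;
        # it still emits both records into the central directory.
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
            zf.writestr("classes.dex", ORIGINAL_DEX)
            if duplicate:
                zf.writestr("classes.dex", SECOND_DEX)
    return buf.getvalue()


def duplicate_entry_names(archive: bytes) -> List[str]:
    """Every name that appears more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        counts = Counter(info.filename for info in zf.infolist())
    return sorted(name for name, n in counts.items() if n > 1)


def entries_by_name(archive: bytes, name: str) -> List[bytes]:
    """Contents of all records carrying `name`, in central-directory order.

    Reading through the ZipInfo object addresses each record individually,
    so both copies become visible.
    """
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return [zf.read(info) for info in zf.infolist() if info.filename == name]


def read_by_name(archive: bytes, name: str) -> bytes:
    """What a consumer that looks entries up by name sees: one copy, chosen
    by the library (zipfile keeps the last record for a given name)."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)


def validate_archive(archive: bytes) -> bool:
    """Policy: accept only archives whose entry names are unique, so that
    every component (verifier, installer, loader) sees the same bytes."""
    return not duplicate_entry_names(archive)


if __name__ == "__main__":
    apk = build_archive()
    print("duplicates:", duplicate_entry_names(apk))
    print("all records for classes.dex:", entries_by_name(apk, "classes.dex"))
    print("read('classes.dex') returns :", read_by_name(apk, "classes.dex"))
    print("accepted:", validate_archive(apk), "/ clean accepted:", validate_archive(build_archive(False)))
```

The point of `entries_by_name` next to `read_by_name` is that two correct ZIP readers can legitimately disagree about which record a name denotes; a verifier that hashes one copy while a loader executes the other is exactly the gap the talk describes, and uniqueness of names is the invariant that closes it regardless of which side a reader lands on.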
Among the additional features: as part of ZeroNights we will run a Hardware Village. A great project for those who love low-level and hardware hacking and are not shy about messing around with boards and signals. Here you can see and try different methods and devices for hacking embedded systems, and more. We will show both the widely used Teensy HID emulators and the Software Defined Radio platforms that are gaining popularity.
No special knowledge or skills are required to take part in the Hardware Village. We will show everything in practice and explain it.
The program features:
• HackRF
• BladeRF
• Facedancer
• Die Datenkrake
• JTAGulator
• Proxmark3
• Papilio FPGA
• Teensy
• * duino
• Raspberry Pi
Bring your own hardware, let's break it together!
With the support of our friends from Nuand, a Hardware Contest will be held, with a BladeRF SDR (nuand.com) as the prize.
Registration is in full swing! Hurry up!
2013.zeronights.ru/registration