AsiaSecWest 2018: Full Talk Abstracts
2018/6/11 12:07:16 浅黑科技
Hello, friends of 浅黑. I'm 史中 (Shi Zhong). My day job is chatting up tech experts from all over, and I try every angle to bring you their boundless ideas and their human stories. If there is someone in particular whose story you want to hear, add me on WeChat (ID: shizhongst) and tell me.
AsiaSecWest 2018
Talk abstracts (edited)

Below is a summary of each talk.
(These summaries are 浅黑科技's edited version. Because speakers present in either Chinese or English, each summary was given in both English and Chinese; for each talk, the Chinese version follows the English one.)
Peleus Uhley
The Evolution of Security Craftsmanship
Speaker Bio:
Peleus Uhley has been working in the security industry for 20 years. He has been a developer, a consultant, an incident responder, and a proactive security researcher. Peleus is currently a Lead Security Strategist at Adobe and previously worked for Anonymizer, @stake, and Symantec.
Content:
The security industry has been established for a long enough period that patterns in our challenges, tools, and research have begun to emerge. Understanding these patterns enables us to take the knowledge from our past and apply it to emerging technologies. This talk will explore what are the conceptual techniques that continue to find success despite a constantly shifting landscape of technological implementations. Also, where do we still need to refine our craft with better research?
Peleus Uhley
The Evolution of Security Craftsmanship
Speaker Bio:
Peleus Uhley has worked in the security industry for 20 years. He has been a developer, a consultant, an incident responder and a security researcher. He is currently Lead Security Strategist at Adobe, and previously worked at Anonymizer, @stake and Symantec.
Content:
The security industry has existed long enough that patterns have begun to show in the challenges we face, the tools we build and the research we do. Understanding those patterns lets us apply past experience to new technologies. This talk explores the conceptual techniques that have stayed effective through constantly changing technical implementations, and the areas where we still need to research and refine our craft.
-----
Karsten Nohl
Mind the gap: Dissecting the Android patch gap
Speaker Bio: (none)
Content:
The Android ecosystem has a long-standing reputation of haphazard security, with regular headliner bugs. Despite its open source roots, Android security is still a black box for most users. Security patches are little understood, and users have to blindly trust their phone vendors to install patches.
We find that this trust in the vendor's ability to patch has not always been warranted for all Android vendors.
Using a novel analysis approach, we find missing Android patches on phones or from firmware files. The analysis compares function signatures to large collections of pre-compiled samples.
Based on measurements from tens of thousands of different phone builds we quantify and investigate the Android patch gap.
Karsten Nohl
Mind the Gap: Dissecting Android's Incomplete Patches
Speaker Bio: (not available)
Content:
The Android ecosystem has long been known for its laissez-faire approach to security, with major vulnerabilities surfacing regularly. Although it is built on open-source software, its security remains a black box to most users, who know little about security patches and have to trust their phone vendor's patches blindly. We found, however, that many Android vendors' patching does not deserve that trust. Using a novel analysis method that looks up function signatures in a large collection of pre-compiled samples, we find missing Android patches on phones or in firmware files. Based on the analysis of tens of thousands of phone firmware builds, we have investigated and quantified the missing Android patches.
-----
Kai Song and Ce Qin
Chakra vulnerability and exploit bypass all system mitigation
Speaker Bio:
Kai Song: Senior Security Researcher, Tencent Security Xuanwu Lab
Ce Qin: Security Researcher, Tencent Security Xuanwu Lab
Content:
With the development of the Internet, especially the mobile Internet, browsers and their security issues have received widespread attention. Many security features have been applied to modern browsers to defend against browser-based vulnerabilities. Despite the best efforts of all browser vendors, vulnerabilities exist and can potentially be exploited. In this talk we are going to introduce a new way to transform a memory safety vulnerability into a method of running arbitrary native code on a target device. This presentation is organized in two parts.
First of all, we will detail a vulnerability in Chakra, and introduce the way to get arbitrary address read and write. In some attack scenarios, arbitrary read and write means a full RCE exploit. But for Chakra in Edge, there is something different.
In the second part we will focus on the exploit technologies. Windows has introduced many exploit mitigations such as ASLR, DEP, CFG, CIG and ACG, with which running arbitrary code on a target device can be costly. However, no mitigation can stop every exploit. We will detail the mitigations, and introduce a new way to bypass all these guards. With this method, we can execute arbitrary code inside the browser. It can further be combined with other privilege escalations to get a full exploit on a target device.
Kai Song and Ce Qin
A Chakra Vulnerability and an Exploit That Bypasses All System Mitigations
Speaker Bio:
Kai Song: Senior Security Researcher, Tencent Security Xuanwu Lab
Ce Qin: Security Researcher, Tencent Security Xuanwu Lab
Content:
With the growth of the Internet, and the mobile Internet in particular, browsers and their security have drawn wide attention. Modern browsers employ many security features to defend against browser vulnerabilities. Despite the best efforts of every browser vendor, vulnerabilities still exist and may be exploited. In this talk we present a new way to turn a memory-safety vulnerability into arbitrary code execution. The talk has two parts.
First, we describe a vulnerability in Chakra in detail and how to obtain arbitrary address read/write. In some attack scenarios, arbitrary read/write usually amounts to full remote code execution, but the Chakra engine in Edge is somewhat different.
The second part focuses on exploitation techniques. Windows has introduced many exploit mitigations, such as ASLR, DEP, CFG, CIG and ACG, which can make executing arbitrary code very hard. But no mitigation stops every exploitation method. We describe the mitigations in detail, and a new way to bypass all of them. With this method we can execute arbitrary code inside the browser, and it can be combined with other privilege-escalation vulnerabilities to achieve a full exploit on the target device.
-----
Jeffrey Dileo
Instrumenting the JVM for Fun and Profit
Speaker Bio:
Jeff Dileo is a security consultant by day, and sometimes by night. He hacks on embedded systems, mobile apps and devices, web apps, and complicated things that don't have names. He also likes exotic candies.
Content:
It's 2018, and analyzing even unobfuscated code running on the JVM is still a pretty miserable experience. And that's just Java, just wait until malware starts getting written in Clojure! Most of the available tooling is focused on minimal tracing of method entry/exits, and many are just different wrappers/clients communicating with the same stale JDWP JVMTI agent that implements jdb's notoriously slow debugging. When one eventually needs more than just basic tracing, JDWP always comes up short.
Why not just hook all the things with dynamic instrumentation? Historically, the answer to this question has been that writing such instrumentation was painful, the instrumentation itself was brittle, and code was modified in very detectable ways. JVM instrumentation techniques have come a long way since then.
This presentation will introduce an ideal framework for the design and implementation of effective function hooks targeting the JVM, including backwards-compatibility, cross-platform, and Java 9 support. In addition, this talk will focus on the following capabilities necessary for usable function hooking, and the design, library, and custom implementation choices made to achieve them in a new open-source cross-platform framework:
- Flexible matching selectors
- Prevention of stack trace corruption
- Hook injection, management, and removal
- Hot reloading of hook code
- Anti-anti-debugging
Jeffrey Dileo
Instrumenting the JVM for Fun and Profit
Speaker Bio:
Jeff Dileo is a security consultant by day, and sometimes by night. He likes tinkering with embedded systems, mobile apps and devices, web apps, and complicated things that have no name. He also likes foreign candy.
Content:
It is already 2018, yet analysing even unobfuscated JVM code is still painful. And that is just Java; wait until malware is written in Clojure! Most existing tools only do minimal tracing at method entry and exit, and many are just wrappers around the same stale JDWP (Java Debug Wire Protocol) JVMTI (JVM Tool Interface) agent that implements jdb's painfully slow debugging. When you need more than basic tracing, JDWP is simply not enough.
Why not just hook everything with dynamic instrumentation? Historically that was avoided because writing such instrumentation was painful, the instrumentation itself was brittle, and the modified target code was easy to detect. JVM instrumentation has moved on since then.
This talk presents a framework for designing and implementing efficient JVM function hooks that is backwards-compatible, cross-platform and supports Java 9. It also focuses on the following capabilities that a usable hooking framework needs, and on the architectural, third-party-library and custom-implementation choices made while building a new open-source framework that has all of them:
- Flexible matching selectors
- Prevention of stack-trace corruption
- Injection, management and removal of hook code
- Hot reloading of hook code
- Anti-anti-debugging
-----
Shane Macaulay
Enlightening the unenlightened: jsASTer
Speaker Bio: (none)
Content:
jsASTer is a script host analyzer with a focus on in-memory JIT validation. An enlightened script host may operate while system code integrity policies are being enforced, thanks to its interoperation with code policies, restricted language modes and so forth. Unenlightened script hosts may simply be whitelisted and allowed to JIT code into their address space (e.g. Chrome/V8, Firefox, LLVM/WASM). Post-exploitation, or if an evil actor were to inject into the address space of an unenlightened host, it may bypass code integrity restrictions depending on the script host and configuration. We will release an initial version of jsASTer that will analyze emitted JIT code to produce a higher level of trust from these hosts.
Time permitting, a current goal is to represent the various (de)optimization states of JIT binary code, as well as the interpreted versions, of JavaScript in memory, to enhance the efficacy of fuzzing loops where simple AV/SEGV stack hash/fault monitoring is used to classify 'results' from a fuzz test. It is our hope that a fast analyzer can identify subtle errors in JIT code generated for different optimization levels or other characteristics better than page fault monitoring or binary traces can.
Shane Macaulay
Enlightening the Unenlightened: jsASTer
Speaker Bio: (not available)
Content:
jsASTer is a script-host analyser dedicated to validating JIT compilers. An "enlightened" script host, because it supports code policies, restricted language modes and so on, can run while system code-integrity policies are enforced. An "unenlightened" script host usually just gets whitelisted and is allowed to generate code dynamically in its own address space (for example Chrome/V8, Firefox, LLVM/WASM). Once an unenlightened host has been exploited, or a malicious program has injected code into its address space, it may bypass code-integrity restrictions (depending on the script host and its configuration). We will release the first version of jsASTer, which analyses the code emitted by the JIT compiler so that unenlightened hosts can be trusted more.
Time permitting, one goal of the tool is to record in memory the interpreted version of JavaScript and the various (de)optimisation states of the JIT-compiled binary code. Fuzzing has traditionally classified "results" using simple access-violation/segfault stack hashes and crash monitoring; recording this richer information can make fuzzing more effective. We hope a fast analyser can find subtle errors in JIT-generated code at different optimisation levels and with other characteristics better than page-fault monitoring or binary tracing can.
-----
Brandon Wilson
The State of Reverse Engineering USB Flash Drive Firmware
Speaker Bio:
Brandon Wilson is a U.S. software developer and application security consultant with over ten years of professional experience, and hacker of random things like game consoles and TI graphing calculators. An avid tinkerer of anything USB-related, he has spoken at DerbyCon and numerous local conferences on this and other subjects, and appeared in the Wall Street Journal and several other publications. He also collects DMCA takedown notices for fun.
Content:
The BadUSB concept highlighted to the world the idea that low-cost, commercial USB flash drives contain modifiable firmware that allow them to be far more powerful and useful than just storage devices. Proof-of-concept code was released for a very specific hardware controller to show that modification was easy, perhaps too easy, and had a wide variety of uses, from an attack vector to a data exfiltration platform.
Today, four years later, there does not appear to be much progress. There have been no further public releases of software for the aforementioned hardware controller, nor any attempt to port similar code to other types of flash drives. There has been no significant attempt to phase out controllers with easily modifiable firmware. If the hardware manufacturers have no interest in changing this situation, then we must make the best of it by exploring these devices to their full potential on our own. These flash drives contain a processor, memory, and I/O, making them capable of making decisions and interacting with the world just like any other embedded device, and they deserve to have a framework so that regular users can take advantage of them, instead of just the bad actors in the world that already can and do.
In this talk, I will discuss the technical details of how we got to where we are, the current state of reverse engineering USB flash drive firmware and its security implications, and hopefully a vision of a bright future. New tools, code, and documentation will be publicly released to advance the state of reverse engineering USB flash drive firmware, and hopefully encourage others to build upon and improve it for the benefit of everyone.
Brandon Wilson
The State of Reverse Engineering USB Flash Drive Firmware
Speaker Bio:
Brandon Wilson is a US software developer and application security consultant with over ten years of professional experience, and a hacker of things like game consoles and TI graphing calculators. He especially loves researching anything USB-related, has spoken on this and other topics at DerbyCon and many local conferences, and has appeared in the Wall Street Journal and several other publications. He also collects DMCA (Digital Millennium Copyright Act) takedown notices for fun.
Content:
The BadUSB concept showed the world that cheap, commercial USB flash drives are not merely storage devices: the modifiable firmware they contain makes them far more powerful and useful. Proof-of-concept code released for one specific hardware controller showed that modification is easy, perhaps too easy, and has many uses, from an attack vector to a data-exfiltration platform.
Four years on, however, there has not been much progress. No further software for that controller has been released publicly, nor has anyone tried to port similar code to other kinds of flash drives, and there has been no significant move to phase out controllers with easily modifiable firmware. If the hardware makers have no interest in changing this, we must make the best of it by exploring these devices' full potential ourselves. These drives contain a processor, memory and I/O, so they can make decisions and interact with the world like any other embedded device; they deserve a framework that lets ordinary users take advantage of them, rather than only the bad actors who already can and do.
In this talk I will discuss the technical details of how we got here, the current state of reverse engineering USB flash drive firmware and its security implications, and a vision of a brighter future. New tools, code and documentation will be released publicly to advance the reverse engineering of USB flash drive firmware, in the hope that others will build on and improve it for everyone's benefit.
-----
Haixin Duan
Dangerous Boxes in the Middle (BITM) of End-to-End Communication: Blessing or Curse?
Speaker Bio:
Dr. Haixin Duan is a professor at the Institute for Network Science and Cyberspace, Tsinghua University. He was once a visiting scholar at UC Berkeley and a senior scientist at the International Computer Science Institute (ICSI). Dr. Duan has been working on network security for more than 20 years. His recent research interests include protocol security, intrusion detection, underground economy detection, etc. Some of his research results were deployed by industry, including Baidu, and published in top security conferences such as Security & Privacy, USENIX Security, CCS and NDSS.
Content:
The most popular protocols, like HTTP and TLS, are designed following the End-to-End principle, which was cherished by most pioneers of the Internet. However, with the evolutionary development of the Internet, middle boxes (firewall, cache, proxy, CDN, etc.) have been extensively deployed in current Internet communication, especially in web applications. While a Box-In-The-Middle (BITM) improves security, performance and availability, it introduces many new vulnerabilities as well. Professor Duan will introduce security threats of BITM in web communications, including injection of ads or malicious content, leakage of privacy, cache poisoning and denial of service. He will also give some mitigation solutions for the threats which might be helpful for Internet application designers, developers and service providers.
Haixin Duan
Dangerous Boxes in the Middle of End-to-End Communication: Blessing or Curse?
Speaker Bio:
Dr. Haixin Duan is a professor at the Institute for Network Science and Cyberspace, Tsinghua University. He was a visiting scholar at UC Berkeley and a senior scientist at the International Computer Science Institute (ICSI). He has worked on network security for more than 20 years; his recent interests include protocol security, intrusion detection and underground-economy detection. His results have been adopted by industry, including Baidu, and published at top security conferences such as Security & Privacy, USENIX Security, CCS and NDSS.
Content:
Widely used protocols such as HTTP and TLS were originally designed around the end-to-end principle championed by the Internet's pioneers. As the Internet has evolved, however, many boxes in the middle (Box In The Middle, BITM), such as firewalls, proxies, caches and CDNs, have been deployed. While these middleboxes improve security, availability and performance, they also introduce security risks. Drawing on his team's research of recent years, Professor Duan will present the security problems of the various middleboxes in web communication, including injection of advertisements or malicious content, leakage of user privacy, cache poisoning and large-scale denial-of-service attacks. He will also propose some mitigations, which may offer insights to the designers, developers and operators of Internet protocols and applications.
-----
Björn Ruytenberg
Playing in the Sandbox: Adobe Flash Exploitation Tales
Speaker Bio:
Björn Ruytenberg is an MSc student in Computer Science and Engineering, specializing in Information Security, at Eindhoven University of Technology. Being a technology enthusiast, he holds a BSc in Electrical Engineering as well as Computer Science (cum laude). Aside from his work as a software developer, he actively participates in bug bounty programs. His vulnerability research mainly focuses on sandboxing technology in widely deployed enterprise products, including Adobe Flash, Microsoft Office and Foxit Reader.
Content:
Sandboxing is a popular technique used by vendors to minimize damage that applications might cause to a system. Dictated by so-called sandbox policies, legitimate and malicious code alike are restricted in their trust boundaries, preventing unauthorized actions.
Input validation is key to enforcing sandbox policies. With input validation, context often matters: given some policy, certain input may be allowed, while the same input may be invalid given another. File paths are a prime example. In Adobe Flash Player, the "remote" sandbox prohibits local file system access but enables remote connections, while the "local-with-filesystem" sandbox enables the opposite use case.
While being a seemingly simple concept, validating file paths becomes increasingly complicated when considering the entire picture. With Flash being the intermediate glue between operating systems and various host environments - web browsers, Microsoft Office, PDF readers - there is a diverse landscape of path schemes to consider. This leads to challenges in path validation, and as it turns out, subtle but unforgiving mistakes.
In this talk, we will review two sandbox escape vulnerabilities I have recently found in Adobe Flash.
Tracked as CVE-2016-4271, the first vulnerability is a local sandbox escape through bypassing path validation, enabling an attacker to exfiltrate local data, obtain Windows user credentials, and escalate privileges. The second vulnerability, dubbed CVE-2017-3085, is a patch break in the remote sandbox, showing that Adobe's mitigations for the first vulnerability incompletely solved the issue. Both vulnerabilities have resulted in significant changes to Adobe Flash's decade-old sandbox design, causing web developers to refactor their applications.
In analyzing these vulnerabilities, we'll review the underlying causes that made them possible: arbitrary definitions of what constitutes "remote" and "local", inadequate path validation schemes, and unmitigated OS-specific vulnerabilities. Finally, in light of recent efforts to deprecate Adobe Flash, we'll also discuss how Flash will remain important in the short and long term. What are the industry's efforts to minimize its attack surface? Will end users still be vulnerable until 2020?
Björn Ruytenberg
Playing in the Sandbox: Tales of Adobe Flash Exploitation
Speaker Bio:
Björn Ruytenberg is an MSc student in Computer Science and Engineering at Eindhoven University of Technology, specialising in information security. A technology enthusiast, he holds BSc degrees in Electrical Engineering and in Computer Science (cum laude). Besides his work as a software developer, he actively takes part in bug bounty programmes. His vulnerability research focuses on sandboxing technology in widely deployed enterprise products, including Adobe Flash, Microsoft Office and Foxit Reader.
Content:
Sandboxing is a technique vendors now use widely to minimise the damage an application can do to a system. Under so-called sandbox policies, legitimate and malicious code alike are confined to their own trust boundaries to prevent unauthorised operations. Input validation is key to enforcing sandbox policies, and context matters: the same input may be allowed by one policy and forbidden by another. File paths are a good example.
In Adobe Flash Player, the "remote" sandbox forbids access to the local file system but may open remote connections, while the "local-with-filesystem" sandbox does the opposite. Validating file paths looks simple, but becomes complicated once the whole picture is considered. Because Flash is the glue layer between various operating systems and host environments (web browsers, Microsoft Office, PDF readers), it has to support many entirely different path formats. This makes path validation hard, and a tiny crack can bring down the whole dam.
In this talk I present two sandbox-escape vulnerabilities I recently found in Adobe Flash. The first, CVE-2016-4271, escapes the local sandbox by bypassing path validation, allowing theft of local data, capture of Windows user credentials and privilege escalation. The second, CVE-2017-3085, is an incomplete fix in the remote sandbox, showing that Adobe's mitigation for the first vulnerability did not fully solve the problem. Both led Adobe to make major changes to Flash's decade-old sandbox design, forcing web developers to rewrite their applications.
In analysing these vulnerabilities we will also go through their root causes: arbitrary definitions of "remote" and "local", lax path validation and unpatched OS-specific vulnerabilities. Finally, given the many recent efforts to retire Adobe Flash, we will discuss why Flash will remain important in the short and long term. What has the industry done to reduce Flash's attack surface? Will users have to wait until 2020 to be free of Flash vulnerabilities?
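An added illustration of the path-validation problem described in this abstract (example code written for this page; it is not Adobe's code and does not reproduce the mechanism of either CVE). It puts the tempting shortcut, "not an http/https/ftp URL, so it must be local", next to a classifier that decodes and normalises first and treats anything that names a host, including UNC paths and file://host/... forms, as remote. The sandbox names "remote" and "local-with-filesystem" are the abstract's; the classifier's rules are this example's assumptions.

```python
"""Classifying a path as "local" or "remote" before a sandbox policy is applied.

Added example for this page; it is not Adobe's code and does not reproduce the
mechanism of CVE-2016-4271 or CVE-2017-3085. The sandbox names come from the
abstract; the classifier and its rules are assumptions of this example.
"""
import re
from urllib.parse import unquote, urlparse

REMOTE_SCHEMES = {"http", "https", "ftp"}


def naive_is_local(path: str) -> bool:
    """The tempting shortcut: anything that is not an http/https/ftp URL is 'local'.

    It calls UNC paths (\\\\host\\share) and file://host/share local, although both
    make the client talk to a remote host.
    """
    scheme = path.split(":", 1)[0].lower() if ":" in path else ""
    return scheme not in REMOTE_SCHEMES


def classify(path: str) -> str:
    """Return "local", "remote" or "reject"; anything that names a host counts as remote."""
    p = unquote(path).replace("\\", "/")   # decode first so %2F / %5C cannot hide a separator
    if p.startswith("//"):                  # \\host\share or //host/share: UNC, a remote host
        return "remote"
    parsed = urlparse(p)
    scheme = parsed.scheme.lower()
    if scheme in REMOTE_SCHEMES:
        return "remote"
    if scheme == "file":
        # file://host/share and file:////host/share are UNC paths wearing a file: scheme
        if parsed.netloc and parsed.netloc.lower() != "localhost":
            return "remote"
        if parsed.path.startswith("//"):
            return "remote"
        return "local"
    if scheme == "" or re.fullmatch(r"[a-z]", scheme):   # plain path, or a drive letter like C:/
        return "local"
    return "reject"   # unknown scheme (smb:, ftps:, ...): fail closed rather than guess


def allowed(sandbox: str, path: str) -> bool:
    """The two policies named in the abstract: the remote sandbox may reach only remote
    resources, the local-with-filesystem sandbox only local ones; anything else is denied."""
    kind = classify(path)
    if sandbox == "remote":
        return kind == "remote"
    if sandbox == "local-with-filesystem":
        return kind == "local"
    return False
```

The unknown-scheme branch is the part worth copying: when a path format is not one you have enumerated, refuse it rather than default to "local", because "local" is the classification that unlocks file-system access.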
-----
Jonas Zaddach
BASS Automated Signature Synthesizer
Speaker Bio: (none)
Content:
While research on automated malware clustering is plentiful, the exercise of finding usable signatures for detection is left to the reader. Solutions proposed by academia have come and gone, none of them giving us a system for generating malware signatures which is open and available for tinkering.
In this work, we took bits and pieces from several projects to put together BASS, the BASS Automated Signature Synthesizer. Components are encapsulated in containers, allowing for the maintainability and scalability required for large-scale signature generation. In a nutshell, the system finds code similarities between samples of a malware cluster using binary diffing techniques on the code flow level. To this end, state-of-the-art binary diffing tools such as Bindiff and Kam1n0 as well as IDA Pro are used. From common byte sequences in the identified malicious code, the system generates signatures for the open-source virus scanner ClamAV. BASS is a necessary framework for the modern AV industry that is overwhelmed by millions of samples per day and needs quick and precise coverage for emerging threats as well as polymorphic malware families.
Jonas Zaddach
BASS Automated Signature Synthesizer
Speaker Bio: (not available)
Content:
Although there is plenty of research on automated malware clustering, none of it covers how to find usable signatures automatically. Academia has proposed solution after solution, but none has provided an open, usable signature-generation system.
In this work we combined pieces of several existing projects to build BASS, the BASS Automated Signature Synthesizer. Its containerised components provide the maintainability and scalability that large-scale signature generation requires. In short, the system finds code similarities between the samples of a malware cluster through binary diffing at the control-flow level, using state-of-the-art binary comparison tools such as BinDiff, Kam1n0 and IDA Pro.
From byte sequences shared by the identified malicious code, the system generates signatures for the open-source virus scanner ClamAV. For a modern anti-virus industry that is swamped with millions of samples a day and needs fast, accurate detection of new threats and polymorphic malware families, BASS is an indispensable framework.
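An added, simplified version of the last step in the abstract above, written for this page rather than taken from BASS: given a few samples of one cluster, find the byte sequence they all share, emit it as a ClamAV .ndb signature (Name:TargetType:Offset:HexSignature), and refuse it if it also matches known-clean files. BASS finds the shared code by function-level binary diffing; here a plain longest-common-substring search over whole files stands in for that step. The sample bytes are constructed.

```python
"""Deriving a ClamAV .ndb signature from the bytes a malware cluster shares.

Added example for this page, not BASS code. BASS locates shared code with
function-level binary diffing (BinDiff, Kam1n0, IDA Pro); this stand-in does a
longest-common-substring search over whole (constructed) sample files.
"""
import re
from typing import List, Optional, Sequence


def longest_common_bytes(samples: Sequence[bytes], min_len: int = 8) -> bytes:
    """Longest byte string contained in every sample, or b"" if none reaches min_len.

    Candidates are substrings of the shortest sample, each checked against the rest.
    Quadratic, which is fine for a handful of files; BASS avoids this cost by diffing
    at the function level first and only then looking for common bytes.
    """
    if not samples:
        return b""
    base = min(samples, key=len)
    others = [s for s in samples if s is not base]
    best = b""
    n = len(base)
    for start in range(n):
        if n - start <= len(best):          # nothing starting here can beat `best`
            break
        length = len(best) + 1
        while start + length <= n:
            cand = base[start:start + length]
            if not all(cand in o for o in others):
                break
            best = cand
            length += 1
    return best if len(best) >= min_len else b""


def to_ndb(name: str, sig: bytes, target_type: int = 0, offset: str = "*") -> str:
    """Format as a ClamAV .ndb line: Name:TargetType:Offset:HexSignature.
    TargetType 0 = any file, 1 = PE; offset '*' = match anywhere."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", name):
        raise ValueError("signature name must be [A-Za-z0-9._-]")
    return f"{name}:{target_type}:{offset}:{sig.hex()}"


def ndb_matches(line: str, data: bytes) -> bool:
    """Toy matcher for the plain-hex, any-offset subset of .ndb used here (no ?? wildcards)."""
    _name, _target_type, offset, hexsig = line.split(":", 3)
    if offset != "*":
        raise ValueError("only offset '*' is handled by this toy matcher")
    return bytes.fromhex(hexsig) in data


def build_signature(name: str, samples: Sequence[bytes], clean: Sequence[bytes],
                    min_len: int = 8) -> Optional[str]:
    """End to end: shared bytes -> .ndb line, rejected if it also hits a known-clean file."""
    common = longest_common_bytes(samples, min_len)
    if not common:
        return None
    line = to_ndb(name, common)
    if any(ndb_matches(line, c) for c in clean):
        return None          # a signature that fires on goodware is worse than none
    return line


# Constructed cluster: three "variants" sharing one 12-byte code stub under different padding.
COMMON = bytes.fromhex("558bec83ec10568b750833c0")
SAMPLES: List[bytes] = [
    b"MZ\x90\x00" + b"\x00" * 5 + COMMON + b"variant-A",
    b"MZ\x90\x00" + b"\xcc" * 9 + COMMON + b"\x90\x90variant-B",
    b"MZ\x90\x00" + COMMON + b"C",
]
BENIGN = b"MZ\x90\x00" + b"\x00" * 5 + b"hello world, nothing shared here"
```

To check a generated line against real files, write it to a `.ndb` file and run `clamscan -d sigs.ndb <file>`; the clean-file check above is the same discipline in miniature, and the corpus of goodware it is run against matters as much as the malware cluster.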
-----
Georgi Geshev
Chainspotting: Building Exploit Chains with Logic Bugs
Speaker Bio: (none)
Content:
Last year at CanSecWest, we celebrated the advantages of logic bugs over memory corruptions and showcased a nice and shiny bug in Chrome on Android from Mobile Pwn2Own 2016. But did we overstate the merits of this bug class? After all, logic flaws come in all shapes and sizes. You may occasionally need to combine logic bugs into an extraordinarily long and convoluted exploit chain, which is exactly what happened to us at the competition this year. So how does this compare to chaining memory corruption bugs? Is it still an advantage to use logic bugs in these situations?
We used a whopping chain of 11 bugs across 6 unique applications including Chrome, several Samsung and AOSP components. The chain was glued together using virtually every possible means of Android IPC including activities, broadcast receivers, content and file providers. We even threw in a remote DoS bug in the chain for good measure!
This presentation will cover how to hunt for logic bugs at scale, the types of exploit primitives we used, and the way they fit together to achieve a malicious action such as silently installing an arbitrary APK. We will review the approach we use for discovering these types of bugs and discuss our effort into speeding up and automating this process through both static and dynamic analysis tools.
This talk will also cover the limitations of these bugs along with some of the Android mitigations that hindered the exploitation process.
Georgi Geshev
Chainspotting: Building Exploit Chains with Logic Bugs
Speaker Bio: (not available)
Content:
Last year at CanSecWest we praised the advantages of logic bugs over memory corruption and showed off a high-quality bug in Chrome for Android from Mobile Pwn2Own 2016. But did we oversell this class of bug? After all, logic bugs come in all shapes and sizes, and sometimes you have to string many of them into a long and winding exploit chain, which is exactly what we did at this year's competition. How does that compare with chaining memory-corruption bugs, and are logic bugs still an advantage in such cases?
In the competition we used a chain of no fewer than 11 bugs spanning 6 different applications, including Chrome and several Samsung and AOSP components. To glue the chain together we used almost every Android IPC mechanism: activities, broadcast receivers, content providers and file providers. For good measure we even threw in a remote denial-of-service bug!
This talk covers how to find logic bugs at scale, the exploit primitives we used and how they fit together to perform a malicious action such as silently installing an arbitrary app. We describe our approach to discovering such bugs and our work on speeding up and automating the process with static and dynamic analysis tools. I will also cover the limitations of these bugs and some of the Android mitigations that hindered exploitation.
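An added example (written for this page, not the speakers' tooling) of the first step in hunting such bugs at scale: listing the components an app exposes to other apps through Android IPC, from its AndroidManifest.xml. It applies the platform's rules: an explicit android:exported wins; otherwise an activity, service or receiver is exported if and only if it declares an intent-filter, and a provider defaults to not exported (the default is true only for targetSdk 16 and below, which is an option here). Exported components that are gated by a permission are kept but reported separately from the unprotected ones. The manifest below is constructed.

```python
"""Enumerating the Android IPC entry points an app exposes, from AndroidManifest.xml.

Added example for this page, not the speakers' tooling. Rules applied are the
platform's (android:exported, intent-filter implication, provider default); the
manifest is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _a(el: ET.Element, name: str) -> Optional[str]:
    """Read an android:-namespaced attribute."""
    return el.get(ANDROID_NS + name)


def exported_components(manifest_xml: str, provider_default_exported: bool = False) -> List[Dict]:
    """Return the components other apps can reach.

    android:exported wins when present. Otherwise an activity/service/receiver is
    exported iff it declares an intent-filter, and a provider falls back to
    provider_default_exported (True only for targetSdk <= 16). Android 12+ requires
    the attribute to be explicit on components with intent-filters, so on modern
    apps the implicit branch mostly documents older behaviour.
    """
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    found: List[Dict] = []
    if app is None:
        return found
    for el in app:
        if el.tag not in COMPONENT_TAGS:
            continue
        has_filter = el.find("intent-filter") is not None
        explicit = _a(el, "exported")
        if explicit is not None:
            exported = explicit.lower() == "true"
        elif el.tag == "provider":
            exported = provider_default_exported
        else:
            exported = has_filter
        if not exported:
            continue
        # readPermission/writePermission only exist on providers; on others they read as None.
        perms = [p for p in (_a(el, "permission"), _a(el, "readPermission"),
                             _a(el, "writePermission")) if p]
        found.append({
            "tag": el.tag,
            "name": _a(el, "name"),
            "intent_filter": has_filter,
            "permissions": perms,
            "grant_uri": (_a(el, "grantUriPermissions") or "false").lower() == "true",
            "authorities": _a(el, "authorities"),
        })
    return found


def unprotected(components: List[Dict]) -> List[Dict]:
    """Exported components with no permission gate: the first stops when building a chain."""
    return [c for c in components if not c["permissions"]]


# Constructed manifest: a mix of implicitly, explicitly and not exported components.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".InstallHelperActivity" android:exported="true"/>
    <activity android:name=".InternalActivity"/>
    <receiver android:name=".UpdateReceiver">
      <intent-filter><action android:name="com.example.constructed.UPDATE"/></intent-filter>
    </receiver>
    <receiver android:name=".GuardedReceiver" android:exported="true"
        android:permission="com.example.constructed.PRIV"/>
    <provider android:name=".FilesProvider" android:authorities="com.example.constructed.files"
        android:exported="true" android:grantUriPermissions="true"/>
    <provider android:name=".PrivateProvider" android:authorities="com.example.constructed.private"/>
    <service android:name=".SyncService" android:exported="false">
      <intent-filter><action android:name="com.example.constructed.SYNC"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

The manifest inside an APK is binary XML, so feed this script the decoded form (for example the output of `apkanalyzer manifest print app.apk`). Two caveats a reviewer would add: a permission gate is only as strong as its protectionLevel, which this script does not resolve, and a non-exported provider with grantUriPermissions can still be reached through an exported activity that hands out URI grants, which is exactly the kind of multi-step reachability a chain like the one above exploits.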
-----
Enrique Nissim
Reverse Engineering and Bug Hunting on KMDF Drivers
Speaker Bio:
Enrique Nissim is a Senior Security Consultant at IOActive. His experience and interests include reverse engineering, exploit development, programming and application security. He has also been a regular speaker at other international cyber security conferences, including CanSecWest, EKOParty, and ZeroNights.
Content:
Numerous technical articles, presentations, and even books exist about reverse engineering the Windows Driver Model (WDM) for purposes that vary from simply understanding how a specific driver works, to malware analysis and bug hunting. On the other hand, Microsoft has been providing the Kernel Mode Driver Framework (KMDF) for quite a while and we now see more and more drivers shifting to this framework instead of interacting directly with the OS like in the old WDM times.
Yet, there is close to no information on how to approach this model from a reverse engineering and offensive standpoint.
In this presentation, I will first do a quick recap on WDM drivers, their common structures, and how to identify their entry points. Then I'll introduce KMDF and its core concepts and functions relevant for reverse engineering through a set of case studies. How to interact with a KMDF device object? How to find and analyze the KMDF dispatch routines? Does the framework actually enhance security? Armed with this knowledge, you will be able to run your own bug hunting session over any KMDF driver.
Enrique Nissim
Reverse Engineering and Bug Hunting on KMDF Drivers
Speaker Bio:
Enrique Nissim is a Senior Security Consultant at IOActive. His interests and expertise include reverse engineering, exploit development, programming and application security. He is a regular speaker at international security conferences such as CanSecWest, EKOParty and ZeroNights.
Content:
There are many technical articles, talks and even books on reverse engineering the Windows Driver Model (WDM), ranging from plain descriptions of how a particular driver works to malware analysis and bug hunting. Microsoft's Kernel-Mode Driver Framework (KMDF), however, has been available for a long time, and more and more drivers now use it instead of interacting with the OS directly as in the WDM days; yet there is almost no material on reverse engineering or attacking this driver model.
In this talk I first give a brief introduction to WDM drivers, their common structures and how to locate their entry points. Then, through many examples, I explain KMDF and the core concepts and functions relevant to reversing it, and discuss how to interact with a KMDF device object, how to find and analyse KMDF dispatch routines, and whether the framework really improves security. With this knowledge you will be able to hunt for vulnerabilities in KMDF drivers yourself.
-----
Aleksandar Nikolic
COVNAVI: Fuzzing-Driven Code Auditing And Vice Versa
Speaker Bio: (none)
Content:
Coverage-based fuzzers are all the rage these days, but while usually achieving excellent results, they can get stuck on some problematic code parts like large constant comparisons or checksum calculations.
Patching out the problematic code, or manually auditing the code the fuzzer cannot reach, slightly alleviates the problem of code not being covered during an audit, but the problem of finding those problematic points in the code remains.
We have developed a tool that combines code coverage information and code property graph analysis to help pinpoint those locations during fuzzing.
The bug hunter can then analyze the problematic part of the code and decide to patch it to remove the problem, augment the fuzzer to get past the block, manually audit the unreached code, or write a different fuzzing harness that exercises the unreached code specifically. In this talk, we will present the motivation behind this work, the methodology that utilizes the developed tool, the implementation of the tool, experimental results and demonstrations of the tool.
Aleksandar Nikolic
COVNAVI: Fuzzing and Code Auditing Driving Each Other
Speaker Bio: (not available on the official site)
Content:
Coverage-guided fuzzers are all the rage. Although they usually work well, they can get stuck on problem code such as comparisons against large constants or checksum calculations. Rewriting the problem code or manually auditing the uncovered parts addresses the coverage problem, but finding the problem code in the first place is not easy.
We developed a tool that combines code-coverage information with code property graph analysis to pinpoint such locations during fuzzing. The bug hunter can then analyse the problem code and decide whether to rewrite it to remove the obstacle, give the fuzzer inputs that get past the block, manually audit the unreachable code, or write a fuzzing harness that exercises the unreachable code directly. In this talk we present the motivation for the work, how the tool is used, how it is implemented, experimental results and a live demo.

Let me introduce myself again. I'm 史中 (Shi Zhong), a tech journalist who loves a good story. My daily routine is chatting with experts of every stripe. If you'd like to be friends, follow me on Weibo (@史中方枪枪) or search WeChat for shizhongst.
If you don't want to lose track of me, you can also follow my public account, 浅黑科技.
Source page: http://weixin.100md.com