It’s been several years since the “No More Free Bugs” movement started to gain traction, but now it seems as almost everyone has some form of bug bounty for researchers. This presentation will go over the motivations of certain researchers to stop giving away their work for free and demand satisfaction (well, as close to satisfaction as one can get).
So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live OS like Tails. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit!"
Though long thought to be impractical, this talk will dispel the illusion that sophisticated BIOS level malware is exclusively within the realm of possibility for nation state actors. Recent disclosures of firmware level vulnerabilities have given us reliable entry vectors into the firmware on almost all systems we have surveyed. Furthermore, the well defined nature and modularity of UEFI significantly lower the bar for coherently implanting a firmware rootkit onto a system. This talk will detail the result of our 1 month effort to infect the BIOS of every business class system we could get our hands on.
There is a latent distrust of the growing "Internet Of Things" market. The data collected by them is becoming more personal all while proliferation of internet connected devices is continuing without regard to privacy or security. Recent news stories has consumers concerned not only with privacy but also surveillance and data handling. There is no trusted third-party "consumer advocacy" for privacy and security of mobile apps and embedded systems. The designs of these systems make traditional software based security (like "anti-virus" or "end-point detection") virtually impossible. And if you don't think this is going to be a huge problem: Recent research demonstrates that a significant number of the nodes used in CURRENT DDoS attacks are actually compromised embedded devices NOT user end-points....So, the shift has already begun.The "internet of things" is not just newfangled consumer devices however. I'll talk a bit about this and a recurring trend we see in these network enabled embedded systems: something we call the "uncanny valley" that gives rise no only to vulnerabilities but also huge tools gaps for software and hardware security research.
This talk will catalog some of our experiences at Xipiter exploiting these kinds of embedded systems. From trivial "exploitation" to the more advanced hardware exploitation and binary exploitation techniques. We'll talk about how we've applied these techniques to everything from Payment systems and Game Consoles to more esoteric devices like Gaming systems (lottery, casino, etc) and Industrial Controls Systems. We'll also talk about about the custom hardware we've developed (and sell to researchers at http://int3.cc) to help us with this stuff also demonstrates the "tools gap".
As we all know, computer security products are completely
infallible and, themselves, totally secure. Furthermore, Data Loss
Prevention (DLP) solutions are, hands down, the panacea for all data
leakage woes. But, we decided to pretend for a minute that they weren't,
AND YOU WON'T BELIEVE WHAT HAPPENED NEXT!
Despite a plethora of data security and protection standards and
certifications, companies and their systems are still leaking information
like a sieve. With deployment models ranging from a fat agent on an
endpoint, to a blinky-lights box surveilling all network traffic, to some
unified threat management gateway with DLP secret sauce, these solutions
are ripe for bypass - or worse.
This talk will discuss our previous and current research into a handful of
DLP solutions, including their capabilities and their shortcomings. We will
demonstrate flaws in administrative and programmatic interfaces and the
inspection engines themselves. Additionally, we will revisit the tools and
techniques we used to discover these issues.
The Mozilla Firefox browser has a new garbage collection (GC)
implementation
for its JavaScript engine (SpiderMonkey) since version 32. This new GC
algorithm
has introduced significant changes to the way that Firefox's heap is
organized.
The GC heap is now divided into two layers; a first layer for short-lived
objects, called the 'nursery', and a second layer for objects that survived
a GC pass in the nursery, called the 'tenured' heap. Apart from these two,
the
latest version of Firefox continues to use jemalloc (on all its supported
platforms)
for SpiderMonkey metadata and GC heap objects that fit certain criteria.
These
changes directly affect the way that the browser's heap can be manipulated
towards
states that aid in the exploitation of heap vulnerabilities.
In this talk we will expand upon previous work we have published on
jemalloc heap
exploitation approaches and primitives for Firefox, taking into account its
new
GC heap implementation. The presentation will demonstrate a major upgrade
of our
'unmask_jemalloc' Firefox heap exploration utility with new features, and
support
for Windows (and the WinDbg debugger). The new version of unmask_jemalloc,
named
'shadow', will be released as open source along with the talk.
Fighting off attacks based on memory corruption vulnerabilities is hard and a lot of research was and is conducted in this area. In our recent work we take a different approach and looked into breaking the payload of an attack. Current attacks assume that they have access to every piece of code and the entire platform API. In this talk we present a novel defensive strategy that targets this assumption. We built a system that removes unused code from an application process to prevent attacks from using code and APIs that would otherwise be present in the process memory but normally are not used by the actual application. Our system is only active during process creation time, and, therefore, incurs no runtime overhead and thus no performance degradation. Our system does not modify any executable files or shared libraries as all actions are executed in memory only. We implemented our system for Windows 8.1 and tested it on real world applications. Besides presenting our system we also show the results of our investigation into code overhead present in current applications.
Over the past 15 years, security researchers have created specific heap exploitation techniques targeting well identified allocators and developed tools to inspect, visualize, force and sometimes predict layout of dynamically allocated memory regions. Nonetheless, the diversity of Heap Allocators makes it hard for exploit writers to come up with generic heap prediction techniques. Among the various most used allocators are DLmalloc, PTmalloc, JEmalloc, the Windows Heap, as well as several flavors of Garbage collected memory allocators in web browsers. Internals of these allocators differ so vastly that coming up with generic tools to predict the dynamic behavior of these different implementations is currently out of reach. This talk aims at surveying the existing work in the field of heap analysis and attempt to introduce a systematic methodology to analyze dynamic behavior of allocators for the exploit writer.
Infusion pumps are medical devices that deliver drugs into a patient's body in controlled, prescribed amounts. These devices are instrumental in the delivery of patient care in hospitals across the world. How do these devices work? What do these devices look like under the hood? Are there vulnerabilities that could be leveraged to hurt or kill a patient? Let's take a look at a number of infusion pumps and explore the architecture, protocols, and vulnerabilities associated with these pumps. We'll also cover key aspects of vulnerability research in the medical device industry.