Highlights from BlackHat 2015 & Defcon 23

High Level Takeaways from the conference

  • The security of the Internet of Things (IoT) is analogous to that of the web in the early 2000s: it is missing basic security properties like authentication, authorization and confidentiality. We seem to have started the security process from scratch for IoT, and there is a dire need for a framework that translates the security properties already established for various protocols to the specifics of IoT, as a lot of them are not directly applicable.
  • A lot of fellow cryptographers are working on solutions that implement end-to-end encryption as well as transparent and open crypto in a very usable way. Tools like TextSecure by Moxie Marlinspike and the Let’s Encrypt initiative headed by the EFF are some examples. As Jennifer Granick mentioned, this would be our basis for protecting the dream of a free Internet.
  • We have a lot of new frameworks like Node.js, MongoDB and so on. Developers tend to assume that these frameworks take care of security automatically, which they do only when used within their architectural capabilities. So a lot of security issues are popping up because of the failure to understand a framework’s architectural capabilities before using it. The talk on Node.js attacks listed in this document is an example.
  • I also noticed the “assumed breach” model come up in a lot of discussions with other security researchers, and it is also being used heavily in terms of crypto agility and certificate management.

Black Hat 2015

Jennifer Granick’s keynote speech “The Lifecycle of a Revolution” [1] captured the theme of this year’s conference: the dream of Internet freedom.

Granick is the Director of Civil Liberties at the Stanford Center for Internet and Society and is known for representing Kevin Poulsen and Aaron Swartz before US criminal courts.

In her speech, she spoke of the dream of Internet freedom: the freedom to exist without judgment (be it based on age, race, class, or gender), the freedom to communicate with anyone, anywhere, the freedom to access information, and the hands-on imperative – the freedom to explore and understand the technologies around us.

Some of the key points from her talk were:

  • We are now seeing a centralized, regulated Internet – one that is controlled based on the decisions of those in power. It should rather be decentralized and should not be regulated by those with local concerns.
  • Use end-to-end encryption to break the cycle of power imbalances.
  • Be afraid of the right things –  “People are more afraid of sharks than cows, but cows kill ten times more. It’s true!”
  • Start creating technology for the next cycle of revolution, or else the Internet will become like TV. A perfect example of this is the “Let’s Encrypt” [2] initiative by the EFF; @bcrypt presented this at Defcon.
  • “Why don’t we amend the Privacy Act to protect our email and geolocation (data). We have to get behind these ideas and give it a push. Or the dream of Internet security is going to get sicker and sicker until it dies.”

Here are a few notes on some of my favorite talks from Black Hat this year:

Android Security

AH! UNIVERSAL ANDROID ROOTING IS BACK by Wen Xu [3]

Wen used a kernel use-after-free bug, found in all versions of the Linux kernel, to successfully root most Android devices (version >= 4.3), including 64-bit devices. Essentially, they stumbled upon this bug while fuzzing with their customized Trinity fuzzer and discovered a dangling file descriptor in user space pointing to a PING socket object in the kernel. They were then able to reliably spray user-controlled data into kernel space and achieve arbitrary code execution in the kernel, bypassing modern kernel mitigations like PXN.

Side Channel Attacks

Exploiting Out-of-Order Execution for Covert Cross-VM Communication by Sophia D’Antoine [4]

Sophia demonstrated the use of CPU out-of-order execution to enable covert cross-VM communication in cloud computing environments. This used three channel architectures: exfiltrating, infiltrating, and network as a separate side channel. To do this, a pair of transmitting and receiving processes exploit the shared central processing unit: the transmitter must force out-of-order execution to occur and the receiver must record these occurrences.

Exploiting the DRAM Rowhammer bug to gain kernel privileges by Mark Seaborn and Halvar Flake [5]

Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. It was originally found by Yoongu Kim et al. and published as “Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors.”

Mark and Halvar wrote two exploits using Rowhammer:
i) The first runs as a Native Client (NaCl) program and escalates privilege to escape from NaCl’s x86-64 sandbox, acquiring the ability to call the host OS’s syscalls directly. This was done by making use of the CLFLUSH instruction.
ii) The second runs as a normal x86-64 process on Linux and escalates privilege to gain access to all of physical memory. This one is harder to mitigate on existing machines.

IoT and Car Hacking Attacks

Remote Exploitation of an unaltered passenger vehicle by Charlie Miller and Chris Valasek [6]

In this attack Charlie and Chris demonstrated how it’s possible to remotely hack the Uconnect system of a 2014 Jeep Cherokee over Wi-Fi as well as the cellular network, and then extend the attack to the CAN bus within the vehicle to control more sensitive functions like brakes, steering etc. They observed that Uconnect IPs are exposed without authentication on the Internet in two class-A address blocks, 21.0.0.0/8 and 25.0.0.0/8, which are presumably the address space Sprint reserves for vehicle IP addresses, and that port 6667 is bound to the D-Bus service on these IPs. Moreover, Sprint doesn’t restrict two devices from communicating with each other, hence they could send packets to port 6667 from their own device to jailbreak Uconnect. Using Uconnect (or more precisely the OMAP chip) they flashed the V850 with a malicious image and were thus able to craft packets to control the CAN bus. Note: if you now do a port scan for port 6667, it will fail, as Sprint has blocked it. Also, Chrysler recently recalled 1.4 million vehicles which were potentially directly affected.

When IoT Attacks: Hacking a Linux-powered rifle by Runa Sandvik and Michael Auger [7]

TrackingPoint is an Austin-based startup which makes precision-guided firearms; these firearms ship with an ARM-powered scope running a custom Linux version and a linked trigger mechanism. The task of the scope is to follow targets, calculate ballistics and increase the user’s first-shot accuracy. Apparently, the scope also supports recording and streaming video and audio over Wi-Fi to its mobile applications. Essentially, the authors noted that the admin API is unauthenticated, which gives unauthenticated access to core system functions, and in addition any GPG key in the trust DB can encrypt and sign updates. Using these, the authors controlled the scope and hence the target being fired at.

Web platform Attacks

The Node.js highway: Attacks are at full throttle by Maty Siman and Amit Ashbel [8]

Node.js is a platform built on Chrome’s JavaScript runtime; it is non-blocking, single-threaded and event-driven, which enables building fast, scalable network applications. The authors demonstrated attacks on the architectural design of Node.js: weak crypto, denial of service and JSON injection. Most interesting was weak crypto: Node.js is based on Chrome’s V8 engine, which uses a weak PRNG. In Chrome the PRNG state is segregated between tabs and each tab has its own seed value, but in the case of Node.js all users are served by the same Node.js-based web server, hence they run within that single thread and share a single seed.

Bypass Surgery: Abusing Content Delivery Networks with Server-Side Request Forgery (SSRF), Flash and DNS by Mike Brooks and Matthew Bryant [9]

This talk does have a full exploit, but I mostly liked it for the general information they covered around SSRF, DNS profiling and Flash cross-domain exploits with respect to CDNs.

Windows and Hypervisors

Attacking Hypervisors using Firmware and Hardware by Yuriy Bulygin, Alexander Matrosov, Mikhail Gorobets and Oleksandr Bazhaniuk [10]

Yuriy discussed the attack surface of hypervisors with respect to vulnerabilities in system firmware, such as the BIOS, or in hardware emulation. The attacks discussed were VMM DoS, hypervisor privilege escalation and SMM privilege escalation from within virtual machines. He demoed the leaking of secrets using a firmware-level rootkit in a very detailed way. They released new modules in the open-source CHIPSEC framework to test for these issues in hypervisors.

Bypassing CFG comprehensively by Yunhai Zhang [11]

Control Flow Guard (CFG) checks the target of an indirect call by calling ntdll!LdrpValidateUserCallTarget and raises an exception if the target is invalid. The Guard CF Check function pointer is usually initialized with the address of ntdll!LdrpValidateUserCallTarget when a module is loaded. Yunhai uses Jscript9’s CustomHeap::Heap to make read-only memory writable and then overwrites the Guard CF Check function pointer to bypass CFG. This has been mitigated in Windows by introducing a new function, HeapPageAllocator::ProtectPages.

Machine Learning

Deep Learning on Disassembly by Matt Wolff and Andrew Davis [12]

This was an interesting talk showing the effectiveness of applying deep learning techniques to disassembly, in an effort to generate models that identify malware. They covered the details of the whole pipeline, from raw binary extraction to transformation of the disassembly data to training a deep learning model.

Securing your Big Data Environment by Ajit Gaddam [13]

This talk was not about demoing zero-days or cool exploits, but it was a very comprehensive walkthrough of the challenges and risks around big data processing environments. The talk described a big data security framework in detail and also covered the various risks involved at each layer.

DEFCON 23

Defcon Badge Puzzle

In case you’re unaware of the tradition, no mere plastic laminate is good enough for DEF CON. Over the years, the conference’s admission tags have morphed into a variety of charming and perplexing inventions, often incorporating circuit boards with chips, LEDs, and other components for attendees to try to hack.

This year LostboY (@1o57) decided to go analog, and the DEFCON 23 badge was a playable 7-inch vinyl record, as shown below.

[Images: DEFCON 23 badge, side A and side B]

If you play the record, it starts with a synthesized voice reading the last few paragraphs of the Hacker Manifesto, followed by a female voice reading a list of decimal numbers separated by dashes, which includes the phrase “to June 18th 2024”, and ends with a bunch of DTMF codes which seem to use 1057 (lostboy’s handle) as a delimiter.

There were a bunch of other clues scattered across the whole conference setup: in the hotel keys, Shavian script on the badge, Gold-Bug ciphers on the lanyards, information in the Defcon newspaper etc. A few of them were misleading distractions, but all in all it was a fun setup.

Here’s the closest thing to a complete archive of all the clues you had to gather at the conference:

https://hackaday.io/project/7087-defcon-23-badge-hacking

*Spoiler Alert*

Here is the final solution to the puzzle:

DEFCON Villages

Villages are communities of people catering to a specific area who get together to discuss and hack. IMHO, this is by far the most informative part of Defcon, and I spent almost 50% of my time at them. Some of my favorites were:

Crypto/Privacy Village, IoT Village, Social Engineering Village and Wireless Village.

DEFCON Talks

Here are a few notes from selected Defcon talks that I attended and liked:

Let’s Encrypt – Minting Free Certificates to Encrypt the Entire Web by Peter Eckersley, James Kasten, & Yan Zhu [14]

Let’s Encrypt is a new Certificate Authority initiative, an effort to encrypt the entire web by issuing free TLS certificates in an automated, transparent and secure fashion. Here is why I support the initiative:

  • It automates the complete process of issuance and renewal of certificates via the ACME protocol, which is itself an open standard.
  • It supports Certificate Transparency by default, meaning all certificates issued or revoked are publicly recorded and available for anyone to inspect.
  • It’s free and painless to get a new certificate within a couple of minutes, with security standards at least equal to those of existing CAs.
  • The whole code base of Let’s Encrypt, both the server- and the client-side implementation, is open source.
  • It is not controlled by one organization: the EFF is launching it, but in collaboration with several other organizations.
  • It is backed by the Internet Security Research Group and hence keeps abreast of the latest security standards as they are updated.

Here is the code repository if you are interested: https://github.com/letsencrypt/letsencrypt

Linux Containers: Future or Fantasy? by Aaron Grattafiori

Aaron starts with the basics of how Linux containers work (container functions, namespaces, cgroups etc.) and how to build system sandboxing using these kernel features, focusing on LXC and Docker. He then analyzes and discusses techniques for Linux kernel hardening, reduced capabilities, Mandatory Access Control (MAC) and seccomp-bpf (syscall filtering). Finally he ends the talk with the future of containers.

It’s The Only Way To Be Sure: Obtaining and Detecting Domain Persistence by Grant Bugher [15]

This talk is about how one can maintain domain persistence once one has a handle on a domain account. The techniques discussed/demoed included backdooring an administrator workstation, distributing signed Trojan administrator tools, stealing PKI keys, setting PowerShell as the debugger for something important, etc. The talk also discussed a few detection and remediation methods.

I Will Kill You by Chris Rock [16]

This presentation talked about the mechanism of declaring someone dead and the process-level vulnerabilities that can be exploited to virtually kill off anyone and wipe them from the digital system.

Key discussion points:

  • How to fill in a doctor’s medical cause of death certificate anonymously.
  • How to become a funeral director and dispose of the body.
  • How to obtain a Death Certificate.

There is a lot more discussion in his talk and, to be honest, it was scary and humorous at the same time.

References

1. https://www.youtube.com/watch?v=Tjvw5fz_GuA

2. https://letsencrypt.org/

3. https://www.blackhat.com/docs/us-15/materials/us-15-Xu-Ah-Universal-Android-Rooting-Is-Back-wp.pdf

4. https://www.blackhat.com/docs/us-15/materials/us-15-DAntoine-Exploiting-Out-Of-Order-Execution-For-Covert-Cross-VM-Communication-wp.pdf

5. https://www.blackhat.com/docs/us-15/materials/us-15-Seaborn-Exploiting-The-DRAM-Rowhammer-Bug-To-Gain-Kernel-Privileges-wp.pdf

6. http://illmatics.com/Remote%20Car%20Hacking.pdf

7. https://www.blackhat.com/docs/us-15/materials/us-15-Sandvik-When-IoT-Attacks-Hacking-A-Linux-Powered-Rifle.pdf

8. https://www.blackhat.com/docs/us-15/materials/us-15-Siman-The-Node-Js-Highway-Attacks-Are-At-Full-Throttle.pdf

9. http://bishopfox.com/download/5439/

10. http://www.intelsecurity.com/advanced-threat-research/content/AttackingHypervisorsViaFirmware_bhusa15_dc23.pdf

11. https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf

12. https://www.blackhat.com/docs/us-15/materials/us-15-Davis-Deep-Learning-On-Disassembly.pdf

13. https://www.blackhat.com/docs/us-15/materials/us-15-Gaddam-Securing-Your-Bigdata-Environment-wp.pdf

14. https://github.com/letsencrypt

15. https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20&%20Workshop%20Materials/Grant%20Bugher/DEFCON-23-Grant-Bugher-Obtaining-and-Detecting-Domain-Persis.pdf

16. https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20&%20Workshop%20Materials/Chris%20Rock/DEFCON-23-Chris-Rock-I-Will-Kill-You-How-to-Get-Away-with-Mu.pdf


By Shrikant Adhikarla