SlideShare a Scribd company logo

Di shen pacsec_final

PacSecJP
PacSecJP

PacSec2017

Internet
1 of 37
Download to read offline
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent
whoami •  Di Shen a.k.a. Retme (@returnsme) •  Member of Keen Lab •  Android Kernel vulnerability hunting and exploitation since 2014 •  Aim: to make out universal rooting exploit for Android •  Trophy: •  CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c) •  CVE-2015-1805 (fs/pipe.c) ’s first working exploit •  CVE-2015-4421,4422 (Huawei TrustZone) •  KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’) •  Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’) •  And more To Be Announced in the future •  Available on https://github.com/retme7/My-Slides
Agenda •  Rooting Android: Current situation •  Overview of exploiting UAF in kernel •  Conventional approach •  Afterwards: Gain root •  The Unconventional UAFs •  Implementation of perf system •  Exploiting CVE-2017-0403 •  Exploiting CVE-2016-6787 •  Conclusion
Rooting Android: Current situation • Universal exploitable vulnerability is rare •  Available attack surface: •  Generic Linux syscalls •  Android universal drivers like Binder, ION, Ashmem
Rooting Android: Current situation • Enforced SELinux policy •  Most of device drivers are inaccessible •  Many syscalls are not reachable from untrusted Application •  Sockets ioctl commands are partially restricted
Rooting Android: Current situation •  Verified Boot through dm-verity kernel feature •  The gained root privilege is nonpersistent
Rooting Android: Future challenges •  Privileged Access Never (PAN) •  KASLR •  Pointer Authentication
Overview of exploiting UAF in kernel •  An easily exploitable UAF bug normally has following features: •  Has a function pointer in freed object •  Attacker has plenty of time to refill the freed object.
Conventional approach of UAF exploitation struct socket (freed) ops->ioctl(…) struct socket (refilled) ops->ioctl(…) JOP gadgets •  Free the victim object •  Refill the object with malformed data by heap spraying or ret2dir •  Let the function pointer point to ROP/JOP gadgets in kernel •  Ask kernel reference this function pointer to achieve arbitrary kernel code execution ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
Afterwards, from code execution to root Arbitrary kernel code execuAon Overwrite process's addr_limit Arbitrary kernel memory overwriAng Overwrite uid, security id, selinux_enforcing
However… •  Not every UAF bug in kernel is so that idealized •  More unconventional situation to deal with… •  The victim object may don’t have a function pointer •  The kernel may crash soon after UAF triggered •  The attacker may cannot fully controlled the freed object
The unconventional UAFs I found •  All found in sys_perf_event_open() •  Perf system is pretty buggy •  Reachable by application last year •  But now it’s restricted by a feature called “perf_event_paranoid”
The unconventional UAFs I found •  CVE-2017-0403 •  Ever affected all devices shipped with 3.10 or earlier Linux kernel •  More than 14 million users of KingRoot gain root privilege on their smart phones •  CVE-2016-6787 •  Ever affected all Qualcomm-based devices. (Only Qucalcomm enabled hardware perf event…) •  A part of my exploit chain to bypass Samsung KNOX 2.6
sys_perf_event_open() •  Will create a perf_event •  Input: perf_event_attr •  A description of what kind of performance event you need •  Input: group_fd (optional) •  Specify the group leader of new perf_event •  Return the fd of perf_event to user space
Key kernel objects in perf system •  perf_event •  A performance event which is registered by user •  perf_event_context •  The container of all perf events created in one process •  Each process has two contexts, one for software events, other one for hardware events •  Perf group and group leader •  Multiple events can form a group •  One event is the leader perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
move_group •  Happens when user try to create a hardware event in pure software group
CVE-2016-6787 Remove the group_leader from origin software context and then install it to hardware context Remove every event from software context, and then install it to new hardware context ’move_group‘ leads to reducing context’s refcont by one
CVE-2016-6787 •  move_group ignored the concurrency issues •  UAF happens due to race condition •  Attacker trigger the move_group on same group leader simultaneously, •  The ref count of group_leader->ctx may be reduced to zero •  task_struct->perf_event_ctxp[perf_sw_context] will be freed accidently The object is freed
Free perf_event_context (PoC) Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) ctx->refcount = 1 ctx->refcount = 2 ctx->refcount = 0
Kernel crashed instantly •  Kernel crashed soon after we freed the perf_event_context •  Thread scheduler need to reference this object consecutively •  We don‘t have plenty of time to refill the object L
Solution: freeze thread after free •  Keep thread scheduler away from me •  Switch the status of attacker’s thread from running to (un)interruptible •  The thread will be frozen and kernel won’t crash as soon as perf_event_context freed
How to freeze a thread from user land? •  Sleep() ? Not working •  Use futex_wait_queue_me() switch to interrupAble freezable_schedule()
Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) futext_wait_queue_me() Phase 1 Phase 2 Spraying the heap by using ‘ret2dir’ trick, fill a malformed perf_event_context{} in every 1024 bytes Use futex_wake() wake up main thread Phase 4 schedule() finish_task_switch() perf_event_context_sched_in() ctx->pmu->pmu_disable() Phase 3
A brief summary of CVE-2016-6787 •  Easy to win the race, and trigger the bug •  Hard to refill the freed object (no time) •  Easy to control the code flow (corrupted object has function pointer) •  Proposed an approach of thread freezing to gain more time to refill object
Review: relationship of perf event, group and group leader •  Group leader has a sibling_list •  sibling_list is a list of perf events which belongs this group perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
CVE-2017-0403 (PoC) •  Create a perf event as ‘A’ •  Create another perf event as ‘B’, specify ‘A’ as its group leader •  Free ‘A’,the group leader •  Free ‘B’, a sibling of group ß---- UAF happens here
Root cause •  Now group leader ‘A’ is freed •  Kernel doesn’t empty its sibling list •  Leads to leaving a dangling pointer in sibling’s event->group_entry
Root cause •  Later on the sibling ‘B’ is freed •  list_del_event() •  list_del_init(&event->group_entry); •  overwrite a pointer to the freed group leader.
•  Slub poinson infomation •  0xfffffc00fc2b1a0 is overwritten to (group_leader+ 0x20)
The unconventional scenario •  The only thing I can do is overwritting the freed object as following *(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
Pipe subsystem in Linux •  readv() & writev(): read/write multiple buffers through pipe •  Use an array of struct iovec{iov_base,iov_len} to describe user buffers •  When no contents available from the write end, readv() may block in kernel •  Then an array of struct iovec{} may stay in kernel’s heap
Compromise pipe system •  Call readv() •  rw_copy_check_uvector() confirm every iov_base must points to userland space. •  An array of struct iovec{} now is in heap. Nothing comes from the write end of pipe, so readv() block. •  If you can somehow overwrite the iovec{}, modify the iov_base to a kernel address. Emmm… iov_base iov_len iov_base iov_len iov_base iov_len ….. kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
Compromise pipe system •  Now write something to another end of pipe •  pipe_iov_copy_to_user() won’t check the iov_base again. •  Buffers you wrote to pipe will be copied to the kernel address
········ Trigger UAF, write two 8-bytes value“A+0x20”to address = A+0x20 ↓ the 1st freed object, address is A Solution: convert UAF to arbitrary R/W ↓the 2nd freed object, address is B = A + 0x400 Use iovec to spray the heap Freed Data Freed Data Freed Freed Data Freed Data ········· base len base len base base len base len ··················· base len A + 0x20 A+0x20 base ·········· base len base len Write a buffer to pipe ,the buffer will be copied to (A + 0x20) ········· base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ········· Write a buffer to pipe again,it will be copied to KADDR KADDR can be any address value, we achieved arbitrary kernel memory overwriting 1 2 3 4 5
A brief summary of CVE-2017-0403 •  Attacker lost the file descriptor of freed object •  Cannot achieve code execution via refilling object’s function pointer •  Only be able to write the address value of freed object twice to freed object •  Proposed a new approach: compromising pipe system
Conclusion •  Most UAF bugs looks not exploitable, but there may be another way •  No idea? Put it down for a while, but do not let it go… •  Be familiar with kernel’s source code, kernel’s own feature may help your exploitation (e.g. pipe for CVE-2017-0403)
Di shen pacsec_final

Recommended

Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 

Recommended

Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026PacSecJP
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...CODE BLUE
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programmingkozossakai
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceJason Choi
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisChong-Kuan Chen
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?inaz2
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Audit
AuditAudit
AuditMark Ellzey Thomas
 
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT SuiteShota Shinogi
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
Real-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEReal-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEWasim Halani
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCanSecWest
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web WorkshopDennis Maldonado
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3PacSecJP
 

More Related Content

What's hot

Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slidesPacSecJP
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...CODE BLUE
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisTamas K Lengyel
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRootedCON
 
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...CODE BLUE
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCanSecWest
 
Real-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEReal-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEWasim Halani
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCanSecWest
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat Security Conference
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)Javier Junquera
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...CODE BLUE
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume CompromiseZach Grace
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersTazdrumm3r
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web WorkshopDennis Maldonado
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Shota Shinogi
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsTazdrumm3r
 

What's hot (20)

Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Audit
AuditAudit
Audit
 
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
Real-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEReal-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFE
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
 

Viewers also liked

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02PacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3PacSecJP
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalPacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2PacSecJP
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-finalPacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpPacSecJP
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecPacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...PacSecJP
 

Viewers also liked (9)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 

Similar to Di shen pacsec_final

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OYourHelper1
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...Priyanka Aash
 
Operating OPNFV: Deploy it, test it, run it
Operating OPNFV: Deploy it, test it, run itOperating OPNFV: Deploy it, test it, run it
Operating OPNFV: Deploy it, test it, run itOPNFV
 
GOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesGOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesAlexandra Masterson
 
story_of_bpf-1.pdf
story_of_bpf-1.pdfstory_of_bpf-1.pdf
story_of_bpf-1.pdfhegikip775
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Christian Schneider
 
Service Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud InternalsService Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud InternalsAleksandr Tarasov
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeFelipe Prado
 
A.I. Exercise.
A.I. Exercise.A.I. Exercise.
A.I. Exercise.Mario Cho
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksAnne Nicolas
 
Breaking paravirtualized devices
Breaking paravirtualized devicesBreaking paravirtualized devices
Breaking paravirtualized devicesPriyanka Aash
 
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOPHOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOPMykola Novik
 
Can secwest2011 flash_actionscript
Can secwest2011 flash_actionscriptCan secwest2011 flash_actionscript
Can secwest2011 flash_actionscriptCraft Symbol
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device DriversNEEVEE Technologies
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022Stefano Stabellini
 
Python pyenv virtualenv
Python pyenv virtualenvPython pyenv virtualenv
Python pyenv virtualenvMario Cho
 

Similar to Di shen pacsec_final (20)

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Operating OPNFV: Deploy it, test it, run it
Operating OPNFV: Deploy it, test it, run itOperating OPNFV: Deploy it, test it, run it
Operating OPNFV: Deploy it, test it, run it
 
GOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesGOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter Slides
 
story_of_bpf-1.pdf
story_of_bpf-1.pdfstory_of_bpf-1.pdf
story_of_bpf-1.pdf
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Service Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud InternalsService Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud Internals
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
 
A.I. Exercise.
A.I. Exercise.A.I. Exercise.
A.I. Exercise.
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Breaking paravirtualized devices
Breaking paravirtualized devicesBreaking paravirtualized devices
Breaking paravirtualized devices
 
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOPHOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Can secwest2011 flash_actionscript
Can secwest2011 flash_actionscriptCan secwest2011 flash_actionscript
Can secwest2011 flash_actionscript
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 
Python pyenv virtualenv
Python pyenv virtualenvPython pyenv virtualenv
Python pyenv virtualenv
 

More from PacSecJP

Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jPacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalPacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpPacSecJP
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaPacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpPacSecJP
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpPacSecJP
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finPacSecJP
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalPacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaPacSecJP
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedPacSecJP
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3PacSecJP
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2PacSecJP
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalPacSecJP
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaPacSecJP
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpPacSecJP
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)PacSecJP
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalPacSecJP
 
Moony li pacsec-1.8
Moony li pacsec-1.8Moony li pacsec-1.8
Moony li pacsec-1.8PacSecJP
 

More from PacSecJP (19)

Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
 
Moony li pacsec-1.8
Moony li pacsec-1.8Moony li pacsec-1.8
Moony li pacsec-1.8
 

Recently uploaded

GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebJames Anderson
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Roomishabajaj13
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceDelhi Call girls
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...tanu pandey
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...APNIC
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGAPNIC
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 

Recently uploaded (20)

GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark WebGDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
GDG Cloud Southlake 32: Kyle Hettinger: Demystifying the Dark Web
 
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Sukhdev Vihar Delhi 💯Call Us 🔝8264348440🔝
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Saket Delhi 💯Call Us 🔝8264348440🔝
 
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With RoomVIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
VIP Kolkata Call Girl Salt Lake 👉 8250192130 Available With Room
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 26 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Pratap Nagar Delhi 💯Call Us 🔝8264348440🔝
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Ishita 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 22 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls KolkataRussian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
Russian Call Girls in Kolkata Samaira 🤌 8250192130 🚀 Vip Call Girls Kolkata
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 

Di shen pacsec_final

  • 1. The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent
  • 2. whoami •  Di Shen a.k.a. Retme (@returnsme) •  Member of Keen Lab •  Android Kernel vulnerability hunting and exploitation since 2014 •  Aim: to make out universal rooting exploit for Android •  Trophy: •  CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c) •  CVE-2015-1805 (fs/pipe.c) ’s first working exploit •  CVE-2015-4421,4422 (Huawei TrustZone) •  KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’) •  Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’) •  And more To Be Announced in the future •  Available on https://github.com/retme7/My-Slides
  • 3. Agenda •  Rooting Android: Current situation •  Overview of exploiting UAF in kernel •  Conventional approach •  Afterwards: Gain root •  The Unconventional UAFs •  Implementation of perf system •  Exploiting CVE-2017-0403 •  Exploiting CVE-2016-6787 •  Conclusion
  • 4. Rooting Android: Current situation • Universal exploitable vulnerability is rare •  Available attack surface: •  Generic Linux syscalls •  Android universal drivers like Binder, ION, Ashmem
  • 5. Rooting Android: Current situation • Enforced SELinux policy •  Most of device drivers are inaccessible •  Many syscalls are not reachable from untrusted Application •  Sockets ioctl commands are partially restricted
  • 6. Rooting Android: Current situation •  Verified Boot through dm-verity kernel feature •  The gained root privilege is nonpersistent
  • 7. Rooting Android: Future challenges •  Privileged Access Never (PAN) •  KASLR •  Pointer Authentication
  • 8. Overview of exploiting UAF in kernel •  An easily exploitable UAF bug normally has following features: •  Has a function pointer in freed object •  Attacker has plenty of time to refill the freed object.
  • 9. Conventional approach of UAF exploitation struct socket (freed) ops->ioctl(…) struct socket (refilled) ops->ioctl(…) JOP gadgets •  Free the victim object •  Refill the object with malformed data by heap spraying or ret2dir •  Let the function pointer point to ROP/JOP gadgets in kernel •  Ask kernel reference this function pointer to achieve arbitrary kernel code execution ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
  • 10. Afterwards, from code execution to root Arbitrary kernel code execuAon Overwrite process's addr_limit Arbitrary kernel memory overwriAng Overwrite uid, security id, selinux_enforcing
  • 11. However… •  Not every UAF bug in kernel is so that idealized •  More unconventional situation to deal with… •  The victim object may don’t have a function pointer •  The kernel may crash soon after UAF triggered •  The attacker may cannot fully controlled the freed object
  • 12. The unconventional UAFs I found •  All found in sys_perf_event_open() •  Perf system is pretty buggy •  Reachable by application last year •  But now it’s restricted by a feature called “perf_event_paranoid”
  • 13. The unconventional UAFs I found •  CVE-2017-0403 •  Ever affected all devices shipped with 3.10 or earlier Linux kernel •  More than 14 million users of KingRoot gain root privilege on their smart phones •  CVE-2016-6787 •  Ever affected all Qualcomm-based devices. (Only Qucalcomm enabled hardware perf event…) •  A part of my exploit chain to bypass Samsung KNOX 2.6
  • 14. sys_perf_event_open() •  Will create a perf_event •  Input: perf_event_attr •  A description of what kind of performance event you need •  Input: group_fd (optional) •  Specify the group leader of new perf_event •  Return the fd of perf_event to user space
  • 15. Key kernel objects in perf system •  perf_event •  A performance event which is registered by user •  perf_event_context •  The container of all perf events created in one process •  Each process has two contexts, one for software events, other one for hardware events •  Perf group and group leader •  Multiple events can form a group •  One event is the leader perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
  • 16. move_group •  Happens when user try to create a hardware event in pure software group
  • 17. CVE-2016-6787 Remove the group_leader from origin software context and then install it to hardware context Remove every event from software context, and then install it to new hardware context ’move_group‘ leads to reducing context’s refcont by one
  • 18. CVE-2016-6787 •  move_group ignored the concurrency issues •  UAF happens due to race condition •  Attacker trigger the move_group on same group leader simultaneously, •  The ref count of group_leader->ctx may be reduced to zero •  task_struct->perf_event_ctxp[perf_sw_context] will be freed accidently The object is freed
  • 19. Free perf_event_context (PoC) Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) ctx->refcount = 1 ctx->refcount = 2 ctx->refcount = 0
  • 20. Kernel crashed instantly •  Kernel crashed soon after we freed the perf_event_context •  Thread scheduler need to reference this object consecutively •  We don‘t have plenty of time to refill the object L
  • 21. Solution: freeze thread after free •  Keep thread scheduler away from me •  Switch the status of attacker’s thread from running to (un)interruptible •  The thread will be frozen and kernel won’t crash as soon as perf_event_context freed
  • 22. How to freeze a thread from user land? •  Sleep() ? Not working •  Use futex_wait_queue_me() switch to interrupAble freezable_schedule()
  • 24. A brief summary of CVE-2016-6787 •  Easy to win the race, and trigger the bug •  Hard to refill the freed object (no time) •  Easy to control the code flow (corrupted object has function pointer) •  Proposed an approach of thread freezing to gain more time to refill object
  • 25. Review: relationship of perf event, group and group leader •  Group leader has a sibling_list •  sibling_list is a list of perf events which belongs this group perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
  • 26. CVE-2017-0403 (PoC) •  Create a perf event as ‘A’ •  Create another perf event as ‘B’, specify ‘A’ as its group leader •  Free ‘A’,the group leader •  Free ‘B’, a sibling of group ß---- UAF happens here
  • 27. Root cause •  Now group leader ‘A’ is freed •  Kernel doesn’t empty its sibling list •  Leads to leaving a dangling pointer in sibling’s event->group_entry
  • 28. Root cause •  Later on the sibling ‘B’ is freed •  list_del_event() •  list_del_init(&event->group_entry); •  overwrite a pointer to the freed group leader.
  • 29. •  Slub poinson infomation •  0xfffffc00fc2b1a0 is overwritten to (group_leader+ 0x20)
  • 30. The unconventional scenario •  The only thing I can do is overwritting the freed object as following *(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
  • 31. Pipe subsystem in Linux •  readv() & writev(): read/write multiple buffers through pipe •  Use an array of struct iovec{iov_base,iov_len} to describe user buffers •  When no contents available from the write end, readv() may block in kernel •  Then an array of struct iovec{} may stay in kernel’s heap
  • 32. Compromise pipe system •  Call readv() •  rw_copy_check_uvector() confirm every iov_base must points to userland space. •  An array of struct iovec{} now is in heap. Nothing comes from the write end of pipe, so readv() block. •  If you can somehow overwrite the iovec{}, modify the iov_base to a kernel address. Emmm… iov_base iov_len iov_base iov_len iov_base iov_len ….. kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
  • 33. Compromise pipe system •  Now write something to another end of pipe •  pipe_iov_copy_to_user() won’t check the iov_base again. •  Buffers you wrote to pipe will be copied to the kernel address
  • 34. ········ Trigger UAF, write two 8-bytes value“A+0x20”to address = A+0x20 ↓ the 1st freed object, address is A Solution: convert UAF to arbitrary R/W ↓the 2nd freed object, address is B = A + 0x400 Use iovec to spray the heap Freed Data Freed Data Freed Freed Data Freed Data ········· base len base len base base len base len ··················· base len A + 0x20 A+0x20 base ·········· base len base len Write a buffer to pipe ,the buffer will be copied to (A + 0x20) ········· base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ········· Write a buffer to pipe again,it will be copied to KADDR KADDR can be any address value, we achieved arbitrary kernel memory overwriting 1 2 3 4 5
  • 35. A brief summary of CVE-2017-0403 •  Attacker lost the file descriptor of freed object •  Cannot achieve code execution via refilling object’s function pointer •  Only be able to write the address value of freed object twice to freed object •  Proposed a new approach: compromising pipe system
  • 36. Conclusion •  Most UAF bugs looks not exploitable, but there may be another way •  No idea? Put it down for a while, but do not let it go… •  Be familiar with kernel’s source code, kernel’s own feature may help your exploitation (e.g. pipe for CVE-2017-0403)