Schedule

Since 1998, when templates and RAII(1) were introduced to string_view in C++17, we ended up with complex and tangled set of features being used by a variety of vendors. C++ 's complexity creates new scenarios of undefined behavior, with each new standard, that could cause a program to be in an undefined state, but it also fixes old standard bugs and shatters bad code habits and vulnerable patterns that were seen in the past.

This talk will show how the process of vulnerability hunting within C++ has changed over the years. It will give a deep dive into some of the hidden problems and gems C++ Standard has and how it influences our research methodology. How can we look for incorrect usage in C++ Binaries? Does the language become safer or do newly-introduced features make our lives more complicated?

(1) https://en.cppreference.com/w/cpp/language/raii

Brida 0.4

New Brida major version (v0.4) will be released at the Hack In Paris 2020 security conference, with many new features.

First of all, Frida hooks for common tasks have been included in Brida, directly callable from the GUI of the tool with a click of the mouse! These scripts include the most recent hooks for Android and iOS platforms that handle the following tasks:

• SSL/TLS pinning bypass
• jailbreak/rooting bypass
• fingerprint bypass
• keychain/keystore dump
• encrypted apps dump
• hooking of common cryptographic routines
• and more…

Then, a new engine has been developed. Previous versions of the tool required to code custom plugins that used the Brida engine to take advantage of dynamic instrumentation of mobile applications to face complex tasks. Now thanks to a new powerful engine, in most situations it will no longer be necessary to write a single line of code! New high-customizable engine will allow to graphically create custom plugins to:

• Process requests/responses that pass through every Burp Suite tool, in order to be able to encrypt/decrypt/resign elements of requests and responses using Frida exported functions
• Add custom context menu options to invoke Frida exported functions on requests and responses
• Add buttons that invoke Frida exported functions

Live demo!

New features of Brida will be shown in a live demo, in which a mobile application with strong encryption and signature features will be used to demonstrate how Brida can be used to handle these situations, decreasing the necessary reversing effort and completely removing the developing effort! We love live demos during conferences, what can go wrong! :)

In all this conflict, it is easy to lose sight of the goal that both teams have: protect people. To this end, we offer some personal history of our own experience navigating the troubled waters dividing red and blue, provide some strategies to bridge that gap, and share some technical insights as examples gained by a cooperative, open environment which encourages the pursuit of excellence and the shared goal of protecting people

RM processors have been widely used in embedded devices. As more and more IoT devices appear in our lives, the security issues have been widely concerned. When the hacker wants to attack a certain type of device, he often chooses to extract the firmware first, and then conducts the attack by reverse engineering. At the same time, the technical details of the manufacturer’s equipment, which involves the protection of intellectual property rights, can also be directly affected by reverse engineering.

In order to resist reverse engineering, the first thing for many manufacturers have done is deterring through legal methods, such as writing a clause prohibiting reverse engineering in the use agreement. But attackers rarely pay attention. Technically, due to cost and efficiency limitations, many mature PC software protection schemes cannot be implemented. Embedded devices often have read-write protection, execute-only and other means for substitution, which increases the cost of reverse engineering. But traditional methods can hardly detect and obtain evidence.

In this speech I will analyze the countermeasures of firmware protection and extraction. By analyzing the characteristics of the dynamic debugging methods and tracing, I will show how to detect them, by the clues left on the device. The reverse engineering method is different from the past that these techniques can detect debugging on bare metal.

The presentation will also introduce techniques similar to honeypots. After detecting debugging, the current debugging softwares’ features can be used to trigger firmware self-modification to resist static analysis and protect the firmware content. At the same time, inducing attackers to enter pre-arranged traps that they will complete fingerprint collection, Forensics or even launch attacks on them.

Presentation outline

1. Common ways to extract firmware

2. This will detail the ways to extract firmware via

   • UART/SPI/I2C
   • SWJ
   • Jump wire to programmer

3. Defense methods against firmware extraction, and how to bypass, taking STM32 as an example

4. This will introduce the widely used techniques for firmware extraction;

5. This will detail software, non-invasive hardware and invasive hardware bypass examples to explain current defense solutions are difficult to guarantee the security;

6. Discuss how the manufactures’ application scenario like OTA makes it easier to get firmware.

7. Debugger detection

8. Dissect the ARM debugging infrastructure, namely Coresight, explain the useful registers for hardware debugging detection;

9. ETM Trace & PMU trace detection；
10. Introduce how to assess which protection method to deploy;

11. Demo 1

12. Static analyze protection with code self-modify

13. Introduce how to modify the firmware in MCU flash after detecting the debugger connectivity;

14. Explain how the shortcomings of common debugging softwares make this trick easy to be triggered;

15. Demo 2

16. Deploy the honey pot for the reverse engineer

17. Explain how to modify the original sensitive information and counterattack the reverse engineering

    • Explain how the original device will be changed to a tracker of the reverse engineer;
    • Some embedded devices have a cloud service, which is a critical target for an attacker. I’ll detail how to protect the real address and turn the attacker’s attention to a honey pot, through which the we can do fingerprinting, including the browser type, operation system, ip address, language etc, and explain how to phish the attacker, by making the cloud service design seems a little goosey;

18. Give different examples of building up a honey pot.

19. Application scenario

20. Q&A

Attendee takeaways

1. A general view of current hardware security, learn the advanced techniques in firmware extraction and how reverse engineering works ;
2. A new method to protect firmware by detecting the reverse engineering and performing self-modification, which can make the reverse engineering in vain;
3. Learn techniques to do fingerprinting, forensic and attacks on reverse engineers.

• WHID Injector (a wifi-enabled Rubberducky on steroids and its mobile app, that allows to remotely inject keystrokes and bypass air-gapped environments).
• P4wnP1 (a wifi-enabled BashBunny on steroids that allows a wide range of attacks, ranging from air-gap bypass to NET-NTLMv2 creds theft & crack a.k.a. Windows Lockpicker).
• WHID Elite (a 2G-enabled offensive device that allows a threat actor to remotely inject keystrokes, bypass air-gapped systems, conduct mousejacking attacks, do GPS or acoustic surveillance, RF replay attacks and much more).
• EvilCrow Cable & Demon Seed (Two similar malicious D.I.Y. USB cables that can inject keystrokes)
• O.MG Cable (a wifi-enabled Malicious USB HID Injecting Cable)
• USBsamurai (a RF Controlled Malicious USB HID Injecting Cable DIY for less than 10$ that can be used to compromise targets remotely in the stealthiest way ever seen & also bypass Air-Gapped Environments like a boss!)

For each of these devices, we will go through their technical specifications and operational features. Passing, of course, through some real case scenarios where you can apply them during an Adversary Simulation.

Since its appearance in Windows 10, AMSI, the Antimalware Scan Interface, has been one of the most powerful tools available to AV vendors to detect and prevent fileless malware. Instrumenting various scripting engines and frameworks, and exposing the data to vendors, which can deem it malicious, and prevent the execution of a piece of code, has as of now dethroned Powershell as the king of AV evasion, and is seemingly starting to level the playing field against various other scripting engines, and even the currently super-trendy .Net-Framework based tooling.

While a few bypasses already exist for this feature, this is never enough, as some of these techniques could be just as conspicuously as the payloads they intend to hide, and could get (and have gotten) killed by updates.

In this talk, we will try and enumerate the attack surface of the feature, discover the various strengths and shortcomings of bypasses, and discuss some new ways to bypass AMSI, as well as improvements to older techniques.

And guess what? If you mix

1) Admins(?) letting sit a poorly configured and forgotten system with a bad password for years

2) Hackers gonna hack

you got a lot of hacked servers and machines all over the world! And sometimes, all of those hacked machines are here for a long time.

Bad guy(c) are not defacing servers anymore (well, sometimes, its still true), they prefer to stay hidden under the radar. Who will suspect that the nice little blog talking about puppies and shiny diamond is the C&C server of a “yet another mirai” botnet, builds ransomware clients and spam the planet for the next magic pill?

In this talk, we will focus on the attacker point of view. We are the good guys, they are the bad guys (tm), and servers are innocent collateral victims. We’ll see how we can find the attacker, learn things, find new victims, look over the shoulders of the attacker, and continue to learn how they operate. In the end, we propose some ways to keep those attackers out of the servers, detect them, and eventually kick them out.