Browse Source

Monday

master
Skia 3 years ago
commit
e8c78ecf34
  1. 9
      Monday/00-Opening.md
  2. 44
      Monday/01-Debian_security_team.md
  3. 23
      Monday/02-r2frida.md
  4. 20
      Monday/03-static_instrumentation.md
  5. 20
      Monday/04-retdec.md
  6. 28
      Monday/05-spectre_on_android_smartphone.md
  7. 11
      Monday/06-cutter.md

9
Monday/00-Opening.md

@ -0,0 +1,9 @@
# Opening
- Thanks
- Code of conduct
- English!
- Steaming! https://passthesalt.ubicast.com
- rumps@passthesalt.com
- social event: Tuesday evening 19pm
-

44
Monday/01-Debian_security_team.md

@ -0,0 +1,44 @@
# Debian security team
- Very small team! (5-10p)
- No LTS
- debian-security-announce@lists.debian.org
## Workflow
- Single point of contact
- Day-to-day routine, distributed among humans
- Automated scripts: check CVEs, and process issues
- Process to release a DSA
## Vulns
- Public vulns
- Private vulns (embargo)
- Many drawbacks, delay, leak pb, quick and ugly fix
## Examples
- KRACK: vuln on WPA
- lot of synchronization required because protocol vuln
- Coordinated by CERT.org, not Debian itself
- During embargo: investigate the issue, then work with maintainers
- Example of well handled vuln
- Meltdown/Spectre
- Debian wasn't in the loop
- Lot of rumours, noise, before the release
- Took their time to make the fix, since there was lot of different patches
- Intel not responding to them
- pca: pacemaker
- Simple embargoed vuln
## Conclusion
- Follow security tracker
- Not all vulns are equal
## Questions
- No NDA, because no legal entity: that's why not in the loop. Sometime, trust
is enough
- CVEs come when Debian is the only one to know about the vuln first
## Personal feeling
Interesting talk, mostly informative.

23
Monday/02-r2frida.md

@ -0,0 +1,23 @@
# Radare2
blinking slides
## What is {radare2,frida}
- r2 is an hexa editor
- frida is a debugger: you can run code inside a process easily
- Both open-source RE tools supporting lot of OS and archi
- Merging the two tools bring both worlds together
## r2frida
- `r2pm -i r2frida`
- `r2 frida://`
- scriptable in JS, Typescript
- demo time!
- Change assembly in memory while running
- Debug Gameboy game running inside emulator
- They triggered actions of a character in a Gameboy emulated game -> impressive
## Personal feeling
Good talk, mostly demo.
Should be usable for automated recording.

20
Monday/03-static_instrumentation.md

@ -0,0 +1,20 @@
## Executable format
- Modify Loader and Kernel behaviour by modify the executable file
## LIEF
- Library to modify the executables
- Change entry point, libs, sections
- Only work with Position Independent Code (fPIC)
## Frida+LIEF
- Injecting code into Android application without root privileges
## Conclusion
- https://lief.quarklabs.com
- Stil WIP, no stable API
## Personal feeling
They said it themselves, it's quite old stuff.
Also, it looks like very young project.

20
Monday/04-retdec.md

@ -0,0 +1,20 @@
# Ret(argetable)Dec(ompiler) - Machine-code decompiler
- Analysis machine-code is boring
- Toolchain based on LLVM
- They lift machine-code to LLVM IR!
- Workflow:
- Capstone2LlvmIR
- Pattern matching of LLVM IR for optimization
- Their custom Backend IR, higher level, supports `switch`, `break`, `continue`, etc...
- Still more optimizations with this IR
- Code generation
- IDA plugin
- Future: more architectures, more integration (Binary Ninja, r2, REVEN?...)
## Personal feeling
Very monotone speakers.
Basically a low-level explanations of their tool.

28
Monday/05-spectre_on_android_smartphone.md

@ -0,0 +1,28 @@
# Are there Spectre-based malware on your Android smartphone?
## Spectre on ARM (focus on ARM A53)
- List of CPUs on developers.arm.com
- A53 is not on the list
- Seems A53 does speculative execution -> may be vulnerable
- Let's test:
- Find a PoC for AArch64: ended up not working
- Implement an ARMv7 PoC for the 32bits smartphone
- Struggle to find all the needed API and instructions
- The PoC does not work, even with tuning
- Same thing with ARM A8
- Conclusion: it's hard to tell whether the CPU is vulnerable or not,
but still no PoC
## Are there Malwares in the wild
- A PoC is NOT a Malware
- Getting PoCs from there AV DB: no Malware, only PoCs
- Active detection of Spectre-based attacks
## Conclusion
- She found no Spectre-based Malware for ARM anywhere
- She found out that cache-timing attack are really not that common
- We'll have to look out in the future, but for now, the wild still seems free of Spectre on ARM
## Personal feeling
Very interesting vulgarization!

11
Monday/06-cutter.md

@ -0,0 +1,11 @@
# Cutter
- Coming from Iaito
- Not intended for r2 users, more for newcomers
- Big refactoring of old code
- Demo on IOLI:crackme0x00
- Looks a lot like Axion, but less broken (Qt, etc...)
- It seems really usable
## Personal feeling
Mostly demo, but interesting.
Loading…
Cancel
Save