Monday
This commit is contained in:
commit
e8c78ecf34
9
Monday/00-Opening.md
Normal file
@ -0,0 +1,9 @@
# Opening

- Thanks
- Code of conduct
- English!
- Steaming! https://passthesalt.ubicast.com
- rumps@passthesalt.com
- social event: Tuesday evening 19pm
-
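Review bot: `- Steaming! https://passthesalt.ubicast.com` reads as a typo for "Streaming", and the trailing empty bullet `-` on the last line renders as a blank list item; suggest `- Streaming: https://passthesalt.ubicast.com` and dropping the empty bullet. `Tuesday evening 19pm` mixes 24-hour and am/pm notation; `19:00` is unambiguous.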

44
Monday/01-Debian_security_team.md
Normal file
@ -0,0 +1,44 @@
# Debian security team

- Very small team! (5-10p)
- No LTS
- debian-security-announce@lists.debian.org

## Workflow
- Single point of contact
- Day-to-day routine, distributed among humans
- Automated scripts: check CVEs, and process issues
- Process to release a DSA

## Vulns
- Public vulns
- Private vulns (embargo)
- Many drawbacks, delay, leak pb, quick and ugly fix

## Examples
- KRACK: vuln on WPA
- lot of synchronization required because protocol vuln
- Coordinated by CERT.org, not Debian itself
- During embargo: investigate the issue, then work with maintainers
- Example of well handled vuln
- Meltdown/Spectre
- Debian wasn't in the loop
- Lot of rumours, noise, before the release
- Took their time to make the fix, since there was lot of different patches
- Intel not responding to them
- pca: pacemaker
- Simple embargoed vuln

## Conclusion
- Follow security tracker
- Not all vulns are equal

## Questions
- No NDA, because no legal entity: that's why not in the loop. Sometime, trust
is enough
- CVEs come when Debian is the only one to know about the vuln first


## Personal feeling
Interesting talk, mostly informative.
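Review bot: `- No LTS` is ambiguous as written; the surrounding bullets describe the security team itself, so state what is meant (for example, that this team does not handle LTS releases) rather than leaving it to the reader. Two abbreviations are opaque: `leak pb` under Vulns and `pca: pacemaker` under Examples; expand them while the talk is fresh. Under Examples, the bullets that belong to KRACK and to Meltdown/Spectre sit at the same list level as the example names as rendered here, so indent them under their example to keep the grouping. Under Questions, the item `- No NDA, because no legal entity: that's why not in the loop. Sometime, trust` continues on the next line `is enough` without indentation; Markdown joins it by lazy continuation, but indent the continuation by two spaces so it survives reformatting, and `Sometime` should be `Sometimes`.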

23
Monday/02-r2frida.md
Normal file
@ -0,0 +1,23 @@
# Radare2

blinking slides

## What is {radare2,frida}
- r2 is an hexa editor
- frida is a debugger: you can run code inside a process easily
- Both open-source RE tools supporting lot of OS and archi
- Merging the two tools bring both worlds together

## r2frida
- `r2pm -i r2frida`
- `r2 frida://`
- scriptable in JS, Typescript
- demo time!
- Change assembly in memory while running
- Debug Gameboy game running inside emulator
- They triggered actions of a character in a Gameboy emulated game -> impressive

## Personal feeling
Good talk, mostly demo.
Should be usable for automated recording.
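Review bot: the file is `02-r2frida.md` but its title is `# Radare2`; rename the heading to match the talk (r2frida) so the index stays consistent with the other notes. `blinking slides` sits between the title and the first section as an untagged aside; move it to Personal feeling or mark it as a remark. Grammar in the bullets: `r2 is an hexa editor` should be `a hex editor`, `supporting lot of OS and archi` should be `supporting lots of OSes and architectures`, and `Merging the two tools bring both worlds together` needs `brings`.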

20
Monday/03-static_instrumentation.md
Normal file
@ -0,0 +1,20 @@
## Executable format
- Modify Loader and Kernel behaviour by modify the executable file

## LIEF
- Library to modify the executables
- Change entry point, libs, sections
- Only work with Position Independent Code (fPIC)

## Frida+LIEF
- Injecting code into Android application without root privileges

## Conclusion
- https://lief.quarklabs.com
- Stil WIP, no stable API

## Personal feeling
They said it themselves, it's quite old stuff.
Also, it looks like very young project.
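Review bot: the file opens with `## Executable format` and has no `#` title, unlike the other talk notes; add a top-level heading naming the talk. The URL `https://lief.quarklabs.com` looks misspelled (LIEF is a Quarkslab project, so the host is expected to be `lief.quarkslab.com`); verify the link before merging. Typos: `by modify the executable file` should be `by modifying`, `Only work with` should be `Only works with`, and `Stil WIP` should be `Still WIP`.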

20
Monday/04-retdec.md
Normal file
@ -0,0 +1,20 @@
# Ret(argetable)Dec(ompiler) - Machine-code decompiler

- Analysis machine-code is boring
- Toolchain based on LLVM
- They lift machine-code to LLVM IR!
- Workflow:
- Capstone2LlvmIR
- Pattern matching of LLVM IR for optimization
- Their custom Backend IR, higher level, supports `switch`, `break`, `continue`, etc...
- Still more optimizations with this IR
- Code generation
- IDA plugin
- Future: more architectures, more integration (Binary Ninja, r2, REVEN?...)


## Personal feeling
Very monotone speakers.
Basically a low-level explanations of their tool.
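Review bot: the `- Workflow:` bullet is followed by five steps (`Capstone2LlvmIR` through `Code generation`) at the same list level as rendered here, so the ordering and nesting of the pipeline is lost; indent them under `Workflow:` (or number them) so they read as a sequence. `Analysis machine-code is boring` should be `Analysing machine code is boring`, and `a low-level explanations` should be singular.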

28
Monday/05-spectre_on_android_smartphone.md
Normal file
@ -0,0 +1,28 @@
# Are there Spectre-based malware on your Android smartphone?

## Spectre on ARM (focus on ARM A53)
- List of CPUs on developers.arm.com
- A53 is not on the list
- Seems A53 does speculative execution -> may be vulnerable
- Let's test:
- Find a PoC for AArch64: ended up not working
- Implement an ARMv7 PoC for the 32bits smartphone
- Struggle to find all the needed API and instructions
- The PoC does not work, even with tuning
- Same thing with ARM A8
- Conclusion: it's hard to tell whether the CPU is vulnerable or not,
but still no PoC

## Are there Malwares in the wild
- A PoC is NOT a Malware
- Getting PoCs from there AV DB: no Malware, only PoCs
- Active detection of Spectre-based attacks

## Conclusion
- She found no Spectre-based Malware for ARM anywhere
- She found out that cache-timing attack are really not that common
- We'll have to look out in the future, but for now, the wild still seems free of Spectre on ARM

## Personal feeling
Very interesting vulgarization!
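Review bot: the `- Let's test:` bullet is followed by the test steps at the same indentation as rendered here, and the `- Conclusion:` item wraps onto an unindented `but still no PoC`; indent the sub-steps and the continuation so the structure renders. `Getting PoCs from there AV DB` should read `their AV DB`, `32bits` should be `32-bit`, `Malwares`/`Malware` are uncountable (`malware`), and `cache-timing attack are` needs the plural `attacks`. The section heading `## Are there Malwares in the wild` is a question and should end with `?`.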

11
Monday/06-cutter.md
Normal file
@ -0,0 +1,11 @@
# Cutter

- Coming from Iaito
- Not intended for r2 users, more for newcomers
- Big refactoring of old code
- Demo on IOLI:crackme0x00
- Looks a lot like Axion, but less broken (Qt, etc...)
- It seems really usable

## Personal feeling
Mostly demo, but interesting.
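Review bot: `Looks a lot like Axion, but less broken (Qt, etc...)` compares Cutter to a tool that is not introduced anywhere in the notes; name it precisely (or link it) so the comparison is still meaningful later. `etc...` appears here and in the other files; `etc.` is the standard spelling.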