SlideShare ist ein Scribd-Unternehmen logo

Di shen pacsec_final

PacSecJP
PacSecJP

PacSec2017

Internet
1 von 37
Downloaden Sie, um offline zu lesen
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent
whoami •  Di Shen a.k.a. Retme (@returnsme) •  Member of Keen Lab •  Android Kernel vulnerability hunting and exploitation since 2014 •  Aim: to make out universal rooting exploit for Android •  Trophy: •  CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c) •  CVE-2015-1805 (fs/pipe.c) ’s first working exploit •  CVE-2015-4421,4422 (Huawei TrustZone) •  KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’) •  Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’) •  And more To Be Announced in the future •  Available on https://github.com/retme7/My-Slides
Agenda •  Rooting Android: Current situation •  Overview of exploiting UAF in kernel •  Conventional approach •  Afterwards: Gain root •  The Unconventional UAFs •  Implementation of perf system •  Exploiting CVE-2017-0403 •  Exploiting CVE-2016-6787 •  Conclusion
Rooting Android: Current situation • Universal exploitable vulnerability is rare •  Available attack surface: •  Generic Linux syscalls •  Android universal drivers like Binder, ION, Ashmem
Rooting Android: Current situation • Enforced SELinux policy •  Most of device drivers are inaccessible •  Many syscalls are not reachable from untrusted Application •  Sockets ioctl commands are partially restricted
Rooting Android: Current situation •  Verified Boot through dm-verity kernel feature •  The gained root privilege is nonpersistent
Rooting Android: Future challenges •  Privileged Access Never (PAN) •  KASLR •  Pointer Authentication
Overview of exploiting UAF in kernel •  An easily exploitable UAF bug normally has following features: •  Has a function pointer in freed object •  Attacker has plenty of time to refill the freed object.
Conventional approach of UAF exploitation struct socket (freed) ops->ioctl(…) struct socket (refilled) ops->ioctl(…) JOP gadgets •  Free the victim object •  Refill the object with malformed data by heap spraying or ret2dir •  Let the function pointer point to ROP/JOP gadgets in kernel •  Ask kernel reference this function pointer to achieve arbitrary kernel code execution ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
Afterwards, from code execution to root Arbitrary kernel code execuAon Overwrite process's addr_limit Arbitrary kernel memory overwriAng Overwrite uid, security id, selinux_enforcing
However… •  Not every UAF bug in kernel is so that idealized •  More unconventional situation to deal with… •  The victim object may don’t have a function pointer •  The kernel may crash soon after UAF triggered •  The attacker may cannot fully controlled the freed object
The unconventional UAFs I found •  All found in sys_perf_event_open() •  Perf system is pretty buggy •  Reachable by application last year •  But now it’s restricted by a feature called “perf_event_paranoid”
The unconventional UAFs I found •  CVE-2017-0403 •  Ever affected all devices shipped with 3.10 or earlier Linux kernel •  More than 14 million users of KingRoot gain root privilege on their smart phones •  CVE-2016-6787 •  Ever affected all Qualcomm-based devices. (Only Qucalcomm enabled hardware perf event…) •  A part of my exploit chain to bypass Samsung KNOX 2.6
sys_perf_event_open() •  Will create a perf_event •  Input: perf_event_attr •  A description of what kind of performance event you need •  Input: group_fd (optional) •  Specify the group leader of new perf_event •  Return the fd of perf_event to user space
Key kernel objects in perf system •  perf_event •  A performance event which is registered by user •  perf_event_context •  The container of all perf events created in one process •  Each process has two contexts, one for software events, other one for hardware events •  Perf group and group leader •  Multiple events can form a group •  One event is the leader perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
move_group •  Happens when user try to create a hardware event in pure software group
CVE-2016-6787 Remove the group_leader from origin software context and then install it to hardware context Remove every event from software context, and then install it to new hardware context ’move_group‘ leads to reducing context’s refcont by one
CVE-2016-6787 •  move_group ignored the concurrency issues •  UAF happens due to race condition •  Attacker trigger the move_group on same group leader simultaneously, •  The ref count of group_leader->ctx may be reduced to zero •  task_struct->perf_event_ctxp[perf_sw_context] will be freed accidently The object is freed
Free perf_event_context (PoC) Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) ctx->refcount = 1 ctx->refcount = 2 ctx->refcount = 0
Kernel crashed instantly •  Kernel crashed soon after we freed the perf_event_context •  Thread scheduler need to reference this object consecutively •  We don‘t have plenty of time to refill the object L
Solution: freeze thread after free •  Keep thread scheduler away from me •  Switch the status of attacker’s thread from running to (un)interruptible •  The thread will be frozen and kernel won’t crash as soon as perf_event_context freed
How to freeze a thread from user land? •  Sleep() ? Not working •  Use futex_wait_queue_me() switch to interrupAble freezable_schedule()
Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) futext_wait_queue_me() Phase 1 Phase 2 Spraying the heap by using ‘ret2dir’ trick, fill a malformed perf_event_context{} in every 1024 bytes Use futex_wake() wake up main thread Phase 4 schedule() finish_task_switch() perf_event_context_sched_in() ctx->pmu->pmu_disable() Phase 3
A brief summary of CVE-2016-6787 •  Easy to win the race, and trigger the bug •  Hard to refill the freed object (no time) •  Easy to control the code flow (corrupted object has function pointer) •  Proposed an approach of thread freezing to gain more time to refill object
Review: relationship of perf event, group and group leader •  Group leader has a sibling_list •  sibling_list is a list of perf events which belongs this group perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
CVE-2017-0403 (PoC) •  Create a perf event as ‘A’ •  Create another perf event as ‘B’, specify ‘A’ as its group leader •  Free ‘A’,the group leader •  Free ‘B’, a sibling of group ß---- UAF happens here
Root cause •  Now group leader ‘A’ is freed •  Kernel doesn’t empty its sibling list •  Leads to leaving a dangling pointer in sibling’s event->group_entry
Root cause •  Later on the sibling ‘B’ is freed •  list_del_event() •  list_del_init(&event->group_entry); •  overwrite a pointer to the freed group leader.
•  Slub poinson infomation •  0xfffffc00fc2b1a0 is overwritten to (group_leader+ 0x20)
The unconventional scenario •  The only thing I can do is overwritting the freed object as following *(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
Pipe subsystem in Linux •  readv() & writev(): read/write multiple buffers through pipe •  Use an array of struct iovec{iov_base,iov_len} to describe user buffers •  When no contents available from the write end, readv() may block in kernel •  Then an array of struct iovec{} may stay in kernel’s heap
Compromise pipe system •  Call readv() •  rw_copy_check_uvector() confirm every iov_base must points to userland space. •  An array of struct iovec{} now is in heap. Nothing comes from the write end of pipe, so readv() block. •  If you can somehow overwrite the iovec{}, modify the iov_base to a kernel address. Emmm… iov_base iov_len iov_base iov_len iov_base iov_len ….. kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
Compromise pipe system •  Now write something to another end of pipe •  pipe_iov_copy_to_user() won’t check the iov_base again. •  Buffers you wrote to pipe will be copied to the kernel address
········ Trigger UAF, write two 8-bytes value“A+0x20”to address = A+0x20 ↓ the 1st freed object, address is A Solution: convert UAF to arbitrary R/W ↓the 2nd freed object, address is B = A + 0x400 Use iovec to spray the heap Freed Data Freed Data Freed Freed Data Freed Data ········· base len base len base base len base len ··················· base len A + 0x20 A+0x20 base ·········· base len base len Write a buffer to pipe ,the buffer will be copied to (A + 0x20) ········· base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ········· Write a buffer to pipe again,it will be copied to KADDR KADDR can be any address value, we achieved arbitrary kernel memory overwriting 1 2 3 4 5
A brief summary of CVE-2017-0403 •  Attacker lost the file descriptor of freed object •  Cannot achieve code execution via refilling object’s function pointer •  Only be able to write the address value of freed object twice to freed object •  Proposed a new approach: compromising pipe system
Conclusion •  Most UAF bugs looks not exploitable, but there may be another way •  No idea? Put it down for a while, but do not let it go… •  Be familiar with kernel’s source code, kernel’s own feature may help your exploitation (e.g. pipe for CVE-2017-0403)
Di shen pacsec_final

Empfohlen

Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
PacSecJP
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
CODE BLUE
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
inaz2
 

Empfohlen

Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
PacSecJP
 
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...
CODE BLUE
 
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel by...
CODE BLUE
 
Auditing the Opensource Kernels
Auditing the Opensource KernelsAuditing the Opensource Kernels
Auditing the Opensource Kernels
Silvio Cesare
 
Possibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented ProgrammingPossibility of arbitrary code execution by Step-Oriented Programming
Possibility of arbitrary code execution by Step-Oriented Programming
kozossakai
 
Automated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security IntelligenceAutomated Malware Analysis and Cyber Security Intelligence
Automated Malware Analysis and Cyber Security Intelligence
Jason Choi
 
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware AnalysisInside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Inside the Matrix,How to Build Transparent Sandbox for Malware Analysis
Chong-Kuan Chen
 
Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?Can We Prevent Use-after-free Attacks?
Can We Prevent Use-after-free Attacks?
inaz2
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
PacSecJP
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
Tamas K Lengyel
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
RootedCON
 
Audit
AuditAudit
Audit
Mark Ellzey Thomas
 
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...
CODE BLUE
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
Shota Shinogi
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
CanSecWest
 
Real-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEReal-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFE
Wasim Halani
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
FFRI, Inc.
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
Javier Junquera
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
CODE BLUE
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
Zach Grace
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
Tazdrumm3r
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
Dennis Maldonado
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Shota Shinogi
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
Tazdrumm3r
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
PacSecJP
 

Weitere ähnliche Inhalte

Was ist angesagt?

Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
CODE BLUE
 
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...
CODE BLUE
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
OlehLevytskyi1
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
CanSecWest
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat Security Conference
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
CODE BLUE
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
Tazdrumm3r
 

Was ist angesagt? (20)

Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
 
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...Industroyer: biggest threat to industrial control systems since Stuxnet by An...
Industroyer: biggest threat to industrial control systems since Stuxnet by An...
 
Stealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware AnalysisStealthy, Hypervisor-based Malware Analysis
Stealthy, Hypervisor-based Malware Analysis
 
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valeroRooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
Rooted2020 roapt evil-mass_storage_-_tu-ya_aqui_-_david_reguera_-_abel_valero
 
Audit
AuditAudit
Audit
 
Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...Detection index learning based on cyber threat intelligence and its applicati...
Detection index learning based on cyber threat intelligence and its applicati...
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
ShinoBOT Suite
ShinoBOT SuiteShinoBOT Suite
ShinoBOT Suite
 
Csw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physicalCsw2016 economou nissim-getting_physical
Csw2016 economou nissim-getting_physical
 
Real-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFEReal-Time Static Malware Analysis using NepenthesFE
Real-Time Static Malware Analysis using NepenthesFE
 
Csw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromisedCsw2016 chen grassi-he-apple_graphics_is_compromised
Csw2016 chen grassi-he-apple_graphics_is_compromised
 
BlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deceptionBlueHat v18 || The matrix has you - protecting linux using deception
BlueHat v18 || The matrix has you - protecting linux using deception
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)The day I ruled the world (RootedCON 2020)
The day I ruled the world (RootedCON 2020)
 
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
Revealing the Attack Operations Targeting Japan by Shusei Tomonaga & Yuu Nak...
 
Assume Compromise
Assume CompromiseAssume Compromise
Assume Compromise
 
Malware analysis - What to learn from your invaders
Malware analysis - What to learn from your invadersMalware analysis - What to learn from your invaders
Malware analysis - What to learn from your invaders
 
Metasploit for Web Workshop
Metasploit for Web WorkshopMetasploit for Web Workshop
Metasploit for Web Workshop
 
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
Introduction of ShinoBOT (Black Hat USA 2013 Arsenal)
 
Bsides detroit 2013 honeypots
Bsides detroit 2013 honeypotsBsides detroit 2013 honeypots
Bsides detroit 2013 honeypots
 

Andere mochten auch

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
PacSecJP
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
 

Andere mochten auch (9)

Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 

Ähnlich wie Di shen pacsec_final

One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
Priyanka Aash
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Christian Schneider
 
Service Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud InternalsService Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud Internals
Aleksandr Tarasov
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
Hackito Ergo Sum
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
Stefano Stabellini
 

Ähnlich wie Di shen pacsec_final (20)

Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
Linux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/OLinux System Programming - Advanced File I/O
Linux System Programming - Advanced File I/O
 
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
One bite and all your dreams will come true: Analyzing and Attacking Apple Ke...
 
Operating OPNFV: Deploy it, test it, run it
Operating OPNFV: Deploy it, test it, run itOperating OPNFV: Deploy it, test it, run it
Operating OPNFV: Deploy it, test it, run it
 
GOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter SlidesGOTO Night with Charles Nutter Slides
GOTO Night with Charles Nutter Slides
 
story_of_bpf-1.pdf
story_of_bpf-1.pdfstory_of_bpf-1.pdf
story_of_bpf-1.pdf
 
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
Serial Killer - Silently Pwning your Java Endpoints // OWASP BeNeLux Day 2016
 
Service Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud InternalsService Discovery. Spring Cloud Internals
Service Discovery. Spring Cloud Internals
 
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with bineeDEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
DEF CON 27 - KYLE GWINNUP - next generation process emulation with binee
 
A.I. Exercise.
A.I. Exercise.A.I. Exercise.
A.I. Exercise.
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecksKernel Recipes 2015: Solving the Linux storage scalability bottlenecks
Kernel Recipes 2015: Solving the Linux storage scalability bottlenecks
 
Breaking paravirtualized devices
Breaking paravirtualized devicesBreaking paravirtualized devices
Breaking paravirtualized devices
 
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOPHOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
HOW TO DEAL WITH BLOCKING CODE WITHIN ASYNCIO EVENT LOOP
 
fg.workshop: Software vulnerability
fg.workshop: Software vulnerabilityfg.workshop: Software vulnerability
fg.workshop: Software vulnerability
 
Can secwest2011 flash_actionscript
Can secwest2011 flash_actionscriptCan secwest2011 flash_actionscript
Can secwest2011 flash_actionscript
 
Introduction Linux Device Drivers
Introduction Linux Device DriversIntroduction Linux Device Drivers
Introduction Linux Device Drivers
 
4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh4055-841_Project_ShailendraSadh
4055-841_Project_ShailendraSadh
 
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022System Device Tree and Lopper: Concrete Examples - ELC NA 2022
System Device Tree and Lopper: Concrete Examples - ELC NA 2022
 
Python pyenv virtualenv
Python pyenv virtualenvPython pyenv virtualenv
Python pyenv virtualenv
 

Mehr von PacSecJP

Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
PacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
PacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
PacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
PacSecJP
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
PacSecJP
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
PacSecJP
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
PacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
PacSecJP
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
PacSecJP
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
PacSecJP
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
PacSecJP
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
PacSecJP
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
PacSecJP
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
PacSecJP
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
PacSecJP
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
PacSecJP
 

Mehr von PacSecJP (19)

Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Kavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_finKavya racharla ndh-naropanth_fin
Kavya racharla ndh-naropanth_fin
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
 
Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
 
Moony li pacsec-1.8
Moony li pacsec-1.8Moony li pacsec-1.8
Moony li pacsec-1.8
 

Kürzlich hochgeladen

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
kumargunjan9515
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
SOFTTECHHUB
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Monica Sydney
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
F
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
kumargunjan9515
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Monica Sydney
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
F
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
ydyuyu
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
ydyuyu
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Monica Sydney
 

Kürzlich hochgeladen (20)

Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
Local Call Girls in Seoni 9332606886 HOT & SEXY Models beautiful and charmin...
 
Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024Leading-edge AI Image Generators of 2024
Leading-edge AI Image Generators of 2024
 
Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.Meaning of On page SEO & its process in detail.
Meaning of On page SEO & its process in detail.
 
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girlsRussian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
Russian Call girls in Abu Dhabi 0508644382 Abu Dhabi Call girls
 
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime BalliaBallia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
Ballia Escorts Service Girl ^ 9332606886, WhatsApp Anytime Ballia
 
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac RoomVip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
Vip Firozabad Phone 8250092165 Escorts Service At 6k To 30k Along With Ac Room
 
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrStory Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
Story Board.pptxrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr
 
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
best call girls in Hyderabad Finest Escorts Service 📞 9352988975 📞 Available ...
 
PIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsxPIC Microcontroller Structure & Assembly Language.ppsx
PIC Microcontroller Structure & Assembly Language.ppsx
 
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
Call girls Service Canacona - 8250092165 Our call girls are sure to provide y...
 
一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理一比一原版田纳西大学毕业证如何办理
一比一原版田纳西大学毕业证如何办理
 
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
Sensual Call Girls in Tarn Taran Sahib { 9332606886 } VVIP NISHA Call Girls N...
 
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu DhabiAbu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
Abu Dhabi Escorts Service 0508644382 Escorts in Abu Dhabi
 
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
Local Call Girls in Gomati 9332606886 HOT & SEXY Models beautiful and charmi...
 
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
20240507 QFM013 Machine Intelligence Reading List April 2024.pdf
 
一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理一比一原版奥兹学院毕业证如何办理
一比一原版奥兹学院毕业证如何办理
 
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
原版制作美国爱荷华大学毕业证(iowa毕业证书)学位证网上存档可查
 
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime NagercoilNagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
Nagercoil Escorts Service Girl ^ 9332606886, WhatsApp Anytime Nagercoil
 
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查在线制作约克大学毕业证(yu毕业证)在读证明认证可查
在线制作约克大学毕业证(yu毕业证)在读证明认证可查
 
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi EscortsIndian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
Indian Escort in Abu DHabi 0508644382 Abu Dhabi Escorts
 

Di shen pacsec_final

  • 1. The Art of Exploiting Unconventional Use-after-free Bugs in Android Kernel Di Shen a.k.a. Retme (@returnsme) Keen Lab of Tencent
  • 2. whoami •  Di Shen a.k.a. Retme (@returnsme) •  Member of Keen Lab •  Android Kernel vulnerability hunting and exploitation since 2014 •  Aim: to make out universal rooting exploit for Android •  Trophy: •  CVE-2016-6787 & CVE-2017-0403 (kernel/events/core.c) •  CVE-2015-1805 (fs/pipe.c) ’s first working exploit •  CVE-2015-4421,4422 (Huawei TrustZone) •  KNOX Bypassing on Samsung Galaxy S7 (BHUSA 17’) •  Exploiting Wireless Extension for all common Wi-Fi chipsets (BHEU 16’) •  And more To Be Announced in the future •  Available on https://github.com/retme7/My-Slides
  • 3. Agenda •  Rooting Android: Current situation •  Overview of exploiting UAF in kernel •  Conventional approach •  Afterwards: Gain root •  The Unconventional UAFs •  Implementation of perf system •  Exploiting CVE-2017-0403 •  Exploiting CVE-2016-6787 •  Conclusion
  • 4. Rooting Android: Current situation • Universal exploitable vulnerability is rare •  Available attack surface: •  Generic Linux syscalls •  Android universal drivers like Binder, ION, Ashmem
  • 5. Rooting Android: Current situation • Enforced SELinux policy •  Most of device drivers are inaccessible •  Many syscalls are not reachable from untrusted Application •  Sockets ioctl commands are partially restricted
  • 6. Rooting Android: Current situation •  Verified Boot through dm-verity kernel feature •  The gained root privilege is nonpersistent
  • 7. Rooting Android: Future challenges •  Privileged Access Never (PAN) •  KASLR •  Pointer Authentication
  • 8. Overview of exploiting UAF in kernel •  An easily exploitable UAF bug normally has following features: •  Has a function pointer in freed object •  Attacker has plenty of time to refill the freed object.
  • 9. Conventional approach of UAF exploitation struct socket (freed) ops->ioctl(…) struct socket (refilled) ops->ioctl(…) JOP gadgets •  Free the victim object •  Refill the object with malformed data by heap spraying or ret2dir •  Let the function pointer point to ROP/JOP gadgets in kernel •  Ask kernel reference this function pointer to achieve arbitrary kernel code execution ioctl(sockfd,…) kernel_sock_ioctl() JOP gadgets
  • 10. Afterwards, from code execution to root Arbitrary kernel code execuAon Overwrite process's addr_limit Arbitrary kernel memory overwriAng Overwrite uid, security id, selinux_enforcing
  • 11. However… •  Not every UAF bug in kernel is so that idealized •  More unconventional situation to deal with… •  The victim object may don’t have a function pointer •  The kernel may crash soon after UAF triggered •  The attacker may cannot fully controlled the freed object
  • 12. The unconventional UAFs I found •  All found in sys_perf_event_open() •  Perf system is pretty buggy •  Reachable by application last year •  But now it’s restricted by a feature called “perf_event_paranoid”
  • 13. The unconventional UAFs I found •  CVE-2017-0403 •  Ever affected all devices shipped with 3.10 or earlier Linux kernel •  More than 14 million users of KingRoot gain root privilege on their smart phones •  CVE-2016-6787 •  Ever affected all Qualcomm-based devices. (Only Qucalcomm enabled hardware perf event…) •  A part of my exploit chain to bypass Samsung KNOX 2.6
  • 14. sys_perf_event_open() •  Will create a perf_event •  Input: perf_event_attr •  A description of what kind of performance event you need •  Input: group_fd (optional) •  Specify the group leader of new perf_event •  Return the fd of perf_event to user space
  • 15. Key kernel objects in perf system •  perf_event •  A performance event which is registered by user •  perf_event_context •  The container of all perf events created in one process •  Each process has two contexts, one for software events, other one for hardware events •  Perf group and group leader •  Multiple events can form a group •  One event is the leader perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
  • 16. move_group •  Happens when user try to create a hardware event in pure software group
  • 17. CVE-2016-6787 Remove the group_leader from origin software context and then install it to hardware context Remove every event from software context, and then install it to new hardware context ’move_group‘ leads to reducing context’s refcont by one
  • 18. CVE-2016-6787 •  move_group ignored the concurrency issues •  UAF happens due to race condition •  Attacker trigger the move_group on same group leader simultaneously, •  The ref count of group_leader->ctx may be reduced to zero •  task_struct->perf_event_ctxp[perf_sw_context] will be freed accidently The object is freed
  • 19. Free perf_event_context (PoC) Create a soJware group_leader Create a hardware perf_event Create a hardware perf_event Main thread Sub thread-1 Sub thread-2 move_group, put_ctx() move_group, put_ctx() kfree_rcu(perf_event_context) ctx->refcount = 1 ctx->refcount = 2 ctx->refcount = 0
  • 20. Kernel crashed instantly •  Kernel crashed soon after we freed the perf_event_context •  Thread scheduler need to reference this object consecutively •  We don‘t have plenty of time to refill the object L
  • 21. Solution: freeze thread after free •  Keep thread scheduler away from me •  Switch the status of attacker’s thread from running to (un)interruptible •  The thread will be frozen and kernel won’t crash as soon as perf_event_context freed
  • 22. How to freeze a thread from user land? •  Sleep() ? Not working •  Use futex_wait_queue_me() switch to interrupAble freezable_schedule()
  • 24. A brief summary of CVE-2016-6787 •  Easy to win the race, and trigger the bug •  Hard to refill the freed object (no time) •  Easy to control the code flow (corrupted object has function pointer) •  Proposed an approach of thread freezing to gain more time to refill object
  • 25. Review: relationship of perf event, group and group leader •  Group leader has a sibling_list •  sibling_list is a list of perf events which belongs this group perf_sw_context perf_hw_context task_struct event event event event_list event (group_leader) event (group_leader)
  • 26. CVE-2017-0403 (PoC) •  Create a perf event as ‘A’ •  Create another perf event as ‘B’, specify ‘A’ as its group leader •  Free ‘A’,the group leader •  Free ‘B’, a sibling of group ß---- UAF happens here
  • 27. Root cause •  Now group leader ‘A’ is freed •  Kernel doesn’t empty its sibling list •  Leads to leaving a dangling pointer in sibling’s event->group_entry
  • 28. Root cause •  Later on the sibling ‘B’ is freed •  list_del_event() •  list_del_init(&event->group_entry); •  overwrite a pointer to the freed group leader.
  • 29. •  Slub poinson infomation •  0xfffffc00fc2b1a0 is overwritten to (group_leader+ 0x20)
  • 30. The unconventional scenario •  The only thing I can do is overwritting the freed object as following *(size_t*)(freed_object + 0x20) = (freed_object + 0x20)
  • 31. Pipe subsystem in Linux •  readv() & writev(): read/write multiple buffers through pipe •  Use an array of struct iovec{iov_base,iov_len} to describe user buffers •  When no contents available from the write end, readv() may block in kernel •  Then an array of struct iovec{} may stay in kernel’s heap
  • 32. Compromise pipe system •  Call readv() •  rw_copy_check_uvector() confirm every iov_base must points to userland space. •  An array of struct iovec{} now is in heap. Nothing comes from the write end of pipe, so readv() block. •  If you can somehow overwrite the iovec{}, modify the iov_base to a kernel address. Emmm… iov_base iov_len iov_base iov_len iov_base iov_len ….. kernel_addr iov_len kernel_addr iov_len kernel_addr iov_len
  • 33. Compromise pipe system •  Now write something to another end of pipe •  pipe_iov_copy_to_user() won’t check the iov_base again. •  Buffers you wrote to pipe will be copied to the kernel address
  • 34. ········ Trigger UAF, write two 8-bytes value“A+0x20”to address = A+0x20 ↓ the 1st freed object, address is A Solution: convert UAF to arbitrary R/W ↓the 2nd freed object, address is B = A + 0x400 Use iovec to spray the heap Freed Data Freed Data Freed Freed Data Freed Data ········· base len base len base base len base len ··················· base len A + 0x20 A+0x20 base ·········· base len base len Write a buffer to pipe ,the buffer will be copied to (A + 0x20) ········· base len KADDR 8 KADDR ·········· KADDR 8 KADDR 8 ········· Write a buffer to pipe again,it will be copied to KADDR KADDR can be any address value, we achieved arbitrary kernel memory overwriting 1 2 3 4 5
  • 35. A brief summary of CVE-2017-0403 •  Attacker lost the file descriptor of freed object •  Cannot achieve code execution via refilling object’s function pointer •  Only be able to write the address value of freed object twice to freed object •  Proposed a new approach: compromising pipe system
  • 36. Conclusion •  Most UAF bugs looks not exploitable, but there may be another way •  No idea? Put it down for a while, but do not let it go… •  Be familiar with kernel’s source code, kernel’s own feature may help your exploitation (e.g. pipe for CVE-2017-0403)