SlideShare ist ein Scribd-Unternehmen logo

[Defcon24] Introduction to the Witchcraft Compiler Collection

Als PPTX, PDF herunterladen
Moabi.com
Moabi.com

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the later technique over the former being that it does work. Once achieved universal code ‘reuse’ by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness. Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it. The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses) exclusively at DEF CON 24. Jonathan Brossard is a computer whisperer from France, although he's been living in Brazil, India, Australia and now lives in San Francisco. For his first conference at DEF CON 16, he hacked Microsoft Bitlocker, McAffee Endpoint and a fair number of BIOS Firmwares. During his second presentation at DEF CON 20, he presented Rakshasa, a BIOS malware based on open source software, the MIT Technology review labeled "incurable and undetectable". This year will be his third DEF CON ... Endrazine is also known in the community for having run the Hackito Ergo Sum and NoSuchCon conferences in France, participating to the Shakacon Program Committee in Hawaii, and authoring a number of exploits over the past decade. Including the first remote Windows 10 exploit and several hardcore reverse engineering tools and whitepapers. Jonathan is part of the team behind MOABI.COM, and acts as the Principal Engineer of Product Security at Salesforce. Twitter: @endrazine Facebook: toucansystem https://moabi.com

Ingenieurwesen
1 von 67
Introduction to the Witchcraft Compiler Collection Jonathan Brossard 5th of August 2016 DEFCON 24, Las Vegas, USA
• The Witchcraft Compiler Collection is free software (MIT/BSD License). • I would love you to extend it and contribute to WCC on https://github.com/endrazine/wcc • You can write in Lua, Punk-C or C. • No assembly skills required. TL ; DR
Who am I ? Image courtesy of Pixabay (https://pixabay.com/en/museum-mask-africa-african-cult-953595/) License : CC0 Public Domain
https://www.defcon.org/images/defcon-20/dc-20-presentations/Brossard/DEFCON-20- Brossard-Hardware-Backdooring-is-Practical.pdf
https://media.blackhat.com/bh-us-11/Brossard/BH_US_11_Brossard_Post_Memory_WP.pdf https://github.com/toucan-system/pmcma
+ Nullcon Goa, which is awesome :)
+ add your own preferred conferences around the globe here :) #NonExhaustiveList
DISCLAIMERS
• My employers are not associated with this talk in any way. • This is my personal research. DISCLAIMER
• This talk received help from the EFF. • Warmest thank you to Nate Cardozo, Andrew Crocker and Mitch Stoltz Free legal advising to security researchers : https://www.eff.org/ https://www.eff.org/issues/coders/reverse-engineering-faq LEGAL HELP
Fcrnx gb bhe fravbe frphevgl UE: Wnzrf Fnyr wfnyr@fnyrfsbepr.pbz uggc://jjj.yvaxrqva.pbz/va/wnzrftfnyr Tbbq yhpx ! WE’RE RECRUITING
• Motivation • WCC components • “Libifying” a binary • Unlinking binaries • Crossing a Fish and a Rabbit • Introduction to Witchcraft • Binary “reflection” without a VM • Towards binary self awareness • Future work AGENDA
Prerequisites: A binary you have the right to reverse engineer. No source code. Case studies: 1) You would like to verify the results of a static analysis 2) You know a way to crash an application but don’t want to work on the entire binary (eg: remote fuzzing). Let’s work on the ELF 64b version of smbserver-1.5.32. MOTIVATION
CASE STUDY : STATIC ANALYSIS
STATIC ANALYSIS
STATIC ANALYSIS
STATIC ANALYSIS
STATIC ANALYSIS
We have only a partial symbolic stack trace. How to verify if this vulnerability exists ? Wouldn’t it be nice if we could call reply_close() with arbitrary arguments directly ? STATIC ANALYSIS
You are fuzzing a complex server (smbd) over the network. CASE STUDY : FUZZING
We have only a partial symbolic stack trace. This could be a worker thread (note: smbd is linked with libpthread). I don’t want to resend new packets or restart threads when analyzing ! Bonus points if you triggered it via instrumentation/concolic execution and don’t actually have a trigger either. Can we verify if this vulnerability is exploitable ? Wouldn’t it be nice to call rpc_clnt_record_build_header() or any function in client.so with arbitrary arguments directly ? CASE STUDY : FUZZING
You can do the later with some work (exported functions from shared libraries) but in theory, not the former ever ever (function directly within a binary). Let’s make both possible with 0 code nor reverse engineering. PROBLEM STATEMENT
Binaries (C): wld : witchcraft linker wcc : witchcraft core compiler wsh : witchcraft shell : dynamic interpreter + scripting engine Scripts (lua, …): wcch : witchcraft header generator wldd : witchcraft compiler flags generator ... Host machine : GNU/Linux x86_64 (mostly portable to POSIX systems). WCC COMPONENTS
Transforming an ELF executable binary into an ELF shared library. WLD : “LIBIFICATION”
A word on decompiling DEMOS
typedef struct { unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */ Elf64_Half e_type; /* Object file type */ Elf64_Half e_machine; /* Architecture */ Elf64_Word e_version; /* Object file version */ Elf64_Addr e_entry; /* Entry point virtual address */ Elf64_Off e_phoff; /* Program header table file offset */ Elf64_Off e_shoff; /* Section header table file offset */ Elf64_Word e_flags; /* Processor-specific flags */ Elf64_Half e_ehsize; /* ELF header size in bytes */ Elf64_Half e_phentsize; /* Program header table entry size */ Elf64_Half e_phnum; /* Program header table entry count */ Elf64_Half e_shentsize; /* Section header table entry size */ Elf64_Half e_shnum; /* Section header table entry count */ Elf64_Half e_shstrndx; /* Section header string table index */ } Elf64_Ehdr; LIBIFICATION
Libification of proftpd DEMOS
LIBIFICATION OF PROFTPD
WE REALLY PATCHED 1 BYTE ONLY
USING OUR NEW SHARED LIBRARY
We’re really creating a “non relocatable” shared library. ET_DYN and ET_EXEC ELF files are both executable (ASLR support in the kernel) This is equivalent to creating a shared library with a non NULL base address (equivalent to prelinking) Note: Amazingly, this shared library is still a valid executable too. HOW COMES THIS WORKS ?
Linking against apache2 DEMOS
APACHE2 AS A SHARED LIBRARY
APACHE2 AS A SHARED LIBRARY
The typical approach to reverse engineering is to transform binaries or shared libraries back to source code. Instead, we aim at transforming final binaries or shared libraries back to ELF relocatable objects, that can later be relinked normally (using gcc/ld) into executables or shared objects. This binary refactoring is enough to “reuse” (steal) binary functions without any disassembly. This is no longuer true : some relocations require some disassembly. We used the capstone disassembly library to perform this. WCC : “UNLINKING”
Source code WCC : “UNLINKING” Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r
Source code WCC : “UNLINKING” Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r Decompiler
Source code WCC : “UNLINKING” Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r Decompiler
Source code UNLINKING Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r Decompiler w c c
The command line is made to resemble the syntax of gcc : WCC : COMMAND LINE
The front end is build around libbfd. The backend is trivial C to copy each mapped section of the binary, handle symbols and relocations. Benefit of using libbfd : the input binary doesn’t need to be an ELF ! => We can for instance transform a Win64 executable into ELF 64b relocatable objects… WCC : INTERNALS
(Binary to object file to relocatable to unstripped library) DEMO
WCC : DEMO
(Crossing a Fish and a Rabbit) DEMO
PE + ELF = PELF
WCC : PE32 TO ELF64
Native OpenBSD on linux DEMO
(Punk-C/Punxie) WITCHCRAFT
Lua Interpreter + “Reflected” C API = Punk-C PUNK-C LANGUAGE (WSH)
INTRODUCTION TO WITCHCRAFT
Now that we know how to transform arbitrary binaries into shared libraries, we can load them into our address space via dlopen(). Let’s implement the same features as traditional virtual machines, but for raw binaries ! Whish list : - Load arbitrary applications into memory - Execute arbitrary functions with any arguments (and get results) - Monitor/Trace execution - Automated functions prototyping/annotation - Learn new behavior - Examine/Modify arbitrary memory BINARY “REFLECTION” WITHOUT A VM
Loading is done via dlopen(). The core engine/shell is built around lua. Can be compiled with luajit to get JIT compilation. Tracing/Memory analysis doesn’t rely on ptrace() : we share the address space. Lightweight : ~5k lines of C. No disassembler (as of writing. Subject to change). No need for /proc support ! Function names mapped in each library is dumped from the link_map cache. WSH : ARCHITECTURE
Distinctive features: - We fully share the address space with analyzed applications (no ptrace() nor context switches). - Requires no privileges/capabilities (no root, no ptrace(), no CAP_PTRACE, no /proc…) - No disassembly : fully portable (POSIX) - Implements “reflection” for binaries - Full featured programming language - Interactive and/or fully scriptable, autonomous programs - Has no types - Has no fixed API : any function you load in memory becomes available in WSH - Functions have no prototypes => Can call arbitrary functions without knowing their prototypes => Allows for extended function annotations (to be fully automated) => Steal/Reuse any code. Add scripting to any application. NONE OF THIS IS SUPPOSED TO WORK WSH : THE WICHCRAFT INTERPRETER
Advanced features: - Loads any code via dlopen() : this solves relocations, symbols resolution, dependencies for us. - Secondary loader bfd based (could load invalid binaries, anything in memory). - Dumping of dynamic linker cash internals (undocumented) : linkmap - Breakpoints without int 0x03 (use SIGINVALID + invalid opcode) - Bruteforcing of mapped memory pages via msync() (0day, no /proc needed) - Wsh can be compiled to do JIT compilation on the fly at runtime. - Automated fuzzing/extended prototyping/functional testing NONE OF THIS IS SUPPOSED TO WORK WSH : THE WICHCRAFT INTERPRETER
DEMO WITCHCRAFT
Consciousness 1.0 TOWARDS BINARY SELF AWARENESS
“Self-awareness is the capacity for introspection and the ability to recognize oneself as an individual separate from the environment and other individuals.” https://en.wikipedia.org/wiki/Self-awareness “Consciousness is the state or quality of awareness, or, of being aware of an external object or something within oneself. It has been defined as: sentience, awareness, subjectivity, the ability to experience or to feel, wakefulness, having a sense of selfhood, and the executive control system of the mind.” https://en.wikipedia.org/wiki/Consciousness SELF AWARENESS
Numerical solutions WITCHCRAFT
FUTURE WORK WITCHCRAFT
- Hyde our own presence better in memory (second heap) - Remote debugging, running process injection - Shadow mapping, internal libraries tracing (recursive ltrace) - ltrace/strace to valid scripts - system call tracing FUTURE WORK
Questions ? TO BE CONTINUED

Empfohlen

[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the CanariesKernel TLV
 
Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Hajime Tazaki
 

Empfohlen

[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practical[Defcon] Hardware backdooring is practical
[Defcon] Hardware backdooring is practicalMoabi.com
 
Hardware backdooring is practical : slides
Hardware backdooring is practical : slidesHardware backdooring is practical : slides
Hardware backdooring is practical : slidesMoabi.com
 
[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory Analysis[CCC-28c3] Post Memory Corruption Memory Analysis
[CCC-28c3] Post Memory Corruption Memory AnalysisMoabi.com
 
[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory Analysis[Ruxcon 2011] Post Memory Corruption Memory Analysis
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com
 
[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practical[Hackito2012] Hardware backdooring is practical
[Hackito2012] Hardware backdooring is practicalMoabi.com
 
FreeBSD and Drivers
FreeBSD and DriversFreeBSD and Drivers
FreeBSD and DriversKernel TLV
 
The Silence of the Canaries
The Silence of the CanariesThe Silence of the Canaries
The Silence of the CanariesKernel TLV
 
Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Library Operating System for Linux #netdev01
Library Operating System for Linux #netdev01Hajime Tazaki
 
Kernelvm 201312-dlmopen
Kernelvm 201312-dlmopenKernelvm 201312-dlmopen
Kernelvm 201312-dlmopenHajime Tazaki
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Hajime Tazaki
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1Hajime Tazaki
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Shuo Chen
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Jérôme Petazzoni
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSEKernel TLV
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkAnne Nicolas
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureJérôme Petazzoni
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleIntroduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleJérôme Petazzoni
 
Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practicalMoabi.com
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 

Weitere ähnliche Inhalte

Was ist angesagt?

Kernelvm 201312-dlmopen
Kernelvm 201312-dlmopenKernelvm 201312-dlmopen
Kernelvm 201312-dlmopenHajime Tazaki
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Hajime Tazaki
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1Hajime Tazaki
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Hajime Tazaki
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Shuo Chen
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsCrowdStrike
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Jérôme Petazzoni
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopQuey-Liang Kao
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Jérôme Petazzoni
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7Sam Kim
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioHajime Tazaki
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxPositive Hack Days
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Sam Kim
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkAnne Nicolas
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureJérôme Petazzoni
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleIntroduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleJérôme Petazzoni
 

Was ist angesagt? (20)

Kernelvm 201312-dlmopen
Kernelvm 201312-dlmopenKernelvm 201312-dlmopen
Kernelvm 201312-dlmopen
 
Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013Direct Code Execution @ CoNEXT 2013
Direct Code Execution @ CoNEXT 2013
 
LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1LibOS as a regression test framework for Linux networking #netdev1.1
LibOS as a regression test framework for Linux networking #netdev1.1
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
 
Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)Network Stack in Userspace (NUSE)
Network Stack in Userspace (NUSE)
 
Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++Essentials of Multithreaded System Programming in C++
Essentials of Multithreaded System Programming in C++
 
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of BootkitsI/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
I/O, You Own: Regaining Control of Your Disk in the Presence of Bootkits
 
Let's Containerize New York with Docker!
Let's Containerize New York with Docker!Let's Containerize New York with Docker!
Let's Containerize New York with Docker!
 
Talk 160920 @ Cat System Workshop
Talk 160920 @ Cat System WorkshopTalk 160920 @ Cat System Workshop
Talk 160920 @ Cat System Workshop
 
Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9 Docker Introduction + what is new in 0.9
Docker Introduction + what is new in 0.9
 
Make container without_docker_7
Make container without_docker_7Make container without_docker_7
Make container without_docker_7
 
NUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osioNUSE (Network Stack in Userspace) at #osio
NUSE (Network Stack in Userspace) at #osio
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
Ищем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре LinuxИщем уязвимости нулевого дня в ядре Linux
Ищем уязвимости нулевого дня в ядре Linux
 
Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1 Make container without_docker_6-overlay-network_1
Make container without_docker_6-overlay-network_1
 
Fun with FUSE
Fun with FUSEFun with FUSE
Fun with FUSE
 
Kernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver frameworkKernel Recipes 2015 - So you want to write a Linux driver framework
Kernel Recipes 2015 - So you want to write a Linux driver framework
 
Introduction to Docker and deployment and Azure
Introduction to Docker and deployment and AzureIntroduction to Docker and deployment and Azure
Introduction to Docker and deployment and Azure
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup SunnyvaleIntroduction to Docker (and a bit more) at LSPE meetup Sunnyvale
Introduction to Docker (and a bit more) at LSPE meetup Sunnyvale
 

Andere mochten auch

Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practicalMoabi.com
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any meansMoabi.com
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...Moabi.com
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testingnavajanegra
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...OWASP Russia
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris SavkovOWASP Russia
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit AutomationMoabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #WhitepaperMoabi.com
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet ExplorerMoabi.com
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...OWASP Russia
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...Moabi.com
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...Moabi.com
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath InjectionsAMol NAik
 
Grade 7 Science Learner's Module 3rd and 4th QTR Modules
Grade 7 Science Learner's Module 3rd and 4th QTR ModulesGrade 7 Science Learner's Module 3rd and 4th QTR Modules
Grade 7 Science Learner's Module 3rd and 4th QTR ModulesJan Cecilio
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against JavaMoabi.com
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsIvan Novikov
 
Wireless charging of smartphones
Wireless charging of smartphonesWireless charging of smartphones
Wireless charging of smartphonesJeffrey Funk
 

Andere mochten auch (20)

Hardware backdooring is practical
Hardware backdooring is practicalHardware backdooring is practical
Hardware backdooring is practical
 
[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means[HackInTheBox] Breaking virtualization by any means
[HackInTheBox] Breaking virtualization by any means
 
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
[DEFCON 16] Bypassing pre-boot authentication passwords by instrumenting the...
 
DNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmapDNS Exfiltration Using sqlmap
DNS Exfiltration Using sqlmap
 
Hacking XPATH 2.0
Hacking XPATH 2.0Hacking XPATH 2.0
Hacking XPATH 2.0
 
Automated and unified opensource web application testing
Automated and unified opensource web application testingAutomated and unified opensource web application testing
Automated and unified opensource web application testing
 
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
[1.4] «Ой, не шмогла». Обзор ограничений современных технологий в области ...
 
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
[3.3] Detection & exploitation of Xpath/Xquery Injections - Boris Savkov
 
[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation[HITB Malaysia 2011] Exploit Automation
[HITB Malaysia 2011] Exploit Automation
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES... #Whitepaper
 
[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer[Blackhat2015] FileCry attack against Internet Explorer
[Blackhat2015] FileCry attack against Internet Explorer
 
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
Web Application Firewalls: Advanced analysis of detection logic mechanisms, V...
 
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
[DEFCON] Bypassing preboot authentication passwords by instrumenting the BIOS...
 
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
[Blackhat2015] SMB : SHARING MORE THAN JUST YOUR FILES...
 
XPath Injection
XPath InjectionXPath Injection
XPath Injection
 
XML & XPath Injections
XML & XPath InjectionsXML & XPath Injections
XML & XPath Injections
 
Grade 7 Science Learner's Module 3rd and 4th QTR Modules
Grade 7 Science Learner's Module 3rd and 4th QTR ModulesGrade 7 Science Learner's Module 3rd and 4th QTR Modules
Grade 7 Science Learner's Module 3rd and 4th QTR Modules
 
[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java[Blackhat2015] FileCry attack against Java
[Blackhat2015] FileCry attack against Java
 
Lie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application FirewallsLie to Me: Bypassing Modern Web Application Firewalls
Lie to Me: Bypassing Modern Web Application Firewalls
 
Wireless charging of smartphones
Wireless charging of smartphonesWireless charging of smartphones
Wireless charging of smartphones
 

Ähnlich wie [Defcon24] Introduction to the Witchcraft Compiler Collection

Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Vincenzo Iozzo
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'acorehard_by
 
maXbox Starter87
maXbox Starter87maXbox Starter87
maXbox Starter87Max Kleiner
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Ricardo Amaro
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Partner S.A.
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesMartin Czygan
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerJustin Bui
 
Extending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with KubernetesExtending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with KubernetesNicola Ferraro
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014Carlo Bonamico
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xrkr10
 
Binary Packaging for HPC with Spack
Binary Packaging for HPC with SpackBinary Packaging for HPC with Spack
Binary Packaging for HPC with Spackinside-BigData.com
 
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...Jérôme Petazzoni
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Ricardo Amaro
 
Dessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudDessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudMassimiliano Dessì
 
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCome costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCodemotion
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionJérôme Petazzoni
 
Intel Briefing Notes
Intel Briefing NotesIntel Briefing Notes
Intel Briefing NotesGraham Lee
 

Ähnlich wie [Defcon24] Introduction to the Witchcraft Compiler Collection (20)

Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009Post exploitation techniques on OSX and Iphone, EuSecWest 2009
Post exploitation techniques on OSX and Iphone, EuSecWest 2009
 
Настройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'aНастройка окружения для кросскомпиляции проектов на основе docker'a
Настройка окружения для кросскомпиляции проектов на основе docker'a
 
maXbox Starter87
maXbox Starter87maXbox Starter87
maXbox Starter87
 
Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant Automate drupal deployments with linux containers, docker and vagrant
Automate drupal deployments with linux containers, docker and vagrant
 
Agile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: IntroductionAgile Brown Bag - Vagrant & Docker: Introduction
Agile Brown Bag - Vagrant & Docker: Introduction
 
Build your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resourcesBuild your own discovery index of scholary e-resources
Build your own discovery index of scholary e-resources
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift Messenger
 
Extending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with KubernetesExtending DevOps to Big Data Applications with Kubernetes
Extending DevOps to Big Data Applications with Kubernetes
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
Docker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12xDocker and-containers-for-development-and-deployment-scale12x
Docker and-containers-for-development-and-deployment-scale12x
 
Binary Packaging for HPC with Spack
Binary Packaging for HPC with SpackBinary Packaging for HPC with Spack
Binary Packaging for HPC with Spack
 
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...
Docker 1 0 1 0 1: a Docker introduction, actualized for the stable release of...
 
Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant Drupalcamp es 2013 drupal with lxc docker and vagrant
Drupalcamp es 2013 drupal with lxc docker and vagrant
 
Dessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloudDessi docker kubernetes paas cloud
Dessi docker kubernetes paas cloud
 
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e JavaCome costruire una Platform As A Service con Docker, Kubernetes Go e Java
Come costruire una Platform As A Service con Docker, Kubernetes Go e Java
 
olibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linuxolibc: Another C Library optimized for Embedded Linux
olibc: Another C Library optimized for Embedded Linux
 
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special EditionIntroduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
Introduction to Docker, December 2014 "Tour de France" Bordeaux Special Edition
 
Intel Briefing Notes
Intel Briefing NotesIntel Briefing Notes
Intel Briefing Notes
 
Eusecwest
EusecwestEusecwest
Eusecwest
 

Kürzlich hochgeladen

OOP concepts -in-Python programming language
OOP concepts -in-Python programming languageOOP concepts -in-Python programming language
OOP concepts -in-Python programming languageSmritiSharma901052
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxRomil Mishra
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfDrew Moseley
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdfCaalaaAbdulkerim
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Coursebim.edu.pl
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptJohnWilliam111370
 
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESCME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESkarthi keyan
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsapna80328
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Sumanth A
 
Ch10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdfCh10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdfChristianCDAM
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substationstephanwindworld
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptxmohitesoham12
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdfHafizMudaserAhmad
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosVictor Morales
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodManicka Mamallan Andavar
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfisabel213075
 

Kürzlich hochgeladen (20)

OOP concepts -in-Python programming language
OOP concepts -in-Python programming languageOOP concepts -in-Python programming language
OOP concepts -in-Python programming language
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptx
 
Immutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdfImmutable Image-Based Operating Systems - EW2024.pdf
Immutable Image-Based Operating Systems - EW2024.pdf
 
Research Methodology for Engineering pdf
Research Methodology for Engineering pdfResearch Methodology for Engineering pdf
Research Methodology for Engineering pdf
 
Katarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School CourseKatarzyna Lipka-Sidor - BIM School Course
Katarzyna Lipka-Sidor - BIM School Course
 
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.pptROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
ROBOETHICS-CCS345 ETHICS AND ARTIFICIAL INTELLIGENCE.ppt
 
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTESCME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
CME 397 - SURFACE ENGINEERING - UNIT 1 FULL NOTES
 
signals in triangulation .. ...Surveying
signals in triangulation .. ...Surveyingsignals in triangulation .. ...Surveying
signals in triangulation .. ...Surveying
 
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
Robotics-Asimov's Laws, Mechanical Subsystems, Robot Kinematics, Robot Dynami...
 
Ch10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdfCh10-Global Supply Chain - Cadena de Suministro.pdf
Ch10-Global Supply Chain - Cadena de Suministro.pdf
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 
Earthing details of Electrical Substation
Earthing details of Electrical SubstationEarthing details of Electrical Substation
Earthing details of Electrical Substation
 
Python Programming for basic beginners.pptx
Python Programming for basic beginners.pptxPython Programming for basic beginners.pptx
Python Programming for basic beginners.pptx
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf11. Properties of Liquid Fuels in Energy Engineering.pdf
11. Properties of Liquid Fuels in Energy Engineering.pdf
 
Designing pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptxDesigning pile caps according to ACI 318-19.pptx
Designing pile caps according to ACI 318-19.pptx
 
KCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitosKCD Costa Rica 2024 - Nephio para parvulitos
KCD Costa Rica 2024 - Nephio para parvulitos
 
Levelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument methodLevelling - Rise and fall - Height of instrument method
Levelling - Rise and fall - Height of instrument method
 
List of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdfList of Accredited Concrete Batching Plant.pdf
List of Accredited Concrete Batching Plant.pdf
 

[Defcon24] Introduction to the Witchcraft Compiler Collection

  • 1. Introduction to the Witchcraft Compiler Collection Jonathan Brossard 5th of August 2016 DEFCON 24, Las Vegas, USA
  • 2. • The Witchcraft Compiler Collection is free software (MIT/BSD License). • I would love you to extend it and contribute to WCC on https://github.com/endrazine/wcc • You can write in Lua, Punk-C or C. • No assembly skills required. TL ; DR
  • 3. Who am I ? Image courtesy of Pixabay (https://pixabay.com/en/museum-mask-africa-african-cult-953595/) License : CC0 Public Domain
  • 4.
  • 5.
  • 7.
  • 8.
  • 10.
  • 11. + Nullcon Goa, which is awesome :)
  • 12. + add your own preferred conferences around the globe here :) #NonExhaustiveList
  • 14. • My employers are not associated with this talk in any way. • This is my personal research. DISCLAIMER
  • 15. • This talk received help from the EFF. • Warmest thank you to Nate Cardozo, Andrew Crocker and Mitch Stoltz Free legal advising to security researchers : https://www.eff.org/ https://www.eff.org/issues/coders/reverse-engineering-faq LEGAL HELP
  • 16. Fcrnx gb bhe fravbe frphevgl UE: Wnzrf Fnyr wfnyr@fnyrfsbepr.pbz uggc://jjj.yvaxrqva.pbz/va/wnzrftfnyr Tbbq yhpx ! WE’RE RECRUITING
  • 17. • Motivation • WCC components • “Libifying” a binary • Unlinking binaries • Crossing a Fish and a Rabbit • Introduction to Witchcraft • Binary “reflection” without a VM • Towards binary self awareness • Future work AGENDA
  • 18. Prerequisites: A binary you have the right to reverse engineer. No source code. Case studies: 1) You would like to verify the results of a static analysis 2) You know a way to crash an application but don’t want to work on the entire binary (eg: remote fuzzing). Let’s work on the ELF 64b version of smbserver-1.5.32. MOTIVATION
  • 19. CASE STUDY : STATIC ANALYSIS
  • 24. We have only a partial symbolic stack trace. How to verify if this vulnerability exists ? Wouldn’t it be nice if we could call reply_close() with arbitrary arguments directly ? STATIC ANALYSIS
  • 25. You are fuzzing a complex server (smbd) over the network. CASE STUDY : FUZZING
  • 26. We have only a partial symbolic stack trace. This could be a worker thread (note: smbd is linked with libpthread). I don’t want to resend new packets or restart threads when analyzing ! Bonus points if you triggered it via instrumentation/concolic execution and don’t actually have a trigger either. Can we verify if this vulnerability is exploitable ? Wouldn’t it be nice to call rpc_clnt_record_build_header() or any function in client.so with arbitrary arguments directly ? CASE STUDY : FUZZING
  • 27. You can do the later with some work (exported functions from shared libraries) but in theory, not the former ever ever (function directly within a binary). Let’s make both possible with 0 code nor reverse engineering. PROBLEM STATEMENT
  • 28.
  • 29. Binaries (C): wld : witchcraft linker wcc : witchcraft core compiler wsh : witchcraft shell : dynamic interpreter + scripting engine Scripts (lua, …): wcch : witchcraft header generator wldd : witchcraft compiler flags generator ... Host machine : GNU/Linux x86_64 (mostly portable to POSIX systems). WCC COMPONENTS
  • 30. Transforming an ELF executable binary into an ELF shared library. WLD : “LIBIFICATION”
  • 31. A word on decompiling DEMOS
  • 32. typedef struct { unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */ Elf64_Half e_type; /* Object file type */ Elf64_Half e_machine; /* Architecture */ Elf64_Word e_version; /* Object file version */ Elf64_Addr e_entry; /* Entry point virtual address */ Elf64_Off e_phoff; /* Program header table file offset */ Elf64_Off e_shoff; /* Section header table file offset */ Elf64_Word e_flags; /* Processor-specific flags */ Elf64_Half e_ehsize; /* ELF header size in bytes */ Elf64_Half e_phentsize; /* Program header table entry size */ Elf64_Half e_phnum; /* Program header table entry count */ Elf64_Half e_shentsize; /* Section header table entry size */ Elf64_Half e_shnum; /* Section header table entry count */ Elf64_Half e_shstrndx; /* Section header string table index */ } Elf64_Ehdr; LIBIFICATION
  • 35. WE REALLY PATCHED 1 BYTE ONLY
  • 36. USING OUR NEW SHARED LIBRARY
  • 37. We’re really creating a “non relocatable” shared library. ET_DYN and ET_EXEC ELF files are both executable (ASLR support in the kernel) This is equivalent to creating a shared library with a non NULL base address (equivalent to prelinking) Note: Amazingly, this shared library is still a valid executable too. HOW COMES THIS WORKS ?
  • 39. APACHE2 AS A SHARED LIBRARY
  • 40. APACHE2 AS A SHARED LIBRARY
  • 41. The typical approach to reverse engineering is to transform binaries or shared libraries back to source code. Instead, we aim at transforming final binaries or shared libraries back to ELF relocatable objects, that can later be relinked normally (using gcc/ld) into executables or shared objects. This binary refactoring is enough to “reuse” (steal) binary functions without any disassembly. This is no longuer true : some relocations require some disassembly. We used the capstone disassembly library to perform this. WCC : “UNLINKING”
  • 42. Source code WCC : “UNLINKING” Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r
  • 43. Source code WCC : “UNLINKING” Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r Decompiler
  • 44. Source code WCC : “UNLINKING” Relocatable objects (*.o) Binaries (executables, shared libs…) Compiler L i n k e r Decompiler
  • 46. The command line is made to resemble the syntax of gcc : WCC : COMMAND LINE
  • 47. The front end is build around libbfd. The backend is trivial C to copy each mapped section of the binary, handle symbols and relocations. Benefit of using libbfd : the input binary doesn’t need to be an ELF ! => We can for instance transform a Win64 executable into ELF 64b relocatable objects… WCC : INTERNALS
  • 48. (Binary to object file to relocatable to unstripped library) DEMO
  • 50. (Crossing a Fish and a Rabbit) DEMO
  • 51. PE + ELF = PELF
  • 52. WCC : PE32 TO ELF64
  • 53. Native OpenBSD on linux DEMO
  • 55. Lua Interpreter + “Reflected” C API = Punk-C PUNK-C LANGUAGE (WSH)
  • 57. Now that we know how to transform arbitrary binaries into shared libraries, we can load them into our address space via dlopen(). Let’s implement the same features as traditional virtual machines, but for raw binaries ! Whish list : - Load arbitrary applications into memory - Execute arbitrary functions with any arguments (and get results) - Monitor/Trace execution - Automated functions prototyping/annotation - Learn new behavior - Examine/Modify arbitrary memory BINARY “REFLECTION” WITHOUT A VM
  • 58. Loading is done via dlopen(). The core engine/shell is built around lua. Can be compiled with luajit to get JIT compilation. Tracing/Memory analysis doesn’t rely on ptrace() : we share the address space. Lightweight : ~5k lines of C. No disassembler (as of writing. Subject to change). No need for /proc support ! Function names mapped in each library is dumped from the link_map cache. WSH : ARCHITECTURE
  • 59. Distinctive features: - We fully share the address space with analyzed applications (no ptrace() nor context switches). - Requires no privileges/capabilities (no root, no ptrace(), no CAP_PTRACE, no /proc…) - No disassembly : fully portable (POSIX) - Implements “reflection” for binaries - Full featured programming language - Interactive and/or fully scriptable, autonomous programs - Has no types - Has no fixed API : any function you load in memory becomes available in WSH - Functions have no prototypes => Can call arbitrary functions without knowing their prototypes => Allows for extended function annotations (to be fully automated) => Steal/Reuse any code. Add scripting to any application. NONE OF THIS IS SUPPOSED TO WORK WSH : THE WICHCRAFT INTERPRETER
  • 60. Advanced features: - Loads any code via dlopen() : this solves relocations, symbols resolution, dependencies for us. - Secondary loader bfd based (could load invalid binaries, anything in memory). - Dumping of dynamic linker cash internals (undocumented) : linkmap - Breakpoints without int 0x03 (use SIGINVALID + invalid opcode) - Bruteforcing of mapped memory pages via msync() (0day, no /proc needed) - Wsh can be compiled to do JIT compilation on the fly at runtime. - Automated fuzzing/extended prototyping/functional testing NONE OF THIS IS SUPPOSED TO WORK WSH : THE WICHCRAFT INTERPRETER
  • 63. “Self-awareness is the capacity for introspection and the ability to recognize oneself as an individual separate from the environment and other individuals.” https://en.wikipedia.org/wiki/Self-awareness “Consciousness is the state or quality of awareness, or, of being aware of an external object or something within oneself. It has been defined as: sentience, awareness, subjectivity, the ability to experience or to feel, wakefulness, having a sense of selfhood, and the executive control system of the mind.” https://en.wikipedia.org/wiki/Consciousness SELF AWARENESS
  • 66. - Hyde our own presence better in memory (second heap) - Remote debugging, running process injection - Shadow mapping, internal libraries tracing (recursive ltrace) - ltrace/strace to valid scripts - system call tracing FUTURE WORK
  • 67. Questions ? TO BE CONTINUED