SlideShare une entreprise Scribd logo

SmartphoneHacking_Android_Exploitation

Malachi Jones
Malachi Jones

Security from both sides of the fence – a discussion of techniques, such as fuzzing, to reduce the likelihood of an attacker discovering exploits on smartphones and PCs; plus a demonstration of approaches hackers may use to weaponize and exploit vulnerabilities.

Logiciels
1  sur  79
Télécharger pour lire hors ligne
Smartphone Hacking TheArt ofAndroid Exploitation By: Malachi Jones, PhD
About Me  Education  Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)  Master’s Degree: Computer Engineering (GeorgiaTech, 2009)  PhD: Computer Engineering (GeorgiaTech, 2013)  Cyber Security Experience  Harris: Cyber Software Engineer (2013-2014)  Harris: Vulnerability Researcher (2015)  BoozAllen DarkLabs : Embedded Security Researcher (2016- Present) https://www.linkedin.com/in/malachijonesphd
About Dark Labs BoozAllen Dark Labs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.1 (1 http://darklabs.bah.com)
2015: AYear of Embedded Exploitation (Link)
(Link) 2015: AYear of Embedded Exploitation
(Link) 2015: AYear of Embedded Exploitation
(Link) 2016: The Exploitation Continues…
Outline  Motivation: Understanding both sides (offense & defense)  Objectives ofTalk  Review  Secure Coding  Vulnerability Research (VR)  Vulnerability Discovery on Android  Weaponizing & Deploying Exploits  Demo/Conclusion
Motivation: Understanding Offense & Defense  DefensiveCyber Awareness  Understanding and implementation of current best practices (e.g. secure coding) to build a hardened security system  Successfully making tradeoffs between security, performance, and cost to develop a system that is useful, secure, and affordable
Motivation: Understanding Offense & Defense  Offensive Cyber Awareness  Forefront of new attacks & techniques  Can help defenders develop mitigation techniques before a new attack can cause significant damage  Ability to think like the adversary to find and patch potential vulnerabilities before they do
Objectives ofTalk  Discuss techniques (borrowed from hackers) that can allow the defender to find and patch vulnerabilities before a hacker does  Demonstrate how effortless it can be to weaponize a vulnerability to p0wn devices.
Android Hacker’s Handbook  This presentation is based on material from the Handbook  Joshua Drake is the lead author and also the person who discovered the Android vulnerability dubbed StageFright  Handbook provides a lot more in-depth coverage onAndroid Hacking than we can cover in this presentation
Review Secure Coding
Review: Secure Coding  Low level code (e.g. drivers and kernels) of embedded devices such as smartphones are written in C/C++  The genius/curse of C/C++  Trust the programmer  Don’t prevent the programming from doing what needs to be done  Make it fast, even if it is not guaranteed to be portable  How does this translate to security and safety? It doesn’t…..
Review: Secure Coding  Best practices for secure C/C++ coding written by Robert C. Seacord (CERT @ CMU)  Based on common mistakes that inexperienced and professional software developers make  Should be a mandatory reading for any aspiring C/C++ programmer
Review: Secure Coding  Question: So, how can bugs still manifest even if best practices such as secure coding principles are adhered to?  Answer:An attacker can exploit bugs in the interactions (external and/or internal) of components in hardware and/or software systems  Case Study: Hot Potato Exploit (link)  Affects allWindows versions includingWindows 7 & 8  Exploits bugs in the interaction with legacy software components that include NetBIOS Name Service (NBNS)  Can enable remote code execution by an attacker
Review Vulnerability Research
Review:Vulnerability Research  Primary objective of Vulnerability Research (VR) is to find exploitable bugs (not all bugs are exploitable)  Often, a proof of concept (PoC) is desirable that demonstrates the extent to which the vulnerability can be weaponized in a reliable way to p0wn devices.
Review:Vulnerability Research  Complications (in the exploitation of bug)  AddressSpace Layout Randomization (ASLR) : Randomizes base address of modules; difficult for attacker to know where to direct cpu to execute code  Data Execution Prevention (DEP) : Makes non-code memory regions not executable; no shell code execution  Reliability:The vulnerability may be difficult to consistently reproduce; vulnerability may require the system to be in an unlikely state for exploitation
Review:Vulnerability Research  VR Process Overview  ProfilingTarget: Information gathering which includes port scanning and preliminary reviews of device services and security features (e.g. ASLR and SELinux)  InitialAccess: Preferably obtaining access to a shell or a debug serial port on a test device that is similar to target device  Vulnerability Discovery: Activities include static analysis, dynamic analysis, and fuzzing to discover an exploitable bug  Exploitation/Weaponization: Development of a proof-of-concept that demonstrates the exploit capabilities of bug.
Review:Vulnerability Research  VR Process Overview  ProfilingTarget: Information gathering which includes port scanning and preliminary reviews of device services and security features (e.g. ASLR and SELinux)  InitialAccess: Preferably obtaining access to a shell or a debug serial port on a test device that is similar to target device  Vulnerability Discovery: Activities include static analysis, dynamic analysis, and fuzzing to discover an exploitable bug  Exploitation/Weaponization: Development of a proof-of-concept that demonstrates the exploit capabilities of bug. Presentation Focus
Review:Vulnerability Research  Vulnerability Discovery  Static Analysis: Analyzing code and data in the application without directly executing the application; may require converting the binary from machine code to C-like code, aka decompiling.  DynamicAnalysis: Executing the application in an instrumented or monitored manner to garner more concrete information on behavior  Fuzzing: Dynamic method for testing software input validation by feeding it intentionally malformed input
v bool validatePassword(char * usercredential, int password_len, int username_len) { char username[100]; char password[100]; //Get username memcpy(username, usercredential,username_len); char *p_password = usercredential+ username_len +1; //Get password memcpy(password, p_password,password_len); ………………………………………………………………………………………… } No check to make sure that the password length does not exceed the local buffer size of ‘100’ Password buffer has length of 100 Review:Vulnerability Research  Static Analysis  In the above example, there is a stack overflow vulnerability  By passing in a ‘password’ with a length greater than 100, possible to overflow buffer, which can allow for control of code execution
Review:Vulnerability Research  Static Analysis  If the source is unavailable, then it may be necessary to decompile the binary into psuedo code  Tools such as IDA PRO can be used to aid in reversing Decompiled “Pseudo-C”ARM Dissassembly
Review:Vulnerability Research  Dynamic Analysis  Can be used to step through the code to understand behavior  Variables and software state can be manipulated
Review:Vulnerability Research  Fuzzing  A primary objective is to generate malformed input that will induce unexpected behavior in software that can include a crash  Additional static/dynamic analysis can then be used to determine root cause and whether or not the bug is exploitable Software Component Input Output Typical Scenario Fuzzing Scenario Software Component Output Fuzzer (Malformed Input) Input Crash
Review:Vulnerability Research  Exploitation/Weaponization  RemoteAccess: Setting up a backdoor on the victim that allows for future command and control capabilities  Phoning home state of victim: Periodically updating the host about the current activities and state of victim  Persistence: Includes surviving a reboot of victim and attempts to remove installed ‘custom’ software
Review:Vulnerability Research  Weaponization: Case Study of Regin (link)  Remote Access: Cyberattack platform that is deployed on victim networks for total remote control of host at all levels  Phoning Home State ofVictim: Forms a peer-to-peer network with other infected machines to send information back to the command and control center  Persistence: Covertly installs kernel modules and drivers 28
Review:Vulnerability Research  Question: Are Hackers the only ones that conduct vulnerability research? If not, why would others do this type of research?  Answer:  The motivation behind this presentation is that the defenders should also be usingVR techniques to identify exploitable bugs.  Some companies have bug bounty hunting programs, where a white/grey hat identifies a bug in exchange for money  Others hireVR personnel onsite to hack into their own stuff. Example: Charlie Miller and ChrisValasek were hired by Uber after their Chrysler car hack demo (link).
Vulnerability Discovery on Android
Vulnerability Discovery on Android  Important Note: Although concepts and techniques discussed in this section are targeted at the Android platform, they are also relevant for other platforms including iOS, Linux, andWindows.
Vulnerability Discovery on Android Overall Goal: Exercise code on the target with malformed inputs that we generate
Vulnerability Discovery on Android  Steps for Exploit Discovery using FuzzTesting 1. Choose a software target 2. Generate Inputs 3. Delivering & Processing Inputs 4. Monitor for crashes
Vulnerability Discovery on Android (The Steps) 1) Choose a SoftwareTarget
Vulnerability Discovery: Choosing aTarget  Objective 1.1: Find a software attack surface whose code can be exercised remotely by an adversary
Vulnerability Discovery: Choosing aTarget  We’ll target the Android browser  Why?  Standard on all Android devices  Since web browsers focus on performance, much of the code is implemented in C/C++  Very complex with support for new technologies that include HTML5, and the browser is essentially a mini OS
Vulnerability Discovery: Choosing aTarget  Objective 1.2: Select a web technology that the browser implements to focus on  Note: One of the most challenging aspects of fuzzing is to determining where to focus the fuzzing efforts
Vulnerability Discovery: Choosing aTarget  We’ll focus on the Typed Array feature of HTML5  Why HTML5  Relatively new technologies, which means there are bound to be undiscovered bugs  Has a rich feature set that includes support for video and audio, which means high complexity;complexity often introduces bugs
Vulnerability Discovery: Choosing aTarget  Background: Typed Arrays  Allows web developers access to a region of memory that is formatted as a native array  ExampleSnippet:  Snippet Explained : Creates an array of 16 elements and initializes them from 0 to 15 var arr = new Uint8Array(16); for (var n = 0; n < arr.length; n++) { arr[n] = n }
Vulnerability Discovery: Choosing aTarget  Key Concepts:  The typed array is a native array, which means that it doesn’t need to be translated between JavaScript and native representation  Translating back and forth between JavaScript and native representation impacts performance  Browser can achieve greater performance through improved efficiency using this type of array var arr = new Uint8Array(16); for (var n = 0; n < arr.length; n++) { arr[n] = n }
Vulnerability Discovery: Choosing aTarget  Previously disclosed bugs inTyped Array :  Researcher Pinkie Pie compromises of Chrome @ 2013 Mobile pwn2Own (link)  Researcher geohot compromises Chrome @ 2014 pwn2Own (link) var arr = new Uint8Array(16); for (var n = 0; n < arr.length; n++) { arr[n] = n }
2) Generating Inputs Vulnerability Discovery on Android (The Steps)
Vulnerability Discovery: Generate Inputs  So now that we have our target, we’d like to generate inputs to see how the target handles it  Below is an example snippet that would generate different ‘types’ of Typed Arrays  Note: Generating ‘good’ inputs is not trivial. It requires an understanding of the target and the possible unaddressed corner cases and boundary conditions def generate_var(): vtype = random.choice(TYPEDARRAY_TYPES) vlen = rand_num() return “var array1 = new %s(%d);” % (vtype, vlen)
Vulnerability Discovery on Android (The Steps) 3) Delivering & Processing Inputs
Vulnerability Discovery: Delivering Inputs  Delivering Inputs  What we’d like is a way to get the inputs to the target and have the target execute it  Tools such as BrowserFuzz have lightweight http servers that can serve up the input to the target  Processing Input  Getting chrome to process our special URL (that points to our fuzz html server) can be automated  We can take advantage of the ActivityManager to start the browser and tell it where to load content from via Intents
4) Monitoring for Crashes Vulnerability Discovery on Android (The Steps)
Vulnerability Discovery: Monitoring for Crashes  Key Concept: Monitoring the behavior of the target program is essential to knowing whether you’ve discovered something that is noteworthy  When a process on android crashes, debuggerd writes information about the crash to the system log  So we can monitor when the browser crashes by checking the system log.
Weaponizing and Deploying Exploits
Weaponizing and Deploying Exploits  So we’ve found an exploit… How do we make it useful?
Weaponizing and Deploying Exploits  The Steps (Browser exploit) 1. Choose the target 2. Develop or utilize an exploit delivery mechanism (e.g. Metasploit) 3. Get in-between the victim and the network 4. Inject exploit code in the victim’s HTML traffic 5. Implant malware (e.g. key logger, screenscraper, etc..)
Weaponizing and Deploying Exploits(The Steps) 1) Choose the target
Weaponizing and Deploying Exploits  PossibleTargets for Browser Exploit  Note: This exploit technique can be applied to any computing device (e.g. in-car entertainment system) that uses a browser
Weaponizing and Deploying Exploits  For convenience, we’ll target a laptop
Weaponizing & Deploying:TheVM Setup
Choose the target  We’ll target IE 8 (because there is a nice metasploit package for it)
2) Develop or utilize an exploit delivery mechanism Weaponizing and Deploying Exploits(The Steps)
Exploit delivery mechanism  Metasploit will be our exploit delivery mechanism
Exploit delivery mechanism  Note the IE exploit ie_cbutton_uaf (link) use-after-free IE exploit module
3) Get in-between the victim and the network Weaponizing and Deploying Exploits(The Steps)
Man-in-the-middle target device  EvilTwin Attack (link)  We’ll setup a rogue access point with the ssid attwifi  Most smartphones have attwifi as an ssid that they will automatically try to connect to it
 Hardware for EvilTwin Attack  We’ll need a wifi adapter that supports master mode  master mode enables adapter to function as an AP  TheTP-Link WN722N supports master mode and other modes that include monitor mode TP-LINKTL-WN722N Man-in-the-middle target device
Man-in-the-middle target device  Software for EvilTwin Attack  hostapd allows for a softwareAP to be created  Tool supports features includingWPA attwifi ssid
Man-in-the-middle target device  Software for EvilTwin Attack  hostapd allows for a softwareAP to be created  Tool supports features includingWPA
Man-in-the-middle target device Client Connected
4) Inject exploit code in the victim’s HTML traffic Weaponizing and Deploying Exploits(The Steps)
Inject Exploit Code  4a : DNS injection  url “gooogle.com”  exploit server 10.0.0.1” URL resolves to 10.0.0.1 for victim Tool dnsmasq configured to resolve url ‘google’ to ip address 10.0.0.1
Inject Exploit Code  4a : DNS injection  url “gooogle.com”  exploit server 10.0.0.1” URL resolves to 10.0.0.1 for victim
Inject Exploit Code  4b : Serve up a modifed gooogle.com webpage to victim URL resolves to 10.0.0.1 for victim gooogle.com Me
Inject Exploit Code  4c :Configure metasploit Metasploit server configuration parameters
Inject Exploit Code  4d : Start the exploit server
Inject Exploit Code  4e :Victim visits gooogle.com
Inject Exploit Code  4f : Metasploit server injects exploit code Exploit uploaded to victims browser
5) Implant malware (e.g. key logger, screenscraper, etc..) Weaponizing and Deploying Exploits(The Steps)
Implant Malware  5a : Reverse shell malware implanted on victim 10z Reverse shell payload implanted
Implant Malware  5b :Use shell to access victim data Reverse shell payload implanted Victim file: ‘private_stuff_demo.txt’
Implant Malware  5b :Use shell to access victim data The ‘private’ data
Implant Malware  5b :Use shell to access victim data The ‘private’ data
Demo:Weaponizing and Deploying
References 1. Joshua J. Drake, et al. (2014). Android Hacker's Handbook. Wiley Publishing. 2. Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams. (2015). Gray Hat Hacking the Ethical Hackers Handbook (4th ed.). McGraw-Hill Osborne Media. 3. Robert Seacord. (2013). Secure Coding in C and C++. Addison- Wesley Professional. 4. Ralf-Philipp Weinmann. 2012. Baseband attacks: Remote exploitation of memory corruptions in cellular protocol stacks. In Proceedings of the 6th USENIX conference on Offensive Technologies (WOOT'12). USENIX Association, Berkeley, CA, USA, 2-2. 5. Kleidermacher, D. & Kleidermacher, M. (2012). Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development 6. Gebotys, C.H. (2009). Security in Embedded Devices. Springer

Recommandé

Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareMalachi Jones
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangCODE BLUE
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
 

Recommandé

Automating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareAutomating Analysis and Exploitation of Embedded Device Firmware
Automating Analysis and Exploitation of Embedded Device FirmwareMalachi Jones
 
Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Cyber_Attack_Forecasting_Jones_2015
Cyber_Attack_Forecasting_Jones_2015Malachi Jones
 
B-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseB-Sides Seattle 2012 Offensive Defense
B-Sides Seattle 2012 Offensive DefenseStephan Chenette
 
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...
Over-the-Air: How we Remotely Compromised the Gateway, BCM, and Autopilot ECU...Priyanka Aash
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware GenerationStephan Chenette
 
IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesIoT Malware: Comprehensive Survey, Analysis Framework and Case Studies
IoT Malware: Comprehensive Survey, Analysis Framework and Case StudiesPriyanka Aash
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangCODE BLUE
 
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...
Automated In-memory Malware/Rootkit Detection via Binary Analysis and Machin...Malachi Jones
 
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
 
The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
Ethical Hacking &amp; Penetration Testing
Ethical Hacking &amp; Penetration TestingEthical Hacking &amp; Penetration Testing
Ethical Hacking &amp; Penetration TestingWon Ju Jub
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5madunix
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
Super1
Super1Super1
Super1neelakanteswarreddy
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat Security Conference
 
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...a001
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017FRSecure
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & MeltdownMurray Security Services
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
Upfront adoption & migration of applications to latest jdk
Upfront adoption & migration of applications to latest jdkUpfront adoption & migration of applications to latest jdk
Upfront adoption & migration of applications to latest jdkNarendran Solai Sridharan
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
 

Contenu connexe

Tendances

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareLastline, Inc.
 
The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksPriyanka Aash
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...Priyanka Aash
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat Security Conference
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Riscure
 
Ethical Hacking &amp; Penetration Testing
Ethical Hacking &amp; Penetration TestingEthical Hacking &amp; Penetration Testing
Ethical Hacking &amp; Penetration TestingWon Ju Jub
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Lastline, Inc.
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5madunix
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxRahul Mohandas
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousRaffael Marty
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsRahul Mohandas
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Rod Soto
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat Security Conference
 
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...a001
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017FRSecure
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 

Tendances (20)

Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in FirmwareUsing Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
Using Static Binary Analysis To Find Vulnerabilities And Backdoors in Firmware
 
The Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined NetworksThe Finest Penetration Testing Framework for Software-Defined Networks
The Finest Penetration Testing Framework for Software-Defined Networks
 
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
From Thousands of Hours to a Couple of Minutes: Automating Exploit Generation...
 
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
BlueHat v17 || KERNELFAULT: R00ting the Unexploitable using Hardware Fault In...
 
Why is it so hard to make secure chips?
Why is it so hard to make secure chips?Why is it so hard to make secure chips?
Why is it so hard to make secure chips?
 
Ethical Hacking &amp; Penetration Testing
Ethical Hacking &amp; Penetration TestingEthical Hacking &amp; Penetration Testing
Ethical Hacking &amp; Penetration Testing
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5Cissp cbk final_exam-answers_v5.5
Cissp cbk final_exam-answers_v5.5
 
Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
AI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are DangerousAI & ML in Cyber Security - Why Algorithms are Dangerous
AI & ML in Cyber Security - Why Algorithms are Dangerous
 
Super1
Super1Super1
Super1
 
Understand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day ThreatsUnderstand How Machine Learning Defends Against Zero-Day Threats
Understand How Machine Learning Defends Against Zero-Day Threats
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombRIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
Dynamic Population Discovery for Lateral Movement (Using Machine Learning)
 
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
BlueHat v17 || Extracting Secrets from Silicon – A New Generation of Bug Hunt...
 
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
Deliberately Un-Dependable Applications: the Role of Dependability Metrics in...
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4
 
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
Slide Deck – Session 8 – FRSecure CISSP Mentor Program 2017
 
Spectre & Meltdown
Spectre & MeltdownSpectre & Meltdown
Spectre & Meltdown
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 

En vedette

Upfront adoption & migration of applications to latest jdk
Upfront adoption & migration of applications to latest jdkUpfront adoption & migration of applications to latest jdk
Upfront adoption & migration of applications to latest jdkNarendran Solai Sridharan
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURENurul Haszeli Ahmad
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!Peter Hlavaty
 
D1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFD1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFAnthony Jose
 
The Python bites your apple
The Python bites your appleThe Python bites your apple
The Python bites your appleQidan He
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...CODE BLUE
 
Henrique Dantas - API fuzzing using Swagger
Henrique Dantas - API fuzzing using SwaggerHenrique Dantas - API fuzzing using Swagger
Henrique Dantas - API fuzzing using SwaggerDevSecCon
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco GrassiShakacon
 
Bug Hunting with Media Formats
Bug Hunting with Media FormatsBug Hunting with Media Formats
Bug Hunting with Media FormatsRussell Sanford
 
Discovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitDiscovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitAbhisek Datta
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerJoxean Koret
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesE Hacking
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteEC-Council
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Andrew McNicol
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectPeter Hlavaty
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsPawel Rzepa
 

En vedette (20)

Upfront adoption & migration of applications to latest jdk
Upfront adoption & migration of applications to latest jdkUpfront adoption & migration of applications to latest jdk
Upfront adoption & migration of applications to latest jdk
 
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTUREVULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
VULNERABILITIES AND EXPLOITATION IN COMPUTER SYSTEM – PAST, PRESENT, AND FUTURE
 
Software Security : From school to reality and back!
Software Security : From school to reality and back!Software Security : From school to reality and back!
Software Security : From school to reality and back!
 
D1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FFD1T3-Anto-Joseph-Droid-FF
D1T3-Anto-Joseph-Droid-FF
 
The Python bites your apple
The Python bites your appleThe Python bites your apple
The Python bites your apple
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
What the fuzz
What the fuzzWhat the fuzz
What the fuzz
 
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
[CB16] About the cyber grand challenge: the world’s first all-machine hacking...
 
Henrique Dantas - API fuzzing using Swagger
Henrique Dantas - API fuzzing using SwaggerHenrique Dantas - API fuzzing using Swagger
Henrique Dantas - API fuzzing using Swagger
 
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
50 Shades of Fuzzing by Peter Hlavaty & Marco Grassi
 
Bug Hunting with Media Formats
Bug Hunting with Media FormatsBug Hunting with Media Formats
Bug Hunting with Media Formats
 
American Fuzzy Lop
American Fuzzy LopAmerican Fuzzy Lop
American Fuzzy Lop
 
Discovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and ProfitDiscovering Vulnerabilities For Fun and Profit
Discovering Vulnerabilities For Fun and Profit
 
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage FuzzerThe Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
The Nightmare Fuzzing Suite and Blind Code Coverage Fuzzer
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
High Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilitiesHigh Definition Fuzzing; Exploring HDMI vulnerabilities
High Definition Fuzzing; Exploring HDMI vulnerabilities
 
Hacking Web Apps by Brent White
Hacking Web Apps by Brent WhiteHacking Web Apps by Brent White
Hacking Web Apps by Brent White
 
Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016Beyond Automated Testing - RVAsec 2016
Beyond Automated Testing - RVAsec 2016
 
Rainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could ExpectRainbow Over the Windows: More Colors Than You Could Expect
Rainbow Over the Windows: More Colors Than You Could Expect
 
Fuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugsFuzzing underestimated method of finding hidden bugs
Fuzzing underestimated method of finding hidden bugs
 

Similaire à SmartphoneHacking_Android_Exploitation

Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best PracticesClint Edmonson
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareLeigh Honeywell
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Stephan Chenette
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedYury Chemerkin
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)Steve Poole
 
4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testingphanleson
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisAntonio Parata
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentChristopher Frenz
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Processphanleson
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Tim Wright
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration TestingStephan Chenette
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61 Google
 
Chapter 09
Chapter 09Chapter 09
Chapter 09 Google
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3IJERA Editor
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)LeClubQualiteLogicielle
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...centralohioissa
 

Similaire à SmartphoneHacking_Android_Exploitation (20)

Security Best Practices
Security Best PracticesSecurity Best Practices
Security Best Practices
 
Break it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure softwareBreak it while you make it: writing (more) secure software
Break it while you make it: writing (more) secure software
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013Building Custom Android Malware BruCON 2013
Building Custom Android Malware BruCON 2013
 
Stuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learnedStuxnet redux. malware attribution & lessons learned
Stuxnet redux. malware attribution & lessons learned
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
4.Security Assessment And Testing
4.Security Assessment And Testing4.Security Assessment And Testing
4.Security Assessment And Testing
 
HackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware AnalysisHackInBo2k16 - Threat Intelligence and Malware Analysis
HackInBo2k16 - Threat Intelligence and Malware Analysis
 
An Introduction to Secure Application Development
An Introduction to Secure Application DevelopmentAn Introduction to Secure Application Development
An Introduction to Secure Application Development
 
3.Secure Design Principles And Process
3.Secure Design Principles And Process3.Secure Design Principles And Process
3.Secure Design Principles And Process
 
Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)Finding the needle in the hardware haystack - HRES (1)
Finding the needle in the hardware haystack - HRES (1)
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Op Sy 03 Ch 61
Op Sy 03 Ch 61Op Sy 03 Ch 61
Op Sy 03 Ch 61
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
Exploring the Social Engineering Toolkit (Set) Using Backtrack 5R3
 
20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)20100309 03 - Vulnerability analysis (McCabe)
20100309 03 - Vulnerability analysis (McCabe)
 
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
Timothy Wright & Stephen Halwes - Finding the Needle in the Hardware – Identi...
 

Dernier

cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...Technogeeks
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineeringssuserb3a23b
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Matt Ray
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf31events.com
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfFerryKemperman
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commercemanigoyal112
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Cizo Technology Services
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Velvetech LLC
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanyChristoph Pohl
 

Dernier (20)

cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.ppt
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Advantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your BusinessAdvantages of Odoo ERP 17 for Your Business
Advantages of Odoo ERP 17 for Your Business
 
What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...What is Advanced Excel and what are some best practices for designing and cre...
What is Advanced Excel and what are some best practices for designing and cre...
 
Software Coding for software engineering
Software Coding for software engineeringSoftware Coding for software engineering
Software Coding for software engineering
 
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
Open Source Summit NA 2024: Open Source Cloud Costs - OpenCost's Impact on En...
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
Sending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdfSending Calendar Invites on SES and Calendarsnack.pdf
Sending Calendar Invites on SES and Calendarsnack.pdf
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Introduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdfIntroduction Computer Science - Software Design.pdf
Introduction Computer Science - Software Design.pdf
 
Cyber security and its impact on E commerce
Cyber security and its impact on E commerceCyber security and its impact on E commerce
Cyber security and its impact on E commerce
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
Global Identity Enrolment and Verification Pro Solution - Cizo Technology Ser...
 
Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...Software Project Health Check: Best Practices and Techniques for Your Product...
Software Project Health Check: Best Practices and Techniques for Your Product...
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte GermanySuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
SuccessFactors 1H 2024 Release - Sneak-Peek by Deloitte Germany
 

SmartphoneHacking_Android_Exploitation

  • 1. Smartphone Hacking TheArt ofAndroid Exploitation By: Malachi Jones, PhD
  • 2. About Me  Education  Bachelors Degree: Computer Engineering (Univ. of Florida, 2007)  Master’s Degree: Computer Engineering (GeorgiaTech, 2009)  PhD: Computer Engineering (GeorgiaTech, 2013)  Cyber Security Experience  Harris: Cyber Software Engineer (2013-2014)  Harris: Vulnerability Researcher (2015)  BoozAllen DarkLabs : Embedded Security Researcher (2016- Present) https://www.linkedin.com/in/malachijonesphd
  • 3. About Dark Labs BoozAllen Dark Labs is an elite team of security researchers, penetration testers, reverse engineers, network analysts, and data scientists, dedicated to stopping cyber attacks before they occur.1 (1 http://darklabs.bah.com)
  • 4. 2015: AYear of Embedded Exploitation (Link)
  • 5. (Link) 2015: AYear of Embedded Exploitation
  • 6. (Link) 2015: AYear of Embedded Exploitation
  • 8. Outline  Motivation: Understanding both sides (offense & defense)  Objectives ofTalk  Review  Secure Coding  Vulnerability Research (VR)  Vulnerability Discovery on Android  Weaponizing & Deploying Exploits  Demo/Conclusion
  • 9. Motivation: Understanding Offense & Defense  DefensiveCyber Awareness  Understanding and implementation of current best practices (e.g. secure coding) to build a hardened security system  Successfully making tradeoffs between security, performance, and cost to develop a system that is useful, secure, and affordable
  • 10. Motivation: Understanding Offense & Defense  Offensive Cyber Awareness  Forefront of new attacks & techniques  Can help defenders develop mitigation techniques before a new attack can cause significant damage  Ability to think like the adversary to find and patch potential vulnerabilities before they do
  • 11. Objectives ofTalk  Discuss techniques (borrowed from hackers) that can allow the defender to find and patch vulnerabilities before a hacker does  Demonstrate how effortless it can be to weaponize a vulnerability to p0wn devices.
  • 12. Android Hacker’s Handbook  This presentation is based on material from the Handbook  Joshua Drake is the lead author and also the person who discovered the Android vulnerability dubbed StageFright  Handbook provides a lot more in-depth coverage onAndroid Hacking than we can cover in this presentation
  • 14. Review: Secure Coding  Low level code (e.g. drivers and kernels) of embedded devices such as smartphones are written in C/C++  The genius/curse of C/C++  Trust the programmer  Don’t prevent the programming from doing what needs to be done  Make it fast, even if it is not guaranteed to be portable  How does this translate to security and safety? It doesn’t…..
  • 15. Review: Secure Coding  Best practices for secure C/C++ coding written by Robert C. Seacord (CERT @ CMU)  Based on common mistakes that inexperienced and professional software developers make  Should be a mandatory reading for any aspiring C/C++ programmer
  • 16. Review: Secure Coding  Question: So, how can bugs still manifest even if best practices such as secure coding principles are adhered to?  Answer:An attacker can exploit bugs in the interactions (external and/or internal) of components in hardware and/or software systems  Case Study: Hot Potato Exploit (link)  Affects allWindows versions includingWindows 7 & 8  Exploits bugs in the interaction with legacy software components that include NetBIOS Name Service (NBNS)  Can enable remote code execution by an attacker
  • 18. Review:Vulnerability Research  Primary objective of Vulnerability Research (VR) is to find exploitable bugs (not all bugs are exploitable)  Often, a proof of concept (PoC) is desirable that demonstrates the extent to which the vulnerability can be weaponized in a reliable way to p0wn devices.
  • 19. Review:Vulnerability Research  Complications (in the exploitation of bug)  AddressSpace Layout Randomization (ASLR) : Randomizes base address of modules; difficult for attacker to know where to direct cpu to execute code  Data Execution Prevention (DEP) : Makes non-code memory regions not executable; no shell code execution  Reliability:The vulnerability may be difficult to consistently reproduce; vulnerability may require the system to be in an unlikely state for exploitation
  • 20. Review:Vulnerability Research  VR Process Overview  ProfilingTarget: Information gathering which includes port scanning and preliminary reviews of device services and security features (e.g. ASLR and SELinux)  InitialAccess: Preferably obtaining access to a shell or a debug serial port on a test device that is similar to target device  Vulnerability Discovery: Activities include static analysis, dynamic analysis, and fuzzing to discover an exploitable bug  Exploitation/Weaponization: Development of a proof-of-concept that demonstrates the exploit capabilities of bug.
  • 21. Review:Vulnerability Research  VR Process Overview  ProfilingTarget: Information gathering which includes port scanning and preliminary reviews of device services and security features (e.g. ASLR and SELinux)  InitialAccess: Preferably obtaining access to a shell or a debug serial port on a test device that is similar to target device  Vulnerability Discovery: Activities include static analysis, dynamic analysis, and fuzzing to discover an exploitable bug  Exploitation/Weaponization: Development of a proof-of-concept that demonstrates the exploit capabilities of bug. Presentation Focus
  • 22. Review:Vulnerability Research  Vulnerability Discovery  Static Analysis: Analyzing code and data in the application without directly executing the application; may require converting the binary from machine code to C-like code, aka decompiling.  DynamicAnalysis: Executing the application in an instrumented or monitored manner to garner more concrete information on behavior  Fuzzing: Dynamic method for testing software input validation by feeding it intentionally malformed input
  • 23. v bool validatePassword(char * usercredential, int password_len, int username_len) { char username[100]; char password[100]; //Get username memcpy(username, usercredential,username_len); char *p_password = usercredential+ username_len +1; //Get password memcpy(password, p_password,password_len); ………………………………………………………………………………………… } No check to make sure that the password length does not exceed the local buffer size of ‘100’ Password buffer has length of 100 Review:Vulnerability Research  Static Analysis  In the above example, there is a stack overflow vulnerability  By passing in a ‘password’ with a length greater than 100, possible to overflow buffer, which can allow for control of code execution
  • 24. Review:Vulnerability Research  Static Analysis  If the source is unavailable, then it may be necessary to decompile the binary into psuedo code  Tools such as IDA PRO can be used to aid in reversing Decompiled “Pseudo-C”ARM Dissassembly
  • 25. Review:Vulnerability Research  Dynamic Analysis  Can be used to step through the code to understand behavior  Variables and software state can be manipulated
  • 26. Review:Vulnerability Research  Fuzzing  A primary objective is to generate malformed input that will induce unexpected behavior in software that can include a crash  Additional static/dynamic analysis can then be used to determine root cause and whether or not the bug is exploitable Software Component Input Output Typical Scenario Fuzzing Scenario Software Component Output Fuzzer (Malformed Input) Input Crash
  • 27. Review:Vulnerability Research  Exploitation/Weaponization  RemoteAccess: Setting up a backdoor on the victim that allows for future command and control capabilities  Phoning home state of victim: Periodically updating the host about the current activities and state of victim  Persistence: Includes surviving a reboot of victim and attempts to remove installed ‘custom’ software
  • 28. Review:Vulnerability Research  Weaponization: Case Study of Regin (link)  Remote Access: Cyberattack platform that is deployed on victim networks for total remote control of host at all levels  Phoning Home State ofVictim: Forms a peer-to-peer network with other infected machines to send information back to the command and control center  Persistence: Covertly installs kernel modules and drivers 28
  • 29. Review:Vulnerability Research  Question: Are Hackers the only ones that conduct vulnerability research? If not, why would others do this type of research?  Answer:  The motivation behind this presentation is that the defenders should also be usingVR techniques to identify exploitable bugs.  Some companies have bug bounty hunting programs, where a white/grey hat identifies a bug in exchange for money  Others hireVR personnel onsite to hack into their own stuff. Example: Charlie Miller and ChrisValasek were hired by Uber after their Chrysler car hack demo (link).
  • 31. Vulnerability Discovery on Android  Important Note: Although concepts and techniques discussed in this section are targeted at the Android platform, they are also relevant for other platforms including iOS, Linux, andWindows.
  • 32. Vulnerability Discovery on Android Overall Goal: Exercise code on the target with malformed inputs that we generate
  • 33. Vulnerability Discovery on Android  Steps for Exploit Discovery using FuzzTesting 1. Choose a software target 2. Generate Inputs 3. Delivering & Processing Inputs 4. Monitor for crashes
  • 34. Vulnerability Discovery on Android (The Steps) 1) Choose a SoftwareTarget
  • 35. Vulnerability Discovery: Choosing aTarget  Objective 1.1: Find a software attack surface whose code can be exercised remotely by an adversary
  • 36. Vulnerability Discovery: Choosing aTarget  We’ll target the Android browser  Why?  Standard on all Android devices  Since web browsers focus on performance, much of the code is implemented in C/C++  Very complex with support for new technologies that include HTML5, and the browser is essentially a mini OS
  • 37. Vulnerability Discovery: Choosing aTarget  Objective 1.2: Select a web technology that the browser implements to focus on  Note: One of the most challenging aspects of fuzzing is to determining where to focus the fuzzing efforts
  • 38. Vulnerability Discovery: Choosing aTarget  We’ll focus on the Typed Array feature of HTML5  Why HTML5  Relatively new technologies, which means there are bound to be undiscovered bugs  Has a rich feature set that includes support for video and audio, which means high complexity;complexity often introduces bugs
  • 39. Vulnerability Discovery: Choosing aTarget  Background: Typed Arrays  Allows web developers access to a region of memory that is formatted as a native array  ExampleSnippet:  Snippet Explained : Creates an array of 16 elements and initializes them from 0 to 15 var arr = new Uint8Array(16); for (var n = 0; n < arr.length; n++) { arr[n] = n }
  • 40. Vulnerability Discovery: Choosing aTarget  Key Concepts:  The typed array is a native array, which means that it doesn’t need to be translated between JavaScript and native representation  Translating back and forth between JavaScript and native representation impacts performance  Browser can achieve greater performance through improved efficiency using this type of array var arr = new Uint8Array(16); for (var n = 0; n < arr.length; n++) { arr[n] = n }
  • 41. Vulnerability Discovery: Choosing aTarget  Previously disclosed bugs inTyped Array :  Researcher Pinkie Pie compromises of Chrome @ 2013 Mobile pwn2Own (link)  Researcher geohot compromises Chrome @ 2014 pwn2Own (link) var arr = new Uint8Array(16); for (var n = 0; n < arr.length; n++) { arr[n] = n }
  • 42. 2) Generating Inputs Vulnerability Discovery on Android (The Steps)
  • 43. Vulnerability Discovery: Generate Inputs  So now that we have our target, we’d like to generate inputs to see how the target handles it  Below is an example snippet that would generate different ‘types’ of Typed Arrays  Note: Generating ‘good’ inputs is not trivial. It requires an understanding of the target and the possible unaddressed corner cases and boundary conditions def generate_var(): vtype = random.choice(TYPEDARRAY_TYPES) vlen = rand_num() return “var array1 = new %s(%d);” % (vtype, vlen)
  • 44. Vulnerability Discovery on Android (The Steps) 3) Delivering & Processing Inputs
  • 45. Vulnerability Discovery: Delivering Inputs  Delivering Inputs  What we’d like is a way to get the inputs to the target and have the target execute it  Tools such as BrowserFuzz have lightweight http servers that can serve up the input to the target  Processing Input  Getting chrome to process our special URL (that points to our fuzz html server) can be automated  We can take advantage of the ActivityManager to start the browser and tell it where to load content from via Intents
  • 46. 4) Monitoring for Crashes Vulnerability Discovery on Android (The Steps)
  • 47. Vulnerability Discovery: Monitoring for Crashes  Key Concept: Monitoring the behavior of the target program is essential to knowing whether you’ve discovered something that is noteworthy  When a process on android crashes, debuggerd writes information about the crash to the system log  So we can monitor when the browser crashes by checking the system log.
  • 49. Weaponizing and Deploying Exploits  So we’ve found an exploit… How do we make it useful?
  • 50. Weaponizing and Deploying Exploits  The Steps (Browser exploit) 1. Choose the target 2. Develop or utilize an exploit delivery mechanism (e.g. Metasploit) 3. Get in-between the victim and the network 4. Inject exploit code in the victim’s HTML traffic 5. Implant malware (e.g. key logger, screenscraper, etc..)
  • 51. Weaponizing and Deploying Exploits(The Steps) 1) Choose the target
  • 52. Weaponizing and Deploying Exploits  PossibleTargets for Browser Exploit  Note: This exploit technique can be applied to any computing device (e.g. in-car entertainment system) that uses a browser
  • 53. Weaponizing and Deploying Exploits  For convenience, we’ll target a laptop
  • 55. Choose the target  We’ll target IE 8 (because there is a nice metasploit package for it)
  • 56. 2) Develop or utilize an exploit delivery mechanism Weaponizing and Deploying Exploits(The Steps)
  • 57. Exploit delivery mechanism  Metasploit will be our exploit delivery mechanism
  • 58. Exploit delivery mechanism  Note the IE exploit ie_cbutton_uaf (link) use-after-free IE exploit module
  • 59. 3) Get in-between the victim and the network Weaponizing and Deploying Exploits(The Steps)
  • 60. Man-in-the-middle target device  EvilTwin Attack (link)  We’ll setup a rogue access point with the ssid attwifi  Most smartphones have attwifi as an ssid that they will automatically try to connect to it
  • 61.  Hardware for EvilTwin Attack  We’ll need a wifi adapter that supports master mode  master mode enables adapter to function as an AP  TheTP-Link WN722N supports master mode and other modes that include monitor mode TP-LINKTL-WN722N Man-in-the-middle target device
  • 62. Man-in-the-middle target device  Software for EvilTwin Attack  hostapd allows for a softwareAP to be created  Tool supports features includingWPA attwifi ssid
  • 63. Man-in-the-middle target device  Software for EvilTwin Attack  hostapd allows for a softwareAP to be created  Tool supports features includingWPA
  • 65. 4) Inject exploit code in the victim’s HTML traffic Weaponizing and Deploying Exploits(The Steps)
  • 66. Inject Exploit Code  4a : DNS injection  url “gooogle.com”  exploit server 10.0.0.1” URL resolves to 10.0.0.1 for victim Tool dnsmasq configured to resolve url ‘google’ to ip address 10.0.0.1
  • 67. Inject Exploit Code  4a : DNS injection  url “gooogle.com”  exploit server 10.0.0.1” URL resolves to 10.0.0.1 for victim
  • 68. Inject Exploit Code  4b : Serve up a modifed gooogle.com webpage to victim URL resolves to 10.0.0.1 for victim gooogle.com Me
  • 69. Inject Exploit Code  4c :Configure metasploit Metasploit server configuration parameters
  • 70. Inject Exploit Code  4d : Start the exploit server
  • 71. Inject Exploit Code  4e :Victim visits gooogle.com
  • 72. Inject Exploit Code  4f : Metasploit server injects exploit code Exploit uploaded to victims browser
  • 73. 5) Implant malware (e.g. key logger, screenscraper, etc..) Weaponizing and Deploying Exploits(The Steps)
  • 74. Implant Malware  5a : Reverse shell malware implanted on victim 10z Reverse shell payload implanted
  • 75. Implant Malware  5b :Use shell to access victim data Reverse shell payload implanted Victim file: ‘private_stuff_demo.txt’
  • 76. Implant Malware  5b :Use shell to access victim data The ‘private’ data
  • 77. Implant Malware  5b :Use shell to access victim data The ‘private’ data
  • 79. References 1. Joshua J. Drake, et al. (2014). Android Hacker's Handbook. Wiley Publishing. 2. Allen Harper, Shon Harris, Jonathan Ness, Chris Eagle, Gideon Lenkey, and Terron Williams. (2015). Gray Hat Hacking the Ethical Hackers Handbook (4th ed.). McGraw-Hill Osborne Media. 3. Robert Seacord. (2013). Secure Coding in C and C++. Addison- Wesley Professional. 4. Ralf-Philipp Weinmann. 2012. Baseband attacks: Remote exploitation of memory corruptions in cellular protocol stacks. In Proceedings of the 6th USENIX conference on Offensive Technologies (WOOT'12). USENIX Association, Berkeley, CA, USA, 2-2. 5. Kleidermacher, D. & Kleidermacher, M. (2012). Embedded Systems Security: Practical Methods for Safe and Secure Software and Systems Development 6. Gebotys, C.H. (2009). Security in Embedded Devices. Springer