MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC, Tencent's XuanwuLab
- Alison Roberts
- 5 years ago
1 MASSIVE SCALE USB DEVICE DRIVER FUZZ WITHOUT DEVICE. HC, Tencent's XuanwuLab
2 whoami: Security; Used to doing Chemistry; Interested in: Console Hacking; Embedded Device Security; Firmware Reverse and Emulation; Unpacking and Un-virtualizing; Geek Stuff: RFID lock-picking; Device hacking;
3 Agenda: Attack On USB and Drivers; Creating Hardwares; The Massive Fuzzing; Results and Demo
4 Attack On USB and Drivers
5 Features: Universal Serial Bus; Data Transfer; Multi Device Class; Quick Charge; Determined by VID and PID; Research: vusbf; BadUSB; USB MITM Fuzzing; PS3 USB JailBreak; Nintendo Switch JailBreak;
6
7 The idea: Plug to Code execution. [Diagram labels: Device Specific Driver; Usbstor.sys; usbport.sys; usbhid.sys; USB*hci.sys; USBHUB.sys; Software; Hardware; Enumeration]
8 The attacking scenario: Unpack Cab File; Verify Binary Signature; Install Driver into DriverStore; Load Driver into Kernel Space; Call Entry Point of Driver; Initial PNP IRP and call PNP IRP handler in target driver
9 The Goal: Find Bugs in auto installed device drivers; Enumeration; Entry point Code in target driver; IRP handler in target driver; Other related code portion in target driver; IO Control Code Fuzzing; Achieve Plug2Pwn attack; Trigger and exploit driver bugs in a crafted USB device; Gain Kernel Code Execution directly;
10 Get the targets: Where and How? Drivers are stored on the Windows update server; Searched when a foreign USB device is inserted; VID and PID are submitted to server; Protocol is documented (WSUS); Create a fake client with Python and a tiny bit of reverse-engineering; Enumerate each combination of VID and PID; How many? [Table; columns: win7x64, win10x64, win7x86, win10x86; rows: RAW, After updateid, After URI; cell values not preserved] Total 3978
11 Trick: VID and PID are WORD, max to 65535; 65536*65536= ; Get VIDs first; VID: 65536->903 (1.3%)
12 Creating Hardwares
13 Hardware: Need hardware to trigger the driver-loading; Preparing devices for thousands of drivers is impossible and costly; No way to automate fuzzing with real hardware; Firmware
14 Emulation: USB Redirection Protocol: Redirect physical USB device into virtual machine; QEMU's feature; While enabled, a socket is exposed to host from guest machine; Connect to the socket normally, send the protocol packets, then a USB device shows up in the guest machine;
15 Emulation: Firmware; Based on vusbf's work, thank you Sergej Schumilo; vusbf's way: Use scapy to construct USB protocol in Python; Parse real USB device descriptor file; My work: Pack the emulation code into a thread function; Use a common COM device as a base descriptor; Apply new VID and PID on each thread run; Extend code for other device classes; Add Microsoft specific descriptor support; Bulk transfer monitor and fuzzing;
16 Emulation result: Working for 90% drivers;
17 Let's Fuzzing
18
19 VM Management [State diagram labels: Initial; Alive; Restart; EnvOK; Plugin; VMCrash; DrvInstalled; DrvRdy; BSOD; VMStuck; VMSnap; Fuzzing; Stage1; Stage2; Stage3; End]
20 Stage 1: Prepare environment for fuzzing; Pre-install target driver into Virtual Machine; Take Snapshot to speed up fuzzing; Task to achieve: Execute program inside VM; Collect as much information as possible for target drivers;
21 Execute program inside VM: QGA (Qemu Guest Agent), much like VMTools, but customizable; Runs as a service on Windows, exposes a Virtual COM device inside VM; Exposed as a regular socket outside VM; Feature: Probe VM status; Read/Write File; Execute Program; Etc.
22 Driver Installation System: Pre-install drivers into OS before fuzzing; Dynamically parse CAB file depending on results of installation for each INF file; Information obtained: List of valid INF files; INF dynamic behavior during installation; The actual copied/installed sys file;
23 Stage 2: Restore VM from Snapshot; Get Virtual USB device ready; Make sure target driver is running; Task to achieve: Launch Virtual USB Device; Monitor Device Status to see if target driver is running;
24 Launch Virtual USB Device: Run the Virtual Device in a standalone thread; Accept VID and PID as arguments; Connect to the USB redir socket to indicate a USB device inserted; Once inserted, wait for packets from guest VM;
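25 Device Status Monitor: Device is accessible only when driver is properly installed and run; When driver is installed successfully, status code is 0;

    if (IsFound) {
        /* Ask the PnP manager for the devnode's status flags and problem code. */
        cr = CM_Get_DevNode_Status(&Status, &Problem, DeviceInfoData.DevInst, 0);
        printf("device status : 0x%x\n", Status);
        if (Status & DN_HAS_PROBLEM) {
            /* Problem explains why the device is not working. */
            printf("\terror code : %d\n", Problem);
        }
        count++;
        IsFound = FALSE;
    }
    } /* closes the enclosing device-enumeration loop, which the slide does not show */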
26 Stage 3: The IO Control Code Fuzzing Stage; Fuzzing of other code portions occurs when the virtual USB device is inserted in stage 2; Task to achieve: Start IO Control Code Fuzzing; Monitor fuzzing and VM status: both VM and VM process; Collect Crashdump and fuzzing testcase;
27 IO Control Code Fuzzing: Design a fuzzer running inside VM; Enumerate IoCtl Codes, and do random fuzzing; Record buffer Out data when fuzzing for further analysis;

    # Fuzz the current IOCTL code against every valid device interface.
    for aa in validinterfaces:
        print("[*]Try to fuzz interface: %s" % aa['interface'])
        #if CurrentIoCTL in aa['validcode']:
        ret = fuzzerdll.fuzzworker("\\\\.\\" + aa['interface'], CurrentIoCTL, seed,
                                   MAX_LEN_TESTCASE, NUM_OF_EACH_ITERATION)
        if ret != 0:
            # Record what is needed to replay the failing case later.
            record = {}
            record['errorcode'] = ret
            record['seed'] = seed
            record['interface'] = aa['interface']
            record['ioctlcode'] = CurrentIoCTL
            xml['UIFRecord']['errorlog'].append(record)
            #print("Error Found while fuzzing, code: %d" % ret)

    # Resume state read from the parsed progress file (xml).
    CurrentIoCTL = int(xml['UIFRecord']['CurrentIoCTL']["@code"], 16)
    CurrentTestedCase = int(xml['UIFRecord']['CurrentTestedCase']["@num"])
    TotalIoCTL = int(xml['UIFRecord']['TotalIoCTL']["@num"])
28 Monitor fuzzing: Monitor IO Control Code fuzzing progress; Read, parse progress file and record the current progress; Monitor VM alive status; Monitor VM process alive status;
29 Collection: Copy Crashdump and Testcase out of VM; Save crash evidence, and record in database; Restore VM back to snapshot; Re-apply progress file to VM and continue fuzzing;
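An added example (not the speaker's code) of the host-side monitoring and resume steps from slides 28 and 29. The progress-file layout is inferred from the keys in the slide 27 snippet, and the state names come from slide 19; the mapping of the two liveness checks to those states, the FuzzMonitor class and the stall threshold are assumptions.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass


@dataclass(frozen=True)
class Progress:
    ioctl: int        # IOCTL code currently being fuzzed
    tested: int       # test cases already run
    total_ioctl: int  # number of IOCTL codes queued for this driver


def parse_progress(text):
    """Parse a progress file; raise ValueError if it is truncated or incomplete."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError("unparseable progress file: %s" % exc) from exc
    if root.tag != "UIFRecord":
        raise ValueError("unexpected root element %r" % root.tag)

    def attr(tag, name, base):
        node = root.find(tag)
        if node is None or name not in node.attrib:
            raise ValueError("missing %s/@%s" % (tag, name))
        return int(node.attrib[name], base)

    return Progress(attr("CurrentIoCTL", "code", 16),
                    attr("CurrentTestedCase", "num", 10),
                    attr("TotalIoCTL", "num", 10))


def render_progress(p):
    """Serialize a checkpoint so it can be written back into the restored VM."""
    root = ET.Element("UIFRecord")
    ET.SubElement(root, "CurrentIoCTL", code="0x%x" % p.ioctl)
    ET.SubElement(root, "CurrentTestedCase", num=str(p.tested))
    ET.SubElement(root, "TotalIoCTL", num=str(p.total_ioctl))
    return ET.tostring(root, encoding="unicode")


class FuzzMonitor:
    """Turns periodic polls into the VM states named on slide 19."""

    def __init__(self, stall_polls=3):
        self.stall_polls = stall_polls
        self.last_good = None   # last complete checkpoint seen
        self.idle_polls = 0     # consecutive polls without progress

    def observe(self, progress_text, vm_process_alive, guest_alive):
        if not vm_process_alive:
            return "VMCrash"            # the QEMU process itself is gone
        try:
            current = parse_progress(progress_text)
        except ValueError:
            current = None              # guest died or was mid-write
        if current is not None and current != self.last_good:
            self.last_good = current
            self.idle_polls = 0
            return "Fuzzing"
        self.idle_polls += 1
        # A guest that stopped answering (for example after a bugcheck) or a
        # counter that no longer moves both end in a snapshot restore.
        if not guest_alive or self.idle_polls >= self.stall_polls:
            return "VMStuck"
        return "Fuzzing"

    def resume_file(self):
        """Progress file to re-apply after restoring the snapshot."""
        return None if self.last_good is None else render_progress(self.last_good)


# Constructed poll data: (progress file text, VM process alive, guest agent alive).
GOOD_1 = ('<UIFRecord><CurrentIoCTL code="0x222000"/>'
          '<CurrentTestedCase num="100"/><TotalIoCTL num="64"/></UIFRecord>')
GOOD_2 = ('<UIFRecord><CurrentIoCTL code="0x222004"/>'
          '<CurrentTestedCase num="250"/><TotalIoCTL num="64"/></UIFRecord>')
TRUNCATED = '<UIFRecord><CurrentIoCTL code="0x222004"/><CurrentTestedCa'
SAMPLE_POLLS = [
    (GOOD_1, True, True),
    (GOOD_2, True, True),
    (TRUNCATED, True, True),
    (GOOD_2, True, True),
    (GOOD_2, True, False),
]


def replay(polls, stall_polls=3):
    """Feed a poll sequence to a fresh monitor; return the states and resume file."""
    monitor = FuzzMonitor(stall_polls)
    states = [monitor.observe(*poll) for poll in polls]
    return states, monitor.resume_file()


if __name__ == "__main__":
    states, resume = replay(SAMPLE_POLLS)
    print(states)
    print(resume)
```

A truncated progress file never overwrites the last complete checkpoint, so the run resumes from the last state the guest finished writing.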
30 Results and Demo
31 Demo1
32 Getting Results: To get a reasonable result, you have to: Reproduce the bug; Scalable automatic Crashdump analysis; Binary level auto-analysis on target drivers;
33 Bug verification: Launch two VMs, one for debugger, the other for debuggee; Redirect guest virtual serial COM to host TCP/IP port; One-click Windows kernel debugging on Linux Host; Really Slowwwww!!!!!!!!!
34 CrashDump Auto-analysis: Hundreds of CrashDumps to be analyzed; Lots of duplication and time consuming; python+pykd make life easier; Parse Crashdump and output basic information;
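An added example (not the speaker's pykd script) of removing the duplication mentioned on slide 34 by grouping crash records on bugcheck code and normalized top stack frames. The record fields, the driver name exampledrv, the dump file names, the IOCTL values and the stack depth are constructed for illustration; in practice the fields would come from the dump parser.

```python
import hashlib
import re
from collections import defaultdict

# module[!symbol][+0xoffset], the frame notation used in the sample records.
FRAME_RE = re.compile(
    r"^(?P<module>[^!+]+)(?:!(?P<symbol>[^+]+))?(?:\+0x(?P<offset>[0-9a-fA-F]+))?$")

# Assumption: modules treated as OS core and never blamed for a crash.
CORE_MODULES = {"nt", "hal"}


def normalize_frame(frame):
    """Reduce a frame to a form that is stable across guests and OS builds."""
    m = FRAME_RE.match(frame.strip())
    if m is None:
        return frame.strip().lower()
    module = m["module"].lower()
    if m["symbol"]:
        # Symbolized frame: drop the instruction offset, which differs
        # between OS builds for the same call path.
        return "%s!%s" % (module, m["symbol"])
    # No symbols (usual for third-party drivers): the module-relative
    # offset is the only locator, so keep it in canonical form.
    return "%s+0x%x" % (module, int(m["offset"] or "0", 16))


def bucket_key(crash, depth=3):
    """Hash of bugcheck code plus the top `depth` normalized frames."""
    frames = [normalize_frame(f) for f in crash["stack"][:depth]]
    raw = "%08x|%s" % (crash["bugcheck"], "|".join(frames))
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()[:12]


def blamed_module(crash):
    """First module on the stack that is not OS core."""
    for frame in crash["stack"]:
        module = normalize_frame(frame).split("!")[0].split("+")[0]
        if module not in CORE_MODULES:
            return module
    return "unknown"


def triage(crashes, depth=3):
    """Group crashes into buckets; return one summary row per bucket."""
    buckets = defaultdict(list)
    for crash in crashes:
        buckets[bucket_key(crash, depth)].append(crash)
    report = []
    for key, members in buckets.items():
        report.append({
            "bucket": key,
            "count": len(members),
            "bugcheck": members[0]["bugcheck"],
            "module": blamed_module(members[0]),
            "ioctls": sorted({c["ioctl"] for c in members}),
            "keep": members[0]["dump"],   # one dump retained per bucket
        })
    report.sort(key=lambda row: (-row["count"], row["bucket"]))
    return report


# Constructed crash records (not taken from the talk).
SAMPLE_CRASHES = [
    {"dump": "vm03-0001.dmp", "bugcheck": 0xD1, "ioctl": 0x222004,
     "stack": ["exampledrv+0x1a4c", "nt!IofCallDriver+0x55",
               "nt!NtDeviceIoControlFile+0x56"]},
    {"dump": "vm07-0004.dmp", "bugcheck": 0xD1, "ioctl": 0x222004,
     "stack": ["EXAMPLEDRV+0x1A4C", "nt!IofCallDriver+0x59",
               "nt!NtDeviceIoControlFile+0x5e"]},
    {"dump": "vm03-0002.dmp", "bugcheck": 0x50, "ioctl": 0x222010,
     "stack": ["nt!memcpy+0x1c0", "exampledrv+0x2f10",
               "nt!IofCallDriver+0x55"]},
    {"dump": "vm11-0001.dmp", "bugcheck": 0xD1, "ioctl": 0x222008,
     "stack": ["exampledrv+0x1a4c", "nt!IofCallDriver+0x55",
               "nt!NtDeviceIoControlFile+0x56"]},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_CRASHES):
        print(row)
```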
35 Driver Auto-Analysis: Tons of drivers need to be analyzed; Time consuming and tedious; IDA plugin is made to make life easier; [Figure: before and after]
36 Example
37 Result
38 Bonus-Exploit Demo
39 Summary: We propose a novel attack surface of Windows; We established a fuzzing system to fuzz USB device drivers; 3rd party driver developers differ in code quality; Low quality of device drivers may harm the Microsoft ecosystem; Virtual devices make driver fuzzing possible, extensible, reliable and efficient;
40 Acknowledgement: My leader: tkyu; WenqunWang for writing exploit
41 THANKS FOR ATTENTION