Posts Tagged ‘DefCon32’
[DefCon32] AMD Sinkclose – Universal Ring2 Privilege Escalation
In the intricate landscape of system security, Enrique Nissim and Krzysztof Okupski, researchers from IOActive, uncover a critical vulnerability in AMD processors, dubbed Sinkclose. Their presentation delves into the shadowy realm of System Management Mode (SMM), a powerful x86 execution mode that operates invisibly to operating systems and hypervisors. By exposing a silicon-level flaw undetected for nearly two decades, Enrique and Krzysztof reveal a universal ring -2 privilege escalation exploit, challenging the robustness of modern CPU security mechanisms.
Understanding System Management Mode
Enrique opens by elucidating SMM, a privileged mode that initializes hardware during boot and resides in a protected memory region called SMRAM. Invisible to antivirus, endpoint detection and response (EDR) systems, and anti-cheat engines, SMM’s isolation makes it a prime target for attackers seeking to deploy bootkits or firmware implants. The researchers explain how AMD’s security mechanisms, designed to safeguard SMM, falter due to a fundamental design flaw, enabling unauthorized access to this critical layer.
Exploiting the Sinkclose Vulnerability
Krzysztof details the methodology behind exploiting Sinkclose, a flaw in a critical SMM component. By reverse-engineering AMD’s processor architecture, they crafted an exploit that achieves arbitrary code execution in ring -2, bypassing even hypervisor-level protections. Their approach leverages precise engineering to manipulate SMRAM, demonstrating how attackers could install persistent malware undetectable by conventional defenses. The vulnerability’s longevity underscores the challenges in securing silicon-level components.
Implications for Critical Systems
The impact of Sinkclose extends to devices like the PlayStation 5, though its hypervisor mitigates some risks by trapping specific register accesses. Enrique emphasizes that the exploit’s ability to evade kernel and hypervisor defenses poses significant threats to critical infrastructure, gaming platforms, and enterprise systems. Their findings, promptly reported to AMD, prompted microcode updates, though the researchers note the complexity of fully mitigating such deep-seated flaws.
Future Directions for CPU Security
Concluding, Krzysztof advocates for enhanced firmware validation and real-time monitoring of SMM interactions. Their work highlights the need for vendors to prioritize silicon-level security and for researchers to probe low-level components for hidden weaknesses. By sharing their exploit methodology, Enrique and Krzysztof empower the community to strengthen defenses against similar vulnerabilities, ensuring robust protection for modern computing environments.
Links:
[DefCon32] Breaching AWS Through Shadow Resources
The complexity of cloud environments conceals subtle vulnerabilities, and Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach from Aqua Security reveal how shadow resources in Amazon Web Services (AWS) can be exploited. Their research uncovers six critical vulnerabilities, ranging from remote code execution to information disclosure, enabling potential account takeovers. By mapping internal APIs and releasing an open-source tool, Yakir, Michael, and Ofek empower researchers to probe cloud systems while offering developers robust mitigation strategies.
Uncovering Shadow Resource Vulnerabilities
Yakir introduces shadow resources—services that rely on others, like S3 buckets, for operation. Their research identified vulnerabilities in AWS services, including CloudFormation, Glue, and EMR, where misconfigured buckets allowed attackers to assume admin roles. One severe flaw enabled remote code execution, potentially compromising entire accounts. By analyzing service dependencies, Yakir’s team developed a methodology to uncover these hidden risks systematically.
Mapping and Exploiting Internal APIs
Michael details their approach to mapping AWS’s internal APIs, identifying common patterns that amplify vulnerability impact. Their open-source tool, released during the talk, automates this process, enabling researchers to detect exposed resources. For instance, unclaimed S3 buckets could be hijacked, allowing attackers to manipulate data or escalate privileges. This methodical mapping exposed systemic flaws, highlighting the need for vigilant resource management.
Mitigation Strategies for Cloud Security
Ofek outlines practical defenses, such as using scoped IAM policies with resource account conditions to restrict access to trusted buckets. He recommends verifying bucket ownership with expected bucket owner headers and using randomized bucket names to deter hijacking. These measures, applicable to open-source projects, prevent dangling resources from becoming attack vectors. Ofek emphasizes proactive checks to ensure past vulnerabilities are addressed.
Future Research and Community Collaboration
The trio concludes by urging researchers to explore new cloud attack surfaces, particularly internal API dependencies. Their open-source tool fosters community-driven discovery, encouraging developers to adopt secure practices. By sharing their findings, Yakir, Michael, and Ofek aim to strengthen AWS environments, ensuring that shadow resources no longer serve as gateways for catastrophic breaches.
Links:
[DefCon32] Threat Modeling in the Age of AI
As artificial intelligence (AI) reshapes technology, Adam Shostack, a renowned threat modeling expert, explores its implications for security. Speaking at the AppSec Village, Adam examines how traditional threat modeling adapts to large language models (LLMs), addressing real-world risks like biased hiring algorithms and deepfake misuse. His practical approach demystifies AI security, offering actionable strategies for researchers and developers to mitigate vulnerabilities in an AI-driven world.
Foundations of Threat Modeling
Adam introduces threat modeling’s four-question framework: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? This structured approach, applicable to any system, helps identify vulnerabilities in LLMs. By creating simplified system models, researchers can map AI components, such as training data and inference pipelines, to pinpoint potential failure points, ensuring a proactive stance against emerging threats.
AI-Specific Security Challenges
Delving into LLMs, Adam highlights unique risks stemming from their design, particularly the mingling of code and data. This architecture complicates secure deployment, as malicious inputs can exploit model behavior. Real-world issues, such as AI-driven resume screening biases or facial recognition errors leading to wrongful arrests, underscore the urgency of robust threat modeling. Adam notes that while LLMs excel at specific mitigation tasks, broad security questions yield poor results, necessitating precise queries.
Leveraging AI for Security Solutions
Adam explores how LLMs can enhance security practices. By generating mitigation code or test cases for specific vulnerabilities, AI can assist developers in fortifying systems. However, he cautions against over-reliance, as generic queries produce unreliable outcomes. His approach involves using AI to streamline threat identification while maintaining human oversight, ensuring that mitigations address tangible risks like data leaks or model poisoning.
Future Directions and Real-World Impact
Concluding, Adam dismisses apocalyptic AI fears but stresses immediate concerns, such as deepfake proliferation and biased decision-making. He advocates integrating threat modeling into AI development to address these issues early. By fostering a collaborative community effort, Adam encourages researchers to refine AI security practices, ensuring that LLMs serve as tools for progress rather than vectors for harm.
Links:
[DefCon32] How to Keep IoT From Becoming An IoTrash
The proliferation of Internet of Things (IoT) devices promises connectivity but risks creating a digital wasteland of abandoned, vulnerable gadgets. Paul Roberts, Chris Wysopal, Cory Doctorow, Tarah Wheeler, and Dennis Giese, a distinguished panel from Secure Resilient Future Foundation, Electronic Frontier Foundation, Veracode, Red Queen Dynamics, and DontVacuum.me, respectively, address this crisis. Their discussion, rooted in cybersecurity and policy expertise, explores solutions to prevent IoT devices from becoming e-waste, advocating for transparency, ownership, and resilience.
The Growing Threat of Abandonware
Paul opens by highlighting the scale of the issue: end-of-life devices, from routers to medical equipment, are abandoned by manufacturers, leaving them susceptible to exploitation. Black Lotus Labs’ discovery of 40,000 compromised SOHO routers in the “Faceless” botnet underscores this danger. Cory introduces the concept of “enshittification,” where platforms and devices degrade as manufacturers prioritize profits over longevity, citing Spotify’s Car Thing, bricked without refunds after brief market presence.
Policy and Right-to-Repair Solutions
Tarah and Chris advocate for legislative reforms, such as updating the Digital Millennium Copyright Act (DMCA), to grant consumers repair rights. Google’s extension of Chromebook support to ten years saved millions in e-waste, a model Tarah suggests for broader adoption. Chris emphasizes that unmaintained devices fuel botnets, threatening critical infrastructure. Policy changes, including antitrust enforcement to curb monopolistic practices, could compel manufacturers to prioritize device longevity and security.
Cybersecurity Implications and Community Action
Dennis, known for reverse-engineering vacuum robots, stresses the cybersecurity risks of abandoned devices. Malicious actors exploit unpatched vulnerabilities, conscripting devices into botnets. He calls for community-driven efforts to document and secure IoT systems. Paul, through the Secure Resilient Future Foundation, encourages grassroots advocacy, such as contacting local representatives to support repair-friendly legislation, making it easier for individuals to contribute without navigating complex policy landscapes.
Redefining Ownership and Sustainability
Cory argues for redefining ownership in the IoT era, criticizing practices like Adobe’s Creative Cloud, where Pantone’s licensing dispute threatened to render designers’ work unusable. By designing devices to resist forced downgrades, manufacturers can empower users to maintain control. The panel collectively urges a shift toward sustainable design, where devices remain functional through community-driven updates, reducing e-waste and enhancing digital resilience.
Links:
[DefCon32] Autos, Alcohol, Blood, Sweat, & Creative Reversing Obfuscated Car Modding Tool
In the intricate world of reverse engineering, Atlas, a seasoned security researcher, unveils a captivating journey through the deobfuscation of an automotive modding tool. This software, capable of flashing firmware and tweaking vehicle engines, represents a complex challenge due to its heavily obfuscated code. Atlas’s narrative, rich with technical ingenuity, guides the audience through innovative approaches to unraveling hidden truths, empowering researchers with new methodologies and tools to tackle similar challenges.
Confronting Obfuscation Challenges
Atlas begins by describing the daunting nature of obfuscated code, which obscures functionality to thwart analysis. The automotive modding tool, a blend of machine code and proprietary logic, posed unique hurdles. By leveraging tools like Vivisect, Atlas meticulously dissected the binary, identifying key patterns such as virtual function tables. These tables, often marked by grouped function pointers, served as entry points to understand the code’s structure. His approach focused on analyzing the “this” pointer in 32-bit architectures, typically passed via the ECX register, to map out critical functions like destructors.
Crafting Custom Analysis Tools
To overcome the limitations of existing binary analysis tools, Atlas customized his toolkit, enhancing Vivisect to handle the tool’s unique obfuscation techniques. He explored cross-references to function pointers, uncovering embedded strings and objects. For instance, comparing register values like EDI against offsets revealed string manipulations, allowing Atlas to reconstruct the code’s intent. His creative modifications enabled dynamic analysis, transforming static binaries into actionable insights, a process he encourages others to replicate by adapting tools to specific needs.
Decoding the Automotive Modding Tool
The core of Atlas’s work centered on understanding the modding tool’s interaction with vehicle systems. By analyzing function calls and memory operations, he identified how the tool manipulated firmware to alter engine performance. His methodology involved tracing execution paths, spotting decrement and free operations, and reconstructing object hierarchies. This granular approach not only demystified the tool but also highlighted vulnerabilities in its design, offering lessons for securing automotive software against unauthorized modifications.
Empowering the Community
Atlas concludes with a call to action, urging researchers to think beyond conventional tools and embrace creative problem-solving. By sharing his customized Vivisect enhancements and methodologies, he aims to inspire others to tackle obfuscated code with confidence. His emphasis on understanding the “why” behind code behavior fosters a deeper appreciation for reverse engineering, equipping the community to uncover truths in complex systems.
Links:
- None
[DefCon32] Secrets & Shadows: Leveraging Big Data for Vulnerability Discovery
Vulnerability discovery at scale requires rethinking traditional approaches, and Bill Demirkapi, an independent security researcher, demonstrates how big data uncovers overlooked weaknesses. By leveraging unconventional sources like virus scanning platforms, Bill identifies tens of thousands of vulnerabilities, from forgotten cloud assets to leaked secrets. His talk shifts the paradigm from target-specific analysis to correlating vulnerabilities across diverse datasets, exposing systemic flaws in major organizations.
Scaling Vulnerability Discovery
Bill challenges conventional methods that focus on specific targets, advocating for a data-driven approach. By analyzing DNS records for dangling domains and secret patterns in public repositories, he uncovers misconfigurations like exposed AWS keys. His methodology correlates these findings with organizational assets, revealing vulnerabilities that traditional scans miss. A case study highlights an ignored AWS support case, where a leaked key remained active due to a generic billing email.
Exploiting Forgotten Cloud Assets
Dangling domains, pointing to unclaimed IP addresses, offer attackers entry points to compromise services. Bill’s research identifies these through large-scale DNS analysis, exposing forgotten cloud assets in enterprises. By cross-referencing with cloud provider data, he maps vulnerabilities to specific organizations, demonstrating the devastating impact of seemingly trivial oversights.
Addressing Leaked Secrets
Leaked credentials, such as AWS access keys, pose significant risks when posted publicly. Bill’s use of virus scanning platforms to detect these secrets reveals a gap in provider responses—AWS, unlike Google Cloud or Slack, does not automatically revoke exposed keys. He proposes automated revocation mechanisms and shares a tool to streamline key detection, urging providers to prioritize proactive security.
Industry-Wide Solutions
Bill calls for systemic changes, emphasizing provider responsibility to revoke exposed credentials immediately. His open-source tools and methodology, available for community use, enable researchers to replicate his approach across vulnerability classes. By breaking down traditional discovery methods, Bill’s work fosters a collaborative effort to address ecosystem-wide security gaps.
Links:
[DefCon32] Process Injection Attacks with ROP
Advanced return-oriented programming (ROP) opens new frontiers in process injection, and Bramwell Brizendine and Shiva Shashank Kusuma, from Verona Lab, present a robust methodology to master it. Their talk details chaining complex Windows APIs via ROP, overcoming challenges like string comparison in memory-constrained environments. By introducing a universal solution for identifying target processes, Bramwell and Shiva provide reusable patterns for reliable injection, demonstrated through a live exploit of Winamp.
ROP Challenges in Process Injection
Bramwell outlines the intricacies of ROP-based process injection, which requires chaining multiple WinAPIs with precise parameter handling. Unlike traditional injection, ROP lacks direct string comparison capabilities due to missing gadgets. Their novel solution constructs an enumeration function purely in ROP, enabling precise identification of target processes like Winamp by process ID (PID), a breakthrough for reliable injection.
Building Reusable API Patterns
Shiva details their creation of diverse patterns for WinAPIs, leveraging the PUSHAD instruction for flexibility. For APIs lacking PUSHAD patterns, they employ a “sniper” approach, meticulously crafting alternatives. Their demo walks through injecting shellcode into Winamp, using CreateToolhelp32Snapshot, EnumProcesses, and CreateRemoteThread, with memory permissions adjusted via NtMapViewOfSection. This structured approach ensures reproducibility across different targets.
Practical Demonstration and Tools
The live demo showcases their ROP-based injection, starting with a snapshot of running processes, enumerating to find Winamp’s PID, and injecting shellcode via remote thread creation. Their ROProcket tool, designed for ROP and jump-oriented programming, supports this methodology, offering templates for researchers to adapt. Bramwell emphasizes the goal of providing a scalable framework, not just a one-off exploit.
Implications for Security Research
By sharing their patterns and tools, Bramwell and Shiva empower researchers to explore ROP-based injection systematically. They highlight the need for defenses against such techniques, as early-stage injections can evade EDR systems. Their work invites further innovation in ROP methodologies, urging the community to build on their open-source contributions for enhanced security testing.
Links:
[DefCon32] Manipulating Shim and Office for Code Injection
The Windows ecosystem harbors hidden attack surfaces, and security researchers Ron Ben-Yizhak and David Shandalov from Deep Instinct unveil a sophisticated technique to exploit them. By manipulating the Application Compatibility Framework (shim) and OfficeClickToRun service, they achieve stealthy code injection and privilege escalation without traditional traces like registry modifications. Their reverse engineering of undocumented APIs and kernel drivers reveals novel methods to subvert system defenses, challenging assumptions about patched vulnerabilities.
Reviving the Shim Attack Surface
Ron introduces the Application Compatibility Framework, designed to ensure legacy software runs on modern Windows systems. The shim infrastructure, managed by a kernel driver, applies runtime fixes to processes. By exploiting undocumented APIs, Ron and David craft a malicious shim that injects code without disk-based evidence, evading detection by endpoint detection and response (EDR) systems. This approach, applied to 64-bit processes, bypasses traditional monitoring, as injection occurs before EDR hooks are established.
Exploiting OfficeClickToRun for Escalation
David details their attack surface research on OfficeClickToRun.exe, a service running as NT AUTHORITY\SYSTEM. By leveraging its undocumented RPC interfaces and Opportunistic Lock (OpLock) mechanisms, they inject a DLL into a high-privilege process, achieving escalation. This method requires specific conditions, which they meticulously engineered, demonstrating the power of combining disparate system components into a cohesive attack vector.
Methodology and Community Collaboration
The duo’s methodology hinges on deep reverse engineering, analyzing shim data structures and AVL tables to manipulate process behavior. They modernize a previously known technique, making it registry-free and elusive. Ron and David share their tools’ source code, inviting the community to refine these attacks and explore additional shim fixes. Their findings highlight the potential for OpLock and shim mechanisms to serve as building blocks for complex, multi-component attacks.
Defensive Measures and Future Research
To counter these threats, Ron and David urge developers to monitor early-stage process injections and scrutinize undocumented APIs. They encourage further exploration of shim data structures and AVL table manipulations, which could yield new attack vectors. By open-sourcing their tools, they foster collaborative advancements in offensive security, aiming to strengthen Windows defenses against such stealthy techniques.
Links:
[DefCon32] Sudos and Sudon’ts: Peering Inside Sudo for Windows
In a groundbreaking move, Microsoft introduced Sudo for Windows in February 2024, bringing a Unix-like privilege elevation mechanism to Windows 11 Insider Preview. Michael Torres, a security researcher at Google, delves into the architecture of this novel feature, exploring its implementation, inter-process communication, and potential vulnerabilities. Michael’s analysis, rooted in reverse engineering and Rust’s interaction with Windows APIs, uncovers security flaws that challenge the tool’s robustness. His open-source approach invites the community to scrutinize and enhance Sudo for Windows, ensuring it balances usability with security.
Understanding Sudo for Windows
Michael begins by demystifying Sudo for Windows, a utility designed to allow users to execute commands with elevated permissions directly from a non-elevated console. Unlike its Unix counterpart, it leverages User Account Control (UAC) for elevation and Advanced Local Procedure Call (ALPC) for communication between processes. Available in Windows 11 version 24H2, the tool supports three configurations: running commands in a new window, disabling input in the current window, or inline execution akin to Linux sudo. Michael highlights its open-source nature, hosted on GitHub, which enables researchers to dissect its codebase for potential weaknesses.
Security Implications and Rust Challenges
Delving into the technical intricacies, Michael examines how Sudo for Windows interoperates with Windows APIs through Rust, a language touted for memory safety. However, invoking native Windows APIs requires “unsafe” Rust code, introducing risks of memory corruption vulnerabilities—counterintuitive to Rust’s safety guarantees. He identifies non-critical issues reported to Microsoft’s Security Response Center (MSRC) and one embargoed vulnerability, emphasizing the need for rigorous scrutiny. For bug hunters, Michael advises focusing on unsafe Rust boundaries, where Windows API calls create exploitable seams.
Path Resolution and Process Coordination
Michael explores the path resolution process, critical for handling file and relative path inputs in Sudo for Windows. The tool’s reliance on ALPC for coordinating elevated and non-elevated processes introduces complexity, as it must maintain secure communication across privilege boundaries. Missteps in path handling or process elevation could lead to unintended escalations, a concern Michael flags for further investigation. His analysis underscores the delicate balance between functionality and security in this new feature.
Community Engagement and Future Directions
Encouraging community involvement, Michael praises the open-source release, urging researchers to probe the codebase for additional vulnerabilities. As Sudo for Windows rolls out to mainline Windows 11, its adoption could reshape administrative workflows, but only if security holds. He advocates for responsible bug hunting to prevent malicious exploitation, ensuring the tool delivers on its promise of seamless elevation without compromising system integrity.
Links:
[DefCon32] Spies and Bytes: Victory in the Digital Age
Cyber warfare reshapes global security, demanding agility and collaboration. General Paul M. Nakasone, retired U.S. Army and former director of the NSA and U.S. Cyber Command, shares insights from his career defending against nation-state hackers. His narrative, rooted in real-world operations, highlights strategies for securing critical infrastructure and countering sophisticated threats. Now founding director of Vanderbilt University’s Institute for National Security, Paul envisions a future where adaptive cyber strategies and new leadership tackle emerging challenges.
Paul’s experiences, from thwarting cyberattacks to fostering international alliances, underscore the importance of transparency and intelligence sharing. His forward-looking vision emphasizes resilience and interdisciplinary approaches to safeguard the digital frontier.
Defending Against Nation-State Threats
Paul recounts operations against adversaries like China and Russia, where rapid intelligence sharing thwarted attacks on U.S. infrastructure. As NSA director, he prioritized real-time collaboration with allies, disrupting cyber campaigns targeting elections and utilities.
These efforts highlight the need for dynamic defenses, adapting to adversaries’ evolving tactics in a borderless digital battlefield.
Building Resilient Cyber Defenses
At U.S. Cyber Command, Paul oversaw strategies integrating offensive and defensive operations. He describes fortifying critical systems, like power grids, through persistent engagement—proactively disrupting attacker infrastructure. Partnerships with private sectors, including tech giants, amplified these efforts, leveraging collective expertise.
Transparency in operations, he argues, builds trust and deters adversaries, a lesson drawn from high-stakes missions.
The Role of Intelligence and Alliances
International cooperation was central to Paul’s tenure. Alliances with NATO and Five Eyes nations enabled coordinated responses to threats, such as ransomware campaigns. Intelligence-driven operations, blending human and technical sources, provided actionable insights, often preventing attacks before they materialized.
This collaborative model sets a benchmark for future cyber defense, emphasizing shared responsibility.
Shaping the Future of Cybersecurity
At Vanderbilt, Paul aims to cultivate young leaders through the Institute for National Security, launching in October 2025. By integrating AI, cybersecurity, and decision-making, the institute addresses the industry’s age gap, where most professionals are over 50. He invites the DEF CON community to join, fostering innovation through partnerships and open dialogue.