Jonathan Lalou's Blog

Posts Tagged ‘DefCon32’

Allan Cecil, known as dwangoAC, a prominent figure in the speedrunning community and founder of TASBot, tackles the pervasive issue of cheating in video game speedrunning. By leveraging tool-assisted speedruns (TAS), Allan exposes fraudulent records, including a long-standing Diablo speedrun in the Guinness Book of World Records. His presentation, enriched with technical insights and community-driven investigations, champions transparency and integrity in competitive gaming.

The Challenge of Speedrunning Cheating

Allan introduces the concept of tool-assisted speedruns, where emulators enable frame-by-frame precision to achieve theoretically perfect gameplay. Cheaters misuse these tools to pass off TAS runs as human efforts, undermining leaderboards. Allan’s mission, sparked by his work with TASVideos.org, is to detect such deceptions, as seen in high-profile cases like Todd Rogers’ Dragster and Maciej Maselewski’s Diablo run.

Investigating the Diablo Record

Focusing on Maselewski’s 3-minute, 12-second Diablo record, Allan and his team, including Matthew Petroff, used TASBot to recreate the run. Their analysis revealed inconsistencies in software versions, missing frames, and item anomalies, suggesting tampering. By crafting a legitimate TAS run just one second faster, Allan demonstrated that human records could surpass the fraudulent time, restoring fairness to the Diablo community.

Tool-Assisted Detection Techniques

Allan details the technical prowess behind TAS, using emulators to record precise inputs and verify gameplay on real hardware. His TASBot, a robot mimicking controller inputs, has raised over $1.5 million for charity at events like Games Done Quick. By analyzing frame data and game mechanics, Allan identifies subtle signs of splicing or unauthorized modifications, empowering moderators to uphold leaderboard integrity.

Fostering Community Integrity

Concluding, Allan advocates for clear delineation between TAS and human speedruns to prevent misuse. His open-source approach, including a detailed document at diablo.tas.bot, invites community scrutiny and collaboration. By debunking fraudulent records, Allan not only protects speedrunning’s legitimacy but also inspires researchers to apply similar rigor to cybersecurity investigations, drawing parallels between game integrity and system security.

Links:

• Allan Cecil on LinkedIn
• TASVideos.org website
• TASBot website
• Bishop Fox company website

Moritz Abrell, a senior IT security consultant at Syss, exposes vulnerabilities in a widely deployed industrial VPN gateway critical to operational technology. By rooting the device, bypassing hardware security modules, and reverse-engineering firmware, Moritz demonstrates how attackers could hijack remote access sessions, threatening critical infrastructure worldwide. His findings underscore the fragility of industrial remote access solutions and the need for robust security practices.

Dissecting Industrial VPN Gateways

Moritz begins by outlining the role of VPN gateways in enabling secure remote access to industrial networks. These devices, often cloud-managed by vendors, connect service technicians to critical systems via VPN servers. However, their architecture presents a lucrative attack surface. Moritz’s analysis reveals how vulnerabilities in device firmware and authentication mechanisms allow attackers to gain root access, compromising entire networks.

Exploiting Firmware and Certificates

Through meticulous reverse engineering, Moritz uncovered methods to decrypt passwords and extract firmware-specific encryption keys. By forging valid VPN certificates, attackers could impersonate legitimate devices, redirecting user connections to malicious infrastructure. This scalability—potentially affecting over 500,000 devices—highlights the catastrophic potential of such exploits in energy plants, oil platforms, and other critical facilities.

Real-World Impact and Mitigation

Moritz’s attacks enabled eavesdropping on sensitive data, such as PLC programs, and disrupting legitimate connections. After responsibly disclosing these vulnerabilities, Syss prompted the vendor to patch the backend and release updated firmware. Moritz advises organizations to scrutinize cloud-based remote access solutions, verify third-party infrastructure, and implement strong authentication to mitigate similar risks.

Links:

• Syss company website

Pete Stegemeyer, a seasoned security engineer and heist historian, draws parallels between the 2003 Antwerp Diamond Heist and cybersecurity’s defense-in-depth principles. By dissecting how thieves bypassed multiple security layers to steal millions in diamonds, gold, and cash, Pete illustrates the consequences of complacency and inadequate security practices. His narrative offers actionable lessons for fortifying digital defenses, blending historical intrigue with modern security insights.

Anatomy of the Antwerp Heist

Pete begins by recounting the audacious 2003 heist, where thieves used simple tools like hairspray and double-sided tape to defeat sophisticated vault security. The heist succeeded due to failures in physical security, such as outdated cameras and unmonitored access points. By mapping these lapses to cybersecurity, Pete underscores how neglected vulnerabilities—akin to unpatched software or weak access controls—can lead to catastrophic breaches.

Failures in Security Design

Delving deeper, Pete highlights how the vault’s reliance on single points of failure, like unsegmented keys, mirrored common cybersecurity oversights. The thieves exploited predictable patterns and lax enforcement, much like attackers exploit misconfigured systems or social engineering. Pete stresses that defense in depth requires layered protections, regular updates, and proactive monitoring to prevent such exploitation in digital environments.

Lessons for Cybersecurity

Drawing from the heist, Pete advocates for robust accountability mechanisms to combat complacency. Just as the vault’s operators failed to enforce key-splitting protocols, organizations often neglect security best practices. He recommends rigorous auditing, mandatory updates, and consequence-driven policies to ensure diligence. By treating data as valuable as diamonds, organizations can build resilient defenses against sophisticated threats.

Links:

• None

In the intricate landscape of system security, Enrique Nissim and Krzysztof Okupski, researchers from IOActive, uncover a critical vulnerability in AMD processors, dubbed Sinkclose. Their presentation delves into the shadowy realm of System Management Mode (SMM), a powerful x86 execution mode that operates invisibly to operating systems and hypervisors. By exposing a silicon-level flaw undetected for nearly two decades, Enrique and Krzysztof reveal a universal ring -2 privilege escalation exploit, challenging the robustness of modern CPU security mechanisms.

Understanding System Management Mode

Enrique opens by elucidating SMM, a privileged mode that initializes hardware during boot and resides in a protected memory region called SMRAM. Invisible to antivirus, endpoint detection and response (EDR) systems, and anti-cheat engines, SMM’s isolation makes it a prime target for attackers seeking to deploy bootkits or firmware implants. The researchers explain how AMD’s security mechanisms, designed to safeguard SMM, falter due to a fundamental design flaw, enabling unauthorized access to this critical layer.

Exploiting the Sinkclose Vulnerability

Krzysztof details the methodology behind exploiting Sinkclose, a flaw in a critical SMM component. By reverse-engineering AMD’s processor architecture, they crafted an exploit that achieves arbitrary code execution in ring -2, bypassing even hypervisor-level protections. Their approach leverages precise engineering to manipulate SMRAM, demonstrating how attackers could install persistent malware undetectable by conventional defenses. The vulnerability’s longevity underscores the challenges in securing silicon-level components.

Implications for Critical Systems

The impact of Sinkclose extends to devices like the PlayStation 5, though its hypervisor mitigates some risks by trapping specific register accesses. Enrique emphasizes that the exploit’s ability to evade kernel and hypervisor defenses poses significant threats to critical infrastructure, gaming platforms, and enterprise systems. Their findings, promptly reported to AMD, prompted microcode updates, though the researchers note the complexity of fully mitigating such deep-seated flaws.

Future Directions for CPU Security

Concluding, Krzysztof advocates for enhanced firmware validation and real-time monitoring of SMM interactions. Their work highlights the need for vendors to prioritize silicon-level security and for researchers to probe low-level components for hidden weaknesses. By sharing their exploit methodology, Enrique and Krzysztof empower the community to strengthen defenses against similar vulnerabilities, ensuring robust protection for modern computing environments.

Links:

• IOActive company website

The complexity of cloud environments conceals subtle vulnerabilities, and Yakir Kadkoda, Michael Katchinskiy, and Ofek Itach from Aqua Security reveal how shadow resources in Amazon Web Services (AWS) can be exploited. Their research uncovers six critical vulnerabilities, ranging from remote code execution to information disclosure, enabling potential account takeovers. By mapping internal APIs and releasing an open-source tool, Yakir, Michael, and Ofek empower researchers to probe cloud systems while offering developers robust mitigation strategies.

Uncovering Shadow Resource Vulnerabilities

Yakir introduces shadow resources—services that rely on others, like S3 buckets, for operation. Their research identified vulnerabilities in AWS services, including CloudFormation, Glue, and EMR, where misconfigured buckets allowed attackers to assume admin roles. One severe flaw enabled remote code execution, potentially compromising entire accounts. By analyzing service dependencies, Yakir’s team developed a methodology to uncover these hidden risks systematically.

Mapping and Exploiting Internal APIs

Michael details their approach to mapping AWS’s internal APIs, identifying common patterns that amplify vulnerability impact. Their open-source tool, released during the talk, automates this process, enabling researchers to detect exposed resources. For instance, unclaimed S3 buckets could be hijacked, allowing attackers to manipulate data or escalate privileges. This methodical mapping exposed systemic flaws, highlighting the need for vigilant resource management.

Mitigation Strategies for Cloud Security

Ofek outlines practical defenses, such as using scoped IAM policies with resource account conditions to restrict access to trusted buckets. He recommends verifying bucket ownership with expected bucket owner headers and using randomized bucket names to deter hijacking. These measures, applicable to open-source projects, prevent dangling resources from becoming attack vectors. Ofek emphasizes proactive checks to ensure past vulnerabilities are addressed.

Future Research and Community Collaboration

The trio concludes by urging researchers to explore new cloud attack surfaces, particularly internal API dependencies. Their open-source tool fosters community-driven discovery, encouraging developers to adopt secure practices. By sharing their findings, Yakir, Michael, and Ofek aim to strengthen AWS environments, ensuring that shadow resources no longer serve as gateways for catastrophic breaches.

Links:

• Aqua Security company website

As artificial intelligence (AI) reshapes technology, Adam Shostack, a renowned threat modeling expert, explores its implications for security. Speaking at the AppSec Village, Adam examines how traditional threat modeling adapts to large language models (LLMs), addressing real-world risks like biased hiring algorithms and deepfake misuse. His practical approach demystifies AI security, offering actionable strategies for researchers and developers to mitigate vulnerabilities in an AI-driven world.

Foundations of Threat Modeling

Adam introduces threat modeling’s four-question framework: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? This structured approach, applicable to any system, helps identify vulnerabilities in LLMs. By creating simplified system models, researchers can map AI components, such as training data and inference pipelines, to pinpoint potential failure points, ensuring a proactive stance against emerging threats.

AI-Specific Security Challenges

Delving into LLMs, Adam highlights unique risks stemming from their design, particularly the mingling of code and data. This architecture complicates secure deployment, as malicious inputs can exploit model behavior. Real-world issues, such as AI-driven resume screening biases or facial recognition errors leading to wrongful arrests, underscore the urgency of robust threat modeling. Adam notes that while LLMs excel at specific mitigation tasks, broad security questions yield poor results, necessitating precise queries.

Leveraging AI for Security Solutions

Adam explores how LLMs can enhance security practices. By generating mitigation code or test cases for specific vulnerabilities, AI can assist developers in fortifying systems. However, he cautions against over-reliance, as generic queries produce unreliable outcomes. His approach involves using AI to streamline threat identification while maintaining human oversight, ensuring that mitigations address tangible risks like data leaks or model poisoning.

Future Directions and Real-World Impact

Concluding, Adam dismisses apocalyptic AI fears but stresses immediate concerns, such as deepfake proliferation and biased decision-making. He advocates integrating threat modeling into AI development to address these issues early. By fostering a collaborative community effort, Adam encourages researchers to refine AI security practices, ensuring that LLMs serve as tools for progress rather than vectors for harm.

Links:

• Adam Shostack on LinkedIn

The proliferation of Internet of Things (IoT) devices promises connectivity but risks creating a digital wasteland of abandoned, vulnerable gadgets. Paul Roberts, Chris Wysopal, Cory Doctorow, Tarah Wheeler, and Dennis Giese, a distinguished panel from Secure Resilient Future Foundation, Electronic Frontier Foundation, Veracode, Red Queen Dynamics, and DontVacuum.me, respectively, address this crisis. Their discussion, rooted in cybersecurity and policy expertise, explores solutions to prevent IoT devices from becoming e-waste, advocating for transparency, ownership, and resilience.

The Growing Threat of Abandonware

Paul opens by highlighting the scale of the issue: end-of-life devices, from routers to medical equipment, are abandoned by manufacturers, leaving them susceptible to exploitation. Black Lotus Labs’ discovery of 40,000 compromised SOHO routers in the “Faceless” botnet underscores this danger. Cory introduces the concept of “enshittification,” where platforms and devices degrade as manufacturers prioritize profits over longevity, citing Spotify’s Car Thing, bricked without refunds after brief market presence.

Policy and Right-to-Repair Solutions

Tarah and Chris advocate for legislative reforms, such as updating the Digital Millennium Copyright Act (DMCA), to grant consumers repair rights. Google’s extension of Chromebook support to ten years saved millions in e-waste, a model Tarah suggests for broader adoption. Chris emphasizes that unmaintained devices fuel botnets, threatening critical infrastructure. Policy changes, including antitrust enforcement to curb monopolistic practices, could compel manufacturers to prioritize device longevity and security.

Cybersecurity Implications and Community Action

Dennis, known for reverse-engineering vacuum robots, stresses the cybersecurity risks of abandoned devices. Malicious actors exploit unpatched vulnerabilities, conscripting devices into botnets. He calls for community-driven efforts to document and secure IoT systems. Paul, through the Secure Resilient Future Foundation, encourages grassroots advocacy, such as contacting local representatives to support repair-friendly legislation, making it easier for individuals to contribute without navigating complex policy landscapes.

Redefining Ownership and Sustainability

Cory argues for redefining ownership in the IoT era, criticizing practices like Adobe’s Creative Cloud, where Pantone’s licensing dispute threatened to render designers’ work unusable. By designing devices to resist forced downgrades, manufacturers can empower users to maintain control. The panel collectively urges a shift toward sustainable design, where devices remain functional through community-driven updates, reducing e-waste and enhancing digital resilience.

Links:

• Secure Resilient Future Foundation website
• Electronic Frontier Foundation website
• Veracode company website
• Red Queen Dynamics website
• DontVacuum.me website

In the intricate world of reverse engineering, Atlas, a seasoned security researcher, unveils a captivating journey through the deobfuscation of an automotive modding tool. This software, capable of flashing firmware and tweaking vehicle engines, represents a complex challenge due to its heavily obfuscated code. Atlas’s narrative, rich with technical ingenuity, guides the audience through innovative approaches to unraveling hidden truths, empowering researchers with new methodologies and tools to tackle similar challenges.

Confronting Obfuscation Challenges

Atlas begins by describing the daunting nature of obfuscated code, which obscures functionality to thwart analysis. The automotive modding tool, a blend of machine code and proprietary logic, posed unique hurdles. By leveraging tools like Vivisect, Atlas meticulously dissected the binary, identifying key patterns such as virtual function tables. These tables, often marked by grouped function pointers, served as entry points to understand the code’s structure. His approach focused on analyzing the “this” pointer in 32-bit architectures, typically passed via the ECX register, to map out critical functions like destructors.

Crafting Custom Analysis Tools

To overcome the limitations of existing binary analysis tools, Atlas customized his toolkit, enhancing Vivisect to handle the tool’s unique obfuscation techniques. He explored cross-references to function pointers, uncovering embedded strings and objects. For instance, comparing register values like EDI against offsets revealed string manipulations, allowing Atlas to reconstruct the code’s intent. His creative modifications enabled dynamic analysis, transforming static binaries into actionable insights, a process he encourages others to replicate by adapting tools to specific needs.

Decoding the Automotive Modding Tool

The core of Atlas’s work centered on understanding the modding tool’s interaction with vehicle systems. By analyzing function calls and memory operations, he identified how the tool manipulated firmware to alter engine performance. His methodology involved tracing execution paths, spotting decrement and free operations, and reconstructing object hierarchies. This granular approach not only demystified the tool but also highlighted vulnerabilities in its design, offering lessons for securing automotive software against unauthorized modifications.

Empowering the Community

Atlas concludes with a call to action, urging researchers to think beyond conventional tools and embrace creative problem-solving. By sharing his customized Vivisect enhancements and methodologies, he aims to inspire others to tackle obfuscated code with confidence. His emphasis on understanding the “why” behind code behavior fosters a deeper appreciation for reverse engineering, equipping the community to uncover truths in complex systems.

Links:

• None

Vulnerability discovery at scale requires rethinking traditional approaches, and Bill Demirkapi, an independent security researcher, demonstrates how big data uncovers overlooked weaknesses. By leveraging unconventional sources like virus scanning platforms, Bill identifies tens of thousands of vulnerabilities, from forgotten cloud assets to leaked secrets. His talk shifts the paradigm from target-specific analysis to correlating vulnerabilities across diverse datasets, exposing systemic flaws in major organizations.

Scaling Vulnerability Discovery

Bill challenges conventional methods that focus on specific targets, advocating for a data-driven approach. By analyzing DNS records for dangling domains and secret patterns in public repositories, he uncovers misconfigurations like exposed AWS keys. His methodology correlates these findings with organizational assets, revealing vulnerabilities that traditional scans miss. A case study highlights an ignored AWS support case, where a leaked key remained active due to a generic billing email.

Exploiting Forgotten Cloud Assets

Dangling domains, pointing to unclaimed IP addresses, offer attackers entry points to compromise services. Bill’s research identifies these through large-scale DNS analysis, exposing forgotten cloud assets in enterprises. By cross-referencing with cloud provider data, he maps vulnerabilities to specific organizations, demonstrating the devastating impact of seemingly trivial oversights.

Addressing Leaked Secrets

Leaked credentials, such as AWS access keys, pose significant risks when posted publicly. Bill’s use of virus scanning platforms to detect these secrets reveals a gap in provider responses—AWS, unlike Google Cloud or Slack, does not automatically revoke exposed keys. He proposes automated revocation mechanisms and shares a tool to streamline key detection, urging providers to prioritize proactive security.

Industry-Wide Solutions

Bill calls for systemic changes, emphasizing provider responsibility to revoke exposed credentials immediately. His open-source tools and methodology, available for community use, enable researchers to replicate his approach across vulnerability classes. By breaking down traditional discovery methods, Bill’s work fosters a collaborative effort to address ecosystem-wide security gaps.

Links:

• Bill Demirkapi on LinkedIn

Advanced return-oriented programming (ROP) opens new frontiers in process injection, and Bramwell Brizendine and Shiva Shashank Kusuma, from Verona Lab, present a robust methodology to master it. Their talk details chaining complex Windows APIs via ROP, overcoming challenges like string comparison in memory-constrained environments. By introducing a universal solution for identifying target processes, Bramwell and Shiva provide reusable patterns for reliable injection, demonstrated through a live exploit of Winamp.

ROP Challenges in Process Injection

Bramwell outlines the intricacies of ROP-based process injection, which requires chaining multiple WinAPIs with precise parameter handling. Unlike traditional injection, ROP lacks direct string comparison capabilities due to missing gadgets. Their novel solution constructs an enumeration function purely in ROP, enabling precise identification of target processes like Winamp by process ID (PID), a breakthrough for reliable injection.

Building Reusable API Patterns

Shiva details their creation of diverse patterns for WinAPIs, leveraging the PUSHAD instruction for flexibility. For APIs lacking PUSHAD patterns, they employ a “sniper” approach, meticulously crafting alternatives. Their demo walks through injecting shellcode into Winamp, using CreateToolhelp32Snapshot, EnumProcesses, and CreateRemoteThread, with memory permissions adjusted via NtMapViewOfSection. This structured approach ensures reproducibility across different targets.

Practical Demonstration and Tools

The live demo showcases their ROP-based injection, starting with a snapshot of running processes, enumerating to find Winamp’s PID, and injecting shellcode via remote thread creation. Their ROProcket tool, designed for ROP and jump-oriented programming, supports this methodology, offering templates for researchers to adapt. Bramwell emphasizes the goal of providing a scalable framework, not just a one-off exploit.

Implications for Security Research

By sharing their patterns and tools, Bramwell and Shiva empower researchers to explore ROP-based injection systematically. They highlight the need for defenses against such techniques, as early-stage injections can evade EDR systems. Their work invites further innovation in ROP methodologies, urging the community to build on their open-source contributions for enhanced security testing.

Links:

• Verona Lab website