conference d ouverture titre venir
play

Conference douverture [titre venir] Travis Goodspeed 4 June - PowerPoint PPT Presentation

May 03, 2023 •48 likes •558 views

Conference douverture [titre venir] Travis Goodspeed 4 June 2014 SSTIC Rennes, Bretagne, France Prezegenn digeri [titl da zont] Travis Goodspeed 4 June 2014 SSTIC Roazhon, Breizh GOOD MORNING! GOOD MORNING!

  1. Conference d’ouverture [titre à venir] Travis Goodspeed � � 4 June 2014 SSTIC Rennes, Bretagne, France

  2. Prezegenn digeriñ [titl da zont] Travis Goodspeed � � 4 June 2014 SSTIC Roazhon, Breizh

  3. GOOD MORNING!

  4. GOOD MORNING! • I hate keynotes. • (Except those by Fx and Dan Geer.) • I love proofs of concept. • Short, nifty tricks. • No grand theories, no unnecessary tables.

  5. Proofs of Concept are Proofs by Construction

  6. Proofs of Concept are Proofs by Construction by Travis Goodspeed to them Ghosts who write History Books and the Ghosts in my Drink concerning the Good Works and the Good Neighbors of PoC||GTFO. � � 4 June 2014 SSTIC Rennes, Brittany, France

  7. Did you know that you can just start a journal?

  8. Did you know that you can just start a journal? • A neighbor and I started a journal. • No peer review, just a benevolent dictatorship. • Pastor Manul Laphroaig, Amateur Tyrant

  9. International Journal of PoC k GTFO Issue 0x00, a CFP with PoC An epistle from the desk of Rt. Revd. Pastor Manul Laphroaig pastor@phrack.org August 5, 2013

  10. Proceedings of the Society of PoC k GTFO Issue 0x01, an Epistle to the 10th H2HC in São Paulo From the writing desk, not the raven, of Rt. Revd. Preacherman Pastor Manul Laphroaig pastor@phrack org

  11. Children’s Bible Coloring Book of PoC k GTFO Issue 0x02, an Epistle to the 30th CCC Congress in Hamburg Composed by the Rt. Revd. Pastor Manul Laphroaig to put pwnage before politics. pastor@phrack org December 28, 2013

  12. AN ADDRESS to the SECRET SOCIETY of POC k GTFO concerning THE GOSPEL OF THE WEIRD MACHINES and also THE SMASHING OF IDOLS TO BITS AND BYTES by the Rt. Revd. Dr. PASTOR MANUL LAPHROAIG pastor@phrack org

  13. TRACT de la SOCIÉTÉ SECRÈTE de POC k GTFO sur L’ÉVANGILE DES MACHINES ÉTRANGES et autres SUJETS TECHNIQUES par le prédicateur PASTEUR MANUL LAPHROAIG pastor@phrack org

  14. Let’s hear some stories!

  15. Nifty Tricks for Today • Active Disk Antiforensics • PGP Matryoshka Doll • PDF+Zip Polyglot • Angecryption • Strange Python Encodings

  16. Active Disk Antiforensics PoC||GTFO 0:2

  17. Active Disk Antiforensics • You think of a disk as a block device. • Blocks are written, then read back intact. • Sometimes they are damaged. • A disk is really a server. • Host makes requests by SCSI or ATA. • Software in the disk responds.

  20. iPod is a Computer • Low-end ARM with hardware MP3 decoding. • Custom operating systems • iPod Linux, Rockbox • Disk Mode is implemented in software. • C code translates USB Mass Storage to ATA.

  21. iPod Disk Layout • First sector is MBR. • Then comes the iPod Firmware. • Finally, there is a FAT32 or HFS+ partition for music.

  22. iPod Disk Layout This is *NEVER* legitimately read by the host! • First sector is MBR. • Then comes the iPod Firmware. • Finally, there is a FAT32 or HFS+ partition for music.

  23. Fingerprinting a Host OS • Windows 
 Reads the Master Boot Record (MBR) 9 times. • FreeBSD 
 Speaks some antique SCSI requests. • OpenBSD 
 Doesn’t delay on SCSI errors. • Linux 
 Varies by automounter.

  24. Fingerprinting Disk Imaging • tar -cf mnt.tar /mnt 
 Follows the filesystem structures, 
 never reading empty space, 
 or deleted files, or orphaned inodes. • dd if=/dev/sdc of=forensics.img 
 This reads from the beginning to the end, 
 in order, as large blocks, without reading ahead, 
 and without following filesystem or partition structs.

  25. So let’s make a trap! • Pick an unused sector early in the disk. • The sector must be one that is *NEVER* read. • If this sector is read anyways, • Erase all future sectors. • Reply with legitimate-looking garbage.

  26. Disk Imaging my iPod

  28. Beyond a PoC • ACSAC 2014, Seagate Disk Backdoor • Talk to Aurélien Francillon. He’s here! • Sprites Mods, Western Digital Reverse Engineering • He booted Linux on a WD hard disk!

  29. Myron Aub’s 
 PGP Matryoshka Doll PoC||GTFO 2:3

  30. PGP Matryoshka Doll • RFC 4880, `OpenPGP Message Format’ 
 by Phil Zimmerman • Messages are compressed or encrypted. • These are just containers, and they can be nested! • You can required more than one key for decrypt. • You can compress more than once.

  31. Lempel-Ziv (LZ) Compression • A dictionary is used as shorthand for a larger file. • The output of the decompression can be the same as the input.

  32. PGP Quine • Message, when decompressed, is itself. • After decompression, the parser tries to go deeper. • And deeper. • And deeper. • And deeper!

  33. PGP Quine • GnuPG fixed this bug. • Symantec PGP didn’t fix this bug.

  34. PDF that’s a ZIP File PoC||GTFO 1:5 • Zip files begin with a footer near the end of a file. • This makes them easy to combine with other files. • cat foo.gif foo.zip >zipgif.bin • PDF also ends near the end.

  40. PDF+ZIP • For very small Zips, just 
 cat foo.pdf foo.zip >bar.pdf • For larger files, insert the zip just before the PDF’s closing xref table. • This is reliable, and we’ve shipped it in every release since the first.

  42. Angecryption PoC||GTFO 3:11 � Ange Albertini Jean-Philippe Aumasson

  43. Angecryption • pocorgtfo03.pdf was a valid PDF file. • Encrypt it with AES CBC to get a valid PNG file. 
 key=“Manul Laphroaig!” 
 IV= 5B F0 15 E2 04 8C E3 D3 8C 3A 97 E7 8B 79 5B C1 • Ain’t that nifty?

  44. Angecryption • It’s easy to control ECB-mode data before or after encryption. • AES(controlled)=uncontrolled • controlled=AES(uncontrolled) 
 AES^-1(controlled)=uncontrolled • Angecryption lets us make a file valid before and after encryption, with different contents!

  45. The Nifty Trick • In ECB mode, we control each block before or after encryption. • In CBC mode, the same is true, except • The very first block is XOR’ed with the IV, • and we control the IV, so • we control Block 0 before and after encryption!

  46. Weird Python Encoding PoC||GTFO 3:10 Frederik Baun

  47. % cat poc.py #! /usr/bin/python #encoding: rot13 cevag ’Hello World’ % ./poc.py Hello World %

  48. Proofs of Concept are Proofs by Construction

  49. Proof of Concept is Proof by Construction • A proof by construction is the best kind of proof. • See Euclid’s proof that there are infinitely many prime numbers. • Stop calling them unscientific! 
 Stop demanding statistics! • ``You can’t argue with a root shell.’’

  50. Go now in peace. • Read your scripture. • PoC||GTFO, Phrack, and SSTIC proceedings! • Preach the good news! • Conference talks, soap box. • ``Hey, want to learn a cool trick?’’

  51. Credits • Antiforensic iPod, PoC||GTFO 0:2 
 Travis Goodspeed • PGP Matryoshka, PoC||GTFO 2:3 
 Myron Aub • PDF Zip File, PoC||GTFO 1:5 
 Julia Wolf • Angecryption, PoC||GTFO 3:11 
 Ange Albertini 
 Jean-Philippe Aumasson • Weird Python Encoding, PoC||GTFO 3:10 
 Frederik Braun

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MEETING 14 FEB 2019 Sous-titre Date Banque Centrale du Luxembourg Titre Introduction to the

MEETING 14 FEB 2019 Sous-titre Date Banque Centrale du Luxembourg Titre Introduction to the

TARGET2 USER GROUP Titre MEETING 14 FEB 2019 Sous-titre Date Banque Centrale du Luxembourg Titre Introduction to the Eurosystem Target Consolidation project Sous-titre Date Banque Centrale du Luxembourg AGENDA 1. The Target

523 views • 23 slides
Prsentation des projets financs au titre de ldition 2 0 0 8 du program m e

Prsentation des projets financs au titre de ldition 2 0 0 8 du program m e

Prsentation des projets financs au titre de ldition 2 0 0 8 du program m e Vulnrabilit : Milieux, Clim at et Socits ACRONYME et titre du projet 3 ACOCLI Adaptations cognitives aux changements climatiques 4 BI OCRUST

412 views • 17 slides
Capturing macroprudential regulation effectiveness: Titre A DSGE approach with shadow

Capturing macroprudential regulation effectiveness: Titre A DSGE approach with shadow

Capturing macroprudential regulation effectiveness: Titre A DSGE approach with shadow intermediaries Sous-titre 10 July 2018, Dublin Date Federico Lubello & Abdelaziz Rouabah Banque centrale du Luxembourg Joint ECB & Central Bank of

500 views • 22 slides
dimanche 9 octobre Amphithtre Reitoria UFMG 19 h SANCED OUVERTURE 20 h CONFRENCE

dimanche 9 octobre Amphithtre Reitoria UFMG 19 h SANCED OUVERTURE 20 h CONFRENCE

dimanche 9 octobre Amphithtre Reitoria UFMG 19 h SANCED OUVERTURE 20 h CONFRENCE Jean-Louis CHISS (Universit de la Sorbonne Nouvelle Paris 3) Directions actuelles de la didactique des langues et des cultures : Le franais

443 views • 21 slides
Ouverture Persistent objects form a general and very useful method for storing internal program

Ouverture Persistent objects form a general and very useful method for storing internal program

Introduction Programmers interface Implementation Closing remarks Ouverture Persistent objects form a general and very useful method for storing internal program data between executions of a program. This presentation is focused on Ada

834 views • 30 slides
New perspectives for Open Source and Free Software from France and Europe Roberto Di Cosmo 19

New perspectives for Open Source and Free Software from France and Europe Roberto Di Cosmo 19

Context What is wrong The Ouverture Competitiveness Cluster The Ouverture project Role of public bodies in the project Annexes New perspectives for Open Source and Free Software from France and Europe Roberto Di Cosmo 19 February 2007

806 views • 46 slides
Ouverture Avere uno strumento per tradurre casi duso in test di integrazione garantisce: Un

Ouverture Avere uno strumento per tradurre casi duso in test di integrazione garantisce: Un

Introduction Some tools Conclusion Ouverture Avere uno strumento per tradurre casi duso in test di integrazione garantisce: Un interpretazione uniforme del significato di casi duso per tutti i test del sistema. Che si prova tutti i

642 views • 14 slides
TITRE L. le Coq, J.M. Floc'h, A. Sharaiha, P. Besnier, O. Lafond, M. Himdi, R. Gillard

TITRE L. le Coq, J.M. Floc'h, A. Sharaiha, P. Besnier, O. Lafond, M. Himdi, R. Gillard

ANTENNA MEASUREMENTS FACILITIES AND NEEDS IN IETR TITRE L. le Coq, J.M. Floc'h, A. Sharaiha, P. Besnier, O. Lafond, M. Himdi, R. Gillard laurent.le-coq@univ-rennes1.fr INSTITUT DLECTRONIQUE ET DE TLCOMMUNICATIONS DE RENNES Introduction

454 views • 23 slides
PRESENTATION Titre du document - Auteur - Date de diffusion - Niveau de classification (PUBLIC ou

PRESENTATION Titre du document - Auteur - Date de diffusion - Niveau de classification (PUBLIC ou

FULL-YEAR 2018 RESULTS 21 FEBRUARY 2019 PRESENTATION Titre du document - Auteur - Date de diffusion - Niveau de classification (PUBLIC ou INTERNE ou CONFIDENTIEL ou SECRET) This presentation contains forward-looking information and statements

914 views • 69 slides
Expos de soutenance pour le titre de Docteur de lcole Polytechnique Spcialit: Physique

Expos de soutenance pour le titre de Docteur de lcole Polytechnique Spcialit: Physique

Expos de soutenance pour le titre de Docteur de lcole Polytechnique Spcialit: Physique Iurii Timrov 27 March 2013, cole Polytechnique 1/57 Outline 1. Introduction 1.1 Motivation 1.2 Material: Bismuth 1.3 State of the art

766 views • 64 slides
Titre Drawbacks of standard fittings Dead Volume. Parts Inventory Gaskets Welding

Titre Drawbacks of standard fittings Dead Volume. Parts Inventory Gaskets Welding

Titre Drawbacks of standard fittings Dead Volume. Parts Inventory Gaskets Welding Panel Design Particle Generation Assembly Twisting of Tubes Footprint Male / Female FLOWMECA The RHP Fitting Patent

1.13k views • 65 slides
TITRE DE LA THESE Pattern Analysis for Source-Code Performance Improvement Authors: Riyane SID

TITRE DE LA THESE Pattern Analysis for Source-Code Performance Improvement Authors: Riyane SID

Data-Layout Optimization based on Memory-Access- TITRE DE LA THESE Pattern Analysis for Source-Code Performance Improvement Authors: Riyane SID LAKHDAR, Henri-Pierre CHARLES, Maha KOOLI Univ Grenoble Alpes, CEA, List, F-38000 Grenoble, France

374 views • 35 slides
Entreprendre et Investir dans les Energies Renouvelables et le Dveloppement Durable AGRION,

Entreprendre et Investir dans les Energies Renouvelables et le Dveloppement Durable AGRION,

Entreprendre et Investir dans les Energies Renouvelables et le Dveloppement Durable AGRION, Mai 2008 Titre de la confrence Summary Context Finance and Renewable Energy Financing entrepreneurs in Cleantech Titre de la confrence The

345 views • 21 slides
TITRE DE PARTIE 28 ARIAL Joachim Schleich a,b , Corinne Faure a , NIVEAU 1 24 ARIAL

TITRE DE PARTIE 28 ARIAL Joachim Schleich a,b , Corinne Faure a , NIVEAU 1 24 ARIAL

TITRE DE PARTIE 28 ARIAL Joachim Schleich a,b , Corinne Faure a , NIVEAU 1 24 ARIAL Marie-Charlotte Guetlein a , Gengyang Tu c Modifiez les styles du texte du masque a Grenoble Ecole de Management, Grenoble, France Deuxime niveau b

343 views • 16 slides
Titre de la prsentation 1 Background Foreign currency lease Article 317 of the Civil Code

Titre de la prsentation 1 Background Foreign currency lease Article 317 of the Civil Code

Legal protection of lessees interests in case of foreign currency lease April 28 th , 2016 Titre de la prsentation 1 Background Foreign currency lease Article 317 of the Civil Code of the Russian Federation allows nomination of price in

115 views • 7 slides
Projet de loi n 48-15 relative la rgulation du secteur de llectricit TITRE PREMIER

Projet de loi n 48-15 relative la rgulation du secteur de llectricit TITRE PREMIER

Projet de loi n 48-15 relative la rgulation du secteur de llectricit TITRE PREMIER Principes de rgulation du secteur de llectricit Chapitre premier Dfinitions Article premier On entend, au sens de la prsente loi,

937 views • 25 slides
Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats

Introduction What I do Research new vulnerabilities, malware, and other security threats Create defensive measures Evaluate security software What this talk is about Windows rootkits How they are used How they work

790 views • 54 slides
Solution to ensure TPM resistance to offline dictionary attack Liqun Chen Mark D. Ryan HP Labs,

Solution to ensure TPM resistance to offline dictionary attack Liqun Chen Mark D. Ryan HP Labs,

Solution to ensure TPM resistance to offline dictionary attack Liqun Chen Mark D. Ryan HP Labs, Bristol HP Labs, Bristol University of Birmingham Future of Trust 2008 June 2008 The Trusted Platform Module A hardware chip currently

473 views • 19 slides
Protection and Security Threat is potential security violation Attack is attempt to breach

Protection and Security Threat is potential security violation Attack is attempt to breach

CSC 4103 - Operating Systems The Security Problem Spring 2007 Security must consider external environment of the system, and protect the system resources Lecture - XX Intruders (crackers) attempt to breach security Protection and

195 views • 4 slides
Computer Organization von Neumann Computer Arithmetic-Logical Unit Control Unit (ALU) Data

Computer Organization von Neumann Computer Arithmetic-Logical Unit Control Unit (ALU) Data

Computer Organization von Neumann Computer Arithmetic-Logical Unit Control Unit (ALU) Data Address Primary Memory Device (Executable Memory) Device Device The ALU Right Operand Left Operand R1 R2 . . . Rn Functional Unit Status

485 views • 19 slides
Outline Introduction Malicious Code Viruses CS 239 Trojan horses Computer

Outline Introduction Malicious Code Viruses CS 239 Trojan horses Computer

Outline Introduction Malicious Code Viruses CS 239 Trojan horses Computer Security Trap doors March 15, 2004 Logic bombs Worms Examples Lecture 16 Lecture 16 Page 1 Page 2 CS 239, Winter 2004 CS 239,

408 views • 12 slides
Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1

Protection Disclaimer: some slides are adopted from book authors slides with permission 1 Examples of OS Protection Memory protection Between user processes Between user and kernel File protection Prevent unauthorized

783 views • 39 slides
AD ADVANCE CED M MALWARE RE ALEXANDRE BORGES MALWARE AND SECURITY RESEARCHER THR THREATS

AD ADVANCE CED M MALWARE RE ALEXANDRE BORGES MALWARE AND SECURITY RESEARCHER THR THREATS

AD ADVANCE CED M MALWARE RE ALEXANDRE BORGES MALWARE AND SECURITY RESEARCHER THR THREATS NO HAT 2019 (Bergamo / IT ITALY) by y Alexandre Bor Borges 1 NO HAT 2019 (BERGAMO / ITALY) Agenda: In Intr troductio ion Anti

1.45k views • 105 slides
Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing

Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing

Ransomware: DataENcryption made easy The Word Ransom = Ransom Blackmailing History 1989 AIDS TROJAN DISK distributed/infected via floppy disk developer was caught and put into jail 2005 first internet attack

748 views • 54 slides

More recommend