SlideShare une entreprise Scribd logo

reductio [ad absurdum]

Shakacon
Shakacon

Programmers naturally assume that different programs require different code. Minesweeper is not the same as AES, Windows is not the same as Linux, and Notepad is not the same as malware. But what if this were not the case? We'll walk through how we can convert all programs into the exact same code - allowing the CPU to execute the same sequence of instructions, to run any possible application. By fundamentally changing our ideas about what it means to "compute", we'll outline the unsettling implications for malware detection, and open some fascinating new doors in exploitation.

Technologie
1  sur  101
Télécharger pour lire hors ligne
{ reductio [ad absurdum] domas / @xoreaxeaxeax / Shakacon 2017
 Christopher Domas  Cyber Security Researcher @ Battelle Memorial Institute ./bio
 Observation:  Different paths can produce the same result.  Thought experiment:  Can the inverse be true?  Can one path produce different results? ./intro
 Observation:  Groups of (machine) instructions can often be reduced x = x * 2 x = x + x vs. x = x * 4  Thought experiment:  How much could one program be reduced? ./intro
 (bear with me) Let’s backtrack a bit…
4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2 Assembly…
 mov is Turing-complete  Stephen Dolan  www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
mov destination, source mov
 Any code we write …  … can be written as a set of movs instead  … and nothing else  Really? Turing Complete?
4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2
80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler. - Stephen Dolan
 Where to begin…? Key Ideas
 mov can check equality Key Ideas
 mov [x], 0  mov [y], 1  mov R, [x] x==y
 x=3, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
 x=2, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
 Requires a single jmp instruction to loop back to the beginning  Incidental  We fixed this later Key Ideas
 start:  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  jmp start
 Build on Dolan’s ideas  Adapt primitive TM operations for higher level logic  Work on actual data, not abstract symbols  Add new operations  If/else  Arithmetic  Logic  Jumps  Loops  Etc…  Bring it closer to something we can use Idea…
Implementing if
 IF X == Y THEN  X = 100 Implementing if
 The catch:  We have no branches  All paths execute, no matter what  Solution:  Force a path to operate on “dummy” data, if we don’t want its results Implementing if
 IF X == Y THEN  X = 100 Implementing if Selector Data Scratch
 IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
; X == Y mov eax, [X] mov [eax], 0 mov eax, [Y] mov [eax], 4 mov eax, [X] ; X = 100 mov eax, [SELECT_X + eax] mov [eax], 100 Implementing if
Simple extensions give us if/else if/elseif/else Inequality checks Implementing if
%macro eq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 0 mov byte [e+%3], 4 mov al, [e+eax] mov [%1], al %endmacro
%macro neq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 4 mov byte [e+%3], 0 mov al, [e+eax] mov [%1], al %endmacro
; create selector %macro c_s 1 %1: dd 0 d_%1: dd 0 s_%1: dd d_%1, %1 %endmacro
 Extend the if/else idea Loops and branches
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ←  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start Store target Switch to dummy data 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov … ← Check if branch target  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov … ← Check if branch target  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov … ← Check if branch target  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov … ← Check if target  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov … ← Check if target  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov … ← Check if target  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFFTarget match Switch to real data
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c ONTarget match Switch to real data
 Look up tables!  One byte versions are easy. Arithmetic
unsigned char inc[]={ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112, 113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128, 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144, 145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160, 161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176, 177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192, 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208, 209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224, 225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240, 241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0 };
incb: %assign y 1 %rep 256 db y&0xff %assign y y+1 %endrep
; increment eax with mov mov eax, [inc + eax] Arithmetic
%macro add32 4 mov eax, 0 mov ebx, 0 mov ecx, 0 mov edx, 0 mov dword [%4], 0 add8 %1+0, %2+0, %3+0, %4 add8 %1+1, %2+1, %3+1, %4 add8 %1+2, %2+2, %3+2, %4 add8 %1+3, %2+3, %3+3, %4 %endmacro
mov eax,0x0 mov ebx,0x0 mov ecx,0x0 mov edx,0x0 mov dword [dword 0x8049576],0x0 mov al,[0x804956a] mov bl,[dword 0x804956e] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049572],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956b] mov bl,[dword 0x804956f] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049573],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956c] mov bl,[dword 0x8049570] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049574],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956d] mov bl,[dword 0x8049571] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049575],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov eax,[0x8049572]
mov dword [q], 0 mov dword [r], 0 %assign bb 31 %rep 32 bit c, n, bb shl32 r, c mov dword [c], 0 gte32 t, r, d, c mov eax, [t] mov edx, [sel_r+4*eax] mov [psr], edx mov edx, [sel_q+4*eax] mov [psq], edx mov eax, [psr] mov eax, [eax] mov [dummy_r], eax sub32 dummy_r, dummy_r, d, c mov eax, [psr] mov edx, [dummy_r] mov [eax], edx mov eax, [psq] mov eax, [eax] mov [dummy_q], eax set32 dummy_q, bb mov eax, [psq] mov edx, [dummy_q] mov [eax], edx %assign bb bb-1 %endrep mov eax, [q]
 lcc  esi/edi  Calling convention  Emulated stack  32 bit ALU  Simplified dummy selectors  102 IL instructions  Not bad! The M/o/Vfuscator
 mov-only C Compiler  https://github.com/xoreaxeaxeax  First single instruction C compiler! The M/o/Vfuscator
 prime  Cube  M/o/Vfuscator The M/o/Vfuscator
 How much can we simplify a program?  We’ve gotten rid of…  Functions  Loops  Branches  Arithmetic  … it’s an okay start. Reduction
 We have all the same instructions  mov  But they’re not all the ”same”  mov eax, edx  mov [100], bl  mov di, 0x1337  mov eax, [edx + 2 * ecx + 0x1094801] Reduction
 Eliminate register to register transfers  mov eax, edx becomes  mov [0x1000], edx  mov eax, [0x1000] x86 addressing
 Eliminate constant to register transfers  mov eax, 12345 becomes  _temp: .dword 12345  mov eax, [_temp] x86 addressing
 All instructions now either read or write to memory. x86 addressing
 Eliminate 8 and 16 bit addressing  mov al, [100] becomes  mov [200], eax  mov eax, [100 - 3]  mov [200 - 3], eax  mov eax, [200] x86 addressing 200 100
 Simplify memory addressing  mov eax, [0x1234 + ecx + 8 * edx]  Use the M/o/Vfuscator ALU!  Calculate ecx + 8 * edx  Accumulate results in ecx  Result:  (dozens of mov ALU instructions)  mov eax, [0x1234 + ecx] x86 addressing
 No more register to register transfers.  No more constant to register transfers.  No more 8 or 16 bit instructions.  All memory accesses are of the form [reg + constant]  mov instructions are now all mov reg, [reg + constant] or mov [reg + constant], reg Almost there.
 We still use 8 registers!  Decrease to 2 by storing extras to scratchpad memory  All mov instructions now mov esi/edi, [esi/edi + constant] or mov [esi/edi + constant], esi/edi Registers
 Writes: mov [esi/edi + constant], esi/edi  Reads: mov esi/edi, [esi/edi + constant]  Alternate reads and writes  1 read, followed by 1 write, followed by 1 read, followed by 1 write…  Insert dummy (unused) accesses Alternating memory
mov esi,[edi+0x816d0e8] mov [edi+0x816d104],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0ec],esi mov esi,[edi+0x816d0eb] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d10c],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0f8],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi The result…
 Can we take it further?
Psuedo-registers  Instead of registers, use memory to hold the register contents  esi becomes [0x890100]  edi becomes [0x890200]  Let’s call these memory locations “psuedo-registers”
A ‘synthetic’ mov  With psuedo-registers, our movs look like mov [0x890100],[[0x890200]+0x816d0e8]  At this point, we’re just moving values to/from different locations in memory  … but this is no longer a valid x86 instruction
A ‘synthetic’ mov  Let’s invent a new instruction, “MOVE”  MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]  Our broken x86 instruction mov [0x890100],[[0x890200]+0x816d0e8]  Becomes  MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
A ‘synthetic’ mov  Translate the old mov instructions into the more generic MOVE instruction  mov esi,[edi+0x816d0e8] becomes MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]  mov [edi+0x816d0e8], esi becomes MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]
A ‘synthetic’ mov  Why is this useful?  All instructions now have exactly the same form.
Extracting the essence MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ] { 0x890100, 0, 0x890200, 0x816d0e8 }  Extract all of the MOVE operands into a table.
 We’ve distilled our entire C program into a table describing a long list of simple data transfers  Let’s write a program to perform the actions described in the table So now what?
Load the table into esi…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov esi, table
Execute a memory read…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov ebx, [esi] ; load addr of psuedo-reg 1  mov ebx, [ebx] ; load psuedo-reg 1  add ebx, [esi+4] ; add offset  mov ebx, [ebx] ; perform memory read
Execute a memory write…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov edx, [esi+8] ; load addr of psuedo-reg 2  mov edx, [edx] ; load psuedo-reg 2  add edx, [esi+12]; add offset  mov [edx], ebx ; perform memory write
Rinse, repeat.  table:  0x890100, 0, 0x890200, 0x816d0e8  0x990010 ; pointer to next table entry  mov esi, [esi+16] ; move to next entry  jmp loop ; repeat the whole process
mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop table: 0x890100, 0, 0x890200, 0x816d0e8 ... With the reductio toolchain, a C program compiles to ->
 Thought experiment:  How far can we reduce a program? So…?
 Every program ever written can be reduced to exactly this -> So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
 Thought experiment:  Can one sequence of instructions produce entirely different results? So…?
 This instruction stream simultaneously implements everything. So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
AES Minesweeper
 (Can’t show compiling ) ./demo
 The instruction sequence executed by the processor is the same for every program. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
 1.  If every program is the same, malware detection gets a whole lot harder. (demo)  Doing the same thing  (In practice) Implications
 2.  Exploitation  “AVROP” (Mark Barnes, MWR Labs)  https://github.com/mwrlabs/avrop  AVR microcontroller (Raspberry Pi)  Harvard architecture: limited to ROP  Small memory: very few gadgets  Fortunately, all we need is mov. Implications
 The AVROP machine Implications
 3.  It’s cool!  A philosophical conclusion…  If the code makes no difference, what does it mean ‘to program’? Implications
github.com/xoreaxeaxeax  reductio  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com
reductio [ad absurdum]

Recommandé

Command GM
Command GMCommand GM
Command GMRafa Muadz
 
Programação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesProgramação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesDiego Gonçalves Santos
 
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootBehind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootMaksym Zavershynskyi
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196Mahmoud Samir Fayed
 
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Karthik Rathinavel
 
Itty bittypresentation lrug
Itty bittypresentation lrugItty bittypresentation lrug
Itty bittypresentation lrugTom Crinson
 
The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185Mahmoud Samir Fayed
 
かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版Yutaka Kato
 

Recommandé

Command GM
Command GMCommand GM
Command GMRafa Muadz
 
Programação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesProgramação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesDiego Gonçalves Santos
 
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootBehind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootMaksym Zavershynskyi
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196Mahmoud Samir Fayed
 
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Karthik Rathinavel
 
Itty bittypresentation lrug
Itty bittypresentation lrugItty bittypresentation lrug
Itty bittypresentation lrugTom Crinson
 
The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185Mahmoud Samir Fayed
 
かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版Yutaka Kato
 
DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksFelipe Prado
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychFelipe Prado
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperConnor McDonald
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiaritiesnoamt
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104Bordeaux I
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeupnkslides
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산Changwon National University
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)if kakao
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good PackagesSaumil Shah
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxrelaine1
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introductionGonzalo Gabriel Jiménez Fuentes
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)Julien SIMON
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations Rob LaPlaca
 
Emuladores
EmuladoresEmuladores
EmuladoresBayoch
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor ConcurrencyAlex Miller
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural NetKen'ichi Matsui
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listingChris Worledge
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
Macdoored
MacdooredMacdoored
MacdooredShakacon
 

Contenu connexe

Similaire à reductio [ad absurdum]

DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksFelipe Prado
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychFelipe Prado
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperConnor McDonald
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiaritiesnoamt
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104Bordeaux I
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeupnkslides
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016Mikhail Sosonkin
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)if kakao
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good PackagesSaumil Shah
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxrelaine1
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)Julien SIMON
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations Rob LaPlaca
 
Emuladores
EmuladoresEmuladores
EmuladoresBayoch
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor ConcurrencyAlex Miller
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...Asuka Nakajima
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural NetKen'ichi Matsui
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listingChris Worledge
 

Similaire à reductio [ad absurdum] (20)

DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiarities
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introduction
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations
 
Emuladores
EmuladoresEmuladores
Emuladores
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listing
 

Plus de Shakacon

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assemblyShakacon
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can youShakacon
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back togetherShakacon
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEShakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Shakacon
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerShakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeShakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureShakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelShakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkShakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherShakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareShakacon
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingShakacon
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresShakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamShakacon
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzShakacon
 

Plus de Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
 

Dernier

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Dernier (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

reductio [ad absurdum]

  • 1. { reductio [ad absurdum] domas / @xoreaxeaxeax / Shakacon 2017
  • 2.  Christopher Domas  Cyber Security Researcher @ Battelle Memorial Institute ./bio
  • 3.  Observation:  Different paths can produce the same result.  Thought experiment:  Can the inverse be true?  Can one path produce different results? ./intro
  • 4.  Observation:  Groups of (machine) instructions can often be reduced x = x * 2 x = x + x vs. x = x * 4  Thought experiment:  How much could one program be reduced? ./intro
  • 5.  (bear with me) Let’s backtrack a bit…
  • 6. 4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2 Assembly…
  • 7.  mov is Turing-complete  Stephen Dolan  www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
  • 9.  Any code we write …  … can be written as a set of movs instead  … and nothing else  Really? Turing Complete?
  • 10. 4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2
  • 11. 80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
  • 12. Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler. - Stephen Dolan
  • 13.
  • 14.  Where to begin…? Key Ideas
  • 15.  mov can check equality Key Ideas
  • 16.  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 17.  x=3, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 18.  x=2, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 19.  Requires a single jmp instruction to loop back to the beginning  Incidental  We fixed this later Key Ideas
  • 20.  start:  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  jmp start
  • 21.  Build on Dolan’s ideas  Adapt primitive TM operations for higher level logic  Work on actual data, not abstract symbols  Add new operations  If/else  Arithmetic  Logic  Jumps  Loops  Etc…  Bring it closer to something we can use Idea…
  • 23.  IF X == Y THEN  X = 100 Implementing if
  • 24.  The catch:  We have no branches  All paths execute, no matter what  Solution:  Force a path to operate on “dummy” data, if we don’t want its results Implementing if
  • 25.  IF X == Y THEN  X = 100 Implementing if Selector Data Scratch
  • 26.  IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
  • 27.  IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
  • 28.  IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
  • 29.  IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
  • 30. ; X == Y mov eax, [X] mov [eax], 0 mov eax, [Y] mov [eax], 4 mov eax, [X] ; X = 100 mov eax, [SELECT_X + eax] mov [eax], 100 Implementing if
  • 31. Simple extensions give us if/else if/elseif/else Inequality checks Implementing if
  • 32. %macro eq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 0 mov byte [e+%3], 4 mov al, [e+eax] mov [%1], al %endmacro
  • 33. %macro neq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 4 mov byte [e+%3], 0 mov al, [e+eax] mov [%1], al %endmacro
  • 34. ; create selector %macro c_s 1 %1: dd 0 d_%1: dd 0 s_%1: dd d_%1, %1 %endmacro
  • 35.  Extend the if/else idea Loops and branches
  • 36.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 37.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 38.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 39.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ←  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start Store target Switch to dummy data 0x100c OFF
  • 40.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov … ← Check if branch target  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 41.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov … ← Check if branch target  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 42.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov … ← Check if branch target  0x1030 jmp start 0x100c OFF
  • 43.  start:  0x1000 mov … ← Check if target  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 44.  start:  0x1000 mov …  0x1004 mov … ← Check if target  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 45.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov … ← Check if target  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 46.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFFTarget match Switch to real data
  • 47.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c ONTarget match Switch to real data
  • 48.  Look up tables!  One byte versions are easy. Arithmetic
  • 49. unsigned char inc[]={ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112, 113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128, 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144, 145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160, 161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176, 177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192, 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208, 209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224, 225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240, 241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0 };
  • 50. incb: %assign y 1 %rep 256 db y&0xff %assign y y+1 %endrep
  • 51. ; increment eax with mov mov eax, [inc + eax] Arithmetic
  • 52. %macro add32 4 mov eax, 0 mov ebx, 0 mov ecx, 0 mov edx, 0 mov dword [%4], 0 add8 %1+0, %2+0, %3+0, %4 add8 %1+1, %2+1, %3+1, %4 add8 %1+2, %2+2, %3+2, %4 add8 %1+3, %2+3, %3+3, %4 %endmacro
  • 53. mov eax,0x0 mov ebx,0x0 mov ecx,0x0 mov edx,0x0 mov dword [dword 0x8049576],0x0 mov al,[0x804956a] mov bl,[dword 0x804956e] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049572],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956b] mov bl,[dword 0x804956f] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049573],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956c] mov bl,[dword 0x8049570] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049574],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956d] mov bl,[dword 0x8049571] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049575],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov eax,[0x8049572]
  • 54. mov dword [q], 0 mov dword [r], 0 %assign bb 31 %rep 32 bit c, n, bb shl32 r, c mov dword [c], 0 gte32 t, r, d, c mov eax, [t] mov edx, [sel_r+4*eax] mov [psr], edx mov edx, [sel_q+4*eax] mov [psq], edx mov eax, [psr] mov eax, [eax] mov [dummy_r], eax sub32 dummy_r, dummy_r, d, c mov eax, [psr] mov edx, [dummy_r] mov [eax], edx mov eax, [psq] mov eax, [eax] mov [dummy_q], eax set32 dummy_q, bb mov eax, [psq] mov edx, [dummy_q] mov [eax], edx %assign bb bb-1 %endrep mov eax, [q]
  • 55.
  • 56.  lcc  esi/edi  Calling convention  Emulated stack  32 bit ALU  Simplified dummy selectors  102 IL instructions  Not bad! The M/o/Vfuscator
  • 57.  mov-only C Compiler  https://github.com/xoreaxeaxeax  First single instruction C compiler! The M/o/Vfuscator
  • 58.  prime  Cube  M/o/Vfuscator The M/o/Vfuscator
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.  How much can we simplify a program?  We’ve gotten rid of…  Functions  Loops  Branches  Arithmetic  … it’s an okay start. Reduction
  • 65.  We have all the same instructions  mov  But they’re not all the ”same”  mov eax, edx  mov [100], bl  mov di, 0x1337  mov eax, [edx + 2 * ecx + 0x1094801] Reduction
  • 66.  Eliminate register to register transfers  mov eax, edx becomes  mov [0x1000], edx  mov eax, [0x1000] x86 addressing
  • 67.  Eliminate constant to register transfers  mov eax, 12345 becomes  _temp: .dword 12345  mov eax, [_temp] x86 addressing
  • 68.  All instructions now either read or write to memory. x86 addressing
  • 69.  Eliminate 8 and 16 bit addressing  mov al, [100] becomes  mov [200], eax  mov eax, [100 - 3]  mov [200 - 3], eax  mov eax, [200] x86 addressing 200 100
  • 70.  Simplify memory addressing  mov eax, [0x1234 + ecx + 8 * edx]  Use the M/o/Vfuscator ALU!  Calculate ecx + 8 * edx  Accumulate results in ecx  Result:  (dozens of mov ALU instructions)  mov eax, [0x1234 + ecx] x86 addressing
  • 71.  No more register to register transfers.  No more constant to register transfers.  No more 8 or 16 bit instructions.  All memory accesses are of the form [reg + constant]  mov instructions are now all mov reg, [reg + constant] or mov [reg + constant], reg Almost there.
  • 72.  We still use 8 registers!  Decrease to 2 by storing extras to scratchpad memory  All mov instructions now mov esi/edi, [esi/edi + constant] or mov [esi/edi + constant], esi/edi Registers
  • 73.  Writes: mov [esi/edi + constant], esi/edi  Reads: mov esi/edi, [esi/edi + constant]  Alternate reads and writes  1 read, followed by 1 write, followed by 1 read, followed by 1 write…  Insert dummy (unused) accesses Alternating memory
  • 74. mov esi,[edi+0x816d0e8] mov [edi+0x816d104],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0ec],esi mov esi,[edi+0x816d0eb] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d10c],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0f8],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi The result…
  • 75.  Can we take it further?
  • 76. Psuedo-registers  Instead of registers, use memory to hold the register contents  esi becomes [0x890100]  edi becomes [0x890200]  Let’s call these memory locations “psuedo-registers”
  • 77. A ‘synthetic’ mov  With psuedo-registers, our movs look like mov [0x890100],[[0x890200]+0x816d0e8]  At this point, we’re just moving values to/from different locations in memory  … but this is no longer a valid x86 instruction
  • 78. A ‘synthetic’ mov  Let’s invent a new instruction, “MOVE”  MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]  Our broken x86 instruction mov [0x890100],[[0x890200]+0x816d0e8]  Becomes  MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
  • 79. A ‘synthetic’ mov  Translate the old mov instructions into the more generic MOVE instruction  mov esi,[edi+0x816d0e8] becomes MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]  mov [edi+0x816d0e8], esi becomes MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]
  • 80. A ‘synthetic’ mov  Why is this useful?  All instructions now have exactly the same form.
  • 81. Extracting the essence MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ] { 0x890100, 0, 0x890200, 0x816d0e8 }  Extract all of the MOVE operands into a table.
  • 82.  We’ve distilled our entire C program into a table describing a long list of simple data transfers  Let’s write a program to perform the actions described in the table So now what?
  • 83. Load the table into esi…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov esi, table
  • 84. Execute a memory read…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov ebx, [esi] ; load addr of psuedo-reg 1  mov ebx, [ebx] ; load psuedo-reg 1  add ebx, [esi+4] ; add offset  mov ebx, [ebx] ; perform memory read
  • 85. Execute a memory write…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov edx, [esi+8] ; load addr of psuedo-reg 2  mov edx, [edx] ; load psuedo-reg 2  add edx, [esi+12]; add offset  mov [edx], ebx ; perform memory write
  • 86. Rinse, repeat.  table:  0x890100, 0, 0x890200, 0x816d0e8  0x990010 ; pointer to next table entry  mov esi, [esi+16] ; move to next entry  jmp loop ; repeat the whole process
  • 87. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop table: 0x890100, 0, 0x890200, 0x816d0e8 ... With the reductio toolchain, a C program compiles to ->
  • 88.  Thought experiment:  How far can we reduce a program? So…?
  • 89.  Every program ever written can be reduced to exactly this -> So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 90.  Thought experiment:  Can one sequence of instructions produce entirely different results? So…?
  • 91.  This instruction stream simultaneously implements everything. So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 93.  (Can’t show compiling ) ./demo
  • 94.  The instruction sequence executed by the processor is the same for every program. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 95.  1.  If every program is the same, malware detection gets a whole lot harder. (demo)  Doing the same thing  (In practice) Implications
  • 96.  2.  Exploitation  “AVROP” (Mark Barnes, MWR Labs)  https://github.com/mwrlabs/avrop  AVR microcontroller (Raspberry Pi)  Harvard architecture: limited to ROP  Small memory: very few gadgets  Fortunately, all we need is mov. Implications
  • 97.  The AVROP machine Implications
  • 98.  3.  It’s cool!  A philosophical conclusion…  If the code makes no difference, what does it mean ‘to program’? Implications
  • 99.
  • 100. github.com/xoreaxeaxeax  reductio  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com