I like to take plain text notes when I attend lectures, so I thought I'd start sharing them. Please excuse if the earlier ones are bit sketchy.

Computing Lectures

Oct 30, 2010

26C3 Here Be Dragons! 

Here be ELectric Dragons: Prepraing for the Emancipaition of Machines
Lorenz G Lechner - Helsiniki University

-BitBang Rays to the Future: what the tech future would look like in 2025, how affects economy
-started thinking machines were to augment our capabilites ("we have been cyborgs since we started using fire")
-new machines, combinations of mechanic and processing abalities
-"The future is here, just unevertly distributed"
-We differentiate between machines and animals because we look at the world using difgferent senses
-the machines that are market savvy are those that will prevail
	-ex: robot hamster that is silghtly more action than a real hamster
-"There is no physical task in which a human can outperform a robot"
 
Adanced microcontroller programming: Getting deeper into AVR programming
iwesen@ruinwesen.com, http://ruinwesen.com/, http://github.com/wesen, htpt://tiwtter.com/wesen
-Becaus all unit tests don't fit on the AVR, substititue mock objects
-Uses C++ on the 8 bit microcontroller, because you have enough control to
allocate the program flow that it is almost as efficient as if it were written
in Assembly
-does not use any dynamic allocation (no creation of "new" objects), just
static
-uses muliple inheritance, method overloading "virtual methods", no templates
-biggest advantage is Object Orientation
, so entire hardware element of controller can be wrapped in objects
	-can subclass for different defatures using multiple inheritance
	-can use linked lists, other high level data structures
-con: bloated, code size is huge (mostly because C++ and pointer arithmetic)i,
and gcc is not very good and using extra registers of AVR
-if you use 32bit interegers, int operations will be something like 12 times
as slow because it has to slpti into 8 bit operations
-Measuring with Profiler? timing tool
-important to undrestand compiler (assembly( output, even if you aren't
writing in assembly
-code refactoring
	-avoid big switch statements
	-available in a book called Small Memeory Software
-most effective tool for hardwar edubgging is an oscilloscope
-peizo allows you to observe states through auibal frequences
-sends out midi notes instead of logging text
-Can use JTAG with GDB or Kavascript (the latter is much faster/lightweight),
custom debugging environment

Fuzzing your phone from your phone

-SMS
-why attack SMS?
	-received and processed by almsot all phones, no firewalls, can be
	targeted with just a phone, server side without firewall
-life of SMS: message sent to device to the short message service center SMSC,
forwarded to rciptient, in a qSMSC queue messages if not aaliable, delivers
-SMS arrives and the modem dumps 2 lines of text (PDU)
-Take existing input and mutate it, or create input from scratch
-sending test cases best done by adding a man in the middle channes between
the application and the modem, because it's free, no special equipment, etc.
Just results have to be verified over the carrier network
-layes: modem : virtual serial lines : injector, userspace telphony
applicaiton
-SMS acts bteween user and injector layer
-for iphone, crashdumps are generated so you can send your SMS and check for a
new crashdump file, and then finally send a text SMS to make sure app not
hanging
-harder on android because processing done in Java, so have to create a new
interface to replace the java
-logcat -d gives you the logdump, where stars indicate a crash
-motivation is that you can first lock/crash iphone by crashing springboard,
but also interrupt
-with android, you can kick phone off network, make it no longer register with
the network by forgetting the pin for unlocked phones
-windows mobile, makes phone unusable until mallicious SMS is deleted
-somenoe else got remote code execution working for the iphone
-send SMS to port 2948, get java.lang.ArrayOutOfBoundsException (doesn't work
on AT&T)
-on windows mobile, send "%n" seems to crash it (has update now)
-SMS is a great attack method against smart phones
-reported all bugs, and android/iphone has fixed most of them
-http://www.mulliner.org/security/sms

Defending the poor: Defending against Flash exploints
-motivation: project initiated in 2008 by german federal offic efor
infromation securit
-germany is one of the only countries who has a govt dept that is partiall
yresponsible for computer security
-web sites that host flash banners are susceptible to these attacks, or
websites that allow others to upload files to their sites
-RIAs are implemenetd sa plugins for webbrowsers (functionality that
the browser intentianlly did not provide)
-flash security model relies on  code that runs inside a VVM, and tries to
make sure nothing escapes int othe native system
-two sandboxes, one for communicating with the network, and another that can
access to filesystem
-flash is not very configurable, and has no signatures to tell where a swf
came from
-vulnerabilities: copying data to clipboard, FLV intereger overflow, 
-attacks using flash include"exploit characters" bc flash has lots of info
about OSs etc
, clickjacking (USer Intferface Redressing", sending additioal HTTP header in
requests, simply redirecting the web browser (most common)
-1. redirecting 2. binary exploints 3. web attack vehicle
-SWF Adjack/Gnida, which stores campaign information in a local shared object
(in other campaigns, not techincally malware)
-AV companies are not very effective protecting against flash exploits
-everythnig is very dependent on versions
-flash has two VMs, one programmed in ActionScript 1 and 2, most apps.  AVM2
is programmed ActionScript 3, which is more OOP, which would have bene good,
but most flash developers generaly don't understand OOP
-important: all versions of flash are backward compatible
-includes versions of actions/objects, like DefineButton2, etc.
-VM includes function declarations in the bytecode inline, as well as allowing
byte offsets in branch instructions
	-can jump into another code block,
	-if you write a really long if statement, it will validate, but an
	only jump 16 bits of code, because that's the branch offset size
-also, objects at larger depth levels' code is executed last
-open source version is called "Tamarin"
-two types of attacks to be handled: malformed SWF files that cause memory
corrucption in the lpaye, and wellformed swf files that use the playe'rs API
for evilness
-because flash plaers ar e"fragile", a file is analyzed before it's played,
original is deleted, and then recreated using what was understood from te file
-ACtioGetURL2 is the most widely used action to forard browsers to potentially
dangerous targets
-Blitzableiter implements patches in the VM, which supporsts AVM1 exploits
-avg code inflation is 224%, 82% of those swfs patched, flash also went slower
-http://blitzableiter.recurity.com--
-Microsoft Silverlight is a good example