Oct 30, 2010
26C3 Here Be Dragons!
Here Be Electric Dragons: Preparing for the Emancipation of Machines
Lorenz G. Lechner, Helsinki University
- BitBang: Rays to the Future: what the tech future would look like in 2025 and how it affects the economy
- started with thinking machines were there to augment our capabilities ("we have been cyborgs since we started using fire")
- new machines: combinations of mechanical and processing abilities
- "The future is here, just unevenly distributed"
- we differentiate between machines and animals because we look at the world using different senses
- the machines that are market savvy are those that will prevail
- ex: robot hamster that is slightly more action than a real hamster
- "There is no physical task in which a human can outperform a robot"

Advanced microcontroller programming: Getting deeper into AVR programming
wesen@ruinwesen.com, http://ruinwesen.com/, http://github.com/wesen, http://twitter.com/wesen
- because all unit tests don't fit on the AVR, substitute mock objects
- uses C++ on the 8-bit microcontroller, because you have enough control over program flow that it is almost as efficient as if it were written in assembly
- does not use any dynamic allocation (no creation of "new" objects), just static
- uses multiple inheritance, method overloading, "virtual methods", no templates
- biggest advantage is object orientation, so each hardware element of the controller can be wrapped in an object
- can subclass for different features using multiple inheritance
- can use linked lists and other high-level data structures
- con: bloated, code size is huge (mostly because of C++ and pointer arithmetic), and gcc is not very good at using the extra registers of the AVR
- if you use 32-bit integers, int operations will be something like 12 times as slow because they have to be split into 8-bit operations
- measuring with a profiler? timing tool
- important to understand compiler (assembly) output, even if you aren't writing in assembly
- code refactoring
- avoid big switch statements
- available in a book called Small Memory Software
- most effective tool for hardware debugging is an oscilloscope
- piezo allows you to observe states through audible frequencies
- sends out MIDI notes instead of logging text
- can use JTAG with GDB or JavaScript (the latter is much faster/lighter weight), custom debugging environment

Fuzzing your phone from your phone
- SMS: why attack SMS? received and processed by almost all phones, no firewalls, can be targeted with just a phone, server side without firewall
- life of an SMS: message sent from the device to the short message service center (SMSC), forwarded to the recipient; the SMSC queues messages if the recipient is not available, then delivers
- SMS arrives and the modem dumps 2 lines of text (PDU)
- take existing input and mutate it, or create input from scratch
- sending test cases is best done by adding a man-in-the-middle channel between the application and the modem, because it's free, no special equipment, etc. Just the results have to be verified over the carrier network
- layers: modem : virtual serial lines : injector : userspace telephony application
- SMS acts between user and injector layer
- for iPhone, crash dumps are generated, so you can send your SMS and check for a new crash dump file, and then finally send a text SMS to make sure the app is not hanging
- harder on Android because processing is done in Java, so you have to create a new interface to replace the Java one
- logcat -d gives you the log dump, where stars indicate a crash
- motivation is that you can first lock/crash the iPhone by crashing SpringBoard, but also interrupt
- with Android, you can kick the phone off the network, make it no longer register with the network by forgetting the PIN for unlocked phones
- Windows Mobile: makes the phone unusable until the malicious SMS is deleted
- someone else got remote code execution working for the iPhone
- send SMS to port 2948, get java.lang.ArrayOutOfBoundsException (doesn't work on AT&T)
- on Windows Mobile, sending "%n" seems to crash it (has an update now)
- SMS is a great attack method against smart phones
- reported all bugs, and Android/iPhone have fixed most of them
- http://www.mulliner.org/security/sms

Defending the poor: Defending against Flash exploits
- motivation: project initiated in 2008 by the German Federal Office for Information Security
- Germany is one of the only countries with a government department that is partially responsible for computer security
- web sites that host Flash banners are susceptible to these attacks, or websites that allow others to upload files to their sites
- RIAs are implemented as plugins for web browsers (functionality that the browser intentionally did not provide)
- Flash security model relies on code that runs inside a VM, and tries to make sure nothing escapes into the native system
- two sandboxes, one for communicating with the network, and another that can access the filesystem
- Flash is not very configurable, and has no signatures to tell where a SWF came from
- vulnerabilities: copying data to clipboard, FLV integer overflow
- attacks using Flash include "exploit characters" because Flash has lots of info about OSs etc., clickjacking ("User Interface Redressing"), sending additional HTTP headers in requests, simply redirecting the web browser (most common)
- 1. redirecting 2. binary exploits 3. web attack vehicle
- SWF Adjack/Gnida, which stores campaign information in a local shared object (in other campaigns, not technically malware)
- AV companies are not very effective at protecting against Flash exploits
- everything is very dependent on versions
- Flash has two VMs: AVM1 is programmed in ActionScript 1 and 2 (most apps); AVM2 is programmed in ActionScript 3, which is more OOP, which would have been good, but most Flash developers generally don't understand OOP
- important: all versions of Flash are backward compatible
- includes versions of actions/objects, like DefineButton2, etc.
- VM includes function declarations in the bytecode inline, as well as allowing byte offsets in branch instructions
- can jump into another code block
- if you write a really long if statement, it will validate, but can only jump 16 bits of code, because that's the branch offset size
- also, the code of objects at larger depth levels is executed last
- open source version is called "Tamarin"
- two types of attacks to be handled: malformed SWF files that cause memory corruption in the player, and well-formed SWF files that use the player's API for evilness
- because Flash players are "fragile", a file is analyzed before it's played, the original is deleted, and then recreated using what was understood from the file
- ActionGetURL2 is the most widely used action to forward browsers to potentially dangerous targets
- Blitzableiter implements patches in the VM, which supports AVM1 exploits
- avg code inflation is 224%, 82% of those SWFs patched, Flash also went slower
- http://blitzableiter.recurity.com
- Microsoft Silverlight is a good example
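The SMS talk above says the modem hands the telephony application a PDU as two lines of text, and that fuzzing works by mutating that input. As an added example (not code from the talk), here is a defensive SMS-DELIVER PDU decoder in Python that checks every length field against the bytes actually present before indexing, so a mutated length is rejected instead of causing an out-of-bounds read; the sample PDU is a constructed 7-bit message, and only the ASCII-compatible part of the GSM default alphabet is decoded.

```python
import binascii

class BadPDU(ValueError):
    """Raised when a length field claims more bytes than the PDU carries."""

def _need(buf, pos, n):
    if pos + n > len(buf):
        raise BadPDU("%d byte(s) wanted at offset %d, PDU has %d" % (n, pos, len(buf)))

def _digits(raw):
    """Decode nibble-swapped BCD digits, dropping the 0xF filler nibble."""
    return "".join("%x%x" % (b & 0x0F, b >> 4) for b in raw).rstrip("f")

def _unpack_7bit(data, septets):
    """Unpack packed GSM 7-bit user data; assumes the ASCII-compatible subset."""
    bits = int.from_bytes(data, "little")
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(septets))

def decode_sms_deliver(hexpdu):
    """Parse an SMS-DELIVER PDU as dumped by the modem; every length is checked."""
    buf = binascii.unhexlify(hexpdu)
    _need(buf, 0, 1)
    smsc_len, pos = buf[0], 1                      # SMSC address length in octets
    _need(buf, pos, smsc_len)
    smsc = _digits(buf[pos + 1:pos + smsc_len])    # skip the type-of-address octet
    pos += smsc_len
    _need(buf, pos, 3)
    first_octet, oa_digits = buf[pos], buf[pos + 1]  # then type-of-address
    if first_octet & 0x03 != 0:
        raise BadPDU("TP-MTI says this is not SMS-DELIVER")
    oa_len, pos = (oa_digits + 1) // 2, pos + 3    # digit count -> octet count
    _need(buf, pos, oa_len)
    sender = _digits(buf[pos:pos + oa_len])[:oa_digits]
    pos += oa_len
    _need(buf, pos, 10)                            # PID, DCS, 7-byte SCTS, UDL
    dcs, scts, udl = buf[pos + 1], buf[pos + 2:pos + 9], buf[pos + 9]
    if dcs & 0x0C != 0:
        raise BadPDU("only the GSM 7-bit alphabet is handled here")
    ud_bytes, pos = (udl * 7 + 7) // 8, pos + 10
    _need(buf, pos, ud_bytes)                      # a mutated UDL fails here
    ts = [_digits(bytes([b])) for b in scts[:6]]   # YY MM DD hh mm ss
    return {"smsc": smsc, "sender": sender,
            "timestamp": "%s-%s-%s %s:%s:%s" % tuple(ts),
            "text": _unpack_7bit(buf[pos:pos + ud_bytes], udl)}

# Constructed sample PDU (the classic "hellohello" example message)
SAMPLE_PDU = "07917238010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"
```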
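The Flash talk above describes analyzing a SWF before the player sees it, names ActionGetURL2 as the usual forwarding action, and notes that 16-bit branch offsets can jump out of a code block. As an added example (not Blitzableiter's code), here is a minimal Python checker that walks the AVM1 action blocks of an uncompressed SWF, reports ActionGetURL/ActionGetURL2 and flags branch offsets that leave their block; tag and action codes are from the SWF specification, the sample file is constructed.

```python
import struct

# AVM1 action codes and the DoAction tag code from the SWF specification
ACTION_GET_URL, ACTION_GET_URL2 = 0x83, 0x9A
ACTION_JUMP, ACTION_IF = 0x99, 0x9D
DO_ACTION = 12

def _check_actions(block, findings):
    """Walk one AVM1 action block: note URL actions and branches that leave it."""
    pos = 0
    while pos < len(block) and block[pos] != 0:  # 0x00 = ActionEnd
        op, pos, data = block[pos], pos + 1, b""
        if op >= 0x80:  # actions with a payload carry a 16-bit length
            length = struct.unpack_from("<H", block, pos)[0]
            data, pos = block[pos + 2:pos + 2 + length], pos + 2 + length
            if len(data) != length: raise ValueError("action 0x%02x truncated" % op)
        if op in (ACTION_GET_URL, ACTION_GET_URL2):
            findings.append(("geturl", op))
        elif op in (ACTION_JUMP, ACTION_IF):
            target = pos + struct.unpack_from("<h", data)[0]  # signed 16-bit offset
            if not 0 <= target <= len(block):
                findings.append(("branch_out_of_block", target))

def check_swf(data):
    """Return findings for one uncompressed (FWS) SWF file."""
    if len(data) < 13 or data[:3] != b"FWS":
        raise ValueError("not an uncompressed SWF file")
    nbits = data[8] >> 3  # RECT field width (top 5 bits); RECT is byte-padded
    pos, findings = 8 + (5 + 4 * nbits + 7) // 8 + 4, []  # past RECT/rate/count
    try:
        while pos < len(data):
            hdr = struct.unpack_from("<H", data, pos)[0]
            code, length, pos = hdr >> 6, hdr & 0x3F, pos + 2
            if length == 0x3F:  # long form: explicit 32-bit length follows
                length, pos = struct.unpack_from("<I", data, pos)[0], pos + 4
            if pos + length > len(data):
                raise ValueError("tag %d runs past end of file" % code)
            if code == DO_ACTION:
                _check_actions(data[pos:pos + length], findings)
            if code == 0: break  # End tag
            pos += length
    except struct.error as err:  # a header field itself is cut off
        raise ValueError("truncated SWF: %s" % err)
    return findings

# Constructed sample: header (empty RECT, 12 fps, 1 frame), one DoAction with
# ActionGetURL2 and an ActionJump whose +64 offset leaves its block, End tag.
ACTIONS = bytes([0x9A, 1, 0, 0x00, 0x99, 2, 0, 0x40, 0x00, 0x00])
TAG = struct.pack("<H", (DO_ACTION << 6) | len(ACTIONS)) + ACTIONS + b"\x00\x00"
SAMPLE = b"FWS\x08" + struct.pack("<I", 13 + len(TAG)) + b"\x00\x00\x0c\x01\x00" + TAG
```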