Black Hat - Academia.edu (original) (raw)

Papers by Black Hat

Abstract—Tor is a real-world, circuit-based low-latency anony-mous communication network, support... more Abstract—Tor is a real-world, circuit-based low-latency anony-mous communication network, supporting TCP applications over the Internet. In this paper, we present a new class of attacks, protocol-level attacks, against Tor. Different from existing attacks, these attacks can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat against Tor. In protocol-level attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender. The manipulated cells traverse middle onion routers and arrive at an exit onion router along a circuit. Because Tor uses the counter mode AES (AES-CTR) for encrypting cells, the manipulated cells disrupt the normal counter at exit onion routers and decryption at the exit onion router incurs cell recognition errors, which are unique to the investigated protocol-level attacks. If an accomplice of the attacker at the entry onion router also cont...

• We see MANY web application security flaws – 50,000 unique MS-related domains • These tools and... more • We see MANY web application security flaws – 50,000 unique MS-related domains • These tools and tactics help us assess and defend too

longld at vnsecurity.net Return-oriented programming (ROP), based on return-to-libc and borrowed-... more longld at vnsecurity.net Return-oriented programming (ROP), based on return-to-libc and borrowed-code-chunks techniques, is one of the buzzing advanced exploitation techniques these days to bypass NX. There are several practical works using ROP techniques for exploitations on Windows, iPhone OS to bypass DEP and code signing. On most of modern Linux distributions, ASCII-Armor address mapping (which maps libc addresses starting with NULL byte) and Address Space Layout Randomization (ASLR) are enable by default to protect against return-to-libc / ROP techniques. In this paper, we will show how we can extend old advanced return-to-libc techniques to multistage techniques that can bypass ASLR and ASCII-Armor mapping and make ROP/return-to-libc exploitation on modern Linux x86 become easy. In addition, by reusing not only codes but also data from the binary itself, we can build any chained ret2libc calls or ROP calls to bypass ASLR protection.

Jeff Moss took the audience on a behind-the-scenes look at cybersecurity policy and practice, sta... more Jeff Moss took the audience on a behind-the-scenes look at cybersecurity policy and practice, starting from the origins of DEFCON, and continuing on to present day Washington, DC policy-making as ICANN's chief security officer. Two decades ago, when the first DEFCON was taking shape, part of the goal was to get as many computer security-focused individuals in one place in order to encourage the open exchange of knowledge, at a time when there were no better ways to do so. To that end, DEFCON was the first open hacker conference, eschewing the invitation-only model of similar contemporary events. And, it turned out, not only security professionals and hackers were (and still are) interested in this kind of knowledge exchange, but governments were as well: intelligence and counter-intelligence agents have been spotted at DEFCON from the very early days and continue to appear year after year. Cybersecurity is one of the hottest topics in US government circles currently, being addre...

This document provides an overview of two emulation-based software protection schemes which pro- ... more This document provides an overview of two emulation-based software protection schemes which pro- vide protection from reverse code engineering (RCE) and software exploitation using encrypted code execution and page-granularity code signing, respectively. The two protection mechanisms execute within trusted emulators while remaining out-of-band of untrusted systems being emulated. The integrity and reliability of the protection mechanisms depend upon attackers remaining sandboxed within the emulated environments. The three sections below provide an overview of emulation sandboxing, emulation-based encrypted code execution and emulation-based page granularity code signing.

An important attack vector missing in many penetration testing and attack tools available today i... more An important attack vector missing in many penetration testing and attack tools available today is the tried-and-true telephony dialup. With the recent surge in popularity of VoIP connectivity, accessing such attack vectors has become both cheap and easy. Using the new Metasploit telephony components, users are now able to both scan for and dial up directly to telephony-accessible exploitation targets.

Abstract—Tor is a real-world, circuit-based low-latency anony-mous communication network, support... more Abstract—Tor is a real-world, circuit-based low-latency anony-mous communication network, supporting TCP applications over the Internet. In this paper, we present a new class of attacks, protocol-level attacks, against Tor. Different from existing attacks, these attacks can confirm anonymous communication relationships quickly and accurately by manipulating one single cell and pose a serious threat against Tor. In protocol-level attacks, a malicious entry onion router may duplicate, modify, insert, or delete cells of a TCP stream from a sender. The manipulated cells traverse middle onion routers and arrive at an exit onion router along a circuit. Because Tor uses the counter mode AES (AES-CTR) for encrypting cells, the manipulated cells disrupt the normal counter at exit onion routers and decryption at the exit onion router incurs cell recognition errors, which are unique to the investigated protocol-level attacks. If an accomplice of the attacker at the entry onion router also cont...

• We see MANY web application security flaws – 50,000 unique MS-related domains • These tools and... more • We see MANY web application security flaws – 50,000 unique MS-related domains • These tools and tactics help us assess and defend too

longld at vnsecurity.net Return-oriented programming (ROP), based on return-to-libc and borrowed-... more longld at vnsecurity.net Return-oriented programming (ROP), based on return-to-libc and borrowed-code-chunks techniques, is one of the buzzing advanced exploitation techniques these days to bypass NX. There are several practical works using ROP techniques for exploitations on Windows, iPhone OS to bypass DEP and code signing. On most of modern Linux distributions, ASCII-Armor address mapping (which maps libc addresses starting with NULL byte) and Address Space Layout Randomization (ASLR) are enable by default to protect against return-to-libc / ROP techniques. In this paper, we will show how we can extend old advanced return-to-libc techniques to multistage techniques that can bypass ASLR and ASCII-Armor mapping and make ROP/return-to-libc exploitation on modern Linux x86 become easy. In addition, by reusing not only codes but also data from the binary itself, we can build any chained ret2libc calls or ROP calls to bypass ASLR protection.

Jeff Moss took the audience on a behind-the-scenes look at cybersecurity policy and practice, sta... more Jeff Moss took the audience on a behind-the-scenes look at cybersecurity policy and practice, starting from the origins of DEFCON, and continuing on to present day Washington, DC policy-making as ICANN's chief security officer. Two decades ago, when the first DEFCON was taking shape, part of the goal was to get as many computer security-focused individuals in one place in order to encourage the open exchange of knowledge, at a time when there were no better ways to do so. To that end, DEFCON was the first open hacker conference, eschewing the invitation-only model of similar contemporary events. And, it turned out, not only security professionals and hackers were (and still are) interested in this kind of knowledge exchange, but governments were as well: intelligence and counter-intelligence agents have been spotted at DEFCON from the very early days and continue to appear year after year. Cybersecurity is one of the hottest topics in US government circles currently, being addre...

This document provides an overview of two emulation-based software protection schemes which pro- ... more This document provides an overview of two emulation-based software protection schemes which pro- vide protection from reverse code engineering (RCE) and software exploitation using encrypted code execution and page-granularity code signing, respectively. The two protection mechanisms execute within trusted emulators while remaining out-of-band of untrusted systems being emulated. The integrity and reliability of the protection mechanisms depend upon attackers remaining sandboxed within the emulated environments. The three sections below provide an overview of emulation sandboxing, emulation-based encrypted code execution and emulation-based page granularity code signing.

An important attack vector missing in many penetration testing and attack tools available today i... more An important attack vector missing in many penetration testing and attack tools available today is the tried-and-true telephony dialup. With the recent surge in popularity of VoIP connectivity, accessing such attack vectors has become both cheap and easy. Using the new Metasploit telephony components, users are now able to both scan for and dial up directly to telephony-accessible exploitation targets.