In 2022 I spent a reasonable amount of time researching #linux kernel exploitation. As we come towards the end of the year I thought I would look back at some of the resources which were super useful to me coming from a Windows/macOS background and why this was.

1. Understanding and Improving Linux Kernel Exploit Reliability usenix.org/system/files/sec22f by ky1ebot. Developing memory corruption exploits is an art, and the more complex an exploit becomes, the more its reliability tends to go down. This paper evaluates past methods and proposes a novel technique of context conservation.

My team actually used this within research.nccgroup.com/2022/09/ to help increase the reliability of exploiting multiple UAFs.

2. The userfaultfd technique is dead on most Linux distros due to vm.unprivileged_userfaultfd. FUSE has come through as a good replacement for this technique. @jann mentioned it in 2016 and it is still applicable today, e.g. graplsecurity.com/post/iou-rin by @chompie1337 and willsroot.io/2022/01/cve-2022-

3. Syzkaller is a game changer in kernel bug hunting. There are a few things to say: 1) Even existing public grammars can find bugs when targeted at specific areas. 2) Extending coverage is a quick way to find bugs. 3) N-days often sit around in syzkaller.appspot.com/upstream

4. So N-days are often just sitting around. kCTF encourages researchers to triage existing bugs and develop new techniques to bypass existing mitigations security.googleblog.com/2021/1 for both 0-days and N-days. As a researcher you can learn a lot from past bugs: docs.google.com/spreadsheets/d. There’s also another great write-up blog.kylebot.net/2022/10/16/CV by ky1ebot for his win here. Awarau and pql also described a vuln they found in io_uring and exploited here: ruia-ruia.github.io/2022/08/05

5. Keeping on top of mitigations in your head is hard. Especially if you are working on multiple platforms. My colleagues @saidelike and @fidgetingbits created github.com/nccgroup/exploit_mi to try to help track these. Really early days, but any contributions appreciated!

6. Finding correctly sized structures with elements you want to control at certain offsets within them is tedious and time consuming. CodeQL massively helps speed up this process.
mmolgtm's article securitylab.github.com/researc shows a query which can be used for this. Again, we used this within research.nccgroup.com/2022/09/ to identify new exploit primitives.

7. The msg_msg technique, which has been a favourite of exploit writers and was used in willsroot.io/2022/01/cve-2022- / google.github.io/security-rese / nickgregory.me/linux/security/, becomes less useful from 5.14 onwards, when GFP_KERNEL_ACCOUNT allocations end up in the kmalloc-cg-* caches and your vulnerable object does not.

8. Talking of kmalloc caches, cross-cache attacks are a thing and can be used when it's not possible to find an interesting object within your initial target cache. Markak describes this and other factors to consider when evaluating AUTOSLAB: grsecurity.net/how_autoslab_ch

9. Finally a recent article by Awarau interruptlabs.co.uk/labs/pipe_ was posted about a technique which provides an intuitive way to gain arbitrary read/write by targeting the page pointer of a pipe buffer.

10. This list wouldn't be complete without andreyknvl and a13xp0p0v, with linkersec and github.com/xairy/linux-kernel-, which goes into way more things going back over the years.

Apologies if I didn’t have some of your handles on here, I’m still getting to grips with who’s here now and who’s not :)

Did you know you can change the ‘Subscribed language’ of the people you are following? :mastodon:

Just hit the three little dots button on someone’s profile👌🏻♥️

#Mastodon #Tip #FediTip

yes.

Show this to whoever tries to tell you that portscanning is illegal, or that shodan safaris are 'hacking', or any other horrifically uninformed absurdist nonsense.

justice.gov/opa/pr/department-

I know lots of people getting into #infosec want to do the "fun" thing and get into pentesting/red teaming. Here's some truths:

* It's not a bunch of crazy typing on a keyboard and saying "I'm in". It starts with a clearly defined scope, timeframe for testing (including potentially restricted hours for testing). You need to start with a lot of recon and get an understanding of the landscape before you even start.
* Recon is where you're going to spend ~40-50% of your time, if not more. The actual "hacking" will take about 10-20% of the engagement.
* Post-exploitation is going to be another small part of the engagement, which depends on what you're allowed to do. Some clients only want the web app looked at, nothing more.
* Make sure to document/clean up any exploits left on the system. You were keeping track, right?
* Report writing is where the other majority of the time is going to be spent.

In reality, clients are paying for the report. When I used to teach, I would ask my class what the #1 hacking tool was. Lots of guesses for nmap, Metasploit, Cobalt Strike, etc. Nope. It's MS Word. That's the #1 tool that's used. But why?

Simple, clients want to know what's wrong, and more importantly they want to know why it's a problem and how to fix it. This is where the report comes in.

Report writing is hard. You need to be clear, concise and to the point. Yes you can get technical in the findings section where you explain the problem, how it was discovered and how you exploited it. That's going to a technical audience. But the summary of the finding needs to be concise and clear, since a non-techie may be reading it and deciding which of the findings in the report are going to get attention, so you need to do your best to provide information on why each finding is super important.

You also need to be humble. Why? Because you're going to get more than a few customers who will just use your report to satisfy customers asking for them, and unless those customers complain about some findings, then any/all of your findings may be ignored. Nothing burns out pentesters more than watching the same findings re-appear year after year from the same customer. Questioning what value you bring to the table is a common one and it can absolutely be devastating to your ego. You can lead a horse to water and all that is a very important thing to keep in mind.

So yeah, it's not all sunshine and rainbows on one side vs the other. I like blue teaming, I like pentesting. Each have their ups and downs, but just keep in mind that it's two sides of the same coin. There are lots of tools and techniques for both sides, and to be honest, the overlap is a LOT bigger than you think! Your skills will be transferable to either attacking or defending, so you're never going to be "tied" to one side or the other if you put the effort in.

Stay classy #infosec peeps, especially if you're just getting started.

Here's a neat #Mastodon trick I just discovered:

You can access an RSS feed of any user's posts simply by adding .rss onto the end of their profile URL — so, for instance:

twit.social/@jr.rss

You can then use that link to follow all of that person's posts in Feedly, Feedbin, or any other RSS reading service.

Heck, you can even do it directly in #Chrome, if you want!

To this extent I'm really interested to know what the age breakdown of people on the #Fediverse is. On one hand it would seem to make sense to me that most people here remember the "old internet" before the centralization and they're here to rekindle that flame of independence. On the other hand the youths are generally pretty up on this whole technology thing. I grew up on the internet and since then smartphones have become even more ubiquitous.

(Please boost for reach)


Alright it's ready! The "Gauss Speedway".

youtu.be/ZIINCeOVgow

I prototyped this months ago, and now finally did the re-spin into a better package without the mess of wires.

- Controlled by an STM32F051 on the back running #RustLang.
- Designed in #kicad, with my CurvyCad python library
- The cars are 3D printed, with 2mm diam. axial magnets glued in
- Gratuitously featuring my first ever #blender animation

#electronics
#projects
#maker
#embedded

I keep seeing lots of long-time #fediverse users saying 'don't favourite posts it does nothing' but actually when you favourite my posts it makes me smile and I'm sure I'm not the only one.

If you want to master API security, open this thread!

APIs are used EVERYWHERE for applications to communicate, but let's see how you can HACK them! 👩‍💻

A Thread 🧵👇

I love how the EU doesn't recognise e-sport as sports because the games are privately owned and controlled by corporations. Like, I'm not joking, that's such a great stance!

A corporation running a game can ruin someone's career by making a balance change to the game. They can somewhat fix matches that way by pushing an update just before a tournament.

For videogames to qualify as actual sports, they'd have to be standards-based rather than implementation-based. Ergo, I can play chess on any kind of board with any pieces so long as they meet the criteria for the rules of the game. But videogames aren't built like that. They're implementation-based and owned by private corporations, which makes them really unfit as sports.

File format dissection 

I uploaded a small revision of my JPEG image format dissection, along with a PDF version - and a minor bugfix.
github.com/corkami/pics

Let's start hardware hacking posts with simple power analysis.

Each instruction executed on the CPU will use different amounts of power (whatever it means, just go with me, don't listen to the physics part of your brain). Based on the power usage you can determine not only what instruction is being executed but also what arguments it took!
Seriously.

Let's take the following example:

// Arduino sketch fragment; String comes from the Arduino core.
// The secret is defined elsewhere in the sketch, so it is only declared here.
extern const String PASSWORD;

// Deliberately naive check: every character is compared regardless of
// earlier mismatches, so the loop always runs the same number of times.
bool checkPass(String buffer) {
  bool result = true;
  for (int i = 0; i < PASSWORD.length(); i++) {
    if (buffer[i] != PASSWORD[i]) {
      result = false;
    }
  }
  return result;
}

As you can see it's a very simple password check, without the usual timing attack bug. It's worth noting that the whole if is one assembly instruction on Arduino (hence it doesn't take longer to execute the loop because of the value assignment).

Now if we assume that the password is just 5 digits we can try ten different passwords: 00000, 11111, ..., 99999 and get 10 power traces. If we overlay all of them we will see the odd ones out (like in the picture below).

If you look closely at the picture below you will see that there are five distinct places in which the power traces differ. If you match the colours of traces to the password attempts you will get the 5 digits password in just 10 tries!

Magic!
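The attack described above, as an added simulation that is not code from the post or its author: the secret "48217", the one-sample-per-iteration trace and the match/mismatch power levels are all constructed assumptions standing in for real measurements. The simulated target keeps the same control flow as the posted checkPass(), and the attacker side does exactly what the post says: capture ten traces for 00000 through 99999 and, at each position, pick the single trace that differs from the other nine.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PASS_LEN    5
#define NUM_GUESSES 10

/* Constructed secret for the simulation (an assumption, not from the post). */
static const char SECRET[PASS_LEN + 1] = "48217";

/* Constructed leakage model: one power sample per iteration of the
 * checkPass() loop. The compare draws LEAK_MATCH units above baseline when
 * the digit matches and LEAK_MISMATCH units when it does not. Real traces
 * are noisy and have many samples per instruction; this keeps only the
 * effect the attack relies on. */
#define BASELINE      10
#define LEAK_MATCH     3
#define LEAK_MISMATCH  7

/* Simulated target: same control flow as the posted checkPass(), plus a
 * recorded power sample for every loop iteration. */
bool simulate_check(const char *guess, int trace[PASS_LEN]) {
    bool result = true;
    for (int i = 0; i < PASS_LEN; i++) {
        bool match = (guess[i] == SECRET[i]);
        trace[i] = BASELINE + (match ? LEAK_MATCH : LEAK_MISMATCH);
        if (!match) {
            result = false;
        }
    }
    return result;
}

/* Attacker side: try 00000, 11111, ..., 99999 and capture one trace each.
 * At every position exactly one guess digit is right, so its trace is the
 * odd one out; that guess digit is the secret digit at that position.
 * Returns the number of positions recovered, or -1 if some position had
 * no unique odd-one-out (which the noise-free model never produces). */
int recover_password(char out[PASS_LEN + 1]) {
    int traces[NUM_GUESSES][PASS_LEN];
    for (int d = 0; d < NUM_GUESSES; d++) {
        char guess[PASS_LEN + 1];
        memset(guess, '0' + d, PASS_LEN);
        guess[PASS_LEN] = '\0';
        simulate_check(guess, traces[d]);
    }
    int recovered = 0;
    for (int i = 0; i < PASS_LEN; i++) {
        int odd = -1;
        for (int d = 0; d < NUM_GUESSES; d++) {
            int same = 0;
            for (int e = 0; e < NUM_GUESSES; e++) {
                if (e != d && traces[e][i] == traces[d][i]) {
                    same++;
                }
            }
            if (same == 0) {            /* no other trace shares this value */
                if (odd != -1) {
                    return -1;          /* two odd ones: model assumption broken */
                }
                odd = d;
            }
        }
        if (odd == -1) {
            return -1;
        }
        out[i] = (char)('0' + odd);
        recovered++;
    }
    out[PASS_LEN] = '\0';
    return recovered;
}

/* Convenience wrapper: does the recovered string pass the check? */
bool demo_recovers_secret(void) {
    char found[PASS_LEN + 1];
    int trace[PASS_LEN];
    if (recover_password(found) != PASS_LEN) {
        return false;
    }
    return simulate_check(found, trace);
}

int main(void) {
    char found[PASS_LEN + 1];
    int n = recover_password(found);
    printf("recovered %d digits with %d traces: %s\n", n, NUM_GUESSES, found);
    return 0;
}
```

The point to take from the simulation is the counting: a 5-digit PIN has 100000 candidates, but the leakage turns the problem into five independent 1-of-10 decisions, so ten traces suffice. Adding noise to the model would require averaging several traces per guess, but not more guesses.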

Sometimes phone batteries die, and it's difficult to pry open the phone (you need a special tool). Sometimes the battery just swells; in this case, it's easy to replace it.

I ordered this phone battery two weeks ago from AliExpress, and it arrived today, and I successfully replaced the battery (Redmi 10X Pro 5G).

This week, the world’s human #population is expected to reach 8B. About 109B people have lived and died. Each grain of sand represents 10M.

Spectacular #data visualization of human life on Earth by Max Roser #science

me, a young web dev in beirut in 2008, finding out that the way you get an HTTPS certificate is you pay an american corporation money for it

I keep hearing that #Mastodon is not likely to replace #Twitter. To that I say: so what?
I've been contributing to the #Linux desktop for the last 15 years not because it's likely to replace #Windows, but because providing people with free desktop is the right thing to do.
I use and support Mastodon not because it's likely to replace Twitter, but because it's a social network done right.

A ✅ has appeared in my profile. Hurrah for that. I think we have to realise that the learning curve here is steepish, but rather than be anxious about it, shouldn’t we celebrate the adventure of slowly finding out something that was puzzling at first? Like your first week at school or in a new office building. We’ll get there and soon laugh at how confused we were at first. I hope!

I should probably post something related to Android reverse engineering here. So here it goes:
If you have money, use JEB; if you don't, use JADX.
No matter what your economic status is, use Frida.
If you want to start your journey in Android app RE you should absolutely start with "Android App Reverse Engineering 101" by the one and only @maddiestone: ragingrock.com/AndroidAppRE/
If you don't have access to fancy sample repositories check out my list of interesting Android malware samples: maldroid.github.io/android-mal
Finally, if you have any questions - ask. REs are a bunch of nerds who love talking about RE. I promise you will find a ton of helpful, kind people.
