
2023-05-09 ~ 2023-03-12

Presentations (with video): 44 (37)

Black Hat provides attendees with the latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry come together for a total of four days—two or four days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings. Black Hat Asia will be a Live, In-Person Event in Singapore, May 9-12, followed one week later by a Virtual Experience including recordings of all Briefings and Sponsored Sessions, available May 18. See the Conference Highlights below for more details.


Conference:  Black Hat Asia
Authors: Koh Nakagawa
2023-05-12

In recent years, Arm processors have become popular on laptops, not limited to embedded devices. For example, Apple announced the Mac transition from Intel to Arm-based Apple Silicon in 2020, which made a big splash. Apple Silicon Macs have Rosetta 2, which enables the execution of Intel-based apps by translating x64 code into Arm64 code. Several researchers have conducted research on Rosetta 2 from a performance perspective. However, to the best of our knowledge, there is no research on Rosetta 2 from a security perspective.

In this talk, we present a new code injection vulnerability in Rosetta 2. Rosetta 2 stores binary translation results as Ahead-Of-Time (AOT) files, which are cached and reused for the next application launch. Since these files are SIP-protected, we cannot modify them even as root users. However, we developed a new exploit that bypasses this SIP protection and injects arbitrary code into AOT files with user privileges. This code injection can be used to bypass macOS security and privacy mechanisms. Moreover, this technique enables us to make a stealthy backdoor by hiding a malicious payload in a SIP-protected location. Apple has fixed this vulnerability, but only partially. Therefore, an attacker can still exploit this vulnerability even on the latest macOS.

Our journey does not end with this finding. Interestingly, we also discovered a similar issue in Arm-based Windows x86/x64 emulation and developed a similar code injection. Therefore, we believe this vulnerability is prevalent among these compatibility technologies and will affect similar technologies introduced in the future.

This talk will show the vulnerabilities specific to these compatibility technologies in Arm-based OSs for the first time. New code injection techniques with PoC code benefit red teams. In addition, new exploit techniques and reverse engineering results will help future vulnerability research.
Conference:  Black Hat Asia
Authors: Zong Cao, Zheng Wang, Yeqi Fu, Fangming Gu, Bohan Liu
2023-05-12

WebAssembly (WASM) is a high-performance compiled language for execution in web browsers that interoperates with JavaScript. In general, the WASM compiler in the browser is integrated into the JavaScript engine, which has proven to be an important attack surface in browsers over the past years. Protecting the security of the WASM compiler is a matter of security for the browser, and thus for the users. We have seen a remote code execution vulnerability in the WASM compiler previously (Pwn2Own 2021), and it seems that no public research has continued to demonstrate vulnerabilities from this attack surface since then. In fact, over the past year, the number of commits to the WebAssembly compiler in WebKit has surpassed that of the JavaScript JIT and introduced some new features based on the WASM 2.0 specification such as Exceptions, Tail Call, SIMD, etc. In this case, the security of the WASM compiler should be re-emphasized.

In this study, we focus on WebKit vulnerability hunting using fuzz testing. We first investigated some of the existing WASM fuzzers and studied their design patterns, and then we used a clever approach to create an efficient fuzzer for WebKit fuzzing. In addition, we deployed the fuzzer to other architectures because the Codegen part of the WASM compiler is architecture-related. So far, we have submitted a total of 13 security-related issues (and the fuzzer is still producing new crashes today), 4 of which have been assigned CVEs and official acknowledgments from Apple, while some are still being investigated. These issues affect LLInt, BBQ, and OMG of the WebAssembly compiler, some of which are also architecture-related. In this talk, we will explain why we chose WebKit as our primary target and give a detailed introduction to the fuzzer creation process, as well as analyze a few interesting vulnerabilities we found.
Conference:  Black Hat Asia
Authors: Xiang Li
2023-05-12

Phoenix Domain is a general and novel attack that allows adversaries to keep a revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain. Phoenix Domain has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications or best security practices.

The attack is made possible through systematically "reverse engineering" the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes. We selected 41 well-known public DNS resolvers and proved that all surveyed DNS services are vulnerable to Phoenix Domain, including Google Public DNS and Cloudflare DNS. Extensive measurement studies were performed with 210k stable and distributed DNS recursive resolvers, and the results show that even one month after domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it.

The proposed attack provides an opportunity for adversaries to evade the security practice of malicious domain take-down. We have reported the discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them. Currently, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions. In addition, 9 CVE numbers have been assigned. The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.
Conference:  Black Hat Asia
Authors: Yakir Kadkoda, Ilay Goldman
2023-05-12

Our talk divides the cloud development flow into 5 phases: IDE, SCM, package managers, CI/CD and Artifacts. We will demonstrate how supply chain attacks can affect organizations at each phase. This includes the risks of cloud, platforms, and application development, as well as the attacker's perspective on how to exploit these areas.

We will unveil vulnerabilities and flaws in popular platforms corresponding to each one of the areas. We will also talk about the ecosystem and how developers are working with these platforms. Finally, we will show our original research, including vulnerabilities and flaws in various platforms, and talk about each finding and its implications and mitigations.
Conference:  Black Hat Asia
Authors: Roni Gavrilov
2023-05-12

The adoption of Industry 4.0 and IoT (IIoT) technologies into industrial business operations has brought great operational and economic benefits, but also introduced new risks and challenges. One of the major risks is the potential for central points of failure (the cloud), which in the industrial remote access scenario can leave many industrial companies reliant on a single IIoT supplier's security level.

IIoT suppliers often provide cloud-based management solutions to remotely manage and operate devices. While some research has been conducted on the security of these IIoT devices' firmware and protocols, there is still much to learn about the unexpected security risks emerging from their cloud-based management platforms.

In our research, we focused on the cloud-based management platforms of three major IIoT gateway suppliers - Sierra Wireless, Teltonika Networks, and InHand Networks. When investigating how they might be exploited by malicious actors, we found that these types of platforms can act as a backdoor for accessing multiple industrial and critical environments at once, bypassing perimeter and defense-in-depth security measures. During the session, we will present three attack vectors that could compromise cloud-managed IIoT devices through their cloud-based management platforms. The discovered vulnerabilities impact thousands of devices in industrial environments, bypassing NAT and traditional security layers. We will provide an in-depth overview of these vulnerabilities and demonstrate multiple vulnerabilities, including RCE over the internet, bypassing NAT and reaching directly into the internal network, without any pre-conditions. At the end of the session, we will suggest practical recommendations for asset owners, security architects and IIoT vendors.
Conference:  Black Hat Asia
Authors: Neil Wyler, Bart Stump
2023-05-12

Back with another year of soul-crushing statistics, the Black Hat NOC team will be sharing all of the data that keeps us equally puzzled, and entertained, year after year. We'll let you know all the tools and techniques we're using to set up, stabilize, and secure the network, and what changes we've made over the past year to try and keep doing things better. Of course, we'll be sharing some of the more humorous network activity and what it helps us learn about the way security professionals conduct themselves on an open WiFi network.
Conference:  Black Hat Asia
Authors: Alex Matrosov, Richard Hughes, Kai Michaelis
2023-05-12

Over the past two years, attacks on multiple targets in the semiconductor industry have consistently led to leaks of firmware source code. A compromised developer device could potentially give an attacker access to the source code repository, adding a major gap in the security of the software supply chain. There are multiple policies in place to improve transparency in the firmware supply chain in general, but implementing and adopting them will take years. The technology industry is in the midst of active discussions about the use of "software bill of materials" (SBOMs) to address supply chain security risks.

In order to implement supply chain security practices, there must be better transparency on software dependencies. Previously, any piece of software shipped as a black box without providing any information related to software dependencies and third-party components. Firmware has largely been looked at in the same way. We already discussed in our previous talks the multiple levels of complexity in the UEFI firmware ecosystem and supply chain taxonomy, and in last year's research "The Firmware Supply-Chain Security Is Broken: Can We Fix It?" we already discussed the firmware supply chain complexity topics regarding firmware update delivery and how timing plays a negative role, giving attackers an advantage in adopting already known vulnerabilities (N-days) in their attacks.

The silicon vendor reference code vulnerabilities are always the worst, since they impact the whole industry and all the device vendors that have used the same chips in their devices. When it comes to applying mitigations, how does the industry take advantage of them, and who controls their adoption in the firmware? Those are all good questions, but unfortunately, no positive news can be shared. The system firmware attack vectors will be discussed in this talk from the perspective of attacking the operating system or hypervisor. The nature of these attacks breaks the foundation of confidential computing and often creates problems for the entire industry.

This talk will focus on practical examples of such attacks and how they are dangerous.
Conference:  Black Hat Asia
Authors: Gaurav Keerthi, Jeff Moss
2023-05-12

In this fireside chat, Black Hat Founder Jeff Moss sits down with Gaurav Keerthi, Former Deputy Chief Executive, CSA to discuss the ongoing tension between regulating emerging technologies and the drive for innovation in cybersecurity. They also examine the role of government vs the private sector in fostering innovation while also protecting against security threats and addressing privacy concerns. Join this session to learn if government technology regulations save humanity or kill innovation.
Conference:  Black Hat Asia
Authors: Sandro Pinto, Cristiano Rodrigues
2023-05-12

The discovery of Spectre and Meltdown has turned systems security upside down. These attacks have opened a novel frontier for exploration to hackers and shed light on the untapped potential of hidden transient states created by shared microarchitectural resources. Since then, we have witnessed the rise of a plethora of effective software-based microarchitectural timing side-channel attacks capable of breaking and bypassing the security (isolation) boundaries of numberless processors from mainstream CPU vendors (Intel, AMD, Arm). Notwithstanding, one class of computing systems is apparently resilient to these attacks: microcontrollers (MCUs). MCUs are shipped in billions annually and are at the heart of every embedded and IoT device. There is a common belief that MCUs are not vulnerable to these attacks because their microarchitecture is intrinsically simple.

In this talk, we challenge the status quo by unveiling a novel class of microarchitectural timing side-channel attacks affecting MCUs. First, we provide evidence of the existence of this channel on multiple platforms. Then, we explain the building blocks, the overall methodology, and the main challenges we faced in successfully mounting the attack. To close our talk, we discuss and demonstrate how to bypass the isolation guarantees of a reference TEE architecture on a state-of-the-art MCU. We perform a live demo of this attack emulating a secure smart lock IoT application.
Conference:  Black Hat Asia
Authors: Imran Saleem
2023-05-12

The talk is mainly driven by the cyber intelligence gathered in response to political shifts in the region. The core focus of the talk is to bring awareness and reveal actionable intelligence to a larger audience, specifically operators, so that they can take solid measures to ensure they have cyber resilience when it comes to handling these nation-state attacks during conflicts. As the theme of the talk is cyber-attacks during conflicts, we will share a glimpse of intelligence that was captured during the US forces' withdrawal from Afghanistan. We will discuss the timeline of the US withdrawal and how these activities were directly reflected and seen on global signaling. We will also share our intelligence gathered around the Russia and Ukraine conflict and how mobile networks were weaponized to inflict cyber war, with a primary focus on nation-state activity led by Russian sources/identity holders with various objectives (i.e., hostile registration, location tracking and surveillance, SMS hijack, account takeover performing identity impersonation, identity spoofing via SS7 on the link level and upper layers, and zero-day exploit techniques used in an attempt to bypass security controls). These activities were supported by fuzzing looking to evade security defenses. Redacted network captures will be used to demonstrate the attack methodology. We will also walk through and provide evidence of how zero-day exploits on global signaling are incurring financial losses for mobile operators. The talk brings a unique perspective for mobile network operators on how revisiting their efforts in building a concrete cyber resilience security strategy can protect operators from financial and reputational losses and prepare them for hybrid war.

Please note that this will be a remote (virtual) presentation.