system resources
Availability: 9 seats left
I'm really excited about this workshop. It'll involve dissecting a
stored value smart card die and reverse engineering the transistors to
determine what the different parts of the chip do and by the end of
the course be able to circumvent some of the card's hardware access
controls. We're gearing this workshop towards software reverse
engineers that want to learn more about how the hardware ticks and
get a better understanding for how things are implemented at the even
lower levels. People attending this course will receive decaped parts,
large format prints of the die, flash drives with high-resolution
obviously you can use the OS debugging APIs, or inject a DLL into the
address space of the VM process, or map its memory using memory management
APIs, or exploit a vulnerability in the VM process, or.....
Similar attacks can be performed by altering the disks or attaching
malicious hardware. You could point out that the guest OS need not
trust the disk or the hardware and you would be right. However, all
of the important OSs *DO* trust disks and most are very trusting of
hardware.
Your statement that administrator access protects the VM is simply false.
- Gynvael Coldwind and Unavowed - Syndicate Wars Port: How to port a DOS
game to modern systems
- Dino Dai Zovi - Mac OS X Return-Oriented Exploitation
- Nicolas Falliere - Reversing Trojan.Mebroot's Obfuscation
- Yoann Guillot and Alexandre Gazet - Metasm Feelings (30 minutes)
- Travis Goodspeed - Building hardware for exploring deeply embedded systems
- Sean Heelan - Applying Taint Analysis and Theorem Proving to Exploit
Development
- Alex Ionescu - Debugger-based Target-to-Host Cross-System Attacks
- Ricky Lawshae - Picking Electronic Locks Using TCP Sequence Prediction
(20 minutes)
hacked Echelon and I would like to share")
* Non-IP (SNA, ISO, make us dream...)
* Red-light and other public utilities control networks
* M2M
Attacking Hardware
* Hardware reverse engineering (and exploitation + backdooring)
* Femto-cell hacking (3G, LTE, ...)
* Microchip grinding, opening, imaging and reverse engineering
* BIOS and otherwise low-level exploitation vectors
* Real-world SMM usage! We know it's vulnerable, now let's do something
concentrating on current research with high technical merit.
Traditionally, the majority of all lectures at 26C3 revolve around
hacking.
Topics in this domain include but are in no way limited to:
programming, hardware hacking, cryptography, network and system
security, security exploits, and creative use of technology.
Making
------
The "Making" category is all about making and breaking things and the
use the "show crypto engine brief" command, as shown in the following
example:
Router#show crypto engine brief
crypto engine name: Virtual Private Network (VPN) Module
crypto engine type: hardware
State: Enabled
Location: slot 4
VPN Module in slot: 4
Product Name: VAM2+
Software Serial #: 55AA
sb02536
Secure12
HP StorageWorks Storage Mirroring
Hardware Platform
File
SHA-1 Sum
i386
HP_i386_5.2.1.870.0.exe
including but not limited to:
- Vulnerability research (software auditing, reverse engineering)
- Exploitation techniques and automation
- Network-based attacks (routing, DNS, IDS/IPS/firewall evasion)
- Reconnaissance (scanning, software, and hardware fingerprinting)
- Malware design and implementation (rootkits, viruses, bots, worms)
- Denial-of-service attacks
- Web and database security
- Penetration testing
- Weaknesses in deployed systems (VoIP, telephony, wireless, games)
+--------------------------------
No other Cisco products are currently known to be affected by this
vulnerability.
Other hardware models of Cisco switching products that are running
the vulnerable Cisco IOS Software versions are not affected by this
vulnerability.
Cisco Industrial Ethernet 3000 Series switches that are not running
the Cisco IOS Software releases that are listed above are not
https://www.blackhat.com/html/bh-japan-08/brief-bh-jp-08-onsite-archive.html
BLACK HAT WASHINGTON DC CFP NOW OPEN
Held February 16-19, 2009 at the Hyatt Regency Crystal City. Black Hat DC is
the leading security conference focused on the needs of government and
infrastructure security professionals, with tracks focused on Hardware and
Embedded Devices, Reverse Engineering and Malware, Client Wars and
Application Security, and Forensics and Network Protection. We hope to see
you there for another highly technical and refreshingly vendor-neutral
event.
3. Problem Description
a. Privilege escalation on 64-bit guest operating systems
VMware products emulate hardware functions, like CPU, Memory, and
IO.
A flaw in VMware's CPU hardware emulation could allow the
virtual CPU to jump to an incorrect memory address. Exploitation of
this issue on the guest operating system does not lead to a
> would agree with you that this represents a DoS issue for *that domain*.
Have you ever used vmware? I don't see how Sun domains are supposed
to be any different from vmware in that case. Obviously you are
handing sub-admins control over a domain so that they can run any OS
they need to. Their hardware isolation is not supposed to be a joke. It
is serious stuff. It has to work.
Obviously you expect that what a sub-admin does in his domain should
not affect the rest of your machine; i.e. force you to power it off.
But that is exactly what is required -- a power off of the whole chassis
----- Original Message -----
From: "Theo de Raadt" <deraadt@cvs.openbsd.org>
To: "B 650" <dunc.on.usenet@googlemail.com>
Cc: <bugtraq@securityfocus.com>
Sent: Tuesday, September 09, 2008 4:27 PM
Subject: Re: Sun M-class hardware denial of service
<snip>
On Wed, Sep 10, 2008 at 09:01:05PM +0200, Florian Weimer wrote:
>
> > How absolutely bizarre. Basically you spend half a million dollars on
> > Sun hardware, and it isn't required to do this better than VMWare?
>
> I think you've got it exactly backwards: you don't let non-trusted
> people run code on these machines because they are so expensive.
>
Right, and even if you are forced to allow root access to someone who
>> with the actual requirements in this situation.
>
> As well, note that a power-off of the system is apparently not
> sufficient (or so I am led to understand).
Yes, obviously, otherwise you could run on hardware which has been
detected as faulty.
If my theory is correct, it would have been possible to avoid the
power-off by replacing the hardware in that domain. You should be able
to clear the fault information in the affected FRUs off-line (which
> > > How absolutely bizarre. Basically you spend half a million dollars on
> > > Sun hardware, and it isn't required to do this better than VMWare?
> >
> > I think you've got it exactly backwards: you don't let non-trusted
> > people run code on these machines because they are so expensive.
> >
>
> Right, and even if you are forced to allow root access to someone who
> is not well trusted then run them in a zone on the hardware domain -
> that way they cannot load random kernel modules even if they have root
*Vulnerability Description*
Virtualization technologies allow users to run different operating
systems simultaneously on top of the same set of underlying physical
hardware. This provides several benefits to end users and organizations,
including efficiency gains in the use of hardware resources, reduction
of operational costs, dynamic re-allocation of computing resources and
rapid deployment and configuration of software development and testing
environments.
Buzzword Survivor:
New Contest for DEFCON 16. Check out discussion of this contest as it
develops at https://forum.defcon.org/forumdisplay.php?f=352
Hardware Hacking Village:
To state it most simply, it's a way to give all the Defcon attendees that
like electronics a place to play. It's also intended to be a place for
everyone that thinks "Wow! That looks cool! I wish I knew how to do that!".
It's also going to be the headquarters for Joe Grand (kingpin) so he can
talk about hacking past badges and such. It should be a great place to hang
Our first speakers come from very different backgrounds, which
illustrate the diverse nature of Information Assurance within our
modern society.
Dave 'h1kari' Hulton is a seasoned 'hardware hacker' and the organizer
of the annual Toorcon (www.toorcon.org) security conferences in
Seattle and San Diego. David will be presenting on intercepting mobile
phone and GSM traffic utilizing techniques and hardware that until
recently had been priced out of the range of most individuals and
companies.
Android is a software stack for mobile devices that includes an
operating system, middleware and key applications. Android relies on
Linux version 2.6 for core system services such as security, memory
management, process management, network stack, and driver model. The
kernel also acts as an abstraction layer between the hardware and the
rest of the software stack.
The WebKit application framework is included to facilitate development
of web client application functionality. The framework in turn uses
different third-party open source libraries to implement processing of
Certainly in VMS there is DMA opened up, but only to buffers that are known
and checked to be legal for such. This is a source of considerable complexity
in the drivers, and depending on hardware architecture (number of control registers
available, for example, to control DMA channels) limits both number of concurrent
operations and size of some operations. For example, the max size of magtape
records is limited, in part to conserve such bandwidth for use with disks.
If driver writers adopt a "wild-west" approach where the DMA space is left wide
open, obviously the security of anything within memory is totally open to
whatever a smart peripheral may do.
Steve Shockley wrote:
> Stefan Kanthak wrote:
>> 2. The typical user authentication won't help, we're at hardware
>> level here, and no OS needs to be involved.
>
> So, if I understand you correctly, if I boot my machine into DOS the
> memory can be read over Firewire?
If DMA is enabled on the firewire interface it's possible!
Overview:
/////////
Software called "HP Info Center" has shipped with almost every HP laptop model for a few years.
It is designed to give the user quick system information and hardware configuration
at the touch of a single button.
One of its ActiveX controls deployed by default by the vendor has three insecure methods
that allow a malicious person to target the HP notebook machines for a remote code execution
and remote registry manipulation based attacks.
System Bootstrap Version: 7.1(1)
System Boot Image File is 'disk0:cat6000-sup2k8.7-6-9.bin'
System Configuration register is 0x2102
Hardware Version: 3.0 Model: WS-C6506 Serial #: TBA05360375
PS1 Module: WS-CAC-1300W Serial #: ACP05061071
PS2 Module: WS-CAC-1300W Serial #: ACP05060407
Mod Port Model Serial # Versions
topics:
* Reverse Engineering
* Protocol Analysis
* Cryptography
* Hardware Hacks
* Anything related to the number 9
All conference talks should be submitted for 20 minutes in length. 10
additional minutes will be provided for Q/A, setup, and breaks between each
talk. People who submit 20 min talks may be asked to present a more in-depth
inappropriately allow unprivileged users to send signals to
setuid processes that they start, which may in some circumstances
allow either denial of service or privilege escalation attacks.
This is the first release of the 2.6.22.x kernel for rPath Linux 1,
which enables significant additional hardware support. This includes
support for new hardware in existing drivers, as well as additional
drivers.
This update requires a system reboot to implement the fixes.
On Sat, 25 Aug 2007, Ken Kousky wrote:
> I'm trying to understand how the vm actually prevents the buffer overflow
> from injecting code that has direct hardware control? It seems that the code
> injected into memory should be truly "arbitrary code" based on the physical
> machine.
First off, you need to understand what a buffer overflow is -- in most cases
it's not an attack on the hardware, it's an attack on the process. Which is
usually running in its own protected address space.
Submission Topics:
------------------------------
1. One of the topics of interest to us is "Desi Jugaad" (Local Hack)
and has a separate track of its own. Submissions can be any kind of
local hacks that you have worked on (hints: electronic/mechanical
meters, automobile hacking, hardware, mobile phones, lock-picking,
bypassing procedures and processes, etc. Be creative :-D)
2. The topics pertaining to security and hacking in the following
domains (but not limited to)
- Hardware (ex: RFID, Magnetic Strips, Card Readers, Mobile Devices,
http://www.cisco.com/go/psirt and any subsequent advisories to determine
exposure and a complete upgrade solution.
In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.
Each row of the Cisco IOS Software table (below) names a Cisco IOS