The fine Art of Mentorship

South Indian Filter Coffee; source: https://commons.wikimedia.org/wiki/File:South_Indian_Filter_Coffee.jpg

We will support the Rookie Track at BSidesLondon in 2019 again. This is a perfect way for rookies to get started with presenting at a conference. However, it is about much more than the talk itself: the stages before the presentation are where the work happens. Preparing a 15-minute talk will keep you busy for ten or twenty times the amount of time you spend presenting. It depends on the research you have to do, the illustrations you have to create, the code samples, the tests, and a lot of other things that need to be sorted out. That's not an easy task. But you do not have to do it alone.

BSidesLondon is looking for rookies and mentors. If you have experience in IT security, in being on stage for presentations, in research, and in preparing materials for workshops and talks, then you should consider applying as a mentor for the Rookie Track. The call for mentors started on 15 February. Rookies are already working on their topics, so help them present them. They will learn from your experience. You will learn from their questions and from their perspective on topics you might know inside out. Questioning yourself won't give you any new insights. Let others do this, and help them benefit from your experience.

Since we also have presentation slots for young researchers, let us know if you are interested in being a mentor in general. We are planning to extend our rookie programme for DeepSec 2019 and beyond. More details will follow.


Translated Press Release: IT Security is increasingly dominated by Geopolitics

DeepSec and DeepINTEL conference open call for papers – submissions for lectures and trainings are in demand.

Anyone who reads the technology section of their favourite magazine can hardly escape the promises of future network technologies. Your own car becomes a smartphone. The talking fridge becomes a therapist. 5G mobile networks promise fibre-optic-speed streaming of data on the speed-limited electric scooter. A second reading reveals the meaning of the letter G in 5G: it stands for geopolitics. As part of the network expansion, there are discussions about hidden kill switches for emergency shutdowns of entire networks and about backdoors to eavesdrop on customers. In November, the DeepSec In-Depth Security Conference addresses the technical challenges of the Internet of Things, emerging network technologies, and geopolitical constraints dictated by key events of the last six years.

5G as a continuation of the Trade Wars

There are very few mobile network technology providers worldwide. The name Huawei has come up quite often in recent months in the news coverage. The merits of the offered products or the actual implementations of the new mobile radio standard 5G are seldom discussed. Instead, it is about the charge of secretly built-in emergency shutdowns that can paralyze the entire mobile network of an operator in one fell swoop, and about accusations of supposedly hidden code that allows remote access to and copying of data from the network. Equipped with many allegations but without concrete evidence, an exclusion of Chinese telecommunications equipment is currently being discussed in certain Western countries. The worries are justified, but they are nothing new to security researchers. Almost all computers used in Europe and elsewhere come from countries other than the ones where they actually do their work. The chips, the firmware and many other hardware and software ingredients are built elsewhere. Since in the last decades one had systematically refrained from questioning, let alone understanding, the content of the box behind the keyboard or touchscreen, the allegations are driven by imagination.

IT security research can only counter this with facts and solid research. Robert Hannigan, former head of the British intelligence service GCHQ, has confirmed that the National Cyber Security Centre (NCSC) has spent many years examining components from Chinese supply chains. So far, according to his statement, there has been no evidence of government-mandated covert attacks through Huawei hardware. Since 2010 British evaluators (today the NCSC) have had access to the source code of the products through the Huawei Cyber Security Evaluation Centre (HCSEC). The purpose is certification by the NCSC before the technology can be used in sensitive areas. With this, Robert Hannigan directly contradicts the allegations from the US and the assessment of Gerhard Schindler, the former president of the German Federal Intelligence Service (BND). In addition, critics ignore the lawful interception interfaces already required in Europe and standardized by the European Telecommunications Standards Institute (ETSI). These specifications apply to all providers who want to build networks in Europe.

Intranet instead of Internet

The current news situation therefore illustrates very well what you should pay attention to in information security. Securing your own data has long ceased to be a matter of individual, isolated considerations. The DeepSec conference also has a long history of mobile security research, from the first public release of vulnerabilities in the A5/1 encryption algorithm (used between the phone and the base station) to security issues with smartphones. This area is just one example, and it has gained immense importance due to the rapid spread of mobile technology.

To revisit the kill switch discussed for networks: the idea of controlling information networks in a national emergency is not new. President Franklin D. Roosevelt already implemented it in the Communications Act of 1934. At that time it was about broadcast media. The proposed Protecting Cyberspace as a National Asset Act of 2010 wanted to do the same for the Internet, with the difference of a shutdown rather than control. The proposed law of 2010 never came to a vote, because the technical implementation was not clear and still is not. The idea of paralyzing communication networks at will with a simple switch worked well on the movie screen or on TV in the past; today, however, information is streamed via the Internet.

The alternative is a strictly national network. The Iranian government is working on an Iranian intranet, spurred on by the protests in 2009. The Chinese firewall is trying to do something similar, albeit through rigorous filters driven by editorial decisions. Russia is currently also testing disconnecting from the Internet. The communication networks will still work then, but they plan to separate them from the rest of the world. De facto, this is the low-fat variant of the kill switch. Both approaches demonstrate how enormously important the Internet has become: it cannot be ignored anymore. This is even more true for companies than for countries.

Digital Realism

Realistically, it makes little sense to first make your own population and the state dependent on a network, and then to turn it off again. The longing for local networks proves that. In companies it is no different. Data must be exchanged and communication must take place. Serious information security must therefore investigate how the integrity of the infrastructure and data can be maintained even in adverse circumstances. The most important point is the secure design of applications right from the start. At past DeepSec conferences there were plenty of lectures and training courses for developers and planners. IT security has the reputation of being something of a stumbling block. In fact, the opposite is true. Past security incidents and published documents about the organized exploitation of vulnerabilities, such as those revealed by Edward Snowden, are and have been essential building blocks for improving security in our everyday lives. The prerequisite for this is, paradoxically, a free exchange between security researchers. A national intranet, bans on cryptographic algorithms, filters on published content or similar restrictions are therefore the most insecure counterpoint to the security needed in the digital world.

Therefore, the DeepSec conference explicitly does not want to address security experts only. The pervasiveness of digital networks requires the involvement of companies, developers, the hacker community, authorities, users, infrastructure managers, designers and interdisciplinary scientists for a sensible further development of IT security measures. People in an advisory capacity are expressly invited to participate in the exchange of experiences and ideas in Vienna in November.

Contributions wanted – Call for Papers

The DeepSec conference plans to focus this year on the link between geopolitics and information security. Therefore, until 31 July 2019, we are looking for lectures on technologies that affect both worlds: specifically, the challenges for industrial and control systems, the Internet of Things, all mobile communication technology (from car to telephone), the use of algorithms and modern data management. We are currently experiencing an accelerated mixing of new and existing methods. Security researchers are in demand who creatively deal with the current possibilities and point out weaknesses. Risks can only be managed if you know them. The program committee is therefore looking forward to as many submissions as possible that scrutinize trends and so-called future technologies under the digital microscope.

The two-day trainings before the DeepSec conference are also part of the call for papers. Trainers who want to share their knowledge are welcome to submit courses. Accepted courses are announced ahead of time to help participants plan their bookings.

Programs and booking

The DeepSec 2019 conference takes place on the 28th and 29th of November.

At the same time, the ROOTS 2019 lectures will be held in a separate room next to the DeepSec conference. The DeepSec trainings will take place on the two preceding days, 26th and 27th of November.

The DeepINTEL conference will take place on November 27th.
Upon request to deepsec@deepsec.net we’ll be glad to send you the program.
Tickets are available on the website https://deepintel.net/.

The venue for DeepSec, DeepINTEL and ROOTS 2019 is The Imperial Riding School Vienna – A Renaissance Hotel, Ungargasse 60, 1030 Vienna.

Submissions can be made at https://deepsec.net/cfp.html. The current program of events will be announced after the submission deadlines.

Tickets for the DeepSec conference as well as ROOTS 2019 and DeepSec trainings can be ordered at any time at https://deepsec.net/register.html.

DeepSec 2019 – Call for Papers – Security Research Results wanted!

An OpenWebRX screenshot of http://sdr.dy.fi, 1386 kHz, Sitkunai, Lithuania

The DeepSec 2019 In-Depth Security Conference is calling for presentations and trainings. We are interested in your information security research. Since 2007 DeepSec has aimed to provide in-depth analysis of design flaws, vulnerabilities, bugs, failures, and ways to improve our existing IT ecosystem. We need more high-quality reviews of the code and concepts we rely on every day. Digital processing power and network connections have become ubiquitous. So the focus of this year's DeepSec will be on the Internet of Things (IoT), processing/moving data (small and big), infrastructure (critical and convenient), the statistics of data analysis (also called machine learning), real artificial intelligence (not statistics or clever use of Markov chains), and the current state and future of information security research.

Due to past and current geopolitical events affecting information technology and its security, the unofficial motto of the DeepSec 2019 Call for Papers will be "Internet of Facts and Fears". Disinformation is part of warfare, and the information domain in the digital age has been a battleground for decades. We do not know if peak information war has been reached yet. However, we do know that information security research has become a target in itself. A long time ago there was the discussion about full/responsible/no disclosure of security vulnerabilities. We have moved on, but issues of the past, such as the Crypto Wars, have caught up with us. The upcoming 5G networks raise the same discussions as their predecessors, albeit earlier than the roll-out is scheduled. If you have any input on these issues, please consider submitting your content.

The Reversing and Offensive-oriented Trends Symposium (ROOTS) 2019 will be co-hosted with DeepSec 2019 again. We still believe that sensible information security must be done scientifically. In addition, we will provide a platform for research teams to present their ongoing work. Last year Mathias Zeppelzauer gave an overview of the work of the Sonicontrol team. We hope to give more research projects an opportunity to talk about their research goals.

Head to our CfP section and submit your presentation or training!

Supporting BSidesLondon “My Machine is not Learning” 2019

This year's BSidesLondon is pondering the most important question of machine learning: what is my machine doing and learning? Well, it might be that "My Machine is not Learning" at all. Sounds a lot like the intelligence we all know from living beings. So, armed with this new motto, BSidesLondon is turning 9, and we will support the Rookie Track again. The winner gets a trip to Vienna and free entry to DeepSec 2019. Get going and get started with your presentation! It's worth it, and we would love to welcome you in Vienna! Ask @5w0rdFish about it.

If you are looking for research topics, please drop us a line. We have some ideas about good questions and things to explore.

See you in London!

Save the Date for DeepINTEL and DeepSec 2019

We did some clean-up and dealt with the administrative issues of past and future events. Finally we can announce the dates for DeepINTEL 2019 and DeepSec 2019. Grab your calendars or log into them:

  • DeepSec 2019 Trainings – 26/27 November 2019
  • DeepSec 2019 Conference – 28/29 November 2019
  • DeepINTEL 2019 – 27 November 2019

The conference hotel is the same as for every DeepSec. We haven't changed our location. As for the date: yes, we announced at the closing ceremony that we would try not to collide with Thanksgiving. We tried hard to avoid this, but given the popularity of Vienna as a conference and event city we had no choice. For 2020 and the following years we will make early reservations in order to avoid the week of Thanksgiving.

The call for papers opens soon, as does our ticket shop. For the latter we have made some changes to the payment options. We will explain them in a separate article. The topical focus of the call for papers will follow current technology, but not trends. Connected systems in production are the focus of attacks, not buzzwords. Unless they are connected to the Internet, of course.

So mark the dates in your calendar. Hope to see you in Vienna!

Translated Article: Campaign of the Spy Alliance “Five Eyes” against WhatsApp and Co

Original: „Feldzug der Spionageallianz ‚Five Eyes' gegen WhatsApp und Co", written for fm4 by Erich Moechel

The current scattered news and reports on "encryption" belong together. The military secret services of the "Five Eyes" are conducting a global campaign; in Australia they've already reached their first milestone.

Every two years, around the same time, a campaign of the espionage alliance "Five Eyes" against encryption programs takes place. Unlike in 2016, the new campaign has reached its first goal in a flash. In early December, a bill was passed by the Australian Parliament obliging Internet companies to break open encrypted communications.

The providers of WhatsApp, Snapchat, and Co. are hereby required to build surveillance interfaces into their apps to give hidden access to Australian law enforcement. In a parliamentary coup – without discussion or amendments – the "Assistance and Access Act" created a global precedent. The campaign is orchestrated by the British GCHQ, which had published a programmatic plea for backdoors a few days before the coup took place.

Moderate Proposal for Conference Calls

It was written by Ian Levy, the director of the British National Cyber Security Centre, which belongs to the military intelligence service GCHQ. The essay, which was published in late November on the prestigious "Lawfare" blog, was very moderately titled "Principles for a More Informed Exceptional Access Debate". This holds true for the first two thirds of the text, which is about "necessary transparency", "privacy and security", and about all things planned for monitoring. To enable these "exceptions", providers of messaging services such as Apple, Facebook, Snapchat, et al. should be required to install surveillance interfaces in the same way as telecoms providers.

In a chat of two or more people a hidden account should be added secretly – that's the core message of the GCHQ. It refers to conference calls that were used in analog telephony until the early days of mobile networks for monitoring purposes, i.e. before there were standardized, specialized monitoring interfaces. This was done to meet the legal requirements for the monitoring of all networks.

Cloak and Dagger Operation Down Under

Just a few days after these moderate proposals of the GCHQ, a law was passed by the Parliament of Australia through a covert operation of the two major parties. Because of 171 amendments by the Labor party one had prepared for a lengthy debate, but, quite unexpectedly, the Social Democrats withdrew all motions last week. This cleared the way, and the "Assistance and Access Act" was passed with a large majority and the vague promise that objections would be considered later on.

The law not only imposes severe penalties if a provider doesn't cooperate; even consulting technicians is punishable if it serves to circumvent these measures, and the consultant will also be prosecuted. First the Australian IT industry was caught off guard by this coup, then there was an uproar. They, of course, immediately understood what consequences this overarching law would have for their industry. Whoever operates communication channels would have to incorporate a "trap-and-trace" for concealed monitoring by third parties. The Australian market leader Telstra is one of the largest IT players in the South Pacific, with branches in 20 states, from the Philippines to China to Malaysia.

GCHQ Campaign Number Two

Clearly, the GCHQ's moderate proposals for conference calls lead to serious interventions in the software of the apps themselves. In fact, options have to be built in to manipulate the display of the chat participants. In the service operator's network, specially secured "conference servers" have to be set up to transfer these "conferences" to the prosecutors in audio, video or text format. Not surprisingly, this is not mentioned in the GCHQ's proposals; instead it is emphasized that these would only apply in "exceptional cases", and it is not expected that 100 percent of the orders could be executed.

At the same time, the GCHQ has launched a second, intertwined campaign. The GCHQ complains about the prevalence of encrypted communications, which has risen to 95 percent of the data exchange. If it's not possible to create new legal frameworks that allow for targeted monitoring of messenger services, then the GCHQ would find itself forced to significantly increase its metadata monitoring on the fibre optics. So the problem is that 95 percent of the traffic is encrypted. How this fits in with the claim that access to encrypted records shall only be required in "exceptional cases" is not explained.

The Purpose of the moderate Proposal

The same day the moderate proposals of the GCHQ were published, US Attorney General Rod Rosenstein met the press and complained about the increase in encrypted communication. This would make it more and more impossible for police authorities to do their job, said the top US prosecutor. Similar comments were also heard from Canada and New Zealand, so all Five Eyes are represented. Unlike in 2016, this time not the prosecutors but the military intelligence services are in charge, which are now touchingly concerned with the issues of civilian prosecutors.

The reason: in the UK and the other Five Eyes states, more complex surveillance measures are carried out by the military secret services on behalf of the prosecutors. That's the consequence of these moderate intelligence proposals, suspiciously similar to the NSA's notorious PRISM program, in which the US services demanded access from the Internet companies to data which they could not get in an unencrypted state at the mass tap points of the optical fibres.

What happens next

In the meantime, further traces of this campaign have been discovered in international standardization committees. The matter requires a certain amount of research; a follow-up therefore will not be published in direct succession, but can be expected to be released in 2018. As for the term "moderate proposal", it was coined by the Irish satirist Jonathan Swift. In view of the famine in Ireland in 1729, which killed tens of thousands, the satirist proposed, in an essay of the same name ("A Modest Proposal"), to slaughter infants at the age of one year and serve them boiled, grilled, or as a fricassee.

ROOTS 2018: Library and Function Identification by Optimized Pattern Matching on Compressed Databases – Maximilian von Tschirschnitz

[Editor’s note: This article belongs to the Reversing and Offensive-oriented Trends Symposium 2018 (ROOTS). It was misplaced, so we publish it today. Maximilian’s talk was recorded and can be watched on Vimeo.]

The goal of library and function identification is to find the original library and function for a given machine-code snippet. These snippets commonly arise from penetration tests attacking a remote executable, from static malware analysis or from an IP infringement investigation. While there are several tools designed to achieve this task, all of them seem to rely on varied methods of signature-based identification. In this work, the author argues that this approach is not sufficient for many cases and proposes a design and implementation for a multitool called KISS. KISS uses lossless compression and highly optimized pattern matching algorithms to create a very compact but substantial database of library versions. In practice, KISS achieves remarkable compression rates, below 30 percent of the original database size, while still allowing for extremely fast snippet identification with high success rates.

Finally, the author also argues how this approach improves the security of existing techniques, as the design relies fully on complete function body verification, which prevents analysis-resilient malware from disguising itself as external and trusted library code. This has recently been shown to be a problem for malware analysis with existing identification solutions.


Maximilian von Tschirschnitz is working as a prototype engineer and researcher for the Intel Corporation in Germany. In parallel he is currently pursuing his studies of Informatics at TU Munich. His current research topics cover IT security and high-precision positioning methods. His further professional interests include theoretical informatics, image feature recognition and computer graphics.

Analysing Data Leaks and avoiding early Attribution

Hex dump of a compressed Linux 4.20 kernel image.

The new year starts with the same old issues we have been dealing with for years. German politicians, journalists, and other prominent figures were (and are) affected by a data leak. A Twitter account started tweeting bits from the leaked data on 1 December 2018 in the fashion of an Advent calendar. The account was closed today. You will find articles describing single parts of what may have happened, along with tiny bits of information. Speculation is running high at the moment. So we would like to give you some ideas on how to deal with incomplete information about a security event floating around on the Internet and elsewhere.

Attributing data leaks of this kind is very difficult. Without thoroughly understanding and investigating the situation, proper attribution is next to impossible. Given the method of disclosure, the leak is not published completely. While the links published on the Twitter account led to a data sharing platform, there is no way of knowing how much data was really copied from where. Analysing where the data came from is only possible with the help of the owners. The type of dumped data varies. There were mobile phone numbers, addresses, internal political party communications, photographs of ID cards, letters, emails, invoices, chat transcripts, and credit card information. This selection points to a communication device such as an email client or a smartphone. Personal communication is often governed by the need to access data while being mobile. Again, this is speculation. Given the variety of data owners there are probably more accounts compromised. Which kind of account exactly is guesswork. You would have to see a more complete picture of the data dumped.

The leaked bits of data also do not form a complete picture in terms of chronology. Some data was annotated as having already been copied months ago. Leaked data usually gets post-processed into collections. These collections are refined and verified in order to increase the value of the data. Apparently this wasn't important to whoever put the data online.

It's always a good idea to look for the agenda. Look at the way the data is leaked, and ask who benefits from this. Just dumping data somewhere is not very smart. Using the data without publishing it has a lot more advantages. Publicity is a sign of the dreaded manipulation of the mind: information warfare. Advertising works the same way. Publish something that sticks in your thoughts. Works almost all of the time, especially in all things cyber. But again, this is speculation.

If you read about issues like this, there is a simple rule: do not read any articles with a question mark ("?") in titles or subtitles. The "?" is usually a sign of speculation. No offence, but you do not get anywhere in an analysis by asking your audience questions. The audience wants to know your facts, not your questions.

Merry XSSmas and a successful new mktime() Syscall

Macro-photography of a snowflake. Source: https://commons.wikimedia.org/wiki/File:Snowflake_macro_photography_2.jpg

The holidays are coming, next to winter (hopefully). Thank you all for attending and contributing to DeepSec and DeepINTEL 2018! All slides we got are online. The videos have almost left post-production (except one recording whose audio is being fixed) and are on the way to the content distribution network. The ROOTS videos will be first. You will find all videos in their albums. Make sure you look for collections, too. We will set up a tip jar for our video team again, so if you want to leave a small thank you for the crew, please do so.

We are going to deal with infrastructure and the upkeep of our to-dos. Plus we will spend some time off-line, or maybe just in local networks to do some well-deserved hacking. The dates for DeepSec and DeepINTEL 2019 are being fixed, and we will publish them probably next week or in the first week of 2019. It's better to announce things once they are really tightly sealed. Furthermore, we did read your feedback and have planned some improvements for next year. We will let you know about the details. Don't wait. Off you go! Enjoy the holidays!

Encryption, Ghosts, Backdoors, Interception, and Information Security

Source: https://commons.wikimedia.org/wiki/File:Al-kindi_cryptographic.png

While talking about mobile network security we had a little chat about the things to come and to think about. Compromise of communication is a long-time favourite. Hats of all colours need to examine the metadata and data of messages. Communication is still king when it comes to threat analysis and intrusion detection. That's nothing new. So someone pointed in the direction of a published article. Some of you may have read the article titled Principles for a More Informed Exceptional Access Debate, written by GCHQ's Ian Levy and Crispin Robinson. They describe GCHQ's plan for getting into communication channels. Of course, "crypto for the masses" (yes, that's crypto as in cryptography, because you cannot pay for your coffee with it) and "commodity, end-to-end encrypted services" are also mentioned. They explicitly claim that the goal is not to weaken encryption or defeat the end-to-end nature of the service. Instead they propose to take advantage of existing weaknesses in the implementation. This can either be done by using an exploit, or it can be accomplished through the lack of identity verification, for example in (large) groups such as chats: a participant is added to the conversation without the other members being able to verify who it is. This is not a new idea. Basically this technique was and is being used throughout the ages, with or without the Internet.
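To make the "lack of identity verification in groups" concrete, here is an added toy model (not code from the GCHQ paper, from any real messenger, or from this blog) of a server-mediated group chat. The server relays membership updates. A naive client encrypts to whatever recipient list the server presents, so a participant the server adds on its own silently joins the recipient set. A verifying client only accepts a membership change that carries a MAC under a secret shared by the group's members and never seen by the server; the shared-secret MAC, the client classes and the member names are all assumptions of this illustration, standing in for the per-member signature keys a real protocol would use.

```python
"""Toy model of the 'ghost user' problem in a server-mediated group chat.

Constructed illustration, not any real messenger's protocol. The server
relays membership updates. A NaiveClient trusts the list the server shows,
so a server-injected participant ends up in the recipient set of every
message. A VerifyingClient accepts a membership change only if it carries
a MAC under the members' shared secret, which the server does not hold.
"""
import hashlib
import hmac
import json
import secrets


def mac_update(group_secret: bytes, update: dict) -> str:
    """Authenticate a membership update with the members' shared secret."""
    payload = json.dumps(update, sort_keys=True).encode()
    return hmac.new(group_secret, payload, hashlib.sha256).hexdigest()


class NaiveClient:
    """Encrypts to whatever recipient list the server presents."""

    def __init__(self, members):
        self.members = set(members)

    def apply_update(self, update, tag=None):
        # No check of who requested the change: the server's word is enough.
        if update["op"] == "add":
            self.members.add(update["member"])
        return True

    def recipients(self):
        return set(self.members)


class VerifyingClient(NaiveClient):
    """Accepts a membership change only if a group member authenticated it."""

    def __init__(self, members, group_secret):
        super().__init__(members)
        self.group_secret = group_secret

    def apply_update(self, update, tag=None):
        expected = mac_update(self.group_secret, update)
        if tag is None or not hmac.compare_digest(expected, tag):
            # Reject: without the members' secret the server cannot forge this.
            return False
        return super().apply_update(update, tag)


def run_scenario():
    """Play the legitimate add and the ghost add against both client types."""
    group_secret = secrets.token_bytes(32)  # shared by alice and bob, unknown to the server
    naive = NaiveClient(["alice", "bob"])
    verifying = VerifyingClient(["alice", "bob"], group_secret)

    # 1. Legitimate change: alice adds carol and authenticates the update.
    add_carol = {"op": "add", "member": "carol", "by": "alice"}
    tag = mac_update(group_secret, add_carol)
    naive.apply_update(add_carol, tag)
    verifying.apply_update(add_carol, tag)

    # 2. Ghost: the server injects a participant and, lacking the group secret,
    #    can only attach a tag computed under a key it made up itself.
    ghost = {"op": "add", "member": "ghost-listener", "by": "alice"}
    forged_tag = mac_update(secrets.token_bytes(32), ghost)
    naive.apply_update(ghost, forged_tag)
    ghost_accepted = verifying.apply_update(ghost, forged_tag)

    return {
        "naive_recipients": naive.recipients(),
        "verifying_recipients": verifying.recipients(),
        "ghost_accepted_by_verifier": ghost_accepted,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The verifying client keeps the ghost out only because membership changes are authenticated end to end and the membership list it displays is the one it verified. That is exactly why the proposal needs the client software changed as well: an app that is told to hide an entry in its participant display defeats the check no matter how good the cryptography underneath is.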

Matthew Green has written a comment on these ghost users or ghost devices. The key point is not to be distracted by the amicable style of GCHQ's proposal. It boils down to changes which will weaken the security of the system, or to using communication infrastructure which is less secure because it either allows backdoors or has no end-to-end encryption. The discussion can be seen as preparation for adopting legislative measures such as Australia's Assistance and Access Bill 2018. This bill has drawn a lot of criticism. If One Eye does it, why shouldn't the remaining Four Eyes? We recommend Matthew's article to anyone who relies on secure communication.

In case you had no time to follow the news regarding interception of communication: nothing has changed. Either you have a secure system (of which end-to-end encryption is a key component), or you don't. It doesn't matter if you rephrase the idea as escrow keys, backdoors, or strategic weak points in a communication architecture. The principles are the same. The worst-case scenario is that we keep collecting extra 0day exploits for legal reasons. That's not information security, it's something radically different.

Need something to read? – First Batch of DeepSec 2018 Presentation Slides online

Do you fear reading the news? Fancy some facts? Well, we have something different for you to read. We have collected presentation slides from DeepSec 2018 and put the first batch online. You can find them in this rather nostalgic directory listing. We have renamed the files with their title and the name of the presenters. They are mostly PDF, but two presentations consist of an HTML slideshow. For those we have created a PDF document containing the link to the original presentation for your convenience. The directory will be filled with the remaining documents as soon as we get them.

Thank you all for attending and speaking at DeepSec 2018!

Stickers at the DeepSec registration desk, courtesy of Florian Stocker <fs@fx.co.at>.

At the registration desk.

DeepSec 2018 is over. Thank you for attending and presenting at our conference! Without your interest and your contributions there would be no talks, no workshops, and no one else present.

We had a great time, and we hope you enjoyed everything. We are now dealing with the administrative backlog, the metric ton of receipts, the post-processing of the video recordings, and lots of other things. Among the tasks is the feedback you gave us. We will try to improve, so the next DeepSec conference will feature some or all of your suggestions.

Dates for DeepSec and DeepINTEL 2019 will be available soon. We will publish this information on Twitter, on our web site, and on our blog.

As for the video recordings, please give us some time. The post-production has to deal with the lighting conditions at the hotel (which will improve for the next conference, promised).

Opening & Keynote – DeepSec 2018 has started

The opening and the keynote presentation by the magnificent Peter Zinn are under way, which means that DeepSec 2018 has officially started. Since we do not live stream the talks, we will be away from the blog and mostly from Twitter until the end of the conference. Communication in meatspace has full priority. In case of urgent messages, use the contact information on our web site. We still use telephones, you know.

In case you are at DeepSec and wish to comment on content, discussions, or summarise a presentation, please do. Post it on Twitter and mention us (or use a meaningful hashtag), we will retweet and pick up your thoughts later on the blog.

Enjoy the conference!

Discussing Threat Intelligence in the City of Spies – DeepINTEL 2018 has started

Le cabinet noir ou: les pantins du 19eme siècle; source: https://en.wikipedia.org/wiki/File:Bodleian_Libraries,_Le_cabinet_noir_ou-_les_pantins_du_19eme_si%C3%A8cle.jpg

1815 caricature of the cabinet noir, Bodleian Libraries.

What’s the best place to discuss security and threat intelligence? Well, according to Austrian investigative journalist Emil Bobi there are over 7,000 spies living and working in Vienna. To quote the article: „Austria has been an international spy hub since the late 19th Century, when people from all parts of the Austro-Hungarian empire flocked to the city.“ Basically it’s an old tradition going back to the 19th century. During DeepINTEL we will discuss modern threats – advanced, persistent, networked, or otherwise. The focus will be on indicators of suspicious behaviour, the human component of information security, the challenges posed by drone technology, and how to protect sources of information.

ROOTS 2018 Talk: Kernel-Assisted Debugging of Linux Applications – Tobias Holl, Philipp Klocke, Fabian Franzen

On Linux, most—if not all—debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: so-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation, meaning that while each tracer can trace many tracees, each tracee can be controlled by at most one tracer. At the same time, the complex API and signal-based communication provide opportunities for erroneous usage.

Previous work has identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to a lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent of the limitations of ptrace, alongside a GDB-compatible interface. Our approach aims to mitigate some of the design flaws of ptrace that make it both hard to use and easy to detect by malicious software.

We show how plutonium-dbg’s design and implementation remove many of the most frequently named issues with ptrace, and that our method improves on traditional ptrace-based debuggers (GDB and LLDB) when evaluated on software samples that attempt to detect the presence of a debugger.

We asked Tobias, Philipp and Fabian a few more questions about their talk.

Please tell us the top 5 facts about your talk.

  • We implemented a debugger using existing Linux kernel infrastructure
  • Alternative to the ptrace API (the usual debugging interface), which has several design flaws
  • Use of modern kernel features (uprobes, kprobes, etc.)
  • Resists most approaches to detecting debuggers
  • Compatible with existing debugger frontends (GDB) and their plugins (pwndbg)

How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?

We encountered a program which ptraced itself to detect the presence of a debugger. To allow for dynamic analysis, we asked ourselves if we could avoid this well-known mechanism.

Why do you think this is an important topic?

Some malware also uses this trick to avoid analysis by security researchers and analysis tools in general. Thus, we aim for minimal interference with the target process, which also allows for other kinds of debugging. For example, we can investigate so-called Heisenbugs (bugs that occur in production only, not in debugging).

Is there something you want everybody to know – some good advice for our readers maybe?

Ptrace has major drawbacks; the biggest is that every target can be debugged by only one debugger. Others include the destruction of process order, poor performance in accessing memory and a non-intuitive API.

A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?

Our approach removes obvious detection possibilities in what we believe to be an arms race of debugger detection and debugger stealthiness. Therefore we expect malware authors to develop new evasion techniques, which we will counter, as we think our capabilities are not maxed out yet.
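The ptrace properties discussed above (exactly one tracer per tracee, and no attempt to hide from the target) are what the classic self-ptrace debugger check relies on. The program below is an added example written for this post; it is not code from the talk or from plutonium-dbg, and the helper names are made up. It implements the two checks that any ptrace-based debugger such as GDB or LLDB trips: reading TracerPid from /proc/self/status, and calling PTRACE_TRACEME, which the kernel refuses with EPERM when another tracer already occupies the single slot. A debugger that does not go through ptrace leaves both untouched, which is the evasion the talk aims at.

```c
/* Added example: classic ptrace-based debugger detection on Linux.
 * Not from the talk or plutonium-dbg; helper names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <unistd.h>

/* Check 1: the kernel exposes the tracer in /proc/self/status.
 * Returns the tracer's PID, 0 when nobody is tracing us, -1 if /proc
 * cannot be read. */
long tracer_pid_from_procfs(void)
{
    char line[256];
    long pid = -1;
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "TracerPid:", 10) == 0) {
            pid = strtol(line + 10, NULL, 10);
            break;
        }
    }
    fclose(f);
    return pid;
}

/* Check 2: ptrace permits exactly one tracer per tracee, so PTRACE_TRACEME
 * fails with EPERM when a debugger is already attached. The result is
 * cached: a *successful* call makes our own parent the tracer, so calling
 * it a second time would always fail and yield a false positive.
 * Returns 1 if the request was refused, 0 otherwise. */
int ptrace_traceme_refused(void)
{
    static int cached = -1;
    if (cached < 0) {
        errno = 0;
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1 && errno == EPERM)
            cached = 1;
        else
            cached = 0;
    }
    return cached;
}

int main(void)
{
    /* Read TracerPid before PTRACE_TRACEME: afterwards it reports our
     * parent, because the successful check has turned it into our tracer. */
    long before = tracer_pid_from_procfs();
    int refused = ptrace_traceme_refused();

    printf("TracerPid before PTRACE_TRACEME: %ld\n", before);
    printf("PTRACE_TRACEME refused: %s\n",
           refused ? "yes, a tracer is attached" : "no");
    printf("TracerPid after PTRACE_TRACEME: %ld (parent %ld now holds the only tracer slot)\n",
           tracer_pid_from_procfs(), (long)getppid());

    return (before > 0 || refused) ? 1 : 0;
}
```

Run it plainly and it reports no tracer and exits 0; run it under gdb or strace and the first check already prints the tracer's PID, and PTRACE_TRACEME is refused. Note the side effect the one-tracer rule imposes on the program itself: once the check succeeds, its parent is its tracer, so any later signal (except SIGKILL) puts the process into a ptrace stop that the unsuspecting parent never resumes. Both checks are trivially bypassed by patching the binary, by a tracer that hides from procfs, or, as in the talk, by a debugger that never appears as a ptrace tracer in the first place.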

Tobias Holl is a computer science student at TUM with a passion for reverse engineering and IT security. By day, he develops high-performance parallel software in C++, with a focus on computer vision and machine learning.

Philipp Klocke is a hacker, nerd and tech-enthusiast. He occasionally plays CTF and pursues a B.Sc. at the Technical University of Munich.

Since 2018 Fabian Franzen has been a PhD student and researcher at the Chair of IT Security of the Technical University of Munich (TUM). When he is not trying to teach his students the foundations of IT security, he is interested in various research topics, specifically reverse engineering, binary exploitation, Android security and improving systems security by introducing additional features to the Linux kernel.