1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS)

Academic workshop co-located with DeepSec November 16/17, Vienna

List of Accepted Papers

Reverse Engineering a Code without the Code

Abdelhak Mesbah, Jean-Louis Lanet and Mohamed Mezghiche

Retrieving assets from inside a secure element should be difficult. While the most attractive assets are the cryptographic keys stored in the Non Volatile Memory (NVM) area, the algorithms which are executed are also of interest. This means that the confidentiality of binary code embedded in the Read Only Memory (ROM) of that device should also be protected from extraction and reverse engineering. Thanks to a previous attack, we obtained a dump of the NVM, but not of the ROM. In this paper, we demonstrate that we can reverse engineer the algorithms without having access to the code by taking advantage of the object oriented features of the platform. We have only access to the data. We use a specifically designed graphic tool to reason about the data such that we are able to understand the principle of the algorithm. Then, we are able to bypass the protection mechanism in order to get access to the binary code.
[ ACM DL Paper ] [ Video of Presentation ]

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion

Alexei Bulazel and Bulent Yener

Automated dynamic malware analysis systems are important in combating the proliferation of modern malware. Unfortunately, malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has pushed each to continually evolve their tactics for countering the other. In this paper we systematically review i) “fingerprint”-based evasion techniques against automated dynamic malware analysis systems for PC, mobile, and web, ii) evasion detection, iii) evasion mitigation, and iv) offensive and defensive evasion case studies. We also discuss difficulties in experimental evaluation, highlight future directions in offensive and defensive research, and briefly survey related topics in anti-analysis
[ ACM DL Paper ]

On The (In-)Security Of JavaScript Object Signing and Encryption

Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov and Jörg Schwenk

JavaScript Object Notation (JSON) has evolved to the de-facto standard file format in the web used for application configuration, cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity, authenticity, and confidentiality of sensitive data, JavaScript Object Signing and Encryption (JOSE) was created to apply cryptographic mechanisms directly in JSON messages. We investigate the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH (JavaScript Object Signing and Encryption Pentesting Helper) – our newly developed Burp Suite extension, which automatically performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON message integrity, up to highly complex cryptographic Bleichenbacher attacks, breaking the confidentiality of encrypted JSON messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers and helped them to provide fixes.
[ ACM DL Paper ] [ Video of Presentation ]

Out-of-Order Execution as a Cross-VM Side Channel and Other Applications

Sophia d'Antoine, Jeremy Blackthorne and Bulent Yener

Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities in systems which share hardware have become more attractive targets to malicious actors. One of the vulnerabilities inherent to these systems is the potential for side-channels, especially ones that violate the isolation between virtual machines.. In this paper, we introduce a novel side-channel which functions across virtual machines. The side-channel functions through the detection of out-of-order execution. We create a simple duplex channel as well as a broadcast channel. We discuss possible adversaries for the side-channel and propose further work to make the channel more secure, efficient and applicable in realistic scenarios. In addition, we consider seven possible malicious applications of this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, determining virtual machine co-location, malicious data injection, and covert channels.
[ ACM DL Paper ] [ Video of Presentation ]

Dynamic Loader Oriented Programming on Linux

Julian Kirsch, Bruno Bierbaumer, Thomas Kittel and Claudia Eckert

Memory corruptions are still the most prominent venue to attack otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of post corruption security mitigations, such as w⊕x memory, Stack Canaries, and Address Space Layout Randomization (ASLR), to only name a few. In the following, we describe the Wiedergänger-Attack, a new attack vector that reliably allows to escalate unbounded array access vulnerabilities occurring in specifically allocated memory regions to full code execution on programs running on i386 / x86_64 Linux. Wiedergänger-attacks abuse determinism in Linux ASLR imple- mentation combined with the fact that (even with protection mechanisms such as relro and glibc’s pointer mangling enabled) there exist easy-to-hijack, writable (function) pointers in application memory. To discover such pointers, we use taint analysis and backwards slicing at the binary level and calculate an over-approximation of vulnerable instruction sequences. To show the relevance of Wiedergänger, we exploit one of the discovered instruction sequences to perform an attack on Debian 10 (Buster) by overwriting structures used by the dynamic loader (dl) that are present in any application with glibc and the dynamic loader as dependency. In order to show generality, we solely focus on data structures dispatched at program shutdown, as this is a point that arguably all applications eventually have to reach. This results in a reliable compromise that effectively bypasses all protection mechanisms deployed on x86_64 / i386 Linux to date. We believe Wiedergänger to be part of an under-researched type of control flow hijacking attacks targeting internal control structures of the dynamic loader for which we propose to use the terminology Loader Oriented Programming (LOP).
[ ACM DL Paper ]

Security Analysis of the Telegram IM

Tomáš Sušánka and Josef Kokeš

Telegram is a popular instant messaging service, a self-described fast and secure solution. It introduces its own home-made crypto- graphic protocol MTProto instead of using already known solutions, which was criticised by a significant part of the cryptographic com- munity. In this article we will briefly introduce the protocol to provide context to the reader and then present two major findings we dis- covered as part of our security analysis performed in late 2016. First, the undocumented obfuscation method Telegram uses, and second, a replay attack vulnerability we discovered. The analysis was mainly focused on the MTProto protocol and the Telegram’s official client for Android.
[ ACM DL Paper ]

Paying the Price for Disruption: How a FinTech Allowed Account Takeover

Vincent Haupert, Dominik Maier and Tilo Müller

This paper looks at N26, a pan-European banking startup and the poster child for young FinTech companies. We assess how security is treated by startups that provide disruptive technologies in the financial sector. In an area that has been committed to security, we find that FinTech companies have modern designs and outstanding user experience as their main priority. This strategy is rewarded by a rapidly increasing customer base but reveals a flawed understanding of security. We analyzed all aspects of security of N26, including the frontend, backend, protocols, human factors, and underlying design concepts, and found issues in all of them. We succeeded in leaking customer data, manipulating and carrying transactions and even could have entirely taken over foreign accounts. We reported these findings to N26 and did not disclose them before they were fixed. By publishing this case study, we hope to raise awareness about security considerations in the critical banking sector, especially for other FinTech startups.
[ ACM DL Paper ] [ Video of Presentation ]

Enhancing Control Flow Graph Based Binary Function Identification

Clemens Jonischkeit and Julian Kirsch

Recognition of binary functions in compiled code is a major stepping stone towards any advanced binary analysis technique. Nucleus is a novel algorithm based on the idea of using the Interprocedural Control Flow Graph (ICFG) to detect function boundaries. Building upon this technology we propose a new approach to address the related problem of identifying previously-seen known functions within a binary. Our idea is based on comparing the Control Flow Graphs (CFGs) of unknown functions from a binary to known functions from a previously generated database. Compared to traditional approaches, our method is aware of the underlying graph matching problem being performed on CFGs of binary code: First, it utilizes instruction level knowledge about basic blocks as additional constraints for graph isomorphism. Second, optimizations and transformations introduced by different compilers affecting the shape of the CFG are taken into account. Our approach aims to avoid false positives (wrongly assigning a known function symbol to an unknown function) at all cost: The evaluation shows that this method is very effective in reducing false positive matches (below one percent in most cases) and doubles recall rates compared to the traditional graph matching based approach when matching one version of nginx compiled with different optimization levels.
[ ACM DL Paper ] [ Video of Presentation ]