INSIGHTS | May 22, 2012

ST19XL18P – K5F0A Teardown

By IOActive

4 Metal, 350 nanometer fabrication process, EAL4+ smart card. A device fabricated in 2002 and yet, today the latest ST19W/N series only main differences are the ROM data bus output width into the decrypt block and the fabrication process (180nm and 150nm shrink).

The device was dipped into a HydroFluoric (HF) bath until the active shielding fell off. The result of this saved about 10 minutes of polishing to remove the surface oxide and Metal 4 (M4). This also helps begin the polishing process on the lower layers fairly evenly.

The oxide thickness of a layer once the passivation oxide is removed requires less than 2 minutes per layer to remove. We purposely stop just before the Metal 3 (M3) surface is exposed leaving the vias visibly clear (there are several gates tied to the ground of the mesh on Metal 4 (M4) as well as the active shield’s begin and end vias.

The device was very modularly placed n’ routed. The MAP consists of asymmetric and symmetric crypto functions (DES, RSA, etc).

The EEPROM control logic is actually in the lower left corner of the EEPROM block.

As Metal 3 (M3) was removed exposing the M2 layer, the device is beginning to not look so complicated.

Metal 1 (M1) shows us all the transistors. We did not polish down to the poly. Most of the gates are understandable without it for the purposes of finding the clear data bus.

Most likely, these NVM areas in Figure 7 & 8 are trimming or security violation related. No further investigation is planned on these areas (it isn’t necessary).

Strangely enough, it is now understandable why ST cannot achieve high performance on the ST19 platform. Each logic area with access to the clear data bus runs via a high-output driver that is tri-stated (hi-z) when not driven. This means that all drivers are OR-tied and only one set of 8 drivers are ever active at a time. This is a very large and cumbersome way of creating a MUX.

As time permits, the ST19W and ST19N series will be looked at. It is expected to again find this kind of pattern. Overall, finding the clear data bus took 1.5 hours once the images were created. Most of the 1.5 hours was the alignment of the layers.

INSIGHTS | May 15, 2012

#HITB2012AMS: Security Bigwigs and Hacker Crème de la Crème Converge in Amsterdam Next Week

By IOActive

Hi guys! We’re less than a week away from #HITB2012AMSand we’re super excited to welcome you there!

HITBSecConf 2012 – Amsterdam, our third annual outing in Europe will be at the prestigious Hotel Okura Amsterdam and this year marks our first ever week-long event with what we think is a simply awesome line-up of trainings, speakers, contests and hands-on showcase activities. There should be pretty much something to keep everyone happy!

The HITB crew is pretty excited and there’s very little else we talk about these days, so when IOActive invited us to write a blog post with complete free rein – we can’t help but name a couple of event highlights the crew are particularly looking forward to and we think you’ll be equally excited about.

Here’s a ~~little~~ lot of what’s in store in less than T minus 7 days’ time:

Hands on Technical Training Sessions

May 21st – May 23rd: Training Day 1, 2 & 3

As always, we kick things off with our hands-on training days. This year, trainings stretch across a three-day period and will feature all new 1-day-only courses covering a gamut of topics from wireless security, SQL injection attacks and mobile application hacking. This will be followed by several 2-day intensive hands-on classes featuring some of our popular trainers. Laurent Oudot will be Hunting Web Attackers alongside Jonathan Brossard who’ll be conducting a course on Advanced Linux Exploitation Methods. Next door Shreeraj Shah will be running his ever popular Advanced Application Hacking training. As usual, trainees come braced for intense headache filled days with these hands-on courses crammed to the brim with real-life cases plus new, next-gen attack and defense tools and methods.

Quad Track Conference – The Pièce de résistance

May 24th – May 25th: Conference Day 1 & 2

Big Ideas – Big Picture…

It’s always hard selecting keynote speakers – especially at HITBSecConf, where our audience expects nothing but absolutely killer content filled with awesome! Andy Ellis, CSO of Akamai we feel will deliver a talk that fulfills that and will be kicking off Conference Day 1 with a keynote on Getting Ahead of the Security Poverty Line – sharing a behind-the-scenes look at Akamai’s in-house security program and how it has evolved over the years to protect over 105,000 servers in 78 countries.

On Day 2, a man who needs no introduction and who has the rare distinction of having delivered keynote at all the locations of HITBSecConf events held around the globe, Bruce Schneier, CISO of BT Counterpane will deliver the second keynote. Bruce’s talk on Trust, Security and Society will deliver a big picture look at how in any system of trust, there will always be abuses. Understanding how moral systems, reputational systems, institutional systems, and security systems work and fail in today’s society is essential in understanding the problems of our interconnected world.

An Apple a Day…

One of the indisputable highlights this year and perhaps the one item the HITB Crew is most looking forward to is the first ever appearance by the full four-member iOS Jailbreak Dream Team (@p 0 sixninja, @pod 2 g , @planetbeing and @pimskeks) plus world famous, iPhone Dev Team member @MuscleNerd .

They will be rocking Amsterdam with three talks (and maybe a new jailbreak?), two of which will primarily focus on the detailed inner workings behind the Corona (A4) and Absinthe (A 5) jailbreaks. Apple fans and jailbreak enthusiasts will be well pleased to hear the team plans to cover pretty much everything a jailbreaker would want to know including:

iOS security basics

iOS format string attacks

iOS kernel heap overflows

iOS profile command injections

iOS application sandbox escape

How to bypass ASLR & DEP for all exploits listed above

In the third and separate talk, MuscleNerd will dive into the inner workings and most recent changes to the iPhone baseband comparing it against its earlier hardware and software incarnations. His presentation will cover everything baseband related – from baseband ROP to activation and baseband tickets: The mechanism Apple uses to authorize use with specific carriers and authenticates software updates to the baseband. He will also look at the current attack surfaces comparing iPhone4 vs iPhone4S hardware-based protection mechanisms. Tasty.

I want my MTV…

And here’s another personal crew favourite – Adam Gowdiak . Is .
Back. The man who first brought Microsoft Windows to its knees in 2003 as part of the LSD Group and later became the world’s first to present a successful and widespread attack against the mobile Java platform is back at HITBSecConf! This time he will demonstrate the first ever successful attack against digital satellite set –top –box equipment implementing the Conax Conditional Access System with advanced cryptographic pairing function. Yes, we’re talking major security flaws in digital satellite TV set-top-boxes and DVB chipsets used by many satellite TV providers worldwide.

More Labs / More Signal Intelligence

Forming our third track in our quad-track line up, only a maximum of 75 attendees will get to experience these intensive, mini training sessions, so get to the doors early if you wanna join in. Audience interaction is expected so bring your laptops with you! What kind of brain mashing kungf00 can you expect?

Hacking Using Dynamic Binary Instrumentation by Intel’s Gal Diskin promises an insight into extracting metadata and other hidden goodies from public documents using FOCA 3 and bad nasty things one can do with malformed portable executable (PE ) files and Didier Stevens, Security Consultant, Contraste Europe NV will be talking about the reverse of the kind of shellcode we all know and love – White Hat Shellcode : Not for Exploits.

Still hungry for more bytes? Grab your coffee, real world bites and head into the SIGINT sessions – our version of lightning talks which run for 30 minutes during coffee and lunch breaks. The SIGINT sessions this year are twice as long as usual as we want you to truly savour the appetising morsels we’ve lined up.

24TH MAY 2012

12:30 – 13:00 – Pastebinmon .pl & Leakedin .com – Xavier Mertens

13:00 – 13:30 – Third Party Software in Your Baseband – Ralf-Philipp Weinmann

15:30 – 16:00 – Hack To The Future – Marinus Kuivenhoven

25TH MAY 2012

12:30 – 13:00 – Integrating DMA Attacks in Metasploit – Rory Breuk & Albert Spruyt

13:00 – 13:30 – Close –Up of Three Technical Hackerspace Projects – Elger ‘stitch’ Jonker

Lawfully intercepting your packets…

After 2 days of conference awesomeness, Ms . Jaya Baloo , Verizon ’s in –house lawful interception expert and our first-ever lady closing keynoter will wrap things up in a yet to be announced keynote.

We’re not done yet …

If it isn’t already difficult enough to pick which talks to go to, we’ve got even more things lined up to keep you busy outside of the main conference tracks – With an expanded technology showcase area, our all new CommSec Village is going to be packed to the brim with more hacky-goodness than you can shake a Kinect at!

CommSec Village

Last year, LEGO Mindstorm robots ruled the roost and this year, the HITB CommSec Challenge is bringing the world of motion capture into the tinkering hands of Benelux hackerspaces. Seven hackerspaces from Belgium and the Netherlands will work with Microsoft ’s all new Kinect for Windows platform and battle head to head to translate their body movements into words at the highest rate of character output. Yep – expect to see lots of physical action here as the various participants battle it out for the grand prize of EUR1000.

HackWEEKDAY

HackWEEKDAY : Turbo Edition will see code junkies and working over a 12 hour period on this year’s theme of ‘Browsers and Extensions’ – Sponsored again by Mozilla and organized by the HITB.nl Crew, participating developers stand a chance to walk away with a prize of EUR1337 for the best coder!

Capture The Flag – Bank0verflow

Capture The Flag : Bank 0 verflow will see eleven teams – 5 home grown teams from The Netherlands: Mediamonks and four Vubar teams battle it out against French team C.o.P. Also, for the first time two Russian teams will be joining the battleground including the much ‘feared’ winners of #CODEGATE2012’s Capture The Flag – Leetchicken

Lock Picking Village by TOOOL.nl

The ever popular Lock Picking Village returns this years with crowd favourite TOOOL.nl at hand to showcase best and latest picking, shimming, bumping and safecracking techniques. Hands on as usual, come with deft fingers and your own locks to see how (in)secure that house or fiets lock of yours really is!

Sogeti Social Engineering Challenge

This year for the first time Sogeti is introducing Sogeti Social Engineering and CTF Challenge(#SSEC2012). This will be HITB’s first ever social engineering game so we’re pretty excited to say the least! Participants will be flexing their wit and wits against the top 100 Dutch companies via in-live-studio phone calls and conference attendees plus members of the public can check out the game in progress via the Listening Post. Blag for swag – and the best ‘wit-hacking’ engineer walks away with a swanky new iPad 3 sponsored by Sogeti!

Hackers On The Far Side of the Moon with Microsoft and IOActive

It would not be a proper HITBSecConf if there was no killer party to cap things off. This year we plan to blast off to the dark side of the moon with IOActive’s Keith Myers providing the choons!

Sponsored as always by Microsoft, conference hackers, heroes, dudes and dudettes will make their way to the Wyndham Apollo Hotel for three solid hours of food, music and of course, copious amounts of alcohol thanks to additional alco_pwn support by the kind folks at IOActive! o/

IOActive’s DJ Keith Myers will be delivering the ear pounding dance floor madness with a warm up set by Roy Verschuren of Elevator Passion – all this at the only spot in Amsterdam where the city’s five famous grachts meet!

Bring. On. The. Madness.

See you next week!

– The HITB Crew

INSIGHTS | May 3, 2012

Enter the Dragon(Book), Pt 2

By Shane Macaulay

Nobody has been able to find this backdoor to date (one reason I’m talking about it).

While the C specification defines many requirements, it also permits a considerable amount of implementation-defined behavior (even though it later struck me as odd that many compilers could be coerced into generating this backdoor in an identical way).

From the C specification; Environmental Considerations, Section 5.2—in particular section 5.2.4.1 (Translation limits)—seems to offer the most relevant discussion on the topic.

Here’s a concise/complete example:

typedef struct _copper

{

char field1[0x7fffffff];

char field2[0x7fffffff];

char pad0;

char pad1;

} copper, *pcopper;

int main(int argc, char **argv)

{

copper david;

printf(“sizeof david = %xn”, sizeof(david));

printf(“sizeof david’s copper.field1 = %xn”, sizeof(david.field1));

if(argc > 1 && strlen(argv[argc-1]) < sizeof(david.field1))

strncpy_s(david.field1, argv[argc-1], sizeof(david.field1));

return 0;

}

What is the expected size of david?

What is the expected size of the copper.field?

Here’s the compiled output:

sizeof david = 1

sizeof david.copper.field1 = 7fffffff

W0W!! The sum of the parts is GREATER than the whole!

It would seem that a (somewhat) correct check for length (let’s forget about the NULL and strncpy_s for portability/readability) is always going to pass since field1’s length is VERY large; however, the storage for this type is allocated with sizeof(copper) (statically or dynamically). This means that we can arbitrarily write into memory despiteany amount of bounds checking!

So, what we have is the sizeof operator failing due to the arrangement of this struct, which violates the environmental limits of C.

This struct actually contains numerous variations and interesting vectors. For instance, I’ve found _MANY_ type’s defined in the SDK of both operating systems and compilers—if you surreptitiously #define (actually redefine) an existing constant, you can exploit existing code.

The situation here is that it’s virtually impossible to detect this backdoor.

I’ve attempted to detect the flaw with all sorts of code checking tools, all of which are blind to this attack. It seems that this overflow occurs statically, which is why sizeof is failing. I’ve been calling this a “static overflow,” which may or may not be a good name, but it seems to fit given that the overflow happens during compilation (AST formulation).

Possible attack vectors include: (1) untrusted .c/.h files in your compiler’s path, (2) environment (set CARGS=/DMAXPATH=0x7fffffff), (3) arguments, and (4) flags.

This may seem a relatively small surface area, but in any modestly-complex application, hundreds/thousands of header files are included from untrusted sources.

I’ve had many crashes in cc/ld. I anyone finds a way to exploit the actual compilation (take control of the cc/ld process) that would be pretty neat. Some of the more aggressive faults tend to occur when the compiler looks up instructions to address the oversized region, or when this type is used in more elaborate loop/indexed [array].foo[bar] arrangements.

I hope you all enjoyed this magic trick.

INSIGHTS | April 4, 2012

Hackito Ergo Sum: Not Just Another Conference

By IOActive

My name is Jonathan Brossard, but you may know me under the nic Endrazine. Or maybe as the CEO of Toucan System. Nevermind: I’m a hacker. Probably like yourself, if you’re reading this blog post. Along with my friends Matthieu Suiche and Philippe Langlois,—with the invaluable help of a large community worldwide—we’re trying to build a conference like no other: Hackito Ergo Sum.

First, a bit of background on conferences as I have discovered them:

I remember really well the first conference I attended almost a decade ago: it was PH-Neutral in Berlin. The first talk I’d ever seen was from Raoul Chiesa on attacking legacy X25 networks, specifically how to root satellites. (For those unfamiliar with X25, it was the global standard for networking before the internet existed. Clearly, if you sent a satellite to space in the 1980s, you weren’t going to get it back on earth so that you could path it and upgrade its network stack, so it would remain in space, vulnerable for ages, until its owner eventually decided to change its orbit and destroy it).

The audience comprised some of the best hackers in the world and I got to meet them. People like Dragos Riou, FX, Julien Tinnes, and various members of the underground security industry were asking questions or completing what the presenter was saying in a relaxed, respectful, and intelligent atmosphere. It was a revelation. That’s when I think I decided I’d spend the rest of my life learning from those guys, switch my career plans to focus on security full time, and eventually become one of them: an elite hacker.

Back in those days, PH-Neutral was a really small conference (maybe 50 or 100 people, invitation only). Even though I had many years of assembly development and reverse engineering behind me, I realized those guys were way ahead in terms of skills and experience. There were exactly zero journalists and no posers. The conference was put together with very little money and it was free; anyone could pay for their travel expenses and accommodations, and, as a result, all the people present were truly passionate about their work.

Since then I’ve traveled the world, gained some skills and experience, and eventually was able to present my own research at different security conferences. I have probably given talks or trainings at all the top technical security conferences in the world today, including CCC, HITB, BlackHat U.S., and Defcon. I couldn’t have done half of it without the continuous technical and moral help and support of an amazing group of individuals who helped me daily on IRC.

Building the Team

I remember the first talk I ever gave myself: it was at Defcon Las Vegas in 2008. Back in those days, I was working in India for a small security startup and was quite broke (imagine the salary of an engineer in India compared to the cost of life in the U.S.). I was presenting an attack, working against all the BIOS passwords ever made, as well as most disk encryption tools (Bitlocker, Truecrypt, McAfee). I remember Matthieu knocking at my door after his own BlackHat talk on RAM acquisition and forensics: he was only 18 and had no place to stay!

We slept in the same bed (no romantic stuff involved here). To me, that’s really what hacking was all about: sharing, making things happen in spite of hardcore constraints, friendship, knowledge. I also started to realize that those big conferences had nothing to do with the small elite conferences I had in mind. A lot of the talks were really bad. And it seemed to me that attitude, going to as many parties as possible, and posing for journalists was what attendees and most speakers really expected from those conferences.

In 2008 during PH-Neutral (once again), I met Philippe Langlois. For those of you who don’t know him by any of his numerous IRC nics, you might know him as the founder and former CTO of Qualys. An old-school guy. Definitely passionate about what he was doing. Phil was feeling equally unsatisfied with most conferences: too big, too commercial, too much posing, and very little actual content. At that time in France the only security conference was organized by the army and the top French weapons sellers. To make it even worse, all the content was in French (resulting in zero international speakers, which is ridiculous given that we collaborate daily with hackers literally from around the globe, even when coding in our bedrooms, at our desks, or in a squat).

So, we decided to make our own conference with Matt.

Breaking the Rules and Setting Our Own

We agreed immediately that the biggest problem with modern conferences was that they had turned into businesses. You can’t prioritize quality if your budget dictates you have famous, big-name speakers. So we decided that Hackito would be a spin-off from the /tmp/lab, the first French hackerspace, which was a 100% non-profit organization housed in a stinky basement of an industrially-zoned Paris suburb. At first we squatted until we reached an agreement with the landlord, who agreed to let us squat and eventually pay for both our electricity (which is great for running a cluster of fuzzing machines) and water. It was humid, the air was polluted by a neighboring toxic chemical plant, and trains passed by every 10 minutes right outside the window. But it didn’t matter because this spot was one of the most important hacker headquarters in France.

One thing that played a major role in creating the spirit of Hackito was the profile of the people who joined this hackerspace: sure there were software programmers, but also hardware hackers, biologists, artists, graphic designers, and general experimenters who wanted to change the world from a dank, humid garage. This was a major inspiration to us because (just like the internet) anyone was welcome to the space, without discrimination. Hackerspaces by nature are open and exchange a lot of information by having joint events such as the HackerSpace Festival or hosting members from other hackerspaces for extended period of times. We modeled this by wanting to share with other conferences instead of competing, which led to the Security Vacation Club (it started as a joke, but today allows us to share good speakers, good spirit, and mutual friendship with other hacking conferences we respect).

We then called our irc friends for help. Some could make it and others couldn’t, but all of them contributed in one way or another, even if it was only with moral support.

Early Days

Building your own conference out of thin air is more challenging than you might expect and, of course, we wanted to do it with minimal sponsorship. We agreed straight away with sponsors that they’d get nothing in exchange for their support (no anticipated disclosure, no right to vote on what talks would be presented, no paid talk or keynote). We requested help from friends to help us select solid technical talks and to come speak. You’d be surprised how the hackers you respect most (and are seriously busy) are willing to help when they share the spirit of what you’re doing.

So, we ended up with the scariest Programming Committee on earth, for free—I don’t think there’s a company in existence with a security team half as talented. I can’t express here how much we value the time and effort that they, and our speakers, spend helping us. Why would they do this? Because a lot of people are unsatisfied with the current conference offerings. Now don’t get me wrong, commercial and local conferences do offer value, if only to gather disparate communities, foster exchange of ideas, and sometimes even introduce business opportunities. If you’re looking after your first job in the security industry, there’s no better choice than attending security conferences and meeting those who share the same taste for security.

Hackers Prize Quality—Not Open Bars, Big Names, or Bullshit

To give you some perspective: two of the talks nominated in last year’s pwnie awards at BlackHat were given first at Hackito. Tarjei Mandt and his 40 kernel Windows Exploit (winner of the Pwnie award for best local exploit) and Dan Rosenberg and John Obereide with their attack against grsecurity exploit. That’s what Hackito is all about: giving an opportunity to both known and unknown speakers, judging them based solely on their work—not their stardom or their capacity to attract journalists, or money.

I think it’s important to make clear that most Hackito speakers have paid for their own plane tickets and accommodations to come and present their work in Paris. I can’t thank them enough for this; they are true hackers. It is common practice for so-called security rock stars to not only pay for nothing, but to ask for a four-digit check to present at any conference. In contrast, we believe our hacking research is priceless and that sharing it for free (or even at your own cost) with your peers is what makes you a hacker. That’s the spirit of Hackito.

Without any rock stars, Hackito can feature what we believe represents some of the most innovative security researchers worldwide. The content is 100% in English and must be hardcore technical—if you can’t code, you can’t talk for the most part. If it’s not new or offensive, we don’t care. If you’re asking yourself why anyone would present years of hard research for free at Hackito instead of selling it the highest bidder, the answer is simple: respect from your peers. That’s what hackers do: distribute software, share knowledge, collaborate. Period.

Hackito is More Than Just Talks

I’ve used the words quality and best a lot in this post; to be honest, I believe competition is a bad thing in general and for hacking in particular. Hacking is not about being better than others. It’s about being better than the machine and getting better yourself. It has everything to do with sharing and being patient, polite, passionate, respectful, innovative…that is, being an accomplished human being.

If you remember only one thing from this post, make it that message.

In the same vein, I don’t see Hackito as directly competing with other conferences. We actually speak at other conferences of similar quality and I strongly believe that any conference that promotes hacking is a good thing. We need diverse offerings to match all skills and expectations. Hackito focuses on the hardcore top end of security research, but that doesn’t mean newbies shouldn’t be allowed to progress in other cons.

The Hackito framework allows us to offer more than just talks, which are important, but like FX repeatedly told my in the PH-Neutral days: the conference is the people. Therefore, we try to maintain an open conference as much as possible. Anyone with a cool security-related project is welcome to submit it to us, making it part of Hackito and then labeling it Hackito. For example, Steven van Acker from the overthewire.org community has written a special war game for attendees every year.

Our presenter line-up seriously rocks! This year, Matias Brutti from IOActive will offer a free workshop on Social Engineering and Walter Belgers from the highly respected Toool group will do the same with a Lockpicking workshop. Eloi just published a cryptographic challenge open to anyone on the internet with the valuable help of Steven Van Acker (who is hosting the challenge on the overthewire.org community servers). Other featured editions include an FPGA reverse engineering challenge by the incredible hardware hacker LeKernel.

We Still Party Hard

Hackito unites hackers from across the globe—Korea, Brazil, Israel, Australia, Argentina, Germany, Sweden, U.S., Portugal, Switzerland, Russia, Egypt, Romania, Chile, Singapore, Vietnam, New Zealand—so of course we have to party a bit. I remember the first Hackito party in our /tmp/lab garage space; imagine the anti-Vegas party: no sponsors, live hardteck music, artists spanking each other in a crazy performance, raw concrete walls, bad cheap beer, virtually no females, zero arrogance, zero drama, zero violence—just 300 people going nuts together. That was one of the best parties of my entire life.

Have a look at our website.

Greetings

Thanks heaps to (in no particular order): itzik, Kugg, redsand, Carlito, nono, Raoul, BSdeamon, Sergey, Mayhem, Cesar Cerrudo, Tarjei, rebel, #busticati, baboon, all those I can’t possibly exhaustively name here, plus the Hackito team of Matt and Phil.

I also must thank:

All of our speakers.
All of our sponsors (who help us and don’t ask much in exchange).
The incredible team behind Hackito that spends countless hours in conference calls on their weekends to make things happen during an entire year so that others can present or party.
Our respected Programming Committee of Death (you guys have our highest respect; thank you for allowing us to steal some of your time in return).
Every single hacker who comes to Hackito, often from very far, to contribute and be part of the Hackito experience. FX was right: the conference is the people!!

RESEARCH | March 16, 2012

Atmel AT90SC3232CS Smartcard Destruction

By IOActive

Having heard that Atmel actually produced three variants of the AT90SC3232 device, we did some digging and found some of this previously never-seen-by-Flylogic AT90SC3232CS. We had already several AT90SC3232 and AT90SC3232C. We assumed that the CS was just a 3232C with an extra IO pad. Well, one should never ass-u-me anything! The AT90SC3232CS is a completely new design based on the larger AT90SC6464C device.

Decapsulation revealed that Atmel actually did place an active shielding over the surface of the device. A 350nm, 4 metal process was used on the AT90SC3232CS where the AT90SC6464C was a 350nm, 3 metal.

A quick polishing session removes that residue you saw in the previous photo. Now the device looks very similar to the AT90SC6464C.

Given the AT90SC family all run encrypted code that even Atmel claims they don’t know the key on. It’s mandatory to polish down the device and image areas of interest at each level to trace through the logic.

With the chip at Metal 2, it was time to go to Metal 1. This is where the actual transistor is put together to become something such as AND, OR, INVert, …

While not really required but always desired, removal of Metal 1 leaves us with the poly/diffusion areas visible. This is always helpful to explain P/N FETs for our purposes.
Given the feedback received from the recent 3 Metal display, we thought we would do it again. This time however, we imaged it at 1000x for a distance of 25,000 pixels across by 2413 down (25,000 is the max a JPEG will allow).

Having no knowledge of how the Atmel AVR smart card family works means we have to tear it down and trace out the databus paths. Â The next 4 images are just a sample of the real image we created. Â The real image is so huge, it would take days to download.

The next four images can be clicked on to open up the full 25,000 pixel JPEG. Â Metal 4 was not imaged because it was the active shield. Â The active shield is an obstacle Â that can be ignored until the signals determined to be important are identified.

This is definitely the memory encrypt-decrypt block (MED) or at least the entry of it ;).

INSIGHTS | March 12, 2012

3 Metal 350nm teardown explanation

By IOActive

Real quick image as posted on Facebook tech .at. flylogic.net profile. A Total of 4 overlayed images of a small section of an NEC upd78F9210 MCU.

A FlipFlop and a few AND’s were quickly spotted. Can you find them?

INSIGHTS | March 6, 2012

Enter the Dragon(Book), Part 1

By Shane Macaulay

This is a fairly large topic; I’ve summarized and written in a somewhat narrative/blog friendly way here.

A few years ago I was reading a blog about STL memory allocators (http://blogs.msdn.com/b/vcblog/archive/2008/08/28/the-mallocator.aspx), memory allocators being a source of extreme security risk, I took the author’s statement, “I’ve carefully implemented all of the integer overflow checks and so forth that would be required in real production code.” as a bit of a challenge.

After playing with permutations of the code I was able to get failures of this STL allocator. What was interesting to me is that I wasn’t only getting failures in being able to cause failures in my test code; I was able to also crash the compiler and linker.

Exploiting a compiler is nothing new; Trusting Trust by Ken Thompson is of course the preeminent philosophy on this topic. In a nutshell, a compiler can be made that compiles other applications with known subtle backdoors which when any valid/flawless code is compiled, the backdoor is included, very interesting and tricky.

David A. Wheeler has a page dedicated to his PhD dissertation that (http://www.dwheeler.com/trusting-trust/) proposes a fairly simple technique known as Diverse Double-Compiling (DDC) where you compile all code with a save/trusted compiler to validate your possibly-untrusted compiler output. Sounds simple and effective enough?

Enter the dragon(book), or rather the C specification. I am not a language lawyer (and I do not even play one on T.V.), but what’s interesting about the C specification is that there are significant portions of state that are left to the imagination of the compiler writer (i.e. undefined operations). What if you could exploit this behavior in a deterministic way? What if you could exploit this behavior in a cross-compiler-deterministic way?

It would seem then that you would have the perfect backdoor, undetectable by DDC techniques or even manual inspection.

After some time and checking with vendors on the security sensitivity nature of this class of problems, I found out that there was unlikely to be a “fix” (unless the C specification is altered). This gave me a clear conscience to publish the method.

The attached code is the code I used to win the backdoor hiding contest @ DEFCON (http://defcon.org). It is a library class written in C++/CLI that exposes a number of methods that allow for the loading/saving of data to a disk file.

See if you can find the backdoor, I’ll post the explanation and details on the flaw soon.

// eBookLib.cpp : main project file.
// Project requirements
// Add/Remove/Query eBooks
// One code file (KISS in effect)
//

//
// **** Mostly generated from Visual Studio project templates ****
//
#define WIN32_LEAN_AND_MEAN
#define _WIN32_WINNT 0x501

#include <windows.h>
#include <stdio.h>
#include <wchar.h>

#include <msclrmarshal.h>

#using <Microsoft.VisualC.dll>
#using <System.dll>
#using <System.Core.dll>

using namespace System;
using namespace System::IO;
using namespace System::Threading;
using namespace System::Threading::Tasks;
using namespace System::Reflection;
using namespace System::Diagnostics;
using namespace System::Globalization;
using namespace System::Collections::Generic;
using namespace System::Security::Permissions;
using namespace System::Runtime::InteropServices;
using namespace System::IO::MemoryMappedFiles;
using namespace System::IO;
using namespace System::Runtime::CompilerServices;

using namespace msclr;
using namespace msclr::interop;

//
// General Information about an assembly is controlled through the following
// set of attributes. Change these attribute values to modify the information
// associated with an assembly.
//
[assembly:AssemblyTitleAttribute(“eBookLib”)];
[assembly:AssemblyDescriptionAttribute(“”)];
[assembly:AssemblyConfigurationAttribute(“”)];
[assembly:AssemblyCompanyAttribute(“Microsoft”)];
[assembly:AssemblyProductAttribute(“eBookLib”)];
[assembly:AssemblyCopyrightAttribute(“Copyright (c) Microsoft 2010”)];
[assembly:AssemblyTrademarkAttribute(“”)];
[assembly:AssemblyCultureAttribute(“”)];
//
// Version information for an assembly consists of the following four values:
//
// Major Version
// Minor Version
// Build Number
// Revision
//
// You can specify all the value or you can default the Revision and Build Numbers
// by using the ‘*’ as shown below:

[assembly:AssemblyVersionAttribute(“1.0.*”)];

[assembly:ComVisible(false)];

[assembly:CLSCompliantAttribute(true)];

[assembly:SecurityPermission(SecurityAction::RequestMinimum, UnmanagedCode = true)];

////////////////////////////////////////////////////////////////////////////////////////////////////////////////
// Native structures used from legacy system,
// define the disk storage for our ebook,
//
// The file specified by the constructor is read from and loaded automatically, it is also auto saved when closed.
////////////////////////////////////////////////////////////////////////////////////////////////////////////////
enum eBookFlag
{
NOFLAG = 0,
ACTIVE = 1,
PENDING_REMOVE = 2
};

typedef struct _eBookAccountingData
{
// Binary Data, may include nulls
char PurchaseOrder[ACCOUNTING_SIZE];
char RecieptData[ACCOUNTING_SIZE];
size_t PurchaseOrderLength;
size_t RecieptDataLength;
} eBookAccountingData, *PeBookAccountingData;

typedef struct _eBookPublicData
{
wchar_t ISBN[BUFSIZ];
wchar_t MISC[BUFSIZ];
wchar_t ShortName[BUFSIZ];
wchar_t Author[BUFSIZ];
wchar_t LongName[BUFSIZ];
wchar_t PathToFile[MAX_PATH];
int Rating;
int SerialNumber;
} eBookPublicData, *PeBookPublicData;

typedef struct _eBook
{
eBookFlag Flag;
eBookAccountingData Priv;
eBookPublicData Pub;
} eBook, *PeBook;

// define managed analogues for native/serialized types
namespace Client {
namespace ManagedEbookLib {
[System::FlagsAttribute]
public enum class ManagedeBookFlag : int
{
NOFLAG = 0x0,
ACTIVE = 0x1,
PENDING_REMOVE = 0x2,
};

public ref class ManagedEbookPublic
{
public:
__clrcall ManagedEbookPublic()
{
ISBN = MISC = ShortName = Author = LongName = PathToFile = String::Empty;
}
Int32 Rating;
String^ ISBN;
String^ MISC;
Int32 SerialNumber;
String^ ShortName;
String^ Author;
String^ LongName;
String^ PathToFile;
};

public ref class ManagedEbookAccounting
{
public:
__clrcall ManagedEbookAccounting()
{
PurchaseOrder = gcnew array<Byte>(0);
RecieptData = gcnew array<Byte>(0);
}
array<Byte>^ PurchaseOrder;
array<Byte>^ RecieptData;
};

public ref class ManagedEbook
{
public:
__clrcall ManagedEbook()
{
Pub = gcnew ManagedEbookPublic();
Priv = gcnew ManagedEbookAccounting();
}
ManagedeBookFlag Flag;
ManagedEbookPublic^ Pub;
ManagedEbookAccounting^ Priv;
array<Byte^>^ BookData;
};
}
}

using namespace Client::ManagedEbookLib;

// extend marshal library for native/managed inter-op
namespace msclr {
namespace interop {
template<>
inline ManagedEbookAccounting^ marshal_as<ManagedEbookAccounting^, eBookAccountingData> (const eBookAccountingData& Src)
{
ManagedEbookAccounting^ Dest = gcnew ManagedEbookAccounting;

if(Src.PurchaseOrderLength > 0 && Src.PurchaseOrderLength < sizeof(Src.PurchaseOrder))
{
Dest->PurchaseOrder = gcnew array<Byte>((int) Src.PurchaseOrderLength);
Marshal::Copy(static_cast<IntPtr>(Src.PurchaseOrder[0]), Dest->PurchaseOrder, 0, (int) Src.PurchaseOrderLength);
}

if(Src.RecieptDataLength > 0 && Src.RecieptDataLength < sizeof(Src.RecieptData))
{
Dest->RecieptData = gcnew array<Byte>((int) Src.RecieptDataLength);
Marshal::Copy(static_cast<IntPtr>(Src.RecieptData[0]), Dest->RecieptData, 0, (int) Src.RecieptDataLength);
}

return Dest;
};
template<>
inline ManagedEbookPublic^ marshal_as<ManagedEbookPublic^, eBookPublicData> (const eBookPublicData& Src) {
ManagedEbookPublic^ Dest = gcnew ManagedEbookPublic;
Dest->Rating = Src.Rating;
Dest->ISBN = gcnew String(Src.ISBN);
Dest->MISC = gcnew String(Src.MISC);
Dest->SerialNumber = Src.SerialNumber;
Dest->ShortName = gcnew String(Src.ShortName);
Dest->Author = gcnew String(Src.Author);
Dest->LongName = gcnew String(Src.LongName);
Dest->PathToFile = gcnew String(Src.PathToFile);
return Dest;
};
template<>
inline ManagedEbook^ marshal_as<ManagedEbook^, eBook> (const eBook& Src) {
ManagedEbook^ Dest = gcnew ManagedEbook;

Dest->Priv = marshal_as<ManagedEbookAccounting^>(Src.Priv);
Dest->Pub = marshal_as<ManagedEbookPublic^>(Src.Pub);
Dest->Flag = static_cast<ManagedeBookFlag>(Src.Flag);

return Dest;
};
}
}

// Primary user namespace
namespace Client
{
namespace ManagedEbooks
{
// “Store” is Client::ManagedEbooks::Store()
public ref class Store
{
private:
String^ DataStore;
List<ManagedEbook^>^ Books;
HANDLE hFile;

// serialization from disk
void __clrcall LoadDB()
{
Books = gcnew List<ManagedEbook^>();
eBook AeBook;
DWORD red = 0;

marshal_context^ x = gcnew marshal_context();
hFile = CreateFileW(x->marshal_as<const wchar_t*>(DataStore), GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE, 0, OPEN_ALWAYS, 0, 0);

if(hFile == INVALID_HANDLE_VALUE)
return;

do {
ReadFile(hFile, &AeBook, sizeof(eBook), &red, NULL);

if(red == sizeof(eBook))
Books->Add(marshal_as<ManagedEbook^>(AeBook));

} while(red == sizeof(eBook));
}

// scan hay for anything that matches needle
bool __clrcall MatchBook(ManagedEbook ^hay, ManagedEbook^ needle)
{
// check numeric values first
if(hay->Pub->Rating != 0 && hay->Pub->Rating == needle->Pub->Rating)
return true;
if(hay->Pub->SerialNumber != 0 && hay->Pub->SerialNumber == needle->Pub->SerialNumber)
return true;

// scan each string
if(!String::IsNullOrEmpty(hay->Pub->ISBN) && hay->Pub->ISBN->Contains(needle->Pub->ISBN))
return true;
if(!String::IsNullOrEmpty(hay->Pub->MISC) && hay->Pub->MISC->Contains(needle->Pub->MISC))
return true;
if(!String::IsNullOrEmpty(hay->Pub->ShortName) && hay->Pub->ShortName->Contains(needle->Pub->ShortName))
return true;
if(!String::IsNullOrEmpty(hay->Pub->Author) && hay->Pub->Author->Contains(needle->Pub->Author))
return true;
if(!String::IsNullOrEmpty(hay->Pub->LongName) && hay->Pub->LongName->Contains(needle->Pub->LongName))
return true;
if(!String::IsNullOrEmpty(hay->Pub->PathToFile) && hay->Pub->PathToFile->Contains(needle->Pub->PathToFile))
return true;
return false;
}

// destructor
__clrcall !Store()
{
Close();
}

// serialization to disk happens here
void __clrcall _Close()
{
if(hFile == INVALID_HANDLE_VALUE)
return;

SetFilePointer(hFile, 0, NULL, FILE_BEGIN);
for each(ManagedEbook^ book in Books)
{
eBook save;
DWORD wrote=0;
marshal_context^ x = gcnew marshal_context();
ZeroMemory(&save, sizeof(save));

save.Pub.Rating = book->Pub->Rating;
save.Pub.SerialNumber = book->Pub->SerialNumber;
save.Flag = static_cast<eBookFlag>(book->Flag);

swprintf_s(save.Pub.ISBN, sizeof(save.Pub.ISBN), L”%s”, x->marshal_as<const wchar_t*>(book->Pub->ISBN));
swprintf_s(save.Pub.MISC, sizeof(save.Pub.MISC), L”%s”, x->marshal_as<const wchar_t*>(book->Pub->MISC));
swprintf_s(save.Pub.ShortName, sizeof(save.Pub.ShortName), L”%s”, x->marshal_as<const wchar_t*>(book->Pub->ShortName));
swprintf_s(save.Pub.Author, sizeof(save.Pub.Author), L”%s”, x->marshal_as<const wchar_t*>(book->Pub->Author));
swprintf_s(save.Pub.LongName, sizeof(save.Pub.LongName), L”%s”, x->marshal_as<const wchar_t*>(book->Pub->LongName));
swprintf_s(save.Pub.PathToFile, sizeof(save.Pub.PathToFile), L”%s”, x->marshal_as<const wchar_t*>(book->Pub->PathToFile));

if(book->Priv->PurchaseOrder->Length > 0)
{
pin_ptr<Byte> pin = &book->Priv->PurchaseOrder[0];

save.Priv.PurchaseOrderLength = min(sizeof(save.Priv.PurchaseOrder), book->Priv->PurchaseOrder->Length);
memcpy(save.Priv.PurchaseOrder, pin, save.Priv.PurchaseOrderLength);
pin = nullptr;
}

if(book->Priv->RecieptData->Length > 0)
{
pin_ptr<Byte> pin = &book->Priv->RecieptData[0];

save.Priv.RecieptDataLength = min(sizeof(save.Priv.RecieptData), book->Priv->RecieptData->Length);
memcpy(save.Priv.RecieptData, pin, save.Priv.RecieptDataLength);
pin = nullptr;
}

WriteFile(hFile, &save, sizeof(save), &wrote, NULL);
if(wrote != sizeof(save))
return;
}
CloseHandle(hFile);
hFile = INVALID_HANDLE_VALUE;
}

protected:

// destructor forwards to the disposable interface
virtual __clrcall ~Store()
{
this->!Store();
}

public:

// possibly hide this
void __clrcall Close()
{
_Close();
}

// constructor
__clrcall Store(String^ DataStoreDB)
{
DataStore = DataStoreDB;
LoadDB();
}

// add ebook
void __clrcall Add(ManagedEbook^ eBook)
{
Books->Add(eBook);
}

// remove ebook
void __clrcall Remove(ManagedEbook^ eBook)
{
Books->Remove(eBook);
}

// get query list
List<ManagedEbook^>^ __clrcall Query(ManagedEbook^ eBook)
{
List<ManagedEbook^>^ rv = gcnew List<ManagedEbook^>();

for each(ManagedEbook^ book in Books)
{
if(MatchBook(book, eBook))
rv->Add(book);
}
return rv;
}
};
}
}

INSIGHTS | February 24, 2012

IOActive’s IOAsis at RSA 2012

By IOActive

This is not a technical post as usual. This is an invitation for an important event if you are going to RSA 2012 and want to escape the chaos and experience the luxury at IOAsis while enjoying great technical talks and meeting with industry experts. If you want to feel like a VIP and have great time then don’t miss this opportunity!

We have scheduled some really interesting talks such as:

Firmware analysis of Industrial Devices with IOActive researcher Ruben Santamarta
Mobile Security in the Enterprise with IOActive VP, David Baker and IOActive Principal Consultant, Ilja van Sprundel
The Social Aspect of Pen Testing with IOActive Managing Consultant, Ryan O’Horo
Battling Compliance in the Cloud with IOActive Principal Compliance Consultant, Robert Zigweid

We hope to see you there!

INSIGHTS | February 17, 2012

Estimating Password and Token Entropy (Randomness) in Web Applications

By Ryan O'Horo

Entropy

“In information theory, entropy is a measure of the uncertainty associated with a random variable. In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message, usually in units such as bits. In this context, a ‘message’ means a specific realization of the random variable.” [1]

1. http://en.wikipedia.org/wiki/Entropy_%28information_theory%29

I find myself analyzing password and token entropy quite frequently and I’ve come to rely upon Wolfram Alpha and Burp Suite Pro to get my estimates for these values. It’s understandable why we’d want to check a password’s entropy. It gives us an indication of how long it would take an attacker to brute force it, whether in a login form or a stolen database of hashes. However, an overlooked concern is the entropy contained in tokens for session and object identifiers. These values can also be brute forced to steal active sessions and gain access to objects to which we do not have permission. Not only are these tokens sometimes too short, they sometimes also contain much less entropy than appears.

Estimating Password Entropy

Wolfram Alpha has a keyword specifically for analyzing passwords.

http://www.wolframalpha.com/input/?i=password+strength+f00b4r^LYFE

Estimating Token Entropy

Estimating the solution for: [ characters ^ length = 2 ^ x ] will convert an arbitrary string value to bits of entropy. This formula is not really solvable, so I use Wolfram Alpha to estimate the solution.

e.g. 1tdrtahp4y8201att8i414a7km has the formula:

http://www.wolframalpha.com/input/?i=36^26+%3D+2^x

Click “Approximate Form” under the “Real solution”:

The password strength calculator also works okay on tokens, and we’ll see a similar result:

http://www.wolframalpha.com/input/?i=password+strength+1tdrtahp4y8201att8i414a7km

BUT! Analysis of a single token is not enough to measure /effective/ entropy. Burp Suite Sequencer will run the proper entropy analysis tests on batches of session identifiers to estimate this value. Send your application login request (or whatever request generates a new token value) to the Sequencer and configure the Sequencer to collect the target token value. Start collecting and set the “Auto-Analyze” box to watch as Burp runs its tests.

A sample token “1tdrtahp4y8201att8i414a7km” from this application has an estimated entropy of 134.4 bits, but FIPS analysis of a batch of 2000 of these identifiers shows an effective entropy of less than 45 bits!

Not only that, but the tokens range in length from 21 to 26 characters, some are much shorter than we originally thought.

Burp will show you many charts, but these bit-level analysis charts will give you an idea of where the tokens are failing to meet expected entropy.

You can spot a highly non-random value near the middle of the token (higher is better), and the varying length of the tokens drag down entropy near the end. The ASCII-based character set used in the token have one or more unused or underused bits, as seen in the interspersed areas of very low entropy.

In the case illustrated above I would ask the client to change the way randomness is supplied to the token and/or increase the token complexity with a hashing function, which should increase attack resistance.

Remember, for session or object identifiers, you want to get close to 128 bits of /effective/ entropy to prevent brute forcing. This is a guideline set by OWASP and is in line with most modern web application frameworks.

If objects persist for long periods or are very numerous (in the millions) you’ll want more entropy to maintain the same level of safety as a session identifier, which is more ephemeral. An example of persistent objects (on the order of years) which rely on high entropy tokens would be Facebook photo URLs. Photos marked private are still publicly accessible, but Facebook counts on the fact that their photo URLs have high entropy.

The following URL has at least 160 bits of entropy:

https://fbcdn-sphotos-a.akamaihd.net/hphotos-ak-ash4/398297_10140657048323225_750784224_11609676_1712639207_n.jpg

For passwords, the analysis is a little more subjective, but Wolfram Alpha gives you a good estimate. You can use this password analysis for encryption keys or passphrases as well, e.g. if they are provided as part of a source code audit.

Happy Hacking!

INSIGHTS | February 8, 2012

I can still see your actions on Google Maps over SSL

By Vincent Berg

A while ago, yours truly gave two talks on SSL traffic analysis: one at 44Con and one at RuxCon. A demonstration of the tool was also given at last year’s BlackHat Arsenal by two of my co-workers. The presented research and tool may not have been as groundbreaking as some of the other talks at those conferences, but attendees seemed to like it, so I figured it might make some good blog content.

Traffic analysis is definitely not a new field, neither in general nor when applied to SSL; a lot of great work has been done by reputable research outlets, such as Microsoft Research with researchers like George Danezis. What recent traffic analysis research has tried to show is that there are enormous amounts of useful information to be obtained by an attacker who can monitor the encrypted communication stream.

A great example of this can be found in the paper with the slightly cheesy title Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow. The paper discusses some approaches to traffic analysis on SSL-encrypted web applications and applies them to real-world systems. One of the approaches enables an attacker to build a database that contains traffic patterns of the AutoComplete function in drop-down form fields (like Google’s Auto Complete). Another great example is the ability to—for a specific type of stock management web application—reconstruct pie charts in a couple of days and figure out the contents of someone’s stock portfolio.

After discussing these attack types with some of our customers, I noticed that most of them seemed to have some difficulty grasping the potential impact of traffic analysis on their web applications. The research papers I referred them to are quite dry and they’re also written in dense, scientific language that does nothing to ease understanding. So, I decided to just throw some of my dedicated research time out there and come up with a proof of concept tool using a web application that everyone knows and understands: Google Maps.

Since ignorance is bliss, I decided to just jump in and try to build something without even running the numbers on whether it would make any sense to try. I started by running Firefox and Firebug in an effort to make sense of all the JavaScript voodoo going on there. I quickly figured out that Google Maps works by using a grid system in which PNG images (referred to as tiles) are laid out. Latitude and longitude coordinates are converted to x and y values depending on the selected zoom level; this gives a three dimensional coordinate system in which each separate (x, y, z)-triplet represents two PNG images. The first image is called the overlay image and contains the town, river, highway names and so forth; the second image contains the actual satellite data.

Once I had this figured out the approach became simple: scrape a lot of satellite tiles and build a database of the image sizes using the tool GMapCatcher. I then built a tool that uses libpcap to approximate the image sizes by monitoring the SSL encrypted traffic on the wire. The tool tries to match the image sizes to the recorded (x,y,z)-triplets in the database and then tries to cluster the results into a specific region. This is notoriously difficult to do since one gets so many false positives if the database is big enough. Add to this the fact that it is next to impossible to scrape the entire Google Maps database since, first, they will ban you for generating so much traffic and, second, you will have to store many petabytes of image data.

With a little bit of cheating—I used a large browser screen so I would have more data to work with—I managed to make the movie Proof of Concept – SSL Traffic Analysis of Google Maps.

As shown in the movie, the tool has a database that contains city profiles including Paris, Berlin, Amsterdam, Brussels, and Geneva. The tool runs on the right and on the left is the browser accessing Google Maps over SSL. In the first attempt, I load the city of Paris and zoom in a couple of times. On the second attempt I navigate to Berlin and zoom in a few times. On both occasions the tool manages to correctly guess the locations that the browser is accessing.

Please note that it is a shoddy proof of concept, but it shows the concept of SSL traffic analysis pretty well. It also might be easier to understand for less technically inclined people, as in “An attacker can still figure out what you’re looking at on Google Maps” (with the addendum that it’s never going to be a 100% perfect and that my shoddy proof of concept has lots of room for improvement).

For more specific details on this please refer to the IOActive white paper Traffic Analysis on Google Maps with GMaps-Trafficker or send me a tweet at @santaragolabs.