WOOT '20 Workshop Program

Papers are available for download below to registered attendees now and to everyone beginning Tuesday, August 11, 2020. Paper abstracts are available to everyone now. Copyright to the individual works is retained by the author[s].

All the times listed below are in Pacific Daylight Time (PDT).

Tuesday, August 11

8:00 am–8:15 am

Opening Remarks and Awards

Program Co-Chairs: Yuval Yarom, University of Adelaide and Data61, and Sarah Zennou, Airbus

8:15 am–9:00 am

Invited Talk

Hardware Security Is Hard: How Hardware Boundaries Define Platform Security

Alex Matrosov, NVIDIA

Nowadays it's difficult to find any hardware vendor who develops all the components present in their platform. The big piece of it outsourced to OEMs includes firmware too. That creates additional complexity and limits hardware vendor control over the platform. That creates not only supply chain security risks but also produces security gaps in the threat modeling process by design.

In most cases, hardware vendors separate the threat model and security boundaries for each hardware component present on the platform, but in reality this misses a lot of details, which is directly reflected in platform security. This talk will look through the prism of security problems and vulnerabilities created by those architecture design mistakes.

Alex Matrosov, NVIDIA

Alex Matrosov is a chief offensive security researcher at NVIDIA. He has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. Before joining NVIDIA, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE), spent more than six years in the Intel Advanced Threat Research team, and was Senior Security Researcher at ESET. Alex has authored and co-authored numerous research papers and is a frequent speaker at security conferences.

9:00 am–9:15 am

Break

9:15 am–10:15 am

Technical Session

Exploiting Uses of Uninitialized Stack Variables in Linux Kernels to Leak Kernel Pointers

Haehyun Cho, Arizona State University; Jinbum Park and Joonwon Kang, Samsung Research; Tiffany Bao, Ruoyu Wang, Yan Shoshitaishvili, and Adam Doupé, Arizona State University; Gail-Joon Ahn, Arizona State University and Samsung Research

Information leaks are the most prevalent type of vulnerabilities among all known vulnerabilities in Linux kernel. Many of them are caused by the use of uninitialized variables or data structures. It is generally believed that the majority of information leaks in Linux kernel are low-risk and do not have severe impact due to the difficulty (or even the impossibility) of exploitation. As a result, developers and security analysts do not pay enough attention to mitigating these vulnerabilities. Because of this, these vulnerabilities are usually assigned low CVSS scores or left without any CVEs assigned. Moreover, many patches that address uninitialized data use bugs in Linux kernel are not accepted, leaving billions of Linux systems vulnerable.

Nonetheless, information leak vulnerabilities in Linux kernel are not as low-risk as people believe. In this paper, we present a generic approach that converts stack-based information leaks in Linux kernel into kernel pointer leak vulnerabilities, which can be used to defeat modern security defenses such as KASLR. Taking an exploit that triggers an information leak in Linux kernel, our approach automatically converts it into a highly impactful exploit that leaks pointers to either kernel functions or the kernel stack. We evaluate our approach on four known CVEs and one security patch in Linux kernel and demonstrate its effectiveness. Our findings provide solid evidence for Linux kernel developers and security analysts to treat information leaks in Linux kernel more seriously.

Automatic Generation of Compact Printable Shellcodes for x86

Dhrumil Patel, Dhirubhai Ambani Institute of Information and Communication Technology; Aditya Basu, Pennsylvania State University; Anish Mathuria, Dhirubhai Ambani Institute of Information and Communication Technology

Shellcode is a sequence of executable instruction(s) that can be used to exploit vulnerable processes by injecting it into a process's address space. A typical shellcode comprises printable (ex. 'a', '{', '/', etc.) and non-printable bytes (ex. DEL, INS, etc.). A way to inject these shellcodes into a process's address space is by leveraging a buffer overflow exploit. However, defensive filters will drop non-printable bytes from program inputs, thereby rendering the shellcode exploit useless. In order to bypass these defensive filters, shellcodes with only printable characters can be used. However, it is a non-trivial task to write printable shellcodes. For this reason, researchers have come up with tools to convert arbitrary shellcodes into functionally equivalent printable shellcodes. One of the popular tools is based on the Riley Eller algorithm. One drawback of this algorithm is that the resultant shellcode is much larger than the original shellcode. In this paper we present a new encoding scheme which produces a much more compact (about ~40% smaller) printable shellcode as compared to the Riley Eller algorithm.

When Oblivious is Not: Attacks against OPAM

Nirjhar Roy, Nikhil Bansal, and Gourav Takhar, Indian Institute of Technology - Kanpur; Nikhil Mittal, Fortanix; Pramod Subramanyan, Indian Institute of Technology - Kanpur

Enclave platforms like Intel SGX, Sanctum and Keystone promise attractive security guarantees but have not always lived up to their billing, mostly due to side-channel leaks in platform implementations. A particularly important side-channel in these platforms has been the page fault side-channel. This side channel has proven to be particularly problematic because it is deterministic and controllable by a malicious operating system. This paper presents a new attack on the page fault channel that works on the state-of-art proposal for secure demand paging in enclaves (InvisiPage, ISCA'19). The insight behind the attack is that even if the exact page fault addresses are hidden, the adversary may be able to infer the interval between when a page is evicted from an enclave and when it is fetched back into the enclave. Our evaluation shows this leak is sufficient to: (i) identify which application is being executed in an enclave, (ii) infer confidential details about the inputs to the application, and (iii) function as a covert channel between an untrusted enclave application and a malicious operating system.

Unearthing the TrustedCore: A Critical Review on Huawei’s Trusted Execution Environment

Marcel Busch, Johannes Westphal, and Tilo Mueller, Friedrich-Alexander-University Erlangen-Nürnberg

Trusted Execution Environments (TEEs) are an essential building block in the security architecture of modern mobile devices. In this paper, we review a TEE implementation, called TrustedCore (TC), that has been used on Huawei phones for several years. We unveil multiple severe design and implementation flaws in the software stack of this TEE which affect devices including the popular Huawei P9 Lite, released in 2016, and partially the more recent Huawei P20 Lite, released in 2018. First, we reverse-engineer TC’s components, their interconnections, and their integration with the Android system, focusing on security aspects. Second, we examine the Trusted Application (TA) loader of the TC platform and reveal multiple design flaws. These flaws allow us to decrypt any TA found on our target devices and, thus, break code confidentiality. Third, we describe the design of Huawei’s keystore system, the heart of all services using hardware-backed cryptography. We found severe vulnerabilities in this keystore system and demonstrate the leakage of export-protected keys from the TEE, which considerably weakens full-disk encryption. Fourth, along with these findings, we additionally discovered an exploitable memory corruption within Huawei’s keymaster TA, enabling us to execute arbitrary code within the ARM TrustZone at the highest privilege level. The exploit requires us to bypass several mitigation techniques such as stack canaries and Address Space Layout Randomization (ASLR), which are all flawed in this TEE’s design. We reported our findings to Huawei in a responsible disclosure procedure and publicly discuss our analyses for the first time in this paper.

NFCGate: Opening the Door for NFC Security Research with a Smartphone-Based Toolkit

Steffen Klee, Alexandros Roussos, Max Maass, and Matthias Hollick, Secure Mobile Networking Lab, TU Darmstadt

Near Field Communication (NFC) is being used in a variety of security-critical applications, from access control to payment systems. However, NFC protocol analysis typically requires expensive or conspicuous dedicated hardware, or is severely limited on smartphones. In 2015, the NFCGate proof of concept aimed at solving this issue by providing capabilities for NFC analysis employing off-the-shelf Android smartphones. In this paper, we present an extended and improved NFC toolkit based on the functionally limited original open-source codebase. With in-flight traffic analysis and modification, relay, and replay features this toolkit turns an off-the-shelf smartphone into a powerful NFC research tool. To support the development of countermeasures against relay attacks, we investigate the latency incurred by NFCGate in different configurations. Our newly implemented features and improvements enable the case study of an award-winning, enterprise-level NFC lock from a well-known European lock vendor, which would otherwise require dedicated hardware. The analysis of the lock reveals several security issues, which were disclosed to the vendor.

One Exploit to Rule them All? On the Security of Drop-in Replacement and Counterfeit Microcontrollers

Johannes Obermaier, Marc Schink, and Kosma Moczek

This paper is under embargo and will be released on Thursday, August 6, 2020.

With the increasing complexity of embedded systems, the firmware has become a valuable asset. At the same time, pressure for cost reductions in hardware is imminent. These two aspects are united at the heart of the system, i.e., the microcontroller. It runs and protects its firmware, but simultaneously has to prevail against cheaper alternatives. For the very popular STM32F1 microcontroller series, this has caused the emergence of many competitors in the last few years who offer drop-in replacements or even sell counterfeit devices at a fraction of the original price. Thus, the question emerges whether the replacements are silicon-level clones and, if not, whether they provide better, equal, or less security. In this paper, we analyze a total of six devices by four manufacturers, including the original device, in depth. Via a low-level analysis, we identify all of them as being individually developed devices. We further put the focus on debug and hardware security, discovering several novel vulnerabilities in all devices, causing the exposure of the entire firmware. All of the presented vulnerabilities, including invasive ones, are on a Do it Yourself (DiY) level without the demand for a sophisticated lab -- thereby underlining the urgency for hardware fixes. To facilitate further research, reproduction, and testing of other devices, we provide a comprehensive description of all vulnerabilities in this paper and code for proofs-of-concepts online.

10:15 am–11:15 am

Lunch break

11:15 am–12:00 pm

Invited Talk

OS Security Is Hard: Why All the Fuzzers in the World Won't Change the Way Platform Security Is Failing Us

Alex Ionescu, CrowdStrike, Inc.

The last couple of years have brought exciting hardware and software security features in the top operating systems—Windows, macOS, and Linux, which have all moved toward greater integration with hypervisor, TPM, and chipset/CPU security mitigations and capabilities, while taking advantage of the compiler as well. Additionally, security teams embedded in various companies are now involved (or claim to be) in the design, implementation, and testing of such features.

Over a year ago, I presented a number of vulnerabilities in recent Windows code at a keynote in France and later in Israel, vulnerabilities which were of such simplicity that it became unclear why they had not been found through code review, fuzzing, or other tooling (because all developers write bugs). I posited that such tooling is insufficient to build truly secure systems, and that the added complexity, and reduction in the quality of training & education of developers, is leading us toward a world with more bugs, not less.

At the time, arguments were made that these were one-offs, and not all processes meant to find these types of bugs had activated yet. Multiple presentations were made on how new processes were added to fix and address future similar issues, especially when related to system calls. In this keynote, I'll review the state since last year, and show not only how additional similar bugs were added in both Dxgkrnl and Ntoskrnl, but also how entire new security features continued to have fatal design flaws (leading to over 100K in bug bounty money due to their discovery). While these examples are Windows-centric, equivalents exist in the Linux and macOS space, as this is not some sort of unique Microsoft problem.

Programmers are human, and humans make mistakes. Is automation truly the solution, or are there more fundamental changes that are needed for how we address security engineering? This keynote will make one last plea to propose changes to the engineering processes and educational priorities of future software practitioners.

Alex Ionescu, CrowdStrike, Inc.

Alex Ionescu is VP of Endpoint Engineering at CrowdStrike, Inc., where he started as the Founding Chief Architect in 2011. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is co-author of the last 3 editions of the Windows Internals series. During the last two decades, his work led to the fixing of dozens of critical kernel vulnerabilities in Windows. Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad, and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security training for various institutions.

12:00 pm–12:15 pm

Break

12:15 pm–1:15 pm

Technical Session

ToothPicker: Apple Picking in the iOS Bluetooth Stack

Dennis Heinze, TU Darmstadt, Secure Mobile Networking Lab and ERNW GmbH; Jiska Classen and Matthias Hollick, TU Darmstadt, Secure Mobile Networking Lab

Bluetooth enables basic communication prior to pairing as well as low-energy information exchange with multiple devices. The Apple ecosystem is extensively using Bluetooth for coordination tasks that run in the background and enable seamless device handover. To this end, Apple established proprietary protocols. Since their implementation is closed-source and over-the-air fuzzers are very limited, these protocols are largely unexplored and not publicly tested for security. In this paper, we summarize the current state of Apple's Bluetooth protocols. Based on this, we build the iOS in-process fuzzer ToothPicker and evaluate the implementation security of these protocols. We find a zero-click Remote Code Execution (RCE) that was fixed in iOS 13.5 and simple crashes.

BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy

Jianliang Wu, Yuhong Nan, Vireshwar Kumar, Dave (Jing) Tian, and Antonio Bianchi, Purdue University; Mathias Payer, EPFL; Dongyan Xu, Purdue University

The Bluetooth Low Energy (BLE) protocol ubiquitously enables energy-efficient wireless communication among resource-constrained devices. To ease its adoption, BLE requires limited or no user interaction to establish a connection between two devices. Unfortunately, this simplicity is the root cause of several security issues.

In this paper, we analyze the security of the BLE link-layer, focusing on the scenario in which two previously-connected devices reconnect. Based on a formal analysis of the reconnection procedure defined by the BLE specification, we highlight two critical security weaknesses in the specification. As a result, even a device implementing the BLE protocol correctly may be vulnerable to spoofing attacks.

To demonstrate these design weaknesses, and further study their security implications, we develop BLE Spoofing Attacks (BLESA). These attacks enable an attacker to impersonate a BLE device and to provide spoofed data to another previously-paired device. BLESA can be easily carried out against some implementations of the BLE protocol, such as the one used in Linux. Additionally, for the BLE stack implementations used by Android and iOS, we found a logic bug enabling BLESA. We reported this security issue to the affected parties (Google and Apple), and they acknowledged our findings.

Firmware Insider: Bluetooth Randomness is Mostly Random

Jörn Tillmanns and Jiska Classen, SEEMOO, TU Darmstadt; Felix Rohrbach, Cryptoplexity, TU Darmstadt; Matthias Hollick, SEEMOO, TU Darmstadt

Bluetooth chips must include a Random Number Generator (RNG). This RNG is used internally within cryptographic primitives but also exposed to the operating system for chip-external applications. In general, it is a black box with security-critical authentication and encryption mechanisms depending on it. In this paper, we evaluate the quality of RNGs in various Broadcom and Cypress Bluetooth chips. We find that the RNG implementation significantly changed over the last decade. Moreover, most devices implement an insecure Pseudo-Random Number Generator (PRNG) fallback. Multiple popular devices, such as the Samsung Galaxy S8 and its variants as well as an iPhone, rely on the weak fallback due to missing a Hardware Random Number Generator (HRNG). We statistically evaluate the output of various HRNGs in chips used by hundreds of millions of devices. While the Broadcom and Cypress HRNGs pass advanced tests, it remains indistinguishable for users if a Bluetooth chip implements a secure RNG without an extensive analysis as in this paper. We describe our measurement methods and publish our tools to enable further public testing.

AFL++: Combining Incremental Steps of Fuzzing Research

Andrea Fioraldi, Sapienza University of Rome; Dominik Maier, TU Berlin; Heiko Eißfeldt; Marc Heuse, The Hacker's Choice

In this paper, we present AFL++, a community-driven open-source tool that incorporates state-of-the-art fuzzing research, to make the research comparable, reproducible, combinable and - most importantly - useable. It offers a variety of novel features, for example its Custom Mutator API, able to extend the fuzzing process at many stages. With it, mutators for specific targets can also be written by experienced security testers. We hope for AFL++ to become a new baseline tool not only for current, but also for future research, as it allows testing new techniques quickly, and evaluating not only the effectiveness of the single technique versus the state-of-the-art, but also in combination with other techniques. The paper gives an evaluation of hand-picked fuzzing technologies - shining light on the fact that while each novel fuzzing method can increase performance in some targets - it decreases performance for other targets. This is an insight future fuzzing research should consider in their evaluations.

Bankrupt Covert Channel: Turning Network Predictability into Vulnerability

Dmitrii Ustiugov, Plamen Petrov, M. R. Siavash Katebzadeh, and Boris Grot, University of Edinburgh

Recent years have seen a surge in the number of data leaks despite aggressive information-containment measures deployed by cloud providers. When attackers acquire sensitive data in a secure cloud environment, covert communication channels are a key tool to exfiltrate the data to the outside world. While the bulk of prior work focused on covert channels within a single CPU, they require the spy (transmitter) and the receiver to share the CPU, which might be difficult to achieve in a cloud environment with hundreds or thousands of machines.

This work presents Bankrupt, a high-rate highly clandestine channel that enables covert communication between the spy and the receiver running on different nodes in an RDMA network. In Bankrupt, the spy communicates with the receiver by issuing RDMA network packets to a private memory region allocated to it on a different machine (an intermediary). The receiver similarly allocates a separate memory region on the same intermediary, also accessed via RDMA. By steering RDMA packets to a specific set of remote memory addresses, the spy causes deep queuing at one memory bank, which is the finest addressable internal unit of main memory. This exposes a timing channel that the receiver can listen on by issuing probe packets to addresses mapped to the same bank but in its own private memory region. Bankrupt channel delivers 74Kb/s throughput in CloudLab's public cloud while remaining undetectable to the existing monitoring capabilities, such as CPU and NIC performance counters.

Office Document Security and Privacy

Jens Müller, Ruhr University Bochum; Fabian Ising, Münster University of Applied Sciences; Christian Mainka and Vladislav Mladenov, Ruhr University Bochum; Sebastian Schinzel, Münster University of Applied Sciences; Jörg Schwenk, Ruhr University Bochum

OOXML and ODF are the de facto standard data formats for word processing, spreadsheets, and presentations. Both are XML-based, feature-rich container formats dating back to the early 2000s. In this work, we present a systematic analysis of the capabilities of malicious office documents. Instead of focusing on implementation bugs, we abuse legitimate features of the OOXML and ODF specifications. We categorize our attacks into five classes: (1) Denial-of-Service attacks affecting the host on which the document is processed. (2) Invasion of privacy attacks that track the usage of the document. (3) Information disclosure attacks exfiltrating personal data out of the victim's computer. (4) Data manipulation on the victim's system. (5) Code execution on the victim's machine. We evaluated the reference implementations – Microsoft Office and LibreOffice – and found both of them to be vulnerable to each tested class of attacks. Finally, we propose mitigation strategies to counter these attacks.

1:15 pm–1:30 pm

Break

1:30 pm–2:15 pm

Invited Talk

When Is a Proof Actually Not?

Vanessa Teague, Thinking Cybersecurity

I'll examine some practical implementations of cryptographic proofs, including zero knowledge proofs for facts such as proper mixing, decryption, and equality testing. In each case, we can generate a 'proof' of a fact that is clearly false. In some cases these are simply bugs; in others, the forgery is possible because of a subtle misalignment of the security assumptions of a proven-secure component and the context of the protocol.

Examples will include the SwissPost-Scytl-iVote mixing and decryption proofs, plus some new results on Plaintext Equivalence in the Civitas implementation of the Juels-Catalano-Jakobsson e-voting protocol.

Although all my examples come from e-voting, these results justify more careful analysis of other uses of zero knowledge proofs in other practical scenarios, such as blockchains, cryptocurrencies, and online auctions.

This is joint work with Thomas Haines, Sarah Jamie Lewis, Eleanor McMurtry, and Olivier Pereira.

Vanessa Teague, Thinking Cybersecurity

Vanessa Teague is the CEO of Thinking Cybersecurity and Associate Prof (Adj.) in the Research School of Computer Science at the Australian National University. Her research focuses primarily on cryptographic methods for achieving security and privacy, particularly for issues of public interest such as election integrity and the protection of government data. She was part of the team (with Chris Culnane and Ben Rubinstein) who discovered the easy re-identification of doctors and patients in the Medicare/PBS open dataset released by the Australian Department of Health. She has co-designed numerous protocols for improved election integrity in e-voting systems, and co-discovered serious weaknesses in the cryptography of deployed e-voting systems in New South Wales, Western Australia, and Switzerland.

2:15 pm–2:30 pm

Closing Remarks