What is it for?

1. Decreasing number of defects, detected by our colleagues from the software quality control department and by company's clients.
2. Reducing an application maintenance cost due to increase of code quality.
3. Securing quality and quantity of unit tests.
4. Securing joint code ownership.
5. Securing experience interchange among team members.
6. Perfecting a code style. Detecting and discussing style controversies within the team.

Who participates in a review?

When to review?

How does it work?

1. a reviewer of their group;
2. a lead of their group.

• Before a code is added to a repository, it is surely reviewed by at least one person, who knows it well.
• Developers always know about any changes introduced into their projects by other groups.
• A group lead knows everything what the group does and gets a good overview of any code of the group.
• Within a group, developers have sufficient knowledge of a code written by their colleagues.
• If these terms are complied with, project participants achieve a good level of collective code ownership.

A developer writes a code affecting both groups' modules

A developer writes a code to a common module  

How can we get mt_rand seed via PHPSESSID?

• client IP is known to the attacker;
• timestamp is known through Date HTTP-header;
• microseconds1 – a value from 0 to 1000000;
• php_combined_lcg() – an example value is 0.12345678.

• timestamp is the same;
• microseconds2 is greater than microseconds1 (when the first time measurement was made) by 0–3;
• pid is the id of the current process (0–32768, 1024–32768 on Unix);
• microseconds3 is greater than microseconds2 by 1–4.

Adversarial Time Synchronization

Request Twins

• MySQL function RAND() — it can be also predicted though.
• Suhosin patch — does not patch mt_srand, srand. The Suhosin extension should also be installed.
• /dev/urandom — the securest way.

Digging the sources

struct security_operations 
{
char name[SECURITY_NAME_MAX + 1];

int (*ptrace_access_check) (struct task_struct *child, unsigned int mode);
         int (*ptrace_traceme) (struct task_struct *parent);
int (*capget) (struct task_struct *target,
            kernel_cap_t *effective,
            kernel_cap_t *inheritable, kernel_cap_t *permitted);
    …
};

 * register_security – registers the security module with the kernel.
 * @ops: a pointer to the structure security_options that will be used. 
 *
 * This function allows a security module to register itself with the
 * kernel security subsystem.  Some rudimentary checking is done on the @ops
 * value passed to this function. You'll need to check first if your LSM
 * is allowed to register its @ops by calling security_module_enable(@ops).
 *
 * If the security module has been already registered with the kernel, an error
 * will be returned. In case of success, 0 will be returned
 */
int __init register_security(struct security_operations *ops) 
{
    if (verify(ops)) 
        {
        printk(KERN_DEBUG "%s could not verify "
               "security_operations structure.\n", __func__);
        return -EINVAL;
    }

    if (security_ops != &default_security_ops)
        return -EAGAIN;

    security_ops = ops;

    return 0;
}

Writing the skeleton

Writing a super cool module

static int ptlsm_inode_create(struct inode *dir, struct dentry *dentry, int mask)
{
    if (find_usb_device() != 0)
    {
        printk(KERN_ALERT "You shall not pass!\n");
        return -EACCES;
    }
    else {
        printk(KERN_ALERT "Found supreme USB device\n");
    }

    return 0;
}

static int find_usb_device(void)
{
    struct list_head* buslist;
    struct usb_bus* bus;
    int retval = -ENODEV;

    mutex_lock(&usb_bus_list_lock);

    for (buslist = usb_bus_list.next; buslist != &usb_bus_list; buslist = buslist->next) 
    {
        bus = container_of(buslist, struct usb_bus, bus_list);
        retval = match_device(bus->root_hub);
        if (retval == 0)
        {
            break;
        }
    }    

    mutex_unlock(&usb_bus_list_lock);
    return retval;
}

static int match_device(struct usb_device* dev)
{
    int retval = -ENODEV;
    int child;

    if ((dev->descriptor.idVendor == vendor_id) &&
        (dev->descriptor.idProduct == product_id)) 
    {
        return 0;
    }

    for (child = 0; child < dev->maxchild; ++child) 
    {
        if (dev->children[child]) 
        {
            retval = match_device(dev->children[child]);
            if (retval == 0)
            {
                return retval;
            }
        }
    }

    return retval;
}

#include <linux/usb.h>
#include <linux/usb/hcd.h>

1. Web Self Service — a web based virtual machine management console.
2. vSwitch Controller — a web console for virtual network infrastructure management.
3. License Administration Console — XenServer license management service.

Web Self Service

• Cross-site request forgery (CSRF);
• Cross-site scripting (stored XSS);
• URL redirector abuse;
• HTTP response splitting.

1. At first we redirect the administrator to a specially crafted page using URL redirector abuse.
2. The page script via CSRF creates a new system account. The user name field contains a stored XSS vulnerability. We inject useful JavaScript load to the page with a user list by exploiting the vulnerability and redirect the administrator there.
3. The injected JavaScript code sends the administrator cookie to our server and then removes the account that has just been created.

vSwitch Controller

• Cross-site request forgery (CSRF);
• URL redirector abuse;
• HTTP response splitting;
• Insufficient authorization.

License Administration Console

• Content spoofing;
• Cross-site scripting (stored XSS);
• Cross-site request forgery (CSRF);
• Denial of service.

Author: Artem Shishkin

1.    Introduction

2.    Hardware support of SMEP

3.    Software support of SMEP

4.    The way to bypass SMEP on Windows and its mitigation

4.1.     The flaw

4.2.     Other SMEP bypassing attack vectors

5.    Conclusion

6.    Future work

References

KiSaveInitialProcessorControlState():
mov     rax, cr0
mov     [rcx], rax
mov     rax, cr2
mov     [rcx+8], rax
mov     rax, cr3
mov     [rcx+10h], rax
mov     rax, cr4
mov     [rcx+18h], rax
mov     rax, cr8
mov     [rcx+0A0h], rax
sgdt    fword ptr [rcx+56h]
sidt    fword ptr [rcx+66h]
str     word ptr [rcx+70h]
sldt    word ptr [rcx+72h]
stmxcsr dword ptr [rcx+74h]
retn

HvlEndSystemInterrupt():
…
pop     rdx
pop     rax
pop     rcx
retn

KiConfigureDynamicProcessor():
…
mov     cr4, rax
add     rsp, 28h
retn

What is SIEM?

• Consolidation and storage of event logs from various resources — network devices, applications, OS logs, protection tools. Any information security standard provides technical requirements on event collection and analysis. They are needed not only to fulfill a standard requirement. There are situations when an incident is noticed too late, and events were erased long ago, or event logs are unavailable, and in fact it is impossible to find out the incident reasons. Moreover, connecting to each resource and event viewing will take too much time. Otherwise, without event analysis, there is a risk to learn about an incident in your company from the news.
• Provision of tools for event analysis and incident investigation. Event formats differ in various resources. Text format in case of huge volumes is too tiresome; it reduces the possibility of incident detection. A part of products of the SIEM class unifies events and make them more readable, and the interface visualizes only important information events, focuses on them, allows filtering out not critical events.
• Correlation and processing in accordance with rules. An incident cannot be judged by only one event. The simplest example is login failed — one event means nothing, but three and more such events with the same account can already indicate brute force attempts. Rules in SIEM, in the simplest case, are represented as RBR (Rule Based Reasoning) and contain a set of conditions, triggers, counters, an action script.
• Automatic notification and incident management. The SIEM primary task is not only to collect events, but to automate the process of event detection and registration in its own log or an external system HelpDesk, and to inform about the event timely.

• Severity of a system (value, risks) and information (processed and stored)
• Validity and self-descriptiveness of event resources
• Information channel coverage (not only external, but an internal network perimeter should be taken into account)
• Solution of IT and IS tasks (ensuring continuity, incident investigation, policy compliance, information leakage prevention, etc.)

• Access Control, Authentication — to control access to information systems and to use privileges
• Event logs of servers and working stations — to control access, ensure continuity, comply with information security policies
• Active network equipment (modification control and access, network traffic counters)
• IDS\IPS. Notifications about network attacks, configuration changes, and device access
• Antivirus protection. Notifications about software workability, databases, configuration and policy changes, malware
• Vulnerability scanners. Inventory of assets, services, software, vulnerabilities, provision of inventory data and topological structure
• GRC systems for recording of risks, threat severity, incident prioritization
• Other systems of protection and compliance with IS policies (DLP, antifraud, device control, etc.)
• Inventory and asset management systems — to control and detect new infrastructure assets
• Netflow and traffic control systems

• Agents installed on an information system under investigation (essential for operating systems; an agent is a resident program (service, demon), which collects event logs locally and transfers them to a server if possible).
• Agents' collectors, which in fact are modules (libraries) for interpreting a particular event log or system.
• Server collectors intended for prior event accumulation from various resources.
• A server correlator responsible for collecting of information from collectors and agents and processing it in accordance with the rules and algorithms of correlation.
• Database and storage server responsible for event log storing.

SIEM and (or) vulnerability scanner

• A known, described by correlation rules threat
• A threat based on a general template
• Abnormal behavior in case of deviation from a baseline
• Deviation from a security policy based on the idea "everything what is not allowed is prohibited" (it is possible not in all SIEM systems)
• Cause-effect relations if correlation algorithms such as CBR (codebook, smart), GBR (graph based), statistical, Bayesian are used

xpc_connection_t myconnection;
 
dispatch_queue_t queue = dispatch_queue_create("com.apple.chatkit.clientcomposeserver.xpc", DISPATCH_QUEUE_CONCURRENT);
 
myconnection = xpc_connection_create_mach_service("com.apple.chatkit.clientcomposeserver.xpc", queue, XPC_CONNECTION_MACH_SERVICE_PRIVILEGED);

xpc_connection_set_event_handler(myconnection, ^(xpc_object_t event){
        xpc_type_t xtype = xpc_get_type(event);
        if(XPC_TYPE_ERROR == xtype)

        {
        NSLog(@"XPC sandbox connection error: %s\n", xpc_dictionary_get_string(event, XPC_ERROR_KEY_DESCRIPTION));

        }
        // Always set an event handler. More on this later.
        
        NSLog(@"Received an message event!");
        
    });

    xpc_connection_resume(myconnection);

NSArray *receipements = [NSArray arrayWithObjects:@"+7 (90*) 000-00-00", nil];
    
NSData *ser_rec = [NSPropertyListSerialization dataWithPropertyList:receipements format:200 options:0 error:NULL];

xpc_object_t mydict = xpc_dictionary_create(0, 0, 0);
xpc_dictionary_set_int64(mydict, "message-type", 0);
xpc_dictionary_set_data(mydict, "recipients", [ser_rec bytes], [ser_rec length]);
xpc_dictionary_set_string(mydict, "text", "hello from your application!");

Little is left: send the message to the XPC port and make sure it is delivered.

xpc_connection_send_message(myconnection, mydict);
xpc_connection_send_barrier(myconnection, ^{
        NSLog(@"Message has been successfully delievered");
    });

• Generation of different tokens (CSRF, password reset tokens, and etc.)
• Generation of random passwords
• Generation of a text in CAPTCHA
• Generation of session identifiers

SPECIFIC FEATURES OF PYTHON PRNG

• _random implements the Mersenne Twister algorithm (MT) ([6],[7]) with few changes in the C language
• urandom uses external entropy resources (CryptGenRandom uses Windows encryption provider) in the C language
• random is a shell for the _random module in Python-е, including both libraries and having two main functions for pseudorandom number generation — random() and SystemRandom(). 

RANDOM()

SYSTEMRANDOM()

PROTECTION

• Find a script displaying the value random.random() (for instance, error logger does this in Plone (SiteErrorLog.py), it leads to a page "error with number *** is detected", where a random number is displayed).
• Make consequently a series of requests and fix random numbers in them. Request numbers are 1,2,199,200,511,625.
• Perform an easy-to-guess action with the 313th request (for example, generate a link to reset a password).
• Relying on requests 1,199, define the states state_1[1], state_1[2], state_1[397].
• Relying on requests 2,200, define the states state_1[3], state_1[398].
• Relying on request 511 — state_2[397].
• Relying on request 625 — state_3[1].

PRACTICAL APPLICATION

CONCLUSION

• Use the urandom module or the random.SystemRandom() function.
• Initiate with the help of random.seed() prior to each random.random() call with sufficient SEED entropy (if it is impossible to use urandom, you can use, for example, the value of the function md5(time.time()*(int)salt1+str(salt2)) as SEED, where salt1 and salt2 are initiated in the course of web application installation).
• Restrict random number displaying in your web application (you only need to use such hash functions as md5).

LINKS

UXSS

CREDENTIAL DISCLOSURE

#define MI_64K_ALIGN(x)(x +0x0F)>>4
#define MmHighsetUserAddress 0x7FFFFFEFFFF

typedef PIMAGE_BASE ULONG_PTR;

typedef enum _MI_MEMORY_HIGHLOW{
    MiMemoryHigh    =0,
    MiMemoryLow     =1,
    MiMemoryHighLow =2} MI_MEMORY_HIGHLOW,*PMI_MEMORY_HIGHLOW;


MI_MEMORY_HIGHLOW MiSelectBitMapForImage(PSEGMENT pSeg){if(!(pSeg->SegmentFlags & FLAG_BINARY32))// WOW binary{if(!(pSeg->ImageInformation->ImageFlags & FLAG_BASE_BELOW_4GB)){if(pSeg->BasedAddress >0x100000000){return MiMemoryHighLow;}else{return MiMemoryLow;}}}return MiMemoryHigh;}

PIMAGE_BASE MiSelectImageBase(void* a1<rcx>, PSEGMENT pSeg){
    MI_MEMORY_HIGHLOW ImageBitmapType;
    ULONG ImageBias;
    RTL_BITMAP *pImageBitMap;
    ULONG_PTR ImageTopAddress;
    ULONG RelocationSizein64k;
    MI_SECTION_IMAGE_INFORMATION *pImageInformation;
    ULONG_PTR RelocDelta;
    PIMAGE_BASE Result = NULL;// rsi = rcx// rcx = rdx// rdi = rdx

    pImageInformation = pSeg->ImageInformation;
    ImageBitmapType = MiSelectBitMapForImage(pSeg);

    a1->off_40h = ImageBitmapType;if(ImageBitmapType == MiMemoryLow){// 64-bit executable with image base below 4 GB
        ImageBias = MiImageBias64Low;
        pImageBitMap = MiImageBitMap64Low;
        ImageTopAddress =0x78000000;}else{if(ImageBitmapType == MiMemoryHighLow){// 64-bit executable with image base above 4 GB
            ImageBias = MiImageBias64High;
            pImageBitMap = MiImageBitMap64High;
            ImageTopAddress =0x7FFFFFE0000;}else{// MiMemoryHigh 32-bit executable image
            ImageBias = MiImageBias;
            pImageBitMap = MiImageBitMap;
            ImageTopAddress =0x78000000;}}// pSeg->ControlArea->BitMap ^= (pSeg->ControlArea->BitMap ^ (ImageBitmapType << 29)) & 0x60000000;// or bitfield form
    pSeg->ControlArea.BitMap = ImageBitmapType;

    RelocationSizein64k = MI_64K_ALIGN(pSeg->TotalNumberOfPtes);if(pSeg->ImageInformation->ImageCharacteristics & IMAGE_FILE_DLL){
        ULONG StartBit =0;
        ULONG GlobalRelocStartBit =0;

        StartBit = RtlFindClearBits(pImageBitMap, RelocationSizein64k, ImageBias);if(StartBit !=0xFFFFFFFF){
            StartBit = MiObtainRelocationBits(pImageBitMap, RelocationSizein64k, StartBit,0);if(StartBit !=0xFFFFFFFF){
                Result = ImageTopAddress -(((RelocationSizein64k)+ StartBit)<<0x10);if(Result ==(pSeg->BasedAddress - a1->SelectedBase)){
                    GlobalRelocStartBit = MiObtainRelocationBits(pImageBitMap, RelocationSizein64k, StartBit,1);
                    StartBit =(GlobalRelocStartBit !=0xFFFFFFFF) ? GlobalRelocStartBit : StartBit;
                    Result = ImageTopAddress -(RelocationSizein64k + StartBit)<<0x10;}

                a1->RelocStartBit = StartBit;
                a1->RelocationSizein64k = RelocationSizein64k;
                pSeg->ControlArea->ImageRelocationStartBit = StartBit;
                pSeg->ControlArea->ImageRelocationSizeIn64k = RelocationSizein64k;return Result;}}}else{// EXE imageif(a1->SelectedBase != NULL){return pSeg->BasedAddress;}if(ImageBitmapType == MiMemoryHighLow){
            a1->RelocStartBit =0xFFFFFFFF;
            a1->RelocationSizein64k =(WORD)RelocationSizein64k;
            pSeg->ControlArea->ImageRelocationStartBit =0xFFFFFFFF;
            pSeg->ControlArea->ImageRelocationSizeIn64k =(WORD)RelocationSizein64k;return((DWORD)(ExGenRandom(1)%(0x20001- RelocationSizein64k))+0x7F60000)<<16;}}

    ULONG RandomVal = ExGenRandom(1);
    RandomVal =(RandomVal %0xFE+1)<<0x10;

    RelocDelta = pSeg->BasedAddress - a1->SelectedBase;if(RelocDelta > MmHighsetUserAddress){return0;}if((RelocationSizein64k <<0x10)>  MmHighsetUserAddress){return0;}if(RelocDelta +(RelocationSizein64k <<0x10)<= RelocDelta){return0;}if(RelocDelta +(RelocationSizein64k <<0x10)> MmHighsetUserAddress){return0;}if(a1->SelectedBase + RandomVal ==0){
        Result = pSeg->BasedAddress;}else{if(RelocDelta > RandomVal){
            Result = RelocDelta - RandomVal;}else{
            Result = RelocDelta + RandomVal;if(Result < RelocDelta){return0;}if(((RelocationSizein64k <<0x10)+ RelocDelta + RandomVal)>0x7FFFFFDFFFF){return0;}if(((RelocationSizein64k <<0x10)+ RelocDelta + RandomVal)<(RelocDelta +(RelocationSizein64k <<0x10)))){return0;}}}//random_epilog
    a1->RelocStartBit =0xFFFFFFFF;
    a1->RelocationSizein64k = RelocationSizein64k;
    pSeg->ControlArea->ImageRelocationStartBit =0xFFFFFFFF;
    pSeg->ControlArea->ImageRelocationSizeIn64k = RelocationSizein64k;return Result;}

VOID MiInitializeRelocations(){
    MiImageBias = ExGenRandom(1)%256;
    MiImageBias64Low = ExGenRandom(1)% MiImageBitMap64Low.SizeOfBitMap;
    MiImageBias64High = ExGenRandom(1)% MiImageBitMap64High.SizeOfBitMap;return;}

struct MiniFsFileEntry{DWORD fileIndex;DWORD fileOffset;DWORD fileSize;};

1. Retrieves hard drive features.
2. Reads original MBR from the hidden file system.
3. Replaces our MBR with original MBR at the 0x7c00 address.
4. Reads and decrypts a hypervisor loader from the file system.
5. Reads and decrypts a hypervisor body from the file system.
6. Prepares parameters and passes control to the hypervisor loader.

• Enters the VMX-root mode.
• Sets the VMCS structure to start the guest system in the real mode starting from the 0x7c00 address.
• Sets up guest exit handlers.
• Starts a guest by executing the VMLAUNCH instruction.

importsys, hashlib(5, 1, 3, 6,) = (10018627425667944010192184374616954034932336288972070602267764174849233338727414964592990350312034463496546535924460513481267263055398790908691402854122123L, 7548218116432136940925610514648634474612691039131890951895054656437277296127635726026902728136306678987800886118938655787775411887815467753774352743068577L, 6192128262312421513644888506697421915171917575080330421897398651929773466194971539791158995262083381167771056580666419101167108372547406447696753234781064L, sys.argv[-1])ifnot 6.isalnum()orlen(6)>10: raiseException('Bad pwd')0 = (chr(len(6)) + 6)*322 = pow(1, int(0[:64].encode('hex'), 16), 5)if3!= 2: printhex(2)else: print hashlib.md5(6).hexdigest()

Python 2.7, "pgxweh"<=>"513602"

importsys, hashlib(p, g, x, w,) = (10018627425667944010192184374616954034932336288972070602267764174849233338727414964592990350312034463496546535924460513481267263055398790908691402854122123L,
7548218116432136940925610514648634474612691039131890951895054656437277296127635726026902728136306678987800886118938655787775411887815467753774352743068577L,
6192128262312421513644888506697421915171917575080330421897398651929773466194971539791158995262083381167771056580666419101167108372547406447696753234781064L, sys.argv[-1])ifnot w.isalnum()orlen(w)>10: raiseException('Bad pwd')
e = (chr(len(w)) + w)*32
h = pow(g, int(e[:64].encode('hex'), 16), p)if x != h: printhex(h)else: print hashlib.md5(w).hexdigest()

Binary – 400 (BoobFs)

This task is very interesting, but no team managed to solve it.
Input data:

1. BMP image (file system image).
2. A software to create a file system image out of files.

File system image as a picture

The file system consists of a main header, one directory including a variable file amount and divided into several blocks of variable length. Each file is also divided into blocks of variable length. The blocks are encrypted by the RC4 algorithm on a user key. A directory contains a file name, its size, and the size and offset of the first file's block. Each block contains the offset and size of the next block. The file system grows from the end.

struct FS_HEADER{
 DWORD signature;// BOOB
 DWORD dirOffset;
 DWORD firstBlockSize;}; struct DIR_BLOCK_HEADER{
 BYTE  signature;// D
 DWORD nextBlockOffset;
 DWORD nextBlockSize;
 DWORD numberOfFiles;}; struct FILE_ENTRY{
 CHAR  fileName[MAX_FNAME];// MAX_FNAME = 20
 DWORD fileSizeInBytes;
 DWORD firstBlockOffset;
 DWORD firstBlockSize;}; struct FILE_BLOCK_HEADER{
 BYTE  signature;// F
 DWORD nextBlockOffset;
 DWORD nextBlockSize;};