2nd Reversing and Offensive-oriented Trends Symposium 2018 (ROOTS)

Academic workshop co-located with DeepSec November 29/30, Vienna

Keynote: Automatic Exploitation - The DARPA Cyber Grand Challenge, what came after, and what is next

Kevin Borgolte (Princeton University)

The automatic exploitation of vulnerabilities has long been a holy grail for software security. However, even manual exploitation by experienced security analysts and researchers has become ever more challenging due to the increased complexity of software systems and the introduction of security defenses. In this keynote, we will orientate ourselves on where we are on the path to automatically "popping root shells with theorems." We will recap the DARPA Cyber Grand Challenge, a competition organized by the United States' Defense Advanced Research Projects Agency, in which competitors were required to develop and implement a self-contained system that automatically finds, patches, and exploits vulnerabilities in software, and which spurred research on automatic exploitation because of its high stakes. We will look into the automatic exploitation systems that Shellphish fielded in the DARPA Cyber Grand Challenge (CGC), the Mechanical Phish, which exploited more binary executables than any other team in the CGC's final event. Finally, we will learn what research came after the DARPA Cyber Grand Challenge, the limitations of current approaches, and what the next challenges that we need to tackle are.
[ Video ]

List of Accepted Papers

How Android's UI Security is Undermined by Accessibility

Anatoli Kalysch, Davide Bove and Tilo Müller

Android's accessibility API was designed to assist users with disabilities, or temporarily preoccupied users unable to interact with a device, e.g., while driving a car. Nowadays, many Android apps rely on the accessibility API for other purposes, including apps like password managers but also malware. From a security perspective, the accessibility API is precarious as it undermines an otherwise strong principle of sandboxing in Android that separates apps. By means of an accessibility service, apps can interact with the UI elements of another app, including reading from its screen and writing to its text fields. As a consequence, design shortcomings in the accessibility API and other UI features such as overlays have grave security implications.
This talk will provide a critical perspective on the current state of Android accessibility and selected UI security features. Starting with an app store centered overview of how accessibility services are used we will continue with currently unpatched flaws in the accessibility design of Android discovered during our assessment. These flaws and vulnerabilities allow information leakages and denial of service attacks up until Android 8.1. With an enabled accessibility service, we are able to sniff sensitive data from apps, including the password of Android's own lock screen.
To evaluate the effectiveness of our attacks against third-party apps, we examined the 1100 most downloaded apps from Google Play and found 99.25% of them to be vulnerable to at least one of the attacks covered in this talk. In the end possible countermeasures are discussed and we shed some light on the reporting process of Android vulnerabilities.

[ Video of Presentation ] [ PDF from ACM DL ] [ DOI 10.1145/3289595.3289597 ] [ PDF from author's repository ]

The Swift Language from a Reverse Engineering Perspective

Malte Kraus and Vincent Haupert

ver the last decade, mobile devices have taken over the consumer market for computer hardware. Almost all these mobile devices run either Android or iOS as their operating systems. In 2014, Apple introduced the Swift programming language as an alternative to Objective C for writing iOS and macOS applications. The rising adoption of this new language has to some extent obsoleted existing techniques for program analysis for these platforms, like method swizzling and "class-dump".
In this paper we discuss features of Swift binaries that help in reverse engineering the functionality of the contained code: We document the memory layout of compound data types and the calling convention used by the Swift compiler, as well as the runtime type information that is used by runtime and debugger when data types are not known statically. This type information is rich enough to allow an almost full recovery of the definition of most Swift data types, e.g. including even the names and offset of the members of compound data types.
Based on these findings, we introduce the open source swift-frida library for iOS built on top of the Frida instrumentation framework. It provides this information about all public and many private Swift data types in a process. It allows transparent read/write access to Swift variables and their data members with known type and memory location.

[ Video of Presentation ] [ PDF from ACM DL ] [ DOI 10.1145/3289595.3289599 ]

Library and Function Identification by Optimized Pattern Matching on Compressed Databases

Maximilian von Tschirschnitz

The goal of library and function identification is to find the original library and function to a given machine-code snippet. These snippets commonly arise from penetration tests attacking a remote executable, static malware analysis or from an IP infringement investigation. While there are several tools designed to achieve this task, all of these seem to rely on varied methods of signature-based identification. In this paper, we argue that this approach is not sufficient for many cases and propose a design and implementation for a multitool called KISS. KISS uses lossless compression and highly optimized pattern matching algorithms to create a very compact but substantial database of library versions. In practice, KISS shows to achieve remarkable compression rates below 30 percent of the original database size while still allowing for extremely fast (sublinear) snippet identification.
We use statistical test to show that its code snippet recognition is tremendously successful while having a close to the lowest theoretical bound of false positives. Finally, we also demonstrate how our approach improves the security of existing techniques as our design relies fully on complete function body verification, which prevents analysis-resilient malware from disguising as external and trusted library code. This has recently rosen to a problem for malware analysts with existing identification solutions.

[ Video of Presentation ] [ PDF from ACM DL ] [ DOI 10.1145/3289595.3289598 ]

Kernel-Assisted Debugging of Linux Applications

Tobias Holl, Philipp Klocke, Fabian Franzen and Julian Kirsch

On Linux, most---if not all---debuggers use the ptrace debugging API to control their target processes. However, ptrace proves unsatisfactory for many malware analysis and reverse engineering tasks: So-called split-personality malware often adapts its behavior in the presence of a debugger, yet ptrace makes no attempt to hide from a target process. Furthermore, ptrace enforces a strict one-to-many relation meaning that while each tracer can trace many tracees, each tracee can only be controlled by at most one tracer. Simultaneously, the complex API and signal-based communications provide opportunities for erroneous usage.
Previous works have identified the newer uprobes tracing API as a candidate for building a replacement for ptrace, but ultimately rejected it due to lack of practical use and documentation. Building upon uprobes, we introduce plutonium-dbg, a Linux kernel module providing debugging facilities independent of the limitations of ptrace alongside a GDB-compatible interface. Our approach aims to mitigate some of the design flaws of ptrace that make it both hard to use and easy to detect by malicious software.
We show how plutonium-dbg's design and implementation remove many of the most frequently named issues with ptrace, and that our method improves on traditional ptrace-based debuggers (GDB and LLDB) when evaluated on software samples that attempt to detect the presence of a debugger.

[ Video of Presentation ] [ PDF from ACM DL ] [ DOI 10.1145/3289595.3289596 ]