Efficient Bytecode Analysis: Linespeed Shellcode Detection
4 likes4,077 views
The document discusses efficient techniques for detecting shellcode inline. It describes the structure of shellcode and challenges in detecting it. It introduces libscizzle, which uses efficient emulation to identify possible shellcode execution sequences and verifies candidates using sandboxed hardware execution. Libscizzle scans data at gigabit speeds with no false positives and no known false negatives, representing about a 1000x speed improvement over previous tools like libemu.
1 of 11
Downloaded 66 times
![Shellcode Decoder Structure
jmp getpc ; jump to GetPC
start: ; GetPC 2: ebp = EIP
pop ebp
push 42 ; load counter = 42
pop ecx
push 23 ; load key = 23
pop edx
decrypt:
xor byte [ebp+ecx], dl ; unxor one byte
loop decrypt ; repeat until ecx = 0
jmp payload
getpc:
call start ; GetPC 1: push EIP to stack
payload:](https://image.slidesharecdn.com/shellcodedetection-110321051546-phpapp02/85/Efficient-Bytecode-Analysis-Linespeed-Shellcode-Detection-3-320.jpg)
![GetPC Sequences
• call $+5, pop r32
– Push return address for function call onto stack
– Use stack access to read back the return address
• fnop, fnstenv [esp+0x0c], pop r32
– Use a floating point instruction, address will be stored in floating point
control aread
– Save floating point control area on stack
– Read back the instruction address from stack
• Structured Exception Handling
– Windows specific, trigger an exception
– Get address of exception instruction in exception handler](https://image.slidesharecdn.com/shellcodedetection-110321051546-phpapp02/85/Efficient-Bytecode-Analysis-Linespeed-Shellcode-Detection-4-320.jpg)
![Evaluation: Performance
$ ./libscizzle-test < urandom.bin
[*] Filtering / scanning over 32.0 MiB of data took 105 ms.
[*] Verifying 700 shellcode candidate offsets...
[*] Verification over 32.0 MiB of data took 217 ms.
[*] Everything over 32.0 MiB of data took 322 ms.
• 99.38 Mib / sec, 795 MiB / sec on my presentation laptop, single core
• About 1000x faster than libemu, a lot faster than Markov Chains
• This is fast enough to do it inline at GigaBit speed on a commodity
server, think IPS
• Real world data has usually better properties than purely random data](https://image.slidesharecdn.com/shellcodedetection-110321051546-phpapp02/85/Efficient-Bytecode-Analysis-Linespeed-Shellcode-Detection-9-320.jpg)
Ad
Recommended
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017
Dynamic Instrumentation- OpenEBS Golang Meetup July 2017OpenEBS The slides were presented by Jeffry Molanus who is the CTO of OpenEBS in Golang Meetup. OpenEBS is an open source cloud native storage. OpenEBS delivers storage and storage services to containerized environments. OpenEBS allows stateful workloads to be managed more like stateless containers. OpenEBS storage services include: per container (or pod) QoS SLAs, tiering and replica policies across AZs and environments, and predictable and scalable performance.Our vision is simple: let’s let storage and storage services for persistent workloads be so fully integrated into the environment and hence managed automatically that is almost disappears into the background as just yet another infrastructure service that works.
Make Your Own Developement Board @ 2014.4.21 JuluOSDev
Make Your Own Developement Board @ 2014.4.21 JuluOSDevJian-Hong Pan This document discusses building a development board for an ATMega8 microcontroller that functions as a simple oscilloscope. It outlines meeting specifications, minimizing costs, and completing the project in the shortest time as the core engineering values. It provides the specifications for the oscilloscope, discusses using AVR microcontroller features to implement it, and lists the tools needed including an AVR compiler and programmer. Circuits for a function generator and integrating the oscilloscope with a Python console are presented. The document emphasizes applying knowledge from school to implementation and building your own tools.
grsecurity and PaX
grsecurity and PaXKernel TLV In this talk, Gil Yankovitch discusses the PaX patch for the Linux kernel, focusing on memory manager changes and security mechanisms for memory allocations, reads, writes from user/kernel space and ASLR.
High-Performance Networking Using eBPF, XDP, and io_uring
High-Performance Networking Using eBPF, XDP, and io_uringScyllaDB Bryan McCoid discusses using eBPF, XDP, and io_uring for high performance networking. XDP allows programs to process packets in the kernel without loading modules. AF_XDP sockets use eBPF to route packets between kernel and userspace via ring buffers. McCoid is building a Rust runtime called Glommio to interface with these techniques. The runtime integrates with io_uring and allows multiple design patterns for receiving packets from AF_XDP sockets.
The Silence of the Canaries
The Silence of the CanariesKernel TLV Agenda:
This talk will provide an in-depth review of the usage of canaries in the kernel and the interaction with userspace, as well as a short review of canaries and why they are needed in general so don't be afraid if you never heard of them.
Speaker:
Gil Yankovitch, CEO, Chief Security Researcher from Nyx Security Solutions
The Simple Scheduler in Embedded System @ OSDC.TW 2014
The Simple Scheduler in Embedded System @ OSDC.TW 2014Jian-Hong Pan The document describes a simple scheduler module implemented in C for embedded systems. It breaks processes into small jobs represented by functions that are scheduled in a first-in, first-out queue without preemption. This allows embedding an operating system concept into simple systems using only functions and a ready queue. Interrupts can add jobs to the queue. The scheduler and example oscilloscope application demonstrate scheduling without process state using only callbacks.
Advance ROP Attacks
Advance ROP Attacksn|u - The Open Security Community This document discusses return-oriented programming (ROP) attacks and variants. It begins with an introduction to ROP attacks, explaining that they circumvent data execution prevention by chaining small snippets of executable code (called gadgets) that end in return instructions. It then covers different ROP attack techniques like using arithmetic, comparison, and loop gadgets to achieve Turing completeness. The document discusses challenges like handling null bytes and describes variants like jump-oriented programming (JOP) that uses indirect jumps. It also covers creating alphanumeric ROP shellcode by selecting printable addresses. In the end, it provides tips for effectively searching gadgets.
Get Lower Latency and Higher Throughput for Java Applications
Get Lower Latency and Higher Throughput for Java ApplicationsScyllaDB Getting the best performance out of your Java applications can often be a challenge due to the managed environment nature of the Java Virtual Machine and the non-deterministic behaviour that this introduces. Automatic garbage collection (GC) can seriously affect the ability to hit SLAs for the 99th percentile and above.
This session will start by looking at what we mean by speed and how the JVM, whilst extremely powerful, means we don’t always get the performance characteristics we want. We’ll then move on to discuss some critical features and tools that address these issues, i.e. garbage collection, JIT compilers, etc. At the end of the session, attendees will have a clear understanding of the challenges and solutions for low-latency Java.
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB In the context of high-performance computing (HPC), the Operating System Noise (osnoise) refers to the interference experienced by an application due to activities inside the operating system. In the context of Linux, NMIs, IRQs, softirqs, and any other system thread can cause noise to the application. Moreover, hardware-related jobs can also cause noise, for example, via SMIs.
HPC users and developers that care about every microsecond stolen by the OS need not only a precise way to measure the osnoise but mainly to figure out who is stealing cpu time so that they can pursue the perfect tune of the system. These users and developers are the inspiration of Linux's osnoise tracer.
The osnoise tracer runs an in-kernel loop measuring how much time is available. It does it with preemption, softirq and IRQs enabled, thus allowing all the sources of osnoise during its execution. The osnoise tracer takes note of the entry and exit point of any source of interferences. When the noise happens without any interference from the operating system level, the tracer can safely point to a hardware-related noise. In this way, osnoise can account for any source of interference. The osnoise tracer also adds new kernel tracepoints that auxiliaries the user to point to the culprits of the noise in a precise and intuitive way.
At the end of a period, the osnoise tracer prints the sum of all noise, the max single noise, the percentage of CPU available for the thread, and the counters for the noise sources, serving as a benchmark tool.
Onnc intro
Onnc introLuba Tang The document discusses ONNC, a compiler for deep learning formats like ONNX. It aims to connect ONNX to various deep learning accelerator (DLA) chips to help vendors bring products to market faster. Key features include supporting DLA features, optimizing memory usage and execution time, and being released as open source before the end of July 2018.
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi The Linux 4.x series introduced a new powerful engine of programmable tracing (BPF) that allows to actually look inside the kernel at runtime. This talk will show you how to exploit this engine in order to debug problems or identify performance bottlenecks in a complex environment like a cloud. This talk will cover the latest Linux superpowers that allow to see what is happening “under the hood” of the Linux kernel at runtime. I will explain how to exploit these “superpowers” to measure and trace complex events at runtime in a cloud environment. For example, we will see how we can measure latency distribution of filesystem I/O, details of storage device operations, like individual block I/O request timeouts, or TCP buffer allocations, investigating stack traces of certain events, identify memory leaks, performance bottlenecks and a whole lot more.
Using eBPF to Measure the k8s Cluster Health
Using eBPF to Measure the k8s Cluster HealthScyllaDB As a k8s cluster-admin your app teams have a certain expectation of your cluster to be available to deploy services at any time without problems. While there is no shortage on metrics in k8s its important to have the right metrics to alert on issues and giving you enough data to react to potential availability issues. Prometheus has become a standard and sheds light on the inner behaviour of Kubernetes clusters and workloads. Lots of KPIs (CPU, IO, network. Etc) in our On-Premise environment are less precise when we start to work in a Cloud environment. Ebpf is the perfect technology that fulfills that requirement as it gives us information down to the kernel level. In 2018 Cloudflare shared an opensource project to expose custom ebpf metrics in Prometheus. Join this session and learn about: • What is ebpf? • What type of metrics we can collect? • How to expose those metrics in a K8s environment. This session will try to deliver a step-by-step guide on how to take advantage of the ebpf exporter.
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationSaber Ferjani Our project comes in order to enhance Qemu simulation speed, through the proposal of a new cache algorithm that detect frequently used blocks and improves their reuse ratio.
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Sneeker Yeh The document outlines the analysis of a kernel panic log to identify a concurrency bug in a driver. The analysis included: 1) Log analysis found a buggy memory write, 2) Dump file analysis traced execution to this write, 3) Further log analysis found an interrupted context was involved, suggesting a concurrency bug. Tracing ARM instructions in the dump file around the interruption point helped identify that a variable was being incorrectly accessed.
Dead Lock Analysis of spin_lock() in Linux Kernel (english)
Dead Lock Analysis of spin_lock() in Linux Kernel (english)Sneeker Yeh The document discusses spin locks and semaphores in the Linux kernel. It begins with an introduction to the difference between spin locks and semaphores. Spin locks cause threads to continuously loop trying to acquire the lock, while semaphores cause threads to sleep. An example is given of a deadlock scenario that can occur with spin locks. The document then discusses the concept of context in the kernel, including user context, interrupt context, and the control flow during procedure calls and interrupts. Log analysis and examples of double-acquire deadlocks involving spin locks are provided. The document concludes with recommendations for how to prevent deadlocks, such as using spin_lock_irqsave/restore and avoiding semaphores in interrupt context.
Whoops! I Rewrote It in Rust
Whoops! I Rewrote It in RustScyllaDB Three engineers, at various points, each take their own approach adding Rust to a C codebase, each being more and more ambitious. I initially just wanted to replace the server’s networking and event loop with an equally fast Rust implementation. We’d reuse many core components that were in C and just call into them from Rust. Surely it wouldn’t be that much code…
Pelikan is Twitter’s open source and modular framework for in-memory caching, allowing us to replace Memcached and Redis forks with a single codebase and achieve better performance. At Twitter, we operate hundreds of cache clusters storing hundreds of terabytes of small objects in memory. In-memory caching is critical, and demands performance, reliability, and efficiency.
In this talk, I’ll share my adventures in working on Pelikan and how rewriting it in Rust can be more than just a meme.
Continuous Performance Regression Testing with JfrUnit
Continuous Performance Regression Testing with JfrUnitScyllaDB Gunnar Morling is a software engineer and open-source enthusiast by heart. He is leading the Debezium project, a platform for change data capture (CDC). He is a Java Champion, the spec lead for Bean Validation 2.0 (JSR 380) and has founded multiple open source projects such as Deptective and MapStruct. Prior to joining Red Hat, Gunnar worked on a wide range of Java EE projects in the logistics and retail industries. He's based in Hamburg, Germany.
Linux kernel debugging
Linux kernel debugginglibfetion This document discusses Linux kernel debugging. It provides an overview of debugging techniques including collecting system information, handling failures, and using printk(), KGDB, and debuggers. Key points covered are the components of a debugger, how KGDB can be used with gdb to debug interactively, analyzing crash data, and some debugging tricks and print functions.
Crimson: Ceph for the Age of NVMe and Persistent Memory
Crimson: Ceph for the Age of NVMe and Persistent MemoryScyllaDB Ceph is a mature open source software-defined storage solution that was created over a decade ago.
During that time new faster storage technologies have emerged including NVMe and Persistent memory.
The crimson project aim is to create a better Ceph OSD that is more well suited to those faster devices. The crimson OSD is built on the Seastar C++ framework and can leverage these devices by minimizing latency, cpu overhead, and cross-core communication. This talk will discuss the project design, our current status, and our future plans.
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VScyllaDB This document discusses porting the Alpine Linux distribution and EVE operating system to RISC-V processors. It provides an overview of RISC-V and describes how Alpine Linux and EVE-OS are well-suited for edge computing workloads due to their small footprint and use of containers. The document then outlines the steps taken to port Alpine Linux and its packages to RISC-V, including getting key packages like libunwind to build and working with the Alpine community. It concludes by encouraging more development of software for the emerging RISC-V server platforms.
Demo
Demosean chen This document outlines requirements and frameworks for hardware/software co-design verification including using a simulator for co-simulation of hardware and software with a unit testing framework in Python, implementing a regression framework in Jenkins for running daily jobs and reporting results, and providing examples for hardware/software co-design verification using tools like MyHDL, as well as references Python and Perl projects.
LAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backportingLinaro LAS16-101: Efficient kernel backporting
Speakers: Alex Shi
Date: September 26, 2016
★ Session Description ★
In computer/mobile product world, due to the stability, project timeline, etc considerations, latest upstream kernel isn’t their preference. The long term stable kernel is. But if you want to some of the latest features which only is in upstream kernel,you will have to backport them to old stable kernel. This presentation will share the kernel feature backport experience with audience, help them understand how to do backports quickly and effectively without detailed knowledge of the target feature, thus giving more flexibility and Improving productivity when making products. We will use some examples, to discuss how to get info from backport request, how to find necessary commits, how to get dependency, how to resolve conflicts, and finally how to test it.
★ Resources ★
Etherpad: pad.linaro.org/p/las16-101
Presentations & Videos: http://connect.linaro.org/resource/las16/las16-101/
★ Event Details ★
Linaro Connect Las Vegas 2016 – #LAS16
September 26-30, 2016
http://www.linaro.org
http://connect.linaro.org
OSv Unikernel — Optimizing Guest OS to Run Stateless and Serverless Apps in t...
OSv Unikernel — Optimizing Guest OS to Run Stateless and Serverless Apps in t...ScyllaDB Unikernels have been demonstrated to deliver excellent performance in terms of throughput and latency, while providing high isolation. However they have also been shown to underperform in some types of workloads when compared to a generic OS like Linux. In this presentation, we demonstrate that certain types of workloads - web servers, microservices, and other stateless and/or serverless apps - can greatly benefit from OSv optimized networking stack and other features. We describe number of experiments where OSv outperforms Linux guest: most notably we note 1.6 throughput (req/s) and 0.6 latency improvement (at p99 percentile) when running nginx and 1.7 throughput (req/s) and 0.6 latency improvement (at p99 percentile) when running simple microservice implemented in Golang.
We also show that OSv' small kernel, low boot time and memory consumption allow for very high density when running server-less workloads. The experiment described in this presentation shows we can boot 1,800 OSv microVMs per second on AWS c5n.metal machine with 72 CPUs (25 boots/sec on single CPU) with guest boot time recorded as low as 8.98ms at p50 and 31.49ms at p99 percentile respectively.
Lastly we also demonstrate how to automate the build process of the OSv kernel tailored exactly to the specific app and/or VMM so that only the code and symbols needed are part of the kernel and nothing more. OSv is an open source project and can be found at https://github.com/cloudius-systems/osv.
Continuous Go Profiling & Observability
Continuous Go Profiling & ObservabilityScyllaDB This presentation is for Go developers and operators of Go applications who are interested in reducing costs and latency, or debugging problems such as memory leaks, infinite loops, performance regressions, etc. of such applications. We'll start with a brief description of the unique aspects of the Go runtime, and then take a look at the builtin profilers as well as Go's execution tracer. Additionally we'll look at the interoperability with popular observability tools such as Linux perf and bpftrace. After this presentation you should have a good idea of the various tools you can use, and which ones might be the most useful to you in a production environment.
Evented Ruby VS Node.js
Evented Ruby VS Node.jsNitin Gupta This document discusses evented programming in Node.js and Ruby. It explains that evented programming uses callbacks and asynchronous non-blocking I/O. Node.js uses this approach to improve concurrency over blocking I/O models. Ruby can also implement evented programming using libraries like EventMachine that provide asynchronous abstractions while keeping app code procedural. The document provides examples of building evented applications in both languages.
Designing Tracing Tools
Designing Tracing ToolsSysdig You have a system with an advanced programmatic tracer: do you know what to do with it? Brendan has used numerous tracers in production environments, and has published hundreds of tracing-based tools. In this talk he will share tips and know-how for creating CLI tracing tools and GUI visualizations, to solve real problems effectively. Programmatic tracing is an amazing superpower, and this talk will show you how to wield it!
from Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu WorksZhen Wei This document discusses how Qemu works to translate guest binaries to run on the host machine. It first generates an intermediate representation called TCG-IR from the guest binary code. It then translates the TCG-IR into native host machine code. To achieve high performance, it chains translated blocks together by patching jump targets. Key techniques include just-in-time compilation, translation block finding, block chaining, and helper functions to emulate unsupported guest instructions.
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onAPNIC This document discusses various techniques for IPv6 transition and coexistence with IPv4, including:
- Dual-stack which allows simultaneous support of both IPv4 and IPv6.
- Tunnels which encapsulate IPv6 packets in IPv4 packets to provide IPv6 connectivity through IPv4 networks.
- Translation techniques like NAT64 which allow communication between IPv4-only and IPv6-only nodes.
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAbhineet Ayan This is a basic guide to step by step analysing of a shell code and a good example of reverse engineering by Abhineet Ayan
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali The document discusses different types of shellcodes and their uses. It provides examples of x86 and x86_64 shellcode code to execute a Linux system call. It also lists resources for further information on shellcode design and exploitation techniques.
Ad
More Related Content
What's hot (20)
OSNoise Tracer: Who Is Stealing My CPU Time?
OSNoise Tracer: Who Is Stealing My CPU Time?ScyllaDB In the context of high-performance computing (HPC), the Operating System Noise (osnoise) refers to the interference experienced by an application due to activities inside the operating system. In the context of Linux, NMIs, IRQs, softirqs, and any other system thread can cause noise to the application. Moreover, hardware-related jobs can also cause noise, for example, via SMIs.
HPC users and developers that care about every microsecond stolen by the OS need not only a precise way to measure the osnoise but mainly to figure out who is stealing cpu time so that they can pursue the perfect tune of the system. These users and developers are the inspiration of Linux's osnoise tracer.
The osnoise tracer runs an in-kernel loop measuring how much time is available. It does it with preemption, softirq and IRQs enabled, thus allowing all the sources of osnoise during its execution. The osnoise tracer takes note of the entry and exit point of any source of interferences. When the noise happens without any interference from the operating system level, the tracer can safely point to a hardware-related noise. In this way, osnoise can account for any source of interference. The osnoise tracer also adds new kernel tracepoints that auxiliaries the user to point to the culprits of the noise in a precise and intuitive way.
At the end of a period, the osnoise tracer prints the sum of all noise, the max single noise, the percentage of CPU available for the thread, and the counters for the noise sources, serving as a benchmark tool.
Onnc intro
Onnc introLuba Tang The document discusses ONNC, a compiler for deep learning formats like ONNX. It aims to connect ONNX to various deep learning accelerator (DLA) chips to help vendors bring products to market faster. Key features include supporting DLA features, optimizing memory usage and execution time, and being released as open source before the end of July 2018.
Linux kernel tracing superpowers in the cloud
Linux kernel tracing superpowers in the cloudAndrea Righi The Linux 4.x series introduced a new powerful engine of programmable tracing (BPF) that allows to actually look inside the kernel at runtime. This talk will show you how to exploit this engine in order to debug problems or identify performance bottlenecks in a complex environment like a cloud. This talk will cover the latest Linux superpowers that allow to see what is happening “under the hood” of the Linux kernel at runtime. I will explain how to exploit these “superpowers” to measure and trace complex events at runtime in a cloud environment. For example, we will see how we can measure latency distribution of filesystem I/O, details of storage device operations, like individual block I/O request timeouts, or TCP buffer allocations, investigating stack traces of certain events, identify memory leaks, performance bottlenecks and a whole lot more.
Using eBPF to Measure the k8s Cluster Health
Using eBPF to Measure the k8s Cluster HealthScyllaDB As a k8s cluster-admin your app teams have a certain expectation of your cluster to be available to deploy services at any time without problems. While there is no shortage on metrics in k8s its important to have the right metrics to alert on issues and giving you enough data to react to potential availability issues. Prometheus has become a standard and sheds light on the inner behaviour of Kubernetes clusters and workloads. Lots of KPIs (CPU, IO, network. Etc) in our On-Premise environment are less precise when we start to work in a Cloud environment. Ebpf is the perfect technology that fulfills that requirement as it gives us information down to the kernel level. In 2018 Cloudflare shared an opensource project to expose custom ebpf metrics in Prometheus. Join this session and learn about: • What is ebpf? • What type of metrics we can collect? • How to expose those metrics in a K8s environment. This session will try to deliver a step-by-step guide on how to take advantage of the ebpf exporter.
Translation Cache Policies for Dynamic Binary Translation
Translation Cache Policies for Dynamic Binary TranslationSaber Ferjani Our project comes in order to enhance Qemu simulation speed, through the proposal of a new cache algorithm that detect frequently used blocks and improves their reuse ratio.
Concurrency bug identification through kernel panic log (english)
Concurrency bug identification through kernel panic log (english)Sneeker Yeh The document outlines the analysis of a kernel panic log to identify a concurrency bug in a driver. The analysis included: 1) Log analysis found a buggy memory write, 2) Dump file analysis traced execution to this write, 3) Further log analysis found an interrupted context was involved, suggesting a concurrency bug. Tracing ARM instructions in the dump file around the interruption point helped identify that a variable was being incorrectly accessed.
Dead Lock Analysis of spin_lock() in Linux Kernel (english)
Dead Lock Analysis of spin_lock() in Linux Kernel (english)Sneeker Yeh The document discusses spin locks and semaphores in the Linux kernel. It begins with an introduction to the difference between spin locks and semaphores. Spin locks cause threads to continuously loop trying to acquire the lock, while semaphores cause threads to sleep. An example is given of a deadlock scenario that can occur with spin locks. The document then discusses the concept of context in the kernel, including user context, interrupt context, and the control flow during procedure calls and interrupts. Log analysis and examples of double-acquire deadlocks involving spin locks are provided. The document concludes with recommendations for how to prevent deadlocks, such as using spin_lock_irqsave/restore and avoiding semaphores in interrupt context.
Whoops! I Rewrote It in Rust
Whoops! I Rewrote It in RustScyllaDB Three engineers, at various points, each take their own approach adding Rust to a C codebase, each being more and more ambitious. I initially just wanted to replace the server’s networking and event loop with an equally fast Rust implementation. We’d reuse many core components that were in C and just call into them from Rust. Surely it wouldn’t be that much code…
Pelikan is Twitter’s open source and modular framework for in-memory caching, allowing us to replace Memcached and Redis forks with a single codebase and achieve better performance. At Twitter, we operate hundreds of cache clusters storing hundreds of terabytes of small objects in memory. In-memory caching is critical, and demands performance, reliability, and efficiency.
In this talk, I’ll share my adventures in working on Pelikan and how rewriting it in Rust can be more than just a meme.
Continuous Performance Regression Testing with JfrUnit
Continuous Performance Regression Testing with JfrUnitScyllaDB Gunnar Morling is a software engineer and open-source enthusiast by heart. He is leading the Debezium project, a platform for change data capture (CDC). He is a Java Champion, the spec lead for Bean Validation 2.0 (JSR 380) and has founded multiple open source projects such as Deptective and MapStruct. Prior to joining Red Hat, Gunnar worked on a wide range of Java EE projects in the logistics and retail industries. He's based in Hamburg, Germany.
Linux kernel debugging
Linux kernel debugginglibfetion This document discusses Linux kernel debugging. It provides an overview of debugging techniques including collecting system information, handling failures, and using printk(), KGDB, and debuggers. Key points covered are the components of a debugger, how KGDB can be used with gdb to debug interactively, analyzing crash data, and some debugging tricks and print functions.
Crimson: Ceph for the Age of NVMe and Persistent Memory
Crimson: Ceph for the Age of NVMe and Persistent MemoryScyllaDB Ceph is a mature open source software-defined storage solution that was created over a decade ago.
During that time new faster storage technologies have emerged including NVMe and Persistent memory.
The crimson project aim is to create a better Ceph OSD that is more well suited to those faster devices. The crimson OSD is built on the Seastar C++ framework and can leverage these devices by minimizing latency, cpu overhead, and cross-core communication. This talk will discuss the project design, our current status, and our future plans.
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-V
RISC-V on Edge: Porting EVE and Alpine Linux to RISC-VScyllaDB This document discusses porting the Alpine Linux distribution and EVE operating system to RISC-V processors. It provides an overview of RISC-V and describes how Alpine Linux and EVE-OS are well-suited for edge computing workloads due to their small footprint and use of containers. The document then outlines the steps taken to port Alpine Linux and its packages to RISC-V, including getting key packages like libunwind to build and working with the Alpine community. It concludes by encouraging more development of software for the emerging RISC-V server platforms.
Demo
Demosean chen This document outlines requirements and frameworks for hardware/software co-design verification including using a simulator for co-simulation of hardware and software with a unit testing framework in Python, implementing a regression framework in Jenkins for running daily jobs and reporting results, and providing examples for hardware/software co-design verification using tools like MyHDL, as well as references Python and Perl projects.
LAS16-101: Efficient kernel backporting
LAS16-101: Efficient kernel backportingLinaro LAS16-101: Efficient kernel backporting
Speakers: Alex Shi
Date: September 26, 2016
★ Session Description ★
In computer/mobile product world, due to the stability, project timeline, etc considerations, latest upstream kernel isn’t their preference. The long term stable kernel is. But if you want to some of the latest features which only is in upstream kernel,you will have to backport them to old stable kernel. This presentation will share the kernel feature backport experience with audience, help them understand how to do backports quickly and effectively without detailed knowledge of the target feature, thus giving more flexibility and Improving productivity when making products. We will use some examples, to discuss how to get info from backport request, how to find necessary commits, how to get dependency, how to resolve conflicts, and finally how to test it.
★ Resources ★
Etherpad: pad.linaro.org/p/las16-101
Presentations & Videos: http://connect.linaro.org/resource/las16/las16-101/
★ Event Details ★
Linaro Connect Las Vegas 2016 – #LAS16
September 26-30, 2016
http://www.linaro.org
http://connect.linaro.org
OSv Unikernel — Optimizing Guest OS to Run Stateless and Serverless Apps in t...
OSv Unikernel — Optimizing Guest OS to Run Stateless and Serverless Apps in t...ScyllaDB Unikernels have been demonstrated to deliver excellent performance in terms of throughput and latency, while providing high isolation. However they have also been shown to underperform in some types of workloads when compared to a generic OS like Linux. In this presentation, we demonstrate that certain types of workloads - web servers, microservices, and other stateless and/or serverless apps - can greatly benefit from OSv optimized networking stack and other features. We describe number of experiments where OSv outperforms Linux guest: most notably we note 1.6 throughput (req/s) and 0.6 latency improvement (at p99 percentile) when running nginx and 1.7 throughput (req/s) and 0.6 latency improvement (at p99 percentile) when running simple microservice implemented in Golang.
We also show that OSv' small kernel, low boot time and memory consumption allow for very high density when running server-less workloads. The experiment described in this presentation shows we can boot 1,800 OSv microVMs per second on AWS c5n.metal machine with 72 CPUs (25 boots/sec on single CPU) with guest boot time recorded as low as 8.98ms at p50 and 31.49ms at p99 percentile respectively.
Lastly we also demonstrate how to automate the build process of the OSv kernel tailored exactly to the specific app and/or VMM so that only the code and symbols needed are part of the kernel and nothing more. OSv is an open source project and can be found at https://github.com/cloudius-systems/osv.
Continuous Go Profiling & Observability
Continuous Go Profiling & ObservabilityScyllaDB This presentation is for Go developers and operators of Go applications who are interested in reducing costs and latency, or debugging problems such as memory leaks, infinite loops, performance regressions, etc. of such applications. We'll start with a brief description of the unique aspects of the Go runtime, and then take a look at the builtin profilers as well as Go's execution tracer. Additionally we'll look at the interoperability with popular observability tools such as Linux perf and bpftrace. After this presentation you should have a good idea of the various tools you can use, and which ones might be the most useful to you in a production environment.
Evented Ruby VS Node.js
Evented Ruby VS Node.jsNitin Gupta This document discusses evented programming in Node.js and Ruby. It explains that evented programming uses callbacks and asynchronous non-blocking I/O. Node.js uses this approach to improve concurrency over blocking I/O models. Ruby can also implement evented programming using libraries like EventMachine that provide asynchronous abstractions while keeping app code procedural. The document provides examples of building evented applications in both languages.
Designing Tracing Tools
Designing Tracing ToolsSysdig You have a system with an advanced programmatic tracer: do you know what to do with it? Brendan has used numerous tracers in production environments, and has published hundreds of tracing-based tools. In this talk he will share tips and know-how for creating CLI tracing tools and GUI visualizations, to solve real problems effectively. Programmatic tracing is an amazing superpower, and this talk will show you how to wield it!
from Binary to Binary: How Qemu Works
from Binary to Binary: How Qemu WorksZhen Wei This document discusses how Qemu works to translate guest binaries to run on the host machine. It first generates an intermediate representation called TCG-IR from the guest binary code. It then translates the TCG-IR into native host machine code. To achieve high performance, it chains translated blocks together by patching jump targets. Key techniques include just-in-time compilation, translation block finding, block chaining, and helper functions to emulate unsupported guest instructions.
IPv4aaS tutorial and hands-on
IPv4aaS tutorial and hands-onAPNIC This document discusses various techniques for IPv6 transition and coexistence with IPv4, including:
- Dual-stack which allows simultaneous support of both IPv4 and IPv6.
- Tunnels which encapsulate IPv6 packets in IPv4 packets to provide IPv6 connectivity through IPv4 networks.
- Translation techniques like NAT64 which allow communication between IPv4-only and IPv6-only nodes.
Viewers also liked (20)
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAbhineet Ayan This is a basic guide to step by step analysing of a shell code and a good example of reverse engineering by Abhineet Ayan
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali The document discusses different types of shellcodes and their uses. It provides examples of x86 and x86_64 shellcode code to execute a Linux system call. It also lists resources for further information on shellcode design and exploitation techniques.
Linux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary The document provides a basic guide to reverse engineering Linux x86 shellcode. It summarizes reversing two sample shellcodes: 1) A simple program that reads the /etc/passwd file by executing the cat command. By examining registers, it is determined the shellcode executes execve to read the file. 2) An XOR encrypted shellcode that decrypts itself before launching a ksh shell with root privileges using the setreuid system call. Breakpoints are used to stop and disassemble the shellcode at key points to understand its functionality.
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger The document discusses bypassing address space layout randomization (ASLR) on Linux. It begins with a refresher on buffer overflows and modern protections like ASLR and DEP. It then explores finding fixed addresses in the .text section that are not subject to ASLR to redirect execution, such as calls and jumps to registers. The document shows searching binaries for these instruction sequences and checking register values to leverage them for exploiting a vulnerable program while ASLR is enabled.
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycZ Chen The document discusses using the libemu library to detect shellcode and heapspray in the Python honeyclient phoneyc. Libemu allows for shellcode detection using x86 instruction emulation and GetPC heuristics. The document outlines integrating libemu into phoneyc to defend browsers against drive-by downloads and heap-spraying code injection attacks in web-based malware.
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger This document discusses bypassing address space layout randomization (ASLR) protections to execute shellcode on the stack. It begins with an overview of stack-based buffer overflows and modern protections like non-executable stacks. It then describes using return-oriented programming (ROP) techniques like ret2libc to hijack control flow and call library functions like system() to spawn a shell. Specifically, it outlines overwriting a return address to call mprotect() to make the stack executable, then jumping to shellcode on the stack. The document provides example exploit code and steps to find needed addresses in memory.
Java Shellcode Execution
Java Shellcode ExecutionRyan Wincey This document discusses running shellcode from Java by overwriting the pointer to a Java method with a pointer to shellcode. It explains that Java is cross-platform, has an extensive library, and is widely deployed. It then provides an example of NOP shellcode in C to call the shellcode. It links to resources on injecting shellcode from Java without JNI. The document shows a Java method with volatile variables that is overwritten by the shellcode and demonstrates calling the shellcode from Java.
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentAjin Abraham Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEFMichele Orru This document discusses using the Browser Exploitation Framework (BeEF) and inter-protocol exploitation techniques to gain control of victim browsers. It begins with an overview of traditional browser attack vectors and their limitations. It then introduces BeEF and how it can be used to hook victim browsers through XSS and control them remotely with JavaScript. The document proposes revitalizing inter-protocol exploitation techniques to bypass cross-domain restrictions and allow executing commands on the victim's machine. It presents the design of a new BeEF Bind shellcode that sets up a web server to accept commands and control a process like cmd.exe on the victim internally without needing an outbound connection.
Anton Dorfman. Shellcode Mastering.
Anton Dorfman. Shellcode Mastering.Positive Hack Days This document provides an overview of shellcode mastering techniques. It discusses the basics of shellcode including features, types, and development tasks. It covers basic shellcode techniques like call/ret algorithms and delta offset approaches. Optimization techniques are analyzed like instruction format optimizations, register value reusing, and avoiding the stack. An example analysis is given of the evolution of smaller shellcodes over time in a shellcode size competition. Hands-on labs are described to practice skills like addressing variables, using strings, and finding Windows API entry points. Required tools are listed for the labs including debuggers and assemblers.
Shellcode Analysis - Basic and Concept
Shellcode Analysis - Basic and ConceptJulia Yu-Chin Cheng The document discusses analyzing malicious PDF files. It describes decompressing PDFs using PDFTK to extract JavaScript. JavaScript is analyzed using a JavaScript emulator like SpiderMonkey to deobfuscate code. Any shellcode is reformed from Unicode and analyzed using Sctest for its behavior. The document provides examples of analyzing sample PDFs, extracting JavaScript, decompressing streams, and inspecting shellcode payloads. Analysis steps and tools used are explained to help understand how malicious PDF files work and discover embedded exploits.
Hacking school computers for fun profit and better grades short
Hacking school computers for fun profit and better grades shortVincent Ohprecio The document discusses various topics related to hacking including motivations, methodologies, and tools. It describes how hackers conduct reconnaissance on targets, develop exploits, execute exploits, and maintain access. Specific hacking methods like fuzzing, malware kits, and shellcode are explained. Potential targets mentioned include students, faculty computers, wireless networks, and websites. The document also provides biographical information about the author and recommends books and resources for hacking.
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013midnite_runr Patching Windows Executives with the Backdoor Factory is a presentation about binary patching techniques. It discusses the history of patching, how key generators and Metasploit patch binaries, and how the author learned to manually patch binaries. The presentation then introduces the Backdoor Factory tool, which can automatically patch Windows binaries by injecting shellcode into code caves. It demonstrates patching via code cave insertion, single cave jumps, and cave jumping. Mitigations like self-validation and antivirus are discussed.
Exploit Research and Development Megaprimer: Win32 Egghunter
Exploit Research and Development Megaprimer: Win32 EgghunterAjin Abraham Exploit Research and Development Megaprimer
http://opensecurity.in/exploit-research-and-development-megaprimer/
http://www.youtube.com/playlist?list=PLX3EwmWe0cS_5oy86fnqFRfHpxJHjtuyf
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers.
Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year.
Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul.
https://www.tinfoilsecurity.com/blog/cross-platform-exploitation
Software Exploits
Software ExploitsKevinCSmallwood This is a presentation I put together and presented for my colleagues at IBM back in 2006. I started on the section featuring heap exploits and never finished it. I want to finish it someday.
Shellcode injection
Shellcode injectionDhaval Kapil A talk about injecting shellcode in a binary vulnerable to buffer overflow as well as bypassing ASLR(Address Space Layout Randomization)
Writing Metasploit Plugins
Writing Metasploit Pluginsamiable_indian The document discusses exploiting a buffer overflow vulnerability in Internet Explorer's VML implementation (MS06-055) to execute arbitrary code. It describes overwriting the structured exception handler to gain control of the instruction pointer, using heap spraying to load a buffer in memory, and having the instruction pointer jump to the buffer to execute shellcode and spawn a command shell. Metasploit is introduced as an open-source framework for developing exploits.
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...
Rooting your internals - Exploiting Internal Network Vulns via the Browser Us...Michele Orru Browser exploits are a primary attack vector to compromise a victims internal network, but they have major restrictions including; limited current browser exploits; the huge price for 0-day browser exploits; and exploit complexity due to sandboxing. So, instead of exploiting the victims browser, what if the victims browser exploited internal systems for you?
The new "BeEF Bind Exploit Proxy" module does this! This BeEF (Browser Exploitation Framework) module will allow penetration testers to proxy exploits through a victims web browser to compromise internal services. Not only this, but the new "BeEF Bind" shellcode also enables the communication channel to the attacker to pass back through the existing browser session.
This attack technique (Inter-protocol Exploitation) removes browser-based attacks from being dependent upon browser vulnerabilities. It increases the number of potential exploits to include many service vulnerabilities throughout the internal corporate network. This includes whatever service can be contacted via a browser request. This increases the success rate of client-side exploitation attempts by dramatically increasing the number of vulnerabilities accessible to the attacker.
So how does the new BeEF Bind Exploit Proxy work? BeEF is configured to use the BeEF Bind Exploit Proxy, and is set as the payload for XSS exploits or Phishing attacks. Once the victim visits the malicious site, their web browser becomes hooked and performs JavaScript port scanning across the internal corporate network looking for chosen open ports. Once a server has been identified, the BeEF server is notified and begins to send exploits through the hooked web browser to the service on the internal server. Each of these exploits are configured to use the new BeEF Bind shellcode.
Once an exploit has successfully triggered a vulnerability within the internal service, the BeEF Bind shellcode is executed. This shellcode is designed to setup a web-listener that proxies commands through to a shell on the compromised server. This allows the attacker to send commands through the hooked web browser to the BeEF Bind payload. The command is executed on the compromised server and returned to the web browser in HTTP responses. The hooked web browser is then able to receive the command output and proxy it back to the attacker at the BeEF server.
Penetration testers can now inject steroids into their XSS exploits by replacing simple alert boxes with demonstrations of actual compromised internal machines. They can also now increase the scope and success rate of their Phishing attacks to compromise internal servers. This new approach also minimizes the likelihood of IDS/IPS detection, and does not require an additional socket open back to the attacker via the firewall.
Ad
Similar to Efficient Bytecode Analysis: Linespeed Shellcode Detection (20)
Jvm memory model
Jvm memory modelYoav Avrahami The JVM memory model describes how threads in the Java eco-system interact through memory. While the memory model impact on developing for the JVM may not be obvious, it is the cause for certain number of "anomalies" that are, well, by design.
In this presentation we will explore the aspects of the memory model, including things like reordering of instructions, volatile members, monitors, atomics and JIT.
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_S17.shtml
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger This presentation shows that code coverage guided fuzzing is possible in the context of network daemon fuzzing.
Some fuzzers are blackbox while others are protocol aware. Even ones which are made protocol aware, fuzzer writers typically model the protocol specification and implement packet awareness logic in the fuzzer. Unfortunately, just because the fuzzer is protocol aware, it does not guarantee that sufficient code paths have been reached.
The presentation deals with specific scenarios where the target protocol is completely unknown (proprietary) and no source code or protocol specs are accessible. The tool developed builds a feedback loop between the client and the server components using the concept of "gate functions". A gate function triggers monitoring. The pintool component tracks the binary code coverage for all the functions untill it reaches an exit gate. By instrumenting such gated functions, the tool is able to measure code coverage during packet processing.
Ahead-Of-Time Compilation of Java Applications
Ahead-Of-Time Compilation of Java ApplicationsNikita Lipsky Geekout 2016 presentation.
Ahead-of-time (AOT) native compilation has been available for .NET for quite some time, whereas Java SE, while being older than .NET, still does not have a standard AOT compiler. Some people ask why, some people think that it could only work for certain limited types of Java applications, some people think that it is not needed.
The truth, however, is that a Java AOT compiler has been available for over a decade, as part of a compliant Java SE implementation called Excelsior JET, and it proved to be useful for many organizations around the world. In this session, I would like to dispel the common myths about Java AOT compilation and show where it has advantages over JIT compilation from the technical point of view.
A New Tracer for Reverse Engineering - PacSec 2010
A New Tracer for Reverse Engineering - PacSec 2010Tsukasa Oi This document discusses a new tracer for reverse engineering based on record and replay. It aims to make reverse engineering more efficient by overcoming issues with existing instruction tracers like slow speed and large data generation. The proposed tracer is implemented as a virtual machine monitor (VMM) on x64 platforms using binary translation. By classifying elements as deterministic or nondeterministic inputs and interrupts, it can generate small trace logs and have overhead under 100% by leveraging record and replay techniques. It also discusses challenges in modeling x86 elements and implementing lazy evaluation for EFLAGS to further improve efficiency.
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe Shockwave
HES2011 - Aaron Portnoy and Logan Brown - Black Box Auditing Adobe ShockwaveHackito Ergo Sum This document summarizes an approach to auditing the Adobe Shockwave file format and verifying vulnerabilities. It describes how the authors:
1) Encountered difficulties reversing the Shockwave memory manager using traditional debugging tools.
2) Developed a technique using dynamic binary instrumentation to hook the Shockwave file read function and search read buffers for fuzzed file data.
3) Further refined their approach by directly hooking the file read function in MSVCR71.dll, allowing the technique to be reused for other projects.
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...DefconRussia This document summarizes techniques for reverse engineering MIPS firmware. It discusses extracting firmware from devices, analyzing firmware binaries to find code, filesystems and encryption. It provides an overview of the MIPS architecture and reversing tools. It also presents a case study on analyzing routers from Draytek, including decrypting configuration files, dumping firmware and extracting the compressed filesystem. Master keys were derived from MAC addresses using a simple polynomial algorithm.
JVM Memory Model - Yoav Abrahami, Wix
JVM Memory Model - Yoav Abrahami, WixCodemotion Tel Aviv This document discusses the Java Virtual Machine (JVM) memory model and just-in-time (JIT) compilation. It explains that the JVM uses dynamic compilation via a JIT to optimize bytecode at runtime. The JIT profiles code and performs optimizations like inlining, loop unrolling, and escape analysis. It also discusses how the JVM memory model allows for instruction reordering and caching but ensures sequential consistency through happens-before rules and volatile variables. The document provides examples of anomalies that can occur without synchronization and how tools like synchronized, locks, and atomic operations can be used to prevent issues.
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q.
Instructor: Sam Bowne
Class website: https://samsclass.info/127/127_F18.shtml
VMs, Interpreters, JIT
VMs, Interpreters, JITMarcus Denker This document provides an overview of virtual machines, bytecode, and techniques for efficiently executing bytecode. It discusses:
1) How virtual machines simulate processors through bytecode instruction sets and memory management.
2) Bytecode formats and examples of bytecode for operations.
3) Different techniques for executing bytecode like interpretation, threaded code, and just-in-time compilation.
4) Optimizations for method lookup like inline caching and polymorphic inline caching to speed up dynamic method dispatch.
5) Advanced dynamic optimization techniques used in virtual machines like HotSpot that recompile and optimize hot code sections at runtime.
[Ruxcon 2011] Post Memory Corruption Memory Analysis![[Ruxcon 2011] Post Memory Corruption Memory Analysis](https://cdn.slidesharecdn.com/ss_thumbnails/ruxcon-111127233040-phpapp02-thumbnail.jpg?width=560&fit=bounds)
[Ruxcon 2011] Post Memory Corruption Memory AnalysisMoabi.com The document introduces PMCMA, a debugger tool that analyzes memory corruption bugs by forcing processes to fork, overwriting memory locations in the offspring processes, and monitoring execution to map exploitable scenarios. PMCMA aims to provide a roadmap for exploitation by identifying vulnerabilities and possible exploitation techniques like truncating function pointers or exploiting 4-byte aligned memory writes. The tool is available online and has received over 10,000 downloads in its first two months.
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Peter Hlavaty Decades history of kernel exploitation, however still most used techniques are such as ROP. Software based approaches comes finally challenge this technique, one more successful than the others. Those approaches usually trying to solve far more than ROP only problem, and need to handle not only security but almost more importantly performance issues. Another common attacker vector for redirecting control flow is stack what comes from design of today’s architectures, and once again some software approaches lately tackling this as well. Although this software based methods are piece of nice work and effective to big extent, new game changing approach seems coming to the light. Methodology closing this attack vector coming right from hardware - intel. We will compare this way to its software alternatives, how one interleaving another and how they can benefit from each other to challenge attacker by breaking his most fundamental technologies. However same time we go further, to challenge those approaches and show that even with those technologies in place attackers is not yet in the corner.
Larson Macaulay apt_malware_past_present_future_out_of_band_techniques
Larson Macaulay apt_malware_past_present_future_out_of_band_techniquesScott K. Larson The document discusses advanced persistent threats and techniques used by attackers both historically and currently. It covers topics like out-of-band analysis techniques to gain "perfect knowledge" of attackers through reverse engineering, using telemetry and signatures to detect malware, and challenges with scanning techniques due to polymorphism and evasion methods used by attackers.
You didnt see it’s coming? "Dawn of hardened Windows Kernel" 
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty Past few years our team was focusing on different operating systems including Microsoft windows kernel. Honestly our first pwn at Windows kernel was not that challenging. Number of available targets with friendly environment for straightforward pwn, from user up to reliable kernel code execution.
However, step by step, security policies continue to evolve, and it becomes more troublesome to choose ideal attack surface from various sandboxes. In addition, what steps to follow for digging security holes is highly dependent upon the chosen target. In general, a few common strategies are available for researchers to choose: e.g choose “unknown” one which hasn’t been researched before; Select well fuzzed or well audited one, or research on kernel module internals to find “hidden” attack surfaces which are not explicitly interconnected. In the first part of the talk we introduce our methodology of selecting, alongside with cost of tricks around to choose seemingly banned targets, illustrated by notable examples.
After getting hands on potential bug available from targeted sandbox, it is time for Microsoft windows taking hardening efforts to put attacker into corner. Strong mitigations are being introduced more frequently than ever, with promising direction which cuts lots of attack surface off, and a several exploitation techniques being killed. We will show difficulties of developing universal exploitation techniques, and demonstrate needed technical level depending on code quality of target. We will examine how different it becomes with era of Redstone and following versions even with those techniques and good vulnerability in hand. How it changed attacker landscape and how it will (and will not) kill those techniques and applications. However will it really change the game or not?
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...
JavaOne 2010: Top 10 Causes for Java Issues in Production and What to Do When...srisatish ambati Top 10 Causes for Java Issues in Production and What to Do When Things Go Wrong
JavaOne 2010.
Abstract: It's Friday evening and you hear the first rumble . . . one java node has become slightly unresponsive. You lookup the process, get a thread dump, and for good measure restart it at 8 p.m. Saturday afternoon is when you realize that other nodes have caught the flu and you get the ugly call from the customer. In a matter of hours, you're on that conference bridge with support groups of different packages and Java vendors and one of your uberarchitects. Yes, production instances are up and down, and restarting like there's no tomorrow. Here's an accumulated compendium of the op 10 things that can cause Java production heartburn and what to do when your Java production is on fire. And yes, please have your tools belt on.
Speaker(s):
Cliff Click, Azul Systems, Distinguished Engineer
SriSatish Ambati, Azul Systems, Performance Engineer
Vulnerability desing patterns
Vulnerability desing patternsPeter Hlavaty This document discusses vulnerability design patterns for kernel exploitation. It outlines several common vulnerability classes for the kernel including out of boundary errors, buffer overflows, and null pointer writes. It provides examples of how these vulnerabilities could be used to achieve kernel code execution or privilege escalation. It also notes how kernel exploitation techniques have evolved over time to bypass defenses like KASLR and discusses developing exploitation tools instead of just shellcode.
Auditing the Opensource Kernels
Auditing the Opensource KernelsSilvio Cesare The document provides an overview of a presentation on kernel auditing research, including:
- Three parts to the presentation covering kernel auditing research, exploitable bugs found, and kernel exploitation.
- Audits were conducted on several open source kernels, finding over 100 vulnerabilities across them.
- A sample of exploitable bugs is then presented from the audited kernels to provide evidence that kernels are not bug-free and vulnerabilities can be relatively simple to find and exploit.
New hope is comming? Project Loom.pdf
New hope is comming? Project Loom.pdfKrystian Zybała At a time when Herbt Sutter announced to everyone that the free lunch is over (The Free Lunch Is Over: A Fundamental Turn Toward Concurrency in Software), concurrency has become our everyday life.A big change is coming to Java, the Loom project and with it such new terms as "virtual thread", "continuations" and "structured concurrency". If you've been wondering what they will change in our daily work or
whether it's worth rewriting your Tomcat-based application to super-efficient reactive Netty,or whether to wait for Project Loom? This presentation is for you.
I will talk about the Loom project and the new possibilities related to virtual wattles and "structured concurrency". I will tell you how it works and what can be achieved and the impact on performance
owasp lithuania chapter - exploit vs anti-exploit
owasp lithuania chapter - exploit vs anti-exploitKęstutis Meškonis This document discusses various exploit techniques, mitigations against exploits, and ways to bypass mitigations. It covers popular exploitation methods like stack-based buffer overflows, heap overflows, and return-oriented programming (ROP). It also outlines key mitigations like stack cookies, data execution prevention (DEP), address space layout randomization (ASLR), and structured exception handler overwrite protection (SEHOP). Finally, it examines techniques for bypassing protections like avoiding ASLR, memory leaks to disclose addresses, and using ROP chains combined with memory leaks to bypass DEP and ASLR. The document provides a technical overview of the exploit-mitigation landscape.
Earhart
Earhartsiam hossain The document provides an overview of the Windows operating system, summarizing its key goals, components, and design principles. The Windows OS aims for hardware and software portability, high performance, and a secure object-oriented architecture. It uses a thread-based process model, handles for object access control, and structured exception handling for robust error handling. The OS implements standard objects like events, mutexes, and files using its object manager and security model.
Ad
Recently uploaded (20)
Web and Graphics Designing Training in Rajpura
Web and Graphics Designing Training in RajpuraErginous Technology Web & Graphics Designing Training at Erginous Technologies in Rajpura offers practical, hands-on learning for students, graduates, and professionals aiming for a creative career. The 6-week and 6-month industrial training programs blend creativity with technical skills to prepare you for real-world opportunities in design.
The course covers Graphic Designing tools like Photoshop, Illustrator, and CorelDRAW, along with logo, banner, and branding design. In Web Designing, you’ll learn HTML5, CSS3, JavaScript basics, responsive design, Bootstrap, Figma, and Adobe XD.
Erginous emphasizes 100% practical training, live projects, portfolio building, expert guidance, certification, and placement support. Graduates can explore roles like Web Designer, Graphic Designer, UI/UX Designer, or Freelancer.
For more info, visit erginous.co.in , message us on Instagram at erginoustechnologies, or call directly at +91-89684-38190 . Start your journey toward a creative and successful design career today!
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...
IEDM 2024 Tutorial2_Advances in CMOS Technologies and Future Directions for C...organizerofv IEDM 2024 Tutorial2
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...BookNet Canada Book industry standards are evolving rapidly. In the first part of this session, we’ll share an overview of key developments from 2024 and the early months of 2025. Then, BookNet’s resident standards expert, Tom Richardson, and CEO, Lauren Stewart, have a forward-looking conversation about what’s next.
Link to recording, presentation slides, and accompanying resource: https://bnctechforum.ca/sessions/standardsgoals-for-2025-standards-certification-roundup/
Presented by BookNet Canada on May 6, 2025 with support from the Department of Canadian Heritage.
Technology Trends in 2025: AI and Big Data Analytics
Technology Trends in 2025: AI and Big Data AnalyticsInData Labs At InData Labs, we have been keeping an ear to the ground, looking out for AI-enabled digital transformation trends coming our way in 2025. Our report will provide a look into the technology landscape of the future, including:
-Artificial Intelligence Market Overview
-Strategies for AI Adoption in 2025
-Anticipated drivers of AI adoption and transformative technologies
-Benefits of AI and Big data for your business
-Tips on how to prepare your business for innovation
-AI and data privacy: Strategies for securing data privacy in AI models, etc.
Download your free copy nowand implement the key findings to improve your business.
Semantic Cultivators : The Critical Future Role to Enable AI
Semantic Cultivators : The Critical Future Role to Enable AIartmondano By 2026, AI agents will consume 10x more enterprise data than humans, but with none of the contextual understanding that prevents catastrophic misinterpretations.
Mastering Advance Window Functions in SQL.pdf
Mastering Advance Window Functions in SQL.pdfSpiral Mantra How well do you really know SQL?📊
.
.
If PARTITION BY and ROW_NUMBER() sound familiar but still confuse you, it’s time to upgrade your knowledge
And you can schedule a 1:1 call with our industry experts: https://spiralmantra.com/contact-us/ or drop us a mail at [email protected]
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Aqusag Technologies In late April 2025, a significant portion of Europe, particularly Spain, Portugal, and parts of southern France, experienced widespread, rolling power outages that continue to affect millions of residents, businesses, and infrastructure systems.
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxshyamraj55 We’re bringing the TDX energy to our community with 2 power-packed sessions:
🛠️ Workshop: MuleSoft for Agentforce
Explore the new version of our hands-on workshop featuring the latest Topic Center and API Catalog updates.
📄 Talk: Power Up Document Processing
Dive into smart automation with MuleSoft IDP, NLP, and Einstein AI for intelligent document workflows.
Quantum Computing Quick Research Guide by Arthur Morgan
Quantum Computing Quick Research Guide by Arthur MorganArthur Morgan This is a Quick Research Guide (QRG).
QRGs include the following:
- A brief, high-level overview of the QRG topic.
- A milestone timeline for the QRG topic.
- Links to various free online resource materials to provide a deeper dive into the QRG topic.
- Conclusion and a recommendation for at least two books available in the SJPL system on the QRG topic.
QRGs planned for the series:
- Artificial Intelligence QRG
- Quantum Computing QRG
- Big Data Analytics QRG
- Spacecraft Guidance, Navigation & Control QRG (coming 2026)
- UK Home Computing & The Birth of ARM QRG (coming 2027)
Any questions or comments?
- Please contact Arthur Morgan at [email protected].
100% human made.
Build 3D Animated Safety Induction - Tech EHS
Build 3D Animated Safety Induction - Tech EHSTECH EHS Solution Train Smarter, Not Harder – Let 3D Animation Lead the Way!
Discover how 3D animation makes inductions more engaging, effective, and cost-efficient.
Check out the slides to see how you can transform your safety training process!
Slide 1: Why 3D animation changes the game
Slide 2: Site-specific induction isn’t optional—it’s essential
Slide 3: Visitors are most at risk. Keep them safe
Slide 4: Videos beat text—especially when safety is on the line
Slide 5: TechEHS makes safety engaging and consistent
Slide 6: Better retention, lower costs, safer sites
Slide 7: Ready to elevate your induction process?
Can an animated video make a difference to your site's safety? Let's talk.
Rusty Waters: Elevating Lakehouses Beyond Spark
Rusty Waters: Elevating Lakehouses Beyond Sparkcarlyakerly1 Spark is a powerhouse for large datasets, but when it comes to smaller data workloads, its overhead can sometimes slow things down. What if you could achieve high performance and efficiency without the need for Spark?
At S&P Global Commodity Insights, having a complete view of global energy and commodities markets enables customers to make data-driven decisions with confidence and create long-term, sustainable value. 🌍
Explore delta-rs + CDC and how these open-source innovations power lightweight, high-performance data applications beyond Spark! 🚀
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...Alan Dix Talk at the final event of Data Fusion Dynamics: A Collaborative UK-Saudi Initiative in Cybersecurity and Artificial Intelligence funded by the British Council UK-Saudi Challenge Fund 2024, Cardiff Metropolitan University, 29th April 2025
https://alandix.com/academic/talks/CMet2025-AI-Changes-Everything/
Is AI just another technology, or does it fundamentally change the way we live and think?
Every technology has a direct impact with micro-ethical consequences, some good, some bad. However more profound are the ways in which some technologies reshape the very fabric of society with macro-ethical impacts. The invention of the stirrup revolutionised mounted combat, but as a side effect gave rise to the feudal system, which still shapes politics today. The internal combustion engine offers personal freedom and creates pollution, but has also transformed the nature of urban planning and international trade. When we look at AI the micro-ethical issues, such as bias, are most obvious, but the macro-ethical challenges may be greater.
At a micro-ethical level AI has the potential to deepen social, ethnic and gender bias, issues I have warned about since the early 1990s! It is also being used increasingly on the battlefield. However, it also offers amazing opportunities in health and educations, as the recent Nobel prizes for the developers of AlphaFold illustrate. More radically, the need to encode ethics acts as a mirror to surface essential ethical problems and conflicts.
At the macro-ethical level, by the early 2000s digital technology had already begun to undermine sovereignty (e.g. gambling), market economics (through network effects and emergent monopolies), and the very meaning of money. Modern AI is the child of big data, big computation and ultimately big business, intensifying the inherent tendency of digital technology to concentrate power. AI is already unravelling the fundamentals of the social, political and economic world around us, but this is a world that needs radical reimagining to overcome the global environmental and human challenges that confront us. Our challenge is whether to let the threads fall as they may, or to use them to weave a better future.
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025BookNet Canada Book industry standards are evolving rapidly. In the first part of this session, we’ll share an overview of key developments from 2024 and the early months of 2025. Then, BookNet’s resident standards expert, Tom Richardson, and CEO, Lauren Stewart, have a forward-looking conversation about what’s next.
Link to recording, transcript, and accompanying resource: https://bnctechforum.ca/sessions/standardsgoals-for-2025-standards-certification-roundup/
Presented by BookNet Canada on May 6, 2025 with support from the Department of Canadian Heritage.
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Splunk Security Update
Sprecher: Marcel Tanuatmadja
How analogue intelligence complements AI
How analogue intelligence complements AIPaul Rowe
Artificial Intelligence is providing benefits in many areas of work within the heritage sector, from image analysis, to ideas generation, and new research tools. However, it is more critical than ever for people, with analogue intelligence, to ensure the integrity and ethical use of AI. Including real people can improve the use of AI by identifying potential biases, cross-checking results, refining workflows, and providing contextual relevance to AI-driven results.
News about the impact of AI often paints a rosy picture. In practice, there are many potential pitfalls. This presentation discusses these issues and looks at the role of analogue intelligence and analogue interfaces in providing the best results to our audiences. How do we deal with factually incorrect results? How do we get content generated that better reflects the diversity of our communities? What roles are there for physical, in-person experiences in the digital world?
Into The Box Conference Keynote Day 1 (ITB2025)
Into The Box Conference Keynote Day 1 (ITB2025)Ortus Solutions, Corp This is the keynote of the Into the Box conference, highlighting the release of the BoxLang JVM language, its key enhancements, and its vision for the future.
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPathCommunity Join this UiPath Community Berlin meetup to explore the Orchestrator API, Swagger interface, and the Test Manager API. Learn how to leverage these tools to streamline automation, enhance testing, and integrate more efficiently with UiPath. Perfect for developers, testers, and automation enthusiasts!
📕 Agenda
Welcome & Introductions
Orchestrator API Overview
Exploring the Swagger Interface
Test Manager API Highlights
Streamlining Automation & Testing with APIs (Demo)
Q&A and Open Discussion
Perfect for developers, testers, and automation enthusiasts!
👉 Join our UiPath Community Berlin chapter: https://community.uipath.com/berlin/
This session streamed live on April 29, 2025, 18:00 CET.
Check out all our upcoming UiPath Community sessions at https://community.uipath.com/events/.
Efficient Bytecode Analysis: Linespeed Shellcode Detection
- 1. Efficient Bytecode Analysis: Linespeed Shellcode Detection Georg Wicherski Security Researcher
- 2. Anatomy of a Shellcode • Little piece of Bytecode that gets jumped to in an exploit – Direct overwrite of EIP on the stack – Sprayed on the Heap and called as a function pointer – Allocated by small ROP payload and jumped to by last gadget • Minus Zynamics Google, they do ROPperies • Usually some requirements because it is delivered inline – Null byte free, because it terminates a C-String – rn free, because it often is a delimiter in network protocols – ... Decoder Stub Encoded Shellcode
- 3. Shellcode Decoder Structure jmp getpc ; jump to GetPC start: ; GetPC 2: ebp = EIP pop ebp push 42 ; load counter = 42 pop ecx push 23 ; load key = 23 pop edx decrypt: xor byte [ebp+ecx], dl ; unxor one byte loop decrypt ; repeat until ecx = 0 jmp payload getpc: call start ; GetPC 1: push EIP to stack payload:
- 4. GetPC Sequences • call $+5, pop r32 – Push return address for function call onto stack – Use stack access to read back the return address • fnop, fnstenv [esp+0x0c], pop r32 – Use a floating point instruction, address will be stored in floating point control aread – Save floating point control area on stack – Read back the instruction address from stack • Structured Exception Handling – Windows specific, trigger an exception – Get address of exception instruction in exception handler
- 5. Existing Detection Approaches • Static / Statistical Approaches – e.g. Markov Chains for Bytecode (Alme & Elser, Caro 2009) • Trained with shellcode / non-shellcode data • Measures likelyhood of certain instructions following each other – Can only detect the decoder and therefore tend to be either false positive or false negative prone (weighting, training data, ...) • GetPC Sequences + Backtracking + Emulation (libemu) – Identify possible GetPC sequences in data – Build up tree of possible starting locations by disassembling “backwards” • A problem on its own on the x86 CISC architecture – Software x86 emulation to weed out (the many) false positives
- 6. libscizzle • Identification of possible GetPC sequences – A little less strict than libemu in terms of triggering combinations • Brute force possible starting location around sequence – Efficient emulation allows this performance wise • Use efficient sandboxed hardware execution for verification – No, this is not virtualization, no VT involved – Yes, it is secure, so we do not get owned (trivially) http://code.mwcollect.org/projects/libscizzle
- 7. x86 Segmentation vs. Paging Segment Virtual Physical
- 8. Code Execution / “Emulation” • Disassemble guest code – Stop on any privileged or (potentially) execution flow modifying instruction – This is roughly equivalent to “basic blocks” – Segment register access is considered a privileged instruction ;) • Execute one basic block at a time within the guest segment • Emulate all other instructions – Conditional jumps, calls, ... – Abort analysis on any privileged instructions • Exception: backwards short jumps
- 9. Evaluation: Performance $ ./libscizzle-test < urandom.bin [*] Filtering / scanning over 32.0 MiB of data took 105 ms. [*] Verifying 700 shellcode candidate offsets... [*] Verification over 32.0 MiB of data took 217 ms. [*] Everything over 32.0 MiB of data took 322 ms. • 99.38 Mib / sec, 795 MiB / sec on my presentation laptop, single core • About 1000x faster than libemu, a lot faster than Markov Chains • This is fast enough to do it inline at GigaBit speed on a commodity server, think IPS • Real world data has usually better properties than purely random data
- 10. Evaluation: Success Rate • False Positives: none. – If it is detected, it resembles valid shellcode – Random data might resemble valid shellcode but this is a philosophical problem then, highly unlikely. • False Negatives: none so far – Tested on a lot of public shellcodes (tricky Metasploit ones, egghunters) – Used during CTFs for testing libscizzle, detected everything • DefCon, ruCTFe, ... • Manual evasion possible
- 11. Questions? Thanks for your attention!