Minecraft anarchy – The Layman’s Guide to Zero-Day Engineering

Okay welcome back to the subway tile English yeah oh yeah yes we are okay welcome back to this effort iseman stream for laser globulin there’s an Auckland is a vanilla minecraft server which has no active administration and I also know in game where aeration so a bad behavior will not be punished

Connect with a gog.com area it stands for laser Gordon land which is German for Q Cumberland or laser q complaint okay and here where did we left often what’s going on with my frames am i cutting yes I am I have 17 frames there is there is not

Good let me quickly you see if I can do something okay so we’ll be as minecraft Crone from you okay it looks fine this Oh this pulls out you is it yeah I guess that’s expected background:none it’s just some ex walk background shop running it’s a better

Now yes I don’t know I don’t know what happened here sometimes computers to things okay that completely confused my introduction I’d say if this dream is running yes it is running okay so um let’s go glint if you want to play some classical anarchy um go on Troy those

Machines ready no they are not he’s already and I need some more of those okay yeah so the thing is this stream is meant to be a advertisement for the server so just connect to the server and yeah that’s it I don’t feel like expending too much

Writer service so great but I still wait so short let’s make it longer um put its lava down there not sure how to start the machine now during day time I should probably wait one night cycle yeah okay so it’s an energy server where you can grief other people’s buildings there’s

No protection there no plugins it’s pure vanilla you’re allowed to kill you allowed to grief you’re allowed to heck you are allowed to yeah do all the nasty things there will be no word resets and server is going to stay online for at least three to four or five years since I paid

Already in advance and yeah so if then people are still interested in a server I will most likely still keep it up if I can’t afford it or I’m not really not interested in a few years to keep it up I will publish the word file and

Somebody else can take it over so everything you do here is not lost or like does not disappear due to some admin rage quitting the game and like throwing everything away so some people might dislike that that’s why I surf this server there are other big energy service with similar concepts but those

Usually have tons of players and tons of plugins so that’s why the server exists where you can yeah be a little bit more more shield a little bit more pure as players less struggle okay so that’s that’s the advertisement part and for today I found a crazed video about zero

Days yeah so I’m going to watch a video now from the media CCC channel and you will have terrible audio quality so if you’re interested in 0 days or the media CCC conference and then go check out the original talk I will link it in the description the video that we are going

To watch as the title 35 C 3 the layman’s guide to zero day engineering and it’s hard to read and watch and search for lava the thing is yeah I I can really recommend you watching this in the original version and not continue to watch this video because the purpose

Of this video or stream or whatever it is is to sell you this minecraft server while sell and the sense fun I don’t even know if it’s a is it an English saying to say it something I mean it’s free but I want to advertise it because

You know I paid for a server and I yeah i do not need like a thousand players here but since I’m playing alone here it’s kind of useless so would be nice if a few players could join I’m not here to steal your money or whatever just wanna play a little bit minecraft

Yeah so if you’re interested in that come and play yeah so and if you’re interested in zero days then check out their original make sure that will be in the description so the video is from 2018 and has 10,000 views and it is uploaded from Romania CCC a channel okay so enough warnings

Enough recommendations yeah let’s go the layman’s guide to zero day engineering is our next stock buy and my colleagues out in Austin who run the dome come contest assure me that our next speakers are really very much the top of their class and I’m really looking forward to this talk before that

A capture the flag contents like that requires having done a lot of your homework upfront so that you have the tools at your disposal at at the time so that you can win and Marcus and Amy here here to tell us something way more valuable about the actual tools they

Found but how they actually arrived to the those tools and you know the process of going and going today and I think that is going to be a very valuable wrestle recipe or lesson for us so please help me welcome Marcus and Amy to a very much anticipated talk

All right hi everyone thank you for making out to our talk this evening so I’d like to start by thanking the CCC organizers for inviting us out here to give this talk this was a unique opportunity for us to share some of our experience with the community and we’re

Really happy to be here so yeah I hope you guys enjoyed okay so who are you well my name is Marcus Gadsden I sometimes go by the handle Gazza dawn which is my last name and I’m joined here by my coworker Amy he’s also a good friend and longtime collaborator

We work for a company called wreck two systems right two is best known publicly for its security research and development behind the scenes we do consulting and have been pushing to improve the availability availability of security education in specialized security training as well as raising awareness and sharing information like

You’re going to see today and so this talk has been structured roughly to show our approach in breaking some of the world’s most hardened consumer software in particular we’re going to talk about one of the zero days that we produced at rent two in 2018 and over the course

That talk we hope to break some common misconceptions about the process of zero day engineering we’re going to highlight some of the observations that would have gathered and built up about this industry and this trade over the course of many years now and we’re going to try

To offer some advice on how did it start doing this kind of work as an individual so we’re calling this talk a non technical commentary about the process of zero day engineering at time it may seem like we’re stating the obvious but the point is to show that there’s less

Magic behind the curtain then most of you spectators probably realize so let’s talk about condone 2018 for those that don’t know Rondon is an industry level security competition organized annually by Trend Micro zero day initiative Penn own invites the top security research researchers from around the world to showcase zero-day

Exploits against high value software targets such as premiere web browsers operating systems and virtualization solutions such as hyper-v VMware virtual box then whatever so that right – we thought it’d be fun to play a poem this year specifically we wanted to target the competitions browser category we chose to attack

Apple’s Safari web browser on Mac OS because it was new it was mysterious but also the avoid any prior conflicts of interest and so for this competition we ended up developing any type of zero-day known typically as a single click RCE or Safari remote kind of as some some

Industry language so what this means is that we could gain a remote root level access to your macbook should you click a single malicious link of ours i’m incentive terrifying you know a lot of you might feel like you’re very prone to not clicking malicious links or not

Getting Spearfish but it’s so easy maybe you’re in a coffee shop maybe I just man in the middle of your connection it’s pretty yeah it’s a pretty scary rule so this is actually a picture that we took on stage at pono in 2018 directly following our exploit attempt this is

Actually Joshua Smith from zdi folding the competition machine after our exploit had landed unfortunately a little bit too late but the payload at the end of our exploit would pop apples cut a calculator up and reverse landing on the victim machine this is usually used to demonstrate code execution so

For fun we also made the payload change if that stops background to the right to logo so that’s what you’re seeing there so what makes a zero-day upon case study is that we had virtually no prior experience at Safari or maca less going into this event we literally didn’t even

Have a single MacBook in the office we have to go out and buy one and so as a result you get to see how we as expert researchers approach new and unknown software targets so I promise that this is a non-technical talk which is mostly true that’s because we actually publish

All the nitty-gritty details for the entire exploit chain as a verbose sixth part log series on our blog this past summer it’s hard to make highly tactical talk fun and accessible to all audiences so we’ve reserved much of the truly technical stuff for you to read at your

Own leisure it’s not a prerequisite for this talk so don’t feel bad if you haven’t read those so with that in mind for ready to introduce you to the very first step of what we’re calling the layman’s guide to zero day engineering so at the start of this talk I said we’d be

Attacking some of the most high value and well protected consumer software this is no joke right this is a high-stakes game it’s a report any of you even think about looking at code or searching for vulnerabilities in these products you need to set some expectations about what you’re going to

Be up against so this is a picture deal you might be a security expert a software engineer or even just an enthusiast but there’s some odd twist of self-loathing you find yourself interested in zero-days and the desire to break some in high-impact software like a web browser but it’s important to

Recognize that you’re looking to devise them a largest most successful organizations of our generation these types of companies have every interest in securing the products and building trust with consumers these vendors have steadily even growing and investments in software and device security and that trends will only continue you see cyber

Security and headlines every day hacking you know these systems compromised it’s only getting more popular you know there’s more money than ever in this space so this is a beautiful mountain peak that represents your mission of I want to cop to zero day but you’re sent

Off this mountain is not going to be an easy task as an individual the odds are not really in your favor this game is sort of a free-for-all and everyone is at each other’s throats so in one corner is the vendor might as well have infinite money and infinite

Experience in another corner is the rest of the security research community fellow enthusiasts all their threat actors so all of you are going to be fighting over the same train which is the code this is unforgiving terrain in and of itself but the vendor has home-field advantage

So these obstacles are not fun but it’s only going to get worse for you newcomers often don’t prepare themselves for understanding what kind of time scale you should expect when working on these types of projects so for those of you who are familiar with the capture the flag circuit these competitions

Usually our time box from 36 to 48 hours normally they’re over a weekend you know we came out of that circuit we love the sport we still play but how long does it take to develop a zero-day well it can vary a lot sometimes we get really lucky I’ve seen someone produce a

Chrome / v8 but in two days other times it’s taken two weeks sometimes it takes a month but sometimes you can actually take a lot longer to study and exploit new targets you need to be thinking you know you need to be looking at time in these kind of scales

And so it could take three and a half months it could take maybe even six months for some targets the fact of the matter is that it’s almost impossible to tell how long the process is going to take and so I’m like a CTF challenge there’s no upper bound to this process

Of zero day engineering there’s no guarantee that the exploitable bikes you need to make a zero date even exist in the software your target you also don’t always know what you’re looking for and you’re working on projects that are many order magnitudes of larger than any sort of educational resource we’re talking

Millions of lines of code or your average CTF challenge might be a couple hundred lines to see at most so I can already see the terror and self-doubt in some of your eyes but I really want to stress that you shouldn’t be too hard on yourself about this stuff as a novice

You need to keep these caveats in mind and accept that failure is not unlikely in the journey all right so please check this box before watching ours to talk so having built some psychological foundation for the task at hand the next step and the layman’s guide is what we call reconnaissance so

This is kind of a giftie slide oh yeah it’s even Metasploit reminds you to start up doing three time so with regard to zero to engineering discovering vulnerabilities against large scale software can be an absolutely overwhelming experience like that mountain it’s like where do I start what

Foothill do I go up like we’re doing video from there sit overcome this it’s vital to build foundational now what’s going on okay about the target it’s also one of the least glamorous parts of the zero days development process and often see it by many you don’t see any of the

Other speakers really talking about this so much you don’t see blog posts for people they’re like I google it for eight hours about Apple Safari before writing a zero day for so you want to aggregate and review all existing research related to your target this is

Super super important so how do you do every time well the simple answer is Google every day this is literally something and what we do is we go through and we click and you download an e-book mark every single thing for about five pages and that’s how you get a

One-click remote execution and your sister click everything download everything see all these buttons that you never click at the bottom of Google all the danger is here it’s related searches you might want to look at Oh No spit some coffee hmm yet hmm whatever you should definitely click all those you should

Also go through at least four or five pages and keep downloading and saving everything that looks remotely relevant so you just keep doing this over and over and over again and you just Google and Google and Google everything that you think could possibly be related and

The idea is you know you just want to grab all this information you want to understand everything you can about this target even if it’s not Apple Safari is specific I mean look into the ate look into chrome look into opera look into chakra look into

Whatever you want so the goal is to build up a security literature a library of security literature related to your target and its ecosystem and then I want you to read all of it but I don’t want you don’t don’t force yourself to understand everything in your sack new

Literature the point of this exercise is to build additional context about software its architect new security track record by the end of the comments phase you should aim to be able to answer these kind of questions about your target what is the purpose of the software how is it architected it’s

Can anyone describe what WebKit’s architecture is to me what are its major components is there a sandbox around it how do you need bug it how did it developers misstep you any tips and tricks are there special flags what did a security track record look like does it have historically

Vulnerable components is there existed write-up exploits or research in it etc alright you need me reconnaissance step 2 is going to be target selection so there’s actually a few different names that you could you could maybe call this technically we’re targeting Apple Safari but you want to try and narrow your

Scope and so what we’re looking at here is a tree map visualization of the the WebKit source so Apple Safari web browsers have to built on top of the WebKit framework which is a essentially a browser engine this is open source and so yeah this is a tree map visualization

Of the source directory where files are sorted in by size so each of those boxes is essentially a file while all the gray boxes to bake bread boxes are directories all those sub squares are filed and each file is sized based on its representative complexity detected

In each first of all and you might be getting anyway you might be getting five drafts back to that picture that mountain team how do you even start to hunt for security vulnerabilities in a product or code base of this size three million lines of code you know I may be

Written like I don’t know like a hundred thousand lines of C or C++ to my life what puzzling render reviewed three million so the short answer to freaking this problem down is that you need to reduce your scope of evaluation and focused on depth over breadth and this

Is most critical when attacking an extremely well tipped over card you know maybe you’re probing IOT device you probably just use up that thing and it’s going to find vulnerabilities but you know you’re fighting on a very different landscape here and so you need to be very detailed with your review so

Reduce your scope our reconnaissance and has experience with exploiting browsers as one of those to focus on the web hits JavaScript engine highlighted up here in orange so bugs and Jas engines when it comes to browsers are generally regarded as extremely powerful bugs but they’re also few and far between and they’re

Kind of becoming more rare as more you are looking for bugs more people are colliding they’re dying quicker and so anyway let’s try to reduce our scope so we reduced our scope from 3 million down to 350 thousand lines of code here we’ll zoom into that orange so now we’re

Looking at the JavaScript directory specifically in the JavaScript or directory so this is a JavaScript engine within WebKit as used by Safari on Mac OS and specifically to further reduce our scope we chose to focus on the highest level interface of the JavaScript court which is the runtime

Folder so this contains code that’s almost one-to-one mappings to JavaScript objects and methods in the interpreter so for example array dot reverse or attack or whatever it is very close to what you JavaScript authors are familiar with and so this is what the Brotherton folder looks like at approximately 70,000 lines of code

When we were spinning up for ponen we said ok we are going to find a budget in this directory and one of these files and we’re not going to leave this until we have you know block the way with something so if we take a step back now

This is what we started with and this is what we’ve done we’ve reduced our scope so it helped illustrate illustrates this you know whittling process it was almost a little bit arbitrary there’s a lot there previously there’s been a lot of bugs in the runtime directory but it’s

Really been cleaned up the past few years so anyway this is what we chose for our RT so having spent the number of years going back and forth between tapping and defending I’ve come to recognize that bad components do not get good spouse usually researchers are able to hammer

Away at these components for years before they reach some level of acceptable security so let’s keep our sandbox we simply look at the security trends covered during their comments on stage so this observation historically bad components while often take years to improve means that we chose to look at

Windows Server and so for those that don’t know a Windows server is a root level system service that runs on Mac OS our research turned up a trail of ugly bytes from them from a Mac Allah from from essentially the Windows Server which is accessible to the safari

Sandbox and in particular when we’re doing our research we’re looking at EDI water and why do I get sponges from oh I have my base I should go and back to my base and get some sponges I will most likely forget it until I arrive but yeah whatever

Make sure to remind me in the stream shed all my viewers let’s check in we have oh we have actually one viewer you speak Russia um da yang camera will cover you or chin how to have a sofa ruski no and speak russian at all yeah I think it’s a fun

Language though sounds kind of cool hmm yeah you can and in particular in 2015 there’s or 10 flexible mobilities for parts and EDI that were you so much long time only works for the desolation colleges and so these are only vulnerabilities that refer to this DDI if you look in 2017

There is for all again uses for the same purpose I think all of these were actually probably used I’ve honed on both years and then then 2018 they’re just one and so this is three years over the span of three years where people were hitting the same exact component

And Apple or researchers around the world could have been watching or listening and finding bugs and fighting over this land right here and so it’s pretty interesting I mean they give some perspective the fact of the matter is that it’s hard to write it’s really hard for bad components to improve quickly

Nobody wants to try and sit down and rewrite bad code and vendors are terrified absolutely terrified of shaping regressions most vendors will only patch or modify old bad code only when they absolutely must for example when a vulnerability is reported to them and so as listed on this slide there’s a

Number of reasons why a certain module or a component has terrible has a terrible security track record just try to keep in mind that’s usually a good place to look for more funds if you see a waterfall of budge this year in some component like lazon or JIT maybe you

Should be looking there right but that might be good for a few more years yeah all right step 3 so after all this talk were finally getting to a point where we can start probing and exploring the codebase in greater depth this step is all about bug on day

So as an individual researcher or a small organization the hardest part of the zero day engineering process is usually discovering an exploitable vulnerability that’s just kind of from our perspective this can maybe vary from person to person but you know we don’t have 100 million dollars to spend on

Buzzers for example and so we literally have one back foot right so it’s kind of like looking for a needle in a haystack we’re also well versed in the exploitation process itself and so those that end up being a little bit more formulaic for ourselves so there are two

Core strategies for finding exploitable vulnerabilities there’s a lot of pros and cons to both of these approaches but I don’t want to spend too much time talking about the strengths or weaknesses so they’re all listed here the the short summary is that fuzzing is the main go-to strategy for many

Security enthusiasts some of the key perks that it’s a scalable its scalable and almost always dealing through phones and so a spoiler alert but later in this talk they’re gonna see we’ve biases both of our bugs but the bike that we use for our full chain and we you know is 2018

These things are still following out with some very turbulent means okay so source review is the other main strategy source review is often much harder for novices but it can produce some high quality bugs when performed diligently yeah if you’re looking to just get into this stuff I would say start real simple

Start buzzing and see how far you get so yeah for the purpose of this talk I’m mostly going to focus on fuzzing this is a picture from the dashboard of a simple scalable buzzing harness we built for javascriptcore this is when we were ramping up for pun dome and trying to

Build our chain it was a grammar based JavaScript buzzer based on Mozilla’s dharma there’s nothing fancy about it this is a snippet of some of what some of its output look like we’d only start building it out when the actually found the exploitable vulnerability that we

Ended up using so we haven’t we haven’t really played with as much since then but it’s I mean it shows kind of how easy it was to get where we needed to go so something like we we like to stress heavily to the vault to buzz is that it

Really must be treated as a science for these competitive targets guys I know code coverage is the best metric but you absolutely must use some form of the intersection to quantify the progress and reach of your budget please don’t just funds blindly so our pleasure would generate web-based covered covered

Reports of our grammars every 15 minutes or so this allows us to quickly narrate a pond or buzzer helping generate more interesting complex test cases a good target is 60% code coverage so you can see that in the upper right hand corner that’s kind of what we were shooting for

Again it really varies from target to target this is also just us focusing on the runtime folder you see in the upper left hand corner and so something that we’ve observed again over many targets and exotic exotic targets is that bugs almost always fall out of what we call the hard-fought final coverage

Percentages and so what this means is you might work for a while trying to build up your coverage trying to you know build a good set of test cases or grammars for funding and then you’ll hit that 60 percent in the okay what am I missing now like everyone gets to 60%

Let’s say but then once you start inching a little bit further is when you start finding a lot of bugs and so for example a little pull-up code and we’ll be like why did he not hit those blocks up there why are those gray box why did we never

Hit those in our millions of test cases and we’ll go find that that’s some weird edge case or some unoptimized condition or something like that and we will modify your test cases to hit that code other times will actually sit down pull it up on our projector and talk through

Some of that code and it’ll be like what the hell is going on there and so this is actually it’s funny this is actually a live photo that I took during our pundit on hunt then you know as cliche as this picture is of hackers standing

In front of like a dark screen and dark room this was happy you know we we were just reading some code and so it’s it’s good to property among co-workers into to hash out ideas helped confirm theories or discard them and so yeah this kind of leads us to the next

Piece of advice is when you’re doing source reviews so this applies to both debugging or assessing kind of those corner cases and whatnot if you’re ever unsure about the code that you’re reading you absolutely should be using debuggers on dynamic analysis so as painful as it can maybe be to set up

JavaScript court or debug this massive C++ application that’s dumping these massive call stacks that are 100 deep you need to learn those tools are you never gonna be able to understand the amount of contacts necessary for some of these bugs and complex code so for example one of our blog posts makes

Extensive use of our r2 to reverse our to root cause the vulnerability that we endeavor exploiting it was a race condition in the garbage collector totally wild bug there’s probably I said there was probably three people on earth that could have spotted this book through source review it required

Immense knowledge of code base in my opinion to be able to recognize this as a vulnerability we found it through fuzzing we had to root cause it using time travel debugging Mozilla’s R&R which is an amazing project and and so yeah absolutely use debuggers this is an

Example of a call stack again just using a debugger to dump the Paula stock from a function that you’re auditing can give you an insane amount of context as to how that function is used what kind of data is operating it on operating it on

Maybe you know what kind of areas of the code base it’s called from you’re not actually supposed to be able to read the size or read the slide but it’s factories from gdb that is 40 or 50 Hall steps deep all right so there’s this huge misconception by novices that new code

Is inherently more secure and that vulnerabilities are only being removed from code bases not added hmm this is almost patently false and this is something that I’ve observed over the course of several years countless targets you know code from all sorts of vendors and there’s this really

Great blog post put out by ivan from GPZ this past fall and in despachos he basically so one year ago he fudged WebKit using his fuzzer call it D’Amato you found a bunch of vulnerabilities she reported him and then he open sourced the puzzle but then this year this fall

He down with his putter ran it again with little to no changes just just to get things up and running and then he found another eight plug exploitable use after free one really wait did nobody use this fahza Oh what crazy I mean I don’t know maybe it’s naive for me but

I expect if somebody takes the time to write such a clue father that was successful once maybe the maintainer are going to like integrate it into CI or maybe run it like here and there on their changes or whatever I don’t know but yeah it doesn’t seem to be the case

Always was yeah it’s obviously some effort spent without any like I wouldn’t say outcomes but yeah it’s probably not yeah you know what I mean it’s not a shiny feature if you do not add bugs or like security vulnerabilities yeah yeah crazy so what’s really amazing about

This is when you look at these last columns that have highlighted in red virtually all the bugs he found have been introduced were regressed in the past 12 months so yes new vulnerabilities did introduce every single day so the biggest reason new code is considered harmful is simply

That it’s not had years to sit and market this means it hasn’t had time to mature it hasn’t been tested exhaustively like the rest of the code base as soon as that developer pushes it whenever it hits release whenever it hits table that’s when you have a

Billion users pounding at it let’s say on Chrome I don’t know how big that user Basin is but its massive and that’s a thousand users around the world just using the browser who are effectively plunging it just by browsing the web and so of course you’re going to manifest

Interesting conditions that will cover things that are not in your test cases in unit testing so yeah it’s not uncommon the second point down here is that sound common for new code to break assumptions made elsewhere in the code base and this is also actually extremely common the

Complexity of these code bases can be absolutely insane and can be extremely hard to tell if let’s say some new code that Joe Schmoe the new developer adds break some paradigm held by let’s say the previous owner of the codebase he maybe doesn’t understand that as well

You know maybe it could be an expert developer who just made a mistake um it’s super common now the Peters advice this should be a no-brainer for bite hunting the novices often grow impatient and start hopping around between code and functions and getting lost or trying to chase use

After freeze or bug classes without really truly understanding you know what they’re looking for so you know a great starting point is always identifying the sources of user in input or the way that you can interface with a program and then just follow the data follow it down

You know what functions parse it what manipulates your data what reads it what what rights to it you know just keep it simple and so when we’re looking for our sandbox escapes we knew we’re looking at Windows Server and our research has showed that there’s all these functions

We don’t know anything about map but we read this blog post from team that was like oh there’s all these functions that you can send data to in Windows Server and apparently there’s about 600 and they’re there they’re all these functions prefixed with underscore underscore X and so these 600 end points

While Parson operate upon data that we send to them and so it’s a drawn rough diagram there’s essentially this big red data tube from the Safari sandbox to the Windows Server system service this tube can deliver arbitrary data that we control it to all those 600 endpoints we immediately immediately thought let’s

Just try to man in the middle this data fight said we can like see what’s going on and so that’s exactly what we did we just hooked up freedom to it another open source DDI it’s on github it’s pretty cool and we were able to stream all of the

Messages flowing over this button so we can see all this data just being sent into the windows server from all sorts of applications actually everything on Mac OS talks to this the Windows server is responsible for drawing all your windows on the desktop your mouse clicks your whatever it’s kind of like

Explore EFT on windows so you know we see all this data coming through we see all these crazy messages all these unique message formats all these data buffers that it’s sending yang and this is just begging to be buzzed and so we said okay let’s fuzz I remember getting all hype and I

Distinctly remember saying maybe we can jerry-rig AFL into the window server or let’s mutate these buffers with random stuff or why don’t we just try flipping some bits and so that’s what we did and so how about wraps you had a very timely tweet just a few weeks back that echoed

This exact experience he said that looking at my security / vulnerability research career my biggest mistakes were almost always trying to be too clever success hides behind what is the dumbest thing that could possibly work the takeaway here is that you should always start simple and iterate so this is our

Farm is a single 13-inch MacBook Pro I don’t know if this is actually gonna wear it’s not a big deal vanilla I’m only gonna play a few seconds of it so this is me literally placing my wallet on the enter key and you can see that there’s a box popping up and we’re

Buzzing our buzzers running now and flipping bits in the messages and the screen is changing colors you’re gonna start seeing the box is freaking out it’s going all over the place this is because the bits are being flipped it’s corrupting stuff it’s changing the messages I normally this this little box

Is supposed to show you password hint but the thing is by holding the Enter key on the lock screen all this traffic was being generated to the windows server and every time the windows server crashed you know where it brings you to brings you right back to your lock

Screen so we have this awesome flooding set up by just holding the enter key yeah oh no I started to know Allah well yeah it could work okay add good work we love idols that picture advanced persistent threat in our blog so this is a crash that we got

Out of the buzzer um this occurred very quickly after this was probably within the first 24 hours so we found a ton of crashes we we didn’t even explore all of them there’s probably a few still sitting on our server but uh there’s lots and all dear ask lots of garbage

But then this one stood out in particular so anytime you see this thing up here that says exc bad access with a big number of their address it equals blah blah blah that’s a really bad place to be and so this is the vibe that we

Ended up using @po known to perform our sandbox escape if you want to read about it again it’s on the blog we’re not going to go too deep into it here so maybe some of you have seen that inputs up comment comment you know it’s all

About how you know people trying to do these really cool clever things they think it people will pain get too caught up trying to inject so much science and technology into these problems that they often miss the forest for the trees and so you know here we are in the second

Channel you know we just wrote this really crappy little buzzer and we found our bug pretty quickly and this guy’s really upset so which brings us to the misconception that only expert researchers with blank tools can find bugs and so you can fill in the blank with whatever you want it can be

Cutting-edge tools state-of-the-art state-sponsored magic bullet this is not true there are very few secrets to the next observation you should be very wary of any bugs that you find quickly a good man turret is that an easy to find bug is just as easily found

By others and so what this means is that soon after our blog post on how so absolutely at Coney Island 2018 we actually knew we had collided with fluorescence one of the other competitors we both struggled with exploiting this issue is a difficult fight to exploit you know and we were we

Had some very creative exploit it was a very strange but uh there’s some discussion after the fact on Twitter by Ned start by noting is probably out here actually speaking tomorrow you guys should go see his talk about the chrome IPC that should be really good but there’s some discussion on Twitter

That Ned had started and Lester’s also here said well at least three teams found it separately so at least us fluorescence and Nicholas had found this body and we were all at Ponemah own so you can think how many people out there might have also found this there’s

Probably at least a few how many people actually tried to weaponize this thing uh maybe not many is kind of a difficult line and so they’re probably at least uh yeah a few other researchers who are aware of this book so yeah that kind of

Closes the you know if you found a bike very quickly especially with buzzing you can almost guarantee that someone else has found it so I want to pass over the next option to Amy to continue and yeah yep alright so we just talked a bunch about you know techniques and

Expectations when you’re actually looking for the bug I’m gonna take over here and talk a little bit about what to expect from trying to you know exploit whatever bug you end up finding yeah so we have the exploit development is next step so okay you found a bug all

Right you’ve done the hard part you were looking at whatever your target is maybe it’s a browser maybe it’s the Windows server or the kernel or whatever you’re trying to target but the question is how do you actually do the risk how do you go from the bug to actually popping a calculator

Onto the screen the systems that you’re working with have such a high level of complexity that he’s are just like understanding you know enough to know how your fun words it might not be enough to actually know how to exploit it should we try to like brute force our

Way to an exploit that a good idea well alright before we try to tackle your bug let’s take a step back and ask a slightly different question you know how do we actually break the next play which is in general now you know I feel like a lot of people consider these kind

Of exploits maybe be in their own league at least when you compare them to something like maybe what you do at a CTF competition or something simpler like that and if you work for example to be given a browser exploit challenge I the CTF competition it may seem like an

Impossibly daunting task has just been laid in front of you if you’ve never done this stuff before so how can we work to sort of change that view and you know it might be kind of cliched but I actually think the best way to do it is

Practice and I know everyone says oh how do you get good practice but I think that this is actually very valuable for this and the way that practicing actually comes out is that well before we talked a lot about consuming everything you could about your target like searching for everything you could

The public downloading it trying to read it even if you don’t understand it because you’ll hopefully glean something from it it doesn’t hurt but maybe your goal now could be actually trying to understand it as at least as much as you can you know it’s going to be

To be easy these are very inserted systems that we’re attacking here and so it will be a lot of work to understand this stuff but for every old exploit you can work your way through the pack will become clearer or actually explain these targets so as because I focus mostly on

Browser work and I did that browser part of our chain at least the exploitation part I have done a lot of to exploit and write a ton of browser exploits and one thing that I have found is that a lot of them have very very similar structure and they’ll have similar techniques in

Them they’ll have similar sort of primitives that are being used to build up the exploit and so that’s one observation and to actually illustrate that I have an example so alongside us at this phone to own the spring we had a sandal grasp of Phoenix he’s probably

Here right now but so he was targeting Safari just like we were but his bug was in the just-in-time compiler at the JIT which converts javascript to the machine code our boat was nowhere near that it was over in the garbage collector so completely different kind of bug but the

Bug here that it was super reliable it was very very clean I recommend you go look at it online that is a very good resource and then a few months later pwned on mobile so another pony in it we have a forest cake which was an amazing team

Who matched to pretty much bone everything they could get their hands on it’s like competition including an iPhone which of course iPhone uses Safari so they needed a Safari bug the Safari button that they had was very similar in structure to the previous bug earlier that year at least in terms of

How the bug worked and what you could do with it so now you could exploit both of these bugs with very similar exploit code almost in the same way there were a few tweaks you had to do because Apple added two things since then but the path

Between bug and code execution was very similar then even a few months after that there is a CTF called real-world CTF which took place in China and as the title suggests they had a lot of realistic challenges including Safari so of course where my team archaic was

There and they woke me up in the middle of the night and tasked me with solving it and so I was like ok ok look at this and I looked at it and it was a JIP bug and I’ve never actually before that looked at the Safari JIT and so you know

I didn’t have much previous experience doing that but because I had taken the time to read all the public exploits so I read all the poem the other poem to own competitors exploits and I read all the other things that people were releasing four different sea bees I had

Seen a bug like this before very similar and I knew how to exploit it so I could I was able to quickly build the path from bug to code exec and we actually managed to get first blood on the challenge which was really really cool so so what does this actually mean well

I think not not every bug is gonna be you know that easily just to swap into an exploit but I do think the understanding old ex place is extremely valuable if you’re trying to explain new bugs a good place to start if you’re interested in looking at old bugs is on

Places like this with the jazz foam DB which is a basically a repository of a whole bunch of JavaScript bugs and krupa concepts and sometimes even exploits for them and so if you were to go through all those again you have a great understanding of the types of bugs that

Are showing up these days and probably how to explain most of them and but there aren’t that many bugs they can get published that are full exploits there’s only a couple year maybe so what do you do from there once you’ve read all of those and you want to learn more well

Maybe you start trying to exploit other bugs yourself so you can go for example I like chrome because they have a very nice list of all their vulnerabilities that they post every time they have an update and they even link you to the issue so you can go and see exactly what

Was wrong and so take some of these for example at the very top you have out of bounds right and v8 so we could click on that and go and see what the bug was and then we could try to write an exploit

For it and then by the end we all have a much better idea of how to exploit and out of bounds right and yeah and we’ve now done it ourselves too so this is a chance to sort of apply what you’ve learned but you think okay that’s a lot

Of work you know that I have to do all kinds of other stuff I’m still in school or I have a full-time job nice place ETF’s well it’s like it’s a good question the question is how much these two camps actually help you with these kind of exploits I do think that

You can build a very good mindset for this because you need a very adversarial mindset to do this sort of work but a lot of the time the challenges don’t really represent the real-world exploitation there’s a good tweet just the other day like a few days ago where we’re saying

That yeah Lipsy is it’s like random whoopsy challenges I just I don’t think it’s yes it’s let’s see here yeah are often very artificial and don’t carry much value to real world because they’re very specific some people love these sort of very specific CTF challenges but

I don’t think that there’s as much value as there could be however a lot of there’s been a couple CTS recently and historically as well that have had pretty realistic challenges in them in fact right now is they seek a 35 C 3 CTF is running and they have three

Browser exploit challenges they have a full chain safari challenge they have a virtual box challenge it’s like it’s pretty crazy um and it’s crazy to see people solve those challenges in such a short time span too but I think that it’s definitely something that you can look

At afterwards even if you don’t man to get through one of those challenges today but something to like try to work on and so these are these sort of new or CTFs are actually pretty good for people could want to jump off to this kind of real estate or real exploit development

Work however it can be kind of scary for newer newcomers to the CTF scene because suddenly you know it’s your first CTF and they’re asking you to exploit chrome and you’re like what what is going on here so there is a bit of double-edged sword sometimes alright so now we found the

Bug and we have experience so what do we actually do well you have to kind of get lucky though because even if you’ve had a ton of experience that doesn’t necessarily mean that you can instantly write an exploit for a bug our javascript exploit was kind of like that

It was kind of nice we know what to do right away but the Brat are our sandbox exploit did not fit into a nice box of a previous exploit that we had seen so I took a lot of effort quickly I’ll show so this was the actual bug that we exploited

For the sandbox it’s a pretty simple bug it’s a integer issue where index is signed which means it can be negative so normally it expects like a value like fork but we could give it a value like negative 3 and that would make it go out

Of bounds and we could corrupt memory so very simple bug not like a crazy complex one like some of the other ones we’ve seen on but does that mean that this exploit it’s gonna be really simple well let’s see oh that’s a lot of code so our exploit for this bug and have

Been about 1,300 lines and so that’s pretty crazy and you’re gonna probably wondering how it got there but I don’t say just be aware that it when you do find a simple-looking bug it might not be that easy that to solve or to exploit and it might take a lot of effort but

Don’t get discouraged if it happens to you it just means it’s time to write the exploit development rollercoaster and basically what that means is there’s a lot of ups and downs to an exploit and we have to basically ride the roller coaster until hopefully we haven’t the

Exploit finished and we had to do that for our sandbox xscape and so to start I said we found the bug and we had a bunch of great ideas we’ve previously seen a bug exploited like this by keen and we had read their papers and we had a great

Idea but then we’re like ok ok this is gonna work we just have to make sure this one bit is not set and it was like in a random looking value so we assumed it would be fine you know but turns out that bit is always set and we have no

Idea why and note and no one else knows why so Thank You Apple for that and so right ok maybe we can work around it and maybe we can figure out a way to unset it and we’re like oh yes we can delete it it’s gonna work again everything will be

Great until we realize that that actually breaks in our stance plate so it’s this back and forth that’s an up and down and you know sometimes when you solve one issue you know you think you’ve got what you need and then another issue shows up yeah so it’s all about making incremental progress

Towards removing all the issues that are in your way and getting at least something that works assembly just as a quick aside this all happened within like sixty minutes one night yeah there was just a me saw me just like I was just like I’m out of breath I was like

Are you kidding me like did there’s two bugs that trick this up that meant that may just find much more difficult to explain and there’s no good reason for why does the issue disorder there and whose is a horrible experience but it’s still one I’d recommend yeah sure and

Then so that this roller coaster and it’s actually applies to the entire process not just for you know the exploit development because you’ll have it when you to look fine crashes that don’t actually lead to vulnerabilities or on exploitable crashes or super unreliable exploits you just have to

Keep pushing your way through until eventually you’ll hopefully get to the end of the ride and you’ve got yourself a nice exploit and so now okay so we assume okay we’ve written an exploit at this point it’s a maybe it’s not the most reliable thing but it works like I

Can give to my code exec every now and then so guess they’re talking about the payload so what is the payload exactly the payload is whatever your exploits trying to actually do it could be trying to open up a calculator on the screen it could be trying to launch your sandbox

Escape exploit it could be trying to clean up your system after you’re explained by that I mean fix the program that you’re actually exploiting so it’s ETFs we don’t get a lot of practice with this because we’re so used to doing system you know cat play and then it

Doesn’t matter if the entire program is crashing down the planes around us cuz we got the flag and so in this case yeah you count the flag and then it crashes right away because you didn’t have anything after you’re rocking but in the real world it kind of matters a little

More so here’s an example of like what would happen if your exploit didn’t clean up after itself and his crashes and you go back to the logon screen this doesn’t look very good this yeah if you’re at a conference like Kondo own this won’t work I don’t think that they would let

You when if this happened and so it’s very important to try to go back and fix up any damage that you’ve done to the system before hey Bobby right after you finished all right and so actually running your payload so a lot of times we see ours in the exploits

We’ll see that you’ll get to the code exec here which is just cc’s which men means int 3 which just tells a program to stop or trap to a breakpoint and all the exploits you see most the time they just stop here they don’t tell you

Anymore and to be fair you know they’ve gotten you the code exec they’re just talking about the exploit but you know we stopped to figure out how to do your payload because unless you want to write those thirteen hundred lines of code in handwritten assembly and then make it in

The shellcode you’re not gonna have a good time and so we had to figure out a way to actually take our payload right into the file system in the only place that the sandbox of lettuce and then we could run it again as a library and then

It would go and actually do our exploit yeah and so now that you’d like to come build everything you’re almost done here you have your exploit working you get a calculator pops up this is actually our sandbox escaped running and popping calculator and proving that we had root

Code exec but we’re not completely done yet because we need to do a little bit more which is exploit reliability we need to make sure that our exploit is actually is reliable as we want it to because it only works one in a hundred times that’s not going to be very good

For panda own we ended up building a harness for our Mac which would let us run the exploit multiple times and they collect information about it so we could look here and we could see very easily how often it would fail and half and would succeed and then we could go and

Get more information maybe a log and other stuff like how long it ran and this is what made it very easy to iterate over our exploit and try to correct issues and make it better and more reliable I found that most of our failures were coming from our heat groom

Which is where you try to align all your memory in certain ways but there’s not much that you can do there in our situation so we tried to make it as best as we could and then accepted the reliability that we got on something

Else might want to test on is a bunch of multiple devices for example our JavaScript exploit was a race condition so that means the number of CPUs nodes of ice on the speed at the CPUs actually might matter when you’re running your exploit you might all launch five different operating systems or different

Operating system versions because even if they’re all vulnerable they might have different quirks or tweets that you have to do to actually make your exploit work reliably on all of them we had we wanted to test on the mac OS beta as well as the normal mac OS release so

That we could make sure it worked in case apple pushed an update right before the competition so we need to make sure that some parts of our code on our exploit the interchange so for example we have addresses here that we are specific to the operating system version

And we could swap those out very easily by changing what part of the code is done here yeah and then also if you’re targeting some browsers you might be interested in testing them on mobile too even if you’re not targeting a mobile device because a lot of times the bugs

Might also work on a phone or at least the initial bugs will and so that’s another Murray you might be interested in if you weren’t thinking about it originally so generally what I didn’t lose my concurrently and everything you can really you will be able to recover some reliability percentages or figure

Out things that you of course on your initial testing hey I’m gonna throw it back over for the final section so I didn’t get get to spend as much time as I would have liked on this section but I think it’s an important discussion to

Have on here and so the very last step of our layman’s guide is about responsibilities and so this is critical and so you listen to our talk you’ve seen us develop the skeleton keys to computers and systems and devices you know we didn’t we can create doors into computers and servers and people’s

Machines you can invade privacy you can feel damage to people’s lives and companies and systems and countries and so there’s a lot of you have to be very careful with these and so everyone in this room you know if you take any of our advice going into this stuff you

Know please acknowledge what you’re getting into and what can be done to people and so there’s at least one example that’s kind of related that I pulled out quickly that you know quickly came to mind was in 2016 I I’m supposed to remember this day actually I was

Sitting at work and there’s this uh there is this massive DDoS that plagued the Internet at least in the US and it took down all your favorite sites Twitter Amazon Netflix Etsy did help Spotify read it I remember the whole intern and it came to a halt in the US

This is a health tree outage map this was absolutely insane and I remember people were bouncing off the walls like crazy you know after the fact they’re all referencing British diners blog and they were you know on Twitter there’s all this discussion popping up that this is likely a state

Actor this is a newly sophisticated DDoS attack Bruce suggested it was China or Russia or you know some nation-state and the blog post was specifically titled someone is learning how to take down the internet but then a few months later we figured out that this was called the

More I bought that and it’s actually just a bunch of kids trying to ddos each others minecraft servers well I know it’s a it’s scary because you know I have a lot of respect for no way how talented they are and it’s a but people may be very conscious about the damage

That can be caused by these things Mariah they weren’t using O’Day’s per se well later nowadays they are using nowadays but but back then they weren’t it was an IOT baseball hat one of the biggest in the world our highest throughput but it was incredibly damaging and you know so when you’re

It’s hard to recognize the power of an eau de until you are wielding it and so that’s why it’s not the first step of the layman’s guide once you finish this process you will come to realize the danger that you can cause but also the danger that you might be putting

Yourself in and so I kind of want to close on that please be very careful right and so that’s all we have this is a conclusion the layman’s guide that’s the summary if you have any questions we’ll take them now otherwise if you’ve run out of time then you catch us after

The talk and I’ll have some cool stickers too while great toxic we have very very little time for questions if somebody’s very quick they can come up to one of the microphones in the front we’ll handle one but otherwise will you guys be available after the talk

Yeah we’ll be available after the top you wanna come up in chat I we might get swarmed but we’ll also have some cool red few stickers so come grab them if you want and then work where can we find you we’ll be over here we’re trying to

Head out to the back yeah yeah could we have another talk coming down in a moment or so okay I don’t see any questions so I’m going to wrap it up at this point but as I said the speakers will be available let’s give this great speech another round of applause [Applause]

Okay so that’s it for this effort iseman stream you go and check out layers goodnight and if you’re watched until you go check out the original talk the layman’s guide to zero day engineering link to that in the description I think it was an interesting talk and it is it

Deserves some nice comments and likes so do that on the original video not here this is an advertisement video for minecraft server and also please do not ddos the server or you might actually accidentally delete the internet that’s what we learned from this episode nice see you in the next three