Posts

Showing posts from December, 2015

Right now at Dreamplex

Image
I feel old sitting next to these comrades. What was I doing when I was 20? Didn't really remember, but for sure I wasn't learning to hack Windows kernel.

Dreamplex looks like a nice place. They probably need to provide more comfortable chairs, but the offices look modern with fancy equipments and really fast WiFi, and the atmosphere is exciting with a lot of folks busily coding their dreams. I feel like at home.

Here come the winners

Whoa. Bruce and I have finally selected the winners of the memset challenge. We got 9 submissions, 5 of which came up with the same size, but only one person attempted to implement memcpy, and it's Manh Luat Nguyen. Congratulations!
The winning code is
global my_memset my_memset: pop edx ; return address pop edi ; src String pop eax ; char pop ecx ; length push edi rep stosb pop eax sub esp,16 ret
The resulting shellcode is 12-byte: \x5a\x5f\x58\x59\x57\xf3\xaa\x58\x83\xec\x10\xc3. Instead of using movs, Luat was the first that creatively used one-byte pop instructions to save space.
The runner ups are - Pham Hong Phi (12 bytes) - Le Thanh Binh (12 bytes) - Nguyen Vu Hoang (12 bytes)
There's actually one person that came up with a 10-byte implementation, it didn't pass my unit tests, but Bruce likes him enough that he wants to give him a special prize. Congratulations to Pham Viet Hoa!
Regarding scholarships I made a stupid mistake and booked a room too small (there were also some la…

Another update on memset()

We test submissions by running them through a set of unit tests which are written in standard C. Each unit test accepts a function pointer, which points to the being tested implementation. Thus, your function needs to work properly when called in a C program. While it's possible to use special compiler options or attributes to reduce code size, we won't use them in our unit tests. Moreover, if we replace the standard memset with your implementation existing C programs must still work.Although you can give us an .asm file, it's best if you just give us some shellcode.We have one hour to go, and the correct and shortest implementation that we've seen so far is 12-byte.

Last update on the memset challenge

We've received many good submissions to the memset challenge in the past 24 hours. We haven't tested, but it looks like someone has managed to shrunk it to fewer than 10 bytes, really cool!

Note that although we ask you to optimize for code size, in order to win your implementation must be correct first. It looks like some implementations don't return anything which is wrong as memset returns its first argument. Please send us updates if you want to correct your submission.

We're going to head out for the meeting at University of Science. After that we'll test the implementations and measure their size. We'll announce the winners early this evening.

Thanks all for participating!

The shortest memset is... ?

We have a few 100% scholarships for college students to attend Bruce Dang's training class at TetCon 2016. In order to select the best persons that might make the most out of the class, we ask those who want to apply for the scholarship to implement memset, and whoever writes the shortest code wins. More details on this mini challenge can be found here.

So far we've already received 3 submissions. The shortest implementation is just 10-byte. Can you beat it ;)? Don't worry if you can't we'd love to see your code anyway.
--
In other news, tomorrow Bruce and I are going to have a Q&A session with computer science and computer security students at University of Science. We're going to share what we do in our day jobs, and answer any questions the audience might have w.r.t technology, working in the U.S., etc. The exact date and location is
Time: 13:00, December 29 2015 (tomorrow) Location: Room I-23, 227 Nguyễn Văn Cừ, District 5.
The organizers told me that eve…

Đánh nhau bằng toán

(Hello Facebookers! Có vẻ như ai đó đã gửi bài này lên Facebook. Tôi thấy rất nhiều người đọc đến từ đó. Tôi thêm vào một phần tóm tắt để cho những ai không rành kỹ thuật dễ nắm bắt hơn.)

Tóm tắt: Juniper, một hãng chuyên bán các thiết bị mạng nổi tiếng của Mỹ, thông báo rằng có ai đó đã bí mật cài mã độc vào các thiết bị của họ. Mã độc này cho phép kẻ tấn công có thể truy cập từ xa vào các thiết bị này, đồng thời giải mã luôn các dữ liệu được gửi xuyên qua chúng. Sau quá trình tìm hiểu, người ta phát hiện ra một trong hai mã độc có liên quan đến giải thuật tạo số ngẫu nhiên Dual EC. Từ năm 2007 hai nhà nghiên cứu ở Microsoft đã chỉ ra rằng giải thuật này có thể đã bị NSA cài mã độc và điều đó sau này được xác nhận bởi các tài liệu do Edward Snowden tiết lộ. Ngoài Juniper thì RSA, một công ty chuyên bán các sản phẩm an toàn thông tin đình đám khác của Mỹ, cũng từng bị phát hiện cố tình sử dụng Dual EC trong các sản phẩm của họ, sau khi nhận 10 triệu USD từ NSA. Nếu bạn là chủ doanh ng…

Free seats for Bruce Dang's training class

Better late than never, I'm excited to announce that we're going to grant a handful of 100% scholarships for college students to attend Bruce Dang's class at TetCon 2016.Since we'll probably receive more applications than available spots, we have a challenge and whoever wins will get to attend the class for free (with a chance to obtain a signed copy of Bruce's book on practical reverse engineering). Anyone can take the challenge, but in order to win you must be currently enrolling to some official university in Vietnam or oversea. We will check your student ID at entrance.The class is two-day, Dec 30 and Dec 31. The location is in downtown Saigon. We won't be able to pay for accommodation or transportation.Without further ado, here's the challenge: write memset() using x86 assembly. Whoever provides the shortest code in terms of code size, i.e., number of instructions, wins. You can implement for Linux or Windows. You can use whatever instruction set you w…

Tại sao các công ty nên gửi người đến TetCon

Trong lần nói chuyện ở ngày hội an toàn thông tin ở VNISA, tôi có nói trái với hiểu biết thông thường của nhiều người hầu hết các thiết bị và giải pháp bảo mật có sẵn thường làm cho hệ thống của người mua kém an toàn hơn (xem tóm tắt báo cáo của tôi ở đây). Mấy tuần vừa rồi xảy ra một sự kiện chứng minh cho luận điểm này.
Nhóm Project Zero phát hiện ra một lỗi chạy lệnh từ xa trên các thiết bị của FireEye. Lỗi chạy lệnh từ xa là dạng lỗi nguy hiểm nhất vì chúng cho phép toàn quyền điều khiển mục tiêu có lỗi. Các thiết bị của FireEye thường được đặt ở những khu vực trọng yếu trong hệ thống, có thể thấy hết toàn bộ dữ liệu đi ra đi vào hệ thống, từ email, tài liệu, cho đến mật khẩu, v.v. Nói cách khác, các thiết bị này trở thành mục tiêu "béo bở" nhất. Vấn đề là chất lượng an ninh phần mềm của các thiết bị như vậy thường không được đảm bảo, bởi các công ty làm thiết bị an ninh, trớ trêu thay, lại thường không có đội làm an ninh phần mềm. Ngoài FireEye, Project Zero còn phát hi…

Sài Gòn

Bay nửa vòng trái đất, vừa thấy may mắn vì mình sinh ra thời này, di chuyển xa như vậy mà chỉ mất có chưa đến một ngày, vừa thấy mệt vì vẫn còn dài quá. Chuyến bay đầu kéo dài gần 15 tiếng đồng hồ, thêm chuyến sau 2 tiếng nữa, cuối cùng tôi cũng đã về đến Sài Gòn. Chỉ có điều hành lý thì vẫn đang ở lại San Francisco. Tôi sẽ sa thải hãng United mắc dịch.
Năm nay tôi chỉ về vài bữa, phải quay trở lại ngay sau TetCon 2016. Tôi muốn đi dự hội thảo Real World Crypto 2016 diễn ra ngay sau TetCon 2016 ở Stanford, lỡ hẹn mấy lần rồi. Nhắc mới nhớ, hôm trước nhờ báo Tuổi Trẻ đưa tin (có chỗ sai là tôi không phải làm cho Project Zero), bán nhanh vèo vèo, bây giờ đã bán hết hơn 2/3, chỉ còn vài chục vé cuối cùng. Ai chưa mua nên nhanh tay.
Thời gian ít ỏi nên chắc tôi chỉ loanh quanh ở nhà với gia đình. Hoạt động yêu thích của tôi là dẫn mấy đứa con nít trong nhà đi chơi sở thú. Dẫu vậy tôi cũng muốn có một buổi gặp gỡ nói chuyện với các bạn sinh viên đang theo học ngành CNTT hoặc ATTT. Năm n…

Whiteout

Image

TetCon 2016: discounted tickets sold out!

Wow, thanks to your support all of our discounted tickets are claimed. Please keep spreading the word and help us sell even more!

Note that even at full price, we're selling tickets at a loss, as Sheraton charges us \$30 per person. A friend asked why I keep the prices too low, and I don't even have a good reason rather than that I want to ensure that everyone has a chance to attend the conference. That's why we give away 30 free tickets to students who show some interest in our field. That's why we have discounted tickets. But we really need your support to make this work. Please share the conference with a link to https://tetcon.org/ on Facebook, Twitter, your favorite forums, or write about it on your blog. Anything would be helpful and much appreciated :).

We need this world of mouth marketing, because this year I didn't raise enough money to hire someone to run a proper marketing campaign. Last year I got \$17,000 from Microsoft, Facebook, and my employer, but…

TetCon 2016 Final Program Released

Phew! I'm excited to announce that the final program of TetCon 2016 has been released. It'll be a packed day full of hackers and security researchers who will show you how to find 0-days in Microsoft Edge, to break Android phones, or to build your own security tools.

We'll have 10 talks (out of 20 submissions.) We know it's insane to pack so much content in a single day -- next year I'll try to make this a two-day event -- but just come and see, and you'll understand why we chose these talks.

Happy holidays and see you all at Sheraton Saigon a few weeks from now!

TetCon 2016: 3 more new talks announced!

Congratulations to Nguyen Anh Quynh, Nguyen Hong Quang and Nguyen Minh Hai! They will share with us their tools and frameworks that they've built to analyze malware, write exploits, or just do anything you want to do with the CPU. These are must-see talks for people who are into low-level stuff.

I'm waiting for confirmation from the last two speakers, and will update you all as soon as they get back to me.

I've also sent 30 free tickets to students that have reached out to us. We won't be able to give away any more.

There are fewer than 20 discounted tickets left. Go buy yours before the price increases any moment from now.

TetCon 2016 news

I've been working on the final program, and will release it as soon as the committee gives me the green light and the speakers confirm their participants.

If nothing changes at the last minute, the second batch of talks will be on building security tools to find 0days, to analyze malware or to develop kernel exploits. This is another proof that our community has reached to the next level of the security research food chain -- we used to be consumer of tools provided by oversea researchers, but we now build our own ones.
We will have up to 10 talks, and it's already a challenge to schedule the program. We want to give speakers enough time to demonstrate their ideas, but we also want to have more time for tea and lunch breaks which hopefully would sparkle more interactions between speakers and attendants. Speaking of lunch break, it'll be awesome if someone can sponsor a lunch party for everyone. Please drop me a line if you or someone you know are interested in this great c…

First batch of TetCon 2016 talks released tonight

Edit: talks are out. Congratulations to Ngo Anh Huy, Pham Tung Duong, Tran Minh Quang, Nguyen Van Long, Hung Dang, and Caleb Fenton!

We've finally come up with the first batch of talks, which will be released on https://tetcon.org as soon as I get home today (I'm at work and don't have access to the server.) The rest will be chosen and announced in a few days.

The talks are super interesting, some are very original, and I'm sure you will enjoy them all. All but one speaker are local, but what's made me most excited is I don't know most of them. Perhaps I've been too disconnected with the community -- I used to know most Vietnamese hackers -- but perhaps there is now a new generation with so many great hackers that it's impossible for anyone to know everyone. The new faces are young, speak English, work for big corps or consulting firms, and thanks to CTF games they can reverse engineer code, write exploits, hack web or break crypto. I have no doubt that…

Bad Life Advice: Never Give Up - Replay Attacks Against HTTPS

(joint work with Thiago Valverde and Quan Nguyen -- see also Thiago's post on his blog)

I was once advised by a self-help book that I should never give up, be confident in myself, and keep trying. The secret to success is failure, wrote the book. I'd always believed that this is a great wisdom until Thiago and Quan helped me realize that it could lead to replay attacks.

A few weeks ago we found that because Chrome (and Firefox and possibly other browsers) automatically retries failed requests, a man-in-the-middle adversary can easily duplicate and replay HTTPS traffic. More details can be found in Thiago's blog post, but the attack can be summarized as follows:

* The adversary sets itself up as a TCP layer relay for the targeted TLS connection to, say, google.com.

* When the adversary detects a request that it wants to replay (using traffic analysis), it copies all relevant TLS records, and instead of relaying the HTTP response from the server it just closes the socket to …

Buy your tickets to TetCon 2016 now!

TetCon 2016 tickets are available for sale today. There are only 300 tickets. Buy yours now before it's too late!

Each ticket is VND500,000, but if you buy before December 21, you are eligible for a ~30% discount, and have to pay only VND350,000. Available tickets are on sale until January 3, 2016. We do not sell tickets on the day of the conference or at the entrance.

For students only: we will give free tickets to eligible students.

TetCon 2016 Last Call For Papers

If you submitted something, I just emailed you with a round of feedback from the committee. Please respond and address our concerns as soon as possible.

If you, however, plan to submit something, this is your last chance. We've received 13 submissions, 9 of them are Vietnamese, 3 of which are working and living oversea, and the rest are foreigner. The committee will be working very hard next week to select the best submissions which together with the invited talks will form the final program of TetCon 2016.

Chances are we have to cancel the training program, unless we get 5 more sign ups for each class before the end of next week. So if you want to learn more about bitcoin, Windows kernel reversing, or crypto, sign up now! I don't want to brag about it, but other conferences have offered the same classes at 4 to 6 times our price.

It's official: TetCon 2016 will be at Sheraton Saigon

It's somewhat unexpected, but a very nice man, perhaps a regular reader of this blog, has helped us secure a deal with Sheraton, the marvelous 5-star hotel right at the heart of Saigon.
Tickets will be on sale tomorrow. See you all at Sheraton on Jan 4, 2016!

TetCon News

* If you want to submit to TetCon, please do it now. The CFP will end by the end of this week.

* If you want to take one of the training classes, please sign up now. We need at least 10 attendants per class; otherwise we have to cancel because we can't cover the cost.

* We are still working on the venue, as it turns out that we couldn't afford what we chose last time. If you know someone that wants to sponsor TetCon please leave a comment or reach out to me in private at thaidn@gmail.com. We seriously need more funding.

Thanks!