Assembly Tanka on Web - Aiko Kenji

Post on 05-Dec-2014

DESCRIPTION

http://ja.avtokyo.org/MediaArchives

TRANSCRIPT

<ul>
<li> 1. Let's make Assembly Tanka on Web. Kenji Aiko @07c00 kenjiaiko@gmail.com </li>
<li> 2. What's Assembly Tanka on Web? </li>
<li> 3. What's Assembly Tanka on Web? </li>
<li> 4. How to run binary code in the browser: how to build an environment for running any machine code </li>
<li> 5. Implementation: 1. Emulation: emulate some CPUs (ex: x86/ARM/ppc emulation in JavaScript). 2. Sandbox: exec in a jail (VM) (ex: exec on a VM -&gt; send the result to the browser) </li>
<li> 6. Implementation: 1. Emulation: emulate some CPUs (ex: x86/ARM/ppc emulation in JavaScript). 2. Sandbox: exec in a jail (VM) (ex: exec on a VM -&gt; send the result to the browser) </li>
<li> 7. CPU emulation in JavaScript: jslinux http://bellard.org/jslinux/ and Virtual x86 http://copy.sh/v24/ </li>
<li> 8. Assembly Tanka on JavaScript (cpux86.js): xor eax,eax = 31 C0, eax = 0x00 </li>
<li> 9. Assembly Tanka on JavaScript (cpux86.js): PUSH! Demo: Assembly Tanka on JavaScript http://07c00.com/asmtanka_on_js/ xor eax,eax = 31 C0, eax = 0x00 </li>
<li> 10. Demo http://07c00.com/asmtanka_on_js/ </li>
<li> 11. Implementation: 1. Emulation: emulate some CPUs (ex: x86/ARM/ppc emulation in JavaScript). 2. Sandbox: exec in a jail (VM) (ex: exec on a VM -&gt; send the result to the browser) </li>
<li> 12. Sandboxes for analyzing malware: https://www.virtualbox.org/wiki/Screenshots VirtualBox https://www.virtualbox.org/ VMWare http://www.vmware.com/jp </li>
<li> 13. But it is unrealistic to run a VM for only 31 bytes </li>
<li> 14. So, first run 2 processes, a debugger and a debuggee. The debugger gives the debuggee some code, and the debuggee returns the result of executing it to the debugger </li>
<li> 15. Assembly Tanka on server side: tanka.cgi starts a new process, debugs it, and returns the result. Code to execute: 6a 00 58 50 40 68 79 61 6d 61 50 40 6a 08 5a 5b 40 68 57 61 6b 61 54 40 59 cd 80 58 58 58 c3. Debugging API: DebugActiveProcess (Win), ptrace (UNIX) </li>
<li> 16. Assembly Tanka on server side (tanka.cgi, new process): 6a 00 58 50 40 68 79 61 6d 61 50 40 6a 08 5a 5b 40 68 57 61 6b 61 54 40 59 cd 80 58 58 58 c3. STEP: push 0x00 = 6a 00. At every step, the debugger checks the code </li>
<li> 17. Assembly Tanka on server side (tanka.cgi, new process): 6a 00 58 50 40 68 79 61 6d 61 50 40 6a 08 5a 5b 40 68 57 61 6b 61 54 40 59 cd 80 58 58 58 c3. STEP: pop eax = 58. At every step, the debugger checks the code </li>
<li> 18. Assembly Tanka on server side (tanka.cgi, new process): 6a 00 58 50 40 68 79 61 6d 61 50 40 6a 08 5a 5b 40 68 57 61 6b 61 54 40 59 cd 80 58 58 58 c3. STEP: push eax = 50. At every step, the debugger checks the code </li>
<li> 19. Assembly Tanka on server side (tanka.cgi, new process): 6a 00 58 50 40 68 79 61 6d 61 50 40 6a 08 5a 5b 40 68 57 61 6b 61 54 40 59 cd 80 58 58 58 c3. STEP: inc eax = 40. At every step, the debugger checks the code </li>
<li> 20. Assembly Tanka on server side (tanka.cgi, new process): 6a 00 58 50 40 68 79 61 6d 61 50 40 6a 08 5a 5b 40 68 57 61 6b 61 54 40 59 cd 80 58 58 58 c3. STEP: int 0x80 = cd 80. At every step, the debugger checks the code. It also monitors system calls: if the code is cd 80, it stops the process </li>
<li> 21. Demo http://x86.seccon.jp/99.html </li>
<li> 22. Yaha-, it's completely OK! </li>
<li> 23. However </li>
<li> 24. Critical vulnerabilities </li>
<li> 25. cd 80 (int 0x80): actually, you can exec cd 80 with a prefix </li>
<li> 26. The sandbox code I wrote: if(code[0] == 0xcd &amp;&amp; code[1] == 0x80){ exit(1); } execute(code); I thought you could NOT exec system calls </li>
<li> 27. The sandbox code I wrote: code = {0x2e, 0xcd, 0x80}; if(code[0] == 0xcd &amp;&amp; code[1] == 0x80){ exit(1); } execute(code); However, cd 80 can be executed with some prefix (ex: 0x2e) </li>
<li> 28. orz </li>
<li> 29. orz Really difficult to write secure code </li>
<li> 30. How to enjoy it: trying on several CPUs; trying on several OSes; try how many characters you can put in; Try for a Tasty; an environment for easily learning assembly; automation of making Tanka </li>
<li> 31. You should enjoy what you want to do. But I recommend you try Assembly Tanka once </li>
<li> 32. Lastly, I introduce others on JS </li>
<li> 33. Binary Karuta on JS: Demo </li>
<li> 34. Assembly Tetris on JS: Demo http://07c00.com/asmtetris_on_js/ </li>
<li> 35. Enjoy a binary! </li>
<li> 36. Thank you! Now on sale! http://www.amazon.co.jp/dp/B00ICKLC2U/ </li>
</ul>
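A hardened form of the opcode check from slides 26 and 27, as an added example that is not the speaker's code: it skips x86 legacy prefix bytes before matching, and goes slightly beyond the slides by also flagging sysenter (0f 34) and syscall (0f 05). The function names and the choice to treat every legacy prefix as skippable are assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* The check from the slides: only looks at the first two bytes. */
static int naive_is_int80(const unsigned char *code, size_t len)
{
    return len >= 2 && code[0] == 0xcd && code[1] == 0x80;
}

/* x86 legacy prefix bytes: segment overrides, operand/address size,
 * LOCK, REPNE, REP. Treating all of them as skippable is conservative:
 * a combination the CPU would reject is still flagged. */
static int is_legacy_prefix(unsigned char b)
{
    switch (b) {
    case 0x26: case 0x2e: case 0x36: case 0x3e: case 0x64: case 0x65:
    case 0x66: case 0x67: case 0xf0: case 0xf2: case 0xf3:
        return 1;
    default:
        return 0;
    }
}

/* Hypothetical helper: returns 1 if the instruction starting at code[0]
 * (the bytes at the debuggee's EIP) enters the kernel, else 0. */
static int is_syscall_insn(const unsigned char *code, size_t len)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(code[i]))
        i++;                      /* bounded by len, never reads past it */
    if (len - i < 2)
        return 0;
    if (code[i] == 0xcd && code[i + 1] == 0x80) return 1; /* int 0x80 */
    if (code[i] == 0x0f && code[i + 1] == 0x34) return 1; /* sysenter */
    if (code[i] == 0x0f && code[i + 1] == 0x05) return 1; /* syscall  */
    return 0;
}

int main(void)
{
    /* The prefixed sequence shown on slide 27. */
    const unsigned char code[] = {0x2e, 0xcd, 0x80};
    printf("naive check:    %d\n", naive_is_int80(code, sizeof code));
    printf("hardened check: %d\n", is_syscall_insn(code, sizeof code));
    return 0;
}
```

Byte matching of this kind still depends on enumerating every encoding; intercepting system calls on the kernel path (for example ptrace with PTRACE_SYSCALL, or seccomp) does not.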