Firmware Cartography: Charting the Course for Modern Server Compromise

Video Link: https://www.youtube.com/watch?v=B5LfnHoZnXE



Duration: 51:27


Nathan Keltner | CTO, Cofounder, Atredis Partners
Dionysus Blazakis | Principal Research Consultant, Atredis Partners
Location: Jasmine
Date: Thursday, August 8 | 12:10pm-1:00pm
Format: 50-Minute Briefings
Tracks: Hardware/Embedded, Platform Security

The modern server is the Matryoshka doll of computers, computers inside computers, a giant, undocumented mess. Undocumented devices have made homes at undocumented addresses, on buses, and in protocols most server owners don't know exist. With few exceptions, however, they and their secrets can't really stay hidden -- you just have to know how to look.

In this talk, we'll cover our methodology for vulnerability hunting in undocumented server components, mapping the paths laid out in binary firmware images. Tracking the interactions between software, hardware, and everything in between exposes the permeable (or missing!) security controls that attempt to block you from opening these new worlds to explore. Through PoC helper libraries and chaining useful primitives together, oh, the places you'll go.

In addition to showing how to find new vulnerabilities, we'll use case studies of public vulns found by ourselves and others, explaining what makes them unique, or common, and other unreleased exploitation details. We'll release initial versions of Binary Ninja plugins we're working on at Atredis Partners, bringing UEFI coverage to the new platform and its hot MLIL. And who knows, we might disclose some new bugs or useful post-exploitation details if we're able.







Black Hat - USA - 2019 Hacking conference



