I passed the selection for Global Cybersecurity Camp 2025 (GCC2025 below), so I decided to leave the assignments I submitted during the selection here on the internet. I could just paste the original text as-is, but since I'm at it, I'll mix in my impressions. I hope this is useful to someone for something.
As of 2024/12/18, I'm writing this in a hurry to make the Advent Calendar deadline. Please note that this entry may well be revised later.
Basic approach
From reading the description of GCC, the lectures and communication are apparently all conducted in English. In that case, I wanted to write the assignments in English as much as possible too, so I decided to answer in English wherever I could.
What is your cyber security experience?
My cybersecurity experience started in October 2023. At that time, I learned about CTF. Pwnable and reverse in particular seemed pretty cool. But I literally knew nothing about the low-level workings of computers, so I spent half a year studying that by myself. Nowadays, I consistently rank 20th to 50th in many CTFs by solving only pwn, rev, and sometimes misc and OSINT challenges.
Since last March, I've been studying and researching decompilers. Existing decompilers are not perfect. Generally speaking, they have four unresolved problems: Control Flow Graph Recovery, Type Recovery, Control Flow Structuring, and Symbol (Identifier) Recovery. These days, I'm working on verifying the augmentation of datasets used by an LLM-based decompiler. In the future, I'd like to work on anti-disassembly techniques, control flow graph recovery, and category-theory-based machine learning decompilers.
Last July, I participated in the Crisis Management Contest. My team ranked 2nd and received the Mizuho RT prize. Also, as an individual, I received the grand prize from JPCERT/CC. The Crisis Management Contest is a competition in the form of an incident response desk exercise. I learned a lot about incident response, log forensics, and reporting from this contest.
Last August, I participated in the IoT security class at Security Camp. I worked on and learned a lot about security in medical systems, cars, binary forensics, SBOM, IoT, and CPUs. This was an encouraging experience. There were also many interesting classes, and thankfully, students have access to the documents of almost all classes. I learned about compilers and hypervisors by reading these documents; for compilers in particular, I wrote my own in C.
Last October, I participated in the MWS Cup. MWS is a security competition held at CSS (Computer Security Symposium); MWS stands for Malware Workshop. In this competition, I worked on static analysis and ranked 2nd in that category. The target binary in the competition was written in Go. Analyzing it was pretty difficult because Go has its own ABI and data structures. Through the contest, I learned the basics of binaries that are not written in C.
Impressions
For now, I listed the experiences I could write about. Believing it was a points-based system like the Security Camp application assignments, I wrote a lot, but it may have been better to write more compactly. As of December 2024, it has been only a little over a year since I got into security, so there isn't much I can write. The main point is to show that I have been doing various things externally. Looking at the part about compilers now, it is a bit crude and embarrassing.
What is your English proficiency?
Since I was a high school student, I have learned English by communicating with English speakers on the internet, watching videos on YouTube, and reading English documents and tech blogs on programming and software. Through these experiences, I can at least hold daily conversations in English. On the other hand, I'm not so good at writing English. To write English mail or articles, I sometimes use machine translators and dictionaries. For reference, my TOEIC score is 865.
Impressions
A question about English. I answered honestly: that my speaking isn't much of a problem (or so I think), that writing is a bit of a weak point, and how I picked up that English. I also included my TOEIC score and such, hoping it would be a useful reference.
If you have participated in Security Camp, please tell us the event you participated in and the class/track/lectures you attended. (If none, write "none".)
I joined the IoT security class in Security Camp 2024 (セキュリティキャンプ2024 全国大会, the national event). The classes I participated in are:
- Information security about medical information systems.
- The exercise of analyzing CAN packets.
- Understanding file systems and analyzing data in a memory chip.
- Security risk analysis of IoT devices based on SBOM and system information.
- Secure coding experience with a robot car.
- Circuit-level CPU design.
Impressions
I had participation experience, so I noted that. For this question, I feel it might have been better to write in Japanese, since that would be more accurate. But then again, an English-speaking lecturer might be the one reading it.
If you have any publicly available technical activities or materials (blog, X, GitHub, Slideshare, Speaker Deck, etc.), please list their URLs.
X: https://x.com/77777kusa
Qiita: https://qiita.com/kikyo_nanakusa
Blog: https://kikyonanakusa.github.io/blog/
Hatena Blog: https://kikyonanakusa.hatenablog.com/
GitHub: https://github.com/Kikyonanakusa
Impressions
I wrote these, but I wonder if anyone looks at them. I listed the media where I have posted something technical at least once.
Download and analyze FindTheKey.exe. Find the Key this program demands and answer with it.
You passed GCC 2025 pre-test!!
List *all* of the encryption/decryption keys required for generating the Key in the above program (if a key is encrypted, the string obtained after decrypting it), together with their addresses. However, remove dummy keys that are unnecessary for generating the Key so that they are not included, and list only the keys necessary for generating the Key. When writing addresses, since running the program changes the addresses due to ASLR, use 0x140000000, the program's original base address, as the base address.
All numbers are in hexadecimal unless otherwise noted.
- From 140022a37: 6c 6b 3c 41 24 2b 5f 66 4c 40
- From 140022a30: 7b
- From 140022a45: 61
- From 140022a71: 6c
- From 140022a50: 54 68 32 61 54 4a 2c 15 29 24 2d 40 04 02 04 19 6f 54 79 60 7d 75 22 6c 50 4e 2c 12 6d 61
Explain technically, in 200 characters or fewer, how you solved it. Please note that explanations that are far too long will be penalized.
I decompiled the binary in question using Ghidra. I found the entry point from the decompiled code and started the analysis. I found that the binary mainly encrypts and decrypts with XOR over bytes classified by their remainder modulo 3. The operations included dummies that did not change the result. Based on the analysis, I wrote a Python script to identify the Key and derived the requested key.
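As an added check (mine, not part of the original submission or the challenge), the bytes listed in the answer above are enough to reproduce the Key: the 30 bytes at 0x140022a50 XORed with the 10 bytes at 0x140022a37 as a repeating keystream, once the first three key bytes are masked with the three single bytes. Which single byte masks which key position is my inference from the data, not something the answer states.

```python
# Added example: reproduce the FindTheKey answer from the listed bytes.
# The address -> bytes data is copied from the answer above; the pairing of the
# three single bytes with key positions 0, 1, 2 is inferred from the data.
from collections import Counter
from typing import Dict, List

LISTED: Dict[int, bytes] = {
    0x140022A37: bytes.fromhex("6c6b3c41242b5f664c40"),   # 10-byte base key
    0x140022A30: bytes.fromhex("7b"),                      # single-byte masks
    0x140022A45: bytes.fromhex("61"),
    0x140022A71: bytes.fromhex("6c"),
    0x140022A50: bytes.fromhex(                            # 30-byte ciphertext
        "54683261544a2c1529242d40040204196f5479607d75226c504e2c126d61"),
}

# Inferred: which single byte is XORed into which position of the base key.
MASKS: Dict[int, int] = {0: 0x140022A45, 1: 0x140022A71, 2: 0x140022A30}


def surviving_operands(ops: List[int]) -> List[int]:
    """Drop XOR operands that cancel out, i.e. appear an even number of times.
    This is the 'key ^ a ^ a' dummy pattern the task warns about: only operands
    used an odd number of times affect the result, so only those are real keys."""
    parity = Counter(ops)
    return [op for op in parity if parity[op] % 2 == 1]


def effective_keystream() -> bytes:
    """Base key with the single-byte masks folded into positions 0..2."""
    ks = bytearray(LISTED[0x140022A37])
    for pos, addr in MASKS.items():
        ks[pos] ^= LISTED[addr][0]
    return bytes(ks)


def xor_with_repeating_key(data: bytes, keystream: bytes) -> bytes:
    """XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ keystream[i % len(keystream)] for i, b in enumerate(data))


def recover_key() -> str:
    ciphertext = LISTED[0x140022A50]
    return xor_with_repeating_key(ciphertext, effective_keystream()).decode("ascii")


if __name__ == "__main__":
    print(recover_key())  # You passed GCC 2025 pre-test!!
```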
Impressions
FindTheKey.exe
The task was to take some binary and analyze it. Honestly, when I first saw it I thought "ugh, a PE file, I'm bad at these", but once I tried, it somehow worked out. I used Ghidra for the analysis. As a tip for using Ghidra, I have lately come to think it is important not to trust the decompiled code and to read the assembly instead.
The key was encrypted by multiple XOR operations, and once found, decryption was easy. As the second question also says, however, operations that cancel out during encryption were mixed in, so I took care not to extract those (like the $a$ in $key \oplus a \oplus a$).
The third question said 200 characters or fewer, so I answered in Japanese, which packs more information per character. With 200 characters of English I could not have said what I wanted to say.
DNS tunneling is one technique attackers use for Command & Control communication. Research and answer: (1) what DNS tunneling is, (2) the advantages for attackers in using it, and (3) countermeasures.
1st question:
DNS stands for Domain Name System. It is usually used to convert a raw IP address (e.g. 142.250.206.206) to a URL (e.g. google.com). Because of this use, almost all computers connected to the internet use DNS, and it is trusted. Generally, software uses URLs to communicate over networks. While doing this, the computer communicates with a DNS server to convert the URL to an IP address. For this reason, DNS is required for networking, and many firewalls don't block DNS packets. Malicious actors use this firewall rule to avoid security systems and deliver traffic.
To establish DNS tunneling, crackers use the following method:
- Crackers prepare a domain and an authoritative DNS server under their control.
- In some way, crackers deliver malware to the inside of the firewall.
- The malware issues a DNS query to the cracker's DNS server. Data is often appended as subdomains. This packet is not filtered by firewalls.
- The cracker's server returns a response. It contains data or commands that will be executed on the infected machine.
2nd question: The advantages of using DNS tunneling are the following:
- DNS is widely used and trusted. For this reason, DNS packets are rarely blocked.
- The packet itself is a perfectly legal DNS packet. This makes DNS tunneling difficult to detect.
- DNS uses UDP. This means DNS is connectionless, which allows attackers to spoof the source IP address more easily.
3rd question:
To counter DNS tunneling, the following methods are suggested:
- DNS tunneling needs malware or a payload first. To prevent its installation, malware detection software, mail/website filtering, and employee training are effective.
- Checking the size of DNS request packets. If data is sent to attackers via DNS requests, the packets should be bigger than usual requests. Monitoring for oversized DNS packets helps discover the attacks.
- Checking for high-frequency or routine DNS requests to a specific domain. Such activities are suspicious and should be investigated.
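As an added example of the detection points just listed (mine, not part of the submission), the oversized-query, query-rate and record-type heuristics are run below over a few constructed DNS query-log lines; the log format, thresholds and domain names are all made up for the example.

```python
# Added example: DNS tunnelling heuristics over constructed query-log lines.
# Log format "<epoch> <client> <qname> <qtype>", the thresholds and the names
# are all constructed for this example, not taken from a real product or capture.
import math
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
1700000000 10.0.0.5 www.example.com A
1700000001 10.0.0.5 mail.example.com MX
1700000007 10.0.0.9 cdn.example.org A
1700000002 10.0.0.7 636f6e73747275637465642073616d.k9x2.c2-tunnel.example TXT
1700000002 10.0.0.7 706c65206c6162656c203030303031.k9x2.c2-tunnel.example TXT
1700000003 10.0.0.7 706c65206c6162656c203030303032.k9x2.c2-tunnel.example TXT
1700000004 10.0.0.7 706c65206c6162656c203030303033.k9x2.c2-tunnel.example TXT
1700000005 10.0.0.7 706c65206c6162656c203030303034.k9x2.c2-tunnel.example TXT
"""

Row = Tuple[int, str, str, str]


def parse_log(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            rows.append((int(ts), client, qname.lower().rstrip("."), qtype.upper()))
    return rows


def base_domain(qname: str) -> str:
    # Simplification for the example: the registered domain is the last two labels.
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def has_burst(stamps: List[int], n: int, window_s: int) -> bool:
    """True if any n queries fall within window_s seconds of each other."""
    stamps = sorted(stamps)
    return any(stamps[i + n - 1] - stamps[i] <= window_s
               for i in range(len(stamps) - n + 1))


def analyze(text: str, long_sub: int = 30, entropy_min: float = 3.5,
            burst_n: int = 4, window_s: int = 10) -> Dict[str, List[str]]:
    """Return {base_domain: [reasons]} for every domain that trips a heuristic."""
    per_domain: Dict[str, List[Row]] = defaultdict(list)
    for row in parse_log(text):
        per_domain[base_domain(row[2])].append(row)

    findings: Dict[str, List[str]] = {}
    for dom, rows in per_domain.items():
        subs = [q[: -len(dom)].rstrip(".") for _, _, q, _ in rows]
        reasons = []
        if sum(map(len, subs)) / len(subs) >= long_sub:        # data stuffed into labels
            reasons.append("oversized-subdomains")
        if sum(map(shannon_entropy, subs)) / len(subs) >= entropy_min:
            reasons.append("high-entropy-subdomains")           # encoded, not dictionary words
        if sum(qt in ("TXT", "NULL") for *_, qt in rows) / len(rows) >= 0.5:
            reasons.append("txt-null-heavy")                    # roomy record types for downlink
        by_client: Dict[str, List[int]] = defaultdict(list)
        for ts, client, _, _ in rows:
            by_client[client].append(ts)
        if any(has_burst(st, burst_n, window_s) for st in by_client.values()):
            reasons.append("query-burst")                       # routine beaconing / bulk transfer
        if reasons:
            findings[dom] = reasons
    return findings
```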
Impressions
I learned a lot. Honestly, I only knew the name, so it was a good opportunity to look into it properly.
Judging from my browser's search history, I seem to have referred to the following pages, among others.
- https://help.zscaler.com/zia/detecting-and-controlling-dns-tunnels
- https://www.akamai.com/glossary/what-is-dns-tunneling
- https://lab.wallarm.com/what/dns-%e3%83%88%e3%83%b3%e3%83%8d%e3%83%aa%e3%83%b3%e3%82%b0%e6%94%bb%e6%92%83/?lang=ja
Summarize what you have researched about Volt Typhoon. In particular, summarize your own thoughts on (1) the attacker's intent, (2) the attack techniques the attacker uses, and (3) why Volt Typhoon is attracting attention.
Attacker's intent:
Volt Typhoon is a state-sponsored actor from China.
According to CISA, NSA, and FBI, Volt Typhoon compromised IT environments primarily in the Communications, Energy, Transportation Systems, and Water and Wastewater Systems Sectors in the US and its territories.
The objective of Volt Typhoon is to develop a method of re-entry into government agencies and critical infrastructure. To achieve this, Volt Typhoon mainly stole credentials for network access to them.
As the international advisory says, there is concern that these credentials could be used for disruptive effects in the event of potential geopolitical tensions and/or military conflicts.
Attacker strategy: Volt Typhoon mainly uses the strategy called Living Off The Land (LotL). In the LotL strategy, attackers do not use malware or malicious payloads. They use the software already within the intruded networks. This software is totally legitimate, like PowerShell and cmd. Because of that, LotL activity is difficult to detect.
These are the details of Volt Typhoon's strategy:
- First, Volt Typhoon conducts in-depth reconnaissance of the target networks and operations.
- Volt Typhoon gains initial access to target networks by exploiting vulnerabilities, including known zero-days.
- Volt Typhoon tries to gain administrator access in the network, often by using privilege escalation vulnerabilities.
- Once Volt Typhoon has valid administrator access, they use it for lateral movement.
- Volt Typhoon uses LotL binaries to collect information in the intruded network.
- Volt Typhoon typically steals the Active Directory database (NTDS.dit) from the domain controller. It has a lot of information about the network, including usernames and hashed passwords.
- Volt Typhoon tries to gain access to OT systems by obtaining credentials.
Why is Volt Typhoon attracting attention?
Volt Typhoon has just been gaining credentials and access to critical infrastructure in the US and maybe also the Asia region, but Volt Typhoon has not been using them to cause real damage. This leads us to believe Volt Typhoon has not yet achieved the final goal of its operation. This means we can potentially defend against their next strategic actions. I believe this is one of the reasons for the increased attention.
On the other hand, detecting the activities of Volt Typhoon is difficult. They thoroughly use LotL so as not to leave information that could be used for detection. To counter this, different detection strategies are needed. I believe this is also a reason for attracting attention.
Reference:
https://www.microsoft.com/ja-jp/security/security-insider/volt-typhoon
https://www.jpcert.or.jp/at/2024/at240013.html
https://blogs.jpcert.or.jp/ja/2024/06/volt-typhoon-threat-hunting.html
https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
https://jp.security.ntt/resources/cyber_security_report/CSR_202402.pdf
Impressions
A question about an APT. I wrote it mainly after reading the JPCERT/CC and CISA reports. For this one I thought it best to get the facts (or what is accepted as fact) right, so I submitted it with references.
It was the first time I had read a CISA-produced report, and I was surprised by how careful and detailed it was. That prompted me to read various others too.
Also, as a related matter, Salt Typhoon has been in the news recently.
What are the key differences between “Automotive Ethernet” and “Traditional Ethernet”?
One of the key differences between Automotive Ethernet and Traditional Ethernet is the cable.
Traditional Ethernet uses two twisted-pair cables: one for transmitting data, the other for receiving data. In contrast, Automotive Ethernet uses only one twisted-pair cable. Also, the cable length is limited to 15 meters. In the automotive industry, reducing the cabling in vehicles is a major challenge. The cable specification is for solving this issue.
Broadcom invented this cable and IEEE codified it as 100BASE-T1. This is the first specification of Automotive Ethernet.
Later, 1000BASE-T1, 10BASE-T1, and other specifications were standardized. Some of these new specifications have PoDL (Power over Data Lines), PLCA (Physical Layer Collision Avoidance), etc. for stability and cable space savings. These are also differences from Traditional Ethernet.
Impressions
Fortunately, I had taken a lecture called "In-vehicle CAN Packet Analysis Exercise" in Class A of this year's Security Camp national event, so I started with some prior knowledge of in-vehicle networks.
What I was conscious of was to follow primary sources as much as possible. I think I managed to list the facts to some extent, but I'm not very confident that they are the key differences.
What is an “ECU” in an automotive cybersecurity context?
ECU stands for Electronic Control Unit. Modern vehicles are controlled by ECUs. In a cybersecurity context, ECUs are the main target of attacks by actors and the main target to be protected by cybersecurity.
Normally a modern vehicle has from tens to over a hundred ECUs in the frame. To control the vehicle, ECUs have to communicate with each other (e.g., handling, braking, door control, etc.). This means that if attackers take control of an ECU, they can control the vehicle. In fact, at Black Hat and DEF CON there have been reports claiming that vehicles were taken control of by cyberattacks.
To achieve the attack, attackers have to connect to the network of ECUs. ECUs may use proprietary network protocols. One of the most famous protocols is CAN (Controller Area Network), but this protocol has many problems from a security standpoint. CAN is a type of bus network and all packets in CAN are sent as broadcast packets, so all the packets are visible from outside and packets can be injected. Moreover, CAN has no authentication or encryption system. For these reasons, a CAN network is essentially vulnerable to eavesdropping, spoofing, and DoS attacks. Other automotive network protocols like LIN and FlexRay have similar problems.
In this situation, the ECU is the main target of cyberattacks and cybersecurity.
Impressions
Another in-vehicle security question. I wrote this while reading The Car Hacker's Handbook. My Security Camp experience was a great help here too.
https://amzn.asia/d/6z0A1Vn
In your own words, explain the difference between “Hacking” and “Cybersecurity”.
I suppose the word "Hacking" is used in this question as doing malicious/illegal things in cyberspace. This meaning has become widely accepted, but I know the original meaning of "Hacking" is not that kind of meaning. I personally call doing such things "Cracking".
In this question, it is difficult to decide which meaning of the word "Hacking" should be taken, so I assume the meaning of "Hacking" in this question to be doing malicious things in cyberspace.
The main difference between Hacking and Cybersecurity is this: Cybersecurity protects IT systems. Cracking breaks into them. In some cases, what Hacking and Cybersecurity do could be the same thing (e.g., a malicious intrusion and a bug bounty are the same in terms of what they are doing). However, the purpose of the acts is completely different.
Impressions
The question was what the difference between hacking and cybersecurity is. I put in a somewhat emotionally charged preface saying that I personally dislike calling doing bad things in cyberspace "hacking". The background is that I like the following text written by Eric Raymond, and at first I was building my answer as a riff on it, of which this is a remnant.
http://www.catb.org/~esr/faqs/hacker-howto.html
Honestly, regarding the difference being asked about, I wanted to quote
The basic difference is this: hackers build things, crackers break them.
and be done with it, but being asked "in your own words" made that awkward, so I changed it. Still, it doesn't differ much from what I originally had in mind.
Explain the key differences between Bluetooth Legacy Pairing and Secure Simple Pairing. When was SSP added to the Bluetooth Specification?
The key difference between Bluetooth Legacy Pairing and SSP (Secure Simple Pairing) is whether a PIN code is used or not.
Legacy Pairing and SSP are both pairing protocols. Pairing protocols are implemented in the Link Management Protocol (LMP). Bluetooth 2.0 and earlier versions use Legacy Pairing. Bluetooth 2.1 and later versions use SSP.
Pairing is the process of authenticating the devices to be connected. Legacy Pairing uses a PIN code to authenticate. When devices start connecting, the user inputs the same PIN code on both devices. The maximum length of the PIN code is 16 digits, but normally not all digits are used. If both devices enter the same PIN code, pairing succeeds. In some devices, the PIN code is fixed. This protocol is vulnerable to brute force, and the encryption method used, called E0, has vulnerabilities. Legacy Pairing remains for backward compatibility but is now obsolete.
SSP uses the ECDH algorithm for public key exchange to pair the devices. Also, to defend against MITM (Man In The Middle) attacks, multiple authentication methods are supported. This makes pairing safer than Legacy Pairing.
SSP was added to the Bluetooth specification in Bluetooth 2.1. According to the official specification document, Bluetooth 2.1 was released on 26 July 2007.
Reference
Impressions
This one was a matter of reading the documentation. On this topic, I feel the Japanese Wikipedia has a fair amount of misinformation (the English version is somewhat better).
https://ja.wikipedia.org/wiki/Bluetooth
Everyone around here, please refer to primary sources.
That aside, it was very good to study Bluetooth. It's a standard I use every day, so I had wanted to know it in detail if possible but never had the occasion, so this was just right. The lab recently bought a HackRF, so I'd like to do various things with wireless communication too.
Suppose you wish to perform a penetration test of a device with a USB interface. What kinds of tests would you perform? Assume that the device can read audio and video files from a USB storage device and play them (like a vehicle navigation system or radio).
Check the specification and information of the target device.
- What file formats the device can read.
- When the device reads the file from USB.
- Try to play invalid files and non-audio/video files to check the error messages.
- Try to find documents on the internet.
- Try to find hidden commands for debugging.
- Try to find devices made by the same vendor that have similar features and check whether these devices have vulnerabilities. If they do, the target device may have the same vulnerability.
Check whether a UART or some other kind of physical access point is available.
Test for buffer overflows.
- Try to play very long audio/video files.
- Try to play audio/video files that have very long data in the metadata section.
Test common vulnerabilities with known payloads.
- Try to play PoCs for vulnerabilities in common audio/video file parsers and common device drivers for speakers and monitors.
Use a ROM writer to extract the firmware, file system, or any other kind of data.
If I find common firmware, Linux, or some other kind of OS running in the background, I will try:
- Using BadUSB to execute commands.
Try a USB killer or high voltage to test how physically robust the device is.
Impressions
The question I'm least confident about. I listed whatever came to mind while seriously wondering what I was supposed to do. The idea was to write as much as possible and hope that what the lecturers intended is somewhere in there. I'm very curious what the other participants wrote.
What does the Arbitration field in a CAN 2.0B frame do? Why is it important? What are some security concerns with the way arbitration is done in CAN networks?
The arbitration field in CAN 2.0 (not only 2.0B) is used to identify the destination of the frame.
The arbitration field contains data called the CAN ID (CAN Identifier). It is sometimes called the Arbitration ID. This ID is directly used to identify the destination ECU. If two CAN packets are sent to the CAN bus at the same time, the packet with the smaller CAN ID has priority.
A standard CAN packet has an 11-bit CAN ID. In contrast, CAN 2.0B is an expanded version of the standard CAN packet, and its arbitration field is expanded. The expanded arbitration field has a 29-bit CAN ID. The extensions are made to maintain backward compatibility.
The arbitration field ensures real-time communication and efficiency in CAN networks. It gives high priority to time-critical packets like airbag control. It is essential for safe automotive systems.
However, the CAN bus is a broadcast network. This means any device connected to the network can see every packet on the same network. With close observation, an attacker can determine which CAN ID corresponds to which ECU. Additionally, the CAN protocol has no systems for encryption and authorization. It doesn't even have a source address in the packets. Under the above circumstances, it is easy to launch spoofing attacks against CAN networks.
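As an added illustration (mine, not part of the submission), here is the bit-level arbitration described above, simulated on constructed CAN IDs: a dominant 0 bit beats a recessive 1, so the lowest ID wins, and a standard frame beats an extended (CAN 2.0B) frame with the same 11-bit base because its RTR/IDE bits are dominant.

```python
# Added example: CAN 2.0 arbitration simulated bit by bit on constructed IDs.
# The bus is wired-AND: a dominant 0 wins over a recessive 1 at every bit position.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Frame:
    can_id: int
    extended: bool = False   # CAN 2.0B 29-bit identifier
    rtr: bool = False        # remote transmission request (recessive when set)

    def __post_init__(self) -> None:
        width = 29 if self.extended else 11
        if not 0 <= self.can_id < (1 << width):
            raise ValueError(f"CAN ID {self.can_id:#x} does not fit {width} bits")


def arbitration_bits(f: Frame) -> List[int]:
    """Bits a node drives during arbitration, MSB first.
    Standard: 11-bit ID, RTR, then IDE (dominant 0).
    Extended: 11-bit base, SRR (1), IDE (1), 18-bit extension, RTR."""
    if not f.extended:
        ident = [(f.can_id >> i) & 1 for i in range(10, -1, -1)]
        return ident + [int(f.rtr), 0]
    base = [(f.can_id >> i) & 1 for i in range(28, 17, -1)]
    ext = [(f.can_id >> i) & 1 for i in range(17, -1, -1)]
    return base + [1, 1] + ext + [int(f.rtr)]


def arbitrate(frames: List[Frame]) -> Optional[Frame]:
    """Frame that wins when all of `frames` start transmitting at once.
    None means two nodes sent identical arbitration bits, which CAN forbids."""
    if not frames:
        return None
    contenders = [(f, arbitration_bits(f)) for f in frames]
    for i in range(max(len(b) for _, b in contenders)):
        levels = [b[i] if i < len(b) else 1 for _, b in contenders]
        bus = min(levels)                       # any 0 pulls the bus dominant
        contenders = [c for c, lvl in zip(contenders, levels) if lvl == bus]
        if len(contenders) == 1:
            return contenders[0][0]
    return None


def transmission_order(frames: List[Frame]) -> List[Frame]:
    """Delivery order on a saturated bus: the lowest ID goes first every time.
    Because nothing authenticates who may use a given ID, a node that keeps
    sending a very low ID wins every round, which is the priority/DoS concern."""
    pending, order = list(frames), []
    while pending:
        winner = arbitrate(pending)
        if winner is None:
            break
        order.append(winner)
        pending.remove(winner)
    return order
```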
Impressions
In-vehicle security yet again. I wrote this while reading the CAN specification, materials I received at Security Camp, and The Car Hacker's Handbook.
Pick one CVE ID for a vulnerability stemming from undefined behavior in C or C++ programming. Briefly describe the undefined behavior that led to the vulnerability in few sentences. Please cite at least one relevant section of the C or C++ language standard (or working draft) that explicitly defines the behavior as undefined.
CVE ID: CVE-2008-0062
Undefined behavior: Null Pointer Dereference.
In C, a null pointer is defined as pointing nowhere (i.e., not pointing to any valid object). Dereferencing such a pointer is undefined behavior and leads to a program crash or unexpected results.
This vulnerability was found in 2008, so I reference the C99 standard.
The C99 standard, section 6.3.2.3, says that:
An integer constant expression with the value 0, or such an expression cast to type void *, is called a null pointer constant. If a null pointer constant is converted to a pointer type, the resulting pointer, called a null pointer, is guaranteed to compare unequal to a pointer to any object or function.
The C99 standard, section 6.3.2.1, says that:
If an lvalue does not designate an object when it is evaluated, the behavior is undefined.
Because of the above definitions, null pointer dereference is undefined behavior.
Impressions
One way or another, this was the first time I read the C standard. I got some sense of how to read C99 and the like, and learned a great deal. Being able to properly consult the language specification when explaining things to people seems like a rather handy skill.
Overall
I think many of the questions were educational. Overall, I think it was good that I went to primary sources as much as I could.
Sorry that my impressions got sloppier toward the later questions. I plan to write a participation report after the lectures in February are over. For now, I need to hurry up and get a passport.