SlideShare uma empresa Scribd logo

reductio [ad absurdum]

Shakacon
Shakacon

Programmers naturally assume that different programs require different code. Minesweeper is not the same as AES, Windows is not the same as Linux, and Notepad is not the same as malware. But what if this were not the case? We'll walk through how we can convert all programs into the exact same code - allowing the CPU to execute the same sequence of instructions, to run any possible application. By fundamentally changing our ideas about what it means to "compute", we'll outline the unsettling implications for malware detection, and open some fascinating new doors in exploitation.

Tecnologia
1 de 101
Baixar para ler offline
{ reductio [ad absurdum] domas / @xoreaxeaxeax / Shakacon 2017
 Christopher Domas  Cyber Security Researcher @ Battelle Memorial Institute ./bio
 Observation:  Different paths can produce the same result.  Thought experiment:  Can the inverse be true?  Can one path produce different results? ./intro
 Observation:  Groups of (machine) instructions can often be reduced x = x * 2 x = x + x vs. x = x * 4  Thought experiment:  How much could one program be reduced? ./intro
 (bear with me) Let’s backtrack a bit…
4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2 Assembly…
 mov is Turing-complete  Stephen Dolan  www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
mov destination, source mov
 Any code we write …  … can be written as a set of movs instead  … and nothing else  Really? Turing Complete?
4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2
80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler. - Stephen Dolan
 Where to begin…? Key Ideas
 mov can check equality Key Ideas
 mov [x], 0  mov [y], 1  mov R, [x] x==y
 x=3, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
 x=2, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
 Requires a single jmp instruction to loop back to the beginning  Incidental  We fixed this later Key Ideas
 start:  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  jmp start
 Build on Dolan’s ideas  Adapt primitive TM operations for higher level logic  Work on actual data, not abstract symbols  Add new operations  If/else  Arithmetic  Logic  Jumps  Loops  Etc…  Bring it closer to something we can use Idea…
Implementing if
 IF X == Y THEN  X = 100 Implementing if
 The catch:  We have no branches  All paths execute, no matter what  Solution:  Force a path to operate on “dummy” data, if we don’t want its results Implementing if
 IF X == Y THEN  X = 100 Implementing if Selector Data Scratch
 IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
 IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
; X == Y mov eax, [X] mov [eax], 0 mov eax, [Y] mov [eax], 4 mov eax, [X] ; X = 100 mov eax, [SELECT_X + eax] mov [eax], 100 Implementing if
Simple extensions give us if/else if/elseif/else Inequality checks Implementing if
%macro eq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 0 mov byte [e+%3], 4 mov al, [e+eax] mov [%1], al %endmacro
%macro neq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 4 mov byte [e+%3], 0 mov al, [e+eax] mov [%1], al %endmacro
; create selector %macro c_s 1 %1: dd 0 d_%1: dd 0 s_%1: dd d_%1, %1 %endmacro
 Extend the if/else idea Loops and branches
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ←  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start Store target Switch to dummy data 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov … ← Check if branch target  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov … ← Check if branch target  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov … ← Check if branch target  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov … ← Check if target  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov … ← Check if target  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov … ← Check if target  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFFTarget match Switch to real data
 start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c ONTarget match Switch to real data
 Look up tables!  One byte versions are easy. Arithmetic
unsigned char inc[]={ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112, 113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128, 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144, 145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160, 161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176, 177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192, 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208, 209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224, 225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240, 241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0 };
incb: %assign y 1 %rep 256 db y&0xff %assign y y+1 %endrep
; increment eax with mov mov eax, [inc + eax] Arithmetic
%macro add32 4 mov eax, 0 mov ebx, 0 mov ecx, 0 mov edx, 0 mov dword [%4], 0 add8 %1+0, %2+0, %3+0, %4 add8 %1+1, %2+1, %3+1, %4 add8 %1+2, %2+2, %3+2, %4 add8 %1+3, %2+3, %3+3, %4 %endmacro
mov eax,0x0 mov ebx,0x0 mov ecx,0x0 mov edx,0x0 mov dword [dword 0x8049576],0x0 mov al,[0x804956a] mov bl,[dword 0x804956e] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049572],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956b] mov bl,[dword 0x804956f] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049573],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956c] mov bl,[dword 0x8049570] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049574],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956d] mov bl,[dword 0x8049571] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049575],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov eax,[0x8049572]
mov dword [q], 0 mov dword [r], 0 %assign bb 31 %rep 32 bit c, n, bb shl32 r, c mov dword [c], 0 gte32 t, r, d, c mov eax, [t] mov edx, [sel_r+4*eax] mov [psr], edx mov edx, [sel_q+4*eax] mov [psq], edx mov eax, [psr] mov eax, [eax] mov [dummy_r], eax sub32 dummy_r, dummy_r, d, c mov eax, [psr] mov edx, [dummy_r] mov [eax], edx mov eax, [psq] mov eax, [eax] mov [dummy_q], eax set32 dummy_q, bb mov eax, [psq] mov edx, [dummy_q] mov [eax], edx %assign bb bb-1 %endrep mov eax, [q]
 lcc  esi/edi  Calling convention  Emulated stack  32 bit ALU  Simplified dummy selectors  102 IL instructions  Not bad! The M/o/Vfuscator
 mov-only C Compiler  https://github.com/xoreaxeaxeax  First single instruction C compiler! The M/o/Vfuscator
 prime  Cube  M/o/Vfuscator The M/o/Vfuscator
 How much can we simplify a program?  We’ve gotten rid of…  Functions  Loops  Branches  Arithmetic  … it’s an okay start. Reduction
 We have all the same instructions  mov  But they’re not all the ”same”  mov eax, edx  mov [100], bl  mov di, 0x1337  mov eax, [edx + 2 * ecx + 0x1094801] Reduction
 Eliminate register to register transfers  mov eax, edx becomes  mov [0x1000], edx  mov eax, [0x1000] x86 addressing
 Eliminate constant to register transfers  mov eax, 12345 becomes  _temp: .dword 12345  mov eax, [_temp] x86 addressing
 All instructions now either read or write to memory. x86 addressing
 Eliminate 8 and 16 bit addressing  mov al, [100] becomes  mov [200], eax  mov eax, [100 - 3]  mov [200 - 3], eax  mov eax, [200] x86 addressing 200 100
 Simplify memory addressing  mov eax, [0x1234 + ecx + 8 * edx]  Use the M/o/Vfuscator ALU!  Calculate ecx + 8 * edx  Accumulate results in ecx  Result:  (dozens of mov ALU instructions)  mov eax, [0x1234 + ecx] x86 addressing
 No more register to register transfers.  No more constant to register transfers.  No more 8 or 16 bit instructions.  All memory accesses are of the form [reg + constant]  mov instructions are now all mov reg, [reg + constant] or mov [reg + constant], reg Almost there.
 We still use 8 registers!  Decrease to 2 by storing extras to scratchpad memory  All mov instructions now mov esi/edi, [esi/edi + constant] or mov [esi/edi + constant], esi/edi Registers
 Writes: mov [esi/edi + constant], esi/edi  Reads: mov esi/edi, [esi/edi + constant]  Alternate reads and writes  1 read, followed by 1 write, followed by 1 read, followed by 1 write…  Insert dummy (unused) accesses Alternating memory
mov esi,[edi+0x816d0e8] mov [edi+0x816d104],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0ec],esi mov esi,[edi+0x816d0eb] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d10c],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0f8],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi The result…
 Can we take it further?
Psuedo-registers  Instead of registers, use memory to hold the register contents  esi becomes [0x890100]  edi becomes [0x890200]  Let’s call these memory locations “psuedo-registers”
A ‘synthetic’ mov  With psuedo-registers, our movs look like mov [0x890100],[[0x890200]+0x816d0e8]  At this point, we’re just moving values to/from different locations in memory  … but this is no longer a valid x86 instruction
A ‘synthetic’ mov  Let’s invent a new instruction, “MOVE”  MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]  Our broken x86 instruction mov [0x890100],[[0x890200]+0x816d0e8]  Becomes  MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
A ‘synthetic’ mov  Translate the old mov instructions into the more generic MOVE instruction  mov esi,[edi+0x816d0e8] becomes MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]  mov [edi+0x816d0e8], esi becomes MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]
A ‘synthetic’ mov  Why is this useful?  All instructions now have exactly the same form.
Extracting the essence MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ] { 0x890100, 0, 0x890200, 0x816d0e8 }  Extract all of the MOVE operands into a table.
 We’ve distilled our entire C program into a table describing a long list of simple data transfers  Let’s write a program to perform the actions described in the table So now what?
Load the table into esi…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov esi, table
Execute a memory read…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov ebx, [esi] ; load addr of psuedo-reg 1  mov ebx, [ebx] ; load psuedo-reg 1  add ebx, [esi+4] ; add offset  mov ebx, [ebx] ; perform memory read
Execute a memory write…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov edx, [esi+8] ; load addr of psuedo-reg 2  mov edx, [edx] ; load psuedo-reg 2  add edx, [esi+12]; add offset  mov [edx], ebx ; perform memory write
Rinse, repeat.  table:  0x890100, 0, 0x890200, 0x816d0e8  0x990010 ; pointer to next table entry  mov esi, [esi+16] ; move to next entry  jmp loop ; repeat the whole process
mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop table: 0x890100, 0, 0x890200, 0x816d0e8 ... With the reductio toolchain, a C program compiles to ->
 Thought experiment:  How far can we reduce a program? So…?
 Every program ever written can be reduced to exactly this -> So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
 Thought experiment:  Can one sequence of instructions produce entirely different results? So…?
 This instruction stream simultaneously implements everything. So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
AES Minesweeper
 (Can’t show compiling ) ./demo
 The instruction sequence executed by the processor is the same for every program. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
 1.  If every program is the same, malware detection gets a whole lot harder. (demo)  Doing the same thing  (In practice) Implications
 2.  Exploitation  “AVROP” (Mark Barnes, MWR Labs)  https://github.com/mwrlabs/avrop  AVR microcontroller (Raspberry Pi)  Harvard architecture: limited to ROP  Small memory: very few gadgets  Fortunately, all we need is mov. Implications
 The AVROP machine Implications
 3.  It’s cool!  A philosophical conclusion…  If the code makes no difference, what does it mean ‘to program’? Implications
github.com/xoreaxeaxeax  reductio  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com
reductio [ad absurdum]

Recomendados

Command GM
Command GMCommand GM
Command GM
Rafa Muadz
 
Programação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesProgramação assíncrona utilizando Coroutines
Programação assíncrona utilizando Coroutines
Diego Gonçalves Santos
 
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootBehind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Maksym Zavershynskyi
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196
Mahmoud Samir Fayed
 
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Karthik Rathinavel
 
Itty bittypresentation lrug
Itty bittypresentation lrugItty bittypresentation lrug
Itty bittypresentation lrug
Tom Crinson
 
The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185
Mahmoud Samir Fayed
 
かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版
Yutaka Kato
 

Recomendados

Command GM
Command GMCommand GM
Command GM
Rafa Muadz
 
Programação assíncrona utilizando Coroutines
Programação assíncrona utilizando CoroutinesProgramação assíncrona utilizando Coroutines
Programação assíncrona utilizando Coroutines
Diego Gonçalves Santos
 
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square RootBehind the Performance of Quake 3 Engine: Fast Inverse Square Root
Behind the Performance of Quake 3 Engine: Fast Inverse Square Root
Maksym Zavershynskyi
 
The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196The Ring programming language version 1.7 book - Part 57 of 196
The Ring programming language version 1.7 book - Part 57 of 196
Mahmoud Samir Fayed
 
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...Sine Wave Generator with controllable frequency displayed on a seven segment ...
Sine Wave Generator with controllable frequency displayed on a seven segment ...
Karthik Rathinavel
 
Itty bittypresentation lrug
Itty bittypresentation lrugItty bittypresentation lrug
Itty bittypresentation lrug
Tom Crinson
 
The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185The Ring programming language version 1.5.4 book - Part 25 of 185
The Ring programming language version 1.5.4 book - Part 25 of 185
Mahmoud Samir Fayed
 
かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版かとうの Kotlin 講座 こってり版
かとうの Kotlin 講座 こってり版
Yutaka Kato
 
DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
Felipe Prado
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
Felipe Prado
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Connor McDonald
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiarities
noamt
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
Bordeaux I
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
nkslides
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산
Changwon National University
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
Mikhail Sosonkin
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
if kakao
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
relaine1
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introduction
Gonzalo Gabriel Jiménez Fuentes
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)
Julien SIMON
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
Wim Godden
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations
Rob LaPlaca
 
Emuladores
EmuladoresEmuladores
Emuladores
Bayoch
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
Alex Miller
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
Asuka Nakajima
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net
Ken'ichi Matsui
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listing
Chris Worledge
 
Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
Shakacon
 
Macdoored
MacdooredMacdoored
Macdoored
Shakacon
 

Mais conteúdo relacionado

Semelhante a reductio [ad absurdum]

다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
if kakao
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
Saumil Shah
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
relaine1
 
Emuladores
EmuladoresEmuladores
Emuladores
Bayoch
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
Asuka Nakajima
 

Semelhante a reductio [ad absurdum] (20)

DEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliksDEF CON 23 - Atlas - fun with symboliks
DEF CON 23 - Atlas - fun with symboliks
 
DEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsychDEF CON 23 - CHRIS DOMAS - REpsych
DEF CON 23 - CHRIS DOMAS - REpsych
 
Tokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java DeveloperTokyo APAC Groundbreakers tour - The Complete Java Developer
Tokyo APAC Groundbreakers tour - The Complete Java Developer
 
Python Peculiarities
Python PeculiaritiesPython Peculiarities
Python Peculiarities
 
Tetcon2016 160104
Tetcon2016 160104Tetcon2016 160104
Tetcon2016 160104
 
Hacklu11 Writeup
Hacklu11 WriteupHacklu11 Writeup
Hacklu11 Writeup
 
05 2 관계논리비트연산
05 2 관계논리비트연산05 2 관계논리비트연산
05 2 관계논리비트연산
 
NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016NYU hacknight, april 6, 2016
NYU hacknight, april 6, 2016
 
다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)다음웹툰의 UX(Animation, Transition, Custom View)
다음웹툰의 UX(Animation, Transition, Custom View)
 
When Bad Things Come In Good Packages
When Bad Things Come In Good PackagesWhen Bad Things Come In Good Packages
When Bad Things Come In Good Packages
 
There are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docxThere are two types of ciphers - Block and Stream. Block is used to .docx
There are two types of ciphers - Block and Stream. Block is used to .docx
 
Elixir and OTP Apps introduction
Elixir and OTP Apps introductionElixir and OTP Apps introduction
Elixir and OTP Apps introduction
 
An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)An introduction to Deep Learning with Apache MXNet (November 2017)
An introduction to Deep Learning with Apache MXNet (November 2017)
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
 
CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations CSS Transitions, Transforms, Animations
CSS Transitions, Transforms, Animations
 
Emuladores
EmuladoresEmuladores
Emuladores
 
Actor Concurrency
Actor ConcurrencyActor Concurrency
Actor Concurrency
 
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
[ROOTCON13] Pilot Study on Semi-Automated Patch Diffing by Applying Machine-L...
 
"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net"Deep Learning" Chap.6 Convolutional Neural Net
"Deep Learning" Chap.6 Convolutional Neural Net
 
Maze solving app listing
Maze solving app listingMaze solving app listing
Maze solving app listing
 

Mais de Shakacon

Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
Shakacon
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
Shakacon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
Shakacon
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Shakacon
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
Shakacon
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
Shakacon
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
Shakacon
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
Shakacon
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
Shakacon
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
Shakacon
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
Shakacon
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
Shakacon
 

Mais de Shakacon (20)

Web (dis)assembly
Web (dis)assemblyWeb (dis)assembly
Web (dis)assembly
 
Macdoored
MacdooredMacdoored
Macdoored
 
I can be apple and so can you
I can be apple and so can youI can be apple and so can you
I can be apple and so can you
 
Cloud forensics putting the bits back together
Cloud forensics putting the bits back togetherCloud forensics putting the bits back together
Cloud forensics putting the bits back together
 
Pwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCEPwned in Translation - from Subtitles to RCE
Pwned in Translation - from Subtitles to RCE
 
Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS Oversight: Exposing spies on macOS
Oversight: Exposing spies on macOS
 
Modern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layerModern Reconnaissance Phase on APT - protection layer
Modern Reconnaissance Phase on APT - protection layer
 
Shamoon
ShamoonShamoon
Shamoon
 
A Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts BytecodeA Decompiler for Blackhain-Based Smart Contracts Bytecode
A Decompiler for Blackhain-Based Smart Contracts Bytecode
 
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker InfrastructureHoney, I Stole Your C2 Server: A Dive into Attacker Infrastructure
Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure
 
Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...Dock ir incident response in a containerized, immutable, continually deploy...
Dock ir incident response in a containerized, immutable, continually deploy...
 
Reviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android KernelReviewing the Security of ASoC Drivers in Android Kernel
Reviewing the Security of ASoC Drivers in Android Kernel
 
Silent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest NetworkSilent Protest: A Wearable Protest Network
Silent Protest: A Wearable Protest Network
 
WiFi-Based IMSI Catcher
WiFi-Based IMSI CatcherWiFi-Based IMSI Catcher
WiFi-Based IMSI Catcher
 
Sad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving MalwareSad Panda Analysts: Devolving Malware
Sad Panda Analysts: Devolving Malware
 
XFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnellingXFLTReat: a new dimension in tunnelling
XFLTReat: a new dimension in tunnelling
 
Windows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul RascagneresWindows Systems & Code Signing Protection by Paul Rascagneres
Windows Systems & Code Signing Protection by Paul Rascagneres
 
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
The Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant OllamThe Search for the Perfect Door - Deviant Ollam
The Search for the Perfect Door - Deviant Ollam
 
Swift Reversing by Ryan Stortz
Swift Reversing by Ryan StortzSwift Reversing by Ryan Stortz
Swift Reversing by Ryan Stortz
 

Último

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
Overkill Security
 

Último (20)

Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
A Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source MilvusA Beginners Guide to Building a RAG App Using Open Source Milvus
A Beginners Guide to Building a RAG App Using Open Source Milvus
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 

reductio [ad absurdum]

  • 1. { reductio [ad absurdum] domas / @xoreaxeaxeax / Shakacon 2017
  • 2.  Christopher Domas  Cyber Security Researcher @ Battelle Memorial Institute ./bio
  • 3.  Observation:  Different paths can produce the same result.  Thought experiment:  Can the inverse be true?  Can one path produce different results? ./intro
  • 4.  Observation:  Groups of (machine) instructions can often be reduced x = x * 2 x = x + x vs. x = x * 4  Thought experiment:  How much could one program be reduced? ./intro
  • 5.  (bear with me) Let’s backtrack a bit…
  • 6. 4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2 Assembly…
  • 7.  mov is Turing-complete  Stephen Dolan  www.cl.cam.ac.uk/~sd601/papers/mov.pdf mov
  • 9.  Any code we write …  … can be written as a set of movs instead  … and nothing else  Really? Turing Complete?
  • 10. 4004e9: mov dword [rbp-8], 0 4004f2: push 600004 4004f8: call printf 4004fa: pop eax 4004fc: add dword [rbp-8], 1 400500: cmp dword [rbp-8], 100 400507: jle 4004f2
  • 11. 80515bc: mov eax,ds:0x835d81a 80515c1: mov ebx,DWORD PTR [eax+0x835d6fc] 80515c7: mov edx,DWORD PTR ds:0x835d7da 80515cd: mov eax,0x0 80515d2: mov al,BYTE PTR [ebx+edx*1] 80515d5: mov al,BYTE PTR [eax+0x835dc7e] 80515db: mov BYTE PTR [ebx+edx*1],al 80515de: mov eax,ds:0x835d81a 80515e3: mov ebx,DWORD PTR [eax+0x835d6fc] 80515e9: mov edx,DWORD PTR ds:0x835d7da 80515ef: mov eax,0x0 80515f4: mov al,BYTE PTR [ebx+edx*1]
  • 12. Removing all but the mov instruction from future iterations of the x86 architecture would have many advantages: the instruction format would be greatly simplified, the expensive decode unit would become much cheaper, and silicon currently used for complex functional units could be repurposed as even more cache. As long as someone else implements the compiler. - Stephen Dolan
  • 13.
  • 14.  Where to begin…? Key Ideas
  • 15.  mov can check equality Key Ideas
  • 16.  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 17.  x=3, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 18.  x=2, y=3  mov [x], 0  mov [y], 1  mov R, [x] x==y
  • 19.  Requires a single jmp instruction to loop back to the beginning  Incidental  We fixed this later Key Ideas
  • 20.  start:  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  mov …  jmp start
  • 21.  Build on Dolan’s ideas  Adapt primitive TM operations for higher level logic  Work on actual data, not abstract symbols  Add new operations  If/else  Arithmetic  Logic  Jumps  Loops  Etc…  Bring it closer to something we can use Idea…
  • 23.  IF X == Y THEN  X = 100 Implementing if
  • 24.  The catch:  We have no branches  All paths execute, no matter what  Solution:  Force a path to operate on “dummy” data, if we don’t want its results Implementing if
  • 25.  IF X == Y THEN  X = 100 Implementing if Selector Data Scratch
  • 26.  IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
  • 27.  IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
  • 28.  IF X == Y THEN  X = 100 Implementing if Data Scratch ⇐ ⇐ Selector
  • 29.  IF X == Y THEN  X = 100 Implementing if Data Scratch Selector
  • 30. ; X == Y mov eax, [X] mov [eax], 0 mov eax, [Y] mov [eax], 4 mov eax, [X] ; X = 100 mov eax, [SELECT_X + eax] mov [eax], 100 Implementing if
  • 31. Simple extensions give us if/else if/elseif/else Inequality checks Implementing if
  • 32. %macro eq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 0 mov byte [e+%3], 4 mov al, [e+eax] mov [%1], al %endmacro
  • 33. %macro neq 3 mov eax, 0 mov al, [%2] mov byte [e+eax], 4 mov byte [e+%3], 0 mov al, [e+eax] mov [%1], al %endmacro
  • 34. ; create selector %macro c_s 1 %1: dd 0 d_%1: dd 0 s_%1: dd d_%1, %1 %endmacro
  • 35.  Extend the if/else idea Loops and branches
  • 36.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 37.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov …  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 38.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ← Implement a branch from here…  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start
  • 39.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov … ←  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start Store target Switch to dummy data 0x100c OFF
  • 40.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov … ← Check if branch target  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 41.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov … ← Check if branch target  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 42.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov … ← Check if branch target  0x1030 jmp start 0x100c OFF
  • 43.  start:  0x1000 mov … ← Check if target  0x1004 mov …  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 44.  start:  0x1000 mov …  0x1004 mov … ← Check if target  0x1008 mov …  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 45.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov … ← Check if target  0x100c mov … ← … to here  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFF
  • 46.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c OFFTarget match Switch to real data
  • 47.  start:  0x1000 mov …  0x1004 mov …  0x1008 mov …  0x100c mov … ←  0x1010 mov …  0x1014 mov …  0x1018 mov …  0x101c mov …  0x1020 mov …  0x1024 mov …  0x1028 mov …  0x102c mov …  0x1030 jmp start 0x100c ONTarget match Switch to real data
  • 48.  Look up tables!  One byte versions are easy. Arithmetic
  • 49. unsigned char inc[]={ 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99,100,101,102,103,104,105,106,107,108,109,110,111,112, 113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128, 129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144, 145,146,147,148,149,150,151,152,153,154,155,156,157,158,159,160, 161,162,163,164,165,166,167,168,169,170,171,172,173,174,175,176, 177,178,179,180,181,182,183,184,185,186,187,188,189,190,191,192, 193,194,195,196,197,198,199,200,201,202,203,204,205,206,207,208, 209,210,211,212,213,214,215,216,217,218,219,220,221,222,223,224, 225,226,227,228,229,230,231,232,233,234,235,236,237,238,239,240, 241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,0 };
  • 50. incb: %assign y 1 %rep 256 db y&0xff %assign y y+1 %endrep
  • 51. ; increment eax with mov mov eax, [inc + eax] Arithmetic
  • 52. %macro add32 4 mov eax, 0 mov ebx, 0 mov ecx, 0 mov edx, 0 mov dword [%4], 0 add8 %1+0, %2+0, %3+0, %4 add8 %1+1, %2+1, %3+1, %4 add8 %1+2, %2+2, %3+2, %4 add8 %1+3, %2+3, %3+3, %4 %endmacro
  • 53. mov eax,0x0 mov ebx,0x0 mov ecx,0x0 mov edx,0x0 mov dword [dword 0x8049576],0x0 mov al,[0x804956a] mov bl,[dword 0x804956e] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049572],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956b] mov bl,[dword 0x804956f] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049573],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956c] mov bl,[dword 0x8049570] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049574],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov al,[0x804956d] mov bl,[dword 0x8049571] mov cl,[dword 0x8049576] mov dl,[eax+ecx+0x8049168] mov al,[ebx+edx+0x8049168] mov [0x8049575],al mov al,[ebx+edx+0x8049369] mov [0x8049576],al mov eax,[0x8049572]
  • 54. mov dword [q], 0 mov dword [r], 0 %assign bb 31 %rep 32 bit c, n, bb shl32 r, c mov dword [c], 0 gte32 t, r, d, c mov eax, [t] mov edx, [sel_r+4*eax] mov [psr], edx mov edx, [sel_q+4*eax] mov [psq], edx mov eax, [psr] mov eax, [eax] mov [dummy_r], eax sub32 dummy_r, dummy_r, d, c mov eax, [psr] mov edx, [dummy_r] mov [eax], edx mov eax, [psq] mov eax, [eax] mov [dummy_q], eax set32 dummy_q, bb mov eax, [psq] mov edx, [dummy_q] mov [eax], edx %assign bb bb-1 %endrep mov eax, [q]
  • 55.
  • 56.  lcc  esi/edi  Calling convention  Emulated stack  32 bit ALU  Simplified dummy selectors  102 IL instructions  Not bad! The M/o/Vfuscator
  • 57.  mov-only C Compiler  https://github.com/xoreaxeaxeax  First single instruction C compiler! The M/o/Vfuscator
  • 58.  prime  Cube  M/o/Vfuscator The M/o/Vfuscator
  • 59.
  • 60.
  • 61.
  • 62.
  • 63.
  • 64.  How much can we simplify a program?  We’ve gotten rid of…  Functions  Loops  Branches  Arithmetic  … it’s an okay start. Reduction
  • 65.  We have all the same instructions  mov  But they’re not all the ”same”  mov eax, edx  mov [100], bl  mov di, 0x1337  mov eax, [edx + 2 * ecx + 0x1094801] Reduction
  • 66.  Eliminate register to register transfers  mov eax, edx becomes  mov [0x1000], edx  mov eax, [0x1000] x86 addressing
  • 67.  Eliminate constant to register transfers  mov eax, 12345 becomes  _temp: .dword 12345  mov eax, [_temp] x86 addressing
  • 68.  All instructions now either read or write to memory. x86 addressing
  • 69.  Eliminate 8 and 16 bit addressing  mov al, [100] becomes  mov [200], eax  mov eax, [100 - 3]  mov [200 - 3], eax  mov eax, [200] x86 addressing 200 100
  • 70.  Simplify memory addressing  mov eax, [0x1234 + ecx + 8 * edx]  Use the M/o/Vfuscator ALU!  Calculate ecx + 8 * edx  Accumulate results in ecx  Result:  (dozens of mov ALU instructions)  mov eax, [0x1234 + ecx] x86 addressing
  • 71.  No more register to register transfers.  No more constant to register transfers.  No more 8 or 16 bit instructions.  All memory accesses are of the form [reg + constant]  mov instructions are now all mov reg, [reg + constant] or mov [reg + constant], reg Almost there.
  • 72.  We still use 8 registers!  Decrease to 2 by storing extras to scratchpad memory  All mov instructions now mov esi/edi, [esi/edi + constant] or mov [esi/edi + constant], esi/edi Registers
  • 73.  Writes: mov [esi/edi + constant], esi/edi  Reads: mov esi/edi, [esi/edi + constant]  Alternate reads and writes  1 read, followed by 1 write, followed by 1 read, followed by 1 write…  Insert dummy (unused) accesses Alternating memory
  • 74. mov esi,[edi+0x816d0e8] mov [edi+0x816d104],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0ec],esi mov esi,[edi+0x816d0eb] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d10c],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0e8],esi mov esi,[edi+0x816d0e0] mov [edi+0x816d0e9],esi mov esi,[edi+0x816d0e8] mov [edi+0x816d0f8],esi mov esi,[edi+0x816d0c8] mov [edi+0x816d0e8],esi The result…
  • 75.  Can we take it further?
  • 76. Psuedo-registers  Instead of registers, use memory to hold the register contents  esi becomes [0x890100]  edi becomes [0x890200]  Let’s call these memory locations “psuedo-registers”
  • 77. A ‘synthetic’ mov  With psuedo-registers, our movs look like mov [0x890100],[[0x890200]+0x816d0e8]  At this point, we’re just moving values to/from different locations in memory  … but this is no longer a valid x86 instruction
  • 78. A ‘synthetic’ mov  Let’s invent a new instruction, “MOVE”  MOVE [ *address_1 + offset_1 ] , [ *address_2 + offset_2 ]  Our broken x86 instruction mov [0x890100],[[0x890200]+0x816d0e8]  Becomes  MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]
  • 79. A ‘synthetic’ mov  Translate the old mov instructions into the more generic MOVE instruction  mov esi,[edi+0x816d0e8] becomes MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ]  mov [edi+0x816d0e8], esi becomes MOVE [ *0x890200 + 0x816d0e8 ], [ *0x890100 + 0 ]
  • 80. A ‘synthetic’ mov  Why is this useful?  All instructions now have exactly the same form.
  • 81. Extracting the essence MOVE [ *0x890100 + 0 ], [ *0x890200 + 0x816d0e8 ] { 0x890100, 0, 0x890200, 0x816d0e8 }  Extract all of the MOVE operands into a table.
  • 82.  We’ve distilled our entire C program into a table describing a long list of simple data transfers  Let’s write a program to perform the actions described in the table So now what?
  • 83. Load the table into esi…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov esi, table
  • 84. Execute a memory read…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov ebx, [esi] ; load addr of psuedo-reg 1  mov ebx, [ebx] ; load psuedo-reg 1  add ebx, [esi+4] ; add offset  mov ebx, [ebx] ; perform memory read
  • 85. Execute a memory write…  table:  0x890100, 0, 0x890200, 0x816d0e8  ...  mov edx, [esi+8] ; load addr of psuedo-reg 2  mov edx, [edx] ; load psuedo-reg 2  add edx, [esi+12]; add offset  mov [edx], ebx ; perform memory write
  • 86. Rinse, repeat.  table:  0x890100, 0, 0x890200, 0x816d0e8  0x990010 ; pointer to next table entry  mov esi, [esi+16] ; move to next entry  jmp loop ; repeat the whole process
  • 87. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop table: 0x890100, 0, 0x890200, 0x816d0e8 ... With the reductio toolchain, a C program compiles to ->
  • 88.  Thought experiment:  How far can we reduce a program? So…?
  • 89.  Every program ever written can be reduced to exactly this -> So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 90.  Thought experiment:  Can one sequence of instructions produce entirely different results? So…?
  • 91.  This instruction stream simultaneously implements everything. So…? mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 93.  (Can’t show compiling ) ./demo
  • 94.  The instruction sequence executed by the processor is the same for every program. mov esi, table loop: mov ebx, [esi] mov ebx, [ebx] add ebx, [esi+4] mov ebx, [ebx] mov edx, [esi+8] mov edx, [edx] add edx, [esi+12] mov [edx], ebx mov esi, [esi+16] jmp loop
  • 95.  1.  If every program is the same, malware detection gets a whole lot harder. (demo)  Doing the same thing  (In practice) Implications
  • 96.  2.  Exploitation  “AVROP” (Mark Barnes, MWR Labs)  https://github.com/mwrlabs/avrop  AVR microcontroller (Raspberry Pi)  Harvard architecture: limited to ROP  Small memory: very few gadgets  Fortunately, all we need is mov. Implications
  • 97.  The AVROP machine Implications
  • 98.  3.  It’s cool!  A philosophical conclusion…  If the code makes no difference, what does it mean ‘to program’? Implications
  • 99.
  • 100. github.com/xoreaxeaxeax  reductio  M/o/Vfuscator  REpsych  x86 0-day PoC  Etc. Feedback? Ideas? domas  @xoreaxeaxeax  xoreaxeaxeax@gmail.com