A walk with radare2 analysis

Analysing the binary: “resident”

https://github.com/radare/radare2/issues/3433

https://github.com/radare/radare2/issues/3684

https://github.com/radare/radare2/issues/9166

https://samsymons.com/blog/reverse-engineering-with-radare2-part-1/

https://www.linuxdays.cz/2017/video/Tomas_Antecky-Disassembling_with_radare2.pdf

https://radare.gitbooks.io/radare2book/disassembling/intro.html

https://www.g0jirasan.com/2017/08/radare2-cheat-sheet.html

https://twitter.com/binitamshah/status/535968768371859457

https://eforensicsmag.com/reverse_engi_cheatsheet/

And this:

https://gist.github.com/williballenthin/6857590dab3e2a6559d7

https://scoding.de/uploads/r2_cs.pdf

http://b404.xyz/sources/r2-cheatsheet.pdf

https://reverseengineering.stackexchange.com/questions/11653/method-disassembly-of-objective-c-mach-o-with-radare-2

Analysis:   load without any analysis (file header at offset 0x0): r2 -n /path/to/file

  • analyze all: aa
  • show sections: iS
  • list functions: afl
  • list imports: ii
  • list entrypoints: ie
  • seek to function: s sym.main
  • show basic block disassembly: pdb
  • show function disassembly: pdf
  • show function arguments: afa
  • show function variables: afv
  • rename function variable: afvn
  • set function variable type: afvt
  • add/analyze function: af
  • enter graph modes: VV
  • cycle types of graphs:
    • forward: p
    • backwards: P
Advertisements

RUST programming

Wow…I am very impressed…..soon or later all C programs (meaning Operating SYstem) will be migrated to RUST soon…..

https://www.reddit.com/r/rust/comments/2snn7a/hashmaprcstring_v/

https://doc.rust-lang.org/book/second-edition/ch15-04-rc.html

https://www.youtube.com/watch?v=_jMSrMex6R0 (good, but not as inspiring as the next video below)

https://os.phil-opp.com

https://github.com/redox-os/redox

RUST security:

https://www.rust-lang.org/en-US/security.html

https://users.rust-lang.org/t/what-makes-rust-a-high-security-language-what-could-be-done-better/9879

https://www.reddit.com/r/rust/comments/5y3cxb/how_many_security_exploits_would_rust_prevent/

https://www.youtube.com/watch?v=cDFSrVhnZKo

Memory Safety
Thread Safety (ie, NO data race)
Unit tests
Type system
No Exceptions, which allows warnings for unused Err Results meaning all errors can be provably caught and handled
No Garbage collector

https://blog.getreu.net/projects/embedded-system-security-with-Rust/

Cyclone (predecessor for RUST): http://www.cs.umd.edu/projects/cyclone/online-manual/main-screen002.html

https://medium.com/@shnatsel/auditing-popular-rust-crates-how-a-one-line-unsafe-has-nearly-ruined-everything-fab2d837ebb1

https://medium.com/@shnatsel/how-rusts-standard-library-was-vulnerable-for-years-and-nobody-noticed-aebf0503c3d6

How to install PPC-based ubuntu inside the x86-64 environment

Firstly my hardware is running Ubuntu 16-04 64-bit on Ryzen 7 AMD64 hardware:

I would like to install a PPC-based Ubuntu as downloaded from here:

wget http://cdimage.ubuntu.com/releases/trusty/release/ubuntu-14.04.5-server-powerpc.iso

Next is to mount the above image as cdrom image:

sudo mount -o loop=/dev/loop0 ubuntu-14.04.5-server-powerpc.iso /mnt/xubuntu/

Now going into /mnt/xubuntu/install we can identify many files: rootfilesystem, and powerpc kernel + initrd files (under powerpc and powerpc64 and e500mc)

We will use the powerpc64/vmlinux and powerpc64/initrd.gz files.

And for the squashfs it is in squashfs format – which is readonly filesystem. Since squashfs format is not recognizable by QEMU I have decided to manually convert it to ext3 filesystm as follows:

sudo mount -o loop=/dev/loop1 filesystem.squashfs /mnt/rootfs/
cd /mnt/rootfs

sudo tar cvfz /tmp/rootfs.tgz . (notice the last char is full stop ".")

dd if=/dev/zero of=/sda3/ppc_rootfs.img bs=600M count=1

cd /sda3

mkfs.ext3 ppc_rootfs.img
sudo mount ppc_rootfs.img /mnt/rootfs/
cd /mnt/rootfs/

sudo tar xvfz /tmp/rootfs.tgz .

sudo umount /mnt/rootfs

cd /mnt/xubuntu/install

And the directory looked like this:

And to startup QEMU:

sudo qemu-system-ppc64 -kernel powerpc64/vmlinux -initrd powerpc64/initrd.gz -boot c -hda /sda3/ppc_rootfs.img

And booting goes ahead:

Selection_015

Enter “Alt-Ctrl-t” and you will get this:

Selection_016

Select the “Execute a shell” and now you have a shell to run any PPC binaries you want (without ever using any “qemu-user” utilities).

Or you may want to install from the ISO file:

dd if=/dev/zero of=/sda3/ppc_hda.img bs=600M count=1
mkfs.ext3 /sda3/ppc_hda.img
sudo qemu-system-ppc64 -kernel powerpc64/vmlinux -initrd powerpc64/initrd.gz -boot c -hda /sda3/ppc_hda.img -cdrom ~/ubuntu-14.04.5-server-powerpc.iso

 

 

Scalable design checklist

  • resources locking design: by CPU, by processes, by threads etc.
  • how data structures is shared by the CPU (per-CPU or no per-CPU locking),
  • total nos of global resources and its locks,
  • nos of CPU,
  • CPU task scheduler design,
  • atomicity of instructions (number of bytes for each instructions),
  • caching / prefetching,
  • speculative prefetching,
  • timeout / round-trip time (for gigabit networking)
  • memory pool design (allocated/deallocated pool etc)
  • memory vs storage usage,
  • one-off vs repeated request design (asynchronous vs synchronous design)
  • traceability/debuggability vs scalability/performance (amount of logging)
  • bottleneck monitoring & identification – how resources competitions are even out and smoothen out (information cached in procfs etc)
  • CPU utilization
  • GPU utilization

References:

https://github.com/brendangregg/msr-cloud-tools

https://www.youtube.com/watch?v=zxCWXNigDpA

https://thetechsolo.wordpress.com/2016/02/29/scalable-io-events-vs-multithreading-based/

https://murphyswork.wordpress.com/2015/08/01/linux-tcp-connections-tuning-for-scalability/

https://mrotaru.wordpress.com/2013/10/10/scaling-to-12-million-concurrent-connections-how-migratorydata-did-it/

https://thetechsolo.wordpress.com/2016/08/28/scaling-to-thousands-of-threads/

https://cs.nju.edu.cn/tianchen/lunwen/2017/sgws-Zhao.pdf

https://lwn.net/Articles/295094/

https://lwn.net/Articles/419811/

https://lwn.net/Articles/633538/

https://lwn.net/Articles/704478/

http://www.ncic.ac.cn/~majie/Papers/References/p294_SC2000.pdf

SimpleLink Wi-Fi CC3200 Project 0: Unboxing and writing the first BLINK + Wifiwebserver

First is to watch the video:

https://www.youtube.com/watch?v=Kn-YPsByyYU

After connecting as per below the picture:

And followed by compiling the BLINK example and uploading to the Launchpad:

https://www.youtube.com/watch?v=hhdKg6_lkVA

https://training.ti.com/simplelink-wi-fi-cc3200-project-0-energia-ide

And next is to run the Wifi Webserver:

Completed.

radare2: A checklist showing how to analyze a binary

Installing radare2 from docker hub:

https://hub.docker.com/r/radare/radare2/

docker pull radare/radare2

Next is to start the docker container:

docker run -it radare/radare2

And copy the "resident" binary from host into container (container id is 1288):

docker cp resident 1288:/tmp

And now analysing the "resident" binary inside the docker container:

Starting from main analysis (VV):

(Enter "q" after "VV", hexdump of binary):

(showing sections: iS)

(showing functions: afl)

(showing basic blocks: pdb)

(showing main entry point: ie)

(showing imports: ii)

Looking for other command:

https://www.g0jirasan.com/2017/08/radare2-cheat-sheet.html

https://twitter.com/binitamshah/status/535968768371859457

https://eforensicsmag.com/reverse_engi_cheatsheet/

And this:

https://gist.github.com/williballenthin/6857590dab3e2a6559d7

https://scoding.de/uploads/r2_cs.pdf

http://b404.xyz/sources/r2-cheatsheet.pdf

My steps for analysis:

load without any analysis (file header at offset 0x0): r2 -n /path/to/file

  • analyze all: aa
  • show sections: iS
  • list functions: afl
  • list imports: ii
  • list entrypoints: ie
  • seek to function: s sym.main
  • show basic block disassembly: pdb
  • show function disassembly: pdf
  • show function arguments: afa
  • show function variables: afv
  • rename function variable: afvn
  • set function variable type: afvt
  • add/analyze function: af
  • enter graph modes: VV
  • cycle types of graphs:
    • forward: p
    • backwards: P

Hypercall Security Assessment Checklist

What are the checklist items when secure auditing hypercalls?

a. What are the hypercall instructions, and their input/output registers and side effects?

b. What are the privileges available when executing the hypercalls?

c. Are there any opportunities for transiting to other privilege level during runtime? If there is then under what conditions and requirements?

d. How to check through all the software boundary between the two different privilege level – and ensuring that reasonable checks are done before passing information from one side to another?

e. Any dependencies/races conditions on usage at runtime between different/same instructions by multiple CPU cores?

https://www.coursehero.com/file/p7bq556/8-Hypercalls-are-analogous-to-system-calls-in-the-OS-world-While-VM-Exits-are/

https://xenbits.xen.org/docs/4.8-testing/misc/pvh.html https://www.researchgate.net/post/Problem_with_hypercall_KVM_Xen

https://research.spec.org/fileadmin/user_upload/documents/wg_ids/endorsed_publications/SPEC-RG-2014-001_HypercallVulnerabilities.pdf

https://xenbits.xen.org/docs/4.8-testing/misc/pvh.html

https://reviews.freebsd.org/D8100?id=20886

ftp://netbsd.ftp.fu-berlin.de/misc/joerg/XEN3DOMU/src/src/sys/arch/xen/include/amd64/hypercalls.h.html

http://wwwi10.lrr.in.tum.de/~weidendo/lehre/VT-WS15/lab3-loesung.pdf

Project Zero: Pandavirtualization: Exploiting the Xen hypervisor

https://googleprojectzero.blogspot.com/2017/04/pandavirtualization-exploiting-xen.html

Below are security strengthening of KVM as done by Google:

https://www.linux-kvm.org/images/f/f6/01×02-KVMHardening.pdf

https://www.theregister.co.uk/2017/01/30/google_cloud_kicked_qemu_to_the_kerb_to_harden_kvm/

https://cloud.google.com/blog/products/gcp/7-ways-we-harden-our-kvm-hypervisor-at-google-cloud-security-in-plaintext

Security checklist in general for Google:

https://cloud.google.com/security/infrastructure/design/

KVM in general:  https://lwn.net/Articles/619376/

%d bloggers like this: