DTrace: The Reverse Engineer’s
Unexpected Swiss Army Knife
BlackHat DC 2008
The DTrace talk was nice and not too heavy technical so most everyone could follow the talk. Since I am not into “Reverse Engineering” I will just quote some of the high lights and features of DTrace. Keep in mind that all the whitepapers and presentation will be open to everyone on the BlackHat site after the convention.
What is DTrace:
• Kernel-Based dynamic tracing framework
• Created by Sun Microsystems
• First released with Solaris 10 OS
• Now included with Apple OS X Leopard
• Soon to be included with FreeBSD
DTrace allows you to perform debugging in real-time with out stopping the target program or process. Use of probes lets you get real-time info in thousands of places though out the system on the fly. As the program or process executes one of the probe you start to get real-time information with out stopping the target process.
The “D” Language
• D is an interpreted, block-structured language
• D syntax is a subset of “C”
• D programs are complied into the intermediate from
• Intermediate form is validated for safety when your program is first examined by DTrace kernel software
• The DTrace execution environment handles any runtime errors
• D does not use control-flow constructs such as if statements and loops
• D program causes are written as a single, straight-line statement list that trace an optional, fixed amount of data
• D can conditionally trace data and modify control flow using logical expressions called predicates
• A predicate is tested at probe firing before executing any statements
• DTrace is dynamic: probes are enabled only when you need them
• No code is present for inactive probes
• There is no performance degradation when you are not using DTrace
• When the “dtrace’ command exits, all probes are disabled and instrumentation removed
• The systems is returned to it original state
I enjoyed this talk but as I am not a programmer a lot of the detail did not mean too much to me. The presenters where well spoken and did not just read power points. You got the feeling they really knew what they where talking about.
Physical Access Control Systems
BlackHat 2008 DC
This discussion covered Different kinds of access control cards for things like building entry or Magnetic/ID cards. The talk was very informative and covered a lot more than the sides as Zac had a lot of comments and explanations on the different controls. Below is a summary of some of the technologies covered in his talk.
Card Technologies discussed:
• Magnetic Strip Cards
• Wiegand Card
• Proximity Card
• Barium Ferrite Card
• Concealed Barcode Card
• Smart Cards
• Not very good security
• Regular barcode obscured by IP transparent material (like a remote control)
• Normally 3 tracks
• High Coercivity – 4,000 Oersted
• Low Coercivity – 300 Oersted
• Cards are read by an exposed read head in the reader
• “High Security” cards can mean simply offsetting the track by millimeters
Clock & Data Protocol
• 3 wires required: Clock, Data & Ground
• Standard output from a mag strip reader
• Tends to use an insertion reader
• Card contains discrete magnetic domains
• Normally encodes in “fridge magnet” type material
• This was the original “Card Key”
• Special alloy wire is processed in such a way to create two distinct magnetic regions in the same piece of wire when passed over a magnetic field
• Wire is embedded in the card in a distinct order to create an individual code
• Each wiegand pulse is translated to a digital 0 or 1 depending on the wire location
• Reader emits an RF field that powers the card
• Card sends its data back to the reader where it is read by the host system
• An active card emits a field to the reader
Proximity vs. RFID
• Proximity cards are MAGNETICALLY coupled.
- Short read range
- Transmit response by shorting out own receive coil and causing minute power drops in readers transmit coil.
• RFID cards can have longer read range
- Energized by signal on frequency X
- Transmit response on a fraction of frequency ½ X
Proximity ID cards:
• Barf back a single bit stream
• Nominally 26 bits
• “High Security” can be 40 bits, though there are rumors of up to 84 bit versions.
• Security by manufacturers restricting “Site codes”
• The world generally uses 26 bits
Contact less Smart Card
• The way to go
• Authentication between reader & card
• Strong Crypto
• Retina Scan
• Iris Scan
• Venial Hand/Finger map
• Hand Geometry
Ok so you know the basics already about most biometrics and access control technologies but this talk brought a lot more info on details and history on many of the access control devices. I real enjoyed this talk and it had some similar topics to the RFID talk the day before and added some good details. This is a good presentation if you plan on getting your CISSP because everything discussed in this talk is covered on the CISSP exam.
Side Channel Analysis (hard ware security)
Job De Haas
BlackHat 2008 DC
This talk discusses way to secure hardware and keep hackers out of embedded devices (X-box 360, PlayStation 3, Linksys routers, Cell Phones, & More). Some of the information covered was Preventing Debug access, Protecting Busses and Memory Components, & Code Integrity. The talk was fasted paced but understandable and he followed the slides well which helped to keep up with his fast pace.
The talk was interesting and it covered ways and places to look for information leakage to intercept CM and code of debug what the PCB is doing. After he discussed the places to find and hack the devices he followed up with ways to lock down and secure the devices. Some of the tools he used where high end lab EMI scanners, Frequency analyzers, Oscilloscopes, and other high end tools your average hacker would not have access to. It was very interesting seeing the timing samples of leaked EMI data and them him showing you how to could tell what encryption might be used by counting the peaks in the analyzer (16 peak/bit would be DES and 10 would be AES). Another cool demo was looking at the heat signatures on the chips/CPU surface at different frequencies to figure out how the chip might work. In the end he covered some real high-tech testing methods but explained them in a way everyone could understand. The idea of manufactures removing the JTAGs and other Diagnostic ports from devices will make hardware hacking more difficult so in the future it might a lot more to hack your hardware.
I have dumbed down a lot of this talk and highly recommend you to download the sides once they are posted on BlackHat to get the real scoop on this talk.
Thanks and feel free to ask any questions you may have. Myself and Chris Gates sat in some different tracks so remember to hit him up too if you have questions about some of the other tracks.