I want to start the new year with a short trip report of my visit to the 29th Chaos Communication Congress (29c3) in Hamburg, Germany.
It was my first attendance of Germany’s largest hacker conference and mostly met my expectations. Prior to travelling and judging from the “Fahrplan” (that’s how the overview of scheduled talks is called) hardcore tech talks had only a minor role this year which was kind of sad. So from that point of view it was a bit disappointing for me personally, as I had experienced two great technical conferences in 2012 already, REcon and a very familial and special one on binary occultism.
However, with about 6000 attendees, 29c3 was a great chance to meet people again that I knew from before, fill up some formerly pure digital contacts with real life interactions and randomly get to know new people. Shouts out to all of you who enjoyed the time spent together as much as I did.
Apart from that, in one of the workshops and over the days I obtained some basic skills of lock picking. I never thought I would enjoy it that much, but lock picking pretty much resembles my activities of reverse engineering but projected onto physical objects with a additional need for manual / mechanical skill. It’s pretty much like Mastermind, I guess. I immediately bought myself some equipment and practice “materials”. Maybe I will blog about my progress at a later time as well.
To be useful to my readers, here is my personal selection of some talks I visited (in chronological order) and which I would like to highlight because of their awesomeness.
The talk I appreciated the most on the first day was one of the last to be held, given by Sergey Gordeychik, Gleb Gritsai, and Denis Baranov (Project’s Twitter). While we all now that SCADA still has a lot of potential for future catastrophes, this talk gave a nice overview on how (NOT) hard it actually seems to pwn SCADA equipment. Very scary.
Aaron Portnoy’s recent adventure into SCADA software already gave a nice impression on the state of security but this talk completed the picture in a very entertaining way.
29c3 page of this talk - Video - Project Page
On the one hand, with a title like this, it was only natural to join this talk as it implicated low level focus and hardware hacking. My expectations were more than met when Natalie Silvanovich explained here journey towards making her Tamagotchis the happiest in the world and finally achieved it by setting the respective variable to 0xFFFF. ;)
Due to Tamagotchis being hip during my time in school, I well remembered those little plastic eggs (never owned one). Natalie outlined the evolution of the devices since the 90ies, showing pluggable bonus devices and explaining the IR communication capabilities of recent releases.
Having reversed the IR protocol gave her already plenty power to mess with the little creatures but left some aspects unresolved that required reversing the chip. She continued by detailing her attempts to uncover and identify the micro controller. In probably numerous hours of work she was able to fiddle around with the EEPROM and Figure ROM, finally being able to extract some data such as the animations stored in this memory.
The talk was very informative and was presented in an awesome way.
29c3 page of this talk - Video - Project Page
First: I have to admit that I didn’t visit that one in person because I was a bit late at the lecture hall, but hey, I watched the live stream!
I kind of knew Carlos Garcia Prado: only from Twitter before his talk. He was the first person I followed because I wanted to stay up to date on his Daemon Enterprises challenges during the time he published them. :)
His talk’s topic was using binary instrumentation targeting client / server software in order to improve fuzzing. He started out with a very short introduction to fuzzing as being a technique to cause crashes in proprietary software by feeding pseudo-randomly crafted and thus hopefully invalid but acceptable content to interfaces.
Next, he validly argued against dumb fuzzing. As alternative approach he came up with a comparison to biotech / protein manipulation. The binary equivalent in that sense would be interfering with a programs DNA (code) and partly using / altering it to create custom behaviour.
He achieved this by combining hooking and instrumentation, namely through using Detours and PIN. Detours is used to intercept execution and save / manipulate program state, PIN is used to differentially debug the program to spot interesting parts / functionality.
He finally gave a demo showing his framework’s functionality on a little network based crackme.
He spiced up his presentation by including tons of pictures from various movies and series on whose characters’ identities he asked the audience about. Correct answers were gifted with pieces of chocolate. I would have loved to see that in person, on the stream it looks like he was throwing pretty hard. :)
29c3 page of this talk - Video - Project Page
This talk by Julian Bangert and Sergey Bratus gave an excellent insight on how weird x86 actually is.
Julian constructed a Turing complete machine just based on the behaviour of the trap flag. Instruction set completeness is achieved by only one instruction, case-dependent representing an arithmetic (SP decrement) or branching (CPU double fault) operation. This is enough to represent arbitrary programs.
It’s noticeable that using double faults in such a way is very transcendental as such an error under normal circumstances is most likely connected to a buggy kernel and will lead to a reboot in case the DF handler fails (= triple fault). Therefore, it’s pretty impressive how Julian has abused the specifications of x86 to create this weird machine.
Don’t expect this behaviour to be demonstrated easily, out of the emulation systems tried by Julian (QEMU, Bochs, Simics, KVM, PLTSim), only Bochs was able to show this functionality properly.