(My) BruCON 2015 notes (3)

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

Intrusion detection on Linux and OSX with osquery

osquery goals:

  • explore your operation system using sqlbruCon
  • host visibility is motivated by intrusion detection
  • wanted 1 binary; 6MB with no dependencies
  • done in C++
  • created and used by facebook (installed on 60 000 osx)

Same osquery query examples:

  • select pid, name, uid from processes where [constraints]
  • the sql syntax is the SQL lite  syntax.
  • no Windows version; linux and osx only.
  • a lot of cool examples: the list of events that happened on the host (files changed, usb sticks inserted).

A second binary that is presented is called osqueryd. osqueryd is a daemon; it uses a json-config config file to set options and define a schedule. The goal of osqueryd is to execute queries peridically and then send the result to an ELK (ElasticSearch+LogStash+Kibana) system.

The queries used by Facebook are packaged in different files; these packages can be also downloaded free of charge.

Kernel Tales: Security Testing of aarch64 Android Kernels

A kernel contains code from various sources; hardware manufacturers, software companies (google, samsung).
An Android kernel is almost a Linux kerner, so the attack surface is through syscalls;
The way to corrupt the kernel: the user space tries to write in the kernel space by using syscalls or even better use the ioctls to replace the syscall.

The overall idea is to fuzzy the parameters passed to ioctls. The fuzzer used (dronity) is based on the trinity fuzzer; dronity is not yet available (it will be soon on github).

The demo contained the following items:

  • dronity fuzzing a Android development board.
  • dronity fuzzing a real Android tablet.
  • dronity fuzzing an aarch64 kernel on qemu.
  • dronity fuzzing an aarch64 kernel with gdb attached (on qemu) in order to intercept the exception thrown by the kernel.

Comments are closed.

%d bloggers like this: