1st Reversing and Offensive-oriented Trends Symposium 2017 (ROOTS)
Academic workshop co-located with DeepSec
November 16/17, Vienna
List of Accepted Papers
Reverse Engineering a Code without the Code
Abdelhak Mesbah, Jean-Louis Lanet and Mohamed Mezghiche
Retrieving assets from inside a secure element should be
difficult. While the most attractive assets are the cryptographic keys stored in the Non Volatile Memory (NVM) area,
the algorithms which are executed are also of interest. This
means that the confidentiality of binary code embedded in
the Read Only Memory (ROM) of that device should also be
protected from extraction and reverse engineering. Thanks
to a previous attack, we obtained a dump of the NVM, but
not of the ROM. In this paper, we demonstrate that we can
reverse engineer the algorithms without having access to the
code by taking advantage of the object oriented features of
the platform. We have only access to the data. We use a
specifically designed graphic tool to reason about the data
such that we are able to understand the principle of the algorithm. Then, we are able to bypass the protection mechanism
in order to get access to the binary code.
A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion
Alexei Bulazel and Bulent Yener
Automated dynamic malware analysis systems are important in
combating the proliferation of modern malware. Unfortunately,
malware can often easily detect and evade these systems. Competition between malware authors and analysis system developers has
pushed each to continually evolve their tactics for countering the
In this paper we systematically review i) “fingerprint”-based
evasion techniques against automated dynamic malware analysis
systems for PC, mobile, and web, ii) evasion detection, iii) evasion
mitigation, and iv) offensive and defensive evasion case studies. We
also discuss difficulties in experimental evaluation, highlight future
directions in offensive and defensive research, and briefly survey
related topics in anti-analysis
Dennis Detering, Juraj Somorovsky, Christian Mainka, Vladislav Mladenov and Jörg Schwenk
cross- and same-origin data exchange, as well as in Single Sign-On (SSO) protocols such as OpenID Connect. To protect integrity,
Signing and Encryption (JOSE) was created to apply cryptographic
mechanisms directly in JSON messages.
We investigate the security of JOSE and present different applicable attacks on several popular libraries. We introduce JOSEPH
our newly developed Burp Suite extension, which automatically
performs security analysis on targeted applications. JOSEPH’s automatic vulnerability detection ranges from executing simple signature exclusion or signature faking techniques, which neglect JSON
message integrity, up to highly complex cryptographic Bleichenbacher attacks, breaking the confidentiality of encrypted JSON
messages. We found severe vulnerabilities in six popular JOSE libraries. We responsibly disclosed all weaknesses to the developers
and helped them to provide fixes.
Out-of-Order Execution as a Cross-VM Side Channel and Other Applications
Sophia d'Antoine, Jeremy Blackthorne and Bulent Yener
Given the rise in popularity of cloud computing and platform-as-a-service, vulnerabilities in systems which share hardware have become more attractive targets to malicious actors. One of the vulnerabilities inherent to these systems is the potential for side-channels,
especially ones that violate the isolation between virtual machines..
In this paper, we introduce a novel side-channel which functions across virtual machines. The side-channel functions through
the detection of out-of-order execution. We create a simple duplex
channel as well as a broadcast channel. We discuss possible adversaries for the side-channel and propose further work to make the
channel more secure, efficient and applicable in realistic scenarios.
In addition, we consider seven possible malicious applications of
this channel: theft of encryption keys, program identification, environmental keying, malicious triggers, determining virtual machine
co-location, malicious data injection, and covert channels.
Dynamic Loader Oriented Programming on Linux
Julian Kirsch, Bruno Bierbaumer, Thomas Kittel and Claudia Eckert
Memory corruptions are still the most prominent venue to attack
otherwise secure programs. In order to make exploitation of software bugs more difficult, defenders introduced a vast number of
post corruption security mitigations, such as w⊕x memory, Stack
Canaries, and Address Space Layout Randomization (ASLR), to only
name a few. In the following, we describe the Wiedergänger-Attack,
a new attack vector that reliably allows to escalate unbounded array
access vulnerabilities occurring in specifically allocated memory
regions to full code execution on programs running on i386 / x86_64
Wiedergänger-attacks abuse determinism in Linux ASLR imple-
mentation combined with the fact that (even with protection mechanisms such as relro and glibc’s pointer mangling enabled) there exist
easy-to-hijack, writable (function) pointers in application memory.
To discover such pointers, we use taint analysis and backwards
slicing at the binary level and calculate an over-approximation of
vulnerable instruction sequences.
To show the relevance of Wiedergänger, we exploit one of the
discovered instruction sequences to perform an attack on Debian 10
(Buster) by overwriting structures used by the dynamic loader (dl)
that are present in any application with glibc and the dynamic
loader as dependency. In order to show generality, we solely focus
on data structures dispatched at program shutdown, as this is a point
that arguably all applications eventually have to reach. This results
in a reliable compromise that effectively bypasses all protection
mechanisms deployed on x86_64 / i386 Linux to date.
We believe Wiedergänger to be part of an under-researched
type of control flow hijacking attacks targeting internal control
structures of the dynamic loader for which we propose to use the
terminology Loader Oriented Programming (LOP).
Security Analysis of the Telegram IM
Tomáš Sušánka and Josef Kokeš
Telegram is a popular instant messaging service, a self-described
fast and secure solution. It introduces its own home-made crypto-
graphic protocol MTProto instead of using already known solutions,
which was criticised by a significant part of the cryptographic com-
In this article we will briefly introduce the protocol to provide
context to the reader and then present two major findings we dis-
covered as part of our security analysis performed in late 2016.
First, the undocumented obfuscation method Telegram uses, and
second, a replay attack vulnerability we discovered. The analysis
was mainly focused on the MTProto protocol and the Telegram’s
official client for Android.
Paying the Price for Disruption: How a FinTech Allowed Account Takeover
Vincent Haupert, Dominik Maier and Tilo Müller
This paper looks at N26, a pan-European banking startup and the
poster child for young FinTech companies. We assess how security
is treated by startups that provide disruptive technologies in the
financial sector. In an area that has been committed to security, we
find that FinTech companies have modern designs and outstanding
user experience as their main priority. This strategy is rewarded by a
rapidly increasing customer base but reveals a flawed understanding
of security. We analyzed all aspects of security of N26, including the
frontend, backend, protocols, human factors, and underlying design
concepts, and found issues in all of them. We succeeded in leaking
customer data, manipulating and carrying transactions and even
could have entirely taken over foreign accounts. We reported these
findings to N26 and did not disclose them before they were fixed.
By publishing this case study, we hope to raise awareness about
security considerations in the critical banking sector, especially for
other FinTech startups.
Enhancing Control Flow Graph Based Binary Function Identification
Clemens Jonischkeit and Julian Kirsch
Recognition of binary functions in compiled code is a major stepping stone towards any advanced binary analysis technique. Nucleus is a novel algorithm based on the idea of using the Interprocedural Control Flow Graph (ICFG) to detect function boundaries.
Building upon this technology we propose a new approach to address the related problem of identifying previously-seen known
functions within a binary. Our idea is based on comparing the Control Flow Graphs (CFGs) of unknown functions from a binary to
known functions from a previously generated database. Compared
to traditional approaches, our method is aware of the underlying
graph matching problem being performed on CFGs of binary code:
First, it utilizes instruction level knowledge about basic blocks as additional constraints for graph isomorphism. Second, optimizations
and transformations introduced by different compilers affecting the
shape of the CFG are taken into account.
Our approach aims to avoid false positives (wrongly assigning a
known function symbol to an unknown function) at all cost: The
evaluation shows that this method is very effective in reducing false
positive matches (below one percent in most cases) and doubles
recall rates compared to the traditional graph matching based approach when matching one version of nginx compiled with different