5th Reversing and Offensive-oriented Trends Symposium 2021 (ROOTS)

Academic workshop co-located with DeepSec, November 18/19, Vienna

Keynote


Ethics in Security Research – The Good, the Bad and the Ugly

Katharina Krombholz

In recent years, the top security conferences have started to add ethics statements to their call for papers. It has become common practice to obtain ethics votes for human subjects studies in security research. But what about everything else, such as offensive security research, large scale measurement studies or adversarial machine learning? In this talk, I discuss good, bad and ugly examples of how ethics are handled in security & privacy research. I will also present actionable recommendations to ensure ethical and responsible research practices that are essential to build and break systems without causing harm.


List of Accepted Papers


Acceptance Rate = 33%

Reversing and Fuzzing the Google Titan M Chip

Damiano Melotti, Maxime Rossi-Bellom and Andrea Continella

Google recently introduced a secure chip called Titan M in its Pixel smartphones, allowing the implementation of a Trusted Execution Environment (TEE) in tamper-resistant hardware. TEEs have been proven effective in reducing the attack surface exposed by smartphones, by protecting specific security-sensitive operations. However, studies have shown that TEE code and execution can also be targeted and exploited by attackers; therefore, studying their security lays the basis of the trust we have in the features that they bring.
In this paper, we provide the first security analysis of the Titan M. We start by reverse engineering the firmware and reviewing the open source code in the Android OS responsible for the communication with the chip. By exploiting a known vulnerability, we then dynamically examine the memory and the internals of the chip. Finally, leveraging the acquired knowledge, we design and implement a structure-aware black-box fuzzer.
Using our fuzzer, we rediscover several known vulnerabilities after a few seconds of testing, proving the effectiveness of our solution. In addition, we find and report a new vulnerability in the latest version of the firmware.

Uncovering Smart Contract VM Bugs Via Differential Fuzzing

Dominik Maier, Fabian Fäßler and Jean-Pierre Seifert

The ongoing public interest in blockchains and smart contracts has given rise to a multitude of different blockchain implementations. The rate at which new concepts are envisioned and implemented makes it hard to vet their security. Still, people put their trust and money into chains that may lack proper testing. However, smart contract platforms, executing untrusted code, are complex by design. A behavior deviation for edge cases of single op-codes is a critical bug class in this brave new world. It can be abused for Denial of Service against the blockchain, chain splits for double-spending, or direct attacks on applications operating on the blockchain. In this paper, we propose an automated methodology to uncover such differences. Through coverage-guided and state-guided fuzzing, we explore smart contract virtual machine behavior against multiple VMs in parallel.
We develop NeoDiff, the first framework for feedback-guided differential fuzzing of smart contract VMs. We discuss real monetary consequences our tool prevents. NeoDiff can be ported to new smart contract platforms with ease. Apart from fuzzing Ethereum VMs, NeoDiff found a range of critical differentials in VMs for the Neo blockchain. Moreover, through a higher-layer semantics mutator, we uncovered semantic discrepancies between Neo smart contracts written in Python and classic CPython. Along the way, NeoDiff uncovered memory corruptions in the C# Neo VM.

WAFL: Binary-Only WebAssembly Fuzzing with Fast Snapshots

Keno Haßler and Dominik Maier

WebAssembly, the open standard for binary code, is quickly gaining adoption on the web and beyond. As the binaries are often written in low-level languages, like C and C++, they are riddled with the same bugs as their traditional counterparts. Minimal tooling to uncover these bugs on Wasm binaries exists. In this paper we present WAFL, a fuzzer for Wasm binaries. WAFL adds a set of patches to the WAVM WebAssembly runtime to generate coverage data for the popular AFL++ fuzzer. Thanks to the underlying JITing WAVM, WAFL is already very performant. WAFL adds lightweight VM snapshots. By replacing forks, traditionally used in AFL++ harnesses, with WAFL’s snapshots, WAFL harnesses can even outperform native harnesses with compile-time instrumentation in raw fuzzing performance. To the best of our knowledge, WAFL is the first coverage-guided fuzzer for binary-only Wasm, without the need for source.