../ m0leCon 2023

Days ago I went to Turin for the annual m0lecon 2023 conference.

The topics covered during the conference were all related to computer security, and they all managed to be interesting enough, which has led me to write a little bit about the main ideas, to remind myself of them and also to bring some references.

Below you can find the URL for the conf

https://m0lecon.it/

They also uploaded all the talks on youtube at the following playlist

Youtube – m0leCon 2023

---

#Rowhammer: The Power of Bitflips

The first talk was rowhammer.

The speakers, Lukas Gerlach and Daniel Weber, explained the main idea behind the rowhammer attack. Then they gave some possible exploitation techniques, and finally discussed possible mitigations.

The basic idea of rowhammer is that memory is built on top of eletrical components that, after some usage, need to be recharged. An attacker can abuse this physical need in order to flip bits in memory by doing quick memory accesses in specific patterns. The "row" part refers to the fact that RAM memory is structured in rows of adjacent cells, and the attacker is able to influence the bits of a given row by accessing the memory of near-by rows. While bitflips might seem like not much, with "a bit" (pun intended) of luck and a lot of preperation, if the bit flipped is in critical positions within the memory of the kernel, such as in blocks of memory used to manage page tables, this can allow for privilege escalation.

This means that with this technique you can potentially become root/administrator starting from RCE as a low privileged user.

During the talk they discussed their research related to rowhammer. In their research they also developed a simulated environment that allows you to test what happens when you randomly flip bit within the computer memory in a controlled way. This is useful because otherwise, when you test this sort of attack, you might freeze/crash your OS if the bit is flipped in a wrong position.

It would be interesting to understand how practical these types of attacks are, and in particular how reliable they can become with enough preparation.

Suppose you're able to introduce random bit flips within a given RAM, in a given OS. Then, I wonder

What is the probability that you will crash the system before actually triggering the RCE?

Some references:

• Hammulator: Simulate Now – Exploit Later
• A Rowhammer Reproduction Study Using the Blacksmith Fuzzer
• Rowhammer Exploits are still possible

---

#Developments in Isogeny-based Cryptography

The second talk was about cryptography, and in particular on the recent advances in isogeny-based cryptography, which is a relatively new branch of post-quantum cryptography.

The cryptographic systems we use right now are based on mathematical problems which are solid and robust against classical computers, but are not as strong against quantum computers. Examples of these problems are

• The factorization problem, used to protect the RSA cryptosystem.

• The discrete logarithm problem, used to protect the Diffie-Hellman key exchange.

Quantum computers are different with respect to classical computers in a profound sense, meaning that they are able to perform different operations. Out of the differences comes an interesting fact for cryptography: quantum computers are able to attack some of the mathematical problems that sit at the foundation of modern cryptography.

While this may seem really scary when you first hear about it, in practice quantum computers are still not feasible to use, at least as far as I've heard, because they have deep problems with size and accuracy. Indeed, their power comes from the fact that they are able to harness the physical states of elementary particles, which allows them to use the effect of quantum mechanics for performing different sorts of computation. To stabilize a quantum system however is really, really hard. This is why the quantum computers in use today are really small, so small that they cannot attack modern cryptosystems.

In the future however things might change. If new techniques and technologies are found in order to improve the stability/accuracy problem of quantum computers, in the future they might become big enough to actually attack modern cryptosystem. This is why NIST, the american National Institute of Standards and Technology, decided to open up a contest in order to choose new cryptographic systems and primitives.

These new systems have to be post-quantum, meaning that they have to respect the following properties

1. They need to run on normal, non-quantum computers, and be compatible with current network protocols.

2. They need to survive against attacks carried out by quantum computers.

Among the few cryptosystem that survived to this day there was one named Supersingular Isogeny Diffie-Hellman (SIDH), which, after many years of existence, was still not broken, and so it was thought to be a solid candidate for the task.

Few months ago, Wouter Castryck and Thomas Decru showed an attack on such scheme, which was then expanded by Luciano Maino and Chloe Martindale. This attack sort of broke the expectations of the community, I believe, because they did not expect it to be vulnerable. Out of the attack on SIDH, some of these researchers were able to use it constructively in order to create FESTA, an efficient isogeny-based public-key encryption protocol.

This talk was a bit challenging to follow, especially for the mathematical bits, although the Luciano was able to keep the abstraction at a digestible level.

Some references on the topic are found here below. Also, given that one of the authors of the paper linked below is Giacomo Pope, I will also link a platform he developed and mantains, the CryptoHack platform, an open and free to access platform full of CTFs to learn modern cryptography.

• An efficient key recovery attack on SIDH
• An attack on SIDH with arbitrary starting curve
• A Direct Key Recovery Attack on SIDH
• Github – SIDH direct attack
• FESTA*: Fast Encryption from Supersingular Torsion Attacks
• Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
• CryptoHack

---

#FloatZone: A surprisping application of floating point additions

The third talk was the one I prefered the most, due to

1. The idea of the talk was extremely simple
2. The idea of the talk was extremely effective

The author, Floris Gorter, explained his journey in trying to improve the performance of memory sanitizers. A memory sanitizer is used within the software development cycle during the testing phase in order to make sure that a given program written in a low level language such as C or C++ does not have memory corruption errors.

Did we write a buggy program that will overflow the memory, or did we use a memory area after we had freed it? Whathever the error is, memory sanitizers work by adding blocks of memory with specific values, called redzones, and making sure that within the flow of the program those blocks are not modified. This requires pervasive instrumentation, something which can slow down program by almost ~2x.

The simple, surprising and extremely effective idea was to

express comparisons as underflow exceptions generated through floating point additions

Exceptions in certain cases can be interpreted as specific comparisons. For example, when we divide two numbers, say a and b, the computer has to check that the denominator, b, is different from 0, and only then perform the operation. Otherwise, if b = 0, then we throw an exception.

This also applies to underflow situations when we add two floating point numbers. In particular, if you fix one of the number you're adding to the magic value 0x0b8b8b8a, and consider the following

\[\texttt{res} = \texttt{float}(\texttt{0x0b8b8b8a}) + \texttt{float}({y})\]

Then you have two specific values for y which can cause an underflow exception, and these are 0x8b8b8b8b and 0x8b8b8b89. This means that with a simple sum of two floating point numbers, one of which is \(\texttt{0x0b8b8b8a}\), is actually executing the following conditional statement

if( y == 0x8b8b8b8b || y == 0x8b8b8b89 ) {
  fp_underflow_exception();
} else {
  res = float(0x0b8b8b8a) + float(y)
}

By placing within the memory one of these values, say 0x8b8b8b8b, as redzones, with a simple floating point addition we're able to understand if the value has changed or not.

This idea is beautiful, and it showcases perfectly the value of creativity when dealing with computers. For this reason this was my favorite talk of the entire conference.

Some references:

• https://www.vusec.net/projects/floatzone/
• https://github.com/vusec/floatzone
• FloatZone paper

---

#Web Session Integrity Vulnerabilities

This talk, brought by Marco Squarcina, was all about web security, and in particular it showcased various attacks you can perform on cookies assuming you're able to control a subdomain (atk.example.com) of a domain of interest (example.com) in a situation known as same-site attacker.

The idea basically is that the sameSite attribute that you can give to a cookie does not apply to attackers that are able to control a subdomain of your site.

Some of the attacks mentioned were:

• Session fixation
• Cross-Origin Request Forgery (CORF)

Other than the technical part, the talk was extremely interesting because it discussed just how messy the state of the web still is. In particular they did a study on how cookies are handled between the browsers and the servers, and found, for example, the fact that nameless cookies, which are cookies with an empty name such as =value, can create vulnerability problem when they are not correctly handled by the backend of the application. This was the case for example for Werzeug, which led to CVE-2023-23934.

Some references:

• Cookie Crumbles: Breaking and Fixing Web Session Integrity
• Cookie Crumbles – Slides
• Internet Security: the Danger of Nameless Cookies
• Danger Caused by Subdomains

---

#Virtualbox N-day vm escape exploit

This talk described the journey of a researcher, Luca Ginex, in order to implement an n-day exploit for a CVE regarding a guest escape exploit found in 2019, CVE-2019-2722, found within the virtual box software.

The talk was fascinating, although I had bit of trouble to follow, because it was extremely technical and I was already tired at that point. Anyhow, the explanation was extremely thorough and extremely useful for those who want to learn how to do this this type of activity. This is the sort of presentation that, in my opinion, has actually more value later on, when you're studying on your own how to do this specific type of research based on exploit development.

Luca has a blog, you can find it in the following references:

• https://exploiter.dev/blog
• https://exploiter.dev/blog/2023/Virtualbox-research.html
• https://nvd.nist.gov/vuln/detail/CVE-2019-2722

---

#PyJails in the Wild: Bringing CTF Challenges to the Real World

The final talk, bought by Chih-Jen Huang, was all about python and in particular two classes of vulnerabilities:

• jail escapes
• deserialization attacks

Currently I cannot find the slides of the talk, but as soon as I get them, I will post them here, because they contain useful payloads and techniques. At some point the author discussed a project he created, pickora, to convert python script into pickle bytecode.

Some references:

• https://blog.splitline.tw/
• https://github.com/splitline
• https://github.com/splitline/Pickora

---

#Conclusion

In these years of learning, my awareness on what we can do with mathematics and programming is increasing and increasing.

These subjects are so vast that it can be extremely exciting and fascinating, as well as daunting, to explore these lands. It is simply wonderful to realize what can be done with a bit of creativity and a lot of effort.