When SideChannelMarvels meet LIEF

On how we used LIEF to lift an Android x86_64 library to Linux to perform our usual white-box attacks on it.

more ...

Android Bluetooth Vulnerabilities in the March 2018 Security Bulletin

The March 2018 Android Security Bulletin includes fixes for 10 vulnerabilities in its Bluetooth stack, some of which were also independently discovered by Quarkslab, but were fixed while we were in the process of reporting them to Google (spoiler alert: we have reported a few more new Bluetooth vulnerabilities to the Android team — we'll disclose the details after they get fixed). This blogpost shows technical details for a couple of these fixed bugs, which can be triggered remotely and without any user interaction, as well as proof-of-concept code for them.

more ...

Flash Dumping - Part II

Second part of a blog post series about our approach to dump a flash chip. In this article we describe how to restore functionality of a device with a flexible setup.

more ...

Frozen - zero cost initialization for immutable containers and various algorithms

A new version of Frozen, an open source, header-only library that provides fast, immutable, constexpr-compatible implementation of std::search, std::set, std::map, std::unordered_map and std::unordered_set to C++14 users. That's a follow up to the previous post !

more ...

Reverse Engineering the Win32k Type Isolation Mitigation

Given the popularity of GDI Bitmap objects for exploitation of kernel vulnerabilities -due to the fact that almost any kind of memory corruption vulnerability (except for NULL-writes) could be used to reliably gain arbitrary R/W primitives over the kernel memory by abusing Bitmaps- Microsoft decided to kill exploitation techniques based on Bitmaps. In order to do this, Windows 10 Fall Creators Update (also known as Windows 10 1709) introduced the Type Isolation feature, an exploitation mitigation in the Win32k subsystem, which splits the memory layout of SURFACE objects, the internal representation of Bitmaps on the kernel side. This blogpost takes a deep dive into the details of how Type Isolation is implemented.

more ...

Slaying Dragons with QBDI

This article aims to present a simple use of our Dynamic Binary Instrumentation framework QBDI which has recently been publicly released following a talk at 34C3. We will resolve, step by step, a CTF challenge by analyzing an obfuscated binary using QBDI, thus showcasing some of the nice features it offers. This blog post was written last year during my internship at Quarkslab, where I discovered the wonderful (but not so simple) world of Dynamic Binary Instrumentation.

more ...

Spectre is not a Bug, it is a Feature

What happens if one builds up on the Spectre vulnerability to implement a convoluted version of memcpy? From an obfuscator point-of-view, it unleashes a wide range of opportunities, which turn a definite bug into a fun[nk]y feature.

more ...

Have fun with LIEF and Executable Formats

This blog post introduces new features of LIEF as well as some uses cases.

more ...

Internship offers at Quarkslab for the 2017-2018 season

Quarkslab's new internships season is open! Like every year, we are looking for adventurous, motivated and courageous students, impatient to test their skills against real-life research and engineering problems. The topics we propose cover various aspects of the security field, and they all have in common being highly technical, complex and challenging. Be prepared to work hard for your own enjoyment: the satisfaction when overcoming such difficulties is priceless. As an intern, you will work among the amazing Qb crew, whose humour is also priceless.

All internships will take place in our main office in Paris, France. If you are coming from abroad, you will need a proper visa to be with us. At Quarkslab, we encourage remote working, but that does not apply to internships.

Last but not least, we usually train Padawans so that they remain with us once the training period is done, even if that does not mean the training is over :)

more ...

Reverse engineering of the Nitro OBD2

This blog post presents the reverse engineering of an OBD2 dongle called "Nitro OBD2". It is advertised like this: "NitroOBD2 is a Chip Tuning Box which can be plugged into OBD2 connector of your car to increase the performance of your car." There are a lot of testimonies on the internet about this device being a fake, while other people say that is is really working. We wanted to reverse engineer it to check by ourselves.

more ...