Quarks In The Shell - Episode IV

This year has been very fruitfull for Quarkslab with lot of research, new challenges, newcomers, open source success. It is now a tradition to look back at what we have done during a small conference named “Quarks in the Shell” or just "QITS", where we share the year experience with our customers, partners and friends. QITS meeting is one of the output channels for our research work that is also reflected in internal tools, our open-source projects (e.g. Triton, LIEF and QDBI), and our products (IRMA Enterprise and Epona).

more ...

Introduction to Trusted Execution Environment: ARM's TrustZone

Increasing popularity of connected devices in recent years has led devices manufacturers to deal with security issues in a more serious way than before. In order to address these issues appropriately, a specification has emerged to define a way to ensure the integrity and confidentiality of data running in the entity implementing this specification.

more ...

LIEF 0.9

This blog post introduces major changes in LIEF 0.9 as well as work in progress features that will be integrated in further releases. Changelog is available here.

more ...

When SideChannelMarvels meet LIEF

On how we used LIEF to lift an Android x86_64 library to Linux to perform our usual white-box attacks on it.

more ...

Android Bluetooth Vulnerabilities in the March 2018 Security Bulletin

The March 2018 Android Security Bulletin includes fixes for 10 vulnerabilities in its Bluetooth stack, some of which were also independently discovered by Quarkslab, but were fixed while we were in the process of reporting them to Google (spoiler alert: we have reported a few more new Bluetooth vulnerabilities to the Android team — we'll disclose the details after they get fixed). This blogpost shows technical details for a couple of these fixed bugs, which can be triggered remotely and without any user interaction, as well as proof-of-concept code for them.

more ...

Flash Dumping - Part II

Second part of a blog post series about our approach to dump a flash chip. In this article we describe how to restore functionality of a device with a flexible setup.

more ...

Frozen - zero cost initialization for immutable containers and various algorithms

A new version of Frozen, an open source, header-only library that provides fast, immutable, constexpr-compatible implementation of std::search, std::set, std::map, std::unordered_map and std::unordered_set to C++14 users. That's a follow up to the previous post !

more ...

Reverse Engineering the Win32k Type Isolation Mitigation

Given the popularity of GDI Bitmap objects for exploitation of kernel vulnerabilities -due to the fact that almost any kind of memory corruption vulnerability (except for NULL-writes) could be used to reliably gain arbitrary R/W primitives over the kernel memory by abusing Bitmaps- Microsoft decided to kill exploitation techniques based on Bitmaps. In order to do this, Windows 10 Fall Creators Update (also known as Windows 10 1709) introduced the Type Isolation feature, an exploitation mitigation in the Win32k subsystem, which splits the memory layout of SURFACE objects, the internal representation of Bitmaps on the kernel side. This blogpost takes a deep dive into the details of how Type Isolation is implemented.

more ...

Slaying Dragons with QBDI

This article aims to present a simple use of our Dynamic Binary Instrumentation framework QBDI which has recently been publicly released following a talk at 34C3. We will resolve, step by step, a CTF challenge by analyzing an obfuscated binary using QBDI, thus showcasing some of the nice features it offers. This blog post was written last year during my internship at Quarkslab, where I discovered the wonderful (but not so simple) world of Dynamic Binary Instrumentation.

more ...

Spectre is not a Bug, it is a Feature

What happens if one builds up on the Spectre vulnerability to implement a convoluted version of memcpy? From an obfuscator point-of-view, it unleashes a wide range of opportunities, which turn a definite bug into a fun[nk]y feature.

more ...