Binbloom blooms: introducing v2

In this blogpost we present our brand new version of binbloom, a tool to find the base address of any 32 and 64-bit architecture firmware, and dig into the new method we designed to recover this grail on both of these architectures.

more ...

A virtual journey: From hardware virtualization to Hyper-V's Virtual Trust Levels

A step by step approach to reverse engineer Hyper-V and have a low level insight into Virtual Trust Levels.

more ...

Guided tour inside WinDefender’s network inspection driver

This article describes how Windows Defender implements its network inspection feature inside the kernel through the use of WFP (Windows Filtering Platform), how the device object’s security descriptor protects it from being exposed to potential vulnerabilities and details some bugs I found. As a complement to this post, a small utility is released to test the different bugs.

more ...

How the MSVC Compiler Generates XFG Function Prototype Hashes

Microsoft is currently working on Xtended Flow Guard (XFG), an evolved version of Control Flow Guard (CFG), their own control flow integrity implementation. XFG works by restricting indirect control flow transfers based on type-based hashes of function prototypes. This blog post is a deep dive into how the MSVC compiler generates those XFG function prototype hashes.

more ...

A Deep Dive Into Samsung's TrustZone (Part 3)

This third article from the Samsung's TrustZone series details some vulnerabilities that were found and how they were exploited to obtain code execution in EL3.

more ...

CVE-2020-0069: Autopsy of the Most Stable MediaTek Rootkit

In March 2020, Google patched a critical vulnerability affecting many MediaTek based devices. This vulnerability had been known by MediaTek since April 2019, and later exploited in the wild! In this post, we give some details about this vulnerability and see how we can use it to achieve kernel memory reads and writes.

more ...

A Deep Dive Into Samsung's TrustZone (Part 2)

In this second blog post of our series on Samsung's TrustZone, we present the various tools that we have developed during our research to help us reverse engineer and exploit Trusted Applications as well as Secure Drivers.

more ...

A Deep Dive Into Samsung's TrustZone (Part 1)

In this first article of a series of three, we will give a tour of the different components of Samsung's TrustZone, explain how they work and how they interact with each other.

more ...

Analysis of Qualcomm Secure Boot Chains

Qualcomm is the market-dominant hardware vendor for non-Apple smartphones. Considering the [SoCs] they produce are predominant, it has become increasingly interesting to reverse-engineer and take over their boot chain in order to get a hold onto the highest-privileged components while they are executing. Ultimately, the objective is to be able to experiment with closed-source and/or undocumented components such as hardware registers or Trusted Execution Environment Software.

more ...

Reverse-engineering Broadcom wireless chipsets

Broadcom is one of the major vendors of wireless devices worldwide. Since these chips are so widespread they constitute a high value target to attackers and any vulnerability found in them should be considered to pose high risk. In this blog post I provide an account of my internship at Quarkslab which included obtaining, reversing and fuzzing the firmware, and finding a few new vulnerabilities.

more ...