Analysis of MS16-104: .URL files Security Feature Bypass (CVE-2016-3353)

On September 13th, 2016 Microsoft released security bulletin MS16-104 , which addresses several vulnerabilities affecting Internet Explorer. One of those vulnerabilities is CVE-2016-3353, a security feature bypass bug in the way .URL files are handled. This security issue does not allow for remote code execution by itself; instead, it allows attackers to bypass a security warning in attacks involving user interaction. In this blogpost we discuss the whole process, from reverse engineering the patch to building a Proof-of-Concept for this vulnerability.

more ...

Global Dead Code Elimination for LLVM, revisited

While building an LLVM-based obfuscator, we explore some unexpected code areas. For instance, what happens when you try to optimize a single function that holds millions of instructions? Some LLVM passes start to suffer, including an unexpected one: Global Dead Code Elimination. Let's investigate!

more ...

Differential Fault Analysis on White-box AES Implementations

With the Differential Computation Analysis (DCA) presented at CHES 2016, we have shown that side-channel techniques developed to break hardware cryptographic implementations can be adapted successfully to break white-box implementations. In this post, we will explore another class of hardware attacks: fault injections and how to apply them on white-box implementations.

more ...

CVE-2016-7259: An empty file into the blue

A binary analysis of CVE-2016-7259: A win32k kernel bug.

more ...

Internship offers at Quarkslab for the 2016-2017 season

EDIT: All positions are filled

Every year, we are looking for young and adventurous students, with promising skills, eager to dig deeper into the field of security through its more technical side. The topics we propose are complex, challenging and will require a lot of efforts and sweat. But in the end, you will get the satisfaction to have learned a lot about security. All this without emphasizing enough the opportunity to work with the sometimes weird but always amazing Qb crew, especially when it comes to humour or training a Padawan.

All trainings are to be done in our main office in Paris, France. We encourage remote working, but that does not apply to trainings where the Padawans need to be among the team. That means the applier will need to have the proper visa to work with us if required.

Last but not least, we usually train Padawans so that they remain with us once the training period is done, even if that does not mean the training is over :)

more ...

No Tears, No Fears

Cappsule was released a few weeks ago and we're happy of the positive attention received. However, relying on a custom hypervisor make its usage quite difficult across various distros. This blogpost explains how the same goals can be achieved on Linux with usual software. Impatient readers can directly checkout NoFear's GitHub.

more ...

Security Assessment of VeraCrypt: fixes and evolutions from TrueCrypt

Quarkslab made a security assessment of VeraCrypt 1.18. The audit was funded by OSTIF and was performed by two Quarkslab engineers between Aug. 16 and Sep. 14, 2016 for a total of 32 man-days of study. A critical vulnerability, related to cryptography, has been identified. It has been introduced in version 1.18, and will be fixed in version 1.19.

more ...

Back from CppCon 2016

Quarkslab was present at CppCon 2016, presenting general thoughts on the C++ optimization process and how much the so-called zero-cost abstraction relied on the compiler implementation, and not on the standard. Now comes a humble report from this great event!

more ...

On the fly virtualization with Cappsule

At Quarkslab, we don't only break software and exploit vulnerabilities, we also try to create innovative and efficient solutions to counter them. Cappsule is one of those solutions.

more ...

Arybo: cleaning obfuscation by playing with mixed boolean and arithmetic operations

Obfuscation is made of many different tricks. One we meet very often is mixed instructions who make computations mixing usual arithmetic (ADD, SUB, MUL, DIV) and boolean one (XOR, AND, NOT, OR). All tools get lost when it comes to cleaning this kind of very messy blocks of instructions, and that is why we designed Arybo. With Arybo, analyzing such expressions become way more easy.

more ...