Reverse Engineering a Philips TriMedia CPU based IP camera - Part 2

Second part of a blog post series about our approach to reverse engineer a Philips TriMedia based IP camera.

more ...

Reverse Engineering a Philips TriMedia CPU based IP camera - Part 1

First part of a blog post series about our approach to reverse engineer a Philips TriMedia based IP camera.

more ...

Playing with the Windows Notification Facility (WNF)

This blogpost briefly presents the Windows Notification Facility and provides a write-up for a nice exercise that was given by Bruce Dang during his workshop at Recon Montreal 2018.

more ...

Modern Jailbreaks' Post-Exploitation

In this blog post we compare the post-exploitation process of two jailbreaks for iOS 11.1.2 : LiberiOS and Electra. We start by giving a quick refresher about jailbreaks, and then proceed with the description of their implementation.

more ...

Overview of Intel SGX - Part 2, SGX Externals

This blog post provides the reader with an overview of the Intel SGX technology, as a follow-up to SGX Internals. In this second part, we quickly explain how an application interacts with its enclave. We also detail what pieces of software are included within the SDK and PSW. Finally, we summarize the known attacks and concerns with this technology, as well as conclude on the subject.

more ...

Attacking the ARM's TrustZone

An overview of the TrustZone was given in a previous article. This second article more technically addresses the attack surface and hotspots exposed to an attacker, as well as what can be done once code execution is achieved in the different privilege levels available in TrustZone.

more ...

Overview of Intel SGX - Part 1, SGX Internals

This blog-post provides the reader with an overview of the Intel SGX technology. In this first part, we explore the additions made to Intel platforms to support SGX, focusing on the processor and memory. We then explain the management and life cycle of an enclave. Finally, we detail two features of enclaves: secret sealing and attestation.

more ...

Quarks In The Shell - Episode IV

This year has been very fruitful for Quarkslab with lots of research, new challenges, newcomers, open source success. It is now a tradition to look back at what we have done during a small conference named “Quarks in the Shell” or just "QITS", where we share the year experience with our customers, partners and friends. QITS meeting is one of the output channels for our research work that is also reflected in internal tools, our open-source projects (e.g. Triton, LIEF and QBDI), and our products (IRMA Enterprise and Epona).

more ...

Introduction to Trusted Execution Environment: ARM's TrustZone

Increasing popularity of connected devices in recent years has led devices manufacturers to deal with security issues in a more serious way than before. In order to address these issues appropriately, a specification has emerged to define a way to ensure the integrity and confidentiality of data running in the entity implementing this specification.

more ...

Reverse Engineering the Win32k Type Isolation Mitigation

Given the popularity of GDI Bitmap objects for exploitation of kernel vulnerabilities -due to the fact that almost any kind of memory corruption vulnerability (except for NULL-writes) could be used to reliably gain arbitrary R/W primitives over the kernel memory by abusing Bitmaps- Microsoft decided to kill exploitation techniques based on Bitmaps. In order to do this, Windows 10 Fall Creators Update (also known as Windows 10 1709) introduced the Type Isolation feature, an exploitation mitigation in the Win32k subsystem, which splits the memory layout of SURFACE objects, the internal representation of Bitmaps on the kernel side. This blogpost takes a deep dive into the details of how Type Isolation is implemented.

more ...