Pwnie Award winners announced at Black Hat USA 2016

On Wednesday, the winners of this year’s Pwnie Awards were announced in a ceremony following the first full day of conference briefings. Among those walking away with the My Little Pony awards in hand were Charlie Miller and Chris Valasek (Jeep hack), Tavis Ormandy (Antivirus vulnerabilities), and Peiter Zatko (.Mudge) (Lifetime Achievement).

Before the ceremony, however, a group of hacker all-stars gathered for a group photo.

And now, without further delay, here are the winners, direct from the Pwnie Award site:

Pwnie for Best Server-Side Bug

Awarded to the researchers who discovered or exploited the most
technically sophisticated and interesting server-side bug. This
includes any software that is accessible remotely without using
user interaction.


  • Cisco ASA IKEv1/IKEv2 Fragmentation Heap Buffer Overflow

    (CVE-2016-1287)

    Credit: David Barksdale, Jordan Gruskovnjak, and Alex Wheeler

    Cisco’s ASA (Ancient Security Architecture) firewalls had a
    vulnerability in their IKE fragment re-assembly that permitted
    remote unauthenticated heap memory corruption. Thanks to a
    lack of non-executable memory and ASLR protections, these
    Exodus researchers were able to turn this vulnerability into
    an epic win just as if they were exploiting a late 90’s Linux
    box. It just turns out that this late 90’s Linux box happens
    to be your firewall/NIDS/VPN/IRC Bouncer. Yay.

Pwnie for Best Client-Side Bug

Awarded to the researchers who discovered or exploited the most
technically sophisticated and interesting client-side bug.


  • glibc getaddrinfo stack-based buffer overflow

    (CVE-2015-7547)

    Credit: Fermin J. Serna

    This vulnerability was discovered when SSH kept segfaulting
    when a Google engineer tried to connect to a particular
    host. Rather than being a bug in SSH, it turned out that
    Google has ridiculously long internal hostnames that cause
    stack buffer overflows in glibc’s DNS resolution code. They
    also have some ridiculously talented security engineers who
    were able to bypass modern Linux security mitigations like
    ASLR and exploit this bug.

Pwnie for Best Privilege Escalation Bug

Awarded to the researchers who discovered or exploited the most
technically sophisticated and interesting privilege escalation
vulnerability. These vulnerabilities can include local operating
system privilege escalations, operating system sandbox escapes,
and virtual machine guest breakout vulnerabilities.


  • Widevine QSEE TrustZone Privilege Escalation

    (CVE-2015-6639)

    Credit: laginimaineb

    The best part about platforms building new layers of privilege
    with Trusted Execution Environments is that they all present
    new opportunities for wicked cool privilege escalation
    vulnerabilities. While Intel is down to somewhere around Ring
    -37, ARM-based platforms are catching up quickly. A mysterious
    porcupine slash hacker slash blogger has spent the last year
    documenting a privilege escalation chain from zero privileges
    to full dumping of FDE keys outta TrustZone. The exploitation
    of this vulnerability in the Widevine DRM-protected video
    trustlet was a work of art and it deserves a video of a round
    of applause displayed through a hardware-protected video path
    that fully protects the rights of the content owner
    end-to-end.

Pwnie for Best Cryptographic Attack (new for 2016!)

Awarded to the researchers who discovered the most impactful
cryptographic attack against real-world systems, protocols, or
algorithms. This isn’t some academic conference where we care
about theoretical minutiae in obscure algorithms, this category
requires actual pwnage.


  • SSLv2 Crypto attack

    (CVE-2016-0800)

    Credit: Nimrod Aviram, Sebastian Schinzel,
    Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke
    Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni,
    Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar,
    and Yuval Shavitt

    DROWN is the Mark Dowd Flash Exploit of crypto attacks. It is
    one of the all-time great papers not just in crypto
    exploitation, but in exploitation period.

    Start here: almost everyone working in software security knows
    that if you encrypt a message and then don’t authenticate the
    resulting ciphertext, you’ve got problems. If you encrypt with
    a block cipher in CBC mode, which is how everyone encrypted
    until like 5 minutes ago, you have a problem with a name: a
    padding oracle.

    Among all the viable crypto attacks you can pull off with a
    laptop to get a game-over serverside flaw with, there are two
    that you can count on a strong pentester to actually know
    about: hash length extension and the CBC padding oracle.

    What a lot of strong pentesters don’t know is that the padding
    oracle attack that breaks AES in CBC mode also breaks RSA. The
    attack is trickier, but not that much trickier, and when you
    pull it off you join a secret society of people who get to
    make dumb jokes based on the name “Bleichenbacher”. We have a
    Slack!

    So, DROWN exploits the Bleichenbacher RSA padding oracle
    against TLS. Easy peasy, lemon squeezy, right?

    Wrong. There is neither pease nor squeeze to be found anywhere
    in DROWN.

    To start with: the Bleichenbacher oracle doesn’t work against
    SSL 3.0 or TLS. And SSL 3.0 or TLS is what everyone uses. But
    DROWN still works. Why?

    Because people still have SSL 2.0 servers stood up on the
    Internet. They don’t use them. They’re not even aware that
    they’re there. But they are, and because people are lazy, they
    have the same certificates and keys installed as the TLS
    servers do. DROWN takes advantage of that: it’s a
    cross-protocol attack.

    In the DROWN attack, attackers start a handshake with a TLS
    server, and then quickly shuttle the victim’s TLS messages to
    an SSL 2 server. SSL 2 is vulnerable to RSA oracles, and
    can be used as a cross-protocol oracle.

    But wait: there’s more. SSL 2.0 is not the same protocol as
    TLS. It can’t do anything with TLS ciphertexts. But there’s an
    extension to the RSA padding oracle attack that takes
    advantage of RSA malleability. The same malleability that
    allows attackers to do the number-theoretic equivalent of
    flipping bits in a CBC ciphertext also allows attackers to
    *tune* their corrupted TLS RSA ciphertexts.

    The DROWN attack takes advantage of an optimization Bardou
    used for fast padding oracle attacks against embedded hardware
    to adapt TLS messages to SSL 2.0, and then use SSL 2.0’s
    vulnerability to padding oracles to decrypt them.

    It’s among the coolest attack papers I’ve ever read. Let’s
    pretend, just for this one Pwnies event, that it had better
    branding than Badlock.

Pwnie for Best Backdoor (new for 2016!)

Awarded to the researchers who introduced or discovered the most
subtle, technically sophisticated, or impactful backdoor in widely
used software, protocols, or algorithms.


  • Juniper ScreenOS: 哈哈哈哈哈哈
    (CVE-2015-7755 & CVE-2015-7756)

    Credit: Chinese Information Operations and Information Warfare Center

    Although many vendors intentionally backdoor their products,
    because they hate their users, some companies have to rely on
    the cyberwarfare divisions of global powers to do so. In late
    2015, Juniper issued an advisory claiming that “unauthorized”
    code in the Netscreen operating system had been active for the
    last few years. Netscreen firewalls are externally exposed by
    their very nature and it wasn’t long before two sets of issues
    were uncovered.

    In a nod to grunge 90s, an SSH backdoor was added that allowed
    anyone (mostly China) to log in to a Netscreen device over SSH
    using a hardcoded backdoor. The security firms who published
    the details did so knowing that far too many sysadmins were
    stuck at their in-laws over the December holidays and looking
    for any excuse to spend some quality time in a dark room by
    themselves.

    The second issue was far more interesting. In an attempt to
    make all of the privacy crazies^W^W crypto activists feel
    better about themselves, the Dual_EC RNG constant hardcoded
    into the Netscreen firmware was changed from one mysterious
    constant to another. Juniper hasn’t clarified whether the
    first constant was a backdoor as well, but it is safe to
    assume that the entire Netscreen platform should be gently
    lowered into a volcano at this point.

    Eight months later, not much is publicly known about how these
    backdoors were added, or which Juniper developer has a storage
    unit full of Chinese tiger penis wine as a result.

Pwnie for Best Junk or Stunt Hack (new for 2016!)

Awarded to the researchers, their PR team, and participating
journalists for the best, most high-profile, and fear-inducing
public spectacle that resulted in the most panic-stricken phone
calls from our less-technical friends and family members. Bonus
points for it being a needlessly sophisticated attack against a
needlessly Internet-enabled “Thing.”


  • Remotely Killing a Jeep on the Highway

    Credit: Charlie Miller and Chris Valasek

    They may not have been the first first, but in our
    not-so-biased opinion, Charlie and Chris wore it best. The car
    hacking papers from researchers at UCSD and UW just lacked
    sufficient… Andy Greenberg freaking out.

    This high-profile demo caused Chrysler to recall 1.4M vehicles
    in order to address the vulnerabilities that Charlie and Chris
    identified. More importantly, it demonstrated to the entire
    industry how expensive not properly securing smart vehicles’
    systems could be and that proper software security programs
    just might be a good idea.

Pwnie for Best Branding

Sometimes the most important part of security research is how you
market and sell the vulnerability you discovered. Who cares how
impactful the actual vulnerability is, what matters is how sweet
your logo turns out!


  • Mousejack wireless keystroke injection bug

    Credit: Marc Newlin, Bastille’s Threat Research Team

    This team didn’t stop at the named vulnerability or the
    prostyle logo, they produced a 3 minute video outlining the
    threat of this issue. The video looks impressive including
    slow motion hacker walking and on screen typing. The voice
    over, pimping the Bastille team, is not as impressive.
    Basically, if you can get close to a target that is using a
    non-bluetooth wireless keyboard or mouse, and not have the
    victim look at their screen, you’re golden. The movie
    highlights a victim on the phone but unaware of his computer
    screen while another victim leaves for coffee. Oscar award
    winning performances all around. This came in with a CVSS
    score of 2.9 which is about the same as not using a password
    manager.

Pwnie for Epic Achievement (new for 2016!)

Awarded to the researchers, attackers, defenders, executives,
journalists, nobodies, randos, or trolls for pulling off something
so truly epic that we couldn’t possibly have predicted it by
creating an award category that did it justice.

Pwnie for Most Innovative Research

Awarded to the person who published the most interesting and
innovative research in the form of a paper, presentation, tool or
even a mailing list post.


  • Dedup Est Machina: Memory Deduplication as an Advanced Exploitation Vector

    Credit: Erik Bosman, Kaveh Razavi, Herbert Bos, Cristiano Giuffrida

    Memory deduplication, a well-known technique to reduce the
    memory footprint across virtual machines, is now also a
    default-on feature inside the Windows 8.1 and Windows 10
    operating systems. Deduplication maps multiple identical
    copies of a physical page onto a single shared copy with
    copy-on-write semantics. As a result, a write to such a shared
    page triggers a page fault and is thus measurably slower than
    a write to a normal page. Prior work has shown that an
    attacker able to craft pages on the target system can use this
    timing difference as a simple single-bit side channel to
    discover that certain pages exist in the system.

    In this paper, we demonstrate that the deduplication side
    channel is much more powerful than previously assumed,
    potentially providing an attacker with a weird machine to read
    arbitrary data in the system. We first show that an attacker
    controlling the alignment and reuse of data in memory is able
    to perform byte-by-byte disclosure of sensitive data (such as
    randomized 64 bit pointers). Next, even without control over
    data alignment or reuse, we show that an attacker can still
    disclose high-entropy randomized pointers using a birthday
    attack. To show these primitives are practical, we present an
    end-to-end JavaScript-based attack against the new Microsoft
    Edge browser, in absence of software bugs and with all
    defenses turned on. Our attack combines our deduplication-based
    primitives with a reliable Rowhammer exploit to gain arbitrary
    memory read and write access in the browser.

    We conclude by extending our JavaScript-based attack to
    cross-process system-wide exploitation (using the popular
    nginx web server as an example) and discussing mitigation
    strategies.

Pwnie for Lamest Vendor Response

Awarded to the vendor who mis-handled a security
vulnerability most spectacularly.

  • “WD MyPassword Drive”

    Credit: Western Digital

    Western Digital is no stranger to redundancy in the context of data
    integrity, and they’re not cutting any corners in applying those lessons
    to their cryptographic failures. Their firmware is rich with layers of
    keys resting adjacent to ciphertext, like a matryoshka doll of plaintext
    surprises. The most impressive part is that you don’t need to be a
    firmware extraction connoisseur to benefit from the rewards of their
    abundant “data recovery” options; take comfort in knowing that the
    keys themselves are actually just redundant copies of a 32bit rand()
    value repeated over and over, making the keys impossible to lose!

    In response, the good folks at WD “continue to evaluate the observations”,
    possibly the most indecipherable output they’ve ever produced.

Pwnie for Most Over-hyped Bug

Awarded to the person who discovered a bug resulting in the most
hype on the Internets and in the traditional media. Extra points
for bugs that turn out to be impossible to exploit in practice.


  • Badlock

    (CVE-2016-0128)

    Credit: Stefan Metzmacher

    Countdown timer, logo, website, and excessive Twitter/media
    hype all for a Denial of Service bug.

Pwnie for Best Song

What kind of awards ceremony does not have an award for best
song?

  • “Cyberlier”

    Katie Moussouris

    This cover of Sia’s “Chandelier” was the keynote of Kiwicon 2015, where
    it was combined with interpretive dance to artistically summarize the deep
    geopolitical tensions surrounding cyberwar, attribution, and the Wassenaar
    Arrangement (maybe?).

Pwnie for Most Epic FAIL

Sometimes giving 110% just makes your FAIL that much more epic. And
what use would the Internet be if it wasn’t there to document this FAIL for
all time? This award is to honor a person or company’s spectacularly epic
FAIL.

It turned out that 2015-2016 was the first year that everyone
everywhere won at security all year round. Either that or the
Internet didn’t give us enough good nominations for this
category. It’s most probably the first one, though.

Lifetime Achievement Award

Most hackers have the personality of a supermodel who does
discrete mathematics for fun. Like mathematicians, hackers get off
on solving very obscure and difficult to even explain
problems. Like models, hackers wear a lot of black, think they are
more famous than they are, and their career effectively ends at
age 30. Either way, upon entering one’s third decade, it is time
to put down the disassembler and consider a relaxing job in
management.

  • Mudge

    Peiter C. Zatko, one time L0pht frontman and author of
    fundamental hacking tools including L0phtcrack is a long-time
    vulnerability research educator and influencer. He is well
    known for leading L0pht’s 1998 senate testimony about the end
    of the world as we know it, which ended up with the US Govt
    trusting this hacker enough to allow him to control DARPA’s
    cyber security program. Like most security researchers Mudge
    also did his time at Google, but has since returned to the
    beltway to help establish a cyber consumer reports magazine
    service, apparently by request of the White House.

Pwnie for Epic 0wnage

0wnage, measured in owws, can be delivered in mass quantities to a
single organization or distributed across the wider Internet
population. The Epic 0wnage award goes to the hackers responsible
for delivering the most damaging, widely publicized, or hilarious
0wnage. This award can also be awarded to the researcher
responsible for disclosing the vulnerability or exploit that
resulted in delivering the most owws across the Internet.


  • The Juniper Backdoor

    Credit: Some Bad Ass Motherfuckers

    Backdooring cryptographic routines makes them fragile,
    especially when you are trying to hide said backdoor as a neat
    coincidence between leaking a lot of key data, failing to use
    the normal default Q value, and just generally sucking at
    security engineering. We’re not saying Juniper was backdoored
    to start with, we’re just saying, hey, what a neat
    coincidence, and we respect the amount of work that went
    into that coincidence.

    And the genius of the hackers who REBACKDOORED the backdoor is
    that all they had to do is change one simple number, the fake
    Q number, and nobody even noticed, because “Hey, we can’t
    decrypt that stream? Whatever. More where that came from.” is
    the standard SIGINT response.

    Then later, they added an admin/password backdoor, just in
    case they didn’t have passive collection around a site, and
    wanted to get more active access.

    Hats off to you, unknown (Russian) hackers.

    There’s no CVE for this issue because CVE is dead.