WEBVTT 1 00:00:00.040 --> 00:00:03.279 Hey everyone, and welcome back. Yeah, welcome back to another 2 00:00:03.399 --> 00:00:04.040 deep dive. 3 00:00:04.240 --> 00:00:05.240 It's a deep dive. 4 00:00:05.360 --> 00:00:07.440 You ready to get our hands dirty with some Oh 5 00:00:07.559 --> 00:00:10.599 yeah absolutely or p ORC or GTFO volume three. 6 00:00:10.759 --> 00:00:12.240 Yeah, digging right back in all right. 7 00:00:12.279 --> 00:00:15.240 So just a reminder for listeners just joining us for 8 00:00:15.279 --> 00:00:18.399 the first time, right, p WORC or GTFO Volume three 9 00:00:19.000 --> 00:00:19.600 is a book. 10 00:00:20.000 --> 00:00:22.320 It is a book, a real book. You can hold it. 11 00:00:22.320 --> 00:00:22.960 It's fantastic. 12 00:00:23.039 --> 00:00:23.199 Yeah. 13 00:00:23.239 --> 00:00:28.120 It's a collection of various security research and kind of 14 00:00:28.359 --> 00:00:32.200 proofs of concept, absolutely, and different kind of just deep 15 00:00:32.280 --> 00:00:35.439 dives into various aspects of security. 16 00:00:34.960 --> 00:00:36.159 Yep, and some hardware hacking. 17 00:00:36.320 --> 00:00:38.520 Yeah, hard we're hacking all sorts of things. 18 00:00:38.600 --> 00:00:40.840 Yeah, it's a really cool collection, really cool. Yeah. 19 00:00:40.920 --> 00:00:42.560 So we're going to kind of jump around to different 20 00:00:42.640 --> 00:00:45.840 sections from the book that that were really interesting. So 21 00:00:45.880 --> 00:00:47.880 you get a little sampler platter, Yeah. 22 00:00:47.719 --> 00:00:49.479 A little taste of everything. 23 00:00:49.399 --> 00:00:51.560 Hopefully to entice you to go check out the book 24 00:00:51.560 --> 00:00:52.079 for yourself. 25 00:00:52.159 --> 00:00:54.640 Yeah. Okay, so let's jump in. 26 00:00:54.759 --> 00:00:57.399 Let's jump right in. Yeah. First one we have is 27 00:00:57.880 --> 00:01:00.159 this one was interesting to me just because. 28 00:01:00.159 --> 00:01:04.159 That the target was so unexpected, unexpected, unexpected. Yeah, a 29 00:01:04.239 --> 00:01:04.959 children's toy. 30 00:01:05.319 --> 00:01:06.400 Yeah, who would have thought? 31 00:01:06.760 --> 00:01:10.120 So we have the uh, it's the Pokemon z Ring, 32 00:01:10.200 --> 00:01:10.599 that's right. 33 00:01:10.920 --> 00:01:14.519 And this is security researcher named Vicky Fou who actually 34 00:01:14.879 --> 00:01:17.040 decided to look into this and to break it, to 35 00:01:17.079 --> 00:01:19.480 break it, figure out how it worked, and. 36 00:01:19.519 --> 00:01:20.280 See what's going on. 37 00:01:20.480 --> 00:01:22.799 So what's interesting about the z ring is it uses 38 00:01:23.000 --> 00:01:25.760 ultrasonic frequencies which. 39 00:01:25.920 --> 00:01:28.480 Most people can't hear. Yeah, you and I probably can't hear. 40 00:01:28.560 --> 00:01:30.519 Yeah, we're getting old, I know, I know. 41 00:01:32.799 --> 00:01:36.359 And so she had to actually use a special equipment 42 00:01:36.560 --> 00:01:40.480 like in acilloscope to be able to see these sound waves. 43 00:01:40.159 --> 00:01:42.000 In an emulator to run the game and. 44 00:01:41.920 --> 00:01:44.519 An emulator, and so that she could really cool Yeah 45 00:01:44.560 --> 00:01:44.920 she could. 46 00:01:45.040 --> 00:01:47.280 I mean, it's just amazing to me. She went to 47 00:01:47.319 --> 00:01:50.840 these lengths to figure this out, but it paid off 48 00:01:50.959 --> 00:01:52.799 because she discovered some really interesting stuff. 49 00:01:53.280 --> 00:01:55.439 Yeah. So I guess kind of the first question. 50 00:01:55.280 --> 00:01:57.799 Like why why go to all this trouble for right? 51 00:01:58.200 --> 00:01:59.959 Right? Why break a kid's. 52 00:01:59.799 --> 00:02:03.000 To a children's toy? Yeah? What I think the you know, 53 00:02:03.040 --> 00:02:05.680 the answer is the same for a lot of security researchers. 54 00:02:05.680 --> 00:02:07.519 Curiosity. That's what drives a lot of this. 55 00:02:07.840 --> 00:02:10.159 It's just that curiosity of how does this thing work? 56 00:02:10.400 --> 00:02:12.159 Yeah? How does it work. What are its secrets? 57 00:02:12.319 --> 00:02:13.360 Yeah, what are its secrets? 58 00:02:13.439 --> 00:02:16.159 Can I control it? Can I make it do something 59 00:02:16.199 --> 00:02:17.639 it wasn't intended to do? 60 00:02:17.840 --> 00:02:20.240 Exactly? So I think for her it was kind of 61 00:02:20.240 --> 00:02:23.199 a personal challenge of like, yeah, okay, this thing uses sound. 62 00:02:23.560 --> 00:02:26.120 I want to figure out what sounds, what a secret 63 00:02:26.159 --> 00:02:28.639 sound it's using, and how it's doing. 64 00:02:28.400 --> 00:02:30.400 That, and how can I use those sound Yeah, kind 65 00:02:30.400 --> 00:02:33.599 of replicate that to do something else, right, exactly. 66 00:02:33.240 --> 00:02:33.840 So pretty cool. 67 00:02:33.919 --> 00:02:34.400 It is cool. 68 00:02:34.599 --> 00:02:38.400 Okay, So moving on to another one that I thought 69 00:02:38.520 --> 00:02:41.240 was really interesting and a little mind bending. 70 00:02:41.360 --> 00:02:42.639 This one's a little more technical. 71 00:02:42.960 --> 00:02:47.719 Yeah it is. This is the flush plus reload side 72 00:02:47.800 --> 00:02:48.759 channel attack. 73 00:02:48.919 --> 00:02:49.400 Wow. 74 00:02:49.520 --> 00:02:53.680 Yeah, So side channel attacks in general are just fascinating. 75 00:02:53.759 --> 00:02:55.280 Yeah, side channel attacks because. 76 00:02:55.120 --> 00:02:57.080 They're not what you think about when you think about 77 00:02:57.159 --> 00:02:58.039 like typical hacking. 78 00:02:58.240 --> 00:03:01.159 Right, it's not not like breaking You're not like breaking 79 00:03:01.199 --> 00:03:02.319 down the door, right. 80 00:03:02.159 --> 00:03:05.039 You're not brute forcing a password. Yeah, you're kind of 81 00:03:05.120 --> 00:03:08.800 like looking for these like subtle little hints that the 82 00:03:08.840 --> 00:03:10.120 system's giving off. 83 00:03:10.280 --> 00:03:11.599 Yeah, it's like eavesdropping. 84 00:03:11.719 --> 00:03:14.919 It is eavesdropping, rather than that's like the spycraft of hacking. 85 00:03:15.039 --> 00:03:16.759 Yeah exactly. That's really cool. 86 00:03:16.840 --> 00:03:23.439 So the flesh plus reload attack. Specifically, it kind of 87 00:03:23.479 --> 00:03:27.719 exploits the way that modern CPUs use this shared memory 88 00:03:27.719 --> 00:03:31.560 space called the L three cash. Yes, And so the idea. 89 00:03:31.400 --> 00:03:34.800 Is, so all the programs on your computer are sharing 90 00:03:34.840 --> 00:03:38.080 the space and accessing it to store data that they're 91 00:03:38.199 --> 00:03:42.039 using frequently. So it's like a common area. 92 00:03:42.120 --> 00:03:44.680 Yeah, like a whiteboard that everyone can exactly. 93 00:03:44.360 --> 00:03:48.719 It's like a whiteboard. And so what the attacker can 94 00:03:48.759 --> 00:03:52.039 do is they can basically flush a certain piece of 95 00:03:52.120 --> 00:03:53.280 memory from the cash. 96 00:03:53.080 --> 00:03:54.840 Force it out of the cash, Yeah, force it out. 97 00:03:54.879 --> 00:03:56.639 So it's like a racing part of the whiteboard. 98 00:03:56.719 --> 00:03:58.879 Yeah, raising part of the whiteboard, and then time how 99 00:03:58.919 --> 00:04:00.000 long it takes. 100 00:04:00.039 --> 00:04:02.120 And then see how long it takes for somebody else 101 00:04:02.159 --> 00:04:03.560 to write in that same spot. 102 00:04:04.439 --> 00:04:07.240 Yeah, for another process to write to that, Because. 103 00:04:06.960 --> 00:04:11.039 If the victim process was using that data recently, yeah, 104 00:04:11.120 --> 00:04:12.879 it's going to reload it back into the cash and 105 00:04:12.919 --> 00:04:14.800 it's going to be faster, and that's going to be faster. 106 00:04:15.080 --> 00:04:17.720 And so by timing how long that takes. 107 00:04:17.639 --> 00:04:20.519 You can infer it. You can infer what the victim 108 00:04:20.560 --> 00:04:21.759 process was doing. 109 00:04:21.600 --> 00:04:25.399 Yeah, what data they were accessing. That's crazy, it is crazy. 110 00:04:25.439 --> 00:04:27.839 It's like, so you can still data. 111 00:04:27.759 --> 00:04:30.519 Without even without directly accessing. 112 00:04:30.000 --> 00:04:31.560 It, directly accessing memory. 113 00:04:31.639 --> 00:04:34.240 Yeah, you're just watching. It's just like you're just watching 114 00:04:34.920 --> 00:04:36.560 what's happening in this shared space. 115 00:04:36.639 --> 00:04:38.879 You're watching the patterns of access. 116 00:04:38.600 --> 00:04:40.720 Exactly and inferring information from that. 117 00:04:41.120 --> 00:04:42.920 Yeah, that's so cool. 118 00:04:43.279 --> 00:04:45.040 It is cool, but also kind of scary. 119 00:04:45.120 --> 00:04:46.920 Well, yeah, a little bit scary because. 120 00:04:46.720 --> 00:04:50.360 It means that our systems are leaking information in ways 121 00:04:50.399 --> 00:04:52.079 that you don't even realize. 122 00:04:52.319 --> 00:04:55.839 Yeah, and that it's not just about like securing the 123 00:04:55.959 --> 00:04:58.079 memory itself. It's about securing. 124 00:04:57.720 --> 00:05:01.839 Like goal systems, way everything interacts, weigh everything in act, 125 00:05:02.240 --> 00:05:04.959 timing the patterns, all that stuff. That's right, Okay, it's 126 00:05:04.959 --> 00:05:06.120 a whole new level of security. 127 00:05:06.160 --> 00:05:09.040 All right. So now we're gonna jump way back in time, 128 00:05:09.160 --> 00:05:12.600 way back to the retro days, the retro days of 129 00:05:12.839 --> 00:05:13.439 the Apple two. 130 00:05:13.800 --> 00:05:18.759 Ah, the Apple two classic classic, legendary machine. 131 00:05:18.480 --> 00:05:22.199 Legendary machine. And we have a story here about a 132 00:05:22.240 --> 00:05:27.560 group of uh, some dedicated hackers, hackers that wanted to 133 00:05:27.680 --> 00:05:29.360 crack a particular game. 134 00:05:30.040 --> 00:05:32.959 They did. They wanted to play it for free, gumble Gumball, 135 00:05:33.240 --> 00:05:34.279 a classic game. 136 00:05:34.439 --> 00:05:38.160 It was not easy, it was those days. 137 00:05:39.079 --> 00:05:41.399 Yeah, they didn't have the tools and the Internet that 138 00:05:41.439 --> 00:05:42.120 we have today. 139 00:05:42.920 --> 00:05:45.439 Right, they couldn't just they couldn't just google how to 140 00:05:45.480 --> 00:05:46.360 do it? Google it? 141 00:05:46.480 --> 00:05:46.600 Yea. 142 00:05:47.199 --> 00:05:49.199 So they had figured out themselves. 143 00:05:49.360 --> 00:05:51.959 So what made Gumball so hard? 144 00:05:52.680 --> 00:05:56.000 Well, the Apple two itself was a limited machine, had 145 00:05:56.040 --> 00:05:59.720 a very simple processor, not a lot of memory, right, 146 00:06:00.040 --> 00:06:02.079 so you have to be really clever to do anything 147 00:06:02.079 --> 00:06:02.920 interesting with it. 148 00:06:03.160 --> 00:06:07.120 So they had to really understand the system. Oh yeah, 149 00:06:07.160 --> 00:06:08.360 at a very low level. 150 00:06:08.399 --> 00:06:10.639 Intimately, you had to know it inside and out. 151 00:06:11.000 --> 00:06:14.360 So these two researchers, yeah, for Aim and Peter Ferry 152 00:06:14.560 --> 00:06:18.519 legends really just kind of like, yeah, painstakingly went through 153 00:06:18.519 --> 00:06:19.199 the code. 154 00:06:19.120 --> 00:06:21.879 Line by line, Yeah, trying to figure out how the 155 00:06:21.920 --> 00:06:24.480 protection worked. Yeah, they had to kind of learn the 156 00:06:24.560 --> 00:06:27.439 secret language of the game, the game's secret link. 157 00:06:27.639 --> 00:06:30.040 Yeah, it's like being a code breaker, you know, exactly 158 00:06:30.199 --> 00:06:32.480 back in the war. It's that kind of You've got 159 00:06:32.959 --> 00:06:35.800 this encrypted message, you've got to figure out the key. 160 00:06:35.680 --> 00:06:37.360 You've got to figure out the cipher, you've. 161 00:06:37.199 --> 00:06:39.120 Got to crack the code. And what they did, what 162 00:06:39.160 --> 00:06:40.680 it was doing, it's amazing. 163 00:06:40.839 --> 00:06:41.800 Yeah, that's pretty cool. 164 00:06:41.879 --> 00:06:42.439 It is cool. 165 00:06:42.639 --> 00:06:45.560 So I guess the. 166 00:06:45.680 --> 00:06:47.639 So why is the story important today? 167 00:06:47.920 --> 00:06:50.160 Yeah? So why is this important. You know, why should 168 00:06:50.199 --> 00:06:53.759 we care about you know, why does this matter to us? 169 00:06:53.800 --> 00:06:58.319 Some retro hackers cracking this old game on this old system. 170 00:06:58.519 --> 00:07:01.360 For one thing, it shows that the spirit of hacking 171 00:07:01.800 --> 00:07:04.079 has been around for a long time. It's not it's 172 00:07:04.079 --> 00:07:07.360 not a new thing. It's not like kids these days 173 00:07:07.399 --> 00:07:10.319 with their computers, right, this has been going on since 174 00:07:10.360 --> 00:07:11.240 the dawn of computing. 175 00:07:11.319 --> 00:07:15.720 This is like a fundamental human desire. It's about curiosity 176 00:07:15.759 --> 00:07:18.519 to figure out how things. 177 00:07:17.920 --> 00:07:20.120 Pushing the limits of what's possible. 178 00:07:20.199 --> 00:07:23.240 And then I think also it shows that even seemingly 179 00:07:23.560 --> 00:07:25.800 simple systems can have. 180 00:07:26.040 --> 00:07:28.279 Like the Apple, it seems simple, you can have these 181 00:07:28.319 --> 00:07:29.160 like hidden but. 182 00:07:29.199 --> 00:07:32.240 Under the hood, there's a lot of complexity, complexities in that, 183 00:07:32.279 --> 00:07:35.319 and if you're willing to dig deep, you can find 184 00:07:35.439 --> 00:07:36.759 really interesting stuff. 185 00:07:37.000 --> 00:07:39.920 You can find those and exploit them exactly. 186 00:07:40.000 --> 00:07:42.600 So it's kind of a it's inspiring. It's inspiring, it 187 00:07:42.639 --> 00:07:45.639 is it is. Yeah, okay, all right, so let's move 188 00:07:45.639 --> 00:07:47.680 on to something a little more modern. All right, So 189 00:07:47.720 --> 00:07:49.360 let's move on to something a little more modern, little 190 00:07:49.360 --> 00:07:49.839 more high tech. 191 00:07:50.000 --> 00:07:52.360 And this is an interesting technique. 192 00:07:52.519 --> 00:07:54.000 Yeah, this is one of my favorites. 193 00:07:54.040 --> 00:07:55.759 Actually, Zero copy networking. 194 00:07:55.879 --> 00:07:59.800 Yeah, zero copy networking. So what is it's all about? 195 00:08:00.839 --> 00:08:02.000 Zero copy networking. 196 00:08:02.120 --> 00:08:04.800 Yeah, efficiency, getting the most out of your hardware. 197 00:08:05.519 --> 00:08:09.199 It's kind of like in the realm of high performance, high. 198 00:08:09.040 --> 00:08:12.399 Performance computing, real time systems. 199 00:08:12.600 --> 00:08:16.279 Yeah, anything where latency matters, millisecond counts. 200 00:08:16.399 --> 00:08:18.040 Yeah, this is where zero copy comes in. 201 00:08:18.480 --> 00:08:22.120 Yeah, because traditional networking involves a lot of copying data. 202 00:08:22.560 --> 00:08:26.040 Yeah. So the problem that it solves is that normally 203 00:08:26.040 --> 00:08:28.759 when you send data over a network, right, there's a 204 00:08:28.800 --> 00:08:30.560 lot of copying that happened. 205 00:08:30.319 --> 00:08:32.200 From the CPU to the kernel, from. 206 00:08:32.120 --> 00:08:33.240 The CPU to the CURL, the. 207 00:08:33.240 --> 00:08:35.840 Kernel to the network card, the network call, all these 208 00:08:35.840 --> 00:08:40.120 different buffers and all that copying takes time. 209 00:08:40.360 --> 00:08:44.440 It takes time, it consumes CPU cycles, and it uses resource. 210 00:08:44.519 --> 00:08:47.799 It slows things down. So zero copy networking. 211 00:08:48.279 --> 00:08:50.879 So the idea is, can we just skip all that? 212 00:08:51.320 --> 00:08:54.440 Can we just cut out the middle man the middle man? 213 00:08:54.639 --> 00:08:59.080 Let the data flow directly from the application memory straight 214 00:08:59.120 --> 00:09:02.039 from point A to point B to the network card. Yeah, 215 00:09:02.120 --> 00:09:04.440 without all those extra stops along the way. 216 00:09:05.200 --> 00:09:07.159 So how do they actually how do they do that? 217 00:09:07.240 --> 00:09:07.519 Do that? 218 00:09:08.200 --> 00:09:11.840 Well? It involves a few tricks. Yeah, One is using 219 00:09:11.879 --> 00:09:12.879 something called DMA. 220 00:09:13.919 --> 00:09:16.039 DMA direct memory access. 221 00:09:15.720 --> 00:09:18.840 Direct memory access yeah, which allows the network card to 222 00:09:18.960 --> 00:09:22.759 access memory right directly without going through the CPU. 223 00:09:22.519 --> 00:09:25.600 So the CPU can be doing other things exactly. 224 00:09:25.639 --> 00:09:28.279 The CPU is like, hey, network card, you handle this, 225 00:09:28.360 --> 00:09:28.919 You handle this. 226 00:09:28.960 --> 00:09:31.240 I'm busy, I've got other things to do. I'm playing 227 00:09:31.240 --> 00:09:32.200 a game over here. 228 00:09:32.120 --> 00:09:33.279 I'm rendering this video. 229 00:09:33.679 --> 00:09:38.399 Don't bother me. So DMA is one part of it, right. 230 00:09:38.600 --> 00:09:44.240 Another part is using specialized drivers okay, like PFR im PFR, 231 00:09:44.799 --> 00:09:49.399 which are designed specifically for high performance networking. They bypass 232 00:09:49.440 --> 00:09:51.320 a lot of the traditional networking stacks. 233 00:09:51.039 --> 00:09:53.120 So they cut out all all. 234 00:09:52.879 --> 00:09:55.720 The layers, the bureaucracy of the networking. 235 00:09:55.320 --> 00:09:57.200 Stack, the unnecessary red tape. 236 00:09:57.320 --> 00:09:59.919 Exactly, just get the data where it needs to go. 237 00:10:00.120 --> 00:10:02.480 Just get the data there as fast as possible. That's 238 00:10:02.519 --> 00:10:02.879 the goal. 239 00:10:03.799 --> 00:10:07.440 So what kind of applications would this be really useful for? 240 00:10:07.639 --> 00:10:10.200 Oh, so many things, so many things. Think about like 241 00:10:10.360 --> 00:10:15.039 high frequency trading where microseconds matter, milliseconds matter. If you 242 00:10:15.039 --> 00:10:18.279 can shave off right, if you can get you're trade in, 243 00:10:18.480 --> 00:10:20.320 you can make a lot of money a few milliseconds 244 00:10:20.360 --> 00:10:21.159 before the other guy. 245 00:10:21.320 --> 00:10:24.879 Real time streaming. You don't want your video to lag. 246 00:10:24.879 --> 00:10:27.600 Yeah, you don't want You want it to be smooth buffering. 247 00:10:27.759 --> 00:10:33.879 Yeah, so any application gaming aiming where you need that 248 00:10:34.000 --> 00:10:35.320 low latency. 249 00:10:34.919 --> 00:10:37.679 Where low latency is critical. So this is kind of 250 00:10:37.720 --> 00:10:40.440 like zero copy networking can really. 251 00:10:40.200 --> 00:10:41.559 Make a difference under the hood. 252 00:10:41.720 --> 00:10:44.519 It's the secret sauce, secret sauce that makes things fast. 253 00:10:44.679 --> 00:10:47.720 Yeah, that you don't see, but it's there, work in 254 00:10:47.759 --> 00:10:48.279 its magic. 255 00:10:48.360 --> 00:10:50.320 It's working hard behind the scenes. 256 00:10:50.440 --> 00:10:51.159 That's cool. 257 00:10:51.279 --> 00:10:53.759 Yeah. Okay, so all right, what's next? 258 00:10:53.879 --> 00:10:54.440 What's next? 259 00:10:54.519 --> 00:10:56.799 What other cool stuff do we have on our list 260 00:10:56.840 --> 00:10:57.360 in this book? 261 00:10:57.360 --> 00:11:00.159 All right, so this one is a hardware hack. 262 00:11:00.159 --> 00:11:03.840 Oh, hardware hacking. This is called the I Love Hardware Hacking. 263 00:11:03.559 --> 00:11:06.360 The ip flip Wixer trick. 264 00:11:06.320 --> 00:11:11.399 D I p flip wixer trick. That's a mouthful, it is, 265 00:11:12.000 --> 00:11:13.240 but it's a really cool trick. 266 00:11:13.559 --> 00:11:17.360 It is a cool trick. Yeah, so uh what is it? 267 00:11:17.399 --> 00:11:18.240 This is from Joe. 268 00:11:18.039 --> 00:11:22.279 Grant, Joe grand the King of hardware hacking. Yeah, he's amazing. 269 00:11:22.360 --> 00:11:24.720 So the idea is, how do you reprogram a device 270 00:11:25.080 --> 00:11:28.840 without any special tools, without any special tools. 271 00:11:28.519 --> 00:11:31.320 Without any special never hacking. 272 00:11:31.399 --> 00:11:34.120 You know you've got You're stuck on a desert island. 273 00:11:34.799 --> 00:11:37.159 All you've got is a paper clip and a piece 274 00:11:37.200 --> 00:11:40.600 of chewing gum. Yeah, and you've got to reprogram. 275 00:11:40.000 --> 00:11:44.840 This device shoelace, and somehow, somehow you do it reprogrammed. 276 00:11:44.919 --> 00:11:47.480 That's Joe Gran he's the master of that. 277 00:11:47.559 --> 00:11:51.919 So in this particular case, he is exploiting the the. 278 00:11:51.879 --> 00:11:54.720 Ftd I chick, the FTDI chick, which is a very 279 00:11:54.759 --> 00:11:58.080 common chip used for USB to serial communication. 280 00:11:58.279 --> 00:12:01.159 Right, So if you've ever used like an Urduen or 281 00:12:01.200 --> 00:12:02.360 a Raspberry. 282 00:12:01.919 --> 00:12:05.120 Pie or any kind of embedded device, you've probably used 283 00:12:05.120 --> 00:12:09.399 an FTDI chip. You've probably seen it. Yeah, these little chips, 284 00:12:09.519 --> 00:12:12.519 they're everywhere. And so what he figured out is that 285 00:12:12.639 --> 00:12:13.720 there's a way. 286 00:12:13.600 --> 00:12:16.919 To uh reconfigure. 287 00:12:16.960 --> 00:12:20.080 We can figure the gpio pins. 288 00:12:19.879 --> 00:12:21.960 The gpo opins on the fly on the floor, which 289 00:12:21.960 --> 00:12:22.679 is kind of unusual. 290 00:12:22.679 --> 00:12:25.159 So gpio pins are basically like little. 291 00:12:24.879 --> 00:12:27.440 Switches you can turn on and off, and they could 292 00:12:27.440 --> 00:12:28.519 be used for all sorts of things. 293 00:12:28.600 --> 00:12:32.200 Yeah, they can be used to control LEDs or motors 294 00:12:32.320 --> 00:12:35.799 or sensors or whatever you want, all sorts of things. 295 00:12:35.840 --> 00:12:39.200 And so he figured out a way to reconfigure. 296 00:12:38.360 --> 00:12:41.200 Those to use those pins, to use those pins redirect 297 00:12:41.200 --> 00:12:42.919 the cereal data to redirect. 298 00:12:42.519 --> 00:12:44.120 The serial data. So instead of going to. 299 00:12:44.080 --> 00:12:47.360 The normal to basically reprogram the chair the device. 300 00:12:47.600 --> 00:12:49.279 It's going back to the FTDI. 301 00:12:48.919 --> 00:12:52.200 Chip, the FTDI chip itself and reprogramming it, which is 302 00:12:52.240 --> 00:12:52.720 so clever. 303 00:12:52.919 --> 00:12:56.519 It is so clever. It's like using the device's own 304 00:12:56.559 --> 00:12:57.639 defenses against it. 305 00:12:57.759 --> 00:13:00.759 Yeah, it's like turning its own power against it, exactly. 306 00:13:01.279 --> 00:13:03.840 And so, so how does he actually do this? 307 00:13:04.159 --> 00:13:08.600 The way he does this is by using specific key strokes, 308 00:13:08.600 --> 00:13:14.279 Like so, if you press the right combination of keys, it. 309 00:13:13.200 --> 00:13:14.240 It triggers a mode switch. 310 00:13:14.279 --> 00:13:17.440 It triggers this mode switch and FTDI chip. Yeah, and 311 00:13:17.480 --> 00:13:20.279 then suddenly the serial data is and then suddenly the 312 00:13:20.360 --> 00:13:21.879 serial data is going to. 313 00:13:22.000 --> 00:13:24.879 The data is flowing in a different direction to the chip. Yeah, 314 00:13:24.960 --> 00:13:26.080 you can reprogram it. 315 00:13:26.080 --> 00:13:26.919 It's wild. 316 00:13:27.080 --> 00:13:28.919 It is wild. It's like, so what does this It's 317 00:13:28.919 --> 00:13:31.720 like a secret back door, yeah, into the chip. 318 00:13:31.879 --> 00:13:33.440 So what's the takeaway here? 319 00:13:33.639 --> 00:13:34.759 So what can we learn from this? 320 00:13:34.919 --> 00:13:35.840 Why is this important? 321 00:13:35.960 --> 00:13:39.679 Besides the coolness factor, besides being super cool? 322 00:13:39.759 --> 00:13:42.399 I mean, it's just so cool, it's super cool. Yeah, 323 00:13:42.440 --> 00:13:45.519 what's the practical lesson here? I think the lesson is 324 00:13:45.559 --> 00:13:48.480 that I think it teaches us to think outside the box. 325 00:13:48.320 --> 00:13:51.679 To think outside the box, and to not don't assume. 326 00:13:51.320 --> 00:13:53.000 That you need specialized tools. 327 00:13:53.200 --> 00:13:56.279 Assume that you need these to do amazing things especial 328 00:13:56.440 --> 00:13:58.840 Sometimes the tools you need are right in front of you. 329 00:13:59.399 --> 00:14:00.720 You just have to know how to use them. 330 00:14:00.759 --> 00:14:04.200 Sometimes the things you have in a different way can 331 00:14:04.240 --> 00:14:08.120 be used for something completely different than they were intended for. 332 00:14:08.279 --> 00:14:12.879 It's about creativity, and that's about resourcefulness. It's about that 333 00:14:12.960 --> 00:14:16.639 hacker spirit, the hackers, you know, finding a way even 334 00:14:16.639 --> 00:14:19.960 when it seems impossible. Okay, okay, so one more, one more, 335 00:14:20.159 --> 00:14:21.759 one more for this segment. 336 00:14:21.480 --> 00:14:23.679 For this segment, and then we'll hit me with it. 337 00:14:23.720 --> 00:14:26.679 We'll take a break. So this one is a little 338 00:14:26.720 --> 00:14:27.480 bit more in the. 339 00:14:27.399 --> 00:14:28.720 Weeds, a little more technical. 340 00:14:28.879 --> 00:14:32.480 Yeah, okay, so this is about uh. 341 00:14:32.320 --> 00:14:34.360 Static ELF relocations. 342 00:14:34.559 --> 00:14:37.159 Static ELF relocations. 343 00:14:37.320 --> 00:14:41.360 Wow, that's a mouthful, but it's an important concept. 344 00:14:41.039 --> 00:14:43.879 The security implications, especially. 345 00:14:43.519 --> 00:14:47.559 If you're working with like low level systems. Yeah, embedded systems. 346 00:14:48.320 --> 00:14:52.399 ELF is the operating system kernels, executable and linkable format. 347 00:14:52.559 --> 00:14:55.879 That's right. It's basically it's the standard format programs are 348 00:14:56.480 --> 00:14:58.159 for executable files on. 349 00:14:58.240 --> 00:15:00.399 Linux sort on Linux and any. 350 00:15:00.240 --> 00:15:03.039 Other Unix like systems. Yeah, so it's pretty important. 351 00:15:03.159 --> 00:15:07.480 And so when we talk about static ELF relocations we're 352 00:15:07.519 --> 00:15:13.240 talking about. UH. A statically linked binary. 353 00:15:12.879 --> 00:15:16.600 Aesthetically linked binary is often seen is like a self 354 00:15:16.639 --> 00:15:20.600 contained unit, more secure. It's got everything it needs than dynamically. 355 00:15:20.720 --> 00:15:22.559 All the libraries are built. 356 00:15:22.320 --> 00:15:23.279 In linked binary. 357 00:15:23.320 --> 00:15:26.000 It's like a standalone program. You don't need anything else 358 00:15:26.000 --> 00:15:26.799 to run it. 359 00:15:26.679 --> 00:15:31.120 Because it's self contained. What this research show there's. 360 00:15:30.879 --> 00:15:33.799 A catch is that even there's always a catch, statically 361 00:15:33.879 --> 00:15:37.559 linked binaries can still have there's no such thing as perfect. 362 00:15:37.320 --> 00:15:43.559 Security vulnerabilities relating to these relocations static binaries. The idea 363 00:15:43.600 --> 00:15:45.159 is even though there's statically. 364 00:15:44.840 --> 00:15:49.159 Linked, even though they still contain relocation tables, which are 365 00:15:49.200 --> 00:15:52.679 basically instructions for how to load the different parts of 366 00:15:52.720 --> 00:15:57.200 the program into memory at run time. So even though 367 00:15:57.240 --> 00:16:00.639 the libraries are statically linked, there's still this there's still 368 00:16:00.639 --> 00:16:05.879 this table of information this function needs to be loaded 369 00:16:06.320 --> 00:16:09.399 at this address. Assumption this data needs to be loaded 370 00:16:09.399 --> 00:16:10.600 at this address. 371 00:16:10.320 --> 00:16:13.000 Is here, and so on, this data is here. 372 00:16:12.879 --> 00:16:16.919 And attackers can exploit and an attacker those relocation tables 373 00:16:17.480 --> 00:16:21.120 to do nasty things like shared library injection. 374 00:16:21.320 --> 00:16:22.960 Shared library inject. 375 00:16:22.639 --> 00:16:24.960 Which is a classic attack which is basically where you 376 00:16:25.080 --> 00:16:30.279 trick the program, picking the program into loading a malicious 377 00:16:30.519 --> 00:16:34.519 library loading your code instead of the legitimate one, and 378 00:16:34.559 --> 00:16:36.480 then your code gets executed. 379 00:16:36.679 --> 00:16:37.720 So that's crazy. 380 00:16:37.879 --> 00:16:39.120 It is crazy. 381 00:16:38.799 --> 00:16:41.840 Because you think it's like, okay, you think you're saying 382 00:16:41.879 --> 00:16:43.200 statically linked. 383 00:16:42.919 --> 00:16:46.440 Because you've got this statically linked binary self contained, but 384 00:16:47.000 --> 00:16:51.200 there's still these subtle ways that attackers can get in 385 00:16:52.360 --> 00:16:53.360 and mess things up. 386 00:16:53.559 --> 00:16:55.080 Yeah, that's so cool. 387 00:16:55.240 --> 00:16:56.799 It is cool, and it's a good reminders. 388 00:16:56.840 --> 00:17:00.240 But what does this tell us that security is hard? 389 00:17:00.320 --> 00:17:00.759 In general? 390 00:17:00.840 --> 00:17:04.759 Security is never easy, and it's not about you can't 391 00:17:04.799 --> 00:17:08.559 just rely on building the wall or one assumption. 392 00:17:08.880 --> 00:17:13.000 You have to understand the system deeply and you have 393 00:17:13.079 --> 00:17:16.480 to be constantly deep looking for new ways. 394 00:17:17.200 --> 00:17:20.000 Yeah. Attacks, it's like try to get in never ending 395 00:17:20.279 --> 00:17:22.720 is a never ending battle arms race, the arms race 396 00:17:22.759 --> 00:17:23.440 of security. 397 00:17:23.400 --> 00:17:25.359 Yeah, okay, all right. 398 00:17:25.240 --> 00:17:27.640 So that's it for this segment. So we've covered We've 399 00:17:27.640 --> 00:17:30.200 covered a lot of grounds quite a bit, from hacking 400 00:17:30.319 --> 00:17:35.839 children's toys to cracking retro games to exploiting the intricacies 401 00:17:35.880 --> 00:17:41.039