
Shadow Runners


Quick evaluation of (somewhat) illicit behavior of published iOS applications. (OWASP Saitama MTG #18, talk #1)

Takahiro Yoshimura

February 27, 2024

Transcript

1. WHO I AM ▸ Takahiro Yoshimura (@alterakey) https://keybase.io/alterakey ▸ Monolith Works Inc. Co-founder, CTO; security researcher ▸ Visiting researcher, Meiji University Cyber Security Research Institute
2. WHAT I DO ▸ Security research and development ▸ iOS/Android apps → financial, games, IoT related, etc. (>200) → trueseeing: non-decompiling Android application vulnerability scanner [2017] ▸ Windows/Mac/Web/HTML5 apps → POS, RAD tools etc. ▸ Network/Web penetration testing → PCI-DSS etc. ▸ Search engine reconnaissance (a.k.a. Google Hacking) ▸ Whitebox testing ▸ Forensic analysis
3. WHAT I DO ▸ CTF ▸ Enemy10, Sutegoma2 ▸ METI CTFCJ 2012 Qual.: won ▸ METI CTFCJ 2012: 3rd ▸ DEF CON 21 CTF: 6th ▸ DEF CON 22 OpenCTF: 4th ▸ Presentations and talks: DEF CON 25 Demo Labs (2017), DEF CON 27 AI Village (2019), CODE BLUE (2017, 2019), CYDEF (2020), etc. Image by Wiyre Media on flickr, CC-BY 2.0
4. BACKGROUND ▸ iOS apps: quality is assured by the app review at release time ▸ Checking the API usage report ▸ Checking the actual behaviour ▸ What about dynamic loading and the like? → Prohibited by App Review Guidelines 2.5.2. Image by Microsiervos on flickr, CC-BY 2.0
5. TOOLCHAINS ▸ Ghidra: multiarch disassembler (NSA) - 10.3.2 ▸ Trueseeing: non-decompiling Android app vulnerability scanner (alterakey et al.) - 2.2.1 ▸ frida-ios-dump: binary dumper (Alone_Monkey et al.). Image: Swiss Army Knife on black by Edgar Pierce on flickr, CC-BY 2.0
6. TOOLCHAINS? ▸ Isn't trueseeing Android-only? ▸ Heavily reworked in the 2.2 series; among other things: a file format extension API and a signature extension API ▸ Given a suitable file format handler plus signatures, iOS app analysis is perfectly feasible (!) ▸ Sorry for the wait… Image by _gift on flickr, CC-BY-NC-ND 2.0
7. CASE STUDY #1. FACEBOOK ▸ facebook ▸ Dynamic code loading ▸ Stack-based VM ▸ Enumeration of feeds ▸ Furthermore: indications that it loads code from Ads
8. CASE STUDY #1. FACEBOOK -- BUSTED ▸ A clear violation ▸ A mechanism that executes code delivered through Ads is especially high risk ▸ …why is something like this left unchecked? Image by Remy Sharp on flickr, CC-BY-SA 2.0
9. CASE STUDY #2. LINE ▸ LINE ▸ Dynamic code loading ▸ Inappropriate system calls: possibly a VM ▸ Inappropriate libraries
10. CASE STUDY #2. LINE -- BUSTED ▸ Very likely a violation ▸ Unsettling, to put it mildly ▸ syscall, fork ▸ Reuses a cryptographic implementation taken from the Mbed stack → an implementation that can hardly be called secure. Image by Cloudtail the Snow Leopard on flickr, CC-BY-NC-ND 2.0
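The kind of signature check slides 6 and 10 describe (flagging an iOS binary that imports syscall, fork or loader functions) can be sketched in a few dozen lines. The script below is an added example written for this page; it is not trueseeing's own file format handler or signature code. It walks the load commands of a decrypted thin arm64 Mach-O (the sort of file frida-ios-dump produces), collects the undefined external symbols recorded in LC_SYMTAB, and reports the ones that match a hypothetical indicator list. Both the indicator set and the sample binary are constructed for the example.

```python
"""Flag suspicious imports in a decrypted iOS Mach-O (trueseeing-style signature, added example).

Assumptions: a thin little-endian 64-bit Mach-O whose imports are listed in LC_SYMTAB.
Fat binaries, big-endian files and imports recorded only via dyld info or chained
fixups are out of scope here. SUSPECT_IMPORTS is a hypothetical indicator list.
"""
import struct

MH_MAGIC_64 = 0xFEEDFACF       # thin 64-bit Mach-O, little-endian
CPU_TYPE_ARM64 = 0x0100000C
MH_EXECUTE = 2
LC_SYMTAB = 0x2
LC_LOAD_DYLIB = 0xC
N_UNDF = 0x00                  # (n_type & N_TYPE) == N_UNDF: defined in another image
N_EXT = 0x01
N_TYPE = 0x0E

# Hypothetical signature: imports a regular App Store app has little reason to call directly.
SUSPECT_IMPORTS = {"_fork", "_syscall", "_dlopen", "_dlsym", "_execve", "_posix_spawn"}


def parse_macho64(data):
    """Return (linked dylib paths, undefined external symbol names) read from the load commands."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<8I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin little-endian 64-bit Mach-O")
    off = 32                    # sizeof(mach_header_64)
    dylibs, imports = [], []
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmd == LC_LOAD_DYLIB:
            # dylib_command: the path is stored at an offset relative to the command itself
            name_off, = struct.unpack_from("<I", data, off + 8)
            dylibs.append(data[off + name_off:off + cmdsize].split(b"\0", 1)[0].decode())
        elif cmd == LC_SYMTAB:
            symoff, nsyms, stroff, strsize = struct.unpack_from("<4I", data, off + 8)
            for i in range(nsyms):          # nlist_64 entries are 16 bytes each
                n_strx, n_type, _sect, _desc, _value = struct.unpack_from("<IBBHQ", data, symoff + 16 * i)
                if (n_type & N_TYPE) == N_UNDF and (n_type & N_EXT):
                    imports.append(data[stroff + n_strx:stroff + strsize].split(b"\0", 1)[0].decode())
        off += cmdsize
    return dylibs, imports


def flag_suspicious(data):
    """Return the sorted imported symbols that match the indicator list."""
    _dylibs, imports = parse_macho64(data)
    return sorted(set(imports) & SUSPECT_IMPORTS)


def build_sample_macho(dylibs, imports):
    """Constructed test input: a minimal arm64 Mach-O holding only LC_LOAD_DYLIB and LC_SYMTAB commands."""
    cmds = b""
    for path in dylibs:
        payload = path.encode() + b"\0"
        cmdsize = (24 + len(payload) + 7) & ~7           # dylib_command is 24 bytes, padded to 8
        cmds += struct.pack("<6I", LC_LOAD_DYLIB, cmdsize, 24, 2, 0x10000, 0x10000)
        cmds += payload.ljust(cmdsize - 24, b"\0")
    strtab, nlists = b"\0", b""                          # string table begins with the empty string
    for name in imports:
        nlists += struct.pack("<IBBHQ", len(strtab), N_UNDF | N_EXT, 0, 0, 0)
        strtab += name.encode() + b"\0"
    symoff = 32 + len(cmds) + 24                          # header + commands so far + symtab_command
    stroff = symoff + len(nlists)
    cmds += struct.pack("<6I", LC_SYMTAB, 24, symoff, len(imports), stroff, len(strtab))
    header = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, len(dylibs) + 1, len(cmds), 0, 0)
    return header + cmds + nlists + strtab


if __name__ == "__main__":
    sample = build_sample_macho(["/usr/lib/libSystem.B.dylib"], ["_objc_msgSend", "_fork", "_syscall"])
    print(parse_macho64(sample))
    print(flag_suspicious(sample))   # ['_fork', '_syscall']
```

An App Store binary has to be decrypted before any of this applies, which is why the toolchain slide lists a binary dumper alongside Ghidra. A hit is a lead, not a verdict: case study #2 itself is phrased as a likely violation, and the flagged call sites still need to be read in the disassembler to see whether they back a VM or loader.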
11. CASE STUDY #3. GMAIL -- QUESTIONABLE ▸ JVM, possibly via j2objc ▸ This alone does not look like a violation of 2.5.2, but how does it stand against 2.3.1 (no hidden features)? ▸ If an ordinary developer did this it would probably be rejected; a rather alien structure. Image by Bricknave on flickr, CC-BY-NC-ND 2.0
12. TAKEAWAYS ▸ Officially, dynamic code loading is not allowed in iOS apps ▸ In reality, though, the rule has largely become a formality → this brings the possibility of deference toward publishers into relief (remember the earlier TikTok analysis session…) ▸ Not just dynamic code loading: VMs and the like are rampant as well ▸ Human review does not contribute to security… it is probably fair to see it as forming no more than a slight barrier to entry, especially for non-English speakers. Image by Cairo on flickr, CC-BY-NC-ND 2.0