DRAM rowhammer vulnerability

DRAM rowhammer is a very strange hardware vulnerability which, in turn, opens the door to software vulnerabilities. In short, it allows an attacker to change a flip bits in a physical memory address, without accessing that address. Instead, the attacker writes one or more neighboring addresses in a DRAM, and, in some cases, the bits in another address will flip.

Successful attacks from user mode using this vulnerability can:

  • elevate user privileges
  • break security sandboxes
  • forge new private keys

Screen Shot 12-10-17 at 06.51 PM

“NUMA also allows for greater opportunities to exploit Rowhammer”.

Note that this is a hardware failure, most software, even some security-oriented one, are not able to cope with this type of hardware-based attack. The vulnerability has been introduced in recent years due to the growing use of smaller memory cells, to enable memory-chips with more capacity.

Screen Shot 12-10-17 at 06.55 PM




BFT-SMaRt is: Byzantine fault-tolerant state machine replication

BFT-SMaRt is a high-performance Byzantine fault-tolerant state machine replication library developed in Java with simplicity and robustness as primary requirements. Our main objective is to provide a code base that can be used to build dependable services and also extended to create new protocols.

Check it out here:

BitTorrent Tracker Protocol examples

HTTP Tracker

HTTP protocol is used and a typical request contains

  • info_hash
    • 20 byte sha1 hash of the bencoded form of the info value from the metainfo file
  • key
  • peer_id
    • string of length 20 which this downloader uses as its id
  • port
  • downloaded
    • total amount downloaded so far
  • left
    • number of bytes this peer still has to download
  • uploaded
    • total amount uploaded so far
  • compact
  • event
    • optional key which maps to started, completed, or stopped


GET /announce?peer_id=aaaaaaaaaaaaaaaaaaaa&
GET /announce?info_hash=%fc~6%f2%d01d%8e%f3%cd%dd%a0%1f%f7%3a%9d%ffH%cd%e3&

User-Agent: uTorrent/348(110208592)(42576)
Accept-Encoding: gzip
Connection: Close

Screen Shot 10-30-17 at 03.33 PM 001Screen Shot 10-30-17 at 03.33 PM

HTTP Tracker Responses

    • Tracker responses are bencoded dictionaries.
        • if a tracker response has a key failure reason that maps to a human readable string which explains why the query failed


    • the response contains two typical keys:
      • interval
          • number of seconds the downloader should wait between regular rerequests


      • peers. peers
        • a list of peers, each peer containing
            • peer id
            • ip
            • port



HTTP/1.1 200 OK


Screen Shot 10-30-17 at 03.41 PM

UDP Tracker

URLs for this protocol use the form udp://tracker:port. This type of tracker was created to improve on the overhead caused by the HTTP protocol usage. The URLs can be obtained in the metadata file for the torrent.

Possible requests supported by a UDP Tracker:

  • 0: connect
  • 1: announce
  • 2: scrape
  • 3: error

Connect Request

Before announcing, the client must obtain a connection ID (to avoid IP spoofing problems).

  • Choose a (random) transaction ID, Fill the connect input structure, Send the packet.
  • connect input
    • Offset 00 | 64-bit integer | connection_id 0x41727101980
      Offset 08 | 32-bit integer | action 0 (connect)
      Offset 12 | 32-bit integer | transaction_id

ExampleScreen Shot 10-30-17 at 04.00 PM

Connect Response

  • connect response
    • Offset 00 | 32-bit integer | action 0 (connect)
      Offset 04 | 32-bit integer | transaction_id
      Offset 08 | 64-bit integer | connection_id (random)

Announce, scrape, error

These messages are similar to the connect message, using the same semantics as the HTTP Tracker requests.





My new e-book “Deep VMware™ Guest Tools and Guest-Hypervisor communication” at Amazon

Just published my new e-book “Deep VMware™ Guest Tools and Guest-Hypervisor communication” at Amazon.

Check it out.

Most virtualization platforms provide some sort of mechanism of communication between the the hypervisor and its guest virtual machines. “Open VM Tools” is a set of tools that implements such communication mechanisms for VMware™ virtual machines and hypervisors. In this book we analyze each of these these tools and APIs, from high-level usage to low-level communication details, between the guest and the host. This information can be used for a better understating of what actually happens when using a guest machine with these tools. It can also be used as inspiration for using and extending guest-hypervisor communication and penetration testing.

Screen Shot 10-05-17 at 12.44 PM



DDoS prevention and mitigation

There are many DDoS prevention and mitigation products. Many of these products work at the network level, filtering out malicious packets.

For example, Guard-Host states that it provides:

  • a mitigation solution based on VAC technology

    • Analyse all packets at high speed in real time
    • Vacuum your server’s incoming traffic
    • Mitigate i.e. singling out all the illegitimate IP packets, while allowing legitimate ones to pass through
  •  “To detect the attack, we use the netflow sent by the routers and analysed by the Arbor Peakflow boxes. Each router sends a summary of 1/2000 of the traffic that is actually passing through it. The Arbor Peakflow boxes analyse this and compare it to the attack signatures. If the comparison is positive, mitigation is activated within seconds.
  • The signatures analysed are based on traffic thresholds of
    • “packets per second” (pps, Kpps, Mpps, Gpps) or
    • “bits per second” (bps, Kbps, Mbps, Gbps) on certain packet types”

DDoS attack types

For example, Guard-Host acknowledges the following DDoS attack types:

DDoS Attack Types

DDoS Attack Types

Mitigation phase

In the following diagram, the packets in the red area are flagged as belonging to a DDoS attack and are thus discarded and not sent to the server under attack.

Attack detection




New e-Book: “VMware™ hypervisor fingerprinting”

Just published a new e-book at Amazon.com: “VMware™ hypervisor fingerprinting”.

You can find it here:

«In this book, we show how to determine hypervisor properties by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor. This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software. Finally, we present a reporting tool that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system.»


VMware hypervisor fingerprinting Tool ( & Paper)

Just published a new tool vmhost_report.rb (and a paper about it) for VMware hypervisor fingerprinting. The tool is released with an open source license (GPL), you can use it freely.

In the paper, I show you how to determine hypervisor properties (such as hypervisor version or virtual CPU Limits) by running commands in the guest operating system, without any special privileges in the host machine running the hypervisor.

This can be useful for penetration testing, information gathering, determining the best software configuration for virtualization-sensitive and virtualization-aware software.

I have developed a reporting tool vmhost_report.rb that unifies all the presented methods, by running them all in sequence and gathering the information in a useful report that can be run from any guest system. Currently, Linux and Nested ESXi are supported.

You can run it as “ruby vmhost_report.rb“. It will return a lot of useful information in the vmhost_report.log file.

These reports can be used to learn a lot about VMware internals or a particular guest system or network. You can find report examples in the Paper’s “Annex A”.

Some of the described methods can be used even if the VMware Tools are disabled or not installed, or if some of the methods are disabled by host configuration. Some of the methods require “root” privileges, while others do not need it.





Anomaly & Intrusion Detection+Prevention – Overview and Survey

Anomaly Detection is an scientific subject focused on detecting “unusual” and “interesting” patterns on system events (a.k.a. “outliers”).

Screen Shot 07-15-16 at 06.47 PM.PNG

Just published a new slide presentation on academia.edu focused on:

  • Anomaly Detection,
  • Anomaly Detection vs Intrusion Detection,
  • Intrusion Detection and Prevention Systems (IDPS),
  • Open Source IDPS systems

You can check it here:


Fundamental References

  1. Intrusion prevention system – http://en.wikipedia.org/wiki/Intrusion_prevention_system
  2. Guide to Intrusion Detection and Prevention Systems – http://csrc.nist.gov/publications/drafts/800-94-rev1/draft_sp800-94-rev1.pdf
  3. Network Intrusion Detection Signatures, Part Five – http://www.symantec.com/connect/articles/network-intrusion-detection-signatures-part-five
  4. Network Intrusion Detection Systems – http://www.cse.scu.edu/~tschwarz/COEN250_07/LN/NIDS.ppt
  5. Intrusion detection system evasion techniques – https://en.wikipedia.org/wiki/Intrusion_detection_system_evasion_techniques
  6. An Overview of Intrusion Detection Systems Technology and Research – http://www.bzaugg.com/2010/06/an-overview-of-intrusion-detection-systems-technology-and-research/
  7. An intrusion-detection model (DE Denning) – http://web2.utc.edu/~djy471/CPSC4660/DenningModel.pdf
  8. Intrusion Detection using Sequences of System Calls – http://www.cs.unm.edu/~forrest/publications/int_decssc.pdf
  9. Anomaly Detection : A Survey – http://dl.acm.org/citation.cfm?id=1541882
  10. Learning Nonstationary Models of Normal Network Traffic for Detecting Novel Attacks – https://repository.lib.fit.edu/bitstream/handle/11141/106/cs-2002-06.pdf?sequence=1
  11. Learning Rules for Anomaly Detection of Hostile Network Traffic – https://repository.lib.fit.edu/bitstream/handle/11141/123/cs-2003-16.pdf?sequence=1
  12. Open source intrusion detection tools (a quick overview) – https://www.alienvault.com/blogs/security-essentials/open-source-intrusion-detection-tools-a-quick-overview
  13. Security Onion – http://blog.securityonion.net/p/securityonion.html https://securityonion.net/
  14. Snort – https://www.snort.org/https://www.snort.org/faq/
  15. Snorby – https://www.snorby.org/
  16. Squert – http://www.squertproject.org/
  17. BRO – https://www.bro.org/documentation/index.html
  18. Network Taps – http://en.wikipedia.org/wiki/Network_taphttps://www.blackbox.com/resource/genpdf/Network-Taps.pdf
  19. vSphere 5 Networking : Port Mirroring – http://blogs.vmware.com/vsphere/2011/08/vsphere-5-new-networking-features-port-mirroring.html
  20. OSSEC – http://ossec-docs.readthedocs.io/en/latest/

TOR: introduction

TOR stands for “The Onion Router”.

It is a network designed to protect its users anonymity by routing the user’s TCP/IP traffic through multiple layers of encryption and multiple proxy nodes, obfuscating the user’s real IP address.

The proxy nodes are contributed by network volunteers,  mostly in a distributed and decentralized fashion.

Web servers are normally unable to detect the user’s real IP, as traffic seems to originate from the last proxy node in the user’s TOR proxy chain (a.k.a. TOR circuit).

A TOR circuit is typically composed by:

  • the user’s real IP
  • 3 TOR nodes
    • 1 Entry node
    • 1 intermediate node
    • 1 Exit node

Traffic is encrypted using several “onion layers”, for TCP/IP connections (UDP is not supported), as follows (simplified):

  • A data packet (DP1) is encrypted with the Exit Node’s public key
    • P1 = PKexit(DP1)
  • The encrypted packet is again encrypted with the Intermediate  Node’s public key:
    • P2 = PKiterm( PKexit(DP1) )
  • The encrypted packet is again encrypted with the Entry Node’s public key:
    • P3 = PKentry ( PKiterm( PKexit(DP1) ) )

Each node only knows the preceding and following node. No node gets to “know” the complete circuit.

TOR can be useful in a number of situations, for example:

  • protect whistle blowers identity
  • circumvent network censorship in censored regions
  • NGOs communicating with its volunteers in a foreign country
  • users can publish web sites without needing to reveal the location of the site (using TOR’s hidden services)

Nevertheless, TOR must be used carefully, so that no “real IP” address leaks or other identity leaks occur (more info here (TOR Overview) ). Attention must also be paid to the risk of possible attacks from powerful adversaries, such as governments and agencies.

Usually a “TOR Browser” is used in combination with TOR. The TOR Browser is a modified version of the official Mozilla Firefox web browser. It usually disables dangerous features for anonymity, such as javascript, cookies and direct TCP/IP connections (it always routes all connection through the TOR network).

TOR Browser

To connect to the TOR network, a user usually has to install the “TOR Client” in its device or network. You can download it at here (TOR project official site)

I’ll be exploring “TOR Client” low-level features in future posts.

[UPDATED with the new posts:]