Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review

In December 2019, MobileCoin engaged NCC Group to conduct a review of the AES/GCM and ChaCha20+Poly1305 implementations provided by the RustCrypto/AEADs crates. The intended usage context of these crates includes SGX enclaves, making timing-related side channel attacks relevant to this assessment. Two consultants provided five person-days of effort. The Public Report for this audit may … Continue reading Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review →

Reviewing Verifiable Random Functions

While Verifiable Random Functions (VRFs) were first described just over twenty years ago [1], they have recently seen a strong resurgence in popularity due to their usefulness in blockchain applications [2]. This blog post will introduce VRFs in the context of other well-known cryptographic primitives, describe three example use cases, and then highlight over two … Continue reading Reviewing Verifiable Random Functions →

CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation

Written by Cedric Halbronn On Saturday 15th February, I gave a talk titled "How CVE-2018-8611 Can be Exploited to Achieve Privilege Escalation on Windows 10 1809 (RS5) and Earlier". This research was done by Aaron Adams and myself and was presented by Aaron at POC2019 at the end of last year. The OffensiveCon slides are … Continue reading CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation →

Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses

Microcontrollers commonly include features to prevent the readout of sensitive information in internal storage. Such features are commonly referred to as readback protection or readout protection. This paper describes common readback protection implementation flaws, discusses techniques that can be used to defeat readback protection, and provides guidance to implement effective readback protection, written by Sultan … Continue reading Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses →

Improving Software Security through C Language Standards

This blog post describes my history with the C Standards Committee, the work standards organizations are currently doing in software security, and the future of NCC Group's work in improving software security by working with the C Standards Committee and other standardzation efforts. Past I became involved with the C Standards Committee (more formally, ISO/IEC … Continue reading Improving Software Security through C Language Standards →

Whitepaper – A Tour of Curve 25519 in Erlang

An introduction to elliptic curve cryptography theory alongside a practical implementation in Erlang, written by Eric Schorn. This whitepaper may be downloaded below. A Tour of Curve25519 in ErlangDownload

Deep Dive into Real-World Kubernetes Threats

On Saturday, February 1st, I gave my talk titled “Command and KubeCTL: Real-World Kubernetes Security for Pentesters” at Shmoocon 2020. I’m following up with this post that goes into more details than I could cover in 50 minutes. This will re-iterate the points I attempted to make, walk through the demo, and provide resources for … Continue reading Deep Dive into Real-World Kubernetes Threats →

Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)

Vendor: playSMS Vendor URL: https://playsms.org/ Versions affected: Before 1.4.3 Systems Affected: All Author: Lucas Rosevear Advisory URL / CVE Identifier: CVE-2020-8644 Risk: Critical Summary: PlaySMS is an open source SMS gateway, which has a web management portal written in PHP. PlaySMS supports a custom PHP templating system, called tpl (https://github.com/antonraharja/tpl). PlaySMS double processes a server-side … Continue reading Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644) →

Interfaces.d to RCE

Several months ago, I was having a poke at the Mozilla WebThings IoT gateway. The gateway essentially allows a user to host their own IoT cloud from a device (such as a Raspberry Pi) on their local network. It creates a tunnel to a personal subdomain of mozilla-iot.org for managing a user’s devices from the … Continue reading Interfaces.d to RCE →

Properly Signed Certificates on CPE Devices

During late January 2020, a hot topic surfaced between security professionals on an issue that has historically had different proposed solutions. This blog post seeks to explore these solutions and identify pragmatic approaches to risk reduction on this specific issue concerning Customer Premises Equipment (CPE) security. Two security researchers (Tom Pohl and Nick Starke) analysed … Continue reading Properly Signed Certificates on CPE Devices →