Blogs

Ninjadiff - open source binary hashing

February 23, 2021

A year ago, we released a series of blog posts documenting our research into the world of binary hashing. While we speculated about the efficacy of this technique for binary diffing, our primary goal was to recognize similar code between binaries for the purpose of porting annotations from one analyzed binary to another and many of our design choices reflected this end-goal. Luckily, we’ve been given the opportunity to explore how these hashing techniques could be applied to the world of “bindiffing” through DARPA’s Assured Micropatching (AMP) ¹ program.

As part of this ongoing research, we have developed NinjaDiff - an open source binary diffing plugin for BinaryNinja. Throughout this blog post, we will be discussing the underlying algorithms and technical design choices made while designing this tool.

Security Penetration Testing: Why, When, and How?

January 28, 2021

Proactive cybersecurity protections are critical to overall product success due to increasing risk, combined with consumer and enterprise awareness of cyber practices and their impact. River Loop Security works with a wide variety of organizations to secure their products; as a result we have seen the effectiveness proactive security has on their success. One tool that we often draw upon is penetration testing (‘pentest’ for short), or the act of simulating a scenario in which a malicious actor is attempting to penetrate a device or system. From this scenario, we are able to emulate the attacker mindset and see things that are often missed during regular code review or quality assurance, resulting in valuable feedback that can be used to further secure a system. In this post we will be discussing some key advantages penetration tests provide, the differences in testing during various stages of the product lifecycle, along with some of our methodology on how we work with teams to provide the most value during a penetration test.

IEEE PAINE 2020: Decoding & Defending the Trusted Platform Module Against Malicious Hardware Implants

January 11, 2021

River Loop Security’s team members presented at IEEE International Conference on Physical Assurance and Inspection of Electronics (PAINE). The presentation provided a background on hardware implants, secure boot, and background on the Trusted Platform Module (TPM). We then focused on explaining and demonstrating our team’s work developing an TPM interposer and decoder. It concluded in discussing defending agaisnt malicious hardware implants.

Internet of Things Cybersecurity Improvement Act of 2020: What You Need to Know

November 25, 2020

On November 17, 2020 the senate passed H.R. 1668, the Internet of Things Cybersecurity Improvement Act of 2020, by unanimous consent. It is expected to be signed into law, making it a major step in describing and enforcing Internet of Things (IoT) cybersecurity.

In short, this bill requires that the National Institute of Standards and Technology (NIST) set standards, guidelines, and best practices for IoT devices that are procured or used by federal agencies. While the scope of the bill is limited to federal contracts (via the Federal Acquisition Regulations (FAR)), we believe it will have far-ranging consequences on the security of IoT and other embedded systems in the future.

Hardware Hacking 101: Glitching into Privileged Shells

October 14, 2020

Introduction Welcome back to our hardware hacking series! We are excited to share the “glitching” techniques we use in our device assessment process. Glitching, or voltage or fault injection, is the process of changing voltage levels in a digital system in a manner that causes disruption of the system under test or corruption of data. If timed correctly, a glitch of even 1 millisecond can cause a system to fail open into a potentially privileged state.

CVE-2020-13995: Details on a Vulnerability in a NITF Parser

September 24, 2020

While fuzzing a NITF Extract utility extract75 utility published by the US Air Force Sensor Data Management System, we found a global buffer overflow that leads to a write-what-where condition. This flaw has been assigned CVE-2020-13995 and is disclosed in this blog post.

See our Coordinated Vulnerability Disclosure process for more information on how we go about disclosing vulnerabilities we find.

Suggested Updates to the National Imagery Transmission Format (NITF) Specification

August 19, 2020

The National Imagery Transmission Format (NITF) was brought to our attention under the DARPA SafeDocs program. In this program, we are using binary instrumentation and static analysis to understand parsers’ de facto file format specifications. The NITF format is a container format for other image files. It details a large amount of metadata, such as classification info for each file and sub-section. A single NITF file can contain, for example, multiple images, text annotations, and graphics.

This blog post shares our analysis of the format, and updates to the format that we have proposed to the NITF Technical Board. We focus on features or specification language that we believe are likely to lead to implementation errors and vulnerabilities.

Digging into the Android SystemUI Crash from a JPEG

July 29, 2020

In late May 2020, we were asked to help triage the root cause of a bug where an image, when parsed by Android SystemUI, caused the Android process to crash. This could cause a boot loop if, for example, the image was set as the phone’s background. We quickly identified the root cause which we found interesting from an ecosystem perspective.

This blog shares parts of our analysis, and covers our trace of the relevant code path and diagnosis of the root cause. We describe how the fixes work, and then dive into why this bug was only seen relatively recently. Finally, we break down the file’s JPEG and ICC structures, and what impacts these may have on the parsers.

Analysis Methods and Tooling for Parsers

June 9, 2020

This is the first post in a series that describes how we built tools to rapidly identify and characterize “format extensions”: modifications and new feature additions in parsers of complex formats. In this puzzle, we were given a set of binaries and a few input files – in this instance PDFs. Our task was to precisely characterize any new feature(s) present in the binaries and describe how the input files triggered them. Moreover, our goal was to build tools to enable a human to do this faster and/or more completely than they could previously. Our approach was to make the best use of the inputs that triggered modified behaviors, with a combination of fine-grained static binary diffing and execution trace and memory trace analysis.

Analyzing Data Use by the DJI Mimo App

May 12, 2020

The Chinese drone manufacturer, Da Jiang Innovations, Inc. (DJI), recently donated hundreds of unmanned aircraft and accessories to US law enforcement organizations to help enforce stay-at-home orders during the COVID-19 pandemic. Police in 22 states accepted these drones and began using them. This move has stirred up longstanding concerns and allegations that DJI works with the Chinese Communist Party (CCP) to spy on Americans. Claims of this kind of espionage have caused controversy for several years.