The Best of Bug Finding – Duo Tech Talk (Charlie Miller)


(audience murmuring) (speaking away from mic)

– Charlie and I go way back.

– [Audience Member] Oh, yeah?

– No, not really. (speaking away from mic) (audience murmuring) (knocking on mic) Test, test, yep. All right, everybody, settle in, settle in.

– [Charlie] Hey, this is not a roast. (laughs)

– You’re actually not giving a talk. I’m just giving a talk about you.

– [Charlie] Sitting up on like a stage with all these like famous people.

– You can get on the podium. You’re the only famous one here, Charlie.

– [Charlie] This is the worst roast ever, and it hasn’t even started. (laughs)

– Your mic is on.

– [Charlie] Only yours is on.

– Oh. Thank you guys for coming out to Duo Tech Talks. I’m just gonna ignore that guy. We might hear something from him later. So, Duo Tech Talks is our monthly event that we hold here at Duo Security. We’ve got a full house down here, although there’s one seat available, two seats if anyone else is still coming in. If you’re upstairs, there’s two seats available down here.

– [Charlie] Some in the back.

– Four, four seats, one behind a pillar back there. (audience laughs) And like, you guys can crowd into the machine room, possibly. So, Duo Tech Talks is a monthly event we hold here bringing some of our friends, quote unquote, to give talks at Duo about security topics, technology. We’ve stuck to a pretty strict security agenda so far, but we’re open if Charlie decides he doesn’t wanna do security anymore. So, before we start, we have to do mandatory announcements. If anyone has any community events going on feel free to shout out, throw your hands up, CTF Club. (audience member whoops) Oh, I think you volunteered.

– [Audience Member] Oh no.

– [Audience Member] Give him a mic.

– [Audience Member] So, the Duo CTF Team just got created probably last week, so if anybody… (audience laughs) So, that’s not actually like capturing the flags like physical flags. It’s like capturing flags inside computers, so it’s like competitive hacking almost. But if you’re interested in that, you can come talk to me after this, I guess. We’re open to accepting anybody from the community. So, you don’t have to be a member of Duo to join it.

– Cool, anybody else? The flags are inside the computer is what you’re saying. (audience laughs) Where’s Mister Lanyard at? Any ARPSEC, MISEC announcements? No, honey. (speaking away from mic) All’s good in honey land?

– [AV Guy] Awesome.

– Job announcements, I know we’re hiring some people here at Duo. Back there.

– [Neil] Yeah, I’m Neil Borkowicz, I’m from FCA, used to be Chrysler, and we are looking for security professionals right now.

– So, FCA and Chrysler’s looking for security professionals to stop Charlie from hacking their cars, pretty much.

– [Charlie] They’d hire me, but I’m not professional.

– Oh, it’s a challenge. You can’t hack Chryslers.

– [Charlie] Oh, okay.

– What’s in your garage right now? Is it a Jeep, you have a Jeep, right?

– [Charlie] Yeah, I got a Jeep.

– Okay.

– [Charlie] It’s a great vehicle, I love it. (audience laughs)

– Charlie loves Jeeps, for the record.

– [Charlie] The only problem is that it has to go to the shop a lot. There’s a lot of problems.

– [Audience Member] If you’d quit bricking– (Charlie laughs)

– [Charlie] I was just driving and it went out. This stuff’s covered under warranty, as far as I know.

– I don’t know if you guys made it to Valasek’s Duo Tech Talk a few months ago, many months ago. He’s supposed to be our first one, but he missed the first one because he’s a bad person. But he came to our second one and talked about when they hacked cars and they ended up bricking, I don’t know, the ECUs or whatever.

– Computer.

– Computers in the car, and they drove it into the shop, and the dashboard is completely torn apart, and the Toyota mechanic is like, “What is going on with your car?” Chris is like, “I don’t know, it just, (audience laughs) stopped runnin’.” (speaking away from mic) Anybody else, Ashley Vartyak, any announcements? (speaking away from mic) (audience laughs)

– [Ashley] All right, our shameless plug, right? So Duo is hiring for security researchers, security engineers, we have a lot of front end, back end engineering positions. We’re gonna be looking for a growth hacker come this spring. What else? Sales engineers, so anybody on the solutions engineering side that wants to be involved with the customer and clients. Post sales, we’re looking for folks in London as well. So, if you know of anybody in London, we’re looking for a couple of positions, and we’ll be posting for those shortly, so pre and post sales there.

– Anybody else, job hunting, job posting? (speaking away from mic)

– Techstars event here Monday. Dug, where are you at? Not here. (laughs)

– [Audience Member] CEO gone.

– [Charlie] He’s upstairs.

– Techstars Detroit will be holding an event here Monday if you guys are interested in kind of the startup ecosystem in Southeastern Michigan. Come on out, we’ll be back down in the basement, I believe. So, more information on that, we’ll send it out to the Duo Tech Talk list. So, to get started here,
you know I normally give embarrassing intros for speakers, but Charlie is very special, so I wanted to give something a little more heartfelt. Charlie and I go way back. This was actually a picture that my mom sent me earlier this week. I don’t know if you can guess which one is Charlie and which one’s me. Any guesses?

– [Charlie] Neither.

– Neither. It was a Google image search for boys holding hands. But Charlie started off growing up in the wonderful city of Saint Louis where he still resides. As we all know, Saint Louis beat out Detroit for the number one most deadly city in America, a title we were sad to lose. Also, Charlie made some bad decisions early on in his life. (audience laughs) He decided to go to Notre Dame. Now, I just wanna point out a few metrics here. The series record between Notre Dame and Michigan. NCAA Football, no shame. But Charlie decided to go into mathematics. Back when Charlie grew up, computers weren’t really invented yet. It was very, very early on. I think you went to school with Alan Turing if I’m correct, or maybe Babbage, I’m not sure. But South Bend, absolutely wonderful city. After graduating, Charlie decided to straighten up and join the NSA, (audience laughs) where he rubbed elbows with Edward Snowden on a daily basis. After the NSA, Charlie decided to go, not straight, and do a bunch of stunt hacking. So, Charlie is responsible, if you see from the pictures here, for a lot of Apple ownage, whether it’s on the iOS platform or OSX. Several of these shots here, not a very good quality picture, but Charlie doing the Heisman after the Pwn2Own competition, which I believe you won three, is it? Is that the three-peat?

– [Charlie] Yeah, but then there was another year. I won four, thank you very much, four.

– [Jon] So, Pwn2Own’s a competition at CanSecWest where if you’re able to own a mobile device or a browser with a client side vulnerability, you win like, I don’t know, a couple dollars and the laptop.

– [Charlie] You win the thing, and then when I was doing it, like 10,000, then once I retired, at like 100,000.

– [Jon] It got a little more expensive. But some other highlights of Charlie’s career, he wrote a book with good buddy Dino, and he also has lifetime bans from both the Apple and Android app stores. (audience laughs)

– [Charlie] I might be the only person with that.

– Yeah, I can’t top you. I actually have two lifetime bans from the Android App Store, but nothing from Apple. Actually, two consecutive, I have multiple life sentences. I don’t understand how it works but, you’ve definitely got the diversity, and I’ve got the depth. (audience laughs) Charlie’s also been hacking on some cars recently. So, you might’ve seen him on some Forbes videos, also on the Daily Show with Carson Daly in Times Square with him and Valasek looking really nervous on national TV showing how they can, I don’t know, was it a Jeep that you guys hacked?

– [Charlie] That was a Ford Escape.

– As long as it wasn’t a Chrysler, ’cause those are unhackable, yeah. (audience laughs) So, besides research, Charlie has been a professional costume model. Actually, earlier–

– [Charlie] I don’t think I’m actually wearing that doctor’s outfit, just so you know.

– [Jon] I had to Photoshop him because I couldn’t, we spent so much time on this presentation on our costumes and our pinata, that the slides were in absolute disarray. Someone came up to us earlier today and said, “Hey, Charlie, I remember I saw your talk where you were dressed up in the costume,” and Charlie’s response was, “You’re gonna have to be more specific.” (audience laughs) Because, basically, half of Charlie’s presentations are some goofy costume like when he dressed up as a North Korean cyber army officer and then Photoshopped pictures of himself with Kim Jong-il every other slide. And then there was about three slides of content through the entire talk. (audience laughs) Nowadays Charlie is a staff engineer at Twitter where he spends most of his day responding to Bug Bounty reports and thanking people for the report and that they’ll get a free T-shirt very quickly. (laughs)

– [Charlie] How the heck did you get that slide?

– Oh. (laughs) I think Chris deserves credit for that one.

– [Charlie] Just so you know, that was actually a macro, those are not my own words. (audience laughs)

– [Audience Member] You didn’t even write the macro?

– [Charlie] No, (audience laughs) I got people to do that.

– But, in all seriousness, Charlie has an impressive career. As you know, in security, most people’s careers end when you turn 30. That’s when you officially retire. And we’re excited to host Charlie here for basically his greatest hits album. Now that he is almost officially in retirement, he’s gonna give a talk about sort of a lifetime of bugs, and an overview of some of the research he’s done. So, Charlie’s a great buddy of mine, and I love the work he’s done, so I really wanna welcome Charlie very warmly to Duo Tech Talks. (audience applauds)

– Thanks. In like three slides you’re gonna have to hook me up, serious. Okay, I need a clicker or something. All right, so this is the first time I’ve ever given a talk
on not my own computer. I’ve probably given 200 talks in my life, so I’m a little nervous about that. So, let’s see how it goes. So, Jon O invited me up here to give a talk, and I told him I don’t really have anything to talk about. And he’s like, “Well, just talk about anything.” I was like, “Well, I could talk about that time I hacked an iPhone.” He’s like, “Yeah, yeah, just talk about that.” So, this talk is just like a bunch of stuff about bug hunting in general, and different bugs I found, and exploits I’ve written, and stuff like that. So, that’s it. I probably don’t need to do this since that was such a great intro. I do remember that time we were in the park, great times. So, I might as well start out with my favorite bug of all time. Which is, undoubtedly, this bug in Duo Security’s Web SDK. (audience laughs) I mean, for real, the guys who wrote this bug must’ve been total idiots. God, it’s so bad. (audience laughs) Anyway, what am I really gonna talk about? (laughs) Basically, two things. One is like how do I find bugs, how do people find bugs, and then just some bugs I found that I think are kinda cool.

So, what is the art and science of bug finding? So, basically, it’s hard, right? If it was easy, there’d be no bugs because we’d just find them all, like when we made them. So, by its very nature it’s hard. The thing that’s hard about it, from my perspective, is that you look at source code and the bugs are like one line out of 10,000 lines, so it’s like really hard to find bugs. And the reason that bugs are so important is in this pyramid which I’ve patented and copyrighted in case anyone wants to use this. It’s what I call the pyramid of exploitation. And so, the base of the pyramid is finding these bugs. So, if you have a bug, that is what starts off everything else. So, you have a bug, and then you write an exploit based on that bug, and then you install some sort of backdoor, or rootkit, or something, and then you do bad stuff. So, you can’t do the bad stuff without the bug to start with. And then other things that make it hard is there’s lots of different people looking for bugs. So, there’s the good guys like me, and then there’s academics who once in a while stumble upon a bug. (audience laughs) Sorry about that, U of M people. (audience laughs) And then you got bad guys, and then, of course, government guys doing it. And then, the other thing that’s sort of tricky about it is if you gave me $10 million and said, “Okay, do what you would normally do, but now you have all this money.” I don’t know what I would really do that much differently besides hire a bunch of people. Personally, on me, if you gave me tons of computing resources, I don’t know if that would really help me that much. So, it’s very labor intensive, and there’s not necessarily a good relationship between how much you spend and the number of bugs you find.

So, what do I do? Well, the first thing that’s important from a researcher’s perspective is what are you gonna look for a bug in? So, if you work for a company, you don’t really have a choice. Your boss tells you what to look for a bug in. But if you’re just looking for any old bug, you have to choose out of all the programs in the world what you’re gonna look for a bug in. Even if you’re, say for example, looking for a bug in, I don’t know, a car, there’s a lot of choices, right? Are you gonna look at Bluetooth, or are you gonna look at wireless tire sensors, or whatever? And so, you have to make choices about what you’re gonna focus your time on. And so, this is probably the thing that’s, actually, the hardest to do and the thing that I’ve been pretty lucky with so far. Because otherwise, you waste your time and you only have so much time. So, after that, then you do some actual work. And I’ll talk about all this stuff in a minute.

So, how do we choose which software you’re gonna look for the bug in? And so, it’s a factor of these things. How distributed is the software? Does everyone use this, or does no one use it? So, it turns out the software that no one uses, there’s tons of bugs, and you can find them very easy, but no one gives a shit. So, on the other hand, if you look at some software that everyone uses, probably that’s pretty hard to find a bug in, so maybe you don’t wanna focus on that, at least when you’re starting out. And then the other thing is, well, there’s bugs and then there’s exploits, right? And so, whoa, I don’t even know how to fix that. Guy in the back, make it go back to how it was. Thank you. So, just ’cause you can find a bug doesn’t necessarily mean that you can exploit it, right. So, you have to think about how hard it would be to write an exploit on the system. And this is one of the reasons that, if you’ve followed along the arc of my career, I moved from web browsers, to mobile devices, to embedded devices, mostly because of this. Writing an exploit against Chrome, even if you could find a bug, is super hard, because of all this sandboxing and all this other kind of memory protections. So, then I went to phones where it was easy, and then they added all the memory protections and stuff. So, I was like, well, screw this, it’s too hard. So, then I went to embedded devices where they don’t have that yet. So, eventually they’ll have it, and then I’ll have to retire for sure. (audience laughs) These are just the last things I talked about in more detail. So if you wanna figure
out what to go after, there’s stats on this kind of stuff. So, if you wanna own 70% of internet webservers then, own Apache. But again, that’s gonna be really hard. And if you wanna talk about how hard exploitation is, well of course, there’s things like memory protections and stuff, but not even thinking about that, if you think about how hard it’s gonna be to exploit, so how much data can you send a thing? Are you limited to like, if you wanna attack Twitter, you can send 140 characters. It’s gonna be hard, even if you found an exploit, to really exploit that if you’re limited to that little tiny payload versus an entire PDF which can be megabytes big. And then, how much interaction is it? Is it like I send the thing and I forget about it? Or is it like JavaScript where I have a lot of control over what’s going on. So, it’s gonna be a lot easier to exploit something just to set up the heap and so forth if you have control over a scripting kind of language. And then how hard is it gonna be to actually exploit? If you find some bug in port 135 of Windows, that’s like super cool if you’re on the network, but on the internet, there’s not gonna be that many hosts that have that open. But if you find a bug in Apache, well, every Apache server’s obviously gonna let port 80 in, and so, it’s not gonna be a problem.

Okay, so the other thing you can do is, I was a consultant for seven years or something, and one of the things that you have to be really good at, or at least you get practiced at, is within about 10 minutes I can tell you whether I’m gonna find like 1000 bugs or one bug. Because you just know when you look at the code, you’re like, this code is terrible, or this code is pretty good. So, this is basically what it’s like. It’s like, how old is it, was it written in like 2001, or was it written three years ago? Are there tons of new features constantly added, or is it pretty static? Who wrote it, was it some start up manned by a bunch of college kids from U of M, (audience laughs) not to pound on Duo anymore, or was it some professional software developers. (audience laughs) I can do this all night long. So, then what’s the history? Has there been a bug reported every week or not? And then just look at the code. Does it look crappy, are there string copies everywhere or not? Another thing is we don’t really know how to measure how many bugs are gonna be in code, but one general principle that some people think is the bigger the code the more bugs. Just because the number of bugs is proportional to the amount of code. If you just look at how much code is in it, you can get at least a general idea of how many bugs you might be able to find. So, the bigger things are probably gonna be easier to find, so you can look at that. This is some crazy picture of code coverage of Linux Kernel which is massive.

So, what do you do? The thing that I think about looking for bugs is there’s not really any new things that I’m ever surprised about, about like, oh, I found this new way to find bugs. Well, that really never happens. The thing is you just have to sit down and do it, commit the resources to do it. You see research about this, but it’s mostly just very, very incremental improvements. There’s two general approaches. One is look at the code, whether it’s source code or binary or whatever, and that’s what we call static analysis. And you can have tools help you do that or tools that try to do it automatically, although, these tools usually aren’t that good. So, this is you just sit down, you look for bugs, use tools if you can, it takes a long time. People ask me, “Oh, does your math degree ever help you in what you do?” I’m like, “Well, not really, because I’m not really solving differential equations very often in computer security.” But what it does help me do is, to get a PhD you have to work on a very hard problem, it takes you many years, and a lot of the time you think you’re gonna fail, right? So, that’s what, basically, bug finding is too, is like, okay, I’ve looked at this thing for two weeks, I haven’t found a bug, but I’m not gonna give up. I’m gonna keep going because I know that sometimes it’s hard
and it takes a while. If it was easy, everyone would do it. I tell my kids that all the time, and then they quit stuff. (audience laughs) Okay, so the bad thing about doing it this way is that you need people to do this work, and so, you can’t really scale up to a massive program, because you need people, and it’s hard. The other thing is you might find things that kinda look like bugs, but they’re not. So, then you tell your developers, and they’re like, “Oh, that’s not even a bug,” and then they don’t wanna listen to you any more. The other thing is you might find something that looks like a bug, but you have no idea how to get an input to it. And it turns out figuring out the input to get to that line of code is sometimes just as hard as having looked for the bug in the first place. And then this is the worst thing, especially as a consultant, someone hires you, you spend a month looking at their software, and they’re like, “How’s it going?” You’re like, “It’s going great, I’m still looking at the code.” (audience laughs) You have nothing to show for your work except if you find a bug. So, that’s sort of frustrating for people who are paying you a bunch of money. That’s how it goes.

So, here’s some examples, first a theoretical example and then a real practical example. So, how does this thing fail? So, here’s a function, it’s called bar, and it looks like it could be dangerous, it’s a string copy, that’s bad, into a fixed length buffer. But what if every function that calls this only sends in small inputs? And what if this is only called through a function pointer, and that function pointer’s never called. So, it’s like, yeah, this looks bad, and if I was the consultant, I would flag that and say this looks serious, or whatever. But to actually know whether it’s vulnerable you’d have to understand more about the program than just this line. And so that’s why it’s kinda hard. So, here’s another example of where static analysis just fails. So, if you notice, I’m obsessed with finding an Apache bug. That’s my life’s goal. So, a lot of these talks are about Apache bugs. In 2003 there was this Apache bug. So, here’s the source code from it. And the actual bug is at this line. Instead of saying ps->free=node, it should say ps->free=active. It’s like, how the hell are you ever gonna find that? It’s not like a string copy, right? You can’t grep for this. This is something you have to read every line of code and understand every line of code in this function to know what’s going on. And so, there’s no way anyone’s ever gonna find that. At least by reading the code.

So, the other alternative is to have a computer to look for bugs for you. So, that’s called dynamic analysis or fuzzing. This is something I like ’cause it’s easy, and I’m lazy. So, what you do is you send in a bunch of inputs to the program that have been corrupted in some manner. What else do I wanna say about this? So, if it ever crashes, then that’s bad. It might not be a security bug, but it’s still some sort of bug. And the good thing is it’s really a real thing. It’s not like some theoretical sort of like, I think there’s a bug here, but I don’t know how to make it go off. So, when is this bad? Well, the bad thing is you get a crash, you don’t know whether it’s a security bug or not. Sometimes it’s hard to tell whether it’s working. It’s like, I’m sending inputs and it’s not crashing. Does that mean the program’s good or does that mean your fuzzer sucks? I don’t know. So, you don’t really know exactly what to send. You might have too many test cases. If you try to make just completely random things, it might take forever to send the test cases. So, there’s some problems. And here’s a theoretical example of how you can imagine this failing. So, there’s a simple little program, in theory, you can send in an infinite number of inputs, and depending on how long they are, different things happen in the program. Right? In practice, not infinite, but still, way too many that you’d wanna send. So, you’re not gonna be able to send in inputs to exercise every single line of code. So, here’s my fair example. And if you’re on Twitter, I liked this example before Halvar did. But Halvar likes to talk about this example too. It’s a very classic example. So, Sendmail is a program that Hillary Clinton uses, (audience laughs) other people use as well. And so, there’s a function in it called crackaddr, and this is a function you pass into it some big thing that looks like Charlie Miller, bracket, Charlie @ OpenRC, or whatever. And it’s an email address, right? And it parses it out into whatever it needs to do. And so, it turned out there was this bug, and you had to send in an email that looked exactly like this. So, it had to have open, close, and then a bracket. Every time you had one of those it changed some buffer in some way. I don’t know the details. So, you had to put a bunch of those to change the buffer in some way, and then you had to have a bunch of these things to actually write over past the buffer or something. And if you had anything else, it didn’t work. And so, the idea was there’s no way you would ever randomly throw in that input. And it turns out that, also, to make it worse, this function is so huge and complicated that there’s what, two to the 120 different paths through this function, even if you don’t count the loops. And there’s a ton of loops. So, there’s no way you’re ever gonna do that unless you’re reading the source code. So, this is an example of a bug that you can only find statically.

So, the sort of middle ground is this thing called code coverage. It’s like, what lines
have you hit in code? What branches have you taken? And so, this is a way to measure your progress. Which is something you can do dynamically which you can’t do statically. Statically, it’s like, yeah, I’ve kinda looked at the code, I don’t know, I could look at it more or less or whatever. But if you measure code coverage you can see it. I’ve tested exactly these lines and at these other lines. So, the idea is you run your fuzzing test suite, and you see which lines you haven’t hit, and then you try to improve your fuzzing test suite to make it better. So, this works really well because the parts that you’re not getting to, that’s the important parts, and to understand how to get your test suite to go there, you have to understand the program, and then you might just find bugs statically as well.

So, a small case study. Let’s see. At one point in my life, someone said, “See if you can find a bug in a WebKit.” And the reason was we were interested in Safari bugs. So, WebKit is like the HTML JavaScript parser inside of Safari and Chrome, I guess maybe, or for a while, I don’t know if it is anymore. So, we were starting to look at WebKit. And it turns out it’s huge, there’s thousands of files. And so, we were gonna like, well, let’s at least focus a little bit on JavaScript. I gotta make a phone call real quick. So, the important thing about this is that if you look at the actual documentation from the WebKit webpage, it tells you if you were a developer for WebKit, you need to pass these tests. So, there’s this test suite that is there.

– [Jon] Hey.

– Hey, where are you, upstairs?

– [Jon] Yeah.

– Hey dude, I need a drink. (audience laughs) All right, all right, bye. All right, sorry about that. So, the point is the developers use a certain test suite, and so, I was like, okay–

– [Jon] I’m so sorry, Charlie.

– Okay.

– I’m so sorry.

– I mean, Jesus, how long do I gotta talk? I’m getting parched here. (sighs)

– [Jon] Jeez.

– Well, at least I know how to get a hold of you. If you wouldn’t have answered the phone, I would’ve walked right out. So, well done. (audience laughs) All right, so I decided to use their suite and see. So, what I did was, I instrumented WebKit, which meant I made little changes to it to where it would record how much code coverage was covered. And then I ran their test suite, and I wanted to see what code is their test suite testing, and what code are they not testing. So, then I put it all in this big database, and then I ran the test suite, and then I wrote this cool GUI program. I was like really into GUIs at the time. (audience laughs) And I blacked out the person who paid me to do it. It was like, some company buddy, but now it’s black box buddy. So, anyway, you could go through, for each test case you could see which lines it hit, and then you could see which files, like how much each file you did, and for each file, what lines you hit, it was really cool. But the main point was, you could look at directory levels and see what directories were they sort of ignoring. And it turned out that if you looked, the main engine had been covered 81% of the time, so 82 really. So, most of the code had been covered quite well. But there was one little directory called PCRE which was a small part of the code, only 70% of the code, but they only covered it by 52%, so much less. So, I was like, okay, let’s look at that code, because they haven’t touched that code as well. So, I wrote a fuzzer for PCRE which stands for Perl Compatible Regular Expressions. And the way I wrote this fuzzer was I looked in the source code and I found all the things that they sort of had case statements for. So, it was things like question marks, braces, whatever. And then I just wrote a fuzzer that just mashed tons of those together and tried it. Also, I should mention for this talk, Jon O said I could talk as long as I wanted, so plan to do that. So, if at some point, you get bored, if you leave, I won’t be too upset, unless I feel like being upset, and then I’ll be upset. So, anyway, I send in these inputs into the program, and it never crashed. The program never crashed, and so I was kinda devastated. It’s like I did all this super PhD level, like I could have 10
PhD’s from Carnegie Mellon kind of research, but what
came out of it was not crashes. So, it was like total academia here. (audience laughs) But, what I did notice,
was while it didn’t crash, I looked in the logs, and there was these interesting lines
that said things like PCRE compilation failed,
internal error, code overflow. I was like, well, I
like the word overflow. (audience laughs) So, I need to figure out what’s going on, if this is like a legit thing that I should care about or not. So, did I win, or did I lose? So, I recompiled the thing
to run under Windows, and I used this tool
called Rational Purify, I don’t know if this
tool even exists anymore. But anyway, it’s similar
to Valgrind for example. Had I done it today, I
would’ve used Valgrind, but back then, I don’t know if Valgrind existed, or if was just
too stupid, or what. Maybe it was ’cause it had a GUI. So, it did have a GUI,
and if you look in here, it says (beeps) writing one byte, that is four bytes past
the end of a malic buffer. So, I won. So, there was a buffer overflow. I corrupted memory in some way. Although, I corrupted memory in a way that was not enough to
make the program crash. But that’s fine, I can go from there. So, then it’s like, okay,
well, is it exploitable? And I’ll get to that in a little bit. This is the teaser so you don’t all leave. (audience laughs) So, you’re not supposed to talk about bugs you find when you’re a consultant, but I’ve been not consulting long enough, I think I can do that. So, someone hired us to look at their little C language
authentication server. And it was so bad, that I actually could still remember what the bugs were. For some reason I didn’t
ever delete the project like, I guess, I was supposed to. (audience laughs) I mean that I got it back from the employer who gave it to
me, and I relooked at it, that’s what I mean. So anyway, here’s a bug I suspect. So, this is the part of the program that you give it the
username to authenticate, and then it’s gonna see
if you’re a valid user. So, it loops through and (mumbles) Does anyone see the bug here? If you find it, I will
hire you at Twitter. Any bugs, anyone, anyone. Jon O, come on, you’re supposed to be a professional computer hacker. (speaking away from mic) Move out into the crowd here. Where’s your computer
security research team? (speaking away from mic) Is that you? No?
– No, no. – Well, this is why you guys pay me. The problem is that you take this string length of the
thing the user gave you which is like your name,
like Charlie or whatever, and then you’re comparing
the thing they gave you, Charlie versus like a real user name, and then the amount of data that you’re comparing it against is however long the person they gave you was. Say my user name is C. And then it’s only gonna
compare one byte of that. So, if there’s any user names that start with C, then it passes. And even worse, if I
give it the user name, like nothing, then it automatically passes because the length is zero. So, this was a bug that’s bad. So, finding a user name,
that’s only so much. You’re still not in the server. You have to pass the password too. So, here’s the password. So, I bet you guys can find this bug. So, there’s some stuff, and then it does this SQL stuff, and can anyone guess what they did? Right, so there’s SQL injection. If you give it the password, like A, blah, blah, blah, blah, blah, then it passes. So, you can pass in a
user name of nothing, and that password, and you’re in as root, because root’s the first user in the list. So, that’s bad. But you’re logged in as root. That’s not the same as
running arbitrary code, right, which is way cooler. So, here’s another bug. And this is all in one file. I was just like, I mentioned to you as a consultant, you get the idea of
when you look at code of when it’s horrible
or when it’s like okay. And this was horrible code. So, here is, if for some
reason you failed to log in, which I can’t imagine how
you could possibly fail, (audience laughs) it logs it, right? So, does anyone see the bug here? (speaking away from mic) What’s that? – [Woman] There was a
cough, a well-timed cough. – Oh, okay. Anyone, anyone. – [Audience Member] Overflow. – No, no overflow. – [Audience Member] Underflow. – No underflow.
(audience laughs) But keep going. – [Audience Members] Format string? – Yes. So, it turns out that if
there’s a format string bug that you follow the logic here. If you pass in that your
username is like %n, it’ll crash the system. But I like to make fun of vendors, and I like to say how
it’s so fun to find bugs, and like I’m so awesome. Especially if you read my Twitter stream, you’ll really think I think I’m awesome, and I think I’m pretty good. But I’m not perfect. So, here is a bug, I worked for a consulting company which I won’t name, and I was hired by a
company which I won’t name. But if you put two and two together, you’ll probably figure
out who that company was. And I was hired amongst some other guys, one of which claimed on Twitter he was watching us livestream. What’s up? So, we were supposed to
look for all these bugs, and this bug slipped through the cracks. So, this bug was like, I
don’t remember exactly, it was like a system call or something, and you could just like, boop, write to arbitrary kernel memory. And I saw it, this is the
thing that’s bad, I saw this. I was like, you know, it looks kinda like you could just write
anything you wanted anywhere. I was like, nah, they
wouldn’t do that, right? (audience laughs) And so, I tried for like a little bit to try to see if it was true or not, and I couldn’t figure it out. I was like, ah, I’m sure it’s fine. I quit that company, and it was it was like my second week at Twitter, and I see this article in
the newspaper or whatever. I was like, oh, I feel so bad. Anyway, the point is
that even I miss bugs. So, it’s hard to find bugs,
and you shouldn’t feel bad. But everyone misses bugs, even ones that are like one click instaroots. Like, oops, sorry. Like, thanks for the 500K. (audience laughs) All right, so anyway, that
was some consulting fun. I highly encourage young
people to become consultants ’cause it exposes you to lots of different code bases and tools and stuff. But once you’ve been that
for a while, it’s horrible. (audience laughs) Your job is like, every month you’re hired by a new company who thinks they’re getting ripped off, and you have to prove to them that you’re not. So, it’s awful. Anyway, I’m not a consultant anymore. So, black-box exploitation of the iPhone. So, they had a trivia session tonight. That was one of the questions, who was the very first person to ever write an iPhone exploit? – [Jon] Charlie Miller. – Yes, yes. So, I gave that same trivia question at DEF CON Kids once. I was giving out books,
or phones, or something, I don’t know.
– Did they say Collin Mulliner? – No, they didn’t say that. – [Jon] Oh. – I’m okay with that. But anyway, I asked that question, I was like, “Does anyone know who the “first one to write an
iPhone exploit was?” And no one raised their hand. I was like, “I’ll give you a hint, “he’s in this room right now.” It was like me and Moxie or something. And they’re like, I was like, anyway. Eventually, some kid figured
it out and they won something. So, anyway, the point is, in a world where there is no jailbreak, can you write an exploit for a phone that you have no way to get a terminal on? You have no debugging on it, nothing. Can you write an exploit? And this is how I did it. So, now it’s easy. Any old joker like geohot or one of these comics,
they can write exploits. Yeah, it’s easy if you can jailbreak it, but try doing it without jailbreaking. Everyone will hate me now. That’s why I did that. I hate when people like me. Anyway, so this thing earlier about the regular expressions, we found that a long time ago for Safari, but we couldn’t figure out
how to exploit it because, as Jon O pointed out,
I’m really old, dude, and at the time, the Alex Sotirov heap feng shui
had not been invented yet. And so, I was like, “Dude,
I don’t know what to do.” But when the iPhone came out, it turned out the same
bug crashed the iPhone, and the iPhone didn’t have
the same memory protections, so you could actually exploit it. So, the key regular expression was you had to have brace, brace,
star, star, brace, brace. If you had that, then it
would do something bad. It would overwrite a buffer
by one byte or something. So what we did was, we had this iPhone, it was this physical device
you could hold in your hand, but you couldn’t do anything with it. You couldn’t SSH to it,
you couldn’t GDB it, or anything like that,
it was just this thing. The only thing you could do is you could plug it into your computer,
and iTunes or Xcode or something, you could
download crash reports. And so, if you download a crash report, it says some information about the registers at the time of the crash. Which of course, it’s not
gonna crash very often, but if you fuzz it, it
crashes all the time. So, what we did is we made tons of different regular
expressions containing this, and just sent them at the phone and download the crash files,
and sorted through them until we would see something good. This is not the ideal way to
run an exploit, by the way. But eventually, we found
one that was pretty good. So, here’s a crash report
from the iPhone one which was made before
most of you were born. (audience laughs) So, these are the registers, and so the point here is if you know ARM assembly, which I’m
assuming you all do. This is a write to
here, and then a write to here. And these things, you know, I don’t know, maybe I control those things, they’re sorta regular looking,
maybe not, I don’t know. It seems like there’s a chance. And if you’re a super hardcore hacker like Jon O, or myself. Do you recognize what
this looks like, Jon O? I’ll give you a hint. I say it right here on this bullet point if you just wanna read it. – [Jon] Looks like it might be
the unlinking of linked list. – That’s absolutely right. – [Jon] I never passed that
programming interview question. – Yeah. The problem when I go to interview places is they don’t ask this
programming question. Otherwise, I would pass
with flying colors. They asked me to write
implementation of a linked list. I was like, “Well, I’ll
tell you what happens “if you corrupt a linked list.” Anyway, so the point is, this is the unlinking of a linked list
which happens in heaps when you’re freeing a buffer. And back in the old days, this is the way that you got control of programs before anyone had invented heap feng shui. So, this was good. It looked like it was the
unlinking of a linked list, which I probably corrupted heap metadata. The question was how controlled
were those two values? Could I really make
those any value I wanted? And this is what computer
security research is all about, if you’re ever curious. It’s like you find a
bug, and then you spend all your time doing something completely unrelated to what you’re trying to do. And so, it took like a week to figure out how to write a regular expression that you could actually use these things called character classes. All the time I’m doing this work that has nothing to do
with my ultimate goal, and this is what it’s all about. So, a week later I learn how
to write character classes, and then I could control
it whenever I wanted. So, I could put whatever
I wanted in this register. I basically could write
anywhere in memory. Okay? And this is what the regular expression looks like at this point. So, if you took your old iPhone one, which I have one at my house, and you went to this HTML page, you would be able to
write anything anywhere. But, still, if I gave you an iPhone, and I could say you can
write anything anywhere, but you can’t debug it,
it’s still kinda tough to make it do something useful. So, what we wanted to do is
then figure out what to do. What we started to is like, well, I don’t know where to
write, I have no idea. We had never seen what the memory of this device looks like. No one ever has. So we’re like, well, we do
know where the stack is. Right? ‘Cause it gives it to you. And so we’ll just start overwriting different values of stack, and we’ll just try all of them and see what happens. And so, we started doing that. We tried different SP
stack pointer values, we tried different values to overwrite, and eventually we got something like this. So, what you’ll see is,
here’s a stack pointer, and here’s the program counter. This is where it’s actually executing, and they’re like really
close to each other. So, I’m executing code on the stack, which on the iPhone one you could do, which is not ideal situation, by the way. So then it was like,
okay, so, I have control of the program even
though I don’t even know what the hell’s going
on inside the program. Now what do I do? It’s like, okay, no one has ever seen the file system for the iPhone. So, what am I gonna do? So, you can start to do things like just try to grab random things, you get directory listings or whatever. So, we eventually found
the file that we wanted, and then we just wrote shell
code for a Mac OS X computer, so like a desktop that
did what we wanted in C, then we compiled it with a cross compiler, and then we made it work. And so, the first thing we did is we reverse engineered a bunch of stuff, and we figured out how
to call it, and we did. So, here is PlaySystemSound. So, this turns out this
is the little noise it makes when you get a text message, like (buzzes) you know. So, I guess that’s actually the vibration. But anyway, you get the idea. I can imitate many sounds on an iPhone. So, you just find the address and you call it, and that’s it. So, that was the very first exploitation of an iPhone. I will pause if you’d
like to clap for that. (audience applauds)
Thank you very much. I’d like to point out, I
didn’t do this one myself. Jake Honoroff was the guy I worked with, and then this other guy who probably doesn’t want me to say his name. So, there were three of us working. And then like two weeks later they came out with a jailbreak, and I was like, oh, it’s so easy now. (audience laughs) So, another thing I did that is kind of a fun little exploit was, believe it or not, many years ago there was this thing called Second Life that people thought was really cool. It was like World of Warcraft, except there was money involved. Or you could say it
was like, I don’t know, what’s another online thing people use? – [Jon] It’s like World
of Warcraft for Business. – Yeah. (laughs) – [Jon] Can hold your meetings and stuff. – Right. (laughs) Yeah. As long as you don’t mind flying penises in your meeting, it’s like totally legit. (audience laughs) (speaking away from mic) Yeah, I know. So, anyway, there was this
thing called Second Life, and the reason I was interested in it is, A: it was a game, and I was kinda like, I wonder if you can totally
hack games, you know. And the other thing I was interested in, there was a legitimate way that you could take US dollars and turn
them into Linden Dollars, and back and forth, right. So, I was like, well, if you hack someone in Second Life, you can
steal their Linden Dollars
dollars, and get rich. So, it sounds like
something sort of appealing. – [Jon] That assumes people in
Second Life had actual funds. – Right, well, at the time they did. Believe it or not, people
actually had money. Real companies were in Second Life. It was unbelievable. And then they weren’t, I don’t know. It might still exist, I don’t know. But this is like 2008 or something. This was a long time ago. So, the idea is it’s this world, it’s like, oh, here we go,
it’s like Minecraft with money. Oh, nailed it. That’s exactly what it was. It was Minecraft with money. Minecraft, but you could buy stuff. And there were like
corporations in it and stuff. It was crazy. So anyway, imagine Minecraft with money. So, I was like, okay, I’m gonna hack it. And you’re like, okay, well everyone has this sort of thing on their desktops, and they’re talking to the
server and that sort of thing. So, what can you do? Well, there’s lots of different ways you could give data to the world. You could make objects. You could talk to each other and chat. You could actually make
it spawn the browser, but that’s super boring, even though I can totally exploit a browser. Because then I’m exploiting a browser, and I’m not exploiting the game. So, I’ll be able to steal their cookies, but I won’t be able to
steal their Linden Dollars, and I want their Linden Dollars, ’cause those are super valuable. So anyway, the problem is that the only way that I’m talking
to the other clients is, I don’t talk to the
other clients directly, I talk to the server, and the server sends my message to the other client. It looks like this. So, here’s me, and then
here’s like Duo engineers. and then here’s the Second Life servers. They all play Second Life, I’m sure, or Minecraft at least. So, if I’m like, “Hey guys,” I say, “Say ‘hi,'” so I don’t send that directly to them, I
send it to the servers. And then the server’s like,
“Yo, Attacker says ‘hi,'” and they’re like, “Oh my God, I can’t “believe Attacker said hi.” So, the problem with this is that I don’t have direct control
over the data they get. They’re getting sort of the sanitized version from the server. The other thing is if I do find a bug in the way that they read my message, probably the Second Life
servers have the same bug, so instead of crashing my buddies, I’m gonna crash Second Life,
which is not what I wanna do. And even if I do do it, Second Life’s gonna see all these
messages going through them, and they’ll log it for one thing. At some point they can
filter it and stop my attack, and I don’t want them
to be able to stop it. But there’s one time when there’s like an exception to the rule. And that’s when it comes to multimedia, so like, movies and stuff. So, in that case what happens is I’m like, “Hey, yo, Second Life server. “There’s this object I made, “and there’s this video
that goes with it.” And so then when that happens, when victim Duo engineer, Jon, or how ’bout Bob walks
and sees this object, the Second Life server’s like, “Hey, yeah, “the media, you can go get at this URL.” They’re like, “Okay.” The server’s like, “Okay, I’ll go get it,” and the URL actually points to me. So now, this is one case where they’re connecting directly to me instead of the Second Life servers. And so the good thing about this is that I control the media, I
control when I deliver it, and I control if I deliver it. So, if I find a bug, Second
Life servers can’t stop me. Also, I don’t have to exploit everyone. I can just exploit the
people I care about. So, this is like a perfect scenario. So, this is work I did with Dino Dai Zovi who was mentioned in the earlier talk, or the earlier introduction. It was so long it was like a talk. So, there’s two ways you can
get media into Second Life. One is through QuickTime player API, and one is through sound, which they use this thing called fmod to do it. It turned out there was a QuickTime exploit available at the time, so we built on top of that. It was a known bug and a known exploit that hadn’t been patched yet. So, we just built on top of that. And so while you would think QuickTime was super safe and that
they would compile it with all the right compiler
flags, they didn’t. And so, even though it
was a stack overflow, we were able to exploit it. And you can check out
the details in my talk. I don’t think I have a slide on this. I could’ve actually prepared
for the talk I guess. But instead I’ll just wing it. So, we gave this talk,
Dino and I at ShmooCon and we told the Second Life
people we’re gonna do it, and back then I wasn’t very smart and I thought you should do live demos. People who do videotaped demos, they’re totally bogus, right? I don’t do that anymore ’cause that’s stupid. But at the time we were giving live demo. So, it was time to give the demo. We log on to Second Life, like literally live on the screen in front of everyone, and I go to the part in the world where there’s the exploit,
and there’s this dude there, and he’s got this like
sign, like a picket sign, like if you were protesting. And it says, “Hi, ShmooCon,” or something. And it’s one of the Second Life workers who found out I was giving the talk and is there live protesting the exploit. I don’t know, it was crazy. I wish I had a video of that. I was like, “Huh, okay, run the exploit.” (audience laughs) So anyway, this is another example of, like being a security researcher is like, writing the exploit was technical, but that’s what we do. We did it, it took a couple days, done. But trying to get an
actual multimedia thing associated with an object
in Second Life took forever. It was like a week and a half of me trying to run their stupid GUI, right? So, here’s me. My character’s name was Sussy McBride. I don’t know why. I think I meant Suzy, but I misspelled it. (audience laughs) So, here’s me creating an object. And so, you have to figure
out how to create an object, and make it to where people walk up to it. As soon as the Second Life person sees the object, they’ll be exploited. There was a time when I was worried that I would exploit
random Second Life people, and I felt bad about that. And so, I built this
like super secret lab. In Second Life, I built this building, and I would only have the
object in the building so that no one could see it. And there were no windows in the building, and no one was allowed on
my property, or whatever. So I was like I’m being very responsible, this is very secure. And then later on I found out, oh, it turns out you don’t have to actually see the thing. If it’s just in your area
of, I don’t know, being, you get exploited. So eventually, you could
just put it underground, and if someone walked
by, they’d be exploited. I was like, oh well. I spent like two days building
this super secret lab, it didn’t do anything,
but it was kinda fun. So, you have to figure out how this Linden scripting language works and how to make it where there’s this multimedia thing is attached to it. And this is what you basically have to do. So, this took me like
two weeks to figure out. ‘Cause there’s no documentation. So, here’s what it looks like here. You say replace this with this URL and this is the text to do it, and blah, blah, blah, blah, and then if you wanna
write the actual exploit, the thing is you have
to survive execution. So, you’ve corrupted the stack, but you have to keep the program going, ’cause you don’t want it to crash. That’s not fun, you want it to keep going. And you’ve overwritten this structured exception
handler, it’s really hard. But anyway, you can check out the talk if you want more details on that. – [Woman] I found the photo, by the way. – Of the dude protesting? Oh, I wish you could show it. – [Woman] Well, I tweeted it but– – Okay. AV guy, can you get on this Twitter thing and make it show up? – [AV Guy] Maybe by the end. – Maybe by the end, okay. I’ll give you five minutes. It’s just like I’m Captain Kirk and you’re like Sulu or
whoever the engineer dude was. Anyway. – [AV Guy] Would that be Geordi? – No, it would not be
Geordi just so you know. (audience laughs) – Anyway, so the point is we figured out how to continue execution
even though it was hard, and we’re like super leet hackers, and I kept going, blah, blah, blah. We finished it, it worked, it was awesome. This is the object, right. So, if you ever saw this object
in Second Life, I owned you. So, then it was like, okay,
what are we gonna make it do? Well, your credit card’s associated with it, with your accounts. We can actually make you
take your credit card, buy a ton of Linden
Dollars and steal them, but we didn’t do that. But what we can do is we can figure out how many Linden Dollars you have, we can steal all your Linden Dollars, and then we can make
you physically do stuff. Another thing I was really interested in is like, I was sick of making calculator pop up on a computer. I wanted to like do something real. I wanted to like control your person, make them punch themselves
in the face, or whatever. All the things that the bullies
made me do in fifth grade I wanted to do to other people. And the only way I can do it with my 130 pounds is in a computer. All right, so here is the video of it. So, this is me, the
attacker, here is the victim, Sussy, here is the object. So, when she gets close
enough to where it goes off, she will pause momentarily
as I take control of her, and then she will give me all her money, which happens to be 12 Linden dollars, and then she will shout. In a second here, it will shout, oh, there we go, “I got hacked!” So anyway, I have complete control over Sussy McBride at this point. It’s pretty awesome. And all the newspapers were like, “This is really awesome. “He can steal 12 of your Linden Dollars, “but only 12, so it’s okay, don’t worry.” (audience laughs) I was like, I think you kinda missed the point, but okay, cool. So, that’s one story we’re
done with, Second Life. Off to the next one. (audience applauds)
Oh, thank you, Jon O. Hey, while you’re sitting there, uh. – [Jon] I got you. – Okay, okay. I didn’t wanna call you when
you’re sitting there, but. So, the next thing I wanna talk about is the time I exploited SMS on iPhone. And one of the things
I like about this story is that, you know, I talk
to people like researchers, like, “Hey, what are you workin’ on?” And I’ll be like, “Oh, I’m gonna try to “exploit SMSs on iPhone,” and
like, “Dude, you’re stupid. “That’s never gonna work.” And the reason they thought this was it’s like, “It’s only 140 characters, “it’s just ASCII, like
they can’t screw that up.” Right? (audience laughs) And I was like, “I don’t know. “I’ve worked with Apple a long time. “They screw stuff up.” Anyway, the point is no one
thought that this was possible because it’s such a simple thing. It’s not like parsing a PDF where it’s very complicated. Or parsing an HTML page
with JavaScript in it, and with images, and
like, it’s hard, right? SMS, if we can’t do that right, we failed as an industry, right? So anyway, so I looked at this with a guy named Collin Mulliner,
who Jon O mentioned earlier as someone who, apparently he thinks children might mistake me for and my work. But anyway, the idea was we wanted to fuzz SMS and see what happened. And we fuzzed iPhones, Windows
phones, and Android phones, and we wanted to see what happened. And the reason that we were interested in SMS is everyone has SMS, you can’t stop SMS from
showing up at your phone. I mean, the lame things
about browser exploits is like, oh, I gotta make
someone click on a link. So, lame. But SMS, I just gotta
know your phone number, I’ll send it to you. And the other thing that
was like really great is like eventually you’ll see that I found a bug and wrote the exploit. But when I gave the
talk, people were like, “Hey, Charlie, yeah, I saw your talk “and I turned off my phone, ha ha ha ha.” I was like, “Oh, yeah,
you’re super clever. “Do you know how text messages work? “I sent it, and you don’t
have to have your phone on. “It’ll just sit at the carrier, and as soon
on, it’ll deliver for me. “But, cool, I’m glad you turned it off.” But anyway. Sorry if anyone said that
to me who’s in the audience. The point is it’s like
a great attack vector. There’s no way to filter it off without turning your
phone off to phone calls. It’s the same functionality. So, to get in a little
bit of technical details. SMSs come to your phone as an AT command. It looks like this. So, if you could see inside your phone, this is what a text message looks like when it shows up at your phone. Some AT command and then a bunch of data. And this is one, some
data that I’d broken out. And so interestingly as you’d think text messages are only
text, but they’re not. So, there’s a little bit of binary stuff, and that little bit is what got ’em. So, you can break out
this thing called a PDU, and it has things like lengths, addresses, some other stuff which I
don’t remember, but data. And so, that last thing I
showed was a simple one. But there’s other ones you can send that have more data in it. So, this is the most simple example. So, I don’t remember, this
is user defined header or something, I don’t know. Collin, if he’s watching the livestream, is probably making fun of me right now. Anyway, so the point is there’s a length, a type, no, this is a, I
don’t know what this thing is, this is a type, a length,
and then data of that length. Right? And so, for the different types, there’s different things that can happen. The type that’s sort of
the most easy to understand is type zero, which is
concatenated messages. So, have you ever sent a message to someone, like a text message, that was more than 140 characters? A lot of times you can
just keep on typing, right, unlike Twitter where it stops you. If you can just keep typing and it’s like, two of blah, blah, blah,
at least on my phone, and you send it, and the way that works underneath is it sends you one of these messages and it has a special data. It says things like, the zero means this is a concatenated message, and this says there’s three bytes of data. This is number zero, it’s an identifier. This says expect this is
gonna take three messages, and this is the first one. So, you get data like that. That’s what’s going across
the phones and stuff. So, if you reverse engineer the iPhone, you’ll see that it supports zero, which is concatenated messages, and then a few others. So, we were like, okay, let’s just fuzz the crap out of this, so we did. And we started to get crashes. And the first thing that
crashed was SpringBoard, which is sort of the GUI for iPhone, ’cause it was trying to display something. And it crashed, but it was like, if you’ve crashed stuff before, you’ll recognize that this looks like a
null pointer dereference. Not very interesting. We kept crashing, then we
eventually found this crash, which is in CommCenter which is the process that handles text
messages on an iPhone. At least it was, who knows. You can see this was a long time ago, iPhone OS 2, a long time ago. But anyway, the thing that
was interesting back then is they did have sandboxing and stuff, but this particular process, CommCenter, ran as root with no sandbox, which is another reason
it was interesting. And after I gave this research, it no longer ran as root or
without being in a sandbox. So, this is the kind of benefits that I’ve given all of you iPhone users. You’re welcome. (audience laughs) So, if you start reverse
engineering this thing, you’ll see this thing which
I call read next byte, it’s called all over the place. But the thing that’s
interesting about this function is it returns the next byte, shocking. But if there is no next byte, it returns minus one to indicate like, “Yo, there is no next byte.” But if you look back at this code, it never actually checks whether it returns minus one or whether it didn’t. So, what happens if you don’t send in enough data, you can start making negative ones show up all over the place. And so, you can make it think that the message you sent is negative one, or the total number of
messages is negative one, or whatever you want. And so, it turns out that you can do some sort of crazy stuff with this. And the thing that I did was, there’s this array of pointer strings and it references an index into that based on which message number this is. And it checks to make sure
it’s greater than zero. But if you send a negative one, it totally beats the
check, and it does stuff. – [Jon] Don’t be nervous. – I’m a little nervous about this. What is this? – [Jon] Sunny D. – Sunny D? – [Jon] Like we used to
drink when we were kids. (audience laughs)
With vodka. – It doesn’t taste like when we were kids. (audience laughs) I don’t know what that is. It must be a Michigan thing. – [Jon] Yeah, is it ever. – So anyway, I gave this Black Hat talk where I spend 30 minutes talking about how to set up the heap and all this stuff. But eventually, the cool thing is you eventually can take complete control. And I’m sorry to any women in the audience that my favorite hex string is babecafe, but it rounded it up for
me, so it’s babecafc. (audience laughs) Sorry, don’t blame me. Anyway. So, that was cool, so the point was I could send you a text message
and get root on your phone, which was kinda awesome. So, here’s another story about this, since I just do whatever I
want since I’m the speaker. So, of course, being
the responsible person of the internet I am, I reported this bug as soon as we found it to Apple. And I was like, “Dude, I don’t think “you can exploit it, but here’s a bug. “It’ll return minus one when you’re “not expecting it, it’ll crash.” Like, “Okay, thanks, Charlie.” And then I went to this
conference called SyScan, and Dave Aitel was there, and he’s like, “Charlie, you gotta
make that exploit work.” I was like, “Fine.” So, I spent like two months
making the exploit work. I finally got it to work. And then like a week before Black Hat, I was gonna present this work. Maybe it was actually at Black Hat, one of the Apple guys came up, he’s like, “Oh, man, so you’re
talking about that SMS bug.” I said, “Yeah.” He’s like, “That’s too bad
you never got that to work.” I was like, “Oh, actually I did.” They had never fixed it, and
they were like, “Oh, shit!” And so, the next day it was patched. So, anyway, they were really surprised. I was like, “Oh, nah, I got that to work. “You should’a tried.” So, anyway. So, I would have to send
you 519 text messages to set things up exactly, and then I would send you
the one to totally wham you. It was great. And if it didn’t work for some reason, you could just keep trying,
because what are you gonna do? You’re powerless. I can send you text messages. You can’t stop me from
sending you text messages. (audience laughs) So, the next bug, I think this
is the last bug of the talk, so we’re in the final stretch here. So, this is a bug in the code signing mechanisms of iOS, and code signing is really important in iOS because it’s what stops you from being able to download apps except from the App Store, and it stops you from,
the apps you download, from downloading new stuff, or a new code, or updating themselves,
or anything like that. So, any bug in their code signing sort of changes the whole
way that the iPhone works. So, I found this bug. So, here’s the code from the bug. When you map memory, they’re looking see if you have this special flag which lets you do crazy stuff you’re
not supposed to do, if you have that flag and this then don’t let that happen. Or if you have this flag,
don’t let that happen. Or if you have this flag,
don’t let that happen. It turns out there’s only one more flag that hasn’t happened since then. And the only other flag that they haven’t mentioned is this one, MAP_ANON. And so, if you haven’t got any of those, then you must have MAP_ANON, and if you have MAP_ANON,
then they do this check, and they make sure that you’re
not doing anything funny. So, if you could figure out a way to get by this and not go into this, then you would win. You would be able to
do unsigned code stuff which you’re not supposed to do. So, I looked at this code in binaries. This is interesting. People tell me all the time, “Well, it’s harder to find bugs “in source code than binary.” I was like, “Well, I don’t
know, it’s the same to me.” So, I found this bug in binary, and I wouldn’t have
found it in source code. So, does anyone see the bug. Of course not, it’s impossible,
you can’t find the bug. Oops, this is just what I told you. It only checks the entitlement, which is the thing that it checks to make sure you can do the bad stuff if that MAP_ANON set. So, this is they key, is
they have the pound define. And in the source code, I
would’ve never found this bug, but in the binary, it
was like totally obvious it wasn’t checking something. And so, does anyone now see the bug? Security researchers of Duo, you have a whole team devoted to this. Does your team read C code? (murmurs from audience) Right, so the problem
is if you set MAP_FILE let’s see if it passes this check. Well, it doesn’t do
that, it doesn’t do that. Now, what about this one,
where it’s checking it? Well, MAP_FILE is zero,
so zero and zero is zero, which is zero, and that’s false. So, it turns out that they screwed up that they couldn’t made this any other value but zero and it
would’a worked great. But they didn’t, they made it zero. And then, therefore, if you sent in something with MAP_FILE, it would pass this check, and then
it wouldn’t go into here, and then you’re golden. So, if you wanted to allocate a region where you could write and execute code, which you should never be
able to do on an iPhone, all you had to do was
send in that MAP_ANON, and I think that’s what it was, whatever. I’ve had too much, so far. You could bypass all their checks. And this would work on any
app, except mobile Safari, ’cause there was some check where you could only do the bad thing once, and they already did the bad thing once, but no one else could, so they didn’t. So, here’s the way you do it. If you allocate memory with MAP_JIT which is the thing that
gives you magical powers, and MAP_FILE, which lets you
bypass all the checks, you win. You can write code and
you can execute code. So, this means that you could have an app that downloads new codes anytime it wants which it should not be able to do. Apple does not get to check this code. You can have exploits. Exploits are hard on iPhone because you can’t ever download tools, you can’t write shell code
that works, nothing works. But now it does work all of the sudden. And so, basically, it turns out that any code signing is like
super serious against iPhone. Being the responsible
researcher that I am, I reported this to apple immediately. But I was kind of a jerk about it, I have to admit. I thought I was really clever at the time, (audience laughs) but now that I work for a company that receives bug reports, I
realize what a big jerk I was. (audience laughs) So, instead of telling
them what the bug was, I said I don’t think this
does what you think it does, and I gave them the line source. I thought it would be sort of fun, like it’s a puzzle, they’d
have to figure it out. (audience laughs) To their credit, they never wrote back and said, “What are you talking about?” They figured out what I
meant, so that was good. They figured out what I meant. So, like I said, the bug was that you could have apps download
new apps, essentially. But the apps have to go
through the App Store process, and I was afraid, you
know, I’m from Missouri, that’s the show me state, I was afraid that they would say like, “Oh, sure.” I worked with Apple, I
know what they would do. They would be like, “Yeah, sure, but we “would catch any app that did this.” So, I was like, “Okay, well to show you “before you tell me that
you would catch this, “I’m just gonna do it. So, before I sent this email, I submitted an app to the App Store
that did exactly this. – [Jon] What app? – You’ll see. You’re name is even mentioned. I give credit where credit is due. I’m fair to share. Malicious App Store Apps
could download unsigned code. It would be like super
easy and awesome, right. So, I wrote an app that did that. It downloaded unsigned code and ran it. It could do anything it wanted. But, because I’m, again, I wanna emphasize what a good internet citizen I am, that it only did that if I wanted it to, which was never, except for me and Valsec. So, we’re the only ones who
were ever exploited by this bug. So, I don’t know how to write apps. I’m a computer security researcher. Yeah, I work for a company
that makes an app, essentially, for their entire livelihood. But still, I don’t know
how to really write apps. So, I contacted the one guy I know who knows how to write
code, which is Jon O, and I said, Jon O, I need an app, any app. I don’t care what it is. I’m just gonna put this secret sauce in it and it’s gonna be able to
do something really evil. – [Jon] So, backstory, I don’t know how to write apps either. (audience laughs) The only apps I’ve written
have been malicious apps. (audience laughs) – Which is exactly what I’m trying to do. – [Jon] So, I contacted my friend I went to school with,
Pavel, who had done– – Pavel Malik, right here. – [Jon] And he provided the
delivery mechanism, if you will. – Right, so, I summited
two apps to the App Store, which both contained the secret thing that would download unsigned code and run it, which should not be possible. It would call out to
my server, if the code was there, it would
download it and run it, if it wasn’t there, it would
just do it’s regular thing. And that’s what happened
to the normal person. So, this is the first app. The first app I tried to submit was called The Daily Hoff. Actually, initially it
was just called The Hoff. – [Jon] It originally did
get into the App Store. When Pavel first wrote this app, it was accepted, and it was a big hit, and he made a decent
amount of money off of it. (audience laughs) – So, you don’t really
get what it does without, but if you look at his crotch region, there’s another picture of the Hoff, and what happened is, if you zoomed, you would zoom into that, and it was like an infinite zoom into his crotch. (audience laughs) So, I submitted this app, but unfortunately, it was rejected. (audience laughs) But it was not rejected because it downloaded unsigned code and ran it. It was rejected because it said
that, oh, here’s the thing. “The features or content of your app “were not useful or entertaining enough, “or your app did not appear
to a broad enough audience.” I guess they thought it just appealed to Germany, apparently. (audience laughs) Anyway. I know, so that’s why I, eventually, named it The Daily Hoff,
because I was like, yes, it seems very simple. It’s just you infinitely
going into his crotch, but the thing you can’t see is every day, there’s a new picture of the Hoff. And they still didn’t go for it. So, anyway, no one will know
how awesome this app is. It’s still on a couple of my phones. I think it’s on my wife’s phone. It’s pretty sweet. So, this app did not get in, but this app did, called Instastock. So, this was like a stock
market tracking app. I submitted it, it got rejected. And I was like, “Oh no,
I’m totally busted.” And it’s like, “We found that your app “does not use one or more nonpublic APIs.” That sounds kinda scary. It’s like, “We found the
following nonpublic API “addTextFieldWithValue Label.” It’s like, oh, I can fix
that, that’s no problem. So, then I did submit it again. It got in the App Store. It was in there for a couple months. Anyone could download it, and it would, if I wanted it to, make
them run unsigned code. And so, after I submitted this, I told Apple about it, they knew about it, they’d known about it for months. And then I was talking to a reporter, and I was like, “Yo, you
should check out the app. “Like, it’s totally cool. “Just download it, it’s fun.” And so, I was out jogging or something, and I came home, and my wife’s like, “Charlie, Apple just called.” (audience laughs) I was like, “What, Apple doesn’t call me. “I don’t know anyone there hardly.” So, she’s like, “I don’t know,
you need to call them back.” So, i was like, “Okay.” So, I call them back, and they had apparently seen the article. It had come out, I didn’t know it. And the article showed a
video of the app acting. So, I called, and it was some developer services team or something. They’re like, “Yes, we’re gonna have to “remove your app from the App Store.” I was like, “Okay.” They’re like, “Don’t you wanna know why?” I was like, “I think I know.” (audience laughs) And so the lady was kinda confused. And so then I was like,
“Okay, talk to you later.” So, they removed the
app from the App Store, and they banned me for a
year from the App Store. So, after a year, I wrote them an email. I was like, “Yo, a year’s up, I’m ready, “I’m ready to come back.” They never wrote me back. So, I guess it was, in all
essence, a lifetime ban. But anyway, so I stopped doing Apple, and I started doing car stuff after this. So, here’s what the app
looked like when it was there. It was like a super awesome
app that worked great. Any customer ratings? No. It was rated four plus. Way to go Charlie Miller,
super app developer. (audience laughs) So, that’s it, that’s
all the stories I have. I guess the conclusions are
bugs are hard, I found some, Apple will crush you if
you try to work with them, follow me on Twitter, I need users. That’s it, thanks. (audience applauds) Do you have some final words? – [Jon] Any questions for Charlie? – [Audience Member] What
happened with the Apple WebKit? You said you were gonna tell us about it? – Oh, I did, you just
didn’t pay attention. So, the first iPhone exploit
was the Apple WebKit thing. That same bug that we found is the very first exploit for iPhone. Oh, look, here we go. Are we gonna have the picture? Here’s the dude protesting right here. (audience laughs) Here’s Sussy McBride, and here’s the sign, if you look closely, it says, “Warning, exploitation in progress.” (audience laughs) So, don’t go near there. That was it. So, yeah, it was kind of
shocking when we went live, and there was this little dude there. I don’t know how you even make a little guy like that, but he was there. Other questions. – [Audience Member] Did
you play Second life with Something Awful? – Did I play Second Life? – [Audience Member] Or
did you actually play it, or did you just– – I mean, not really. If I was a player of Second Life, it would’ve been super
easy to do this stuff. But the problem was… – [Audience Member] You mentioned the Something Awful penis things. – Oh, that’s just ’cause
if you do some research in Second Life, there
was some super serious COO type, and she went for an interview with Time Magazine in Second Life. And some griefer sent
like thousands of penises through the interview. And she got super mad and sued people, like you do in Second Life, and she got mad and sued everyone. That’s all I know. My experience with Second
Life is this area right here which I owned. No one could go in it if
I didn’t want them to. I built the little cube. I built the super research lab, which I guess I destroyed because it didn’t actually do anything. And that’s my experience with Second Life. And I put some Linden Dollar in so I could steal Linden Dollars. But that was about it. (speaking away from mic) – [Audience Member] Would you go back to work to the NSA at any point, or are you gonna just stick with Twitter? – I’m not going back to NSA. So, when I was at the NSA, we were told all the time that we
didn’t spy on US people. And in fact, we went to training ever year that talked about how serious it was we didn’t spy on US people, and this was a really big deal. In the government you can’t get fired. This was the one thing they told you could do, you’d get fired. And then I left just for
geographical reasons. And it turns out that in retrospect, I was there five years, the last two years we were totally spying on US people, and they totally duped me. Anyway, I wouldn’t go for more reasons. The other reason is I make
like two or three times as much money not working
for the government. So, I won’t go back to the government unless like I’m just richie rich rich and then I have nothing else to do. But yeah, so, it was fun to work there. I learned tons of stuff. That’s what got me going in this career. I got to do tons of stuff that would be illegal if I did it now. So, that was kinda fun. But I think that was a career builder, not like where I’m planning on going back. – [Audience Member] For the SMS exploit, the data packets or the format of that, was that something you
had public information on, or did you have to reverse (mumbles). – No, it was public. I don’t remember the specs as much. You can watch my talk,
it has all the details. PDUs and UDHs, so that’s like public. There’s formats of that kind of stuff. So, it was just a matte of, I don’t remember what the actual bug was. Oh, so the actual bug was
sending not enough data. There was a link field, and
you would say like five, but you would only send like two bytes, and that would screw it up. That was the actual bug. But yeah, all the, what
the three, or four, or five bytes were, that
was well documented, not by Apple or anything, but you could read RFCs that talked about it. Yep. – [Audience Member] Do
you have any insight into what makes a good bug bounty program? Is it just the size of the bounty, or are there other factors? – One of the things I did a long time ago was try to get bug bounty programs going, so like no more more free bugs thing. Now I work for a company that
has a bug bounty program. So, we try to get people to submit bugs. And certainly, the amount
of money is important. Like the more money you give, the more people are interested. Especially, the best people. So, if you give any amount of money, even if you don’t give any
money, people will submit. So, we had a bug bounty
program for a long time that didn’t have any money,
and tons of people submitted. But as soon as you start to give money, and even lots of money, then you get better people submitting. So, you tend to get more
quality reports that way. So, what can you do? More money’s the easy
thing to do, for sure. But the other thing you
can do is figure out ways to sort of encourage
them in nonmonetary ways. So, give them some sort of point system, or you put their picture
on the webpage or something where they can show their friends, or like potential employers,
and stuff like that. I know ZDI’s done things like fly people out to Vegas. There’s other things you can do, but I mean, if you give them more money, it certainly works for
sure for some people. I don’t have tons of data on that, just from my personal experience. Yeah. – [Audience Member] I was just wondering if you take any security precautions, just general things that you do to keep your identity, anything safe. – Can we turn off the
live stream for a second? (audience laughs) So, there’s this story about the cobbler who’s kids have not shoes. That’s me. So, I don’t do any security
stuff, really, on my own. My computer is there, and it was just like upstairs unattended forever. At my house, I don’t run
any encryption on my WiFi, because to me it seems like
the neighborly thing to do. Right? Like, my computer should
not be more vulnerable because I have an open WiFi. It should send like, when I’m going through my bank,
it should be encrypted. It shouldn’t matter if you’re
on my WiFi network or not. And if my neighbor’s WiFi goes down, they can use mine, that’s cool. And if mine goes down, it’d be nice if I had someone I could use. So, I don’t do really any encryption or any sort of security for my systems because, the stuff I’m doing is sort of cutting edge and crazy, and half the time doesn’t work. And so, one of the things I don’t wanna have to worry about is like, oh, it’s that firewall I installed. No, I just wanna make things
as simple as possible, and make things work easy, and hope that everything’s secure enough as it is. So, that’s why I’m
surprised Jon O mentioned, he’s like, “Oh, I run Linux with JRSC.” I’m like, “Dude, I just buy
my computer, and I use it.” I use Safari, and I use
Apple Mail, and whatever. It’s easy, it works. So, yeah, so my computers are like super, I mean, they’re secure
because I’m not a total idiot. I’m not gonna click on random stuff. I don’t go out of my way to
make my stuff more secure because, generally when
you go out of your way to make stuff more secure it
makes things harder to use, and I got enough problems
in life, and limited time. I gotta make stuff work fast. – [Audience Member] One
of the things that– (audience laughs) – That was a speedy mic. Well done, well done. That was like amazing–
– Instamic. – [Audience Member] Instamic, right there. I watch a lot of Dave Aitel’s talks. Like his talk from (mumbles) 2008, USENIX 2012, and one of the things he talks about in there
is how he feels like there is really this drop off of professionals who are really
finding the hardcore bugs, because nowadays there’s not 12,000 vulnerabilities in Sendmail you can find. Your modern operating systems have a whole bunch of stuff like ASLR and Dep that raises the barrier of entry to get into being able to find these bugs. And I was just wondering if you feel like that’s the case, right, nobody is going to go off on a weekend,
drink a can of Red Bull, and find a heap corruption
in Windows 8.1, right? – No, totally. So, Dave and I disagree
a lot on junk hacking since that’s my career essentially now, and he thinks it’s stupid. But I do agree with him there. A lot of the really great
computer researchers now, are like in their 30s and 40s, right. 10 years ago, the great
computer researchers are 19. And the reason that that’s changed I think is that things are so much
harder now than they were then. And so, the things that were
super easy are hard now. So, when I was doing it, it started easy, and it kinda slowly got harder, and I kinda slowly got
better as it got harder. So, that was not that hard for me. And so, now I can do hard stuff because I got good as it went. But if you just getting into the field it’s really hard to be like, “Oh, crap, “I don’t even know what I’m doing, “and I have to pass ASLR
and Dep, and sandboxing,” it’s so difficult. I have to download some Red Hat image from 1997 to learn how to do exploitation. And so, it’s hard, and I mean, that’s good for us as a society. But it is hard, and there’s not good ways to kinda get into it. So, I totally agree with him, and I don’t know how to change that. I don’t know if I wanna change that. It might be good that a 20 year old can’t break into my computer. That’s sort of a win for us, right? But yeah, you know, it’s totally true. Things are definitely harder now. When I started, you could do a stack of overflow and be done, boop, done. And then it’s like, they add in one thing, and one thing, one thing, one thing, and now it’s like, when
you start you have to learn how to bypass 20 things. Where when I started, you had to bypass one thing, or zero things. And then they added one,
and then I was like, “Well, I don’t know how to do that,” and then someone figured
it out, and then I did. Just like the iPhone thing I talked about. We had this vulnerability for a long time. We didn’t know how to exploit it because no one knew how. And then Alex Sotirov
came off with a way to exploit things, to
arrange heap in such a way that you could exploit it. And that stuff doesn’t happen anymore. So, no one really finds
ways to exploit things anymore because it’s just too hard. It’s a dying field. I don’t know. It’s sad. – [Audience Member] Just a
follow up question on that. So, what do you think about
the state of tools nowadays? I remember I watched a talk from Halvar at some conference in Europe in 2012, and he was showing off
some tool that he had, that was like, oh, here you can visualize the heap in real time as we’re doing allocations and stuff like that. And one of the things that he lamented was that he thought
that the state of tools, just the tools that people are using to be able to either find
bugs or exploit them, it just wasn’t as good as
he felt that it could be. And I was just wondering if
you kind of agree, disagree? Do you think GDB is good enough, that’s all I need? – My compute doesn’t
even have GDB anymore, and it makes me said. My computer has LLDB which is like awful, because I don’t know how to use it. So, tools are a huge part. If you have the right
tools, things become easy, and we don’t usually have the right tools. And people who write tools,
tend to not share their tools. Like that black box buddy tool. I never shared that. Not because I’m a jerk, but just because I just never did, you know. In most things, Halvar’s right. I don’t know. The other thing is visualizing the heap is not really enough to keep up with with heap mitigations. I don’t know. So, something I mentioned to Neil, who’s from Chrysler earlier, is that we had two vehicles we wanted to try to like do security analysis of, and the first step was like, well, we need to get tools on both of them, to see how they work
and what they’re doing, and what programs they use, and extract firmware, and stuff like that. On the one, we were able to actually get access to it to where
we could do that stuff, and so we could actually do work, and the other one we couldn’t. And it wasn’t because we were stupid, it was just that they had
never issued an update, and so we couldn’t see how updates work. And it was like, well,
with the right tooling we could do work, and without tooling we couldn’t do work. I mean, that’s not a reason
not to have tooling available. It’s just like you need
the right tools to do work. And half the job is
having the right tools. And if you can have the right tools, things are easy, and if you
don’t, then things are hard. I don’t know. I don’t know if that answers
your question, sorry. (audience laughs) Just rambling. – [Audience Member] Did you ever get unbanned from the Play Store? – No. So, here’s a funny story
about the Play Store. So, I’ve never in my entire life updated an app to the Play Store, never. So, you would think it would be impossible to get banned
from the Play Store, having never actually
developed a Play Store app. Because what we would do when Jon O and I were trying to do
research about how Google looks at apps you update is, you could upload an app and not actually publish it to the Play Store, and when you uploaded
it, they would actually do their analysis, and
that’s what we cared about is what analysis are they doing. And so, I would just upload it, see what analysis they were doing, and then write conclusions about it. I never in my life published
an app to the Play Store, yet I got banned. And so, I was really mad about. I was like this is fucking ridiculous. (audience laughs) I’ve never uploaded an app and I’m banned. This is so stupid. And so, I went and I talked to their main security guy one day. I was like, “Come on, this is stupid. “I’m banned from the Play Store “and I’ve never uploaded anything? “Please justify this to me.” And so he said to me, “Well,
we have this algorithm, “and it figures out who
developers are associated with, “and whether those people are bad, “and we try to draw conclusion on that, “and we figured out that
your developer account “was associated with Jon
O’s developer account, “and Jon O’s account had been associated “with installing malware.” And I was like, hmm, that’s
like totally legit, I get it. (audience laughs) I walked away, I was like,
“Okay, fine, I get it.” So, I’ve taken the ban in place even though I’ve never uploaded an app. It makes perfect sense to me. The thing that’s worse is my wife is actually banned as well. Because once I was banned, I was like, fuck that I’m making a
new developer account, and you have to have a credit card. I was like, well, I’ll
use my wife’s credit card. (audience laughs) I use my wife’s credit
card, my wife’s name, and somehow they associated it with my account, and
so she got banned too. But luckily, that’s not a
huge loss for our family, so. (audience laughs) but yeah, their algorithm works on like who you’re buddies
with, and it’s legit. Any friend of Jon O’s should
not be developing apps. (audience laughs) – [Audience Member] Google knows all. – Yeah, Google knows, and
they have legit algos. – [Jon] They had a legit reason though. They said if you’re doing research on our infrastructure, okay fine, but we’re gonna treat you exactly as we would treat a true adversary. So, we’re gonna apply the same bans, the same analysis. We’re not gonna flip the whitelist flag to allow you to keep doing this. We’re gonna subject you to
our full security controls. And I was like, cool – Yeah, same thing. I was like, “Yeah, well
okay, that makes sense.” Once they explained it to me, I was like “Oh yeah, for sure, any friend of Jon O’s, “I get why you would ban them.” – [Jon] Until later when now that not only am I banned from the App Store, but I can’t use Google Wallet. I wanna give Google money. I’m like, I’m out of storage,
I’ve got too much Gmail. I wanna buy some movies from you guys, I wanna buy some devices, and
I can’t use Google Wallet. I’m like, “I will give you
money if you’d let me.” And they’re like, “No, no, no, no. “You can’t, no, we can’t unban you.” Eventually they did. It took like three years. They finally like, “Okay, but
just don’t do anything bad.” Okay. – I’ve heard secret rumors that I could be unbanned from Apple. And so, I went through the flow, I tried to log in, they’re like, “Sorry, there’s a problem, click here.” I clicked here, clicked here. It was like you’ll have to calls someone. I was like, yeah, it’s not worth it. – [Jon] The Google flow,
you go in and it says, “You’re suspected as fraud. “Please upload your passport
and all this stuff.” I went through that. I scanned everything like, I don’t know, bank account information,
and they called back, and they’re like, “Yeah, you have “a special flag on your account.” (audience laughs) I was like, “Oh, I’m not sure
what that could be about.” They’re like, “We can’t, no, sorry.” – That’s funny. Yeah, we both have special flags. We’re special people. – [Jon] But when you
submitted to the App Store, you submit it onto your name. You would think that,
given your iOS research, Apple might have some
sore of regex that’s like, “If Charlie Miller signs up– – That how I said, the fact they didn’t find my
app and I submitted it, they totally failed. I gave them every indication,
I did it real light, I was like, “Why is Charlie Miller “who’s only found exploits in the past “now writing David Hasselhoff
and Instastock apps? “This does not make sense. “We need to reverse engineer
the shit out of this.” But they never did, and instead they just like clicked a little button and some GUI somewhere. – [Jon] Any other questions? All right, thank you
Charlie so much for coming. – Yeah, thanks. (audience applauds) Thanks Ann Arbor. (whooshing) (thunder claps)
(light clicks) (whooshing)

2 Replies to “The Best of Bug Finding – Duo Tech Talk (Charlie Miller)”

  • The economics of RE and exploit dev are understated 99% of the time. Even top guys even with the latest tools like the latest IDA Pro and python, and ready-made fuzzers can't really churn out that many zero days. It actually takes a building full of experts just to do 2-3 every 1.5 months if even..

  • Presentation starts at 6:40.
    For those who just want to get straight to the nitty-gritty, introductions etc. end at 18:32.
