Friday, October 30, 2009

What happened to Google?

Hi Folks,
yesterday evening, while I was planning my road trip from Washington DC to Davis (CA), I found this interesting Google bug (?)



Well.... Which button should I click to send the link to my friend?

Thursday, October 29, 2009

Workshop on a Common Data Format for Electronic Voting Systems

Today and tomorrow I'm involved in the NIST Workshop on a Common Data Format for Electronic Voting Systems.

The goal of this two-day workshop is to identify and agree upon a set of requirements for a common data format for voting systems. While there have been many calls for a common data format for voting systems, there is little consensus on the requirements for this format or what it is to accomplish. Possible goals for a common data format include interoperability of different equipment, auditability, transparency, publishing (communication with consumers of election data, such as media outlets), integration between polls and registration, transition to electronic record-keeping, or the ability just to "get the data out" by any means possible. Stakeholders include manufacturers, election officials, the EAC, consumers of election data, voters, organizations with existing data formats (including OASIS and the Voting Information Project), academics, and others with related work.


I believe this workshop comes at the right time: we really need a common data format. Currently there are too many different formats; each vendor uses its own for final reports, configuration files and communication messages. So far, not only is interoperability a dream, but integrability is also very far from the current voting systems. EML seems to be the light at the end of the tunnel and the common reference for every system, but it is also very large. Just to give a little flavour, EML covers four big sets:


- Transactions (pre-election, election and post-election)
- Specification (outlines the voting process, identifies data requirements, contains a glossary of terms, addresses security issues, gives an overview of the XML schemas)
- Data Dictionary (defines all exchanged data components)
- XML Schema (a family of 38 components, 29 specific exchange schemas, 2 new US-driven schemas developed for EML 6.0)



In addition, we have to remember that laws differ from state to state, and EML may permit something that is forbidden in some states. On the other side of the coin, we cannot implement different EML dialects, or we would be back to the present situation. Moreover, US precincts are very different: some are huge like LA (millions of voters) and others are small (hundreds of voters), and they use different kinds of voting systems. This is another issue: it's difficult to design a data format general enough to satisfy every precinct.

So, let's go! We have a lot to do to improve our democracy.

Wednesday, October 28, 2009

5 Million Hashes!

I've just realized what 5 million hashes means :D, congratulations SANS!
Here is the query page.

Damn Vulnerable Web Application

Hi Folks,
today I wanna point out this amazing project called DVWA (Damn Vulnerable Web App), developed by Ryan Dewhurst.

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.

The "camera-shy" presentation :D is here:



And here is the well-done "how to install and set up" guide for DVWA.



As you probably know, I've written some vulnerable challenges and some hacking missions around the globe (especially cesena.ing2.unibo.it), but the great idea of this guy is the "View Code" button, which shows where the bug is inside the code.
Good job man, and if you need help please feel free to contact me.

Monday, October 26, 2009

CISCO-Zine Against BPDU Attack

Hi folks,
today I wanna point out this nice article written by Fabio Semperboni for CiscoZine (his blog). The paper describes in an easy and intuitive way how the BPDU attack works, and finally describes a possible network-based solution.

CIA and Social Data Mining

Via Wired:

America’s spy agencies want to read your blog posts, keep track of your Twitter updates — even check out your book reviews on Amazon.
In-Q-Tel, the investment arm of the CIA and the wider intelligence community, is putting cash into Visible Technologies, a software firm that specializes in monitoring social media. It’s part of a larger movement within the spy services to get better at using ”open source intelligence” — information that’s publicly available, but often hidden in the flood of TV shows, newspaper articles, blog posts, online videos and radio reports generated every day.

Friday, October 23, 2009

NIST on Security: Video

It's amazing to see my associates on video!
This is definitely one of the best "knowledge base" videos ever.
Enjoy it.





NIST Computer Security Division.

Rat Brain and Computer Security

Hey folks,
today my big news is about "the rat brain". Yes, some researchers at the University of Reading (UK) built one of the first prototypes of robots working with real "animal" cells. Here is the main page of the project.

Here is the video:



That's awesome, and it seems to have infinite ways to be utilized. Let's think about security, for example pattern recognition (like CAPTCHA), intrusion detection systems, or intelligent honeynets able to follow attack trees perceptively, and so forth. Applying "brain computing" ("neural systems", or whatever they call it) will be the next big challenge for security engineers, and maybe the biggest challenge ever for hacking communities.

Monday, October 19, 2009

Windows Auto Start Locations

Hi Folks,
this weekend I've been involved in an interesting Windows forensic analysis process. There are lots of forensic analysis tools around (just ask Google to see a couple of them), but in some scenarios, for example where you don't want to shut down the machine, you might have trouble installing new security tools because some malware makes it impossible.
In these and other situations it is still useful to know where the auto start locations are in Windows XP and Windows Vista (I don't know yet about Windows 7, and for older Windows versions these locations might be different).
Reading different blogs, forums and some good books, I learned some interesting places to look for malware and viruses, and today I wanna point out these places where the investigator should look. I don't think the following list is complete, but anyway... stay tuned for more updates.

Some useful variables to make the list shorter:
HKLM : HKEY_LOCAL_MACHINE
HKCU : HKEY_CURRENT_USER
HKCR : HKEY_CLASSES_ROOT
%windir% : The Windows directory. Can be C:\Windows or C:\WINNT or anything else, depending on the location, the OS and the customization of the OS!
%USERPROFILE% : Normally under C:\Documents and Settings, depending on the installation location.
%ALLUSERSPROFILE% : Normally C:\Documents and Settings\All Users, depending on the installation location.



Registry locations:
1. HKLM\System\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\StartupPrograms
2. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AppSetup
3. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Startup
4. HKCU\Software\Policies\Microsoft\Windows\System\Scripts\Logon
5. HKLM\Software\Policies\Microsoft\Windows\System\Scripts\Logon
6. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
7. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
8. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
9. HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Shell
10. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
11. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman
12. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
13. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
14. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
15. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
16. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
17. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
18. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load
19. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
20. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
21. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
22. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
23. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
24. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup
25. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce
26. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\RunonceEx
27. HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run
28. HKLM\SOFTWARE\Classes\Protocols\Filter
29. HKLM\SOFTWARE\Classes\Protocols\Handler
30. HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
31. HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
32. HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components
33. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
34. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
35. HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
36. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
37. HKCU\Software\Classes\*\ShellEx\ContextMenuHandlers
38. HKLM\Software\Classes\*\ShellEx\ContextMenuHandlers
39. HKCU\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
40. HKLM\Software\Classes\AllFileSystemObjects\ShellEx\ContextMenuHandlers
41. HKCU\Software\Classes\Folder\ShellEx\ContextMenuHandlers
42. HKLM\Software\Classes\Folder\ShellEx\ContextMenuHandlers
43. HKCU\Software\Classes\Directory\ShellEx\ContextMenuHandlers
44. HKLM\Software\Classes\Directory\ShellEx\ContextMenuHandlers
45. HKCU\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
46. HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers
47. HKCU\Software\Classes\Folder\Shellex\ColumnHandlers
48. HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
49. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
50. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
51. HKCU\Software\Microsoft\Ctf\LangBarAddin
52. HKLM\Software\Microsoft\Ctf\LangBarAddin
53. HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
54. HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
55. HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
56. HKCU\Software\Microsoft\Internet Explorer\UrlSearchHooks
57. HKLM\Software\Microsoft\Internet Explorer\Toolbar
58. HKCU\Software\Microsoft\Internet Explorer\Explorer Bars
59. HKLM\Software\Microsoft\Internet Explorer\Explorer Bars
60. HKCU\Software\Microsoft\Internet Explorer\Extensions
61. HKLM\Software\Microsoft\Internet Explorer\Extensions
62. HKLM\System\CurrentControlSet\Services
63. HKLM\System\CurrentControlSet\Services
64. HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
65. HKLM\System\CurrentControlSet\Control\Session Manager\SetupExecute
66. HKLM\System\CurrentControlSet\Control\Session Manager\Execute
67. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
68. HKLM\Software\Microsoft\Command Processor\Autorun
69. HKCU\Software\Microsoft\Command Processor\Autorun
70. HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)
71. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls
72. HKLM\System\CurrentControlSet\Control\Session Manager\KnownDlls
73. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System
74. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UIHost
75. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
76. HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
77. HKCU\Control Panel\Desktop\Scrnsave.exe
78. HKLM\System\CurrentControlSet\Control\BootVerificationProgram\ImagePath
79. HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9
80. HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
81. HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders
82. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages
83. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
84. HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages
85. HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order
86. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load
87. HKCR\batfile\shell\open\command @="\"%1\" %*"
88. HKCR\comfile\shell\open\command @="\"%1\" %*"
89. HKCR\exefile\shell\open\command @="\"%1\" %*"
90. HKCR\htafile\Shell\Open\Command @="\"%1\" %*"
91. HKCR\piffile\shell\open\command @="\"%1\" %*"
92. HKLM\Software\Classes\batfile\shell\open\command
93. HKLM\Software\Classes\comfile\shell\open\command
94. HKLM\Software\Classes\exefile\shell\open\command
95. HKLM\Software\Classes\htafile\shell\open\command
96. HKLM\Software\Classes\piffile\shell\open\command
97. HKLM\System\CurrentControlSet\Control\Class\{4D36E96B-E325-11CE-BFC1-08002BE10318}\UpperFilters
98. HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\VmApplet
99. HKLM\Software\Microsoft\Windows NT\CurrentVersion\IniFileMapping
100. HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
101. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021493-0000-0000-C000-000000000046}
102. HKLM\Software\Classes\CLSID\{CLSID}\Implemented Categories\{00021494-0000-0000-C000-000000000046}
103. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\Application
104. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\Application
105. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\Application
106. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\Application
107. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\Application
108. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\Application
109. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\Application
110. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.bat\ProgID
111. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cmd\ProgID
112. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.com\ProgID
113. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\ProgID
114. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.hta\ProgID
115. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pif\ProgID
116. HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.scr\ProgID
117. HKLM\Software\CLASSES\batfile\shell\open\command @="\"%1\" %*"
118. HKLM\Software\CLASSES\comfile\shell\open\command @="\"%1\" %*"
119. HKLM\Software\CLASSES\exefile\shell\open\command @="\"%1\" %*"
120. HKLM\Software\CLASSES\htafile\Shell\Open\Command @="\"%1\" %*"
121. HKLM\Software\CLASSES\piffile\shell\open\command @="\"%1\" %*"
122. HKCR\vbsfile\shell\open\command
123. HKCR\vbefile\shell\open\command
124. HKCR\jsfile\shell\open\command
125. HKCR\jsefile\shell\open\command
126. HKCR\wshfile\shell\open\command
127. HKCR\wsffile\shell\open\command
128. HKCR\scrfile\shell\open\command
129. HKLM\Software\Microsoft\Active Setup\Installed Components\KeyName\StubPath=C:\PathToFile\Filename.exe


Folder locations:
1. %ALLUSERSPROFILE%\Start Menu\Programs\Startup
2. %USERPROFILE%\Start Menu\Programs\Startup
3. %windir%\Tasks
4. %windir%\System32\Tasks - Windows Vista
5. %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
6. %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
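When the box has to stay up and nothing can be installed, the built-in `reg export` can still dump any of the keys above to a .reg text file that you triage on another machine. The following is an added example (not code from the original post) that parses such an export and reports every Run entry, plus Winlogon and exefile values that differ from the stock defaults; the key names come from the list above, the sample export is constructed, and the "stock" values are assumptions of a default Windows XP install.

```python
# Added example, not from the original post: triage a .reg export against a few of the
# auto-start keys listed above. The defaults assumed below are those of a stock Windows XP.
import re

# Keys where every value is a program started at logon (prefix match also covers RunOnce).
RUN_KEYS = (r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run")
# Values whose stock data is known: anything else found there is reported.
DEFAULTS = {
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon": {
        "shell": "Explorer.exe", "userinit": r"C:\WINDOWS\system32\userinit.exe,"},
    r"hkey_classes_root\exefile\shell\open\command": {"@": '"%1" %*'},
}
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_UNESCAPE = re.compile(r"\\(.)")  # .reg strings double backslashes and escape quotes


def _decode(data):
    """Turn .reg value data into str or bytes."""
    if data.startswith('"') and data.endswith('"'):
        return _UNESCAPE.sub(r"\1", data[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", data, re.I)
    if m:
        raw = bytes.fromhex(m.group(2).replace(",", " "))
        if m.group(1) in ("2", "7"):  # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00").replace("\x00", ";")
        return raw
    return data  # dword:... and anything else is kept verbatim


def parse_reg(text):
    """Parse export text (regedit writes .reg files as UTF-16) into {key: {name: data}}."""
    keys, current = {}, None
    # regedit wraps long hex data with a trailing backslash: glue those lines back together
    for line in map(str.strip, re.sub(r"\\\r?\n\s*", "", text).splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is None or not m or m.group(2) == "-":
            continue  # header, blank line, comment or "delete value" marker
        name = "@" if m.group(1) == "@" else _UNESCAPE.sub(r"\1", m.group(1)[1:-1])
        keys[current][name] = _decode(m.group(2).strip())
    return keys


def triage(text):
    """Return (key, value name, data, reason) tuples an analyst should verify on disk."""
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        defaults = DEFAULTS.get(k, {})
        for name, data in values.items():
            n = name.lower()
            if n in defaults and data != defaults[n]:
                findings.append((key, name, str(data), "differs from the default"))
            elif n not in defaults and k.startswith(RUN_KEYS) and data not in ("", b""):
                findings.append((key, name, str(data), "auto-start entry"))
    return findings


# Constructed sample export, not taken from a real machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\updater.exe"
"Tray"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,\
  74,00,2e,00,65,00,78,00,65,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drv.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

if __name__ == "__main__":
    for key, name, data, reason in triage(SAMPLE):
        print(f"{reason:24} {key}\\{name} = {data}")
```

Every Run entry is listed on purpose: the analyst confirms each binary on disk, while Winlogon and exefile only show up when they deviate from the expected data.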

Friday, October 16, 2009

Evil Maid goes after TrueCrypt!

Hey Folks,
today I wanna point out this great article by InvisibleThings. I just cut and pasted the original one (from Friday, October 16).



Let’s quickly recap the Evil Maid Attack. The scenario we consider is when somebody left an encrypted laptop e.g. in a hotel room. Let’s assume the laptop uses full disk encryption like e.g. that provided by TrueCrypt or PGP Whole Disk Encryption.

Many people believe, including some well known security experts, that it is advisable to fully power down your laptop when you use full disk encryption in order to prevent attacks via FireWire/PCMCIA or ”Coldboot” attacks.

So, let’s assume we have a reasonably paranoid user, that uses a full disk encryption on his or her laptop, and also powers it down every time they leave it alone in a hotel room, or somewhere else.

Now, this is where our Evil Maid stick comes into play. All the attacker needs to do is to sneak into the user’s hotel room and boot the laptop from the Evil Maid USB Stick. After some 1-2 minutes, the target laptop gets infected with Evil Maid Sniffer that will record the disk encryption passphrase when the user enters it next time. As any smart user might have guessed already, this part is ideally suited to be performed by hotel maids, or people pretending to be them.

So, after our victim gets back to the hotel room and powers up his or her laptop, the passphrase will be recorded and e.g. stored somewhere on the disk, or maybe transmitted over the network (not implemented in current version).

Now we can safely steal/confiscate the user’s laptop, as we know how to decrypt it. End of story.


For more detail please see the InvisibleThings home page.
Enjoy your hack

Thursday, October 15, 2009

So many important people in one day ..

Hey folks,
during these two days (13 and 14) I've been involved in the E2E voting system workshop at the Marvin Center @ George Washington University. The workshop was really interesting because there were lots of different cultures, for example "university staff", "poll workers" and "usability people", who explained the same problems from different points of view.
What I liked most were the two "thinking panels" (aka: where the E2E voting science is going...) because well-known people like Ron Rivest and David Chaum gave their futuristic vision and, unbelievably, it was clear and well detailed.

After the two main panels I spoke with them for a few minutes, and I'm extremely grateful to both of them for having participated in our workshop.

Monday, October 12, 2009

New Article Accepted on Security & Privacy

I wrote another article for Security & Privacy magazine.
It should be published in the November/December issue. The title will be "Frightened By Links". This is the abstract:

This article describes a recent attack trend called ClickJacking, aimed at the exploitation of hyperlinks as the attack vehicle. It introduces the reader to the attack concept and to the possible ways to implement it, by means of some practical examples. Then it discusses the detectability of this attack.

And this is the main example of the paper.



Comments are appreciated. Thank you.

Sunday, October 11, 2009

Student Innovation Contest: Jeff Allen and John Howard, good job!

These guys presented at UIST 2009 an amazing biometric typing security "engine". This software records your typing style, including the time between keystrokes, the time keys are held, and key pressure data. This information is then normalized and compared to the information stored about the user when the password was originally set. If you don’t fall within specifications that match the stored data, you won’t get in even with the right password.



UIST (ACM Symposium on User Interface Software and Technology) is the premier forum for innovations in the software and technology of human-computer interfaces. Sponsored by ACM's special interest groups on computer-human interaction (SIGCHI) and computer graphics (SIGGRAPH), UIST brings together researchers and practitioners from diverse areas that include traditional graphical & web user interfaces, tangible & ubiquitous computing, virtual & augmented reality, multimedia, new input & output devices, and CSCW. The intimate size, the single track, and comfortable surroundings make this symposium an ideal opportunity to exchange research results and implementation experiences.

Saturday, October 10, 2009

Small Botnets Are More Powerful Than Big Ones?!

I was not surprised to read this result from Damballa.

The net result is that these smallest botnets efficiently evade detection and closure by staying below the security radar and relying upon botnet masters that have a good understanding of how the enterprise functions internally. As such, they’re probably the most damaging to the enterprise in the longterm.

Wednesday, October 7, 2009

Google Adsense

Finally, after some years of blogging, I decided to put Google Ads on.
I've never been interested in that, but I know that sometimes you can earn coffee money, so I decided to try. Maybe after one or two months I'll get a coffee paid for by Google :D ... who knows?!
Anyway, after a while I thought: "Hey man, this is easy to cheat! A click bot is probably enough!". Then, after 2 or 3 Google clicks :D, I found this old but still interesting post about that: How To Get Banned From Google Adsense.
So I just want to copy and paste it here:



Keep in mind that these are HOW TO GET BANNED. In other words, this is a “DO NOT” list if you don’t want your adsense account to be disabled.

1. Ignore Adsense Program Policies & TOS

2. Click on your own ads, specially those you are “genuinely interested” in. Ask people to click on your ads: your friends, your family members, your relatives, your visitors, or even your dogs or your cats. Use proxies to avoid detection.

3. Participate in some form of click-ring. Click-rings are groups of people who gather with consensus to click each others’ ads. Most commonly used methods are Yahoo Groups, instant messenger, mail list, web forum, or specially written software.

4. Buy, write, or use click-bot software. Click-bot software will go around your site and click on your ads. Most of the times, these click-bots are using proxies to avoid detection.

5. Pay the Indian-clickers. These are the people whose main jobs are clicking on PPC advertisements and paid by the malicious publishers. Most of them are from developing countries like India or China.

6. “Invest” with websites that promises to deliver “adsense clicks” for your site. Whatever methods they are using, most likely it falls under one of the aboves.

7. Extra words to make your visitors to notice your ads. Write “Click here” or “Please support us” or “Visit our sponsors”. Anything other than Google-approved “sponsored links” or “advertisements”.

8. Put in as many ads as possible in every page. Put more than three units of the normal ads block, more than one unit of ads links, or more than one referral buttons for each adsense, adwords, and firefox; all in one page.

9. Use spyware to get traffics to your site. Spyware, adware, malware, or whatever it is called can force computer users to open your website everytime they start the computer. Or even better, use some kind of specially written software, toolbar, etc to display or click on your ads.

10. Use pop-ups on your website. Everytime your user open a page, pop-up another one, ideally with the smiley or the IQ Test advertisements.

11. Get as much un-targetted traffic as possible, for instance using the auto-surfing programmes to rotate the members around your site and other sites.

12. Put the adsense code in non-content pages: registration forms, term and condition, login page.

13. Have a competitor contextual ad on same page with adsense ads, for example Yahoo Publisher Network. Please note though that non-contextual ads, e.g. affiliate links or keyword-based ads are acceptable by google and won’t get you banned.

14. Get more than one adsense account. Maybe one for your dog-site, one for your cat-site, one for the v1agra pills, one for mp3 download, etc.

15. Put your adsense code in email, usenet, RSS, etc.

16. Tell everyone what is your CTR, your page impressions, etc. Telling people about your total earning, unfortunately, is allowed.

17. Put Google logo where you shouldn’t, and don’t put the logo where you should. In other word, ignore Google trademark.

18. Modify Adsense code as you see fit. Modify the layout, color, URL, will be well. Just anything other than copy-and-paste the code from Google.

19. And, this is important: if and when Google Adsense Team sends you email, ignore it.

20. Put adsense codes in the banned contents

That's weird, how does Google know all that? :)

Monday, October 5, 2009

Yet Another Diebold Hack Demonstration

Hi folks,
this week I suggest this amazing reading on "Return Oriented Programming" by 6 researchers from Princeton University, the University of California @ San Diego and the University of Michigan.


The researchers used a clever trick to achieve this. In the existing code, they searched for short code sequences that end in a RET instruction. The RET instruction retrieves an address from the stack and jumps to this address. Using an ingeniously crafted stack consisting of the addresses of suitable code snippets, the researchers can recreate almost arbitrary programs. They created the required stack with a conventional buffer overflow in the existing program code. The program's next RET instruction consequently triggers a series of RETs which eventually executes the code that manipulates the election result according to the attacker's wishes. The researchers have called their ingenious exploit technique "Return-oriented Programming".

Via h-online