ARM Exploitation: Switzerland

Late last year we got an email from Paul Such (the founder of SCRT Information Security) inviting us to present and lead a workshop at the Insomni’hack 2013 conference.  A workshop is like a 1-day, mini-training.  The conference is a two-track one day conference with workshops beforehand, and an all-night hacking contest and CTF afterwards.

Maybe this is just some dumb yokel from Pittsburgh talking who’s never seen the Alps before, but this conference also happens to be held in one of the most scenic and diverse cities in Europe: Geneva. I’d never actually been to Switzerland before, and Ridley had never been to Geneva, so obviously we both wanted to go.

We arrived at the Geneva airport on March 20, the day before our workshop.  The hotel was about a 5 minute bus ride away at the Suite Novotel across from the Balexert.  We checked in, and it wasn’t long before we realized that we should probably get a car so that we could get out and enjoy some of the scenery.  So back to the airport we go and visited the Avis desk to rent a car.  Now of course in Europe, when you rent a crummy cheap car it costs $120 dollars a day and is a tiny crummy … stick shift.  Uh oh, I’m a stupid American used to $25/day automatics in Little Rock, Arkansas.  In America, why would you get a stick shift when automatics are so cheap? Fortunately Ridley was not quite so lame as I and was able to drive us back to the hotel. Clearly I was going to have to finally learn to actually drive in Switzerland.

But first we stopped by downtown to Geneva to explore a bit and take in the scenery before checking in to the Palexpo Center where the conference was being held. Lake Geneva and the alps really are something to see.  The city has old French architecture, pretty awesome mountain views, lots of cafes and shops.  Everyone is polite, even the meter

maids who opted not to ticket us for a parking infraction, given that we were obviously just stupid tourists. One thing the people of Geneva do not know how to do, however, is make a readable street map.  Apparently every street and road in Geneva has at least two French names, rarely use street signs, and when they do, the name on the sign does not match what is on your map.  It took quite a long while to drive the 3.5 miles back to the Palexpo Center and our hotel, whereupon we immediately crashed due to exhaustion.

The next day we awoke and with power adapters, a switch and a wireless router, and our handy Gumstix we set out to the Palexpo to set up for our workshop.  We arranged the tables for our class, set up the projector, plugged in our power supplies to our universal power adapter, slapped it into the wall outlet and………….. bzip! We managed to trip a breaker in the utility closet.  No one could get power to their laptops, the projector was down.  We had to call the conference personnel to reset the breaker.  This went on through several iterations, including the purchase of actual power converters (from Tashi Station…that’s what it was called), at least one fried Gumstix, and actual smoke.  Clearly our American and European electronics were not going to cooperate. Fortunately I had an Amazon AWS instance with QEMU installed sitting on ice since Blackhat last year, so we had to make do with performing our labs in a virtualized environment. (One of our class participants, Ruchna, did a writeup over at Fortinet.)

For the workshop we mostly just went through some reversing challenges using IDA and gdb, and talked a bit about to exploit stack overflows. We then followed with a whirlwind tour of “ROP”, “pievuts”, and so on, as more “advanced” topics.

This slideshow requires JavaScript.

The next day we actually attended the conference, and even gave a talk of our own.  But Charlie Miller‘s talk was no doubt more interesting.  Afterwards it was time for us to find a large empty parking lot for me, late in my life, to finally learn how to drive a stick shift properly.  Of course, we were in Europe, so everything is tiny, and small, and compact, and there are apparently no large empty parking lots anywhere.  After much asking, someone finally admitted that the airport does, indeed, possess several large parking lots, but they were probably closed, because no one uses them in March.  Well, that being our best bet, we drove around the airport and did manage to find a large, empty, parking lot, that was open.  And there I finally learned to drive stick shift.  After that all we had to do was go back to the hotel, and maybe stop by the Palexpo to join in the CTF festivities.

What we did instead is we managed to get lost for hours, somehow, even though we were literally only a few miles from the hotel, aided, not at all, by the street map whose street names did not match the signs on the streets, as I stalled out on the hills of Geneva repeatedly, much to the consternation of the otherwise polite Swiss drivers behind me.  It was very late, and we were starving, so we hooked up with Charlie Miller. Charlie claimed that navigating through Geneva was actually quite simple, and that we were fools with no sense of direction (probably true!) and navigated us to downtown Geneva.  The concierge at the Four Seasons directed us to a fondue restaurant in the old town, where we ate copious amounts of cheese. (…and got accosted)

I suppose there’s not much else to report on Geneva.  We drove around the Lake and saw the Alps.  I mean… I cannot describe in words how amazing that place is.  We stopped in some little town with a bar overlooking the lake near all these ancient vineyards.  It would be a great place in the summer, man.

We also (through the miracle of social networks) managed to get a private tour of CERN from some friends of Ridleys’…that was pretty awesome too…to see where they just recently discovered “The God Particle” (the particle that gives all matter its mass)..all their backend computing infrastructure, the world’s first webserver, and the particle accelerators (well some of them, the rest were off limits because they were still radioactive from recent experiment runs).

We also visited Gruyere, a tiny fortified medieval village that is home of, well, of Gruyere Cheese.  Also home, oddly enough, of H.R. Giger’s museum and Giger Bar.  I have to say that walking through a tiny cute quaint Swiss village with chocolate and fondue restaurants, past an old medieval church, under the archway of a manor house, and then coming face to face with H.R. Giger’s bizarre sculptures is a little jarring.  When I was a teenager I used to hang out at Border’s Books (yes, in addition to my other hobbies of playing Dungeons & Dragons and cracking computer games my time as a teenage boy, you can imagine, involved literally zero female companionship).  ANYWAY, I used to hang out at Border’s Books and drink coffee and I’d read through the “Necronomicon” and read all this crap about H.R. Giger and his Giger Bar.

“Someday, I’m going to go to that bar and it is going to be so fucking awesome.” I would say to myself, imagining gothic chicks with copies amounts of black eyeshadow in corsets dancing to industrial music in a smoky biomechanical bar lifted straight out of the nightmarish subconscious of H.R. Giger.

And like so many of our childish idols, reality turned out to be vastly different than I thought it would be.  I mean it was pretty cool. But we went during the day. It was sunny. I sat in a big alien seat like right out of Prometheus in a very well-lit kinda weird looking tavern, with French love songs and reggae playing in the background, while a bored

Swiss teenager poured my Guinness out of a can as she texted to her friends.  I don’t know, maybe she wasn’t a teenager, I’m probably just getting old.

….and that….was our trip to Geneva. A fully captioned gallery of photos from our trip is here.