From November 8th to 11th, UK local time, Black Hat Europe 2021 took place at the London conference venue and online. White hat hackers and security experts from all over the world gathered to share breakthrough research in application security, exploit development, malware and other fields. At this conference, four research results from Baidu Security were selected for the Briefings, the core section of Black Hat, making history again.

Baidu Security was selected as Topic 1:

AI Model-Mutator: Finding Vulnerabilities in TensorFlow

Baidu Security announced a new fuzzing tool!
It fills the gaps left by API fuzzing!
TensorFlow gets a safer foundation!

There is no doubt that the rapid iteration of open source machine learning platforms has created the conditions for the fast advance of AI, but it has also introduced many hidden risks into the code quality of AI computing frameworks. Take Google's TensorFlow as an example: its number of CVEs increased 15-fold in the three years from 2019 to 2021.

Generally speaking, API fuzzing is a commonly used vulnerability detection method, but it cannot find the "deep" vulnerabilities hidden in complex code logic. In response to this problem, Baidu Security announced at the conference AI Model-Mutator, a new fuzzing tool based on model mutation. It takes a model file as the input data and tests the code quality of the underlying computing framework by randomly mutating that file. As a result, the technical team can find "deep" vulnerabilities without manually constructing the "context" needed to trigger them.

In Baidu Security's verification tests, AI Model-Mutator was able to reproduce 66 previously discovered TensorFlow vulnerabilities using its mutation rules. At the same time, it discovered 6 new vulnerabilities, which were confirmed and acknowledged by the TensorFlow team.

For a more detailed technical interpretation of this topic, you can continue with the following material:
TensorFlow's security acknowledgements, which credit Baidu Security for helping fix 87 security vulnerabilities
https://github.com/tensorflow/tensorflow/tree/master/tensorflow/security

Baidu Security was selected as Topic 2:

Your Trash Kernel Bug, My Precious 0-day

What if the risk rating of a kernel bug is inaccurate?
What if a low-risk vulnerability evolves into a high-risk one?
It's time to study a new evaluation method!

Security vulnerabilities are inevitable in complex software, and operating system kernels are no exception. Even in a relatively mature system like Linux, dozens of vulnerabilities of different types may be discovered every month. When vulnerabilities are discovered, the first problem facing the technical team is to triage them and decide the order in which to fix them.

At present, this judgment is based mainly on the risk rating given in security vulnerability reports. Advances in kernel fuzzing have also greatly accelerated the discovery of kernel vulnerabilities. However, joint research by Baidu Security and Penn State University (PSU) shows that the current rating information is very unreliable: using the Linux kernel vulnerability analysis tools developed by the two parties, some seemingly low-risk vulnerabilities can be "transformed" into high-risk, exploitable memory corruption vulnerabilities, and some warnings considered non-serious may pose serious security risks.

For the industry, this research exposes the limitations of current kernel vulnerability risk ratings. The security risks this brings deserve the attention of the entire security community, and new vulnerability risk evaluation methods need to be studied.

Baidu Security was selected as Topic 3:

New Ways of IPv6 Scanning

Hard to enumerate in 500,000 years!
Does an IPv6 address look safe?
Actually, it is not!

With the 4.3 billion IPv4 addresses exhausted, IPv6 has gradually become the mainstream, and its 128-bit address length is also considered the more secure option. Because the address space is so large, address scanning of the kind used against IPv4 is assumed to be infeasible. However, according to the new address scanning methods proposed by Baidu Security, this "old" attack strategy still applies to IPv6, which may not be as secure as we thought.

This latest research result from Baidu Security concerns almost all Linux-kernel devices and all Android devices. Researchers discovered multiple new IPv6 address scanning methods. Affected devices include iPhones, Android phones, routers, portable Wi-Fi hotspots, and smart devices, as well as common IoT devices such as speakers and in-car entertainment systems, spanning common operating systems such as iOS, Android, Windows, and Ubuntu. Attackers can exploit these weaknesses to obtain millions or tens of millions of otherwise random IPv6 addresses in a short time. Because IPv6 supports end-to-end direct reachability, attackers can then reach the scanned devices directly, much as if attacking devices on an internal network, targeting the known vulnerabilities of weak IoT devices, ADB debugging ports, web services, Telnet services, and so on. This kind of security risk exists in most countries, regions, and operators around the world.

Baidu Security was selected as Topic 4:

BadMesher: New Attack Surfaces of Wi-Fi Mesh Network

EasyMesh is really appealing!
A Wi-Fi Mesh home network with no dead zones is really appealing!
But it may not be safe...

With the advent of the Internet of Everything era, the interconnection and mutual control of IoT devices has become a trend. As an efficient form of mobile access, the Wi-Fi network is the natural transport network for IoT devices. As an emerging networking technology, Wi-Fi Mesh is self-organizing, self-managing, and self-healing, which effectively solves the flexibility and reliability problems of traditional Wi-Fi networking, and it has gradually become the infrastructure for IoT device interconnection and interoperability.

However, research from Baidu Security found that Wi-Fi Mesh networks have multiple attack surfaces, allowing attackers to attack devices both during the Mesh network construction phase and during the network control phase. In actual testing, the EasyMesh solution on the MT7915 from MediaTek, a leading chip manufacturer, was found to have multiple security issues, with the number of CVEs reaching 19.

Baidu Security attributed this series of problems to memory corruption caused by TLV (Type-Length-Value) parsing, and built a custom automated vulnerability discovery tool, MeshFuzzer. The tool covers all stages and roles in EasyMesh, helps device manufacturers inspect their EasyMesh implementations in depth, and helps improve product security.
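As an added illustration of the TLV parsing problem described above (example code written for this summary, not Baidu's MeshFuzzer or MediaTek's implementation), the following is a bounds-checked TLV walker in C. It assumes the 1-byte type / 2-byte big-endian length layout of IEEE 1905.1, which EasyMesh builds on, a hypothetical "device name" TLV type, and constructed sample messages, one of which claims a value length far larger than the bytes actually present.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed TLV layout: 1-byte type, 2-byte big-endian length, then value
 * (the IEEE 1905.1 framing that EasyMesh builds on). */
#define TLV_HDR_LEN 3
#define NAME_MAX 32
#define TLV_TYPE_NAME 0x01   /* hypothetical TLV type carrying a device name */

struct tlv_state { int count; char name[NAME_MAX]; };

/* Walk a TLV stream. Returns 0 if every TLV fits inside the buffer,
 * -1 as soon as a header or value would run past the bytes present. */
static int tlv_walk(const uint8_t *buf, size_t len, struct tlv_state *st)
{
    size_t off = 0;
    st->count = 0;
    st->name[0] = '\0';
    while (off < len) {
        if (len - off < TLV_HDR_LEN)
            return -1;                              /* truncated header */
        uint8_t type = buf[off];
        uint16_t vlen = (uint16_t)((buf[off + 1] << 8) | buf[off + 2]);
        off += TLV_HDR_LEN;
        if (vlen > len - off)
            return -1;                              /* length overruns the buffer */
        if (type == TLV_TYPE_NAME) {
            /* An unchecked memcpy(st->name, buf + off, vlen) here is the
             * classic TLV memory-corruption pattern; reject oversized values. */
            if (vlen >= NAME_MAX)
                return -1;
            memcpy(st->name, buf + off, vlen);
            st->name[vlen] = '\0';
        }
        off += vlen;
        st->count++;
    }
    return 0;
}

/* Constructed samples: a well-formed message and one with a bogus length (0x0400). */
static const uint8_t good_msg[] = { 0x01, 0x00, 0x06, 'n', 'o', 'd', 'e', '-', 'a',
                                    0x02, 0x00, 0x02, 0xAA, 0xBB };
static const uint8_t bad_msg[]  = { 0x01, 0x04, 0x00, 'x', 'y', 'z', 'w' };

/* Helpers exposing the parse results for checking. */
int good_ok(void) { struct tlv_state s; return tlv_walk(good_msg, sizeof good_msg, &s) == 0 && s.count == 2 && strcmp(s.name, "node-a") == 0; }
int bad_rc(void)  { struct tlv_state s; return tlv_walk(bad_msg, sizeof bad_msg, &s); }

int main(void) { printf("good=%d bad=%d\n", good_ok(), bad_rc()); return 0; }
```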

The Black Hat conference is one of the top conferences in the global information security field, known for its professionalism and for tracking the latest trends, and Baidu Security has always been an important participant. At Black Hat Europe 2021, four research results from Baidu Security were selected as Briefings, which not only set a new record for Baidu itself, but also reflects the growing technological strength of China's cybersecurity industry.

Adhering to the concept of "with AI, safer", Baidu Security has always been committed to enabling the arrival of the AI era with safer technology. Facing the escalation of traditional security issues and the emergence of new security challenges, Baidu Security will take this Black Hat conference as an opportunity to continue working with professionals from industry, academia, and research, to share China's practices and perspective, and to jointly build a more secure networked world.


Baidu Security