nganhkhoa/website
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: nganhkhoa:7968743f3cac3d65c85c5a6942efd16e53bce591
Branches Tags
nganhkhoa:main
...
compare: nganhkhoa:591b6e56df8e2ce2caa463b800a061d675cbea39
Branches Tags
nganhkhoa:main

3 Commits
7968743f3c ... 591b6e56df

Author SHA1 Message Date
nganhkhoa
591b6e56df update pdfs 2023-11-06 00:09:00 +07:00
nganhkhoa
ee238ba72b add malware neutralization 2023-11-06 00:08:41 +07:00
nganhkhoa
4a6cd83870 updated index page 2023-11-05 22:06:54 +07:00
6 changed files with 287 additions and 14 deletions
Show Stats Expand all files Collapse all files

221
app/Route/Index.elm
View File

@ -4,7 +4,7 @@ import BackendTask exposing (BackendTask)
import FatalError exposing (FatalError)
import Head
import Head.Seo as Seo
import Html.Styled as Html
import Html.Styled exposing (..)
import Html.Styled.Attributes as Attributes
import Link exposing (Link)
import Pages.Url
@ -59,20 +59,24 @@ head :
head app =
Seo.summary
{ canonicalUrlOverride = Nothing
, siteName = "elm-pages"
, siteName = "nganhkhoa.com"
, image =
{ url = [ "images", "icon-png.png" ] |> UrlPath.join |> Pages.Url.fromPath
, alt = "elm-pages logo"
{ url = "https://nganhkhoa.com/nganhkhoa.png" |> Pages.Url.external
, alt = "nganhkhoa"
, dimensions = Nothing
, mimeType = Nothing
}
, description = "Welcome to elm-pages!"
, description = "Personal blog of nganhkhoa"
, locale = Nothing
, title = "elm-pages is running"
, title = "Anh Khoa Nguyen"
}
|> Seo.website
withSpacing : (List (Html msg) -> Html msg) -> List (Html msg) -> Html msg
withSpacing element =
List.intersperse (text " ") >> element
view :
App Data ActionData RouteParams
-> Shared.Model
@ -80,17 +84,206 @@ view :
view app shared =
{ title = "Anh Khoa Nguyen"
, body =
[ Html.p []
[ Html.text <| "Welcome to my personal website, where I post random things and thoughts."
[ img [Attributes.src "/nganhkhoa.png"] []
, withSpacing (p [])
[ text "Welcome to my personal website, where I post random things and thoughts."
]
, Link.link (Link.internal (Route.Blog__Slug_ { slug = "" })) [] [ Html.text "Blogs" ]
, Html.br [] []
, Link.link (Link.internal (Route.Osx__Slug_ { slug = "" })) [] [ Html.text "OSX Series" ]
, Html.br [] []
, Html.text "Here is my CV:"
, Link.link (Link.external cvpdf) [Attributes.target "_blank"] [Html.text "CV.pdf"]
, withSpacing (p [])
[ text "I'm a Security Engineer at"
, Link.link (Link.external "https://bshield.io") [Attributes.target "_blank"] [text "BShield"]
, text "and"
, Link.link (Link.external "https://verichains.io") [Attributes.target "_blank"] [text "Verichains."]
, text "Before that, I was a member of Efiens under the name"
, Link.link (Link.external "https://blog.efiens.com/author/luibo/") [] [text "luibo."]
]
, withSpacing (p [])
[ text "My specialty are in computer security: memory forensics, binary analysis, program analysis, and compiler."
, text "My interest in computer systems are programming languages."
, text "I am finding for opportunities in type theory, operational semantic, and formal methods."
]
, withSpacing (p [])
[ text "My Github is"
, Link.link (Link.external "https://github.com/nganhkhoa") [Attributes.target "_blank"]
[text "nganhkhoa."]
, text "But I also maintain my personal git at"
, Link.link (Link.external "https://git.nganhkhoa.com/nganhkhoa") [Attributes.target "_blank"]
[text "git.nganhkhoa.com."]
]
, text "You can find out more about me in my "
, Link.link (Link.external cvpdf) [Attributes.target "_blank"] [text "CV."]
, br [] []
, text "I often write blogs, most of them are based on my research knowledge."
, text "You can find my blogs "
, Link.link (Link.internal (Route.Blog__Slug_ { slug = "" })) [] [ text "here." ]
, br [] []
, text "I also wrote a series about Mach-O binary format."
, text "You can find it "
, Link.link (Link.internal (Route.Osx__Slug_ { slug = "" })) [] [ text "here." ]
, br [] []
, text "I am a Vietnamese polyglot, fluent in English, conversational in Japanese, beginners in Mandarin and Korean."
, withSpacing (p [])
[ text "\"I use (neo)Vim and Arch, btw\" - probably me."
, text "This site is written using"
, Link.link (Link.external "https://elm-pages.com/") [] [ text "elm-pages." ]
]
, projects
, br [] []
, publications
]
}
cvpdf : String
cvpdf = "cv.pdf"
projects : Html msg
projects =
div []
[ h1 [] [text "My Projects"]
, div []
[ text "2023"
, text " "
, h2 [] [text "TSShock"]
, withSpacing (p [])
[ text "At Verichains, our team discovered multiple weaknesses in most implementations of Threshold ECDSA Signature Scheme following the works of"
, Link.link (Link.external "https://eprint.iacr.org/2019/114") [] [text "Gennaro and Goldfeder."]
, text "As the result, we presented our findings at "
, Link.link (Link.external "https://www.blackhat.com/us-23/briefings/schedule/#tsshock-breaking-mpc-wallets-and-digital-custodians-for-billion-profit-33343") [] [text "Black Hat USA 2023"]
, text "and"
, Link.link (Link.external "https://conference.hitb.org/hitbsecconf2023hkt/session/tsshock-breaking-mpc-wallets-and-digital-custodians/") [] [text "Hack In The Box Phuket 2023"]
, text "titled \"TSSHOCK: Breaking MPC Wallets and Digital Custodians for $BILLION$ Profit\"."
]
]
, div []
[ text "2023"
, text " "
, h2 [] [text "Audited Vietnam Citizen Card"]
, withSpacing (p [])
[ text "Performed auditing of the protocol and the chip-based Citizen Card of Vietnam."
, text "Simulation of NFC protocols conforming to ICAO 9303."
, text "Found several vulnerabilities in applications verifying the authenticity of these cards."
, text "Government applications and devices are also audited."
, text "The foundation research for the development of"
, Link.link (Link.external "https://bshield.io/") [] [text "BShield Secure-ID."]
]
]
, div []
[ text "2020 - 2023"
, text " "
, h2 [] [text "Mach-O binary format analysis and obfuscation"]
, withSpacing (p [])
[ text "Research into Mach-O binary format, which is used in Apple devices."
, text "Proposed obfuscation for the Mach-O binary."
, text "Familiar with tools for pentesting iOS applications."
]
]
, div []
[ text "2021"
, text " "
, h2 [] [text "LLVM based Obfuscation"]
, withSpacing (p [])
[ text "Build a LLVM based obfuscation compiler."
, text "Extend"
, Link.link (Link.external "https://doi.org/10.1109/SPRO.2015.10")
[] [text "Obfuscator-LLVM"]
, text "with"
, Link.link (Link.external "https://doi.org/10.1007/978-3-540-77535-5_5")
[] [text "Mixed Boolean-Arithmetic"]
, text "as well as many other obfuscation passes."
, text "Fully updated to LLVM 14 with support for both new and legacy pass manager."
, text "A CTF challenge is released obfuscated using our obfuscator in"
, Link.link (Link.external "https://twitter.com/hgarrereyn/status/1477919411977830402")
[] [text "TetCTF 2022"]
]
]
, div []
[ text "2019-2020, 2022-2023"
, text " "
, h2 [] [text "Windows Live Memory Forensics"]
, withSpacing (p [])
[ text "Research into Windows Forensics."
, text "Learned techniques used in Memory Forensics and familiar with tools like Volatility."
, text "Develope a new method for Live Forensics using Memory Forensics without Memory Extraction."
, text "A prototype is implemented, capable of inspecting the kernel global variables, structures,"
, text "and performing"
, Link.link (Link.external "https://doi.org/10.1016/j.diin.2016.01.005")
[] [text "Pool Tag Quick Scanning."]
, text "This prototype is updated in 2023 to also detect injected code in processes for detection of"
, text "DLL Injection, Reflective DLL Injection, Process Hollowing, and similar malware techniques."
]
]
]
publications : Html msg
publications =
div []
[ h1 [] [text "Publications"]
, text "Most of my publications are drafts and not reviewed paper."
, text " "
, text "Because I am not in an academic environment so I do not know how to publish."
, br [] []
, br [] []
, withSpacing (div [])
[ text "New Key Extraction Attackson Threshold ECDSA Implementations."
, text "Duy Hieu Nguyen, Anh Khoa Nguyen, Huu Giap Nguyen, Thanh Nguyen, Anh Quynh Nguyen."
, text "August 2023."
, br [] []
, Link.link (Link.external "https://verichains.io/tsshock") [] [text "[website]"]
, Link.link (Link.external "https://www.verichains.io/tsshock/verichains-tsshock-wp-v1.0.pdf")
[Attributes.target "_blank"]
[text "[whitepaper]"]
, Link.link (Link.external "https://youtu.be/1ks2jcS7UE4") [] [text "[HITB Recordings]"]
]
, br [] []
, withSpacing (div [])
[ text "(Draft) Obfuscate API calls in Mach-O Binary."
, text "Anh Khoa Nguyen."
, text "Expecting 2024."
, br [] []
, Link.link (Link.external "macho-obfuscation.pdf")
[Attributes.target "_blank"]
[text "[pdf]"]
]
, br [] []
, withSpacing (div [])
[ text "(Draft) Live Memory Forensics Without RAM Extraction."
, text "Anh Khoa Nguyen, Dung Vo Van Tien."
, text "Expecting 2024."
, br [] []
, Link.link (Link.external "live-memory-forensics.pdf")
[Attributes.target "_blank"]
[text "[pdf]"]
]
, br [] []
, h2 [] [text "Dissertations"]
, withSpacing (p [])
[ text "After I graduated, I often advise undergraduate students on their dissertations."
, text "The list below contains my dissertation and dissertations I advised."
]
, withSpacing (div [])
[ text "Windows Memory Forensics: Finding hidden processes in a running machine."
, br [] []
, text "Author: Anh Khoa Nguyen."
, br [] []
, text "Advisors: An Khuong Nguyen, Le Thanh Nguyen, Quoc Bao Nguyen."
, br [] []
, text "Year: 2020"
, br [] []
, Link.link (Link.external "https://drive.google.com/file/d/1Z_cKtBsi_gm8ugsrnAEPo-Wmx9GAuaSK/view?usp=sharing")
[Attributes.target "_blank"]
[text "[pdf]"]
]
, br [] []
, withSpacing (div [])
[ text "Windows Memory Forensics: Detecting hidden injected code in a process."
, br [] []
, text "Author: Vo Van Tien Dung."
, br [] []
, text "Advisors: An Khuong Nguyen, Anh Khoa Nguyen."
, br [] []
, text "Year: 2023"
, br [] []
, Link.link (Link.external "https://drive.google.com/file/d/1X18tr4OvcNYRoyxzTcsxM_MgjcqVW1sk/view?usp=sharing")
[Attributes.target "_blank"]
[text "[pdf]"]
]
]

80
content/blog/malware-neutralization.md Normal file
View File

@ -0,0 +1,80 @@
---
title: "Malware Neutralization"
subtitle: ""
summary: ""
tags: ["program analysis", "binary analysis", "program synthesis", "malware"]
categories: []
published: "2023-11-05"
featured: false
draft: false
---
# Malware Neutralization
In this blog post, I will describe a novel idea for software security named "Malware Neutralization". At the moment, everything said in here is theoretic. There will be no implementation, or even a PoC. It could be a new topic for furthur research in the future, I don't know.
## Motivation
Ever download something online and got "infected"? The problem with overwhelming distribution of software (legit and non-legit) is the validity of the software. Software downloaded could be infected or modified with malware components. And not only software, documents file can be infected too.
How are we dealing with this issue? Easy answer, we remove them as soon as we detect them as "malware". Is this the best solution? Are there any other way to solve this issue? I propose **Malware Neutralization**.
## Concept
So what is **Malware Neutralization**? The concept is easy to explain in a few lines. We remove malware components in the binary (be it software or documents) while keeping other components. This effectively keep the "good" and does not remove the file from running.
The steps to make this work can be illustrated below:
1. Detect malicious components
2. Remove malicious components
3. Repair the binary
In the following sections, we will go into each of these steps and discuss their technical view.
## Steps
### Detecting malicious components
This step is easy to understand, we must be able to detect the malicious components for a given binary file. This involves a compilation of all malware infection techniques (I shall call this malware embeding). If we do not know about the techniques used for malware embeding, we cannot deploy a good detection method.
Detecting the malicious components cannot be easily applying YARA signatures or normally detection based on heuristics. These detection techniques are for quick classification of software. In this context, a quick classification is not enough, we demand all malicious components be found to carry on. This requirement is strict and might appear hard to find a fully working method.
I suggest using Machine Learning or Deep Learning model to tackle this problem. Although I am not an AI guy, but with my limited knowledge of malware detection, I believe this way is the fastest.
### Removing malicious components
After all malicious components are found, the next step is simply removing them from the binary. This could be simply done through overwriting their place with a series of dummy bytes, i.g., 0x00. In practical scenario, this involves direct assembly patching for executable binaries or encoding/decoding of documents files (OLEs, or zip streams).
The hardest part of this step is probably how much should we remove. Without evidence, I guess that malicious components might spans over a large part of the binary, but the detection might only be able to discover a part of them. This might strongly effect how we approach the removal step, mostly on the degree of removal. Should a whole function be removed or only a part of what is detected is removed. These questions are subtopic to be researched.
### Repairing the binary
And the last step, repairing the binary. People with less familiarity with Program Synthesis might not understand what Repairing means. So I give a short description on Automatic Program Repair, a subtopic of Program Synthesis.
> Automated program repair is an emerging suite of technologies for automatically fixing errors or vulnerabilities—bugs, colloquially—in software systems. Automatic program repair as a research field focuses on a class of techniques that produces source code-level patches for such bugs, of the same variety that programmers produce in addressing a defect they find in their own programs or in response to a bug report. Thus, at a high level, an automatic repair approach takes as input a program and some evidence that the program has a bug (commonly, a failing test) and produces a patch for that programs source to fix that bug, ideally without negatively influencing other correct functionality.
I found this in the introduction of the book [Automatic Program Repair](https://www.computer.org/csdl/magazine/so/2021/04/09461040/1uCdJpSV13a).
So what does that have to do with this step? Obviously, we only want to neutralize malware components found in the binary. However, some of the techniques for malware embeding might involve strong binding with the underlying valid components. Thus even after you successfully remove all malware components, the binary cannot be executed successfully. To solve this issue, I propose using Automatic Program Repair to recover the removed components without breaking the execution flow.
Ofcourse, this proposed method contains multiple problems that should be looked at independently to complete this step effectively. One of the first problem is how should we build constrainst to fill this removed part. For assembly, it could be maintaining the stacks and registers, but that is open to arguements. Another problem that might arise is the algorithm used to define the correct "fixes". This could be done through logic examination of programs (Program Semantics) or through Machine Learning / Deep Learning or even through LLM. Of course, these "algorithms" must compete in their effectiveness, robustness, and speed.
This step is proposed to use a relatively novel technology called Program Synthesis. There could be other technology for the recovering/repairing of the removed parts to render the program executable without errors emerging from our removal of malicious components.
## Conclusion
To recap, we define **Malware Neutralization** as a process to neutralize a binary, either software executable or documents files or other types of files susceptible to malware embeding. We also list out an overall step-by-step to perform this process, together with their technical problems.
**Malware Neutralization** are relevant to nowadays software and files distribution. Distribution of files can be unsafe due to many factors. And by removing the malicious components embeded inside the file, neutralization, the file can be used normally without fear of malware infection.
The proposed idea is an innovative way of ensuring safety to our daily lives of files downloads. While still maintain the overall content of the file to be executed or read, without having to remove them as awhole when flagged as a malware.
> I should emphasize that this is not for malware with only malware functionality.
## Research?
I leave my idea open to the world. Researchers interested in this problem can carry on the research with the following guidelines described above (or not, you are free to explore all methods). This research should be a joint research of several topics together, including Malware Analysis, Program Analysis, Binary Analysis, Assembly, Machine Learning, Deep Learning, Large Language Modeling, Program Synthesis, Program Semantics, Formal Assembly, as such. It will be hard to tackle all of them at once, I suggest tackle what is familiar with you first and solve them seperately. After all steps are implemented, a PoC should be produced to prove the overall performance.
I may work on this problem when I have an opportunity and when my research is aligned with my target. In the near future, I might work on something else not relating to this idea. However, I would love to hear from researchers taking my idea to the test.

BIN
public/cv.pdf
View File

Binary file not shown.

BIN
public/live-memory-forensics.pdf Normal file
View File

Binary file not shown.

BIN
public/macho-obfuscation.pdf
View File

Binary file not shown.

BIN
public/nganhkhoa.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 68 KiB