Sharing the Team’s Recent Research at DefCon & BlackHat

June 19, 2018

At River Loop Security, we are always looking to advance the state of cybersecurity research alongside our work tackling our clients’ toughest problems. Presenting our research at computer security conferences is one way that we hope to share our lessons learned with the community.

This summer, we’re excited to present at BlackHat USA and DefCon. We’ll be showcasing some select areas of our team’s research: 1) RF Fuzzing and Hardware Tools, 2) Reversing a Windows Antivirus Emulator, 3) Understanding Attack Attribution. We aim to empower others to understand currently uncharted (or at least less charted!) areas, as well as share ways to frame complex problems facing the industry today.

We hope that some of you are able to make it to the conferences. We are looking forward to connecting with old friends – and make new ones as well. We’d welcome the opportunity to meet up with you to discuss any of these topics or your cybersecurity priorities and how we could potentially assist. If you’re interested, please reach out to us at or contact us.

Embedded: RF Fuzzing and Hardware Tools

At BlackHat Arsenal and DefCon, Matt Knight and Ryan Speers are discussing the TumbleRF radio fuzzing framework, which we created as an open-source hardware and software framework for fuzzing arbitrary RF protocols – all the way down to the PHY (physical) layer. Many in the security community have used software fuzzing frameworks in projects – including on embedded assessments – to identify bugs which could be security weaknesses. However, applying these methodologies to RF systems has historically been challenging as the tools are siloed and commodity RF chipsets impose limitations on what types of fuzzing can be done (e.g., at lower layers than they expose).

We felt that these shortfalls needed to be addressed to help drive security research forward in these spaces. We abstracted the hardware interfaces and set up core fuzzing logic which can be mapped to different RF drivers. As a result, supporting a new radio involves now oftentimes means just extending an API, rather than writing a protocol-specific fuzzer from scratch.

We’re also excited to introduce Orthrus, a low-cost 2.4 GHz offensive radio tool that provides PHY-layer mutability to offer Software Defined Radio-like features in a flexible and low-latency embedded form factor.

We hope that by combining the TumbleRF and Orthrus, researchers will be able to fuzz and test RF protocols with greater depth and precision than ever before. If you can attend, we hope that you leave this talk with an understanding of how RF and hardware physical layers actually work, and how to identify security issues that lie latent in these designs.

Windows: Reversing an Antivirus Emulator

On the Windows side, we’re proud to have Alex Bulazel at Blackhat sharing “Windows Offender: Reverse Engineering Windows Defender’s Antivirus Emulator,” where he will present his experience looking at the emulation code within Windows Defender’s 30,000+ function mpengine.dll. Through looking at many anti-viruses and similar security technologies over the years, we have often (alarmingly) found that these tools can add significant attack surface to the system that they are intended to protect. He’ll discuss the emulator which executes potentially malicious Windows PE binaries – covering a number of topics in technical depth including emulator internals (bytecode to intermediate language lifting and execution); memory management; Windows API emulation; NT kernel emulation; and file system and registry emulation.

However, perhaps most interesting to us is sharing how Alex built the tooling to assist in reverse engineering the emulator and writing instrumentation tools (and static analysis scripts) for the project. Although most of our time is spent in the depths of embedded systems, Alex enjoyed investigating this unusual environment.

Attacker Attribution

When we take a step back from the deep technical topics, we’re glad to be able to share thoughts on one of the problems currently facing the industry – the topic of attribution. Mara Tam’s presentation at Black Hat, “No Royal Road … Notes on Dangerous Game,” looks at not only the “how” and the “who” behind attacks, but also the “why”. Although there have been a number of public announcements attributing attacks to specific groups – both by private industry and by government entities – and extensive focus on how the attacks are carried out, the reasoning behind these attacks and the adversary’s requirements is often neglected. Mara will share her views on how nation-states have used malware as a form of geopolitical signalling, the myth of vendor neutrality in the nation-state threat ecosystem, and opportunistic distortion of technical analysis.