Know your community – Stefan Esser

Credit to Author: Maor Schwartz| Date: Wed, 05 Apr 2017 07:22:14 +0000

One of the first names I knew of when I entered the security field was Stefan Esser (@i0n1c): the guy that dropped 10 0-days in 2013 during SyScan, founder of SektionEins GmbH, CEO of Antid0te UG, speaker at all major security conferences and today one of the most talented security researchers.

I had the honor to interview Stefan about the security community, his research on iOS and PHP, his relationship with Luca Todesco and more.

Questions

Q: How many years have you been working in the security field?

A: I started around 1997 to develop RTE (runtime encryption) tools for MS-DOS and a year later for Windows PE files (CrackStop, PE-SHIELD, PE-PACK). A little bit later, around 1998, I started to look for vulnerabilities in Linux daemons and PHP.

Q: What was your motivation for getting into the security field in the first place?

A: The person that got me into vulnerability research was Scut [TESO] who invited me to join the team after seeing my work on RTE. He thought finding vulnerabilities and writing exploits was the right thing for me.

And he was right. While I had loved the cat and mouse game of writing runtime crypters and unpackers the idea that you can write a piece of code that will influence another running program and make it do what you want was thrilling.

Q: What was the first vulnerability you found?

A: After all these years I forgot what vulnerability was the first one I found. But I will never forget my first really critical bug: PHP RFC1867 file upload.

Q: How did you feel when you found the vulnerability?

A: For me finding vulnerabilities and writing exploits for them has always been like solving complicated puzzles or riddles. It is like a stream of never ending challenges and solving them makes me feel good.

Q: Did someone help you?

A: Well my first steps in security were helped by Scut. We shared source code of exploits and discussed exploitation techniques for the bugs we found. We also made it a game to write the shortest shell code.

But back when I started there was a different culture. There weren’t blogs filled with exploit writeups, only exploit-sharing websites, often limited to a few comments in C code. But the really good stuff and ideas were only shared among friends in the group.

Q: What is your field of expertise in vulnerability research?

A: I prefer source code audits over anything else. At the moment I focus on OSX / iOS kernel vulnerabilities.

Q: Most people know you as an iOS / OSX security researcher, but in fact one of your areas of expertise is PHP. Do you still conduct PHP related research?

A: I did work on PHP related projects (PHP level and engine level) up until November 2016 when I left SektionEins. I cannot go into detail because that work is NDA protected.

Q: Is there some security research field that you always wanted to learn but never had a chance?

A: I have always worked as a freelancer or in small companies, which gave me a level of freedom and flexibility to look at whatever I want; this is not possible in a lot of bigger companies. But at the same time, it limited me to looking at physical products that I either own already or that there was budget to purchase. This is also how I got into MacOS and iOS security. Our company had bought Apple equipment and I had an iPhone, so researching it was obvious.

So there is a lot of stuff that I want to look into, that is just out of reach, cost wise. But if I have to narrow it down to something, I must say hardware level security (not software running on hardware).

Q: What would be your dream job? pure research? exploit development? relaxing at the beach?

A: My dream job is a job that allows me to be flexible about what I want to do. I get bored if I do the same thing over and over again. So even though relaxing at the beach sounds great, I cannot do this for more than 2 weeks at a time.

Q: You are a very experienced researcher and you had the opportunity to participate in many security conferences both as a speaker and as an attendee. What is your favorite security conference?

A: My favorite security conference is still SyScan Singapore.

Q: What kind of lectures do you like to attend or listen to?

A: I like to attend lectures about vulnerability discovery and exploitation.

Q: How do you choose your lecture topics?

A: I am usually presenting on topics that are related to my current research projects. For the last few years these have been topics in the iOS and OSX world. I gave a number of talks where I summarized how Apple improved the security of iOS and then I pointed out where they made mistakes. From time to time I also discussed the exploitation of certain bugs in my talks.

Q: What do you love most in conferences? (conference events – CTF / hacking village / Hack the badge, drinking parties etc)

A: For me the most important thing in conferences is what people have dubbed “the hallway track”. I get the chance to meet with many people face to face that are usually at the other side of the world and directly exchange ideas.

When you speak at a certain set of conferences over and over again you will realize that you always bump into the same group of people, so that attending a conference sometimes feels like meeting family.

Q: What is the most exotic place you attended a security conference at?

A: I have only attended security conferences in North America, Europe and various places in Asia. The most exotic were likely the ones in Taiwan and China, because in these countries getting around without speaking the local language is challenging. It is scary taking a taxi in China when there is not a single sign you can read or person that speaks your language.

Q: In which country have you been surprised by the size / quality of the security community?

A: Ever since my first visit to South Korea I have been surprised by the size of the security community over there and their attempts to grow their community of whitehat hackers: e.g. the BoB program.

For outsiders this is often hard to see, because not many Korean security people are publicly known in the western world. They seem to stay among themselves and often only communicate in the Korean language. Only a few of them are widely known outside Korea like beist or lokihardt.

Also very surprising for many westerners is the number of women in the security community in South Korea. I think they were also the first country that seemed to have the concept of an all-women CTF.

Q: In your opinion, how did the international security community change in the past 5 years?

A: I think there have been a number of notable developments in the international security community in the last 5 years. First there have been the Snowden leaks. Those leaks had, imho, the impact that far more people got interested in (state sponsored) surveillance and malware. We also had a boom in Anti-APT companies. I think it also had the side effect that now many seem to believe their threat model includes defense against nation states. I think it also led to way more research into crypto vulnerabilities. However that might be just my impression, because these things are covered more in the media than before.

The next thing that happened in the last 5 years is that bug bounty programs have become widespread. I love bug bounty programs because over the years I have seen a lot of highly critical vulnerabilities being disclosed by 3rd parties that stumbled over these vulnerabilities while they were using or researching a product instead of being hired.

The internet would be a lot less safe without all these unpaid 3rd party disclosures, and I think the idea that researchers are being paid by bug bounties to finance this important source of critical vulnerabilities was just the logical and fair next step.

But of course paying for vulnerabilities brought by unhired 3rd parties has also opened a can of worms. There are people who feel payment to be unfair, others want money for the simplest bugs, and then we have those that overstep the boundaries and perform borderline blackmail.

The next problem is that there are repeated quarrels about where the scope begins and ends, because of definitions that are too unspecific or not easy to understand. And of course sometimes people intentionally go out of scope in the hope of getting some extra money. In the end, it sometimes feels like the wild west because there is simply no contract between the parties that clarifies and limits stuff.

What I really dislike, is that there are people in the security community that openly look down on bug bounty submitters. You will hear statements like: “bug bounties are only for low hanging fruit” or “get a real job”. I really cannot understand these people.

The last thing I want to mention that happened in the last 5 years is that (at least for me) it seems that more and more bug hunters and researchers no longer work for classical security companies but instead get hired into vendor teams, and at least part of their job is to look at third party code.

Best example is Google’s project zero. The interesting thing here is that this means that a lot of security research these days is not financed by security consulting jobs, but instead by whatever companies like Google make their money with: e.g. Advertisement.

Q: Could you please tell us about the German security community?

A: I think the most widely known fact about the German security community is that we have the CCC with more than 5000 members and 25 (?) local chapters. These are not all hackers, but it gives you an idea about the size. In my point of view the existence of the CCC is one of the main reasons why the word hacker doesn’t have such a negative connotation in Germany as it has in other countries. However there are also a large number of security people in Germany that are not affiliated with the CCC in any way for various reasons. I am one of those.

People not organized in the CCC sometimes meet in local meeting groups like the CGNSEC meetings, which I started in Cologne and which are derived from NYSEC. A few other cities like Münster have started with similar meetings, too.

The University of Bochum has its own security major and they invite outside speakers from the security community to speak in front of the students about up-to-date topics from the security field.

The German hacking scene in general is very critical of intelligence services and things like state sponsored surveillance.

Most security people in Germany that I know of have more connections to people outside of Germany than inside.

We have/had a number of conferences every year like xxC3, PH-Neutral, Berlin Sides, Troopers that attract people from all over the world.

Black Hat 2011 was the first time you gave a lecture on iOS kernel exploration, and you used pod2g’s HFS stack buffer overflow and your own heap buffer overflow.

At SyScan in the same year you gave a lecture on “how-tos”: how to dump the iOS kernelcache and analyze its content, how to get kernel symbols and how to debug the kernel.

Then in 2013 “all hell broke loose” and you published, in the legendary lecture at SyScan 2013, 10 (!) iOS 0-days in 60 minutes.

Q: Why did you decide to “target” Apple products?

A: My first talk about Apple products was actually in November/December 2010 when I presented “Antid0te”, an implementation of library randomization for jailbroken iOS devices before iOS had ASLR. I decided to target Apple products because I had recently bought an iPhone and I was bored with PHP.

Q: Why did you decide to give the lecture in SyScan?

A: I like the SyScan conference. Also if I recall correctly 2013 was a special year. I don’t remember what exactly, maybe it was my 5th time on stage at SyScan or something like that.

Q: How long did it take you to find those vulnerabilities?

A: Some of the vulnerabilities I had known for a while, some others I found only days/weeks before the conference. Unfortunately rushing the vulnerability analysis led to me wrongly classifying the posix_spawn vulnerability as an information leak only. Only a reanalysis after the talk, prompted by a hint from Mark Dowd, revealed to me that this was actually a real memory corruption. However I learned from this failure not to rush analysis, and I was able to make another talk out of it that I presented at HITB [Hack in the Box].

Q: How did Apple respond to the lecture?

A: I never got any major reaction from Apple after my lectures. From time to time some Apple guys would approach me after my talks and ask me a few questions about it. But aside from that there has never been a real line of communication between them and me. Oh yeah: Once they gifted me an Apple *paper notebook* from the Apple merchandise store.

Q: When you start a new research project (vulnerability research on a new product), how do you prepare for it? Do you look for previous vulnerabilities? Do you read the documentation?

A: It depends on the target and my intention. If my goal is to only find a vulnerability fast I might just browse through previous vulnerabilities and check if the vendor has fixed them correctly. Often enough this is not the case. However what I like best is to find vulnerabilities with a long life time. If that is your goal you might want to spend your time auditing exactly those areas that haven’t shown up in previous vulnerabilities.

However all the vulnerabilities I have disclosed over the years are really just the tip of the iceberg. Most of the vulnerabilities I have discovered were during hired audits by vendors, often on new products when there are no previous vulnerabilities available. In this case I just try to learn as much as possible (in the limited time available) about the product and then dive into the source code (I really prefer source code) trying to find insecure code or code that violates the technical documentation (if such documentation is available at all).

Q: As an offensive security researcher, how many times do you get “shady” emails / get contacted by unknown companies asking about acquiring vulnerabilities? And what is your funniest story about someone who contacted you?

A: It happens from time to time, but it is not really often. I think I usually make it pretty clear that I don’t want to work with “shady” entities. However these days people ask me more to get trained than to directly buy exploits.

Especially when it comes to jailbreaks I was approached by the strangest people that tell you all kinds of stories why you should send them a jailbreak for the latest iOS. From accidental upgrades done by the girlfriend to some strange story about a mother with brain cancer that requires a jailbroken iPhone to install some special software.

Q: You told me that you quit SektionEins last November (2016). What are your plans for the near future? Is there a project you are interested in promoting?

A: For the next few months I have scheduled some training sessions at various conferences. The time in between will be used to upgrade the training sessions and to clean up some code. I am also working on another secret project. But I cannot disclose the nature of the project at the moment.

Q: What are your hobbies?

A: When possible I am going to the gym, but I also own a cinema flat-rate ticket.


In June 2014 the Pangu team released their “Pangu Jailbreak for iOS 7.1 – 7.1.x”. Pangu achieved the jailbreak using an infoleak you found. According to my understanding, they paid for security training sessions with you and in these sessions you showed the attendees the infoleak.

Q: Why did you use 0-days in your workshop?

A: I used 0-day because it makes it more interesting for trainees to discover real existing vulnerabilities during the training that are still unfixed. For obvious reasons I only use information leaks. Also the average trainee does not leak information from the training to the public so the 0-days I used remained usable for many months. And even after Pangu decided they wanted to make money with my vulnerabilities, published it and included it in their jailbreak tool, Apple failed like 3-4 times to fix the bugs correctly so I could still use them in training sessions.

Q: Do you still use 0-days in your workshops?

A: Until recently I used another 0-day in the workshop. It was an infoleak that would only return “partially” interesting data. So no danger at all. It survived for many months until December 2016.

In April 2015 you published a YouTube video of an iOS 8.4 beta jailbreak and said that you would not release it to the public.

In December 2016 you tweeted that someone is working on an iOS 10.2 jailbreak and you are not allowed to tell who it is.

Q: In general, do you oppose the concept of jailbreaking?

A: I have no problem with the concept of a jailbreak, besides the fact that it makes the device less secure and therefore should only be applied to test, research or “play with” devices.

What I oppose however, is the trend to do whatever it takes to release a jailbreak. I also oppose that iOS 8 and 9 jailbreaks have been paid for (a.k.a. sponsored) by entities making money from copyright infringement.

I also oppose the way these jailbreaks were made by stealing other people’s code and ideas. The two Chinese teams Taig and 25pp/Pangu even accused each other of stealing parts of each other’s jailbreak.


In the past few months there has been a “rivalry” between you and Luca Todesco. You blocked his Twitter account, he tweeted about it and then you made a reference to it.

Someone posted an “Anyone But Stefan Esser” license as a joke. Luca posted on his Yalu jailbreak that his code is under the “Anyone But Stefan Esser” license.

There are several examples where you tweeted that someone stole / used, without permission, your code. In one example you accused someone of stealing your code, but there wasn’t any license that forbade him from using the code.

Luca’s reply to that was to post “disclaimer: you may do whatever the fuck you want with code on all my repos without a license”. There are other examples, but I believe this is a good overview of the situation.

A: I would not call it rivalry. For months now Luca has repeatedly tried to provoke me. For example by releasing code under his ABSE license or just uploading code derived from my training material to GitHub. These provocations have now happened repeatedly, exactly during the time I gave a training (at a conference). I am not sure what he is trying to achieve with that.

When you enumerate the few times this happened it becomes obvious that these incidents always involve people from the same small circle: Pangu, “Fried Apple” team and Luca Todesco. This is a very small circle of people who apparently don’t care about abusing intellectual property. Luckily the vast majority of my trainees does not think it is appropriate to upload code directly derived from training material to GitHub.

When there is no license shipped with code you basically have no rights to the code at all. (But uploading code to GitHub automatically gives people some rights.) So the excuse “but there was no license that forbids it” actually achieves the opposite. So it is better in these cases to ask the author if he is okay with what you want to do with it than to assume it is ok.

Q: Do you remember what all of this started from?

A: The stream of attacks started when someone from “Fried Apple” team took code from my GitHub and just put it into “their” IDA extension, wrote his copyright at the top of the file and then asked for donations for it. I called him out for that and Luca went nuts.

Q: Do you see you and Luca as rivals? If yes, what are you competing on?

A: No comment.

Q: Don’t you believe that the security community and Apple’s customers could benefit from cooperation between you and Luca (and others)?

A: I do not want to have anything to do with Luca or his circle of friends/business partners.


It was a pleasure, Stefan, to talk to you.

You’re welcome.
