why H.264 (MP4) play on iphone (7/6S/6) is quite annoying

Use your iPhone play H.264 (MP4) video is annoying, the problem is that sometimes the videos work, sometimes it doesn’t. As a matter of fact, the IOS are quite unstable with mp4 format and h.264 on HTML5. But why is that people always encounter the problem of MP4 not playing on iPhone 7/6S/6?

iPhone 7 Only Supports Two Types of MP4 Files Natively

1. MP4 video with H.264 codec, and the MP4 should meet below specifications:

Up to 1080P, 30fps, high profile level 4.1 with AAC-LC audio below 160Kbps, 48kHz and stereo audio.

2. MP4 video with MPEG-4 codec, and have to meet another different specifications of:

Up to 2.5 Mbps, 640 X 480 resolution, 30fps, simple profile with AAC-LC audio up to 160 Kbps, 48kHz and stereo audio.

iPhone 4S

Compatible with H.264 or MPEG-4 video format with the following specifications:If it is H.264 video, it should meet: up to 1080p, 30 frames per second, High Profile level 4.1 with AAC-LC audio up to 160 Kbps, 48kHz, stereo audio in .m4v, .mp4, and .mov file formats;

If it is MPEG-4 video, it should meet: up to 2.5 Mbps, 640 by 480 pixels, 30 frames per second, Simple Profile with AAC-LC audio up to 160 Kbps per channel, 48kHz, stereo audio in .m4v, .mp4, and .mov file formats;

Think it over? The development life cycle on iphone 4s to iphone 7 not a short period, why there were no improvement in this area?

The culprit

a. iOS10 videos not playing with X-Accel-Redirect

b. X-accel allows for internal redirection to a location determined by a header returned from a backend.

c. Different browsers (Firefox, Safari & IE) have different policies mechanism to cache.

  • TTL hold the valid time of dns entry
  • Browser should cache until TTL expires

But the major factor bother Apple development team not the above items, the issue is that they found a vulnerability in Safari.

The instigator of this vulnerability

Refer to below diagram, CFNetwork Framework embedded in core services layer. It provides the following functions.

  • Use BSD sockets
  • Create encrypted connections using SSL or TLS
  • Resolve DNS hosts
  • Work with HTTP servers, authenticating HTTP servers, and HTTPS servers
  • Work with FTP servers
  • Publish, resolve, and browse Bonjour services

Unfortunately the vulnerability found that Safari support of HTTP/0.9 and accidentally allow cross-protocol exploitation of non-HTTP services using DNS rebinding. The remediation step of Apple is that restrict HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version. Sounds like a middle man verify the communication between external and core services. However it break X-Accl-Redirect function thus H.264 (MP4) doesn’t work properly.


Apple remediation of CVE-2016-4760 (About the security content of iOS 10)

iOS 10 – Released September 13, 2016


Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A malicious website may be able to access non-HTTP services

Description: Safari’s support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.

Web browser design weakness (DNS pinning) & DNS rebinding vulnerability

Web browser pins host name to IP address but pin is easily to release with below command.

<img src:http://xxx.com:81/>

DNS rebinding vulnerability: Attacker will respond with the XML below:

<?xml version"1.0"?>
 <allow-access-from domain="*" to-ports="*" />

DNS rebinding scenario replay:

  1. Victim visits the malicious Web site hunt.com and loads the script it contains.

2. The attacker then changes the DNS entry of hunt.com in order to resolve to the internal server’s IP address, which is the target. In addition, the attacker disconnects the Web server that was running on the original IP address.

3. The script uses a timed event (setIntervall or setTimeout) to load a Web page from hunt.com. (Different browsers (Firefox, Safari & IE) have different policies mechanism to cache).

4. The victim’s Web browser executes the script and tries to connect back to hunt.com using the IP address, which is bound to it due to DNS pinning. But, as the Web server is no longer available, the connection is rejected and DNS pinning is dropped, due to the weakness described in the previous section.

5. The browser then drops the DNS pinning and does a new DNS lookup request for hunt.com. This time, the response results in a different IP address; the browser has removed from its cache the previous mapping of the server hostname (hunt.com) to an IP address, so cannot be protected from the misdirection.

6. As the new IP address points to the internal server, the attacker’s script is now able to access the internal server’s content and reveal it.

Information Supplement – iOS security function:

The security feature set on iOS or Mac OS design are advanced. The Security Server (securityd) is a daemon running in macOS and iOS that implements several security protocols, such as encryption, decryption, and (in macOS) authorization computation. The Security Agent is a separate process that provides the user interface for the Security Server in macOS (not iOS). Its primary purpose is to request authentication whenever an app requests additional privileges.

The iOS operating system isolates each and every app on the system. Apps are not allowed to view or modify each other’s data, business logic, and so on. Isolation prevents one app from knowing whether any other app is present on the system or whether apps can access the iOS operating system kernel until the device is jailbroken. This ensures a high degree of separation between the app and operating system.

iOS provides two types of isolation:

  • Process isolation
  • Filesystem isolation

Predict 2017 – a political fight on nuclear power facilities

Headline news yesterday (20th Dec 2016) report Ukraine Suffers Power Outage. It was the 2nd time of power disruption this year. As far as I remember the 1st incident occurred on Jan 2016. The motivation of this news lets information security experts re-think about BlackEnergy DDos tools.The Blackenergy soft tools found 2007, a notorious powerful distributed denial of services soft tool conducted cyber attacks suspended Georgian Soviet Socialist Republic communication facilities. Sum up the cyber attack in nuclear power facilities, it gives people to feel those incidents looks like a political fights. Sounds like naughty boy intend to turn off neighbor main water tap to create troubles.

Analyze of nuclear power facility of attacks

Hardcore type malware: Stuxnet, Duqu, and Flame are categories hardcore type malware. The hardcore type malware usually achieve the following actions.

Incident historical records:

  1. June 2010 – Stuxnet malware to sabotage Iran’s nuclear program.
  2. May 2012 – Flame malware targeted cyber espionage in Middle Eastern countries.
  3. Dec 2014 – South Korean nuclear operator hacked amid cyber-attack fears.
  4. Mar 2015 – South Korea claims North hacked nuclear data.
  5. Apr 2016 – A malware infected systems at the Gundremmingen nuclear plant in Germany.
  6. Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.

Weaponize types of malware: contains sabotage, interfere, traffic monitoring function and remote control functions.

The original goal of design for BlackEnergy is provides powerful distributed denial of service function. To meet attacker functional requirement, BlackEnergy began supporting plugins in 2007. This is the second generation of BlackEnergy. The malware plugin feature make use of mutex objects to avoid infecting the system more than once, as well as to coordinate communications among its multiple components on the host (see below diagram for reference). To evade virus and malware detection, malware avoids using a hardcoded name for its mutex.

The third generation of BlackEnergy take advantage of OLE object (CVE-2014-6352). Embedded mailicous code to MS office xls format of document gained remote code execution. Since the blackenergy hash exposed to the world (see below details for reference). More than 90% of above antivirus program can detected. It looks that the severity level of risk dropped.

SHA256: f5785842682bc49a69b2cbc3fded56b8b4a73c8fd93e35860ecd1b9a88b9d3d8

Target windows component: Win32 DLL

Attack scenario: PE32 executable for MS Windows (DLL) (GUI) Intel 80386 32-bit

Malware implant target destination:

  • Win32 Executable MS Visual C++ (generic) (67.4%)
  • Win32 Dynamic Link Library (generic) (14.2%)
  • Win32 Executable (generic) (9.7%)
  • Generic Win/DOS Executable (4.3%)
  • DOS Executable Generic (4.3%)

Status update on 21st Dec 2016

Ukraine Suffers Power Outage Possibly Due to Energy Plant Hack on 17th Dec 2016 Sat. What do you think? Do you think a new shape of blackenergy was born? My speculation is that the cyber attacks in nuclear power facilities will going to increase coming months.

For reference:



Descendant of VSAM File Organization,that is blockchain technology today

Old school boy might remember fundamental of Virtual storage access method (VSAM). I object, banking and financial institution are close with VSAM technologies day to day. Yes, they are using mainframe computer. For instance IBM S390. People discontentment of proprietary payment solution (SWIFT) sounds high! Hackers targeted payment system via the SWIFT, no significant figures show the security weakness of traditional payment system (SWIFT). Do you think the exploit come from fundamental design or it is the operation weakness? The block chain technology (bitcoins) carry out challenge to traditional payment method. For sure that it is a long run of competition. It includes intangible factors. Example: political, conflict of interest on business side, renovation of traditional payment culture,…etc.

Descendant of VSAM File structure,that is blockchain conceptual technology today

Blockchain technology – who is who?

Blockchain technology confusing me! What is bitcoin blockchain? Or it is Ethereum technology? But heard that there is another digital currencies or digital token. Oh! my god, still have smart contracts! Find the answer conclude that it is list of transactions that is replicated across a number of computers.

i. Blockchain keep track of a currency’s balances.Since it is a decentralized networks, blockchain does not have a central point of failure and is better able to avoid malicious attacks.

ii. Ethereum is an public blockchain-based distributed application platform featuring smart contract functionality.

iii. A smart contract is a digitally signed, computable agreement between two or more parties. A virtual third party work as software agent to execute and enforce at least some of the terms of such agreements.

iv. Digital tokens being used to represent different assets on a blockchain.

The overall opinion of people feel that BlockChain technologies are advanced compare with traditional payment method. See below diagram, the layering architecture of blockchain not special. If you take a closer look and focus in blockchain and share data storage layer. You will feel that blockchain design concept like IBM Mainframe VSAM file organization structure.

From design point of view, VSAM structure consists of tables, columns, primary keys, indexes, stored procedures, and views (refer to below left hand side diagram). When a direct READ is performed for a VSAM indexed file, based on an alternate index for which duplicates exist, only the first record in the data set (base cluster) with that alternate key value is retrieved. You need a series of READ NEXT statements to retrieve each of the data set records with the same alternate key.

How about block chain design structure? The terminology so called terms includes Transactor, Transaction, Ledger,World stat, Chaincode, Validating peer, Non-validating peer, Consensus and Permissioned network (refer to below right hand side diagram).

Descendant of VSAM File Organization,that is blockchain technology today.

Blockchain Key terms (copy from IBM Bluemix Docs)

The following terms are instrumental in gaining a holistic understanding of blockchain concepts:

Transactor: A network participant connected to the blockchain network through a node, who submits transactions from a client using an SDK or API.

Transaction: A request by a transactor to execute a function on the blockchain network. The transaction types are deploy, invoke, and query, which are implemented through the chaincode functions set forth in the fabric’s API contract.

Ledger: A sequence of cryptographically-linked blocks, containing transactions and the current world state. In addition to data from previous transactions, the ledger also contains the data for currently-running chaincode applications.

World state: Key-value database used by chaincodes to store their state when executed by a transaction.

Chaincode: Embedded logic that encodes the rules for specific types of network transactions. Developers write chaincode applications and deploy them to the network. End users then invoke chaincode through a client-side application that interfaces with a network peer, or node. Chaincode runs network transactions, which if validated, are appended to the shared ledger and modify world state.

Validating peer: A network node that runs the consensus protocol for the network to validate transactions and maintain the ledger. Validated transactions are appended to the ledger, in blocks. If a transaction fails consensus, it is purged from the block and therefore, not written to the ledger. A validating peer (VP) has authority to deploy, invoke and query chaincode.

Non-validating peer: A network node that functions as a proxy, connecting transactors to validating peers. A non-validating peer (NVP) forwards invocation requests to its connected validating peer (VP). It also hosts the event stream server and the REST service.

Consensus: A protocol that maintains the order of blockchain network transactions (deploy and invoke). Validating nodes work collectively to approve transactions by implementing the consensus protocol. Consensus ensures that a quorum of nodes agree on the order of transactions on the shared ledger. By resolving any discrepancies in this order, consensus ensures that all nodes operate on an identical blockchain ledger. See the consensus topic for more information and test cases.

Permissioned network: A blockchain network where each node is required to maintain a member identity on the network, and each node has access to only the transactions that its permissions allow.

For readers who are interested of block chain technology. Please refer below url for reference.

About blockchain (IBM Bluemix Docs)


Merry Christmas!

Behaviour based Malware Detection Methods, do you think it is outdated?

Whenever Windows OS or applications execute syntax action, check the registry, read or write a file, launch or close a process, etc. It result in Windows calling a service in the System Service Descriptor Table (SSDT).

Hooking SSDT technique exploits found on 2010. The problem was that attacker might fool the security check especially antivirus program. Attacker benefits on behavior of an electronic, software or other system output design limitation. A specific kind of bug given by race condition. This is so called time-of-check-to-time-of-use (TOCTTOU or TOCTOU), a vulnerability in security-conscious code. Microsoft suggest antivirus vendor use microsoft offical API, whereas the official API does not support all the required functions. Therefore antivirus vendor was still forced to use SSDT hooks to implement behavior detection.

CWE-367 – The software checks the state of a resource before using that resource, but the resource’s state can change between the check and the use in a way that invalidates the results of the check. This can cause the software to perform invalid actions when the resource is in an unexpected state.

How the code (TOCTTOU) does?

The program uses the access() system call to check if the person running the program has permission to access the specified file before it opens the file and performs the necessary operations. The program uses the access() system call to check if the person running the program has permission to access the specified file. If an attacker replaces file after the call to access() with a symbolic link to a different file, the program will use its root privileges to operate on the file even if it is a file that the attacker would otherwise be unable to modify. By tricking the program into performing an operation that would otherwise be impermissible, the attacker has gained elevated privileges.

$user = getCurrentUser();

//resolve file if its a symbolic linkif(is_link($filename)){
$filename = readlink($filename);

echo file_get_contents($realFile);
echo'Access denied';

In real world attacker change above file from a real file to a symbolic link between the calls to is_link() and file_get_contents(), allowing the reading of arbitrary files.

Hooked with inline, IAT or EAT hooks

Reference: System Service Descriptor Table (SSDT) is an internal dispatch table within Microsoft Windows. Hooking SSDT calls is often used as a technique in both Windows rootkits and antivirus software.

Why Anti-viruses not check the library modules of exe to detect hook?

Avoid false positive mainly! Antivirus detect the (SetWindowsHookEx) API call is not sufficient since it is also used by many authorized applications. For instance the fundamental design of hooking calls such as SetWindowsHookEx is for debugging.

Security expert know the weakness of anti virus program and therefore develop additional scan tool. Yes, it is a Ring 3 hook scanner. The scanner can do the following functions.

(Ring3) Scan every running process:

(Ring3) Scan only the running process with PID 

To be honest, IT guy might feel that malware running on Ring 3 is easy to figure out compare with Ring 1 and Ring 0. But properly not.


As of today, it is hard to judge behavior base malware detection method is outdated. We known that malware detector especially FireEye can arrest over 99% of malware. The reason is that the detective control of Fire-eye looks great. The device stand parallel with layer 3 core switch. The gateway type infrastructure which enhance the detection level of malware activities. It is because malware require communicate with C&C server.

Next topic we discuss Ring 1 and Ring 0 concept. Stay tuned.

Do you think 64 bit OS can secure critical facilities in your country?

Few years ago, heard that 64 bit version of windows is more secure. Expert was told, 64-bit operating systems aren’t immune to malware but security features are stronger.

Address Space Layout Randomization – incorrect guess may result in the program crashing

Mandatory Driver Signing – prevents unsigned drivers provided by malware from running on the system

Kernel Patch Protection – prevents device drivers from patching the kernel

Data Execution Protection – DEP allows an operating system to mark certain areas of memory as “non-executable

It looks that above 4 items of feature capable to protect the OS system infected by malware. Recall cyber incident history, 1st version of the Stuxnet computer virus that was used to attack Iran’s nuclear program in November 2007, being developed as early as 2005, when Iran was still setting up its uranium enrichment facility. SCADA system compatible with windows 32 bit and 64 bit OS. SCADA manufacturer strongly recommend to use 64 Bit operating systems. The 32 Bit operating systems may be used for compatibility reasons within already existing configurations. Seems we can figure out hints of malware weakness. And speculate that Stuxnet virus infect the SCADA system are run on top of windows 32 bit operating system (OS) instead of 64 bits.

Descendant Of The Malware – embedded new DLL injection technique (reflective DLL injection)

A more sophisticated of DLL injection method, so called reflective DLL injection. It loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Conceptual diagram shown as below:

Above reflective loader function will find the following target:

  • Process Environment Block (PEB) of the target process
  • suitable CPU register
  • the address in memory of kernel32.dll
  • and other required libraries

Next step: Find the memory addresses of required API functions such as LoadLibraryA, GetProcAddress, and VirtualAlloc. Relies on these API functions to load the DLL (malware) into memory and call its DllMain entry point.

Remark: What is DllMain Entry point – An optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.

In the DllMain function, you can perform only a very limited set of actions. The thing is that some DLL may be not loaded yet, and you cannot call functions from them.

Does it mean that the 64-bit operating systems not easy to implant malware?

All applications except malware would use the standard main memory. The copy (shadow memory) is designed to be used by malware. Shell code might have difficulties to pass though parameters on shadow memory space. The fact is that there are differences between x86 and x64 operating system. The 64-bit addressing capability and a flat set of 16 64-bit registers for general use. If that “shadow space” on the stack was not allocated by the caller, the function may not work as expected.

Remark: In 64 bit OS environment, the allocates pages in the shadow region on demand. That is only when page contains tag information. As every byte of tracked program data need four more bytes for its tag, part of the physical memory footprint of a process increase by a factor of four.


Believe that nuclear power facility still have 32 bit SCADA application in operation. But no harm to keep, the fact is that even though you upgrade to 64 bit OS. It is hard to guarantee you can avoid malware silently implant to your environment.

Below url is the malware attack nuclear power facilities historical information for your reference.