Black Hat USA 2011

Black Hat USA 2011 //briefings

Caesars Palace Las Vegas, NV • August 3 - August 4



Keynote Speaker


Cofer Black

10th Anniversary of 9/11 and Lessons Learned for Black Hat


Peiter "Mudge" Zatko

How a Hacker Has Helped Influence the Government - and Vice Versa

Mudge, front man for the L0pht, founder of @stake, author of L0phtCrack, and a pioneer in vulnerability discovery and disclosure, still calls himself a "hacker". As a senior DoD official working as a Program Manager at DARPA (the Defense Advanced Research Projects Agency), he is designing and funding cyber research programs for the U.S. Government. He is additionally working to build areas of aligned interest between the cyber security research community and the government, so that both parties can better become resources to each other where appropriate and more articulately convey divergent beliefs and goals to each other.


Briefings


Alessandro Acquisti

Faces Of Facebook: Or, How The Largest Real ID Database In The World Came To Be

Have online social networks created one of the largest databases of identities in the world? We investigate the technical feasibility and privacy implications of combining publicly available Web 2.0 images with off-the-shelf face recognition technology, for the purpose of large-scale, automated individual re-identification. A series of experiments demonstrate a high degree of success in identifying, as well as inferring sensitive information about, strangers online and offline based on profile pictures posted on popular online social networks. The results highlight the technological and legal implications of the convergence of face recognition technologies and online social networks, and the future of privacy in an augmented reality world.



James Arlen

Security When Nano-seconds Count

There's a brave new frontier for IT Security: a place where "best practices" does not even contemplate the inclusion of a firewall in the network. This frontier is found in the most unlikely of places, where it is presumed that IT Security is a mature practice: Banks, Financial Institutions and Insurance Companies. High Speed Trading, High Frequency Trading, Low Latency Trading, Algorithmic Trading: all words for electronic trades committed in microseconds without the intervention of humans. There are no firewalls, everything is custom and none of it is secure. It's SkyNet for Money and it's happening now.



Don Bailey

War Texting: Identifying and Interacting with Devices on the Telephone Network

Devices have been attached to the telephone network for years. Typically, we think of these devices in terms of modems, faxes, or TTY systems. Now, there is a growing shift in the nature of the devices that are accessible over the telephone network. Today, A-GPS tracking devices, 3G Security Cameras, Urban Traffic Control systems, SCADA sensors, Home Control and Automation systems, and even vehicles are now telephony enabled. These systems often receive control messages over the telephone network in the form of text messages (SMS) or GPRS data. These messages can trigger actions such as firmware updates, Are You There requests, or even solicitations for data. As a result, it is imperative for mobile researchers to understand how these systems can be detected by attackers on the global telephone network, then potentially abused.

These systems are increasingly capable of affecting the physical world around us. Additionally, devices attached to the phone network cannot be easily compartmentalized or firewalled from potential abusers the same way that IP enabled systems can. Therefore, understanding the threat models associated with these devices and the telephone network will allow mobile researchers and embedded engineers to correctly implement security solutions that minimize a device's exposure to threat actors.

Empirical evidence will be presented that demonstrates creative and successful ways to classify potential devices amongst millions of phone numbers worldwide. Once properly classified, devices can be interacted with in simple and efficient ways that will be revealed by the speaker. Simple scripts and software will be released that exemplify these techniques with real world examples, but are designed in a pluggable fashion that allows mobile researchers to develop their own device profiles and methods for interaction.



Marco Balduzzi

Automated Detection of HPP Vulnerabilities in Web Applications

HTTP Parameter Pollution (HPP) is a recent class of web vulnerabilities that consists of injecting encoded query string delimiters into other existing HTTP parameters. When a web application does not properly sanitize the user input, a malicious user can compromise the logic of the application to perform either client-side or server-side attacks.

To begin with, I introduce HTTP Parameter Pollution by analyzing different real attack scenarios and discussing the problems that may arise. I will then present the first automated system, called PAPAS, that we designed for the detection of HPP flaws in real web applications. PAPAS combines a modified version of Firefox with a crawler and two scanners in order to analyze web pages efficiently for the presence of vulnerable parameters that can be injected with arbitrary HPP payloads.

PAPAS has been used to conduct a large-scale experiment on the Internet by testing more than 5,000 popular websites and discovering unknown HPP bugs in many important and well-known sites such as Facebook, Google and PayPal.

The talk features a live demo of PAPAS, which has been made available as a free-to-use service recently. I will conclude the talk by discussing the different countermeasures that conscious web designers may adopt to deal with this novel class of injection vulnerabilities.



Dillon Beresford

Exploiting Siemens Simatic S7 PLCs

During this presentation we will cover newly discovered Siemens Simatic S7-1200 PLC vulnerabilities. I plan to demonstrate how an attacker could impersonate the Siemens Step 7 PLC communication protocol using some PROFINET-FU over ISO-TSAP and take control.



Ravishankar Borgaonkar + Nico Golde + Kevin Redon

Femtocells: A poisonous needle in the operator's haystack

Femtocells are an emerging technology deployed by operators around the world to enhance 3G connectivity. These secured devices are installed in the customer's home and connect the mobile phone to the mobile network operator's core network using an existing broadband connection.

Various researchers have shown in the past that these devices are not secure and it is possible to compromise these devices. However, nobody has actually published further attacks that utilized the device. We will give a short introduction to femtocell technology and show different attacks based on a rogue femtocell. These attacks can target end-users being logged into a femtocell, femtocell owners, as well as network operators.



Jonathan Brossard

Post Memory Corruption Memory Analysis

In this presentation, we introduce a new exploitation methodology for invalid memory reads and writes, based on dataflow analysis after a memory corruption bug has occurred inside a running process.

We will expose a methodology which shall help in writing a reliable exploit out of a PoC triggering an invalid memory write, in the presence of security defense mechanisms such as compiler enhancements (full RELRO, SSP...) or kernel anti-exploitation features (ASLR, NX...).

We will demonstrate how to: find all the function pointers inside a running process, determine which ones would have been dereferenced after the crash, and which ones are truncable (in particular with 0x00000000). In case all of the above fail, how to test for overwrites of specific locations in order to indirectly trigger a second vulnerability allowing greater control and eventually control flow hijacking. All of the above without source code, indeed ;)

In the case of invalid memory reads, we will exemplify how to indirectly influence the flow of execution by reading arbitrary values, how to trace all the unaligned memory accesses, and how to test whether an invalid read can be turned into an invalid write or used to infer the mapping of the binary.

We will also introduce a new debugging technique which allows for very effective testing of all of the above by forcing the debugged process to fork(). Automatically. And with a rating of the best read/write locations based on the probabilities of mapping addresses (because of ASLR).

Finally, since overwriting function pointers doesn't allow direct shellcode execution because of W^X mappings, we introduce a new exploitation technique which works even in the most hardcore kernels such as grsecurity. It is called "stack desynchronization" and allows frame faking inside the stack itself.

Those techniques are implemented in the form of a proof of concept tool running under x86 GNU/Linux, to be released during the conference: pmcma.



Fran Brown + Rob Ragan

Pulp Google Hacking: The Next Generation Search Engine Hacking Arsenal

Last year's Lord of the Bing presentation stabbed Google Hacking in the heart with a syringe full of adrenaline and injected life back into a dying art form. New attack tools and modern defensive techniques redefined the way people thought about Google Hacking. Among these were the first ever Bing Hacking tool and the Google/Bing Hacking Alert RSS feeds, which have grown to become the world's single largest repository of live vulnerabilities on the web. And it was only the beginning…

This year, we once again tear down the basic assumptions about what Google/Bing Hacking is and the extent to which it can be exploited to target organizations and even governments. In our secret underground laboratory, we've been busy creating an entirely new arsenal of Diggity Hacking tools that we'll be unveiling for the first time and releasing for free at Black Hat USA 2011. Just a few highlights of new tools to be unveiled are:

  • BaiduDiggity: first ever Baidu hacking tool, which targets vulnerabilities disclosed by China's dominant search engine. DEMO: Live targeting of vulnerabilities in Chinese government websites exposed via Baidu.
  • DroidDiggity: fully functional GoogleDiggity and BingDiggity application for Android phones.
  • GoogleCodeSearchDiggity: identifying vulnerabilities in open source code projects hosted by Google Code, MS CodePlex, SourceForge, and more. The tool comes with over 40 default searches that identify SQL injection, cross-site scripting (XSS), insecure remote and local file includes, hard-coded passwords, and much more.
  • FlashDiggity: automated Google searching/downloading/decompiling/analysis of SWF files to identify Flash vulnerabilities and info disclosures.
  • SHODAN Hacking Alerts: new live vulnerability RSS feeds based on results from the popular SHODAN hacking search engine.
  • MalwareDiggity and MalwareDiggity Alerts: leveraging the Bing API and the Google SafeBrowsing API together to provide an answer to a simple question, "Am I being used as a platform to distribute malware to people who visit my website?"
  • AlertDiggity: Windows systray application that filters the results of the various Google/Bing/Shodan Hacking Alerts RSS feeds and notifies the user if any new alerts match a domain belonging to them.
  • DiggityDLP: Data loss prevention tool that leverages Google/Bing to identify exposures of sensitive info (e.g. SSNs, credit card numbers, etc.) via common document formats such as .doc, .xls, and .pdf. Also utilizes Google APIs for searching across Google Docs/Spreadsheets for data leaks.

That is just a taste of the new tools that will be explored in this DEMO rich presentation. So come ready to engage us as we re-define Google Hacking once again. WARNING: For safety, you should be in good health and free from high blood pressure, heart, back or neck problems, motion sickness, or other conditions that could be aggravated by this adventure.




Elie Bursztein + Ivan Fontarensky + Matthieu Martin + Jean-Michel Picod

Beyond files undeleting: OWADE

You recovered a bunch of files from a used hard drive, and now what?

If you ever wanted to push Windows offline forensics to the next level, come to our talk, where we will show you how to use our open source tool OWADE (Offline Windows Analyzer and Data Extractor) to recover much interesting information from a used hard drive, including web credentials, instant messaging credentials and user habits information.

We will walk you through the entire recovery chain process and demonstrate how to use OWADE to handle Windows' various levels of encryption (Syskey, DPAPI…) and extract the maximum information from used drives. OWADE is based on our work on DPAPIck, our tool to decrypt DPAPI secrets.

We will present various statistics we computed on the data we gathered from the used hard drive we bought on eBay to test and develop OWADE.

At the end of the talk we will release OWADE so you can play with it.



Jamie Butler + Justin Murdock

Physical Memory Forensics for Cache

Physical memory forensics has gained a lot of traction over the past five or six years. While it will never eliminate the need for disk forensics, memory analysis has proven its efficacy during incident response and more traditional forensic investigations.

Previously, memory forensics, although useful, focused on a process' address space in the form of Virtual Address Descriptors (VADs) but ignored other rich sources of information. In the past, some techniques of process reconstitution have been auspicious at best and erroneous at worst. This presentation will build upon lessons learned and propose more thorough ways to reconstruct process contents, and therefore a process' address space. By using the methods presented, it will be possible to further reduce the data you care about in an incident response or forensic investigation and to better apply the traditional computer security techniques such as reverse engineering, hash matching, and byte pattern or signature matching such as those provided by ClamAV and VxClass.



George Chamales

Lives On The Line: Defending Crisis Maps in Libya, Sudan, and Pakistan

Crisis maps collect and present open source intelligence (Twitter, Facebook, YouTube news reports) and direct messages (SMS, email) during disasters such as the Haiti earthquake and civil unrest in Africa. The deployment of crisis mapping technology is on its way to becoming a standard tool to collect and track ground truth from crisis zones, but very little work has been done to evaluate and mitigate the threat posed by adversaries with offensive infosec capabilities.

These platforms can provide responders and humanitarian organizations with the timely, high fidelity situational awareness necessary to direct aid and save lives. Unfortunately, they can also provide hostile national security services and other malicious groups with the information they need to target vulnerable populations, hunt down individuals, and manipulate response operations.

In this session we'll setup, operate, attack and defend an online crisis map. Bring your laptop and toolsets because you will have the opportunity to play the bad actor (a technical member of the secret police or terrorist organization) as well as the defender (the response agency, citizen on the ground, and sysadmin trying to keep the server online).

The experience will bring together everything we know and love and hate about defending online systems including buggy code, naive users, and security vs. usability tradeoffs and do so in a situation where people are dying and the adversary controls the network. We'll also introduce some not-so-typical concepts like building trust on the fly, crowdsourced verification, and maintaining situational awareness from halfway around the globe.

Each step in the process will be based on real-world deployment experiences monitoring everything from local riots to nation-wide revolutions and natural disasters. The lessons learned, vulnerabilities found, and exploits developed during the session will be taken back to the crisis mapping community, enabling them to build more secure systems and more effective, life-saving deployments.



Robert Clark

Legal Aspects of Cybersecurity (AKA) CYBERLAW: A Year in Review, Cases, Issues, Your Questions, My (Alleged) Answers

The past year has recently gotten really busy. Jailbreaking and Sony are going places not seen before (subpoenaing records from ISPs, Twitter, etc.) and we're beginning to get some recognition from court cases on the unique aspects of information technology. This presentation will look at these legal developments, particularly:

Jailbreaking; Google faces class action over wi-fi downloads yet police intercept unsecured wi-fi without a warrant and that's not a search;

Sony faces class action for negligence - what is the standard required for cybersecurity - one court has already held a bank negligent, could this happen with Sony; a magistrate denies a search warrant for a computer as over-broad stating police must exclude use of the "plain view" doctrine and conduct a tailored search using a taint team – government is appealing; similarly other judges beginning to acknowledge computers contain massive amounts of data and searches need limitations;

TimeWarner eliminating ISP competition in North Carolina; damages for seized computers; 5th Amendment and password protected computers; use and admissibility of emails in litigation; jurors and Facebook; Supreme Court looks into employer email monitoring; smart phones treated as computers and searched, in addition to Michigan State Police doing some interesting things with traffic stops and smart phones; are IP addresses personally identifiable information;

Patent wars: Microsoft in front of the Supreme Court to lower the patent standard; spouses, divorces and spyware; computer search terms: hearsay or evidence when they involve schemes to murder; and, stealing your boss' email is probably not only a crime but a bad idea.

This presentation is strongly audience driven and it quickly becomes an open forum for questions and debate.



Dino Dai Zovi

Apple iOS Security Evaluation: Vulnerability Analysis and Data Encryption

As the popular smartphone platforms have increased in popularity with consumers, many enterprises and businesses are considering broadening their support beyond their traditionally supported platforms. These new smartphone platforms such as iOS and Android, however, come with a lack of detailed understanding of their security features and shortcomings. This presentation is the result of an extended assessment of the security mechanisms and features of Apple's iOS, with an emphasis on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices.

iOS 4 implements several key security mechanisms: Trusted Boot, Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Device Encryption, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization. Each of these mechanisms' precise operation is documented in detail as revealed through static and dynamic binary analysis, as well as their strengths and any identified weaknesses.

We examine and document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail. Finally, based on the strengths and weaknesses identified, concrete recommendations will be made on what compensating measures an organization can and should take when deploying iOS-based devices for business use.



Neil Daswani

Mobile Malware Madness, and How To Cap the Mad Hatters

This talk surveys mobile malware (such as DroidDream, Ikee, and Zitmo) that has recently infected hundreds of thousands of user devices, and shows demos of how web malware threats such as drive-by-downloads and malvertising are on the horizon for mobile devices. We also discuss how behavioral-based malware detection techniques can be used to identify and neutralize such malware.



datagram

Tamper Evident Seals: Design and Security

Tamper evident technologies are quickly becoming an interesting topic for hackers around the world. Defcon 18 (2010) held the first ever "Tamper Evident" contest, where contestants were given a box sealed with a variety of tamper evident devices, many of which purport to be "tamper proof." All of these devices were defeated, even by those with little experience and a limited toolkit. Like the computer world, the security of many of these devices is over-represented, and it is difficult for the average person to compare different technologies.

This talk covers the design and uses of tamper evident devices used in the commercial and government sectors. We'll dig into the nitty gritty of how many of these devices work, the methods by which they can be defeated, and live demonstrations of defeats against common tamper evident devices.



Andy Davis

USB: Undermining Security Barriers

Although the concept of identifying and exploiting vulnerabilities in USB drivers is not new, the approach presented here will be, as it provides the capability to test any USB platform or device (previous techniques have been either device or USB-host dependent). Although the new approach is quite simple, its effectiveness has been clearly demonstrated over the past few months by identifying vulnerabilities in USB drivers of many of the well-known operating systems in use today. The presentation will cover typical USB vulnerability classes and also discuss the implications of this type of vulnerability for Endpoint security products.



Artem Dinaburg

Bit-squatting: DNS Hijacking without exploitation

Barring deliberate sabotage, we generally assume that computer hardware will work as described. This assumption is mistaken. Poor manufacturing, errant radiation, and heat can cause malfunction. Commonly, such malfunction manifests in DRAM chips as flipped bits. Security researchers have known about the danger of such bit flips but these attacks have not been very practical. Thanks to ever-higher DRAM densities and the use of computing devices outdoors and in high-heat environments, that has changed.

This presentation will show that bit flips pose a real attack vector. First, the presentation will describe bit-squatting, an attack akin to typo-squatting, where an attacker controls domains one bit away from a commonly queried domain (e.g. mic2osoft.com vs. microsoft.com). To verify the seriousness of the issue, I bit-squatted several popular domains, and logged all HTTP and DNS traffic. The results were shocking and surprising, ranging from misdirected DNS queries to requests for Windows updates. The presentation will show an analysis of 6 months of real DNS and HTTP traffic to bit-squatted domains. The traffic will be shown in terms of affected platform, domain queried, and HTTP resources requested. Using this data, the presentation will also attempt to ascertain the cause of the bit-flip, such as corruption on the wire, in requestor RAM, or in the RAM of a third party.

The presentation will conclude with potential mitigations of bit-squatting and other bit-flip attacks, including both hardware and software solutions. By the end I hope to convince the audience that bit-squatting and other attacks enabled by bit-flip errors are practical, serious, and should be addressed by software and hardware vendors.



Nelson Elhage

Virtualization Under Attack: Breaking out of KVM

KVM, the Linux Kernel Virtual Machine, seems destined to become the dominant open-source virtualization solution on Linux. Virtually every major Linux distribution has adopted it as their standard virtualization technology for the future. And yet, to date, remarkably little work has been done on exploiting vulnerabilities to break out of KVM.

We're here to fix that. We'll take a high-level look at KVM's architecture, comparing and contrasting with other virtualization systems and describing attack surfaces and possible weaknesses. Using the development of a fully-functioning exploit for a recent KVM vulnerability, we'll describe some of the difficulties involved with breaking out of a VM, as well as some features of KVM that are helpful to an exploit author.

Once we've explored the exploit in detail, we'll finish off with a demonstration against a live KVM instance.



Stefan Esser

Exploiting the iOS Kernel

The iPhone user land is locked down very tightly by kernel level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this, our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. Exploitation of iOS kernel vulnerabilities has not been discussed yet.

This session will introduce the audience to kernel level exploitation of iPhones. With the help of previously disclosed kernel vulnerabilities the exploitation of uninitialized kernel variables, kernel stack buffer overflows, out of bound writes and kernel heap buffer overflows will be discussed.

Furthermore, the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated. A tool will be released that allows selectively deactivating some of these kernel patches for more realistic exploit tests.



Thanassis Giannetsos

Spy-Sense: Spyware Tool for Executing Stealthy Exploits Against Sensor Networks

As the domains of pervasive computing and sensor networking are expanding, a new era is about to emerge, enabling the design and proliferation of intelligent sensor-based applications. At the same time, sensor network security is a very important research area whose goal is to maintain a high degree of confidentiality, integrity and availability of both information and network resources. However, a common threat that is often overlooked in the design of secure sensor network applications is the existence of spyware programs. As most works try to defend against adversaries who plan to physically compromise sensor nodes and disrupt network functionality, the risk of spyware programs and their potential for damage and information leakage is bound to increase in the years to come.

This work demonstrates Spy-Sense, a spyware tool that allows the injection of stealthy exploits in the nodes of a sensor network. Spy-Sense is undetectable, hard to recognize and get rid of, and once activated, it runs discreetly in the background without interfering with or disrupting normal network operation. It provides the ability to execute a stealthy exploit sequence that can be used to achieve the intruder's goals while reliably evading detection. To the best of our knowledge, this is the first instance of a spyware program that is able to crack the confidentiality and functionality of a sensor network. By exposing the vulnerabilities of sensor networks to spyware attacks, we hope to instigate discussion on these critical issues, because sensor networks will never succeed without adequate provisions for security and privacy.



Jennifer Granick

The Law of Mobile Privacy and Security

Increasingly, individuals use mobile devices to communicate and access the internet. Mobile security is thus increasingly important, and so are the laws that govern mobile hacking and data privacy. This talk is for anyone who uses a cell phone or hacks a cell phone. Through the speaker's professional experience with phone hackers, mobile application providers, and law enforcement requests for location tracking, attendees will learn about cutting edge legal questions on this topic, including: wiretapping/Title III, FCC regulation of IMSI catchers, jailbreaking and security, commercial and law enforcement access to device IDs and location data, cell tower triangulation and GPS tracking.



Jeremiah Grossman + Brad Arkin + Alex Hutton + Adrian Lane + John Johnson

PANEL: Trillions of Lines of Code and Counting: Securing Applications At Scale

As the entire computer security industry is fully and painfully aware, applications are the #1 target for malicious attack. Whether we're talking exploitation of Web browsers, file readers, or Web applications, the root of the problem is the same: vulnerable software, trillions of lines worth of code and counting. Now that almost every person, government, and company is online, it's difficult to imagine a bigger, more challenging, complex, and important problem to solve than application security.

Today, application security is about program execution at a scale large enough to match the threat - and that's the hard part. On an internet-wide scale, how do we go about writing more secure code? How do we deal with the massive backlog of vulnerable code already in wide circulation? What are the best strategies for ensuring code remains secure as threats evolve?

This is but a taste of the questions on the topic that our panelists, all respected experts with relevant field experience, will be ready to discuss.


Nathan Hamiel + Justin Engler + Seth Law + Gregory Fleischer

Smartfuzzing The Web: Carpe Vestra Foramina

It can be scary to think about how little of the modern attack surface many tools cover. There is no one best tool for the job and on top of that some tools don't do a great job at anything. Often in the hands of general users the capabilities and limitations are not even thought of during testing. Point, click, done. The attack surface of modern web environments as well as their protection mechanisms have become increasingly complicated and yet many tools have not adapted. Hey, Y2K called and it wants some applications tested.

There is certainly no shortage of vulnerabilities in modern web environments, but we should be looking beyond low hanging fruit at this point. In between fully automated scanners and manual testing lies a sweet spot for the identification of vulnerabilities. Some of the juiciest pieces of information are not found by vulnerability scanners but are found by humans creating custom tests. This is why the semi-automated testing space is so important. All of this complicated blending of protection mechanisms, services, and RIA technologies means that moving into the area of semi-automated testing can be fraught with failure. We detail how these failures can be avoided. We also provide a tool that begins to solve some of these problems, as well as provides analysis for your own tools and scripts. Your web applications have moved on; don't you think it's time your tools did the same?



Matt Johansen + Kyle Osborn

Hacking Google Chrome OS

Google recently announced Chrome OS powered computers, called Chromebooks, at Google I/O and the company is getting ready to market them to businesses as well as consumers. What's different about Chrome OS and Chromebooks, other than the entire user-experience taking place exclusively in a Web browser (Google Chrome), is everything takes place in the cloud. Email, document writing, calendaring, social networking – everything. From a security perspective this means that all website and Web browser attack techniques, such as like Cross-Site Scripting, Cross-Site Request, and Clickjacking, have the potential of circumventing Chrome OS's security protections and exposing all the users data.

Two members of WhiteHat Security's Threat Research Center, Matt Johansen and Kyle Osborn, have spent months hacking away on Google's Cr-48 prototype laptops. They discovered a slew of serious and fundamental security design flaws that, with no more than a single mouse-click, may victimize users by:

  • Exposing all user email, contacts, and saved documents.
  • Conducting high speed scans of their intranet and revealing active host IP addresses.
  • Spoofing messages in their Google Voice account.
  • Taking over their Google account by stealing session cookies, and in some cases doing the same on other visited domains.

While Chrome OS and Chromebooks have some impressive and unique security features, they are not all-encompassing. Google was informed of the findings, some vulnerabilities were addressed, bounties generously awarded, but many of the underlying weaknesses yet remain -- including the ease with which evil extensions can be made available in the WebStore, the ability for payloads to go viral, and for JavaScript malware to survive reboot. With the cloud and web-based operating systems poised to make an impact on our computing future, Matt and Kyle are ready to share all their never-before-seen research through a series of on-stage demonstrations.



Kevin Johnson + Tom Eston + Joshua Abraham

Don't Drop the SOAP: Real World Web Service Testing for Web Hackers

Over the years web services have become an integral part of web and mobile applications. From critical business applications like SAP to mobile applications used by millions, web services are becoming more of an attack vector than ever before. Unfortunately, penetration testers haven't kept up with the popularity of web services, recent advancements in web service technology, testing methodologies and tools. In fact, most of the methodologies and tools currently available either don't work properly, are poorly designed or don't fully test for real world web service vulnerabilities. In addition, environments for testing web service tools and attack techniques have been limited to home grown solutions or worse yet, production environments.

In this presentation Tom, Josh and Kevin will discuss the new security issues with web services and release an updated web service testing methodology that will be integrated into the OWASP testing guide, new Metasploit modules and exploits for attacking web services, and an open source vulnerable web service for the Samurai-WTF (Web Testing Framework) that can be used by penetration testers to test web service attack tools and techniques.



Dan Kaminsky

Black Ops of TCP/IP 2011

Remember when networks represented interesting targets, when TCP/IP was itself a vector for messiness, when packet crafting was a required skill? In this thoroughly retro talk, we're going to play with systems the old fashioned way, cobbling together various interesting behaviors with the last few shreds of what low level networking has to offer. Here are a few things to expect:

  • IPv4 and IPv6 Fragmentation Attacks, Eight Years In The Making
  • TCP Sequence Number Attacks In Modern Stacks
  • IP TTLs: Not Actually Expired
  • Inverse Bug Hunting: More Things Found On The Open Net
  • Rebinding Attacks Against Enterprise Infrastructure
  • BitCoin: Network Manipulation for Fun And (Literal) Profit
  • The Net Neutrality Transparency Engine

DNS might show up, and applications are going to be poked at. But this will be an old style networking talk, through and through.



Adam Laurie + Zac Franken + Andrea Barisani + Daniele Bianco

Chip & PIN is definitely broken

Credit Card skimming and PIN harvesting in an EMV world. We analyze the practicality of credit card information skimming, cloning and PIN harvesting on Chip & PIN enabled POS terminals. We intentionally ignore Magstripe skimming (which is still effective and widely used) and focus on the chip interface.



Long Le + Thanh Nguyen

ARM exploitation ROPmap

There is no doubt that ARM will be the next mainstream target of exploitation, with hundreds of millions of smartphones and tablets delivered today. There are several talks and papers about ROP on ARM, but no public ROP toolkit for ARM has been released so far, as leet hackers keep their tools private.

In this presentation we will show how ROP exploitation on ARM can be done easily via a systematic, generic approach to generate, search and chain gadgets together. A simple Intermediate Language will be presented that helps people write ROP shellcode and get it transformed automatically into a chain of gadgets. As a part of the presentation, we will release an updated version of ROPEME with additional ARM support along with a demo of advanced ROP payloads on the latest Android OS.



Anthony Lineberry, Tim Strazzere and Tim Wyatt

Don't Hate the Player, Hate the Game: Inside the Android Security Patch Lifecycle

A new Android vulnerability is discovered today. When will the phone in your pocket be patched? We studied firmware update events across millions of Android devices around the world to answer this question and many more. As it turns out, updating mobile devices is significantly more complex than in the desktop world.

Android has become a top player in the smartphone explosion. Its success is due in no small part to its openness and flexibility, enabling an entire ecosystem of unique devices built on an open-source core. This proliferation has not been without the challenge of fragmentation. In this talk, we survey what it takes to push a security update in the Android ecosystem, study prominent vulnerabilities that have affected the platform, and examine the patch history and current state of prominent devices to answer the question: What is the half-life of a vulnerability on Android?


David Litchfield

Hacking and Forensicating an Oracle Database Server



Tarjei Mandt

Windows Hooks of Death: Kernel Attacks Through User-Mode Callbacks

15 years ago, Windows NT 4.0 introduced Win32k.sys to address the inherent limitations of the older client-server graphics subsystem model. Today, win32k still remains a fundamental component of the Windows architecture and manages both the Window Manager (USER) and Graphical Device Interface (GDI).

In order to properly interface with user-mode data, win32k makes use of user-mode callbacks, a mechanism allowing the kernel to make calls back into user-mode.

User-mode callbacks enable a variety of tasks such as invoking application-defined hooks, providing event notifications, and copying data to/from user-mode. In this talk, we discuss the many challenges and problems concerning user-mode callbacks in win32k. We will show how win32k's questionable design may have introduced hundreds of subtle vulnerabilities, which so far have resulted in numerous patch bulletins. Recently, MS11-034 addressed a record number (30) of privilege escalation vulnerabilities in an effort to remove multiple bug classes related to user-mode callbacks. However, in spite of the attempts made to address these vulnerabilities, the underlying problem still persists.



Moxie Marlinspike

SSL And The Future Of Authenticity

In the early 90's, at the dawn of the World Wide Web, some engineers at Netscape developed a protocol for making secure HTTP requests, and what they came up with was called SSL. Given the relatively scarce body of knowledge concerning secure protocols at the time, as well as the intense pressure that everyone at Netscape was working under, their efforts can only be seen as incredibly heroic. But while it's amazing that SSL has endured for as long as it has, some parts of it -- particularly those concerning Certificate Authorities -- have always caused some friction, and have more recently started to cause real problems.

This talk will provide an in-depth examination of the current problems with authenticity in SSL, discuss some of the recent high-profile SSL infrastructure attacks in detail, and cover some potential strategies for the future. It will conclude with a software release that aims to definitively fix the disintegrating trust relationships at the core of this fundamental protocol.




Jon McCoy

Hacking .Net Applications: The Black Arts

This presentation will cover the Black Arts of Cracks, KeyGens, Malware on .NET Framework applications. The information in this presentation will show how a .NET programmer can do unspeakable things to .NET applications. I will cover the life cycle of developing such attacks and overcoming common countermeasures.

- This presentation will focus on C# but applies to any application based on the .NET framework.



Robert McGrew

Covert Post-Exploitation Forensics With Metasploit

In digital forensics, most examinations take place after the hardware has been physically seized (in most law enforcement scenarios) or a preinstalled agent allows access (in the case of enterprise forensics packages). These scenarios imply that the "subject" (the one in possession of the media) is aware of the fact that their data has been seized or subject to remote access. While penetration testing tools allow for surface-level access to the target filesystem, there is a lot of potential data that is being missed in unallocated space that could be accessed by file system forensic tools such as The Sleuth Kit.

In this presentation, Wesley will present a new set of tools that will allow forensic examiners and pentesters alike to image remote filesystems of compromised systems, or perform examinations directly on remote filesystems with forensic tools on the attacking machine by mapping remote drives to local block devices. This is the integration of Metasploit with a large body of existing digital forensic tools.



John McNabb

Vulnerabilities of Wireless Water Meter Networks

Why research wireless water meters? Because they are a potential security hole in a critical infrastructure, which can lead to a potential leakage of private information, and create the potential to steal water by lowering water bills? It's a technology that's all around us but seems too mundane to think about. Because a hacker can't resist exploring technology to see how it works and how to break it… because they are there? In this talk the speaker, who managed a small water system for 13 years, will first present an overview of drinking water security, review reported water system security incidents and the state of drinking water security over the past year, and will then take a deep dive into the hardware, software, topology, and vulnerabilities of wireless water meter networks and how to sniff wireless water meter signals.



Charlie Miller

Battery Firmware Hacking

Ever wonder how your laptop battery knows when to stop charging when it is plugged into the wall, but the computer is powered off? Modern computers are no longer just composed of a single processor. Computers possess many other embedded microprocessors. Researchers are only recently considering the security implications of multiple processors, multiple pieces of embedded memory, etc. This paper takes an in depth look at a common embedded controller used in Lithium Ion and Lithium Polymer batteries, in particular, this controller is used in a large number of MacBook, MacBook Pro, and MacBook Air laptop computers.

In this talk, I will demonstrate how the embedded controller works. I will reverse engineer the firmware and the firmware flashing process for a particular smart battery controller. In particular, I will show how to completely reprogram the smart battery by modifying the firmware on it. Also, I will show how to disable the firmware checksum so you can make changes. I present a simple API that can be used to read values from the smart battery as well as reprogram the firmware. Being able to control the working smart battery and smart battery host may be enough to cause safety issues, such as overcharging or fire.



Gabi Nakibly

Owning the Routing Table: New OSPF Attacks

The holy grail of routing attacks is owning the routing table of a router. We present newfound vulnerabilities in the OSPF protocol - the most popular routing protocol inside autonomous systems (AS) - which allow an attacker to own a router's routing table without having to own the router itself.

We present new attacks that falsify the LSAs of routers not controlled by the attacker while evading the "fight-back" mechanism. These attacks afford a single attacker great power to persistently falsify large portions of the routing domain's topology. This may be utilized to induce routing loops, network cuts or longer routes in order to facilitate DoS of the routing domain or to gain access to information flows to which the attacker otherwise had no access.

This is a joint work with Alex Kirshon and Dima Gonikman.



Karsten Nohl + Chris Tarnovsky

Reviving Smart Card Analysis

Smart card chips -- originally invented as a protection for cryptographic keys -- are increasingly used to keep protocols secret. This talk challenges the chips' security measures to unlock the protocols for public analysis.

Hardened security chips are protecting secret cryptographic keys throughout the virtual and physical worlds. These smart card chips are found in banking cards, authentication tokens, encryption appliances, and master key vaults.

The protection capabilities of the chips are increasingly used to also keep secret the application code running on the devices. For example, the protocols of modern EMV credit cards are not publicly known. Such obscurity is hindering analysis, hence letting logic and implementation flaws go unnoticed in widely deployed systems, including credit card systems.

We demonstrate a method of extracting application code from smart cards with simple equipment to open the application code for further analysis.



Tavis Ormandy

Sophail: A Critical Analysis of Sophos Antivirus

Antivirus vendors often assert they must be protected from scrutiny and criticism, claiming that public understanding of their work would assist bad actors. However, it is the opinion of the author that Kerckhoffs's principle applies to all security systems, not just cryptosystems. Therefore, if close inspection of a security product weakens it, then the product is flawed.

The veil of obscurity removes all incentive to improve, which can result in heavy reliance on antiquated ideas and principles. This paper describes the results of a thorough examination of Sophos Antivirus internals. We present a technical analysis of claims made by the vendor, and publish the tools and reference material required to reproduce our results.

Furthermore, we examine the product from the perspective of a vulnerability researcher, exploring the rich attack surface exposed, and demonstrating weaknesses and vulnerabilities.



Greg Ose

Exploiting USB Devices with Arduino

Hardware devices are continually relied upon to maintain a bridge between physical and virtual security. From access cards to OTP tokens, hardware devices receive limited review by application security professionals. They are often considered vastly more complex and difficult to assess than common web- and network-based applications.

In this talk I will cover a lightweight methodology to use when approaching the assessment of USB-based hardware devices. This will include the identification of trust boundaries and threat modeling, use case analysis through protocol analysis, as well as crafting a hardware device to exploit identified vulnerabilities. Not only will this methodology be described, it will be detailed through the assessment and exploitation of a hardware-based proximity sensor. Hardware-based proximity sensors attempt to enforce desktop security and lock a user's desktop when the device has been removed from the vicinity of the computer. I will describe my experience and process for assessing a USB-based proximity sensor device and its eventual exploitation using components of the Arduino hardware architecture. I will describe the entire process not from the view of an electrical engineer, but from that of an application security professional with limited knowledge of current and voltage and a hobbyist's budget.



Chris Paget

Microsoft Vista: NDA-less The Good, The Bad, and The Ugly

Five years ago I signed one of the most draconian Non-Disclosure Agreements in the computer world to get access to the source code, design specifications, threat models, developers and managers of Windows Vista for its Final Security Review. This NDA expires the day before Blackhat, meaning that I am free to talk about all of the secrets I was given during the 9 months I spent at Redmond.

In addition to a critical analysis of the entire SDL process, this talk will reveal all manner of previously-secret information about the security process that Vista went through, the reality of running an infosec program on a behemoth like Vista, and the internal workings of the Secure Windows Initiative. Expect brutal honesty, some real shock-and-awe moments, and a few unexpected twists that you probably won't see coming.



Richard Perkins + Mike Tassey

Aerial Cyber Apocalypse: If we can do it... they can too.

What could a low observable autonomous aircraft carrying 10 pounds of cyber-attack tools do to your organization's networks or your Nation's critical infrastructure? Or worse, if it were carrying something unspeakable, what would that do to expectations of public safety?

It's quiet, cheap, and able to be built in a garage using hand tools, but it packs a wallop like it was built in the Skunk Works. Unmanned Aerial Vehicles used to be the exclusive realm of governments and universities, requiring unique skills and a fat wallet to make them work effectively. We will show you how today anyone can build their own autonomous UAV that delivers a payload to any point on earth from a remote location using free and open source technology at a fraction of the cost of the bolt that holds the nose wheel on a Predator. Morals and consequences not included.

Our presentation will focus on the development and demonstration of our own autonomous UAV and the cyber-weaponry hanging under the wings. We will discuss the construction of the aircraft and support systems, design philosophy and cost. We will explain and demonstrate the capabilities of our on-board payloads, such as: attacking wireless systems, creating rogue access points or hijacking cellular phone calls. We will elaborate the ramifications and explore the threat posed by these types of systems to industry and the governments worldwide.



Alexander Polyakov

A Crushing Blow At the Heart of SAP J2EE Engine

Nowadays the SAP NetWeaver platform is the most widespread platform for developing enterprise business applications. It's becoming a popular security topic but is still not covered well.

This talk will be focused on one of the black holes called the SAP J2EE engine. Some of the critical SAP products like SAP Portal, SAP Mobile, SAP XI and many other applications lie on the J2EE engine which, apart from the ABAP engine, is less discussed but also critical.

I will explain the architecture of SAP's J2EE engine and give a complete tour of its internals. After that I will show a number of previously unknown architecture and program vulnerabilities, from auth bypasses, SMB relays, internal scans and XML/SOAP attacks to insecure encryption algorithms and cross-system vulnerabilities in the J2EE platform.

Finally, a chained attack will be presented which uses multiple logic vulnerabilities and gives full control of any version of SAP's J2EE Engine on any platform. A free tool will be presented to automatically scan custom applications for this attack.



Thomas Ptacek + Michael Tracy

Crypto for Pentesters

Some people, when confronted with a problem, think "I know, I'll use cryptography." Now they have two hundred problems.

People test cryptography and think about the wrong things. How often are keys rotated? How big should the RSA keys be? Is it safe to use SHA-1 or do they need to use SHA-256? In the real world, these questions don't matter. They're like looking at 1995-era C code and asking whether it's const-correct. It's 1995 out there for crypto. Everything is wide open.

Think of a crypto primitive, like AES or SHA-1. Key exchange. Signatures. I'd like to show you something that goes wrong with it. Something so bad you can break a cryptosystem in seconds inside a Ruby interpreter. The slow kind of Ruby interpreter. Then I'd like to show you how to use simple tools, like that interpreter and Webscarab, to test for those flaws in real apps. Without knowing anything about the crypto they're using. I think you might be surprised. Especially if you thought you needed a math degree to break real-world crypto.

I'm going to demonstrate testing techniques and explain and then generalize real-world flaws, so you can reuse the ideas behind them on applications you come into contact with. This talk comes with code, and with a sandbox app to try the attacks out on. This is the coolest stuff I've learned in the past several years. Picking these tricks up feels like it did to learn stack overflows in '95. I'm psyched to share it.



Jerome Radcliffe

Hacking Medical Devices for Fun and Insulin: Breaking the Human SCADA System

As a diabetic, I have two devices attached to me at all times; an insulin pump and a continuous glucose monitor. This combination of devices turns me into a Human SCADA system; in fact, much of the hardware used in these devices is also used in Industrial SCADA equipment. I was inspired to attempt to hack these medical devices after a presentation on hardware hacking at DEF CON in 2009. Both of the systems have proprietary wireless communication methods.

Could their communication methods be reverse engineered? Could a device be created to perform injection attacks? Manipulation of a diabetic's insulin, directly or indirectly, could result in significant health risks and even death. My weapons in the battle: Arduino, Ham Radios, Bus Pirate, Oscilloscope, Soldering Iron, and a hacker's intuition.

After investing months of spare time and an immense amount of caffeine, I have not accomplished my mission. The journey, however, has been an immeasurable learning experience - from proprietary protocols to hardware interfacing - and I will focus on the ups and downs of this project, including the technical issues, the lessons learned, and information discovered, in this presentation "Breaking the Human SCADA System."



Chris Rohlf + Yan Ivnitskiy

Attacking Clientside JIT Compilers

Just-In-Time (JIT) compilers help power most modern web browsers and are prevalent in interpreted virtual machines such as the JVM and .NET runtimes. JITs postpone deriving machine code from an intermediate format until execution time and can substantially increase performance of interpreted code. Since JITs are optimized for execution speed and generate machine code in memory by design, they raise a number of security issues. Our research surveys competing JIT designs to evaluate their comparative maturity and deep dives on the Mozilla Javascript and LLVM JITs. We wrote grammar fuzzers for ECMAScript/Javascript and LLVM IR to expose security vulnerabilities, focusing on memory corruption and information leaks. We evaluate how JIT engines may be used to bypass memory protections such as DEP and ASLR.

In addition to our destructive fuzzers we created a reusable toolchain, jitter, to help assist in our research. Our jitter tools are built on the dynamic debugging library Ragweed to track, disassemble and analyze JIT page allocations in real time. These tools are useful to both the developers of JIT engines and vulnerability researchers in generically analyzing JIT behavior. The security community has just begun to explore these complex components. We feel our ideas, tools and results will be applicable to other JIT compilers and help advance the state of security research of the modern web browsers and language runtimes that use them.



Thomas Roth

Analyzing SPDY: Getting to know the new web protocol

SPDY is Google's approach to a new standard protocol for the web. As a replacement for HTTP it offers features like multiplexing multiple requests over a single TCP connection, header compression, flow control (including prioritizing requests) and server-side push functionality. Because of the complexity that comes with such features, SPDY can also be attractive for attackers: for instance, hijacking server-side push functionality can lead to a whole new generation of XSS attacks.

This presentation is about an in-depth explanation of the upcoming standard and about the lessons learned during the implementation and testing of it.

The second half of the talk is about tools and methods for analyzing and intercepting SPDY traffic, like using a libspdy-based fork of mitmproxy for hijacking a SPDY session on the fly and pushing arbitrary content to the client.



Paul Sabanal + Mark Yason

Playing In The Reader X Sandbox

In an effort to mitigate the effects of successful exploitation of Adobe Reader vulnerabilities, Adobe announced Adobe Reader Protected Mode back in July 2010. Since its release in November 2010, very little in-depth technical information has been available about how the Adobe Reader Protected Mode sandbox works and how it was implemented.

The first part of this talk attempts to close this information gap by diving deep into the implementation details of the Adobe Reader Protected Mode sandbox. We will discuss the results of our reversing efforts to understand the mechanisms and data structures that make up the sandbox.

Using the knowledge gained in the first part, the second part then focuses on the security of the Adobe Reader Protected Mode sandbox. First, we will discuss the limitations and weaknesses of its earlier releases and their security implications, then we will discuss possible avenues to achieve privilege escalation.

At the end of our talk, we will demonstrate how an attacker could leverage the limitations and weaknesses of the Adobe Reader Protected Mode sandbox to carry out information theft or corporate espionage. We will be demonstrating a proof-of-concept information stealing exploit payload bootstrapped by exploiting a publicly known Adobe Reader X vulnerability.



David Schuetz

Inside Apple's MDM Black Box

Mobile Device Management (MDM) has become a hot topic as organizations are pressured to bring iStuff into their organization. Mobile devices are invading every level of corporate society, making the need to remotely manage and control them increasingly urgent. Apple has provided some enterprise management features, first via over-the-air configuration profiles, and beginning in 2010, full MDM support. Unfortunately, the exact features available through MDM, as well as details of the protocol itself, are tightly controlled by Apple.

This talk dissects how Apple MDM works. Starting with basic iOS configuration principles, the talk explores mobile config profiles generated by the iPhone Configuration Utility, over-the-air profile delivery, and eventually describes the key features and mechanisms behind MDM, including remote device locking and wiping. Finally, we explore how to implement your own MDM server, which allows you to manage iOS devices using official device management APIs. We also explore the security and social engineering impacts of freely available MDM servers with these capabilities.



Shreeraj Shah

Reverse Engineering Browser Components: Dissecting and Hacking Silverlight, HTML 5 and Flex

Hacking browser components by Reverse Engineering is emerging as the best way of discovering potential vulnerabilities across web applications in the era of Rich Internet Applications (RIA). The RIA space is flooded with technologies like HTML 5, Flex/Flash, Silverlight, extended DOM and numerous third party libraries. Browsers are getting hacked and attacked almost every day by attackers, worms and malware with specific scope. We have seen exploitation of these technologies on popular sites like facebook, twitter, yahoo, google to name a few.

The traditional boundaries of web applications are fading out and browsers are hosting a substantial part of the web application, including data access, business logic, encryption etc., along with the presentation layer. This makes browser components a potential target for hackers. The danger of poorly written browser components is greater in today's world and successful exploitation can have significant impact on the application.

Reverse Engineering can be applied to determine potential weaknesses by following a well-defined methodology. It covers reverse engineering the architecture of the browser layer, fingerprinting components, discovery of cross domain interactions, debugging calls, DOM inspection, decompiling components, inter-platform communication, socket call inspection and vulnerability tracing.

This paper will go over these steps in detail and help in identifying any weakness or vulnerability associated with browser components. Browsers are no longer static content loaders; they allow complicated operations in this era. Browsers can run powerful applications using HTML 5 components like WebWorkers (threads), WebSockets and Sandboxed iframes. They can load Silverlight and Flex content and allow an application to emulate a rich desktop. We will be covering the following attacks, threats and analysis techniques to dissect browser components using reverse engineering tools (the author is releasing tools along with the paper).

  • Malware and Worms leveraging XHR and WebSockets
  • Exploiting cool HTML 5 presentation features like CSS-opacity, Sandboxed iframes, Canvas etc. for potential abuses like ClickJacking and Spoofing
  • Reverse engineering Silverlight components to discover vulnerabilities and business logic secrets
  • Hacking and attacking flex/flash components via DOM
  • Protocol reverse engineering and injections AMF, WCF, JSON etc.
  • DOM injections and pollution to gain execution capabilities
  • Cross widgets and component hacking and architecture reverse engineering
  • HTML 5 usage and impact analysis (Tag and Attributes decomposition)
  • Decompilation and Static Code Analysis vectors for JavaScript/Flash/Silverlight
  • Abusing and exploiting storage and WebSQL based browser components
  • Attacking offline application mechanism
  • Quick analysis of WebWorkers and abuse scenario
  • SOP bypass and cross domain access and call reversing

We will be covering the above attacks and their variants in detail along with some real life cases and demonstrations. It is also important to understand methods of discovering these types of vulnerabilities across the application base. We will see some new scanning tools and approaches to identify some of these key issues.



Tyler Shields + Anthony Lineberry + Charlie Miller + Chris Wysopal + Dino Dai Zovi + Ralf-Phillipp Weinmann + Nick DePetrillo + Don Bailey

PANEL: Owning Your Phone at Every Layer

According to IDC, 100 million smartphones were shipped in the fourth quarter of 2010, compared to just 92 million computers. With smartphone growth rates continuing to rise, mobile security is a topic fresh on everyone's mind. Security research in the area of mobile devices has also picked up over the last few years with a diversified attack portfolio targeting every level of the mobile security stack. But which of these attack models is the most dangerous to the enterprise? Which carries the most risk? When will the monetization of mobile attacks REALLY occur? What can an organization do to save themselves?! These and other interesting mobile security questions will be posed to a panel of the top mobile security experts in the world. See what happens when they are asked to defend their turf and attack models as the best.


Marco Slaviero

Sour Pickles

Python's Pickle module provides a known capability for running arbitrary Python functions and, by extension, permitting remote code execution. However there is no public Pickle exploitation guide and published exploits are toy examples only.

This talk is a deep dive into Pickle exploitation, and is useful post vulnerability discovery; our focus is on steps to be taken once a bug has been found, not on finding new bugs. We describe the Pickle environment, outline numerous hurdles facing the discerning shellcoder and provide guidelines for writing Pickle shellcode. A survey of public Python code was undertaken to establish the prevalence of the vulnerability, and templates for shellcode writing as well as a shellcode library will be released.

In the presentation we will demonstrate a new set of tools used to generate exploits for insertion into a wide range of hapless pickles, including generic exploits as well as framework-specific exploits for Django and AppEngine.



Alex Stamos + Aaron Grattafiori + Tom Daniels + Paul Youn + B.J. Orvis

Macs in the Age of the APT

The term "Advanced Persistent Threat" has been wildly overused, often by intrusion victims attempting to make excuses for their poor security preparedness. This labeling abuse should not distract from the fact that many Western businesses are facing industrial espionage on a wide scale. These attacks utilize a very effective combination of social engineering, custom malware development and a good understanding of the weaknesses commonly found in corporate Windows networks.

The increasing market share of Macs in large and small businesses throws a wrench into the plans of attackers and defenders alike. Does the Cocoa API provide equivalent opportunities for malicious software as Win32? Should corporate IT departments utilize OpenDirectory and other Apple management technologies to take control of their Macs? Can OS X Server stand up to escalation attacks better than the oft-updated Active Directory?

This talk will attempt to answer these questions by examining how Macs compare to Windows during every step of the APT attack chain. The speakers will use their experience responding to these attacks to measure OS X against the resiliency of Windows 7 and 2008R2, and will game out how attackers can carry out each step, from initial exploitation to exfiltration, using only issues in Apple technologies. We will complete the talk with recommendations on how to handle Macs in your corporate network, and will demonstrate steps to harden OS X Servers and detect infiltration early in its lifecycle.



Bryan Sullivan

Server-Side JavaScript Injection: Attacking NoSQL and Node.js

Fallout from the browser wars has given us blazingly fast JavaScript engines - engines so fast that they're now being used for much more than just browsers. Server-side JavaScript (SSJS) is integral to many NoSQL databases such as MongoDB and Neo4j, and the web server framework Node.js is also built on SSJS. These projects score high benchmarks for speed and scalability, but does this speed come at the cost of security?

If you thought client-side JavaScript injection (better known as XSS) was dangerous, wait until you see what an attacker can do with server-side JavaScript injection (SSJI). In this talk, we'll demonstrate SSJI exploits against NoSQL and Node.js applications that allow attackers to read, write, upload and execute arbitrary files anywhere on the server. We'll also demonstrate that the programming errors that lead to these vulnerabilities are just as simple as the ones that lead to XSS. Finally, we'll conclude the presentation with techniques you can use to find and fix SSJI vulnerabilities in your own applications.



Michael Sutton

Corporate Espionage for Dummies: The Hidden Threat of Embedded Web Servers

Today, everything from kitchen appliances to television sets comes with an IP address. Network connectivity for various hardware devices opens up exciting opportunities. Forgot to lower the thermostat before leaving the house? Simply access it online. Need to record a show? Start the DVR with a mobile app. While embedded web servers are now as common as digital displays in hardware devices, sadly, security is not. What if that same convenience exposed photocopied documents online or allowed outsiders to record your telephone conversations? A frightening thought indeed.

Software vendors have been forced to climb the security learning curve. As independent researchers uncovered embarrassing vulnerabilities, vendors had little choice but to plug the holes and revamp development lifecycles to bake security into products. Vendors of embedded web servers have faced minimal scrutiny and as such are at least a decade behind when it comes to security practices. Today, network connected devices are regularly deployed with virtually no security whatsoever.

The risk of insecure embedded web servers has been amplified by insecure networking practices. Every home and small business now runs a wireless network, but it was likely set up by someone with virtually no networking expertise. As such, many devices designed only for LAN access are now unintentionally Internet facing and wide open to attack from anyone, regardless of their location.

Leveraging the power of cloud-based services, Zscaler spent several months scanning large portions of the Internet to understand the scope of this threat. Our findings will make any business owner think twice before purchasing a 'wifi enabled' device. We'll share the results of our findings, reveal specific vulnerabilities in a multitude of appliances and discuss how embedded web servers will represent a target-rich environment for years to come. Additionally, we'll launch BREWS, a crowd-sourcing initiative to build a global database of EWS fingerprinting data. Traditional security scanners largely ignore EWSs, and gathering appropriate fingerprinting data is a challenge as most reside on LANs where external scanning is not an option. As such, we're issuing a call to arms to collectively gather this critical data.



Richard Thieme

Staring into the Abyss: The Dark Side of Security and Professional Intelligence

Nothing is harder to see than things we believe so deeply we don't even see them. This is certainly true in the "security space," in which our narratives are self-referential, bounded by mutual self-interest, and characterized by a heavy dose of group-think. That narrative serves as insulation to filter out the most critical truths we know about our work.

An analysis of deeper political and economic structures reveals the usual statements made in the "security space" in a new context, one which illuminates our mixed motivations and the interpenetration of overworlds and underworlds in our global society. Crime and legitimacy, that is, are the yin/yang of society, security, and our lives. You can't have one without the other. And nobody should know this better than hackers.

This presentation will make you think twice before uncritically using the buzzwords and jargon of the profession - words like "security," "defense," and "cyberwar." By the end of this presentation, simplistic distinctions between foreign and domestic, natural and artificial, and us and them will go liquid and the complexities of information security will remain ... and permeate future discussions of this difficult domain.

As a result, we will hopefully think more clearly and realistically about our work and lives in the context of the political and economic realities of the security profession, professional intelligence, and global corporate structures.



Sung-ting Tsai + Ming-chieh Pan

Weapons of Targeted Attack: Modern Document Exploit Techniques

The most common and effective way to carry out a targeted attack is to use a document exploit. Due to political issues, we have had opportunities to observe APT (advanced persistent threat) attacks in Taiwan since 2004. Therefore we have studied and researched malicious documents for a long period of time.

Recently, we found that APT attacks (e.g. RSA) used the same technique we disclosed last year, e.g. embedding a Flash exploit in an Excel document. In order to protect users against malicious documents and targeted attacks, we would like to discuss the past, present, and future of document exploits from a technical perspective, and predict possible techniques that could be used in a malicious document in the future by demonstrating "proof of concept" exploits.

The presentation will cover four major types of document attacks:

  • Advanced fuzzing techniques.
  • Techniques against exploit mitigation technologies (DEP/ASLR).
  • Techniques to bypass sandbox and policy control.
  • Techniques to defeat behavior based protection, such as host IPS.


Mario Vuksan + Tomislav Pericin

Constant Insecurity: Things you didn't know about (PE) Portable Executable file format

One constant challenge of modern security will always be the difference between published and implemented specifications. Evolving projects, by their very nature, open up a host of exploit areas and implementation ambiguities that cannot be fixed. As such, complex documentation such as that for PECOFF or PDF is a goldmine of possibilities.

In this talk we will disclose our recent findings about never-before-seen PE (Portable Executable) format malformations. These findings have serious consequences for security and reverse engineering tools and lead to multiple exploit vectors.

PE has been the main executable image file format on the Windows operating system since its introduction in Windows NT 18 years ago. The PE file format itself can be found on numerous Windows-based devices including PCs, mobile and gaming devices, BIOS environments and others. Its proper understanding is the key to securing these platforms. The talk will focus on all aspects of PE file format parsing that lead to undesired behavior or prevent security and reverse engineering tools from inspecting malformed files due to incorrect parsing. Special attention will be given to differences between the PECOFF documentation and the actual implementation done by the operating system loader. With respect to these differences, we will demonstrate the existence of files that can't possibly be considered valid from a documentation standpoint but which are still correctly processed and loaded by the operating system. These differences and numerous design logic flaws can lead to PE processing errors that have serious and hardly detectable security implications. Effects of these PE file format malformations will be compared against several reverse engineering tools, security applications and unpacking systems. Special attention will be given to the following PE file format aspects and their malformation consequences:

  • General PE header layout with respect to data positioning and the consequences of different memory model implementations as specified by the PECOFF documentation. Use of multiple PE headers in a single file along with self-destructing headers.
  • Alignment fields and their impact on disk and memory layout, with the section layout issues that can occur due to disk or memory data overlapping or splicing. In addition to this, section table content will be inspected for issues of data hiding, and its limits will be tested for upper and lower content boundaries. We will demonstrate how such issues affect existing static and dynamic PE unpacking systems.
  • Data tables, including imports and exports, will be discussed in detail to show how their malformed content can break analysis tools but is still considered valid from the operating system loader standpoint. We will demonstrate the existence of files that can misuse existing PE features in order to cloak important file information and obstruct the reverse engineering process. Furthermore, based upon these methods, a unique undetectable method of API hooking that requires no code for hook insertion will be presented.
  • The PE file format will be inspected for integer overflows, and we will show how their presence can lead to arbitrary code execution in otherwise safe analysis environments. We will show how PE fields themselves could be used to deliver a code payload, resulting in a completely new field of programming: via the file format itself.
  • In addition to single field and table malformations, more complex ones involving multiple fields and tables will also be discussed. As a demonstration of such a use case scenario, a unique malformation requiring multiple fields working together to establish custom file encryption will be presented. This simple, yet effective, encryption that is reversed at runtime by the operating system loader itself requires no code in the malformed binary to be executed. Its effectiveness lies in a unique approach to encryption through file format features themselves in order to prevent static and dynamic file analysis tools from processing such files.

This talk will be a Black Hat exclusive; the whitepaper accompanying the presentation materials will contain a detailed description of all malformations discussed during the talk. This whitepaper aims to be mandatory reading material for security analysts. It will continue to be maintained as new information on PE format malformations is discovered.



Chuck Willis + Kris Britton

Sticking to the Facts: Scientific Study of Static Analysis Tools

The National Security Agency's Center for Assured Software (CAS) researches tools and techniques that can be used throughout the development lifecycle to evaluate and improve the assurance of software and to avoid and eliminate exploitable vulnerabilities. Over the past two years, the CAS has extensively and scientifically studied commercial and open source static analysis tools for C, C++, and Java. The purpose of this research is to determine the strengths and limitations of modern static analysis tools with respect to the flaws they identify, the flaws they miss, and the false positives they report.

This presentation will describe the CAS's most recent study of commonly used static analysis tools and include details on the test cases, methodology, and analysis techniques used. It will cover the study's conclusions, aggregate results, and trending information from previous studies, and also provide guidance for those using or considering static analysis tools.



Julia Wolf + Alex Lanstein

The Rustock Botnet Takedown

The Rustock botnet operated for several years, and at several times was the largest operating botnet on Earth sending spam emails. This talk covers the history of the botnet, and the most recent shutdown of it instigated by researchers (Operation b107). The techniques used can be generalized to the takedown of other botnets.



Fabian Yamaguchi

Vulnerability Extrapolation or 'Give me more Bugs like that, please?'

Security researchers and vendors alike know the situation: A vulnerability has been identified but it is unclear whether further vulnerabilities 'just like that' exist hidden somewhere in the code. Since application programming interfaces often dictate or induce programming patterns and simply because developers tend to copy & paste throughout the development process, it makes sense to ask whether it is possible to automatically identify functions sharing similar programming patterns in source-code to assist auditors in finding vulnerabilities similar to a known vulnerability.

To answer this question, we decided to study how other fields deal with the discovery and exploitation of patterns in data. We found that simple statistical methods from the field of machine-learning provide a promising set of tools for offensive security research and are in particular well suited to address the outlined problem of vulnerability extrapolation. To demonstrate that these methods are useful in practice despite their academic feel, we present a detailed case-study where a zero-day vulnerability is discovered based on a known vulnerability using our method. Since it is BlackHat, we will of course be presenting a working exploit as well.



Workshops


Andrew Case

WORKSHOP - Investigating Live CDs using Volatility and Physical Memory Analysis

Traditional digital forensics encompasses the examination of data from an offline or "dead" source such as a disk image. Since the filesystem is intact on these images, a number of forensics techniques are available for analysis such as file and metadata examination, timelining, deleted file recovery, indexing, and searching. Live CDs present a large problem for this forensics model though as they run solely in RAM and do not interact with the local disk. This removes the ability to perform an orderly examination since the filesystem is no longer readily available and putting random pages of data into context can be very difficult for in-depth investigations.

During this workshop we will perform a hands-on investigation of a live CD memory capture. This will include using newly developed Volatility functionality that allows for complete recovery of the in-memory filesystem. After we have recovered the filesystem, we will then gather traditional in-memory information such as process listings, memory maps, open files, and network connections. We will finish the investigation by correlating recovered data to solve the case and formulate our final results. Throughout the workshop there will be illustrations of the in-memory data structures being recovered as well as numerous source code examples, both from the Linux kernel as well as the Volatility scripts being used.

Upon conclusion of the workshop, attendees will have an understanding of the power of memory analysis, the unique issues presented by live CDs, and will be able to use Volatility in real forensics investigations. To participate, attendees only need to bring a laptop with Python installed. The live demonstrations will be done using Linux, but Windows and Mac users will also be able to fully participate. All workshop-specific materials will be provided by the instructor.



Cesar Cerrudo

WORKSHOP - Easy and quick vulnerability hunting in Windows

This short workshop will teach attendees how to easily and quickly find vulnerabilities in Windows applications by using some easy-to-use tools. I will detail step by step some simple techniques that can be used by experts and non-experts. While the techniques are simple, the results can be great. Learning these easy and fast techniques will allow attendees to do quick audits on Windows applications to determine how secure they are. I will show how to spot vulnerabilities with just a couple of clicks or with very simple and short debugging sessions. The techniques I will be showing are the same ones that allowed me to find dozens of vulnerabilities in Windows applications. I'm sure that after the workshop attendees will be able to do the same.



Gal Diskin

WORKSHOP - Binary Instrumentation Workshop for Security Experts

Binary instrumentation, in particular dynamic binary instrumentation (DBI), is a valuable tool for hackers and security experts. Most hackers/security experts use different forms of it without knowing they belong in the general category. Recently, instrumentation, and DBI in particular, has started getting more attention in the security community (see SourceFire at BH'10 and many others), but it is still relatively unknown and not widely used.

The aim of this workshop is to help people get started on using DBI by teaching them how to write instrumentation programs using the Pin DBI engine. During the workshop simple instrumentation programs for security usages will be taught and analyzed and some will be demonstrated live. The source code will be provided under the Intel open source license. At the end of the workshop you will have an understanding of what you can use DBI for and be able to begin developing your own instrumentation programs.



Lee Kushner + Mike Murray

WORKSHOP - Infosec 2021: A Career Odyssey

"There is no doubt that the future looks promising for Information Security professionals. Slowly but surely, the world is waking up to the importance of having competent information security professionals as respected members of their organization. However, with the surge in popularity, attractive compensation, and professional respect, comes increased competition.

If your future career plans include a role as an Information Security Leader, you will need to begin preparation now, so that you will be able to successfully compete for these desired opportunities.

The Information Security Career Management workshop will offer the Black Hat attendee a departure from the technical tracks, and enable them to learn how to better manage their information security careers and more effectively pursue their individual career goals. The "Career Management" workshop will be broken up into four (4) sessions–linked by a common theme–Differentiation through Targeted Skill Development. The format will allow the Black Hat Attendee to stay through the full workshop–or select specific sessions that appeal to their personal career development efforts."



Vivek Ramachandran

WORKSHOP - Advanced Wi-Fi Security Penetration Testing

This workshop will provide a highly technical and in-depth treatment of Wi-Fi security. The emphasis will be to provide the participants with a deep understanding of the principles behind various attacks and not just a quick how-to guide on publicly available tools. We will start our journey with the very basics by dissecting WLAN packet headers with Wireshark, then graduate to the next level by cracking WEP, WPA/WPA2 and then move on to real life challenges like orchestrating Man-in-the-Middle attacks, creating Wi-Fi Backdoors and solving some live CTF style challenges together!

A non-exhaustive list of topics to be covered includes:

  • WLAN Protocol Basics using Wireshark
  • Bypassing WLAN Authentication - Shared Key, MAC Filtering, Hidden SSIDs
  • Cracking WLAN Encryption - WEP, WPA/WPA2 Personal and Enterprise, Understanding encryption based flaws (WEP,TKIP,CCMP)
  • Attacking the WLAN Infrastructure - Rogue Devices, Evil Twins, DoS Attacks, MITM
  • Advanced Enterprise Attacks - 802.1x, EAP, LEAP, PEAP, IPSec over WLAN
  • Attacking the Wireless Client - Honeypots and Hotspot attacks, Caffe-Latte, Hirte, Ad-Hoc Networks and Viral SSIDs, WiFishing
  • Breaking into the Client - Metasploit, SET, Social Engineering
  • Enterprise Wi-Fi Worms, Backdoors and Botnets
  • Wireshark as a Wireless Forensics Tool
  • Programming and Scripting Wireless packet sniffers and Injectors for fun and profit

To participate, attendees need to bring a laptop with Wireshark and the Aircrack suite of tools installed (Backtrack would be recommended).


Thomas Roth

WORKSHOP - Breaking Encryption in the Cloud: Cheap, GPU Assisted Supercomputing for Everyone

It has been known for some time now that the massively parallel architecture of modern GPUs provides enormous acceleration when trying to break encryption or hash algorithms: GPUs are (depending on the algorithm and the implementation) some hundred times faster compared to standard quad-core CPUs when it comes to brute forcing SHA1 and MD5. The enormous potential can also be seen in the supercomputing business: The Tianhe-1A, leader of the Top 500 list of supercomputers, is not only equipped with 14,336 CPUs but also with 7,168 NVIDIA Tesla "Fermi" M2050 GPUs, each of which has 448 cores and 3GB RAM. Until recently, one needed to spend a lot of money to get a small cluster of GPU-assisted servers, but Amazon now provides an instance type in its EC2 cloud that sports two of the GPUs that are also used in the Tianhe-1A, resulting in a cheap way to boot up a cluster of GPU-accelerated servers that can be used for one's own purposes.

The first part of the talk will be about the design and the implementation of a massively parallel and GPU-assisted environment for breaking encryption: from the generation, storage and use of rainbow tables to brute forcing in the cloud. In the second part of the talk the "Cloud Cracking Suite" is introduced: an open source suite designed to demonstrate the performance of breaking several algorithms in the cloud.

The 'Cloud Cracking Suite' is split into two parts: the server side and the client. The server side consists of high-performance implementations of SHA1 and MD5 optimized specifically for the Fermi architecture, with an interface to use them for rainbow table generation or brute forcing, as well as a self-configuring Pyrit for WPA database generation. The client side provides an easy-to-use CLI which allows one to spawn and control a cluster for a specific task.

As the server side will be available as a hosted AMI, everyone participating can simply download the client, create an account at AWS and try it out themselves.


Mark Russinovich

WORKSHOP - Zero Day Malware Cleaning with the Sysinternals Tools

Learn how to analyze and clean zero day malware using the Sysinternals tools directly from their author, including Process Monitor, Process Explorer, and Autoruns. By enabling deep inspection and control of processes, file system and registry activity, and autostart execution points, these utilities are useful for everything from day-to-day computer maintenance to advanced system and application troubleshooting. The tools are especially effective for malware analysis and cleaning - so much so that malware commonly tries to prevent their execution. Mark focuses on the features useful for malware hunting, demonstrates their capabilities by presenting real-world cases of the tools being used to identify and clean malware, and concludes with a live analysis of the infamous Stuxnet virus.


Justin Searle

WORKSHOP - Pentesting the Smart Grid

This workshop will take a deep dive into the penetration testing of the hardware and network protocols of three of the most important systems of the Smart Grid, namely smart meters, SCADA, and synchrophasors. We'll look at the common features provided by AMI meters, dissect the ANSI C12 family of protocols they use, and the systems they connect to. Next we'll look at the most common SCADA protocols used in the Smart Grid (DNP3 and IEC 61850), the devices they control, and the infrastructure used for substation automation. Finally we'll look at synchrophasor architectures, look at their most common protocol (C37.118), and discuss how they are used in Wide-Area Monitoring, Protection, and Control (WAMPAC). To wrap up the workshop, we'll play with embedded hardware pentesting techniques and introduce a new live Linux distro created for this purpose.

  • Overview of Smart Grid Architecture
  • Deep dive into AMI Smart Meters
      • Architectural Overview
      • Functions & Data Flows Breakdown
      • ANSI C12.xx
  • Deep dive into SCADA
      • Architectural Overview
      • Functions & Data Flows Breakdown
      • DNP3 & IEC 61850
  • Deep dive into Synchrophasors
      • Architectural Overview
      • Functions & Data Flows Breakdown
      • IEEE C37.118
  • Embedded Hardware Pentesting
      • Flash/EEPROM Dumping
      • Bus Sniffing
      • Key Extraction
  • Conclusions and Wrap-up

Sumit Siddharth + Aleksander Gorkowienko

WORKSHOP - The Art of Exploiting Lesser Known Injection Flaws

OWASP rates injection flaws as the most critical vulnerability within the Top 10 most Critical Web Application Security Risks under the OWASP Top 10 project. http://www.owasp.org/index.php/Top_10_2010-A1.

This hands-on session gives attendees an overview of this vulnerability class. While topics such as SQL Injection are very well documented, there are quite a lot of other injection flaws which are not much talked about. Some of these are:

  • XPATH Injection
  • LDAP Injection
  • Hibernate Query Language Injection
  • Direct OS Code Injection
  • XML Entity Injection

This hands-on session will introduce the attendees to such less popular vulnerabilities and allow the attendees to gain an in-depth knowledge of the impact of the vulnerability.


Turbo Talks


Bradley Anstis

Affiliate Programs: Legitimate Business or Fuelling Cybercrime?

The market appears to have made some progress in fighting cybercrime, spam and all the other security threats, but how much progress have we really made? In the spam area for example, attempts have been made to take down several bot networks which had limited success. However, once Spamit, a well known affiliate program used by spammers decided to close its doors, spam levels plummeted overnight. The lingering question is: are we targeting the right sources of the problem? Should we, instead, be trying to identify the money trail in cybercrime and would disrupting the trail help reduce the explosion of cybercrime levels? Affiliate programs are run by legitimate businesses and ones not so legitimate. This session looks at the different types of affiliate programs such as pay-per-install and spam referral programs, the players involved in the cybercrime community and how we know who is legitimate and who is not.



Andrey Belenko

Overcoming iOS Data Protection to Re-enable iPhone Forensics

Data Protection is a feature available for iOS 4 devices with hardware encryption: iPhone 4, iPhone 3GS, iPod touch (3rd generation or later), and all iPad models. The introduction of this feature has complicated the iPhone forensics process because now (almost) all files on the user partition are encrypted and physical dumps are of much less value to examiners: while the filesystem seems to be intact, actual file contents are encrypted and are not suitable for analysis.

This talk will provide in-depth information about iOS 4 Data protection. More specifically, it will cover the following:

  • System keys and their hierarchy
  • Device passcode and its recovery
  • Escrow keys
  • Filesystem encryption
  • Keychain encryption


Johnny Cache

PPI-Geolocation: The Next Generation of 802.11 Visualization and Geo-Location

Johnny will present the results of his latest R&D efforts: PPI-Geolocation. PPI-Geolocation is a new technology that allows applications to encode position, orientation, signal strength, and antenna characteristics into an industry-standard pcap file. Johnny will walk us through the concepts behind the standard, as well as a tour of the entire stack of open source software support. To date, this includes Kismet, Wireshark, scapy, and the associated SDK.



Sandy Clark

Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-Day Vulnerabilities

"Good programmers write code, great programmers reuse" is one of the most well-known truisms of software development. But what does that mean for security? For over 30 years software engineering has focused on writing the perfect code and reusing it as often as possible, believing that if they can just get the bugs out, the system will be secure. In our talk we will demonstrate how the most prominent doctrine of programming is deadly for security. Analysis of software vulnerability data, including a full decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as the actual software quality. We show that (at least in the first phase of a product's existence), software vulnerabilities have different properties from software defects.

Our analysis of popular exploits shows that the attacker's learning curve can help determine when and which particular products are likely to be attacked. Improvements in those tools affect the frequency of attack, and the ultimate result is point-and-click usability. I will demonstrate that the more familiar an attacker is with your product, the more likely you are to be attacked and the more likely an attacker will succeed.


Richard Costa

The Troika of E-Discovery: Ethics, ESI, and Expertise in a Web 2.0 World

A primer of the 20 most recent "e-discovery" legal court decisions concisely covered in 20 minutes.

Aimed toward IT professionals who may find themselves having to produce records if their company is ever sued, who want to hire themselves out as an expert witness, or who may find themselves unwittingly called to testify in court over a breach of security at their workplace, this talk provides useful insight into how judges view things like server backups, data deletion, and even the use of evidence from Facebook. This practical "cheat sheet" gives real-world examples as to how to gather, use, support, and debunk digital evidence in light of actual court holdings.

For legal professionals who deal with technology cases or any matters of e-discovery, this will bring you up to speed with the most recent case holdings of immediate and practical value.


Ang Cui + Jatin Kataria + Salvatore Stolfo

Killing the Myth of Cisco IOS Diversity: Towards Reliable, Large-Scale Exploitation of Cisco IOS

IOS firmware diversity, the unintended consequence of a complex firmware compilation process, has historically made reliable exploitation of Cisco routers difficult. With approximately 300,000 unique IOS images in existence, a new class of version-agnostic shellcode is needed in order to make the large-scale exploitation of Cisco IOS possible. We show that such attacks are now feasible by demonstrating two different reliable shellcodes which will operate correctly over many Cisco hardware platforms and all known IOS versions.

We propose a two-phase attack strategy against Cisco routers and the use of offline analysis of existing IOS images to defeat IOS firmware diversity. Furthermore, we discuss a new IOS rootkit which hijacks all interrupt service routines within the router and its ability to intercept and modify process-switched packets just before they are scheduled for transmission.

This ability allows the attacker to use the payload of innocuous packets, like ICMP, as a covert command and control channel. Furthermore, the same mechanism can be used to stealthily exfiltrate data out of the router, using response packets generated by the router itself as the vehicle. We present the implementation and quantitative reliability measurements by testing both shellcode algorithms against a large collection of IOS images.

As our experimental results show, the techniques proposed in this paper can reliably inject command and control capabilities into arbitrary IOS images in a version-agnostic manner. We believe that the technique presented in this paper overcomes the last hurdle in the large-scale, reliable exploitation of Cisco IOS. Thus, effective host-based defense for such routers is imperative for maintaining the integrity of our global communication infrastructures.



Mark Kennedy + Igor Muttik

IEEE Software Taggant System

Packed files are a huge problem in the software security world. Many attackers use packers to create polymorphic code to defeat anti-malware signature systems. The Software Taggant System is designed to address this. In the physical world, a taggant is a physical marker added to explosives at manufacturing so that, either pre- or post-explosion, the manufacturer can be determined. In the software world the taggant will allow security vendors to determine what packer license key was used to create a given packed file. The taggant is cryptographically secure so it cannot be spoofed. When a malware author creates a malicious file and packs it, the taggant is added. This way security vendors can blacklist various license keys while allowing other good files with non-blacklisted keys to run. Any attempt to spoof the system is easily identified and those files blocked. This system is the result of an unprecedented cooperation between the software security vendors and the software packer providers.



Khash Kiani

OAuth – Securing the Insecure

OAuth is an emerging open-web specification that allows a growing number of organizations to access protected resources on each other's web sites. This presentation is a focused study of this user-centric identity technology and its security weaknesses. We will present concise scenarios of how insecure implementations of this protocol can be abused maliciously. We examine the characteristics of some of these attack vectors, with real-world examples, and discuss tips on secure implementation and countermeasures.



Aaron LeMasters

Heap Spray Detection with Heap Inspector

HeapInspector is a heap visualization and analysis tool. It has the ability to collect a process's heaps using both API and raw methods. Features include searching heaps for string or byte patterns (including regex), dumping heap chunks to a file, and viewing chunks in a hex editor pane. Heaps are displayed visually in a bar chart format known as the heap hash map, allowing the user to view allocations spatially. A similar chart called the heap data map overlays regular expression matches for useful patterns on top of the heap bars.

This visualization allows an investigator to quickly discover evidence of a heap spray attack and other useful information stored in an application's heap memory. This presentation will demonstrate how the utility can be used to visualize a heap spray in arbitrary applications and retrieve the shellcode. It will also cover relevant Windows internals and some challenges involved in writing this type of utility. Future direction and uses for the tool will be covered. This free tool will be released on the day of the presentation.



Katie Moussouris

From Redmond with Love!

In 2008, people thought we'd lost our minds when we announced three strategic programs: sharing vulnerability information in our products before there was an update (MAPP), finding vulnerabilities in third party products (MSVR), and predicting which vulnerabilities would get reliably exploited in a short timeframe (Exploitability Index). Well, it's 2011 and we haven't stopped coming up with crazy ideas. Come see Katie Moussouris explain what we've been up to. Katie is head of Microsoft's Security Community Outreach and Strategy team.


Jason Raber

Function Rerouting from Kernel Land "Hades"

Hades is a function rerouting tool that will subvert Windows application functions from the Kernel space. Advantages are: Detours, WinAPIOverride without the weight – When I saw that some malware was able to detect Detours and WinAPIOverride, I reversed the malware and determined that they were detecting if any unauthorized DLLs were being loaded. Detours and WAO depend on this ability to work effectively. So I created a system profiler that does not use DLL injection…



Ivan Ristic

The Ultimate Study of Real-Life SSL Issues

Big breaches make for interesting headlines, but in real life it's the small stuff that's breaking SSL for most web sites. This talk is the culmination of two years of work across three separate SSL Labs surveys, analysing virtually all SSL sites in the world. Using the hard data as a backdrop, we present the top challenges for the SSL ecosystem and give hints as to how they should be approached. We pay special attention to the less-often mentioned issues, such as insecure session cookies, mixed content, incorrect site configuration, and distribution of trust to third-party web sites.


Joe Skehan

SSH as the next back door. Are you giving hackers root access?

SSH is a broadly leveraged secure communication technology used for admin, root-level access into mission critical systems (firewalls, routers, switches, Unix, Linux, etc.) as well as for automated machine-to-machine operations in corporations and governments alike. Most organizations don't track or manage the SSH keys used to encrypt communications and authenticate systems and users, exposing them to vulnerabilities. Without concise information about the account and system access made possible by these keys, organizations are at risk of unauthorized access to sensitive data and systems. This session will address common and best practices for managing SSH encryption and authentication keys in enterprise environments.