DAY 2 - 2nd July 08

START | END | TOPIC | COMPANY

09:00 | 10:15 | Heaps about heaps | Brett Moore, Insomnia Security

This presentation will briefly explain old heap exploitation techniques, but focus on detailing various new methods that can be used when overwriting heap structures, including:
1. Improved lookaside list manipulation
2. Is the write-4 really, really dead?
3. Tricks to flip the heap and stack
4. Factors in heap layout

It will be technical, and an understanding of the heap is advised. It will include a step-by-step demonstration of working a published advisory through to a working exploit, including:
1. Reproducing the vulnerability
2. Locating the cause of the vulnerability
3. Overwriting a function pointer
4. Turning off DEP and gaining execution flow

10:15 | 10:30 | Coffee and Tea Break |

09:15 | 10:15 | Buffered Code Execution | Matthew Conover, Symantec

This presentation will cover a new prototype developed in Symantec Research Labs to run kernel-mode drivers from user mode. This technology is primarily intended to sandbox a rootkit driver and monitor its activities. Using this technique, the rootkit driver's activities can be controlled. Rather than relying on emulation, the rootkit code is run directly on the native hardware, but at ring 3. When the rootkit tries to use privileged instructions or to read, write or execute kernel-mode memory, the faults are captured and proxied into the kernel, allowing the rootkit to function normally while preventing it from escaping the sandbox. The presentation will discuss the technology behind the prototype and demo the tool in action.

11:45 | 12:45 | Lunch |

12:45 | 14:00 | Killing the myth of Cisco IOS rootkit | Sebastian Muniz, CORE Security

Rootkits are very common in the most popular operating systems like Windows, Linux, Unix and any variant of those, but they are rarely seen in embedded OSs. This is because embedded OSs are usually closed source, so the internals of the OS are unknown and the reverse engineering process is harder than usual. In real life it is very common that once an attacker takes control of a system, he or she needs to maintain access to it, so a rootkit is installed. The rootkit seizes control of the entire system running on that hardware by hiding files, processes and network connections, allowing unauthorized users to act as system administrators, etc.

This paper demonstrates that a rootkit with those characteristics can be easily created and deployed for a closed source OS like IOS and run unnoticed by system administrators, surviving most, if not all, of the security measures recommended by experts in the field.

As proof of this, different ways to infect a target IOS will be shown, such as runtime patching and image binary patching. To discuss the binary patching technique from a practical point of view, DIK (Da Ios rootKit), a set of Python[1] scripts that provides a generic rootkit implementation for IOS, will be introduced.

14:00 | 15:15 | PhlashDance, fuzzing your way to expensive bricks | Richard Smith, Hewlett-Packard

This presentation intends to discuss a new class of attack termed Permanent Denial Of Service (PDOS), targeted against embedded devices. Specifically, a particular manifestation of PDOS will be discussed which targets the firmware update mechanisms of embedded devices; such abuses of flash update mechanisms to cause PDOS conditions have been named Phlash attacks (cuz every attack needs a 'ph', right!). Phlash attacks targeting both the flash update mechanisms of devices and the structure of the binary firmware images themselves will be discussed in a generic way. The presentation will also discuss the development of a generic fuzzing framework called PhlashDance, which aims to assist in the automatic identification of PDOS vulnerabilities across an extensible range of embedded devices. Beyond the pure technicalities of how Phlash attacks may be mounted, the presentation will also discuss why such novel attack vectors will be of particular concern to technology vendors, and the difficulties faced in responding to and mitigating such vulnerabilities.

15:15 | 15:30 | Beer Break |

15:30 | 16:45 | Hacking RFiD devices – Singapore Passport? | Adam Laurie

RFID is being embedded in everything... from passports to pants, door keys to credit cards, mobile phones to trash cans, pets to people even! For some reason these devices have become the solution to every new problem, and we can't seem to get enough of them...

This talk will look at the underlying technology, what it's being used for, how it works and why it's sometimes a BadIdea(tm) to rely on it for secure applications, and, more worryingly, how this off-the-shelf technology can be used against itself. Software and hardware tools and techniques will be discussed and demonstrated, and a range of exploits examined in detail.

16:45 | 17:00 | Break |

End of Day 2

Powered by SyScan © 2009 SyScan'09