Day 1: 13 May 2009

Start   End     Topic   Speaker
09:00 09:30
Opening Address
Thomas Lim
CEO, COSEINC; Organiser, SyScan'09
Head of an information security company
09:30 10:30
Kostya Kortchinsky
Immunity
10:30 11:00 Coffee and Tea Break
11:00 12:00
    Finding Microsoft Office Vulnerabilities by Fuzzing Binary Files with Ruby
    While a lot of public material is available that _mentions_ fuzzing Office files, there is very little detail. While I have been dealing mainly with Word, the bulk of the techniques are applicable to any Office application. I plan to cover:

    – Reading and writing "streams" in the OLE "compound binary file" format
    – Recognising and parsing interesting structures in the Word Binary File Format
    – Highlights / 'errors' from the specification documents
    – Instrumenting Word with Win32OLE to automate the testing
    – Did it crash? Is the document sitting there open, wasting testing time?
    – Lightweight and totally flexible runtime monitoring by automating CDB with Ruby (what good's a crash without the details?)
    – Dialog Boxes You Will Meet that will hang your fuzzer thread and How to Eliminate Them
    – Turning off annoying Word 2007 Resiliency features and other ways to reduce registry bloat
    – Where Word stores its bizarre, invisible temp files (which don't get deleted if it crashes)
    – Dealing with hangs and memory eaters
    – Wrapping the whole lot up in a distributed fuzzing framework to spread the fuzzing load over as many client machines (or VMs) as you like, save all the results in a DB and even use other frameworks or languages to create test cases
    – Doing the whole lot in Ruby, because nobody else has, yet (at least nobody who has released their code)

Ben Nagy
Senior Researcher, COSEINC
12:00 13:00 Lunch
13:00 14:00
Anatomy of Web Application and Database Security
Frank Fan 范渊
CTO, Hangzhou Anheng Information Technology Co., Ltd. (杭州安恒信息技术有限公司)
14:00 14:15 Break
14:15 15:15
    Buffered Code Execution version 3 -
    Analyzing Unknown Loaded Drivers in Your Machine
    A follow-up on last year's SyScan BCE presentation. I can now "hijack" a Windows driver which is about to be executed (it has been loaded with the standard Windows loader). The benefit now is that I can run any driver which has been loaded within BCE. I can check if it is a "known safe" driver and, if not, run it using BCE. The intention is not to prevent the driver from doing anything malicious, but rather to trace/profile any unknown driver. BCE v3 can record all memory read/write events outside of its own code/stack, as well as all the APIs used and parameters passed.

    The obvious benefit to this prototype is that it will let us analyze any unknown driver loaded on the system and still allow the driver to fully function (although, there is obviously a big performance cost).
Matthew Conover
Senior Researcher,
Symantec
15:15 15:45 Coffee Break
15:45 16:45
    What's New in the New Xprobe - Case Studies

    The upcoming version of the tool, which will be released in June, is built on top of an updated scanning engine and includes a new set of plugins, including application-level discovery plugins, path discovery plugins, updated plugin prioritization and signature scoring. The presentation is built on top of network mapping, analysis and attack investigation case studies that led to the development of the tool's new features.

Fyodor Yarochkin


Day 2: 14 May 2009

