0900 - 0915
Opening and Welcome Address
Thomas Lim (Organiser, SyScan; CEO, COSEINC)

0915 - 1015
In this talk, the author presents various ways to subvert the Windows Embedded CE 6 kernel to hide certain objects from the user. The architecture and inner mechanisms of the Windows Embedded CE 6 kernel, and a comparison with the Windows CE 5 kernel, are discussed first, with a focus on memory management, process management, syscall handling, and security. Next the author explains the methods he used for hiding processes, files, and registry keys: mainly direct kernel object manipulation and hooking of handle- and non-handle-based syscalls, not only via apiset modifications but also using previously undocumented ways. The author also discusses ways to detect rootkits installed on the device. Fully functional prototype rootkits, detection programs and various monitoring utilities are presented and examined.
Petr Matousek (COSEINC)

1015 - 1030
Coffee Break

1030 - 1130
With the increasing popularity of Trusted Platform Modules (TPMs) in present-day personal computers, the software security industry faces new challenges. The forecast is that TPM functionality will be coupled with virtualised environments in order to manage secure domains where kernel layers and applications can scale in a trusted fashion. "Trust" does not necessarily imply "security", but it can suggest it. Content providers will have considerably more control over their data on users' desktops, which might bring a lot of controversy about end users' authority over their machines. Meanwhile, although all mainstream hardware and OS vendors have developed their own Trusted Computing (TC) models, none of those models has prevailed as the standard.
This imminent paradigm shift would radically change the legacy methods by which security products have dealt with malicious activities. The introduction of those locked-down layers might mean that anti-malware scanners will have to deal differently with adversaries who can achieve higher privileges. (For example, PatchGuard originally did not completely prevent patching the kernel, but it did block security applications from accessing the kernel for legitimate reasons; so malware could use those vulnerabilities, but anti-malware scanners could not.)
The purpose of this paper is to explain the implications of the next generation of hardware platforms for the software security industry. These changes will not only affect the PC architecture, but will extend to mobile platforms. Will immune implementations of trusted computing models ever render anti-malware scanners useless? Or is TC, in fact, the next weapon in the anti-malware industry's arsenal?
Gaith Taha (McAfee Avert Labs)

1130 - 1230
SCADA systems directly influence the lives and wellbeing of all civilians in almost any modernized country. The best site for an attacker to compromise in order to cause maximum damage is the control center. Much like in Aikido, an attacker can use your strengths (centralized management of assets, multiple control applications) to his benefit.
A common argument of engineering and operations personnel against the possibility of successfully launching an attack on the SCADA network of electric grid utilities is that the network is too complex for an outsider to operate. This assumption is based on the obscure communication protocols and addressing schemes in use in such networks, which do not easily allow identification of which device is using a given address or of how to control it properly.
In the whitepaper we will describe a tool that can put the above-mentioned assumption to the test. This malware is designed to cause havoc in an electric T&D control center and the grid under its command without the need for any knowledge about the network, its nodes or the EMS (Energy Management System) application. In addition, the malware is autonomous and does not rely on remote operation by the attacker after its installation.
Eyal Udassin (C4 Security)

1230 - 1330
Lunch Break

1330 - 1430
Edgar Barbosa (COSEINC)

1430 - 1530
As user-level security gets more robust, hackers continue to find vulnerabilities in the kernel. Each of these vulnerabilities requires new techniques, and because any mistake can cause a blue screen, reliability is paramount. In this talk, Kostya Kortchinsky will detail the results of his work exploiting the MS08-001 IGMP kernel overflow vulnerability.
Kostya Kortchinsky (Immunity)

1530 - 1545
Break

1545 - 1645
Over the past several years, Microsoft has implemented a number of memory protection mechanisms with the goal of preventing the reliable exploitation of common software vulnerabilities on the Windows platform. Protection mechanisms such as GS, SafeSEH, DEP and ASLR complicate the exploitation of many memory corruption vulnerabilities and at first sight present an insurmountable obstacle for exploit developers.
This talk aims to present exploitation methodologies against this increasingly complex target. I will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.
Each of the aforementioned protections will be briefly introduced and its design limitations will be discussed. I will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, I will discuss what Microsoft can do to increase the effectiveness of the memory protections, at the expense of annoying Vista users even more.
Alexander Sotirov (VMware)

1645 - 1730
Beer Break

End of Day 1