0900 - 0915
OPENING AND WELCOME ADDRESS
Thomas Lim
Organiser, SyScan'09, CEO, COSEINC
0915 - 1015
Recently, Immunity researcher Kostya Kortchinsky exploited a serious vulnerability in VMware's hypervisor that allows
guest-to-host escape. During this presentation Kostya will explain the vulnerability primitives, how to combine these
primitives into a reliable exploit that bypasses DEP/ASLR, how to make that exploit reliable across Linux, Windows XP
and Windows Vista, and how to obtain post-exploitation control of the host without any network access. This extremely
technical talk will delve into the detailed workings of a highly complex exploit and discuss the development process
in a rare level of depth.
Dave Aitel
CTO, Immunity
1015 - 1030
Coffee Break
1030 - 1130
The objective of the presentation is to show a new code framework that is extremely useful for creating hypervisors
using the Intel and AMD virtualization instruction sets. Creating a VMM using these instructions is a very
complex and error-prone process. With the framework, creating VMMs becomes easy and fast, thanks to
a simple abstraction layer built over these virtualization technologies. The framework's exported API
will be presented, along with a demonstration of how to use it to create powerful system hacking tools and bypass
system protections. The talk also includes a discussion of the security and detection aspects of the framework.
List of topics covered:
- Virtual Machines
- Virtual Machine Monitors, aka Hypervisors
- Types of VMM
- Popek and Goldberg's requirements
- Innocuous and Sensitive instructions
- Privileged instructions
- Virtualizing sensitive instructions
- Hardware-assisted virtualization
- Intel VT and AMD SVM technologies
- Creating a VMM with Intel VT
- VMCS internals
- Host control area
- Guest control area
- Guest event interception
- The 'Hypervisor Framework'
- Architecture
- Features
- Framework API
- VMINFO data structure
- Virtual Machines and Interception Events management
- Framework Client's communication protocol
- Creating tools with the Framework
- Bypassing kernel protections with the Framework
- Virtualization security
- Detection issues
Edgar Barbosa
Sr. Researcher, COSEINC
1130 - 1230
There is very little salient information about Windows kernel auditing and kernel
exploitation techniques. This is probably due to the nature of the security industry
these days: bugs are getting harder to find, so techniques tend to be closely held.
There have been some "primer" presentations on Windows kernel security ("Attacking
the Windows Kernel", NGSSoftware, etc.) and some very specific kernel exploitation
presentations on specific bugs. This presentation focuses instead on "lessons learned" while
developing kernel security auditing tools for the Windows kernel.
Stephen Ridley
Matasano
1230 - 1300
Lunch Break
1300 - 1400
While a lot of public material is available that _mentions_ fuzzing Office files, there is
very little detail. While I have been dealing mainly with Word, the bulk of the techniques
are applicable to any Office application. I plan to cover:
- Reading and writing "streams" in the OLE "compound binary file" format
- Recognising and parsing interesting structures in the Word Binary File Format
- Highlights / 'errors' from the specification documents
- Instrumenting Word with Win32OLE to automate the testing: did it crash? Is the document sitting there open, wasting testing time?
- Lightweight and totally flexible runtime monitoring by automating CDB with Ruby (what good's a crash without the details?)
- Dialog boxes you will meet that will hang your fuzzer thread, and how to eliminate them
- Turning off annoying Word 2007 Resiliency features and other ways to reduce registry bloat
- Where Word stores its bizarre, invisible temp files (which don't get deleted if it crashes)
- Dealing with hangs and memory eaters
- Wrapping the whole lot up in a distributed fuzzing framework to spread the fuzzing load over as many client machines (or VMs) as you like, save all the results in a DB, and even use other frameworks or languages to create test cases
- Doing the whole lot in Ruby, because nobody else has, yet (at least nobody who has released their code)
Ben Nagy
Sr. Researcher, COSEINC
1400 - 1415
Break
1415 - 1515
This talk will briefly introduce the iPhone security architecture. It will then demonstrate
how to perform automated fuzzing on the device, including SMS fuzzing. It will then demonstrate
some payloads for the iPhone. iPhone payloads are complicated by the fact that on factory phones
no pages can be made executable. Therefore, the payloads consist of long chains of return-to-libc.
Charles Miller
Independent Security Evaluator
1515 - 1530
Coffee Break
1530 - 1630
This talk gives an overview of the security of emerging Rich Internet Application (RIA) technologies.
Because these technologies are so new, little information is currently available on their security
or lack thereof. This talk will provide attendees with an in-depth look into the security of leading
RIA technologies, as well as the security concerns presented by the RIA paradigm itself.
Justine Osborne
iSecPartners
1630 - 1730
Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated:
- "TCP Input Text" extracts TCP ports and Fully Qualified Domain Names (FQDN) from Google
Search Results into a .csv file and individual shell scripts for nmap and nc (aka netcat)
to provide assurance of a listening TCP service since the last crawl performed by the "GoogleBot".
- "Download Indexed Cache" retrieves content indexed within the Google Cache and supports
the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3.
During the demonstration of "Download Indexed Cache", the superiority of this approach will be proven over
lesser methodologies, such as "Google Hacking" and the associated Google Hacking Database (GHDB). The impact
of mitigating controls, such as <META> tags and robots.txt, based on the recommendations within the
"Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be explained.
Christian Heinrich
Project Leader, OWASP
End of Day 1