DAY 1 (2nd July 2009)

TIME	TOPIC	SPEAKER
0900 - 0915	OPENING AND WELCOME ADDRESS	THOMAS LIM Organiser, SyScan'09, CEO, COSEINC
0915 - 1015	CLOUDBURST Recently Immunity researcher Kostya Kortchinsky has exploited a serious vulnerability in VMWare's hypervisor that allows Guest to Host escaping. During this presentation Kostya will explain the vulnerability primitives, how to combine these primitives into a reliable exploit that bypasses EP/ASLR, how to make that exploit reliable across Linux, Windows XP, and Windows Vista, and how to obtain post-exploitation control of the host without any network access. This extremely technical talk will delve into the detailed workings of a highly complex exploit and discuss the development process in a rare level of depth.	Dave Aitel CTO, Immunity
1015 - 1030	Coffee Break
1030 - 1130	Creating Hpervisor-based Hacking Tool: The COSEINC Hypervisor Framework The objective of the presentation is to show a new code framework extremely useful to create hypervisors using the Intel and AMD virtualization instruction sets. Creating a VMM using these instructions is a very complex and error prone process. With the framework, it becomes easy and fast the creation of VMMs due to a simple abstraction layer created over these virtualization technologies. The framework's exported API will be presented and will be demonstrated how to use it to create powerful system hacking tools and bypass system protections. It also includes a discussion of the security and detection aspects of the framework. List of topics covered: Virtual Machines Virtual Machine Monitors, aka Hypervisors Types of VMM Popek and Goldberg�s requirements Innocuous and Sensitive instructions Privileged instructions Virtualizing sensitive instructions Hardware assisted virtualization Intel VT and AMD SVM technologies Creating a VMM with Intel VT VMCS internals Host control area Guest control area Guest event interception The 'Hypervisor Framework' Architecture Features Framework API VMINFO data structure Virtual Machines and Interception Events management Framework Client's communication protocol Creating tools with the Framework Bypassing kernel protections with the framework Virtualization security Detection issues	Edgar Barbosa Sr. Researcher, COSEINC
1130 - 1230	Windows NT Kernel Security There is very little salient information about Windows kernel auditing and kernel exploitation techniques. This is probably due to the nature of the security industry these days. Bugs are getting harder to find, so techniques tend to be closely held. There have been some "primer" presentations on windows kernel security ("Attacking the Windows Kernel" NGSSoftware, etc) and some very specific kernel exploitation presentations on specific bugs. This presentation is more on "lessons learned" while developing kernel security auditing tools for the Windows kernel.	Stephen Ridley Matasano
1230 - 1300	Lunch Break
1300 - 1400	Finding Microsoft Vulnerabilities by Fuzzing Binary Files with Ruby - A New Fuzzing Framework While a lot of public material is available that _mentions_ fuzzing Office files, there is very little detail. While I have been dealing mainly with Word, the bulk of the techniques are applicable to any Office application. I plan to cover: Reading and writing "streams" in the OLE "compound binary file" format Recognising and parsing interesting structures in the Word Binary Fileformat Highlights / 'errors' from the specification documents Instrumenting Word with Win32OLE to automate the testing - Did it crash? Is the document sitting there open, wasting testing time? Lightweight and totally flexible runtime monitoring by automating CDB with ruby (what good's a crash without the details?) Dialog Boxes You Will Meet that will hang your fuzzer thread and How to Eliminate Them Turning off annoying Word 2007 Resiliency features and other ways to reduce registry bloat Where Word stores its bizarre, invisible temp files (which don't get deleted if it crashes) Dealing with hangs and memory eaters. Wrapping the whole lot up in a distributed fuzzing framework to spread the fuzzing load over as many client machines (or VMs) as you like, save all the results in a DB and even use other frameworks or languages to create test cases Doing the whole lot in Ruby, because nobody else has, yet. (at least nobody who has released their code)	Ben Nagy Sr. Researcher, COSEINC
1400 - 1415	Break
1415 - 1515	Hacking iPhone - Fuzzing and Payload This talk will briefly introduce the the iPhone security architecture. It will then demonstrate how to perform automated fuzzing on the device including SMS fuzzing. It will then demonstrate some payloads for the iPhone. iPhone payloads are complicated by the fact that on factory phones, no pages can be made executable. Therefore, the payloads consist of long chains of return-to-libc.	Charles Miller Independent Security Evaluator
1515 - 1530	Coffee Break
1530 - 1630	Living in the Rich Internet Application (RIA) World - Blurring the line between Web and Desktop Security This talk gives an overview of the security of emerging Rich Internet Application (RIA) technologies. Because these technologies are so new, little information is currently available on their security or lack thereof. This talk will provide attendees with an in-depth look into the security of leading RIA technologies, as well as the security concerns presented by the RIA paradigm itself.	Justine Osborne iSecPartners
1630 - 1730	Googless Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated: "TCP Input Text" extracts TCP Ports and Fully Qualified Domain Names (FQDN) from Google Search Results into a .csv file and individual shell scripts for nmap and nc aka netcat to provide assurance of a listening TCP service since the last crawl performed by the "GoogleBot". "Download Indexed Cache" retrieves content indexed within the Google Cache and supports the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3. During the demonstration of "Download Indexed Cache", the superiority of this approach will be proven over lesser methodologies, such as "Google Hacking" and the associated Google Hacking Database (GHDB). The impact of mitigating controls, such as <META> Tags and robots.txt, based on the recommendations within the "Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be explained.	Christian Heinrich Project Leader, OWASP
	End of Day 1

DAY 2 (3rd July 2009)

TIME	TOPIC	SPEAKER
0900 - 1000	Agentless Guest Protection - Stealthy Code Injection from the Virtual Machine This will demonstrate that we can inject code into a guest virtual machine from the hypervisor. We are able to install a standard Windows driver and invoke an exported function in the driver. It will run within the guest VM at ring 0 and it can interact with the guest in a standard way (use exported NTOSKRNL functions, etc.). It runs under a standard Windows kernel thread. After the function returns, the driver is unloaded and all traces of the driver are removed. The benefit to this design is that we can minimize the chance for malware in the guest to detect or interfere with our in-guest agent to a small window. The in-guest agent is only detectable while it is running. It is intended that the code be relatively small and fast (i.e., used to kill a malware process, apply a code patch, etc.).	Matthew Conover Symantec
1000 - 1015	Coffee Break
1015 - 1115	Persistent BIOS Infection When developing rootkits, one of the biggest problems resides on getting the malicious code executed always, surviving reboots and being undetectable. In this talk we want to demonstrate how malicious code can be injected into commercial BIOS firmware. Instead of other rootkit methods which make use of the ACPI specification, we have focused our work in a binary generic implementation independent of the installed OS.	Alfredo Ortega & Anibal Sacco CORE
1115 - 1215	Outspect: Live Memory Forensic and Incident Response for Virtual Machine Recently, memory analyzing has become a popular mechanism to perform incident response and forensic. However, traditional approach of memory forensic has some major drawbacks that cannot be solved in current systems. The first shortcoming is the inconsistency memory problem: memory cannot be consistenly acquired because system is still functioning in the process. Another issue is that existent rootkits can easily tamper with the acquired and analyzed steps. Last but not least, loading forensic tools into the memory will inevitably erase evidences in the memory. This research presents "Outspect", a new tool set to perform memory forensic and incident response for live virtual machine (VM). By running Outspect outside of the inspected VM, we can solve the above-mentioned problems of traditional memory forensic. While Outspect and its architecture is designed to support all kind of guest OSes and hypervisors, in this presentation we focus on Windows guests running on Xen hypervisor. The talk dedicates some time to discuss the advantages and challanges of our approach. The mechanism to inspect and extract important system objects from raw memory will also be examined. We will go into detail on our architecture, and prove that it is useful for many things other than just live memory forensic. The presentation includes some live demos to demonstrate the effectiveness of Outspect. We will use Outspect to inspect and detect some popular kernel rootkits and userspace malware on Windows VM. The demo will also show that it is trivial to detect exploitation using sophisticated attack technique like Metaspoit with Meterpreter payload (which cannot be detected by any anti-virus at the moment).	Nguyen Anh Quynh
1215 - 1245	Lunch
1245 - 1345	Hacking Citrix Citrix. The point and click remote desktop interface that is often seen but not heard. Often used as an alternative to RDP as it offers flexible and secure configuration options. Typically though a deployment is extremely weak and a compromise is guaranteed. This talk will cover off some standard deployment scenarios and explain a lot of Citrix security issues. The presentation will cover various network layer security weaknesses and other configuration issues that should be addressed when implementing a secure Citrix installation. The presentation will also include a live demonstration that will show a common scenario where an attacker can exploit vulnerabilities allowing them to take over the server and potentially the entire network. This includes breaking out of a typical Citrix environment, escalating privileges, and stealing domain authentication to access a domain controller.	Brett Moore Insomniasec
1345 - 1445	Ghost Recon - Subverting Local Networks Networks are a crucial component of information systems and businesses. This presentation demonstrates both passive and active attacks on networks that can cause havoc if they fail to implement comprehensive countermeasures. The security of Open Shortest Path First (OSPF), a popular routing protocol, will be examined. Attacks discussed include passive topology discovery, traffic redirection, man-in-the-middle, and GPU-based offline brute-force recovery of authentication keys. Some recently developed and released tools will be demonstrated in this talk. An understanding of networking fundamentals is assumed. This talk is intended for professionals who want a greater understanding of threats against local networks. They will learn how attacks can be implemented against networks that have inadequate controls, and the importance of these controls will be reinforced. It is hoped that due to this education the security of networks will improve.	Berne Campbell
1445 - 1500	Break
1500 - 1600	State of the Art Post Exploitation in Hardened PHP Environments When an attacker manages to execute arbitrary PHP code in a web application he nowadays often ends up in hardened PHP environments that not only make use of PHP's internal protections like safemode, openbasedir or disable_functions but also make use of Suhosin and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened memory managers or unix file permissions. In such a situation taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections. This talk will show the problems arising from the different protection mechanisms for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits and will demonstrate how a special class of vulnerabilities in PHP that also exists in standard functions enables PHP shellcode to get around most of these protections.	Stefan Esser
1600 - 1615	Coffee Break
1615 - 1715	Reconstructing Dalvik Applications (Google Android) The virtual machine for running the majority of userland applications within Google's Android machine is called "Dalvik". It is a natural successor of the Java VM, improving design and footprint for mobile application scenarios, by avoiding the overhead of Java ME. Although Google chose to use the java toolchain to generate applications, they designed a new compiled representation of the compiled applications, compared to java with different stack semantics and a denser instruction set (imho, java done right:)). For reverse engineering until now you could either learn Dalvik bytecode or bribe the original author to give you access to the source code. Both approaches do not deliver fast and readable results, so our "undx" (dx is the java-to-dalvik compiler) provides reverse engineers and software auditors, as well as virus checking software a reliable technique to process dalvik code by translating those back to Java classes, which opens the opportunity to re-use established tools and techniques from the java world for analysis. Our entire code was created without code knowledge of any Dalvik code internals. For our purpose we solely studied the output of the binary "dexdump" tool and used a decent hex editor to discover helpful structures within the binary. We will present the following: The dalvik architecture (compared to Java SE) The dalvik instruction set and runtime layout (compared to Java VMs) A short excourse: Manual decompilation Presentation of an automation approach towards java class recovery Insights of the implemented converter Coding hurdles, caveats (we currently create 95% verifiable java classes) Further work, further application potentials within the reverse engineering and software testing areas.	Marc Schoenfeld
1715 - 1800	CTF'09 Prize Presentation and Lucky Draw
	End of SyScan'09 Singapore