| Time | Session | Speaker |
| --- | --- | --- |
| 0830 - 0900 | Registration | |
| 0900 - 0910 | Opening and Welcome Address | Mr. Nguyen Tien Thanh, Director, I.E.T. Co., Ltd |
| 0910 - 0920 | Welcome Address | Thomas Lim, SyScan'10, COSEINC |
| 0920 - 0930 | Welcome Address | Mr. Le Manh Ha, Director of Ho Chi Minh City Department of Information and Communications, Ministry of ICT |
| 0930 - 1030 | Nowadays, people are well aware of malware in executable formats such as EXE, and they can protect themselves with defense solutions such as anti-virus (AV). However, modern threats come from malicious files such as PDF, DOC, PPT, XLS, etc. The attacker can embed malware into any type of electronic document, and the victim will get exploited once he opens these files with unpatched, vulnerable applications. Unfortunately, this attack vector is increasingly popular, and it is extremely hard to know whether a document is poisonous, especially if the attacker uses 0-day bugs. The situation is even more frustrating because current AV software badly fails against this upcoming malware. This paper presents a novel tool named D-Analyzer to detect malicious documents. Using a taint analysis method, our tool is able to identify all the nasty files trying to exploit vulnerable applications. D-Analyzer supports all kinds of documents, regardless of the file type. Obviously, our tool can also detect 0-day attacks, with zero false positives. The presentation includes some demos, so the audience can see how D-Analyzer really works. | Nguyen Anh Quynh |
| 1030 - 1100 | Coffee Break | |
| 1100 - 1200 | This talk introduces the MoonSols Windows Memory Toolkit, which aims to be the ultimate memory and crash dump acquisition and conversion tool for Windows. It includes live acquisition of Microsoft crash dumps on Windows, the conversion of the hibernation file into a crash dump, and even obtaining a crash dump of a running VMware virtual machine without rebooting it and without any BSOD! | Matthieu Suiche |
| 1200 - 1230 | Break | |
| 1230 - 1330 | This is a multipart presentation given by engineers working on Microsoft Office security. The first part will detail a distributed fuzzing framework. The second part will detail engineering defenses against fuzzing attacks in the upcoming release of Office (Office 2010). Security researchers and zero-day exploits continue to leverage fuzzing bugs in Microsoft products. What are we doing to defend our products? As presented during Blue Hat 2009 (Jason Shirk) and CanSecWest 2008 (Charlie Miller), the more fuzzing iterations performed, the more likely you are to find bugs. The SDL now requires a clean fuzz run of half a million iterations in order to ship. That seems like a good idea and achievable, but what happens if your application parses more than 200 formats? Time to think like a black hat and leverage the power of a botnet to get your work done, complete with fuzzing command and control servers to delegate work to the fuzzing bots. This presentation covers a framework built by the Office team to efficiently fuzz any file format parser. This framework can be used by any internal product team that parses file input, and it significantly reduces the pain around file fuzzing. This framework is not a fuzzer itself; you won't need to rewrite your fuzzers. Instead, it allows existing fuzzers to plug in and run in a distributed fashion. The Office team is using this system to perform millions of iterations per day without purchasing any additional hardware: the team turned desktop machines and lab machines into a botnet for fuzzing during downtime. Other challenges that are solved by the distributed fuzzing framework and covered in this presentation include central run management, recurring job scheduling, duplicate detection across machines and runs, automated regression passes, and automated bug filing. Even with millions of fuzz iterations and following the best practices of the Security Development Lifecycle (SDL), some bugs will be missed. The Office security team has engineered a series of layered defenses in addition to strengthening the parsers themselves. This presentation also covers two of these layers. The first layer, Gatekeeper, helps validate whether the data should be loaded by the target application. The Gatekeeper architecture allows it to be used by other applications and to describe additional binary formats. The second layer discussed leverages Windows Integrity Levels and is known as Protected View. Even if malicious code runs inside of Protected View, it should not be able to alter the host machine. The presentation will demonstrate how recent MSRC cases are mitigated by Protected View and Gatekeeper. | Tom Gallagher & David Conger, Microsoft |
| 1330 - 1430 | Lunch | |
| 1430 - 1530 | Two of the biggest problems with SQL-injection vulnerabilities are that the tools that detect them have a rate of false positives which is non-negligible or sometimes just too high, and that, when a tool detects a vulnerability, it provides little or no information to developers and testers, so it becomes difficult for them to assess the impact of the vulnerability on the security posture of the web application. We introduce a methodology, and an implementation of this methodology in a black-box tool, that solves the two problems. Using it, one can verify with 100% certainty that a potential SQL injection vulnerability is exploitable, and at the same time assess the impact of the vulnerability. Explicitly, if our tool detects a vulnerability, it provides an interface to execute arbitrary SQL code through it; this confirms the vulnerability and gives the developers an easy way to assess its impact. Using a combination of heuristics and syntax analysis, our tool constructs a "channel" for each vulnerability that encodes SQL queries to the web application and decodes their answers, solving the encoding problems for the tester. The core of this talk is in examining the difficulties that appear while trying to expose vulnerabilities and how to set up a process that will automatically turn them into a black-box query console. | Sebastian Cufre |
| 1530 - 1600 | Coffee Break | |
| 1600 - 1700 | If bugs are the raw ore of exploits (Rootite, if you like), then we're mining in areas where the Rootite is rare and deeply buried. Industrial-scale bug mining starts with very, very fast fuzzing. In contrast to the MS Fuzzing Botnet, we use a dedicated, single-purpose cluster of virtual machines which is optimised for fuzzing. Last year we released some metrics, then MS released better ones. So, we rebuilt the whole system and made it faster and more scalable. Can we outperform the Redmond Botnet in one small rack? After a fuzz run, we are left with massive piles of low-grade Rootite, full of impurities such as Nullpointium, which needs to be graded and enriched before it is valuable. After grading, we "enrich" our highest-grade Rootite by using differential runtracing of crashes to assist root cause analysis. The runtraces are tens of millions of lines long, but we postprocess them using magic, funky graphs and compression before comparing them side by side with the clean run. Our diff files are plaintext, small enough for us to eyeball them, and allow us to navigate to any point in the trace using any debugger we choose. Feel free to drop by for a guided tour of the mine. Bring a beer. | Ben Nagy, COSEINC |
| | End of Day 1 | |