| 0900 - 1000 |
This is a multipart presentation presented by engineers working on Microsoft Office security.
The first part will detail a distributed fuzzing framework. The second part will detail engineering
defenses to fuzzing attacks in the upcoming release of Office (Office 2010).
Security researchers and zero-day exploits continue to leverage fuzzing bugs in Microsoft products. What are we doing to defend our products? As presented during Blue Hat 2009 (Jason Shirk) and Cansecwest 2008 (Charlie Miller), the more fuzzing iterations performed, the more likely you are to find bugs. The SDL now requires a clean fuzz run of half a million iterations in order to ship. Seems like a good idea and achievable, but what happens if your application parses more than 200 formats? Time to think like a black hat and leverage the power of a botnet to get your work done – complete with fuzzing command and control servers to delegate work to the fuzzing bots.
This presentation covers a framework built by the Office team to efficiently fuzz any file format parser. This framework can be used by any internal product team that parses file input and significantly reduces the pain around file fuzzing. This framework is not a fuzzer itself. You won't need to rewrite your fuzzers. Instead it allows existing fuzzers to plug in and run in a distributed fashion. The Office team is using this system to perform millions of iterations per day without purchasing any additional hardware. The Office team turned desktop machines and lab machines into a botnet for fuzzing during downtime. Other challenges that are solved by the distributed fuzzing framework and covered in this presentation include central run management, recurring job scheduling, duplicate detection across machines and runs, automated regression passes, and automated bug filing.
Even with millions of fuzz iterations and following the best practices of the Security Development Lifecycle (SDL), some bugs will be missed. The Office security team has engineered a series of layered defenses in addition to strengthening the parsers themselves. This presentation also covers two of these layers. The first layer, Gatekeeper, helps validate whether the data should be loaded by the target application. The Gatekeeper architecture allows it to be used by other applications and to describe additional binary formats. The second layer discussed leverages Windows Integrity Levels and is known as Protected View. Even if malicious code runs inside of Protected View, it should not be able to alter the host machine. The presentation will demonstrate how recent MSRC cases are mitigated by Protected View and Gatekeeper.
|
TOM GALLAGHER
Microsoft
|
| 1000 - 1030 |
Coffee Break |
|
| 1030 - 1130 |
Returning into the PHP Interpreter: Remote Exploitation of Memory Corruption Vulnerabilities in PHP Is Not Over Yet
Among web application security experts there is the popular belief that low-level vulnerabilities like buffer overflows and other kinds of memory corruption vulnerabilities do not matter for web application security. In addition to that, the increasing use of exploit mitigation techniques on modern web servers makes many believe that exploiting remote memory corruptions in web server software is over. But is it really?
This talk will introduce the idea of returning into the PHP interpreter from memory corruption vulnerabilities and discuss the requirements and feasibility of different ways to do that. This idea will then be applied to a yet undisclosed PHP vulnerability, which is exposed to remote attackers in several widespread PHP applications. Different aspects of this vulnerability will be analyzed and it will be explained how they can be abused in remote information leak and memory corruption exploits. The creation of such a remote code execution exploit will then be detailed step by step.
|
STEFAN ESSER
Sektioneins
|
| 1130 - 1145 |
Break |
|
| 1145 - 1245 |
When an attack is detected on a web server, some defenders try to handle that incident by getting rid of the intruders and by hardening their infrastructure so that they won't be owned again. Sometimes they get enough spare time to analyze what happened exactly, by doing some kind of forensics actions, or by contacting remote administrators and authorities, etc. But recently, attackers might not really be afraid of the consequences of their digital crimes.
This talk proposes to think further and to re-balance the Internet war between the light side and the dark side. We will add a new way to behave when evil hackers are caught on a host. Indeed, TEHTRI-Security will explain how to strike back against your web assailants, so that you would be able to: get more information about them or identify them, steal their tools and methods, or sometimes penetrate back into their own computers too. Of course those technical initiatives might lead to legal issues, depending on the international and local laws (self-defense, etc.). But this talk will focus on tactical issues, to show real-life examples when it might be possible to hack the web hackers.
|
LAURENT OUDOT
TEHTRI-SecurITY
|
| 1245 - 1400 |
Lunch |
|
| 1400 - 1500 |
Technological advances have finally placed GSM tools within the reach of security researchers and hackers. Finally it is possible to directly explore the lowest levels of the GSM stack.
This talk focuses on both sides of the GSM network where the users and network directly interact: the Um (air) interface.
The primary technological focus of this talk is on the exposed interfaces between the GSM networks and users. This covers the base station system -- the network components which communicate with mobile phones -- and the baseband -- the component of the mobile phone which communicates with the network.
During the talk the two main components of the attack system will be demoed: malicious base stations and malicious basebands. The base station enables fuzzing mobile phone basebands, as well as other attacks. The baseband is used to test GSM network equipment for flaws, as well as exploit backend systems.
Trust us, you'll *want* to turn off your phone for the duration of this talk!
|
THE GRUGQ
COSEINC
|
| 1500 - 1515 |
Break |
|
| 1515 - 1615 |
This talk will give an overview of the 2010 ICAO version of the Electronic Travel Documents standard, MRTDs (Doc 9303), and will also take a holistic end-to-end view, from obtaining a passport up to automated inspection systems. It will show audit techniques for ePassports, and why the 2010 version of the ePassport is little better than the 2006 version we cloned that year. But things are getting much worse with automated immigration technology in use.
We will have a look at the problems of the issuer and the user, and how they should protect their ePassport.
The audience will get an overview of ePassports and the risks of using them as a traveler, and of being impersonated by someone else in the name of the passport holder. Additionally, the exploitation and malware analysis apply to every "RFID" smartcard system, not only to passports.
|
LUKAS GRUNWALD
DN-Systems Enterprise Internet Solutions GmbH
|
| 1615 - 1630 |
Break |
|
| 1630 - 1730 |
Mac OS is thought to be better than Windows on security aspects. Apple Inc. also announces that Mac OS is strong enough to withstand viruses and attacks. But is that the truth?
This talk will cover most kinds of security problems under Mac OS. We will talk about Mac OS security protection mechanisms and common attack vectors. Compared with what happens under Windows, you can figure out how secure Mac OS is.
Firstly, we will introduce what Mac OS is and the security methods used to protect it. Then malware techniques will be discussed, such as viruses, trojan horses, keyloggers and so on. After that, we will talk about how to exploit vulnerabilities under Mac OS and show you a real exploit. The last part is about rootkits under Mac OS. I hope you will have a clearer view of Mac OS security after the talk.
|
XU HAO
Cactus Security Lab
|
| |
End of SyScan'10 HangZhou |
|