| 1000 - 1030 |
Opening and Welcome Address
|
Thomas Lim
Organiser, SyScan'11, CEO, COSEINC
|
| 1030 - 1130 |
Antivirus vendors often assert they must be protected from scrutiny and
criticism, claiming that public understanding of their work would assist
bad actors (1). However, it is the opinion of the author that
Kerckhoffs’s principle applies to all security systems, not just
cryptosystems. Therefore, if close inspection of a security product
weakens it, then the product is flawed.
The veil of obscurity removes all incentive to improve, which can result
in heavy reliance on antiquated ideas and principles. This paper
describes the results of a thorough examination of Sophos Antivirus
internals. We present a technical analysis of claims made by the vendor,
and publish the tools and reference material required to reproduce our
results.
Furthermore, we examine the product from the perspective of a
vulnerability researcher, exploring the rich attack surface exposed, and
demonstrating weaknesses and vulnerabilities.
|
Tavis Ormandy
|
| 1130 - 1200 |
Coffee Break |
|
| 1200 - 1300 |
Exploit mitigation technologies have made reliable heap exploitation increasingly difficult since the inception of the 4-byte overwrite, over ten years ago. At the same time, applications needed to become more stable without using absurd amounts of memory (who doesn't keep their web browser open with multiple tabs for days?). Heap memory management has matured over time, but with complex new code comes new opportunity for exploitation.
This presentation will focus on understanding the Low Fragmentation Heap on Windows 7 (32-bit). After a foundation of integral concepts is laid, new exploitation techniques will be thoroughly discussed. Finally, we will use this newfound knowledge to leverage supposedly non-exploitable vulnerabilities. Specifically, we will cover a case study showing how to craft an exploit for the IIS FTP 7.5 denial of service (http://blogs.technet.com/b/srd/archive/2010/12/22/assessing-an-iis-ftp-7-5-unauthenticated-denial-of-service-vulnerability.aspx), resulting in full control of EIP.
http://illmatics.com/FTPOwned.PNG
|
Chris Valasek
Accuvant LABS
|
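As an added illustration of the "4-byte overwrite" the abstract refers to, and of the mitigation that made it unreliable, the following C program models a classic doubly linked free list: an unchecked unlink turns an overflowed chunk header into a pointer-sized write of an attacker-chosen value to an attacker-chosen address, while the "safe unlinking" check (the Windows heap has carried it since XP SP2) rejects the forged header. This is example code written for this page, not the speaker's material; the structures are a simplified stand-in for real heap metadata, `victim`, `payload` and the forged header are constructed for the demo, and pointer size is 4 bytes on the 32-bit targets the talk covers (8 on a 64-bit host). The Windows 7 LFH that the talk targets does not hand out chunks through this kind of list walk, which is exactly why it needs the newer techniques the abstract promises.

```c
#include <stdio.h>
#include <string.h>

/* A free-chunk header on a classic doubly linked free list. */
typedef struct chunk {
    struct chunk *flink;   /* next free chunk */
    struct chunk *blink;   /* previous free chunk */
} chunk_t;

/* Pre-mitigation unlink: trusts both pointers found in the header.
   If an overflow has overwritten them, this is an attacker-chosen
   pointer-sized write (4 bytes on the 32-bit targets the talk covers). */
static void unlink_unchecked(chunk_t *c)
{
    c->flink->blink = c->blink;   /* write 1: *(flink + sizeof(void *)) = blink */
    c->blink->flink = c->flink;   /* write 2: *(blink) = flink (the side effect) */
}

/* Safe unlinking, as the Windows heap does since XP SP2:
   refuse to unlink a chunk whose neighbours do not point back at it. */
static int unlink_checked(chunk_t *c)
{
    if (c->flink->blink != c || c->blink->flink != c)
        return 0;                 /* header corrupted: no unlink, no write */
    c->flink->blink = c->blink;
    c->blink->flink = c->flink;
    return 1;
}

/* Simulated victim memory (constructed for the demo). `victim.blink` stands
   in for a code pointer (function pointer, SEH handler, ...) located
   pointer-size bytes after the address the attacker supplies as flink. */
static chunk_t victim;

/* Attacker-controlled buffer the code pointer should end up pointing at;
   it must be writable because write 2 lands on its first bytes, which is
   why classic payloads started with a short jump over their own header. */
static union { chunk_t hdr; unsigned char bytes[32]; } payload;

/* The header an overflow would leave in an adjacent free chunk:
   flink chosen so that flink->blink aliases the target slot,
   blink set to the value that should land there. */
static chunk_t forged_header(void)
{
    chunk_t fake;
    fake.flink = &victim;
    fake.blink = &payload.hdr;
    return fake;
}

/* Returns 1 when the unchecked unlink redirected victim.blink to the payload
   and the payload's first pointer-size bytes were clobbered with flink. */
int demo_unchecked(void)
{
    memset(payload.bytes, 0x90, sizeof payload.bytes);  /* constructed NOP-sled stand-in */
    victim.blink = NULL;
    chunk_t fake = forged_header();
    unlink_unchecked(&fake);
    return victim.blink == &payload.hdr && payload.hdr.flink == &victim;
}

/* Returns 1 when safe unlinking rejected the same forged header
   and left both the target slot and the payload untouched. */
int demo_checked(void)
{
    memset(payload.bytes, 0x90, sizeof payload.bytes);
    victim.blink = NULL;
    chunk_t fake = forged_header();
    int unlinked = unlink_checked(&fake);
    return unlinked == 0 && victim.blink == NULL && payload.hdr.flink != &victim;
}

int main(void)
{
    printf("unchecked unlink: code pointer hijacked = %d\n", demo_unchecked());
    printf("safe unlink:      attack rejected       = %d\n", demo_checked());
    return 0;
}
```

The check in `unlink_checked` is cheap because the two pointers it compares are already in cache for the writes that follow; that is why it could be added to hot allocator paths without a measurable cost, and why the generic write-4 primitive disappeared from Windows heaps well before the LFH became the default front end.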
| 1300 - 1400 |
Lunch |
|
| 1400 - 1500 |
The iPhone userland is locked down very tightly by kernel-level protections. Therefore any sophisticated attack has to include a kernel exploit in order to completely compromise the device. Because of this, our previous session titled "Targeting the iOS Kernel" already discussed how to reverse the iOS kernel in order to find kernel security vulnerabilities. In the second part, titled "iOS Kernel Exploitation", we showed how stack and heap overflows are exploited inside the iOS kernel,
and now in our third part of the series we want to discuss kernel attacks through IOKit interfaces.
This session will introduce the audience to kernel-level exploitation of iPhones like our previous session, but concentrate on vulnerabilities triggered through IOKit interfaces. We will discuss previously disclosed kernel vulnerabilities and explain their exploitation step by step. We also briefly cover tools that help find these kinds of vulnerabilities.
Furthermore, the kernel patches applied by iPhone jailbreaks will be discussed in order to understand how certain security features are deactivated.
|
Stefan Esser
SektionEins
|
| 1500 - 1515 |
Break |
|
| 1515 - 1615 |
If you ever thought finding bugs was 'too hard', think again. Attacking
difficult problems with innovative new approaches is great, and the
areas of vulnerability discovery, analysis, triage and exploitation have
all benefited from the work of some very smart people using exciting new
tools and techniques. A few researchers, however, consistently obtain
annoyingly good results with much more simplistic methods. To
investigate, I take some simple Pintools, a Ruby interpreter and a ton
of horizontal scale. In the classic tradeoff between brute force and
finesse, let's apply a big, cloudy hammer and go looking for nails.
|
Ben Nagy
COSEINC
|
| 1615 - 1645 |
Coffee Break |
|
| 1645 - 1745 |
In recent years, more and more large enterprises and critical systems around the
world have been targeted by APTs (advanced persistent threats). Unfortunately, even a
single access to a malicious document enables the attacker to download a
multitude of malware binaries. Frequently, this malware allows the adversary to
gain full control of the compromised systems, leading to further penetration of
other privileged hosts. We have identified that APT-based malware is very
different from the traditional understanding of polymorphic viruses and drive-by
downloads. Moreover, APT-based malware is often delivered to a small number
of victims, rendering the signature-based approach ineffective for real-time detection.
To characterize the nature of this significant-yet-mysterious threat, we design
layers of signature-free malware analysis, including an automated error-prone
document walker and an adaptive malware analyzer. For each of these layers, we present APT-based examples of malformed file formats and instances abusing
unknown exploits found on the Internet. In this paper, we share the state of APTs
and share an effective approach to detect and analyze this rising threat.
|
Jeremy Chiu, Benson Wu
Xecure-Lab
|