DAY 1 ( 26th April 2012 )

| TIME | TOPIC | SPEAKER |
|---|---|---|
| 0800 - 0900 | Registration | |
| 0900 - 0915 | Opening and Welcome Address | Thomas Lim, Organiser, SyScan'12, CEO, COSEINC |
| 0915 - 1015 | Windows 8 developer preview was released in September 2011. While many focused on the Metro UI of the operating system, we decided to investigate the memory manager. Although generic heap exploitation has been dead for quite some time, intricate knowledge of both the application and the underlying operating system's memory manager has continued to prove that reliable heap exploitation is still achievable. This presentation will focus on the transition of heap exploitation mitigations from Windows 7 to Windows 8. We will be examining the inner workings of the Windows memory manager for allocations, de-allocations and all additional heap-related security features implemented in Windows 8. Additional tips and tricks will also be covered, giving attendees the knowledge needed to achieve the highest possible levels of heap determinism. | Chris Valasek & Tarjei Mandt |
| 1015 - 1030 | Coffee Break | |
| 1030 - 1130 | The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers. This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture: what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel. Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit. | Loukas |
| 1130 - 1230 | Outsourcing is great, right? Cheap labor, first to market and exploiting resources are all excellent reasons to set up a remote office. The problem in defending your newly acquired revenue center is that you cannot replicate your security practices and expect them to succeed against local threats. If you deployed the most popular/expensive US-based security products, would you feel protected? In this talk we will use South Korea as a case study. A short introduction to the criminal hacking scene in Korea will be given, and then a demo of us bypassing enterprise security solutions with a 0day in one of the most popular word processors in Korea (99% penetration) will be shown. How popular is that p2p client Xunlei in China? Why do state-of-the-art malware detection appliances fall short? All this and more after Ben Nagy talks about fuzzing; don't miss it! | Ryan MacArthur & Beist |
| 1230 - 1330 | Lunch | |
| 1330 - 1430 | Master Boot Record based rootkits (MBR rootkits, or bootkits for short) have existed for decades but are more recently gaining widespread attention with the growing deployment of nasty bootkits such as TDL4 and Popureb. The most advanced versions of these rootkits hook the normal storage device stack (i.e., the "normal I/O path") at the lowest possible level in order to hide the infected MBR and malicious components: the port and miniport drivers. This presentation will introduce a novel technique to read/write to disk using an alternate I/O path provided by the operating system: the crash dump I/O path. This poorly documented crash dump path represents a pristine, untargeted I/O path to disk, effectively defeating all known I/O-hooking rootkits. In addition to providing the attendee with original research and a new methodology for defeating bootkits, this presentation will offer extensive insight into the poorly understood crash dump mechanism used by Windows. This research is the result of weeks of debugging and reverse engineering various disk drivers and operating system core features. This presentation will distill all of those details into simple, important facts for the attendee's consideration. | Aaron LeMasters |
| 1430 - 1445 | Break | |
| 1445 - 1545 | | James Burton |
| 1545 - 1600 | Coffee Break | |
| 1600 - 1700 | Kernels are soft targets. But getting harder. Even the Linux kernel. Ha ha, just kidding. OK, only 90% joking. Some people care about kernel exploitation these days, partially due to the increasing need to pop application sandboxes. Apparently, people even care about Linux kernel exploitation since owning a bunch of Android phones is the new hotness. This presentation will look at the state of Linux kernel exploitation: the latest and greatest techniques, how exploitation has gotten slightly harder over the past few years, and what challenges lie ahead for the offensive-minded in the near future on both vanilla and hardened kernels. | Jon Oberheide |
| | End of Day 1 | |
| 1700 - 2000 | SyScan'12 Networking Party | |
DAY 2 ( 27th April 2011 )

| TIME | TOPIC | SPEAKER |
|---|---|---|
| 0900 - 1000 | This talk will disclose certain new features of the ACPI 5.0 Specification, which is now public and was primarily designed to support ACPI on ARM Embedded SoCs for the upcoming release of Windows 8. Some of these new features have important security considerations which have not traditionally been monitored by security products and/or users, specifically in the area of covert code execution at Ring 0 privileges. | Alex Ionescu |
| 1000 - 1015 | Coffee Break | |
| 1015 - 1115 | This talk starts by giving the audience an overview of the different kernel heap allocators and what they are used for. The talk will discuss how these allocators are related to each other, which contain exploitable metadata and which do not. The previous work, attacks on the zone allocator's freelist, will be briefly described, and attacking other metadata will be discussed. The relative position of kernel zones and of memory allocated by different allocators will be analyzed to answer the question of whether a buffer overflow in memory of one kernel zone can overflow data in another kernel zone, or whether overflowing memory of one allocator can overflow into another allocator. The memory layout of C++ kernel objects used by IOKit drivers will be explained, and it will be discussed how overwriting them can result in code execution. This talk will also cover which portions of the kernel heap/memory are only readable and writable and which are also executable. Then a more generic technique will be introduced that allows control of the iOS kernel heap layout (heap spraying, heap feng shui) and at the same time allows the kernel heap to be filled with application data, such as C++ kernel objects, that when overwritten lead to code execution. | Stefan Esser |
| 1115 - 1215 | With the value of 0day bugs, and the methods to exploit them and bypass current security protections, increasing, the last thing an exploit writer wants is for the target process to crash and alert the victim that something has happened. Previously it was common to see discussions about fixing the heap, but this is not so anymore and the solution appears to be process migration. This talk will discuss various post-exploitation methods that can be used to clean up the target process state after shellcode execution has been obtained and increase the likelihood of a successful recovery from a crash state. There are more options than just terminating the current thread or process, and while some vulnerabilities are relatively easy to recover from, others may require more in-depth techniques to recreate the required process state. | Brett Moore |
| 1215 - 1315 | Lunch | |
| 1315 - 1415 | If you live in Singapore and use a mobile banking application on your iPhone or iPad, chances are at one time or another I have spent days testing the application you use. Poring over the source code till my eyes bleed, picking out any security vulnerabilities and bugs, all this so you can enjoy a secure product. From Shenton Way to Harbor Front, Changi Business Park and SunTec, I spend my day-to-day working with the Financial Services Industry, helping companies deploy secure applications to the Singaporean public. The ironic and often humorous aspect of my work is that no matter where I am, or what company I am working for, the vulnerabilities I find are the same. The developers can be French, Japanese, Chinese, Korean or even Singaporean; all developers appear to make the same mistakes when it comes to mobile technology. This presentation will aim to show a cross-section of the state of security of Singaporean FSI mobile applications, direct from the horse's mouth. I will illustrate the risk profile of iOS applications, the review process and methodology that I follow, and a rundown of the most common vulnerabilities that I have discovered. A rare insight into the otherwise unknown world of mobile banking applications in the Lion City, and an overall view of the state of Singaporean mobile application security. | Paul Craig |
| 1415 - 1430 | Break | |
| 1430 - 1530 | The presentation will demonstrate a system able to extract data structure information from binaries using static and dynamic analysis based on an Intermediate Language for the x86 instruction set. It will also show the current limitations and challenges in the implementation of the system. The system is designed not to depend on symbols (PDB), and there will be a demonstration of the extraction process against Microsoft binaries. | Edgar Barbosa |
| 1530 - 1600 | Coffee Break | |
| 1600 - 1700 | | |
| 1700 - 1730 | Prize Giving Ceremony and Lucky Draw | |
| | End of SyScan'12 Singapore | |