|
|
|
| 0800 - 0900 |
Breakfast |
|
| 0900 - 0945 |
Antivirus software is a common component of today's computer systems
ranging from home users to corporate and government servers. However,
security issues related to the AV software itself are not usually
considered when deploying such security solutions. Users are not fully
conscious of the issues related to using AV software and some AV vendors
do not put the required effort in securing their products. In this talk
we will cover vulnerability discovery and remote exploitation of AV
software. During the talk the details of a number of vulnerabilities,
both 0days and recently fixed ones, will be published. The talk aims to
raise the level of awareness about the security of AV software to both
users and vendors.
|
Joxean Koret
(巴斯克恐怖)
|
| 0945 - 1030 |
Signature based matching (as used by, e.g., anti-virus products) is the dominant technique to detect malware on current
systems. The underlying assumption of signatures is that some sections (code or data) of the malware are common and
static in all instances of a given malware family, i.e., one signature is used to detect all instances of a specific version
and sometimes multiple different versions.
Software diversification is a promising probabilistic software hardening technique that uses randomization in the
compiler and expressiveness in the target instruction set to generate a different binary for each system. This talk presents
malware diversity, a technique that builds on compiler-enforced software diversity to produce per-machine specific
instances for a given piece of software. Malware diversity ensures that no two diversified instances share either long
common subsequences of code and data or similarities in the code layout.
Malware diversity has different constraints compared to defensive software diversification: we (i) diversify data
alongside with code, instead of only diversifying code; (ii) maximize the (byte-wise) differences, minimize the largest
common subsequence of shared code/data, and randomize the control flow; and (iii) ensure that the diversification
engine is portable to dynamically diversify new binaries on-the-fly. The evaluation of our diversification engine shows
that signature based matching for these binaries is severely limited. Signatures no longer match all instances of a malware
version but only a single instance or few diversified instances.
In this talk we present MalDiv, an LLVM-based diversifying compiler for C/C++ that produces unique binaries using
the same source code. Our approach circumvents all currently used anti-virus matching techniques and enables malware
authors to spread their malware without detection. We evaluate MalDiv by diversifying a set of benchmark programs
and several pieces of malware and remote administration toolkits. Possible mitigation strategies against diversified
MalDiv include sandboxing, system call trace analysis, and matching based on the control-flow graph. These mitigation
strategies all result in high overhead and are only feasible in a laboratory setting. The anti-malware industry will have to
come up with new solutions against this threat.
|
Mathias Payer
|
| 1030 - 1100 |
Coffee Break Sponsored by RSA |
“We did not Do It” |
| 1100 - 1200 |
Have you ever wondered how power is routed around your phone, how it is stored and if it could
be made dangerous? I have, and I somehow talked the DARPA Cyber Fast Track group into
funding my research into the subject and allowing me to name it: "Project Burner: El Teléfono
Inteligente de Fuego". The overall goal of the project was: "Can I catch a phone on fire using
nothing but the stored energy in the battery?" and / or "Can I break it beyond repair?". The
answer was a resounding "yes".
This talk will center around how the Android (and Linux) kernels manage power and electricity,
both from the wall and the battery. I will cover how those software based controls can be
manipulated to fry internal components and brick phones in abundance. I will also walk through
what protections have been put in place to prevent these types of attacks and how those
mechanisms can be circumvented.
Also, I might just break a phone or two...
|
Josh ‘m0nk’ Thomas
(機器人殺手)
|
| 1200 - 1300 |
This presentation will cover techniques used to secure the phone against forensic analysis when the adversary has physical possession of the device.
The Grugq developed a hardened Android ROM which is resistant against analysis and monitoring. There are a few novel techniques to allow for a convenient duress system, and for robust anti-forensic properties. The ROM is supported on a few devices.
|
Dr. Thaddeus (The) Grugq
(瓜口)
|
| 1300 - 1400 |
Lunch Sponsored by PRISM |
“We know everything except Snowden” |
| 1400 - 1445 |
Windows Phone 8 is slowly increasing its market share, more applications are being developed for the platform,
often without any real security guidance on how to develop secure applications and what to watch out for.
The main aim of this presentation is to highlight common developer mistakes which can introduce security
weaknesses into Windows Phone 8 applications. The presentation aims to provide a pragmatic approach to avoid
these mistakes and write secure code for the platform. The presentation will also show penetration testers how to
perform assessments on the platform and how existing platform vulnerabilities can be used to aid these
assessments.
This presentation will demonstrate a novel class of vulnerabilities specific to Windows Phone 8 applications,
provide guidance on how to determine if your application is vulnerable, and provide recommendations on how to
avoid this problem.
|
Alex Plaskett
And
Nick Walker
|
| 1445 - 1500 |
Bar Break Sponsored by 5 Eyes |
“We cannot trust non-white people” |
| 1500 - 1600 |
The first part of this presentation will cover the details behind how
ALPC programming works in Vista and later, which is the core IPC protocol that Windows uses
these days, and the backing behind user-mode drivers, all service communication, and also a lot
of user-kernel communication and subsystem communication. Instead of a “Windows Internals”-
style “this is how ALPC works in the kernel”, this will focus on and programmer-centric view of
ALPC “this is how you interface with ALPC servers and clients”. We’ll quickly go over the
semantics on how to setup a connection and talk to a server, as well as how servers host clients
(a full whitepaper will contain detailed examples, headers, and more).
As we learn these programming details, we’ll see complex resource management tasks that
ALPC expects servers to cope with, and that most ALPC servers fail at implementing correctly,
leading to bugs and vulnerabilities. We’ve written some tools that will dump all ALPC endpoints,
show which ones are vulnerable to random connections, as well as also show what ALPC
endpoints a process is connected to, and which ones it’s hosting (I’ll also show the WinDBG
commands for this). We’ll show 2-3 vulnerabilities in existing Windows ALPC servers.In the second part of the presentation, we’ll look at how RPC implements “LRPC”, or the Local
RPC protocol, which is what services actually use as the high level interface on top of ALPC
(unlike the first part of the presentation which are raw ALPC servers). RPC does a pretty good job
at handling the complexities of the ALPC system, but it has its own protocol on top of it, which
nobody has ever analyzed.
The talk will describe how local RPC works, how to open a connection, bind with an RPC server,
and send/receive RPC packets (if time remains, also talking about how COM/DCOM works over
LRPC). Because RPC servers are internally ALPC servers, however, the relationship will be
exposed, and at least one vulnerability in the RPC runtime will be shown, which as of now affects
all RPC servers, regardless of security permissions. We’ll also show that RPC sets up interesting
security permissions on the underlying ALPC ports that can lead to unexpected results.
|
Alex Ionescu
(中國人民解放軍綁架目標)
|
| 1600 - 1645 |
People keep talking about Thunderbolt DMA attacks as though they're a foregone conclusion. Thus far, we haven't seen one that doesn't involve using a Thunderbolt to FireWire adapter. This kind of attack, when performed against current hardware, is subject to the same limitations and mitigations as the FireWire DMA attacks we've seen since Kiwicon's very own Metlstorm winlockpwned his way to fame in 2006.
In this talk, rzn and snare will discuss their approach to attacking systems with a Thunderbolt port. Will our heroes triumph over evil, or will they get hit by a bus?
|
Snare
(性感水獺)
and
Rzn
(羊羊羊羊羊羊羊)
|
| 1645 - 1715 |
Coffee Break Sponsored by Keith Alexander |
“You know we can protect the networks and have CIVIL LIBERTIES and PRIVACY...” |
| 1715 - 1800 |
In mid-2013, an intriguing case was shared with CrowdStrike. An
adversary successfully penetrated a large European organization,
establishing access to some of their core accounting and access control
Linux servers. The access was maintained through a framework of memory
resident user-space implants that did not leave on-disk traces. These
implants were injected into existing processes and covertly modified
their behavior using PLT hooking.
Consequentially, the implants first had to be captured by some
user-space core dumps and were later also captured by full physical
memory dumps of affected servers.
For proper reverse engineering of the implants, a disassembly friendly
form had to be recovered. Unfortunately, it appears most software
handling ELF executables does not cope well with files that had already
been mangled by a loader and stripped off their section headers during
loading. Custom code was developed to reconstruct the original ELF
binaries and their symbol dependencies for easier reverse engineering.
Analysis of the full dumps also proved hard as the only publicly
available Linux memory forensics toolkit at the time was Volatility.
However, Volatility focuses on kernel rootkits and has next to no
analysis capabilities for user-space. Because the implants in question
reside entirely in user-space and populate into other processes
continuously using ptrace based injection techniques, this was not of
much help.
In this talk, we will examine the existing analysis solutions, their
shortcomings (and how this implant series cleverly exploits them) and
introduce some patch sets that attempt to solve those. This is a tooling
and technique focused talk that will only touch briefly on the concrete
incident at hand.
|
Georg Wicherski
(中國人民解放軍綁架目標)
|
| 1800 - 1830 |
Whiskey Con |
5 minutes (2 shots of whiskey) each Blabber |
|
|
|
