DAY 2 ( 4th April 2014 )
|0800 - 0900||Breakfast|
|0900 - 0945||
Antivirus software is a common component of today's computer systems ranging from home users to corporate and government servers. However, security issues related to the AV software itself are not usually considered when deploying such security solutions. Users are not fully conscious of the issues related to using AV software and some AV vendors do not put the required effort in securing their products. In this talk we will cover vulnerability discovery and remote exploitation of AV software. During the talk the details of a number of vulnerabilities, both 0days and recently fixed ones, will be published. The talk aims to raise the level of awareness about the security of AV software to both users and vendors.
|0945 - 1030||
Signature based matching (as used by, e.g., anti-virus products) is the dominant technique to detect malware on current systems. The underlying assumption of signatures is that some sections (code or data) of the malware are common and static in all instances of a given malware family, i.e., one signature is used to detect all instances of a specific version and sometimes multiple different versions.
Software diversification is a promising probabilistic software hardening technique that uses randomization in the compiler and expressiveness in the target instruction set to generate a different binary for each system. This talk presents malware diversity, a technique that builds on compiler-enforced software diversity to produce per-machine specific instances for a given piece of software. Malware diversity ensures that no two diversified instances share either long common subsequences of code and data or similarities in the code layout.
Malware diversity has different constraints compared to defensive software diversification: we (i) diversify data alongside with code, instead of only diversifying code; (ii) maximize the (byte-wise) differences, minimize the largest common subsequence of shared code/data, and randomize the control flow; and (iii) ensure that the diversification engine is portable to dynamically diversify new binaries on-the-fly. The evaluation of our diversification engine shows that signature based matching for these binaries is severely limited. Signatures no longer match all instances of a malware version but only a single instance or few diversified instances.
In this talk we present MalDiv, an LLVM-based diversifying compiler for C/C++ that produces unique binaries using the same source code. Our approach circumvents all currently used anti-virus matching techniques and enables malware authors to spread their malware without detection. We evaluate MalDiv by diversifying a set of benchmark programs and several pieces of malware and remote administration toolkits. Possible mitigation strategies against diversified MalDiv include sandboxing, system call trace analysis, and matching based on the control-flow graph. These mitigation strategies all result in high overhead and are only feasible in a laboratory setting. The anti-malware industry will have to come up with new solutions against this threat.
|1030 - 1100||Coffee Break Sponsored by RSA||“We did not Do It”|
|1100 - 1200||
Have you ever wondered how power is routed around your phone, how it is stored and if it could be made dangerous? I have, and I somehow talked the DARPA Cyber Fast Track group into funding my research into the subject and allowing me to name it: "Project Burner: El Teléfono Inteligente de Fuego". The overall goal of the project was: "Can I catch a phone on fire using nothing but the stored energy in the battery?" and / or "Can I break it beyond repair?". The answer was a resounding "yes".
This talk will center around how the Android (and Linux) kernels manage power and electricity, both from the wall and the battery. I will cover how those software based controls can be manipulated to fry internal components and brick phones in abundance. I will also walk through what protections have been put in place to prevent these types of attacks and how those mechanisms can be circumvented.
Also, I might just break a phone or two...
Josh ‘m0nk’ Thomas
|1200 - 1300||
This presentation will cover techniques used to secure the phone against forensic analysis when the adversary has physical possession of the device. The Grugq developed a hardened Android ROM which is resistant against analysis and monitoring. There are a few novel techniques to allow for a convenient duress system, and for robust anti-forensic properties. The ROM is supported on a few devices.
Dr. Thaddeus (The) Grugq
|1300 - 1400||Lunch Sponsored by PRISM||“We know everything except Snowden”|
|1400 - 1445||
Windows Phone 8 is slowly increasing its market share, more applications are being developed for the platform, often without any real security guidance on how to develop secure applications and what to watch out for.
The main aim of this presentation is to highlight common developer mistakes which can introduce security weaknesses into Windows Phone 8 applications. The presentation aims to provide a pragmatic approach to avoid these mistakes and write secure code for the platform. The presentation will also show penetration testers how to perform assessments on the platform and how existing platform vulnerabilities can be used to aid these assessments.
This presentation will demonstrate a novel class of vulnerabilities specific to Windows Phone 8 applications, provide guidance on how to determine if your application is vulnerable, and provide recommendations on how to avoid this problem.
|1445 - 1500||Bar Break Sponsored by 5 Eyes||“We cannot trust non-white people”|
|1500 - 1600||
The first part of this presentation will cover the details behind how ALPC programming works in Vista and later, which is the core IPC protocol that Windows uses these days, and the backing behind user-mode drivers, all service communication, and also a lot of user-kernel communication and subsystem communication. Instead of a “Windows Internals”- style “this is how ALPC works in the kernel”, this will focus on and programmer-centric view of ALPC “this is how you interface with ALPC servers and clients”. We’ll quickly go over the semantics on how to setup a connection and talk to a server, as well as how servers host clients (a full whitepaper will contain detailed examples, headers, and more).
As we learn these programming details, we’ll see complex resource management tasks that ALPC expects servers to cope with, and that most ALPC servers fail at implementing correctly, leading to bugs and vulnerabilities. We’ve written some tools that will dump all ALPC endpoints, show which ones are vulnerable to random connections, as well as also show what ALPC endpoints a process is connected to, and which ones it’s hosting (I’ll also show the WinDBG commands for this). We’ll show 2-3 vulnerabilities in existing Windows ALPC servers.In the second part of the presentation, we’ll look at how RPC implements “LRPC”, or the Local RPC protocol, which is what services actually use as the high level interface on top of ALPC (unlike the first part of the presentation which are raw ALPC servers). RPC does a pretty good job at handling the complexities of the ALPC system, but it has its own protocol on top of it, which nobody has ever analyzed.
The talk will describe how local RPC works, how to open a connection, bind with an RPC server, and send/receive RPC packets (if time remains, also talking about how COM/DCOM works over LRPC). Because RPC servers are internally ALPC servers, however, the relationship will be exposed, and at least one vulnerability in the RPC runtime will be shown, which as of now affects all RPC servers, regardless of security permissions. We’ll also show that RPC sets up interesting security permissions on the underlying ALPC ports that can lead to unexpected results.
|1600 - 1645||
People keep talking about Thunderbolt DMA attacks as though they're a foregone conclusion. Thus far, we haven't seen one that doesn't involve using a Thunderbolt to FireWire adapter. This kind of attack, when performed against current hardware, is subject to the same limitations and mitigations as the FireWire DMA attacks we've seen since Kiwicon's very own Metlstorm winlockpwned his way to fame in 2006.
In this talk, rzn and snare will discuss their approach to attacking systems with a Thunderbolt port. Will our heroes triumph over evil, or will they get hit by a bus?
|1645 - 1715||Coffee Break Sponsored by Keith Alexander||“You know we can protect the networks and have CIVIL LIBERTIES and PRIVACY...”|
|1715 - 1800||
In mid-2013, an intriguing case was shared with CrowdStrike. An adversary successfully penetrated a large European organization, establishing access to some of their core accounting and access control Linux servers. The access was maintained through a framework of memory resident user-space implants that did not leave on-disk traces. These implants were injected into existing processes and covertly modified their behavior using PLT hooking.
Consequentially, the implants first had to be captured by some user-space core dumps and were later also captured by full physical memory dumps of affected servers.
For proper reverse engineering of the implants, a disassembly friendly form had to be recovered. Unfortunately, it appears most software handling ELF executables does not cope well with files that had already been mangled by a loader and stripped off their section headers during loading. Custom code was developed to reconstruct the original ELF binaries and their symbol dependencies for easier reverse engineering.
Analysis of the full dumps also proved hard as the only publicly available Linux memory forensics toolkit at the time was Volatility. However, Volatility focuses on kernel rootkits and has next to no analysis capabilities for user-space. Because the implants in question reside entirely in user-space and populate into other processes continuously using ptrace based injection techniques, this was not of much help.
In this talk, we will examine the existing analysis solutions, their shortcomings (and how this implant series cleverly exploits them) and introduce some patch sets that attempt to solve those. This is a tooling and technique focused talk that will only touch briefly on the concrete incident at hand.
|1800 - 1830||Whiskey Con||5 minutes (2 shots of whiskey) each Blabber|
|End of SyScan'14 Singapore|
The organizer reserves the rights to change the program.