Conference Day 2 (18th November 2011)

| Time | Topic | Speaker |
|---|---|---|
| 1000 - 1100 | Since iOS 2.0, code signing has been used to validate executables and libraries in iOS. Besides at execution time, code signing is continually enforced to ensure existing code is not modified while running and that code is not dynamically added to a process. The one recently added exception to this policy is the Nitro JIT compiler, which is allowed to add dynamic, unsigned code to a process while running. This presentation will walk through the code used to enforce code signing in the iOS kernel, as well as the implications of the JIT compiler exception on iOS malware and exploit development. | Charlie Miller, Accuvant |
| 1100 - 1130 | Coffee Break | |
| 1130 - 1230 | This talk will describe a more general form of looking at exploitation; specifically, approaching the process of writing an exploit as the programming of a "weird machine". Software often contains "implicit state machines" which are supposed to have a number of well-defined program states; once memory is corrupted, the possible space of program states grows enormously. The exploit itself is then a program the attacker runs on the "weird machine". Practical applications for ASLR/DEP bypassing etc. will also be discussed. | Halvar Flake, Google |
| 1230 - 1330 | Lunch | |
| 1330 - 1430 | 15 years ago, Windows NT 4.0 introduced Win32k.sys to address the inherent limitations of the older client-server graphics subsystem model. Today, win32k still remains a fundamental component of the Windows architecture and manages both the Window Manager (User) and Graphics Device Interface (GDI). In order to properly interface with user-mode data, win32k makes use of user-mode callbacks, a mechanism allowing the kernel to make calls back into user mode. User-mode callbacks enable a variety of tasks such as invoking application-defined hooks, providing event notifications, and copying data to/from user mode. In this talk, we discuss the many challenges and problems concerning user-mode callbacks in win32k. We show how win32k's questionable design potentially may have introduced hundreds of subtle vulnerabilities, which so far have resulted in numerous patch bulletins. In MS11-034 and MS11-054, Microsoft addressed more than 40 privilege escalation vulnerabilities in an effort to remove multiple bug classes related to user-mode callbacks. However, in spite of the attempts made to address these vulnerabilities, the underlying problem still persists. | Tarjei Mandt |
| 1430 - 1445 | Break | |
| 1445 - 1545 | | The Grugq, COSEINC |
| 1545 - 1615 | Coffee Break | |
| 1615 - 1715 | As vulnerabilities are discovered and become widespread, technologies appear or are suggested to fix them: secure string functions, web application firewalls, cert pinning, DNSSEC, cloud deployments. However, one class of vulnerability has persisted and is present in web applications, client-server applications, mobile applications, and cloud architectures and applications: logic flaws. Kevin and Garrett will draw on their hundreds of past engagements to discuss real-life logic flaws that we have encountered in a variety of environments from mobile to client/server. We will pick several logic flaws and then deep dive into them. We will trace the root cause it shares with other vulnerabilities (design assumptions) to discovery. Then, using examples from real-life tests, we will re-create the design meetings and use audience participation to see if faulty assumptions are caught before it's too late. | Garrett Held & Kevin Stadmeyer, Trustwave |
| 1715 - 1730 | Lucky Draw | |
| | End of SyScan'11 Taipei | |
The organizer reserves the right to change the program.