Keynote Presentation November 4: Mitsugu Okatani, National Information Security Center / Ministry of Defense / Japan Air Self-Defense Force
Keynote Presentation November 5: Hideaki Kobayashi, Information-Technology Promotion Agency, Japan
Virtualisation security and the Intel privilege model
Tavis Ormandy & Julien Tinnes, Google
Abstract
Virtualisation is often used as a security boundary, yet few people understand the security implications of various virtualisation techniques. x86 virtualisation is a challenging problem that requires the application of complex and innovative ideas. Solutions often rely on complex and little-known features of the Intel architecture that are poorly understood and rarely used outside of virtualisation implementors. We analyse some of these techniques from a security perspective and investigate their security models. We will compare the strengths, weaknesses and attack surfaces of full virtualisation, paravirtualisation and hardware-assisted virtualisation.
Bio
Tavis Ormandy is a UNIX security researcher and an active participant in open source security. As an information security engineer on Google's Security Team, he is responsible for identifying and analyzing vulnerabilities and exploits in a wide range of software. Recent publications include the co-authored Exposing Application Internals, and Hostile Virtualized Environments.
Julien Tinnes has been interested in computer security since the late '90s. He enjoys both designing and breaking the security aspects of complex systems. Before joining Google as an information security engineer, Julien was working for one of the biggest telecoms companies as a security engineer and technical project manager. At that time, he was also a part-time teacher for various French "Grandes Ecoles".
Silicon Chips: No More Secrets
Karsten Nohl
Abstract
Microchips have long been objects of fascination for hackers and geeks. The manuals of processors and microcontrollers are well studied as are their assembly languages. But what if you could dig deeper into the chips and fully understand their hardware implementation?
Bio
Karsten is a security researcher and hardware hacker. Karsten's academic research deals with privacy protection, while his hacking projects focus on cryptographic hardware. In the past year, Karsten presented on smart-card security and embedded cryptography at 25C3, CanSecWest, USENIX Security, BlackHat, Toorcon, and the HOPE conference.
Filter Resistant Code Injection on ARM
Yves Younan, Katholieke University of Leuven
Abstract
In this paper we show that it is possible to build alphanumeric shellcode for ARM. This is a non-trivial result, because of the way RISC architectures work: all instructions are 4 bytes in length which means that we need to make 4 bytes alphanumeric rather than 1 or 2, like on IA32. This restriction reduces the number of usable instructions from 144 to 6. However we show that these 6 instructions are enough to build shellcode that can execute arbitrary code. A number of challenges needed to be solved to do this, the presentation will focus on how we solved these challenges.
Bio
Yves Younan received a Master's in Computer Science from the Vrije Universiteit Brussel (Free University of Brussels) in 2003 and a PhD in Engineering: Computer Science from the Katholieke Universiteit Leuven. His PhD focussed on efficient countermeasures against code injection attacks on programs written in C and C++. He is currently a post-doctoral researcher at the DistriNet research group, which is part of the Department of Computer Science of the Katholieke Universiteit Leuven, where he continues the research in the area of systems security that was started in his PhD. This research has led to several actual countermeasures being designed and publicly released. Publications are available at http://www.fort-knox.org. He also goes by the nick "ace" and is a member of the nologin security research group.
iPhone SMS Fuzzing and Exploitation
Charlie Miller, Independent Security Evaluators
Abstract
Bio
Charlie Miller is Principal Analyst at Independent Security Evaluators. He is best known as the first to publicly create a remote exploit against the iPhone and has discovered flaws in numerous applications on various operating systems. He has spoken at the Workshop on the Economics of Information Security, Black Hat, DEFCON, ToorCon, ShmooCon, and CanSecWest. He authored the book "Fuzzing for Software Security Testing and Quality Assurance" and the forthcoming "The Mac Hacker's Handbook". He won a MacBook Air by winning the Pwn2Own contest in 2008 for breaking into a fully patched Mac OS X computer. He has a PhD from the University of Notre Dame.
The Microsoft View of the 2008 Threat Landscape
Tony Lee, Microsoft
Abstract
In this paper, I will examine closely a number of important threat patterns/trends that took place in late 2008 continuing onto 2009, based on data collected from a number of Microsoft technologies and products, including Windows Defender, Forefront security products, Live Search, IE8 SmartScreen Technology, etc.
These threat patterns and trends include:
- Software vulnerability disclosure trends in terms of severity, complexity, vendor distribution and platform/application distribution. Specifically, we saw vulnerabilities go up in severity and down in complexity. We will take a close look at the specifics of the distribution and breakdowns.
- Browser exploit distribution among applications/platforms, as well as regions, based on unique views via Live Search and IE8 SmartScreen technology. Specifically, Live Search has found on average 1 million malicious pages per month, that is, 0.07 percent of all pages indexed by the search engine, with top locales such as the US and China. It was also found and confirmed that most servers were legitimate but hacked by attackers. We closely examine these data, and present a coherent malware distribution mechanism and its prevalence.
- We have also observed data from a number of sources that presents a highly regionalized threat landscape, i.e. a threat (type) prevalent in one region is often absent or much less seen in other regions. This pattern is confirmed by data both on types of malicious software and on the servers that host them. We will closely examine the differences among the regions, and the reasons behind these differences.
- We saw a significant spike in rogue security software, which had become pervasive especially in the latter half of 2008. Microsoft products removed rogue security software from 10 million computers in the second half of 2008 alone. We will examine the various behaviors and factors that contributed to this surge.
Bio
Tony Lee is a senior research manager on the Microsoft Malware Protection Center team.
His current research focuses on intelligence data sharing, data mining, and automated malware analysis. He graduated from the University of California at Berkeley with a BS in Computer Science and Electrical Engineering, and later received an MS from the University of California at Los Angeles.
Cloud Defense in the Post-BotWar Era
Ikuo Takahashi
Abstract
The mass Internet society and botnets are the two biggest elements. Botnets are manipulated by criminal organizations for monetary greed. On the other hand, the security industry should protect innocent users. We are now in an asymmetric information war. We have reached a new stage: moving the defense line into the "cloud".
Bio
- 2007-present: Owner of KK IT Research Art
- 2004-present: Lecturer, Utsunomiya Univ. Faculty of Engineering
- 1993-present: The Chambers of Mr. Ikuo Takahashi (Fukushima Bar Association)
- 1992: Bird & Bird (London)
- 1987: Called to the Bar (Daiichi Tokyo Bar Association)
- 1985: Passed the Bar exam (39th Legal Apprentice)
- Member of the computer research committee of the Japan Bar Association
- Contract researcher, Ministry of Economy, Trade and Industry (2003)
- Contract researcher, Information-technology Promotion Agency (2000)
The Android Security Story: Challenges and Solutions for Secure Open Systems
Rich Cannings & Alex Stamos, Google / iSec Partners
Abstract
The Android Platform faces a unique set of security challenges. Limited hardware, battery concerns, cramped screen space and the insistent demands of network carriers are standard problems in mobility security. However, Android is also a completely open and open-source platform, adding a whole new set of problems not faced by the other leading smartphone systems.
This talk will start with a quick overview of the state of security in the mobile world, and a review of the security models and precautions taken on Android's predecessors, including Windows Mobile and the iPhone. We will then discuss the unique facets of Android's security design and how the open-source ethos affected major decisions on the platform. We will cover the details of how security was worked into the planning, implementation and testing of Android and reveal details of interesting flaws that were discovered along the way.
The talk will also review some of the bugs that have been publicly found and fixed, and what lessons the Android security team learned from these mistakes. The talk will include recommendations for hobbyists and OEMs who are building custom versions of Android, as well as lessons we can share about how to build more trustworthy and free systems.
Bio
Alex Stamos is a co-founder and Partner at iSEC Partners Inc., a strategic digital security organization. Alex is an experienced security engineer specializing in solving difficult problems in application security and is a leading researcher in the field of web application and mobile security. He has been a featured speaker at top industry conferences such as Black Hat, Web 2.0 Expo, CanSecWest, DefCon, SyScan, Microsoft BlueHat and OWASP App Sec. He holds a BSEE from the University of California, Berkeley.
Rich is the Android Security Lead at Google. His research includes mobile and web security, with a special interest in Flash security. He co-authored Hacking Exposed: Web 2.0 Security Secrets and Solutions.
Stealthy Rootkit: How Bad Guys Fool Live Memory Forensics
Tsukasa Ooi, Livegrid
Abstract
Bio
A 20-year-old security researcher and programmer. I have no experience as a lecturer, but I have abundant knowledge about rootkits and virtualization, the scenery technology, and I gather technical documents about it on my own blog (http://d.hatena.ne.jp/xna/). At Livegrid, the company I established, I lead research on rootkits, the development of utility software affecting forensics, and anti-piracy activity.
Defending a Social Network
Alex Rice, Facebook
Abstract
An overview of how Facebook defends against the threats targeting them and their users. Detecting spam, blocking botnets, fighting fraud, withstanding DDoS, and other fun stuff.
Bio
Alex Rice is on the Security Incident Response team at Facebook, where he focuses on crafting innovative responses to emerging threats on the site. Prior to Facebook, Alex built systems to find malicious content on the Internet as a Senior Security Researcher with Websense Security Labs.
Museum of API Obfuscation on Win32
Masaki Suenaga, Symantec
Abstract
This paper illustrates API obfuscations seen in dumped process memory in a Win32 environment.
Anti-malware vendors are making efforts to effectively detect malware by unpacking suspicious samples. When a sample is unpacked successfully, it can be marked as a virus if some portions found there are characteristic of the virus. If it is just a variant of a well-known virus family, we can do without knowing what APIs are called.
However, when it is necessary to analyze in depth, knowledge of the called APIs is a great help. Most anti-malware vendors might be struggling to support as many packers as possible in order to resolve imported APIs.
Even if unpackers fail to unpack, we can obtain memory dumps in many cases. Such memory dumps are good enough to determine whether a sample is viral or not, though they might not be suitable for analysis by disassemblers. In order to analyze them, we have to adjust the PE headers so that disassemblers are not distracted by wrong file alignments, and we have to know what APIs are called.
APIs are obfuscated in a variety of methods:
- multiple memory blocks containing jump relays
- copying some initial instructions of APIs into malware module and jumping into the middle of the APIs
- not just copying instructions but replacing with redundant instructions
- and so on
In some cases several methods are mixed; in other cases the redundant instructions run to 100,000 steps, long enough to stop us from trying to resolve them manually.
I will explain the obfuscating methods and what is necessary to resolve obfuscated APIs by a tool.
Bio
Joined Fujitsu Limited in 1991, having worked as a software engineer. Joined Symantec Corporation in 2004, working as a virus analyst since. Paper: IME as a Possible Keylogger / Virus Bulletin, November 2005
!exploitable and Effective Fuzzing Strategies as a Regular Part of Test
Jason Shirk, Microsoft
Abstract
Microsoft does a LOT of fuzzing. The !exploitable Crash Analyzer tool released at CanSecWest assists with some of the back-end workload from fuzzing. By using !exploitable Crash Analyzer regularly, and by applying other research presented by Microsoft at BlueHat in October 2008, fuzzing can be executed much more effectively over time.
The !exploitable Crash Analyzer presentation at CanSecWest 2009 discussed the deep internals of the tool. This presentation is to show effective ways for those who fuzz regularly to deploy !exploitable, and more effective ways to fuzz generally. Also included will be research done on finding the "Last Bug" and data about some of our fuzzing efforts.
Bio
Jason Shirk has been in the software industry for 10 years, initially in telecommunications, where he became "reacquainted" with software security and pursued a degree in Computer Networking and Security. His security work ranges from corporate software security standards to penetration testing and vulnerability tracking and response. Jason is presently a Security Program Manager for the Microsoft Security Engineering Center (MSEC) Security Science team, where he is responsible for Microsoft's fuzzing toolkit and strategy, including !exploitable.
Analyzing Word and Excel Document Encryption
Eric Filiol, ESIEA - Operational cryptology and Virology Lab
Abstract
The Microsoft Word and Excel applications use RC4 encryption with a 128-bit secret key for confidentiality purposes (up to Office 2003, or equivalently up to version 11). RC4 encryption is considered strongly secure and the user's confidence relies on this alleged security. Unfortunately, the RC4-based encryption implemented in Word and Excel (up to Office 2003) is very weak. Starting from a previous theoretical attack published in 2005, we present in our paper an operational cryptanalysis of this encryption by combining pure cryptanalytic techniques and forensics techniques. With a probability of success greater than 90 % we are able to recover the complete plaintext for both Word and Excel. The time complexity of the attack is linear in the size of the Word or Excel document. From a practical point of view, it is therefore possible to bypass RC4 encryption in this context within a few minutes of computing time.
Bio
Eric Filiol has spent 21 years in the French Army mainly as a cryptographer and a computer virology expert. He has published reference books in computer virology and a large number of research/technical papers. He has been speaker at many security conferences.