"Data Mining a Mountain of Zero Days"
Chris Eng, Veracode
Every day, software developers around the world, from Bangalore to Silicon Valley, churn out millions of lines of insecure code. We used static binary analysis on thousands of applications submitted to us by large enterprises, commercial software vendors, open source projects, and software outsourcers, to create an anonymized vulnerability data set. By mining this data we can answer some interesting questions. What types of mistakes do developers make most often? Are we making any progress at eradicating XSS and SQL injection? How long does it really take to remediate software vulnerabilities? We will address these questions and many others, giving you a deep dive into metrics at a scale that can't be found anywhere else.
"The Future of Automated Malware Generation"
Stephan Chenette, IOActive
Cyber-criminals have had back-end infrastructures equivalent to VirusTotal to test if malware is effective against AV scanners for many years, showing that attackers are proactively avoiding detection when building malware. In this day and age malicious binaries are generated on demand by server-side kits when a victim visits a malicious web page, making reliance solely on hash-based solutions inadequate. In the last 15 years detection techniques have evolved in an attempt to keep up with attack trends. In the last few years security companies have looked for supplemental solutions such as the use of machine learning to detect and mitigate attacks against cyber criminals.
Machine Learning (ML), though not a new concept, is all the rage these days, touted as the next big thing in defensive technology. While ML is beginning to be used in the detection of polymorphic malware, let's not pretend attackers aren't also experimenting with ML to create advanced malware which can bypass learning algorithms and heuristics. I will present work to show how attackers might be utilizing ML offensively, in a supervised learning mode, to expose common features to avoid or alternatively utilize in order to increase the chances of bypassing binary AV scanners that utilize heuristics and ML for detection.
"Machine Learning for Security"
Kenji Aiko, @07c00
Anti-virus has needed heuristic analysis for detecting new malware; a network analyzer would like to filter unknown exploit packets. Security research has to focus on the next technology, which is not black lists; one of them is machine learning. However, is it true that it's a useful method we should learn for security? Does machine learning have the potential to solve some security issues? I'll introduce several algorithms and the limits of machine learning in security.
"You keep using that Sandbox, I don't think it does what you think it does" - OSX Mountain Lion's security model
Paul Sebastian Ziegler
Due to remaining access to OS X's accessibility API it becomes possible to write a fully functioning key/mouse logger and screengrabber running with standard user privileges on OS X Mountain Lion with sandboxing enabled. This talk will look at a practical implementation, the general weaknesses of Mountain Lion's security model and ways to safeguard 3rd-party apps against this attack vector. Live demonstration included.
"What it takes to successfully run a vulnerability reward program"
Adam Bacchus + Kevin Stadmeyer, Google
Kevin and Adam will discuss what it takes to successfully run a vulnerability reward program, the number of types of issues that we have discovered as a result of this program and, more importantly, how much you can expect to get for your 1337 Google Maps SQL injection. The talk will cover several interesting bugs which have been submitted to us (and subsequently patched), as well as some ad hoc examples of the types and amounts of the awards we typically give. The process will be examined as part of this talk, but the main focus is on the types and amounts of awards and some funny stories from running it. I will also discuss my motivations in working with this program and what Google hopes to accomplish by paying external researchers.
"Future of trust in the Internet"
Marat Vyshegorodtsev, University of Tokyo, "More Smoked Leet Chicken" CTF team, @touzoku
The trust models in different spheres are totally different. There are strict models, like in iPhone or trusted-mode Unix, and loose models, like in Android or Linux apt. However, the web went its own way, and we verify not the content but channel authenticity. In this talk I will take an approach to analyse these differences and describe how the Internet should be changed in order to achieve better security.
"Android malware detection in the cloud"
Elson Lai, Websense
In this presentation I will show 2 parts of a project I'm working on now:
A classification service in the cloud will be introduced which can auto-parse features from Android app files and train a machine learning engine to get the correct category of each file.
Like Amazon's 'Test Drive' but a different experience. Our dynamic analysis engine supports nearly any Android application directly from your browser using some very interesting technology. Just upload the Android apk file and click a button on a webpage; we will launch an emulated instance of Android in the cloud, which you'll be able to control directly from your browser, and get a report of what the app has done and a result of whether the app is malicious.
"New "open source" step in Android Application Analysis"
Anthony Desnos + Geoffroy Gueguen, Androguard
In this framework, you have the possibility to access each element of an Android app (defined by the Dalvik Executable Format) and to analyze it. You are able to create (save/load) a new session, to annotate methods/instructions, or to modify and save the app. Of course, you can disassemble all instructions and see the control flow graph, but one major feature is to decompile each method "on the fly" with a native Android decompiler (DAD) (no Java steps; a dead code elimination procedure followed by a register propagation procedure), which is the first public decompiler with this technique. Moreover, we would like to present our improvements to our similarity tools (comparison/diff of Android apps), whose general concept we explained in our Phrack article (http://phrack.org/issues.html?issue=68&id=15#article). Finally, we will present tips and tricks to block the analysis of a wild sample by using various techniques to break Android reverse engineering tools and to try to escape automated analysis.
"Windows Kernel Font Fuzzing and Exploitation"
Ling Chuan Lee (a.k.a. lclee_vx), CyberSecurity Malaysia + Lee Yee Chan, F13 Laboratory
This presentation is focused on the use of TrueType Font and Microsoft Bitmap Font as a Windows kernel attack vector, based on a specially crafted font size that leads to memory overwrites occurring inside the Windows kernel. The talk features a live demo of both local and remote Windows kernel font exploitation. Details regarding the important functions of installing a vulnerable font and triggering and attacking the vulnerability will be explained and shown. We will also show how to create an exploitable Office document, which embeds a specially crafted font that could potentially be used as a remote attack weapon to gain remote control privileges.
This talk also comes with our automated font generator exploitation utilities, which allow for very effective fuzz testing of all vulnerable TrueType/Microsoft Bitmap fonts based on different sizes, and automatically compile and insert kernel shellcode into the font file. The utilities will then convert the crafted font into the odttf font format and embed it into an Office document.
"Using Theory to Hack the Geopolitical Dynamics of Cyber Security"
Eli Jellenc, VeriSign
Many cyber security practitioners remain puzzled by the geopolitics of cyber security while national strategists and political scientists struggle to understand what cyber security is even about; I show in this presentation that existing theories from political science and sociology can be modified to explain the dynamics of cyber security competition among nations and to improve understanding of strategic cyber conflict behavior.
"NFC using Software Defined Radio"
Jonathan Andersson
Unable to participate due to an urgent issue.
*note: Due to various circumstances, speakers, topics, date and stage order may be changed without notice.