DAY 1 - 2nd July 09

TIMING  TOPIC  SPEAKERS
09:00-09:15 Opening and Welcome Address
Thomas Lim
CEO, COSEINC
Organiser, SyScan’09
09:15-10:15
Dave Aitel
CTO, Immunity
10:15-10:30 Coffee Break  
10:30-11:30
    Creating Hypervisor-based Hacking Tool: The COSEINC Hypervisor Framework

    The objective of the presentation is to show a new code framework extremely useful to create hypervisors using the Intel and AMD virtualization instruction sets. Creating a VMM using these instructions is a very complex and error-prone process. With the framework, creating VMMs becomes easy and fast thanks to a simple abstraction layer built over these virtualization technologies. The framework’s exported API will be presented, and it will be demonstrated how to use it to create powerful system hacking tools and bypass system protections. It also includes a discussion of the security and detection aspects of the framework.

    List of topics covered:

    • Virtual Machines
    • Virtual Machine Monitors, aka Hypervisors
    • Types of VMM
    • Popek and Goldberg’s requirements
    • Innocuous and Sensitive instructions
    • Privileged instructions
    • Virtualizing sensitive instructions
    • Hardware assisted virtualization
    • Intel VT and AMD SVM technologies
    • Creating a VMM with Intel VT
    • VMCS internals
    • Host control area
    • Guest control area
    • Guest event interception
    • The ‘Hypervisor Framework’
    • Architecture
    • Features
    • Framework API
    • VMINFO data structure
    • Virtual Machines and Interception Events management
    • Framework Client’s communication protocol
    • Creating tools with the Framework
    • Bypassing kernel protections with the framework
    • Virtualization security
    • Detection issues

Edgar Barbosa
Sr. Researcher
COSEINC
11:30-12:30
    Windows NT Kernel Security

    There is very little salient information about Windows kernel auditing and kernel exploitation techniques. This is probably due to the nature of the security industry these days. Bugs are getting harder to find, so techniques tend to be closely held. There have been some “primer” presentations on Windows kernel security (“Attacking the Windows Kernel”, NGSSoftware, etc.) and some very specific kernel exploitation presentations on specific bugs. This presentation is more on “lessons learned” while developing kernel security auditing tools for the Windows kernel.
Stephen Ridley
Matasano

12:30-13:00 Lunch Break
13:00-14:00
    Finding Microsoft Vulnerabilities by Fuzzing Binary Files with Ruby – A New Fuzzing Framework

    While a lot of public material is available that _mentions_ fuzzing Office files, there is very little detail. While I have been dealing mainly with Word, the bulk of the techniques are applicable to any Office application. I plan to cover:

    - Reading and writing "streams" in the OLE "compound binary file" format
    - Recognising and parsing interesting structures in the Word Binary Fileformat
    - Highlights / 'errors' from the specification documents
    - Instrumenting Word with Win32OLE to automate the testing - Did it crash? Is the document sitting there open, wasting testing time?
    - Lightweight and totally flexible runtime monitoring by automating CDB with ruby (what good's a crash without the details?)
    - Dialog Boxes You Will Meet that will hang your fuzzer thread and How to Eliminate Them
    - Turning off annoying Word 2007 Resiliency features and other ways to reduce registry bloat
    - Where Word stores its bizarre, invisible temp files (which don't get deleted if it crashes)
    - Dealing with hangs and memory eaters.
    - Wrapping the whole lot up in a distributed fuzzing framework to spread the fuzzing load over as many client machines (or VMs) as you like, save all the results in a DB and even use other frameworks or languages to create test cases
    - Doing the whole lot in Ruby, because nobody else has, yet. (at least nobody who has released their code)
Ben Nagy
Sr. Researcher
COSEINC
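The OLE compound-file handling the first two bullets describe, as an added example written for this page (it is not the speaker's framework or released code): a reader that follows FAT and mini-FAT chains to pull a named stream out of a version-3 compound file, an in-place writer that puts a mutated copy back, and a byte-flipping mutator of the sort a Word fuzzer drives in a loop. The sample file it parses is constructed inline so the code runs offline; the layout assumptions (512-byte sectors, every FAT sector listed in the header DIFAT array, stream length unchanged on rewrite) are mine, not the talk's.

```ruby
# Added example (written for this page, not the speaker's framework): read and
# rewrite streams inside an OLE2 "compound binary file" (.doc/.xls/.ppt), then
# mutate one stream into a fuzz test case.  Assumptions: version-3 files
# (512-byte sectors), all FAT sectors listed in the header DIFAT array, and
# rewrites that keep each stream's length unchanged.
SIG = "\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1".b
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF

class CFB
  attr_reader :entries
  def initialize(image)
    @img = image.b
    raise "bad CFB signature" unless @img[0, 8] == SIG
    @sector_size = 1 << @img[0x1E, 2].unpack1("v")
    @mini_size   = 1 << @img[0x20, 2].unpack1("v")
    @mini_cutoff = @img[0x38, 4].unpack1("V")
    first_dir, first_minifat = @img[0x30, 4].unpack1("V"), @img[0x3C, 4].unpack1("V")
    # The header DIFAT lists up to 109 FAT sectors, terminated by FREESECT.
    fat_sectors = @img[0x4C, 436].unpack("V109").take_while { |s| s != FREESECT }
    @fat     = fat_sectors.flat_map { |s| sector(s).unpack("V*") }
    @entries = chain(first_dir).flat_map { |s| parse_dir(sector(s)) }
    @minifat = first_minifat == ENDOFCHAIN ? [] : chain(first_minifat).flat_map { |s| sector(s).unpack("V*") }
  end
  def sector_offset(n)                        # sector n follows the 512-byte header; guard truncated files
    ((n + 1) * @sector_size).tap { |o| raise "sector #{n} past end of file" if o + @sector_size > @img.bytesize }
  end
  def sector(n); @img[sector_offset(n), @sector_size]; end
  # Walk a FAT or mini-FAT chain; fuzzed files routinely contain loops here.
  def chain(start, table = @fat)
    out, seen, s = [], {}, start
    until s == ENDOFCHAIN
      raise "bad chain at sector #{s}" if seen[s] || s >= table.size
      seen[s] = true
      out << s
      s = table[s]
    end
    out
  end
  # 128-byte directory entries: UTF-16LE name, type (2 stream, 5 root), start sector, size.
  def parse_dir(buf)
    (0...buf.bytesize / 128).map do |i|
      e = buf[i * 128, 128]
      nlen = [e[0x40, 2].unpack1("v") - 2, 0].max            # stored length counts the NUL
      { name: e[0, nlen].force_encoding("UTF-16LE").encode("UTF-8"), type: e[0x42].ord,
        start: e[0x74, 4].unpack1("V"), size: e[0x78, 4].unpack1("V") }
    end
  end
  def entry(name)
    @entries.find { |e| e[:name] == name && e[:type] == 2 } or raise "no stream #{name.inspect}"
  end
  # [offset, length] pairs holding the stream; streams below the cutoff sit in the
  # root entry's mini stream and are chained through the mini FAT instead.
  def locate(e)
    return chain(e[:start]).map { |s| [sector_offset(s), @sector_size] } if e[:size] >= @mini_cutoff
    container = chain(@entries[0][:start]).map { |s| sector_offset(s) }
    per = @sector_size / @mini_size
    chain(e[:start], @minifat).map do |m|
      base = container[m / per] or raise "mini sector #{m} outside mini stream"
      [base + (m % per) * @mini_size, @mini_size]
    end
  end
  def read_stream(name)
    e = entry(name)
    locate(e).map { |off, len| @img[off, len] }.join[0, e[:size]]
  end
  # Overwrite a stream in place (same length) and return the new file image.
  def write_stream(name, data)
    e, data, img, pos = entry(name), data.b, @img.dup, 0
    raise "stream length must stay #{e[:size]}" unless data.bytesize == e[:size]
    locate(e).each do |off, len|
      n = [len, data.bytesize - pos].min
      break if n <= 0
      img[off, n] = data.byteslice(pos, n)
      pos += n
    end
    img
  end
end

# Flip a few bytes of one stream; distinct positions and non-zero XOR masks guarantee a changed file.
def mutate_stream(cfb, name, seed, count = 8)
  rng, data = Random.new(seed), cfb.read_stream(name)
  (0...data.bytesize).to_a.sample(count, random: rng).each { |i| data.setbyte(i, data.getbyte(i) ^ (1 + rng.rand(255))) }
  cfb.write_stream(name, data)
end

# Constructed sample: header | FAT | directory | mini FAT | mini stream | eight data sectors.
def build_sample_doc(word_stream, small_stream)
  fat = Array.new(128, FREESECT)
  fat[0], fat[1], fat[2], fat[3] = FATSECT, ENDOFCHAIN, ENDOFCHAIN, ENDOFCHAIN
  (4..10).each { |s| fat[s] = s + 1 }; fat[11] = ENDOFCHAIN        # sectors 4..11 hold word_stream
  minifat = Array.new(128, FREESECT).tap { |m| m[0], m[1] = 1, ENDOFCHAIN }   # two 64-byte mini sectors
  dir = lambda do |name, type, left, right, child, start, size|
    n = name.encode("UTF-16LE").b
    [n, n.bytesize + 2, type, 1, left, right, child, "", 0, 0, 0, start, size, 0].pack("a64vCCVVVa16VQ<Q<VVV")
  end
  header = [SIG, "", 0x3E, 3, 0xFFFE, 9, 6, "", 0, 1, 1, 0, 4096, 2, 1, ENDOFCHAIN, 0].pack("a8a16vvvvva6VVVVVVVVV") +
           ([0] + [FREESECT] * 108).pack("V109")
  directory = dir.call("Root Entry", 5, NOSTREAM, NOSTREAM, 1, 3, 512) +
              dir.call("WordDocument", 2, NOSTREAM, 2, NOSTREAM, 4, 4096) +
              dir.call("\x01CompObj", 2, NOSTREAM, NOSTREAM, NOSTREAM, 0, small_stream.bytesize) + "\0" * 128
  header + fat.pack("V*") + directory + minifat.pack("V*") + small_stream.b.ljust(512, "\0") + word_stream.b
end
SAMPLE_WORD    = ([0xA5EC].pack("v") + "constructed WordDocument stream".b).ljust(4096, "\0")  # FIB wIdent 0xA5EC
SAMPLE_COMPOBJ = "constructed \x01CompObj contents ".b * 3
SAMPLE_IMAGE   = build_sample_doc(SAMPLE_WORD, SAMPLE_COMPOBJ)
```

Pointing `CFB.new` at a real `.doc` image works the same way; `mutate_stream` then yields a fresh test case per seed, and the chain-loop and truncation checks are what keep the harness itself from hanging on the corrupt files it produces, which matters once the mutated output is fed back in as a seed.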
14:00-14:15 Break  
14:15-15:15
    Hacking iPhone – Fuzzing and Payload

    This talk will briefly introduce the iPhone security architecture. It will then demonstrate how to perform automated fuzzing on the device including SMS fuzzing. It will then demonstrate some payloads for the iPhone. iPhone payloads are complicated by the fact that on factory phones, no pages can be made executable. Therefore, the payloads consist of long chains of return-to-libc.
Charles Miller
Independent Security Evaluators
15:15-15:30 Coffee Break  
15:30-16:30
    Living in the Rich Internet Application (RIA) World – Blurring the line between Web and Desktop Security

    This talk gives an overview of the security of emerging Rich Internet Application (RIA) technologies. Because these technologies are so new, little information is currently available on their security or lack thereof. This talk will provide attendees with an in-depth look into the security of leading RIA technologies, as well as the security concerns presented by the RIA paradigm itself.
Justine Osborne
iSecPartners
16:30-17:30
    Googless

    Two Proof of Concepts (PoC) used during the reconnaissance phase of a penetration test will be demonstrated:

    1. "TCP Input Text" extracts TCP Ports and Fully Qualified Domain Names (FQDN) from Google Search Results into a .csv file and individual shell scripts for nmap and nc aka netcat to provide assurance of a listening TCP service since the last crawl performed by the "GoogleBot".

    2. "Download Indexed Cache" retrieves content indexed within the Google Cache and supports the "Search Engine Reconnaissance" section of the recently released OWASP Testing Guide v3. During the demonstration of "Download Indexed Cache", the superiority of this approach will be proven over lesser methodologies, such as "Google Hacking" and the associated Google Hacking Database (GHDB). The impact of mitigating controls, such as <META> Tags and robots.txt, based on the recommendations within the "Spiders/Robots/Crawlers" section of the recently released OWASP Testing Guide v3, will be explained.

Christian Heinrich
Project Leader, OWASP
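The two reconnaissance steps the abstract names, as an added example written for this page rather than the speaker's own PoC code: `extract_targets` pulls FQDN/port pairs out of saved search-result HTML, and `to_csv`, `nmap_script` and `nc_script` emit the .csv and the per-target nmap/nc lines used to confirm a port still listens; `robots_allows?` and `meta_blocks_cache?` evaluate the robots.txt and `<META>` controls the abstract says govern what reaches the index and cache. The HTML and robots.txt inputs are constructed, the function names are mine, and the nmap/nc flags assume nmap and an OpenBSD-style netcat.

```ruby
# Added example (written for this page; not the speaker's tools).  Part one:
# FQDN:port pairs from search-result HTML, plus CSV and nmap/nc lines that
# re-check each port.  Part two: would robots.txt or <meta name="robots"> have
# kept the page out of the index/cache in the first place?
require "uri"

def extract_targets(html)
  html.scan(%r{https?://[^\s"'<>]+}).map do |u|
    begin
      uri = URI.parse(u)
    rescue URI::InvalidURIError
      next
    end
    host = uri.host.to_s.downcase
    # FQDNs only: drop bare IPs, and reject anything that could inject into the shell scripts below.
    next unless host =~ /\A[a-z0-9.-]+\z/ && host.include?(".") && host !~ /\A[\d.]+\z/
    [host, uri.port]                      # uri.port supplies 80/443 when the URL carries no port
  end.compact.uniq
end

def to_csv(targets)
  ["fqdn,port"] + targets.map { |h, p| "#{h},#{p}" }
end

def nmap_script(targets)                  # -Pn: no ping sweep, -sT: plain connect scan
  ["#!/bin/sh"] + targets.map { |h, p| "nmap -Pn -sT -p #{p} #{h}" }
end

def nc_script(targets)                    # -z: connect only, -w 3: 3-second timeout
  ["#!/bin/sh"] + targets.map { |h, p| "nc -vz -w 3 #{h} #{p}" }
end

# Parse robots.txt into groups; consecutive User-agent lines share one rule set.
def parse_robots(text)
  groups, current = [], nil
  text.each_line do |raw|
    key, value = raw.sub(/#.*/, "").split(":", 2).map(&:strip)
    next unless value
    case key.downcase
    when "user-agent"
      unless current && current[:rules].empty?
        current = { agents: [], rules: [] }
        groups << current
      end
      current[:agents] << value.downcase
    when "allow", "disallow"
      current[:rules] << [key.downcase == "allow", value] if current
    end
  end
  groups
end

# Google's evaluation: the group naming the agent applies (the "*" group only when no
# named group matches); the longest matching path wins, Allow wins ties, no match allows.
def robots_allows?(text, path, agent)
  groups = parse_robots(text)
  agent  = agent.downcase
  group  = groups.find { |g| g[:agents].any? { |a| a != "*" && agent.include?(a) } } ||
           groups.find { |g| g[:agents].include?("*") }
  return true unless group
  best = group[:rules].map do |allow, pat|
    next if pat.empty?                      # "Disallow:" with nothing after it blocks nothing
    re = "\\A" + Regexp.escape(pat).gsub("\\*", ".*").sub(/\\\$\z/) { "\\z" }
    [pat.length, allow] if path.match?(Regexp.new(re))
  end.compact.max_by { |len, allow| [len, allow ? 1 : 0] }
  best ? best[1] : true
end

# noindex keeps the page out of the index; noarchive keeps the cached copy out of the cache.
def meta_blocks_cache?(html)
  html.scan(/<meta\b[^>]*>/i).any? do |tag|
    next false unless tag =~ /name\s*=\s*["']?robots["']?/i && tag =~ /content\s*=\s*["']([^"']*)["']/i
    $1.downcase.split(",").map(&:strip).any? { |d| %w[noindex noarchive].include?(d) }
  end
end

# Constructed inputs standing in for a saved results page and a target's robots.txt.
SAMPLE_RESULTS = <<~HTML
  <a href="http://www.example.com/index.html">Example</a>
  <a href="https://portal.example.com:8443/login">Portal</a>
  <a href="http://www.example.com/about.html">About</a>
  <a href="http://192.0.2.10/">bare IP, skipped</a>
  <a href="https://mail.example.com/">Webmail</a>
HTML

SAMPLE_ROBOTS = <<~ROBOTS
  User-agent: *
  Disallow: /private/
  Allow: /private/public-notes/
  Disallow: /*.pdf$

  User-agent: Googlebot
  Disallow: /cache-me-not/
ROBOTS
```

The robots.txt evaluator is the part worth keeping around: a path that the `*` group forbids can still be crawlable by Googlebot when a named Googlebot group exists, because the named group replaces rather than extends the wildcard one, which is exactly the kind of mistake that leaves "protected" content in the cache.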
  End of Day 1  

DAY 2 - 3rd July 09

Powered by SyScan © 2009 SyScan'09