DAY 1 (26th April 2012)

| TIME | TOPIC | SPEAKER |
| 0800 - 0900 | Registration | |
| 0900 - 0915 | Opening and Welcome Address | Thomas Lim (Organiser, SyScan'12; CEO, COSEINC) |
| 0915 - 1015 | Windows 8 Developer Preview was released in September 2011. While many focused on the Metro UI of the operating system, we decided to investigate the memory manager. Although generic heap exploitation has been dead for quite some time, intricate knowledge of both the application and the underlying operating system's memory manager has continued to prove that reliable heap exploitation is still achievable. This presentation will focus on the transition of heap exploitation mitigations from Windows 7 to Windows 8. We will examine the inner workings of the Windows memory manager for allocations, deallocations and all additional heap-related security features implemented in Windows 8. Additional tips and tricks will also be covered, giving attendees the knowledge needed to achieve the highest possible levels of heap determinism. | Chris Valasek & Tarjei Mandt |
| 1015 - 1030 | Coffee Break | |
| 1030 - 1130 | The EFI firmware used in Intel Macs and other modern systems presents some interesting possibilities for rootkit developers. This presentation will provide a full account of how an EFI-based rootkit might work. We will begin with some background on the EFI architecture: what it does, how it works, and how we can leverage EFI to inject code into the Mac OS X kernel or attack the user directly. We will then detail how a kernel payload might work, employing a number of rootkit techniques that can be used within the XNU kernel. Finally, we will discuss the possibilities for rootkit persistence that are presented by EFI. This presentation will leave the audience with an understanding of the ways in which EFI can be used in a modern Mac OS X rootkit. | Loukas |
| 1130 - 1230 | Outsourcing is great, right? Cheap labor, first to market and exploiting resources are all excellent reasons to set up a remote office. The problem in defending your newly acquired revenue center is that you cannot replicate your security practices and expect them to succeed against local threats. If you deployed the most popular/expensive US-based security products, would you feel protected? In this talk we will use South Korea as a case study. A short introduction to the criminal hacking scene in Korea will be given, followed by a demo of us bypassing enterprise security solutions with a 0day in one of the most popular word processors in Korea (99% penetration). How popular is the P2P client Xunlei in China? Why do state-of-the-art malware detection appliances fall short? All this and more after Ben Nagy talks about fuzzing; don't miss it! | Ryan MacArthur & Beist |
| 1230 - 1330 | Lunch | |
| 1330 - 1430 | Master Boot Record based rootkits (MBR rootkits, or bootkits for short) have existed for decades but have more recently gained widespread attention with the growing deployment of nasty bootkits such as TDL4 and Popureb. The most advanced versions of these rootkits hook the normal storage device stack (i.e., the "normal I/O path") at the lowest possible level, the port and miniport drivers, in order to hide the infected MBR and malicious components. This presentation will introduce a novel technique to read from and write to disk using an alternate I/O path provided by the operating system: the crash dump I/O path. This poorly documented crash dump path represents a pristine, untargeted I/O path to disk, effectively defeating all known I/O-hooking rootkits. In addition to providing the attendee with original research and a new methodology for defeating bootkits, this presentation will offer extensive insight into the poorly understood crash dump mechanism used by Windows. This research is the result of weeks of debugging and reverse engineering various disk drivers and operating system core features. This presentation will distill all of those details into simple, important facts for the attendee's consideration. | Aaron LeMasters |
| 1430 - 1445 | Break | |
| 1445 - 1545 | | James Burton |
| 1545 - 1600 | Coffee Break | |
| 1600 - 1700 | Kernels are soft targets. But getting harder. Even the Linux kernel. Ha ha, just kidding. OK, only 90% joking. Some people care about kernel exploitation these days, partially due to the increasing need to pop application sandboxes. Apparently, people even care about Linux kernel exploitation since owning a bunch of Android phones is the new hotness. This presentation will look at the state of Linux kernel exploitation: the latest and greatest techniques, how exploitation has gotten slightly harder over the past few years, and what challenges lie ahead for the offensive-minded in the near future on both vanilla and hardened kernels. | Jon Oberheide |
| End of Day 1 | | |
| 1700 - 2000 | SyScan'12 Networking Party | |

The organizer reserves the right to change the program.