Breakpoint

AARON PORTNOY

@aaronportnoy‎

Bypassing All of the Things

This presentation is intended to give the viewer insight into an approach to the vulnerability discovery and exploitation process. I'll cover a memory disclosure vulnerability and a stack-based buffer overflow I discovered that together can be abused to bypass stack cookies (/GS), SafeSEH (/SAFESEH), full process Address Space Layout Randomization (ASLR, /DYNAMICBASE) and High Entropy ASLR (HEASLR), Data Execution Prevention (DEP), Structured Exception Handler Overwrite Protection (SEHOP), and the Enhanced Mitigation Experience Toolkit 4.0 (EMET) to gain reliable code execution against a multitude of platforms, but with a focus on achieving reliability against Windows 8 x64.

AARON PORTNOY BIO

Aaron Portnoy is the Vice President of Research at Exodus Intelligence where he tends to spend most of his time reading assembly code. The results of this usually include the discovery of vulnerabilities in ubiquitous software and the subsequent formation of an artisan exploit. Some software vendors affected by this include: Microsoft, Adobe, RSA, Novell, Symantec, HP, IBM, and VMware.

Aaron has presented research pertaining to reverse engineering, given training classes on bughunting, and organized contests such as Pwn2Own at conferences worldwide. Some of these include: CanSecWest, BlackHat, Microsoft's BlueHat, EkoParty, SummerCon, and RECon. He also lectures yearly at a Master's course at the Polytechnic Institute of NYU, has given a private lecture at the National Security Agency, and has had work credited in several published books.

JAMES FORSHAW

@tiraniddo

The Forger's Art: Exploiting XML Digital Signature Implementations

Many security critical systems rely on the correct implementation of the XML Digital Signature standard for the purposes of verification and identity management. Technologies such as SAML and Web Service Security use the standard, and its sibling XML Encryption, to manage the security of these technologies. Being a standard there is, unsurprisingly, no canonical implementation for any platform or language, with so many different developments there are likely to be differences in how the standard is interpreted.

While a fair amount research has been done into the effects of the standard such as it allowing signature wrapping attacks, these tend to be exposed due to poor usages of the XML Digital Signature libraries. Comparatively little research has been undertaken in the implementations themselves, how they diverge from the standard, how they ensure security and whether there are any vulnerabilities in the implementations themselves.

This presentation is about research done against the main open and closed source implementations of XML Digital Signatures, how they can be exploited to gain remote code execution, signature verification bypass, file stealing or denial of service. It will show some of the more nasty vulnerabilities found during the research including a novel attack against the built-in Java and .NET libraries which allow for trivial signature spoofing exposing any user of those implementations into accepting an invalid signature which is independent of their usage.

The presentation will be broken out into the following sections.

• Quick overview of XML Digital Signature Standard:
  • The standard itself
  • Uses of XML Digital Signatures in the real world, e.g. WSS, SAML
• History of XML Digital Signature Attacks:
  • HMAC Truncation
  • Signature Wrapping
  • DoS
• Current Implementations:
  • Overview of where you will find each one in the real world
  • Type of things to go looking for
  • Approach to investigation, manual review, fuzzing
• Vulnerabilities Identified:
  • Remote Code Execution, including from unauthenticated perspective
  • Parsing inconsistencies, blended attacks against systems using multiple implementations
  • Denial of service
  • Signature Spoofing
• Demos of vulnerabilities

JAMES FORSHAW BIO

James is the Head of Vulnerability Research at Context Information Security in the UK. He has been involved with computer hardware and software security for over 10 years with a skill set which covers the bread and butter of the security industry such as application testing, through to more bespoke product assessment, vulnerability analysis and exploitation. He has numerous public vulnerabilities disclosures in many different products including web browser issues and virtual machine breakouts as well as being a winner of the Java Pwn2Own competition in 2013.

He has spoken at a number of security conferences in the past, on a range of different topics such including managed language security at Blackhat USA, CanSecWest and Bluehat, Sony Playstation Portable hacking at Chaos Computer Congress, WebGL exploitation at Ruxcon and Citrix network exploitation at Blackhat Europe. He is also the developer of the free CANAPE networking analysis and exploitation tool.

SEUNGJIN LEE

@beist

Hacking, Surveilling, and Deceiving victims on Smart TV

Smart TVs sold over 80,000,000 units around the world in 2012. This next generation "smart" platform is becoming more and more popular. On the other hand, we hardly see security research on Smart TVs. This presentation will cover vulnerabilities we've found on the platform.

You can imagine that Smart TVs have almost the exact same attack vectors that PC and Smart Phones have. Also, Smart TVs have interesting new attack surface such as the remote controller. We'll talk about attack points for Smart TV platform and cover security bugs we discovered. This talk will mostly focus on what attackers can do on a hacked Smart TV.

For example, expensive Smart TVs have many hardware devices like a Camera or Mic which, if remotely controlled, means bad guys can spy remotely without you knowing. Even more, it is possible to make Smart TVs monitor you 24/7 even though users turn off their TV, meaning #1984 could be done.

In addition, we'll point out a difference of viewpoint on leaked information type among PC, Smart Phone and Smart TV. Lastly, we'll give demo of live remote surveliance cam which is sent to attacker's server at this talk.

This talk is an extended version of one which I gave at CANSECWEST. It will demonstrate a spoofed news story on a hacked Smart TV and possibly TVshing (Smart TV edition of phishing.)

SEUNGJIN LEE BIO

Beist has been a member of the IT security field since 2000. His first company was Cyber Research based in Seoul, South Korea and first focused on pen-testing. He then got a Computer Engineering B.A. degree from Sejong University.

He has won more than 10 global CTF hacking contests in his country as well as passed DefCon quals 5 times. He has sold his research to major security companies like iDefense and ZDI (Recon ZDI contest). He has run numerous security conferences and hacking contests such as SECUINSIDE in Korea. Also, he has given talks at SYSCAN, CANSECWEST, AVTOKYO, HITCON and TROOPERS. Hunting bugs and exploiting them are his main interest. He does consulting for big companies and is now a graduate student at CIST IAS LAB, Korea University.

STEFAN ESSER

@i0n1c

Advanced iOS Kernel Debugging for Exploit Developers

With the release of iOS 6 Apple has raised the bar for iOS kernel exploit development dramatically due to new protections and mitigations inside the kernel. This has lead to more difficult kernel exploits that have a higher demand for kernel debugging.

This presentation will give an insight into iOS kernel debugging techniques, starting from crash dumps, over XNU built-in kernel debugging features like KDP or heap zone recording and will demonstrate new custom debugging extensions like an advanced iOS kernel heap visualization and debugging toolset, which will be released as open source after the talk.

STEFAN ESSER BIO

Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he devoted a lot of time to PHP and PHP application vulnerability research. However in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he works as head of research and development for the German web application company SektionEins GmbH that he co-founded.

In 2010 and 2011 he got a lot of attention for presenting about iPhone security topics and supplying the jailbreaking scene with an exploit that survived multiple updates by Apple.

JEROEN DOMBURG

@spritemods

Hard Disks: More Than Just Block Devices

While a hard disk usually is seen as a stupid block device, it's actually a bit more intelligent than that: apart from reading and writing data, there's caching to be handled, bad block remapping to be done and SMART counters to keep, to name a few tasks. All these tasks are done in the hard disk controller, and because of the complexity of these tasks, it's usually done by one or more microcontrollers running the disks firmware.

Unfortunately, very little is known about these hard disk controllers. This presentation will discuss a reverse engineering attempt on a Western Digital hard disk: from getting access to the firmware itself to figuring out how the firmware works. All this is done with the ultimate goal of compromising the data stream to and from the hard disk: is it possible to make and install a firmware hack that compromises the security of the computer the hard disk is in?

JEROEN DOMBURG BIO

Hi, I'm Jeroen aka Sprite_tm. I've always been interested in anything that goes on in the place where hardware meets software, and I've done my share of hacking the devices that go with that; either re-purposing or 'upgrading' existing devices or building them from scratch. I run a website, spritesmods.com, where I document most of the projects I do.

PAUL RASCAGNERES

@r00tbsd

APT1: Technical Backstage

Earlier this year Mandiant published a report about an alleged state-sponsored Chinese hacking group nicknamed APT1. The Mandiant report caused quite a stir, making headlines around the world. Paul's presentation focuses on his own in-depth analysis of this group, based on the information provided by Mandiant. Paul discovered numerous C&C (Command & Control) servers located in China running the same software that is highlighted in the Mandiant report. He managed to penetrate the APT1 hacking infrastructure using vulnerabilities identified in the C&C server and unveil the inner-workings of the APT1 group. Paul's research provides a rare insight into activities and methodologies used by these attackers. This presentation will identify the infrastructure, tools, and malware used by the APT1 group to perform unscheduled backups of company data and intellectual property. 

Paul's research has been nomiated for a Pwnie Award this year:

"After Mandiant published their report on the APT1 group, malware.lu upstaged them by owning C&C infrastructure of APT1. They scanned for Poison Ivy C&Cs, developed a custom John the Ripper extension specifically for Poison Ivy's encryption algorithm, exploited a (known) buffer overflow in the C&C to gain access to all the C&Cs they found, revised the Metasploit module for it to improve the remote exploit so that it could accept a non-default connectback password, wrote a great deal of custom shellcode from scratch to properly hide their presence, discovered a brand new homemade RAT on one of the servers, reversed it to bruteforce its password, wrote a scanner to find C&C servers running it, discovered and wrote an exploit for a RCE buffer overflow vulnerability they found in that, and wrote a Metasploit module for it..."

PAUL RASCAGNERES BIO

Paul has been a security consultant and security researcher for 10 years. He is the creator of the project Malware.lu, a repository of free samples for security researchers and a platform to publish technical analysis. Paul established the first private CERT in Luxembourg, which assists clients with reverse engineering,, malware analysis, and incident response.

JONATHAN BROSSARD

Malware, Sandboxing and You: How Enterprise Malware and 0day Detection is About To Fail (Again)

The most notable trend in the AV industry over the past couple years is the increasing use of sandboxing to help move from a signature based detection paradigm - now essentially understood to fail due to the exploding number of malware variants - to a behavioral based detection mechanism based on sandboxing. If such technologies do help researchers detect and analyse 0day vulnerabilities in the wild, the push for full automation of malware analysis at network perimeter - being it MTAs, corporate proxies or other sources of file downloads - also have a great potential to backfire. This talk will attempt to demonstrate why, in the author's view, such technologies can actually do more harm than good in an enterprise context, not simply by looking at some easy to fix bugs, but really by questioning the very fundamental architecture and design of sandboxing in the context of 0day detection and malware analysis.

JONATHAN BROSSARD BIO

Jonathan Brossard is an established security researcher based in Sydney. His previous work included finding and reporting vulnerabilities in complex low level software such as Microsoft Bitlocker, McAfee Endpoint, Truecrypt as well as most BIOSes available in the market (Defcon 2008). He also contributed a disruptive debugger aiming at proving exploitation of invalid memory writes (Blackhat USA 2011), and more recently a proof of concept firmware backdoor to exemplify the risk of state backdooring at supply chain level (Blackhat 2012). Jonathan is also a recurrent speaker at Ruxcon, and the co-founder/co-organizer of the Hackito Ergo Sum as well as NoSuchCon conferences in Paris.

DANNY QUIST

@openmalware

LOBO: Scalable Covert Malware Analysis

Dynamic malware analysis is a well rounded field that suffers from known problems: Analysis is slow, detectable, expensive, and fail to relate back to manual reverse engineering techniques. This talk introduces the Lobotomizer (Lobo for short), a modernized scalable hypervisor based analysis system for large-scale, high-speed analysis of malicious executables. We implement modifications to the Linux kernel virtual machine to provide host based introspection. From here we feed into visualization systems, IDA Pro, and other analysis tools. Lobo has a full API based monitoring system, along with client libraries for integration into existing projects.

DANNY QUIST BIO

Danny Quist is a staff member at MIT Lincoln Laboratory. He holds a Ph.D. from the New Mexico Institute of Mining and Technology. Previously, Danny founded Offensive computing, an open malware research site. His interests include reverse engineering, software and hardware exploitation, virtual machines, and automatic executable classification systems. He has presented at Blackhat, the RSA Conference, Defcon, and Shmoocon.

JOHN BUTTERWORTH

@mitrecorp

BIOS Chronomancy

In 2011 the National Institute of Standard and Technology (NIST) released a draft of special publication 800-155. This document provides a more detailed description than the Trusted Platform Module (TPM) PC client specification for content that should be measured in the BIOS to provide an adequate Static Root of Trust for Measurement (SRTM). To justify the importance of 800-155, in this talk we look at the implementation of the SRTM from a vendor's pre-800-155 laptop. We discuss how the BIOS and thus SRTM can be manipulated either due to a configuration that does not enable signed BIOS updates, or via an exploit we discovered that allows for BIOS reflash even in the presence of a signed update requirement.

 We also show how a 51 byte patch to the SRTM can cause it to provide a forged measurement to the TPM indicating that the BIOS is pristine. If a TPM Quote is used to query the boot state of the system, this TPM-signed falsification will then serve as the root of misplaced trust. We also show how reflashing the BIOS may not necessarily remove this trust-subverting malware. To fix the un-trustworthy SRTM we apply an academic technique whereby the BIOS software indicates its integrity through a timing side-channel.

 Reason why the material is innovative:

• We are the first to demonstrate firmware level malware that evades detection by the Trusted Platform Module by forging the Platform Configuration Registers through clean-copy replay attacks.
• We also demonstrate a firmware rootkit that can survive BIOS reflashes by attaching itself to the new incoming BIOS image.

JOHN BUTTERWORTH BIO

John Butterworth is a security researcher at The MITRE Corporation who specializes in low level system security. He is applying his electrical engineering background and firmware engineering background to investigate UEFI/BIOS security.

Corey Kallenberg is a security researcher currently employed by The MITRE Corporation. Corey specializes in low level system development, vulnerability discovery and exploitation, and rootkit analysis. Corey's current focus is on BIOS/UEFI security. Corey has previously had his research presented at the IEEE Symposium on Security and Privacy, DEFCON and Shmoocon.

Xeno is a Lead InfoSec Engineer at The MITRE Corporation, a non-profit company that runs 6 federally funded research and development centers (FFRDCs) as well as manages CVE. He is the team lead for the BIOS Analysis for Detection of Advanced System Subversion project. On the predecessor project, Checkmate, he investigated kernel/userspace memory integrity verification & timing-based attestation. Both projects have a special emphasis on how to make it so that the measurement agent can't just be made to lie by an attacker. Xeno has previously had his research presented at the IEEE Symposium on Security and Privacy, DEFCON and Shmoocon.

DAN TENTLER

@Viss

Building Antibodies - The Phishing program at Twitter

I run the internal phishing program at Twitter. It was built from scratch and uses open source tools. It’s custom tailored to our organization. This talk will describe the objective of running an internal phishing program at your organization, what to track, how to measure, and how to grow the program. This is not an awareness program, this program is designed to imbue antibodies into the culture that will promote the growth of a security culture and help make people more security aware overall. Since the instantiation of this program at twitter we have seen dramatic changes that make the whole organization safer. There are some configurations an org can employ to dramatically decrease the influx of spam and phishing mails on top of a program such as this. If more orgs had a program like this, phishing would start to become much harder to do. The measurements that come from this program allow us to have a much better view of the risks attached to phishing as well, so we have a tangible, measurable result we can work with. You want to be the guy who designs attack models for your company, then lobs them at employees? This is how to do it.

DAN TENTLER BIO

Dan Tentler is the sole proprietor of Aten Labs, a freelance Information Security consultancy firm in San Diego and is routinely parachuted into various clients in southern California. Dan carries a wide breadth of clients and engagements, ranging from threat intelligence, to wireless site surveys and penetration testing, to full blown social engineering campaigns, to lockpicking and threat & vulnerability assessments. Dan has presented at DefCon, BlackHat, various BarCamps, Toorcon San Diego, ToorCon Seattle, regional OWASP meetings Refresh San Diego and SDSU computer security advanced lecture classes. Dan has been interviewed by the BBC, CNN, The San Diego Reader and a variety of information security blogs and publications. If you need a bad guy, call Dan.

TED SUMERS & GRAYSON ZULAUF

Hot-Wiring of the Future: Exploring Car CAN Buses!

To the layperson, a car is a primarily mechanical system—an internal combustion engine linked to four wheels. Yet modern vehicles are highly computerized, with dozens of sensors and MCUs (collectively known as electronic control units, or ECUs) controlling every aspect of the car from engine timing to infotainment systems. These ECUs pass vast amounts of unsecured information over a mandated intra-vehicle network: the CAN bus.

Accessing the network via the standardized OBD-II port, we were able to gain control over numerous safety-critical systems, including the dashboard display and door locks. We present our open-source software package, part of the GoodFET framework, as well as a methodology for reverse-engineering proprietary automotive CAN implementations.

TED SUMERS & GRAYSON ZULAUF BIO

Ted Sumers recently graduated from Dartmouth College with a degree in Electrical Engineering and is now an embedded software engineer at Automatic Labs in San Francisco, building an OBD-II interface for smartphones to help people drive more efficiently.

Ted is still young and idealistic about the potential of technology to address the world's problems; in college, he worked extensively for Dartmouth Humanitarian Engineering, spending several months in east Africa developing sustainable rural infrastructure. He's also an avid climber; when he's not trying to build the next hot iPhone app, breaking cars, or trying to save the world, he can usually be found clinging to a cliff in Yosemite or a frozen waterfall in New England.

Grayson Zulauf is an Electrical Engineer at Motiv Power Systems in California, a small company producing all-electric commercial vehicles with an exciting modular powertrain control system. He is a recent graduate of Dartmouth College with a degree in Electrical Engineering, where he had the opportunity to work on a number of cool projects, from the all-vegetable oil Big Green Bus to in-vivo nanoparticle targeting for hyperthermia cancer treatment to the CAN-bus deviousness presented here. At any given moment, he'd probably rather be skiing.

SNARE

@snare

The Mathematics of Wonton Burrito Meals

Memory forensics is a bit of a big deal these days and there are some great tools around for analysing captured memory. The tools for actually capturing memory generally either rely on a kernel module, or on DMA capture through FireWire and the like. To a certain extent, kernel-mode rootkits can interfere with these methods of capturing memory, resulting in a less-than-accurate picture of what is actually going on in a system.

When the only tool you have is a hammer, everything starts to look like a nail. That considered, snare will discuss how UEFI can be used to capture the contents of physical memory on a system with a modern UEFI BIOS. This method can be used in concert with a kernel-space memory capture method to fill in the gaps and circumvent nasty tricks that kernel rootkits might have in store.

SNARE BIO

A lawyer for the mayor's office and also the world's strongest millionaire.

SILVIO CESARE

@silviocesare

A Whirlwind Tour of Academic Techniques for Real-World Security Researchers

This talk will discuss some of the academic tools and techniques discovered and implemented whilst completing a Doctorate degree that are useful to real-world security researchers. Each of the techniques discussed will include real-world usage. Machine learning brings classification and clustering that implements supervised and unsupervised learning. You can use this to classify and cluster malware, emails, twitter messages, web pages, and the list goes on. You can even use classification to help find vulnerabilities. You'll learn that in less time than an afternoon you can implement and evaluate these techniques on your data sets using free software. Well that's cool, but what then? You probably all know about abstract data types and how they are useful to programmers, but what about abstractions used by mathematicians and computer scientists? Using vectors, sets, and graphs, you'll learn how these abstractions can be compared, approximated, indexed, and searched that will let you find near duplicates from your data set which could be things such as log files, network packets, stack traces, web pages, network topologies, or even malware. Finally, we'll look at the academic world of program analysis. You'll learn about monotone frameworks, abstract interpretation, data-flow analysis, white-box fuzzing, and what those SMT solvers are all about. Hopefully, by the time this talk is over, you'll see that academia offers tools that are useful right now for many of us in the real-world.

SILVIO CESARE BIO

Silvio Cesare is a PhD student at Deakin University and his thesis is currently under examination. His research is supported by a full scholarship under a Deakin University Postgraduate Research Award and two publication scholarships. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries. He has previously spoken at industry conferences including Blackhat, Cansecwest, Ruxcon, Breakpoint, AusCERT and has published in academic journals such as IEEE Transactions on Computers. He is also author of the book Software Similarity and Classification, published by Springer. He has worked inindustry within Australia, France and the United States.

This work includes time as the scanner architect of Qualys – now the world's largest vulnerability assessment company. In 2008 he was awarded $5000 USD tied 3rd prize for the highest impact vulnerability reported to security intelligence company IDefense for an implementation specific IDS evasion bug in the widely deployed Snort software. He has a Bachelor of Information Technology and a Master of Informatics by research from CQUniversity where he was awarded with two academic prizes during his undergraduate degree, a University Postgraduate Research Award full scholarship during his Masters degree, and a school of IT award during his PhD candidature for the student of highest merit

MICHAEL SULMEYER

The Political Economy of the Cyber-security and Malware Markets

When governments and their national-security bureaucracies consider the acquisition of new tools or capabilities, these acquisitions seldom occur within a traditional market context. Instead, the “market” looks more like a “monopsony” where the government is the only purchaser of a specialty good manufactured by a small number of suppliers. Fighter aircraft for an Air Force or submarines for a Navy are prime examples. Yet in the field of cyber-security,governments do indeed operate in a traditional market: as purchasers, they must compete not only with private industry but with other national and sub-national governments as well. In addition, suppliers are plentiful, as are the types of products they attempt to sell. Operating in this type of market economy is less-familiar territory for many governments and prospective sellers. This presentation will

1. examine the distinctions between markets and monopsonies in general;
2. apply these distinctions to the field of cyber-security;
3. describe the implications for purchasers and sellers of cyber-security tools;
4. assess the implications for current national export-control regimes that were not designed to address cyber-security products;
5. conclude with a discussion of how certain changes over the next five-to-ten years may affect the cyber-security and malware markets.

This presentation would likely be of interest to those considering broader questions of interactions between the private sector and governments: for sellers and coders, they might learn about marketing strategies for their products; for affiliates of governments and institutional purchasers, they might learn about how to think through their own regulatory regimes to ensure they can be fully competitive in the cyber-security field.

MICHAEL SULMEYER BIO

Michael Sulmeyer is currently a Senior Fellow at the Center for Strategic and International Studies in Washington DC. Michael is a graduate of Stanford Law School and he received his doctorate in Politics from Oxford University as a Marshall Scholar. His dissertation “Money for Nothing: Understanding the Termination of U.S. Major Defense Acquisition Programs” was awarded the Political Studies Association's Sir Walter Bagehot Prize for Best Dissertation in Government and Public Administration. He earned his Master’s in War Studies at King’s College London and was a Zukerman Fellow at Stanford’s Center for International Security and Cooperation (CISAC). His academic research examines how civil-military relations and the constitutional principles of the separation of powers affect defense resource allocation and strategy.