SyScan, day 2

Breaking Anti-Virus Software: Joxean Koret

Joxean gave a great introduction into the worst security practices at anti-virus companies. He basically dropped a large number of 0days on a bunch of AV engines (I liked his opening statement "all bugs are 0days unless otherwise mentioned"). Using dumb fuzzing Joxean found a huge number of crashes and then started diving into the individual engines. He wrote a quick fuzzer himself that runs on Linux, and he runs the scanners either under Wine or extracts the core engine and runs that directly. Some of the worst practices he found are that many engines (i) disable ASLR for their core libraries, (ii) inject (unsafe) libraries into all processes, (iii) run the scan engine as root with full privileges, and (iv) are full of bugs. So you might want to reconsider trusting your AV engine with untrusted files.
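Two of the practices above (no ASLR for the core libraries, bug-ridden native code) can be checked on any ELF binary or shared object without running it: a library only participates in ASLR if it is position independent (`ET_DYN`), and the `PT_GNU_STACK` program header says whether it asks for an executable stack. The following script is an added example written for this post, not code from the talk; it builds a constructed minimal ELF64 header in memory so it runs offline, and `main()` applies the same check to a real file path.

```python
"""Report whether an ELF64 binary is built to benefit from ASLR (PIE) and
whether it requests an executable stack. Added example, not from the talk."""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1  # segment flag: executable


def check_elf64(data: bytes) -> dict:
    """Parse the ELF header and program headers; return hardening facts."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2:
        raise ValueError("only ELF64 is handled here")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    # e_ident (16 bytes) is followed by e_type, e_machine, e_version, e_entry,
    # e_phoff, e_shoff, e_flags, e_ehsize, e_phentsize, e_phnum, ...
    (e_type, _m, _v, _entry, e_phoff, _shoff, _flags, _ehsize,
     e_phentsize, e_phnum) = struct.unpack_from(end + "HHIQQQIHHH", data, 16)
    has_gnu_stack, exec_stack, relro = False, False, False
    for i in range(e_phnum):
        # program header: p_type (I), p_flags (I), then six 8-byte fields
        p_type, p_flags = struct.unpack_from(end + "II", data,
                                             e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            has_gnu_stack = True
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,  # only ET_DYN objects get a randomized base
        # a missing PT_GNU_STACK is treated conservatively as executable
        "exec_stack": exec_stack if has_gnu_stack else True,
        "relro": relro,
    }


def build_sample(e_type: int, stack_flags: int, with_relro: bool = True) -> bytes:
    """Constructed ELF64 image (header + program headers only) for testing."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 4))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    hdr = e_ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0x1000,
                                64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return hdr + body


def main() -> None:
    if len(sys.argv) != 2:
        print("usage: elfcheck.py <elf-file>")
        return
    with open(sys.argv[1], "rb") as fh:
        print(check_elf64(fh.read()))


if __name__ == "__main__":
    main()
```

Run it over the scanner's core libraries: a `pie: False` result on a shared engine library means the loader cannot randomize it, which is exactly the condition Joxean flagged.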

Embracing the New Threat: Towards Automatically Self-Diversifying Malware: Mathias Payer

The talk by yours truly. I talked about fully automatic malware diversification. Using a modified compiler we modify the generated code and static data on a per-binary basis. White-paper, slides, and code are released on GitHub.

How to Train Your SnapDragon: Exploring Power Regulation Frameworks on Android: Josh 'm0nk' Thomas

m0nk introduced a set of nice concepts on how to attack different sets of phones by tinkering with power regulation and batteries. Unfortunately, I missed most of the talk; I will watch it later when it's online!

Click and Dragger: Denial and Deception on Android: the grugq

Rockstar on the stage, ranting about phone security: mobile phones suck for anonymity, privacy, and security. Smartphones suck even more. Location information (e.g., through triangulation) allows building social graphs, clustering, and deanonymization of secondary phones if they correlate with other phones. Networks are just as bad: you can be identified by the numbers you call or the calls you receive, or by the calling pattern as well. Smartphones add content, GPS sensors, apps, network connectivity, and so on to the mix.

To be safe, get burner phones. Buy the phone and the SIM separately and long in advance, use them infrequently, never at home, and throw them away after use. Smartphones are inherently unsafe. You cannot make Android safer by installing apps (e.g., TextSecure).

The grugq presents a new Android mod, based on CyanogenMod, that removes all Google code. He added a set of tripwires and default return values that ensure privacy. Lots of userland hardening as well, e.g., adding grsecurity patches, safe allocators, and so on. As an add-on he presents DarkMatter, a secure app that allows dynamic per-application TrueCrypt volumes (using encrypted containers) and transparent access to that data.

(This was the most awesome talk so far, except mine of course.)

All about the ALPC, RPC, LPC, LRPC in your PC: Alex Ionescu

All the dirty details of different forms of remote or local procedure calls on Windows using different transport services.

Thunderbolts and Lightning: Very Very Frightening: Snare and Rzn

Thunderbolt is DisplayPort and PCIe bundled together. The same DMA attacks as over FireWire a couple of years ago should be possible. They implement the PCIe interface on an FPGA to capture data that is in flight on the cable. They run DMA over PCIe and patch the login password check to always return true. Nice!

Linux Memory Forensics: A Real-Life Case Study: Georg Wicherski

Georg started off with a long introduction into APT, attacks, and a discussion of the ELF format. Dumping an executable from memory is no easy task, as not the whole binary is loaded into memory and a lot of the section view is lost once the individual segments are loaded. In the end Georg wrote a Volatility plugin that looks for the PLT and GOT.PLT sections and compares the entries of the individual libraries with possibly injected ones.
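The core of that plugin's logic is a consistency check: every resolved GOT slot must point into an executable mapping that belongs to the library expected to provide that symbol, while an unresolved slot still points at the binary's own PLT stub. The script below is an added example written for this post (it is not Georg's plugin and reads no memory image); it runs the check over constructed `/proc/<pid>/maps` lines and a constructed GOT, with `/usr/bin/victim`, `/tmp/.x/libhook.so` and the symbol addresses all being invented sample values.

```python
"""Flag GOT slots that resolve into unexpected code. Added example, not the
Volatility plugin from the talk; all sample data below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    path: str  # empty for anonymous memory

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


# /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text: str) -> list:
    """Keep only executable mappings; a resolved GOT slot must land in one."""
    maps = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m and "x" in m.group(3):
            maps.append(Mapping(int(m.group(1), 16), int(m.group(2), 16),
                                m.group(3), m.group(4).strip()))
    return maps


def locate(addr: int, maps: list) -> Optional[Mapping]:
    return next((m for m in maps if m.contains(addr)), None)


def audit_got(got: dict, maps: list, expected_lib: dict, main_binary: str) -> list:
    """Return one finding per GOT slot whose target is not where it should be."""
    findings = []
    for sym, target in got.items():
        m = locate(target, maps)
        if m is None:
            findings.append(f"{sym}: {target:#x} is outside every executable mapping")
        elif not m.path:
            findings.append(f"{sym}: {target:#x} resolves into anonymous {m.perms} memory")
        elif m.path == main_binary:
            continue  # lazy binding: slot still points at the binary's own PLT stub
        elif sym in expected_lib and expected_lib[sym] not in m.path:
            findings.append(f"{sym}: expected {expected_lib[sym]}, resolves into {m.path}")
    return findings


# Constructed sample: a main binary, libc, an anonymous rwx region and an
# extra library mapped from /tmp (the kind of injection the plugin hunts).
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/victim
00600000-00601000 rw-p 00000000 08:01 1234 /usr/bin/victim
7f0000000000-7f0000100000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f0000200000-7f0000201000 rwxp 00000000 00:00 0
7f0000300000-7f0000301000 r-xp 00000000 08:01 9999 /tmp/.x/libhook.so
"""

# Constructed GOT contents (symbol -> current slot value).
SAMPLE_GOT = {
    "read": 0x7F0000001230,    # resolved into libc: fine
    "write": 0x400500,         # still points at the PLT stub: lazy, fine
    "open": 0x7F0000200040,    # anonymous rwx page: suspicious
    "malloc": 0x7FFF00000010,  # not mapped executable at all: suspicious
    "puts": 0x7F0000300080,    # redirected into the injected library
}
EXPECTED = {sym: "libc.so" for sym in SAMPLE_GOT}


def run_sample() -> list:
    return audit_got(SAMPLE_GOT, parse_maps(SAMPLE_MAPS), EXPECTED, "/usr/bin/victim")


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On a live system the inputs come from `/proc/<pid>/maps` and the process's `.got.plt`; from a memory image they have to be rebuilt from the task's VMAs and the ELF dynamic section, which is the hard part Georg described.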


Speakers have to drink two shots of whiskey to get 5 minutes of talking time. Nguyen Anh Quynh presented his Capstone engine, a multi-platform, multi-ISA disassembly engine. Mark talks about weirdness on the internet: misconfigured DNS entries, UPnP, telnet, serial ports, and much more. Scan all of IPv4 all the time and add a time component to it. The results are online. Rex against the Romans was about abuse of power and attacking Macs (i.e., what kind of malware is running there and how the droppers work). Miaubiz talked a bit longer about lldb and different hooks. metl ranted about IT risk management and liability assessment. Joey was just there for the shots. Yevgeniy talked about abusing malware protections.