Last week we celebrated that special time of the year
again. For me it was the 8th time that we went to the Chaos
Communication Congress and the 3rd time that I had a talk. This year
we also had tokens for the BerlinSides, a side conference with only
technical talks organized by Aluc.
We carried out the same procedure as every year; Stormbringer and I met
on December 26th around 7pmish at the airport in Zürich for a beer or
two. Unfortunately he was late, so I had to drink alone. No harm was
done as I still had to finish the slides for my talk. The flight was
really smooth and we arrived at 11pm at the hostel. Following our
regular procedure we walked right to the bcc to get our badges (and the
first couple of beers). A couple of things changed this year: the bcc
committee no longer allowed smoking inside the venue, so the hack lounge
(that was very cozy in the last couple of years with many couches,
music, video installations, good wired network connectivity) was
replaced by a smoking tent outside of the bcc that had like 1/100 of the
style. The hacking area was never as crowded as it was in earlier years
and the hackers are moving more and more towards software only. Well,
nevertheless we had to try out the lounge/tent on the first day and were
thrown out at around 4am. That's another novelty: for the first time
the bcc (or parts of the congress) closed during the night.
The following four days went by in a blur. I watched many interesting
talks, met many interesting people, had good discussions, had a blast
during my talk, and had the one-odd beer or so. I organized the
interesting talks into three categories: technical talks, political /
social talks, and talks that I would have liked to watch. The talks are
ordered according to my subjective rating on a scale from 1 to 10.
Technical talks:
String Oriented Programming, Mathias Payer (my talk)
Mathias first gives an overview of all the different attack vectors that
are currently used in exploits (code injection, return oriented
programming, jump oriented programming, and format string attacks). He
then discusses the available defenses on current systems (Data Execution
Prevention, Address Space Layout Randomization, and ProPolice). Using a
tool that emits specially crafted format strings he presents an attack
that can be used to rewrite some static regions of a program (e.g., GOT,
or PLT regions of the main executable) into a jump/return oriented
interpreter that reuses parts of the application to execute arbitrary
code.
Print Me If You Dare, Ang Cui, Jonathan Voris (8)
Ang et al. present an awesome hack showing how you can upload your own
malware to regular HP printers. Current HP printers are connected to the
network, have fairly powerful processors, and can be updated (without
authentication) over the Internet. The talk includes a live demo. Great
presentation!
Datamining for Hackers, Stefan Burschka (7+)
Stefan gave a great talk about the potential of datamining and how
datamining can be used to exploit and analyze legacy systems. Stefan
talks about traffic mining where he exclusively looks at traffic
patterns and unencrypted fields in the headers (e.g., length, flags) to
infer details of the encrypted connection (e.g., pauses, which party is
speaking, and other details). All in all an entertaining talk with a
medium level of detail and verbosity.
802.11 Packets in Packets, Travis Goodspeed (and Sergey Bratus) (7)
Travis and Sergey introduce probabilistic packet injection. If the
wireless signal is congested in one way or another or if there is
interference, then the transmission of a packet can be incomplete. The
main idea of the hack is that a part of the original (legit) packet is
destroyed during the transmission. The data section of the packet
contains a complete inner packet of the same protocol. If the header of
the original packet is destroyed then the inner packet is parsed like a
regular packet. This hack can be used to inject illegal packets into
protected networks (e.g., somebody downloading a large file; some
packets are transmitted wrong and are reinterpreted as "attack packets"
due to the Trojan horse character of the packets). The idea is really
nice, but I doubt that an attacker is able to race a sufficient number
of times against the (very low) probability that only the header is
destroyed and no other parts of the data section that contain the
illegal packet. After the talk I actually asked this question and
Travis did not really answer it.
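To put a number on the question raised above, here is an added Python model; it is my own illustration, not code from Travis and Sergey's talk or from this post. It replaces 802.11 with an assumed toy framing (a 4-byte sync word, a 2-byte length, a payload, a CRC-32 trailer) and independent per-byte errors, builds an outer frame whose payload carries a complete inner frame, corrupts it at a given byte error rate, and counts how often a simplified receiver that locks onto the first intact sync word delivers the inner frame instead. The closed form next to the simulation shows the two factors that have to coincide: the outer sync word must be damaged while every byte of the inner frame survives. All sizes and error rates are constructed values, not measurements.

```python
import random
import zlib

# Constructed toy framing (NOT 802.11): sync word | 2-byte length | payload | CRC-32.
SYNC = b"\xAA\xAA\xAA\x7E"


def frame(payload: bytes) -> bytes:
    """Build one toy frame: sync word, length, payload, CRC-32 over length+payload."""
    body = len(payload).to_bytes(2, "big") + payload
    return SYNC + body + zlib.crc32(body).to_bytes(4, "big")


def receive(stream: bytes):
    """Simplified receiver: lock onto the first intact sync word, read the
    length-prefixed body and accept it only if the CRC matches.
    Returns the delivered payload, or None if nothing was accepted."""
    pos = stream.find(SYNC)
    if pos < 0:
        return None
    start = pos + len(SYNC)
    if start + 2 > len(stream):
        return None
    length = int.from_bytes(stream[start:start + 2], "big")
    body = stream[start:start + 2 + length]
    crc = stream[start + 2 + length:start + 6 + length]
    if len(body) != 2 + length or len(crc) != 4:
        return None
    if zlib.crc32(body).to_bytes(4, "big") != crc:
        return None  # outer frame damaged: dropped, exactly as a CRC check should
    return body[2:]


def corrupt(stream: bytes, p: float, rng: random.Random) -> bytes:
    """Damage each byte independently with probability p (i.i.d. byte error model)."""
    out = bytearray(stream)
    for i in range(len(out)):
        if rng.random() < p:
            out[i] ^= rng.randrange(1, 256)  # non-zero XOR guarantees the byte changes
    return bytes(out)


def reinterpretation_rate(p: float, inner_payload: bytes, filler: int = 100,
                          trials: int = 10000, seed: int = 7) -> float:
    """Monte Carlo estimate of P(receiver delivers the inner frame) when the outer
    frame's payload contains a complete inner frame, at byte error rate p."""
    rng = random.Random(seed)
    outer = frame(b"\x00" * filler + frame(inner_payload) + b"\x00" * filler)
    hits = 0
    for _ in range(trials):
        if receive(corrupt(outer, p, rng)) == inner_payload:
            hits += 1
    return hits / trials


def analytic_rate(p: float, inner_payload: bytes) -> float:
    """Closed form under the same model: at least one byte of the outer sync word
    is lost (so the receiver skips past it) AND every byte of the inner frame,
    sync word and CRC included, survives."""
    inner_len = len(frame(inner_payload))
    return (1 - (1 - p) ** len(SYNC)) * (1 - p) ** inner_len


if __name__ == "__main__":
    # Sweep the error rate: too few errors and the outer sync survives, too many
    # and the inner frame is damaged as well. The rate peaks in between.
    inner = b"x" * 16
    for p in (0.001, 0.01, 0.05, 0.1, 0.2):
        print(f"p={p:<6} simulated={reinterpretation_rate(p, inner):.4f} "
              f"analytic={analytic_rate(p, inner):.4f}")
```

The sweep makes the trade-off visible: the per-frame rate is bounded by the product of two probabilities that pull in opposite directions, and it is highest for short inner frames and long outer sync words that are easy to lose. Note that the outer CRC offers no protection here, because the receiver never checks the outer frame once it has missed the outer sync word.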
Can trains be hacked?, Stefan Katzenbeisser (7)
Interesting talk (in German) about the history of train safety
(including info on signalling, relays, and so on). Stefan includes
details on "Stellwerke" (interlockings) as well.
The Atari 2600 Video Computer System: The Ultimate Talk, Sven Oliver ('SvOlli') Moll (6)
Interesting talk by Sven about all the Atari 2600 internals. Sven was
inspired by Michael Steil's talk at 26c3 about the C64 internals (which
was an awesome talk as well, go watch the recording!). Sven presents a
nice introduction about all the hardware details of the Atari 2600, the
development of ROM/RAM boards, and a lot of nitpicking about programming
the given hardware.
x86 oddities, corkami (6)
Corkami presents nice subtleties of the x86 machine code. He shows
undocumented instructions, especially how these instructions can be used
in packers and malware to circumvent debuggers, emulators, and other
checking techniques. Very low level talk that assumes a lot of prior
knowledge of x86. Overall very interesting, unfortunately there is no
recording available.
Reverse Engineering USB Devices, Drew Fisher (6)
Drew is an MSc student at UC Berkeley in Human Interaction. He talks
about the USB protocol and how to reverse engineer drivers for new USB
hardware.
Introducing Osmo-GMR, Sylvain Munaut (6)
Hacking satellite phones. Sylvain introduces a new feature for the Osmo
software stack.
Defending mobile phones, Karsten Nohl, Luca Melette (5)
Karsten and Luca show techniques for cloning existing mobile phones
given a regular call that can be eavesdropped. The cloned phones can be
used to call premium numbers or to send text messages to premium
services. After the motivating example they show how the attacks that
Karsten and co. developed during the last couple of congresses can be
mitigated using additional software, additional checks, or new
algorithms. Interesting talk, but the "big hack" was missing. They gave
a great overview of the available attacks but failed to bring up
something new (for this year).
Rootkits in your Web application, Artur Janc (5) (2nd link)
A regular XSS bug is used in combination with new HTML5 features to
implement persistent rootkits in web applications. The combination of
persistence and XSS bugs enables rootkits that reinstall themselves even
if caches are cleared. Artur also explains how these rootkits can be
used to grab information and forge, e.g., banking sites.
New Ways I'm Going to Hack Your Web App, Jesse Ou, Rich (5)
Similar to Rootkits in your Web application. Featuring HTML5, XSS
attacks, and other nice technologies.
Cellular protocol stacks for Internet, Harald Welte (5)
Great overview talk of all the wireless protocols used in the last 20
years. If you want to know more about GSM, UMTS, and all the other
protocols, then go watch this talk to get some pointers. If you are not
interested in an overview, then the talk is just a 1hr show of three
letter acronyms.
Time is on my Side, Sebastian Schinzel (5)
Sebastian is a PhD student in Erlangen. He studies side-channel attacks
on web pages. The talk introduces timing analysis, how to get exact
timing measurements, and how to remove jitter. He talks about different
approaches based on TCP/IP to measure jitter for each packet instead
of per connection. If the server side is stacked (PHP over Apache) then
you need domain-specific knowledge: you need to know which parts are
sent by Apache and when control is passed to PHP. Using this
domain-specific knowledge you can reduce the jitter inside the PHP
application. The idea is pretty straightforward: do n measurements, do
statistical analysis, compare, get hidden data. The talk shows an attack
on XML RSA encryption using a timing attack (based on PKCS#1 decryption
and a pre-existing attack); combining both techniques breaks
XML-encrypted messages.
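To make the "do n measurements, do statistical analysis, compare" recipe concrete, here is an added Python example; it is mine, not Sebastian's code and not part of the original post. It stands in for a real web server with an assumed cost model: every request costs a fixed base plus a per-byte cost for each byte the server's comparison inspects, plus positive, exponentially distributed jitter. Keeping the minimum of n samples strips most of the jitter, which is enough to recover a secret byte by byte from an early-exit comparison, while the hardened form (hmac.compare_digest) inspects every byte regardless and shows only noise. SECRET, the cost constants and the jitter distribution are constructed values.

```python
import hmac
import random

# Constructed secret and cost model (assumptions for this example, not numbers
# from the talk): a request costs BASE_NS, plus PER_BYTE_NS for every byte the
# comparison inspects, plus exponentially distributed jitter that only adds delay.
SECRET = b"s3cr3t-token"
BASE_NS = 200_000
PER_BYTE_NS = 2_000
JITTER_MEAN_NS = 20_000


def leaky_bytes_inspected(secret: bytes, guess: bytes) -> int:
    """Early-exit comparison (the vulnerable pattern): stops at the first mismatch,
    so the number of bytes inspected, and therefore the time, depends on the guess."""
    inspected = 0
    for a, b in zip(secret, guess):
        inspected += 1
        if a != b:
            break
    return inspected


def constant_time_bytes_inspected(secret: bytes, guess: bytes) -> int:
    """Hardened form: hmac.compare_digest processes every byte no matter where
    the first mismatch is, so the cost carries no information about the guess."""
    hmac.compare_digest(secret, guess)
    return len(secret)


def measure_min(inspect, guess: bytes, n: int, rng: random.Random) -> float:
    """Take n timed samples of one request and keep the minimum: since jitter
    only ever adds delay, the minimum converges on the intrinsic cost as n grows."""
    intrinsic = BASE_NS + PER_BYTE_NS * inspect(SECRET, guess)
    return min(intrinsic + rng.expovariate(1.0 / JITTER_MEAN_NS) for _ in range(n))


def candidate_times(inspect, prefix: bytes, n: int, rng: random.Random) -> list:
    """Estimated cost for every possible next byte after an already known prefix."""
    pad = len(SECRET) - len(prefix) - 1
    return [measure_min(inspect, prefix + bytes([c]) + b"\x00" * pad, n, rng)
            for c in range(256)]


def recover_prefix(inspect, n: int = 300, seed: int = 1) -> bytes:
    """Recover all but the last byte: the candidate whose request costs the most is
    the one the early-exit loop accepted and moved past. The final byte cannot be
    told apart this way, because a full match and a last-byte mismatch both
    inspect every byte; only the server's yes/no answer distinguishes them."""
    rng = random.Random(seed)
    prefix = b""
    for _ in range(len(SECRET) - 1):
        times = candidate_times(inspect, prefix, n, rng)
        prefix += bytes([max(range(256), key=times.__getitem__)])
    return prefix


def timing_spread(inspect, n: int = 300, seed: int = 1) -> float:
    """Largest difference between the 256 first-byte estimates: a leak shows up as
    a spread of about PER_BYTE_NS, a constant-time check as residual noise only."""
    rng = random.Random(seed)
    times = candidate_times(inspect, b"", n, rng)
    return max(times) - min(times)


if __name__ == "__main__":
    print("leaky:        ", recover_prefix(leaky_bytes_inspected))
    print("constant-time:", recover_prefix(constant_time_bytes_inspected))
    print("spread leaky / constant-time:",
          timing_spread(leaky_bytes_inspected),
          timing_spread(constant_time_bytes_inspected))
```

The minimum-of-n estimator is the simplest form of the jitter removal the talk describes; the per-packet TCP/IP techniques it covers reduce the noise further, but the defensive conclusion is the same either way: what removes the signal is a comparison whose cost is independent of the input, not more noise on the wire.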
Security Log Visualization with a Correlation Engine, Chris Kubecka (5)
Solid talk about how to use correlation engines to analyze log files.
Apple vs. Google Client Platforms, Bruhns, FX of Phenoelit, greg (4)
FX and some guys bash on Apple and Google client platforms. They
analyze the hardware platforms of the Google Chromebook (no good
exploits found) and the iPad 1 (some possible exploits similar to red
snow found; red snow uses a bug in the boot ROM that can not be fixed by
Apple). They also found some bugs in the markets of Apple and Google.
Both markets are vulnerable to XSS exploits. All in all I expected more
of this talk. The presentation was good but FX was overselling the bugs
they found and in my opinion there was too much bashing around.
Protecting Software, dosbart (3)
How to protect legacy software from piracy. So-so talk that ended in a
long rant against piracy and software cracking.
X(tra|ml|slt|query|dp|mas) pwnage, Nicob (3)
Let's just use XSL bugs to inject new code into a server and let's
execute it server side. Nicob includes details on how to transcode
procedural-oriented code into functional-oriented code used by XSL. Talk
was not that interesting as he presented too many details on how to
write code instead of showing individual attacks.
Automatic Algorithm Invention with a GPU, Wes Faler (2)
Wes talks about genetic programming and GPU programming. I was not that
interested in the topic of the talk and drifted off pretty soon. In
addition I do not believe that genetic programming or some other
automatic programming techniques will be able to evolve automatically
generated code to very complex/optimized algorithms.
Political/social:
Hacker Jeopardy (9)
Jeopardy game show with hacking questions. Awesome just like every year!
„Die Koalition setzt sich aber aktiv und ernsthaft dafür ein“,
maha/Martin Haase (8)
Unfortunately this talk is only available in German. Martin Haase
analyzes the talks of politicians and shows the use (and misuse) of
language. Interesting and funny as usual.
Fnord-Jahresrückblick, Felix von Leitner, Frank Rieger (8)
The second political talk that is only available in German. Fefe and
Frank talk about what happened during the year and give a nice "fnord"
review about all the political, social, and other mishaps. Funny and
entertaining, although not the best Fnord show ever.
Der Staatstrojaner, 0zapfths, Constanze Kurz, Frank Rieger, Ulf
Buermeyer (7)
The third political talk that is only available in German. The group
reviews the Trojan horse that was developed by Germany to spy on its
people. They analyze both the technical and the political side and give
a great review on the development.
The coming war on general computation, Cory Doctorow (6)
Cory discusses the problems with Turing complete CPUs. They can be used
to compute anything. Appliances now want to ensure that only specific
functionality can be executed on these CPUs. This is hard to enforce.
The Hack will not be televised?, Caspar Clemens Mierau (6)
One of the few talks that was not recorded (due to copyright issues -
torrent might be available). Caspar shows different sequences of hacks
in movies. He talks about the hacks and how they are shown on the
screen. I liked the movie sequences but I do not like his takeaways
(e.g., women are not hackers).
"Neue Leichtigkeit", Alex Antener, Amelie Boehm, Andrin Uetz, Jonas
Bischof, Ruedi Tobler, Samuel Weniger (6)
Artistic show with lots of booze.
SCADA and PLC Vulnerabilities in Correctional Facilities, Tiffany
Rad, Teague Newman, John Strauchs (4) (2nd link)
New breakthroughs in SCADA systems... More and more people know about
the vulnerabilities in SCADA and PLC systems. These systems are also
used in correctional facilities. Exploits and expertise in these systems
can therefore be used to break out of prisons. Tada.