Random ramblings of a security nerd

SyScan, day 2

Breaking Anti-Virus Software: Joxean Koret

Joxean gave a great introduction into worst security practices at anti virus companies. He basically dropped a large amount of 0days on a bunch of AV engines (I liked his opening statement "all bugs are 0days unless otherwise mentioned"). Using dumb fuzzing Joxean found a huge amount of crashes and then started diving into the individual engines. He wrote a quick fuzzer himself that runs on Linux and he runs the scanners either under wine or extracts the core engine and runs that one directly. Some of the worst practices he found are that many engines (i) disable ASLR for their core libraries, (ii) inject (unsafe) libraries into all processes, (iii) the scan engine often runs as root with full privileges, and (iv) is full of bugs. So you might want consider trusting your AV engines to handle untrusted files.

Embracing the New Threat: Towards Automatically Self-Diversifying Malware: Mathias Payer

The talk by yours truly. I talked about fully automatic malware diversification. Using a modified compiler we modify the generated code and static data on a per-binary basis. White-paper, slides, and code are released on github.

How to Train Your SnapDragon: Exploring Power Regulation Frameworks on Android: Josh 'm0nk' Thomas

m0nk introduced a set of nice concepts on how to attack different sets of phones by tinkering with power regulation and batteries. Unfortunately, I missed most of the talk, will watch it later when it's online!

Click and Dragger: Denial and Deception on Android: the grugq

Rockstar on the stage, ranting about phone security: mobile phones suck for anonymity, privacy, and security. Smartphones suck even more. Location information (e.g., through triangulation) allows building social graphs, clustering, deanonymization of secondary phones if they correlate with other phones. Networks are just as bad: you can be identified by the numbers you call or the calls you receive, or the calling pattern as well. Smartphones add content, GPS sensors, apps, network connectivity, and so on the mix.

To be safe get burner phones. Buy phone and SIM apart from each other long ago, use infrequently, never at home, and throw away after use. Smartphones are inherently unsafe. You cannot make Android safer by installing apps (e.g., TextSecure).

The grugq presents a new Android mod, based on CyanogenMod and removes all Google code. Added a set of tripwires and default return values that ensure privacy. Lots of userland hardening as well, e.g., adding grsecurity patches, save allocators, and so on. As an add on he presents DarkMatter, a secure app that allows dynamic per-application TrueCrypt volumes (using crypted containers) and transparent access to that data.

(this was the most awesome talk so far - except mine of course)

Navigating a sea of Pwn?: Windows Phone 8 AppSec: Alex Plaskett and Nick Walker

The talk is about Windows mobile phone hacking and as expected, Windows mobile is full of pwn. Great talk about general Windows phone pen testing.

All about the ALPC, RPC, LPC, LRPC in your PC: Alex Ionescu

All the dirty details of different forms of remote or local procedure calls on Windows using different transport services.

Thunderbolts and Lightning: Very Very Frightening: Snare and Rzn

Tunderbolt is a display port and PCIe bundled together. Same DMA attacks as over FireWire a couple of years ago should be possible. The implement the PCIe interface on an FPGA to capture data that is in flight on the cable. The run DMA over PCIe and patch login password check to always return true. Nice!

Linux Memory Forensics: A Real-Life Case Study: Georg Wicherski

Georg started off with a long introduction into APT, attacks, and a discussion of the ELF format. Dumping an executable from memory is no easy task as not the whole binary is loaded into memory and a lot of the section view is lost when individual segments are loaded. In the end Georg wrote some volatility plugin that looks for PLT and GOT.PLT sections and compares the entries of the individual libraries with possible injected ones.

WhiskeyCon

Speakers have to drink two shots of Whiskey to get 5 minutes of talking time. Nguyen Anh Quynh presented his Capstone engine, a multi-platform, multi-ISA disassembly engine. Mark talkes about weirdness on the internet, misconfigured DNS entries, UPnP, telnet, serial port, and much more. Scan all the IPv4 all the time and add a time component to it. The results are online. Rex against the romans was about abuse of power and attacking Macs (i.e., what kind of malware is running there and how to the droppers work). Miaubiz talked a bit longer about lldb and different hooks. metl ranted about IT risk management and liability assessment. Joey was just there for the shots. Yevgeniy talked about abusing malware protections.

Other articles

SyScan, day 1

Published: Thu 03 April 2014
By Mathias Payer

In Conferences.

tags: Singapore hacking SyScan

Opening speech: Thomas Lim

Thomas gave a great introduction, the conference is as big as ever and attracted a whole bunch of different people. BlackHat Asia is going to stay in Singapore, so there will be some challenges in the future. Most speakers on the other hand preferred to drop …
read more
WarGames in memory: shall we play a game?

Published: Tue 12 March 2013
By Mathias Payer

In Security.

tags: analysis memory safety research security hacking

Memory corruption (e.g., buffer overflows, random writes, memory allocation bugs, or uncontrolled format strings) is one of the oldest and most exploited problems in computer science. Low-level languages like C or C++ trade memory safety and type safety for performance: the compiler adds no bound checks and no type …
read more
All paths lead to Rome: POPL and PPREW from a syssec perspective

Published: Wed 13 February 2013
By Mathias Payer

In Conferences.

tags: Rome analysis travel POPL acm sightseeing PPREW hacking

A week in Rome: what could be better than sitting all day in a conference room?

POPL (Principles Of Programming Languages) is one of these great conferences that have been around forever and sound very interesting to any systems person. The definition of POPL according to the SIGPLAN homepage is …
read more
28c3 - 28th Chaos Communication Congress & Berlin Sides or a tough week in Berlin

Published: Mon 09 January 2012
By Mathias Payer

In Conferences.

tags: security hacking ccc BerlinSides conference 28c3

Last week we celebrated that special time of the year again. For me it was the 8th time that we went to the Chaos Communication Congress and the 3rd time that I had a talk. This year we also had tokens for the BerlinSides, a side conference with only technical …
read more
27c3 - 27th Chaos Communication Congress in Berlin (2010-12-27 to 2010-12-30)

Published: Mon 28 February 2011
By Mathias Payer

In Conferences.

tags: conference ccc security hacking 27c3

For the 7th time in a row Stormbringer and I visited the Chaos Communication Conference in Berlin. It was fun as always, I had my second talk about libdetox and we were able to drink many beers and I also listened to some interesting talks. A writeup about the different …
read more