10:00 AM
to 11:00 AM
John McDonald & Chris Valasek: Practical Windows Heap Exploitation
65 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
John McDonald & Chris Valasek
As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and -- in certain code -- memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence. The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
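The abstract above lists "the contributing factors in heap determinism" and "tactics for creating predictable patterns in heap memory" as building blocks. The following added example (not code from the talk or its authors) makes that concrete with a deliberately small first-fit allocator: after simulated earlier activity leaves holes in the heap, two back-to-back allocations land in separate holes, but once a filler loop has consumed every hole large enough for the request, the next two allocations are contiguous, so a controlled buffer ends up directly in front of a victim object. The allocator, arena size, chunk header layout and the 48/32-byte sizes are assumptions chosen for the demonstration; it models the general principle, not the Windows XP or Server 2003 heap.

```c
/*
 * Added example: toy first-fit allocator illustrating heap determinism and
 * "grooming" (filling existing holes so a later allocation lands where you
 * want it). Simplified model, not the Windows XP/2003 heap.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define HEAP_SIZE 4096   /* assumed arena size */
#define ALIGN     16     /* assumed request rounding */

typedef struct chunk {
    size_t        size;  /* usable bytes after this header */
    size_t        free;  /* 1 if the chunk is free */
    struct chunk *next;  /* next chunk in address order */
} chunk_t;

static uint8_t  arena[HEAP_SIZE];
static chunk_t *head;
static void    *tail_mark;        /* start of the top chunk after fragmentation */
int             last_groom_count; /* filler allocations the last groom needed */

static void heap_init(void) {
    head = (chunk_t *)arena;
    head->size = HEAP_SIZE - sizeof(chunk_t);
    head->free = 1;
    head->next = NULL;
}

static size_t round_up(size_t n) { return (n + ALIGN - 1) & ~(size_t)(ALIGN - 1); }

/* First fit: the lowest free chunk large enough wins; the remainder is split off. */
static void *toy_alloc(size_t n) {
    n = round_up(n);
    for (chunk_t *c = head; c; c = c->next) {
        if (!c->free || c->size < n) continue;
        if (c->size >= n + sizeof(chunk_t) + ALIGN) {
            chunk_t *rest = (chunk_t *)((uint8_t *)(c + 1) + n);
            rest->size = c->size - n - sizeof(chunk_t);
            rest->free = 1;
            rest->next = c->next;
            c->next = rest;
            c->size = n;
        }
        c->free = 0;
        return c + 1;
    }
    return NULL;
}

/* Free and coalesce with following free chunks only (enough for the demo). */
static void toy_free(void *p) {
    chunk_t *c = (chunk_t *)p - 1;
    c->free = 1;
    while (c->next && c->next->free) {
        c->size += sizeof(chunk_t) + c->next->size;
        c->next = c->next->next;
    }
}

/* 1 if victim's header sits immediately after ctrl's usable bytes. */
static int adjacent(void *ctrl, void *victim) {
    chunk_t *c = (chunk_t *)ctrl - 1;
    return (uint8_t *)victim == (uint8_t *)ctrl + c->size + sizeof(chunk_t);
}

/* Simulated earlier activity: eight 48-byte objects, every other one freed,
   leaving three 48-byte holes in front of the top chunk. */
static void make_fragmented_heap(void) {
    void *p[8];
    heap_init();
    for (int i = 0; i < 8; i++) p[i] = toy_alloc(48);
    for (int i = 1; i < 8; i += 2) toy_free(p[i]);
    tail_mark = p[7];   /* p[7] merged into the top chunk, so the top starts here */
}

/* No groom: ctrl and victim fall into separate holes, 144 bytes apart. */
int demo_ungroomed(void) {
    make_fragmented_heap();
    void *ctrl = toy_alloc(32);
    void *victim = toy_alloc(32);
    return adjacent(ctrl, victim);
}

/* Groom: allocate until a request is served from the top chunk, meaning
   every hole that could satisfy it is gone; then ctrl and victim are contiguous. */
int demo_groomed(void) {
    make_fragmented_heap();
    last_groom_count = 0;
    void *q;
    do {
        q = toy_alloc(32);
        last_groom_count++;
    } while ((uintptr_t)q < (uintptr_t)tail_mark);
    void *ctrl = toy_alloc(32);
    void *victim = toy_alloc(32);
    return adjacent(ctrl, victim);
}

int main(void) {
    printf("ungroomed: victim adjacent to controlled buffer = %d\n", demo_ungroomed());
    printf("groomed:   victim adjacent to controlled buffer = %d (after %d filler allocations)\n",
           demo_groomed(), last_groom_count);
    return 0;
}
```

The same idea carries to a real allocator, where the number of filler allocations needed, and whether freed blocks are coalesced or held on size-class lists, is exactly the application- and allocator-specific knowledge the abstract refers to; the only part that generalises is the loop structure: fill until allocations come from fresh memory, then place the pair you need.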
11:15 AM
to 12:30 PM
Nathan Hamiel & Shawn Moyer: Weaponizing the Web
130 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Nathan Hamiel, Shawn Moyer
Ultimately, basing the value proposition of your site on user-generated and external content is a kind of variant on Russian Roulette, where in every turn the gun is pointed at your head, regardless of the number of players. You may win most of the time, but eventually a bullet is going to find its way into the chamber with your name on it.
We spent some time last year looking at this problem as it related specifically to Social Networks, but that left a lot of the territory unexplored. This time around we'll be talking about a previously unnoticed attack vector for lots and lots of web applications with user-generated content, and releasing a handy tool to exploit it. Bundled in are some thoughts on Web 2.0 attack surface, a few new exploitation techniques, and, as last year, a hefty helping of lulz, ridicule, and demos-of-shame at the expense of a few of your (and our) favorite sites.
1:45 PM
to 3:00 PM
Moxie Marlinspike: More Tricks for Defeating SSL
147 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Moxie Marlinspike
This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping.
This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
3:15 PM
to 4:30 PM
Mark Dowd, Ryan Smith & David Dewey: The Language of Trust
74 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Mark Dowd, Ryan Smith, David Dewey
Interactive content has become increasingly powerful and more flexible over the last few years, with major functionality additions appearing in several web-based technologies such as JavaScript, .NET, and browser plugins. These functionality changes, coupled with increasingly complex cross-communication layers, have created a nuanced and precarious trust layer between many different previously unrelated components.
This presentation attempts to address the issue of trust in the context of active content, and how it is more complicated than it might first appear. We will demonstrate the exploitation of these trust relationships at different levels of applications, from subverting architectural security controls to memory corruption vulnerabilities that lead to arbitrary execution.
4:45 PM
to 6:00 PM
Thomas Ptacek, David Goldsmith & Jeremy Rauch: Hacking Capitalism '09
67 Attendees
Location
Augustus Ballroom 5-6
Type Exploitation
Thomas H. Ptacek, David Goldsmith, Jeremy Rauch
Place an order for a stock on a retail brokerage, and you've set off a long chain of events across a broad, proprietary network of systems running at most financial institutions around the world. Orders are created, tagged, and stored in multiple databases. Messages are created in middleware stacks, funneled through order routing systems, and stored in persistence layers backed by everything from embedded databases to Oracle servers. Traders at firms large and small join in as the other side of the order, working from proprietary Windows trading dashboards, web applications, and magical Excel spreadsheets. Sub-second latencies matter, so parts of this patchwork quilt are written in C, and virtually none of it is encrypted.
Our talk is a guided tour through the systems and protocols used to transact this business; a parallel Internet that routes money and contracts instead of porn and MP3s. We'll describe patterns of vulnerabilities we've uncovered, explain poorly-understood trading protocols and middleware stacks and describe the all-important interactions between these components where subtle vulnerabilities crop up.