10:00 AM
to 11:00 AM

Michael Tracy, Chris Rohlf, & Eric Monti: Ruby for Pentesters
54 Attendees
Location Augustus Ballroom 3-4
Type Testing
  Michael Tracy, Chris Rohlf & Eric Monti
  Getting up to speed quickly on projects where you're down deep reversing protocols or applications can be challenging at best and catastrophic at worst. In this talk we highlight our use of Ruby to solve the problems we're faced with every day. We use Ruby because it's easy to leverage its flexibility and power for everything from reverse engineering network protocols to fuzzing to static and dynamic analysis, all the way to attacking exotic proprietary enterprise network applications. Having a great set of tools available to meet your needs might be the difference between a successful result for your customer and updating your resume with the details of your former employer.
If you're not familiar with Ruby, we'll lead off by illustrating why Ruby is so powerful, making a case for rapidly prototyping everything from reversing tools to hacked-up network clients using our not-so-patented 'bag-o-tricks' approach.

11:15 AM
to 12:30 PM

Michael Eddington: Demystifying Fuzzers
68 Attendees
Location Augustus Ballroom 3-4
Type Testing
  Michael Eddington
  Fuzzing is an important part of the secure development lifecycle (SDL) and a popular tool for both defensive and offensive security researchers, consultants, and even software developers. With this popularity comes a plethora of fuzzers, both open source and commercial. This briefing takes a look at these different fuzzers and provides insights into "if" and "what" they should be used for. As the developer of Peach, I am often asked to compare various fuzzers and clarify terms tossed around such as Smart and Dumb fuzzing. Additionally, the hidden costs and pitfalls will be addressed.

1:45 PM
to 3:00 PM

Eduardo Vela Nava & David Lindsay: Our Favorite XSS Filters and How to Attack Them
77 Attendees
Location Augustus Ballroom 3-4
Type Testing
  Eduardo Vela Nava, David Lindsay
  We present several techniques that have been used, are being used, and could be used in the future to bypass, exploit and attack some of the most advanced XSS filters. These include the new IE8 XSS Filter, browser add-ons (NoScript), server-side IDSs (mod_security, PHP-IDS), and human log review. We will present innovative techniques that expand the scope of what we think we know about XSS filters. We will give you some ideas on how to find your own, based on real-world examples, discoveries, techniques and attacks.

3:15 PM
to 4:30 PM

Stefan Esser: State of the Art Post Exploitation in Hardened PHP Environments
52 Attendees
Location Augustus Ballroom 3-4
Type Testing
  Stefan Esser
  When an attacker manages to execute arbitrary PHP code in a web application, he nowadays often ends up in hardened PHP environments that not only make use of PHP's internal protections like safemode, openbasedir or disable_functions but also make use of Suhosin and operating system, filesystem or libc level security mechanisms like ASLR, NX, hardened memory managers or Unix file permissions. In such a situation, taking over the server becomes a challenge and requires PHP shellcode that is able to use local PHP exploits to get around these protections.
This talk will show the problems arising from the different protection mechanisms for PHP shellcode, will give an insight into the internal memory structures of PHP that are required to write stable local exploits and will demonstrate how a special class of vulnerabilities in PHP that also exists in standard functions enables PHP shellcode to get around most of these protections.

4:45 PM
to 6:00 PM

Riley Hassell: Exploiting Rich Content
54 Attendees
Location Augustus Ballroom 3-4
Type Testing
  Riley Hassell
  As RIA (Rich Internet Application) technologies flourish in the marketplace, many wonder what impact they will have on the security landscape. Routinely, iSEC Partners performs assessments of emerging technologies to better understand their risks and how to remediate these risks in live deployments. As RIA technologies advance, vendors move to complex file formats as a solution to deliver rich content. With this in mind, iSEC Partners performed an assessment of various file formats used by the popular RIA implementations. During the assessment of these technologies, several issues were discovered in the popular technologies. At first glance these issues may appear harmless. This presentation will demonstrate how these often-considered low-risk issues can be carefully exploited to have a much deeper impact. Developers should be aware of these common programming mistakes when developing complex file formats, which are especially critical in Rich Internet Applications.

10:00 AM
to 11:00 AM

Alex Stamos, Andrew Becherer & Nathan Wilcox: Cloud Computing Models
150 Attendees
Location Augustus Ballroom 3-4
  Alex Stamos, Andrew Becherer & Nathan Wilcox
  Cloud computing is an unstoppable meme at the CIO level, and will dominate corporate IT planning for the next several years. Although it does offer the promise of cost savings for many organizations, the basic ideas behind abstracting out the corporate datacenter greatly complicate the tasks of securing and auditing these systems. While there has been excellent research into low-level hypervisor and virtualization bugs, there has been little public discussion of the "big picture"

11:15 AM
to 12:30 PM

Matt Conover: SADE: Injecting agents into VM guest OS
113 Attendees
Location Augustus Ballroom 3-4
  Matt Conover
  As more and more virtual machines (VMs) are packed into a physical machine, refactoring common kernel components shared by virtual machines running on the same physical machine could significantly reduce the overall resource consumption. The refactored kernel component typically runs on a special VM called a virtual appliance. Because of the semantic gap in Hardware Abstraction Layer (HAL)-based virtualization, a physical machine's virtual appliance requires the support of per-VM in-guest agents to perform VM-specific operations such as kernel data structure access and modification.
To simplify deployment, these agents must be injected into guest virtual machines without requiring any manual installation. Moreover, it is essential to protect the integrity of in-guest agents at run time, especially when the underlying refactored kernel service is security-related. This paper describes the design, implementation and evaluation of a stealthy agent deployment and execution mechanism called SADE that requires zero installation effort and effectively hides the execution of agent code. To demonstrate the efficacy of SADE, we describe a signature-based memory scanning virtual appliance that uses SADE to inject its in-guest kernel agents, and show that both the start-up overhead and the run-time performance penalty of SADE are quite acceptable.

1:45 PM
to 3:00 PM

Haroon Meer: Clobbering the Cloud!
132 Attendees
Location Augustus Ballroom 3-4
  Haroon Meer, Nick Arvanitis, Marco Slaviero
  Cloud Computing dominates the headlines these days, but like most paradigm changes it introduces new risks and new opportunities for us to consider. Some deep technical research has gone into the underlying technologies (like Virtualization), but to some extent this serves only to muddy the waters when considering the overall threat landscape. During this talk, SensePost will attempt to separate fact from fiction while walking through several real-world attacks on "the cloud." The talk will focus both on attacks against the cloud and on using these platforms as attack tools for general Internet mayhem. For purposes of demonstration we will focus most of our demos and attacks against the big players...

3:15 PM
to 4:30 PM

Kostya Kortchinsky: Cloudburst - Hacking 3D and Breaking out of VMware
142 Attendees
Location Augustus Ballroom 3-4
  Kostya Kortchinsky
  Virtualization is everywhere, and VMware is a major actor in the domain. A MacOS user running a Windows-only application in a Fusion guest. A malware researcher analysing the latest Conficker in a Workstation guest. A big company running a cloud virtualized on some ESX servers. All of them rely on the security offered by the virtualization software, as a breakout would have disastrous consequences.
Yet VMware products implement a lot of functionality, and as such have a decent chance of including some bugs. CLOUDBURST is the combination of 3 of those found in the virtualized video device (more specifically the 3D code). Combined, these allow a user in a Guest to execute code on the Host. Since the virtualized device code is the same for all the branches of the products, this impacts Workstation as well as Fusion or ESX. Immunity, Inc. will present the various vulnerabilities and the techniques used to exploit the bug reliably, even on platforms with ASLR or DEP such as Vista SP1. Once exploited, Immunity will demonstrate how to establish MOSDEF between the Host and Guest.

4:45 PM
to 6:00 PM

Bruce Schneier: Reconceptualizing Security
169 Attendees
Location Augustus Ballroom 3-4
  Bruce Schneier
  Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. We tend to discount the feeling in favor of the reality, but they're both important. The divergence between the two explains why we have so much security theater, and why so many smart security solutions go unimplemented. Several different fields (behavioral economics, the psychology of decision making, evolutionary biology) shed light on how we perceive security, risk, and cost. It's only when the feeling and reality of security converge that we have real security.