me::title_else
My Schedule
8:00 AM
to 8:50 AM
9:00 AM
to 9:50 AM
Keynote
431 schedule::attendees
Location
Augustus Ballroom
10:00 AM
to 11:00 AM
John McDonald & Chris Valasek: Practical Windows Heap Exploitation
65 schedule::attendees
Location
Augustus Ballroom 5-6
eventtype Exploitation
John McDonald & Chris Valasek
event::about As we all know, the era of the straightforward 4-byte overwrite is over. Heap exploitation has steadily increased in difficulty since its genesis in Solar Designer's ground-breaking Bugtraq post in July of 2000. This trend towards increasingly complicated exploitation is primarily a result of the widespread implementation of technical heap counter-measures in modern systems software. The effort required to write reliable heap exploits has steadily increased due to other factors as well: applications have become more and more multi-threaded to take advantage of trends in hardware, and -- in certain code -- memory corruption vulnerabilities have become more nuanced and unique as a result of common, straightforward vulnerability patterns slowly but surely being audited out of existence. The end result of all these defensive machinations is that now, more than ever, you need a fluid, application-aware approach to heap exploitation. The building blocks of such an approach are an extensive working knowledge of heap internals, an understanding of the contributing factors in heap determinism, various tactics for creating predictable patterns in heap memory, and, naturally, a collection of techniques for exploiting myriad different specific types of memory corruption in heap memory.
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
Our talk is chiefly concerned with developing this foundational knowledge, focusing on the practical challenges of heap exploitation on Windows XP SP3 and Server 2003. While Windows Vista is gaining market share and Windows 7 is on its way, the XP code base is still the most prevalent attack surface on the Internet. XP heap exploitation may not technically qualify as "
10:00 AM
to 11:00 AM
FX: Router Exploitation
155 schedule::attendees
Location
Roman Ballroom
eventtype Infrastructure
Felix 'FX' Lindner
event::about Exploitation of active networking equipment has its own history and challenges. This session will take you through the full spectrum of possible attacks, what they yield and how the art of exploitation in that particular field evolved over the recent past to its present state. We will cover attacks on Cisco equipment and compare them to other specimen in the field, talk about the challenges you face to get a simple shell on such devices and what to actually do with them once you made it.
event::tags Network, Infrastructure
12:30 PM
to 1:45 PM
1:45 PM
to 3:00 PM
Moxie Marlinspike: More Tricks for Defeating SSL
147 schedule::attendees
Location
Augustus Ballroom 5-6
eventtype Exploitation
Moxie Marlinspike
event::about This talk aims to pick up where SSL stripping left off. While sslstrip ultimately remains quite deadly in practice, this talk will demonstrate some new tricks for defeating SSL/TLS in places where sslstrip does not reach. Cautious users, for example, have been advised to explicitly visit https URLs or to use bookmarks in order to protect themselves from sslstrip, while other SSL/TLS based protocols such as imaps, pop3s, smtps, ssl/irc, and SSL-based VPNs never present an opportunity for stripping.
This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
This talk will outline some new tools and tricks aimed at these points of communication, ultimately providing highly effective attacks on SSL/TLS connections themselves.
3:15 PM
to 4:30 PM
Jeff Williams: There's a Fox in the Henhouse
79 schedule::attendees
Location
Augustus Ballroom 1-2
eventtype Rootkits
Jeff Williams
event::about How much would it cost to convince a developer to insert a few special lines of Java in your application? Would you detect the attack before it went live? How much damage could it do? Malicious developers are the ultimate insiders. With a very small number of lines of Java, they can steal all your data, corrupt systems, install system level attacks, and cover their tracks. A trojaned Struts or Log4j library could affect most of the financial industry at once.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.
This talk will examine the techniques that malicious programmers can use to insert and hide these attacks in a Java web application. We'll start by looking at the code for a few naive examples of timebombs and backdoors to show the power of these attacks. Several real examples discovered during 10 years of security code reviews will be shared. A more sophisticated attacker will seek to obfuscate their attacks and achieve plausible deniability. We'll start by exploring the tricks for hiding attacks from security code reviewers, including escaping, string hiding, string conversion, and method misuse. We'll also examine data and control flow tricks to fool static analysis tools, such as using EJBs, exception handling, static initializers, dynamic class loading, and compiler misuse. The talk will demonstrate the ease of undetectably loading an application rootkit remotely and executing it in the JVM.
What can organizations do to minimize the risk of malicious Java developers? We'll review the benefits and limitations of technical controls, such as sandboxes, configuration management, least privilege, and intrusion detection. We'll also discuss the use of detection techniques such as code review and static analysis tools. Finally, we'll talk about people and organizational issues that can help minimize this risk. In a world with layoffs, outsourcing, and organized crime, the risk from malicious developers should be considered seriously. Microsoft's Doug Leland has called these attacks "one of the most significant threats companies face." Businesses need to be aware of these risks so that they can make informed decisions about searching their code, using controls, and even whether to use applications to perform certain business functions at all.
footer::loading