Black Hat Briefings, Usa 2007 [audio] Presentations From The Security Conference.

The vast majority of security testing relies on two approaches: the use of randomly generated or mutated data and the use of type-specific boundary test cases. Unfortunately, the current state of software security is such that most applications fall to these relatively simple tests. For those applications that have been specifically hardened against attack, something more sophisticated is required. Evolutionary algorithms can be used to gain the benefits of both approaches: tests that are better directed than random test cases but are not rigidly tied to data types. This topic has been a hot one in the security industry for several years. Many approaches use code coverage or debugging techniques as key inputs for test case generation. Though helpful, these require complete access to the system under test. This talk will cover the use of evolutionary algorithms in blind security testing, with an emphasis on test case generation and evaluation of test results. The concepts presented can be applied to a

The vast majority of security testing relies on two approaches: the use of randomly generated or mutated data and the use of type-specific boundary test cases. Unfortunately, the current state of software security is such that most applications fall to these relatively simple tests. For those applications that have been specifically hardened against attack, something more sophisticated is required. Evolutionary algorithms can be used to gain the benefits of both approaches: tests that are better directed than random test cases but are not rigidly tied to data types. This topic has been a hot one in the security industry for several years. Many approaches use code coverage or debugging techniques as key inputs for test case generation. Though helpful, these require complete access to the system under test. This talk will cover the use of evolutionary algorithms in blind security testing, with an emphasis on test case generation and evaluation of test results. The concepts presented can be applied to a

Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application. This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision. This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for two

Traditional software vendors have little interest in sharing the gory details of what is required to secure a large software project. Talking about security only draws a spotlight to what is generally considered a weakness. Mozilla is using openness and transparency to better secure its products and help other software projects do the same. Mozilla has built and collaborated on tools to secure the Firefox Web browser and Thunderbird e-mail client, the first of which will be released at Blackhat Las Vegas 2007. These tools include protocol fuzzers for HTTP and FTP and a fuzzer for Javascript, which together have led to the discovery and resolution of dozens of critical security bugs. These tools may be useful to anyone developing or testing applications that implement or depend on these technologies. Window Snyder and Mike Shaver will introduce these tools at BlackHat Las Vegas 2007 and discuss methods used to identify vulnerabilities in Firefox; plans for expanding the scope of Mozilla's work on Web sec

Security is both a feeling and a reality. You can feel secure without actually being secure, and you can be secure even though you don't feel secure. In the industry, we tend to discount the feeling in favor of the reality, but the difference between the two is important. It explains why we have so much security theater that doesn't work, and why so many smart security solutions go unimplemented. Two different fieldsbehavioral economics and the psychology of decision makingshed light on how we perceive security, risk, and cost. Learn how perception of risk matters and, perhaps more importantly, learn how to design security systems that will actually get used. Bruce Schneier is an internationally renowned security technologist and CTO of BT Counterpane, referred to by The Economist as a "security guru." He is the author of eight booksincluding the best sellers "Beyond Fear: Thinking Sensibly about Security in an Uncertain World," "Secrets and Lies," and "Applied Cryptography"and hundreds of articles and acade

Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available?card readers, biometrics, or even posting a guard to check IDs?each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. We provide a comprehensive overview of 20 different access control technologies that focuses on weaknesses (particularly little known or not-yet public attacks) and other points that a buyer would not likely get from a vendor. We also present a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.

In recent years, an increasing amount of academic research has been focused on secure anonymous communication systems. In this talk, we briefly review the state of the art in theoretical anonymity systems as well as the several deployed and actively used systems, and explain their strengths and limitations. We will then describe the pseudonym system we are developing based on an information-theoretic secure private information retrieval protocol, designed to be secure against an adversary with unbounded computing power, as long as (as little as) a single honest server exists in the network of servers operating this system. We will explain the design decisions behind the architecture of the system, intended to be operated by volunteers with a limited resource pool. We will discuss the usability considerations in designing a system intended to be accessible to a more naive user-base than simply "hackers and cypherpunks", and explain why user accessibility is critical to the security of anonymity systems in g

The Information Assurance Directorate (IAD) within the National Security Agency (NSA) is charged in part with providing security guidance to the national security community. Within the IAD, the Vulnerability Analysis and Operations (VAO) Group identifies and analyzes vulnerabilities found in the technology, information, and operations of the Department of Defense (DoD) and our other federal customers. This presentation will highlight some of the ways that the VAO Group is translating vulnerability knowledge in cooperation with many partners, into countermeasures and solutions that scale across the entire community. This includes the development and release of security guidance through the NSA public website (www.nsa.gov) and sponsorship of a number of community events like the Cyber Defense Initiative and the Red Blue Symposium. It also includes support for, or development of, open standards for vulnerability information (like CVE, the standard naming scheme for vulnerabilities); the creation of the extensibl

As recent as a couple of years ago, reverse engineers can get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most moderns applications being written in C++, understanding the disassembly of C++ object oriented code is a must. This talk will attempt to fill that gap by discussing methods of manually identifying C++ concepts in the disassembly, how to automate the analysis, and tools we developed to enhance the disassembly based on the analysis done. Paul Vincent Sabanal is a researcher with the IBM Internet Security Systems X-Force research team. Prior to joining IBM, Paul worked as an antivirus researcher at Trend Micro. Paul has spent most of his career doing malware reverse engineering, and has recently been delving into vulnerability research as well.

We will present new, practical methods for compromising Vista x64 kernel on the fly and discuss the irrelevance of TPM/Bitlocker technology in protecting against such non-persistent attacks. Then we will briefly discuss kernel infections of the type II (pure data patching), especially NDIS subversions that allow for generic bypassing of personal firewalls on Vista systems. A significant amount of time will be devoted to presenting new details about virtualization-based malware. This will include presenting various detection methods that could be used to either detect the presence of a hypervisor or find the malware itself. We will also discuss why each of these approaches cannot be used to build a practical detector, either because they could be fully defeated by virtualization based malware or because they are very impractical. This will include demonstration of how virtualization based malware can avoid timing-based detection, even if a detector uses trusted time source. We will also discuss detection appr

The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attentiont: "Cisco Network Admission Control". NAC is a pivotal part of Cisco?s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. >From a security point of view ?NAC? is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of ?posture spoofing attack?. We will release updated code & tool for posture spoofing in Cisco NAC ?secured? networks.

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

Since last year's Black Hat, the debate has continued to grow about how undetectable virtualized rootkits can be made. We are going to show that virtualized rootkits will always be detectable. We would actually go as far as to say they can be easier to detect than kernel rootkits.

Processor emulation has been around for as long as the processor it emulates. However, emulators have been difficult to use and notoriously lacking in flexibility or extensibility. In this presentation I address these issues and provide a solution in the form of a scriptable multi-purpose x86 emulator written in Python. The concept was to allow a security researcher the ability to quickly integrate an emulator into their work flow and custom tools. Python was chosen as the development language for multiple reasons, mainly to leverage the benefits of existing Python libraries such as PaiMei/PyDbg and IDApython. With obvious uses in reverse engineering, vulnerability research, and malware analysis PyEmu is a very valuable addition to any security researchers repertoire.

Imagine your only connection to the Internet was through a potentially hostile environment such as the Defcon wireless network. Worse, imagine all someone had to do to own you was to inject some html that runs a plugin or some clever javascript to bypass your proxy settings. Unfortunately, this is the risk faced by many users of the Tor anonymity network who use the default configurations of many popular browsers and other network software. Tor is designed to make it difficult even for adversaries that control several points in the network to determine where you're coming from or where you're going, yet these "data anonymity" attacks and attacks to bypass Tor can be performed effectively by a malicious website, or just one guy with a Ruby interpreter! To add insult to injury, software vendors seldom consider such exploits and other privacy leaks as real vulnerabilities. Fortunately, there are some things that can be done to improve the security of the web browser and Tor users in general. This talk will disc

cross the world law enforcement, enterprises and national security apparatus utilize a small but important set of software tools to perform data recovery and investigations. These tools are expected to perform a large range of dangerous functions, such as parsing dozens of different file systems, email databases and dense binary file formats. Although the software we tested is considered a critical part of the investigatory cycle in the criminal and civil legal worlds, our testing demonstrated important security flaws within only minutes of fault injection. In this talk, we will present our findings from applying several software exploitation techniques to leading commercial and open-source forensics packages. We will release several new file and file system fuzzing tools that were created in support of this research, as well as demonstrate how to use the tools to create your own malicious hard drives and files. This talk will make the following arguments: 1. Forensic software vendors are not paranoid e

Black Hat DC 2007 was supposed to be the venue for "RFID For Beginners", a talk on the basic mechanisms of operation used by RFID tags. Legal pressure forced the talk to be curtailed, with only 25% of the material being presented. The remainder was replaced with a Panel debate involving IOActive, US-CERT, ACLU, Blackhat, and Grand Idea Studio. After spending far too much time and money dealing with lawyers and consulting with some strategic allies, IOActive has made some relatively minor tweaks to the original presentation, which will be presented as the first part of this talk. The second part of the talk introduces Cloner 2.0. The first Cloner was designed to be as simplistic as possible, and succeeded at the cost of read range, flexibility, and overall sophistication. Cloner 2.0 aims to address these concerns with a significantly enhanced read range, a "passive" mode to sniff the exchange between tags and legitimate readers, multi-tag storage capability, multiple RF frontends and an enhanced software ba

OpenBSD is regarded as a very secure Operating System. This article details one of the few remote exploit against this system. A kernel shellcode is described, that disables the protections of the OS and installs a user-mode process. Several other possible techniques of exploitation are described.

As of today, Vista, XP, 2K03, OS X, every major Linux distro, and each of the BSD's either contain some facet of (stack|buffer|heap) protection, or have one available that's relatively trivial to implement/enable. So, this should mean the end of memory corruption-based attacks as we know it, right? Sorry, thanks for playing. The fact remains that many (though not all) implementations are incomplete at best, and at worst are simply bullet points in marketing documents that provide a false sense of safety. This talk will cover the current state of software and hardware based memory corruption mitigation techniques today, and demystify the myriad of approaches available, with a history of how they've been proven, or disproved. Our focus will be on building defense-in-depth, with some real-world examples of what works, what doesn't, and why. As an attendee, you should come away with a better understanding of how to protect yourself and your boxes, with some tools to (hopefully) widen the gap between w

Penetration testing often focuses on individual vulnerabilities and services. This talk introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using combination of new tools and obscure techniques, I will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework. REVIEWER NOTES: This is a monstrous presentation and will absolutely require the 150-minute time slot. For a smaller version of this presentation, please see my other submission (System Cracking with Metasploit 3). The goal of this presentation is to show some of the non-standard ways of breaking into networks, methods that are often ignored by professional pen-testing teams.