Black Hat Briefings, USA 2007 [Video] Presentations from the security conference.

Since last year's Black Hat, the debate has continued to grow about how undetectable virtualized rootkits can be made. We are going to show that virtualized rootkits will always be detectable. We would actually go as far as to say they can be easier to detect than kernel rootkits.

Software armoring techniques have increasingly created problems for reverse engineers and software analysts. As protections such as packers, run-time obfuscators, virtual machine and debugger detectors become common newer methods must be developed to cope with them. In this talk we will present our covert debugging platform named Saffron. Saffron is based upon dynamic instrumentation techniques as well as a newly developed page fault assisted debugger. We show that the combination of these two techniques is effective in removing armoring from the most advanced software armoring systems. As a demonstration we will automatically remove packing protections from malware.

The last two years have seen a big new marketing-buzz named "Admission Control" or "Endpoint Compliance Enforcement" and most major network and security players have developed a product-suite to secure their share of the cake. While the market is still evolving one framework has been getting a lot of market-attentiont: "Cisco Network Admission Control". NAC is a pivotal part of Cisco?s "Self Defending Network" strategy and supported on the complete range of Cisco network- and security-products. >From a security point of view ?NAC? is a very interesting emerging technology which deservers some scrutiny. The Cisco NAC solution contains two major design-flaws which enable us to hack (at least) two of the three different variants using some kind of ?posture spoofing attack?. We will release updated code & tool for posture spoofing in Cisco NAC ?secured? networks.

We will present new, practical methods for compromising Vista x64 kernel on the fly and discuss the irrelevance of TPM/Bitlocker technology in protecting against such non-persistent attacks. Then we will briefly discuss kernel infections of the type II (pure data patching), especially NDIS subversions that allow for generic bypassing of personal firewalls on Vista systems. A significant amount of time will be devoted to presenting new details about virtualization-based malware. This will include presenting various detection methods that could be used to either detect the presence of a hypervisor or find the malware itself. We will also discuss why each of these approaches cannot be used to build a practical detector, either because they could be fully defeated by virtualization based malware or because they are very impractical. This will include demonstration of how virtualization based malware can avoid timing-based detection, even if a detector uses trusted time source. We will also discuss detection approaches based on exploiting CPU bugs. The conclusion of this part is that we still do not have any good way to detect virtualization based malware... Were also going to talk about malware that fully supports nested virtualization (like e.g. our New Blue Pill does) and how this might be a challenge for OSes that would like to provide their own hypervisors in order to prevent Blue Pill-like attacks. People say that once an attacker gets into the kernel, the game is over and we should reinstall the whole system from scratch. In this presentation we show that sometimes we cannot know that the game is actually over, so we do not even know when to stop trusting our systems. In order to change this we need something more then just a bunch of patches! Joanna Rutkowska is a recognized researcher in the field of stealth malware and system compromises. Over the past several years she has introduced several breakthrough concepts and techniques on both the offensive and defensive side in this field. Her work has been quoted by the international press and she is a frequent speaker at security conferences around the world. In April 2007 she founded Invisible Things Lab, a consulting company dedicated for cutting-edge research into operating systems security. Alexander Tereshkin, aka 90210, is a seasoned reverse engineer and expert into Windows kernel, specializing in rootkit technology and kernel exploitation. He presented several sophisticated ideas for rootkit creation and personal firewall bypassing in the past few years. During the last year, when working for COSEINC Advanced Malware Labs, he has done significant work in the field of virtualization based malware and kernel protection bypassing.

As recent as a couple of years ago, reverse engineers can get by with just knowledge of C and assembly to reverse most applications. Now, due to the increasing use of C++ in malware as well as most moderns applications being written in C++, understanding the disassembly of C++ object oriented code is a must. This talk will attempt to fill that gap by discussing methods of manually identifying C++ concepts in the disassembly, how to automate the analysis, and tools we developed to enhance the disassembly based on the analysis done. Paul Vincent Sabanal is a researcher with the IBM Internet Security Systems X-Force research team. Prior to joining IBM, Paul worked as an antivirus researcher at Trend Micro. Paul has spent most of his career doing malware reverse engineering, and has recently been delving into vulnerability research as well.

In recent years, an increasing amount of academic research has been focused on secure anonymous communication systems. In this talk, we briefly review the state of the art in theoretical anonymity systems as well as the several deployed and actively used systems, and explain their strengths and limitations. We will then describe the pseudonym system we are developing based on an information-theoretic secure private information retrieval protocol, designed to be secure against an adversary with unbounded computing power, as long as (as little as) a single honest server exists in the network of servers operating this system. We will explain the design decisions behind the architecture of the system, intended to be operated by volunteers with a limited resource pool. We will discuss the usability considerations in designing a system intended to be accessible to a more naive user-base than simply "hackers and cypherpunks", and explain why user accessibility is critical to the security of anonymity systems in general. Finally, we'll present an attack on the original design of the system whereby an attacker could cause a denial of service attack untraceable to the attacker, and explain the solution we have implemented to prevent this attack.

Access control systems are widely used in security, from restricting entry to a single room to locking down an entire enterprise. The many different systems available?card readers, biometrics, or even posting a guard to check IDs?each have their own strengths and weaknesses that are often not apparent from the materials each vendor supplies. We provide a comprehensive overview of 20 different access control technologies that focuses on weaknesses (particularly little known or not-yet public attacks) and other points that a buyer would not likely get from a vendor. We also present a model for thinking about access control systems in general that will provide a useful framework for evaluating new or obscure technologies.

Traditional software vendors have little interest in sharing the gory details of what is required to secure a large software project. Talking about security only draws a spotlight to what is generally considered a weakness. Mozilla is using openness and transparency to better secure its products and help other software projects do the same. Mozilla has built and collaborated on tools to secure the Firefox Web browser and Thunderbird e-mail client, the first of which will be released at Blackhat Las Vegas 2007. These tools include protocol fuzzers for HTTP and FTP and a fuzzer for Javascript, which together have led to the discovery and resolution of dozens of critical security bugs. These tools may be useful to anyone developing or testing applications that implement or depend on these technologies. Window Snyder and Mike Shaver will introduce these tools at BlackHat Las Vegas 2007 and discuss methods used to identify vulnerabilities in Firefox; plans for expanding the scope of Mozilla's work on Web security, and how Mozilla's security community uses openness and transparency to protect 100 million users around the world. Learn how to apply Mozilla's tools and techniques to secure your own software, and get an early look at new security features for Firefox 3.

Heap exploitation is getting harder. The heap protection features in the latest versions of Windows have been effective at stopping the basic exploitation techniques. In most cases bypassing the protection requires a great degree of control over the allocation patterns of the vulnerable application. This presentation introduces a new technique for precise manipulation of the browser heap layout using specific sequences of JavaScript allocations. This allows an attacker to set up the heap in any desired state and exploit difficult heap corruption vulnerabilities with great reliability and precision. This talk will begin with an overview of the current state of browser heap exploitation and the unreliability of many heap exploits. It will continue with a discussion of Internet Explorer heap internals and the techniques for JavaScript heap manipulation. I will present a JavaScript heap exploitation library that exposes an abstract heap manipulation API. Its use will be demonstrated by exploit code for two complex heap corruption vulnerabilities. The talk will focus on Internet Explorer exploitation, but the general technique presented is applicable to other browsers as well.

The vast majority of security testing relies on two approaches: the use of randomly generated or mutated data and the use of type-specific boundary test cases. Unfortunately, the current state of software security is such that most applications fall to these relatively simple tests. For those applications that have been specifically hardened against attack, something more sophisticated is required. Evolutionary algorithms can be used to gain the benefits of both approaches: tests that are better directed than random test cases but are not rigidly tied to data types. This topic has been a hot one in the security industry for several years. Many approaches use code coverage or debugging techniques as key inputs for test case generation. Though helpful, these require complete access to the system under test. This talk will cover the use of evolutionary algorithms in blind security testing, with an emphasis on test case generation and evaluation of test results. The concepts presented can be applied to any application under test, though this presentation will use web applications as the systems under test.

Interest in Ajax is sky-high and only continues to grow. Unfortunately, far too many people rush into Ajax development without giving proper consideration to security issues. These unfortunate individuals suffer from the most embarrassing of security issues: Premature Ajax-ulation. This presentation will demonstrate specific Ajax application design flaws that stem from a disregard for security, including: Improper use of client-side XSLT; Use of overly- or underly-granular server-side APIs; and Storing secrets (either data or functionality) in client-side code. We will also perform live demonstrations of exploits of these vulnerabilities, including: Vastly more efficient Blind SQL and Blind XPath injection techniques; Detecting and exploiting race conditions; and Applying static analysis to deobfuscate client-side JavaScript. Given the popularity of Ajax and the ease of use of framework helper libraries, it can be very tempting for developers to use Ajax when it's not really necessary. This is a significant security risk in itself, since Ajax applications can be more difficult to secure than traditional Web applications. Furthermore, the use of third-party frameworks can actually make the problem worse, since they hide potential security issues without truly resolving them. We will address these issues, make recommendations on which Ajax frameworks to avoid, and make recommendations on when to avoid Ajax altogether. Following the design and implementation guidelines set out in this presentation will help you to delay your Ajax gratification to provide the highest level of security satisfaction for you and your partners.

The presentation will disclose new attacks and weaknesses associated with protocols that are used to establish and protect VoIP communications. In addition, a newer "unpublished" version of the SIVuS tool will be demoed.

Tired of tracking your username and password across 169 Web 2.0 websites that you have registered with? Thinking of adding SSO to your webapp? Pen-testing a Web 2.0 app? Then come and learn about OpenID - a new decentralized Single Sign-On system for the web. OpenID is increasingly gaining adoption amongst large sites, with organizations like AOL acting as a provider. In addition, integrated OpenID support has been made a mandatory priority in Firefox 3 and Microsoft is working on implementing OpenID 2.0 in Windows Vista. As OpenID adoption increases pace, the security of the protocol becomes of increasing importance. This talk introduces OpenID, takes you through its demo and discusses the security of the underlying protocol. The talk will also introduce known attacks against OpenID such as phishing and some of the possible work arounds.

Dynamic content for Web applications is typically managed through database engines, including registration information, credit cards medical records and other private information. The web applications typically interface with web users and allow them to make only certain queries from the database while they safeguard the privacy where expected, for example, they may allow to add data in a column of the database but not to view the complete contents of this column. We will describe a new technique that allows executing a timing attack which recovers entries from a private column in a database and only requires the ability to insert data in this private column. During the presentation, we will show the experiments that lead us to developing exploit code for the MySQL engine that demonstrates this technique, give details for the audience to understand the underlying algorithm, analyze the results and discuss future work. We will also discuss how to protect from or detect this exploit.

Backdoors have been part of software since the first security feature was implemented. So unless there is a process to detect backdoors they will inevitably be inserted into software. Requiring source code is a hurdle to detecting backdoors since it isn't typically available for off the shelf software or for many of the libraries developers link to. And what about your developer tool chain? Ken Thompson in "Reflections on Trusting Trust" showed your compiler can't be trusted. What about your linker, obfuscator or packer? To find backdoors in these scenarios you need to inspect the software executable binary. We will present techniques for inspecting binaries for backdoors. We will discuss the different backdoor approaches that have been discovered in the wild and hypothesize other approaches that are likely to be used. We will give examples of how the backdoors present themselves in the binary and how to find them.