This is the current list of presentations for Ruxcon 2008
This presentation proposes technology which can be used to monitor a web application while fuzz testing is in progress. This way, bugs that are typically not visible can be detected and exploited (or fixed).
During this talk, a virtual machine will be demoed and released which implements this technology.
The heap is the userland component in charge of dynamic memory management. It is present and used to some extent in every Windows Vista process. Memory corruption on the heap (heap overflow) is common, seen in nearly every application and making up a large portion of reported vulnerabilities. With Windows Vista, Microsoft introduced several security features to the heap, effectively hardening it from classic heap overflow exploit techniques.
New exploits appear to be discovered almost monthly, making perimeter scanning an ongoing game of catch-up. The underlying idea is simple: deliver a malicious object to an intended victim, compromise their account in as stealthy a manner as possible, and then erase all trace.
This presentation will give a detailed analysis of how such an attack is structured and demonstrate some exploit-independent methods for verifying the integrity of suspect documents.
Unfortunately, the use of existing technologies brings with it the burden of existing ways to write vulnerable code, and adds yet more ways. This presentation will examine the largely under-researched topic of RIA security in the hope of illustrating how the complex interactions with their executing environment, together with general bad security practices, can lead to exploitable applications. Specifically, we will focus on JavaScript, Google Gears, AIR and Flash applications.
Stefano Di Paola is the CTO and a cofounder of Minded Security, where he is responsible for the Research and Development Lab. Prior to founding Minded Security, Stefano was a freelance security consultant, working for several private and public companies. He also worked in collaboration with the University of Florence at the Faculty of Computer Engineering. In past years he has released several advisories, including ones that were not publicly disclosed but patched, and several open source tools (such as SWFIntruder). He has also contributed to the OWASP Testing Guide and is the Research & Development Director of the OWASP Italian Chapter. Stefano has spoken at several international conferences, including 23rd CCC, OWASP AppSec 2007 San Jose, Google Tech Talk and others.
Sure, we know all about the usual suspects who pop up wherever there's obfuscated code. Say packed and encrypted PE sections, tons of hostility towards poor little debuggers, on-demand runtime decryption, seemingly absent imports that are runtime redirected, SEH gymnastics, crazy kernel mode trickery, replicated API voodoo and last but not the least, much dreaded virtual machine implementations; all seasoned players, growing wiser with age (it seems).
So yes, we do need bigger and better tools to deal with these guys, especially some elaborate VM implementations and clever ring-0 trickery. But we're not going to talk about these guys here. Well, not too much anyway (okay, fine, enough already - so we might show a trick or two that we use to deal with some of these guys). But really, all these techniques are designed to prevent the reconstruction of original code that is executed at runtime. Now tell us please, what's the point of reconstructing original code if we can't make a reasonable approximation as to its intended functionality?
Well, that's exactly what we'll be talking about! We're going to talk about some interesting ideas that throw a spanner in the works when it comes to any "reasonable comprehension of the intended functionality of a given chunk of code". Both from static and dynamic analysis standpoints no less! We will also explore some tools and techniques that will assist us in cutting through to the essence of such code that doesn't want to be comprehended, to boot.
Now, all the glitz and glam aside, why do we think all this is important? Well, for starters, more and more bad guys are relying on increasingly sophisticated obfuscation techniques to keep their evil plans secret from the good guys. Better analysis tools can never really hurt in this department. Besides, let's face it, even good guys have things they want to keep secret (or so I've been told). Turns out obfuscation can help! The better the obfuscation, the safer it feels, apparently. Yes, it is a strange world we live in. But it's a really fun place to be!
So if you feel like hearing our thoughts or sharing your thoughts, or perhaps even both, the presentation is the place to be. And yes, it is better than day time TV for sure. We don't judge, so everyone is welcome; even the DRM boys :-p
In contrast, it seems that browser-borne malware written in JavaScript should be easy by comparison. There is no standardised JavaScript VM, so you never get bytecode. You always have the source! So how hard can it be to analyse and to understand?
The answer is that JavaScript can be absurdly complex, and often it is. Indeed, web-borne JavaScript can very easily use cryptographic obfuscation tricks which are impossible to unravel without knowing the specific context in which the code appears, each and every time it appears.
For example, have a crack at this one (the code is deformatted to make it dysfunctional here):
+--------------------+
|h=location[unescape(|
|'%68%72e%66')];e="es|
|arhpyekehtsisiht".sp|
|lit("").reverse().jo|
|in("");p="";for(i=0x|
|b;i<0x1d;i++){k=h.ch|
|arCodeAt(i+11);if(k>|
|96&&k<123){k+=e.char|
|CodeAt(i-11)-97;if(k|
|>122)k-=26}p+=String|
|.fromCharCode(k)}doc|
|ument.write('\74h1\7|
|6'+p+'\74\x2Fh1\76')|
+--------------------+
Can you tell what it is yet? How do you decide whether it's good or bad? How do you unravel it in a reasonable time?
Easy. Come to this talk and find out.
This talk aims to present exploitation methodologies against this increasingly complex target. I will demonstrate how the inherent design limitations of the protection mechanisms in Windows Vista make them ineffective for preventing the exploitation of memory corruption vulnerabilities in browsers and other client applications.
Each of the aforementioned protections will be briefly introduced and its design limitations will be discussed. I will present a variety of techniques that can be used to bypass the protections and achieve reliable remote code execution in many different circumstances. Finally, I will discuss what Microsoft can do to increase the effectiveness of the memory protections at the expense of annoying Vista users even more.
This talk contains cutting edge research performed at great personal risk to the presenter which will demonstrate how many common and esoteric vulnerabilities present throughout the internet today can be used to make you the internet bully you always wanted to be.
Ben is a web application security fanatic currently working as a pentester for SIFT. Earlier this year, Ben presented at the national OWASP conference on JavaScript worms and delivered a workshop on Web 2.0 Insecurities at AusCERT. During his free time Ben practices Parkour because he can't get enough of extreme challenges.
This presentation will give an analysis of how the GPU can be used by malware as an anti-reverse engineering platform, with examples using the CUDA technology. With CUDA, the GPU is fully programmable in C, but the resulting device program can't be debugged because Nvidia's GPUs do not support this feature natively. As a result, a malware analyst has to use static analysis against the device code in order to understand the malware. But this task is harder with GPU code than with traditional binaries since the source of a CUDA program is compiled to undocumented microcode (and therefore unsupported by standard disassemblers such as IDA Pro).
Finally, this presentation will also assess the technical feasibility of an unpacker written fully in device code.
1. "Speak English or Die" Google Translate Workaround.
2. Google SOAP Search API "Key Ring" Workaround.
3. "TCP Input Text" Proof of Concept (PoC), which implements the Google SOAP Search API to extract TCP ports from Google Search results as input for nmap and netcat.
cmlh has also presented at Ruxcon 2005, Ruxcon 2006, SecTor 2008 and ToorCon X.
This presentation will detail how a Juniper Netscreen can be completely subverted by the installation of attacker-modified firmware. This firmware is effectively an embedded rootkit. Details of how to reverse engineer and then modify the closed-source firmware will be supplied, and there will be a live demonstration of installing and using trojaned firmware on a Netscreen appliance.