There are so many security conferences around the world… Some people already debated about this: Is it better to restrict the annual agenda to well-known events or let people start their own? IMHO, we need initiatives like this. It’s good to have a broad agenda with local conferences where local people can attend without spending huge amounts of money for travels and lodging (If you can go to conferences, let’s bring the conferences to you!) So, let’s welcome the newly born conference called “NoSuchCon“. The first edition was just organized in Paris across the last three days. Unfortunately, I was only able to attend the last day… If only I could expand my holidays like a filesystem! 🙂 I joined Paris early the morning to attend the first keynote. Here is a quick review of the day.
Today’s keynote was presented by Dmitri Alperovitch (from Crowdstrike). His presentation had only… one slide, displayed at the end of his keynote! The first message broadcasted by Dmitri was “We are doing wrong!“. Is it really a breaking news? No, major vendors, browsers, mobile phones, all of them are working to improve their security. We also have Next-Generation firewalls, powerful forensic tools and medias are talking about “cyber-*” (replace the star with your favourite term) and are trying to do some awareness. So what?
This is a paradox! Even with all those changes, we are still unable to block our adversaries. Our desire to have a “one-size-fits-all” security solution is bad. We have very specific issues to address. One category of actors are hacktivists. Another one is espionage. Classic defences approach do not work with those actors. Offensive is more lucrative and cheaper. If you increase your defences, offensive guys will grow too. This is a never-ending story. A good example are DDoS. Increasing your pipe to the Internet (bandwidth) and server farms will not solve the problem. Attackers will use bigger bots! Also, how to defend against national agencies which have huge budgets? Know your enemy, this will allow you to break the asymmetry between attack & defense. Find the pin-point and push on it. Attackers usually focus on a target and don’t have a look at its competitor. An idea proposed by Dmitri: can a “bounty hunter” program law help to catch attackers? Dmitri brought a big suitcase full of t-shirts and distributed them after his keynote. That’s for the show but it’s always funny to get goodies!
The first half-day was dedicated to presentations about the Windows kernel. A first one was performed by Aaron LeMasters about “Crashdmp-ster diving the Windows 8 crash dump stack“. The Microsoft crash dump mechanism is an interesting component of the operating system. Aaron performed some researches about this feature. His project is hosted on crashd.md.
The crash dump mechanism is a layer driver providing an I/O path to a mass storage device. It is used in two situations: when a bug check occurs (hey, it’s Windows! ;-)) or to hibernate the system (crashdmp.sys). Aaron describe how it works. Note that the mechanism is different between Windows XP – 7 and Windows 8. With the last version of the Microsoft OS, the crash dump subsystem can be tricked into reading and writing everywhere. That’s what Aaron explained during his talk. Based on his research, he also wrote a CTF challenge for SOURCE Boston and explained in details how it worked. The source code will be released soon, check out his website.
Then, a second talk immediately followed: “Exploiting hard core pool corruption in Microsoft Windows kernel” by Nikita Tarakanov. Today, many applications implement sandboxes (ex: browsers). To evade sandboxes, a good idea is to abuse… the low level… the kernel.
Once broken, you have access to everything. Previous vulnerabilities found in Windows kernels are memory corruption. Today, known techniques do no work anymore with Windows 8. First, Nikita reviewed how kernel pool is working and what were the “old” attacks. The next part covered a new attack which works on all versions of Windows: DKOHM (“Direct Kernel Object Header Manipulation“).
After a lunch break in a small Parisian restaurant, eating and talking about security, the second set of talks started again. The first one was “XML – Out-of-band exploitation” by Yunusov Timur and Alexey Osipov. First part was about parameter entities (“PE“). Speakers reviewed then and how they work. How work out-of-band attacks? The attacker send XML to the server which parses it and requests data from the malicious host.
They also performed demos of exfiltrating data from via an XML file: Using DNS requests made during XML document XSLT transformation to extract information via a bunch of A queries to forged names. An other demo was to grab /etc/passwd from a website just be trying to validate an XML file. Sweet!
The next talk was again about kernels but this time on MacOS X! Pedro Vilaca presented “Revisiting Mac OS X kernel root kits“. Rootkits are kernel extensions. Pedro reviewed interesting ideas to make them more powerful. The Mac OS landscape has less researchers and lack of public developments about rootkits. But it does not mean that more are working in the wild. Great job performed by Pedro but difficult to maintain due to the operating system being closed source.
After a coffee break, the last run of talks started. Luigi Auriemma & Donato Ferrante presented “Exploiting game engines for fun & profit“.
Why target games? Because the attack surface is huge! Did you know that some engines are sold with special licenses to military organisations? Almost all kind of people are playing once back at home. Even C-level people can be gamers during their free time. This can be a nice way of exploiting their company. The same engine can be shared across multiple games (and stuff added like Lego-blocks). The same vulnerability can be re-used! Gain of time and $$$. Game engines can be attacked on four topics:
- Fragmented packets: Games are based on UDP protocol but they try to implement a TCP-over-UDP. When fragmentation occurs, the engine must rebuild the original packet. This process is performed in memory. What about trying to place the payload of a packet in another memory area?
- Compression: Not algorithms but index numbers.Flipping bits can be interesting
- Game Protocols:
- Customization (extensions also called “mods” and command line)
After the theori, the speakers performed some live demos. Check out revuln.com for their white paper released today!
For the next talk, the planning changed. The scheduled speaker was not able to come to France due to a visa issue. Weird! A last minute (but excellent!) speaker replaced him: Sergey Bratus presented “Any input is a program“. I was lost, his topic was too complex! I don’t know how many people were able to fillow him in the audience.
The last talk was “Killing rats with incident response process” by Robinson Delaugerre and Adrien Chevalier. The result of their research is a new framework called Arsenic which will be released soon. The goal is to perform incident response in a easy way. They started the talk with some facts about incident handling and how complex it can be.
This process is based on three pillars:
- Network analysis
- Host forensics
- Reverse engineering
Arsenic is a their framework, written in Ruby, which brings those pillars together. They also performed live demos to detect a well-known RAT (Poison Ivy). It seems to be an interesting tool.
And that’s already done. That was a quick but interesting visit to this new event. Again, NoSuchCon, welcome in the world of security conferences! Organizers made it a success with 250 attendees (number received from a member of the organisation). I liked particularly: