I would definitely recommend to check out the following talks:
- Immunity's talk about exploiting bugs smoothly, without unwanted side effects. Interesting, but this talk could have used a few real-world examples.
- Loic Duflot's talk about attacking SMM via CPU cache poisoning. Something that has apparently been independantly discovered a few months later by Joanna. Be sure to attend the follow-up talk at SSTIC if you can understand French!
- Halvar's talk about static binary analysis and the accompanying paper. Yes, he really does binary-level abstract interpretation.
- Matt Miller (skape) and Tim Burrell's talk about the evolution of exploit mitigation in Microsoft's products. Some insight about what has been done and what may be done in the future. A good way to check that you're still up-to-date.
- Microsoft's Jason Shirk and Dave Weinstein presentation about their !exploitable crash analyser.
- Alexander Sotirov and Mike Zusman's talk about EV certificates. The general idea is based on Adam Barth and Collin Jackson’s paper which showed how browsers fail to draw a clear barrier between EV SSL and non-EV SSL, including when applying the same origin policy. This is expected behavior since both are served under the https:// scheme, but the result is that EV is, as currently implemented, useless against MITM attacks (but still useful against fishing attacks). Alexander and Mike showed various ways of exploiting this, and with cool demos!
Nevertheless, this year I've been quite disappointed with the lightning talks, only a handful of peoples bothered giving one. Most probably, most wanted to run to Grouse Mountain quickly for the awesome party!
- The highlight of the lightning talks was someone showing relationship between old school and nowadys' technologies (finger <-> twitter, talk <-> chat etc..), with cool pure ASCII slides.
- Philippe Biondi talked about stateful protocol modelization in Scapy (with a TCP example).
- Raphaël Rigo presented his Nintendo DS Wifi scanner.
- Tavis Ormandy and I talked about bypassing Linux' recent hiding of /proc/pid/maps file to make ASLR useful locally. The idea is to monitor the stack and instruction pointers in /proc/pid/stat to infer the address space layout (Tavis wrote cool PoC code for this!). Funny to see info leaking prevention done wrong 6 years after grsecurity and PaX+obs did it right.
- I presented my subtty backdoor.
- Charlie Miller told us how bad it is to report bugs for free. I wonder if he might be biased on this.
Charlie Miller owned Safari, Nils owned Safari, Firefox and IE8 and I owned Safari and Firefox. For those of you who are asking, I actually paired with someone (more information on this in a later post) and we didn't qualify for a price because the vulnerabilities had already been reported.
The reason for competing was that technically this would still qualify to keep the machine (and also, I must admit, because it's always fun to pop some shells). Though, Charlie was lucky and was the first to give a try (I was second) and so kept the Mac.
Well, I guess that's what you get for not being good researchers and not sitting on issues ;)
On Friday, many peoples left for Whistler for a great ski trip and further interesting security discussions. It was the perfect sequel to a great CanSecWest edition!