Sunday, March 29, 2009

CanSecWest 2009 report

I am back from CanSecWest. Like every year, it was interesting and great fun. And for the first year, presentation material has been put online in a matter of days!

I would definitely recommend to check out the following talks:
  • Immunity's talk about exploiting bugs smoothly, without unwanted side effects. Interesting, but this talk could have used a few real-world examples.
  • Loic Duflot's talk about attacking SMM via CPU cache poisoning. Something that has apparently been independantly discovered a few months later by Joanna. Be sure to attend the follow-up talk at SSTIC if you can understand French!
  • Halvar's talk about static binary analysis and the accompanying paper. Yes, he really does binary-level abstract interpretation.
  • Matt Miller (skape) and Tim Burrell's talk about the evolution of exploit mitigation in Microsoft's products. Some insight about what has been done and what may be done in the future. A good way to check that you're still up-to-date.
  • Microsoft's Jason Shirk and Dave Weinstein presentation about their !exploitable crash analyser.
  • Alexander Sotirov and Mike Zusman's talk about EV certificates. The general idea is based on Adam Barth and Collin Jackson’s paper which showed how browsers fail to draw a clear barrier between EV SSL and non-EV SSL, including when applying the same origin policy. This is expected behavior since both are served under the https:// scheme, but the result is that EV is, as currently implemented, useless against MITM attacks (but still useful against fishing attacks). Alexander and Mike showed various ways of exploiting this, and with cool demos!
There were other good talks, such as Andrea and Daniele's on power line leakage (very entertaining, but a bit less than last year's talk).

Nevertheless, this year I've been quite disappointed with the lightning talks, only a handful of peoples bothered giving one. Most probably, most wanted to run to Grouse Mountain quickly for the awesome party!

  • The highlight of the lightning talks was someone showing relationship between old school and nowadys' technologies (finger <-> twitter, talk <-> chat etc..), with cool pure ASCII slides.
  • Philippe Biondi talked about stateful protocol modelization in Scapy (with a TCP example).
  • RaphaĆ«l Rigo presented his Nintendo DS Wifi scanner.
  • Tavis Ormandy and I talked about bypassing Linux' recent hiding of /proc/pid/maps file to make ASLR useful locally. The idea is to monitor the stack and instruction pointers in /proc/pid/stat to infer the address space layout (Tavis wrote cool PoC code for this!). Funny to see info leaking prevention done wrong 6 years after grsecurity and PaX+obs did it right.
  • I presented my subtty backdoor.
  • Charlie Miller told us how bad it is to report bugs for free. I wonder if he might be biased on this.
Another interesting event was the 2009 edition of pwn2own. Everything exciting happened on day 1, since not many peoples were interested in the phone challenges and those who were had been annoyed by the lack of specifications before the challenge and couldn't get ready on time.

Charlie Miller owned Safari, Nils owned Safari, Firefox and IE8 and I owned Safari and Firefox. For those of you who are asking, I actually paired with someone (more information on this in a later post) and we didn't qualify for a price because the vulnerabilities had already been reported.
The reason for competing was that technically this would still qualify to keep the machine (and also, I must admit, because it's always fun to pop some shells). Though, Charlie was lucky and was the first to give a try (I was second) and so kept the Mac.
Well, I guess that's what you get for not being good researchers and not sitting on issues ;)

On Friday, many peoples left for Whistler for a great ski trip and further interesting security discussions. It was the perfect sequel to a great CanSecWest edition!

Sunday, March 22, 2009

Blog boot!

I have finally decided to open a blog. I am not exactly an early adopter, it took me a long time to feel the need of having one.
IT security is a long-time interest for me. I've usually been sharing thoughts, ideas and opinions in bars, restaurants and conferences or on IRC. I'll use this blog to reach a broader audience.
To publish new tools, I hope it will be more user-friendly than raw updates to

So, here's my first post from Whistler, Canada, just after the CanSecWest security conference!