Microsoft BlueHat Security Briefings: Fall 2007 Sessions and Interviews

This talk will outline a simple, repeatable procedure for turning Microsoft Tuesday patch releases into proof of concept exploits within a matter of hours. We will walk through each step, starting with information gathering and patch disassembly, and detailing how knowledge of systems and patching practices mixed with basic reverse engineering knowledge can result in quickly discovered vulnerabilities. Once the triggering conditions are discovered, we will discuss how hackers decide which vulnerabilities will be weaponized, and the speed with which hackers can do so with the metasploit framework.

Lurene Grenier
Sourcefire

Lurene Grenier is a senior security researcher at Sourcefire and is currently working on the Metasploit 3 framework, primarily in the areas of shellcode encoding and exploit development. She has published papers on a variety of topics including C code auditing, frustrating disassemblers, and an early analysis of the unpatched Microsoft RPC memory exhaustion flaw. Day-to-day she works heavily with Microsoft products, reverse engineering userland and kernel space binaries for the purpose of vulnerability research and development. Her current research revolves around uniting fuzzers and debuggers to automate the process of exploit development.

Listen to a podcast interview with Lurene Grenier.

Part of the design of the web allows browsers to collect and render resources across security boundaries. This capability has a number of issues, but they've historically been mitigated with what's known as the Same Origin Policy, which attempts to restrict scripting and other forms of enhanced access to sites with the same name. However, scripts are not acquired from names; they come from addresses. As RSnake of ha.ckers.org and Dan Boneh of Stanford University have pointed out, so-called "DNS Rebinding" attacks can break the link between the names that are trusted, and the addresses that they were connected to, allowing an attacker to proxy connectivity from a client. I will demonstrate an extension of RSnake and Boneh's work, that grants full IP connectivity, by design, to any attacker who can lure a web browser to render his page.

Dan Kaminsky
IO Active

Dan Kaminsky is the Director of Penetration Testing for Seattle-based IOActive, where he is greatly enjoying having minions. Formerly of Cisco and Avaya, Dan was most recently one of the "Blue Hat Hackers" tasked with auditing Microsoft's Vista client and Windows Server 2008 operating systems. He specializes in absurdly large scale network sweeps, strange packet tricks, and design bugs.

Listen to a podcast interview with Dan Kaminsky.

Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired in the way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. Nonetheless, if you are serious about fuzz testing as a scientific process as much as possible, then you have no doubt been disappointed with the current state of affairs. Until now.

This talk is about Sulley, an open-source, freely-available, full-featured and extensible fuzzing framework released August 2007. Modern-day fuzzers are usually solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, and is capable of reverting to a good state using multiple methods. Sulley detects, tracks, and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.

Pedram Amini
Tipping Point

Pedram Amini currently leads the security research and product security assessment team at TippingPoint, a division of 3Com. Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy titles he spends much of his time in the shoes of a reverse engineer—developing automation tools, plug-ins and scripts. His most recent projects (aka "babies") include the PaiMei reverse engineering framework and the Sulley fuzzing framework.

In conjunction with his passion for the field, he launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has previously presented at DefCon, RECon, ToorCon and taught numerous sold out reverse engineering courses. Pedram holds a computer science degree from Tulane University, finds his current commander-in-chief rather humorous and recently co-authored a book on Fuzzing titled "Fuzzing: Brute Force Vulnerability Discovery".

Listen to a podcast interview with Pedram Amini.

Aaron Portnoy
Tipping Point

Aaron Portnoy, aka deft, is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: RSA, Citrix, Symantec, Hewlett-Packard, IBM and others. Additionally, Aaron has contributed mind share and code to OpenRCE, PaiMei, Sulley, and various white papers and books.

Depending on who you ask, platform virtualization (a la Virtual Server, VMWare, Xen) is useful, cost-effective, sexy, or all of the above. So it's no surprise that the world is migrating to virtualized environments in droves; however, in doing so, has anyone really considered the security trade-offs? How well are virtual guest machines compartmentalized/segregated from each other? Looking beyond single one-off vulnerabilities (although those do exist!), this talk will explore various under-discussed problems on how current virtualization and compartmentalization implementations are not as rigid and secure as everyone would hope. In some cases, the move to virtualized platforms has us coming full-circle back to many insecurities that were solved/mitigated long ago in equivalent non-virtual components. This talk will encompass multiple virtualization products, and will focus on simple, practical areas of concern (network problems, abuse of product features, etc.). Basic ethernet networking knowledge is recommended for portions of this talk; low-level hardware topics relating to virtualization (CPU capabilities/abuses, memory management) will not be addressed.

Jeff Forristal
SPI Dynamics

Jeff Forristal is a senior R&D engineer for SPI Dynamics (now HP). Prior to SPI Dynamics, Jeff worked for 7 years at Neohapsis, a security services company based in Chicago. During his tenure at Neohapsis, Jeff broke everything he got his hands onto including wireless and USB security hardware, security management/SSO products, customer web sites and proprietary applications, etc. He is also an accomplished writer, having written multiple articles and cover stories for Network Computing and Secure Enterprise magazines on various topics such as physical security, source code static analysis products, and network vulnerability scanners; he also contributed multiple chapters to the book "Hack Proofing Your Web Applications."

Listen to a podcast interview with Jeff Forristal.

In this talk, the author presents various ways to subvert Windows CE kernel to hide certain objects from the user. Architecture and inner mechanisms of the Windows CE kernel are discussed first, with a focus on memory management, process management, syscall handling, and security. Next the author explains the methods he used for hiding processes, files, and registry keys using hooking of handle- and non-handle-based syscalls, direct kernel object manipulations, injecting filtering code into various server processes and steps to stay loaded even after cold reboot. A fully functional prototype rootkit is presented.

Petr Matousek
Coseinc

Petr Matousek is a security researcher with an interest in general computer security. He specializes in rootkits, viruses, worms and other malware that affect Microsoft platforms. He has long-time experience in low level programming, and he has pioneered several proof-of-concept security technologies. Recently his main field of interest is mobile device security.

Listen to a podcast interview with Petr Matousek.

Ollie Whitehouse from Symantec will present a matter-of-fact look at Windows Mobile 5 & 6 security and how it pales in his opinion when compared to the security of Microsoft's other products, in terms of investment and disclosure. The purpose of this presentation is to articulate the types of vectors and attacks which are both common and unique to mobile platforms as well as the problems the author has previously in engaged with Microsoft to discuss. The presentation will also present some of the more advanced rootkit research Ollie has performed as a demonstration of what is possible if attackers did target Windows Mobile aggressively.

Ollie Whitehouse
Symantec

Mr. Ollie Whitehouse has worked in information security both as a consultant and researcher. This has included being employed by companies in a variety of industries ranging from financial services to telecommunications. Mr. Whitehouse originally created Delphis Consulting's security practice in 1999 while working as consultant. Mr. Whitehouse joined @stake Inc in 2000 as a Managing Security Architect before becoming European Technical Director in 2004. After Symantec’s acquisition of @stake Inc in 2004, Mr. Whitehouse continued as Technical Manager for its professional services division in London until 2005. In mid-2005 he took a full time research role with Symantec Research Labs in Government research. Mr. Whitehouse subsequently moved to Symantec’s Response division joining its Advanced Threats Research team specializing in mobile platforms and related technologies.

Mr. Whitehouse has previously published research on the security of mobile telecommunication networks, mobile devices and Bluetooth. In addition he has also discovered numerous security vulnerabilities in a wide range of desktop and server applications. His previous research has led him to present at Blackhat, CanSecWest, RuxCON, UNCON, and Chaos Communication Camp among others.

Listen to a podcast interview with Ollie Whitehouse.

Three days after its launch, the Wabisabilabi project attracted the world's attention. For the good and for the bad, the press covered the project in all its aspects, generating an endless round of comment threads on specialized forums. The project got the attention of the financial press, hitting the Economist and Forbes. This speech will let you hear directly from WABISABILABI's Strategy Director about the project philosophy, business model, and milestones, as well as the challenges the project has to overcome in the future.

Roberto Preatoni
Director of Strategy, WabiSabiLabi

Roberto Preatoni (aka Sys64738): 40, is the Director of Strategy of WabiSabiLabi, the first marketplace for security research and intellectual property. He is also the founder of the cybercrime archive Zone-H (http://www.zone-h.org). He’s also CEO of an International ITsec company (Domina Security) which is active in European and former Soviet countries. He has been globetrotting, lecturing in several ITsec security conferences, including Defcon in the US, HITB in Malaysia, Paranoia in Norway, and Chaos Communication Congress in Germany. He has been interviewed by several print and online newspapers where he shares his experiences relating to cyberwar and cybercrimes.

Listen to a podcast interview with Roberto Preatoni.

Just about everyone thinks they know the solution to the malware problem, whether it is virtual machines, light-weight virtualization, integrated user accounts, or new integrity levels. Unfortunately, user experience, application compatibility, and the end-user desire to move data in and out of a sandbox all conspire to wreck the value of such schemes. In this session, you’ll learn what constitutes a security boundary, get a tour through core Windows technologies, including user sessions, Code Integrity, PatchGuard, Service Security Hardening, and User Account Control, to gain an understanding of where Windows currently defines such boundaries, and gain insight into the opportunities and challenges that are guiding Windows long-term OS and application security and isolation strategy.

Mark Russinovich
Technical Fellow, Microsoft

Mark Russinovich is a Technical Fellow at Microsoft in the Platform and Services division working on future versions of Windows. His major interests include security, performance, and virtualization. Mark is co-author of Windows Internals, 4th Edition (Microsoft Press) and he has written dozens of articles on Windows internals. A frequent speaker at major industry conferences, including Microsoft’s TechEd, IT Forum, WinHec, and PDC, he also writes popular troubleshooting and administrative tools that are published at Microsoft’s TechNet Sysinternals Tech Center (http://www.microsoft.com/technet/sysinternals). Prior to joining Microsoft in 2006, he was Chief Software Architect and Co-Founder of Winternals Software, which Microsoft acquired along with Sysinternals.

Listen to a podcast interview with Mark Russinovich.

In 2006, MSRC received an unprecedented number of vulnerability reports for Office 2003. Some of these vulnerabilities were used in targeted 0-day attacks against our customers.

In this presentation I will show you what it was like to be a victim in such an attack by running an actual malicious PowerPoint file sent to a customer, while examining its effects on the system with Process Monitor and Process Explorer. Then I will demonstrate what customers can do to reduce the risk from these types of attacks by opening the document again with the Microsoft Office Isolated Conversion Environment and FileBlock configured.

Robert Hensing
Security Software Engineer, Microsoft

Robert Hensing is a Software Security Engineer on the Secure Windows Initiative team and is responsible for providing mitigations and workaround guidance to the MSRC.

An understanding of Microsoft's Phoenix framework will soon be a requirement for those involved in software analysis and optimization. Phoenix makes it possible to easily develop tools that can be used during the compilation or analysis of software. While Phoenix has been used for this purpose within Microsoft for quite some time, it has only within the last year seen broader third party use.

The Cthulhu framework, built largely on top of Phoenix, is an example of a third-party tool in development. Cthulhu's purpose is to provide an abstraction layer that supports seamless and consistent representation of concrete software elements, such as a method, a data type, an instruction, and so on. This abstraction layer makes it possible to build tools that will be API compliant with different fundamental binary analysis frameworks, such as Phoenix. Using abstraction, it's possible to normalize information obtained with Phoenix to a database in a format that can be easily indexed later. Storing this information in a database can permit the analysis of much larger data sets than could reasonably be represented at once in physical memory. The purpose of this talk will be to illustrate one direction in which Phoenix can be extended and abstracted. This direction will be described in terms of the general architecture of Cthulhu as well as some of the more interesting features it supports. The reason for the direction's name should be obvious; after all, the only thing that could possibly contain and ultimately devour a Phoenix would be Cthulhu himself, right?

Matt Miller
Leviathan

Matt Miller is an active member of the security research and development community where he focuses primarily on areas relating to exploitation technology and reverse engineering. Matt joined the Metasploit project in 2004 and has contributed to the advancement of the Metasploit framework. Some of these advancements include the Meterpreter, VNC injection, and his work as a core developer on Metasploit 3.0. Matt is also an editor and contributor to the Uninformed Journal. The journal is a free, community driven outlet for new research. Matt's contributions to the journal have included papers on bypassing PatchGuard and DEP as well as other techniques that can be used to improve exploit reliability in differing circumstances. In addition to his work with Metasploit and Uninformed, Matt also developed a functional implementation of Address Space Layout Randomization (ASLR) for Windows 2000, XP, and 2003 prior to Microsoft's integration of ASLR into Vista. Matt currently works as a consultant with Leviathan Security Group, Inc.

Listen to a podcast interview with Matt Miller.

This talk demonstrates security visualization at the systems layer to depict an instrumented application context. The initial scope of this work was to visualize the representation of interaction between code and data, over a 3D topographical map (3 axes to depict the degree of significance). My goal is to provide insightful representations of core application functionality.

Shane Macaulay

Shane Macaulay is a world-class IT Security Specialist. Shane has a deep and broad security view of systems ranging from every major flavor of UNIX, Microsoft and networking operating systems. He has made numerous contributions to the security community through various papers, books and revolutionary technical applications. Mr. Macaulay has audited proprietary source code for security vulnerabilities. Being proficient at discovering unknown vulnerabilities in custom software applications, Shane has led many teams internally at Microsoft spanning virtually every product division. Mr. Macaulay is an alumni member of the international security group called “The Honeynet project”. He has co-authored a book on the hacker mentality titled "Know your Enemy", published by Addison-Wesley, as well as co-authoring "Hack Proofing Your Network: Second Edition", published by Syngress publishing. Shane has spoken on multiple occasions at industry conferences: Microsoft Bluehat, CanSecWest, the Blackhat briefings, DefCon and SANS.23. Mr. Macaulay’s major employment/contract history includes: IBM, Bloomberg, @stake / Symantec, Core Security and LGS.

Listen to a podcast interview with Shane Macaulay.

The growth of cellular and mobile technologies has expanded at phenomenal rates over the past 1-2 years giving rise to vastly different attack targets, both on the devices themselves and to the services to which they connect. During this talk, I aim to show mobile device security considerations and how they have, in the past, differed from the desktop and enterprise and how current mobile device security issues are influencing the development of security features, how we provide software updates, and how we have to work much closer with mobile device manufacturers and service providers.

Sean Hunt
SDE II, Microsoft

Sean Hunt has been a software engineer for over 15 years with experience in mobile and embedded computer systems. He has worked for Microsoft for more than 6 years now, working for 5 of those years with the security of Windows CE and Windows Mobile based products. Most of his day to day work involves researching and investigating mobile related security issues.

Malware authors are changing. In the past, their motivation was fame, nowadays it is mostly money. With the change of focus, development practices on the side of the malware authors are changing, too: Hand-crafted polymorphic assembly code is out, cheap-to-maintain-and-develop C/C++ code is in. Simple ‘offline polymorphism’ (for example, clever recompile with small changes) and targeted attacks allow the evasion of traditional AV signatures without giving up on massive code reuse. To automatically deal with the (almost boringly) growing flood of malware, several classification methods have been proposed - ranging from looking at instructions, n-grams and n-perms, and other "features" to generate high-dimensional vectors to behavioral techniques. These techniques suffer from the drawback of high "brittleness", that is, they can be easily circumvented without requiring significant skill or time on the side of the malware author.

This talk will discuss using structural (for example, callgraph- and flowgraph-based) metrics for the automated classification of malware into families. The advantage of the discussed approach is its relative "suppleness" - it is resistant up to drastic measures such as "recompiling a virus for a different architectures" etc. A significant investment of work is needed on the malware authors’ side to break the analysis. We will discuss an example implementation of a fully automated malware classification system (VxClass) which automatically unpacks, disassembles, and compares new malware against an existing database. A number of horribly incorrect predictions about the future will be given.

Halvar Flake
SABRE Security, CEO

Halvar has been working on topics related to reverse-engineering (and vulnerability research) for the last 9 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (Blackhat Briefings, CanSecWest, SSTIC, DIMVA). Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors. Halvar founded SABRE in 2004 in order to further research into automation of reverse engineering and code analysis.

Listen to a podcast interview with Halvar Flake.

MSRC has been around for just about 10 years. This talk will show MSRC then and now, with the goal of helping understand the “why” behind some of the things we do. This will be a great MSRC 101 for teams that have yet had the joy of an MSRC release, as well as a good background for teams that have been through this path several times.

Mike Reavey
Group Manager, MSRC

As group manager of the Microsoft Security Response Center (MSRC) at Microsoft Corp., Mike Reavey works with security teams to proactively identify and communicate critical software vulnerabilities to customers. Building on Microsoft’s commitment to Trustworthy Computing, Mr. Reavey’s responsibilities include responding to vulnerability reports, engaging with the security community, and collaborating with internal product groups to provide updates to customers and help protect them from computing security threats.

Part of a collective initiative to better protect software users from such threats, Mr. Reavey’s team is constantly evolving its response capabilities. Reavey was deeply involved in Microsoft’s work combating the Zotob, Sasser and Blaster outbreaks, and has helped MSRC continually prove its ability to respond to attacks and blended threats. His goal for the group is to continue to evolve in the wake of new threats and serve as the first and best source of information for customers and internal teams.

Mr. Reavey joined Microsoft in June 2003 as part of the MSRC team focused on vulnerability response initiatives for Microsoft Internet Explorer. Before that, he served in the U.S. Air Force as team leader for the Air Force Communications Agency and 92nd Information Warfare Squadron, responsible for securing and optimizing global air force networks.