[Keynote] Emerging New Technologies for Information Security Management
Suguru Yamaguchi, Nara Institute of Science and Technology
Information systems are now taking the important role to support core competence components of businesses in various
industries so that they requires more dependability and sustainability. New technologies for improvement to make information systems more
dependable are emerging from R&D field to the actual operational environment, however still more development are expected. In this keynote
session, the speaker presents new risk on information security coming up with information systems, then express his views and directions on
technical solutions and technologies required.
Suguru Yamaguchi was born in Shizuoka, Japan in 1964. He received the M.E. and D.E. degrees in computer science from Osaka
University, Osaka, Japan, in 1988 and 1991, respectively. From 1990 to 1992 he was an Assistant Professor in Education Center for Information
Processing, Osaka University. In 1992, he was moved to Information Technology Center, Nara Institute of Science and Technology, Nara, Japan,
and served as an Associate Professor till 1993. From 1993 to 2000, he was with Graduate School of Information Science, Nara Institute of Sc
ience and Technology, Nara, Japan, as an Associate Professor. In 2000, he was promoted to a Professor with the Graduate School of Information
Science, Nara Institute of Science and Technology, Nara, Japan. During his work in Nara Institute of Science and Technology, he has been
working very aggressively on research, education and management. Especially from 2002 to 2004, he served as Director of University Library,
and devoted himself to i mprove and enhance the digital library system, which was the nation's first digital library system available for
national universities, initially funded in 1995.His research interests include technologies for information sharing, multimedia communication
over high-speed communication channels, large-scale distributed computing systems, network security and network management for the Internet.
Since mid 1980's, he has been working very hard on development the Internet in Japan and Asia and Pacific region. He has been also a member
of WIDE project, which is one of pioneer projects for the Internet development, since its creation in 1988. In the project, he has been
conducting research on network security system, especially PKI infrastructure for wide area distributed computing environment.
In 2004, he was appointed to Advisor on Information Security, Cabinet Secretariat, Government of Japan. He has been
deeply involved to design and implementation of basis of national policy on information security and establishment of National Information
Security Center (NISC) in Cabinet Secretariat in 2005. Even though he is still working for his university, he didn't spare himself for
this important task in the government. Because of tight relationship with government's information security policy, he was also appointed
to Advisor for Government Program Management Office (GPMO) at secretariat office of IT Strategic Headquarter, Government of Japan.
With his contribution for Internet development and network security, he is involved and working with several organizations.
Since 1992, he was working for JPCERT/CC, which is a first national CSIRT in Japan, and now serving as a member of its board of trustee. Since 2002,
he has been a member of board of trustee of Japan Network Information Center (JPNIC), which is national Internet registry managing IP address and AS
number allocations and registrations. For the Internet development in Asia and Pacific region, he is working so long for Asian Internet
Interconnection Initiatives (AI3) since its creation in 1996.
Fuzzing Sucks (Or Fuzz Like You Mean It)
Pedram Amini, Tipping Point
Aaron Portnoy, Tipping Point
Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation.
Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz
testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now.
This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007.
Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and
methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple
methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can
automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.
currently leads the security research and product security assessment team at TippingPoint, a division of 3Com.
Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy
titles he spends much of his time in the shoes of a reverse engineer- developing automation tools, plug-ins and scripts. His
most recent projects (aka "babies") include the PaiMei reverse engineering framework and the Sulley fuzzing framework.
In conjunction with his passion for the field, he launched OpenRCE.org, a community website dedicated to the art and science
of reverse engineering. He has previously presented at DefCon, RECon, ToorCon and taught numerous sold out reverse engineering
courses. Pedram holds a computer science degree from Tulane University, finds his current commander in chief rather humerous and
recently co-authored a book on Fuzzing titled "Fuzzing: Brute Force Vulnerability Discovery".
aka deft, is a researcher within TippingPoint's security
research group. His responsibilities include reverse engineering,
vulnerability discovery, and tool development. Aaron has discovered
critical vulnerabilities affecting a wide range of enterprise vendors
including: RSA, Citrix, Symantec, Hewlett-Packard, IBM and others.
Additionally, Aaron has contributed mind share and code to OpenRCE,
PaiMei, and various white papers and books. On a more personal note,
Aaron is the proud owner of a Rottweiler/German Shepherd puppy and he
also drives really (really) fast.
Kick Ass Hypervisor
Brandon Baker, Microsoft
Virtualization is changing how operating systems function and how enterprises manage data centers.
Windows Server Virtualization, a component of Windows Server 2008, will introduce new virtualization
capabilities to the Windows operating system. This talk will focus on security model of the system,
with emphasis on design choices and deployment considerations. Aspects of virtualization security
related to hardware functions will also be explored.
Brandon Baker is a security developer in the Windows kernel team working on the Windows hypervisor and leading security development and testing for the Windows Server Virtualization project. For the past five years he has worked on security and separation kernels at Microsoft of one form or another. Prior to joining Microsoft, Mr. Baker was a security architect at a managed data center company. He has been working in the computer security field since 1997, when at NSA he co-authored the first guide for the secure configuration of Windows NT for the DoD. Mr. Baker has a B.S. in Computer Science from Texas A&M University.
Automated Unpacking and Malware Classification
Halvar Flake, Founder, SABRE Labs
is SABRE Labs' founder. Originating in the fields of copy protection and digital
rights management, he gravitated more and more towards network security over time as he
realized that constructive copy protection is more or less fighting windmills. After
writing his first few exploits he was hooked and realized that reverse engineering
experience is a very handy asset when dealing with COTS software. With extensive
experience in reverse engineering, network security, penetration testing and exploit
development he a coveted speaker and trainer.
Greetz from Room 101
Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you.
Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king
who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart
enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the
answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out.
Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't
trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz
from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's
population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least,
the Black Hat audience will hear about the future of cyber control, and the future of cyber resistance.
Kenneth Geers has worked for many years in a wide variety of technical and
not-so-technical disciplines. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He
also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider
in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Kenneth is the author of Cyber Jihad and the Globalization
of Warfare; Hacking in a Foreign Language: A Network Security Guide to Russia; Sex, Lies, and Cyberspace: Behind Saudi Arabia's
National Firewall; and IPv6 World Update. His website, chiefofstation.com, is devoted to the intersection of art, the fate of
nations, and the Internet. Greetz to Bunny, Izzy, Yofi, and Boo!
The Little Hybrid Web Worm That Could
Billy Hoffman, SPI Dynamics
The past year has seen several web worms attacks against various online applications. While these worms have gotten
more sophisticated and made use of additional technologies like Flash and media formats, they all have some basic limitations such as
infecting new domains and injection methods. These worms are fairly easily detected using signatures and these limitations have made
web worms annoying, but ultimately controllable. Often the source website simply fixes a single flaw and the worm dies.
In this presentation we will examine ways web worms might evolve to overcome these limitations. We describe a hybrid web worm
combining both server-side and client side languages to exploit both the web server and the web browser to aid in its propagation
across multiple hosts. We will discuss how such a hybrid worm is able to find new vulnerable systems and infect new hosts on
different domains from both the client and the server. In addition will we look at how a hybrid worm could upgrade its infection
methods while in the wild by fetching and parsing new web vulnerability information from public security sites, preventing a single
silver bullet fix from stopping it. We will examine how web worms could implement polymorphism and source code mutation to evade
a browser allowed for some interesting twists and caused some challenges.
While we have not built a fully functioning hybrid worm, we will demo different parts of the worm in isolation to show how these
features would function. Specifically we will look at how the worm could upgrade itself with publicly available vulnerability data
steps to prevent hybrid web worms from exploiting a website or its users.
is a lead security researcher for SPI Dynamics. At SPI Dynamics, Billy focuses on automated discovery of Web
application vulnerabilities and crawling technologies. His work has been featured in Wired, Make magazine, Slashdot,
G4TechTV, and in various other journals and Web sites. In addition, Billy is a reviewer of white papers for the Web
Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures,
modifies, validates, generates, analyzes, and shares data from magstripes. Billy is currently coauthoring "Ajax Security",
to be published by Addison-Wesley in Summer 2007.
DNS Pinning and Socket API
this kinds of technology mostly works on the user's web browser which visited the page with the trap. Most of those technology has
the security restriction which "allow the connection if the host name is the same as the download origin host." However, this
restriction can be easily broken by the DNS server which has the malware controlod by the attacker.
This issue is known of "DNS Pinning" and "Anti-DNS Pinning". At this moment, most article explained
about this topic is "Expected damage will be the leking information from the web page on the Intranet", but as the matter
of fact, there are more serious risks which is not revealed yet. From Java Applet, and new version of the Flash Player,
because the API of the TCP level whichi is known as the Socket is available, the attackers can exploit the many protcols
other except HTTP as the targets. By this expoit, the victim user's web browser will be the proxy server at the TCP
level, the attacks below will be possible.
- Portscan the host on the Intranet/Internet via the victim user's web browser
- Send the shell code to the host on the Intranet/Internet via the victim user's web browser
- Send the spam mail from the victim user's web browser
- Access to the file sharing network on the Intranet
- Any Aceess to any TCP level via the victim user's web browser
This presentation will be cover the attacks by using this Socket API and its countermeasure.
Mr. Kanatoko is a programmer, and was born in 1975. He has managed JUMPERZ.NET which offers information related to the network and security since 1998. He has developed several open source tools such as, Guardian@JUMPERZ.NET(Web Application Firewall), Doorman@JUMPERZ.NET(Client Side Proxy), and HTTPTunnel@JUMPERZ.NET (a tool that builds a virtual TCP connection on HTTP). Moreover, he has regularly contributed articles to the online magazine "WizardBible.org" which can be called Japanese version of Phrack.
In the field of DNS Rebinding (Or, Anti-DNS Pinning), he showed the possibility of attacks on
FLASH with the Socket Interface, based on the principle of Martin Johns. Moreover, he is well known for
having an online demonstration of the various DNS Rebinding attacks opened to the public.
In addition, a whitepaper at Stanford University utilizes his site as a reference. http://crypto.stanford.edu/dns/
Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment
Clemens Kolbitsch, Technical University Vienna
The presentation documents the process of identifying potential vulnerabilities in IEEE 802.11
device drivers through fuzzing. The relative complexity of 802.11 as compared to other layer two protocols imposes a number
of non-trivial requirements on regular 802.11 protocol fuzzers.
This paper describes a new approach to fuzzing 802.11 device drivers on the basis of emulation. First, the process of creating a
virtual 802.11 device for the processor emulator QEMU is described. Then, the development of a stateful 802.11 fuzzer based on the
virtual device is discussed. Finally, we report the results of fuzzing the Atheros Windows XP driver, as well as the official and
open source MADWifi drivers.
is currently finishing his master studies ("Software Engineering and Internet Computing") at the Technical University
in Vienna, Austria. His main research is computer security with a special interest in memory manangement and virtual machines.
is also finishing his master studies ("Software Engineering and
Internet Computing") at the Technical University in Vienna, Austria.
Besides their research into wireless 802.11 vulnerability detection, they are
currently working on linux kernel mode exploitation techniques, both
supported by SEC Consult Unternehmensberatung GmbH.
Passive OS Fingerprinting Using DHCP
David LaPorte, Harvard University, UIS Network Operations
Eric Kollmann, Boise State University
Passive OS fingerprinting is not a new topic - tools such as Siphon, p0f, and ettercap have existed for years. These tools perform
fingerprinting based on unicast traffic and therefore must sit in the data stream or receive an out-of-band copy of it (eg. a SPAN port). What is new,
however, is the use of DHCP as a fingerprinting mechanism.
DHCP is, in part, a broadcast protocol. This fact allows it to be monitored without sitting in the data stream. Any system within the broadcast domain or
remote system - through the use of a DHCP relay - can capture broadcast DHCPDISCOVER packets and fingerprint all DHCP-enabled systems on the LAN. One such
fingerprinting method uses the order and number of options specified in option 55 of the DHCP packet (parameter request list) to trivially infer the OS.
DHCP is a little known method of fingerprinting which presents an easy means of host profiling and a useful network inventorying tool for IT professionals.
Both of these uses are only likely to increase in the future as awareness spreads.
Both presenters have extensive experience with DHCP fingerprinting and each have written software that utilizes it.
Satori is a windows-based passive fingerprinting utility.
is the Network Security Manager for Network and Server Systems at Harvard University. In his off-hours,
David works extensively on PacketFence, an open-source network registration and worm mitigation system. David received a
BS in Computer Science from Northeastern University and is pursuing an MS in Information Assurance. He holds CISSP, CCNP,
and RHCE certifications.
works as a Microsoft Systems Engineer. He has written white papers on Active/Passive OS Fingerprinting and most
recently on DHCP Fingerprinting. He has been involved in software projects whose purpose is OS Identification, Patch
Management, and Security Vulnerabilities. His latest project has been Satori which does passive fingerprinting across
multiple DHCP, ICMP, TCP, CDP, HPSP, SMB, SNMP, plus many others.
URI Use and Abuse
Nathan McFeters, Senior Security Advisor, Ernst & Young
Rob Carter, Security Advisor, Ernst & Young
URIs link us to commands and programs which have been written by developers and are subject to all of the same code flaws that any other system might be, what is most interesting is that the usage of URIs links us to that back end application through a browser, making Cross Site Scripting attacks a possible trigger for any flaws we may discover.
This presentation will discuss the subject of URI attacks, glossing over several 0-days that were originally discussed at DEFCON 15 and will move into more recent research that exposes applications functionality resulting in some scary attacks. Examples will include stack overflows, command injections, utilizing an application to send all of a user's pictures to an arbitrary server, etc. All of these attacks are leverageable thru XSS exposures, and thus XSS, CSRF, Phishing, and Anti-DNS Pinning attacks will be combined with the URI attacks to devestating effect.
Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Houston, TX. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has served as the Engagement Manager for the ASC's largest client, leading hundreds of web application reviews this year alone.
Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area.
Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.
Rob Carter is a Security Advisor for Ernst & Young's Advanced Security Center in Houston, TX. He has performed web application, internet, intranet, and wireless reviews and penetration tests for multiple Fortune 500 clients.
Rob's primary area of interest is in web application security research and tool development. He has an undergraduate degree from Western Michigan University in Computer Science.
Hijacking Virtual Machine Execution
Nguyen Anh Quynh, National Institute of Advanced Industrial Science and Technology (AIST)
In general Virtual Machine (VM) technology can guarantee strong isolation between VMs, so even if a VM is hacked, other VMs are still tamper-resistant.
However, this talk demonstrates that if the attacker takes over the host VM, he can do pretty much anything he wants with the guest VMs. Several
sophisticated techniques to hijack the execution of a running VM are presented, which can be used to redirect any VM execution at will.
While the proposed methods are not limited to any kind of virtual machine, we demonstrate them in 3 demos, with 3 kinds of Virtual
Machines: KVM, Xen and QEMU.
The first demo shows that with only 1 byte injected into a Linux VM, the attacker can capture all the SSH usernames and passwords of users
logged in to the OpenSSH service running inside that VM.
In a second demo, the attacker dynamically injects 3 bytes into a Linux VM, then captures (and later replays) all the keystrokes and
output screen of the VM's consoles. The hijacking does not generate any negative impact in I/O performance, therefore not likely to cause any suspect to the VM's owner.
Meanwhile, the hijacking technique can also offer great benefit for the defense side. The third demo proves that with less than 10 bytes
injected into a protected Linux VM, we can have a file-system integrity tool. Compared to traditional approaches like Tripwire or AIDE, this IDS offers some
advantages such as: real-time detection, zero deployment cost, richer intrusion evidence, and less exposed to attacker.
The presented techniques work with any kind of OS-es, and need absolutely no modification to the kernel of the guest VMs or
to the hypervisor. Besides, everything is done inside the user-space, thus straightforward to implement, and requires no deep knowledge about OS kernel.
Nguyen Anh Quynh is a postdoctoral researcher at National Institute of Advanced Industrial Science and TechnologyAIST, Japan. His research interests include computer security, networking, data forensic, virtualization, trusted computing and operating system. His papers has been published in various academic conferences, such as ACM, IEEE, LNCS, Usenix among others. Quynh is a contributor of numerous open source projectsnotably are Xen Virtual Machine and Linux kernel. He is not limited his research to to the academic field though, as he loves to get involved with the industry. He presented his research results at international hacking conferences such as EusecWest, HackInTheBox, Hack.lu, SyScan, VNSECON. Quynh obtained PhD degree in computer science from Keio University, Japan. He is also a member of Vnsecurity, a pioneer information security research group in Vietnam.
Secure Programming with Static Analysis
Jacob West, Fortify Software
Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an
almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth
comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static
analysis is part of the solution.
- The most common security short-cuts and why they lead to security failures
- Why programmers are in the best position to get security right
- Where to look for security problems
- How static analysis helps
- The critical attributes and algorithms that make or break a static analysis tool
We will look at how static analysis works, how to integrate it into the software development
processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from
real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how
static analysis can rapidly uncover similar errors.
manages Fortify Software's Security Research Group, which is
responsible for building security knowledge into Fortify's products. Jacob
brings expertise in numerous programming languages, frameworks and styles
together with knowledge about how real-world systems can fail. In addition,
he recently co-authored a book, "Secure Programming with Static Analysis,"
which was released in June 2007. Before joining Fortify, Jacob worked with
Professor David Wagner, at the University of California at Berkeley, to
develop MOPS (MOdel Checking Programs for Security properties), a static
analysis tool used to discover security vulnerabilities in C programs. When
he is away from the keyboard, Jacob spends time speaking at conferences and
working with customers to advance their understanding of software security.
Multiplatform Malware Within the .NET Framework
Paul Sebastian Ziegler
Recently there have been a lot of talks going on concerning multiplatform malware and its possibilities. However only very few people have
stepped up to the challenge and actually created some multiplatform malware so far. Furthermore the created worms and viruses usually had some gross requirements,
as for example requiring a specially patched Linux kernel.
Multiplatform malware is extremely interesting and possesses immense potential. It opens up completely new approaches to system security that might render
a lot of what we do up until now useless. Take this for an example:
While it might not be possible to remotely hack into some company's high security network, you might be able to own an employee's kid
Xbox360. Now imagine that a worm could jump from there. It could directly infect the family's desktop PC, from there get synced onto a
PDA, PocketPC or Smartphone, get physically carried into the company and attack local computers within the network using Wifi, Bluetooth
or those computer's synicing mechanisms - thus opening up a completely new attack vector.
I will present a different approach to implementing multiplatform malware. Instead of trying to create complex assembler
patterns that will run on multiple kernels in an extremely unstable manner (if you are lucky), it is also possible to
make use of runtime frameworks.
I created a worm that runs within the .NET framework. I will present the technique used to make it completely compatible with
WindowsXP (.NET/Mono), Linux (Mono), Solaris (Mono), Mac OS X (Mono) and the BSD descendants (Mono/possibly Rotor). The sourcecode
of the worm is available under the GPLv2 at observed.de/?download. There is also a blog-entry on that worm at observed.de/?official.
There is very little information on the real potential of multiplatform malware yet. And there is by no means any kind of common
understanding concerning it. So let us create that understanding together in order not to be on lost stands once multiplatform
malware will start to strike in a couple of years.
Paul Sebastian Ziegler is an autodidact. You can easily tell since he sometimes messes up the pronunciation of technical termswhitepapers in leetspeak simply don't contain phonetic spellings very often. His mind is just as chaotic with a lot of ideas, concepts and terms lying around and links between them wildly spreading like weeds. This constellation often leads to strange gasps of reality and also of computer security. And as always"strange" is just another term for "new" and "unusual".
Being a freelancer brings Paul time to write articles (hakin9) and books
(O'Reilly), but pentesting and system administration take up most of his
time. During free time he enjoys geeking out (e.g. turning record
players into voice-controlled wireless mp3-music-stations), programming
and swordplay. Also friends tend to keep him distracted a lot.
Paul believes that real security can only come from broad knowledge and that security through obscurity is doomed to failure. Due to this basic assumption most of his research is dedicated to breaking security mechanisms and discovering new attack vectors to raise public awarenessbe it by analyzing wireless frames, messing with people's minds or pushing the topic of multiplatform malware.