HES2011Paris, from 7th to 9th of April 2011

After the success of its first edition, the HES2011 conference once again gathers the finest experts of the international security scene. Backed by an outstanding program committee*, HES is on its way to becoming an international event of exceptional quality.

The topics covered will include: vulnerability analysis, SCADA architectures, reverse engineering, the underground economy, attacks on banking or telecom infrastructures, cloud computing security, the botnet phenomenon, threat intelligence…

In the traditional spirit of security conferences, the 2011 edition will offer various challenges, such as a lockpicking contest and the mandatory « Capture The Flag », which was prepared last year by the Over The Wire online wargame community.

On Thursday and Friday, the end of the day is reserved for Anonymous Talks / Lightning Talks.

PROGRAM

Thursday April, 7

Keynote by Eric Freyssinet, Head of the cybercrime division at the Gendarmerie Nationale. Computer forensics specialist and coordinator of criminal investigations related to information technology and cybercrime.

Itzik Kotler – (Let Me Stuxnet You)
Itzik brings more than ten years of technical experience in the software, telecommunications and security industries. Early in his career, Itzik worked at several start-up companies as a Security Researcher. Prior to joining Security Art, Itzik worked for Radware (NASDAQ: RDWR), where he managed the Security Operation Center (SOC), a vulnerability research center that develops update signatures and new techniques to defend against known and undisclosed application vulnerabilities. Itzik has published several security research articles, and is a frequent speaker at industry events including Black Hat, RSA, and DEFCON. Einstein said “I know not with what weapons World War III will be fought, but World War IV will be fought with sticks and stones”. This statement is as true today as it was then, and Stuxnet was only the first round.

This presentation discusses the different Permanent Denial-of-Service attacks against hardware such as Phlashing, Overclocking, Overvolting, Overusing and Power Cycling. We will provide real life examples and scenarios (using standard, default applications when possible) of attacks against hardware such as hard-drives, CPU, RAM, GPU, flash memory and legacy hardware such as CRT monitors, floppy disk drives and Motorola 6800/6900 as well.

Marc “van Hauser” Heuse – (Recent advances in IPv6 insecurities)
Marc has been performing security research since 1993, having found vulnerabilities in software like firewalls, DNS servers, SAP middleware, etc., and is the author of various famous security and pentest tools like hydra, amap, THC-Scan, secure_delete, SuSEFirewall and many more. He has been performing security research on IPv6 since 2005 and has spoken at many conferences on this topic since then, among them the CCC congress (Germany), CanSecWest (Canada), PacSec (Japan) and many more international conferences, and has additionally programmed the only available pentest toolkit for IPv6: the thc-ipv6 protocol attack suite. In 1995 he founded the renowned security research group “The Hacker’s Choice”, which was the first group to e.g. crack A5 GSM in 2006 within a minute. Since 1997 he has been working as a security consultant at top-5 enterprise consulting companies, and since 2007 he has been working as an independent security consultant.

Five years have passed since my initial talks on IPv6 insecurities in 2005 and 2006. New protocol features have been proposed and implemented since then and ISPs are now slowly starting to deploy IPv6. Few changes have led to better security of the protocol; several increase the risk instead. This talk starts with a brief summary of the issues presented 5 years ago, and then expands on the new risks, especially in multicast scenarios. As an add-on, discovered implementation security issues in Windows 7/2008, Linux and Cisco will be shown too. Let’s hope patches are out by the conference; if not – they had enough time. All accompanied with GPL’ed tools and a library: the new thc-ipv6 package, rewritten, expanded, enhanced.

Tarjei Mandt – (Kernel Pool Exploitation on Windows 7)
Tarjei is a security researcher at Norman and a previous speaker at Black Hat. His work is currently focused on vulnerability research/analysis and exploit detection. In his free time, he enjoys spending countless hours challenging security mechanisms and researching intricate issues in low-level system components. Recently, he has been credited for discovering several vulnerabilities affecting core kernel components of the Windows operating system.

In Windows 7, Microsoft introduced safe unlinking to the kernel pool to address the growing number of vulnerabilities affecting the Windows kernel. Prior to removing an entry from a doubly-linked list, safe unlinking aims to detect memory corruption by validating the pointers to adjacent list entries. Hence, an attacker cannot easily leverage generic “write 4″ techniques in exploiting pool overflows or other pool corruption vulnerabilities. In this talk, we show that in spite of the efforts made to remove generic exploit vectors, Windows 7 is still susceptible to generic kernel pool attacks. In particular, we show that the pool allocator may under certain conditions fail to safely unlink free list entries, thus allowing an attacker to corrupt arbitrary memory. In order to thwart the presented attacks, we conclusively propose ways to further harden and enhance the security of the kernel pool.
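The safe-unlinking check the abstract refers to, as an added illustration in C (not code from the talk or from Windows): a minimal doubly linked list in the shape of the Windows LIST_ENTRY, the classic unchecked unlink beside the checked version, and a constructed corruption of one entry’s forward pointer to show which variant refuses to write through it.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal doubly linked list in the shape of the Windows LIST_ENTRY.
 * Added illustration of the safe-unlinking check the abstract describes;
 * it is not code from the talk or from Windows. */
typedef struct list_entry {
    struct list_entry *flink;   /* forward link */
    struct list_entry *blink;   /* backward link */
} list_entry;

static void list_init(list_entry *head) { head->flink = head->blink = head; }

static void list_insert_tail(list_entry *head, list_entry *e) {
    e->flink = head;
    e->blink = head->blink;
    head->blink->flink = e;
    head->blink = e;
}

/* Classic unlink: trusts e's neighbour pointers. If an overflow overwrote
 * e->flink or e->blink, the two stores below land wherever those pointers
 * say (the generic "write 4" the abstract mentions). */
static void unlink_unsafe(list_entry *e) {
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
}

/* Safe unlinking in the style Windows 7 added to the kernel pool: check
 * that both neighbours still point back at e before writing through them.
 * Returns false and touches nothing when the entry looks corrupted
 * (a real kernel would bugcheck instead). */
static bool unlink_safe(list_entry *e) {
    if (e->flink->blink != e || e->blink->flink != e)
        return false;
    e->blink->flink = e->flink;
    e->flink->blink = e->blink;
    return true;
}

/* Constructed scenario: a three-entry free list whose middle entry has had
 * its forward pointer overwritten. Returns true when the checked unlink
 * refuses and the unchecked one writes into the bogus target. */
static bool demo_corrupted_entry(void) {
    list_entry head, a, b, c, bogus;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    list_insert_tail(&head, &c);
    bogus.flink = bogus.blink = &bogus;  /* stands in for arbitrary memory */
    b.flink = &bogus;                    /* simulated pool overflow into b */

    bool refused = !unlink_safe(&b);     /* check fires, nothing written */
    unlink_unsafe(&b);                   /* no check: writes through &bogus */
    return refused && bogus.blink == &a; /* the stray store is visible */
}

/* An intact list unlinks normally under the checked variant. */
static bool demo_intact_entry(void) {
    list_entry head, a, b;
    list_init(&head);
    list_insert_tail(&head, &a);
    list_insert_tail(&head, &b);
    return unlink_safe(&a) && head.flink == &b && b.blink == &head;
}

int main(void) {
    printf("corrupted entry detected: %s\n", demo_corrupted_entry() ? "yes" : "no");
    printf("intact entry unlinked:    %s\n", demo_intact_entry() ? "yes" : "no");
    return 0;
}
```

The talk’s point is that the check only protects the unlink it guards; the abstract describes conditions under which the Windows 7 allocator skips it for free list entries.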

From 5pm to 6pm: Anonymous lightning talks

Friday April, 8

Keynote Rodrigo Rubira Branco (BSDaemon) – (Behind the Scenes: Security Research)

Rodrigo works at Qualys Technologies and is the founder of the Dissect || PE Project, funded by Qualys. As Chief Security Researcher at Check Point he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important pieces of software. Before that, he worked as a Senior Vulnerability Researcher at Coseinc. He is a member of the RISE Security Group and the organizer of the Hackers to Hackers Conference (H2HC), the oldest and biggest security research conference in Latin America.

It is well known that security research has become a trend worldwide. Terms like cyberwar and 0day are now part of the normal media jargon. Security companies are releasing advisories. Computer hardware companies are buying security companies. Software companies are hiring hackers. How does that work behind the scenes? How well (or badly) are the vulnerabilities being coordinated? Why does a security vulnerability have a value? Who is buying? How is security research being done nowadays? Why are the real hackers disappearing? This talk will give some answers and will create even more questions. It is the opinion of someone who created security research teams around the globe, coordinated security issues with different companies and developed security solutions too.

James Oakley and Sergey Bratus  (Exploiting the Hard-Working DWARF)
James is an undergraduate Computer Science student at Dartmouth College. Having come to computer programming by way of microcontroller programming, he enjoys hands-on work with low level systems. His interests include computer graphics, digital electronics, security, and operating systems.

Sergey Bratus is a Research Assistant Professor of Computer Science at Dartmouth College. He enjoys wireless and wired network hacking and tries to help fellow academics understand its value and relevance. Before coming to Dartmouth, he worked on machine learning for natural text processing at BBN Technologies. He has a Ph.D. in Mathematics from Northeastern University.

All binaries compiled by recent versions of GCC from C++ programs include complex data and dedicated code for exception handling support. The data structures describe the call stack frame layout in the DWARF format bytecode. The dedicated code includes an interpreter of this bytecode and logic to implement the call stack unwinding.
Despite being present in a large class of programs — and therefore potentially providing a huge attack surface — this mechanism is not widely known or studied. Of particular interest to us is that the exception handling mechanism provides the means for fundamentally altering the flow of a program. DWARF is designed specifically for calculating call frame addresses and register values. DWARF expressions are Turing-complete and may calculate register values based on any readable data in the address space of the process. The exception handling data is in effect an embedded program residing within every C++ process. This talk explores what can be accomplished with control of the exception handling information without modifying the program’s text or data. We also examine the exception handling mechanism and argue that it is ripe for vulnerability finding, not least because the error states of a program are often those least well tested.

Jon Oberheide / Dan Rosenberg  (Kernel Fun)
Jon is CTO of Duo Security, an Ann Arbor-based startup developing kick-ass two-factor authentication. In his free time, Jon dabbles in kernel exploitation, mobile security, and beer brewing.

Dan Rosenberg is a security consultant at Virtual Security Research. In his free time, Dan mercilessly crushes both userspace and kernel targets and does his best to make Linux just a little bit more secure.

In this talk, Jon and Dan will be hating on Linux kernel security, giving an overview of the highlights and lowlights of Linux kernel security last year and presenting some sexy new techniques to bypass popular kernel protection mechanisms.

Richard Johnson – (A Castle Made of Sand: Adobe Reader X Sandbox)
Richard is a computer security specialist who spends his time playing in the realm of software vulnerability analysis. Richard currently fills the role of Principal Research Engineer on Sourcefire’s Vulnerability Research Team, offering 10 years of expertise in the software security industry. Current responsibilities include research on exploitation technologies and automation of the vulnerability triage and discovery process. Past areas of research include memory management hardening, compiler mitigations, disassembler and debugger design, and software visualization. Richard has released public code for binary integrity monitoring, program debugging, and reverse engineering and has presented at 18 conferences worldwide since 2004. Richard is also a co-founder of the Uninformed Journal and a long time resident of the Hick.org ranch.

Adobe Reader is one of the most widely installed software applications on the planet. The vast complexity of the PDF format results in a huge attack surface that has led to a high number of vulnerabilities. Adobe has decided the best approach to combat this exposure is to integrate mitigations into Adobe Reader in the form of a sandbox. A sandbox is intended to limit an attacker after they have gained code execution in the process through an exploit. This talk will dissect the Adobe sandbox technology and expose weaknesses in the design and implementation including ASLR & DEP bypass, data exfiltration abilities, and more.

Aaron Portnoy / Logan Brown  (Concentrated Fire: Black Box Auditing Adobe Shockwave)
Aaron is the Manager of the Security Research Team at TippingPoint Technologies. His group is responsible for reverse engineering vulnerability submissions to the Zero Day Initiative program, discovering new 0day vulnerabilities in enterprise software, developing tools to aid in these processes, and architecting competitions such as Pwn2Own. Aaron has discovered critical vulnerabilities affecting a wide range of vendors including, but not limited to: Microsoft, Adobe, RSA, Novell, Symantec, HP, IBM, and VMware. He has presented original research in the areas of reverse engineering and fuzzing at conferences such as BlackHat, BlueHat, RSA, and RECon. Additionally, Aaron has been an invited speaker at the National Security Agency, the Polytechnic Institute of NYU, and has been referenced in several published books.

Logan Brown is a researcher within TippingPoint’s security research group. Day to day he works on verifying vulnerabilities received through the Zero Day Initiative, writing fuzzers and developing tools to assist in vulnerability discovery. Random fact about Logan: prior to joining TippingPoint he had a stint as a producer/actor alongside Gary Busey in Hallettsville.

Attempting to familiarize oneself with another’s codebase is a daunting task, even with well-documented source code. Attempting to do so for a large symbol-less binary application is even harder. This talk will walk the audience through the TippingPoint security research team’s approach to reverse engineering Adobe Shockwave for the purposes of vulnerability discovery and analysis. We will cover reconnaissance of the attack surface, vulnerabilities discovered, tools developed, and our techniques utilized to recover type information and functionality throughout a 6 month focused audit.
In early 2010 our team began a simple audit of the Shockwave player which, according to Adobe, is installed on an estimated 45% of Internet-enabled computers. Our initial poking at this software turned up 7 remote code execution vulnerabilities. After bringing attention to Shockwave by publishing these, we began to see a substantial increase in industry focus on this particular application. In the months following we have been consistently receiving upwards of 15 Shockwave vulnerabilities per week through the Zero Day Initiative program. Sometimes these submissions are well documented; more often, they are not. Either way, we are required to locate the offending vulnerability’s root cause. This is often a time-consuming task, especially if each team member works on their assigned vulnerabilities in isolation. As such, we have taken a good deal of time analyzing the requirements for collaborating on these projects and we have developed techniques and tools to return to the audit with a more effective and complete tactic.
As the entire Shockwave codebase is symbol-less (only exporting by ordinal, using a custom memory manager, and generally shirking the use of many standard API calls) we will demonstrate our successful attempt to recover function names and type information. We will release a set of IDA scripts that allow a researcher to match functions from one platform’s version of a codebase to another (as well as multiple versions on the same platform). We will also walk through our analysis and dissection of the custom memory manager used by Shockwave, including a tool release that allows one to track allocations, frees, and walk heap structures in memory. Additionally, we will cover the heuristic-based approaches we took to identify platform-specific abstraction layers within Adobe’s code and our tools to display such information within IDA.
Recovering such information is not, however, the most we can do. We will also demonstrate how we have reversed the undocumented file format chunks (based on RIFF) that the Shockwave player uses. This was accomplished using our internal code injection tools and we will demonstrate how the same techniques can be replicated using an instrumentation engine such as DynamoRIO or Pin. As we unearthed more and more about Shockwave we became aware of the extent of its attack surface. So, we will also walk through the fuzzing architecture we have used to fuzz the Director file format, the signed Asset files, and the internal language known as Lingo that Shockwave supports. Cumulatively, these efforts have led to over 20 0day discoveries in the product (at the time of this writing, with more likely on the way).

From 5pm to 6pm: Anonymous lightning talks

Saturday April, 9

Keynote by Marc “van Hauser” Heuse
Marc has been performing security research since 1993, having found vulnerabilities in software like firewalls, DNS servers, SAP middleware, etc. Many people know Marc as the author of various famous security and pentest tools like hydra, amap, THC-Scan, secure_delete, SuSEFirewall and many more, and he has spoken at many international security conferences. In 1995 he founded the renowned security research group « The Hacker’s Choice », which was the first group to e.g. crack A5 GSM in 2006 within a minute. Since 1997, Marc has been working as a security consultant at top-5 enterprise consulting companies, and since 2007 he has been a world renowned independent security consultant.

Joernchen – (Ruby on Rails from a code auditor’s perspective)
Joernchen likes to read. His main points of interest are in enjoying the reading of other people’s source code, as well as the inspection of interesting binary data in order to extend given systems’ functionality to unexpected limits.

Ruby on Rails (RoR) is an open source web application framework based on the Ruby programming language that has been around now for over five years. The popularity this framework has gained in the recent past might not solely be based on some serious advertisement efforts, but also – and more likely so – on its broad use in agile/rapid development, condemning repetition while emphasizing Convention over Configuration principles. In this talk, we will take a closer look at RoR from a code auditor’s perspective: besides a basic overview of the Rails framework and its security mechanisms, developers’ common pitfalls will be laid out, and both general web application flaws as well as RoR specific issues will be discussed. All in all, attendees can expect a code centric walkthrough of Ruby on Rails security.

Gabriel Gonzalez – (Man-In-Remote: PKCS11 for fun and non-profit)
Gabriel holds a BSc in Computer Engineering and has spent his professional and vocational career working in different fields such as Artificial Intelligence and Embedded Systems, with IT Security as a backbone.

During the talk the deployment of the Spanish National Electronic ID will be analyzed, showing a scenario where an attacker can remotely take control of the device, allowing them to impersonate a trojanized victim.

A live demo showing the components involved and the final result of an attack will also be part of the talk.

Jon Larimer – (Autorun attacks against Linux)
Jon is a senior researcher on IBM’s X-Force Advanced Research team. Jon has been working in the security industry for over 12 years at companies including Internet Security Systems, nCircle Network Security, and now IBM. He has been involved in an array of security fields such as penetration testing, vulnerability research, security software development, and malware analysis.

Linux is not immune to the type of removable storage Autorun attacks that have plagued Windows systems with malware over the years. Advances in the usability of Linux as a desktop OS have introduced features that can be leveraged by attackers for Autorun style attacks.

In this presentation, I’ll explain how attackers can abuse these features to gain access to a live system by using a USB flash drive. I’ll also show how removable storage as an exploitation platform can allow for easy bypass of protection mechanisms like ASLR and how these attacks can provide a level of access that other physical attack methods do not.

The talk will conclude with steps that Linux vendors and end-users can take to protect systems from this threat to head off a wave of Linux Autorun malware.

Eloi Vanderbéken – (Hackito Ergo Sum crackme)
Eloi is a student in the last year of his master’s degree in cryptology and software security at École Normale Supérieure de Cachan. Less formally, Eloi has been studying packers and registration schemes for the last 6 years and will be happy to offer you a beer at HES if you give him a valid key for his crackme. The HES crackme uses several techniques to slow down analysis and to bypass automatic analysis tools. In his presentation, Eloi will discuss how they have been implemented, how to break them and how to make them even stronger. At the end of the presentation, prizes will be offered for the first and the best solutions.

The Program Committee is composed of some of the most respected hackers worldwide.

This is the ultimate guarantee of the quality of the content chosen to be presented at HES.

In spite of borders and their ideological, economic or military differences, they share their research and forge new concepts together. Theoreticians and experimenters at the same time, they all collaborate in a community spirit to contribute to the progress of computer security and anticipate tomorrow’s challenges.

 * The Program Committee is composed of the following world-wide experts:

Tavis Ormandy (Google)

Matthew Conover (Symantec)

Jason Martin (SDNA Consulting Shakacon)

Stephen Ridley

Mark Dowd (AzimuthSecurity)

Tiago Assumpcao

Alex Rice (Facebook)

Pedram Amini (ZDI)

Erik Cabetas

Dino A. Dai Zovi (Trail Of Bits)

Alexander Sotirov

Barnaby Jack (IOActive)

Charlie Miller (SecurityEvaluators)

David Litchfield (V3rity Software)

Lurene Grenier (Harris)

Alex Ionescu

Nico Waisman (Immunity)

Piotr Bania

Laurent Gaffié (Stratsec)

Julien Tinnes (Google)

Brad Spengler (Grsecurity)

Silvio Cesare (Deakin University)

Carlos Sarraute (Core security)

Cesar Cerrudo (Argeniss)

Daniel Hodson (Ruxcon)

Nicolas Ruff (E.A.D.S)

Julien Vanegue (Microsoft Security Redmond)

Itzik Kotler (Security Art)

Rodrigo Branco (Checkpoint)

Tim Shelton (HAWK Network Defense)

Ilja Van Sprundel (IOActive)

Raoul Chiesa (TSTF)

Dhillon Andrew Kannabhiran (HITB)

Philip Petterson

The Grugq (COSEINC)

Emmanuel Gadaix (TSTF)

Kugg (/tmp/lab)

Harald Welte (gnumonks.org)

Van Hauser (THC)

Fyodor Yarochkin (Armorize)

Gamma (THC Teso)

Pipacs (Linux Kernel Page Exec Protection)

Shyama Rose

Including the three organisers of HES:
Philippe Langlois (P1 Security TSTF /tmp/lab)
Jonathan Brossard (Toucan System P1 Code Security /tmp/lab)
Matthieu Suiche (MoonSols)

About Hackito Ergo Sum

Hackito Ergo Sum (HES) is a security conference offering new and exclusive points of view on IT security. It gathers together international security experts along with the most respected hackers from the underground. HES aims to facilitate the sharing of knowledge and best practices, the release of previously undisclosed research, and trends, in order to anticipate and face the upcoming challenges in IT security. Since it was created in 2009, Hackito Ergo Sum has been able to count on the help of the best security researchers worldwide.

For more information: http://hackitoergosum.org

Schedule: http://hackitoergosum.org/schedule/