The Blackhat 2012
The
Blackhat 2012 keynote started the event with Shawn Henry, former
Executive Assistant Director of the Fbi, painting a grim, seemingly
unspeakable picture of cyberespionage in the US. It was interesting that
he continually spoke about the gravity of the situation and the need to
apply what he learned at the Fbi to protecting digital assets, but he
couldn't describe a single concrete example. At the same time, other
than a weapon of mass destruction, he claimed that cyber threats are the
single biggest problem facing this nation. This inability to convey
concrete details during the Blackhat keynote only highlights some of the
problem in understanding the cyber problem. And it's the problem of
overclassification of computer network exploitation (CNE) incidents and a
tangled set of dynamics that silence breach data sharing and exchange.
There is a long way to go here to fixing it.
While parts of the talk were very interesting, especially discussion of
creating a hostile network for your adversaries and taking intrusion
tolerance a step further, it was criticized for being a bit
self-promoting. All across the twittersphere, tweets
like this one protested signs of this year's corporate influence.
The two days of talks explored some new territory. Day 1 included
"Advanced ARM Exploitation", where Stephen Ridley and Stephen Lawler
provided some more indepth Android exploitation details and the quirks
in exploring the software and developing exploits on the platform. For
example, ROP techniques are required even to perform the ancient
ret2libc technique on Android. They poured over data manipulation on ARM
and particular assembly level tricks, specifics of discovering ROP
pivots and pushing data into the stack on ARM for control. The talk
provided content from their hands-on, 650+ slides across 12 decks, 80
page lab manual, multi-day course "Practical ARM Exploitation".
Other notable talks included Chris Valesek and Tarjei Mandt's discussion
of Windows 8 Heap Internals. From the offensive security perspective,
they blew through new Windows 8 usermode and kernel heap protections
that they reversed and analyzed, based on Microsoft's heavy investment
in understanding and addressing past exploitation techniques.
The two presented a list of eight or ten past publicly known heap
exploitation techniques effective on Windows 7 and prior that Microsoft
for the most part has stamped out on Windows 8 with new protection
technologies. An impressive feat on the part of Microsoft, and something
the other vendors, like Oracle and Apple, have a difficult time keeping
up with.
This presentation was followed by Microsoft's Matt Miller and Ken
Johnson, whose previous work can be found in the Uninformed journal and
early ASLR technology implementations. These two "defenders" provided
details on the long list of protections from the Microsoft Security
Science team previously discussed by the two "attackers" onstage.
Day two brought two talks that were particularly good. For another year,
Mark Vincent Yason and Paul Sabanal from IBM X-Force presented their
analysis of Adobe's sandboxing technology, this time focusing on Flash.
The talk was very well structured and progressed, probably the best
technical talk I attended. They pulled apart details of three different
implementations of the Flash sandbox for Firefox and Chrome web
browsers, finding that "Pepper Flash" is implemented with the lowest
level of privileges and tightest set of policies. Pepper is the plugin
API that the Adobe and Google teams are using to develop this more
secure plugin that is yet to be complete for chrome.
The end of the day approached with a talk from Jonathan Brossard on
"Hardware Backdooring is Practical", where he presented his tool,
"Rakshasa", focused on permanently backdooring computer hardware. The
tool is frankensteined together from various open source projects like
Coreboot, SeaBIOS and iPXE, so as to minimize any visibility into this
software as malicious, attempting to gain a greater chance of evading
anti-malware solutions. Interesting PoC material indeed. But the
backdoor does not really backdoor any hardware, it is all
software-based. Other interesting functionality included its ability to
disable DEP and ASLR, remove CPU updates, and force write permissions on
every kernel level memory mapping.
Source Kaspersky Lab :
Securelist
