This day of NoSuchCon conference was very exiting. Unfortunately was the last one…
I woke up quite early this morning, after a great Conference party organized the evening before at “La rotonde de la Villette” pub in Paris… I met a lot of security researcher there, and had a beer altogether. I found indeed that there are some very good and clever italian researchers that do a work very closely to mine. We have spoken a lot and know each others.
The morning has started with an explaination of an interesting idea showed by Aaron LeMasters (Crowdstrike guy that works with Alex Ionescu) to bypass MBR rootkits. Use crash dump drivers to actually low-level read disk drives. He has demostrated the idea that pretend to be able to bypass every rootkit Disk port driver alteration. The idea was good, I need to deepen it. I have developed a clever driver for Webroot that uses another branded concept… But I think that even this one could be attractive…
Next speaking has been done by Nikita Tarakanov. He has explained Windows Kernel memory pool corruption theory, but has concluded that in the last Windows Os, this kind of attack become more and more difficult.
The morning was ended. We went to have lunch and then the afternoon started.
At 2 o’clock PM Pedro Vilaca has shown a prototype of fully working MAC OS X Kernel rootkit, explaining the idea behind it: Kernel mode symbol lookup, VFS file system reading, and Syscall table stealth techinque are only few of the concept explained. Very cool presentation!
Then the main talking has take place: Donato Ferrante and Luigi Ariemma has presented their work on Videogames (yes you have understand well). The idea based on this presentation was ingenious: analyze code of Games engine, search vulnerabilities and use them to completely stop, or to acquire system privileges in a target system.
Yes, the principle is the same as the one used to hack all standard applications, but who has considered Games? Games are innocent. A game engine is like the kernel of an OS, and control a lot of games (think about CryEngine 3 for example). Luigi has some example of poor written Game engine code. This has allowed a dimostration that shows the completely stop or exploitation of about 200 servers hosting Game engines (servers obviously) in about 2 minutes (with an application they have built). The idea was great! Luigi and Donato have analyzed a lot of game engines and found a lot of vulnerabilities, poor written code and disabled mitigation. This time an Italian idea has dominated the conference day.
After last speaking we went to have dinner and have a pair of beer together. Conference was ended!
We have had a great time!
This day was the second one, attending NosuchCon conference….
In the morning we have seen a good analysis on a new kind of BIOS rootkit, able to resist to even a BIOS reflashing. Its name is “The Flea”. Entire work was presented by John Butterworth, Corey Kallenberg, Xeno Kovah (guys from Mitre). I think that it could be a very strong and interesting project…
We have seen furthermore a presentation of ARM exploitations techinques, a board able to debug ARM boot loader, system application: and obviously simplify ARM exploit development. This showing was very funny: the speaker (S.A. Ridley) has even distributed a sort of black hat condoms.
Very funny for a security talk…. Don’t you think so?
In the afternoon there were showed others talking…. But in my opinion these were not of much interest… except for “Advanced Heap Manipulation in Windows 8” project, presented by Zhenhua(Eric) Liu, from Fortinet…
As promised I am starting to write a series of 3 blog posts regarding my visit to NoSuchCon conference here in Paris…
I have just attended the first of the three days of this good Security conference.
Researchers from all over the world have presented some interesting topics.
In my opinion the most important and useful (for at least this first day) is the one showed by Mateusz Jurczyk. He has discussed some “weakness” in Intel x86 architecture, mixed with Windows Os kernel frail implementations, that let an attacker crash target system with only 2 ASM instructions: “xor ebp, ebp – jmp KiSystemServiceAccessTeb”. This behavior is binded with a bad trust of user-mode data done by Windows kernel exception handling routine.
For all nitty-gritty details I advise readers to explore Mateusz blog available at http://j00ru.vexillium.org/.
Even Alex Ionescu presentation was really interesting: it has found an exploitable implementation in every MAC SMC chips. The System Management Controller I/O Chip is a 200 Mhz 16-bit processor present in every MAC systems tied with its UEFI boot loader. It manages light sensors, FAN, stores FileVault key, regulates current and voltage, and so on… Everyone can update it, but you can’t read from it. It works in this manner: you read, write, execute access to “Keys”. Alex has found 2 nasty keys (KPPW and KPST), that if exploited well, using “Harry potter” spell (yes, you have read the good term), allow you to reprogram entire SMC chip. However this research is still in progress…
I’m quite sure that I would like to present some of my works in one of the future conference like this one. Speaking with conference organizers (and even with researchers) has pinpointed that I could be a good candidate for showing my works done in Saferbytes labs.. I really hope that this idea can be right! (I need just the time to perfect my english 😉 )
Attached this post there is even a screenshot of my present work… However I can’t still say no words about it now… Stay tuned!