This day of the NoSuchCon conference was very exciting. Unfortunately, it was the last one…
I woke up quite early this morning, after a great conference party organized the evening before at the “La rotonde de la Villette” pub in Paris… I met a lot of security researchers there, and we had a beer all together. I found that there are some very good and clever Italian researchers doing work very close to mine. We spoke a lot and got to know each other.
The morning started with an explanation of an interesting idea presented by Aaron LeMasters (a CrowdStrike guy who works with Alex Ionescu) to bypass MBR rootkits: use the crash dump drivers to read the disk drives at a low level. He demonstrated the idea, which claims to be able to bypass every rootkit alteration of the disk port driver. The idea was good; I need to look deeper into it. I have developed a clever driver for Webroot that uses another, branded concept… But I think that even this one could be attractive…
The next talk was given by Nikita Tarakanov. He explained the theory of Windows kernel memory pool corruption, but concluded that on the latest Windows OS this kind of attack is becoming more and more difficult.
The morning was over. We went to have lunch and then the afternoon started.
At 2 PM Pedro Vilaca showed a prototype of a fully working Mac OS X kernel rootkit, explaining the ideas behind it: kernel-mode symbol lookup, VFS file system reading, and the syscall table stealth technique are only a few of the concepts explained. Very cool presentation!
Then the main talk took place: Donato Ferrante and Luigi Auriemma presented their work on videogames (yes, you understood correctly). The idea behind this presentation was ingenious: analyze the code of game engines, search for vulnerabilities and use them to completely stop a target system, or to acquire system privileges on it.
Yes, the principle is the same as the one used to hack all standard applications, but who has considered games? Games are innocent. A game engine is like the kernel of an OS, and controls a lot of games (think about CryEngine 3, for example). Luigi had some examples of poorly written game engine code. This allowed a demonstration showing the complete stop or exploitation of about 200 servers hosting game engines (servers, obviously) in about 2 minutes (with an application they have built). The idea was great! Luigi and Donato have analyzed a lot of game engines and found a lot of vulnerabilities, poorly written code and disabled mitigations. This time an Italian idea dominated the conference day.
After the last talk we went to have dinner and a couple of beers together. The conference was over!
We had a great time!