The second day of CanSecWest was a beautiful day in Vancouver. The day was full of information-packed sessions and anticipation for the evening dinner party reception.
"SEH overwrite and its exploitability - Shuichiro Suzuki"
Shuichiro, who works for Forteenforty, demonstrated methods to bypass DEP using the Structured Exception handler in Windows. His research provided an interesting viewpoint into methods that can be reproduced reliably. One point he made is that these attacks do not work when ASLR is used in conjunction with DEP. I have previously discussed the importance of using these technologies together in a podcast and my blog.
"There's a party at ring0, and you're invited. - Julien Tinnes and Tavis Ormandy"
Julien and Tavis of Google shared with us the research they have been doing into kernel vulnerabilities. They were unable to share full details for flaws that have yet to be patched, but provided insight into what appears to be a long-neglected space. Their research into Linux at Google has provided a needed push for more holistic thinking in the kernel development process.
"Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python - Charlie Miller"
Whether you agree with Charlie's philosophy or not, you can always depend on him for an informative and entertaining presentation. Charlie demonstrated the laziness of our business by using 5 lines of Python to dumb fuzz 4 common applications. He'd won two of his test Macs at CanSecWest in previous Pwn20wn contests. His findings for exploitable vulnerabilities in Adobe Acrobat Reader, Apple Preview, OpenOffice Impress, and Microsoft PowerPoint for Mac were disturbing. Our industry has a long way to go simply to meet the basic security requirements we should demand from our vendors.
"ShareREing is Caring - Halvar Flake and Sebastian Porst"
Halvar and Sebastian are researchers at Zynamics GMBH, founded by Halvar in 2004. They announced the availability of a new beta tool called BinCrowd. The intent of the tool is to provide a collaborative service for sharing information among reverse engineers. I am not sure if the tool can be as open as they propose without being poisoned by trolls and thieves, but the power of their techniques looks promising.
"Cisco IOS Exploitation with IODIDE - Andy Davis"
When he discovered that his employer, KPMG, needed to investigate vulnerabilities in Cisco's IOS-based routers, Andy decided to solve the lack of tools for debugging and investigating attack techniques by writing one himself. IODIDE is a customized debugger similar in nature to OllyDbg, but focused on Cisco's IOS. Andy hopes to provide the tool for free later this year after obtaining permission from KPMG's lawyers.
"Random tales from a mobile phone hacker - Collin Mulliner"
Collin is a student at Technical University, Berlin. This was one of my favorite talks this year, as Collin was enthusiastic about his topic and showed how, with a little innovation, you can uncover a lot of information. The meat of his session was showing how mobile phone operators' proxy servers are leaking large quantities of personal information through add HTTP headers -- everything from subscriber numbers to your phone number -- with each web request. He also provides a service for you to test your phone, with the promise not to log your information. Browse from your phone to http://www.mulliner.org/pc.cgi for a list of data your carrier may be sending to every site you surf. You can also download Collin's presentation from his website.
"Legal Perspectives of Hardware Hacking - Jennifer Granick"
Jennifer is a lawyer for the Electronic Frontier Foundation. Her presentation focused on the legal issues surrounding hardware hacking under the DMCA and US copyright law. She used the jailbreaking of the iPhone as an example to walk us through the ways we can avoid breaking the law and still explore the great new hardware and devices available on the market.