Conference Details

We're pleased to announce our 2010 conference lineup. More talks will be added as they are confirmed.

The conference will be composed of talks between 20 and 60 minutes on a single track, and will have lightning talks during Recon Party.

Keynote

Richard Thieme - Ethical Considerations of Intelligence and Information Security

Speakers

Pierre-Marc Bureau and Joan Calvet - Understanding Swizzor's Obfuscation Scheme
Stephan Chenette - Using Fireshark to Analyze Malicious Websites (20 minutes)
Ero Carrera and Jose Duart - Packer Genetics: The Selfish Code
Gynvael Coldwind and Unavowed - Syndicate Wars Port: How to port a DOS game to modern systems
Dino Dai Zovi - Mac OS X Return-Oriented Exploitation
Nicolas Falliere - Reversing Trojan.Mebroot's Obfuscation
Yoann Guillot and Alexandre Gazet - Metasm Feelings (30 minutes)
Travis Goodspeed - Building hardware for exploring deeply embedded systems
Sean Heelan - Applying Taint Analysis and Theorem Proving to Exploit Development
Alex Ionescu - Debugger-based Target-to-Host Cross-System Attacks
Ricky Lawshae - Picking Electronic Locks Using TCP Sequence Prediction (20 minutes)
Assaf Nativ - Memory analysis - Looking into the eye of the bits
Danny Quist - Reverse Engineering with Hypervisors
Deviant Ollam - Finding Chinks in the Armor - Reverse-Engineering Locks
Sebastian Porst - How to really obfuscate your malware PDF files
Jason Cheatham and Jason Raber - Reverse Engineering with Hardware Debuggers (20 minutes)
Stephen Ridley - Escaping the Sandbox
Igor Skochinsky - Intro to Embedded Reverse Engineering for PC reversers
Michael Sokolov - SDSL reverse engineering
Jonathan Stuart - DMS, 5ESS and Datakit VCS II: interfaces and internals
William Whistler - Reversing, better
Georg Wicherski - dirtbox, a highly scalable x86/Windows Emulator
Sebastian Wilhelm Graf - Rainbow tables re-implemented

--------------------------------^_

Schedule

Friday July 9

08.00-09.30 : Breakfast / Registration
09.40-10.00 : Recon Staff - Opening
10.00-11.00 : Richard Thieme - Ethical Considarations of Intelligence and Informtion Security
11.00-12.00 : Sean Heelan - Applying Taint Analysis and Theorem Proving to Exploit Development
12.00-13.00 : Lunch
13.00-14.00 : Alex Ionescu - Debugger-based Target-to-Host Cross-System Attacks
14.00-15.00 : Sebastian Porst - How to really obfuscate your malware PDF files
15.00-15.30 : Break
15.30-16.30 : Gynvael Coldwind and Unavowed - Syndicate Wars port: how to port a DOS game to modern systems
16.30-17.30 : William Whistler - Reversing, better
17.30-18.30 : Pierre-Marc Bureau and Joan Calvet - Understanding Swizzor's obfuscation scheme
21.00-? : Pub crawl

Saturday July 10

08.00-09.00 : Breakfast
09.00-10.00 : Deviant Ollam - Finding chinks in the armor: reverse engineering locks
10.00-11.00 : Ero Carrera and Jose Duart - Packer Genetics: The Selfish Code
11.00-12.00 : Jonathan Stuart - DMS, 5ESS, and Datakit VCS II: interfaces and internals
12.00-13.00 : Lunch
13.00-14.00 : Igor Skochinsky - Intro to embedded reverse engineering for PC reversers
14.00-15.00 : Stephan Ridley - Escaping the Sandbox
15.00-16.00 : Dino Dai Zovi - Mac OS X return oriented exploitation
16.00-16.20 : Break
16.20-17.20 : Michael Sokolov - SDSL reverse engineering
17.20-18.20 : Sebastian Wilhelm Graf - Rainbowtables re-implemented
19.00-? : Recon party

Sunday July 11

08.00-09.00 : Breakfast
09.00-09.20 : Jason Cheatham and Jason Raber - Reverse engineering with hardware debuggers
09.20-09.40 : Stephan Chenette - Using Fireshark to Analyze Malicious Websites
09.40-10.00 : Yoann Guillot and Alexandre Gazet - Metasm Feelings
10.00-11.00 : Assaf Nativ - Memory analysis - looking into the eye of the bits
11.00-12.00 : Danny Quist - Reverse engineering with hypervisors
12.00-13.00 : Lunch
13.00-14.00 : Travis Goodspeed - Building hardware for exploring deeply embedded systems
14.00-15.00 : Georg Wicherski - Dirtbox, a highly scalable Windows/x86 emulator
15.00-15.20 : Ricky Lawshae - Picking Electronic Locks Using TCP Sequence Prediction
15.20-16.20 : Nicolas Falliere - Reversing Trojan.Mebroot's obfuscation

Ethical Considerations of Intelligence and Information Security - Richard Thieme

An incisive illumination of how the transformational engines of information technologies alter our religious structures, spiritual frameworks, and points of ethical reference even as we try to apply them to the new humanity, i.e. individuals and organizational structures all the way to the top of geo-political realities who are morphing as a result of their symbiotic relationship with those technologies. Not only what we see is changing but the lenses through which we see are changing too, because the eyes that see through them are also changing ... Thieme addressed these issues first at a forum convened by Bill Moyers on religion and technology in New York and at the ARIL symposium on the same subject at MIT, many years ago.

Bio:

Richard Thieme has published hundreds of articles, dozens of short stories, two books with more coming, and given several thousand speeches. He speaks professionally about the challenges posed by new technologies and the future, how to redesign ourselves to meet these challenges, and creativity in response to radical change. Many recent speeches have addressed security and intelligence issues for professionals around the world. He has keynoted conferences in Sydney and Brisbane, Wellington and Auckland, Dublin and Berlin, Amsterdam and Rotterdam, Israel and the USA. Clients range from GE, Medtronic, and Microsoft to Neohapsis, Network Flight Recorder, and Synapse/Center for the Advancement of Intelligent Systems to the FBI, the US Dept of the Treasury. and the US Secret Service. He has spoken for the US Army Information Technology Agency, guest lectured for a graduate seminar at Purdue's CERIAS, and spoken for the Technology, Literacy and Culture Distinguished Speakers Series of the University of Texas. Recent speeches address identity shift in light of transforming technologies, biohacking, and "UFOlogy 101," a look at the residual data after disinformation, misinformation, and sludge are removed from that domain.

--------------------------------^_

Understanding Swizzor's Obfuscation Scheme - Pierre-Marc Bureau and Joan Calvet

Swizzor is a malware family that was first seen on the Internet in 2002 and, since then, researchers have collected millions of different binary samples. The reason so many different files exist is that Swizzor uses strong server-side binary obfuscation to evade antivirus detection and slow down manual reverse engineering.

In this talk, we will present a set of tools and techniques we have developed to understand and defeat Swizzor's binary protection. Upon execution, the custom packer goes through more than 40 million instructions before reaching any useful code. To deal with this, we created a tracing framework which builds a comprehensive timeline of the process execution, including memory modifications.

We also created visualisation tools to quickly identify key elements of the unpacking process without having to read any assembly instruction. We have built an inference engine to automatically identify known patterns in memory such as decryption keys, useless values and control structures used by the packer. By taking into account the memory access and modification of the code, we were able to bypass its traditional syntactic obfuscation. We thus achieved a comprehensive understanding of the unpacking process and were able to reduce the need for manual analysis of new binaries.

To the best of our knowledge, no one has deeply investigated the Swizzor malware family and its ties to shady advertisement companies. We will explain how Swizzor and its adware components are installed by affiliation programs to finance the development of well known applications. We will show the communication protocol used by Swizzor to fetch binary updates and how different packages are deployed depending on the affiliation program.

Material

slides(pdf)

Bio:

Pierre-Marc Bureau is senior researcher at antivirus company ESET. In his position, he is responsible of investigating trends in malware and finding effective techniques to counter these threats. Prior to joining ESET, Pierre-Marc Bureau worked for a network security company where he was senior security analyst. Pierre-Marc Bureau finished his Master degree in computer engineering at Ecole Polytechnique of Montreal in 2006. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including Recon, Infosec, and Virus Bulletin. His main interests lie in reverse engineering, application and network security.

Joan Calvet is a Ph.D. student at the High Security Lab in LORIA (Nancy, France) and the SecSI Lab at the Ecole Polytechnique of Montreal. His main interests lie in malware analysis, reverse engineering, and software security.

--------------------------------^_

Using Fireshark to Analyze Malicious Websites - Stephan Chenette (20 minutes talk)

In this 20 minute presentation I will review an open-source tool I've written called Fireshark.

Fireshark was written for researchers and security enthusiasts to help in reversing malicious website content, be it by the hundreds, thousands are simply a single URL. It enables a view of all aspects of a compromised or malicious website, tracking network requests/responses JS function calls and storing the screen shot, source code, and normalized deobfuscated source code/DOM view.

Materials

slides(pptx)

Bio:

Stephan Chenette is a Principal Security Researcher for Websense Security Labs working on malcode detection techniques. His specialty is in writing research tools and investigating next generation emerging threats. He has released public analyses on various vulnerabilities and malware.

Prior to joining Websense, Stephan was a security software engineer for 4 years working in research and product development at eEye Digital Security.

--------------------------------^_

Packer Genetics: The Selfish Code - Ero Carrera and Jose Duart

Unpacking automation has been attacked in many different ways. In this paper we propose a new method based on the detection of unique characteristics in unpacked code. Using proper monitorization of the process it's possible to determine when the unpacking is done, even if multiple chained packers have been used.

Bio

Ero Carrera is currently Chief Research Officer of Collaborative Security at VirusTotal and a reverse engineering automation researcher at zynamics GmbH (was SABRE Security GmbH), home of BinDiff and BinNavi. While working at F-Secure he advanced the field of malware classification introducing a joint paper with Gergely Erdelyi on applying genomic methods to binary structural classification. Other projects he's worked on include seminal research on generic unpacking. Ero has presented in conferences such as HackInTheBox, RSA, BlackHat and Source in addition of also teaching a reverse engineering course in the BlackHat conferences.

Jose Duart, also known as Tora, started doing reverse engineering in the late 90s and he's a big fan of death listing, zen cracking and wargames (as part of the inglorious Sexy Pandas team). His work has been always focused on reverse engineering and in most cases applied to several side-fields like anti-forensics, behaviour analysis or software optimization. He recently joined Zynamics to work inside the VxClass team.

--------------------------------^_

Syndicate Wars Port: How to port a DOS game to modern systems - Gynvael Coldwind and Unavowed

During the presentation we will introduce the Syndicate Wars Port (http://swars.vexillium.org/), and discuss in detail how we ported the game to modern operating systems. In particular, we will focus on the following:

1. The methods and infrastructure for disassembling LE files into a recompilable form using a custom disassembler,
2. Locating and replacing DOS-specific functions with portable equivalents for graphics, sound and I/O, and automating the process of combining incompatible calling conventions,
3. The many different interesting bugs and platform quirks that appeared during the time we sent on this project.

Materials

slides(pdf)

Bio

Gynvael Coldwind is a researcher, specializing in reverse engineering, vulnerability research, penetration testing and tool programming. Currently working with Hispasec, previously created static unpackers for an anti-virus company. http://gynvael.coldwind.pl/

Unavowed is a hobbyist programmer who likes to spend free time time on interesting Free Software projects.

--------------------------------^_

Mac OS X Return-Oriented Exploitation - Dino Dai Zovi

The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code-signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more prevalent. This presentation will describe how return-oriented exploitation techniques can be applied to bypass non-executable memory protections in 32-bit x86 processes on Mac OS X Leopard and Snow Leopard. While most processes in Snow Leopard are 64-bit x64 processes, many key parts of the client-side attack surface remain 32-bit x86 processes (3rd party web browser plugins for Safari, Mozilla Firefox, and Google Chrome). Finally, the presentation will conclude with a review of the key differences in the exploitation environment between 32-bit and 64-bit processes on Snow Leopard, detailing how 64-bit processes are more difficult to exploit by default.

Materials

slides(pdf)

Bio

Dino Dai Zovi, currently an independent security consultant and researcher, has been working in information security for over 9 years with experience in red teaming, penetration testing, software security, and information security management. Mr. Dai Zovi is also a regular speaker at information security conferences having presented his independent research on memory corruption exploitation techniques, 802.11 wireless client attacks, and Intel VT-x virtualization rootkits over the last 10 years at conferences around the world including DEFCON, BlackHat, and CanSecWest. He is a co-author of the books "The Mac Hacker's Handbook" (Wiley, 2009) and "The Art of Software Security Testing" (Addison-Wesley, 2006). In 2008, eWEEK named him one of the 15 Most Influential People in Security. He is perhaps best known in the information security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007

--------------------------------^_

Reversing Trojan.Mebroot's Obfuscation - Nicolas Falliere

Trojan.Mebroot is one of the most complex malware we've seen in the past years. It infects the MBR, leaves no trace on disk, does everything in kernel-mode, and uses a complex obfuscation method to conceal key driver routines from analysts' eyes.

In this presentation, I focus on the obfuscation scheme and present a way (using static analysis and partial emulation) to reverse-engineer it in order to restore obfuscated functions back or close to their original form.

Materials

slides(pptx)

Bio

I studied at INSA in Toulouse, France, in the Computer Science department; after a few trips abroad (internship, exchange program), and graduating my MSc in 2006, I moved to Dublin, Ireland to work for Symantec Security Response. I relocated to Paris, France a few years ago, where I've been working as a malware analyst/software engineer for Response. Always been interested in computer security and low-level topics, Symantec blog at http://www.symantec.com/connect/blogs/nicolas-falliere and I also have a personal blog at http://0x5a4d.blogspot.com.

--------------------------------^_

Metasm Feelings - Yoann Guillot and Alexandre Gazet (30 minutes)

Metasm is an open source ruby framework developed by Yoann Guillot. It can: work with binary files, assemble, disassemble, debug running processes, manipulate C source code, play the ruby interpreter, and plenty other things. Our talk follows a simple guideline based on a real life case: the development of a code tracer. Starting from a trivial tracing algorithm, we will show that the use of Metasm allows to efficiently build a multi-platforms tool, then we will extend its capacity by taking advantages of the native Windows API. At the end we will use the tool to debug the firmware of a network card, running on the NIC and not on the main CPU.

Materials

slides(pdf)

Bio

Alexandre Gazet is are currently working for Sogeti ESEC R&D laboratory, in France. He is an IT security researcher in ESEC lab for almost three years.

Yoann Guillot is are currently working for Sogeti ESEC R&D laboratory, in France. He is an IT security researcher in ESEC lab for almost three years. Yoann is the author of the binary manipulation framework Metasm.

--------------------------------^_

Building hardware for exploring deeply embedded systems - Travis Goodspeed

Before exploiting any system, it is necessary to have tools--debuggers, disassemblers, emulators, packet sniffers, and bus adapters--for the job. In low-power embedded systems, implementing the victim protocols is often more difficult than implementing an attack, as a researcher often finds himself to be the very first person to work on a given platform.

This lecture concerns the rapid development of tools for exploiting and reversing embedded systems, centered around the concrete example of the GoodFET project. Examples include a voltage glitcher with nanosecond resolution, a radio driver that operates through a hardware debugger, and all the components necessary for reading, writing, debugging, sniffing, and injecting battery-powered devices.

The author will bring tools and targets to the conference for those that are interested in trying these techniques out first-hand.

Materials

slides(pdf)

Bio

Travis Goodspeed is a neighborly engineer of Tennessee-shaped, electronic belt buckles from Southern Appalachia. He hacks 8-bit and 16-bit embedded systems, particularly those used in ZigBee and the Smart Grid. He started the GoodFET, an open source programmer and debugger for MSP430, AVR, PIC, Chipcon, ARM7, SPI Flash, and other chips. It also packet sniffs ZigBee and ANT radio packets when so inclined.

--------------------------------^_

Applying Taint Analysis and Theorem Proving to Exploit Development - Sean Heelan

As reverse engineers and exploit writers we spend much of our time trying to illuminate the relationships between input data, executed paths and the values we see in memory/registers at a later point. This work can often be tedious, especially in the presence of extensive arithmetic/logical modification of input data and complex conditions.

Using recent (and not so recent) advances in run-time instrumentation we can go a long way towards automating the process of tracking input data and its effects on execution. In this talk we will discuss possible approaches to solving this problem through taint analysis. The solutions we will discuss are useful in many scenarios e.g. determining the set of conditional jumps under our control, discovering buffers in memory that are useful for injecting shellcode, tracking parameters to potentially insecure function calls, discovering 'bad bytes' for exploits and so on.

Building on this we will delve into the construction of logical formulae expressing the relationships between input and data in memory and ways in which these formulae can be manipulated and solved for interesting results. Depending on how we manipulate the initial formulae we can use theorem provers to automatically solve many problems e.g. 'unraveling' arithmetic/logical modifications on input, generating inputs that trigger specific paths, discovering the bounds on given variables and so forth.

Materials

slides(pdf)

Bio

Sean is a security researcher with Immunity. His primary interests are in software verification/program analysis and its applications to vulnerability detection, reverse engineering and exploit development. Before joining Immunity Sean was a student at Oxford University where his research focused on combining run-time dataflow analysis and decision procedures for exploit generation.

--------------------------------^_

Debugger-based Target-to-Host Cross-System Attacks - Alex Ionescu

This talk will present a critical design flaw in the Windows KD (Kernel Debugger) protocol that is implemented in all Windows versions, as well as XBOX and Xbox 360, Windows CE, Singularity and some EFI/EXDI hardware. This flaw enables an attacker running in the target system to attack any host running a KD-compatible debugger, crossing machine isolation boundaries as well as VM boundaries, regardless of the virtualization product in use, be it VMWare or Virtual Box. This design flaw allows the target to execute arbitrary commands on the host, including code execution and local file modification, through a stealthy and covert channel that leaves no fingerprints, since it uses a legitimately implemented feature, without causing the usual stack or buffer overflow. This presentation will also cover a technical analysis of the KD protocol as well as how it can easily be implemented on top of an application that emulates a given OS or architecture, or on top of an OS itself. Finally, techniques on how to mitigate such an attack will be given. With more and more security researchers opting to use VMs to analyze and debug malware, the danger of such a flaw is obvious, obviating the extra security granted by the isolation boundary and turning it against the host.

Bio

Alex is coauthor of Windows Internals 5th edition. He teaches Windows OS internals to Microsoft employees and other organizations worldwide. He is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers. Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/2003 written from scratch, where he wrote most of the NT-based kernel. Alex is also very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat and Recon. In the last three years, he has also contributed to patches and development in two major commercially used operating system kernels.

--------------------------------^_

Picking Electronic Locks Using TCP Sequence Prediction - Ricky Lawshae

Electronic physical access systems are being relied on more and more for securing our infrastructure. Recently, there has been a trend in making these systems ip-based for ease of deployment and management. However, even though these are networked devices, little thought is being given to protecting them against even some of the most basic network-based attacks. If you have ever watched a movie like "Sneakers" and thought, "Man, I'd really like to know how to do something like that," then you should come see this talk.

Materials

slides+script(tgz)

Bio

Still a relative newcomer on the scene, Ricky Lawshae is doing his best to claw his way into a reputation for himself. Most recently, he spoke at Defcon 17 and was featured on wired.com's ThreatLevel. He enjoys talking with anyone who will put up with him about everything from comic books to politics to music to technology. Ricky Lawshae is a security reseacher for BreakingPoint Systems in Austin, TX, USA.

--------------------------------^_

Memory analysis - Looking into the eye of the bits - Assaf Nativ

Memory analysis is a reverse engineering method every reverser uses, but we rarely pay attention to doing it right, and the abundance of information that we can gain by it. Besides reverse engineering, this method can be used for security, debugging, monitoring, cheating in games, fun and profit.

Assaf Nativ shares with the audience his tools for a new type of software analysis which allows recovering internal implementation details using only passive memory analysis, and without requiring any disassembly. He explains the benefits of this method. Assaf discusses a major application of this technique (monitoring application activity), and demonstrates recovering the internal structures of a complex program, as well as a new security problem he had discovered in Microsoft SQL Server while applying this technique.

Materials

slides(pdf)

Bio

Assaf Nativ is a leading security researcher at Sentrigo. He has been active as an SRE during the last 10 years in various positions. Assaf is credited for discovering various DBMS vulnerabilities. In his free time he practices professional cheating in Facebook games.

--------------------------------^_

Reverse Engineering with Hypervisors - Danny Quist

Hypervisors make very good tools to aide in reverse engineering. This talk will concentrate on two related areas: Modifications to the Ether system made to improve unpacking capabilities. I will highlight my method for more accurate OEP detection, PE rebuilding, and using the Windows memory management data structures to more accurately recover the import table. I will also show my improvements to VERA, a visualization tool to make reverse engineering drastically faster.

Bio

Danny Quist is the CEO and founder of Offensive Computing, LLC. He holds a Ph.D. from the New Mexico Institute of Mining and Technology. Danny is the founder of Offensive Computing, an open malware research site. His interests include malware defense, reverse engineering, software and hardware xploitation, virtual machines, and automatic executable classification systems. He has presented at Blackhat, the RSA Conference, Shmoocon, and Defcon.

--------------------------------^_

Finding Chinks in the Armor - Reverse-Engineering Locks - Deviant Ollam

I find the stories that surround how lockpickers and researchers have been able to exploit weaknesses in some of the world's most secure and trusted locks to be fascinating. This talk will present, in detail, the tales of how three major physical security products were attacked: The Mul-T-Lock, Medeco, and Kwikset Smart Series. What to look for in locks and possible routes of attack against other popular high security products will then be discussed.

Materials

slides(ppt)

Bio

While paying the bills as a security auditor and penetration testing consultant with The CORE Group, Deviant Ollam is also a member of the Board of Directors of the US division of TOOOL, The Open Organization of Lockpickers. Every year at DEFCON and ShmooCon Deviant runs the Lockpicking Village, and he has conducted physical security training sessions at Black Hat, DeepSec, ToorCon, SOURCE, HackCon, ShakaCon, QuahogCon, HackInTheBox, CanSecWest, ekoparty, and the United States Military Academy at West Point. He has recently published his first book on lockpicking and his favorite Amendments to the US Constitution are, in no particular order, the 1st, 2nd, 9th, & 10th.

--------------------------------^_

How to really obfuscate your malware PDF files - Sebastian Porst

During my work as a PDF malware analyst I have seen lots and lots of PDF files that try to use code obfuscation techniques to make analysis harder. Most malware authors completely botch obfuscation though. In this talk I will walk the audience through examples of botched code obfuscation techniques, what went wrong, and how to fix the failed obfuscation attempts. Along the way I will give a general introduction to the PDF format, which I expect to be a major exploit vector of 2010.

Materials

slides(pdf)

Bio

After finishing his Masters degree in Computer Science in 2007, Sebastian joined zynamics GmbH as lead developer of the reverse engineering IDE BinNavi, the collaborative RE information sharing tool BinCrowd, and the malware PDF analysis tool PDF Inspector. Among other things, he is responsible for developing and implementing new static code analysis algorithms for both vulnerability development and malware analysis. Sebastian has been a speaker at various IT security conferences including CanSecWest, SOURCE Barcelona, Hack in the Box, and hack.lu.

--------------------------------^_

Reverse Engineering with Hardware Debuggers - Jason Cheatham and Jason Raber

This is a brief tutorial of one of the reverse engineering tools (Hardware Emulator) used by the Air Force Research Laboratory to analyze application and driver code on x86 systems. It's also a neat way to debug hypervisors!

Materials

slides(pptx)

Bio

Jason has been involved in the computer security field for the past 5 years. During that time he has analyzed a number of commercial and government developed software systems, contributed to some very novel attack modeling research, and has become an accomplished lurker at technical conferences. Jason has also worked on the development side, creating an encryption tool that is officially certified for use on Air Force desktops and a stealthy kernel debugger that used by the DoD. Jason is also employed by the US Air Force Research Laboratory as a reverse engineer on the other Jason's assessment team.

Jason has spent 9 years in the world of reverse engineering, preceded by 5 years working at Texas Instruments developing compiler tools for DSPs (code generators, assemblers, linkers, disassemblers, etc). Developing Compilers for 5 years prior to reverse engineering provided a good foundation for understanding machine language and hardware that is commonly utilized in reverse engineering tasks. Jason has significant experience in extracting intellectual property from a broad spectrum of software, including user applications, DLLs, drivers, OS kernels, and firmware, on a variety of platforms (Windows/Linux/Mac/embedded). He has also worked on identifying and analyzing malware to characterize it and/or neutralize it. Jason has also presented at 2 different Black Hat Cons, Recon 2008, and WCRE 2008. Jason currently serves as a team lead for a software assessment team in the United States Air Force Research Laboratory, providing the DoD with specialized software security support.

--------------------------------^_

Escaping the Sandbox - Stephen Ridley

This presentation will discuss and demonstrate practical techniques for the evasion and escape of "Sand-boxing" technologies. Many techniques have been discussed but only vaguely at popular security conferences. Very little *actual* code and demonstrations have been performed. This presentation will consist mostly of demonstrations and review of actual code.

Materials

slides(pdf)

Bio

Stephen Ridley is a Senior Researcher at Matasano Security LLC, an independent security research and development firm specializing in software security and reverse engineering. Prior to Matasano, Stephen worked at McAfee as a founding member of the Security Architecture research group. Before that, Stephen did reverse engineering and software vulnerability research in a "skunkworks" team at a leading U.S. Defense/Intel contractor. He is privately credited with vulnerability discoveries in popular COTS packages as well as open-source software. Stephen has written for several trade magazines and been quoted in publications such as "Wired" and "Security Focus". He has also taught reverse engineering and software security to companies from the Fortune 500 and to Military and Defense agencies. Stephen currently lives in Manhattan, New York.

--------------------------------^_

Intro to Embedded Reverse Engineering for PC reversers - Igor Skochinsky

These days many researchers working in the PC software area are starting to get interested in the embedded reverse engineering. However, most of the materials presented so far assumed familiarity with the topic. This presentation tries to offer a general introduction to the basics from the point of view of a PC reverser. But it's not all theory, there will be plenty of practical techniques discussed as well.

Materials

slides(odp)

Bio

Igor Skochinsky was interested in "how stuff works" since childhood and got into software reverse engineering while attending Belarusian State University. After graduating cum laude in Computer Science, he spent several years at a big software company but continued to pursue his RE hobby in free time. He had brief periods of internet fame after releasing a dumper for iTunes DRM-ed files (QTFairUse6) and hacking the Amazon Kindle. In 2008 he got his dream job at Hex-Rays where he is helping Ilfak Guilfanov to develop the world famous IDA Pro disassembler.

--------------------------------^_

SDSL reverse engineering - Michael Sokolov

SDSL is a trailing-edge telecom technology that was originally intended to fill the gap between consumer ADSL and business T1/FT1 services. When I started working with SDSL in 2004, I had chosen it because it allowed me to remain a "business" customer (as opposed to consumer/ residential), have symmetric up & down speeds (I would rather have a low symmetric speed than high asymmetric), go faster than ISDN, yet pay only $150 to $180 per month instead of upwards of $500 for a T1.

Over the past 5 years I have successfully carried out a project which allows low-speed SDSL (from 160 kbps to T1 speeds) to be used as a still-available replacement for ARPANET and for the old 1980s-style Internet, for those who miss the latter. More specifically, I have developed a way to use SDSL with traditional 1980s routers of the late ARPANET / early Internet era.

ARPANET and early Internet ran over 56 kbps DDS and other leased lines; a line of that type is a pipe that carries a synchronous serial bit stream. The WAN interfaces on the classic 1980s / early 1990s routers are thus designed to attach to synchronous serial bit stream media. As it happens, SDSL is also a synchronous serial bit stream, but because it came about in the days when traditional WAN interfaces were going out of fashion in favor of Ethernet, CPE that would allow SDSL to be used in the old-fashioned manner was never made widely available.

When I started working with SDSL in 2004, it was severely hobbled by the fact that the only type of CPE available for it were Ethernet-presenting DSL "modems" and routers much like those for consumer ADSL. Not being able to obtain a non-Ethernet CSU/DSU type of CPE device for SDSL, I had set out to design and build one myself, and 5 years later I have scored a complete & total success. The challenge was further complicated by the fact that SDSL/2B1Q was never a real standard, only somewhat of a pseudostandard with a variety of incompatible proprietary flavors.

In this talk I will share the highlights of my journey which has brought me to the present state of having a CSU/DSU-like device which attaches SDSL to a 1980s/90s router's non-Ethernet WAN interface. This journey included social engineering ventures with several legacy SDSL infrastructure vendors, brute force cracking of an encrypted ZIP with SDSL transceiver chip control software source code, and lots of hardware, firmware and wire protocol reverse engineering.

Related project website: http://ifctfvax.Harhan.ORG/OpenWAN/

Materials

slides(pdf)

Bio

I was born and raised in what was then USSR. I grew up with a computer architecture that was a Soviet clone of DEC's PDP-11; Russian and PDP-11 assembly were my equally native first languages. After being dragged kicking and screaming into the (much inferior to DEC) IBM PC-compatible architecture around age 11, I had been a DOS jockey for a while. In my DOS days I had studied everything there was to know about floppy disk copy-protection schemes (and the underlying physics of magnetic recording and the workings and idiosyncrasies of the standard controllers) in the process of developing Floppy Disk Analyser, a copy-protected floppy disk copying tool. I had also delved heavily into the world of 386 memory managers and the use of protected mode in the DOS environment (DOS extenders etc), and wrote my own MMM386 memory manager in the process.

Upon reaching the independent adult status I had joyfully said "good riddance" to the PeeCee (pee sea) architecture and returned to my DEC roots. I have fully embraced DEC's VAX architecture (PDP-11's direct successor), but just the hardware part of it. Instead of DEC's OSes like VMS, I run UNIX - and not any UNIX, but UC Berkeley's original UNIX for the VAX. As the world's last known site still running a VAX 4.3BSD variant in full production operation and planning to continue doing so indefinitely, I have become this operating system's de facto owner. My personal interests outside of hacking are very diverse and range from cell & molecular biology to exopolitics.

--------------------------------^_

DMS, 5ESS and Datakit VCS II: interfaces and internals - Jonathan Stuart

In a nutshell: 5ESS (include VCDX under emulation), demonstration using either the simulator and/or the 3B20/21 emulator. Demonstration of MCC pages and pokes, as well as useful CRAFT commands. RC/V (Recent Change/Verify). Talk about GRASP (the 5E/DMERT/UNIX-RTR debugger).

Will talk about DMS SuperNode series of switches, from the basics (how to login and get to the Command Interpreter - CI), as well as MAPCI, the Table Editor, which tables are useful, adding to tables, as well as SERVORD (RC/V for the DMS). Will also talk about the DMS debugger, through which alot of things can be done. May have remote access to a DMS-500 live at the conference (the setup is still being worked out, it is owned by a friend).

Will talk about Datakit II VCS, how to navigate the virtual-circuit-switched network, how to identify a Datakit terminal server, or a host with Datakit installed (e.g., Solaris, or more obscure versions of Unix like Amdahl UTS Unix). How to use Datakit directory assistance to find other hosts on different networks. How Datakit dialstrings work (e.g., nyc/queens1/lab[.service]). May also talk about the lower-level Datakit Universal Receiver Protocol, using information from a paper I received from Dennis Ritchie.

Bio

Have been working with various architectures (vax, sparc, mips, POWER/ppc, alpha, pa-risc, 3b2, m68k, Cray XMP/YMP) for quite a while. Formerly worked as a security consultant. For the past 2.2 years have worked with the product security group of a large company in Silicon Valley.

--------------------------------^_

Reversing, better - William Whistler

This fast-paced talk will be the first public unveiling of REvealer, a new standalone application for the interactive analysis of executable code.

Inspired by the idea of extending formal program analysis techniques to be more relevant to reverse engineering, REvealer can collect information using a range of static and dynamic techniques and integrate it into a powerful and flexible model, easily explored and refined by the user.

The principles behind the technology will be discussed, and there will be demonstrations of how it allows an analyst to deal quickly and intuitively with not only day-to-day reversing tasks but some of the most complex and time-consuming cases encountered today, such as self-modifying code, arithmetic obfuscation and virtualising packers.

Materials

slides(pptx)

Bio

William Whistler has been reverse engineering software for over a decade and has an MA in Computer Science from Oxford University. He specialises in both creating and analysing heavily obfuscated code, DRM systems and other software protections. His life's ambition is to reverse engineer the human brain.

--------------------------------^_

dirtbox, a highly scalable x86/Windows Emulator - Georg Wicherski

dirtbox is an attempt to implement a highly scalable x86/Windows emulator that can be both used for simple malware detection and detailed behavior analysis reports. Instead of emulating every single x86 instruction in software, malware instructions are executed directly on the host CPU in a per basic block fashion. A disassembling run on each basic block ensures that no privileged or control flow subverting instructions are executed. The notion of virtual memory that is separated from the emulators memory is employed by special LDT segments and switching segment selectors before executing guest instructions.

The operating system is emulated at the syscall layer. While this layer is mostly undocumented and implementing it in an accurate fashion is a challenging task on its own, the fact that no register changes are leaked from Ring 0 thwarts a lot of detection techniques. For usage of the high-level APIs, corresponding libraries are directly mapped into the virtual memory as well. Detection mechanisms such as:

- Examination of the ecx register after a SEH protected API call
- Stolen bytes from an API library implementation
- Direct reads and writes from PEB or other static locations or libraries are supported automatically

Materials

slides(pdf)

Bio

Georg is a Virus Analyst at Kaspersky Lab, researching and developing new prototypes for upcoming A/V technologies. He is a member of the Honeynet Project and his last public project was mwcollectd v4, a low interaction malware collection honeypot. Other interests include general low level fun, such as (advanced ;) ) binary exploitation; network development and high-performance async I/O coding; beer & women. He is an undergraduate student at RWTH Aachen University.

--------------------------------^_

Rainbowtables re-implemented - Sebastian Wilhelm Graf

Over the last few years rainbow-tables have started to disappear. Torrents didn't get seeded anymore, mirrors went down. So we wondered why that happened and what mistakes have been made in the past. With more and more graphics cards adding support for running own code on their gpu's one has to ask himself is there still a need for rainbow-tables. Does the memory over time tradeoff still meet the requirements of modern day computing? Taking a closer look, one quickly realises the reduction function used by tools such as rainbow-crack and rcracki doesn't scale well on gpu's. There are also a few things that aren't as good as they could be with the current table implementations. So we decided to give it another go. Re- Think, Re- Plan, Re- write in oder to meet the new challenges of gnu computing.

Bio

Naxxatoe is a IT Security Researcher / Analyst currently resident in Austria. His Technical Skill and Abilities as well as his knowledge about IT Security lead him to travel the world and give bleeding edge talks at various IT Conferences and work as a Consultant for various Global Companies. Combining the best from both the Ethical Hacking and the Dark Arts, he is able to provide good and balanced Advice on Potential Threats / Attacks and Countermeasures.

--------------------------------^_