<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Dustin D. Trammell</title>
	<atom:link href="http://blog.dustintrammell.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.dustintrammell.com</link>
	<description></description>
	<lastBuildDate>Mon, 03 Dec 2012 08:45:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.dustintrammell.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Dustin D. Trammell</title>
		<link>http://blog.dustintrammell.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.dustintrammell.com/osd.xml" title="Dustin D. Trammell" />
	<atom:link rel='hub' href='http://blog.dustintrammell.com/?pushpress=hub'/>
		<item>
		<title>REcon 2012</title>
		<link>http://blog.dustintrammell.com/2012/06/19/recon-2012/</link>
		<comments>http://blog.dustintrammell.com/2012/06/19/recon-2012/#comments</comments>
		<pubDate>Tue, 19 Jun 2012 15:42:49 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[conference]]></category>
		<category><![CDATA[cryptography]]></category>
		<category><![CDATA[observation]]></category>
		<category><![CDATA[opinion]]></category>
		<category><![CDATA[reverse engineering]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[travel]]></category>
		<category><![CDATA[binary instrumentation]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[ExploitHub]]></category>
		<category><![CDATA[Facedancer]]></category>
		<category><![CDATA[GoodFET]]></category>
		<category><![CDATA[IC]]></category>
		<category><![CDATA[ida pro]]></category>
		<category><![CDATA[IDA Toolbag]]></category>
		<category><![CDATA[Integrated Circuit]]></category>
		<category><![CDATA[Montreal]]></category>
		<category><![CDATA[PE]]></category>
		<category><![CDATA[Pin]]></category>
		<category><![CDATA[Portable Executable]]></category>
		<category><![CDATA[REcon]]></category>
		<category><![CDATA[scotch]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=380</guid>
		<description><![CDATA[I&#8217;ve just recently returned from REcon 2012 and while I heard a couple people express that they had &#8220;heard&#8221; that some people were more disappointed with this year&#8217;s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet.  I saw and enjoyed more of the lectures this [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.dustintrammell.com&#038;blog=939593&#038;post=380&#038;subd=dtrammell&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
				<content:encoded><![CDATA[<p>I&#8217;ve just recently returned from <a title="REcon" href="http://recon.cx/" target="_blank">REcon 2012</a> and while I heard a couple people express that they had &#8220;heard&#8221; that some people were more disappointed with this year&#8217;s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet.  I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past.  Perhaps it was because this year Montreal wasn&#8217;t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn&#8217;t catch fire (:</p>
<p><span id="more-380"></span>Overall the REcon conference has been kept intentionally small.  Only a limited number of tickets are sold each year and the price point for tickets is more in-line with <a title="CanSecWest" href="http://cansecwest.com/" target="_blank">CanSecWest</a> and <a title="BlackHat" href="http://blackhat.com/" target="_blank">BlackHat</a> than the less expensive conferences like <a title="DEFCON" href="http://www.defcon.org/" target="_blank">DEFCON</a>, <a title="ToorCon" href="http://toorcon.org/" target="_blank">ToorCon</a>, <a title="InfoSec Southwest" href="http://www.infosecsouthwest.com/" target="_blank">InfoSec Southwest</a>, and so forth.  For non-Canadians, the travel can be a bit expensive as well, so the quality of the attendees tends to be very high: the majority are the really serious reverse engineers who are willing to foot the expense themselves, plus the people who do this kind of work professionally and can have their employer pay the expense.  This makes for some very engaging conversations with people who really know what they&#8217;re talking about and know the subject inside and out.</p>
<p>As mentioned above I saw nearly all of the lectures this year except for a few so I won&#8217;t write up a summary of all of them, however some of the ones that I really enjoyed were:</p>
<p><em>Rolf Rolles</em> &#8211; <strong>Keynote: The Case for Semantics-Based Methods in Reverse Engineering</strong></p>
<p>Shortly after his keynote was the first time I had met Rolf in person, however over the years I&#8217;ve heard nothing but good things about the exceptional quality of his work and the training he provides on a regular basis.  We attempted to have him provide training at InfoSec Southwest 2012 although unfortunately we didn&#8217;t have enough students sign up for his course in order to have him proceed with that, but hopefully we&#8217;ll be having him provide training at next year&#8217;s InfoSec Southwest.  Regardless, after watching his lecture, everything I had ever heard about his work, his presentation style, and his approach to security problems was spot on.  While a lot of the abstract concepts presented in his lecture went somewhat over my head (or my mind was too exhausted from travel), it was still quite impressive.</p>
<p><em>Igor Glücksmann</em> - <strong>Injecting custom payload into signed Windows executables</strong></p>
<p>If you ever trusted signed Windows Portable Executable (PE) files to be safe from malicious code, don&#8217;t.  Igor presented analysis of <a title="CVE-2012-0151" href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0151" target="_blank">CVE-2012-0151</a>, then went on to describe a number of additional techniques which expanded on the problem.  Essentially, depending on the type of signed PE executable you&#8217;re using as the host file, there are various tricks you can use to inject or append an arbitrary payload into it, resulting in a signed executable that will execute your code when a user runs the program while the digital signature remains valid.  The techniques he presented were reported to Microsoft and most of them have been fixed, however he indicated that there are likely additional cases that still exist and can be leveraged, as Microsoft&#8217;s solution to one of the techniques was to use a blacklist, and we all know how well blacklists work (they only block what is known and identified).</p>
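<p>To make the point concrete, here is an added example (mine, not Igor&#8217;s code or anything from his talk) that builds a toy PE32 in memory and computes the Authenticode digest the way the Windows Authenticode PE specification lays it out: every byte of the file except the CheckSum field, the Certificate Table data-directory entry, and the attribute certificate table itself.  The file layout, the stand-in &#8220;signature&#8221; (the raw digest stored in a WIN_CERTIFICATE instead of a PKCS#7 SignedData blob) and the sample payload are all constructed for the example, and the hashing is a simplified version of the spec that assumes the sections are stored in file order with the certificate table last.  It shows why bytes dropped into the certificate table leave the digest untouched, and includes the check a practitioner would want to run: how much of that table no WIN_CERTIFICATE entry actually claims.</p>

```python
"""Added example: which bytes of a PE an Authenticode digest covers (toy layout)."""
import hashlib
import struct

E_LFANEW, SECURITY_DIR, FILE_ALIGN = 0x3C, 4, 0x200   # directory index 4 = cert table
WIN_CERT_REV, WIN_CERT_PKCS7 = 0x0200, 0x0002

def build_toy_pe(code: bytes) -> bytearray:
    """Minimal unsigned PE32 (made-up layout): DOS header, PE\\0\\0 + COFF at 0x40,
    224-byte optional header at 0x58, one section header at 0x138, .text at 0x200."""
    pe = bytearray(0x200)
    pe[0:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, E_LFANEW, 0x40)
    # COFF: i386, 1 section, no symbols, SizeOfOptionalHeader=224, EXE|32BIT
    struct.pack_into("<HHIIIHH", pe, 0x44, 0x014C, 1, 0, 0, 0, 224, 0x0102)
    # Optional header fields by offset: Magic, AddressOfEntryPoint, ImageBase,
    # SectionAlignment, FileAlignment, SizeOfImage, SizeOfHeaders, Subsystem, NumberOfRvaAndSizes
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", 0x1000), (28, "<I", 0x400000),
                          (32, "<I", 0x1000), (36, "<I", FILE_ALIGN), (56, "<I", 0x2000),
                          (60, "<I", 0x200), (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, pe, 0x58 + off, val)
    raw = code.ljust(FILE_ALIGN, b"\0")
    # Section header: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # reloc/lineno pointers and counts, Characteristics = CODE|EXECUTE|READ
    struct.pack_into("<8sIIIIIIHHI", pe, 0x138, b".text", len(raw), 0x1000,
                     len(raw), 0x200, 0, 0, 0, 0, 0x60000020)
    return pe + raw

def _opt(pe) -> int:          # file offset of the optional header
    return struct.unpack_from("<I", pe, E_LFANEW)[0] + 24

def _sec_entry(pe) -> int:    # offset of the Certificate Table directory entry
    return _opt(pe) + 96 + 8 * SECURITY_DIR

def security_directory(pe):
    """(file offset, size) of the attribute certificate table."""
    return struct.unpack_from("<II", pe, _sec_entry(pe))

def unsigned_ranges(pe):
    """Ranges the digest skips: CheckSum, the directory entry, the cert table."""
    cs, entry = _opt(pe) + 64, _sec_entry(pe)
    off, size = security_directory(pe)
    return [(cs, cs + 4), (entry, entry + 8)] + ([(off, off + size)] if size else [])

def authenticode_digest(pe, algo="sha256") -> str:
    """Hash everything outside unsigned_ranges(). Simplified from the spec: assumes
    sections are stored in file order and the cert table is last in the file."""
    h, pos = hashlib.new(algo), 0
    for start, end in sorted(unsigned_ranges(pe)):
        h.update(pe[pos:start])
        pos = end
    h.update(pe[pos:])
    return h.hexdigest()

def attach_toy_signature(pe, algo="sha256") -> bytearray:
    """Append a WIN_CERTIFICATE whose body is the raw digest (stand-in for PKCS#7)."""
    out = bytearray(pe) + b"\0" * (-len(pe) % 8)          # table is 8-byte aligned
    cert_off = len(out)
    digest = bytes.fromhex(authenticode_digest(out, algo))
    entry = struct.pack("<IHH", 8 + len(digest), WIN_CERT_REV, WIN_CERT_PKCS7) + digest
    out += entry + b"\0" * (-len(entry) % 8)
    struct.pack_into("<II", out, _sec_entry(out), cert_off, len(out) - cert_off)
    return out

def verify_toy_signature(pe, algo="sha256") -> bool:
    """Recompute the digest and compare it with the one stored in the first entry."""
    off, size = security_directory(pe)
    n = hashlib.new(algo).digest_size
    if size < 8 + n or off + size > len(pe):
        return False
    if struct.unpack_from("<IHH", pe, off) != (8 + n, WIN_CERT_REV, WIN_CERT_PKCS7):
        return False
    return bytes(pe[off + 8:off + 8 + n]) == bytes.fromhex(authenticode_digest(pe, algo))

def append_to_certificate_table(pe, payload: bytes) -> bytearray:
    """Grow the table with arbitrary bytes: no hashed byte changes, so the signature
    still verifies. Whether the program ever reads or runs them is a separate matter."""
    out = bytearray(pe) + payload + b"\0" * (-len(payload) % 8)
    off, _ = security_directory(pe)
    struct.pack_into("<II", out, _sec_entry(out), off, len(out) - off)
    return out

def certificate_table_slack(pe) -> int:
    """Practitioner check: bytes in the table that no WIN_CERTIFICATE entry claims.
    Walks entries by dwLength (rounded up to 8); whatever is left is unsigned data."""
    off, size = security_directory(pe)
    pos, end = off, off + size
    while pos + 8 <= end:
        dw_len = struct.unpack_from("<I", pe, pos)[0]
        if dw_len < 8 or pos + dw_len > end:
            break                                         # malformed or foreign bytes
        pos += (dw_len + 7) & ~7
    return end - pos

if __name__ == "__main__":
    signed = attach_toy_signature(build_toy_pe(b"\xCC" * 16))   # int3 sled stands in for code
    grown = append_to_certificate_table(signed, b"constructed payload bytes")
    print("signed ok:", verify_toy_signature(signed), "grown ok:", verify_toy_signature(grown),
          "unclaimed bytes in cert table:", certificate_table_slack(grown))
```

<p>Flipping any byte of <code>.text</code> makes <code>verify_toy_signature</code> fail, while growing the certificate table does not.  The slack check only measures the outer table; it says nothing about the PKCS#7 blob inside the entry, which a real verifier also has to police, and a non-zero answer on a production binary is something to look at rather than proof of tampering on its own.</p>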
<p><em>Dimitry Nedospasov</em> - <strong>Backside optical analysis hardware/software running on ICs</strong></p>
<p>This was a pretty cool explanation of how to inexpensively analyze running integrated circuits (ICs) using optics and a whole lot of looping code and time (:  By watching the back-side of an IC while looping through various bits of code that exercise certain parts of a chip such as memory, registers, etc., you can identify where on the hardware those components are actually located by recording the photon emission leakage from the various components while the device is under test.</p>
<p><em>Sergey Bratus &amp; Travis Goodspeed</em> - <strong>Facedancer USB: Exploiting the Magic School Bus</strong></p>
<p>This lecture was an overview of Travis&#8217;s new device which is essentially a <a title="GoodFET" href="http://goodfet.sourceforge.net/" target="_blank">GoodFET</a> with an additional chip which allows it to interface to USB-enabled devices.  Using this device, you can use the Python GoodFET interface you&#8217;ve come to know and love in order to emulate a USB device and attack the USB stack on the host system.  This includes the USB hardware bus itself, the driver, the application, and so on.  I would assume you could also use it to attack USB devices themselves but I don&#8217;t recall them covering this use case.  The entire lecture was themed &#8220;the Magic School Bus&#8221; as we&#8217;re talking about buses here, and every few slides or so they had a picture of a crashed school bus and an accompanying joke or anecdote.  Amusing, but also a bit dark as at one point Travis commented that in some of those cases school children had died in order to allow us to laugh at these images, so we should continue to laugh so that their lives were not lost in vain.  Dark, Travis&#8230; dark.  Anyhow, one thing I noticed was how well Sergey and Travis present together.  They both usually had commentary for each slide, their commentary was often very complementary to the point that the other was conveying, and they avoided stepping on each other&#8217;s toes quite well.</p>
<p><em>Joan Cälvet </em>- <strong>Cryptographic Function Identification in Obfuscated Binary Programs</strong></p>
<p>Joan covered a couple of techniques using both behavioral and static analysis of obfuscated binaries that allow the reverse engineer to identify known and common cryptography libraries and cryptographic functions used in the binary under analysis.  Very interesting research subject.</p>
<p><em>Francisco Falcon &amp; Nahuel Riva</em> - <strong>Dynamic Binary Instrumentation Frameworks: I know you&#8217;re there spying on me</strong></p>
<p>Francisco and Nahuel are from Argentina and apparently this was their first lecture either outside their home country or ever, but at least their first in English, and I have to say they did a fine job with the lecture format and language.  These two covered something like twenty different techniques that can be used from within an application to identify the potential presence of instrumentation of the executing code.  They focused on a common instrumentation framework called <a title="Pin" href="http://www.pintool.org/" target="_blank">Pin</a> so some of the techniques were specific to Pin, however during the questions at the end of the lecture they indicated that some of the techniques should be commonly applicable to other instrumentation tools and frameworks as well.  This lecture also gave me the idea to add support for a Plugin product type in the <a title="ExploitHub" href="https://www.exploithub.com/" target="_blank">ExploitHub</a> as all of their techniques were implemented as plugins to a framework for running their tests, so expect to be able to sell plugins to various applications in the ExploitHub soon (:</p>
<p><em>Aaron Portnoy &amp; Brandon Edwards</em> - <strong>IDA Toolbag</strong></p>
<p>Although these guys had released their <a title="IDA Toolbag" href="http://thunkers.net/~deft/code/toolbag/" target="_blank">IDA Toolbag</a> prior to the conference and I was already familiar with it and most of the functionality it provided, they still surprised me with a few features that I wasn&#8217;t aware of.  Also, seeing such a powerful tool speed-demoed like it was (they only had a 30 minute lecture slot) made it look <em>extremely</em> impressive.  If you use <a title="IDA Pro" href="http://www.hex-rays.com/products/ida/index.shtml" target="_blank">IDA Pro</a> at all and have not checked out their IDA Toolbag, stop reading right now and go begin downloading it.  This blog post will be here when you get back and you&#8217;ll thank me later.  The Toolbag provides a ton of features that make working in IDA much, much easier and will save you a LOT of time.  From a more intuitive navigation method which employs a history list that you can jump around through, to collaborative features that make it easier for multiple team members to jointly reverse the same target, it&#8217;s quite comprehensive.  My favorite feature, and the one that prompted its own individual round of applause from the lecture audience, was easily the <a title="IDA Toolbag Pathfinding" href="http://thunkers.net/~deft/code/toolbag/docs.html#Pathfinding" target="_blank">Pathfinding</a> functionality.  Pick a location, pick another location, and the Pathfinder will find all of the potential routes from one to the other.  If I still had time to bug hunt vulnerabilities myself this feature would save me massive amounts of time.  Mark the data input, mark the vulnerable code, now how do I get from one to the other?  This used to be a pain to analyze by hand, but now the majority of it can be done in a matter of seconds thanks to the Toolbag.
On a related note, I was referring to people as &#8220;toolbags&#8221; in my best New Yorker accent all day in honor of their lecture (:</p>
<p>In conclusion, overall the conference was awesome.  This was my third time in Montreal for REcon and this year the weather was perfect; mid-70s during the day and low 60s at night.  I don&#8217;t think I&#8217;ve drunk anywhere near the amount of scotch that I drank over these five days ever.  I&#8217;m definitely looking forward to attending next year, and it may be about time I learned some French if I&#8217;m going to continue attending in the future (:</p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/dtrammell.wordpress.com/380/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/dtrammell.wordpress.com/380/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.dustintrammell.com&#038;blog=939593&#038;post=380&#038;subd=dtrammell&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2012/06/19/recon-2012/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
		<item>
		<title>InfoSec Southwest 2012 Debrief</title>
		<link>http://blog.dustintrammell.com/2012/04/11/infosec-southwest-2012-debrief/</link>
		<comments>http://blog.dustintrammell.com/2012/04/11/infosec-southwest-2012-debrief/#comments</comments>
		<pubDate>Wed, 11 Apr 2012 16:18:49 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[business]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[AHA!]]></category>
		<category><![CDATA[challenge coin]]></category>
		<category><![CDATA[DARPA]]></category>
		<category><![CDATA[InfoSec Southwest]]></category>
		<category><![CDATA[Keith Myers]]></category>
		<category><![CDATA[Mudge]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=370</guid>
		<description><![CDATA[A couple of weekends ago I hosted my first information security and hacking conference called InfoSec Southwest here in Austin, Texas.  Having been attending such conferences for over fifteen years, and being involved with those in such capacities as speaker, volunteer, and sponsor, I had a general idea of the amount of work that this [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.dustintrammell.com&#038;blog=939593&#038;post=370&#038;subd=dtrammell&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
				<content:encoded><![CDATA[<p><a href="http://dtrammell.files.wordpress.com/2012/04/issw_twitter_3.jpg"><img class="alignleft size-full wp-image-373" title="ISSW 2012 Logo" src="http://dtrammell.files.wordpress.com/2012/04/issw_twitter_3.jpg?w=450" alt="ISSW 2012 Logo"   /></a>A couple of weekends ago I hosted my first information security and hacking conference called <a title="InfoSec Southwest 2012" href="http://www.infosecsouthwest.com/" target="_blank">InfoSec Southwest</a> here in Austin, Texas.  Having been attending such conferences for over fifteen years, and being involved with those in such capacities as speaker, volunteer, and sponsor, I had a general idea of the amount of work that this undertaking would be and luckily I wasn&#8217;t too far off in my estimation.  Had this been much <strong>more</strong> work than I had expected, I just might have keeled over and died from over-stimulation and exhaustion&#8230;</p>
<p><span id="more-370"></span></p>
<p>Overall, the conference went extremely smoothly, which I attribute almost entirely to my awesome staff that I had handling the logistics and execution of the event, Christina and Rachel.  As they aren&#8217;t InfoSec or hacker folks I did have to handle a few key components myself such as soliciting sponsorship, managing the speaker selection process, and coming up with badges that were a little more involved than just a printed card and a generic lanyard, but nearly all of the remainder of the event planning and execution I left in their capable hands and they did not let me down, nor did our excellent volunteers who assisted during the execution of the event.</p>
<p>As you may have heard by now, we had <a title="Challenge Coin" href="http://en.wikipedia.org/wiki/Challenge_coin" target="_blank">challenge coins</a> made for our badges this year.  I chose to go this route for a couple of reasons, primarily because one of my goals for the conference was to bring together the hacker, professional InfoSec, and defense and military communities.  Challenge coins are quite popular in the defense and military space so I was hoping that the badge would appeal particularly well to them.  Also, I wanted to provide everyone involved in our first year with a quality keepsake that honored their involvement.  That said, we will not use challenge coins as our badge for any subsequent iterations of this conference.  Next year and possibly subsequent years we intend to provide a discount on registration if you have, and can produce during check-in, your challenge coin.  We also intend to auction off a few of the remaining challenge coins to help fund next year&#8217;s conference, and you may occasionally find one of our coins showing up in other charity auctions in the future.</p>
<p>Regarding this year&#8217;s selection of speakers, I was quite happy with the outcome and was impressed by their professionalism and punctuality.  We unfortunately had two speakers who had to cancel within the week leading up to the conference, however we planned for this potentiality by having two alternate speakers selected who would be able to fill in if just such a thing were to happen.  Unfortunately one of our alternates also had to cancel so we ended up with one speaker slot that was regrettably empty during the second day of the conference.  It just goes to show you that even when you plan for a certain level of failure or unexpected deviance from the original plan, things can still go awry.  Regardless, the remaining speakers nearly all kept to their allotted time slots and showed up on time to speak.  I was also extremely happy to have our first choice selection for our Keynote, Mudge, accept and deliver our Keynote.  As mentioned before, I was attempting to bring together the hacker, professional InfoSec, and defense and military communities with our conference and Mudge quite nicely embodies all three of these sectors.</p>
<p>The Saturday Night party had a few hiccups with the DJ equipment which resulted in us having to shuffle our lineup a bit but overall went off quite well.  The open bar provided by <a title="A la carte Sponsors" href="http://www.infosecsouthwest.com/sponsors.html#alacarte" target="_blank">various sponsors</a> and some individuals provided just enough funds to keep our attendees drinking for nearly five hours and only ran dry right before the venue bar was about to close at 2:00 am anyway.  The feedback I got regarding the party was very positive, and it seems that choosing to co-locate our conference party alongside another unrelated party in the same venue provided an interesting atmosphere for our attendees.  I&#8217;d especially like to thank <a title="IOActive" href="http://www.ioactive.com/" target="_blank">IOActive</a> for sponsoring the party by flying in Keith Myers to DJ for us as well as contributing to the open bar.  I had a number of my local Austin friends at the party and all of them really enjoyed Keith&#8217;s set.</p>
<p>On the second day of the conference we decided to move the <a title="AHA!" href="http://www.austinhackers.org/" target="_blank">AHA!</a> style open forum out of the second lecture space we had rented and into the chill area where we had the CTF and Lockpick Village happening.  The first day of the conference we had a number of people show up to speak during the open forum however due to the location of the lecture space we were using it seemed to not be conducive to keeping an audience in there, so many of them chose not to speak due to the lack of a decent sized audience, or at some times an audience at all.  There was also an issue with the Lockpick Village on the first day as they were attempting to provide their instructional mini-lectures during our caffeine breaks and without an audio system it was very difficult to hear their speaker over the noise of the breaks, so by bringing the open forum track out into this area, along with its audio system, we were able to solve both issues with one solution.  On the second day, we had a number of open forum speakers actually present as the space always had a bit of a captive audience in the CTF participants and others just hanging out in the chill area, and the Lockpick Village was able to be heard over the noise of the breaks by having the audio system available to them.  Keeping things dynamic with the format definitely assisted in resolving these two issues which really were the only major issues we had with the conference proper.</p>
<p>All in all the conference was a major success and we will be hosting it again next year.  Our attendance was a little lower than expected due in large part to nearly <strong>none</strong> of the Dallas / Fort Worth crowd showing up (where were you guys???) but not so low that we took too much of a financial hit.  We did expect to come out in the red this first year however we came fairly close to breaking even, so we expect next year to begin making a small profit which we can then use to grow the conference a little as we would like to have more contests and competitions, more attendees, and more perks for our speakers and attendees.  I hope to see you all at the conference in 2013!</p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/dtrammell.wordpress.com/370/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/dtrammell.wordpress.com/370/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.dustintrammell.com&#038;blog=939593&#038;post=370&#038;subd=dtrammell&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2012/04/11/infosec-southwest-2012-debrief/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>

		<media:content url="http://dtrammell.files.wordpress.com/2012/04/issw_twitter_3.jpg" medium="image">
			<media:title type="html">ISSW 2012 Logo</media:title>
		</media:content>
	</item>
		<item>
		<title>ExploitHub</title>
		<link>http://blog.dustintrammell.com/2012/02/29/exploithub/</link>
		<comments>http://blog.dustintrammell.com/2012/02/29/exploithub/#comments</comments>
		<pubDate>Wed, 29 Feb 2012 19:42:15 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[business]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[ExploitHub]]></category>
		<category><![CDATA[exploits]]></category>
		<category><![CDATA[free market]]></category>
		<category><![CDATA[Metasploit]]></category>
		<category><![CDATA[NSS Labs]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=347</guid>
		<description><![CDATA[A few years ago, following the failure of WabiSabiLabi&#8217;s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works.  Obviously given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can&#8217;t have a public market for [...]<img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.dustintrammell.com&#038;blog=939593&#038;post=347&#038;subd=dtrammell&#038;ref=&#038;feed=1" width="1" height="1" />]]></description>
				<content:encoded><![CDATA[<p><a href="http://dtrammell.files.wordpress.com/2012/02/exploithub-vertical-sm-text-padded_bigger.png"><img class="alignleft size-full wp-image-349" title="ExploitHub" src="http://dtrammell.files.wordpress.com/2012/02/exploithub-vertical-sm-text-padded_bigger.png?w=450" alt="ExploitHub Logo"   /></a>A few years ago, following the failure of WabiSabiLabi&#8217;s 0day auction site, I gave some thought to how to create a public marketplace for exploits that actually works.  Obviously given the example of WabiSabiLabi and a little common sense that any vulnerability researcher worth their salt would know, you can&#8217;t have a public market for 0day vulnerabilities.  As WabiSabiLabi quickly found out, by disclosing enough information about the vulnerability so that a potential customer can make a determination about whether or not to buy it, you&#8217;re likely giving up enough information about the vulnerability for them to find it themselves, given varying levels of time and effort.  Thus, you can really only market 0day to trusted customers and when your marketplace is open to the public, your customers are most definitely not trusted and consists of various demographics who have lots of disposable time on their hands to go hunt down your vulnerabilities.  So, what if we remove 0day from the equation entirely I thought? Could an open market for exploits of public vulnerabilities work? Would anyone actually buy such exploits?  <a title="ExploitHub" href="https://www.exploithub.com/" target="_blank">ExploitHub</a> was born, and it turns out the answer is yes.</p>
<p><span id="more-347"></span>Well, it wasn&#8217;t born overnight.  At first, my idea was to create an open marketplace for the buying and selling of <a title="Metasploit" href="http://www.metasploit.com/" target="_blank">Metasploit</a> exploit modules that was integrated directly into Metasploit, like an iTunes-style App Store for the Metasploit Framework.  The overall application was to be both on the web and integrated within Metasploit, as the exploit Authors also needed an interface to submit and manage their exploits with since the original Customers&#8217; interface would essentially be Metasploit itself.  This functionality is actually still part of the plan, however we&#8217;ve focused on fleshing out the community features of the site before integration with Metasploit and have since expanded beyond only supporting Metasploit exploit modules due to popular request.  I took my original idea to HD Moore at the time for some feedback given that Metasploit is his application, and as it turns out <a title="NSS Labs" href="http://www.nsslabs.com/" target="_blank">NSS Labs</a> had approached him with nearly exactly the same idea within a few days of me speaking to him about it.  Since NSS Labs and I essentially had the exact same idea at nearly the exact same time, HD suggested we discuss it with each other and potentially partner on the project.  This resulted in nearly a year of design and development of what was to become the ExploitHub.</p>
<p>Flash-forward to <a title="BlackHat" href="http://www.blackhat.com/" target="_blank">BlackHat USA 2011</a> and <a title="DEFCON" href="http://defcon.org/" target="_blank">DEFCON 19</a> and the official launch of ExploitHub.  We held a small launch event and the project was very well received by the community and industry at large.  At the time we had a handful of initial exploit Authors offering their exploits for sale in the store, and today that small group has expanded quite a bit.  At launch, we immediately had revenue in the form of site-licenses sold pre-launch and were able to immediately begin paying Authors residual monthly payments from that revenue.  At the time, individual purchases of exploits were not even enabled yet, however we rolled out that capability about a month later.  Following that, we launched a <a title="ExploitHub Development Requests and Bounties" href="https://www.exploithub.com/request/index/developmentrequests" target="_blank">development request and bounty system</a> which allows Customers to provide Authors with guidance regarding what exploits they would like to see developed and how much they are willing to pay just to have those exploits created and submitted to the store.</p>
<p>Overall we&#8217;ve come a long way in a couple of years and made great progress since our initial public launch.  To date, we now have over 100 exploits for sale in the market which are exclusively available via ExploitHub.  We also recently launched the <a title="ExploitHub Blog" href="https://www.exploithub.com/blog/" target="_blank">ExploitHub blog</a>, which is where I will likely be posting further ExploitHub-related information rather than here, so if you&#8217;re interested in this project, I would recommend you follow that blog as well.</p>
<br />  <a rel="nofollow" href="http://feeds.wordpress.com/1.0/gocomments/dtrammell.wordpress.com/347/"><img alt="" border="0" src="http://feeds.wordpress.com/1.0/comments/dtrammell.wordpress.com/347/" /></a> <img alt="" border="0" src="http://stats.wordpress.com/b.gif?host=blog.dustintrammell.com&#038;blog=939593&#038;post=347&#038;subd=dtrammell&#038;ref=&#038;feed=1" width="1" height="1" />]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2012/02/29/exploithub/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>

		<media:content url="http://dtrammell.files.wordpress.com/2012/02/exploithub-vertical-sm-text-padded_bigger.png" medium="image">
			<media:title type="html">ExploitHub</media:title>
		</media:content>
	</item>
		<item>
		<title>TSA Lectures, Lies, and Rude, Dismissive Behavior</title>
		<link>http://blog.dustintrammell.com/2012/02/21/tsa-lectures-lies-and-rude-dismissive-behavior/</link>
		<comments>http://blog.dustintrammell.com/2012/02/21/tsa-lectures-lies-and-rude-dismissive-behavior/#comments</comments>
		<pubDate>Tue, 21 Feb 2012 19:02:38 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[opinion]]></category>
		<category><![CDATA[physical security]]></category>
		<category><![CDATA[rant]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[travel]]></category>
		<category><![CDATA[air travel]]></category>
		<category><![CDATA[airport security]]></category>
		<category><![CDATA[Austin]]></category>
		<category><![CDATA[backscatter x-ray]]></category>
		<category><![CDATA[fourth amendment]]></category>
		<category><![CDATA[health]]></category>
		<category><![CDATA[millimeter wave t-ray]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[radiation]]></category>
		<category><![CDATA[radiation scan]]></category>
		<category><![CDATA[TSA]]></category>

		<guid isPermaLink="false">https://dtrammell.wordpress.com/?p=334</guid>
		<description><![CDATA[On a recent trip to Orlando, I opted out of the full-body scan at AUS, as I always do at every airport security checkpoint.  While waiting for my pat-down, I was lectured by the TSA gate agent about how safe they are, was subsequently questioned about my cellphone use as a radiation exposure comparison, and [...]]]></description>
				<content:encoded><![CDATA[<p>On a recent trip to Orlando, I opted out of the full-body scan at <a title="Austin Bergstrom International Airport" href="http://www.ci.austin.tx.us/austinairport/" target="_blank">AUS</a>, as I always do at every airport security checkpoint.  While waiting for my pat-down, I was lectured by the <a title="Transportation Security Administration" href="http://www.tsa.gov/" target="_blank">TSA</a> gate agent about how safe they are, was subsequently questioned about my cellphone use as a radiation exposure comparison, and was subjected to repeated attempts to get me to change my mind and just go through the scanner.</p>
<p><span id="more-334"></span>During all of this, and my wait which was somewhere around ten minutes or so, my effects sat on the conveyor past the x-ray machine as countless people walked past them retrieving their own things.  As neither the gate agent nor any of the conveyor x-ray agents asked me which items were mine until I was ushered through for my pat-down, it would have been extremely easy for any of those people to walk off with any of my belongings.  Luckily, regular citizens still seem to be honest for the most part.</p>
<p>Once it became obvious that the gate agent had assumed my refusal to be subjected to the scanner was due to health and safety reasons, I decided to test a theory.  As soon as I opted out I was asked to stand next to the conveyor x-ray machine, which was about as close as you could get to the radiation scanner without walking the short distance from the end of the line to the actual scanner.  I asked the gate agent if I could stand somewhere else farther away from the equipment.  The gate agent rudely dismissed my request with the statement that I was required to stand exactly where I was and could not move anywhere else.  An interesting passive-aggressive response from someone who was assuming that I didn&#8217;t want to be near the radiation.  I remained there for the remaining duration of my wait.</p>
<p>The pat-down agents were contrastingly both courteous and respectful when compared to the gate agent and the supervisor that I was about to speak with.  After my pat-down, I complained to the TSA supervisor about the gate agent and was told that the lecture he subjected me to is policy, that the scanner isn&#8217;t an X-ray machine, and then I was rudely dismissed yet again, this time with a disgusted look and a &#8220;you&#8217;re done here, sir.&#8221;</p>
<p>As being subjected to a radiation scan is not mandated, it&#8217;s still my choice whether or not to opt out of the scan and no one should ever be lectured about it or coerced into changing their mind.  Furthermore, I&#8217;m appalled that the supervisor would blatantly lie about the technology being used.  Granted, he didn&#8217;t technically lie, as AUS uses <a title="Millimeter Wave Scanner" href="http://en.wikipedia.org/wiki/Millimeter_wave_scanner" target="_blank">millimeter wave scanners</a>, which are T-ray, but a layperson doesn&#8217;t usually know the difference.  Furthermore, within the context of the conversation the supervisor had assumed that my objection to the scanner was for health and safety reasons, and if that is your reason for objecting, which type of radiation you&#8217;re being exposed to is likely a moot issue for you.  What he was deceptively implying was that the device was not a radiation scanner and I was stupid for being afraid of it.</p>
<h2>New Harassment Policy?</h2>
<p>The lecture I received about how safe the scanners are must be new policy, as I&#8217;ve never been lectured before at other airports and I opt out EVERY time. Granted, by the time I took this trip I hadn&#8217;t traveled in a few months and this is the first time I&#8217;ve traveled through AUS since they started using the new scanners.  Since reporting my experience to friends and family via social media, I&#8217;ve heard many similar stories regarding recent travel that involved a lecture, and most of those included comments about this being a recent change in their travel experiences.  All I can conclude from this is that it is now the TSA&#8217;s policy to lecture, berate, shame, and intimidate air travelers into compliance and submission.</p>
<h2>Reasons for Opting Out</h2>
<p>The reasons for opting out are likely as varied as the people who choose to do so.  There are a few usual ones however, which I will outline here and how they relate to my experience.</p>
<h3>Health and Safety Reasons</h3>
<p>This is probably the most common, and why the TSA gate agent and the supervisor both assumed that I was simply scared of the scanner even though I never expressed to them my reasons for opting out.  Knowing multiple cancer survivors and witnessing the ordeal that they went through in order to survive, I can completely understand why some people are suspicious of radiation scanners.  If I knew that I was prone to cancer, I would avoid anything that exposed my body to additional radiation as often as I could.  The last thing I would want would be some random particle zipping through my body and whacking a cell just the wrong way and potentially triggering the development of another tumor.  Conversely, if my cancer treatment involved radiation therapy, I likely would have had far more than my share of radiation in my lifetime and would want to avoid any additional exposure.  That said, I am personally not prone to cancer as far as I&#8217;m aware, and health and safety reasons are not my reasons for opting out, as I&#8217;m not too worried about the occasional dose of radiation. I&#8217;d be much more concerned if I had to stand next to the scanner all day like the TSA employees do, as <a title="HEALTH RISKS FROM EXPOSURE TO LOW LEVELS OF IONIZING RADIATION" href="http://www.nap.edu/openbook.php?isbn=030909156X" target="_blank">studies have indicated</a> that any additional exposure to radiation, including low levels, increases your lifetime risk of developing cancer.</p>
<h3>Privacy</h3>
<p>Privacy concerns are another common reason for opting out.  These new radiation scanners, both <a title="Backscatter X-ray" href="http://en.wikipedia.org/wiki/Backscatter_X-ray" target="_blank">backscatter X-ray</a> and <a title="Millimeter Wave Scanner" href="http://en.wikipedia.org/wiki/Millimeter_wave_scanner" target="_blank">millimeter wave T-ray</a> scanners, reveal the naked human body in all its glorious detail.  Many people are self-conscious about their bodies.  Many people have religious or spiritual objections to having people they don&#8217;t know see them naked. Whatever the reason, personal privacy can be a concern, however privacy concerns are also not my reason for opting out.</p>
<h3>Fourth Amendment</h3>
<p>The final reason I&#8217;ll outline here for opting out is that many people believe that full body scans violate an individual&#8217;s Fourth Amendment right to not be unreasonably searched without issuance of a warrant due to probable cause:</p>
<blockquote><p>The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.</p></blockquote>
<p>This is one part of my reasons for opting out.</p>
<h3>My Reasons</h3>
<p>I personally choose to opt out in protest of the liberty-encroaching policies of our Federal Government in recent years, the mere existence of the TSA, and the <a title="Expansion of Use and Dose of Radiation" href="http://www.propublica.org/article/drive-by-scanning-officials-expand-use-and-dose-of-radiation-for-security-s" target="_blank">blatant overreach and disregard for the public</a> that they routinely engage in. I also believe that a pat-down is far less of a violation of my Fourth Amendment rights than a full-body scan is.  There are a number of valid reasons to opt out, and doing so is a personal choice that should not be questioned or required to be explained. It&#8217;s somewhat amusing that the TSA gate agent assumed I was scared of the scanner, which isn&#8217;t at all the reason that I opt out.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2012/02/21/tsa-lectures-lies-and-rude-dismissive-behavior/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
		<item>
		<title>InfoSec Southwest 2012</title>
		<link>http://blog.dustintrammell.com/2012/02/14/infosec-southwest-2012/</link>
		<comments>http://blog.dustintrammell.com/2012/02/14/infosec-southwest-2012/#comments</comments>
		<pubDate>Tue, 14 Feb 2012 17:01:09 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[AHA!]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[Austin]]></category>
		<category><![CDATA[Austin Convention Center]]></category>
		<category><![CDATA[blackhat]]></category>
		<category><![CDATA[Capture the Flag]]></category>
		<category><![CDATA[CTF]]></category>
		<category><![CDATA[defcon]]></category>
		<category><![CDATA[InfoSec Southwest]]></category>
		<category><![CDATA[no more cheap bugs]]></category>
		<category><![CDATA[No More Free Bugs]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=351</guid>
		<description><![CDATA[A few years ago, the idea came up at our local AHA! meeting that our group should host an information security and/or hacking conference here in Austin, Texas.  Some venue ideas were tossed around, some preliminary cost research done, but the idea never went much beyond that due to a number of reasons, foremost of [...]]]></description>
				<content:encoded><![CDATA[<p><a href="http://dtrammell.files.wordpress.com/2012/02/issw_twitter_3.jpg"><img class="alignleft size-full wp-image-352" title="InfoSec Southwest 2012" src="http://dtrammell.files.wordpress.com/2012/02/issw_twitter_3.jpg?w=450" alt="InfoSec Southwest 2012 Logo"   /></a>A few years ago, the idea came up at our local <a title="AHA!" href="http://www.austinhackers.org/" target="_blank">AHA!</a> meeting that our group should host an information security and/or hacking conference here in Austin, Texas.  Some venue ideas were tossed around, some preliminary cost research done, but the idea never went much beyond that due to a number of reasons, foremost of which is that AHA! folk are very, very busy people, myself included.  Back then, none of us simply had the time or resources to make such an undertaking happen.  Fortunately, while I still don&#8217;t really have the time personally, I now have the resources in the way of paid staff that I can have plan and execute such an event, so mid-2011 or so I <a title="InfoSec Southwest 2012" href="http://www.infosecsouthwest.com/" target="_blank">decided to do so</a>.</p>
<p><span id="more-351"></span>In hindsight, even though the target time frame during which I wanted to have the conference was still a good eight months away, my schedule may have been a bit too aggressive&#8230; I am a procrastinator, and I really didn&#8217;t get started until more like six months away.  Some delays and other complications turned that six months into four, which is where we really were able to begin.  It is now roughly two months from the conference date, and I&#8217;m feeling fairly confident in our execution thus far and the logistics we&#8217;ve nailed down.  We just recently announced our <a title="InfoSec Southwest 2012 Agenda" href="http://www.infosecsouthwest.com/agenda.html" target="_blank">final speaker selections</a> as well as our <a title="InfoSec Southwest 2012 Venue" href="http://www.infosecsouthwest.com/venue.html" target="_blank">venue</a>.  People seem quite excited about <a title="InfoSec Southwest 2012 Demolition Derby CTF" href="http://www.infosecsouthwest.com/demolitionderby.html" target="_blank">our unique take on Capture-the-Flag</a>, which will be crowd-sourced, and the <a title="InfoSec Southwest 2012 Registration" href="http://www.infosecsouthwest.com/registration.html" target="_blank">first few blocks of registrations have sold out</a> which has us approaching our minimum goal of expected attendance level in registrations.  Finally, our <a title="InfoSec Southwest 2012 Events" href="http://www.infosecsouthwest.com/events.html" target="_blank">Saturday Night Party</a> is also coming together quite nicely, and hopefully I can again meet the high bar of expectation I set for myself in that area with my No More Cheap Bugs party last year during the BlackHat and DEFCON conferences in Vegas&#8230;  Overall, I&#8217;d say we&#8217;re well on our way to hosting our first successful conference.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2012/02/14/infosec-southwest-2012/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>

		<media:content url="http://dtrammell.files.wordpress.com/2012/02/issw_twitter_3.jpg" medium="image">
			<media:title type="html">InfoSec Southwest 2012</media:title>
		</media:content>
	</item>
		<item>
		<title>Reboot</title>
		<link>http://blog.dustintrammell.com/2012/02/06/reboot/</link>
		<comments>http://blog.dustintrammell.com/2012/02/06/reboot/#comments</comments>
		<pubDate>Mon, 06 Feb 2012 16:14:00 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[business]]></category>
		<category><![CDATA[employment]]></category>
		<category><![CDATA[Personal]]></category>
		<category><![CDATA[Trammell Ventures]]></category>

		<guid isPermaLink="false">https://dtrammell.wordpress.com/?p=336</guid>
		<description><![CDATA[It&#8217;s been quite a while since I&#8217;ve posted anything here other than the occasional conference report, and there are many more of those in draft form from the past two years that I didn&#8217;t even get around to finishing up and actually posting&#8230;  This is due to a variety of reasons, some of which include [...]]]></description>
				<content:encoded><![CDATA[<p>It&#8217;s been quite a while since I&#8217;ve posted anything here other than the occasional conference report, and there are many more of those in draft form from the past two years that I didn&#8217;t even get around to finishing up and actually posting&#8230;  This is due to a variety of reasons, ranging from a complete change in career focus a couple of years ago involving going into business for myself, to having very little free time due to the myriad of things I&#8217;ve got going on.  This however needs to change, as I need at least one outlet for my thoughts that isn&#8217;t constricted to 140 characters or the no-frills formatting that most of the social networks provide.  That said, it is my intention to write here more often, beginning with this post and continuing with more to follow over the next few weeks, mostly about the various ventures I&#8217;ve begun or have become involved in over the past few years.</p>
<p><span id="more-336"></span>Recently, I realized that I&#8217;ve got so many different things going on that some reorganization was sorely needed, and thus <a title="Trammell Ventures" href="http://www.trammellventures.com/" target="_blank">Trammell Ventures</a> was born.  Most of my projects and fledgling companies now fall under the management of this business entity.  Feel free to click-through to the Trammell Ventures website and peruse the site, or check back there anytime you want an update on what I&#8217;m currently working on or what crazy idea I&#8217;m putting some effort into at the time&#8230;</p>
<p>That said, please stay tuned for additional in-depth posts on the various businesses and projects you&#8217;ll see currently listed at the Trammell Ventures website.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2012/02/06/reboot/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
		<item>
		<title>CanSecWest 2011</title>
		<link>http://blog.dustintrammell.com/2011/03/24/cansecwest-2011/</link>
		<comments>http://blog.dustintrammell.com/2011/03/24/cansecwest-2011/#comments</comments>
		<pubDate>Thu, 24 Mar 2011 15:12:35 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[conference]]></category>
		<category><![CDATA[gaming]]></category>
		<category><![CDATA[reverse engineering]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[video games]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[Vancouver]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=317</guid>
		<description><![CDATA[Yes, that&#8217;s right&#8230;  After many, many years of wanting to attend this conference, I finally made it.  CanSecWest has been heralded as one of the best, top-quality security conferences that you can attend, and while I actually made it across the pond a few years ago to speak at EUSecWest, the logistics for getting up [...]]]></description>
				<content:encoded><![CDATA[<p>Yes, that&#8217;s right&#8230;  After many, many years of wanting to attend this conference, I <em>finally</em> made it.  CanSecWest has been heralded as one of the best, top-quality security conferences that you can attend, and while I actually made it across the pond a few years ago to speak at EUSecWest, the logistics for getting up to CanSecWest just never worked out for me&#8230;  until this year.</p>
<p><span id="more-317"></span>I have to say, the hype I&#8217;ve heard over the years is well deserved.  The talks that I saw were excellent, registration was quick and smooth, the overall venue was very nice and quite accommodating, and Vancouver is a beautiful city.  I arrived on Tuesday evening before the conference and checked into the hotel.  I ended up with a corner room in the North Tower which had a nice amount of space and was near the conference hall which made it quite convenient to go back and forth between the conference and my room when I needed to work.  I actually did get a fair amount of work done as for some reason a lot of my Clients waited until I was <em>at</em> the conference to email me new submissions, and I was managing another round of development for the <a title="ExploitHub" href="http://www.exploithub.com/" target="_blank">ExploitHub</a> and reviewing its latest contracts.</p>
<p>The Tronapalooza party at Five Sixty on Thursday night was ++awesome.  Five Sixty can only be described as a video game bar, with both retro arcade games lining the walls, a line of racing games complete with bucket seats and wheel/pedal controllers along one wall, and a HUGE projector screen upstairs for larger-than-life Street Fighter on Xbox.  The bars were open and flowing, there was a decent sized dance floor, and the DJs rocked it.  Had the Ms. Pacman machine been set to fast mode instead of slow, it would have been a PERFECT venue in my opinion.</p>
<p>One highlight of my conference experience was the massage room.  I had just spent about four and a half hours up in my hotel room poring over the latest ExploitHub contracts when I finished up and went downstairs to see what talk was currently being given.  It was about halfway through and wasn&#8217;t something that I was too terribly interested in anyway, so I decided to walk upstairs and see who was hanging out in the lobby bar.  After the first set of escalators I saw the massage room and thought to myself, &#8220;Self, that&#8217;s a PERFECT reward for just having spent four and a half hours reading contracts&#8221;, so I got myself a massage, and it was fantastic.  Whoever had the bright idea of having a massage room at the conference is a genius.</p>
<p>Anyhow, my notes on the few talks that I did manage to attend are below.</p>
<p><strong>Black Box Auditing Adobe Shockwave</strong> &#8211; <em>Aaron Portnoy &amp; Logan Brown</em></p>
<p>I would have named this talk &#8220;Adventures in Dynamic Binary Instrumentation&#8221; myself, as every few slides Aaron and Logan were solving some problem they had run into using some DBI technique.  While the target of the assessment they were detailing was Adobe Shockwave, I got much more out of this talk regarding the DBI techniques.  I won&#8217;t be discussing much of the ZDI-related process info or statistics that they discussed as that bit of the talk wasn&#8217;t all that interesting to me, however I must note that those bits were the motivation behind the assessment and why they developed some of the techniques that they did.</p>
<p>The first, and a very important point that they made, was that Adobe Shockwave is NOT Adobe Flash.  While the two products essentially do much of the same thing, and Adobe will shortly end-of-life the Shockwave product line in favor of Flash, they are two distinct and different code-bases.  Also, Shockwave has no symbols when you disassemble it, and functions are exported by ordinal, which makes taking a first look at this product unintuitive.  Also, !heap from WinDBG indicated that this product has its own memory manager rather than relying on the operating system&#8217;s memory manager.  One of the first things this product does when starting up is to allocate about a Gigabyte of memory from the operating system for its own memory manager to manage.  Instead of starting off by reversing an entire custom memory manager, Aaron and Logan decided to use Dynamic Binary Instrumentation (DBI) to hook read functions, using pre- and post-call hooks to identify where in memory data was being stored and then searching those locations for the injected fuzzer data that they were looking for.  The result was a much faster and more scalable method than using breakpoints in the debugger.</p>
<p>An interesting side-quest that they embarked upon during this assessment was when they noticed that the slim version of Shockwave would dynamically go out and download support DLLs for unsupported file formats.  They attempted to compromise this update feature since it&#8217;s essentially going out, grabbing executable code, and then executing it; however, Adobe was smart for once and was signing these DLL packages with a digital signature including an embedded certificate, so that adventure led to a dead-end.</p>
<p>After fuzzing, Aaron and Logan identified approximately 2500 crashes using simple bit-flipping fuzzing techniques, and about 4000 more crashes fuzzing the RIFF file structure.  They also used another DBI technique while fuzzing to great success, which involved hooking and doing memory allocation as exceptions happened.  When a memory read exception occurred, they would inject code that would allocate memory at the location the read was attempting to access, simulate a heap spray by writing heap spray data there, then return to execution and hope for a write exception.  This technique is very effective at further verifying that a crash may be exploitable by automatically progressing to feeding the read call malicious data and logging the write exceptions, rather than collecting a huge batch of read exceptions and then having to go analyze them manually.</p>
<p>Eventually, though, Aaron and Logan did have to reverse the custom memory manager, but after some initial analysis they discovered that it was an off-the-shelf memory manager called SmartHeap.  SmartHeap has five different APIs that all do different things.  This library still had no exported symbols except for one implementation of it for OS X, if I recall correctly.  By binary diffing the different implementations against each other and using yet some more DBI techniques to gather statistics on function calls to search for correlations and patterns, such as memory allocation functions and memory freeing functions having roughly the same number of calls made to them, Aaron and Logan were able to make a fair amount of progress reversing this memory manager.  It turns out that when you find vulnerabilities in products that use SmartHeap, they are relatively easy to exploit as SmartHeap has no exploitation mitigations like ASLR, heap cookies, etc.</p>
<p>In the end, Aaron and Logan indicated that they had found and fully developed around 20 0day vulnerabilities as well as a number of analysis tools using DBI techniques.</p>
<p><strong>SMS-o-Death: From Analyzing To Attacking Mobile Phones on a Large Scale</strong> &#8211; <em>Nico Golde and Collin Mulliner</em></p>
<p>This was a fairly straightforward talk and has apparently been given at previous conferences, so I&#8217;m not going to go into too much detail here.  I did my own research into the GSM space about five years ago, so I was very familiar with Nico and Collin&#8217;s point that while phone hardware and software are largely proprietary and closed source, the GSM specs are open, which makes research via fuzzing the protocols approachable.  They also made a point that I remember well about there being a TON of GSM specs.  Literally thousands and thousands of pages of text.  It was an interesting space to be working in at the time, but the sheer volume of it can indeed overwhelm you.  Anyhow, the result of their research is that after fuzzing over SMS, they identified crashes in every single product that they tested, which included a lot of major phone manufacturers and models.</p>
<p><strong>A Castle Made of Sand: Adobe Reader X Sandbox</strong> &#8211; <em>Richard Johnson</em></p>
<p>Richard started off his talk with some interesting statistics about Adobe Reader, such as that it has about 30% market share as of June 2010 and that it&#8217;s had 358 vulnerabilities in the last 10 years, 278 of which resulted in code execution, and about 22 that were actively exploited in the wild.  It would seem that Adobe has good reason to attempt to mitigate exposure after a compromise via employing a sandbox, and their approach to using sandboxing made its debut in Adobe Reader X, which not only employs a sandbox but is also hardened to utilize the mitigation technologies provided by the operating system such as ASLR and DEP with the PERMANENT flag.  As a result, it seems that PDF-based attacks fell by about 30% since Q2 of 2010.  Richard did note however that some 3rd-party crypto libraries that Adobe Reader includes do not make use of these mitigation technologies which, if you have Reader load the crypto features, results in about 1.5 Megabytes of non-randomized memory in the Reader process&#8217;s address space.  How ironic that loading security libraries actually introduces more opportunity for successful exploitation&#8230;</p>
<p>Anyhow, the &#8220;Protected Mode&#8221; sandbox includes separation of rendering code from initialization and management processes, rendering code is not allowed to write to the filesystem, and API and system calls are filtered through the parent process.  The default configuration of the sandbox includes JavaScript enabled by default although there is a JavaScript API black-list in place, ACLs for file, registry, and process access, and logging is disabled by default.  Given all this, you still have some opportunities for attack and security analysis, such as leveraging a vulnerability in the rendering process, which is the most likely attack surface, to load an attack DLL and use the attack DLL to attack the broker or parent process.  This attack DLL could be a fuzzer or a more targeted exploit if you&#8217;ve discovered a vulnerability in the parent or broker process.  Another interesting configuration of the sandbox is that socket and handle use is <em>not</em> restricted, therefore it could be possible to use a PDF file as a pivot into a target network.  Also, reading files and reading clipboard data is not restricted, so similarly a PDF could be used as a platform for the exfiltration of data.  Finally, the log file, if logging is actually enabled (which, as stated earlier, it is not by default), is writable.  This makes it possible to potentially cover one&#8217;s tracks when performing an attack by wiping or cleaning up the log file.  Overall, it sounds like Adobe is taking some steps in the right direction, however there are still a number of attack vectors present as well as some fairly insecure configurations by default.</p>
<p><strong>Security Defect Metrics for Targeted Fuzzing</strong> &#8211; <em>Dustin Duran, Matt Miller, and David Weston</em></p>
<p>This was overall a very well thought-out, performed, and summarized experiment on behalf of the researchers and the extended team that they mentioned in the credits.  That said, due to certain factors like extremely short test periods, a small number of input file formats, small numbers of crash results, and so forth, it was very obviously just that: an experiment.  I would very much like to see this same experiment performed with much larger data sets and testing periods to get a better idea of how biased the results were due to the bounds of the experiment.</p>
<p>First the researchers outlined their motivation for this experiment.  Three challenges with the vulnerability discovery technique of fuzzing were outlined.  The first is that while &#8220;dumb&#8221; fuzzing is blind and fast, &#8220;smart&#8221; fuzzing is generally on the opposite end of the spectrum: targeted and more apt to find crashes, but also higher cost in both computing and human resources, and due to this it could have a much lower ROI; there really aren&#8217;t any current fuzzing techniques that sit in the center of this spectrum.  They also cited that many researchers have a finite amount of resources and time to perform the fuzzing phase of an assessment, and that with most fuzzing approaches today the process is fairly opaque, in that there is limited visibility into the process of fuzzing as well as into the code coverage achieved by any particular fuzzing activity.</p>
<p>After outlining the motivation and challenges, the researchers described their approach, called &#8220;taint-driven&#8221; fuzzing, which was loosely defined as dynamic analysis that allows mutative target offset selection based on observing what code affects what memory locations.  Given that with this approach you&#8217;re targeting specific functions in code that are reachable via the application&#8217;s inputs, they then covered a number of different metrics that could be used for choosing your fuzzing targets.  The team presented five different metrics, the first of which was referred to as Cyclomatic Complexity, which essentially means that the more complex the function is, the more bugs it is likely to have.  Second was a metric based on crash reports from the field.  Microsoft has a fairly robust error reporting mechanism for most of its products, so that when they crash they offer to send the crash report directly to Microsoft.  These crash reports identify the code that they crashed in, so using these reports for target selection makes absolute sense.  Third was a metric based on static analysis issues such as compiler warnings, use of known-problematic sub-functions and system calls, etc.  Fourth was a metric based on the attack surface within the function, as presented by the instructions in the function that operate on tainted data.  The fifth metric was based on perceived exploitability and was rather interesting, as it was to essentially step through every instruction in a target function, simulate a crash on that instruction, and then use WinDBG&#8217;s !exploitable logic to indicate whether, if there were a crash there, it would be obviously exploitable or not.  Collecting the results from these simulations, you can calculate a score for how potentially exploitable any given function is, assuming a crash exists.</p>
<p>Finally, the group disclosed their results, which included lots of charts and graphs and various different views of the data from differing perspectives.  I&#8217;ll leave it to you to go dig into their research if you want the exact details, but in a nutshell, the team tested four binary file formats using five fuzzing engines (three that were taint-based and two control fuzzers) and six different metrics (the five outlined above and a control which was entirely random), and spent five days on each combination of fuzzing engine, metric, and target file format.  The results were somewhat inconclusive other than an indication that the larger the code base, the more applicable taint-based fuzzing seemed to be, as its results improved over the control fuzzing engines as the application&#8217;s code base grew in size.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2011/03/24/cansecwest-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
		<item>
		<title>Toronto, October 2010</title>
		<link>http://blog.dustintrammell.com/2010/11/02/toronto-october-2010/</link>
		<comments>http://blog.dustintrammell.com/2010/11/02/toronto-october-2010/#comments</comments>
		<pubDate>Tue, 02 Nov 2010 14:42:15 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[AHA!]]></category>
		<category><![CDATA[body hacking]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[stats]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[Canada]]></category>
		<category><![CDATA[quantifiable self]]></category>
		<category><![CDATA[SecTor]]></category>
		<category><![CDATA[Toronto]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=290</guid>
<description><![CDATA[This post was originally entitled &#8220;SecTor 2010&#8221;, however I never actually attended the conference, so it&#8217;s not really about the conference but rather my short stay in Toronto during the SecTor 2010 conference. The Monday after ToorCon 12 I boarded a red-eye flight at 9:30 PM bound for Newark and then took the connection from [...]]]></description>
<content:encoded><![CDATA[<p>This post was originally entitled &#8220;SecTor 2010&#8221;, however I never actually attended the conference, so it&#8217;s not really about the conference but rather my short stay in Toronto <em>during</em> the SecTor 2010 conference.</p>
<p><span id="more-290"></span>The Monday after ToorCon 12 I boarded a red-eye flight at 9:30 PM bound for Newark and then took the connection from Newark to Toronto at 6:45 AM.  I was honestly really surprised when I arrived at my hotel at 9:30 AM and they actually had my room ready.  I was afraid I would have to check my bag and find something to do for a while until it was ready, but luckily I was able to go up to my room immediately.  Having my own space as soon as I arrived helped quite a bit because I actually had a fair amount of work to get done and since landing in Toronto I had a somewhat severe atmospheric-pressure-change headache to deal with.  After working for a few hours I decided the only way to kill the headache was to take a nap, and when I woke up it was 4:30 PM.  As I&#8217;m sure you&#8217;ve guessed at this point, I missed the entire first day of the SecTor conference due to unexpectedly needing to work and the headache.</p>
<p>After waking I continued to work for a bit while most of the SecTor attendees were at the reception and speakers attended the speaker dinner.  I caught up with a few people at the Pub following the dinner and was fortunate enough to be introduced to Eric Boyd, the creator of the <a title="North Paw" href="http://sensebridge.net/projects/northpaw/" target="_blank">North Paw</a> project which I intend to build from one of his kits at some point in the near future.  We had some great conversation about sensory and haptic feedback technology and discussed some of his upcoming project ideas.  If you&#8217;re interested in that sort of thing, you should definitely follow the <a title="Sensebridge" href="http://sensebridge.net/" target="_blank">Sensebridge</a> site&#8217;s <a title="Sensebridge RSS" href="http://sensebridge.net/feed/" target="_blank">RSS feed</a> or subscribe to the <a title="Body Hacking List" href="http://lists.caughq.org/?0" target="_blank">Body Hacking</a> list where he will hopefully be posting updates and information on new kits that will become available.  After hanging out at the Pub for a while I headed back to the hotel to work some more before crashing out around 5 AM.</p>
<p>On Wednesday I woke to continue working a while and to participate in some conference calls, and by the time I was finished with that there was no point in even attempting to attend the conference any longer.  Once the conference was over I headed over to the Rapid 7 Metasploit One Year Anniversary party, celebrating the anniversary of <a title="Rapid 7" href="http://www.rapid7.com/" target="_blank">Rapid 7</a>&#8217;s acquisition of <a title="Metasploit" href="http://www.metasploit.com/" target="_blank">Metasploit</a>.  I spent a lot of time talking about the <a title="ExploitHub" href="http://www.exploithub.com/" target="_blank">ExploitHub</a> at that party, imagine that&#8230;</p>
<p>After the Metasploit party I headed over to the first <a title="QS" href="http://www.quantifiedself.com/" target="_blank">Quantified Self</a> meeting for Toronto, which I had found out about the night before.  The format of the meeting was nearly identical to the <a title="AHA!" href="http://www.austinhackers.org/" target="_blank">AHA!</a> meeting format, and ironically enough it was happening at just about the same time as the AHA! meeting back in Austin.  This meeting was excellent.  There were lots of people sharing their own experiences and questions about personal tracking and statistics with the group, lots of group participation, and I learned about a number of interesting projects and resources such as <a title="CureTogether" href="http://www.curetogether.com/" target="_blank">CureTogether</a>, which is an online community for people with chronic and not easily identified conditions, where the site&#8217;s tools assist in potential diagnosis and give visibility into what treatments other similar sufferers are trying and how well they are working for those other people.  There was also someone at the meeting with a haptic feedback sonar system which allows the user to detect physical objects at range via modulating the frequency of a haptic feedback pulse.  Another attendee introduced us all to an Android app called KeepTrack, which I&#8217;ve been using ever since to keep track of all sorts of things.  You can even have KeepTrack alert you to enter values at specific times with its reminder feature.  Overall this meeting exposed me to some really cool stuff and has somewhat inspired me to be a better scientist when performing experiments with and on myself by recording and tracking more personal data during such experiments than I have been.</p>
<p>After the Quantified Self meeting some of the group walked a few blocks to a Pub for some food, drinks, and further discussion, and then I headed back to my hotel as I had to check out of the hotel and head to the airport at the wee hour of 4:30 AM in order to get through customs and catch my flight back to Austin.</p>
<p>Overall, other than actually missing the conference that I was in Toronto for in the first place, I had a really good time.  Toronto is a beautiful city even though it was a little on the cold and rainy side.  Fallen maple leaves everywhere made me smile more than once.  I had a chance to catch up a bit with my local friend and met lots of new and interesting people.  I hope to have the opportunity to visit Toronto again when I have more time and there isn&#8217;t so much going on with conferences and unexpected work so that I can spend more time with my local friend and really explore and enjoy the city.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2010/11/02/toronto-october-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
		<item>
		<title>ToorCon 12</title>
		<link>http://blog.dustintrammell.com/2010/10/27/toorcon-12/</link>
		<comments>http://blog.dustintrammell.com/2010/10/27/toorcon-12/#comments</comments>
		<pubDate>Wed, 27 Oct 2010 15:23:26 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[attack]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[opinion]]></category>
		<category><![CDATA[reverse engineering]]></category>
		<category><![CDATA[review]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[technology]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[San Diego]]></category>
		<category><![CDATA[ToorCon]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=291</guid>
<description><![CDATA[After a two year absence due to unavoidable other obligations like good friends&#8217; weddings, I finally made it back to one of my favorite hacker conferences, Toorcon.  San Diego is always beautiful when I happen to be there with nice weather and a cool mix of people, both locals and visitors who are there for [...]]]></description>
				<content:encoded><![CDATA[<p>After a two year absence due to unavoidable other obligations like good friends&#8217; weddings, I finally made it back to one of my favorite hacker conferences, <a title="ToorCon" href="http://www.toorcon.org/" target="_blank">Toorcon</a>.  San Diego is always beautiful when I happen to be there with nice weather and a cool mix of people, both locals and visitors who are there for the conference, and this year was no exception.</p>
<p><span id="more-291"></span>On Friday night I only made it through about half of the reception and didn&#8217;t make it to the party that evening as about the time the reception started I was going on about 40 hours without any sleep.  Lately I&#8217;ve been going to bed about 5 in the morning and I had to be at the airport to catch my flight at 6:30 AM, so I just didn&#8217;t sleep Thursday night at all.  I attempted to get some sleep on the plane flight in but every time I would start to doze off the plane would hit some turbulence and wake me back up.  Anyhow, I crashed out early on Friday night.</p>
<p>Saturday was a good day at the conference with many excellent lectures.  I got to catch up with some folks I hadn&#8217;t seen in a while since I had missed the last two ToorCons as well as others who I had seen as recently as BlackHat and DEFCON.  The Microsoft sponsored party Saturday night was good, I had a number of great conversations and even had a chance to dance a bit.  After the party a lot of people went back to h1kari&#8217;s room at Hotel Solamar to hang out and chat and of course drink more.  Good times.</p>
<p>Sunday was all turbo-talks at the conference followed by the closing remarks and then the ToorCon afterparty.  I only saw a couple of talks but the ones I did see were good.  After the closing remarks a few of us had a quick bite at a sports bar in the same hotel as the afterparty and then headed up to that.  Similar to the parties the previous night I met a number of interesting new people and had some good conversations.  Hopefully I&#8217;ll see many of these people again soon at other conferences or back again next year at ToorCon 13.</p>
<p>Below are my thoughts on some of the lectures I was able to attend:</p>
<p><em><strong>Real Men Carry Pink Pagers &#8211; Travis Goodspeed &amp; Michael Ossmann</strong></em></p>
<p>While I had been following this research for a while and saw an earlier talk covering some of the subject material given by Travis at <a title="REcon" href="http://recon.cx/" target="_blank">REcon</a>, this talk was full of interesting information and was quite entertaining, with Travis and Michael constantly referring to certain types of people as quiche-eaters and showing some rather funny marketing videos from the manufacturer of the IMMe.</p>
<p>This talk came at the subject from a slightly different direction than the talk I had seen before and had more information deriving from Travis&#8217;s more recent advancements as well as contributions from Michael.  They covered how, while the radio chip in the <a title="IMMe" href="http://www.girltech.com/electronics-imMe.aspx" target="_blank">IMMe</a> is hardware, it&#8217;s about as close as you&#8217;re going to get to a software radio due to how flexible and configurable it is.  The radio itself is entirely capable of using a wide range of frequencies other than the few that the manufacturer used for its purpose as a communications toy for girls.  Beyond even that, you can configure the radio&#8217;s packet structure so that it can be made to talk to a wide range of devices, even devices that don&#8217;t necessarily share the type of radio chip used in the IMMe.  If you want to work with this device&#8217;s radio on very specific frequencies, TI&#8217;s <a title="Smart RF Studio" href="http://focus.ti.com/docs/toolsw/folders/print/smartrftm-studio.html" target="_blank">Smart RF Studio</a> is extremely useful and will save you a lot of time.  However, if you want to write an application that employs frequency hopping, or monitors multiple frequencies at once like Michael&#8217;s spectrum analyzer that he wrote for the device, Smart RF Studio isn&#8217;t quite adept at those things, so you&#8217;ll want to roll your own or email Travis or Michael for some pointers.</p>
<p>One interesting tidbit of information that came from the spectrum analyzer project is that some consumer two-way radios that they analyzed, while having 14 &#8220;channels&#8221;, really only used two distinct frequencies to cover those channels: one frequency for the lower 7 and one for the upper 7.  They speculated that there is something in the radio packet that is sent that indicates which of the 7 channels assigned to one of the two frequencies is to be used, and the radio just squelches any packets received for the channels it&#8217;s not tuned to.  Due to only employing two frequencies, it is quite easy to monitor or jam the devices, as you can observe or affect 7 channels simultaneously.</p>
<p>Another interesting use they had made of the device was using it to observe and replay garage door opening codes, and they showed a video of this working.</p>
<p>Travis and Michael then talked about some RF devices used for instant feedback and polling which are becoming popular on many university campuses.  Apparently they use these to take attendance, and to do instant polling during lectures.  The application that they developed to attack these is essentially a monitor to see in real time what answers other devices around you are responding with before you choose your own answer (:</p>
<p>The guys finished up showing Travis&#8217;s new case mod for the IMMe, which accommodates an opening in the side of the device for an internal <a title="GoodFET" href="http://goodfet.sourceforge.net/" target="_blank">GoodFET</a> interface that has a Mini USB Type B socket rather than the older GoodFET USB Type A plug; they gave out a number of these boards at the end of the talk.  I already have a GoodFET, however I also own an IMMe, so I went ahead and grabbed a board so that I can duplicate the case mod and make it much easier to reprogram.  They also briefly touched on a Zombie game that they are developing for the device which is to be debuted at the next <a title="CCC" href="http://www.ccc.de/" target="_blank">CCC</a>, so now I have even more incentive to make it out to the next one&#8230; I love multi-player games, especially when they involve hardware or gadgets (:</p>
<p>All in all an extremely informative and entertaining lecture.  So cool&#8230;  So connected.</p>
<p><em><strong>Exploiting SCADA Systems &#8211; Jeremy Brown</strong></em></p>
<p>I only got to see the first bit of this talk, as about 20 minutes into it I got a phone call and had to duck out of the talk to answer.  Jeremy started off by noting how poor security is on many SCADA systems, as many of them run services that you can interface with without any authentication at all; they&#8217;re just wide open services that you can have perform actions for you.  Jeremy then went through an amusing story about attempting to disclose a vulnerability to a SCADA vendor who seemed fairly clueless regarding security, what a vulnerability is, whether or not it could be leveraged to do anything, etc.  He then went into some tips for managing the vulnerability disclosure process, which seemed like he was getting off-topic a bit, and that was the point at which I had to duck out.</p>
<p><em><strong>Advanced AIX Heap Overflow Methods &#8211; Tim Shelton</strong></em></p>
<p>I had already seen most of this talk on video from Black Hat earlier this year but I wanted to catch the rest and Tim is a friend so I figured as a last resort I could heckle him a bit if things got too boring (:  Things didn&#8217;t get boring because he started off the talk drinking and was dipping the entire time, which got quite amusing toward the end of the talk after he&#8217;d gone through about half a bottle of liquor (:</p>
<p>As far as the content goes, Tim covered Litchfield&#8217;s previous research on the topic from 2005 and explained that technique for achieving code execution using heap corruption.  This context is important because the second technique he detailed was his new research on the topic and without an understanding of Litchfield&#8217;s previous research you might not understand how the two techniques differ and under what different process execution circumstances each are used.</p>
<p>In short, Litchfield&#8217;s previous research described a technique for abusing heap corruption employing the rightmost() function when memory is allocated and then followed by a free().  Tim&#8217;s new technique is a way to abuse heap corruption employing the leftmost() function when memory is allocated and then followed by another memory allocation.  In both cases, however, you&#8217;re overwriting 8 bytes beyond the end of a heap buffer and creating a fake heap frame in memory for the overwritten linked-list pointers to point to, so without understanding the subtle differences it can seem like the same technique.  All in all, it was some good research in an area that isn&#8217;t too well explored; it actually advances the current state of the art in that area and provides more options for anyone attempting exploitation against that platform.</p>
<p><em><strong>How I Met Your Girlfriend &#8211; Samy Kamkar</strong></em></p>
<p>This was a fairly entertaining talk that took the form of a case study in social engineering assisted by various and fairly interesting web application attacks and browser protocol abuse.</p>
<p>The web application attack scenario covered breaking down a site&#8217;s authentication cookie into components that could be guessed, harvested, or brute-forced, with the goal of bringing the amount of brute-force work within the realm of possibility.  The example cookie broken down during the lecture contained components such as the user&#8217;s IP address, timestamps, etc.</p>
<p>The protocol abuse component covered some interesting properties of text-based protocols that use CRLFs as command or line delimiters.  By abusing the properties of web forms and POST commands, an HTTP client like a browser can be made to connect to other services such as SMTP or IRC servers, which are usually resilient enough to ignore the HTTP commands and headers and only start processing commands once they receive commands they recognize.  By using hidden form fields, a user that submits the form can have their browser subverted into connecting to a different remote server and issuing commands, such as sending an email or logging into an IRC server and sending a message.  This behavior obviously gives up sensitive information that the attacker may not already have, such as the IP address of the connecting client, various HTTP headers, etc., some of which were used in the authentication cookie that was being broken down and attacked during the talk.</p>
<p>Samy also covered a technique for geo-locating someone based on XXXSS combined with Google&#8217;s street view tracking of WiFi access points by MAC address.  By causing the victim&#8217;s browser to pull the MAC address from the internal side of the victim&#8217;s WiFi AP/Router and then send it out to the attacker, the attacker can then look the MAC up on Google to get a fairly accurate location of where that AP resides in the real world.</p>
<p>Overall this was an informative talk and Samy is an engaging and entertaining speaker.  I look forward to more lectures from him in the future (:</p>
<p><em><strong>The Carmen Sandiego Project &#8211; Don A. Bailey &amp; Nick DePetrillo</strong></em></p>
<p>I had missed this talk the last few times it was given for various reasons, so I was glad to finally catch it, even though I was aware of the research Nick and Don were doing well before the first time they gave this talk.  I am into phones, after all, and I know Nick fairly well, so we had been discussing various things relating to this research for a while.  It was good to finally see it all come together and actually be useful for the intended goal though (:</p>
<p>Nick and Don started off covering SS7 a bit and explaining how prevalent it is in the back-end cellular networks and how having access to it essentially gives you the keys to the kingdom to do whatever you want; however, access is fairly expensive, and if you&#8217;re abusing your access your peers will cut you off, as they actively detect bad actors in the community.  Part of the point of bringing this up at the beginning was to set the frame that everything they describe doing throughout the rest of the lecture was done entirely with available information and without any special access to data or systems such as SS7 devices.</p>
<p>After setting the stage, and identifying <a title="CarmenSandiegoReferences" href="http://thecarmensandiegoproject.com/reference/" target="_blank">a few acronyms (yes, look this over now&#8230;)</a>, they first covered using CNAM and HLR information to ID and track someone via cellular tower switching of the person&#8217;s cellular devices.  This essentially allowed them to somewhat granularly map MSC areas and where their boundaries are geographically.  Then by using other data points for augmentation such as traffic cameras with publicly available video feeds, reversing flight information from times and dates where cellular devices disappeared and showed up again, and other data, a fairly detailed intelligence profile can be constructed about a given individual.</p>
<p><em><strong>Watch Primer for Hackers &#8211; Nick DePetrillo</strong></em></p>
<p>This was probably the talk that I found most entertaining of the entire conference, and describing it here won&#8217;t even do it justice.  I&#8217;m sorry you weren&#8217;t there&#8230;</p>
<p><em><strong>Autism and the Coevolutionary Imperative for Cyborgsurvivalism &#8211; Amber Lundy</strong></em></p>
<p>This lecture was a LOT of information that was being compressed down to fit in a 20 minute turbo-talk.  As such the presenter was rushed, but there was really no escaping that for the amount of material being presented.  Honestly it went so fast that I wasn&#8217;t able to take notes, so it&#8217;s hard to write up a report here.  If you have an opportunity to see the full length talk I would recommend it if you&#8217;re into this sort of thing, as I&#8217;m sure much more detail would be available than was given here, as this was somewhat high level due to the time constraint.</p>
<p>After this talk I spoke to Amber briefly to see if she perhaps had been subscribed to my <a title="Body Hacking List" href="http://lists.caughq.org/?0" target="_blank">Body Hacking</a> email list and had just been a lurker, but she said she hadn&#8217;t heard of it so hopefully she&#8217;ll join as I feel she likely has a lot to contribute to the discussions there.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2010/10/27/toorcon-12/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
		<item>
		<title>REcon 2010</title>
		<link>http://blog.dustintrammell.com/2010/07/16/recon-2010/</link>
		<comments>http://blog.dustintrammell.com/2010/07/16/recon-2010/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 17:19:06 +0000</pubDate>
		<dc:creator>Dustin D. Trammell</dc:creator>
				<category><![CDATA[AHA!]]></category>
		<category><![CDATA[attack]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[books]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[device security]]></category>
		<category><![CDATA[hack]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[hpavc]]></category>
		<category><![CDATA[infrastructure security]]></category>
		<category><![CDATA[locks]]></category>
		<category><![CDATA[perimeter security]]></category>
		<category><![CDATA[reverse engineering]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security research]]></category>
		<category><![CDATA[telephony]]></category>
		<category><![CDATA[BISC]]></category>
		<category><![CDATA[French]]></category>
		<category><![CDATA[GoodFET]]></category>
		<category><![CDATA[JTAG]]></category>
		<category><![CDATA[Montreal]]></category>
		<category><![CDATA[REcon]]></category>
		<category><![CDATA[Richard Thieme]]></category>
		<category><![CDATA[ROP]]></category>
		<category><![CDATA[ToorCon]]></category>

		<guid isPermaLink="false">http://blog.dustintrammell.com/?p=280</guid>
		<description><![CDATA[This last weekend I took a trip up to Montreal for REcon.  If you&#8217;re unfamiliar with REcon, it&#8217;s a small security conference focused on topics most interesting to reverse engineers.  As such, the talks are more technical than you will find at other more mainstream conferences like BlackHat or DEFCON, and generally require a certain [...]]]></description>
				<content:encoded><![CDATA[<p>This last weekend I took a trip up to Montreal for <a title="REcon" href="http://recon.cx" target="_blank">REcon</a>.  If you&#8217;re unfamiliar with REcon, it&#8217;s a small security conference focused on topics most interesting to reverse engineers.  As such, the talks are more technical than you will find at other more mainstream conferences like BlackHat or DEFCON, and generally require a certain level of expertise as a baseline.  If you don&#8217;t understand assembly language, you&#8217;ll probably not get much out of at least half of the lectures.</p>
<p><span id="more-280"></span>Upon arrival at the conference hotel, it was immediately noticeable that the air conditioner was not working.  Had the conference not been in this hotel, and if I didn&#8217;t really like being extremely convenient to the conference, I probably would have not even checked in and gone somewhere else.  They assured me that the air conditioning would be fixed &#8220;tomorrow&#8221;, as they did <em>every</em> day, and it actually was fixed in parts of the hotel over the five days I was there; however, it was never fixed in my room.  Luckily I didn&#8217;t spend much time in my room as I was attending the conference and going out to the various clubs and bars to socialize with other REcon folk.  Other than the heat issue the conference was excellent.  It&#8217;s definitely a contender for my favorite small conference, a title currently held by <a title="ToorCon" href="http://www.toorcon.org/" target="_blank">ToorCon</a>.</p>
<p>Montreal was nice, although predominantly French Canadian, so it was good to have so many friends around that could speak both French and English.  For the most part, in the nicer establishments such as hotels and nice restaurants the people there were usually fluent in both languages, however in the random bars or clubs, or fast food restaurants, it was fairly hit or miss if you would end up speaking to someone that spoke English.  Since I don&#8217;t speak French other than a few words that I picked up during my stay, having French speaking friends around was <em>extremely</em> useful.</p>
<p>The first two nights of my stay I overslept due to the alarm clock being set exactly twelve hours off.  The first time I overslept I chalked it up to user error with an unfamiliar alarm clock, but when I overslept a second time, I knew something was amiss.  Due to oversleeping the first two days of the conference I missed a few of the lectures that I had wanted to see in the mornings, however I did manage to catch some of the others.  Below are my notes and impressions from some of the more interesting ones that I did manage to attend.</p>
<p><a href="http://www.recon.cx/2010/speakers.html#telco">Jonathan Stuart</a> &#8211; DMS, 5ESS, and Datakit VCS II: interfaces and internals</p>
<p>This was a fairly interesting talk about interfacing with various telephone switches.  I used to dabble in this area way back in the day, so some of it was a bit familiar, but not since the mid-90s have I done much telephony stuff until the past few years and my adventures in VoIP land.  While informative and interesting, the omissions of the &#8220;juicy bits&#8221; got a bit repetitive.  However, understanding the speaker&#8217;s background, it was understandable.</p>
<p><a href="http://www.recon.cx/2010/speakers.html#returnoriented">Dino Dai Zovi</a> &#8211; Mac OS X return oriented exploitation</p>
<p>I really enjoyed this talk.  My last couple years at BreakingPoint I wasn&#8217;t doing much fully functional exploit development as the BreakingPoint system takes exploitation up to the point of triggering the vulnerability and no farther, so I hadn&#8217;t been keeping up with new developments in the exploitation field as much as I should have.  When ROP and borrowed instruction programming recently became all the rage, I gave it a passing glance and understood the concept, but didn&#8217;t really dig too much into the details.  This talk was an excellent overview and filled in most of the gaps for me.  Now I&#8217;m somewhat motivated to go write some ROP/BISC exploits (:</p>
<p><a href="http://www.recon.cx/2010/speakers.html#embedded">Travis Goodspeed</a> &#8211; Building hardware for exploring deeply embedded systems</p>
<p>Another talk I really enjoyed.  Travis spent a bit of time on his GoodFET JTAG interface and also spoke about reversing various hardware, including a clicker device used in academia by students to answer questions, vote on things, etc.  Apparently there may be some legal issues surrounding the disclosure of some of the clicker information, so here&#8217;s to hoping that Travis stays out of the pokey (:  I&#8217;m also now motivated to finish assembling these two GoodFET boards that I have sitting here&#8230;</p>
<p><a href="http://www.recon.cx/2010/speakers.html#electroniclocks">Ricky Lawshae</a> &#8211; Picking Electronic Locks Using TCP Sequence Prediction</p>
<p>Although I&#8217;ve seen this talk before at AHA!, it was good to see a prior colleague getting out to speak.  Ricky covered sending unauthorized commands to physical access system door controllers via TCP packet injection.  For a turbo talk it was well organized and he paced it well.  Good job, Ricky (:</p>
<p>Overall I had a great experience at REcon and met a ton of awesome people.  I also had an opportunity to catch up with many of the usual suspects, including <a title="Richard Thieme" href="http://www.thiemeworks.com/" target="_blank">Richard Thieme</a> who was keynoting this year.  Richard has a new book that was recently published entitled &#8220;Mind Games&#8221;, of which I picked up a copy that he graciously scribbled on for me.  So far it is an excellent read and I highly recommend <a title="Mind Games" href="http://www.thiemeworks.com/book-mind-games/" target="_blank">picking it up</a>.</p>
<p>As far as REcon goes, I completely intend to go back again next year as apparently Hugo plans to forgo the bi-annual schedule he&#8217;s been on and go annual!  So, I&#8217;ll see you all again next year at REcon (:</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.dustintrammell.com/2010/07/16/recon-2010/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/f5461a03b6d8f1b6c61e4bc1d33996ee?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Dustin D. Trammell</media:title>
		</media:content>
	</item>
	</channel>
</rss>
