BlueHat v5

BlueHat v5, held at the Microsoft campus in Redmond, is Microsoft’s own little hacker conference. It’s an invite only conference, however I was able to get an invite through a colleague. Normally I wouldn’t be interested in a Microsoft-centric security conference, as the large majority of my research targets have nothing to do with Microsoft products, but I was going to be in town during BlueHat anyway due to a small vacation prior to BlueHat, and speaking at ToorCon Seattle (Beta) afterward, so I figured I might as well attend.

Being an “external” attendee (i.e., I don’t work for Microsoft), I was essentially treated as a speaker and got to hang out in the speaker lounge since apparently the only external people that really attend are generally the speakers. That was fine by me however, since mostly everyone there that I knew was speaking or was in the same situation I was in.

Finally, here are my comments for the various talks that I attended:

Your Underground Vulnerability Economy

Rob Thomas

This guy was an extremely engaging speaker. He was essentially talking about the seedy underbelly of the Internet, the black market for sploits, botnets, money transfer and laundering, etc. He also had lots of case studies and examples. I got the impression that all the players in the game are extremely specialized and segmented into specific roles, like botnetters, cashiers, exploit writers, etc. He also made the point that organized crime is of course involved in all of this but due to the way the game is played online, the mobsters are essentially operating like everyone else, essentially anonymously, so it’s not like the way organized crime operates in meat-space.

Breaking and Breaking Into Microsoft Products

David Maynor & Robert Graham

These guys started off by talking about software such as anti-virus systems, stating that they have large attack surfaces and some of these types of poducts create threats like evasion and modification which can cause more problems than the product actually solves. They then went on to describe how a vulnerability is reverse engineered from a patch using tools like bindiff and function tracing with IDA. They then mentioned that software that perform auto-updates provide a convenient attack vector via the update process to inject and/or poison the content (like anti-virus signatures) or code (for software updates). They then described how most anti-virus signatures work by identifying various data points like filename, path, checksum, strings, etc., and stated that if you change enough of these data points in your malware, they will easily evade detection. They then performed a demo of subverting/controlling Microsoft Defender by feeding it info saying it’s own scanning engine was malware, thus having it kill itself, an example of poisoning an auto-update request. They then pointed out the futility of attempting to detect malicious activity via IDS/IPS by relying on things like banners, and used the example of looking for a remote shell being spawned by identifying cmd.exe’s initial banner, which can be disabled via a command-line option, stating that preemptive coverage via these methods can’t be comprehensive. They then went on to discuss DRM and cracking products, and how hackers rely on firmware updates that they can analyze and disassemble to understand the underlying hardware, and used the Zune as an example. They finished up by stating that one way to help thwart reversing of patches is to change much more than is necessary to fix the bug, thus making it harder to identify from the patch where the bug was located. Security via obscurity? I think that’s what they actually recommended!

Your Tamper-Resistant Hardware Makes a Great Sport for Hackers

Bunny Huang & Felix

This was a really interesting talk. Bunny first talked about some cool chip reversing using microscopes, and compared it to code reversing with IDA. He noted that you can generally hone in on interesting bits by looking for suspicious hardware features like metal shielding over components. He then detailed a method to erase certain parts of chips using electrical tape for masking and extended exposure to ultraviolet light. Felix then went on to detail three case studies in hacking hardware devices. The first was a cable box. They bypassed the boot loader security by discovering a debug mode. In the debug mode, the box will boot custom code, allowing a full Linux OS and application software to replace the original. As the original manufacturer’s software was horrible and they are now out of business, his estimate is that 80% of all of the devices in question are now running their custom software instead of the manufacturer’s original. The second case study was the Nintendo Gamecube. He stated that the Gamecube had no chain of trust which was a major weakness. He detailed the Phantasy-Star Online hack which allowed you to use this network-enabled game to run your own software as previous research for the device. Once the device was hacked and would run custom code, he praised the separation of security mechanisms in the Gamecube because the anti-piracy protection is within the CD-ROM drive, which he had no reason to hack because it didn’t prevent him from running his custom code. Thus, even with using his hacks, there are still no piracy problems for the Gamecube. The final case study was the Xbox360, which overall has excellent security, however he discovered a bug in the hypervisor which makes use of 64-bit values, the lower 32-bits used for addressing and the upper 32 used for security flags. A bug which did a bitwise shift-left on the entire 64-bit value rather than just the 32-bits of addresses allowed an attacker to modify the security flags in the upper 32 bits, thus allowing some compromise.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: