REcon 2012

I’ve just recently returned from REcon 2012 and while I heard a couple people express that they had “heard” that some people were more disappointed with this year’s conference compared to prior ones, I personally really enjoyed it and felt it was the best one yet.  I saw and enjoyed more of the lectures this year than I have in the past and seemed to have better interactions with the other conference attendees, better conversations, and generally enjoyed myself more than years past.  Perhaps it was because this year Montreal wasn’t in the middle of a heat wave with no air conditioning in the hotel and the conference hotel didn’t catch fire (:

Overall the REcon conference has been kept intentionally small.  Only a limited number of tickets are sold each year and the price point for tickets is more in-line with CanSecWest and BlackHat than the less expensive conferences like DEFCON, ToorCon, InfoSec Southwest, and so forth.  For non-Canadians, the travel can be a bit expensive as well so it seems that the level of quality of the attendees is very high in that the majority of the attendees are the really serious reverse engineers who are willing to foot the expense themselves and the ones who do this kind of work professionally and can have their employer pay the expense end up attending.  This makes for some very engaging conversations with people who really know what they’re talking about and know the subject inside and out.

As mentioned above I saw nearly all of the lectures this year except for a few so I won’t write up a summary of all of them, however some of the ones that I really enjoyed were:

Rolf RollesKeynote: The Case for Semantics-Based Methods in Reverse Engineering

Shortly after his keynote was the first time I had met Rolf in person, however over the years I’ve heard nothing but good things about the exceptional quality of his work and the training he provides on a regular basis.  We attempted to have him provide training at InfoSec Southwest 2012 although unfortunately we didn’t have enough students sign up for his course in order to have him proceed with that, but hopefully we’ll be having him provide training at next year’s InfoSec Southwest.  Regardless, after watching his lecture, everything I had ever heard about his work, his presentation style, and his approach to security problems was spot on.  While a lot of the abstract concepts presented in his lecture went somewhat over my head (or my mind was too exhausted from travel), it was still quite impressive.

Igor Glücksmann – Injecting custom payload into signed Windows executables

If you ever trusted signed Windows Portable Executable (PE) files to be safe from malicious code, don’t.  Igor presented analysis of CVE-2012-0151, then went on to describe a number of additional techniques which expanded on the problem.  Essentially, there are various tricks that you can use depending on the type of signed PE executable you’re using as the host file to inject or append arbitrary payload into, resulting in a signed executable that will execute your code when a user runs the program while maintaining the integrity of the digital signature.  The techniques he presented were reported to Microsoft and most of them fixed, however he indicated that there are likely additional cases that still exist that are able to be leveraged as Microsoft’s solution to one of the techniques was to use a blacklist, and we all know how well blacklists work (they only block what is known and identified).

Dimitry Nedospasov – Backside optical analysis hardware/software running on ICs

This was a pretty cool explanation of how to inexpensively analyze running integrated circuits (ICs) using optics and a whole lot of looping code and time (:  By watching the back-side of an IC while looping through various bits of code that exercise certain parts of a chip such as memory, registers, etc., you can identify where on the hardware those components are actually located by recording the photon emission leakage from the various components while the device is under test.

Sergey Bratus & Travis Goodspeed – Facedancer USB: Exploiting the Magic School Bus

This lecture was an overview of Travis’s new device which is essentially a GoodFET with an additional chip which allows it to interface to USB enabled devices.  Using this device, you can use the python GoodFET interface you’ve come to know and love in order to emulate a USB device and attack the USB stack on the host system.  This includes the USB hardware bus itself, the driver, and application, and so on.  I would assume you could also use it to attack USB devices themselves but I don’t recall them covering this use case.  The entire lecture was themed “the Magic School Bus” as we’re talking about buses here, and every few slides or so they had a picture of a crashed school bus and an accompanying joke or anecdote.  Amusing, but also a bit dark as at one point Travis commented that in some of those cases school children had died in order to allow us to laugh at these images, so we should continue to laugh so that their lives were not lost in vain.  Dark, Travis… dark.  Anyhow, one thing I noticed was how well Sergey and Travis present together.  They both usually had commentary for each slide, their commentary was often very complimentary to the point that the other was conveying, and they avoided stepping on each other’s toes quite well.

Joan Cälvet – Cryptographic Function Identification in Obfuscated Binary Programs

Joan covered a couple of techniques using both behavioral and static analysis of obfuscated binaries that allows the reverse engineer to identify known and common cryptography libraries and cryptographic functions used in the binary under analysis.  Very interesting research subject.

Francisco Falcon & Nahuel Riva – Dynamic Binary Instrumentation Frameworks: I know you’re there spying on me

Francisco and Nahuel are from Argentina and apparently this was their first lecture either outside their home country or ever, but at least their first in English, and I have to say they did a fine job with the lecture format and language.  These two covered something like twenty different techniques that can be used from within an application to identify the potential presence of instrumentation of the executing code.  They focused on a common instrumentation framework called Pin so some of the techniques were specific to Pin, however during the questions at the end of the lecture they indicated that some of the techniques should be commonly applicable to other instrumentation tools and frameworks as well.  This lecture also gave me the idea to add support for a Plugin product type in the ExploitHub as all of their techniques were implemented as plugins to a framework for running their tests, so expect to be able to sell plugins to various applications in the ExploitHub soon (:

Aaron Portnoy & Brandon Edwards – IDA Toolbag

Although these guys had released their IDA Toolbag prior to the conference and I was already familiar with it and most of what functionality it provided, they still surprised me with a few features that I wasn’t aware of.  Also, seeing such a powerful tool speed-demoed like it was (they only had a 30 minute lecture slot) made it look  extremely impressive.  If you use IDA Pro at all and have not checked out their IDA Toolbag, stop reading right now and go begin downloading it.  This blog post will be here when you get back and you’ll thank me later.  The Toolbag provides a ton of features that make working in IDA much, much easier and will save you a LOT of time.  From a more intuitive navigation method which employs a history list that you can jump around through, to collaborative features that make it easier for multiple team members to jointly reverse the same target, it’s quite comprehensive.  My favorite feature, and the one that prompted it’s own individual round of applause from the lecture audience, was easily the Pathfinding functionality.  Pick a location, pick another location, and the Pathfinder will find all of the potential routes from one to the other.  If I still had time to bug hunt vulnerabilities myself this feature would save me massive amounts of time.  Mark the data input, mark the vulnerable code, now how do I get from one to the other?  This used to be a pain to analyze by hand, but can now the majority of which can be done in a matter of seconds thanks to the Toolbag.  On a related note, I was referring to people as “toolbags” in my best New Yorker accent all day in honor of their lecture (:

In conclusion, overall the conference was awesome.  This was my third time in Montreal for REcon and this year the weather was perfect; mid-70’s during the day and low 60’s at night.  I don’t think I’ve drunk anywhere near the amount of scotch that I drank over these five days ever.  I’m definitely looking forward to attending next year, and it may be about time I learned some French if I’m going to continue attending in the future (:

Leave a Reply