ToorCon 9

ToorCon is always one of my favorite conferences of the year, and this year was no different. Actually, I take that back, it WAS different, it was even better than usual. I got something out of almost every talk that I attended, and the conference ran very smoothly. The conference is small and intimate and the speaker badges are green… I really can’t ask for much more. This year the conference was split between the two days; the first day being traditional hour-long presentations, whereas the second day took its cue from ToorCon Seattle (beta) and was entirely 20-minute turbo talks. I thought the conference format worked out really well and provided a much larger breadth of subject matter than would normally have been possible with entirely traditional-length talks.

Below are my thoughts on the various talks I attended.

Wolverine, Yo’Mama, Spooks, and Osama

Beetle

This was one of the most entertaining talks I’ve seen in a while. Beetle started his talk off with the current state of the Marvel comic universe and how it is eerily paralleling the real world and many of its issues: overreaching government control, national security, fear of terrorism, etc. Being a comic geek myself, and the Marvel universe being where the vast majority of the comics I read are set, I understood exactly what he was talking about and where he was going. This part of his talk may have been lost on some of the non-comic-minded in the crowd. Next he told some funny stories about his parents and their interactions with technology and security, making the point that old people will likely be the death of the Internet. The end of his talk focused on “cyber-terrorism” and how he felt that the hype far outweighed the real threat.

Black Ops 2007: Design Reviewing the Web

Dan Kaminsky

Usually when I attend Dan’s Black Ops talks, I have to sit through some of his content which I’d seen before to get to the new stuff toward the end. I don’t know if Dan is getting better at including a larger majority of fresh content in his talks, or if my avoiding his last couple of talks so as to wait a bit longer between seeing them is responsible, but this time I saw entirely new content. I heard someone mention that they had seen part of it before, perhaps at BlueHat? But I hadn’t, so it was all new to me.

Dan started off talking about DNS resolution pinning and tricks you can use to cause browsers running both JavaScript and Flash to execute arbitrary code within the security context of a different site. This basically involved responding to DNS requests differently depending on what content the browser was after: load the normal site resources by resolving the hostname to the site’s real IP, but then also load some malicious code from a different IP as well, still by responding to the site’s normal hostname. He leveraged this to load malicious software within a browser that allows a client application to set up TCP and UDP sockets with the malicious code running within the browser, essentially allowing network tunneling into a restricted network area such as behind a firewall by tunneling through a compromised browser.
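To make the defensive side of this concrete, here is an added example (my own illustration, not code from Dan’s talk) of the two mitigations that stop the trick described above: refusing answers that point an external hostname at an internal address, and pinning a name to its first accepted address for a window of time so a later “rebound” answer is ignored. The hostnames, addresses, timestamps, and the `corp.test` internal suffix are all constructed for the example.

```python
import ipaddress

# Address ranges that should never appear in an answer for an external hostname.
# The attack described in the talk depends on the second answer for the site's
# normal hostname pointing somewhere inside the victim's network.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918 private space
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]

# Hypothetical suffixes of names that legitimately resolve to internal addresses.
INTERNAL_SUFFIXES = ("corp.test",)


def is_internal_address(ip_text):
    """True if the address lies in one of the ranges above (either IP version)."""
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETWORKS)


def is_internal_name(name):
    name = name.rstrip(".").lower()
    return any(name == s or name.endswith("." + s) for s in INTERNAL_SUFFIXES)


class RebindGuard:
    """Drops internal answers for external names and pins an external name to its
    first accepted address for pin_seconds, which is what browser DNS pinning does."""

    def __init__(self, pin_seconds=60):
        self.pin_seconds = pin_seconds
        self.pins = {}  # name -> (address, time it was accepted)

    def resolve(self, name, answer_ip, now):
        """Return (address to use or None, reason) for one observed DNS answer."""
        if is_internal_name(name):
            return answer_ip, "internal name"
        if is_internal_address(answer_ip):
            return None, "dropped: external name resolved to internal address"
        pinned = self.pins.get(name)
        if pinned is not None and now - pinned[1] < self.pin_seconds:
            return pinned[0], "pinned"  # keep the first answer until the pin expires
        self.pins[name] = (answer_ip, now)
        return answer_ip, "accepted"


# Constructed sequence of answers as a resolver might observe them: (time, name, ip).
SAMPLE_ANSWERS = [
    (0,   "www.example-site.test", "203.0.113.10"),
    (30,  "www.example-site.test", "198.51.100.7"),  # changed inside the pin window
    (30,  "www.example-site.test", "10.0.0.5"),      # external name -> private address
    (30,  "intranet.corp.test",    "10.0.0.5"),      # internal name, allowed
    (100, "www.example-site.test", "198.51.100.7"),  # pin expired, new address accepted
    (100, "cdn.example-site.test", "127.0.0.1"),     # loopback answer for external name
]


def run_sample(pin_seconds=60):
    """Feed the constructed answers through a guard and return its decisions."""
    guard = RebindGuard(pin_seconds)
    return [guard.resolve(name, ip, t) for t, name, ip in SAMPLE_ANSWERS]


if __name__ == "__main__":
    for (t, name, ip), (used, reason) in zip(SAMPLE_ANSWERS, run_sample()):
        print(f"t={t:>3} {name:<24} answer={ip:<14} use={used} ({reason})")
```

The address check is written against explicit networks rather than `ipaddress`’s `is_private` because the latter also treats the documentation ranges used in the sample as private. Note that the drop happens before the pin lookup, so an internal answer never becomes the pinned address even if it arrives first.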

At the end of his talk he also talked about net neutrality, or rather, hostile ISPs, and demonstrated a way to definitively tell whether or not your ISP is being hostile to various types of your network traffic by leveraging some of the tricks from the earlier part of his talk.

Fuzzing with Code Coverage by Example

Charles Miller

In my opinion, there is not much research being done (or at least being talked about) which truly advances the state of the art in fuzzing. Pedram and Aaron’s talk at BlackHat was one of them. I believe that this talk may be another, and both this talk and the BlackHat talk were about completely different things. Most of the prominent fuzzing tools and methodologies these days involve thoroughly researching the type and format of the input data which will be used for fuzzing, and then manipulating that data set to achieve the result. This talk was more about observation of behavior and trial and error rather than understanding the data or what it’s used for.

Charles started off with some basics of fuzzing, which I’m not sure this audience really needed, but at least that part was short and to the point. He then went on to discuss some code coverage techniques and tools that you can use to help identify what code (or which instructions, if you’re dealing with binary executables) is being exercised by various types of input. By watching the data flow from input vectors through the code, you can note things like conditional branches which can be more effectively covered by massaging your input. The process he described takes much less initial research as it’s designed to be used without much knowledge of the underlying data such as protocol semantics and packet structure. He ended the presentation with a case study of a vulnerability he found and worked out an exploit for entirely by code coverage fuzzing and with no prior knowledge of the protocol or data structure being used.
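Since the whole point of Charles’ approach is that coverage feedback substitutes for understanding the format, here is an added example (my own, not Charles’ tooling) of the loop in miniature: a toy record parser with one planted bounds bug, line coverage collected with `sys.settrace`, and a mutator that keeps only inputs that reach new lines. The record format, the parser, and the seed inputs are all constructed for the example; the fuzzer never looks at the format, only at which lines each input exercised.

```python
import random
import sys

# Toy target, constructed for this example: magic byte 'R', a kind byte, and for
# kind 2 a length nibble followed by a body. The planted defect is the copy of the
# body into a 4-byte buffer with no bounds check; in Python that surfaces as an
# IndexError where native code would corrupt memory.
def parse_record(data):
    if len(data) < 2:
        raise ValueError("too short")  # handled error, not a crash
    if data[0] != 0x52:                # b"R"
        return "bad-magic"
    kind = data[1]
    if kind == 1:
        return "ping"
    if kind == 2:
        length = (data[2] & 0x0F) if len(data) > 2 else 0
        body = data[3:3 + length]
        if len(body) != length:
            return "truncated"
        buf = bytearray(4)             # fixed-size buffer...
        for i, b in enumerate(body):
            buf[i] = b                 # ...written without a bounds check
        return "data"
    return "unknown-kind"


def run_with_coverage(func, data):
    """Call func(data) and return (result, exception, set of line numbers executed)."""
    lines = set()

    def tracer(frame, event, arg):
        if frame.f_code is func.__code__:
            if event == "line":
                lines.add(frame.f_lineno)
            return tracer
        return None

    sys.settrace(tracer)
    try:
        result, exc = func(data), None
    except Exception as e:             # any exception ends the run; classified below
        result, exc = None, e
    finally:
        sys.settrace(None)
    return result, exc, lines


def mutate(rng, data):
    """One random byte-level edit: bit flip, byte overwrite, append, or delete."""
    data = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and data:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif choice == 1 and data:
        data[rng.randrange(len(data))] = rng.randrange(256)
    elif choice == 2:
        data += bytes(rng.randrange(256) for _ in range(rng.randrange(1, 17)))
    elif data:
        del data[rng.randrange(len(data))]
    return bytes(data)


def fuzz(seeds, max_iters=30000, seed=1):
    """Coverage-guided loop: keep a child only if it reaches lines no input has before.
    A ValueError is the parser's own input rejection; anything else counts as a crash."""
    rng = random.Random(seed)
    corpus = list(seeds)
    covered = set()
    for s in corpus:
        covered |= run_with_coverage(parse_record, s)[2]
    initial = len(covered)
    for it in range(1, max_iters + 1):
        child = mutate(rng, rng.choice(corpus))
        _, exc, lines = run_with_coverage(parse_record, child)
        if exc is not None and not isinstance(exc, ValueError):
            return {"crash": child, "error": exc, "iterations": it,
                    "initial_coverage": initial, "final_coverage": len(covered | lines),
                    "corpus_size": len(corpus)}
        if lines - covered:            # new lines reached: this input is worth keeping
            covered |= lines
            corpus.append(child)
    return {"crash": None, "error": None, "iterations": max_iters,
            "initial_coverage": initial, "final_coverage": len(covered),
            "corpus_size": len(corpus)}


if __name__ == "__main__":
    report = fuzz([b"R\x01", b"hello"])
    print(f"crash={report['crash']!r} error={report['error']!r} "
          f"after {report['iterations']} iterations, "
          f"coverage {report['initial_coverage']} -> {report['final_coverage']} lines")
```

The seeds deliberately don’t include a kind-2 record; the fuzzer has to find that path itself, and it does so because the “unknown-kind” and “truncated” branches each count as new coverage and get kept as stepping stones. Real tools do the same thing against basic blocks in a binary rather than Python lines, which is the code coverage angle Charles was describing.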

Cthulhu: A Software Analysis Framework Built on Phoenix

Matt Miller

Matt (skape) always brings something extremely interesting (and usually pretty obscure) to the table. This talk was no different. Matt started off by stating that software analysis was something that he’s been very interested in for a while but just recently had the opportunity to begin to explore. He also described what Phoenix is, which is the next generation of compiler for Microsoft systems. The talk is rather hard to summarize, but essentially Cthulhu is designed to make use of the information provided by Phoenix to perform data flow and control flow analysis of various aspects of an application or larger complex system. By abstracting out and generalizing components, analysis can link data flow between two components which may not be directly connected. The example Matt used was connecting data flow from an output function of one part of a network client application to an input function of another part of a network server application. I highly recommend you read the slides or watch the video to really grasp the concepts and what he is trying to accomplish. I personally saw an immediate benefit to some research that I’ve been doing and plan to follow up with Matt and see if his analysis framework could be used for my purpose.

Speeding Up the Exploits’ Development Process

Jerome Athias

I really enjoyed this talk as I use Metasploit myself and am becoming more and more involved in exploit and attack development. Jerome presented an overview of MSF-XB, or, the Metasploit eXploit Builder. MSF-XB is essentially a GUI front-end to Metasploit and other tools which provides the user with a single interface for exploit development. This interface assists the developer in various tasks such as determining return addresses, generating shellcode, etc. by leveraging the underlying systems such as Metasploit. Unfortunately, it’s a Windows application and I primarily use Metasploit on Linux, but given its utility it may be worth booting a Windows VM (:

The Last Stand: 100% Automatic 0day, Achieved, Explained, and Demonstrated

Jason Medeiros

Jason described some of the common ways that bugs are analyzed and exploits written and noted that a lot of this process can be easily automated. He then questioned why no one had automated it before. Next he went on to explain how parts of the process could be automated and then demoed his automation tool in action, which produced a C exploit for the vulnerability he was using as an example. It was really cool stuff, and extremely useful for cranking out exploits to simple vulns like straightforward stack and heap overflows, but I wonder if it can target more complicated and esoteric vulnerabilities like integer overflows, some of the more crazy heap overflows, format string bugs, etc. Overall it’s a very cool tool and I look forward to trying it out.

CDMA Unlocking and Modification

Alexander Lash

The technical depth of this talk was a little shallow, but the speaker noted that that was intentional as he wanted to leave the majority of his time for answering specific questions from the audience. Alexander is one of the best speakers I’ve seen in a while; he was concise and to the point, and he spoke with obvious knowledge and authority about his subject, even in the face of some fairly obscure questions from the audience. The subject of his talk covered CDMA cellular phones, various ways to unlock them, and various types of modification.

VoIP Penetration Testing: Lessons Learned, Tools and Techniques

Jason Ostrom, John Kindervag

This presentation was mostly about a new tool called voiphopper. John started off with some quick information about what they do and the types of assessments they’ve been working on for customers. Jason then presented some case studies which outlined the abilities of the voiphopper tool, which centered around hopping VLANs so as to traverse the logical separation of VoIP and data networks, essentially making the case that VLANs are not a security technology. I always try to convince people that using VLANs as a security control just isn’t a good idea but many times they don’t believe me without concrete proof or examples. While there have always been ways to demonstrate the failings of VLANs when used as a control, within the context of VoIP this tool makes an extremely good case.

Byakugan: Automating Exploitation

Nathan Rittenhouse

Nathan essentially gave an update on the Byakugan WinDBG plug-in project and the types of things they are accomplishing with it. Pusscat gave a previous overview back at ToorCon Seattle (beta) and this was essentially an extension of that. Nathan outlined some of the features of Byakugan and also introduced NOXdbg, intended to be the Ruby equivalent of PyDbg for Python. Toward the end of the talk, JohnnyCache demoed a real-time 3D visualization of a process’s heap, which was really cool.

Live Memory Forensics

datagram

This talk was basically an overview of live memory forensics, how it differs from “dead” forensics (targeting a powered-off system), and described many of the tools and techniques for performing this type of forensics. datagram also discussed some of the limitations of both live and dead forensics and made the point that both should be used to augment each other rather than one as a replacement for the other. Forensics is definitely not my research field so I don’t have the background to state whether or not there was anything new here, but it seemed like a good overview of the field and the speaker at least provided tool references.

Attacking VoIP to Gain Control of a Laptop

Nick Kezhaya, Sachin Joglekar

This presentation is what I assume is a condensed version of what was supposed to have been presented at BlackHat. This time however the original speakers made it to give the talk and since I saw both versions I can say this one was much improved. Sachin, who essentially replaced me when I left Sipera to move to Austin, presented the case that the majority of VoIP phones, both soft-phones and hardware devices, are essentially crap. Nick then went on to demonstrate the LAVA attack framework launching a buffer overflow exploit against a particular soft-phone in order to execute a remote shell and gain control of the target laptop. Compared to the BlackHat version, these two speakers were much more versed in security concepts and the common vernacular and were able to explain the details of the vulnerability and how the attack worked in the face of some questions from the audience. I believe that the 20-minute turbo-talk format was much more appropriate for this talk than the hour slot it was given at BlackHat, although for the particular audience at ToorCon I would have liked to have seen some more details on the vulnerability being exploited itself, such as perhaps a disassembly of the vulnerable code, references to offsets, the exploit payload, etc. Perhaps they should use an old vulnerability which already has a patch so that they can disclose more detail. Given a less technical audience however, what was presented would have probably been adequate. Overall, while I felt the presentation lacked the technical detail I mentioned it was much improved over the version from BlackHat.

Context-keyed Payload Encoding


This was my talk. Overall I felt it went really well, I hit my time constraint with a few minutes left for Q&A, and I stayed focused and on point. As always I forgot to repeat the question for the benefit of the microphone a couple of times but it can’t always go perfectly (: You can view the slides and video from my talk at my website.

The Talk Talk: How to Give Better Tech Presentations

Strom Carlson

Since there seems to be no end in sight regarding myself giving tech presentations, nor would I want there to be, I went to this talk with interest. Strom outlined some fundamental things that you can do to better format your message and reach a wider audience, as well as some good pointers on how to connect with the audience and keep them engaged. Overall I felt it was fairly informative and I should be able to use some of the information when preparing for future speaking engagements.


Christopher Abad

Not Abad’s normal style of rant but interesting nonetheless. Chris talked about supply and demand and how it relates to scarce or abundant resources. He then tied that to intellectual property, or “ideas”, and their property of not having a significant material or tangible barrier to reproduction thus making an enforcement of their scarcity (such as per-seat licensing) essentially an artificial attribute. His opinion seems to be that such practices are simply wrong and software developers should be paid for their effort in a different manner. He believes that things which are by their very nature abundant should be freely available to the masses.

vnak (VoIP Network Attack Kit)

Zane Lackey

Zane outlined some attacks against VoIP signaling protocols like H.323, SIP, and IAX such as authentication downgrade attacks, authentication token cracking attacks, etc., essentially the same types of attacks he detailed in his BlackHat talk. The difference here was that he provided an all-encompassing tool called vnak which implemented many of these attacks. vnak is intended to be a Swiss-army-knife type tool for VoIP signaling hackers.