What's up at BlackHat this year?
Posted by Jon Larimer on July 29, 2011 at 10:37 AM EDT.
The speaker lineup at BlackHat USA this year is pretty impressive and there's a lot that I want to see. My day-to-day focus here on the IBM X-Force team is malware and reverse engineering, but I also spend time bug hunting when I get a chance. So the talks that I'm particularly interested in are the ones on reversing and vulnerability discovery and exploitation. I'm not really into the high level, non-technical stuff – I need to see some assembly code on a slide to be happy.

A few people have been complaining that there are just too many tracks going on at once at BlackHat. The BH organizers heard the complaints and responded: there were 11 simultaneous tracks last year, and they trimmed it down to 9 this year. One of the consequences of that is that it was harder to get a paper accepted this year. I know tons of smart people with great talks that weren't accepted. There are still a lot of good looking presentations on the schedule, and here are the ones that I'm going to check out:
Mario Vuksan + Tomislav Pericin: Constant Insecurity: Things you didn't know about (PE) Portable Executable file format
The PE format used in Windows EXE and DLL files has been around for a while, and I haven't seen any new PE tricks in ages. Mario and Tomislav are promising to show off some new techniques that malicious software could take advantage of to avoid detection by security tools. This should be pretty interesting if you're into reverse engineering.
Chris Rohlf + Yan Ivnitskiy: Attacking Clientside JIT Compilers
JIT compilers are everywhere, and they're an interesting avenue of attack. Besides exploiting bugs in the JIT compilers themselves, attackers can use techniques like JIT spraying to avoid protections like DEP and ASLR. I haven't yet seen an in-depth analysis of JIT engines and the ways they can be used by attackers though, so hopefully this will be that talk. I'm also hoping Chris and Yan will be releasing the tool they developed. I'm sick of being disappointed by seeing a conference talk about an interesting tool that never gets released.
Tarjei Mandt: Windows Hooks of Death: Kernel Attacks Through User-Mode Callbacks
Win32k.sys has been a productive place for finding kernel bugs in Windows for a while. Tarjei found tons of them over the past couple of years, and in this talk he's going to cover one big avenue of attack: user-mode callbacks. He found a fundamental flaw in the design of user-mode callbacks, and it's likely that lots of new bugs will be discovered. This will be a good talk to see if you want to spend time bug hunting in the Windows kernel or if you want to be ready to analyze the next piece of malware with a kernel privilege escalation 0-day.
Paul Sabanal + Mark Yason: Playing In The Reader X Sandbox
My X-Force teammates, Paul and Mark, spent a lot of time this year digging into the internals of the Adobe Reader X sandbox. It seems like everyone's putting a sandbox in their software now, which is a good thing, and the security researcher community has been paying attention. Paul and Mark's research could be applicable to other application sandboxes, and if you're into that kind of thing you should definitely come see this talk.
Nelson Elhage: Virtualization under attack: Breaking out of KVM
I'm a heavy user of VMs for malware analysis. I haven't yet seen a piece of malware that exploits a VM escape vulnerability to break out and infect the host, but I know it's possible. Nelson's research should help make VM hypervisors more secure against escape attacks, as long as the other VM vendors are paying attention.
Tavis Ormandy: Sophail: A Critical Analysis of Sophos Antivirus
As a malware researcher, I'm well aware of the limitations of antivirus software. I'm always finding new samples that come back from VirusTotal with only 0-2 detections, and there have been quite a few documented vulnerabilities in AV software reported over the years. I'm not surprised by Tavis's conclusion that AV software has flaws, but I'm very interested in the results of his analysis and the different types of vulnerabilities he found. It's likely that AV software from other vendors could have similar flaws, so this is definitely a talk to see if you're involved in the AV industry at all.