Internet Security Systems - AlertCon(TM)

What's Happening at Black Hat this Year

Posted by Zubair Ashraf on July 23, 2012 at 5:05 PM EDT.

Black Hat 2012 is just around the corner and, like last year, the whole X-Force Research team will be in attendance. This is going to be the first time I attend Black Hat in person. Two of my teammates, Paul Sabanal and Mark Yason, are keeping up their tradition of taking apart sandboxes, and I am looking forward to their presentation.

I will organize the rest of this blog entry by the skill and technology areas I am interested in, listing the related briefings I have selected under each.

State of the Art in Sandboxing Technology, Reverse Engineering, and Escaping the Sandbox:

Digging Deep Into The Flash Sandboxes - Looking forward to this one to deepen my understanding of cutting-edge sandboxing technology, as my colleagues Mark and Paul describe the internals of three sandbox implementations for Flash (Protected Mode Flash for Chrome, Protected Mode Flash for Firefox, and Pepper Flash) and how they broke out of them.

Google Native Client - Analysis of a Secure Browser Plugin Sandbox – Google's Native Client is meant to be a safe, restricted environment for running untrusted native code, which it achieves through a combination of software fault isolation, a custom compiler toolchain and a secure plugin architecture. Looking forward to hearing what Chris learnt about its vulnerabilities through a combination of fuzzing and source code auditing.

Recent Java Exploitation Trends and Malware – should be a good refresher on recent Java sandbox escapes and exploitation techniques.

Mobile Exploitation:

In this space I look forward to attending Charlie Miller's Don't Stand So Close To Me: An Analysis of the NFC Attack Surface. Charlie will be describing the NFC protocols and the results of his fuzzing attempts against them.

There are many other interesting talks in this space that I will have to skip because they are scheduled at the same time as other talks I have picked.

RE, Exploit Dev, Exploit Mitigation Technologies:

In this wide category I am looking forward to the following talks:

  • Windows 8 Heap Internals
  • Exploit Mitigation Improvements in Windows 8
  • iOS Kernel Heap Armageddon Revisited
  • Easy Local Windows Kernel Exploitations
  • Exploitation of Windows 8 Metro Apps


Going deeper in the stack: hardware, firmware and hypervisor RE and exploitation:

A Stitch in Time Saves Nine: A Case of Multiple Operating System Vulnerability – Here Rafal will discuss the subtleties of the “sysret” instruction and other relevant Intel instructions, and how they can be exploited.

Advanced ARM Exploitation – Although this one conflicts with the talk above, it is quite appealing for understanding exploitation techniques on ARM processors.

Hardware Backdooring is Practical – It will be interesting to see a PoC capable of infecting more than a hundred different motherboards, permanently disabling NX and removing SMM-related fixes from the BIOS. I am also hoping for a deep dive into Coreboot and the hardware components embedded on the motherboard, such as the BIOS, CMOS and PIC.

Other talks in this area that I am interested in are:

  • Here Be Backdoors: A Journey Into the Secrets of Industrial Firmware
  • SQL Injection to MIPS Overflows: Rooting SOHO Routers

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.