Internet Security Systems - AlertCon(TM)

Blackhat USA for Mobile Researchers

Posted by Takehiro Takahashi on July 21, 2010 at 12:39 AM EDT.

Blackhat USA is coming up in 2 weeks and I'll be in Las Vegas with my colleagues to attend some of the presentations there. In the previous post, Jon made his presentation picks, which focus on interesting malware research and reverse engineering. So I've made my choices based on my other interest: mobile stuff. Of course, our teammates Chris Valasek and Tom Cross's talks will be fun, too.

Everybody be cool this is a roppery 
Return-Oriented Exploitation
Vincenzo Iozzo, Tim Kornau and Ralf-Philipp Weinmann are presenting a talk on return-oriented programming (ROP) and its application to the iPhone OS platform. Iozzo and Charlie Miller had an awesome talk on iPhone security at last year's Blackhat, and I'm assuming this one is going to be just as cool!

Similarly, Dino Dai Zovi will be presenting the techniques he has developed to exploit platforms such as the iPhone OS, which implements NX/XD memory and mandatory code signing.

Return-oriented exploitation has been receiving more attention lately as a way to counteract these protection schemes. These ROP talks should be extremely informative and insightful to those who are in mobile platform research, including myself.

Payload already inside: data re-use for ROP exploits
Long Le will discuss how to apply ROP on Linux x86, where the mapped libc address starts with a NULL byte and ASLR is in place, by extending the old return-into-libc technique.
Wow, another ROP talk!

App Attack: Surviving the Mobile Application Explosion
More Bugs in more Places: Secure Development On Mobile Platforms
Ever since Apple released the SDK for their iPhone OS, the mobile world has been about 'App's. Kevin Mahaffey and John Hering will talk about the data interactions that take place inside the many 'App's they analyzed.

Similarly, David Kane-Parry will be presenting a comparison and analysis of the security features offered in different mobile platform SDKs.

As a vulnerability researcher at IBM X-Force, I expect that there will soon be attacks targeted towards popular 'App's. Any software developers working on multiple mobile platforms should benefit significantly from these talks.
