DeepSec 2013

Last week Florian and I participated at this year’s DeepSec in Vienna. We had a really good time, thanks again to the DeepSec staff for a nice conference. Although it might be a bit late, I want to share some impressions about various talks I enjoyed.

## spin: Static Instrumentation For Binary Reverse-Engineering

This talk primarily covered a technique called binary instrumentation, which is used e.g. for performance evaluation, CPU emulation, tracing and profiling but also for malware- and threat-analysis. David Guillen Fandos proposed the application of this technique in the field of reverse engineering. Binary instrumentation is a technique which allows to modify and rewrite binaries during their execution by injecting instructions into the original code (pretty much like virtual machines do too). Therefore one could easily wrap instructions with logging/tracing functions, to observe the execution status before and after easy instruction step (and/or dump the output into a file). For the purpose of reversing, one could also create complex conditional breakpoints (retaining status across executions), which makes it possible to characterize functions.

David developed a tool called “spin” (a somehow static version of Intel’s Pin tool) which is able to characterize and identify security-critical functions by applying conditions. Additionally, it can automatically hook functions by injecting DLL’s during runtime. He demonstrated this in a little demo by hooking Winzip’s serial verify function so it would accept any serial. Spin is still in early development but it’s aid to the automation of reverse engineering seems really promising. Hopefully David will add support for API-Hooking, which isn’t yet supported due to the lack of 2Byte-Opcode hooking.

## Trusted Friend Attack: Guardian Angels Strike

Ashar Javed from the Ruhr University Bochum presented how an attacker can exploit social networks in order to gain access to user accounts. Especially functions where trusted third parties are involved, like Facebook’s password recovery, are mostly vulnerable to those attacks. Ashar demonstrated that it’s not the implementation of these functions that is vulnerable, but the logic behind. As those trusted third parties are just accounts that are in a users friend list, becoming one of them is a rather easy task, because most people confirm arbitrary friendship requests anyway. The slides are available here.

## The Boomerang Effect – Using Session Puzzling To Attack Apps From The Backend

Shay Chen presented a pretty interesting technique for web application hacking called session puzzling. Instead of directly sending payloads to a web application’s front end, this technique aims at attacking the application from the back end by polluting session related memory in order to prepare payloads across multiple requests. Shay also demonstrated a few ways to attack an application via session puzzling (e.g. authentication bypass) at a self developed training platform called PuzzleMall. For further information, read the blog post as well as Shay’s whitepaper.

## Mutually Assured Pwange

This was the first anti cyber war talk I’ve every heard and I really liked it. Karin Kosina did a great job explaining why this so called “cyberwar” cannot be compared with the cold war. Those of you who are really interested in this topic should take a look at her master’s thesis, which covers this topic as well. The slides are also available.

## Applied Crypto Hardening

Aaron Kaplan and three others presented a project called Applied Crypto Hardening, which was initiated by and Adi Kriegisch (VRVis). It aims at providing a paper for (mainly) system administrators with copy&paste-ready configuration examples for common applications like webservers (Apache, Nginx, …), mail transfer agents (like Postfix and Sendmail), SSHD and many others. So far those configuration examples only cover security related recommendations, mostly about choosing strong cipher suites for various tasks. It would be nice to see some performance related information for those configurations in the future (like suggested by an attendee after the talk) to further improve the quality of this paper. In my opinion this is a really important project but there is still a lot of work to do. I’m a little bit disappointed that there won’t be a SSTP section. Instead they prefer to stick to PPTP. Furthermore I seriously doubt that a paper in PDF format is the right choice for content that’s supposed to be copy&paste’d.

Hopefully the recordings won’t take that long, so we can enjoy the other talks we missed during the conference.