Syscan 2015

Last week Matthias and I went to Singapore to teach our workshop on Hypervisor Exploitation at SyScan. After a very unpleasant Lufthansa strike (which made us arrive late in Singapore) and two intense workshop days, we were free to attend the “last” SyScan. There are few IT security conferences that have such a great reputation in the community and so we had high expectations, which were definitely not disappointed. This year had a lot of really interesting talks so I will just summarize some of the ones I liked the most.

Day 1 of the conference started with a very technical talk by Ian Beer from Google Project Zero who described the internals of IOKit an OS X/iOS driver development framework. Ian highlighted the different interfaces between user space and IOKit drivers and interesting vulnerability types that can often be found in these drivers. IOKit drivers are an interesting attack surface because they can often be reached from inside a browser sandbox, which means that any vulnerability inside these drivers is usable as a sandbox escape. The impressive list of bugs Ian discovered can be viewed at the Google Project Zero webpage and Ian closed his presentation with the statement that the user space attack surface which is reachable from a sandbox is even bigger. So we can probably expect some more interesting research soon.

After a talk on NFC security and the first break, the next speaker from Project Zero James Forshaw presented a talk on symbolic links in Windows. James is one of my favorite researchers and has an incredible talent for finding issues in the most exotic parts of the Windows operating system. James will present the same talk at the Infiltrate conference in Miami next month so I don’t want to spoil too much information, but if you never thought that symlink attacks on Windows might be a problem, you will be surprised. While James presented some vulnerabilities in Windows core software involving symlinks, his work is probably even more relevant for third party applications and will probably a nice source of bugs in the near future. If you want to play around with symbolic links, James also published his toolkit.

The next slot should contain a talk about Blue Coat internals by Raphael Rigo. Unfortunately Blue Coat pressured his employer into cancelling the talk and Raphael instead presented on the security of encrypted hard drives. Even though Raphael only had a day to prepare for the changed topic, his talk was very interesting and demonstrated that many encrypted hard drives are very insecure.

One of the talks I was really looking forward to was “How to own any windows network via group policy hacking attacks” by Luke Jennings from MWR InfoSecurity. Luke did some awesome research involving the Windows group policy engine. The first problem he discovered was that by default SMB signing is disabled for group policy updates. Because manipulation of group policy settings can easily be escalated to SYSTEM privileges on the GPO-managed host, this means that an attacker who is able to MITM the SMB traffic between a domain member and the domain controller can directly compromise the member system. Even more interesting is the second problem, which affected systems that used a hardened configuration enforcing SMB signing. When a group policy update was manipulated by corrupting the reply and therefore invalidating the signature, the system would fall back to the insecure default configuration, therefore allowing the first attack to go through.
The third issue Luke presented involves the update process of user policy settings. When pulling a user policy update, Windows will sign the traffic using a secret based on the domain credentials of the user. However, manipulating user policy updates still allow for the execution of SYSTEM privileged code. This means that an attacker who has access to the credentials of a lowly privileged domain account and is able to MITM the connection to the domain controller can escalate his privileges by faking a malicious user policy update. Luke suggested that the optimal way to fix this issue would be to use machine credentials for user policy updates as well, but this has not happened yet.

In between a lot of schedule shifting, Jacob Torrey presented his work on HARES, which if you trust certain media outlets will solve every security problem on the planet. Even though this is certainly not the case, the combination of TLB splitting and hypervisor based TRESOR encryption allows for very interesting protection of running software with an extremely low performance overhead. After the conference Jacob published a detailed whitepaper about his research.

In the evening Marion Marschalek talked about her recent work involving cartoon animals and APT samples that seem to be originating out of France. Marion talks always give a great insight into her malware analysis research and she has an incredible output of blog posts and technical reports, so you should check out her slides and the linked resources here.

Day 2 of the conference included a talk about IE11 exploitation by Yuki Chen who is part of the 360Vulcan team that successfully participated in this years Pwn2Own. Yuki gave a great presentation about the different ways recent exploit mitigations introduced into IE can be bypassed and concluded his presentation with a demo demonstrating a complete IE11 exploit.

Stefan Essers talk about the technical background of the recent iOS jailbreaks gave a great overview about the bad state of iOS security. Stefan is an excellent speaker and always has top-notch slides so you should check them out.

Alex Ionescu from Crowdstrike presented his work on the Hyper-V IPC mechanisms. Due to our last years research on Hyper-V we were really interested in this talk and of course Alex delivered. He performed an in-depth discussion of the VMBus protocol used for communication between Hyper-V partitions and presented a kernel module he wrote to allow him to directly communicate with the VMBus instead of using existing functions (which would restrict tampering with certain inputs). Similar to our statements from last year Alex stressed the point that not enough researches are actively looking into Hyper-V, which will probably change in the coming years when Hyper-V will be even more integrated into Windows 10. (As a personal note, we were delighted to be credited in his slides!)

Of course interesting talks are only one part of a great conference. Thomas and his team did a fantastic job organizing the conference and making us feel very welcome and part of the SyScan community. We did have an awesome time, met a lot of really interesting people and are looking forward to going back to Singapore for SyScan 16 ;).