
BlackHat talks come in all shapes and sizes, from philosophical keynotes and high-level overviews to the ultra-technical. Narrowing down the list of talks isn't easy, so I chose mine based on their technical flair. If you're more of the techie sort, I hope this list helps you out as well. The only thing to note is that some of them unfortunately overlap, so you'll still have to shortlist.

Apart from these talks, I will also be spending some time at the enSilo booth. The company is handing out some cool pool goodies (beach balls and frisbees). If you’re in need of a break between the talks – swing by the booth at International Pavilion #23.

#1: Unicorn: Next Generation CPU Emulator Framework

Date & Time: August 5, 10:20-11:10

Location: South Seas IJ

Abstract: A CPU emulator is a program that emulates the internal operation of a physical CPU in software. A CPU emulator plays a vital role and has many applications in the computer security area, such as reversing obfuscated malware or verifying code semantics.

Unfortunately, such a fundamental component does not get the attention it absolutely deserves. At the moment, all the existing CPU emulators suffer from some major issues.

It is unbelievable that the lack of such a fundamental component as a CPU emulator has persisted for so long without a proper fix. We decided to step up and take the problem into our own hands to solve it once and for all. As a result, the Unicorn emulator was born, and it successfully handles all the outstanding problems.

Unicorn offers some unparalleled features. It provides an independent framework for developing independent security tools on top of it. Building plugins for other environments, such as IDA, is also well supported.

  • Multi-architectures: Unicorn can emulate all the popular architectures, such as X86 (including X86_64), ARM, ARMv8, M68K, Mips, PowerPC, and Sparc, etc.
  • Multi-platforms: Natively available for Windows, Mac OSX, Linux & *BSD
  • Implemented in pure C, with bindings for Python available. Support for other languages is also in the pipeline.
  • Clean/simple/lightweight/intuitive architecture-neutral API.
  • Thread-safe by design.
  • Open source.

Unicorn aims to lay the ground for innovative works. To conclude the talk, some new advanced tools built on top of Unicorn will be introduced to demonstrate its power, so the audience can see how our framework can open up many opportunities for future of security research & development. 

Who: Nguyen Anh Quynh, Hoang-Vu Dang

Why:

  • A good emulator is a powerful tool for security research and, as the presenters state, current emulators suffer from many issues. This framework could be the solution.
  • According to the researchers, the emulator will be released as open source. Not only does this give researchers a freely available emulator to add to their toolkit, it also gives them the opportunity to change and extend it.

#2: Exploiting the DRAM Rowhammer Bug to Gain Kernel Privileges

Date & Time: August 5, 13:50-14:40

Location: Jasmine Ballroom

Abstract: “Rowhammer” is a problem with DRAM in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. While the industry has known about the problem for a while and has started mitigating the problem in newer hardware, it was rarely mentioned in public until the publication of Yoongu Kim et al's paper in the summer of 2014 which included hard data about the prevalence of the problem. In spite of the paper's speculations about the exploitability of the issue, most people still classified rowhammer as only a reliability issue - the probabilistic aspect of the problem seems to have made people think exploitability would be impractical.

We have shown that rowhammer is practically exploitable in real-world scenarios - both in-browser through NaCl, and outside of the browser to escalate to kernel privileges. The probabilistic aspect can be effectively tamed so that the problem can be reliably exploited.

Rowhammer, to our knowledge, represents the first public discussion of turning a widespread, real-world, physics-level hardware problem into a security issue.

We will discuss the details of how our two exploits cause and use bit flips, and how the rowhammer problem can be mitigated. We will explore whether it is possible to cause row hammering using normal cached memory accesses.

Who: Mark Seaborn, Halvar Flake

Why:

  • Hardware bugs cannot be fixed with a software patch, and Rowhammer is an example of one that is actually exploitable.
  • This talk is given by Google's Project Zero, a team of researchers known for finding critical vulnerabilities and publishing their findings.

#3: SMBv2: Sharing More than just your Files

Date & Time: August 5, 13:50-14:40

Location: South Seas ABE

Abstract: In this presentation, we detail a new attack vector against SMBv2, affecting all versions of IE, including the Spartan version shipped with Windows 10. While attacks involving SMB have long been common in LANs, our attack allows complete user compromise from the Internet. By leveraging a series of bugs and malfunctions, we'll see how remote credential theft or user impersonation can be performed without user interaction, extremely reliably, and from the Internet.

Who: Jonathan Brossard, Hormazd Billimoria

Why:

  • This seems like a critical vulnerability: it affects every version of IE, and therefore every Windows version in current use.
  • A remote SMB attack that works from the Internet is potentially very powerful. It will be interesting to understand how they were able to carry it out and whether its impact is as big as it seems.

#4: WSuspect – Compromising the Windows Enterprise via Windows Update

Date & Time: August 5, 15:00-15:50

Location: Lagoon K

Abstract: Ever wondered what really happens when you plug in a USB device and Windows begins ‘searching for Drivers’? Who doesn't have that Windows Update reboot dialog sitting in the corner of their desktop? Our talk will take an exciting look at one of the dullest corners of the Windows OS.

WSUS (Windows Server Update Services) allows admins to co-ordinate software updates to servers and desktops throughout their organisation. Whilst all updates must be signed by Microsoft, we find other routes to deliver malicious updates to Windows systems using WSUS. We will demonstrate how a default WSUS deployment can be leveraged to gain SYSTEM level access to machines on the local network.

We also take a look at exactly what happens when you plug a new USB device into a Windows desktop. There are thousands of Microsoft-signed updates for 3rd party drivers available through Windows Update. We show how driver installs can be triggered by low privileged users and look at the insecurities that can be introduced by these Microsoft-blessed drivers.

In addition to some exciting demos we will also describe how to lock down enterprise WSUS configurations to avoid these "on by default" vulnerabilities.

You have 1 malicious update ready to install...

Who: Paul Stone, Alex Chapman

Why:

  • This sounds like a critical vulnerability that can potentially affect a large number of organizations.
  • WSUS is mostly overlooked, yet enterprises depend on it heavily, which makes it an area well worth investigating.
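The abstract says a default WSUS deployment is the problem and that configuration lock-down is the fix. As an added example (not code from the talk, the presenters or enSilo), here is a read-only PowerShell check of the Windows Update client policy on a domain machine: whether it is pointed at an intranet WSUS server at all, and whether that server URL uses HTTPS. The assumption that the lock-down target is a TLS-protected WSUS URL is ours; it is the standard WSUS hardening, but the page itself does not name the setting. The function name Get-WsusClientConfig is made up for this example.

```powershell
# Added example, not from the talk: report how this client receives updates
# and whether its WSUS endpoint is protected by TLS. Read-only registry
# inspection of the Windows Update client policy (Group Policy writes here).

function Get-WsusClientConfig {
    $wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $auKey = Join-Path $wuKey 'AU'

    $wu = Get-ItemProperty -Path $wuKey -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue

    # UseWUServer = 1 means the client talks to the intranet WSUS server named
    # in WUServer instead of going to Windows Update directly.
    $usesWsus = ($au.UseWUServer -eq 1) -and -not [string]::IsNullOrEmpty($wu.WUServer)

    $findings = @()
    if ($usesWsus) {
        foreach ($name in 'WUServer', 'WUStatusServer') {
            $url = $wu.$name
            if (-not $url) { continue }
            $uri = $null
            if (-not [Uri]::TryCreate($url, [UriKind]::Absolute, [ref]$uri)) {
                $findings += "$name is not a valid absolute URL: $url"
            } elseif ($uri.Scheme -ne 'https') {
                # Plain-HTTP update traffic can be intercepted on the local
                # network; this is the setting to fix first.
                $findings += "$name uses $($uri.Scheme), not https: $url"
            }
        }
    }

    [pscustomobject]@{
        UsesWsus       = $usesWsus
        WUServer       = $wu.WUServer
        WUStatusServer = $wu.WUStatusServer
        Findings       = $findings
        # $null when the machine does not use WSUS, so the check is not applicable.
        UsesTlsOnly    = if ($usesWsus) { $findings.Count -eq 0 } else { $null }
    }
}

Get-WsusClientConfig | Format-List
```

Run it on a sample of workstations and servers rather than a single host; the policy is delivered per OU, so one site can be hardened while another is still on the default. A UsesTlsOnly of False, or an HTTP URL in Findings, is the configuration to raise with whoever owns the WSUS server.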

#5: Abusing Windows Management Instrumentation (WMI) to Build a Persistent Asynchronous and Fileless Backdoor

Date & Time: August 5, 16:20-17:10

Location: Mandalay Bay EF

Abstract: Imagine a technology that is built into every Windows operating system going back to Windows 95, runs as System, executes arbitrary code, persists across reboots, and does not drop a single file to disk. Such a thing does exist and it's called Windows Management Instrumentation (WMI).

With increased scrutiny from anti-virus and 'next-gen' host endpoints, advanced red teams and attackers already know that the introduction of binaries into a high-security environment is subject to increased scrutiny. WMI enables an attacker practicing a minimalist methodology to blend into their target environment without dropping a single utility to disk. WMI is also unlike other persistence techniques in that rather than executing a payload at a predetermined time, WMI conditionally executes code asynchronously in response to operating system events.

This talk will introduce WMI and demonstrate its offensive uses. We will cover what WMI is, how attackers are currently using it in the wild, how to build a full-featured backdoor, and how to detect and prevent these attacks from occurring.

Who: Matthew Graeber

Why:

  • As part of enSilo’s research, we have looked into WMI-based malware. It will also be interesting to see advances in this type of research.
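The abstract describes the mechanism without naming its parts: a permanent WMI event subscription is an __EventFilter (a WQL query for the triggering OS event), an __EventConsumer subclass (the action; CommandLineEventConsumer and ActiveScriptEventConsumer run arbitrary code as SYSTEM) and a __FilterToConsumerBinding tying the two together, all stored in the WMI repository rather than as files on disk. As an added example (not code from the talk or from enSilo), here is a read-only PowerShell script that enumerates those subscriptions on a host and flags the ones that execute code. The function name Get-WmiPersistence is ours.

```powershell
# Added example, not from the talk: list the permanent WMI event subscriptions
# that a fileless, event-driven WMI backdoor needs. Each subscription lives in
# the root\subscription namespace as three objects:
#   __EventFilter             - WQL query describing the triggering OS event
#   __EventConsumer subclass  - the action; CommandLineEventConsumer and
#                               ActiveScriptEventConsumer run arbitrary code
#   __FilterToConsumerBinding - ties one filter to one consumer
# Read-only; run from an elevated prompt so the namespace is fully readable.

function Get-WmiPersistence {
    param([string]$ComputerName = '.')

    $ns = 'root\subscription'
    $filters   = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventFilter
    $consumers = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __EventConsumer
    $bindings  = Get-WmiObject -ComputerName $ComputerName -Namespace $ns -Class __FilterToConsumerBinding

    # Consumer classes that execute attacker-supplied code.
    $codeConsumers = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'

    foreach ($b in $bindings) {
        # Filter and Consumer are relative object paths such as
        #   __EventFilter.Name="Foo"  and  CommandLineEventConsumer.Name="Bar".
        # Match on class and Name rather than casting to [wmi], which would
        # resolve the relative path in root\cimv2 and fail.
        $null = $b.Filter -match '^(?<cls>\w+)\.Name="(?<name>[^"]+)"'
        $fName = $Matches.name
        $null = $b.Consumer -match '^(?<cls>\w+)\.Name="(?<name>[^"]+)"'
        $cClass, $cName = $Matches.cls, $Matches.name

        $f = $filters   | Where-Object { $_.Name -eq $fName } | Select-Object -First 1
        $c = $consumers | Where-Object { $_.__CLASS -eq $cClass -and $_.Name -eq $cName } | Select-Object -First 1

        # Pull out what actually runs, per consumer type.
        $payload = switch ($cClass) {
            'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
            'ActiveScriptEventConsumer' {
                if ($c.ScriptText) { "[$($c.ScriptingEngine)] $($c.ScriptText)" }
                else               { "[$($c.ScriptingEngine)] file: $($c.ScriptFileName)" }
            }
            default                     { '' }
        }

        [pscustomobject]@{
            Filter       = $fName
            Query        = $f.Query
            ConsumerType = $cClass
            Consumer     = $cName
            ExecutesCode = $codeConsumers -contains $cClass
            Payload      = $payload
        }
    }
}

Get-WmiPersistence | Format-Table -AutoSize -Wrap
```

Read the Query and Payload columns together for every row with ExecutesCode set: the query is the trigger (for example an __InstanceModificationEvent on Win32_LocalTime fires on a timer, an __InstanceCreationEvent on Win32_Process fires whenever a process starts) and the payload is what runs, as SYSTEM, when it fires. Windows itself ships one benign binding ('SCM Event Log Filter' bound to an NTEventLogEventConsumer), so baseline clean machines before turning this into an alert.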

#6: Attacking Hypervisors Using Firmware and Hardware

Date & Time: August 5, 16:20-17:10

Location: Mandalay Bay GH

Abstract: In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware, such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines.

We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

Who: Yuriy Bulygin, Alexander Matrosov, Mikhail Gorobets, Oleksandr Bazhaniuk

Why:

  • Attacks on hypervisors are rare and complex. The attack surface explored in this presentation, system firmware and hardware emulation, appears to be a new one that has mostly been overlooked in the past.

#7: Attacking ECMAScript Engines with Redefinition

Date & Time: August 5, 17:30-18:00

Location: South Seas CDF

Abstract: The dynamic nature of ECMAScript allows for functions and properties to be redefined in a variety of ways - even functions that are vital for internal functionality of the ECMAScript engine. This presentation explores the problems that can arise from ECMAScript redefinition. It goes through the various ways that functions and properties can be redefined in different ECMAScript implementations and describes several vulnerabilities we found as a result of these methods. It also provides some strategies for finding these types of security issues in other targets.

Who: Natalie Silvanovich

Why:

  • Vulnerabilities in scripting engines are generally interesting because many of them lead to powerful and stable exploits. Given Natalie's previous research, that is probably the case here too.

#8: Battle of the SKM and the IUM: How Windows 10 Rewrites OS Architecture

Date & Time: August 6, 9:45-10:35

Location: Jasmine Ballroom

Abstract: In Windows 10, Microsoft is introducing a radical new concept to the underlying OS architecture, and likely the biggest change to the NT design since the decision to move the GUI in kernel-mode.

In this new model, the Viridian Hypervisor Kernel now becomes a core part of the operating system and implements Virtual Secure Machines (VSMs) by loading a true microkernel - a compact (200kb) NT look-alike with its own drivers called the Secure Kernel Mode (SKM) environment, which then uses the Hypervisor to hook and intercept execution of the true NT kernel. This creates a new paradigm where the NT Kernel, executing in Ring 0, now runs below the Secure Kernel, at Ring ~0 (called Virtual Trust Level 1).

But it doesn't stop there - as the Ring 0 NT kernel now has the ability to not only create standard Ring 3 user-mode applications, but also Ring ~3 applications (or Virtual Trust Level 0) that run in Isolated User Mode (IUM). Because VTLs are all more privileged than Ring 0, this now creates a model where a user-mode application running inside a VSM now has data and rights that even the kernel itself cannot modify. Why go through all this trouble? Because it seems like the hottest thing these days is Pass-the-Hash, and attacks must seemingly be mitigated at all costs. And even in Windows 8.1, an attacker with the permissions to load a kernel driver can bypass the existing mitigations (and Mimikatz is signed!). With VTLs, now even the most privileged attacker is only as privileged as the hypervisor will allow it - never able to truly read the hash data that is stored in the secure partition.

How "secure" is this new model really? And what prevents a malicious application from running in such a secure mode to begin with?

Who: Alex Ionescu

Why:

  • This talk couldn’t be more relevant with Windows 10 being released just last week.
  • Windows 10 delivers new architectural changes and considerations. This should provide a deep dive into these updates.

#9: Certifi-Gate: Front-Door Access to PWN’ing Millions of Androids

Date & Time: August 6, 9:45-10:35

Location: South Seas CDF

Abstract: Hundreds of millions of Android devices, including those running Lollipop, the latest and most secure version of Android OS, can be hijacked. A comprehensive study has revealed the existence of multiple instances of a fundamental flaw within the Android customisation chain that leave millions of devices (and users) vulnerable to attack.

These vulnerabilities allow an attacker to take advantage of unsecure apps certified by OEMs and carriers to gain unfettered access to any device, including screen scraping, key logging, private information exfiltration, back door app installation, and more. In this session, Lacoon researchers will walk through the technical root cause of these responsibly-disclosed vulnerabilities including hash collisions, IPC abuse and certificate forging which allow an attacker to grant their malware complete control of a victim's device. We'll explain why these vulnerabilities are a serious problem that in some ways can't be completely eliminated, show how attackers exploit them, demonstrate an exploit against a live device, and provide remediation advice.

Who: Avi Bashan, Ohad Bobrov

Why:

  • Just last week, we heard of a vulnerability compromising Android devices through MMS. This sounds big as well.

#10: Social Engineering the Windows Kernel: Finding and Exploiting Token Handling Vulnerabilities

Date & Time: August 6, 15:50-16:40

Location: Mandalay Bay GH

Abstract: One successful technique in social engineering is pretending to be someone or something you're not and hoping the security guard who's forgotten their reading glasses doesn't look too closely at your fake ID. Of course there's no hyperopic guard in the Windows OS, but we do have an ID card, the Access Token, which proves our identity to the system and lets us access secured resources. The Windows kernel provides simple capabilities to identify fake Access Tokens, but sometimes the kernel or other kernel-mode drivers are too busy to use them correctly. If a fake token isn't spotted during a privileged operation, local elevation of privilege or information disclosure vulnerabilities can be the result. This could allow an attacker to break out of an application sandbox, elevate to administrator privileges, or even compromise the kernel itself. This presentation is about finding and then exploiting the incorrect handling of tokens in the Windows kernel as well as first and third party drivers. Examples of serious vulnerabilities, such as CVE-2015-0002 and CVE-2015-0062, will be presented. It will provide clear exploitable patterns so that you can do your own security reviews for these issues. Finally, I'll discuss some of the ways of exploiting these types of vulnerabilities to elevate local privileges.

Who: James Forshaw

Why:

  • Kernel exploitation is getting harder with each version of Windows. The talk covers a class of vulnerabilities with clear, repeatable patterns, which may well lead to the discovery of more bugs with the same root cause in the kernel and in third-party drivers.

Get Technical! Check out our researchers' blog - breakingmalware.com