Blackhat USA 2012 – Pushing Past Intrusion Tolerance, Cutting Edge Research

The Blackhat 2012 keynote started the event with Shawn Henry, former Executive Assistant Director of the Fbi, painting a grim, seemingly unspeakable picture of cyberespionage in the US. It was interesting that he continually spoke about the gravity of the situation and the need to apply what he learned at the Fbi to protecting digital assets, but he couldn’t describe a single concrete example. At the same time, other than a weapon of mass destruction, he claimed that cyber threats are the single biggest problem facing this nation. This inability to convey concrete details during the Blackhat keynote only highlights some of the problem in understanding the cyber problem. And it’s the problem of overclassification of computer network exploitation (CNE) incidents and a tangled set of dynamics that silence breach data sharing and exchange. There is a long way to go here to fixing it.

While parts of the talk were very interesting, especially discussion of creating a hostile network for your adversaries and taking intrusion tolerance a step further, it was criticized for being a bit self-promoting. All across the twittersphere, tweets like this one protested signs of this year’s corporate influence.

The two days of talks explored some new territory. Day 1 included “Advanced ARM Exploitation”, where Stephen Ridley and Stephen Lawler provided some more indepth Android exploitation details and the quirks in exploring the software and developing exploits on the platform. For example, ROP techniques are required even to perform the ancient ret2libc technique on Android. They poured over data manipulation on ARM and particular assembly level tricks, specifics of discovering ROP pivots and pushing data into the stack on ARM for control. The talk provided content from their hands-on, 650+ slides across 12 decks, 80 page lab manual, multi-day course “Practical ARM Exploitation”.

Other notable talks included Chris Valesek and Tarjei Mandt’s discussion of Windows 8 Heap Internals. From the offensive security perspective, they blew through new Windows 8 usermode and kernel heap protections that they reversed and analyzed, based on Microsoft’s heavy investment in understanding and addressing past exploitation techniques.

The two presented a list of eight or ten past publicly known heap exploitation techniques effective on Windows 7 and prior that Microsoft for the most part has stamped out on Windows 8 with new protection technologies. An impressive feat on the part of Microsoft, and something the other vendors, like Oracle and Apple, have a difficult time keeping up with.

This presentation was followed by Microsoft’s Matt Miller and Ken Johnson, whose previous work can be found in the Uninformed journal and early ASLR technology implementations. These two “defenders” provided details on the long list of protections from the Microsoft Security Science team previously discussed by the two “attackers” onstage.

Day two brought two talks that were particularly good. For another year, Mark Vincent Yason and Paul Sabanal from IBM X-Force presented their analysis of Adobe’s sandboxing technology, this time focusing on Flash. The talk was very well structured and progressed, probably the best technical talk I attended. They pulled apart details of three different implementations of the Flash sandbox for Firefox and Chrome web browsers, finding that “Pepper Flash” is implemented with the lowest level of privileges and tightest set of policies. Pepper is the plugin API that the Adobe and Google teams are using to develop this more secure plugin that is yet to be complete for chrome.

The end of the day approached with a talk from Jonathan Brossard on “Hardware Backdooring is Practical”, where he presented his tool, “Rakshasa”, focused on permanently backdooring computer hardware. The tool is frankensteined together from various open source projects like Coreboot, SeaBIOS and iPXE, so as to minimize any visibility into this software as malicious, attempting to gain a greater chance of evading anti-malware solutions. Interesting PoC material indeed. But the backdoor does not really backdoor any hardware, it is all software-based. Other interesting functionality included its ability to disable DEP and ASLR, remove CPU updates, and force write permissions on every kernel level memory mapping.

Finally, the end of the conference finished with the Pwnie Awards. It was another tongue in cheek, irreverent review of major security issues of the past year, with “artwork winning out over utility”.

Blackhat USA 2012 – Pushing Past Intrusion Tolerance, Cutting Edge Research

Your email address will not be published. Required fields are marked *



Operation TunnelSnake

A newly discovered rootkit that we dub ‘Moriya’ is used by an unknown actor to deploy passive backdoors on public facing servers, facilitating the creation of a covert C&C communication channel through which they can be silently controlled. The victims are located in Africa, South and South-East Asia.

APT trends report Q1 2021

This report highlights significant events related to advanced persistent threat (APT) activity observed in Q1 2021. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports.

The leap of a Cycldek-related threat actor

The investigation described in this article started with one such file which caught our attention due to the various improvements it brought to this well-known infection vector.

Subscribe to our weekly e-mails

The hottest research right in your inbox