BlackHat 2013

[malware]
BINARYPIG - SCALABLE MALWARE ANALYTICS IN HADOOP
BOCHSPWN: IDENTIFYING 0-DAYS VIA SYSTEM-WIDE MEMORY ACCESS PATTERN ANALYSIS
BUGALYZE.COM - DETECTING BUGS USING DECOMPILATION AND DATA FLOW ANALYSIS
END-TO-END ANALYSIS OF A DOMAIN GENERATING ALGORITHM MALWARE FAMILY
HOT KNIVES THROUGH BUTTER: BYPASSING AUTOMATED ANALYSIS SYSTEMS
HOW TO GROW A TREE (TAINT-ENABLED REVERSE ENGINEERING ENVIRONMENT) FROM CBASS (CROSS-PLATFORM BINARY AUTOMATED SYMBOLIC-EXECUTION SYSTEM)
HUNTING THE SHADOWS: IN DEPTH ANALYSIS OF ESCALATED APT ATTACKS
JAVA EVERY-DAYS: EXPLOITING SOFTWARE RUNNING ON 3 BILLION DEVICES
JUST-IN-TIME CODE REUSE: THE MORE THINGS CHANGE, THE MORE THEY STAY THE SAME
MACTANS: INJECTING MALWARE INTO IOS DEVICES VIA MALICIOUS CHARGERS
OPTIROP: HUNTING FOR ROP GADGETS IN STYLE
VIRTUAL DEOBFUSCATOR - A DARPA CYBER FAST TRACK FUNDED EFFORT
SPY-JACKING THE BOOTERS
SMASHING THE FONT SCALER ENGINE IN WINDOWS KERNEL
PRESS ROOT TO CONTINUE: DETECTING OSX AND WINDOWS BOOTKITS WITH RDFU
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
MILLION BROWSER BOTNET

[web]
DISSECTING CSRF ATTACKS & COUNTERMEASURES
THE FACTORING DEAD: PREPARING FOR THE CRYPTOPOCALYPSE
JAVASCRIPT STATIC SECURITY ANALYSIS MADE EASY WITH JSPRIME
') UNION SELECT `THIS_TALK` AS ('NEW OPTIMIZATION AND OBFUSCATION TECHNIQUES’)
TLS 'SECRETS'
SSL, GONE IN 30 SECONDS - A BREACH BEYOND CRIME
PIXEL PERFECT TIMING ATTACKS WITH HTML5


[network]
DEFENDING NETWORKS WITH INCOMPLETE INFORMATION: A MACHINE LEARNING APPROACH
EVADING DEEP INSPECTION FOR FUN AND SHELL
FULLY ARBITRARY 802.3 PACKET INJECTION: MAXIMIZING THE ETHERNET ATTACK SURFACE
HOME INVASION V2.0 - ATTACKING NETWORK-CONTROLLED HARDWARE
OWNING THE ROUTING TABLE - PART II
WHAT'S ON THE WIRE? PHYSICAL LAYER TAPPING WITH PROJECT DAISHO
UNIVERSAL DDOS MITIGATION BYPASS
LESSONS FROM SURVIVING A 300GBPS DENIAL OF SERVICE ATTACK


[social enginnering]
USING ONLINE ACTIVITY AS DIGITAL FINGERPRINTS TO CREATE A BETTER SPEAR PHISHER
PREDICTING SUSCEPTIBILITY TO SOCIAL BOTS ON TWITTER
MALTEGO TUNGSTEN AS A COLLABORATIVE ATTACK PLATFORM

[embeded]
BLUETOOTH SMART: THE GOOD, THE BAD, THE UGLY, AND THE FIX!
EXPLOITING NETWORK SURVEILLANCE CAMERAS LIKE A HOLLYWOOD HACKER
FACT AND FICTION: DEFENDING YOUR MEDICAL DEVICES
HACKING, SURVEILLING, AND DECEIVING VICTIMS ON SMART TV
HONEY, I’M HOME!! - HACKING Z-WAVE HOME AUTOMATION SYSTEMS
THE OUTER LIMITS: HACKING THE SAMSUNG SMART TV
OUT OF CONTROL: DEMONSTRATING SCADA DEVICE EXPLOITATION
UART THOU MAD?

TERIDIAN SOC EXPLOITATION: EXPLORATION OF HARVARD ARCHITECTURE SMART GRID SYSTEMS
STEPPING P3WNS: ADVENTURES IN FULL-SPECTRUM EMBEDDED EXPLOITATION (AND DEFENSE!)
THE SCADA THAT DIDN'T CRY WOLF- WHO'S REALLY ATTACKING YOUR ICS DEVICES- PART DEUX!
RFID HACKING: LIVE FREE OR RFID HARD
POWER ANALYSIS ATTACKS FOR CHEAPSKATES

[mobile]
ANDROID: ONE ROOT TO OWN THEM ALL
BLACKBERRYOS 10 FROM A SECURITY PERSPECTIVE
HOW TO BUILD A SPYPHONE
ROOTING SIM CARDS
REVEALING EMBEDDED FINGERPRINTS: DERIVING INTELLIGENCE FROM USB STACK INTERACTIONS
MULTIPLEXED WIRED ATTACK SURFACES
MOBILE ROOTKITS: EXPLOITING AND ROOTKITTING ARM TRUSTZONE
I CAN HEAR YOU NOW: TRAFFIC INTERCEPTION AND REMOTE MOBILE PHONE CLONING WITH A COMPROMISED CDMA FEMTOCELL

[system]
A TALE OF ONE SOFTWARE BYPASS OF WINDOWS 8 SECURE BOOT
BIOS SECURITY
FUNDERBOLT: ADVENTURES IN THUNDERBOLT DMA ATTACKS
HACKING LIKE IN THE MOVIES: VISUALIZING PAGE TABLES FOR LOCAL EXPLOITATION
HIDING @ DEPTH - EXPLORING, SUBVERTING AND BREAKING NAND FLASH MEMORY
LET'S GET PHYSICAL: BREAKING HOME SECURITY SYSTEMS AND BYPASSING BUILDINGS CONTROLS
PASS-THE-HASH 2: THE ADMIN'S REVENGE
PASS THE HASH AND OTHER CREDENTIAL THEFT AND REUSE: MITIGATING THE RISK OF LATERAL MOVEMENT AND PRIVILEGE ESCALATION

[else]
WITH BIGDATA COMES BIG RESPONSIBILITY: PRACTICAL EXPLOITING OF MDX INJECTIONS
WHAT SECURITY RESEARCHERS NEED TO KNOW ABOUT ANTI-HACKING LAW
TOWN HALL MEETING: CFAA REFORM STRATEGY
POST EXPLOITATION OPERATIONS WITH CLOUD SYNCHRONIZATION SERVICES
MAINFRAMES: THE PAST WILL COME BACK TO HAUNT YOU
LEGAL CONSIDERATIONS FOR CELLULAR RESEARCH
LEGAL ASPECTS OF FULL SPECTRUM COMPUTER NETWORK (ACTIVE) DEFENSE
LAWFUL ACCESS PANEL
IS THAT A GOVERNMENT IN YOUR NETWORK OR ARE YOU JUST HAPPY TO SEE ME?

Paper Reading : Enabling Sophisticated Analyses of x86 Binaries with RevGen

This paper is proposed in HotDep'11.
This paper is aim to ease the difficulty of binary analysis by RevGen, which translating tradition x86 binary into LLVM IR instead of ad-hoc IR, which use by different system.

There are many different system for binary program analysis, for example, BitBlaze and CodeSurfer. However they use their own IR language which hard to migrate to other system and without formalize verify.

LLVM, a popular compiler framework, have been widely used in many analysis tool. For example,
KLEE and Parfait are both LLVM-based.

LLVM

LLVM is a compile framework with a compact RISC-like instruction set. It support unlimit register and only contain 30 opcodes, which ease to analysis. Especially, only load and store can access memory.

LLVM naturelly support Static Single Assignment(SSA) code representation. So data flow and def-use graph can be compute. Moreover function inlining, constant propagation, or dead store removal can also achive.

To translate binary code into LLVM, following issue must be concern

• pointer arithmetic 
• accommodate different stack layouts
• transform accesses to various code and data segments
• deal with indirect call
• semantic equivalent LLVM programs.

Challenge

1. Extracting binary code's semantics
2. Inferring type information

RevGen

Translating Blocks of Binary Code

1. Disassemble into micro-operations, which translate to LLVM instructions later.

2. One to one mapping between micro-operations and LLVM instructions.

Reconstructing the Control Flow Graph (CFG)

1. Each code block is translate to LLVM block, and form the functions.

2. Connect each functions with call instructions.

 Obtaining Analyzable LLVM Programs

This part the symbol table contain library call and relocation table are provide to identify some constant address. Then translation can be complete.

Paper Reading : BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

BotMiner is proposed in Usenix'08 by College of Computing, Georgia Institute of Technology.
In this paper, authors aim to detect c&c botnet without a priori knowledge. The key concept of this paper is to cluster malicious behaviors and communication traffic separately and mining  relation between them. Their system achieve a good detection rate in their evaluation.

Introduction

In this section, authors introduce current state of botnet. Classificaton of botnet is list below.

IRC Botnet, include 

P2P Botnet, include Nugache and Storm/Peacomm

Related Work

Most related work are specific to IRC and HTTP protocols,which are most widest used by C&C botnet. This paper proposed a system to detect arbitrary protocols communications.

Definition and Assumption

The authors define the botnet as "A coordinated group of malware instances that are

controlled via C&C channels".  That is, it is unavoidable for bot to communicate to other bot/bot server and it necessary for a bot to bring out some malicious activities. 

Proposed Scheme

The architecture of botMiner is in the figure.

In order to detect bot in a network, BotMiner follow two observation, "who is talking to whom" and "who is doing what". Therefore the system is divide to C-Plan and A-Plan.

• C-Plan is responsible for communication
  C-Plan Monitor employ hardware supporting(Cisco, Juniper) to log network traffic. 
• A-Plan is responsible for activities
  Snort with SCADE (Statistical sCan Anomaly Detection Engine) plugin is used to implement A-Plan Monitor.

In C-Plan Cluster, noise connections and white list connection are first filtered out. Then the two-level cluster is processed, from course grain to fine grain. The aggregating of some attributes are calculated

1. the number of flows per hour(fph)
2. the number of packets per flow(ppf)
3. the average number of bytes per packets(bpp)
4. the average number of bytes per second (bps)

After those feature are computed, X-mean, an K-means variant algorithms, is used to cluster in different feature space to implement course grain and fine grain cluster. X-mean can cluster without pre-define clustering number. X-means runs multiple rounds of K-means to find proper number of clustering with help of Bayesian Information Criterion. Similar approach is used in A-Plan cluster.

Finally,  cross-check clusters is taken to find out intersections that infers exists of botnet.

HITCON 2013 Session Summary : Advance Malware Evasion And Hiding Techniques

This session is origin in HITCON 2013, proposed by Chong Rong Hwa from FireEye

Attack Vector

In this session, first three type of infection vectors are discussed

1. Physical, like USB
2. Email
   Compress, Encryption, Password protected compression
3. Web
   Water Hole Attack, which attacker compromise legitimate website to host malicious page.
   ex. May 1 2013, attacker compromise US Department of Labour to host PoisonIvy Backdoor

APT Advanced Malware

Those malware not use advance technique but disguise itself as normal program or user.

Hacker may use old vulnerabilities, but slightly change the exploit code to harden the analysis.

    Add invalid characters in rtf file to confuse parser

    Replace part of shellcode to semantic-equivalent instructions

Save non-malicious code in disk, construct malicious payload in the memory

    Trojan.APT.BaneChant

Employ common used encryption(signature) algorithms with slightly change(ex. DES,AES)

Use public and legitimate service for malicious behaviors, such as : google drive, amazon aws

    Trojan.APT.Seinup

Anti-VM

   Detect human behaviors

APT Attack Source

Not from single source and the control servers are distributed over the world.

      Asia and East Europe are two most source region for APT attack. 

      Most of APT tool made in China, ex. Gh0stRAT

HITCON 2013 Overview

Cyber War

1. People's Republic of Cyber Warfare: Comparing China Iran & Russia Militarization of Cyberspace(駭客人民共和國: 中國伊朗跟俄羅斯網軍的分析與比較)
2. Global Cyber Espionage and Chinese Hacker Threats, Internet Survillance and PRISM(全球間諜：互聯網監控全球趨勢 棱鏡門與中國駭客威脅論)
3. APT1: Technical Backstage(APT1: 反攻網軍後台)
4. How South Korea Makes White-hat Hackers(南韓如何培養白帽駭客？)
5. How does Japan dea with Targeted Attack and SCADA Security(目標鎖定攻擊與工控系統安全：日本如何應對兩大趨勢)

Cyber War is the main topic of HITCON 2013. Hence many session about global cyber activity are included.
In first two presentation talk about national power of cyber war, include China, Iran and Russia. And also mention about chineese hacker and  Internet survillance of U.S.
Second, Paul Rascagneres from malware.lu share their experience to track APT1 hacker,which probable come from china.
Then, national strategy of Japan and Korean, which are two countries near TW, is mentioned. 

APT

1. APT defense from the view of security architecture(從系統設計建置面談 APT 防禦)
2. Visual Data Analytics - Graphing your Indicators(APT 特徵的視覺資料分析法)
3. Digital Eagle Eye System: Use Cyber Intelligence against APT Attacks(數位鷹眼系統: 以網路數位情資對抗 APT 攻擊)
4. APT Cyber Shuttle: From Automated Analysis to TTP Observation(APT網際飛梭：從自動化分析到拆解 APT 後台駭客活動)
5. Light & Shadow about Banking $ecurity @Japan(光與影 日本銀行業的資訊安全)

In HITCON 2013, APT is still one of hottest topic. In those session, management and strategy against APT is discussed. And some forensics technique are also proposed to face APT attack.
Notice that, the session "APT Cyber Shuttle: From Automated Analysis to TTP Observation" proposed by Xecure-Lab & Academia Sinica will give a session in Black Hat US 2013.

Malware

1. Building new weapons for malware analysts(建立惡意軟體分析的新武器)
2. Advance Malware Evasion and Hiding Techniques(惡意軟體的進階免殺技巧)
3. Static Analysis and Dynamic Instrumentation for Intelligent Exploit Analysis(靜態與動態智慧型漏洞文件分析系統)

Malware analysis is a old discussion problem. In this year, some session about malware are also included.

Mobile

1. Escaping Android Dynamic Analysis; Chinese New Year Train Ticket Ordering Day(逃離安卓動態檢測 & 訂票助手一日談)
2. Dex Education 201: Anti-Emulators(深入Dalvik Dex教學:反制模擬器)
3. Android Hooking Attack
4. Review of Security Vulnerabilities on the Android Platform(Android平臺安全性漏洞回顧)
5. GSM Security Research using Open Soruce Tools(以開源軟體進行GSM安全研究)

With exponent usage of mobile device, sessions about mobile are also increasing. The first two sessions mention about how malware evade security analysis mechanism. Then the following two sessions is about technique employed by malware. Especially, "Review of Security Vulnerabilities on the Android Platform" ,proposed by 肖梓航 Claud, which overview the android vulnerabilities in current year is worthy to read.

Exploit & Vulnerability

1. Life of Coder: The adventure through the landscape of bugs(程序員的蟲洞漂流)
2. Analysis on the EPATHOBJ Exploit(請謹慎編碼，哪怕它只是一句錯誤處理— 來自 win32k!EPATHOBJ::pprFlattenRec 漏洞的啟示)
3. Killing AV in x64(戳戳防毒軟體死穴)
4. 0-Day Easy Talk - Happy Fuzzing Internet Explorer(0-Day 輕鬆談 - Happy Fuzzing Internet Explorer)
5. How can i have 100 0day for just 1day(超級祕訣 - 一天擁有 100 個 0day!)
6. Exploiting JRE (JRE安全机制与漏洞挖掘研究)

Exploit and Vulnerability is an interesting topic this year. An 0 day sharing activity is also include in this year's HITCON.
In first three sessions, the authors analysis some known exploit and  share their implementation. The fourth session, the author demonstrate the 0-day he found and share his experience.
The fifth talk present an idea to fuzz numerous of application at once. The last one session conclude java vulnerabilities in current day and the direction to fuzz java platform.

Others

1. The undisclosed files of incidents by the data scientist(資料科學家未曾公開之資安研究事件簿)
2. OS X Rootkits Stuff(那些洞，我們一起追的 OS X Rootkits)
3. Spears and shields on online game(線上遊戲矛盾大對決)
4. Breaking image CAPTCHA for fun(CAPTCHA 好好玩)
5. Protocol and physical analysis of EMV POS devices.(EMV晶片卡POS裝置的實體與溝通協定分析)
6. Browser and Local Zone(瀏覽器和本地域)

The session "The undisclosed files of incidents by the data scientist" talk about some research topic of professor 陳昇瑋. Social network and malicious phone call are both special and interesting topic.

Also web security are widely discussed in Black Hat 2013, there are less topic about web security in this year's HITCON.  

CVE-2013-1763 : Local Privilege Escalation Vulnerability

This vulnerability is published in February, it can make normal user gain power of super user. Ubuntu 12.x is vulnerable. So I download the POC code and test it. The result is successful.

Formal Verification for Cryptography Protocols

In this year's S&P conference, Microsoft and INRIA has proposed a paper "Implementing TLS with Verified Cryptographic Security." In this paper, an F# TLS library was implemented and serial of formal proof were  also given. To understand their survey, some background knowledge are necessary. After some search, the slide published in etaps12 is most easily document. So in this article, I will summary this slide.

Attack Model

The attack model is communication in an insecure network environment as following figure

• The attacker can intercept all messages sent on the network
• He can compute messages
• He can send messages on the network

The term cryptographic primitives means basic cryptographic function which later used to build security protocols.

Symbolic Model and Computational Model 

Model	Symbolic Model	Computational Model
Cryptographic Primitives	blackboxes	functions on bitstrings
Messages	terms on cryptographic primitives	bitstrings
Attack Capability	Compute with cryptographic primitives	Probabilistic polynomial-time Turing machine
Security Assumptions	Verify what attacker can do	Verify what attacker cannot do

Verifying Protocols in the Symbolic Model

The basic idea is to compute the knowledge of attacker. So we exhaust all combination of cryptographic primitives. Then check if any of them violate security policy. It is trivial that those combination can be infinite, thus this model can be undecidable. So some technique like approximation, proper subset or termination state are used.

For example, Horn Clauses can be use to verify symbolic model. With the notation attacker function
                                             attacker(M) means “the attacker may have M”

And there introduce two functions

       Construct f( m1 ,m2 ,m3 ,...,mn ) 

              attacker( m1 ) ^ attacker( m2 ) ^ ... ^ attacker( mn ) -> attacker( f(m1, m2,..., mn) )  

       Destruct g(m1,m2,...,mn) -> m

              attacker( m1 ) ^ attacker( m2 ) ^ ... ^ attacker( mn ) -> attacker( m )

       Example

              attacker(m) ∧ attacker(k) → attacker(sencrypt(m, k))

              attacker(sencrypt(m, k)) ∧ attacker(k) → attacker(m)

Verifying Protocols in the Computational Model

There are thee strategy to verify the computational model

1. Linking the symbolic and the computational models
   First, proof in symbolic model and verify computation soundness in symbolic model. Then we can prove the computatiobal model is secure. 
2. Adapting techniques from the symbolic models
   Some symbolic techniques can also be adapted to the computational model
3. Direct computational proofs
   Proofs in the computational model are typically proofs by sequences of games

Reference 

1. Bruno Blanchet's presentation slide(1)
   http://www.mpi-inf.mpg.de/vtsa11/slides/blanchet/VTSA11intro.pdf
2. Bruno Blanchet's presentation slide(2) 
   http://www.mpi-inf.mpg.de/vtsa11/slides/blanchet/VTSA11proverif.pdf
3. Bruno Blanchet's presentation slide(3)
   http://cs.ioc.ee/etaps12/invited/blanchet-slides.pdf