Day two of the Black Hat USA 2008 Briefings began much better than day one.
- Rod Beckström, Director of the National Cyber Security Center in DHS, delivered today's keynote. I had read articles like WhiteHouse Taps Tech Entrepreneur For Cyber Defense Post so I wasn't sure what to think of Mr. Beckström. It turns out his talk was excellent. If Mr. Beckström had used a few less PowerPoint slides, I would have classified him as a Edward Tufte-caliber speaker. I especially liked his examination of history for lessons applicable to our current cyber woes. He spoke to the audience in our own words, calling the US an "open source community," the Declaration of Independence and Constitution our "code," the Civil War a "fork," and so on. Very smart.
For example, Mr. Beckström provided context for the photo at left of Union Intelligence Service chief Allan Pinkerton, President Lincoln, and Major General John A. McClernand during Antietam (late 1862). Using the photo Mr. Beckström explained the relationship between the intelligence community, the government, and the military. After I answered his question "what made the Civil War unique?" (answer: the telegraph), Mr. Beckström described how Lincoln was the first "wired" President and how electronic warfare against cables first began.
In addition to talking about the French and Indian War and our own Revolution (e.g., Washington learned guerilla tactics, Benedict Arnold as insider threat), Mr. Beckström spoke about how to characterize our current problem. He said "offense is a lot easier than defense." Unlike Moore's Law, we don't have laws for the physics of networking, or the economics of networks or security, or how to do risk management. Mr. Beckström noted security is a cost (so much for "enablement") and that minimization of total cost C (where C equals cost of security S plus expected cost of a loss L) is the main goal. (I wonder if he's read Managing Cyber Security Resources?) Mr. Beckström said the CISO budget should be based on reducing estimated loss, but it's usually based on a percentage of the CTO or CIO's budget that's unrelated to any problem faced by the security team.
Most interesting to me, Mr. Beckström explained how he believes investment in protocols (like security DNS, BGP, SMS/IP, even POTS) could be cheap while yielding large benefits. I will have to watch for developments there.
- Next I saw Felix Lindner present Developments in Cisco IOS Forensics. It seemed like a lot of the ideas were present in his great talk from last year, but I liked this year's presentation anyway. FX is absolutely the authority on breaking Cisco IOS, he's an excellent speaker, and I learned a lot. FX discussed how attacks on IOS take the form of protocol, functionality/configuration, or binary exploitation attacks. Binary exploitation is of most interest to FX, and takes the form of binary modification of the runtime image, data structure patching, runtime configuration changes, and loading TCL backdoors. (The last is "widely used by people fired from ISPs"!)
In order to gain some degree of visibility into binary exploitation attacks against IOS, FX recommends enabling core dumps. This does not affect performance (except slowing reboot time). Core dumps can be written to a FTP server, and will result from unsuccessful binary exploitation attempts or any time a router administrator invokes the "write core" command. Because there are over 100,000 IOS images in use today ("only" 15,000 or so are supported by Cisco), there is a high likelihood that a remote intruder will crash the router when trying a binary exploitation attack. Furthermore, it's possible to find the packets which caused the attack in the router's memory dump, since they will be in the queue of the attacked thread. I look forward to trying this and submitting a dump to Recurity Labs CIR.
- Greg Conti and Erik Dean presented Visual Forensic Analysis and Reverse Engineering of Binary Data. I thought one of their slides (presented at left) was, unintentionally, a powerful partial summary of the skill sets needed for certain levels of analysis of binary data in our field. For example, I am very comfortable in the lowest portion where binary data represents network packets. I am trying to learn more about binary data as memory. I have worked with binary data as files, but there's a lot going on there (as I learned from a talk on Office forensics, noted below).
Greg and Erik demonstrated two new tools they wrote for visual analysis of binary data. Most surprisingly, they showed actual images rendered from the memory of a Firefox crash dump file. An example appears at right. They displayed the image by plotting every three bytes of memory as a RGB entry. They also noted that one day we could expect to see security analysts sitting with recognition posters of common patterns (e.g., diffuse means encryption or compression). That reminded me of the surface-to-air missile (SAM) emplacement images I studied in intel school.
- I joined Detecting & Preventing the Xen Hypervisor Subversions by Joanna Rutkowska and Rafal Wojtczuk. Joanna had to remove slides pending publication of a patch from Intel. (See my last post for notes on why the chipset is the new battleground.) She hinted that Intel is considering working with anti-virus vendors to run scans inside the chipset, which would be a bad idea. Joanna also talked about her company's product, HyperGuard, which can sit inside the Phoenix BIOS to perform integrity checking.
Joanna's research started with Blue Pill as a means to put an OS inside a thin hypervisor (the Blue Pill), but her newest work involves attacking an existing hypervisor (like Xen). This is why her post 0wning Xen in Vegas! says Rafal will discuss how to modify the Xen’s hypervisor memory and consequently how to use this ability to plant hypervisor rootkits inside Xen (everything on the fly, without rebooting Xen). Hypervisor rootkits are very different creatures from virtualization based rootkits (e.g. Bluepill). This will be the first public demonstration of practical VMM 0wning.
This presentation reminded me that I should have a permanent Xen instance running in my lab to improve familiarity with the technology.
- Following Joanna's talk I enjoyed Get Rich or Die Trying - Making Money on the Web, the Black Hat Way by Jeremiah Grossman and Arian Evans. They showed many real and amusing cases of monetizing attacks.
- Bruce Dang discussed Methods for Understanding Targeted Attacks with Office Documents. Everything for Bruce is "pretty easy," like writing custom Office document parsers to examine Office-based malware. Bruce ended his talk early so I moved next door to hear the Sensepost guys. I should have attended earlier -- it sounded like they created some extreme tunnels for getting data in and out of enterprise networks. They concluded by discussing how to load and execute binaries into the address space of SQL Server 2005 via SQL injection, because SQL Server 2005 has an embedded .NET CLR. Wow.
Overall, I think my conclusions from my last Black Hat Briefings still stand. However, I was surprised to see so much more action on the chipset level. I did not hear anything about the other extreme of the digital spectrum, the cloud. Perhaps that will be a topic next year, if the lawyers can be avoided?