EuSecWest 2009 Run Down

By on 4 June, 2009

I recently had the good fortune to attend EuSecWest 2009. EuSecWest is one of those great conferences that is full of very knowledgeable, like-minded individuals but is small enough that by the end everybody kind of knows everybody, if they didn’t already! The talks were all very technical and of good quality, and I had the pleasure of engaging in many interesting discussions. Here are a few highlights from talks that interested me in particular.

Evolving Microsoft Exploit Mitigations

This covered the main exploit mitigations that have been introduced into Windows over the years, such as DEP, SafeSEH, GS Cookies and ASLR. Information on how effective they have been and where they have conflicted with other quality areas outside of security, such as performance, was included. It was interesting to see exactly which historical exploits would have been made completely unexploitable by these mitigations (and it was the majority).

PCI bus based operating system attack and protections

This covered how to compromise a system if you have physical access to the PCI bus through certain card readers etc. Obviously this is possible (in a similar manner to FireWire), but it was interesting how they exploited it, because they had to use FPGAs and it gets difficult writing high-level code exploits in VHDL. Instead, they wrote a CPU emulator for the FPGA so they could then write conventional high-level code that would run on the FPGA. Very cool.

Thoughts about Trusted Computing

An overview followed by criticisms. The conclusions are that at the moment it isn’t very effective, because the process often only affects loading, and once something has been loaded you can patch it at run time. It isn’t very effective in practice against full-drive crypto either, because you can just write a trojaned bootloader that appears the same as the normal login but stores the passphrase in the MBR and then reboots. Then the next time you enter the victim’s hotel room you have the key.

Pwning your grandmother’s iPhone

An overview of iPhone history and how it used to be much less secure (everything ran as root etc.) and how there is now privilege separation, DEP, signed code and security policy files governing what processes can access. Eventually, with a little ninja action, he came up with a clever way to get remote code execution using a staged three-call return-to-libc style attack followed by shellcode execution. Sadly nobody has found a remote vuln in the iPhone 2 yet to try it out on in practice.

Exploiting Firefox Extensions

Unsigned code, dubious security code reviews, insecure distribution and no security model separating them from the core code. I’m sure we probably all knew we should be wary of Firefox extensions, but this gave further reason to be very careful of which extensions to use, if any!