EuSecWest 2009 Run Down

EuSecWest is one of those great conferences where it’s full of very knowledgeable, like-minded individuals but is small enough that by the end everybody kind of knows everybody, if they didn’t already! The talks were all very technical and of good quality I had the pleasure of engaging in many interesting discussions. Here are a few highlights from talks that interested me in particular.

This covered the main exploit mitigations that have been introduced into Windows over the years, such as DEP, SafeSEH, GS Cookies and ASLR. Information on how effective they have been and where they have conflicted with other quality areas outside of security, such as performance, was included. It was interesting to see exactly which historical exploits would have been made completely unexploitable by these mitigations (and it was the majority).

This covered how to compromise a system if you have physical access to the PCI bus through certain card readers etc. Obviously this is possible (in a similar manner to firewire) but it was interesting how they exploited it because they had to use FPGAs and it gets difficult writing high level code exploits in VHDL. Instead, they wrote a CPU emulator for the FPGA so they could then write conventional high level code that would run on the FPGA. Very cool.

An overview followed by criticisms. Conclusions are that at the moment it isn’t very effective because the process often only affects the loading and once something has been loaded you can run-time patch it. It isn’t very effective practically against full drive crypto either because you can just write a trojaned bootloader that appears the same as the normal login but stores the passphrase on the MBR and then reboots. Then next time you enter the victims hotel room you have the key.

An overview of iPhone history and how it used to be much less secure (everything ran as root etc) and how now there is privilege separation, DEP, signed code and security policy files governing what processes can access. Eventually, with a little ninja action he came up with a clever way to get remote code execution using a staged three call return-to-libc style attack followed by shellcode execution. Sadly nobody has found a remote vuln in the iPhone 2 yet to try it out on in practice.

Unsigned code, dubious security code reviews, insecure distribution and no security model separating them from the core code. I’m sure we probably all knew we should be wary of firefox extensions but this gave further reason to be very careful of which extensions to use, if any!