CanSecWest 2010

on 30 March, 2010

Vancouver, Canada: home to this year’s Winter Olympics but, more importantly, to CanSecWest 2010!

Whether presenting their latest research to the community or simply attending to observe, highly respected security professionals from around the globe are drawn to the three-day conference. It consists of a single track of presentations, ranging from issues that have been discussed for many years to the cutting edge of security research.

This year’s Pwn2Own contest challenged entrants to compromise a number of mobile devices and desktop web browsers for the chance to keep the target device as well as a cash prize. Nils from MWR InfoSecurity entered the contest armed with a zero-day for the latest version of Firefox and won a Sony Vaio laptop running a fully patched Windows 7 using his exploit. Safari was claimed by Charlie Miller and Internet Explorer 8 by Peter Vreugdenhil, leaving Google Chrome as the only browser undefeated for the second year running. Of the four mobile devices up for grabs, Vincenzo Iozzo and Ralf-Philipp Weinmann were the only contestants to submit and successfully exploit a vulnerability: a bug in Mobile Safari on the iPhone which allowed them to retrieve the phone’s SMS database. Full details of the contest can be found at: http://dvlabs.tippingpoint.com/blog/2010/02/15/pwn2own-2010.

In no particular order, below is a summary of some of the talks that stood out to us this year:

ShareREing is Caring – Halvar Flake and Sebastian Porst, zynamics GmbH

ShareREing introduced BinCrowd, zynamics’ software for sharing reverse engineering information collaboratively between team members. BinCrowd also finds and matches functions that have previously been analysed and stored in its database, even when they appear in a different binary, so that a reverse engineer does not have to repeat analysis that has already been done. The matching is especially useful because it works across code generated by different compilers, where simple byte-level comparison of functions would fail. It seems very likely this software will be useful in future reverse engineering projects. More technical information can be found on the zynamics blog.

Babysitting an army of monkeys: an analysis of fuzzing 4 products with 5 lines of Python – Charlie Miller, Independent Security Evaluators

This talk discussed the techniques used to find a number of vulnerabilities in certain vendors’ software: Charlie’s method for locating vulnerabilities (fuzzing) and his analysis of the results. I found this talk interesting because there tends to be a lack of publicly available fuzzing results, of the methodology used to find the vulnerabilities, and of the metrics used to determine their exploitability. The trends discussed throughout the presentation showed significant differences between particular products and demonstrated where security had been incorporated into the product’s development life cycle.
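The title of the talk refers to a very small mutation fuzzer. To make the workflow concrete, the following is an added example written for this report, not Miller’s code and not anything presented at the conference: a dumb byte-mutation fuzzer run in-process against a constructed toy record parser with two deliberately planted bugs, followed by crash bucketing as a stand-in for the result-analysis step. The record format, the parser, its bugs and every name in the block are invented for illustration.

```python
import math
import random
import struct

# Constructed sample format and a deliberately buggy parser used as the fuzz
# target. Both are made up for this example: the planted bugs are a missing
# length check on type-1 records and a missing bounds check on type-2 records.
MAGIC = b"TLV1"
NAMES = ["alpha", "beta", "gamma", "delta"]


def parse_records(buf):
    """Parse MAGIC followed by (type:1, length:2 big-endian, payload) records.

    ValueError is the parser's intended rejection of malformed input; any
    other exception escaping this function is a real bug in the parser."""
    if buf[:4] != MAGIC:
        raise ValueError("bad magic")
    off, out = 4, []
    while off < len(buf):
        if off + 3 > len(buf):
            raise ValueError("truncated record header")
        rtype = buf[off]
        length = int.from_bytes(buf[off + 1:off + 3], "big")
        payload = buf[off + 3:off + 3 + length]
        off += 3 + length
        if rtype == 1:
            # Planted bug: assumes the payload is exactly 4 bytes long.
            out.append(struct.unpack(">I", payload)[0])
        elif rtype == 2:
            # Planted bug: no bounds check on the index byte, and an empty
            # payload is never rejected.
            out.append(NAMES[payload[0]])
        else:
            raise ValueError("unknown record type %d" % rtype)
    return out


def mutate(seed, rng, fuzz_factor=250):
    """Dumb mutation: overwrite a few random bytes with random values.
    The number of writes scales with the input size (len / fuzz_factor)."""
    buf = bytearray(seed)
    numwrites = rng.randrange(math.ceil(len(buf) / fuzz_factor)) + 1
    for _ in range(numwrites):
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def crash_key(exc):
    """Bucket a crash by qualified exception type plus the innermost Python
    frame (function name and line), so repeats of one bug collapse together."""
    tb = exc.__traceback__
    while tb.tb_next is not None:
        tb = tb.tb_next
    qualname = "%s.%s" % (type(exc).__module__, type(exc).__name__)
    return (qualname, tb.tb_frame.f_code.co_name, tb.tb_lineno)


def triage(case):
    """Return None for accepted or cleanly rejected input, else the crash key."""
    try:
        parse_records(case)
    except ValueError:
        return None          # intended rejection, not a finding
    except Exception as exc:  # anything else escaping the parser is a bug
        return crash_key(exc)
    return None


def fuzz(seed, iterations, rng_seed=0):
    """Run a campaign in-process; return {crash_key: first input that hit it}."""
    rng = random.Random(rng_seed)
    buckets = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        key = triage(case)
        if key is not None:
            buckets.setdefault(key, case)
    return buckets


# Constructed, well-formed seed input: one u32 record and two name records.
SEED = (MAGIC
        + b"\x01\x00\x04" + b"\x00\x00\x00\x2a"   # type 1, u32 = 42
        + b"\x02\x00\x01" + b"\x02"               # type 2, NAMES[2]
        + b"\x02\x00\x01" + b"\x00")              # type 2, NAMES[0]

if __name__ == "__main__":
    for key, case in sorted(fuzz(SEED, iterations=2000).items()):
        print(key, case.hex())
```

The point of the `triage` split is the one a real campaign lives or dies on: the parser’s own rejections (here `ValueError`) are noise, and only exceptions the author never anticipated count as findings. Bucketing by type and location is the cheapest form of deduplication; a real triage step would replace it with a debugger-driven classification of the faulting instruction.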

There’s a party at ring0, and you’re invited. – Julien Tinnes & Tavis Ormandy, Google

The talk covered a number of kernel-level vulnerabilities used for privilege escalation on both the Windows and Linux platforms. My personal passion for low-level technical details was satisfied, and the talk was quite thought-provoking on the challenges faced in defensive kernel security. Although the vulnerabilities presented were very impressive, it would have been interesting to expand on some of them and explain the architecture of the affected kernel subsystems in greater detail; given the large number of vulnerabilities and variants covered, time constraints probably prevented this.

Practical Exploitation of Modern Wireless Devices – Thorsten Schroeder and Max Moser, Dreamlab Technologies

Despite unfortunate technical difficulties which caused the projector to cut out repeatedly throughout the talk, Thorsten delivered a thought-provoking presentation that was well received by the audience. He presented his research into the security of wireless peripheral devices, with a primary focus on wireless keyboards. He revealed the results of his analysis of the wireless protocols implemented by Microsoft and Logitech, and presented Keykeriki V2, which is capable of sniffing keystrokes in real time as well as injecting keystrokes, and hence commands, into the target. The presentation concluded with a demonstration in which injected commands launched calc.exe on the target system, followed by Thorsten stating that “range testing” showed the attack could be launched from an impressive 70 metres.

In summary, the high quality of a number of the talks, the opportunity to discuss security issues with like-minded people and the motivation the conference produces all provide good reasons to attend CanSecWest. We expect the research demonstrated at CanSecWest to be of great benefit to the security community and to help drive further work both within MWR InfoSecurity and the industry at large.