Black Hat Digital Self Defense Japan 2007

Black Hat Main Conference Overview

Black Hat Call for Papers Black Hat Training Black Hat Briefings Speakers Black Hat Briefings Schedule Black Hat Sponsors Black Hat Hotel & Venue Black Hat Registration
details Current Sponsors for Black Hat Briefings Japan 2007
Black Hat Japan 2007 Topic descriptions are listed alphabetically by speaker.

Feedback forms will be available at the show. Let us know who was hot, who was not and get a chance to win admission to a future Briefings of your choice.

Black Hat Japan 2006 Sponsors
Return to the top of the page
Black Hat Speakers

[Keynote] Emerging New Technologies for Information Security Management
Suguru Yamaguchi, Nara Institute of Science and Technology

Information systems are now taking the important role to support core competence components of businesses in various industries so that they requires more dependability and sustainability. New technologies for improvement to make information systems more dependable are emerging from R&D field to the actual operational environment, however still more development are expected. In this keynote session, the speaker presents new risk on information security coming up with information systems, then express his views and directions on technical solutions and technologies required.

Suguru Yamaguchi

Suguru Yamaguchi was born in Shizuoka, Japan in 1964. He received the M.E. and D.E. degrees in computer science from Osaka University, Osaka, Japan, in 1988 and 1991, respectively. From 1990 to 1992 he was an Assistant Professor in Education Center for Information Processing, Osaka University. In 1992, he was moved to Information Technology Center, Nara Institute of Science and Technology, Nara, Japan, and served as an Associate Professor till 1993. From 1993 to 2000, he was with Graduate School of Information Science, Nara Institute of Sc ience and Technology, Nara, Japan, as an Associate Professor. In 2000, he was promoted to a Professor with the Graduate School of Information Science, Nara Institute of Science and Technology, Nara, Japan. During his work in Nara Institute of Science and Technology, he has been working very aggressively on research, education and management. Especially from 2002 to 2004, he served as Director of University Library, and devoted himself to i mprove and enhance the digital library system, which was the nation's first digital library system available for national universities, initially funded in 1995.His research interests include technologies for information sharing, multimedia communication over high-speed communication channels, large-scale distributed computing systems, network security and network management for the Internet. Since mid 1980's, he has been working very hard on development the Internet in Japan and Asia and Pacific region. He has been also a member of WIDE project, which is one of pioneer projects for the Internet development, since its creation in 1988. In the project, he has been conducting research on network security system, especially PKI infrastructure for wide area distributed computing environment.

In 2004, he was appointed to Advisor on Information Security, Cabinet Secretariat, Government of Japan. He has been deeply involved to design and implementation of basis of national policy on information security and establishment of National Information Security Center (NISC) in Cabinet Secretariat in 2005. Even though he is still working for his university, he didn't spare himself for this important task in the government. Because of tight relationship with government's information security policy, he was also appointed to Advisor for Government Program Management Office (GPMO) at secretariat office of IT Strategic Headquarter, Government of Japan.

With his contribution for Internet development and network security, he is involved and working with several organizations. Since 1992, he was working for JPCERT/CC, which is a first national CSIRT in Japan, and now serving as a member of its board of trustee. Since 2002, he has been a member of board of trustee of Japan Network Information Center (JPNIC), which is national Internet registry managing IP address and AS number allocations and registrations. For the Internet development in Asia and Pacific region, he is working so long for Asian Internet Interconnection Initiatives (AI3) since its creation in 1996.

Return to the top of the page

Fuzzing Sucks (Or Fuzz Like You Mean It)
Pedram Amini, Tipping Point
Aaron Portnoy, Tipping Point

Face it, fuzzing sucks. Even the most expensive commercial fuzzing suites leave much to be desired by way of automation. Perhaps the reason for this is that even the most rudimentary fuzzers are surprisingly effective. None the less, if you are serious about fuzz testing in as much a scientific process as possible than you have no doubt been disappointed with the current state of affairs. Until now.

This talk is about Sulley. An open source, freely available, full featured and extensible fuzzing framework being released at Black Hat US 2007. Modern day fuzzers are, for the most part, solely focused on data generation. Sulley does this better and more. Sulley watches the network and methodically maintains records. Sulley instruments and monitors the health of the target, capable of reverting to a good state using multiple methods. Sulley detects, tracks and categorizes detected faults. Sulley can fuzz in parallel, significantly increasing test speed. Sulley can automatically determine what unique sequence of test cases trigger faults. Sulley does all this, and more, automatically and without attendance.

Pedram Amini currently leads the security research and product security assessment team at TippingPoint, a division of 3Com. Previous to TippingPoint, he was the assistant director and one of the founding members of iDEFENSE Labs. Despite the fancy titles he spends much of his time in the shoes of a reverse engineer- developing automation tools, plug-ins and scripts. His most recent projects (aka "babies") include the PaiMei reverse engineering framework and the Sulley fuzzing framework.

In conjunction with his passion for the field, he launched OpenRCE.org, a community website dedicated to the art and science of reverse engineering. He has previously presented at DefCon, RECon, ToorCon and taught numerous sold out reverse engineering courses. Pedram holds a computer science degree from Tulane University, finds his current commander in chief rather humerous and recently co-authored a book on Fuzzing titled "Fuzzing: Brute Force Vulnerability Discovery".

Aaron Portnoy, aka deft, is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: RSA, Citrix, Symantec, Hewlett-Packard, IBM and others.

Additionally, Aaron has contributed mind share and code to OpenRCE, PaiMei, and various white papers and books. On a more personal note, Aaron is the proud owner of a Rottweiler/German Shepherd puppy and he also drives really (really) fast.

Return to the top of the page

Kick Ass Hypervisor
Brandon Baker, Microsoft

Virtualization is changing how operating systems function and how enterprises manage data centers. Windows Server Virtualization, a component of Windows Server 2008, will introduce new virtualization capabilities to the Windows operating system. This talk will focus on security model of the system, with emphasis on design choices and deployment considerations. Aspects of virtualization security related to hardware functions will also be explored.

Brandon Baker is a security developer in the Windows kernel team working on the Windows hypervisor and leading security development and testing for the Windows Server Virtualization project. For the past five years he has worked on security and separation kernels at Microsoft of one form or another. Prior to joining Microsoft, Mr. Baker was a security architect at a managed data center company. He has been working in the computer security field since 1997, when at NSA he co-authored the first guide for the secure configuration of Windows NT for the DoD. Mr. Baker has a B.S. in Computer Science from Texas A&M University.

Return to the top of the page

Automated Unpacking and Malware Classification
Halvar Flake, Founder, SABRE Labs

Halvar Flake is SABRE Labs' founder. Originating in the fields of copy protection and digital rights management, he gravitated more and more towards network security over time as he realized that constructive copy protection is more or less fighting windmills. After writing his first few exploits he was hooked and realized that reverse engineering experience is a very handy asset when dealing with COTS software. With extensive experience in reverse engineering, network security, penetration testing and exploit development he a coveted speaker and trainer.

Return to the top of the page

Greetz from Room 101
Kenneth Geers

Imagine you are king for a day. Enemies are all around you, and they seem to be using the Internet to plot against you. Using real-world cyber war stories from the most tightly controlled nations on Earth, Greetz from Room 101 puts you in the shoes of a king who must defend the royal palace against cyber-equipped revolutionaries. Can a monarch buy cyber security? Are his trusty henchmen smart enough to learn network protocol analysis? Could a cyber attack lead to a real-life government overthrow? Ten case studies reveal the answers. Which countries have the Top Ten most Orwellian computer networks? Come to the talk and find out.

Now imagine that your name is Winston Smith, and that you live in a place called 1984. You don't trust the government, and you don't trust the evening news. You can't send your girlfriend an email because you think that the Thought Police will get it first. Greetz from Room 101 details what Web surfing, email, blogging, and connections to the outside world are like for the half of our planet's population who enjoy little to no freedom online, in places where network security battles can mean life or death. Last but not least, the Black Hat audience will hear about the future of cyber control, and the future of cyber resistance.

Kenneth Geers has worked for many years in a wide variety of technical and not-so-technical disciplines. The oddest job he had was working on the John F. Kennedy Assassination Review Board (don't ask). He also waited tables in Luxembourg, harvested flowers in the Middle East, climbed Mount Kilimanjaro, was bitten by a deadly spider in Zanzibar and made Trappist beer at 3 AM in the Rochefort monastery. Kenneth is the author of Cyber Jihad and the Globalization of Warfare; Hacking in a Foreign Language: A Network Security Guide to Russia; Sex, Lies, and Cyberspace: Behind Saudi Arabia's National Firewall; and IPv6 World Update. His website, chiefofstation.com, is devoted to the intersection of art, the fate of nations, and the Internet. Greetz to Bunny, Izzy, Yofi, and Boo!

Return to the top of the page

The Little Hybrid Web Worm That Could
Billy Hoffman, SPI Dynamics

The past year has seen several web worms attacks against various online applications. While these worms have gotten more sophisticated and made use of additional technologies like Flash and media formats, they all have some basic limitations such as infecting new domains and injection methods. These worms are fairly easily detected using signatures and these limitations have made web worms annoying, but ultimately controllable. Often the source website simply fixes a single flaw and the worm dies.

In this presentation we will examine ways web worms might evolve to overcome these limitations. We describe a hybrid web worm combining both server-side and client side languages to exploit both the web server and the web browser to aid in its propagation across multiple hosts. We will discuss how such a hybrid worm is able to find new vulnerable systems and infect new hosts on different domains from both the client and the server. In addition will we look at how a hybrid worm could upgrade its infection methods while in the wild by fetching and parsing new web vulnerability information from public security sites, preventing a single silver bullet fix from stopping it. We will examine how web worms could implement polymorphism and source code mutation to evade signature detection systems. While these are not new concepts applying them to interpreted languages like Perl or JavaScript inside a browser allowed for some interesting twists and caused some challenges.

While we have not built a fully functioning hybrid worm, we will demo different parts of the worm in isolation to show how these features would function. Specifically we will look at how the worm could upgrade itself with publicly available vulnerability data as well as source code mutation. Based on methodology from the JavaScript vulnerability scanner Jikto, we will also demonstrate DOMinatrix, a JavaScript payload using SQL Injection to extract information from a website's database. Finally we will discuss steps to prevent hybrid web worms from exploiting a website or its users.

Billy Hoffman is a lead security researcher for SPI Dynamics. At SPI Dynamics, Billy focuses on automated discovery of Web application vulnerabilities and crawling technologies. His work has been featured in Wired, Make magazine, Slashdot, G4TechTV, and in various other journals and Web sites. In addition, Billy is a reviewer of white papers for the Web Application Security Consortium (WASC), and is a creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes. Billy is currently coauthoring "Ajax Security", to be published by Addison-Wesley in Summer 2007.

Return to the top of the page

DNS Pinning and Socket API
Mr. Kanatoko

JavaScript, Flash, Java Applet and so on has the ability to access the network. The malware code which uses this kinds of technology mostly works on the user's web browser which visited the page with the trap. Most of those technology has the security restriction which "allow the connection if the host name is the same as the download origin host." However, this restriction can be easily broken by the DNS server which has the malware controlod by the attacker.

This issue is known of "DNS Pinning" and "Anti-DNS Pinning". At this moment, most article explained about this topic is "Expected damage will be the leking information from the web page on the Intranet", but as the matter of fact, there are more serious risks which is not revealed yet. From Java Applet, and new version of the Flash Player, because the API of the TCP level whichi is known as the Socket is available, the attackers can exploit the many protcols other except HTTP as the targets. By this expoit, the victim user's web browser will be the proxy server at the TCP level, the attacks below will be possible.

  • Portscan the host on the Intranet/Internet via the victim user's web browser
  • Send the shell code to the host on the Intranet/Internet via the victim user's web browser
  • Send the spam mail from the victim user's web browser
  • Access to the file sharing network on the Intranet
  • Any Aceess to any TCP level via the victim user's web browser

This presentation will be cover the attacks by using this Socket API and its countermeasure.

Mr. Kanatoko is a programmer, and was born in 1975. He has managed JUMPERZ.NET which offers information related to the network and security since 1998. He has developed several open source tools such as, [email protected](Web Application Firewall), [email protected](Client Side Proxy), and [email protected] (a tool that builds a virtual TCP connection on HTTP). Moreover, he has regularly contributed articles to the online magazine "WizardBible.org" which can be called Japanese version of Phrack.

In the field of DNS Rebinding (Or, Anti-DNS Pinning), he showed the possibility of attacks on FLASH with the Socket Interface, based on the principle of Martin Johns. Moreover, he is well known for having an online demonstration of the various DNS Rebinding attacks opened to the public.

In addition, a whitepaper at Stanford University utilizes his site as a reference. http://crypto.stanford.edu/dns/

Return to the top of the page

Stateful Fuzzing of Wireless Device Drivers in an Emulated Environment
Clemens Kolbitsch, Technical University Vienna
Sylvester Keil

The presentation documents the process of identifying potential vulnerabilities in IEEE 802.11 device drivers through fuzzing. The relative complexity of 802.11 as compared to other layer two protocols imposes a number of non-trivial requirements on regular 802.11 protocol fuzzers.

This paper describes a new approach to fuzzing 802.11 device drivers on the basis of emulation. First, the process of creating a virtual 802.11 device for the processor emulator QEMU is described. Then, the development of a stateful 802.11 fuzzer based on the virtual device is discussed. Finally, we report the results of fuzzing the Atheros Windows XP driver, as well as the official and open source MADWifi drivers.

Clemens Kolbitsch is currently finishing his master studies ("Software Engineering and Internet Computing") at the Technical University in Vienna, Austria. His main research is computer security with a special interest in memory manangement and virtual machines.

Sylvester Keil is also finishing his master studies ("Software Engineering and Internet Computing") at the Technical University in Vienna, Austria.

Besides their research into wireless 802.11 vulnerability detection, they are currently working on linux kernel mode exploitation techniques, both supported by SEC Consult Unternehmensberatung GmbH.

Return to the top of the page

Passive OS Fingerprinting Using DHCP
David LaPorte, Harvard University, UIS Network Operations
Eric Kollmann, Boise State University

Passive OS fingerprinting is not a new topic - tools such as Siphon, p0f, and ettercap have existed for years. These tools perform fingerprinting based on unicast traffic and therefore must sit in the data stream or receive an out-of-band copy of it (eg. a SPAN port). What is new, however, is the use of DHCP as a fingerprinting mechanism.

DHCP is, in part, a broadcast protocol. This fact allows it to be monitored without sitting in the data stream. Any system within the broadcast domain or remote system - through the use of a DHCP relay - can capture broadcast DHCPDISCOVER packets and fingerprint all DHCP-enabled systems on the LAN. One such fingerprinting method uses the order and number of options specified in option 55 of the DHCP packet (parameter request list) to trivially infer the OS.

DHCP is a little known method of fingerprinting which presents an easy means of host profiling and a useful network inventorying tool for IT professionals. Both of these uses are only likely to increase in the future as awareness spreads.

Both presenters have extensive experience with DHCP fingerprinting and each have written software that utilizes it.

Satori is a windows-based passive fingerprinting utility.

David LaPorte is the Network Security Manager for Network and Server Systems at Harvard University. In his off-hours, David works extensively on PacketFence, an open-source network registration and worm mitigation system. David received a BS in Computer Science from Northeastern University and is pursuing an MS in Information Assurance. He holds CISSP, CCNP, and RHCE certifications.

Eric Kollmann works as a Microsoft Systems Engineer. He has written white papers on Active/Passive OS Fingerprinting and most recently on DHCP Fingerprinting. He has been involved in software projects whose purpose is OS Identification, Patch Management, and Security Vulnerabilities. His latest project has been Satori which does passive fingerprinting across multiple DHCP, ICMP, TCP, CDP, HPSP, SMB, SNMP, plus many others.

Return to the top of the page

URI Use and Abuse
Nathan McFeters, Senior Security Advisor, Ernst & Young
Rob Carter, Security Advisor, Ernst & Young

URIs link us to commands and programs which have been written by developers and are subject to all of the same code flaws that any other system might be, what is most interesting is that the usage of URIs links us to that back end application through a browser, making Cross Site Scripting attacks a possible trigger for any flaws we may discover.

This presentation will discuss the subject of URI attacks, glossing over several 0-days that were originally discussed at DEFCON 15 and will move into more recent research that exposes applications functionality resulting in some scary attacks. Examples will include stack overflows, command injections, utilizing an application to send all of a user's pictures to an arbitrary server, etc. All of these attacks are leverageable thru XSS exposures, and thus XSS, CSRF, Phishing, and Anti-DNS Pinning attacks will be combined with the URI attacks to devestating effect.

Nathan McFeters is a Senior Security Advisor for Ernst & Young's Advanced Security Center based out of Houston, TX. Nathan has performed web application, deep source code, Internet, Intranet, wireless, dial-up, and social engineering engagements for several clients in the Fortune 500 during his career at Ernst & Young and has served as the Engagement Manager for the ASC's largest client, leading hundreds of web application reviews this year alone.

Prior to taking the position with Ernst & Young, Nathan paid his way thru undergrad and graduate degrees at Western Michigan University by doing consulting work for Solstice Network Securities a company co-founded with Bryon Gloden of Arxan, focused on providing high-quality consulting work for clients in the Western Michigan area.

Nathan has an undergraduate degree in Computer Science Theory and Analysis from Western Michigan University and a Master of Science Degree in Computer Science with an emphasis on Computer Security, also from Western Michigan University.

Rob Carter is a Security Advisor for Ernst & Young's Advanced Security Center in Houston, TX. He has performed web application, internet, intranet, and wireless reviews and penetration tests for multiple Fortune 500 clients.

Rob's primary area of interest is in web application security research and tool development. He has an undergraduate degree from Western Michigan University in Computer Science.

Return to the top of the page

Hijacking Virtual Machine Execution
Nguyen Anh Quynh, National Institute of Advanced Industrial Science and Technology (AIST)

In general Virtual Machine (VM) technology can guarantee strong isolation between VMs, so even if a VM is hacked, other VMs are still tamper-resistant.

However, this talk demonstrates that if the attacker takes over the host VM, he can do pretty much anything he wants with the guest VMs. Several sophisticated techniques to hijack the execution of a running VM are presented, which can be used to redirect any VM execution at will.

While the proposed methods are not limited to any kind of virtual machine, we demonstrate them in 3 demos, with 3 kinds of Virtual Machines: KVM, Xen and QEMU.

The first demo shows that with only 1 byte injected into a Linux VM, the attacker can capture all the SSH usernames and passwords of users logged in to the OpenSSH service running inside that VM.

In a second demo, the attacker dynamically injects 3 bytes into a Linux VM, then captures (and later replays) all the keystrokes and output screen of the VM's consoles. The hijacking does not generate any negative impact in I/O performance, therefore not likely to cause any suspect to the VM's owner.

Meanwhile, the hijacking technique can also offer great benefit for the defense side. The third demo proves that with less than 10 bytes injected into a protected Linux VM, we can have a file-system integrity tool. Compared to traditional approaches like Tripwire or AIDE, this IDS offers some advantages such as: real-time detection, zero deployment cost, richer intrusion evidence, and less exposed to attacker.

The presented techniques work with any kind of OS-es, and need absolutely no modification to the kernel of the guest VMs or to the hypervisor. Besides, everything is done inside the user-space, thus straightforward to implement, and requires no deep knowledge about OS kernel.

Nguyen Anh Quynh is a postdoctoral researcher at National Institute of Advanced Industrial Science and Technology—AIST, Japan. His research interests include computer security, networking, data forensic, virtualization, trusted computing and operating system. His papers has been published in various academic conferences, such as ACM, IEEE, LNCS, Usenix among others. Quynh is a contributor of numerous open source projects—notably are Xen Virtual Machine and Linux kernel. He is not limited his research to to the academic field though, as he loves to get involved with the industry. He presented his research results at international hacking conferences such as EusecWest, HackInTheBox, Hack.lu, SyScan, VNSECON. Quynh obtained PhD degree in computer science from Keio University, Japan. He is also a member of Vnsecurity, a pioneer information security research group in Vietnam.

Return to the top of the page

Secure Programming with Static Analysis
Jacob West, Fortify Software

Creating secure code requires more than just good intentions. Programmers need to know how to make their code safe in an almost infinite number of scenarios and configurations. Static source code analysis gives users the ability to review their work with a fine tooth comb and uncover the kinds of errors that lead directly to vulnerabilities. This talk frames the software security problem and shows how static analysis is part of the solution.

Highlights include:

  • The most common security short-cuts and why they lead to security failures
  • Why programmers are in the best position to get security right
  • Where to look for security problems
  • How static analysis helps
  • The critical attributes and algorithms that make or break a static analysis tool

We will look at how static analysis works, how to integrate it into the software development processes, and how to make the most of it during security code review. Along the way we'll look at examples taken from real-world security incidents, showing how coding errors are exploited, how they could have been prevented, and how static analysis can rapidly uncover similar errors.

Jacob West manages Fortify Software's Security Research Group, which is responsible for building security knowledge into Fortify's products. Jacob brings expertise in numerous programming languages, frameworks and styles together with knowledge about how real-world systems can fail. In addition, he recently co-authored a book, "Secure Programming with Static Analysis," which was released in June 2007. Before joining Fortify, Jacob worked with Professor David Wagner, at the University of California at Berkeley, to develop MOPS (MOdel Checking Programs for Security properties), a static analysis tool used to discover security vulnerabilities in C programs. When he is away from the keyboard, Jacob spends time speaking at conferences and working with customers to advance their understanding of software security.

Return to the top of the page

Multiplatform Malware Within the .NET Framework
Paul Sebastian Ziegler

Recently there have been a lot of talks going on concerning multiplatform malware and its possibilities. However only very few people have stepped up to the challenge and actually created some multiplatform malware so far. Furthermore the created worms and viruses usually had some gross requirements, as for example requiring a specially patched Linux kernel.

Multiplatform malware is extremely interesting and possesses immense potential. It opens up completely new approaches to system security that might render a lot of what we do up until now useless. Take this for an example:

While it might not be possible to remotely hack into some company's high security network, you might be able to own an employee's kid Xbox360. Now imagine that a worm could jump from there. It could directly infect the family's desktop PC, from there get synced onto a PDA, PocketPC or Smartphone, get physically carried into the company and attack local computers within the network using Wifi, Bluetooth or those computer's synicing mechanisms - thus opening up a completely new attack vector.

I will present a different approach to implementing multiplatform malware. Instead of trying to create complex assembler patterns that will run on multiple kernels in an extremely unstable manner (if you are lucky), it is also possible to make use of runtime frameworks.

I created a worm that runs within the .NET framework. I will present the technique used to make it completely compatible with WindowsXP (.NET/Mono), Linux (Mono), Solaris (Mono), Mac OS X (Mono) and the BSD descendants (Mono/possibly Rotor). The sourcecode of the worm is available under the GPLv2 at observed.de/?download. There is also a blog-entry on that worm at observed.de/?official.

There is very little information on the real potential of multiplatform malware yet. And there is by no means any kind of common understanding concerning it. So let us create that understanding together in order not to be on lost stands once multiplatform malware will start to strike in a couple of years.

Paul Sebastian Ziegler is an autodidact. You can easily tell since he sometimes messes up the pronunciation of technical terms—whitepapers in leetspeak simply don't contain phonetic spellings very often. His mind is just as chaotic with a lot of ideas, concepts and terms lying around and links between them wildly spreading like weeds. This constellation often leads to strange gasps of reality and also of computer security. And as always—"strange" is just another term for "new" and "unusual".

Being a freelancer brings Paul time to write articles (hakin9) and books (O'Reilly), but pentesting and system administration take up most of his time. During free time he enjoys geeking out (e.g. turning record players into voice-controlled wireless mp3-music-stations), programming and swordplay. Also friends tend to keep him distracted a lot.

Paul believes that real security can only come from broad knowledge and that security through obscurity is doomed to failure. Due to this basic assumption most of his research is dedicated to breaking security mechanisms and discovering new attack vectors to raise public awareness—be it by analyzing wireless frames, messing with people's minds or pushing the topic of multiplatform malware.

Return to the top of the page

Pedram Amini

Brandon Baker

Rob Carter

Halvar Flake

Kenneth Geers

Billy Hoffman

Mr. Kanakoto

Clemens Kolbitsch

David LaPorte

Nathan McFeters

Nguyen Anh Quynh

Jacob West

Suguru Yamaguchi

Paul Sebastian Ziegler

Black Hat together with Internet Association Japan will host the fourth annual Black Hat Briefings Japan in Tokyo.

Black Hat Logo
(c) 1996-2007 Black Hat