The Presentations
Beating a less-dead horse: The current state of .NET reversing
All the cool kids are reversing C apps, mobile is the
(relatively) new hotness, and Java is a long-moldering corpse of failure.
It's time to pick on a new, somewhat neglected red-headed stepchild: .NET.
This talk will cover the current state of the art in .NET reversing, down
from the PE format of .NET assemblies through various types of obfuscation, and
into reversing tools and techniques. Finally, we will get a little
Inception-esque by reversing Reflector inside Reflector in an attempt to
modify its behavior.
Introduction to Dynamic Dalvik Instrumentation (on Android)
As application security becomes more important on Android, we need
better tools to analyze and understand applications on the Android platform.
Android applications are written in Java and run in the Dalvik VM. Until now
most analysis is done via disassembling and monitored execution in an emulator.
This talk presents a new technique to instrument Android applications
executed in the DVM. The talk will introduce the basics of this
technique and show you what can be achieved using it.
On-Chip Debug Interfaces
On-chip debug (OCD) interfaces can provide chip-level control of a target
device and are a primary vector used by hackers to extract program code or
data, modify memory contents, or affect device operation on-the-fly.
Depending on the complexity of the target device, manually locating
available OCD connections can be a difficult and time consuming task,
sometimes requiring physical destruction or modification of the device.
In this session, Joe will present the JTAGulator, an open source hardware
tool that assists in identifying OCD connections from test points, vias,
or component pads. He will discuss traditional hardware reverse
engineering methods and prior art in this field, how OCD interfaces work,
and how JTAGulator can simplify the task of discovering such interfaces.
Portscanning Low Earth Orbit
Satellites are whirring all around our little planet, but the lack of
tools for accessing them has limited past research to stationary
satellites or to ones with documented communications protocols. This
lecture presents the conversion of a maritime L-band dish to be
controlled by a combination of open source hardware and good ol'
fashioned unix daemons. The dish is operated remotely or in a
standalone fashion, scanning the neighborly skies day and night with
little or no supervision.
Weighing in on Issues with Cloud Scale
No, it's not one of those talks. In this new age of computing, more and
more household devices are being connected to the Internet. TVs,
refrigerators, and even coffee machines are some of the first to give in
to the trend. But these devices are old news. In this talk, we'll take
a step back from the ordinary and look at a new target: a
WiFi-enabled... bathroom scale? With the help of a soldering iron and
our good friend IDA, we'll have a go at reverse engineering the device
as well as discuss practical attacks to achieve code execution.
Bypassing all of the things
In between drinks we'll be walking through the discovery and exploitation of
some of these 'vulnerability' things that are all the rage. Reliable exploits
for some Adobe bugs I found (stack-based buffer overflow and memory disclosure)
will be dropped for Windows XP, 7, and 8. I'll show how to bypass /GS, SafeSEH,
full process ASLR (high entropy or whatever), DEP, SEHOP, and the ENHANCED
Mitigation Experience Toolkit (EMET) 3.0/3.5/4.0.
Leaking Addresses with Vulnerabilities that Can't Read Good
Paul and Dion ask: What Would Paul Kocher Do? We will present two methods
for disclosing heap addresses in ECMAScript engines without a traditional
wild read/write primitive. The first technique [1] takes advantage of
timing differences exposed via a popular hashtable implementation technique.
The second technique [2] exploits observable weak references and a common
garbage collection implementation technique. We'll demonstrate and discuss
the implementation of each technique. Finally, we'll discuss attempts at
applying these techniques to multiple engines, including both successes and
failures. Side channels aren't just for cryptographers.
Taint Nobody Got Time for Crash Analysis
The last decade has seen a large focus on vulnerability discovery automation
with various methods of fuzzing and input generation; however, little has been
said about crash analysis or triage. This talk will discuss a powerful toolchain
for crash analysis that incorporates the best available approaches for automated
reasoning about memory access violation exceptions and overcomes limitations in
currently available tools such as !exploitable and crashwrangler.
In particular, we will discuss three key areas: dynamic taint analysis to track
areas of memory that are influenced by user-controlled data, forward and backward
taint slicing to isolate input bytes that lead to the crashing state, and finally
forward symbolic execution to determine if the input can be modified to reach an
alternate state giving more control over the execution of the program. In other words,
our system will isolate the input bytes causing the crash and try to determine if your
ReadAV can actually be turned into a WriteAV or code execution.
Summercon Security Buffet Panel
Ben, Micheal, Erik, Artem, Andy, Mirek
Keeping with tradition, Summercon will end with a big box of chaos. This panel contains several people
who are experts in their respective areas. Each person will talk for 8 minutes and have 2 minutes for
questions. Topics covered are: cryptography, Windows internals, off shore drilling, embedded devices,
and much more. Entertaining does not begin to describe this talk.