Conference Details

We're pleased to announce our 2008 conference lineup. More talks will be added as they are confirmed.

The conference will consist of 30- and 60-minute talks on a single track, with lightning talks during the Recon Party.

Guest Speakers

Ilfak Guilfanov - Building plugins for IDA Pro
Michael Strangelove - Hacking Culture

Speakers

Nicolas Brulez - Polymorphic Virus Analysis
Pierre-Marc Bureau - How I learned Reverse Engineering with Storm
Tiller Beauchamp - RE:Trace - Applied Reverse Engineering on OS X
Sharon Conheady and Alex Bayly - Social Engineering for the "Socially Inept"
Bruce Dang - Methods for analyzing malicious Office documents
Sébastien Doucet - 64-bit Imports Rebuilding and Unpacking
Thomas Garnier - Windows privilege escalation through LPC & ALPC interfaces
Cameron Hotchkies - Under the iHood
Eric D. Laspe - The Deobfuscator
Anthony de Almeida Lopes - Bypassing Security Protections by Backdooring libc
Aaron Portnoy and Ali Rizvi-Santiago - Reverse Engineering Dynamic Languages, a Focus on Python
Nicolas Pouvesle - NetWare kernel stack overflow exploitation
Jason Raber - Helikaon Linux Debugger
Gera - Two very small reverse engineering tools: a python disassembling engine and an iterative reverse engineering framework
Craig Smith - Creating Code Obfuscation Virtual Machines
Pablo Sole - RE over Adobe Acrobat Reader using Immunity Debugger
Alexander Sotirov - Blackbox Reversing Of XSS Filters

Lunch Time Workshop

Sébastien Doucet - IITAC - Introduction to IDA Pro for OllyDbg users (20 seats)

--------------------------------

Schedule

Friday June 13th

09.00-10.30 : Breakfast / registration
10.30-11.30 : Pierre-Marc Bureau - How I learned Reverse Engineering with Storm
11.30-12.30 : Bruce Dang - Methods for analyzing malicious Office documents
12.30-14.00 : Lunch / IITAC Workshop Part 01
14.00-15.00 : Ilfak Guilfanov - Building plugins for IDA Pro
15.00-16.00 : Thomas Garnier - Windows privilege escalation through LPC & ALPC interfaces
16.00-16.30 : Break
16.30-17.30 : Nicolas Pouvesle - NetWare kernel stack overflow exploitation
17.30-18.30 : Cameron Hotchkies - Under the iHood

21.00-21.30 : Start of Recon Party - Lightning talks (5-minute slots)
21.30-22.30 : Social Time
22.30-23.00 : Lightning talks (5-minute slots)
23.00-03.00 : Party

Saturday June 14th

08.00-10.00 : Breakfast
10.00-11.00 : Jason Raber - Helikaon Linux Debugger
11.00-12.00 : Craig Smith - Creating Code Obfuscation Virtual Machines
12.00-12.30 : Eric D. Laspe - The Deobfuscator
12.30-13.30 : Lunch / IITAC Workshop Part 10
13.30-14.30 : Nicolas Brulez - Polymorphic Virus Analysis
14.30-15.30 : Michael Strangelove - Hacking Culture
15.30-16.00 : Anthony de Almeida Lopes - Bypassing Security Protections by Backdooring libc
16.00-16.30 : Break
16.30-17.30 : Alexander Sotirov - Blackbox Reversing Of XSS Filters
17.30-18.30 : Aaron Portnoy and Ali Rizvi-Santiago - Reverse Engineering Dynamic Languages, a Focus on Python
20.00++ : Bar hopping

Sunday June 15th

08.00-10.00 : Breakfast
10.00-11.00 : Sharon Conheady and Alex Bayly - Social Engineering for the "Socially Inept"
11.00-12.00 : Pablo Sole - RE over Adobe Acrobat Reader using Immunity Debugger
12.00-12.30 : Gera - Two very small reverse engineering tools: a python disassembling engine and an iterative reverse engineering framework
12.30-13.30 : Lunch / IITAC Workshop Part 11
13.30-14.30 : Tiller Beauchamp - RE:Trace - Applied Reverse Engineering on OS X
14.30-15.30 : Sébastien Doucet - 64-bit Imports Rebuilding and Unpacking

--------------------------------

Building plugins for IDA Pro - Ilfak Guilfanov (Duration: 60 Minutes)

IDA Pro is not just a disassembler but an open platform that can be used to build various binary analysis tools. This presentation will cover the IDA API and show some sample plugins. If you wanted to create your own plugins but did not know where to start, you will find all the necessary information here.

Material

slides(odp) | slides(ppt)

Bio:

Mr. Guilfanov, the founder and CEO of Hex-Rays SA, holds a BSc in Mathematics from Moscow State University. He is the senior architect of several highly regarded software packages, including the widely used IDA Pro, a multi-platform, multi-processor disassembler and debugger. Mr. Guilfanov is also known for having released, on 31 Dec 2005, a highly publicized unofficial fix for the Windows Metafile (WMF) vulnerability in the Microsoft Windows operating system.

--------------------------------

Hacking Culture - Michael Strangelove

As more of our shared culture is privatized and turned into commodities, we lose control over the meanings that shape social life. Where first-generation hackers transgressed property rights through the breaking of code, second-generation hackers seek to undermine corporate control over meaning through the often illegal transformation of privately owned meanings. This appropriation of intellectual property by artists, culture jammers, and ordinary YouTubers reflects a will to subvert the priority given to private property within capitalism. Appropriation, piracy, hacking, and other techniques of dissent enable a form of asymmetrical cultural warfare to be waged against the terror of capital. Dr. Strangelove will outline the central role that meaning and intellectual property rights play in the reproduction of capitalism and explain how corporations and the state are losing control over the production of meaning in the Internet age.

Bio:

Michael Strangelove is one of Canada's Internet pioneers. The Financial Post Magazine has called Strangelove "an international expert on cyberspace and a netrepreneur." In the commercial Internet field he has many firsts associated with his name. Strangelove coauthored the first directory of scholarly Internet publications (1991), founded and published the world's first print-based magazine to address marketing and advertising on the commercial Internet (The Internet Business Journal, 1993), and wrote what may well be the first book to address Internet advertising and consumer behaviour (How to Advertise on the Internet, 1994). The Globe and Mail Report on Business referred to Strangelove as "one of the first Canadians to make use of the Net as a sales tool."

During the earliest days of the commercial Internet, Strangelove created a company that offered practical, business-related Internet and intranet communication, training and publishing services, long before such services were available through other sources. In light of such accomplishments, Canadian Business magazine referred to Strangelove as the "acknowledged dean of Internet entrepreneurs and the man who literally wrote the book on commercialization of the Net."

Strangelove's book, The Empire of Mind: Digital Piracy and the Anti-Capitalist Movement (University of Toronto Press, 2005), a Governor-General's Award finalist in the category of non-fiction, explores the social implications of piracy and consumer-generated content. Strangelove lectures at the University of Ottawa's Department of Communication.

--------------------------------

Polymorphic Virus Analysis - Nicolas Brulez (Improvised Talk)

NA

Material

slides(odp) | slides(pdf)

Bio

Nicolas is a Senior Virus Researcher at Websense Security Labs, where he analyzes computer viruses, develops tools, and conducts security research. Prior to that, he was the Chief of Security for Digital River/Silicon Realms where he worked on the SoftwarePassport/Armadillo protection system for 4 years and specialized in anti-reverse engineering techniques for defence against attacks on software protection.

He has been doing reverse engineering for over a decade, is an active participant in the field of viral threat research whose results are used by various anti-virus companies, and regularly writes for the French security magazine MISC.

Nicolas has authored a number of papers, lectured on assembly programming and reverse engineering at various computer engineering schools, and frequently speaks at international security conferences, including: RECON (Canada), PacSec (Japan), RuxCon (Australia), SSTIC (France), Virus Bulletin, Toorcon (USA), and APWG (Brussels).

Nicolas is an associate researcher at the Virology and Cryptology Laboratory of the École Supérieure et d'Application des Transmissions and also the official reverse engineering instructor at RECON.

--------------------------------

How I learned Reverse Engineering with Storm - Pierre-Marc Bureau (Duration: 60 Minutes)

The Storm Worm is a family of malware that has been present on the Internet for more than eighteen months. It has attracted quite a bit of media attention due to its huge spam campaigns and the size of its botnet. Its authors have invested much time and effort to build a strong and reliable botnet.

From a technical perspective, Storm is fascinating to analyze since it is in constant evolution. It has several unique features, such as infected computers receiving orders from their controllers via encoded peer-to-peer communication. Also, the binaries are protected with various anti-debugging and anti-emulation techniques.

Since I began following the evolution of the Storm Worm in January 2007 it has taught me about reverse engineering, browser exploitation, JavaScript obfuscation and network forensics. In this presentation, I explain how the Storm Worm authors attempt to fool emulators used by antivirus engines by doing fake API calls, show some of the binary obfuscation techniques used by this malware and how they can be bypassed. In terms of browser exploits, I will show how one decodes the obfuscated exploit code using a publicly-available JavaScript interpreter and show which vulnerabilities are being exploited.

In the second part of my presentation, I explain key features of Storm's peer-to-peer network and how static analysis uncovered important information about the network: we were able to recover the key used in the network encoding routine and the hash generation routine used by the botnet controller to send commands to its botnet. With this information, we were able to create a tool to connect to Storm's network and learn more about its authors and their operations.

Material

slides

Bio

Pierre-Marc Bureau is a senior malware researcher at the antivirus company ESET, LLC. In this position, he is responsible for identifying new trends in malware and finding effective techniques to counter these threats. Prior to joining ESET, Pierre-Marc Bureau worked for a network security company as a senior security analyst. He finished his Master's degree in computer engineering at École Polytechnique de Montréal in 2006. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences, including InfoSec Paris and Virus Bulletin. His main interests lie in reverse engineering, software and network security.

--------------------------------

RE:Trace - Applied Reverse Engineering on OS X - Tiller Beauchamp (Duration: 60 Minutes)

This paper will detail the newest developments in RE:Trace, a reverse engineering framework based on Ruby and DTrace. We will discuss implementations for walking and searching the heap on OS X, tracing for kernel and driver vulnerabilities, pinpointing format string bugs and leveraging custom application probes, such as those built into browser and database software.

Material

slides | demo heap | demo stack | demo hids

Bio

Tiller Beauchamp works as a senior security consultant for SAIC providing security auditing services to large commercial, state and DoD customers. His areas of expertise include network penetration testing, web application security, IPv6 and exploit development. Beauchamp earned his M.S. in Computer Science from the University of Oregon with a specialization in software engineering. He has worked as the lead developer for Team Defend, SAIC's portable computer and network defense exercise. Beauchamp is also responsible for maintaining the company's penetration toolkit and penlab.

--------------------------------

Social Engineering for the "Socially Inept" - Sharon Conheady and Alex Bayly (Duration: 60 Minutes)

Social Engineering for the "Socially Inept" will show how skills commonly thought of as "geeky" can be used to great success in social engineering. Social engineering is traditionally seen, especially in films, as the province of the charismatic hacker, requiring an understanding of rapport, Neuro-Linguistic Programming, and other techniques for social interaction. This talk will demonstrate how common geek attributes, whether true or part of the stereotype, can be used to the social engineer's advantage on an exercise.

Bios

After inventing the Internet alongside Al Gore, Sharon moved on to the development of security protocols that were used to crack 128-bit encryption. She did this with no more than an abacus, a ball point pen and a large pad of paper. Three times winner of the Nobel Prize, Sharon enjoys belly dancing and space travel. Not really. Sharon is a social engineer / penetration tester based in London. She holds a degree in Computer Science from Trinity College Dublin and an MSc in Information Security from Westminster University, London. Sharon has previously presented at Recon, IT Security Congress, ISSE/Secure 2007 and SANS Secure Europe.

Alex is a geek and tester working in the UK penetration testing industry. He has worked on social engineering engagements on financial institutions, blue chip companies and sporting venues. Never one to turn down the chance of lying for profit, he has had a passion for social engineering and practices whenever he can. He worked as a system administrator and network engineer prior to working as a security consultant. Alex is a contributor to Johnny Long's latest book, "No Tech Hacking".

--------------------------------

Methods for analyzing malicious Office documents - Bruce Dang (Duration: 60 Minutes)

In the last couple years, there has been a lot of press coverage on targeted attacks and Office documents; however, there is a lack of technical information on these attacks (i.e., attack and defense mechanisms). This talk aims to provide:

1) methods for parsing Office documents;

2) structure of a malicious Office document;

3) techniques of analyzing malicious Office documents; and

4) techniques to detect the malicious documents on the wire.
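The first and fourth points above can be shown concretely. The following is an added example written for this page, not Bruce Dang's tooling: it builds a constructed, synthetic OLE2 (MS-CFB) container with the layout a macro-bearing .doc would have, parses its header, FAT and directory the way a document triage script does, and shows the on-the-wire check (the 8-byte signature at offset 0) that does not depend on the file extension or MIME type. Sector size, entry layout and the special FAT values follow the published MS-CFB specification; the stream names and bytes are made up.

```python
import struct

# Layout constants from the OLE2 / MS-CFB specification (constructed example, not
# the speaker's tooling): 8-byte signature, 512-byte header, FAT and directory sectors.
CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
SECTOR = 512


def _dir_entry(name, obj_type, child=FREESECT, start=ENDOFCHAIN, size=0):
    """One 128-byte directory entry: UTF-16LE name, name length incl. terminator,
    object type, colour, left/right/child, CLSID, state, ctime, mtime, start, size."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    return struct.pack("<64sHBBIII16sIQQIQ", raw.ljust(64, b"\x00"), len(raw),
                       obj_type, 1, FREESECT, FREESECT, child, b"\x00" * 16,
                       0, 0, 0, start, size)


def build_sample_doc():
    """Constructed stand-in for a macro-bearing .doc: header, one FAT sector, one
    directory sector and one data sector. The bytes are synthetic, not a real sample."""
    payload = b"\xEC\xA5\xC1\x00" + b"A" * 60            # fake WordDocument stream
    fat = [FATSECT, ENDOFCHAIN, ENDOFCHAIN] + [FREESECT] * (SECTOR // 4 - 3)
    directory = (_dir_entry("Root Entry", TYPE_ROOT, child=1)
                 + _dir_entry("WordDocument", TYPE_STREAM, start=2, size=len(payload))
                 + _dir_entry("Macros", TYPE_STORAGE)
                 + _dir_entry("", 0))                      # unused slot
    header = struct.pack("<8s16s5H6s9I109I", CFB_MAGIC, b"\x00" * 16,
                         0x3E, 3, 0xFFFE, 9, 6, b"\x00" * 6,
                         0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0,
                         0, *([FREESECT] * 108))
    return (header + struct.pack("<%dI" % len(fat), *fat)
            + directory.ljust(SECTOR, b"\x00") + payload.ljust(SECTOR, b"\x00"))


def is_cfb(blob):
    """Wire check: the signature at offset 0 identifies an OLE2 container whatever
    extension or Content-Type it travelled under."""
    return blob[:8] == CFB_MAGIC


def parse_cfb(blob):
    """Return (name, type, start_sector, size) for every used directory entry."""
    if not is_cfb(blob):
        raise ValueError("not an OLE2 compound file")
    sector = 1 << struct.unpack_from("<H", blob, 30)[0]
    num_fat = struct.unpack_from("<I", blob, 44)[0]
    first_dir = struct.unpack_from("<I", blob, 48)[0]
    fat = []
    for s in struct.unpack_from("<109I", blob, 76)[:num_fat]:   # DIFAT in the header
        fat.extend(struct.unpack_from("<%dI" % (sector // 4), blob, (s + 1) * sector))

    def chain(start):
        seen = set()
        while start < len(fat):                   # ENDOFCHAIN/FREESECT are out of range and stop the walk
            if start in seen:                     # a FAT loop is a malformed (or hostile) file
                raise ValueError("FAT chain loops at sector %d" % start)
            seen.add(start)
            yield start
            start = fat[start]

    entries = []
    for s in chain(first_dir):                    # directory entries are walked sector by sector,
        base = (s + 1) * sector                   # not via the red-black tree, as olefile does
        for off in range(base, base + sector, 128):
            name_len, obj_type = struct.unpack_from("<HB", blob, off + 64)
            if obj_type == 0:
                continue
            name = blob[off:off + max(name_len - 2, 0)].decode("utf-16-le")
            start, size = struct.unpack_from("<IQ", blob, off + 116)
            entries.append((name, obj_type, start, size))
    return entries


MACRO_MARKERS = ("macros", "vba", "_vba_project")


def flag_macro_storages(entries):
    """Names that indicate embedded VBA, the first thing to triage in a suspect document."""
    return [name for name, _, _, _ in entries
            if any(m in name.lower() for m in MACRO_MARKERS)]


if __name__ == "__main__":
    doc = build_sample_doc()
    for entry in parse_cfb(doc):
        print("%-20s type=%d start=%d size=%d" % entry)
    print("macro storages:", flag_macro_storages(parse_cfb(doc)))
```

On a real document the same walk continues into the stream data (following the FAT chain from each entry's start sector) to pull out the VBA project or the embedded OLE object; the loop guard in `chain` matters there, because a crafted FAT that cycles is a cheap way to hang a naive parser.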

Material

slides

Bio

Bruce Dang is a Security Software Engineer in the Secure Windows Initiative group (SWI) at Microsoft; his daily responsibilities include helping customers and dealing with software vulnerabilities. Prior to joining Microsoft, he performed incident response, malware analysis, and tools development for large companies.

--------------------------------

64-bit Imports Rebuilding and Unpacking - Sébastien Doucet (Duration: 60 Minutes)

With 64-bit packers and protectors being released, there is presently a growing need to create new tools to facilitate the manual unpacking process and to make it as trivial as it is now for protected 32-bit executables. I'm proposing two brand-new tools: CHimpREC and CHimpREC-64, allowing the spirit of ImpREC to live on under the best possible compatibility with all the x64 versions of the Windows operating system.

This talk explains the inner workings of a 32-bit imports rebuilder and the problems encountered due to the WoW64 environment and Address Space Layout Randomization. Next is an overview of the differences between the PE and PE32+ formats and their impact on porting CHimpREC to 64-bit. Finally, two or three short live unpacking sessions with different 64-bit packers show how trivial it has become to deal with them with the help of CHimpREC-64.

Material

slides | video (local link) | video (external link)

Bio

Sébastien Doucet, a.k.a. TiGa, is an expert in Metropolitan-Area Fiber-Optic Network Engineering (fancy cable guy) and Actuarial Sciences. He works as an IT Security Trainer for IITAC - International Institute (www.iitac.org), where he gives training on Binary Auditing and IDA Pro.

His video tutorial series on IDA Pro is well known throughout the world. He is the co-founder of the RCE Video Portal (videos.reverse-engineering.net) and a moderator for crackmes.de and reverse-engineering.net; he is also a member of ARTeam (arteam.accessroot.com) and CostCo (www.costco.com). In his free time, he plans to have some free time, some day in the distant future.

--------------------------------

Windows privilege escalation through LPC & ALPC interfaces - Thomas Garnier (Duration: 60 Minutes)

This presentation addresses reported security issues in both the LPC (Local Procedure Call) and ALPC (Advanced Local Procedure Call) interfaces on Microsoft Windows. The first vulnerability is MS08-002 (LSASS local privilege escalation) and the second is MS07-066 (ALPC kernel code execution). This talk presents their discovery and exploitation and discusses how the operating system design could be modified in order to block them.

The LPC interface is an internal communication component of the Windows kernel. This undocumented interface is used behind the scenes by well-known Windows APIs. Most system components use the LPC interface to communicate with programs running at a lower security level. Windows Vista redesigned this interface as a new component called ALPC. The ALPC interface design will be discussed to see what it improves in local communication security.

Material

paper (pdf) | slides (pdf)

Bio

Thomas Garnier is a research engineer in the SkyRecon Systems research and development team. Over the last year, he has discovered many vulnerabilities that have resulted in several Microsoft bulletins. He is interested in reverse engineering, vulnerability research and protection design.

--------------------------------

Under the iHood - Cameron Hotchkies (Duration: 60 Minutes)

The market share of Apple devices has grown considerably over the past few years, but most reverse engineering topics still focus on Microsoft platforms. This talk will outline what is necessary to begin reversing software on OS X. This will include a rundown of the tools available to an Apple-based researcher, how Objective-C works and what it looks like in a binary, the basics of the Mach-O file format including the undocumented __OBJC segment, and comparisons of Windows applications with their OS X counterparts.

Material

slides | ihood.py

Bio

Cameron has been a vulnerability researcher for TippingPoint's DVLabs since 2005. His day to day tasks include verification and analysis of Zero Day Initiative submissions, internal product security audits and a whole lot of reverse engineering. He holds a Bachelor's Degree in Software Engineering from McMaster University.

--------------------------------

The Deobfuscator - Eric D. Laspe (Duration: 30 Minutes)

The Deobfuscator is an IDA Pro plug-in that neutralizes anti-disassembly code and transforms obfuscated code into simplified code in the actual binary. This plug-in uses emulation techniques to remove obfuscated code and replace it with a simplified, transformed equivalent. It can be used alone to modify an IDA Pro database for static analysis, or in conjunction with a binary injector to ease dynamic analysis. We developed this tool while assessing the strength of protections and analyzing malware for DoD government entities and commercial companies. Since its inception, the Deobfuscator has proven to reduce analysis tasks that previously took days into ones that take mere minutes.

The Deobfuscator can currently replace over 49 different obfuscation patterns with simplified code that improves disassembly and human readability. Most of these patterns are generic in nature, not limited to simple peephole observations. The Deobfuscator can resolve: many forms of anti-disassembly such as jump chains, push-returns, call-returns, return folds, indirect jumps, and jumps into instructions; several types of move and stack manipulation obfuscations, which try to mask the flow of data; and unnecessary operations having no net effect. In its "aggressive" and "ultra" modes, the Deobfuscator tracks single or multiple register liveness, respectively, and can replace "dead code" with nop instructions. Its "nop remove" and "collapse" modes can then be used to further simplify the display of deobfuscated code.
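To make the pattern classes above concrete, here is an added toy implementation written for this page; it is not Riverside Research's plug-in and works on a small text form of x86 rather than an IDA database. It handles four of the listed transformations on a constructed sample: push/ret folded to a jmp, jump chains collapsed to their final target, no-net-effect operations and push/pop pairs removed, and a backward register-liveness pass (the "aggressive" mode idea) that drops a register store overwritten before it is read. Flag side effects are deliberately ignored, and labelled instructions are never deleted, both of which a real tool has to handle.

```python
import re

# Toy model of the plug-in's passes, written for this page (not Riverside Research's
# code): instructions are [label, mnemonic, operands] over a handful of x86 forms.
REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")


def parse(asm):
    insns = []
    for line in asm.splitlines():
        line = line.split(";")[0].strip()              # drop comments and blank lines
        if line:
            m = re.match(r"(?:(\w+):)?\s*(\w+)\s*(.*)", line)
            ops = [o.strip() for o in m.group(3).split(",") if o.strip()]
            insns.append([m.group(1), m.group(2), ops])
    return insns


def emit(insns):
    return "\n".join(("%s: " % l if l else "") + mn + (" " + ", ".join(ops) if ops else "")
                     for l, mn, ops in insns)


def fold_push_ret(insns):
    """'push X; ret' is a disguised 'jmp X' (unless the ret is itself a jump target)."""
    out, i = [], 0
    while i < len(insns):
        if (insns[i][1] == "push" and i + 1 < len(insns)
                and insns[i + 1][1] == "ret" and insns[i + 1][0] is None):
            out.append([insns[i][0], "jmp", insns[i][2]])
            i += 2
        else:
            out.append(insns[i])
            i += 1
    return out


def collapse_jump_chains(insns):
    """jmp A; A: jmp B; B: ... becomes jmp B. Cycles are detected and left alone."""
    at = {ins[0]: ins for ins in insns if ins[0]}
    for ins in insns:
        if ins[1] == "jmp" and ins[2]:
            seen, dest = set(), ins[2][0]
            while dest in at and at[dest][1] == "jmp" and dest not in seen:
                seen.add(dest)
                dest = at[dest][2][0]
            ins[2] = [dest]
    return insns


def is_noop(ins):
    """Operations with no net effect on register values (flag side effects ignored)."""
    mn, ops = ins[1], ins[2]
    if mn == "nop":
        return True
    if len(ops) != 2:
        return False
    dst, src = ops
    return ((mn in ("mov", "xchg") and dst == src)
            or (mn in ("add", "sub", "or", "xor") and src == "0" and dst in REGS)
            or (mn == "lea" and src == "[%s]" % dst))


def drop_noops(insns):
    """Remove no-ops and 'push r; pop r' pairs; labelled instructions stay as anchors."""
    out = []
    for ins in insns:
        if ins[0] is None and is_noop(ins):
            continue
        if (ins[0] is None and ins[1] == "pop" and ins[2] and ins[2][0] in REGS and out
                and out[-1][0] is None and out[-1][1] == "push" and out[-1][2] == ins[2]):
            out.pop()
            continue
        out.append(ins)
    return out


def defs_uses(ins):
    """Registers written / read; anything unmodelled is a barrier that reads everything."""
    regs = lambda text: {r for r in REGS if re.search(r"\b%s\b" % r, text)}
    mn, ops = ins[1], ins[2]
    if mn == "mov" and len(ops) == 2:
        if ops[0].startswith("["):                      # store: reads address and source regs
            return set(), regs(ops[0]) | regs(ops[1])
        return regs(ops[0]), regs(ops[1])
    if mn in ("add", "sub", "and", "or", "xor") and len(ops) == 2:
        return regs(ops[0]), regs(ops[0]) | regs(ops[1])
    return set(), set(REGS)


def remove_dead_movs(insns):
    """Backward liveness: a register mov that is overwritten before any read is dead.
    Everything is assumed live at block exit and after a barrier, so this is conservative."""
    live, out = set(REGS), []
    for ins in reversed(insns):
        d, u = defs_uses(ins)
        if ins[1] == "mov" and d and not (d & live) and ins[0] is None:
            continue
        live = (live - d) | u
        out.append(ins)
    return out[::-1]


def deobfuscate(asm):
    insns = parse(asm)
    while True:                                         # run to a fixed point
        before = emit(insns)
        insns = remove_dead_movs(drop_noops(collapse_jump_chains(fold_push_ret(insns))))
        if emit(insns) == before:
            return before


SAMPLE = """
    push L_real       ; push/ret pair is really a jmp
    ret
L1: jmp L2            ; jump chain L1 -> L2 -> L3
L2: jmp L3
L3: mov edi, esi
    mov ebx, 1        ; dead store: ebx is overwritten before it is read
    mov eax, eax      ; no net effect
    add ecx, 0        ; no net effect
    push edx          ; push/pop of the same register cancels out
    pop edx
    mov ebx, 2
    mov [esi], ebx
L_real: xor eax, eax
    ret
"""
```

`deobfuscate(SAMPLE)` reduces the fourteen instructions to eight: `jmp L_real`, the two chain entries now pointing straight at `L3`, the `mov edi, esi`, the live `mov ebx, 2` and its store, and the real epilogue. A production tool also has to model flags, memory aliasing and jumps into the middle of instructions, which is where most of the "over 49 patterns" come from.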

Material

slides

Bio

Eric Laspe has worked at Riverside Research Institute for two years. Since joining their Red Team in 2006, he has broken software protections for commercial entities, reverse engineered malware, and worked with the Team developing a variety of innovative RE tools. Eric has a B.S. in Computer Engineering from Wright State University, and has co-authored IEEE papers on binary obfuscation removal and specialized debugging tools.

--------------------------------

Bypassing Security Protections by Backdooring libc - Anthony de Almeida Lopes (Duration: 30 Minutes)

In this short talk, I will describe several methods of obtaining root after obtaining a normal user account, without actually exploiting anything except the inherent flaws in the typical UNIX security model. This is a proof-of-concept talk to stimulate discussion and motivation for implementing better security models in UNIX.

Material

slides | slides (online view)

Bio

Anthony de Almeida Lopes is a computer security researcher and software developer at Outpost24 AB, in Sweden. Prior to working with Outpost24 AB, he worked for Dyad Security, in California. His research focuses on novel virus technology development and protection and non-specific exploitation of UNIX systems. Previously, at RECON 2006, he gave a talk on a proof of concept virus that took advantage of the NOP areas in executables generated for x86 UNIX, Windows and MacOS X systems for the purpose of increasing difficulty in detection.

--------------------------------

Reverse Engineering Dynamic Languages, a Focus on Python - Aaron Portnoy and Ali Rizvi-Santiago (Duration: 60 Minutes)

Every day more and more programmers are making the switch from traditional compiled languages such as C to more modern dynamic and interpreted languages such as Ruby and Python. We're seeing software ranging from video games to security tools written in these higher level languages and often released in binary form so as to protect the source. This talk focuses on Python with specific discussions revolving around extracting dynamic type information, disassembling code objects, and modifying runtime state statically. A real world complex example is demonstrated, hacking cheats into an MMORPG written in Python. This results in hilarious video demonstrations.
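The three techniques named above (extracting type and constant information from code objects, disassembling them, and modifying runtime state statically) can be shown on a small constructed target. This added example is written for this page and is not the speakers' tooling; the `can_cast` function is a made-up stand-in for a game's check, and only its marshalled form (the body of a .pyc after the header) is treated as available to the reverser. The threshold values are chosen above 255 deliberately, because recent CPython versions load small integers without placing them in the constant pool.

```python
import dis
import marshal

# Constructed stand-in for a game's compiled check. In practice only the marshalled
# bytes exist (a .pyc body after its header); the source is here only to build them.
SOURCE = '''
def can_cast(player):
    """Allow the spell only for high-level players with enough mana."""
    if player["level"] >= 300 and player["mana"] >= 1200:
        return True
    return False
'''


def compile_to_pyc_body():
    """What ships in a binary-only release: a marshalled module code object. The marshal
    format is interpreter-version specific, so analysis runs under the target's Python."""
    return marshal.dumps(compile(SOURCE, "<game>", "exec"))


def load_function(pyc_body, name):
    """Recover a function object from the marshalled module without any source."""
    namespace = {}
    exec(marshal.loads(pyc_body), namespace)       # runs only the 'def' of the stand-in module
    return namespace[name]


def describe(fn):
    """Static view of a code object: constant pool, global names and an opcode histogram,
    the information a reverser collects before deciding what to patch."""
    code = fn.__code__
    hist = {}
    for ins in dis.get_instructions(code):
        hist[ins.opname] = hist.get(ins.opname, 0) + 1
    return {
        "ints": [c for c in code.co_consts if type(c) is int],
        "strs": [c for c in code.co_consts if isinstance(c, str)],
        "names": list(code.co_names),
        "opcodes": hist,
    }


def patch_thresholds(fn, old_to_new):
    """Modify runtime state statically: rewrite the constant pool and install a new code
    object. The opcodes are untouched; only the values the comparisons load change, so a
    disassembly that looks at instructions alone shows nothing different."""
    code = fn.__code__
    consts = tuple(old_to_new.get(c, c) if type(c) is int else c for c in code.co_consts)
    fn.__code__ = code.replace(co_consts=consts)
    return fn


def demo():
    """Load the check from its marshalled form, inspect it, then patch the thresholds."""
    fn = load_function(compile_to_pyc_body(), "can_cast")
    weak = {"level": 3, "mana": 10}
    before = fn(weak)
    print(describe(fn))
    patch_thresholds(fn, {300: 1, 1200: 1})
    return before, fn(weak)
```

`demo()` returns `(False, True)`: the same low-level character is refused by the shipped check and accepted after the constant pool is patched. Writing the patched code object back out with `marshal.dumps` (plus the version-specific .pyc header) is what turns this into a persistent cheat rather than an in-process one.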

Material

slides(ppt) | slides(pdf)

Bios

Aaron Portnoy is a researcher within TippingPoint's security research group. His responsibilities include reverse engineering, vulnerability discovery, and tool development. Aaron has discovered critical vulnerabilities affecting a wide range of enterprise vendors including: Microsoft, RSA, Adobe, Citrix, Symantec, Hewlett-Packard, IBM and others. Additionally, Aaron has spoken at BlackHat US, BlackHat Japan, Microsoft BlueHat, Toorcon Seattle, and DeepSec.

Ali Rizvi-Santiago is a researcher within TippingPoint's security research group. His responsibilities include developing RE related tools, and applying RE to his daily tasks. Prior to TippingPoint he has dabbled in various technology related positions, deploying/supporting RAD Communications equipment, heading the network for Data Transfer Solutions and developing GIS applications under Space Imaging.

--------------------------------

NetWare kernel stack overflow exploitation - Nicolas Pouvesle (Duration: 60 Minutes)

Although a lot of research has been done into exploiting remote buffer overflows in kernel mode on modern systems like Windows, Linux and BSD, there are very few publications about exploitation on other platforms which are still common in enterprise networks.

The main approach in kernel mode exploitation is to inject a payload into user mode. While this method allows shellcodes and payloads to be reused, it may not be the best solution when the system is kernel-centric.

The purpose of this presentation is to describe common and less common kernel-land exploitation techniques applied to the NetWare Operating system. As such, the focus will be on the explanation of a full kernel mode stager and of two different kernel mode stages, a shellcode and an adduser payload.

Material

slides

Bio

Nicolas Pouvesle is a security researcher at Tenable Network Security, where he works on vulnerability analysis and reverse engineering. While at Tenable, Nicolas has partially implemented and reversed many protocols, such as SMB, Oracle, WMI and Skype. He also wrote several of the internal tools used by the Tenable research team to improve vulnerability analysis.

--------------------------------

Helikaon Linux Debugger - Jason Raber (Duration: 60 Minutes)

The Linux OS is not immune to malware and viruses. The reverse engineer is faced with fighting through anti-debugging protections when trying to understand these binaries. This can be a tedious and time-consuming process. COTS debuggers, such as GDB and IDA Pro, are detected on Linux by a variety of anti-debugging techniques. I have developed a stealthy Linux-driver-based debugger named "Helikaon" that will aid the reverse engineer in debugging a running executable without being detected. Helikaon injects a jump at runtime from kernel land into a running user-mode process rather than using standard debugger breakpoints like "INT 3" or the DR0-DR7 hardware registers. Find out about alternate techniques for dynamic analysis in the Linux environment.

Material

slides

Bio

I serve as the technical lead for the Riverside Research Institute Red Team which provides government and commercial entities with specialized software security support. Focus areas include:

o Reverse Engineering: Specializes in extracting intellectual property from a broad spectrum of software. This includes user applications, DLLs, drivers, OS kernels, and firmware. The software can be based on a variety of platforms (Windows/Linux/Mac/Embedded, etc.).

o Malware/Virus/RootKit Analysis: Identifies and analyzes intrusion software to characterize and/or neutralize the threat.

I have spent seven years in the world of reverse engineering, preceded by five years working at Texas Instruments developing Compiler tools for DSPs (code generators, assemblers, linkers, disassemblers, etc.). Developing C compilers for five years prior to reverse engineering has provided a good foundation for understanding machine language and hardware to be utilized in reverse engineering tasks.

--------------------------------

Two very small reverse engineering tools: a python disassembling engine and an iterative reverse engineering framework - Gera (Duration: 30 Minutes)

A couple of years ago in ReCon 2006 Pedram Amini presented PAIMEI. This awesome framework depends on IDA to disassemble binaries and get functions and basic block information. The first tool we present is an incomplete replacement of IDA (in this context) with an extra tweak on how jump-in-the-middle-of-instruction obfuscation is handled.

The second tool may be useful when reversing from binary back to C code. The idea is very simple: The reverser reads assembly and writes C, one function at a time, this new reversed C code can be compiled as a fragment and relinked into the original application. The result is a hybrid application, part original part new. This new application can be debugged, in assembly for the original part, and in C for the new reversed part. The main idea is to have, all the time, a working version of the application which is iteratively reverse engineered into C, while the reverser doesn't have to wait until the end to test the result.

WARNING: The simplicity of the implementation will probably disappoint you.

Material

slides | iterde tool | cuchi tool

Bio

In the last 15 years Gerardo 'gera' Richarte has been dedicated to computer security. He has spoken at different conferences including BlackHat, CanSecWest and PacSec among others, and taught assembly language and exploit writing classes for private, public and military students. For the last 12 years he has been part of Core Security Technologies, where he was a Sr. Security Consultant, Sr. Security Software Engineer and Reverse-Engineer, and has been working, for the last 5 years, as an Expert Exploit Writer, technically leading the exploit writing team for the CORE IMPACT product. During all these years he has published some papers, advisories and open source tools as a humble thank you to the community that has given so much to him.

--------------------------------

Creating Code Obfuscation Virtual Machines - Craig Smith (Duration: 60 Minutes)

This is the VM Creation 101 talk. The talk details what a virtual machine is and how they are used, focusing on embedded virtual machines used for code obfuscation. Specific coding examples are provided on how to write your own opcode interpreter. Code samples on how to embed your newly created VM into a C application are also provided. Additional obfuscation techniques for the VM are discussed, and even though this is a 101 course, a solid understanding of x86 assembler is required.
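As an added illustration of what an opcode interpreter for obfuscation looks like (written for this page, not Craig Smith's minivm, and in Python rather than the C embedding the talk uses), the following is a small stack machine whose bytecode is stored XOR-encoded with a position-dependent key and decoded one byte at a time on fetch, so the plain bytecode never appears in the "binary". The program it runs is a serial check, a constructed 16-bit multiply-and-add hash compared against a target; the opcode numbering, the key schedule and the hash are all arbitrary choices for this example.

```python
# Toy obfuscation VM written for this page (not the speaker's minivm): a stack machine
# whose bytecode is stored XOR-encoded and decoded one byte at a time on fetch.
PUSH, DUP, SWAP, OVER, POP, LEN, LOADB, ADD, MUL, AND, EQ, JNZ, JMP, HALT = range(1, 15)
WITH_IMM = {PUSH, JNZ, JMP}                       # opcodes followed by a 16-bit LE operand


def _key(pos):
    """Position-dependent key; the stride and constant are arbitrary."""
    return (pos * 7 + 0x5A) & 0xFF


def assemble(listing):
    """Two-pass assembler over (label, opcode, operand) triples; labels become addresses."""
    labels, addr = {}, 0
    for label, op, _ in listing:
        if label:
            labels[label] = addr
        addr += 3 if op in WITH_IMM else 1
    out = bytearray()
    for _, op, arg in listing:
        out.append(op)
        if op in WITH_IMM:
            out += (labels[arg] if isinstance(arg, str) else arg).to_bytes(2, "little")
    return bytes(out)


def encode(program):
    """The embedded form: what a reverser finds in the data section."""
    return bytes(b ^ _key(i) for i, b in enumerate(program))


def run(encoded, data, max_steps=100000):
    """Interpreter loop. In a C embedding this is the switch the reverser has to recover
    handler by handler before the bytecode means anything."""
    pc, st = 0, []
    fetch = lambda i: encoded[i] ^ _key(i)
    for _ in range(max_steps):
        op = fetch(pc)
        imm = fetch(pc + 1) | (fetch(pc + 2) << 8) if op in WITH_IMM else None
        pc += 3 if op in WITH_IMM else 1
        if op == PUSH: st.append(imm)
        elif op == DUP: st.append(st[-1])
        elif op == SWAP: st[-1], st[-2] = st[-2], st[-1]
        elif op == OVER: st.append(st[-2])
        elif op == POP: st.pop()
        elif op == LEN: st.append(len(data))
        elif op == LOADB: st.append(data[st.pop()])
        elif op == ADD: b, a = st.pop(), st.pop(); st.append((a + b) & 0xFFFF)
        elif op == MUL: b, a = st.pop(), st.pop(); st.append((a * b) & 0xFFFF)
        elif op == AND: b, a = st.pop(), st.pop(); st.append(a & b)
        elif op == EQ: b, a = st.pop(), st.pop(); st.append(int(a == b))
        elif op == JNZ:
            if st.pop(): pc = imm
        elif op == JMP: pc = imm
        elif op == HALT: return st.pop()
        else: raise ValueError("bad opcode %#x at %d" % (op, pc - 1))
    raise RuntimeError("step limit exceeded")


def reference_hash(serial):
    """The check the bytecode implements: h = (h*31 + byte) mod 2^16 over the serial."""
    h = 0
    for b in serial:
        h = (h * 31 + b) & 0xFFFF
    return h


def serial_check_program(target):
    """Bytecode for: reference_hash(input) == target. Stack comments read bottom to top."""
    return assemble([
        (None, PUSH, 0),                                # h = 0
        (None, PUSH, 0),                                # i = 0             [h i]
        ("loop", DUP, None),                            #                   [h i i]
        (None, LEN, None),                              #                   [h i i n]
        (None, EQ, None),                               #                   [h i i==n]
        (None, JNZ, "done"),
        (None, SWAP, None),                             #                   [i h]
        (None, PUSH, 31), (None, MUL, None),            #                   [i h*31]
        (None, OVER, None), (None, LOADB, None),        #                   [i h*31 s[i]]
        (None, ADD, None),
        (None, PUSH, 0xFFFF), (None, AND, None),        #                   [i h']
        (None, SWAP, None),                             #                   [h' i]
        (None, PUSH, 1), (None, ADD, None),             #                   [h' i+1]
        (None, JMP, "loop"),
        ("done", POP, None),                            #                   [h]
        (None, PUSH, target), (None, EQ, None), (None, HALT, None),
    ])


def check_serial(serial, good=b"RECON-2008"):
    """Build the encoded program for `good` and run the VM against `serial`."""
    program = encode(serial_check_program(reference_hash(good)))
    return bool(run(program, serial))
```

The obfuscation value is not in the XOR, which is trivial once `_key` is found, but in the indirection: the check logic exists only as bytecode for a machine the analyst has not seen before, so every handler must be reversed before the dozen-instruction program can be read. The additional techniques the talk mentions (randomised opcode numbering per build, handlers that decode the next handler, junk handlers) all raise the cost of exactly that step.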

Material

slides | minivm | minivmcrackme

Bio

Craig Smith is a Senior Application Security Consultant at Neohapsis. Craig specializes in reverse engineering tools and techniques with an emphasis on malware and protection schemes. Before joining Neohapsis he focused on creating forensic tools and automation systems for locating security flaws within binary executables. Tools and techniques used in the presentation are almost always free and open source. Prior knowledge of x86 assembler is recommended.

--------------------------------

RE over Adobe Acrobat Reader using Immunity Debugger - Pablo Sole (Duration: 60 Minutes)

Nowadays, security research and vulnerability assessment are becoming more specific and attacks tend to be application-focused. Blind scanning using generic fuzzers and automated generic tools no longer has a significant level of success, as vendors tend to use those very tools as testbeds on each release. It is necessary to build specialized programs that interact directly with the debugger and modify their behavior according to deep information about protocols and program state. With this task in mind we created Immunity Debugger, a freely distributed, fully scriptable debugger that joins the power of a fast and practical GUI with the robustness and programmatic properties of Python. The presentation will cover how to use Immunity Debugger to achieve this objective, diving deeply into the Adobe Acrobat Reader internals and its JavaScript engine as a case study. It will show how to find the methods implemented by each JS object and decode each method's arguments. With all this information together, the talk will guide the audience through building a custom fuzzer that combines SPIKE with the JS information to achieve the ultimate goal: finding bugs.

Material

slides (odp) | slides (pdf)

Bio

Pablo Sole (Cordoba, Argentina) is a senior security researcher with Immunity, Inc. He has a background in ISP technology management. After managing several mid-size ISPs he moved to Informar Argentina S.A. where he was responsible for migrating the security infrastructure to IPSEC and certificate-based authentication. Pablo is also an experienced reverse engineer, system administrator and code auditor. His role at Immunity includes reverse engineering, data extraction, vulnerability development and security research. He has written custom tools for Immunity clients as well as several binary analysis tools for the Immunity Debugger.

--------------------------------^_

Blackbox Reversing Of XSS Filters - Alexander Sotirov (Duration: 60 Minutes)

Many of us limit ourselves to what we already know and don't look for new challenges. I've spent a long time reversing x86 code, but there are a lot of other interesting targets out there. Cross site scripting vulnerabilities and web security in general are perceived to not be interesting enough for hardcore reversers, but this talk aims to dispel this notion.

We all know that web apps are the future, but where do we, reversers, fit in this brave new world? I will present the challenges of blackbox reversing and the beauty of reconstructing complicated algorithms based on nothing but some well-chosen inputs and outputs. I will demonstrate the tools I've written to make this easier and perhaps drop a few 0days as well :-)

Material

slides | refltr 1.0

Bio

Alexander Sotirov has been involved in computer security since 1998, when he started contributing to Phreedom Magazine, a Bulgarian underground technical publication. For the past ten years he has been working on advanced exploitation, reverse engineering and vulnerability research. His recent work includes the discovery of the ANI vulnerability in Windows Vista and the development of the Heap Feng Shui browser exploitation technique. Alexander is one of the organizers of the Pwnie Awards. He is currently employed as a security researcher at VMware.

--------------------------------^_

Introduction to IDA Pro for OllyDbg users - Sébastien Doucet - IITAC

Summary: This 3-part training focuses on examining the differences between OllyDbg and IDA Pro and using them to your advantage. It is intended for persons who are already familiar with reverse-engineering using OllyDbg or other similar debuggers but have never fully explored the world of IDA Pro.

This training will occur during the 3 lunch breaks. The lunch will be served in the training room.

Prerequisites

If you are registered for the Recon conference and would like to attend the IITAC Workshop, please send us a mail with your first name, last name and email to the following address : registration . iitacworkshop2008 recon cx

To attend this class you will need a legal IDA Pro license, a Windows virtual machine and a Linux virtual machine.

Availability: 20 seats (10 seats in fifo mode and 10 seats in rand() mode)

Part 1: Graphical View and General Usage

This introductory part focuses on taking your OllyDbg knowledge and successfully applying it to IDA's graphical view. Other IDA-specific features and techniques will also be covered in detail. You will learn how to efficiently analyse and restructure graphs to simplify longer reversing projects.

Part 2: Cross-platform and Remote Debugging

This part is about using IDA's remote debugging capabilities through the use of virtual machines (Windows, Linux) or emulators (WinCE) to easily allow cross-platform debugging and OS-specific bug-tracking. You will learn how to turn your laptop into a versatile plug-n-debug reversing station.

Part 3: Graphical Unpacking

This final segment is about using IDA's graphical view to simplify the unpacking process and how to use plugins and scripts to further shorten the unpacking time. You will learn how to quickly unpack executables and apply the usual OllyDbg methods.

Bio

Sébastien Doucet is an expert in Metropolitan-Area Fiber-Optics Network Engineering (fancy cable guy) and Actuarial Sciences. He works as an IT Security Trainer for IITAC International Institute (www.iitac.org), where he gives trainings on Binary Auditing and IDA Pro. His video tutorial series on IDA Pro is well-known throughout the world. He is the co-founder of the RCE Video Portal (video.reverse-engineering.net) and a moderator for crackmes.de and reverse-engineering.net; he is also a member of ARTeam (arteam.accessroot.com) and CostCo (www.costco.com). In his free time, he plans to have some free time, some day in the distant future.

--------------------------------^_