Speakers
The Smart-Phones Nightmare - Sergio 'shadown' Alvarez
Sniff keystrokes with lasers/voltmeters: Side Channel Attacks Using Optical Sampling of Mechanical Energy Emissions and Power Line Leakage - Andrea Barisani & Daniele Bianco, Inverse Path
Hacking Macs for Fun and Profit - Dino Dai Zovi & Charlie Miller
Getting into the SMRAM: SMM Reloaded - Loïc Duflot
Network design for effective HTTP traffic filtering - Jeff "rfp" Forristal, Zscaler
Ninja Scanning - Fyodor, Insecure.org
On Approaches and Tools for Automated Vulnerability Analysis - Tanmay Ganacharya & Nikola Livic & Abhishek Singh & Swapnil Bhalode & Scott Lambert, Microsoft
Kicking It Old School: No DNS Packets Were Harmed In The Making Of This Presentation - Dan Kaminsky, IOActive
Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response. - Shane Macaulay, Sean Comeau, and Derek Callaway, Security Objectives
.NET Rootkits - Erez Metula
The Evolution of Microsoft's Exploit Mitigations - Matt Miller and Tim Burrell, Microsoft
An overview of the state of videogame console security. - Victor Muñoz
A Look at a Modern Mobile Security Model: Google's Android - Jon Oberheide, University of Michigan
Bug classes we have found in *BSD, OS X and Solaris kernels - Christer Oberg and Neil Kettle, Convergent Network Solutions
Multiplatform iPhone/Android Shellcode, and other smart phone insecurities - Alfredo Ortega and Nico Economou, Core
Platform-independent static binary code analysis using a meta-assembly language - Sebastian Porst & Thomas "halvar" Dullien, zynamics
Writing User Friendly Exploits - Skylar Rampersaud, Immunity
Persistent BIOS Infection - Anibal Sacco & Alfredo Ortega, Core
Decompiling Dalvik and other JavaFX - Marc Schoenefeld
Automated Real-time and Post Mortem Security Crash Analysis and Categorization - Jason Shirk & Dave Weinstein, Microsoft
SSL, The Sequel: MD5 collisions and EV certificates - Alexander Sotirov & Mike Zusman
Exploiting Unicode-enabled software - Chris Weber, Casaba Security
Chinese Infosec & Malware Overview - Wei "icbm" Zhao, KnownSec
Alfredo Ortega and Nicolas Economou
Nicolas Economou has worked for the last 3 years as Exploit Writer at CORE Security Technologies writing exploits for multiple platforms including Mac OS X, Windows, Linux and iPhone. In his free time he enjoys creating tools (including disassemblers and debuggers) to help the reverse engineering process. He is also a fan of old cars.
Alfredo Ortega works at Core Security Technologies as an exploit writer and OpenBSD, FreeBSD and Linux platform manager. He is pursuing a PhD at ITBA (Instituto Tecnológico de Buenos Aires) and has been a speaker at several security and computer science conferences, including Blackhat, Defcon and Ekoparty. His hobbies are FPGA synthesis, security research and not getting electrocuted while doing security research.
Multiplatform iPhone/Android Shellcode, and other smart phone insecurities
TBA
Christer Oberg and Neil Kettle
Christer Oberg is based in the UK. He enjoys finding and exploiting new vulnerabilities in kernels and other things (not web applications!!). He has previously presented at blackhat, defcon, and sec-t.
Neil Kettle is interested in Theoretical Computer Science, particularly in complexity theory and algorithmics. His research activities involve program analysis and abstract interpretation, with a specific focus on the applicability of Boolean functions as an abstract domain for program analysis. He also has an “unhealthy” interest in computer security and various types of software-related vulnerabilities.
Bug classes we have found in *BSD, OS X and Solaris kernels
This presentation will cover the most common bug classes we have found in *BSD, OS X and Solaris kernels. These are widely used operating systems whose default installation has been reasonably secure for years (all the easy userland overflows and format string bugs have been hunted to extinction!), yet we still find (sometimes) trivially exploitable kernel vulnerabilities in them. This talk will present a wide range of different types of vulnerabilities we have encountered in kernels and demonstrate how easily they can be exploited. Real zero-day vulnerabilities will be used to demonstrate and discuss the bug classes and the exploitation of the bugs.
Chris Weber
Chris Weber is a co-founder and Managing Principal at Casaba Security where he focuses on software security testing for some of the world's leading software development companies and online properties. He has authored several security books, articles and presentations. He's worked as a security researcher and consultant for over a decade and has identified hundreds of security vulnerabilities in many widely used software products.
Exploiting Unicode-enabled software
The complexities of Unicode offer a ripe area for vulnerability research and exploitation. This presentation's focus will be on providing information to aid in finding and exploiting security flaws relevant to Internationalized and Unicode-enabled software. The intention is to present the security issues around Unicode and Internationalized software, and to give the audience real-world vulnerability examples. More importantly, perhaps, attendees will walk away with the test cases and inputs to find these issues and development practices to avoid them.
Marc Schoenefeld
Marc Schoenefeld graduated from the University of Muenster in 1997. He gave his first Blackhat speech in 2002 and the following year wrote a research paper with iDefense on Java Security. In 2007 he joined the Red Hat Security Response Team. He has done training and presentations at Pacsec, HITB, Blackhat, XCon, Websec, bellua, d-a-ch, dimva, and RSA.
Decompiling Dalvik and other JavaFX
The virtual machine that runs the majority of userland applications on Google's Android platform is called "Dalvik". It is a natural successor of the Java VM, improving design and footprint for mobile application scenarios by avoiding the overhead of Java ME. Although Google chose to use the Java toolchain to build applications, they designed a new compiled representation for those applications, which differs from Java bytecode in its stack semantics and has a denser instruction set.
For reverse engineering, until now you could either learn Dalvik bytecode or bribe the original author to give you access to the source code. Neither approach delivers fast and readable results, so our "undx" (dx is the Java-to-Dalvik compiler) provides reverse engineers and software auditors, as well as virus-checking software, with a reliable technique for processing Dalvik code by translating it back to Java classes. This opens the opportunity to re-use established tools and techniques from the Java world for analysis. Our entire code was created without any knowledge of Dalvik's internal code: for our purpose we solely studied the output of the binary "dexdump" tool and used a decent hex editor to discover helpful structures within the binary.
This talk will cover, among other things, the Dalvik architecture compared to Java SE, the Dalvik instruction set and runtime layout compared to Java VMs, and the presentation of an automated approach to Java class recovery.
Matt Miller & Tim Burrell
Matt Miller has been an active member of the security research and development community where he focuses primarily on areas relating to exploitation technology and reverse engineering. Matt joined the Metasploit project in 2004 and contributed to the advancement of the Metasploit framework. Some of these advancements included the Meterpreter, VNC injection, and his work as a core developer on Metasploit 3.0. Matt is also an editor and contributor to the Uninformed Journal which is a free, community-driven outlet for new research. Matt's contributions to the journal have included papers on bypassing PatchGuard and DEP, as well as other techniques that can be used to improve or inhibit exploit reliability. In addition to his work with Metasploit and Uninformed, Matt also developed a functional implementation of Address Space Layout Randomization (ASLR) for Windows 2000, Windows XP, and Windows Server 2003 prior to the integration of ASLR into Windows Vista. Matt recently joined the Microsoft Security Engineering Science team where he is currently focused on program security analysis and exploit mitigations.
Tim Burrell joined Microsoft's Secure Windows Initiative (SWI) team in 2006 with a background in reverse engineering and security evaluation of infosec products. As part of the newly formed security science team within SWI he uses root cause analysis of past MSRC cases to drive the development of security analysis techniques to apply to future Microsoft products.
The Evolution of Microsoft's Exploit Mitigations
Reliable exploitation techniques have been developed and refined over the past decade to the point that most classes of software vulnerabilities can be trivially exploited. The sophistication of these exploitation techniques has warranted the development of equally sophisticated mitigations such as GS, DEP, and ASLR. This presentation explores the technical details of these developments by illustrating the logical evolution of Microsoft's exploit mitigations. This evolution will be shown in terms of the problem each mitigation is attempting to solve, the methods taken to solve it, and how well each mitigation has stood the test of time thus far. This knowledge should provide attendees with a detailed understanding of how Microsoft's exploit mitigations currently work and how developers can best take advantage of them.
Dan Kaminsky
Kicking It Old School: No DNS Packets Were Harmed In The Making Of This Presentation
TBA
Gordon "Fyodor" Lyon
Fyodor (known to his family as Gordon Lyon) released the open source Nmap Security Scanner in 1997 and continues to coordinate its development. He also maintains the Insecure.Org, Nmap.Org, SecLists.Org, and SecTools.Org security resource sites and has written seminal papers on OS detection and stealth port scanning. He is a founding member of the Honeynet Project, a popular speaker at security conferences, and author or co-author of the books "Nmap Network Scanning", "Know Your Enemy: Honeynets" and "Stealing the Network: How to Own a Continent". Gordon is President of Computer Professionals for Social Responsibility (CPSR), which has promoted free speech, security, and privacy since 1981.
Ninja Scanning
Nmap newbies often treat this powerful security scanner as a simple host discovery and port scanning tool, rarely useful beyond the initial stages of an assessment. They miss out on more advanced techniques that can make low-level scanning faster and more comprehensive, while also allowing users to move up the stack and attack applications! 2009 versions of Nmap can spider web sites for SQL injection vulnerabilities, brute-force crack and then query MSRPC services to determine what processes are running on the remote host, detect open proxies, and more. This presentation shows off new Nmap features by demonstrating clever ways to solve practical problems. Fyodor will also provide techniques for overcoming firewalls and other obstacles that can thwart less experienced network and security administrators.
Anibal Sacco & Alfredo Ortega
Anibal Sacco is an SSr Exploit Writer and Reverse Engineer at CORE Security Technologies. He has been researching vulnerabilities and developing exploits for Windows, OS X and Linux for 3 years. He first focused on Windows kernel-mode vulnerabilities, and lately has moved on to OS X vulnerabilities. He also loves to apply obscure ninjutsu moves to understand and improve any kind of firmware found out there. And he enjoys origami, too.
Alfredo Ortega works at Core Security Technologies as an exploit writer and OpenBSD, FreeBSD and Linux platform manager. He is pursuing a PhD at ITBA (Instituto Tecnológico de Buenos Aires) and has been a speaker at several security and computer science conferences, including Blackhat, Defcon and Ekoparty. His hobbies are FPGA synthesis, security research and not getting electrocuted while doing security research.
Persistent BIOS Infection
TBA
Erez Metula
Erez Metula is a senior application security consultant working as the application security department manager at 2BSecure. He has extensive hands-on experience performing security assessments, secure development consulting, and training for clients in Israel and abroad including banks, financial organizations, military, software development companies, telecom, and more. Erez is also a leading instructor in information security training, especially in secure software development methodologies & techniques. He has lectured on advanced .NET security (and other development platforms) for worldwide organizations and is a frequent speaker at conferences such as the Microsoft .NET Security User Group, OWASP (Open Web Application Security Project), and more. He holds CISSP certification and is working towards an MSc in computer science.
.NET Framework Rootkits - Backdoors inside your Framework
This presentation will introduce a new method that enables an attacker to change the .NET language and to hide malicious code inside its core. The presentation covers various ways to develop rootkits for the .NET framework by changing its behavior. It includes demos of information logging, reverse shells, backdoors, encryption key fixation, and other nasty things.
The talk will also introduce ".Net-Sploit", a new tool for building MSIL rootkits that enables the user to inject a preloaded or custom payload into the Framework core DLL. Attendees will learn about .NET reversing techniques and tools, MSIL coding, the GAC's flawed protection mechanism, and the process of modifying the .NET framework core.
Alexander Sotirov & Mike Zusman
Alexander Sotirov is an independent security researcher with more than ten years of experience with vulnerability research, reverse engineering and advanced exploitation techniques. His most recent work includes exploiting MD5 collisions to create a rogue Certificate Authority, bypassing the exploitation mitigations on Windows Vista and developing the Heap Feng Shui browser exploitation technique. His professional experience includes positions as a security researcher at Determina and VMware. Currently he is working as an independent security consultant in New York. He is a regular speaker at security conferences around the world, including CanSecWest, BlackHat and Recon. Alexander is a program chair of the USENIX Workshop on Offensive Technologies and is one of the founders of the Pwnie Awards.
Michael Zusman is a Senior Consultant with the Intrepidus Group. Prior to joining Intrepidus Group, Mr. Zusman held the positions of Escalation Engineer at Whale Communications (a Microsoft subsidiary), Security Program Manager at Automatic Data Processing, and lead architect and developer at a number of smaller firms. In addition to his corporate experience, Mr. Zusman is an independent security researcher, and has responsibly disclosed a number of critical vulnerabilities to commercial software vendors including Apple and SonicWall. He has spoken at a number of top industry events including Black Hat and regional OWASP events. Mr. Zusman also speaks and teaches about information security at NYU/Polytechnic University. Mr. Zusman brings 10 years of security, technology, and business experience to Intrepidus Group. He is a CISSP and an active member of the OWASP foundation.
SSL, The Sequel: MD5 collisions and EV certificates
Extended Validation (EV) SSL certificates have been touted by Certificate Authorities and browser vendors as a solution to the poor validation standards for issuing traditional SSL certificates. It was previously thought that EV certificates are not affected by attacks that allow malicious hackers to obtain a non-EV SSL certificate, such as the MD5 collision attack or the widely publicized failures of some CAs to validate domain ownership before issuing certificates.
Unfortunately, it turns out that the security offered by EV certificates is no better than the security of even the cheapest $12 SSL certificate. In this talk, we will show how any attacker who can obtain a non-EV SSL certificate for a website can perform completely transparent man-in-the-middle attacks on any SSL connection to that site, even if the website is protected by an EV certificate and the users are diligently inspecting all information contained in the SSL certificates.
Dino Dai Zovi and Charlie Miller
Dino Dai Zovi is an information security professional, researcher, and author. Mr. Dai Zovi has been working in information security for over 8 years with experience in red teaming and penetration testing at Sandia National Laboratories, @stake, Bloomberg, and Matasano. He currently manages information security for a technology-based finance firm in New York City. As an independent researcher, he is a regular speaker at industry, academic, and hacker security conferences including presentations of his research on hardware-virtualization assisted rootkits using Intel VT-x, the KARMA wireless client security assessment toolkit, and offensive security techniques and tools at BlackHat USA, Microsoft BlueHat, CanSecWest, the USENIX Workshop on Offensive Technology, and DEFCON. He is perhaps best known in the security and Mac communities for winning the first PWN2OWN contest at CanSecWest 2007.
Charlie Miller is Principal Analyst at Independent Security Evaluators. He is best known as the first to publicly create a remote exploit against the iPhone and has discovered flaws in numerous applications on various operating systems. He has spoken at the Workshop on the Economics of Information Security, Black Hat, DEFCON, ToorCon, ShmooCon, and CanSecWest. He authored the book "Fuzzing for Software Security Testing and Quality Assurance" and the forthcoming "The Mac Hacker's Handbook". He won a MacBook Air by winning the Pwn2Own contest in 2008 for breaking into a fully patched Mac OS X computer. He has a PhD from the University of Notre Dame.
Hacking Macs for Fun and Profit
Mac OS X has so far enjoyed a comparatively safe and malware-free existence on today's hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac's vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitability of memory corruption vulnerabilities on Mac OS X, by applying currently known techniques to a new platform as well as introducing some new techniques.
Both Charlie and Dino have 0wned the Macs in the previous two PWN2OWN contests at CanSecWest. Now they will teach the attendees how easy it is to do for themselves.
Victor Muñoz
Victor Muñoz has been studying the security systems of closed platforms for the last 8 years, and has exploited vulnerabilities in systems like the Sony PlayStation 2, Nintendo Wii, and optical drives such as DVD and HD-DVD readers. Currently he works as an independent consultant, developing IP and digital systems intended for products developed in Asia and Europe.
An overview of the state of videogame console security
Videogame consoles are specialized computers for gaming. They offer a superior throughput per dollar compared to their counterparts, the open platforms. In addition to providing entertainment to the gaming community, they could also provide entertainment to hobby programmers, but sadly development for videogame consoles is a privilege reserved for only a few: the licensed developers. Being limited to running only software licensed by the console manufacturers has encouraged some hackers to circumvent their security systems and use them as a hobbyist development platform. As console security has become stronger, it has evolved from simple obfuscation to the use of non-standard optical disks, cryptoprocessors, hypervisors, AES-128 and RSA-4096 digital signatures. This lecture will analyze the specifics of console security and the behind-the-scenes of how systems like the Nintendo Wii and Microsoft Xbox 360 were 'opened'.
Jason Shirk & Dave Weinstein
Jason Shirk has been in the software industry for 10 years, initially in telecommunications, where he became "reacquainted" with software security, and pursued a degree in Computer Networking and Security. Shirk's nuts-to-bolts security work ranges from corporate software security standards to penetration testing and vulnerability tracking and response. Jason is presently a Security Program Manager for the Microsoft Security Engineering Center (MSEC) Security Science team where he is responsible for Microsoft's fuzzing toolkit and strategy, including !exploitable.
Dave Weinstein has been a professional programmer for more than 20 years, with a career that has spanned military research, academic research, videogame development, and software security. A Senior Security Development Engineer in the Microsoft Security Engineering Center (MSEC) Security Science team, he is the primary designer and developer of the !exploitable tool.
Automated Real-time and Post Mortem Security Crash Analysis and Categorization
As part of modern software development, we need crashes to be evaluated based on both their functional impact and their security implications. Historically, software development has only considered the former, and even in development teams where security expertise is sufficient to analyze exploitability, manual inspection of crashes for security implications simply doesn't scale. To address this, we need to be able to recognize similar crashes, and we need to reduce the need for human analysis by providing automated reporting of security risks where those risks can be determined. This talk will present the details of a Windows Debugger extension, !exploitable, which is currently used inside Microsoft for real-time and post-mortem categorization of crash conditions.
Jeff "rfp" Forristal
Jeff Forristal has worked for Neohapsis, SPI Dynamics, and HP doing security research. He contributed to the book Hack Proofing Your Web Apps, and maintained research blogs for SPI Dynamics (http://www.communities.hp.com/securitysoftware/blogs/jeff/default.aspx) and Zscaler (http://research.zscaler.com/). He has presented at multiple security conferences, including Microsoft BlueHat, where his Fall 2007 talk rated exceptionally high with attendees. Jeff was the first person to identify SQL injection vulnerabilities which he presented at the first CanSecWest conference in 2000.
Network design for effective HTTP traffic filtering
A lot of companies are using application-management systems (such as URL filters, DLP detectors, bandwidth controllers, etc.) in order to manage and monitor their employees. However, just taking one of these appliances and throwing it onto your existing network doesn’t guarantee good coverage or enforcement; in fact, odds are your users (well, their applications) are doing sneaky things that cause these inspection and management appliances to fail. This talk will explore how common network architectures hamper the effective use of these types of management controls, and what network changes can be made to ensure users are getting the best ROI from these appliances.
Jon Oberheide
Jon Oberheide is a security researcher at the University of Michigan, where he previously received a B.S. and M.S. in Computer Science and is currently pursuing a PhD. While his interests as an independent researcher span code, network, and physical security, his current academic work focuses on the threats posed by modern malware to organizational and enterprise networks. Prior to his PhD work, Jon held positions at Merit Network in Research and Development and at Arbor Networks in the Arbor Security Engineering and Response Team (ASERT). Jon has presented at numerous security conferences, both in academia (USENIX Security, HotSec, DIMVA, etc) as well as the industry (BlackHat, CSI, Lockdown, NANOG, etc).
A Look at a Modern Mobile Security Model: Google's Android
Modern mobile devices are rapidly approaching the capabilities of standard PCs, and rich application development, extensibility, and high connectivity are allowing these devices to be used in ways never before possible. However, the same properties also make these mobile devices enticing targets for attackers and malware authors. In this presentation, we will delve into the architecture of one of the most recent mobile platforms, Google's Android stack, which features a permission-based security model that is a significant departure from previous approaches. We will discuss the security challenges and implications from the perspective of the attackers targeting mobile devices, the defenders attempting to design protection mechanisms for a resource-constrained device, the application developers working within the bounds of the device's security model, and the end users interacting with the device.
It is important for users to be aware of the security capabilities of modern mobile devices as their adoption reaches critical mass and even more important for administrators to understand the implications of the use of these devices in their computing environment and networks. For technical audience members, we will delve into low-level details of the Android software stack and how its security model is enforced at the Dalvik VM and OS layers. For less technical audience members, accessible high-level themes related to mobile computing and security will be interwoven throughout the presentation.
Sergio 'shadown' Alvarez
Sergio 'shadown' Alvarez is a well known expert in the IT Security area. He has conducted several consulting, training and assessment assignments for international enterprises, financial institutions and government entities. During his time in the security industry he has conducted network and application penetration tests, source code audits, forensic analysis, security tools development, application security design, secure network design, home banking design and testing, protocol analysis/testing and has delivered numerous trainings, seminars and presentations. He has proven his ability as a security researcher and as a developer of powerful security tools to help find vulnerabilities.
The Smart-Phones Nightmare
Smart-Phones have started to play a big role in our lives and in the corporate environment. They are used to access VPNs, Wireless LANs, and corporate and private e-mail accounts. Stored inside them are confidential data and credentials to access many resources. They are turned on 24/7. They have GPS location and motion tracking systems. And if that weren’t enough, they lack many of the security features that most modern desktop and server operating systems have in place to prevent exploitability. This talk will focus on how an attacker may abuse these devices with targeted attacks to steal or misuse them.
Sebastian Porst and Thomas "halvar" Dullien
After finishing his Masters degree in Computer Science, Sebastian Porst joined zynamics GmbH as lead developer of BinNavi. Among other things, he is responsible for developing and implementing new static code analysis algorithms.
Halvar Flake has been working on topics related to reverse engineering (and vulnerability research) for the last 10 years. He has repeatedly presented innovative research in the realm of reverse engineering and code analysis at various renowned security conferences (RSA, Blackhat Briefings, CanSecWest, SSTIC, DIMVA). Aside from his research activity, he has taught classes on code analysis, reverse engineering and vulnerability research to employees of various government organizations and large software vendors.
Platform-independent static binary code analysis using a meta-assembly language
With the help of a platform-independent meta-assembly language, it is possible to write platform-independent static code analysis algorithms. In this talk, we are going to introduce our meta-assembly-language REIL (Reverse Engineering Intermediate Language), why we designed it the way we did and why this design is important for static code analysis. In the second half of the talk we will be describing a generalized binary code analysis framework built on REIL, which allows an easy integration of arbitrary code analysis algorithms into the REIL architecture. Specific focus will be placed on layering abstract interpretation / monotone frameworks on top of the intermediate language and the resulting reduction in implementation complexity.
Loïc Duflot
Loïc Duflot is a research engineer for the French Central Directorate for Information System Security. He holds a PhD in Computer Science. He is mostly interested in PC hardware-related security issues and is looking at the security of interactions between software and hardware.
Getting into the SMRAM: SMM Reloaded
In this presentation we will show how it is possible for an attacker to use a novel cache poisoning technique to modify the content of the System Management RAM (SMRAM) on x86-based systems and thus to run arbitrary code in System Management Mode, even when all chipset security and access control mechanisms are used correctly. This is mostly useful to kernel rootkits that wish to conceal some of their functions inside the SMRAM.
Since 2006 many security experts have looked at the highly privileged x86 CPU System Management Mode. During the Blackhat 08 forum, Sparks showed how this mode could be used by a kernel-level rootkit to conceal some of its functions, but concluded that only old machines that did not correctly set all chipset security lock bits could be targeted. In this lecture, we will show that this is not true. Another flaw in the overall security model can be exploited by attackers to run arbitrary code in SMM even on newer machines that set all the relevant security bits in the chipset. Our technique can be used by a rootkit, for instance, to bypass innovative security mechanisms such as DeepWatch (proposed by Intel) and Hyperguard (proposed by R. Wojtczuk, J. Rutkowska, and A. Tereshkin), both presented during the Blackhat 08 forum.
Tanmay Ganacharya, Nikola Livic, Abhishek Singh, Swapnil Bhalode and Scott Lambert
Tanmay Ganacharya is a Lead Security Researcher in the Microsoft Malware Protection Center (MMPC) at Microsoft Corporation. He leads a team of talented security researchers and is responsible for tracking new security threats, performing vulnerability/malware research and developing mitigations for the same. His team also conducts research aimed at utilizing state-of-the-art static and dynamic analysis techniques to automate the process of identifying vulnerabilities in binaries and developing signatures without access to source or debug information. Prior to Microsoft, he worked as a Security Researcher at Nevis Networks Inc. and SPI Dynamics Inc. and helped build their Research and Response teams. He holds a MS in Computer Science from University of Southern California, LA and a BE from University of Pune, India.
Nikola Livic is currently working as a security researcher at Microsoft, after having spent that last two years implanting and designing an automated worm containment system, Vigilante. Prior to security work at Microsoft, Nikola worked as a systems software developer with Cray Inc. Nikola graduated with a CSE and a Mathematics degree from University of Washington.
Abhishek Singh is working as a security researcher in Microsoft's US Threat Response Team. In information security, his research interest is in Vulnerability Research, firewall, cryptography, applied cryptography and VPN. He holds one patent in two-factor authentication and another patent is pending. He served as a technical editor for Springer's Advanced information Security Series "Vulnerability Analysis and Defense for the Internet" ISBN 978-0-387-74389-9, has authored chapters on VPN in the Syngress title "Firewall Policies and VPN Configurations" (ISBN 1597490881). The book also appeared in the 2008 Firewall Administrator's Professional CD (ISBN 1597492027). Abhishek's research findings in the field of Information Security and Systems have been published in primer conference and journals. He has also served on the review committee of ACSAC. While pursuing his education he was employed with Symantec Corporation as a Senior Software Engineer. He has also held a technical position with Third Brigade Security Center, the research wing of Third Brigade and with Safenet InfoTech Pvt. Ltd. He holds a B.Tech in Electrical Engineering from IT-BHU, a Master of Science in Computer Science and a Master of Science in Information Security from the College of Computing Georgia Tech.
Swapnil Bhalode is working as a security researcher in Microsoft's US Threat Response Team. He is responsible for vulnerability analysis and IPS signature development. Before Microsoft, he was an analyst at Symantec where he performed vulnerability/malware analysis. His interests include vulnerability research, malware research, and researching security features that can solve a set of problems. He holds a Master's degree in Computer Science from Syracuse University and a Bachelor's degree from the University of Mumbai.
Scott Lambert is a Security Program Manager on the Microsoft Malware Protection Center (MMPC) team at Microsoft. He owns advancing internal binary analysis tools in support of vulnerability analysis and automatic signature generation. Prior to joining Microsoft, Lambert developed, maintained and supported numerous computer security applications ranging from Vulnerability Assessment and Risk Management software to Network and Host-Based Intrusion Detection/Prevention Systems for companies such as L-3 Network Security, Veridian Information Solutions, Symantec Corporation and TippingPoint, a division of 3Com. In addition, he developed and implemented test plans for the evaluation of both wired and wireless Intrusion Detection Systems and performed advanced protocol analysis in support of research and validation of various computer and network vulnerabilities and attack techniques.
On Approaches and Tools for Automated Vulnerability Analysis
Many tools have been proposed to aid in the automated analysis of exploits for vulnerabilities against various products. Some of the more recent developments center on the use of dynamic taint analysis systems for automatic signature generation. In this talk we'll present the toolset we use in our Response process and lessons learned with the use of dynamic taint analysis systems. We'll focus on memory corruption issues in Microsoft products for a given period.
This is the first attempt at quantifying the effectiveness of such systems against a large set of vulnerabilities. As a result, we are able to shed further light on the limitations of systems that employ dynamic taint analysis and draw additional conclusions on how to best extend them. Likewise, this is the first attempt to tie the practical use of such systems to aid a security researcher in vulnerability analysis and signature development.
Shane Macaulay, Sean Comeau, and Derek Callaway
Shane Alexander Macaulay is a world-class IT security specialist. Shane has a deep and broad security view, spanning systems ranging from every major flavor of UNIX, Microsoft and network operating systems. He has made numerous contributions to the security community through various papers, books and revolutionary technical applications.
Sean Comeau has been exploring the details of programmable systems for 15 years. Sean has over a decade of professional experience, in critical production environments, with a wide range of systems. He also has been involved in organizing CanSecWest since 2000.
Derek Callaway is a seasoned computer programmer and security analyst. He is fluent in many programming languages and networking protocols. When he's not analyzing applications, systems architecture or penetration testing, his preferred areas of study are vulnerability research and security tool development. He is currently working on software and information assurance solutions at Security Objectives. Mr. Callaway has developed numerous security tools and exploits over the years that have been contributed to both the public domain and proprietary environments. They include security scanners for web applications (cgiaudit) and DNS servers (porkbind). In the past few years he has released several advisories for update mechanisms in various software applications (Lenovo, Cygwin, PartyPoker, etc.). His leadership experience ranges from collegiate organizations at the University of Delaware to managing resources and personnel on lengthy consulting engagements. In his college years, Mr. Callaway developed a keen interest in the software assurance problem. He was most interested in dynamic program analysis and black-box testing techniques in particular. He wrote a research paper on the subject and continues that research today. Mr. Callaway has also been an FCC-licensed amateur radio operator since 1997. His interest was piqued when he learned of hobbyist bulletin board systems operating via the AX.25 protocol (also known as "packet radio"). He participates in amateur radio club events and exercises sponsored by the American Radio Relay League. Mr. Callaway's employment history in chronological order: ce.net, @stake, Symantec, Creative Business Concepts, Security Objectives Corporation.
Binary Clone Wars: Software Whitelisting for Malware Prevention and Coordinated Incident Response.
A rapid, coordinated malware/cyber-attack response system. During and after a cyber compromise, the individuals responsible for resolving the attack are largely working in the dark. There is almost no ability for disparate groups of security professionals to cooperatively react and aid or otherwise facilitate resolution. Essentially, the same tasks are forced to be repeated countless times.
Providing a means for cyber-attack victims to coordinate rapidly will drastically alter the existing situation in which attackers are afforded infinite time. Our system also enables a database of "known-good" applications; the closest current system is the NSRL provisioned by NIST. We are pioneering a comprehensive model which is network-based, self-organizing (groups may maintain private or semi-private registries) and maintains usefulness across files, memory, network or any other application.
Skylar Rampersaud
Writing User Friendly Exploits
After an exploit has been written and is reliable, there is still a lot of work to be done making it not visible to your targets. This talk will discuss some ways to help achieve this end and will include an "exciting" demo.
Wei "icbm" Zhao
Zhao Wei is the CEO and co-founder of KnownSec Inc, a Beijing-based anti-malware company mostly focused on stopping web malware in China. Prior to founding KnownSec, he was a security researcher at VenusTech and McAfee. He has been actively involved in computer security for nearly ten years, and he has found several vulnerabilities in Windows and Linux software. He has often helped the China Anti-Malware Alliance in its fight against rampant malware in China. His focus now is on the most common distribution channel of malware: vulnerable web browsers and malicious web sites. Because large quantities of the world's malware come from Chinese web sites, and the founders of KnownSec are experts in the Chinese infosec arena, KnownSec is well placed to address this problem and make the internet safer for everyone.
Chinese Infosec & Malware Overview