September 19th, 2014

BlackHat 2010 Recap

Here are some of the interesting things that I encountered this year at BlackHat. These are mostly talks that I went to, but there are a few things that I just happened to run across in the course of the conference. Overall it was a good conference and similar to last year. One improvement was that we were able to get our Defcon badges at BlackHat after waiting in a huge line instead of a really really huge line at Defcon. :)

  • I had seen a talk and other information about BitBlaze before, but I mainly went to this talk to see security rockstar Charlie Miller. It ended up being a pretty interesting talk, and covered some of the ways that BitBlaze can help automate binary analysis. Among a lot of other things it has some neat features that allow you to do taint tracking and determine which registers are tainted from controlled input. There was also a white-paper released that has lots of details and examples.
  •  
  • I saw an interesting talk about a new routing protocol infrastructure attack tool called Loki. It’s written in python (yea), and covers many packet generation and attack modules for Layer 3 protocols, including BGP, LDP, OSPF, VRRP and quite a few others. It takes some previously released tools, adds some new functionality and wraps it in a nice GUI. It has some functional similarities to yersinia, but covers some protocols
    that it doesn’t. The live demos were pretty convincing.

  •  
  • javasnoop is an neat looking new tool for tampering and interacting with the internals of java applications, including function hooking/tracing, debugging and instruction overwriting, etc. He made a good point in his talk that Java is easy to decompile (jad), but if you need to interact with the software after that, re-building the software is often prohibitive.
  •  
  • rejava — This came up in the course of the above presentation, and it looks pretty neat as well. It’s another Java decompiler, but this one allows you to interact directly with the byte code, rather than just getting static code dumps.
  •  
  • psudp — I didn’t see this talk, but the tool sounds interesting. It is a tool for passive network-wide covert communication and covert file exfiltration. The basic gist, it seems, is that it encodes data into unused DNS fields. Source and slides are available.
  •  
  • Taviso Ormandy and Julien Tinnes talk on kernel exploits was pretty mind-blowing. They walked through several very technical kernel exploits that they’ve worked on in recent history. It’s amazing that these guys have such a firm grasp on kernels in multiple operating systems.
  •  
  • virt-ice — This was an interesting talk about a virtualization based malware analysis tool. I was slightly more interested before I found out that the tool wasn’t going to be released any time soon though.
  •  
  • libscizzle — Library for quickly detecting shellcode in a large binary stream.
  •  

I was originally going to create just one BlackHat/Defcon post, but it took longer than expected, so I’ll be breaking it into two posts with the Defcon content tomorrow (maybe).

Leave a Response

Imhotep theme designed by Chris Lin. Proudly powered by Wordpress.
XHTML | CSS | RSS | Comments RSS