Black Hat, Day 2: DTrace, (un)Smashing the Stack, Cisco IOS Forensics

Day 2 is done and Black Hat is wrapped up. The second day of talks was power-packed with some really great presentations.

Despite a wicked night of celebration after my successful talk, I still managed to turn up on time for the "DTRACE: The Reverse Engineer's Unexpected Swiss Army Knife" talk by my new friends Tiller Beauchamp and David Weston. This talk was especially interesting to me because of the recent difficulties I had writing exploit code for the iPhoto format string flaw that I recently reported. Being a new Mac user and trying to perform vulnerability research is a pain; basically I was using gdb exclusively (there are probably a number of better ways), which was not a comfortable transition for someone who is primarily an OllyDbg user. One of the biggest difficulties I had with my iPhoto flaw was determining where in the process space my user-controlled string was located. I met with David and Tiller on Day 1 at the bar, and with three or four lines of DTrace probe code we'd found everything we needed and were well on our way to developing exploit code.
So what is DTrace?

  • A kernel-based dynamic tracing tool
  • Works in user-land and kernel-land, and in fact can do both at the same time
  • Allows the creation of "probes" that give a great amount of control over what is going to be found
  • Lots of other technical details; ask Sun, or Tiller and David, for more
What did David and Tiller do? They created a Ruby framework around DTrace, RE:Trace, to make it infinitely useful to security researchers. The example they gave today set up a probe that watches for EIP being overwritten with 0x41 bytes (i.e., 'A' characters). Supplying a long string of A's is one of the classic ways a researcher tests for stack overflows, and RE:Trace lets you do any and all fuzzing you'd like and tells you if and when this happens; in fact, it can even help you track down what caused it. They also mentioned using it for heap overflow detection, and we clearly used it for working through my format string issue. This is a wonderful addition to the security researcher's toolkit, and it was, in fact, my second favorite talk, just behind Rios and Nitesh with the hilarious "Bad Sushi" talk from Day 1.

The next talk I caught was "(un)Smashing the Stack: Overflows, Countermeasures, and the Real World" by Shawn Moyer. This was a great recap of many of the protections built into modern operating systems; several countermeasures were discussed (with some discussion of why they don't always work as well as hoped), such as ASLR, DEP, non-executable heaps, etc. While Shawn's talk was very informative and covered all of these issues, I think the key point is that we have come a long, long way from where we were. Yes, ASLR is still opt-in, as is DEP (and definitely not a happy thing for Java; see John Heasman's blog entry), Mac OS X still has heap issues, etc., but the key is that things are becoming much more difficult to exploit than they used to be. It's good to feel that things are really headed in the right direction. Of course, we should always stay vigilant that new technologies and features do not outpace security.
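To make the DTrace discussion above concrete, here is a short D script added as an example (it is not RE:Trace code and not anything Tiller and David showed). It covers the two uses mentioned in this write-up: printing the user-space address of every string the target hands to strlen(), so you can see where your input lands in the process, and a fault probe that fires only when the program counter has been overwritten with 0x41414141. The choice of strlen() as the hook, the proc:::fault argument layout and the uregs[R_PC] register name follow the DTrace documentation and are assumptions about your platform; confirm them with `dtrace -l` before relying on the output.

```d
#!/usr/sbin/dtrace -s
/*
 * Added example, not RE:Trace code. Run against a test binary with:
 *   sudo dtrace -s trace_input.d -c ./target_program
 * $target is the pid of the process started by -c.
 */
#pragma D option quiet

/*
 * 1. Locate the tester-supplied input inside the process.
 *    Every string the target passes to strlen() is printed with its
 *    address, so a supplied pattern can be matched to a memory location.
 *    The module field is left blank so any library's strlen() matches.
 */
pid$target::strlen:entry
{
    printf("[%d] strlen(%p) = \"%s\"\n", pid, arg0, copyinstr(arg0));
}

/*
 * 2. Crash triage during fuzzing.
 *    proc:::fault fires when a thread takes a hardware fault; arg1 is
 *    the fault type. The predicate restricts it to the traced process
 *    and to the one case of interest: a program counter of 0x41414141,
 *    meaning the saved return address was overwritten by 'A' bytes.
 */
proc:::fault
/pid == $target && uregs[R_PC] == 0x41414141/
{
    printf("[%d] fault type %d: PC = %p (overwritten with 0x41 bytes)\n",
        pid, arg1, uregs[R_PC]);
    /* Print the user stack as it stands at the fault; the top frames
       show the last sane call before control was lost. */
    ustack();
}
```

Because the predicate is evaluated in the kernel before the action runs, the second probe costs nothing until a matching fault actually occurs, which is what makes it practical to leave enabled across a long fuzzing run.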
I caught Felix 'FX' Lindner's talk on Cisco IOS Forensics after lunch, and while neither Cisco nor forensics are things I've spent a lot of time working with, I found this to be a very interesting talk and, as with all FX talks, hugely entertaining. FX is one of those guys whose presentations I watch no matter what, even if I'm not sure I will enjoy the subject. Dan Kaminsky is another. The thing that stays consistent with FX is that he puts on a damn good show. That said, his talk really opened a lot of eyes, and his new tool (in development) for analyzing IOS crash dumps sounds hugely interesting. FX is going to be talking about this at Black Hat Europe as well, and I'm looking forward to discussing it with him more there. He left the audience with a very ominous point: attackers typically go after the devices that seem easiest to attack, and with all of the aforementioned protections being put into modern operating systems, it's not a question of if Cisco IOS will be attacked, but when.

I missed the SCADA talk by Jason Larsen and the Virtualization Exploitation talk by Jon Oberheide (from U of M, Go Blue!), both of which I was really interested in seeing. Unfortunately, I had some work to do that prevented me from making the final two talks, but I'm looking forward to seeing their slides.

As with every Black Hat I've been to, it's not just the presentations themselves that are the experience; it's the cast of characters you meet, the side talks, the after-presentation speaker meet-and-greets, etc. Recently Jeff Moss and crew started having speakers move to a side room after their presentations to make themselves available for any and all questions that might come their way. This is truly a great thing for both the attendees and the speakers. As a speaker, it's great to see that your research touched someone, got their gears moving and made them think. As an attendee (or a speaker wanting to talk to another speaker), it's an excellent way to meet the researcher and have some one-on-one time to discuss the issues. I'm looking forward to Black Hat Europe three weeks from now for more fun!