At last year's Black Hat conference, one of the hottest events was
researcher Joanna Rutkowska's demo of "Blue Pill,"
technology she said could be used to create 100%
undetectable rootkits and other malware.
She said it showed how
hardware virtualisation technology could become
a major security threat in the coming years, when more
people will use processors with hardware virtualisation support.
The room was jammed, with many attendees standing in the back.
Wild cheers erupted as she finished the demo.
Rutkowska's ideas will come under fire at
Black Hat USA 2007, which starts Wednesday at Caesars Palace,
in a presentation called "Don't Tell Joanna: The Virtualised
Rootkit Is Dead." Researchers Nate Lawson of Root Labs, Peter
Ferrie of Symantec Corp., and Thomas Ptacek of Matasano Security
are scheduled to talk about research they conducted showing that
virtualised rootkits will always be detectable.
Along with that, Black Hat organisers promise a full agenda of
sessions where researchers will demonstrate the insecurities of
such technologies as NAC (Network Admission Control), VoIP (voice
over IP) and Web applications with Ajax-based features. Researchers
from Watchfire Inc. will also show off a reliable method they
discovered to exploit dangling pointers. A
detailed agenda for both days is available on
the Black Hat Web site.A Blue Pill challenge or lecture?
There had been speculation the
virtualised rootkit session wouldn't go off as
planned because of Rutkowska's response. Ptacek said
Rutkowska told them she'd play along if they met some
conditions, including one stipulation that she be paid $416,000.
Ptacek said of the last condition, "Why would we pay you
$416,000 to buy a rootkit we already know we can detect?"
Besides, he said, Rutkowska has conceded that Blue Pill, as it
exists today, could be trivially detected by anyone who knows
how hardware virtualisation works. "Since Matasano itself owns a
hardware-virtualised rootkit, it was clear to everyone that the
'challenge' wouldn't have been interesting," he said.
Nevertheless, Ptacek said there will still be a presentation on
it, though not as the challenge it was originally intended to
be.
"The challenge at Black Hat will likely not proceed, but the
talk will," he said. "We will present the different techniques we
had planned to use against Blue Pill, and explain how our code
works. Joanna will likely be in attendance, and we hope she objects
loudly. She's smart, and I can guarantee the argument would be
interesting."
Ajax and VoIP risks revealed
Billy Hoffman, a researcher with Atlanta-based SPI Dynamics, warned
at last year's conference that
Ajax-based applications are being adopted
quickly without a lot of thought about security. He said
he'll take that theme to the next step with a session called
"Premature Ajax-ulation," which he'll give
with fellow researcher Bryan Sullivan.
Himanshu Dwivedi and Zane Lackey of San Francisco-based digital
security firm iSEC Partners Inc. will discuss the security issues,
attacks and exploits against such VoIP protocols as IAX and H.323.
The latter, they say, is particularly vulnerable to attack but that
most users assume it's secure because not much evidence to the
contrary has been presented.
"We'll talk about the best ways to build a layered defense
around VoIP, going through different attacks scenarios against
these protocols and how to lower the risks," Dwivedi said. He said
the topic is critical because the use of VoIP has exploded in the
last three years without much thought of the security risks. Lackey
agreed, saying, "While companies are in the same mindset with VoIP
as they were a couple years ago, there are more and more tools out
there that can be used to both attack and defend it."
Gadi Evron, a security evangelist with Beyond Security, has
closely followed the recent
coordinated cyberattacks against government and
private computer networks in the Baltic nation of Estonia,
and will talk about who may be behind the onslaught, what went
right on the part of the Estonians and what IT professionals can
learn from it.
Jonathan Afek, a senior security researcher at Watchfire, will
give a presentation on the technique he and colleague Adi Sharabani
discovered to remotely exploit dangling pointers. They stumbled
across the technique by chance while running the company's AppScan
software against a Web server. The server crashed in the middle of
the scan and after some investigation, the pair found that a
dangling pointer had been the culprit. This wasn't a surprising
result, given that these coding errors are well-known for causing
crashes at odd times. But after some further experimentation, Afek
and Sharabani found that they could cause the crash intentionally
by sending a specially crafted URL to the server and began looking
for a way to run their own code on the target machine.
Black Hat surprises
Last year's Black Hat gathering focused heavily on the security
features in Windows Vista, which had not yet been released. At the
time conference attendees joked that Microsoft had purchased a full
track of presentations to promote the new operating system. This
year's agenda includes some sessions on Vista security issues, but
it isn't as dominant a theme as it was last year.
One thing attendees will be watching for is controversy. Two
years ago most of the presentations were overshadowed by a
firestorm that erupted over researcher
Michael Lynn's demonstration of a Cisco router
exploit, which Cisco tried to block with legal action.
Black Hat and Cisco
settled a lawsuit over the Lynn affair after
conference organisers promised not to proliferate Lynn's
findings.
A smaller controversy erupted in March during a smaller Black
Hat gathering in Arlington, Va. A security researcher who said he
was
pressured by radio frequency identification
(RFID) chip maker HID Corp. to scrap his demonstration of a
device that could clone RFID enabled proximity badges ended up
delivering a modified version of his talk anyway, without any
details specific to HID's products.