Black Hat 2007 preview: Blue Pill under scrutiny

Among the highlights at the year's most anticipated hacker event, vulnerability researchers will challenge Joanna Rutkowska's Blue Pill concept. They'll also pick apart flaws in VoIP, NAC and Web applications.

At last year's Black Hat conference, one of the hottest events was researcher Joanna Rutkowska's demo of "Blue Pill," technology she said could be used to create 100% undetectable rootkits and other malware.

She said it showed how hardware virtualisation technology could become a major security threat in the coming years, when more people will use processors with hardware virtualisation support. The room was jammed, with many attendees standing in the back. Wild cheers erupted as she finished the demo.

Rutkowska's ideas will come under fire at Black Hat USA 2007, which starts Wednesday at Caesars Palace, in a presentation called "Don't Tell Joanna: The Virtualised Rootkit Is Dead." Researchers Nate Lawson of Root Labs, Peter Ferrie of Symantec Corp., and Thomas Ptacek of Matasano Security are scheduled to talk about research they conducted showing that virtualised rootkits will always be detectable.

Special Black Hat coverage

Check out special news coverage of Black Hat USA 2007.
Along with that, Black Hat organisers promise a full agenda of sessions where researchers will demonstrate the insecurities of such technologies as NAC (Network Admission Control), VoIP (voice over IP) and Web applications with Ajax-based features. Researchers from Watchfire Inc. will also show off a reliable method they discovered to exploit dangling pointers. A detailed agenda for both days is available on the Black Hat Web site.

A Blue Pill challenge or lecture?
There had been speculation the virtualised rootkit session wouldn't go off as planned because of Rutkowska's response. Ptacek said Rutkowska told them she'd play along if they met some conditions, including one stipulation that she be paid $416,000. Ptacek said of the last condition, "Why would we pay you $416,000 to buy a rootkit we already know we can detect?" Besides, he said, Rutkowska has conceded that Blue Pill, as it exists today, could be trivially detected by anyone who knows how hardware virtualisation works. "Since Matasano itself owns a hardware-virtualised rootkit, it was clear to everyone that the 'challenge' wouldn't have been interesting," he said.

Nevertheless, Ptacek said there will still be a presentation on it, though not as the challenge it was originally intended to be.

"The challenge at Black Hat will likely not proceed, but the talk will," he said. "We will present the different techniques we had planned to use against Blue Pill, and explain how our code works. Joanna will likely be in attendance, and we hope she objects loudly. She's smart, and I can guarantee the argument would be interesting."

Ajax and VoIP risks revealed
Billy Hoffman, a researcher with Atlanta-based SPI Dynamics, warned at last year's conference that Ajax-based applications are being adopted quickly without a lot of thought about security. He said he'll take that theme to the next step with a session called "Premature Ajax-ulation," which he'll give with fellow researcher Bryan Sullivan.

Himanshu Dwivedi and Zane Lackey of San Francisco-based digital security firm iSEC Partners Inc. will discuss the security issues, attacks and exploits against such VoIP protocols as IAX and H.323. The latter, they say, is particularly vulnerable to attack but that most users assume it's secure because not much evidence to the contrary has been presented.

"We'll talk about the best ways to build a layered defense around VoIP, going through different attacks scenarios against these protocols and how to lower the risks," Dwivedi said. He said the topic is critical because the use of VoIP has exploded in the last three years without much thought of the security risks. Lackey agreed, saying, "While companies are in the same mindset with VoIP as they were a couple years ago, there are more and more tools out there that can be used to both attack and defend it."

Gadi Evron, a security evangelist with Beyond Security, has closely followed the recent coordinated cyberattacks against government and private computer networks in the Baltic nation of Estonia, and will talk about who may be behind the onslaught, what went right on the part of the Estonians and what IT professionals can learn from it.

Jonathan Afek, a senior security researcher at Watchfire, will give a presentation on the technique he and colleague Adi Sharabani discovered to remotely exploit dangling pointers. They stumbled across the technique by chance while running the company's AppScan software against a Web server. The server crashed in the middle of the scan and after some investigation, the pair found that a dangling pointer had been the culprit. This wasn't a surprising result, given that these coding errors are well-known for causing crashes at odd times. But after some further experimentation, Afek and Sharabani found that they could cause the crash intentionally by sending a specially crafted URL to the server and began looking for a way to run their own code on the target machine.

Black Hat surprises
Last year's Black Hat gathering focused heavily on the security features in Windows Vista, which had not yet been released. At the time conference attendees joked that Microsoft had purchased a full track of presentations to promote the new operating system. This year's agenda includes some sessions on Vista security issues, but it isn't as dominant a theme as it was last year.

One thing attendees will be watching for is controversy. Two years ago most of the presentations were overshadowed by a firestorm that erupted over researcher Michael Lynn's demonstration of a Cisco router exploit, which Cisco tried to block with legal action.

Black Hat and Cisco settled a lawsuit over the Lynn affair after conference organisers promised not to proliferate Lynn's findings.

A smaller controversy erupted in March during a smaller Black Hat gathering in Arlington, Va. A security researcher who said he was pressured by radio frequency identification (RFID) chip maker HID Corp. to scrap his demonstration of a device that could clone RFID enabled proximity badges ended up delivering a modified version of his talk anyway, without any details specific to HID's products.

Read more on Voice networking and VoIP