The Presentations

Beating a less-dead horse: The current state of .NET reversing
All the cool kids are reversing C apps, mobile is the (relatively) new hotness, and Java is a long-moldering corpse of failure. It's time to pick on a new, somewhat neglected red-headed stepchild: .NET. This talk will cover the current state of the art in .NET reversing, from the PE format of .NET assemblies through various types of obfuscation, and into reversing tools and techniques. Finally, we will get a little Inception-esque by reversing Reflector inside Reflector in an attempt to modify its behavior.

Introduction to Dynamic Dalvik Instrumentation (on Android)

Collin Mulliner

As application security becomes more important on Android, we need better tools to analyze and understand applications on the Android platform. Android applications are written in Java and run in the Dalvik VM. Until now, most analysis has been done via disassembly and monitored execution in an emulator. This talk presents a new technique to instrument Android applications executing in the DVM. The talk will introduce the basics of this technique and show you what can be achieved using it.

On-Chip Debug Interfaces

Joe Grand

On-chip debug (OCD) interfaces can provide chip-level control of a target device and are a primary vector used by hackers to extract program code or data, modify memory contents, or affect device operation on the fly. Depending on the complexity of the target device, manually locating available OCD connections can be a difficult and time-consuming task, sometimes requiring physical destruction or modification of the device.

In this session, Joe will present the JTAGulator, an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads. He will discuss traditional hardware reverse engineering methods and prior art in this field, how OCD interfaces work, and how JTAGulator can simplify the task of discovering such interfaces.

Portscanning Low Earth Orbit

Travis Goodspeed

Satellites are whirring all around our little planet, but the lack of tools for accessing them has limited past research to stationary satellites or to ones with documented communications protocols. This lecture presents the conversion of a maritime L-band dish to be controlled by a combination of open source hardware and good ol' fashioned Unix daemons. The dish is operated remotely or in a standalone fashion, scanning the neighborly skies day and night with little or no supervision.

Weighing in on Issues with Cloud Scale

Michael Coppola

No, it's not one of those talks. In this new age of computing, more and more household devices are being connected to the Internet. TVs, refrigerators, and even coffee machines are some of the first to give in to the trend. But these devices are old news. In this talk, we'll take a step back from the ordinary and look at a new target: a WiFi-enabled... bathroom scale? With the help of a soldering iron and our good friend IDA, we'll have a go at reverse engineering the device as well as discuss practical attacks to achieve code execution.

Bypassing all of the things

Aaron Portnoy

In between drinks we'll be walking through the discovery and exploitation of some of these 'vulnerability' things that are all the rage. Reliable exploits for some Adobe bugs I found (stack-based buffer overflow and memory disclosure) will be dropped for Windows XP, 7, and 8. I'll show how to bypass /GS, SafeSEH, full process ASLR (high entropy or whatever), DEP, SEHOP, and the ENHANCED Mitigation Experience Toolkit (EMET) 3.0/3.5/4.0.

Leaking Addresses with Vulnerabilities that Can't Read Good

Dionysus Blazakis and @pa_kt

Paul and Dion ask: What Would Paul Kocher Do? We will present two methods for disclosing heap addresses in ECMAScript engines without a traditional wild read/write primitive. The first technique [1] takes advantage of timing differences exposed via a popular hashtable implementation technique. The second technique [2] exploits observable weak references and a common garbage collection implementation technique. We'll demonstrate and discuss the implementation of each technique. Finally, we'll discuss attempts at applying these techniques to multiple engines, including both successes and failures. Side channels aren't just for cryptographers.

Taint Nobody Got Time for Crash Analysis

Richard Johnson and @pa_kt

The last decade has seen a large focus on vulnerability discovery automation with various methods of fuzzing and input generation; however, little has been said about crash analysis or triage. This talk will discuss a powerful toolchain for crash analysis that incorporates the best available approaches for automated reasoning about memory access violation exceptions and overcomes limitations in currently available tools such as !exploitable and crashwrangler.

In particular, we will discuss three key areas: dynamic taint analysis to track areas of memory that are influenced by user-controlled data, forward and backward taint slicing to isolate the input bytes that lead to the crashing state, and finally forward symbolic execution to determine whether the input can be modified to reach an alternate state giving more control over the execution of the program. In other words, our system will isolate the input bytes causing the crash and try to determine whether your ReadAV can actually be turned into a WriteAV or code execution.

Summercon Security Buffet Panel

Ben, Michael, Erik, Artem, Andy, Mirek

Keeping with tradition, Summercon will end with a big box of chaos. This panel contains several people who are experts in their respective areas. Each person will talk for 8 minutes and have 2 minutes for questions. Topics covered are: cryptography, Windows internals, offshore drilling, embedded devices, and much more. Entertaining does not begin to describe this talk.