OFFICIAL SECURITY BLOG

CanSecWest: Day 2 Recap

March 14, 2014 | BY

Day two of annual CanSecWest conference started bright and early, and when I say bright I mean it. In an uncharacteristic weather trend for Vancouver, we were treated to a second day of sunny skies and balmy weather.

We sat down and listened to highly technical talks:

Copernicus 2, SENTER the Dragon – Xeno Kovah, John Butterworth ; MITRE

At the start of the talk, the researchers covered some of their earlier work, as they are the foundation for their current presentation. Called “BIOS Chronomancy” it demonstrated how to defend from attackers who are in the BIOS, effectively in a very privileged position.

They also spoke of their follow-up research – Copernicus, an application that measures the BIOS from the outside, to compare results with presumed clean BIOS images. Copernicus helps in acquiring the firmware from flashchips, something not typically accessible to the average IT dept.

Finally in their latest research, they demonstrated how Copernicus can be defeated, showcased a proof of concept (POC) called Smite’em. It shows how everything Copernicus does can be subverted by Smite’em and the data it generates can be altered.

They then demonstrated how a side effect of Intel Trusted Execution (TXT) disables Smite’em, and introduced Copernicus 2.

All Your Boot Are Belong To Us – Corey Kallenberg, Yuriy Bulygin ; Intel, MITRE

The talk began by showing many manufacturers are just concerned by the fastest boot, not security. The presenters discussed prior research where they had demonstrated how secureboot can be disabled from userland (within the OS!), forcing the system to reboot into “legacy mode”. (effectively circumventing secureboot)

Platform Firmware Security Assessment with CHIPSEC John Loucaides, Yuriy Bulygin ; Intel

This talk examined BIOS write protections and showcased CHIPSEC, a tool the presenters developed. They showed instances where the BIOS password is stored in the buffer and isn’t cleared. Used the tool to check UEFI SECURE BOOT status. Demonstrated how to show if the BIOS has been infected with malware. Also discussed was badBIOS, and they showed how CHIPSEC could decode the dumped image of a BIOS to facilitate inspection.

This was followed by the Keynote Presentation, given by Hon. Diane Finley Federal Minister of Public Works and Government Services.

Less is more, Exploring code/process-less techniques and other weird-machine methods to hide code (and how to detect them) – Shane Macaulay ; IOActive / Security Objectives

A fascinating presentation, discussing attacks of vmWARE virtual machines. We were shown esoteric techniques to get malicious code to execute in unusual ways. Demonstrated “weird machines” that allow you to execute malicious code and briefly shown the IOActive tool to audit the memory of VMWare virtual machines.

ROPs are for the 99%: A revolutionary bypass technology – Yang Yu a.k.a. “tombkeeper”; NSFOCUS Labs

Which alas, I did not attend, as I was upstairs where “pwnium pwn2own” contest was held and watching VUPEN do the owning.

vupen

Chaouki Bekrar, CEO of VUPEN, seen presenting a successfully “pwned” chromebook.

This is a long running event at CanSecWest, where the contestants are awarded monetary prizes, as well as the machines on which they demonstrate exploits.

Concurrency: a problem and opportunity in the exploitation of memory corruptions – Ralph-Phillipp Weinmann

The last presentation of the day, a highly technical expose of a different technique of exploitation, that relies on concurrency issues. We were explained what Atomicity violations are, order violations, and also shown data races. There was also an example of a concurrency bug in the hardware of the Arm Cortex A9 processor.


  • amazinggrace

    Re: The presentation – “All Your Boot Are Belong To Us – Corey Kallenberg, Yuriy Bulygin ; Intel, MITRE”. How can malicious code “jump” into the ROM of a video card? ROM stands for “Read Only Memory”. It can’t be written to by definition. If they meant RAM, I can understand. But not if they really meant ROM memory.

  • Jean Taggart

    The presentators did mention this: “Malicious code can push itself to the option rom of a video card, with ring 0 privs, defeating secure boot.” I tried to find a second source to confirm this, or better understand what “pushing to the option rom” means exactly. I wasn’t able to, so I elected to take it out.

  • Pingback: CanSecWest: Day 2 Recap | Malwarebytes Unpacked...