Rafe Hart

Thoughts on security, privacy, and building software.

Ruxcon 12

23 October 2016

I’ve spent the last weekend attending Ruxcon 12, which is a technical security conference in Melbourne. For the benefit of those who weren’t there, and because it helps me consolidate my own thoughts, I’d give the following review.

All of the presentations focused on technical detail, and ranged from being quite accessible through to highly specialized. One example of an accessible presentation was a talk by Jack Forshaw of Google’s Zero Day Initiative, who ran through how he had downloaded documentation from MSDN and searched it for API calls with ‘reserved’ parameters for future use. These calls are a fruitful hunting ground for vulnerabilities, and he walked through the process of using differences between the documentation and implementation that lead him to reporting two zero days to Microsoft. On the other end of the scale, there was an excellent fuzzing presentation by Richard Johnson of Cisco Talos who presented a fuzzing framework that has recently incorporated IntelPT (Process Trace) and American Fuzzy Lop, which would be hard to follow for anyone not already somewhat familiar with the area.

The conference is two days in length and was held in the CQ function centre on Queens St. The age profile of most of the attendees ranges from early twenties to late fifties, with the majority clustered around late twenties, early thirties. Most people were quite friendly, though if I’m being honest, the crowd was light on extroverts. There are lots of pentesters, incident responders and reverse engineers.

Is there much here for someone who isn’t directly working on the tools? I would say yes. Most talks featured demonstrations of recently found zero days, and describe the research process in some detail. For anyone who hasn’t had much experience on the red team side of things, it’s a very useful perspective to add.

Some of the presentations don’t provide actionable information (unless you are reverse engineering malware) but they do give an interesting look behind the scenes at some of the services we use in enterprise. For example, Sean Park of Trend Micro gave a presentation on using neural networks with Fourier transforms to detect malware. He ran through how malware is normally detected in ‘outbreaks’ being transmitted over email, and how they go about building a template to detect that malware. Building these templates is made extremely difficult due to the metamorphosism built into the malware, which is where his research has been applied. His team have captured over 2000 binaries using honeypots, and uses a neural network that leverages the Fourier transform to compare machine behaviours to identify the same malware with different patterns.

There were talks on infrastructure, such as a presentation by Trevor Jay from Red Hat on the recent vulnerabilities that have been found in containers, and what defences containers add or expose.  The overall thrust of the talk was to persuade the attendees to go bug hunting, as the codebase for containers is still relatively immature, and the bugs being found are still large and to some extent reasonably basis. For those who use VMs rather than containers, there was a presentation by Qiang Li of Qihoo 360 on QEMU escapes that identified 50 bugs in the last year, 30 of which have resulted in CVEs. Layered defence is probably the key takeaway here, with Trevor Jay suggesting that if you need to use containers in a multitenant environment, having one VM for a container may be inefficient, but it does provide the isolation necessary to have confidence in preventing an attacker from moving laterally between containerized applications.

One of my favourite presentations was on the topic of dangers within AWS, presented by two Atlassian employees, Daniel Grzelak and Mike Fuller. They outlined a range of issues, from users mistaking the AuthenticatedUsers group to be their users as opposed to all AWS accounts (including new signups), to assumptions in security via roles. When you grant a 3rd party a role within your account, you are actually granting anyone in their account access to that role, including anyone who they have granted access to a role within their account, and so on. Worse, role assumptions are only logged in the assumer’s account, so you will have no logs of who is assuming that role within your environment, except that it happened. They also detailed issues such as cloud trails not logging a number of things, including Route 53 calls and Lambda functions, and some of the dangers of using pre-canned AWS roles, which can be updated to include permissions to new API calls when Amazon updates them, even if you never intended the 3rd party to get them.

If you haven’t been to a convention like this before, you should expect presentations with a lot of code examples in C & python that interact directly with syscalls, as well as a lot of dissassemblies. If that isn’t your thing, don’t let that scare you off - many of the presenters summarise the information presented very effectively.

If anyone is interested in going to Ruxcon next year, let me know - it’d be great to meet up.

More Info: https://ruxcon.org.au