I recently attended the USENIX Security Symposium in Boston, MA. I also attended two of the co-located workshops: the Workshop on Hot Topics in Security (HotSec), at which I presented a research paper focusing on a new paradigm for antivirus deployment, and the Workshop on Offensive Technologies (WOOT).
HotSec 2007 Workshop
At HotSec, I presented our paper titled "Rethinking Antivirus: Executable Analysis in the Network Cloud". The abstract follows:
Antivirus software installed on each end host in an organization has become the de facto security mechanism used to defend against unwanted executables. We argue that the executable analysis currently provided by host-based antivirus software can be more efficiently and effectively provided as an in-cloud network service. Instead of running complex analysis software on every end host, we suggest that each end host run a lightweight process to acquire executables entering a system, send them into the network for analysis, and then run or quarantine them based on a threat report returned by the network service. An executable analysis service run inside an enterprise network or by a service provider could integrate antivirus software, behavioral simulation, and other analysis engines from multiple vendors, providing better detection of malware, and simplify client software, enabling deployment on a broader range of devices. To explore this idea we construct a prototype composed of a Windows-based host agent and an in-cloud analysis service and evaluate it using a diverse dataset of 5066 unique malicious executables. By correlating information between multiple detection engines, our system provides over 98% detection coverage of the malicious executables using eight antivirus engines and two behavioral engines, compared to a 54% to 86% detection rate using the latest commercial antivirus products.
WOOT 2007 Workshop
The work presented at WOOT was by far the most interesting of the three events. I suppose I'm just a sucker for more technical and practical research. Papers of interest:
Exploiting Concurrency Vulnerabilities in System Call Wrappers
Robert N. M. Watson, Computer Laboratory, University of Cambridge
Robert Watson, of FreeBSD fame, presented weaknesses in syscall wrapping frameworks, leading to an evasion of the access control and auditing functionality they were designed to provide. Robert found that systems such as GSWTK and Systrace are vulnerable to TOCTOU-like concurrency issues in syscall arguments. This also affects other systems such as the Systrace-based sysjail, allowing a malicious user to break out of the jail due to bind(2) races.
Flayer: Exposing Application Internals
Will Drewry and Tavis Ormandy, Google, Inc.
Will's Flayer tool looks great for quick-and-dirty fuzzing sessions. Flayer, based on the Valgrind framework, allows for taint tracking from multiple input sources and conditional jump modification to get past those annoying sanity checks in your fuzzing target. Flayer absolutely tore apart libtiff and also discovered a NULL deref in OpenSSL.
BlueSniff: Eve Meets Alice and Bluetooth
Dominic Spill and Andrea Bittau, University College London
While a lot of Bluetooth attacks have been explored in the past, I was particularly interested in Dominic's work since he was using a USRP (Universal Software Radio Peripheral) with the GNU Radio framework, resulting in an attack that is possible on much more affordable hardware.
USENIX Security 2007
A couple papers of interest that caught my attention during the USENIX Security conference:
Language Identification of Encrypted VoIP Traffic: Alejandra y Roberto or Alice and Bob?
Charles V. Wright, Lucas Ballard, Fabian Monrose, and Gerald M. Masson, Johns
Gotta love the work of Fabian's group on VBR-encoded VoIP traffic. The timing characteristics of the encrypted RTP streams allow for decently accurate identification of the language being spoken in the VoIP conversation. Pretty neat stuff. I'm definitely interested in seeing some of the future work on conversation reconstruction that Fabian has hinted at.
OSLO: Improving the Security of Trusted Computing
Bernhard Kauer, Technische Universität Dresden
Bernhard not only demonstrated design and implementation bugs in several TPM-enabled bootloaders and detailed TPM reset and BIOS attacks against trusted computing platforms, but also implemented OSLO, a secure bootloader making use of the senter/skinit instructions on modern CPUs. I wasn't able to catch Bernhard's presentation but had previously read the paper and was happy to see it was accepted at USENIX Security.