23 May 2016 marked the first day of the annual security conference organized by Hack In the Box. As usual, the event took place in Amsterdam, Netherlands. This year I had the privilege to attend. HITB is one of the top-notch technical conferences, where elite security researchers from around the world gather to share their research. Not to mention that it is also a great place to hang out with these people and exchange ideas offstage. There were so many great talks at this conference. I am pleased to share a couple of talks here that I feel were particularly interesting.
One of my favorite and most anticipated talks was Go Speed Tracer: Guided Fuzzing, presented by Richard Johnson. Richard is an expert in fuzzing technology, with a particular emphasis on how to optimize the performance of traditional fuzzers so that they scale extensively. Of course, traditional fuzzing methodologies, such as dumb fuzzing, which use simple sample-based mutation, still work in most cases. However, they are often limited to discovering minor security issues and eventually hit a bottleneck, an issue many security researchers come across when writing their own fuzzer. Feedback-driven fuzzing is an evolutionary fuzzing methodology, made popular by the introduction of American Fuzzy Lop (AFL): an approach that enhances the coverage of a fuzzer, thereby increasing the chances that the user discovers more security issues, or even uncovers severe security vulnerabilities. After thoroughly studying various open source fuzzers like AFL, Richard shed some light on how to build your own optimally performing guided fuzzer using existing binary instrumentation technologies like Pin, DynamoRIO, and DynInst. He also performed a couple of demos comparing the performance overhead of Pin and DynamoRIO, which showed that DynamoRIO seems to outperform Pin in terms of binary code instrumentation. Unfortunately, he wasn’t able to demo AFL with full support for Windows binaries, along with hardware tracing using Intel Processor Trace via a Windows driver, as the prototype has not been completed yet. Nevertheless, it was an inspirational talk for researchers who are interested in developing their own fuzzer.
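To make the difference between dumb mutation and feedback-driven fuzzing concrete, here is a small added example (my own illustration, not code from the talk or from AFL). It uses Python's sys.settrace as a stand-in for the binary instrumentation the talk discusses, records the control-flow edges each input exercises, and keeps an input in the corpus only when it reaches a new edge. The target function, the seed input and the single-byte mutator are all constructed for the example; the four sequential magic-byte checks are the classic case where an unguided mutator never gets past the first check because it never keeps partial progress.

```python
import random
import sys


def target(data: bytes) -> None:
    """Constructed parser stand-in: four sequential magic-byte checks guard the bug.

    Each check that passes executes new lines, which is the 'new coverage'
    signal a guided fuzzer rewards. RuntimeError stands in for a crash.
    """
    if len(data) < 4:
        return
    if data[0] != ord("F"):
        return
    if data[1] != ord("U"):
        return
    if data[2] != ord("Z"):
        return
    if data[3] != ord("Z"):
        return
    raise RuntimeError("bug reached")


def run_with_coverage(func, data: bytes):
    """Run func(data) under a line tracer; return (set of line edges, crashed?)."""
    edges = set()
    prev = [None]

    def tracer(frame, event, arg):
        if frame.f_code is not func.__code__:   # only trace the target itself
            return None
        if event == "line":                    # record (previous line -> this line)
            edges.add((prev[0], frame.f_lineno))
            prev[0] = frame.f_lineno
        return tracer

    crashed = False
    sys.settrace(tracer)
    try:
        func(data)
    except RuntimeError:
        crashed = True
    finally:
        sys.settrace(None)
    return frozenset(edges), crashed


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Simplest AFL-style mutator: overwrite one random byte with a random value."""
    buf = bytearray(data)
    buf[rng.randrange(len(buf))] = rng.randrange(256)
    return bytes(buf)


def fuzz(func, seed: bytes, max_iters: int, guided: bool, rng_seed: int = 0) -> dict:
    """Mutational fuzzing loop.

    guided=True  -> inputs that reach a new edge are added to the corpus (feedback-driven).
    guided=False -> the corpus never grows, so every child is a mutation of the seed (dumb).
    """
    rng = random.Random(rng_seed)
    corpus = [seed]
    seen_edges, _ = run_with_coverage(func, seed)
    seen_edges = set(seen_edges)
    for i in range(1, max_iters + 1):
        child = mutate(rng.choice(corpus), rng)
        edges, crashed = run_with_coverage(func, child)
        if crashed:
            return {"crash": child, "iterations": i,
                    "corpus": len(corpus), "edges": len(seen_edges)}
        new_edges = edges - seen_edges
        seen_edges |= new_edges
        if guided and new_edges:              # the feedback step: keep partial progress
            corpus.append(child)
    return {"crash": None, "iterations": max_iters,
            "corpus": len(corpus), "edges": len(seen_edges)}


if __name__ == "__main__":
    for guided in (False, True):
        result = fuzz(target, b"AAAA", max_iters=100_000, guided=guided)
        print("guided" if guided else "dumb  ", result)
```

With the seed b"AAAA", the guided run typically finds b"FUZZ" in on the order of ten thousand iterations, growing the corpus by exactly one entry per check it gets past (FAAA, FUAA, FUZA), while the unguided run with the same budget never keeps its occasional lucky first byte and so never crashes the target. The tracer here is slow compared to the DynamoRIO or Pin instrumentation from the talk, but the feedback loop it drives is the same idea.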
Another interesting talk was by Yulong Zhang and Tim Xia, in which they shared their approach to patching vulnerable Android devices. In this talk they explained that they have found a lot of unpatched, vulnerable Android devices in China based on their lab’s telemetry system. The fact is that even though many of these vulnerabilities have already been fixed and patched by Google’s Android security team, it is still very challenging for phone vendors to merge and integrate patches due to the time-consuming patching and verification procedures. So it doesn’t get done. Considering the fact that these devices are wide open to attackers, the presenters decided to address this problem by releasing a full-blown Android application that allows the user to scan for existing vulnerabilities on their device, and then helps them fix the vulnerability before threat actors can exploit it. It is worth mentioning that the tool itself is interactive. In other words, it enables the user to choose whether they want to install a permanent patch or a one-time patch, which can be easily reverted by simply rebooting the device. Lastly, they emphasized that they are currently working with a number of different Chinese phone vendors to adapt their tool so that customers can be protected before these vendors manage to release a patch to their customers. However, it is still controversial to run a third-party kernel patching tool like theirs, which is the reason why it takes them extra effort to deploy their tool widely across other Chinese phone vendors. Nevertheless, the methods they introduced for performing live Android kernel patching were still interesting.
Automotive security is a common topic nowadays, so it was not surprising to see this topic being discussed at this top-level conference. But instead of talking about offensive automotive security, this time Jun Li presented his mitigation techniques against car hacking. He first gave an overview of previous car hacking approaches demonstrated by other researchers. Apparently, this topic requires a solid background in understanding how automobiles work, as the speaker showed. After studying past car hacking approaches published by other researchers, he invented an automobile hacking detection system, combined with a couple of behavioral detection methods, to detect the existence of anomalies when car hacking is attempted. In general, the detection system he introduced was built using machine learning algorithms in order to effectively detect abnormalities. For example, a car that accelerates exponentially, faster than the predicted speed – something that can be evaluated and determined using a machine-learning algorithm coupled with some training data gathered from the normal behavior of the car – can be determined to be abnormal. Additionally, he showed some cool demos that he had pre-recorded to demonstrate how the CANsee system can detect the anomalies of a hacked car. Anyone who is interested in automotive security should definitely check out the video presentation when it is released.
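The acceleration example above boils down to a predictive model trained on normal driving, with an alert raised when the observed speed departs too far from the prediction. The following added example (mine, not CANsee's code and not from the talk) shows the smallest version of that idea: it learns the mean and spread of acceleration from constructed 10 Hz speed traces, predicts the next speed from the previous one, and flags samples whose residual exceeds a z-score threshold. The drive cycle, sampling rate, noise level and the spoofed trace (a sustained +8 m/s offset injected mid-drive, as an attacker overwriting the reported speed might produce) are all constructed for the example.

```python
import random
from statistics import mean, stdev

DT = 0.1  # constructed sampling interval in seconds (10 Hz speed samples)


def drive_cycle(rng: random.Random, noise: float = 0.3) -> list:
    """Constructed 'normal' speed trace in m/s: accelerate, cruise, brake, with sensor noise."""
    speeds, v = [], 0.0
    phases = [(2.0, 100), (0.0, 60), (-3.0, 50)]  # (acceleration in m/s^2, number of ticks)
    for accel, ticks in phases:
        for _ in range(ticks):
            v = max(0.0, v + (accel + rng.gauss(0, noise)) * DT)
            speeds.append(v)
    return speeds


def spoofed_cycle(rng: random.Random, start: int = 40, offset: float = 8.0) -> list:
    """Constructed attack trace: from sample `start` on, the reported speed jumps by `offset` m/s."""
    speeds = drive_cycle(rng)
    return speeds[:start] + [v + offset for v in speeds[start:]]


def accelerations(trace: list) -> list:
    """Finite-difference acceleration between consecutive samples."""
    return [(b - a) / DT for a, b in zip(trace, trace[1:])]


class SpeedAnomalyDetector:
    """Gaussian model of acceleration learned from normal traces; alerts on large residuals."""

    def __init__(self, threshold_sigma: float = 4.0):
        self.threshold = threshold_sigma
        self.mu = None      # mean acceleration seen in training
        self.sigma = None   # spread of acceleration seen in training

    def fit(self, traces: list) -> "SpeedAnomalyDetector":
        accels = [a for t in traces for a in accelerations(t)]
        self.mu, self.sigma = mean(accels), stdev(accels)
        return self

    def predict(self, prev_speed: float) -> float:
        """Predicted next speed given the previous sample."""
        return prev_speed + self.mu * DT

    def zscore(self, prev_speed: float, speed: float) -> float:
        """How many standard deviations the observed step is from the predicted one."""
        return (speed - self.predict(prev_speed)) / (self.sigma * DT)

    def detect(self, trace: list) -> list:
        """Indices of samples whose step from the previous sample is implausible."""
        return [i for i in range(1, len(trace))
                if abs(self.zscore(trace[i - 1], trace[i])) > self.threshold]


def build_detector() -> SpeedAnomalyDetector:
    """Train on three constructed normal drive cycles."""
    training = [drive_cycle(random.Random(seed)) for seed in (1, 2, 3)]
    return SpeedAnomalyDetector(threshold_sigma=4.0).fit(training)


if __name__ == "__main__":
    det = build_detector()
    print("normal trace alerts :", det.detect(drive_cycle(random.Random(7))))
    print("spoofed trace alerts:", det.detect(spoofed_cycle(random.Random(9))))
```

A previously unseen normal cycle produces no alerts because its accelerations stay well inside the learned distribution, while the spoofed trace is flagged exactly at the sample where the injected offset begins (an 80 m/s² step against a spread of roughly 2 m/s²). A real deployment would use richer features and a proper classifier, as the talk describes, but the training-on-normal-behavior and residual-thresholding structure is the same.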
Last, but not least, I was honored to have the opportunity to share my research findings on Kernel Exploit Mining and Hunting with my friend Broderick. Basically, in this talk we shared our methodologies on how to proactively discover effective samples of kernel exploits, or potential zero-day kernel exploits, through a dynamic-analysis system. In addition to that, we also discussed the evolution of kernel exploits that could bypass the kernel exploit detection and prevention methodologies used in the HIPS of some software security vendors. Finally, we introduced some of the anomalies that we have observed in real-world kernel exploits that can be used to identify the existence of a kernel exploit. If you are keen to know more about this topic, you can check out the details in the full whitepaper or the slides.
There were many great talks that you might find interesting as well, so feel free to visit the conference's official website for the rest of the materials. Interested in the next event? Don’t miss HITB GSEC in August 2016 in Singapore.
-== FortiGuard Lion Team ==-