BlackHat Asia 2016 was once again held in the majestic Marina Bay Sands hotel in Singapore. This is one of the biggest security conferences in Asia. We attended many of the talks and presentations and wanted to highlight some of the most interesting topics here for those of you who were unable to attend:
- A NEW CVE-2015-0057 EXPLOIT TECHNOLOGY. Security researcher Wang Yu introduced an approach to exploiting the patched Windows kernel vulnerability CVE-2015-0057. This exploit was inspired by a number of other research papers that have been published on the same topic. He started by explaining how Windows 10 security can be further hardened to make exploiting the Windows kernel more challenging. Having said that, he then demonstrated how to manipulate an information leak mechanism that Windows 10 is vulnerable to in order to make it easier to exploit the Windows kernel.
- Xiaoning Li has, once again, introduced a number of easy-to-implement techniques designed to detect whether a program is being executed within a Dynamic Binary Instrumentation (DBI) framework. He then explained that it is relatively easy to escape the DBI environment. Based on his research, he showed that it is possible for malware or an exploit program to use this escape technique to take over the machine. However, he emphasized that he is not aware of any malware or exploit in the wild doing this at the moment. He urged DBI framework providers to look into this issue before malware starts to employ anti-DBI techniques to target the DBI framework - something which has begun to gain popularity among security researchers to help them automate programs or tasks.
- Chilik Tamir introduced a Su-a-cyder (read like suicider) framework that can leverage developer certificates in order to install malware on non-jailbroken iOS devices. Since the introduction of Xcode7, anyone can get an anonymous developer certificate for free. These developer certificates allow developers to use Xcode to install a new application on an iOS device without going through the Apple Store review process. This approach has one major limitation: the attacker needs physical access to the device in order to install the new application. Even with that limitation, Chilik demonstrated the threat potential of this framework, showing how bad guys can use this weakness to break an enterprise’s trusted model.
- During the same day, Dr Andrei Costin of EURECOM presented his work from the last few years on building a fully automated dynamic firmware analysis framework (firmware.re). This framework enables the analysis of a large number of firmware images from different devices and different vendors. He also demonstrated how the framework works, and the outcome of having tested more than 1925 different firmware images, which was very impressive.
These highlighted talks were just a small part of the big event. There were many other briefings in different tracks that we didn’t cover here, but you can visit the BlackHat website to access all of the published whitepapers and presentations here.
-= FortiGuard Lion Team =-