Thursday morning the speakers piled into an H2 stretch limo and headed off to the Microsoft campus where approximately 30,000 of Microsoft's employees spend their daily lives. The conference is broken into two sessions spread over two days and consists of both 1-hour technical talks and 30-minute executive briefings to the technically-versed management crowd at Microsoft. Aaron and I had the pleasure of catching the following talks:
Ollie Whitehouse from Symantec kick started the day with an interesting talk on Windows Mobile and embedded security titled "The Elephant Under the Carpet". In essence he clearly demonstrated that the maturity of handling and patching security issues on the CE mobile platform is far behind its desktop cousin. He stressed that the security of the CE platform is not entirely under the control of Microsoft as OEMs can make significant modifications and customizations. Ollie also pointed out that the age old Shatter attack is still wildly applicable on the CE platform. Among the more interesting examples he provided is that there are a collection of known and already patched issues that still affect CE. For example the IGMP DoS vulnerability patched in MS06-007 affected Windows Mobile 5 (CE 5.01) as well as the DHTML bug patched in MS06-013. It took a full year for the desktop patch to trickle down to the mobile platform. All in all an interesting talk which grabbed a lot of attention from the audience, especially when he noted that their largest mobile competitor, Symbian, was ahead of the game.
Roberto Preatoni of WabiSabiLabi came to bat next with hands down the most controversial of the subjects presented at BlueHat, triggering a number of questions and dialog from the Microsoft audience during his talk titled "The Exploit Marketplace Project". For those of you who don't know, WabiSabiLabi is the first company to explicitly create a marketplace for vulnerability auctions. Roberto started off with the very interesting point that by generally accepted standards, no vulnerability "marketplace" existed prior to WabiSabiLabi, stating that "Security researchers' work have been exploited for years". There were a lot of heated questions and debate revolving around specifics such as responsible disclosure and validating the identity and intentions of buyers. The subject is far too interesting to be summarized in a paragraph and will perhaps be the subject of a future dedicated blog entry on the vulnerability market place. My personal favorite slide in his deck was where he revealed the top 10 visitors to the auction site:
- 10. SAP
- 9. Verisign
- 8. Oracle
- 7. US Army
- 6. F-Secure
- 5. Symantec
- 4. Veritas
- 3. IBM
- 2. Microsoft
- 1. Cisco
Our talk titled "Fuzzing Sucks!" came up next. Our talk kicked off with some background on why fuzzing is important and how the massive surge in file format and browser bugs in 2006 can largely be attributed to increased interest and dissemination of fuzzing. The remainder of the talk revolved around the architecture and usage of Sulley, a pure-Python fuzzing framework we released just 2 months ago. While covering how a lot of file format parsing bugs are discovered with little effort we posed the question as to why the Microsoft QA process wasn't uncovering them. Turns out one of the security managers from the Office group was in the audience so we got our answer right there and then. The answer is simple, they just started fuzzing the file formats relatively recently. We can all expect the 2007 Office suite to be far more robust then its predecessors.
During her talk titled "Microsoft's Circle of Life: Patch to Exploit", Lurene Grenier from SourceFire gave Microsoft some insights into the trials and tribulations various security vendors go through each and every month on Microsoft Tuesdays to pinpoint patched software flaws from high level bulletins. She walked through the process the team at Sourcefire goes through to produce exploit code and intrusion detection signatures for issues disclosed solely through a high level Microsoft security bulletin. Like most of the industry, her team heavily relies on IDA Pro and SABRE Security's BinDiff engine. One of the interesting points Lurene conveyed was the revelation that many researchers are accidentally discovering new bugs during the process of pin-pointing old ones. For example during the reversing of an Exchange bug Lurene discovered a new fault in Outlook. Then during the reversing of her Outlook bug, Alex Sotirov of Determina discovered a new fault in Exchange.
The final talk we caught was given by Mark Russinovich of Microsoft titled "Malware, Isolation and Security Boundaries: It's Harder than it Looks". This BlueHat marks the first time Microsoft included employees on the speaker list. Mark is one of the main guys behind all the wonderful SYSInternals tools and the original discoverer of the whole Sony Rootkit debacle. As it turns out Mark can speak as well as he can code, as he kept the crowd engaged while he gave an overview on user and kernel mode security features in Vista, Internet Explorer, and other applications and how despite the fact that they significantly improve defense in depth, they are not true Security Boundaries (SB). This is not to discount the value of these security features but rather stress the difficulty in defining new SBs. According to Mark, in the past decade only a single SB has been added: the Java / .NET virtual machine.
A few other talks were given but unfortunately the conference was split such that we were unable to catch the following talks we otherwise would have liked to see:
- Dan Kaminsky (IO Active) "Black Ops 2007: DNS Rebinding Attacks"
- Robert Hensing (Microsoft) "Office 0-Days and the People Who Love Them!"
- Matt Miller (Leviathan) "An External Perspective to Extending Microsoft’s Phoenix Framework"
- Shane Macaulay "Automated Application Security Testing Models with Cool WPF Visualizations"
- Sean Hunt (Microsoft) "Cellular Safety!"
- Halvar Flake (SABRE Security) "Structural Classification of Malware"
- Mike Reavey (Microsoft) "MSRC - Then and Now"
All in all it was a great conference and we look forward to attending again.