July 26, 2010

Blackhat Vegas 2010


Blackhat Vegas, one of the largest technical and most anticipated security conferences of the year, is just around the corner, and we wanted to let everyone know what talks we'll be giving and how to get in touch with us. So if you're a fellow researcher, security enthusiast, reporter, or customer and you want to talk to a few members of the Security Labs, you'll know how to find us.

Dan Hubbard, CTO of Websense, and a major driving force behind the innovation and research that comes from Websense Security Labs, will be talking at "The Cloud Security Alliance Summit" at Blackhat. Dan will be speaking on the first day of the conference, Wednesday, July 28.

The other member of our team who will be speaking is Jeongwook "Matt" Oh, senior security researcher at Websense Security Labs. Matt will be talking about the third version of a free open source tool that he supports and works on outside of his main research at Websense: DarunGrim. If you haven't used it and are interested in binary diffing (which is very useful when you have to conduct patch diffing analysis to find the code responsible for a particular vulnerability), check out DarunGrim. Having used it myself, I can say that it's quite impressive. Matt will also be speaking on Wednesday, July 28, the first day of the conference. If you want to see the tool in action and ask Matt questions directly, he will be at the Blackhat Tools Arsenal on the second day of the conference; here is the schedule.

Besides the talks by our own team members, we're planning to attend quite a few other presentations. We'd list them here, but this year's schedule is so packed with phenomenal talks that we'd end up listing everything in the schedule having to do with taint analysis, visualizing social networks (Maltego), memory corruption attacks, the state of SSL, and so much more. It is Vegas, after all, so once the talks are done at the end of the day, we're planning to hit up as many of the Blackhat parties as we can (like Thursday night's Microsoft Party), so we hope to see you there!

Jay Liew and I (Stephan Chenette) will also be attending, and all four of us will be tweeting our locations and opinions of the talks. You can follow our tweets and direct message us to meet up for a drink, discussion, or interview.

Our Websense Twitter account is: WebsenseLabs.

Here are the titles and abstracts for the two talks by Websense Security Labs speakers.

Speaker: Dan Hubbard

Title: Cloudy with a chance of miss-information

Abstract: The biggest use today of the cloud is the use of the web and web services, platforms, and content. Users want their information and they want it NOW. With that, several new technologies have been created/added/modified to present data in real-time. One of these is real-time search.

Attackers have been utilizing weaknesses within search engine algorithms for some time now. Today it is VERY likely that you will hit a poisoned result on any named current event search. However, we have not seen attacks commonly happening within the social web through real-time search.

Search engines are embracing the social web through real-time search results. This presentation will demonstrate how to poison the real-time web with your results in real-time.

    * Will demonstrate how today’s search engine poisoning works.
    * Will demonstrate how to poison the social web through real-time search in various search engines.
    * Will include demonstrations and steps to perform actions including mitigation options.
    * Will demonstrate future vectors and possibilities

Here is a link to the schedule for the Cloud Security Alliance: https://www.blackhat.com/html/bh-us-10/bh-us-10-specialevents_csa.html

Speaker: "Matt" Jeongwook Oh

Title: ExploitSpotting: Locating Vulnerabilities Out Of Vendor Patches Automatically

Abstract: We already have many kinds of binary patching systems available. There are commercial ones and free ones. But the current implementations only concentrate on finding the difference between binaries. But what the security researchers really want from the patch analysis is security patches. Sometimes it's very hard to locate security patches because they are buried inside normal feature updates. The time for locating the security patches will increase drastically as more feature updates are included in the released patches. This is especially true with all the Adobe and Sun product patches. They tend to mix security patches and feature updates.

In that case, we need another way to boost the speed of the analysis. The automatic way to locate the security patches! This can be done by analyzing the patched parts and seeing if they have some specific patterns that the usual security patches have. Some integer overflows will have some comparison against the boundary integer values. And buffer overflows will involve the vulnerable "strcpy" or "memcpy" replaced with safer functions. Even free-after-use type bugs have their own patch patterns. We will present all the common patterns that we saw and also present a way to locate them using pattern matching. But there can be more things to be done in addition to this simple approach. You can introduce static taint analysis to the binary diffing world. You can trace back all the suspicious variables (expressed as register value or memory location) found in the patch by using binary diffing. And you can see if they are controllable or taint-able from the user controllable input like network packets or user supplied file input.

This automatic security patch locating ability will be beneficial to the IPS rule writers. They can spend more time concentrating on what really matters instead of spending time to find the actual parts to analyze. To achieve all this, I upgraded the current implementation of the "DarunGrim" (http://www.darungrim.org) binary diffing system to support pattern matching and static taint analysis. It will become DarunGrim v3. DarunGrim is the most featured open source binary diffing implementation. I will show how fast we can locate the vendor patches that, otherwise, will take a few hours using other tools. All the updated source code will be released at the presentation.
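To make the pattern-matching idea in the abstract above concrete, here is an added sketch that is not DarunGrim's code and not from the original post: it diffs constructed before/after instruction listings and flags the two patch patterns the abstract names. The function names, the `SAFER` mapping, the `2**n - 1` boundary heuristic and the sample listings are all assumptions made for illustration.

```python
import difflib
import re

# Assumed mapping for this sketch: unsafe call -> safer replacements a patch may introduce.
SAFER = {"strcpy": {"strncpy", "strlcpy", "strcpy_s"},
         "memcpy": {"memcpy_s", "memmove_s"}}
CALL = re.compile(r"^\s*call\s+(\w+)")
CMP_IMM = re.compile(r"^\s*cmp\s+\w+,\s*(0x[0-9a-fA-F]+|\d+)\s*$")

# Constructed sample: (before, after) listings for three hypothetical patched functions.
SAMPLES = {
    "copy_name": (["push [ebp+src]", "lea eax, [ebp+buf]", "push eax", "call strcpy"],
                  ["push 0x100", "push [ebp+src]", "lea eax, [ebp+buf]", "push eax",
                   "call strncpy"]),
    "alloc_table": (["mov ecx, [ebp+count]", "shl ecx, 2", "push ecx", "call malloc"],
                    ["mov ecx, [ebp+count]", "cmp ecx, 0x3fffffff", "ja fail",
                     "shl ecx, 2", "push ecx", "call malloc"]),
    "draw_toolbar": (["push esi", "call paint"],
                     ["push esi", "call paint", "call log_event"]),  # feature update only
}

def changed_lines(before, after):
    """Return (removed, added) instructions from a line-level diff of one function."""
    removed, added = [], []
    matcher = difflib.SequenceMatcher(a=before, b=after, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "equal":
            removed += before[i1:i2]
            added += after[j1:j2]
    return removed, added

def is_boundary(value):
    """Heuristic: 2**n - 1 constants (0xffff, 0x7fffffff, ...) often guard integer math."""
    return value >= 0xff and (value & (value + 1)) == 0

def classify(before, after):
    """List the security-patch patterns visible in the changed instructions."""
    removed, added = changed_lines(before, after)
    gone = {m.group(1) for line in removed if (m := CALL.match(line))}
    new = {m.group(1) for line in added if (m := CALL.match(line))}
    findings = [f"unsafe-call-replaced:{u}->{s}"
                for u in sorted(gone & SAFER.keys()) for s in sorted(new & SAFER[u])]
    for line in added:
        m = CMP_IMM.match(line)
        if m and is_boundary(int(m.group(1), 16 if m.group(1).startswith("0x") else 10)):
            findings.append(f"boundary-compare-added:{m.group(1)}")
    return findings

def triage(samples):
    """Keep only the functions whose diff looks like a security fix."""
    report = {name: classify(b, a) for name, (b, a) in samples.items()}
    return {name: hits for name, hits in report.items() if hits}
```

Calling `triage(SAMPLES)` leaves `draw_toolbar` out of the result, which is the point of the approach: the feature-only change drops away and the analyst starts with the two functions that match a security-patch pattern.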

We hope to see everyone at Blackhat Vegas!

