2007-03-07.06:10:00.EuSecWest_wrap_up

As usual, the end of the conference caused enough chaos in my life that nothing got posted here in the interim. I did however make it to all the afternoon talks on the second day, despite missing the morning due to door and network issues.

The first talk I saw was Ofir Arkin - Bypassing NAC Systems. For those who don't know, and because he spent about a third of his time defining this, a Network Access Control system controls network access and ensures compliance with a network access policy. Personally, I could have used less time spent on definition of terms and more spent on attacks; however, there were some good points made. For example, the points about attacking hosts in the quarantine network and the over-reliance on DHCP were both solid.

After lunch, Ollie Whitehouse told us all about Symantec's GS and ASLR study to determine which binaries were in fact actually protected. Ollie showed us his process for coming up with a tool to discover whether a binary had GS protection enabled or not. The result was 150 binaries discovered in Vista without GS code present. Some had not been compiled with it, some didn't require it because they had no local stack buffers, and some were legacy NT4 binaries. Finally, we were shown several ASLR entropy issues which cause biases in the address randomization and will likely result in a fix in the next service pack.

Mark Russinovich showed us the new User Account Control and Protected Mode IE features. As a recovering NT sysadmin, this was the tool that I wanted 5 years ago, so perhaps I was more interested than the rest of the audience, who were more typical reverse engineering types. Essentially, using a few virtualization tricks, programs which require admin rights for stupid reasons can be tricked into using regular user permissions instead. As well, switching between a regular user account and admin privileges has been made easier (but likely not safer). Finally, IE has been isolated from the user's other processes, which should hopefully make malware installs a bit harder. I was a bit worried about Mark's final statement, "UAC is a convenience not a security boundary", which seems to imply that Microsoft wants to have their cake and eat it too on this. As if to say, "here's a security feature, but we're not gonna call it a security feature, and when it inevitably breaks you're on your own." To be fair though, Mark was very upfront about the reasons for this: it will make it easier for people to switch away from using admin accounts all the time, even if it isn't as secure as running completely separate accounts.

Our final talk was Richard Johnson - Windows Vista Exploitation Countermeasures. We probably should have scheduled this before Ollie, as it delved into the guts of ASLR (Address Space Layout Randomization, for those who can't be bothered to google for it). As with all the Microsoft talks, Richard was very upfront about what it can and can't solve, and the caveats that apply to its use. Probably the two most interesting points of this presentation were the chart showing that Vista now has better memory hardening techniques than any other OS, and the prediction that future heap attacks would still exist but would require high degrees of control over the heap, such as in active scripting.

And that was the end of EuSecWest 2007, a second successful conference for us in the UK. We'll be back again next year, though there's some talk about changing things up a bit. Now all that's left is to dig out of the pile of email that has accumulated and start the ramp up to CanSecWest.