Sunday, 12 June 2011

[NDH] Are you ready?

Hello everyone :)!

This will be my first conference as a speaker, so be tolerant ;).

I will be giving a talk on modern exploitation at NDH 2011 (Night Da Hack 2011) on the 18th of June.
The talk will be in French with English slides. I expect to see more French people than English-speaking people, as at every other NDH I have been to. Moreover, I am more comfortable with French, even though my English is not that bad.

Here is my proposal:


Software hacking and countermeasures have come a long way since the discovery of hacking techniques. Techniques have improved over time and made exploitation harder and harder; most traditional exploits do not work anymore nowadays.

Since we are speaking about software hacking, a short review of exploitation techniques will be done. It will include format strings and buffer based

Most software hacking techniques are now well known, though more might be discovered. The need for mitigations arose quickly with highly networked environments. Among the first mitigations to be implemented were security cookies, followed by NX and then ASLR for the major ones. Other protections such as FORTIFY_SOURCE have also been implemented. A brief look into these protections will be given.

New and advanced techniques have emerged, developed either by attackers or academics in order to bypass these new mitigation schemes against software exploitation. Such techniques include code re-use techniques such as Return Oriented Programming, information leaks, heap spray or SEH (stack cookies).

A thought about the future of software hacking and countermeasures will also be given.

So what is it about?

It is mostly about what an exploit developer needs in order to succeed in writing reliable exploits that work on the latest operating systems and compilers. This is effectively needed, as pentests could then be carried out more efficiently.

The presented protections:
- DEP/NX: Non-executable pages
- ASLR: Address Space Layout Randomization, randomization of pages
- SafeSEH: "Basic" SEH protection ("replaced by" or "upgraded to" SEHOP in Vista SP1)
- Stack Cookies (GS mostly, StackGuard does not work exactly the same): Protection of the return address (SEIP) against buffer overflow attacks

Bypasses for all of them will be explained.

A demo of bypassing DEP/NX will be given; it includes a full multistage ROP exploit I developed especially for the occasion.

And finally, some thoughts will be given on the future of exploitation and mitigations. They are based on current research, projects and papers, so they might not be that far from reality, but anyone who tries to predict the future will fail in some way. So it is there more to give ideas on what might be good fields in exploitation research.


Waiting to get your hands dirty and gain practical knowledge of software exploitation?
It might be a good subject to speak about, but 30 minutes to speak about it is just not enough at all! So don't expect too much technical detail, even though I will try.
A lot of stuff had to be taken out in order to make the talk fit the time given; it does not really matter, as the most important protections are presented and explained. For those who do not know anything about exploitation, it might be a good (hard) introduction to the field.

Do not hesitate to ask questions ;) (the talk = 30 minutes of talk and 10-15 minutes of questions approximately ;)).

And even more! Do not hesitate with the beers, fun and hacks!
What's a conference if we do not enjoy it? ... work ... ;)

Hope to see you there,



3 comments:

  1. Hi,
    have a good NDH, and if possible, please post the video for those who cannot attend.
    Thanks.

  2. Yo,
    all the best for your presentation. I won't be at the NDH, so I would really like to have your slides afterwards :). Thanks

  3. Hi, the 2 talks were really nice.