Wednesday, May 17, 2006

CONFidence 2006 - trip report

I've just come back from a small conference in Krakow, CONFidence 2006. It was the second edition of this security conference, which is organized by a non-profit organization, PROIDEA, whose primary goal is to promote education in computer science. Apart from CONFidence, they also organize conferences focused on BSD systems and various training courses.

Below I describe some of the talks that I found particularly interesting among those which I managed to see...

Pawel Pokrywka gave a very interesting talk about security issues in the DSL infrastructure used by one of the biggest Polish ISPs. He discovered the auto-configuration protocol which is used to set up every single DSL modem of that company. He then prepared a modem-emulator script which allowed him to get the configuration data (including username and password) for any modem in Poland he wanted. This could have allowed an attacker to actually 0wn all the DSL modems belonging to this operator! It was the best presentation in my opinion: not only was it technically interesting, but it was also very well presented.

Lukasz Bromirski is a system engineer at Cisco Poland and a very popular speaker at Polish conferences. He gave three (!) lectures there: one about BGP blackholing, one about dynamic routing protocols (OSPF and BGP), and one more about network attacks at the L2 and L3 levels. Lukasz turned out to be a very knowledgeable and experienced network engineer who is also a good presenter.

Przemyslaw Frasunek is another frequent speaker at Polish conferences. He is a well-known BSD expert, but his talk was about Bluetooth security. Although it wasn't exactly an '0day talk', I think it was a good introduction to the Bluetooth stack and several basic attacks, and it was very professionally presented.

I also liked the two talks presented by members of the Security Team of the Supercomputer-Network Center in Poznan. Blazej Miga gave an in-depth talk about Apache architecture and internals, while Jaroslaw Sajko demoed how to write extension modules for IPTables. This team got lots of media attention in Poland last year, after they found several critical bugs in Gadu-Gadu, the most popular Polish IM client.

Overall, the level of the talks was pretty good. As at other small conferences, the atmosphere was very cozy and friendly. The organizers took very good care of the speakers, taking us to various nice restaurants and entertaining us the whole time (even the day after the conference). Krakow is actually a very nice city, probably one of the nicest in Poland. It is a little bit like Prague - it has a very large old town, with lots of nicely decorated restaurants (in an 'old Polish' style) serving very tasty food :)

It was also very positive to see how enthusiastic these people are, and it was clear to me that they really do this conference for fun and not for profit. I wish them success with the next edition in 2007!

Friday, May 12, 2006

SVV Source Code Made Public!

I decided to publish the full source code of my System Virginity Verifier. The license allows you to do anything with the code, including using it in a commercial product.

Unfortunately I don't have time to further develop SVV, but I still believe that this is the right approach to system compromise detection (although it still requires lots of work to be put into it). It's actually very surprising to me to see only one other product that uses a similar idea for detecting system compromises, namely Microsoft's PatchGuard.

I hope that publishing SVV source code might be useful in two situations:

First, it should help to reduce implementation-specific attacks, as used by malware against rootkit detectors (remember holly_father's shop?). Having the sources allows anybody to compile his or her own private detector, slightly different from the one targeted by the malware's anti-detection engine. This might include changing the I/O interface between the user-mode and kernel-mode components of the detector, changing the order of certain actions, etc...

The above applies not only to SVV, but to any other rootkit/malware detector whose sources are open.

Second, I hope that opening the SVV sources can encourage people to extend the subset of sensitive OS elements that SVV verifies, thus minimizing the "hooking space" available to malware. This should consequently eliminate simple, yet annoying, malware from the market...

SVV sources and some presentations about its design can be found here.