NDSS Symposium 2006


The NDSS Workshop will feature members of one of the most technical, talented, and prolific security vulnerability research teams in the security community.

eEye Digital Security has graciously permitted some of their more talented researchers to present multiple topics and demonstrations relating to Malware. The eEye R&D team is consistently featured and quoted in the national press for their ongoing discoveries and identification of security vulnerabilities in widely deployed software and systems.

The Workshop will consist of talks, demonstrations, and panel sessions with the following people and the Workshop chairperson Mudge.

Heuristic Attack and Defense - Drew Copley
Heuristic Anti-Virus agents are not about signatureless technology, but about more intelligent signature systems. This talk looks at the heuristic technology out in the wild, briefly, then plunges into two new heuristic systems the speaker has created which take heuristics to varying extremes.

In the first example, an anti-forgery system was created which is purely defensive. This system utilizes entropic measurements of byte code with Bayesian analysis in order to have faster fuzzy signature capabilities, amongst other features. In the second example we look at ARS, the Angel Recon System, which performs a heuristic vulnerability analysis of a target system: this system is both an offensive and defensive system.

Skeletons in Microsoft's Closets; Silently Fixed Vulnerabilities - Steve Manzuik / Andre Protas
For years vendors have been criticized over the practice of silently fixing security flaws and not releasing bulletins to notify their customers. While it is easy to find many researchers and experts criticizing alike, it is typically hard to find actual proof that this practice remains ongoing. Regardless of personal opinions over the rationale vendors use to justify silently fixing bugs, the reality is that many defensive technologies rely on specific signatures to detect potential attacks and identify specific vulnerabilities as they were reported in vendor advisories.

The basic argument against silently fixing vulnerabilities lies in the above fact. If a security device is signature-based, it cannot reliably detect something it does not know exists, and most security vendors do not have the resources or time to manually verify that the software vendor has been upfront with all of the threats that were fixed in the patch.

This talk will outline the steps taken to identify potential vulnerabilities silently fixed in a major update release, namely Update Rollup 1 for Microsoft Windows 2000 SP4.

Building Honeypots for Malware Collection - Hugo Samayao
Malware capturing for analysis can be a little tricky. Luckily there are both open source and commercial products that help. One of the downfalls is getting a central system together to manage all of this. Taking a modular approach, my talk will show how to:

Capture: Honeywall, MwCollect, KFSensor and Nepenthes

Analyze: Store malware based on signatures. Analyze packed binaries for unknown malware. Dump imports for malicious system calls.

Alert: Notify based on new malware. Notify which virus scanner(s) found the binary to be malware.

Hacking Embedded Systems - Barnaby Jack
From automobiles and cell phones to routers and your kitchen microwave, embedded systems are everywhere. And wherever there is code, there are flaws.

In this presentation I will be discussing ARM-based on-chip architectures, purely due to the popularity of the chipset. The same techniques I will be demonstrating are also applicable to other architectures. I will cover the JTAG and UART interfaces, and how these interfaces can be used in conjunction with an In-Circuit Emulator for real-time on-chip debugging.

You will learn about the components that make up an embedded system, how to disable certain implemented features that thwart hacking attempts, and how to interface with the system to debug the ROM code.

I will walk through the remote exploitation of a popular hardware router, demonstrate some nifty shell code, and hopefully open some eyes to the threat insecure embedded devices pose.

No toasters are safe.

PiXiE: A Self-Propagating Network Boot Virus for Windows - Derek Soeder

In July 2005, eEye Digital Security presented eEye BootRoot, a project exploring the feasibility of techniques that bootstrap code can use to infiltrate the Windows kernel. A byproduct of this research was a consideration of the dangerous synergy between network boot and Wake-On-LAN as a means by which an attacker can execute arbitrary boot-time code on a system of his choosing, with only network -- not physical -- access.

As a proof-of-concept of this threat, we present PiXiE, a self-propagating but otherwise harmless network boot virus. The internal mechanisms of PiXiE and some possible applications of the concept it illustrates will be discussed, and a demonstration will follow.