SSTIC Live Blogging – Day 1 Afternoon
WOMBAT:
The afternoon talks begin with a presentation of the WOMBAT architecture (Worldwide Observatory of Malicious Behaviors and Attack Threats), an EU research project in which Symantec takes part, used for malware collection, monitoring and analysis.
The presentation is not very technical and seems to have as its main, more or less admitted, objective the use of SSTIC to recruit some of the talent present.
The technologies used are:
- Anubis for behavioural malware analysis (sandboxed execution)
- VirusTotal to assess how well antivirus products detect the identified threat
- SGNET (developed by Symantec) for collection and sharing between the different nodes of the honeynet
- Argos for memory corruption detection (dynamic taint tracking of attacker-controlled data)
Malware analysis is done in two tiers:
- A high-interaction machine that uses Argos to detect the exploit and run the malware.
This machine generates a state machine describing the malware's execution.
- A faster machine that replays the learned state machine for known malware.
If the malware takes a branch that is not in the state machine, the sample is sent back to the high-interaction machine.
State machines are automatically distributed between the different nodes of the network.
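To make the two-tier design concrete, here is an added example (my own sketch, not WOMBAT, SGNET or Argos code) of a replay automaton learned from sandbox traces, with escalation to the expensive sandbox on the first unseen branch. The event names, the `fake_sandbox` stand-in for the high-interaction machine and the way it labels states are all constructed for the example.

```python
"""Two-tier analysis in the spirit of the design described above: a cheap
replay automaton learned from sandbox traces handles known samples, and
anything that takes an unseen branch is escalated to the expensive sandbox.
Added example with constructed data; not WOMBAT, SGNET or Argos code."""
from collections import defaultdict


class LearnedStateMachine:
    """Deterministic automaton learned from traces produced by the
    high-interaction machine. A trace is a list of (event, next_state)."""

    START = "start"

    def __init__(self):
        # state -> {event: next_state}
        self.transitions = defaultdict(dict)

    def learn(self, trace):
        """Absorb one sandbox trace, refusing contradictory transitions."""
        state = self.START
        for event, next_state in trace:
            seen = self.transitions[state].get(event)
            if seen is not None and seen != next_state:
                raise ValueError(f"conflicting transition at {state!r} on {event!r}")
            self.transitions[state][event] = next_state
            state = next_state

    def replay(self, events):
        """Drive the automaton with a new sample's event sequence.
        Returns ("known", final_state) when every step was seen before, or
        ("escalate", index, state) at the first unexpected branch."""
        state = self.START
        for index, event in enumerate(events):
            next_state = self.transitions[state].get(event)
            if next_state is None:
                return ("escalate", index, state)
            state = next_state
        return ("known", state)


def fake_sandbox(events):
    """Stand-in for the high-interaction (Argos-based) machine. The real one
    runs the sample and records the states it reaches; here each event simply
    yields a state named after it (an assumption made for the example)."""
    return [(event, f"after:{event}") for event in events]


def analyse(events, automaton, sandbox=fake_sandbox):
    """Fast path first; on an unexpected branch, run the sandbox and fold its
    trace back into the automaton so the next identical sample is fast."""
    verdict = automaton.replay(events)
    if verdict[0] == "known":
        return ("fast", verdict[1])
    trace = sandbox(events)
    automaton.learn(trace)
    return ("sandboxed", trace[-1][1])


# Constructed event sequences standing in for observed malware behaviour.
KNOWN_EVENTS = ["connect:445", "send:negotiate", "send:exploit",
                "fetch:bot.exe", "exec:bot.exe"]
VARIANT_EVENTS = ["connect:445", "send:negotiate", "send:exploit",
                  "fetch:other.exe", "exec:other.exe"]

if __name__ == "__main__":
    machine = LearnedStateMachine()
    print(analyse(KNOWN_EVENTS, machine))    # sandboxed the first time
    print(analyse(KNOWN_EVENTS, machine))    # fast: every branch is known
    print(machine.replay(VARIANT_EVENTS))    # escalate at index 3
```

The escalation result carries the index and the automaton state at which the sample diverged, which is what a distributed deployment would ship to the node owning the high-interaction machine; the learned transitions are plain dictionaries and can be serialised and merged between nodes.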
Limitations of trusted computing:
The second talk of the afternoon is given by Loïc Duflot from DCSSI, under the title "Limits of Trusted Computing".
The central concept is that of a foundation of trust (the trusted computing base).
The foundation of trust is the set of components of a platform that must be controlled to ensure the security of the overall system.
In trusted computing, the compromise of any component outside this core must not affect the security of the system.
The Trusted Computing Group (TCG) is the industry consortium that publishes the main trusted computing specifications (the TPM in particular).
Loïc then gives us a demonstration based on a hijacking of System Management Mode (SMM), more precisely of the SMI (System Management Interrupt) handler routines that the firmware leaves in memory and that ACPI events reach, in order to modify kernel memory.
He places a backdoor in the handling of the power cable disconnection/reconnection event on a laptop.
Triggering it patches the setuid system call so that an unprivileged process can obtain root privileges (uid 0).
The point of the demonstration is that SMM code and ACPI tables, which the operating system can neither inspect nor control, belong to this foundation of trust.
So, this is clearly the most interesting presentation so far (very clear and detailed).
The subject is too complex to be fully addressed in this post, I invite you to consult the proceedings to learn more (or perhaps a future post).
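One piece of that foundation of trust an administrator can at least look at from the OS is the set of ACPI tables the firmware hands over. The added example below (my own code, not the talk's) parses the common table header, verifies the ACPI checksum and compares each table against a SHA-256 baseline recorded on a known-good boot. The table bytes, OEM identifiers and the `ACME` vendor are constructed; on Linux the same functions can be pointed at `/sys/firmware/acpi/tables`. Two caveats the example makes visible in code: the checksum only catches corruption, since anyone who can rewrite the table recomputes it, and a check that runs under the OS cannot see into SMRAM or defend against an SMI handler that lies to it, which is precisely the limit the talk is about.

```python
"""Integrity check of firmware-provided ACPI tables, one concrete part of
the 'foundation of trust' the OS inherits from the platform.
Added example; not code from the talk. Table bytes below are constructed."""
import hashlib
import os
import struct

# ACPI System Description Table header (36 bytes): Signature, Length,
# Revision, Checksum, OEMID, OEM Table ID, OEM Revision, Creator ID,
# Creator Revision.
ACPI_HEADER = struct.Struct("<4sIBB6s8sI4sI")
CHECKSUM_OFFSET = 9


def parse_header(table):
    """Decode the common header; raises if the length field disagrees with
    the bytes actually read."""
    sig, length, rev, chk, oemid, oemtid, oemrev, cid, crev = ACPI_HEADER.unpack_from(table)
    if length != len(table):
        raise ValueError(f"{sig!r}: header says {length} bytes, got {len(table)}")
    return {"signature": sig.decode("ascii"), "length": length, "revision": rev,
            "checksum": chk, "oem_id": oemid.decode("ascii").strip(),
            "oem_table_id": oemtid.decode("ascii").strip(),
            "oem_revision": oemrev, "creator_id": cid.decode("ascii"),
            "creator_revision": crev}


def checksum_ok(table):
    """ACPI checksum rule: all bytes of the table sum to zero modulo 256."""
    return sum(table) & 0xFF == 0


def with_checksum(table):
    """Return a copy whose checksum byte makes the table sum to zero.
    Anyone who can write the table can do this, so a valid checksum says
    nothing about tampering, only about accidental corruption."""
    buf = bytearray(table)
    buf[CHECKSUM_OFFSET] = 0
    buf[CHECKSUM_OFFSET] = (-sum(buf)) & 0xFF
    return bytes(buf)


def table_digest(table):
    return hashlib.sha256(table).hexdigest()


def audit(tables, baseline):
    """Compare a {name: bytes} set of tables against a {name: sha256}
    baseline recorded on a known-good boot. Returns (name, finding) pairs."""
    findings = []
    for name, data in tables.items():
        if not checksum_ok(data):
            findings.append((name, "checksum invalid"))
        if name not in baseline:
            findings.append((name, "not in baseline"))
        elif baseline[name] != table_digest(data):
            findings.append((name, "digest mismatch"))
    return findings


def load_sysfs_tables(root="/sys/firmware/acpi/tables"):
    """Read the raw tables Linux exposes (needs root); one file per table."""
    tables = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                tables[name] = f.read()
    return tables


def make_table(sig, body, oem_id=b"ACME  ", oem_table_id=b"ACMEDSDT"):
    """Build a constructed table with a correct length and checksum."""
    header = ACPI_HEADER.pack(sig, ACPI_HEADER.size + len(body), 2, 0,
                              oem_id, oem_table_id, 1, b"INTL", 0x20090601)
    return with_checksum(header + body)


# Constructed sample: a tiny stand-in DSDT, and a tampered copy with extra
# AML-looking bytes appended and the checksum recomputed by the "attacker".
SAMPLE_BODY = b"\x10\x0b_SB_\x5b\x82\x05PCI0"
SAMPLE_DSDT = make_table(b"DSDT", SAMPLE_BODY)
TAMPERED_DSDT = make_table(b"DSDT", SAMPLE_BODY + b"\x5b\x80OPR0\x00")
BASELINE = {"DSDT": table_digest(SAMPLE_DSDT)}

if __name__ == "__main__":
    print(parse_header(SAMPLE_DSDT))
    print(audit({"DSDT": SAMPLE_DSDT}, BASELINE))     # []
    print(audit({"DSDT": TAMPERED_DSDT}, BASELINE))   # [('DSDT', 'digest mismatch')]
```

Note that the tampered table passes `checksum_ok` and is only caught by the baseline comparison; a real deployment would store the baseline off the machine, and would still have no view of the SMI handler itself.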
PCI Backdoor
Two researchers from Thales have ported the winlockpwn-style attack (originally carried out over FireWire) to a PCI CardBus card.
The basic principle is the use of DMA by a bus-master device to read and write all of physical memory without going through the CPU or the operating system.
According to the authors, this attack is difficult to block or detect, short of physically disabling the PCI/CardBus slots (gluing them shut).
The arrival of IOMMU technology (Intel VT-d) may, however, change things.
The presentation was rather disorganized, so it's difficult to tell you much more. You'll have to check out the paper for a more in-depth look.
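The one check a defender can run today is whether an IOMMU is actually enabled and in which mode. The added example below (my own code, not the Thales authors') reads the Linux kernel command line and the remapping units registered under `/sys/class/iommu`, and turns them into a verdict; the three sample configurations are constructed. It also encodes the caveat that `iommu=pt` gives host-owned devices an identity mapping, so a hot-plugged card is not confined in that mode, and that in any mode the IOMMU protects only from the moment the kernel programs it.

```python
"""Is an IOMMU standing between hot-plugged PCI/CardBus devices and RAM?
Added example; not the Thales authors' code. Reads /proc/cmdline and
/sys/class/iommu when run for real; the inputs below are constructed."""
import os

KNOWN_OFF = {"intel_iommu=off", "amd_iommu=off", "iommu=off"}
KNOWN_ON = {"intel_iommu=on", "amd_iommu=on"}


def iommu_posture(cmdline, iommu_units):
    """cmdline: contents of /proc/cmdline; iommu_units: names found in
    /sys/class/iommu (dmar0 for Intel VT-d, ivhd0 for AMD-Vi).
    An entry there means the kernel brought up a remapping unit; the
    command line only tells us how it was configured."""
    opts = set(cmdline.split())
    forced_off = bool(opts & KNOWN_OFF)
    passthrough = "iommu=pt" in opts
    active = bool(iommu_units) and not forced_off
    if not active:
        verdict = ("no DMA remapping: a hot-plugged bus-master device can "
                   "read and write all of physical memory")
    elif passthrough:
        verdict = ("remapping unit up, but iommu=pt maps host-owned devices "
                   "1:1 to physical memory, so a rogue card is not confined")
    else:
        verdict = ("DMA remapping active: a device only reaches memory "
                   "mapped into its domain (after the kernel enables it)")
    return {"active": active, "passthrough": passthrough,
            "explicitly_enabled": bool(opts & KNOWN_ON),
            "units": sorted(iommu_units), "verdict": verdict}


def collect():
    """Gather the two inputs from a live Linux system."""
    with open("/proc/cmdline") as f:
        cmdline = f.read()
    try:
        units = os.listdir("/sys/class/iommu")
    except FileNotFoundError:
        units = []
    return iommu_posture(cmdline, units)


# Constructed inputs for the three cases a practitioner meets.
LAPTOP_NO_IOMMU = ("BOOT_IMAGE=/vmlinuz root=/dev/sda1 quiet", [])
SERVER_PT = ("BOOT_IMAGE=/vmlinuz intel_iommu=on iommu=pt", ["dmar0", "dmar1"])
SERVER_STRICT = ("BOOT_IMAGE=/vmlinuz intel_iommu=on", ["dmar0"])

if __name__ == "__main__":
    for case in (LAPTOP_NO_IOMMU, SERVER_PT, SERVER_STRICT):
        print(iommu_posture(*case)["verdict"])
    if os.path.exists("/proc/cmdline"):
        print(collect()["verdict"])
```

On a 2009-era laptop without VT-d the first verdict is the realistic one, which is why the authors' "glue in the slots" answer is not as flippant as it sounds.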
ISO27001
Alexandre Fernandez-Toro, a leading expert on ISO 27001 in France, gives us a presentation focused on two main areas:
- Introduction to ISO 27001
- Feedback from his ISO 27001 audits
If you are not familiar with the standard, I invite you to consult these slides which are well done (or to buy his book).
Regarding the feedback section, Alexandre Fernandez-Toro stirs up quite a hornet's nest by stating that ISO 27001 does not provide any real security gain unless there is a will to secure beyond mere compliance with the standard.
For him, it is now necessary to read "between the lines" of an ISO 27001 certificate.
Apart from this statement, his experience indicates that the areas most affected by the ISO 27001 process are:
- Physical security
- Business continuity planning (PCA)
- IAM
- Taking security into account in the project approach
The real security gains from implementing ISO 27001 for "serious" organizations are:
- Streamlining security
- Pooling of efforts with other standards: PCI, SAS 70 (SOX), RGS (French public sector)
- Integrating security into corporate governance
