Presentations

• Hackers To Hackers Conference (Keynote). São Paulo, Brazil (October 2019). [slides]

As software is eating the world, every company is becoming a software company. This doesn’t mean that every company is shipping software products, it means that services and products in every field are becoming increasingly driven, powered, and differentiated by software. Let’s explore what that will do to how cybersecurity is practiced in enterprises of all types.

Peter Drucker famously said that “Culture eats strategy for breakfast.” There have been two large cultural shifts in software engineering over the last 20 years that created the successful strategies behind how software is eating the world. First, there was Agile (2001). In response to the inefficiencies of classic “waterfall” software development, Agile focused on breaking down the barriers between software requirements, development, and testing by having software development teams own their roadmaps as well as their quality. Separate product management organizations evolved into product owners working directly with the software team. Similarly, separate quality assurance organizations evolved into a focus on building quality into the software development process. This should remind us of how we talk about needing to build security in, but most importantly, this change was effected by software teams themselves vs. forced onto them by a separate security organization. There is a lesson to be learned there.

Next came DevOps (2009), which brought the agile mindset to server operations. Software teams now began to own their deployment and their uptime. Treating software teams as the end-user and customer has driven the replacement of traditional ops with the cloud and replacing the traditional stack with serverless models. Ops teams evolved into software teams that provide platforms, tools, and self-service infrastructure to internal teams. They provide value by increasing internal teams’ productivity while reducing costs to the entire organization through economies of scale and other efficiencies. When a cross-functional team owns their features, their quality, their deployment, and their uptime, they fully own their end-to-end value stream. Next, they will evolve to also own their own risks and fully own their end-to-end impact.

There are two big shifts involved as teams begin to own their end-to-end impact: software teams need to own their own security now and security teams need to become full-stack software teams. Just as separate product management and quality assurance organizations diffused into cross-functional software teams, security must now do the same. At his re:Invent 2018 Keynote, Amazon’s CTO Werner Vogels proclaimed that “security is everyone’s job now, not just the security team’s.” But if security is every teams’ job, what is the security team’s job? Just like how classic ops teams became internal infrastructure software teams, security teams will become internal security software teams that deliver value to internal teams through self-service platforms and tools. Security teams that adopt this approach will reduce the risk to the organization the most while also minimizing impact to overall productivity. In this talk, we’ll explore how this is already being done across high-performing companies and how to foster this security transformation at yours.

• BlackHat USA (Keynote). Las Vegas, NV (August 2019). [video]

• Container Security Summit. Seattle, WA (February 2019). [slides]

The landscape of offensive security research has changed significantly since the mid-90's when it just started moving out of the underground and into the professional security world. We can divide its history into three periods based on two landmark events a decade apart: the first BlackHat Briefings conference in 1997 and the first USENIX Workshop on Offensive Technologies in 2007. As I have been involved in offensive security research through much of this timeline, I'll share some perspectives on how the targets, research, and mindsets have changed across these periods. I'll also discuss how to best put offensive security research to work to help guide security engineering. Finally, I'll conclude with some thoughts on what offensive security research will look like 10 years from now.

• WOOT (Keynote). Baltimore, MA (August 2018). [slides]

Do you want a koober netty? Or do you already have one? You may even already have many koober netties (pronounced: "kubernetes"). Either way, it turns out that they can be used for more things than just running your Linux containers in the cloud. They can also be used to give attackers access to thousands more computers than just the one running the container that the attacker got a shell in. How cool is that? In this talk, we'll discuss all of the magical ways that Kubernetes can give attackers access to your entire cluster and cloud environments. We'll also discuss some ways that it can be made to not do this if making attackers sad is your thing.

• SummerC0n. Brooklyn, NY (June 2018). [slides]

Security hardening for containers, clusters, and operating systems is a very important part of setting up infrastructure and always "Plan A". The world of "Plan A" defends the importance of making sure your cluster is set up securly. Dino comes from the world of "Plan B" and will focus on detecting when security boundaries have been breached. This is necessary for environments where you don't have ability to ensure base OS is fully patched, etc.

Step into the world of Linux kernel features such as seccomp, eBPF, kprobes and Kubernetes tunable security features and learn how to detect and defend against attacks at scale.

• KubeCon North America. Austin, TX (December 2018). [video] [slides]

Your datacenter isn't a bunch of computers, it is *a* computer. While some large organizations have over a decade of experience running software-defined datacenters at massive scale, many more large organizations are just now laying the foundations for their own cloud-scale platforms based on similar ideas. Datacenter-level operating systems such as Kubernetes, Mesos, and Docker Enterprise significantly change both the computing and security paradigms of modern production environments, whether they are in the cloud, on-premises, or a hybrid of the two. The focus of a lot of security attention related to containers and DevOps has been on the kernel-level isolation mechanisms, but these modern datacenter orchestration systems make single-node privilege escalation and persistence significantly less useful. We'll go over the background of what security benefits modern datacenter-level orchestration systems provide and what challenges they also bring along with them. We'll also discuss how to think about attacking and defending entire clusters vs. single machines and what common attack patterns (privilege escalation, lateral movement, persistence) look like specific to the orchestration layers instead of through the traditional native operating systems.

• BlackHat USA. Las Vegas, NV (July 2017). [video]

What does it mean to have an open source project at a company? How do small projects differ from large ones? How can you separate the concerns and feature requests of a company with those of a community? What benefits can a company gain from having a healthy open source project? How can you grow a healthy community around a project being led by a company?

Jessica Frazelle and Dino Dai Zovi—technologists who have spent their careers managing the balancing act between community and commercial perspectives—address these questions and discuss how to be effective at open source in your company.

• O'Reilly Velocity NY. New York, NY (October 2017). [video]

• Kubernetes NYC Meetup. New York, NY (March 2017). [video]

Cyberattacks are not like natural disasters or other forces of nature, nor are they like diseases or other autonomously evolving and spreading agents (yet). They are ultimately and fundamentally driven by rational human action. As such, economics is the best way to view attacker and defender strategies. The traditional approach to defense is to raise the cost for your attackers by making attacks as difficult as possible. This approach has the unfortunate tendency to raise costs for the defender and the users of the systems they are defending as well. An alternative and more scalable strategy is to reduce the value to the attacker of a successful attack. What does this look like? This strategy is already in use in many forms around us and we will point out where it is being employed successfully. Does it work? We will examine the phases of an intrusion common to both financially-motivated and state-sponsored attackers in order to show how defenses based on lowering attacker value versus raising attacker cost affect both the attacker and defender. Finally, we will explore what this strategy means for the security threats against the next billion devices.

• BlackHat Asia (Keynote). Singapore (March 2016). [video] [slides] [paper]
• HushCon East (Keynote). Brooklyn, NY (June 2016).

• BSidesNYC (Visionary Keynote). New York, NY (January 2016). [slides]

Common embedded system processor architectures including ARM, PowerPC, and MIPS typically have separate data and instruction L1 caches. Whereas desktop and server x86 and x86-64 processors may also have separate data and instruction caches that are transparently kept coherent by the hardware, these RISC-based embedded processors place the burden of doing so on software. This places additional considerations and requirements for self-modifying code and other situations where data becomes code like in a JIT compilation engine or when memory trespass vulnerabilities are exploited to execute injected native code. This workshop will assume that attendees are more interested in the latter and figuring out how to reliably get remote code execution on their Internet-enabled refrigerators.

• CSAW Workshop Series. Brooklyn, NY (November 2014). [slides]

Attackers, just like defenders, are resource-constrained. The choices of where to look for exploitable vulnerabilities and how to leverage them are shaped by the resources at the attackers' disposal, the relative difficulty of the available attack surfaces and vectors, and the return on attack investment. Malicious attackers, however, are rarely forthcoming with their strategies, expenditures, or forecasts. The jailbreak development community, in contrast, is much more visible with blog posts, Tweets, and public software releases. As the technical development of a jailbreak overlaps significantly with the development of a malicious attack, the high-visibility jailbreak development community can serve as an analysis proxy for the low-visibility malicious attacker communities. An analysis of the jailbreak community's strategies can thus serve as a model for the strategies of malicious attacker communities. These communities, however, are not completely isolated. An advanced public jailbreak community provides information, tools, and know-how that may be leveraged by malicious attackers as well. This presents a choice for an integrated hardware and software platform vendor: should jailbreaking be facilitated in order to discourage the release of advanced jailbreaks that may easily be repurposed as malicious attacks? Or should the jailbreak release and security patch cycle be encouraged in order to identify and fix vulnerabilities that may also be discovered and exploited by malicious attackers?

• SOURCE Boston. Boston, MA (April 2013). [video]
• CSAW THREADS. Brooklyn, NY (November 2012). [video] [slides]
• Blackberry Security Summit. Waterloo, Canada (June 2012).

In this talk, two of the leading iOS experts will take you though the iOS security architecture. They will outline the way iOS protects itself from malware and exploitation, including memory protections, sandboxing, address randomization, privilege separation and code signing. They will walk through the attacks that have occurred against iOS since its inception as well as how the architecture withstood (or didn't) these attacks and why. In addition, the session will discuss how the security posture of iOS has changed over time.

• CodenomiCON. Las Vegas, NV (July 2012). [video]
• RSA. San Francisco, CA (March 2012). [slides]

As the popular smartphone platforms have increased in popularity with consumers, many enterprises and businesses are considering broadening their support beyond their traditionally support platforms. These new smartphone platforms such as iOS and Android, however, come with a lack of detailed understanding of their security features and shortcomings. This presentation is the result of an extended assessment of the security mechanisms and features of Apple's iOS with an emphasis on the concerns of an enterprise considering a deployment of iOS-based devices or allowing employees to store sensitive business data on their personal devices.

iOS 4 implements several key security mechanisms: Trusted Boot, Mandatory Code Signing, Code Signing Enforcement, Sandboxing, Device Encryption, Data Protection, and (as of iOS 4.3) Address Space Layout Randomization. Each of these mechanisms' precise operation is documented in detail as revealed through static and dynamic binary analysis, as well as their strengths and any identified weaknesses.

We examine and document the risks of a lost device or a remote iOS compromise through a malicious web page or e-mail. Finally, based on the strengths and weaknesses identified, concrete recommendations will be made on what compensating measures an organization can and should take when deploying iOS-based devices for business use.

• Hacker Halted. Miami, FL (October 2011).
• BlackHat USA. Las Vegas, NV (August 2011). [video] [slides] [paper] [code]

• Kaspersky Security Analysts' Summit (Keynote). Malaga, Spain (June 2011).
• SummerC0n. Brooklyn, NY (June 2011).
• SOURCE Boston (Keynote). Boston, MA (April 2011). [video] [slides]

Since the publication of "The Mac Hacker's Handbook", a number of key aspects of Mac OS X were changed with the release of Snow Leopard. Most notably, Snow Leopard boasts a number of improvements to application runtime security, including: non-executable stacks, non-executable heaps on 64-bit processes, compiler-generated stack cookies, heap metadata protection, system library randomization, and sandboxing. These security improvements were enough to defeat the code examples in the book, but not the authors, who will demonstrate just how much protection these security improvements actually provide. Among other myths, they hope to also dispel the myth that sequels are always inferior to the originals.

• IT-Defense. Germany (February 2011).

• BayThreat. Mountain View, CA (December 2010). [slides]
• SummerC0n. New York, NY (June 2010). [slides]

This is a high-level talk covering several philosophical areas related to memory corruption vulnerabilities, advanced persistent threats (APTs), and the handling of security vulnerabilities. What differentiates this talk from many others like it, is that the speaker has actually discovered a good number of vulnerabilities and written exploits for them and many more. In addition, the speaker has used his own privately discovered and exploited vulnerabilities in highly-successful penetration tests against large enterprises, simulating the actions of an advanced targeted attack. This talk distills a number of lessons learned from these experiences that attendees may use in defending their networks.

• OWASP NY/NJ. New York, NY (November 2010).
• Security B-Sides SF (Keynote). San Francisco, SF (March 2010). [video] [slides]

The latest advances in exploitation of memory corruption vulnerabilities revolve around applying return-oriented exploitation techniques to evade non-executable memory protections such as Microsoft's Data Execution Prevention (DEP), CPU-supported non-executable memory (NX/XD), and mandatory code-signing such as on iPhone OS. Although the ideas behind these exploitation techniques can be traced quite far back, they are receiving more attention as non-executable memory protections become more prevalent. This presentation will cover the current state of memory corruption exploitation and exploit mitigation as well as an in-depth discussion of a variety of return-oriented exploitation techniques. Finally, the presentation will discuss what ramifications return-oriented exploitation techniques have for exploit developers, software vendors, malware analysts, and enterprise IT security professionals.

• BlackHat USA. Las Vegas, NV (August 2010). [video] [slides]
• REcon. Montreal, Canada (July 2010). [video] [slides]
• ITWeb Security Summit. Johannesburg, South Africa (May 2010).
• SOURCE Boston. Boston, MA (April 2010). [video] [slides]
• RSA. San Francisco, CA (March 2010). [video]

The Mac OS X kernel (xnu) is a hybrid BSD and Mach kernel. While Unix-oriented rootkit techniques are pretty well known, Mach-based rootkit techniques have not been as thoroughly publicly explored. This presentation will cover a variety of rootkit techniques for both user-space and kernel-space rootkits using unique and poorly understood or documented Mac OS X and Mach features.

• BlackHat USA. Las Vegas, NV (July 2009). [slides] [paper]

While Metasploit has had a number of Mac exploits for several years, the exploit payloads available have done little more than give a remote shell. These payloads are significantly simpler than the DLL-injection based payloads for Windows-based targets like the Meterpreter and VNC Inject payloads. This talk will cover the development and use of the fancier Metasploit Mac payloads developed by Dino Dai Zovi (the presenter) and Charlie Miller, including bundle injection, iSight photo capture, and Macterpreter.

• BlackHat USA. Las Vegas, NV (July 2009).
• DEFCON 17. Las Vegas, NV (July 2009).

MacOS X has so far enjoyed a comparatively safe and malware-free existence on today's hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac's vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitatability of memory corruption vulnerabilities in and on MacOS X by applying currently known techniques to a new platform as well as introducing some new techniques.

Both Charlie and Dino have 0wned the Macs in the previous two PWN2OWN contests at CanSecWest. Now they will teach the attendees how easy it is to do for themselves.

• CanSecWest. Vancouver, Canada (March 2009). [slides]

MacOS X has so far enjoyed a comparatively safe and malware-free existence on today's hostile Internet. While many previously believed that this was due to its superior security, public demonstrations of the Mac's vulnerability to attacks have hopefully proven otherwise. As with any technology, it is important to know both its strengths and weaknesses. This presentation will focus on the exploitatability of memory corruption vulnerabilities in and on MacOS X by applying currently known techniques to a new platform as well as introducing some new techniques as well.

Mac OS X Leopard includes a number of runtime protection features intended to hamper exploitation of memory corruption vulnerabilities. These features include the Execute Disable (XD) bit on Intel processors, Library Randomization, and Sandboxing. While some of these features are familiar and can be seen on other systems, some of them are unique to Mac OS X. This presentation will discuss the design, implementation, limitations, and evasions of these defenses.

Unlike other modern systems, the MacOS X Scalable Zone (szone) heap allocator does not protect against heap metadata overwrite exploits. This presentation will also describe the design and implementation of the szone allocator and demonstrate how it may be exploited with basic heap metadata overwrites. Finally, this presentation will discuss exploit payload construction techniques for Mac OS X, including the necessity of vfork() in threaded applications, resolving symbols in loaded libraries, and pure memory library injection into the vulnerable (or any other) process using Mach system calls and dyld function calls.

• SOURCE Boston. Boston, MA (March 2009). [slides]
• HITBSecConf. Kuala Lumpur, Malaysia (October 2008). [video]

In May 2008, a weakness in Debian was discovered which makes cryptographic keys predictable. A Debian-specific patch to OpenSSL broke the pseudo-random number generator two years ago, which led to guessable SSL and SSH keys. The vulnerability allows for impersonation of secure servers, as well as the potential to login to SSH secured systems. Since many popular derivatives like Ubuntu and Xandros are affected, the weak keys are found all over the Internet. The panel will present their approach to generating lists of weak keys using cloud computing and explain how they collected large numbers of SSL certificates of which several thousand are weak.

• The Last HOPE. New York, NY (July 2008). [video]

It is not a surprise or a new discovery that the level of security on internal enterprise networks is significantly less than on the same organization's external-facing networks. Even with draconian patching policies and operating system security settings, the vast scale and heterogeneity of internal networks forces significant security compromises. While an exploit may open the door, especially via a client-side web browser or application vulnerability, compromising enterprise networks rarely requires exploits. In this session, security researcher Dino Dai Zovi evaluates the current and future state of client-side application security and describes attacks that defeat or bypass current enterprise security defenses, such as 802.1x/NAC, Active Directory authentication, and Vista's Protected-Mode Internet Explorer.

• Finanicial Information Security Decisions. New York, NY (June 2008). [slides]

Virtual worlds serve as a new way to deliver exploits to the masses. Besides traditional attacks, they also allow attackers to control the "avatars" of players, including being able to steal the player's virtual money and possessions. When there is a link between the virtual money and real money, this can be an easy way for an attacker to profit. This talk will address these issues and illustrate the technical details of a Second Life exploit.

• Shmoocon IV. Washington, DC (February 2008). [video] [slides]

Hardware-supported CPU virtualization extensions such as Intel's VT-x allow multiple operating systems to be run at full speed and without modification simultaneously on the same processor. These extensions are already supported in shipping processors such as the Intel® Core Solo and Duo processors found in laptops released in early 2006 with availability in desktop and server processors following later in the year. While these extensions are very useful for multiple-OS computing, they also present useful capabilities to rootkit authors. On VT-capable hardware, an attacker may install a rootkit "hypervisor" that transparently runs the original operating system in a VM. The rootkit would be loaded in physical memory pages that are inaccessible to the running OS and can mediate device access to hide blocks on disk. This presentation will describe how VT-x can be used by rootkit authors, demonstrate a rootkit based on these techniques, and begin to explore how such rootkits may be detected.

• Microsoft BlueHat. Seattle, WA (October 2006).
• BlackHat USA. Las Vegas, NV (August 2006). [video] [slides]

Wireless 802.11 networking is becoming so prevalent that many users have become accustomed to having available wireless networks in their workplace, home, and many public places such as airports and coffee shops. Modern client operating systems implement automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user. In order to implement known network discovery, client operating systems remember past wireless networks that have been joined and automatically look for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled. By examining these implementations in detail, we have discovered previously undisclosed vulnerabilities in the implementation of these algorithms under the two most prevalent client operating systems, Windows XP and MacOS X. With custom base station software, an attacker may cause clients within wireless radio range to associate to the attacker's wireless network without user interaction or notification. This will occur even if the user has never connected to a wireless network before or they have an empty Preferred/Trusted Networks List. We describe these vulnerabilities as well as their implementation and impact.

• CanSecWest. Vancouver, Canada (May 2005). [slides] [code]
• Microsoft BlueHat. Seattle, WA (March 2005). [code]
• Immunity NYC Security Shindig. New York, NY (January 2005). [code]
• PacSec. Tokyo, Japan (November 2004). [slides] [code]

The talk/demonstration is intended for audiences familiar with assembly language and/or stack-based buffer overflows on other architectures (most probably Intel). The topics aren't really anything new, I would just like to present them with the focus on a different processor/paradigm than Intel to better define the concepts in use. I will be covering SPARC assembly language on a fairly low level.

• DEFCON 8. Las Vegas, NV (July 2000). [video] [slides] [code]