2010-08-4 XCon2010 First Day
07:30 - 09:00 Registration & Get XCon2010 Data
09:00 - 09:10 Opening Speech
09:10 - 10:10 Richard Stallman
Dr. Richard Stallman launched the development of the GNU operating system (see www.gnu.org) in 1984. He is the principal author of the GNU C Compiler, the GNU symbolic debugger (GDB), GNU Emacs, and various other GNU programs. Stallman currently serves as president of the Free Software Foundation.
The Danger of Software Patents
Richard Stallman will explain how software patents obstruct software development. Software patents are patents that cover software ideas. They restrict the development of software, so that every design decision brings a risk of getting sued. Patents in other fields restrict factories, but software patents restrict every computer user. Economic research shows that they even retard progress.
10:10 - 10:30 Rest & Coffee Break
10:30 - 11:30 Richard Stallman
The Free Software Movement
11:30 - 12:30 XiaoZhen Liu
XiaoZhen Liu (network ID: Dgguai27) is a graduate student in information security in the Computer Department of Sichuan Normal University, majoring in virtual machine security, software vulnerability analysis and virus behavior detection.
Research on Escape technique of AVM2 Virtual Machine
This paper describes the research scope and value of the escape issue, which is unavoidable in High-level Language (HLL) virtual machine security. Taking Flash AVM2 (ActionScript Virtual Machine 2) as an example, it analyses its escape modes, important security points and potential deficiencies. Using some influential vulnerabilities of recent years, it exposes typical escape details of AVM2 from different aspects and gives several corresponding demos. Finally, it discusses some defense strategies and the study target for the next phase.
12:30 - 14:30 Rest & Lunch
14:30 - 15:30 XiaoBo Chen & Jun Xie
XiaoBo Chen is a research scientist at McAfee Labs. He has worked in computer security since 2000, on scanner and HIPS products. He now mainly focuses on vulnerabilities and new technologies for vulnerability exploitation.
Xie Jun is a research scientist at McAfee Labs and used to work at NSFOCUS. At the moment he focuses on developing the NIPS signature database, vulnerability research, protocol analysis, P2P network security research, botnet detection, reverse engineering and malicious traffic detection.
Defeat Windows 7 Browser Memory Protection
With the release of Windows 7, Microsoft has done a lot of impressive research to enhance the Windows 7 operating system's security mechanisms, with the goal of protecting against the well-known exploitation vectors on the Windows platform. Windows 7 inherited the traditional memory protection mechanisms, such as GS, SafeSEH, DEP and ASLR (IE8 enables DEP and ASLR by default in Windows 7). This improvement was a big challenge for exploit developers, at least for some time. In this paper we want to reveal several ways to bypass Windows memory protection mechanisms, such as bypassing DEP and ASLR in Windows 7 through IE8 using some disclosed vulnerabilities, and we will use 4 case studies to demonstrate how exploits successfully bypass several protection mechanisms in Windows.
15:30 - 16:00 Rest & Coffee Break
16:00 - 17:00 Wan Ming
Wan Ming currently works at HuaYongXingAn Science & Technology Co., LTD. He has long worked on computer virus research, rootkit/anti-rootkit and software protection.
Virtual Viruses' Infection
During a virus's infection, an accompanying VMP engine is carried along with it and brought into the target program. With its VMP engine, it completely simulates the behavior of the virus and protects the virus's code from being reverse-analyzed. This topic discusses in detail the structure and design of the VMP engine, the encryption from twice code of x86 instructions to every instruction, the construction of the entire VMP code encryption ring, the stack switch between the virtual machine and the real environment during operation, and the stack-switch issue caused by recursive invocation of the protection function. The end of the topic discusses how to easily bypass heuristic detection of the infection algorithm.
17:00 - 18:00 nEINEI
nEINEI is a member of the bytehero team and focuses on the anti-virus field, especially anti-virus engine design and malicious code detection.
Anti-AV Detection - Exploring Virus Heredity and Infection Technology
This presentation describes a new way of doing deformation and infection. The new way is similar to the approach of biological virus infection. It differs from polymorphic viruses, which need to run a decryption routine first and then restore the virus pattern during operation. It also differs from metamorphic viruses, which require the design of a complex expander and shrinker. It discards the disadvantages of polymorphic and metamorphic viruses, as well as the complex components of a metamorphic engine, and reconstructs a new code deformation mechanism.
2010-08-5 Second Day
09:00 - 10:00 Miao Yu
Miao Yu (ID: Superymk), a graduate student at Shanghai Jiao Tong University, mainly researches hardware virtualization based trusted computing. A series of papers has been published in several conferences, on topics including HBSP (the hardware virtualization based driver framework), adopting Xen as an app packer, and hardware virtualization enabled anti-debugging.
Software Protection through Anti-debugging Based on Hardware Virtualization
Debugging is a method that usually facilitates the dynamic analysis of a run-time application for software development. However, it is also a double-edged sword, as debugging can be adopted by malicious attackers. Anti-debugging remains an important challenge today because traditional software anti-debugging has no ability to use a privilege level higher than the operating system kernel.
This paper proposes SPAD (Software Protection through Anti-Debugging), a tool that detects the behavior of debuggers and makes itself imperceptible to debuggers by leveraging hardware virtualization technology. The longitudinal comparison experiment with 13 other anti-debugging methods demonstrates that SPAD can effectively prohibit debugging by 8 out of 9 popular debuggers. Further, our performance experiment results indicate that the total overhead induced by SPAD is only 0.50% on average in practical application tests.
10:00 - 10:30 Rest & Coffee Break
10:30 - 11:30 John Lambert
John Lambert is the Senior Director of the Security Engineering team in the Trustworthy Computing division. He is responsible for the central engineering resources on Microsoft's proactive and reactive security efforts. On the proactive side, he runs the team that builds the tools for the Security Development Lifecycle (SDL) used by all major products at Microsoft. To counter emerging threats, he founded the Microsoft Security Engineering Center (MSEC) Science team which works on next generation ways to detect vulnerabilities and exploits and neutralize them through digital countermeasures. On the response side, the Microsoft Security Response Center (MSRC) Engineering team under John is responsible for all technical aspects of vulnerabilities reported to Microsoft.
9 Trends Affecting the Future of Exploitation
John Lambert, Senior Director, Microsoft, will talk about 9 trends that will affect exploitation over the next decade. A number of technological, social, and environmental trends will change the world of exploitation as we've known it in the 2000's. 64-bit computing will be the default, sandboxes will be plentiful, all browsers will have robust memory protections, cyber legislation will be widespread, smart phones will break out of their niche, and recovery from the recession will spur a wave of replacement of old systems with modern technology. This has lessons alike for defense, attack, and customers in the middle.
11:30 - 12:30 FunnyWei
FunnyWei is a PhD and a member of the XFocus Team.
Parsing, Dissecting & Fuzzing PDF
PDF is one of the most popular document formats. In recent years, many dangerous 0day vulnerabilities in PDF reader software have been exposed. This paper mainly covers PDF format specific test approaches, analysis of the script engine's working procedure, embedded JavaScript safety testing techniques, debugging analysis of PDF embedded JavaScript engine vulnerabilities, and tools that assist in judging vulnerabilities.
12:30 - 14:30 Rest & Lunch
14:30 - 15:30 Antiy Labs
Antiy Labs is one of the early security teams to research applying industry-level pipeline thinking to real-world computer virus analysis.
Computer Virus Analysis Pipeline
Since the beginning of this century, most anti-virus teams have focused on building and optimizing advanced industry-level back-end architectures to free the analysis process from individual art and technique. Most of them have probably established their own analysis architecture, from collection methods through static and behavioral analysis to manual analysis. This presentation shares the experiences and lessons from building our real analysis pipelines, and shows the secrets of our back-end processing workflow and manual analysis environment, along with the evolving challenges and confusions facing AVers.
15:30 - 16:00 Rest & Coffee Break
16:00 - 17:00 FlashSky
Fangxing is a security testing expert, deputy manager of the Beijing Venusense defense laboratory, a senior researcher at EEYE (United States), a security testing expert for Microsoft (United States), and CEO of Nanjing HanHaiYuan company. He specializes in security vulnerability discovery, vulnerability attack and defense, and security testing, and has found hundreds of high-risk vulnerabilities himself. He is also an XFOCUS core member, the earliest analyst of the LSD DCOM RPC vulnerability, a Microsoft BLUEHAT speaker, and a fourth-time XCON speaker. Nanjing HanHaiYuan, the company he now works for, focuses on security testing and security improvement.
Security Testing Based Data Stream SDL
This paper introduces the Microsoft SDL model and develops an SDL model based on data stream analysis. It also describes how to rely on the model to support SDL security testing, and how to bring in the SDL process in a controllable and gradual way.
17:00 - 17:20 XCon2010 Lucky Draw
17:20 - 17:30 Closing Speech
©2003-2010 XCon Organizing Committee & HuaYongXingAn Science Technology Co., Ltd. All rights Reserved.