Monday, March 21, 2011

Honeynet Project : Day 1 (Public)

Efficient Bytecode Analysis : Linespeed Shellcode Detection (Georg Wicherski - McAfee)
  • GetPC sequences ((call $+5, pop r32), (fnop, fnstenv [esp+0x0c], pop r32), structured exception handling)
  • detecting shellcode statically (e.g. Markov chains)
  • detecting shellcode dynamically (GetPC + backtracking + emulation)
  • libscizzle : identify possible GetPC sequences, brute-force possible starting locations around each sequence, use an efficient sandbox
  • libscizzle Code Execution (disassemble guest code, execute one basic block, emulate all other instructions, exception)
  • Performance of libscizzle : 99 MiB/sec to 795 MiB/sec, 1000x faster than libemu
  • Evaluation of libscizzle : no false positives, no false negatives
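
The first stage in the notes above, identifying possible GetPC sequences in a byte stream, can be sketched as a plain pattern scan. This is an added example, not libscizzle code: the function names and the sample buffer are assumptions, only the call/pop and fnop/fnstenv/pop forms are matched (not the SEH variant), and the later brute-force and sandbox stages are not reproduced.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* The two byte-pattern GetPC forms from the notes above. */
enum { GETPC_NONE = 0, GETPC_CALL_POP, GETPC_FNSTENV };

static int is_pop_r32(uint8_t b) { return b >= 0x58 && b <= 0x5f; }

/* Classify the bytes starting at buf[i]; never reads past buf[len-1]. */
int getpc_at(const uint8_t *buf, size_t len, size_t i)
{
    if (i >= len) return GETPC_NONE;
    size_t left = len - i;
    /* call $+5 (E8 00 00 00 00) directly followed by pop r32 (58..5F) */
    if (left >= 6 && buf[i] == 0xe8 && !buf[i+1] && !buf[i+2] &&
        !buf[i+3] && !buf[i+4] && is_pop_r32(buf[i+5]))
        return GETPC_CALL_POP;
    /* fnop (D9 D0), fnstenv [esp+disp8] (D9 74 24 xx), pop r32.
       The disp8 byte is deliberately not compared. */
    if (left >= 7 && buf[i] == 0xd9 && buf[i+1] == 0xd0 && buf[i+2] == 0xd9 &&
        buf[i+3] == 0x74 && buf[i+4] == 0x24 && is_pop_r32(buf[i+6]))
        return GETPC_FNSTENV;
    return GETPC_NONE;
}

/* Offset of the first candidate at or after start, or -1 if there is none. */
long next_getpc(const uint8_t *buf, size_t len, size_t start)
{
    for (size_t i = start; i < len; i++)
        if (getpc_at(buf, len, i) != GETPC_NONE) return (long)i;
    return -1;
}

/* Constructed sample: ASCII, call/pop, padding, fnop/fnstenv/pop, then a
   call $+5 cut off by the end of the buffer (must not match). */
static const uint8_t SAMPLE[] = {
    'G','E','T',' ', 0xe8,0x00,0x00,0x00,0x00,0x5b, 0x90,0x90,
    0xd9,0xd0,0xd9,0x74,0x24,0x0c,0x5e, 0x90, 0xe8,0x00,0x00,0x00,0x00 };

int main(void)
{
    for (long o = next_getpc(SAMPLE, sizeof SAMPLE, 0); o >= 0;
         o = next_getpc(SAMPLE, sizeof SAMPLE, (size_t)o + 1))
        printf("candidate at offset %ld, kind %d\n", o,
               getpc_at(SAMPLE, sizeof SAMPLE, (size_t)o));
    return 0;
}
```

A hit is only a candidate: these byte patterns also occur in benign data, which is why the notes follow identification with emulation around each hit.
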
High performance packet sniffing and traffic mining (Tillmann Werner)
  • pcap file format (straightforward file format)
  • packet drops (sniffer too slow, lost information cannot be recovered), sniffing performance
  • multicap : minimizes memory allocations, no system calls to get packet times, memory-mapped dump files
  • streams : reassembles TCP streams
  • tools available @
Reversing Android malware (Mahmud Ab Rahman)
  • Dalvik VM : register-based
  • Dex file format (odex : optimized dex)
  • infection methods : remote install (victim's Gmail credentials are required; browse the Market and install)
  • dex (baksmali) -> class (jad) -> java
  • SMS.trojan : oldest Android malware
  • Geinimi : infects legitimate software, C&C server, encrypted data, steals data
  • DroidDream : infects legitimate software, official Android Market
  • Need new tools (GSOC Honeynet ?)
VOIP Security (Sjur Usken and Ben Reardon)
  • SIP, request and response type, same familiar status codes as HTTP
  • Major difference between SIP and HTTP (in SIP, all devices are both server and client)
  • used to connect to the PSTN network
Glastopf - Looking for trouble ? (Lukas Rist)
  • Web application honeypot
  • collecting attacks
  • gain intelligence