Welcoming of the Guests

Matt Suiche, (Founder at Comae & OPCDE)

Keynote: Active Measures

We live in the age of disinformation—of organized deception. Spy agencies pour vast resources into hacking, leaking, and forging data, often with the goal of weakening the very foundation of liberal democracy: trust in facts. Thomas Rid, a renowned expert on technology and national security, was one of the first to sound the alarm. More than four months before the 2016 election, he warned that Russian military intelligence was "carefully planning and timing a high-stakes political campaign" to disrupt the democratic process. But as crafty as such so-called active measures have become, they are not new.

Thomas Rid, Johns Hopkins SAIS, Author of ACTIVE MEASURES

Thomas Rid is a professor at Johns Hopkins University. He testified on disinformation in front of the U.S. Senate Select Committee on Intelligence.

TFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln

On December’s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a blog post on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I needed to do a root cause analysis first. I tried to get my hands on the exploit sample, but I wasn't able to source a copy.

Maddie Stone, (Security Researcher @ Google Project Zero)

Maddie Stone is a Security Engineer on the Project Zero team at Google. She has spent many years deep in the circuitry and firmware of embedded devices including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavors of Renesas, and more.

Security Conversations: Ryan Naraine interviews Bill Demirkapi

Bill Demirkapi, Independent Security Researcher

Ryan Naraine, (Host @ Security Conversations)

Ryan Naraine is a security strategist at Intel Corp and host of Security Conversations podcast. Security Conversations podcasts are available at https://securityconversations.fireside.fm/

An Exploratory Endeavor in the Reverse Engineering of a Multi-platform Compiler

Abstract: Reverse engineering software written in a native programming language requires an understanding of the different phases of the compilation process, in addition to the libraries involved, code optimizations, language standards, file format, generated code, and other intricacies. Malware is mostly written in a native programming language such as x86 Assembly, C, C++, Objective-C, Delphi, or other similar languages. For those languages we already have good tooling, a knowledge base, and an understanding of how to reverse engineer them, in particular when it comes to recognizing compiler, OS-standard, or other specific libraries.

With the advent of new native programming languages such as the Go language by Google, new research had to be carried out so that RE’ers can have a better understanding of, and an easier time dealing with, binaries written in these languages.

In the last couple of years, malware authors started using another native programming language called PureBasic. This language is very powerful and produces native code with extensive library support. Moreover, the compiler generates code for all major platforms, including Windows, Linux and MacOS. In this talk, we’ll delve into the inner workings of the language, the compiler architecture, the reverse engineering of the language libraries and, more importantly, the release of a complete parser for the libraries, IDA FLIRT signatures, and an IDA plugin. All of this is for the purpose of making reverse engineering of this language easier. To our knowledge, this is the first research that tackles this language.

Description: PureBasic is a sophisticated programming language with an easy syntax. It provides the perfect machinery for malware authors and tool developers to write cross-platform malicious implants and utilities. Moreover, it provides full access to native Windows APIs. Furthermore, it comes with an extensive set of optimized and specialized libraries that make it the ideal language for prototyping and writing GUI applications, among others.

Those libraries are stored in proprietary file formats that get extracted upon compilation so that the relevant libraries can be statically linked with the program’s code. In this talk we will unravel the complete data structures of those different file formats, with a tool that extracts all the stored information in a contextual manner, targeting the Windows, Linux and MacOS versions of the compiler.

Moreover, we will release a full set of IDA FLIRT signatures for all the compiler libraries to make it easier for RE’ers to weed through large binaries compiled with PureBasic. With the release of the parser tool, it should be quite easy to generate the same signatures for other versions of the libraries.

Furthermore, we will release an IDA Pro plugin that helps annotate all identified PureBasic library functions with a descriptive comment, and attempts to identify binaries compiled with the PureBasic compiler.

As a case study, we will demonstrate two binaries written in the PureBasic language, to show the difference between the analysis with and without the PureBasic library functions identified.

Mohamad Mokbel, (Security Researcher @ Trend Micro Inc.)

Mohamad Mokbel (@MFMokbel) is a senior security researcher at Trend Micro and a member of the Digital Vaccine Lab. He’s responsible for reverse engineering vulnerabilities and malware C&C communication protocols, among others, for the purpose of writing custom filters for TippingPoint NGIPS. Prior to joining Trend Micro, Mohamad worked for CIBC, one of the top five banks in Canada, in its security operations center as a senior information security consultant/investigator (L3), where he realized that experience in the operations field is extremely important to understand the real sides of offense and defense. Prior to CIBC, Mohamad worked for Telus Security Lab as a reverse engineer/malware researcher for about 5 years. He’s been doing reverse code engineering for the last 14 years. His research interests lie in the areas of reverse code engineering, malware research, intrusion detection/prevention systems, C++, compiler and software performance analysis, and exotic communication protocols. Mohamad holds an MSc. in Computer Science from the University of Windsor and a BSc. in Computer Engineering from the Lebanese International University. Some of his work can be found at https://www.mfmokbel.com.

Closing Remarks

Matt Suiche, (Founder at Comae & OPCDE)
