Troopers 2017 Day 1 Re-cap
It's late March, thus time for TROOPERS; this year is the 10th anniversary edition of the fantastic conference in Heidelberg, Germany, so an extra special week to be a part of. As I spoke at a pre-conference workshop, the stress was off so I could reflect and re-cap on the content without worrying about an incomplete slide deck. Below you'll find my short musings on the day if you were unable to attend, or missed some of the talks.
Enno Rey (the ER in ERNW) gave the opening keynote to reflect on the changes he has seen since starting TROOPERS 10 years ago (zeitgeist?). He highlighted a number of talks from TROOPERS that had a large impact on the infosec space, from hacking smart TVs to LangSec.
After the keynote, I stayed for Alex's talk about the hypervisor attack surface and how they at ATR have been augmenting the open-source CHIPSEC tool to provide capabilities for fuzzing and probing this surface. He also walked through a number of vulnerabilities found in this area of research, both by ATR and others, and how the complexity inherent in emulating a computer (full virtualization) makes it very hard to ensure a secure interface. Because a hypervisor performing full emulation must provide the legacy devices that OSes need in order to maintain the illusion of being on a dedicated system, the complexity and past mistakes of previous generations of technology cannot be fully deprecated.
With the 7-hour time-zone change still throwing my sleep schedule around, I snuck in a few minutes' nap before attending Graeme's Vox Ex Machina talk on exploring and exploiting speaker identification APIs. While this is a newer method of authentication, Graeme's open-source tools will help pave the path for future exploration. He demonstrated a brute-force attack in which he was able to synthesize a "voiceprint" allowing him to authenticate as another user (volunteers from the conference). The major take-away is that, due to the natural variance in our voices as well as the compression inherent in the voice-encoding process for phone-based usage, the current technologies for speaker identification are quite insecure and immature.
Following Graeme in the Defense and Management track, Casey and Matt talked about the best practices for deploying Windows Device Guard (start with kernel-mode protections, then move to user space). Through a combination of bypasses highlighting common policy weaknesses as well as shortcuts that can harm security, this talk was a fantastic starting point for anyone planning to deploy application white-listing.
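To make the "kernel mode first, then user mode" ordering concrete, here is an added PowerShell sketch of a staged code-integrity policy rollout using the ConfigCI cmdlets. It is my own illustration, not material from the talk or from this post, and the working directory, scan paths and the decision to use Publisher-level rules with a hash fallback are all assumptions you would tune for your own estate.

```powershell
# Added example (not from the talk or this post): staged Device Guard
# code-integrity policy rollout, kernel mode first, user mode second.
# Requires the ConfigCI module (Windows 10 Enterprise / Server 2016).
# Paths and rule levels below are assumptions, not a recommendation
# from the speakers.

$work = 'C:\CIPolicy'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Stage 1: kernel mode only. Without -UserPEs the policy covers drivers
# and other kernel-mode code; user-mode code integrity (UMCI) stays off.
New-CIPolicy -Level Publisher -Fallback Hash `
    -ScanPath 'C:\Windows\System32\drivers' `
    -FilePath "$work\KernelOnly.xml"

# Start in audit mode: violations are logged to the
# Microsoft-Windows-CodeIntegrity/Operational event log, not blocked.
Set-RuleOption -FilePath "$work\KernelOnly.xml" -Option 3   # 3 = Enabled:Audit Mode

ConvertFrom-CIPolicy -XmlFilePath "$work\KernelOnly.xml" `
    -BinaryFilePath "$work\SIPolicy.p7b"
# Deploy SIPolicy.p7b to C:\Windows\System32\CodeIntegrity\ and reboot.

# Stage 2 (only after the kernel-mode policy has run clean in audit):
# scan user-mode PEs as well and switch UMCI on, still auditing.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' `
    -FilePath "$work\KernelAndUser.xml"
Set-RuleOption -FilePath "$work\KernelAndUser.xml" -Option 0   # 0 = Enabled:UMCI
Set-RuleOption -FilePath "$work\KernelAndUser.xml" -Option 3   # keep audit mode

# Turn the audit-log findings into rules and merge them, so that
# legitimate code seen during the audit period is allowed before
# enforcement starts.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs `
    -FilePath "$work\AuditRules.xml"
Merge-CIPolicy -PolicyPaths "$work\KernelAndUser.xml", "$work\AuditRules.xml" `
    -OutputFilePath "$work\Merged.xml"

# Stage 3: enforce by removing the audit-mode option and redeploying.
Set-RuleOption -FilePath "$work\Merged.xml" -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath "$work\Merged.xml" `
    -BinaryFilePath "$work\SIPolicy.p7b"
```

The point of the staging is that each policy runs in audit mode long enough to surface what it would have blocked; jumping straight to an enforced user-mode policy built from a single scan is exactly the kind of shortcut that leaves gaps (or breaks machines) in practice.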
I ended day one by watching Bx's talk on more formally analyzing and modeling the typically hidden world of OS bootloaders. She created a taxonomy of the components and was able to apply policies about writing to memory to look for "mis-typed" behavior. An example of such a malformed write was a sub-stage of the loader that should only be performing internal book-keeping writing to a region of memory used as storage for parts of the OS being loaded.
Check back soon for day 2!
Cyber-security Philosopher and Boffin