
Yves Younan's blog

The Electronic Mayhem wins the Darmstadt Open 2008 CTF

The DistriNet CTF team, called The Electronic Mayhem, finished in first place out of 17 teams during the Darmstadt Open 2008 Capture the Flag. It was a challenging contest that remained exciting till the end, where our team managed to stay just ahead of teamSparta (of mwcollect.org) and ENOFLAG (from the University of Berlin), who took second and third place respectively. More details at http://ctf.sec.informatik.tu-darmstadt.de/daopen08/final_results/

Two PhD Positions in Systems Security at Department of Computer Science, Katholieke Universiteit Leuven, Belgium

* Summary:

The DistriNet research group of the Katholieke Universiteit Leuven in Belgium has two scholarships available for PhD students (4 years) in the area of systems security, more specifically in the area of defense against low-level attacks. The goal of this scholarship is to design and implement countermeasures for attacks that exploit vulnerabilities resulting from memory management errors in C or C++. These attacks take advantage of several vulnerabilities like buffer overflows, integer errors, format string vulnerabilities, etc. DistriNet has extensive experience in this area, which resulted in several countermeasures that further the state of the art by efficiently protecting against attacks using these vulnerabilities. DistriNet is active in building these types of countermeasures for numerous architectures ranging from desktop to mobile and embedded devices.

The successful candidate will have the following tasks and responsibilities:
- Study the state of the art of the domain
- Design and implement countermeasures for both mobile and desktop systems
- Perform extensive evaluation of these countermeasures in terms of performance, memory overhead and security
- Provide verbal and written reports of both the state of the art and own results

To implement these countermeasures, changes could be made to the compiler, the operating system, the underlying architecture or even the language itself. An important design goal is to design countermeasures that have as little impact on performance as possible. Some of the technologies that are currently being used to implement these countermeasures are GCC, Xen, Qemu, Linux, Openmoko, Phoenix, etc.

These countermeasures will be designed in close collaboration with other PhD students, post-doctoral researchers and professors.

Fourth place in the Cipher CTF

The IT-Security Group of University Siegen and the Security and Privacy Research Group of the RWTH Aachen University held the fourth installment of their CTF called Cipher. The DistriNet team, called The Electronic Mayhem, came in 4th out of a total of 32 teams.

PhD Defense: May 8th 2008

I would like to invite you to attend the public defense of my doctoral dissertation entitled:
"Efficient countermeasures for software vulnerabilities due to memory management errors", promoted by Prof. Dr. ir. W. Joosen and Prof. Dr. ir. F. Piessens.

The defense will take place on May 8th at 17h00 in the auditorium of the Department of Computer Science of the Katholieke Universiteit Leuven:

Room 200A 00.225
Celestijnenlaan 200A
3001 Heverlee

A short description of how to get there can be found at:
http://www.cs.kuleuven.be/cs/algemene_info/plan/images/grondplancw.jpg

After the defense, there will be a small reception.

Abstract:

The fifth Belhack meeting

The next few belhacks are being organised by Thomas Heyman since I'm in the US for a few months.

We took the opportunity to change the format a bit: we're now allowing people to attend even if they don't speak. We do, however, expect some level of participation if you attend.

The CFP is out at http://wiki.belhack.com/index.php/CFP5

Third place in the USF CTF

The University of South Florida held a CTF on Friday, April 20th. Our team, The Electronic Mayhem, came in third out of a total of 20 teams. We were only 23 points from the team in 2nd place.

Interesting feature: the 59 top influencers in IT security

IT security has an interesting feature article. Even though I think they're slightly premature in naming the top influencers for 2007 in March already, it is an interesting read.

See http://www.itsecurity.com/features/top-59-influencers-itsecurity-031407/

Update:
Apparently some people don't like being on IT security's list: http://www.matasano.com/log/723/take-me-off-your-list/

While I did think the list was interesting (I picked up some blogs I didn't know about), he raises a valid point that some people (like Michael Howard) are definitely missing.

Belhack.com: Belgian Hacker Community

If you're a Belgian and reading this, chances are I've already emailed you about this, so you can stop reading now :)
However, on the off chance that I forgot to mail you, here goes:

We've started up a project called belhack.com, which is short for "Belgian Hacker Community". The idea of this community is to have monthly meetings where people interested in computer security talk about different topics. The only requirement to attend is that you present something (5-10 minutes) which the other members may be interested in.

If you're interested, check out http://www.belhack.com

Two papers up

A while ago I mentioned that two of my papers were accepted at ICICS 2006 and ACSAC 2006 respectively.
Since I'm currently at ICICS and going to ACSAC next week, I've finally put those papers online.

The first paper is titled Efficient protection against heap-based buffer overflows without resorting to magic and will be presented at ICICS today.

The second paper is titled Extended protection against stack smashing attacks without performance loss and will be presented at ACSAC on December 14th.

Comments for either paper are, as usual, welcome.

Interview with Marcus Ranum in IEEE Security and Privacy

The latest issue of IEEE Security and Privacy features an interview (only accessible if you subscribe to IEEE) with Marcus Ranum (the firewall guy). He makes some specific claims in it which I strongly disagree with.

First, he criticizes Microsoft for constantly enhancing their products with new features, which of course result in new security vulnerabilities. He compares this to a website which he made a long time ago, which was really small. The result of the website? Well it's still up today and they never needed to patch it. Talk about bad analogies. Does anyone remember Windows 3.1.1? I do. It sucked. Let's say for the sake of argument that Windows 3.1.1 was hypersecure, would you be willing to trade it for Windows XP (or even Windows ME or whatever other Microsoft security disaster)? I know I wouldn't (which is why I use Mac OS X: it may be terribly insecure, but I like using it). Security is not a goal, security is a non-functional requirement which is very important. More important, however, is that the software has functionality that users need. Requirements also change over time: the website he made may be secure, but it was obviously for a company that is not evolving rapidly. When Office was first released, you couldn't use it to create web pages and saving everything as a Word document was fine. Nowadays people expect to be able to save their files as html or pdf (does Word support this natively these days?). New requirements mean new features which mean new security vulnerabilities. There's no getting around that, unless you are happy with stone age systems. For people that have reliability as an absolute requirement, this may be acceptable. For the rest of us it is not.

hack.lu review

I attended hack.lu from Thursday evening to Saturday afternoon.

It was an interesting conference: mainly because of the attendees rather than the speakers. However, Wietse Venema's talk on Software Engineering Security was very interesting. He talked about a file wipe program which was badly broken although the code looked reasonably correct. He then demonstrated how a fix was proposed, and how that did not do much either. The main reason that it was broken was the assumptions the authors (and fixers) made about what the operating system/hardware would do versus how it did things in reality.

Sandip Chaudhari talked about a way to exploit memory allocators by overwriting the memory management information and then abusing a following malloc call rather than a free call. It was a pity that he focussed his research on AIX and Solaris rather than more modern operating systems. I was happy to learn that our malloc (dnmalloc) was not vulnerable to this attack.

Paper added: Protecting global and static variables from buffer overflow attacks without overhead

I wrote a short paper on Protecting global and static variables from buffer overflow attacks without overhead. The paper mainly describes an idea on how to protect against attacks on these variables, but does not describe an implementation or anything like it yet. So it's still pretty much in a preliminary stage. It was released as a technical report and you can download it from the papers section of this site.

Feel free to comment on it.

Paper at ICICS 2006: Efficient protection against heap-based buffer overflows without resorting to magic

The paper I submitted to ICICS (International Conference on Information and Communications Security) was accepted. Only 22 of 119 full papers submitted were accepted.

The title is "Efficient protection against heap-based buffer overflows without resorting to magic". You can read a technical report which had a preliminary version of the work here.

I will update the site sometime in the near future with new content.

Defcon 14 review

Defcon is over. I must say the European conferences are totally different. Very different atmosphere; I prefer the European conferences actually.

However, I did meet a lot of interesting people that I had known for a while but had never met before. I also met a lot of new cool people. So the trip out to Vegas was definitely worth it.

I was disappointed with the organisation of Defcon though; it looked very amateurish: they ran out of badges, programs, just about everything. They had some replacement badges luckily, but they didn't print out any extra programs or anything. There were also no TVs showing the talks anywhere. The organization of CCC is a lot more professional.

Anyway because of the lack of programs and basically because the program wasn't very interesting I only ended up going to one talk (basically because I knew the guys speaking): Fun with 802.11 Device Drivers by Johnny Cache and David Maynor, where they talk about hacking into computers by using bugs in the wireless device drivers. Because they are still waiting for Apple (and possibly other vendors) to fix their software, no technical details were released.

Defcon 14

Now that Usenix is over, I'm on my way to Defcon. I can finally meet some of the people who I've known for years online but never met because they're US-based.
Hopefully it will be as cool as Usenix was.

PS: Vancouver Airport has free wireless internet!
