Black Hat USA 2006 ran 29 July - 3 August. I did not attend in person; the published proceedings have been working their way through my reading queue. Specific notes from the substantive talks.
This is a longer post because the substantive content of the conference deserves careful treatment.
Joanna Rutkowska's hypervisor-rootkit work
The most-discussed talk at the conference. Rutkowska demonstrated "Blue Pill", a proof-of-concept rootkit that uses the x86 hardware-virtualisation extensions (AMD's SVM; her implementation targeted Vista x64 on AMD64 hardware, and Dino Dai Zovi presented the Intel VT-x counterpart, Vitriol, at the same conference) to slide a thin hypervisor underneath the running operating system without a reboot. The compromised OS keeps running as a guest and notices nothing; the hypervisor can intercept any hardware access it chooses and passes the rest straight through; detection from within the guest is structurally difficult because every view the guest has of its own memory and hardware is mediated by the rootkit.
The technique is not entirely novel: virtual-machine-based rootkits had already been described in the academic literature (SubVirt, from Microsoft Research and the University of Michigan earlier this year, used a conventional software VMM and needed a reboot to install), but Rutkowska's is the first public demonstration on the new hardware extensions and the most operational to date.
Three structural implications.
The detection problem is now harder. A conventional kernel rootkit can still be found from inside the OS by cross-view comparison (what the API reports against what raw kernel memory or the raw disk contains) or from outside by off-host inspection of memory or disk. A hypervisor rootkit sits below the kernel, so an in-guest inspector sees an unmodified kernel and a raw-memory view that the rootkit can filter. What remains is side-channel detection from inside (instructions the hypervisor intercepts take measurably longer than on bare metal, though a hypervisor can adjust the time-stamp counter it hands back, so this is an arms race rather than a fix) and inspection from beneath the hypervisor, which needs hardware or firmware support that deployed systems do not yet have.
The trajectory continues. Each generation of rootkit sidesteps the detection built for the previous one: user-mode, then kernel-mode, now hypervisor-level, with SMM- and firmware-level work already being discussed. The categories are moving toward the hardware, and the defensive infrastructure has to follow them down.
The structural conclusion: trustworthy execution requires a root of trust beyond the rootkit's reach. The current conversation is partly about which hardware-level features (TPM-measured boot, secure-boot mechanisms, remote attestation) could detect compromise at a lower level than the rootkit operates. Expect that pressure to produce concrete hardware features over the next several years.
For operators: nothing shown changes the near-term threat model. Blue Pill is a proof of concept that needs kernel privilege on a machine whose CPU has the virtualisation extensions, so the attacker must already own the box before installing it. The structural disciplines (comprehensive logging shipped off-host, off-host monitoring, behavioural detection, regular integrity verification against a known-good baseline) remain the right posture, because they catch what the rootkit is used for, not just the rootkit.
H D Moore on Metasploit
Moore presented updates on Metasploit Framework 3, a substantial rewrite of the framework in Ruby (the 2.x series was Perl). The trajectory from 1.0 (2003) through 2.0 (2004) to 3.0 (in development) is informative.
Three observations from Moore's talk.
The framework approach has matured. Metasploit 3's architecture separates exploits, payloads, encoders, NOP generators and auxiliary modules, and supports automated exploitation, integrated post-exploitation tooling and scripted attack chains. That is operationally meaningful for both offensive and defensive work.
The module library has grown substantially: exploits for hundreds of vulnerabilities, post-exploitation tools, reporting infrastructure. The operational utility is real.
The defensive implications are real. Defenders use Metasploit to validate their posture against exploits that actually work rather than against scanner reports of what might; penetration-testing workflows depend on it.
The direction is positive. Open-source offensive tooling produces better defensive testing, and the net effect on the defensive community is meaningful.
David Litchfield on database-server vulnerabilities
Litchfield continued his database-server work: specific Oracle, SQL Server and DB2 vulnerabilities, the architectural patterns behind them, and defensive recommendations.
The observation that matters: database servers remain substantially under-protected relative to the risk they carry. Operators still deploy them with weak default configurations, patch them rarely (partly because database patching means downtime and regression testing), and grant application accounts far more privilege than the application needs, so a single injected query or a compromised application server becomes a full database compromise.
For operators running databases, the structural disciplines apply: current patches; one account per application with the least privilege it needs, and no application account able to reach system catalogues or extended procedures; comprehensive logging; monitoring for anomalous query patterns, which in practice means a baseline of the query shapes each account normally issues and alerts on departures from it. The investment is bounded; the avoided cost is substantial.
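What monitoring for anomalous query patterns can look like in practice, as an added example that is not from Litchfield's talk or from any product: a baseline-and-deviation detector over a database query log. The log layout (`timestamp account client sql`), the sample lines and the watch-list of catalogue views and extended procedures are constructed for the example; a real deployment would read the server's own audit log and tune the watch-list per product.

```python
import re
from collections import defaultdict

# Constructed sample logs in an assumed 'timestamp account client sql' layout;
# a real deployment reads the server's own audit log instead.
BASELINE_LOG = """\
2006-08-10T09:01:02 app_web 10.0.1.5 SELECT id, name FROM customers WHERE id = 1042
2006-08-10T09:01:03 app_web 10.0.1.5 SELECT id, name FROM customers WHERE id = 77
2006-08-10T09:02:10 app_web 10.0.1.6 UPDATE orders SET status = 'shipped' WHERE id = 9001
2006-08-10T09:03:11 app_web 10.0.1.5 INSERT INTO audit_log (who, what) VALUES ('u1', 'login')
"""

LIVE_LOG = """\
2006-08-17T02:14:55 app_web 10.0.1.5 SELECT id, name FROM customers WHERE id = 5
2006-08-17T02:15:01 app_web 192.168.99.4 SELECT id, name FROM customers WHERE id = 1 UNION SELECT 1, password FROM users
2006-08-17T02:15:30 app_web 192.168.99.4 SELECT name FROM sys.objects WHERE type = 'P'
2006-08-17T02:16:02 app_web 192.168.99.4 EXEC xp_cmdshell 'whoami'
2006-08-17T02:20:00 dba_ops 10.0.9.9 SELECT name FROM sys.objects WHERE type = 'P'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<account>\S+) (?P<client>\S+) (?P<sql>.+)$")

# Illustrative watch-list (an assumption for the example): catalogue views and
# extended procedures an application account has no business touching.
SENSITIVE_RE = re.compile(
    r"\b(sys\.\w+|information_schema\.\w+|all_tables|dba_\w+|"
    r"xp_cmdshell|sp_oacreate|utl_http|utl_file)\b",
    re.IGNORECASE,
)


def parse(log_text):
    """Yield (line_no, account, client, sql) for each well-formed line."""
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if m:
            yield line_no, m["account"], m["client"], m["sql"]


def shape(sql):
    """Reduce a statement to its structural shape: lower-case, string and
    numeric literals replaced by '?', whitespace collapsed. Parameter values
    then no longer make every query look unique."""
    s = sql.lower()
    s = re.sub(r"'(?:[^']|'')*'", "?", s)
    s = re.sub(r"\b\d+\b", "?", s)
    return " ".join(s.split())


def build_baseline(log_text):
    """Per account: the set of query shapes and the set of client addresses
    seen during a window believed to be clean."""
    shapes, clients = defaultdict(set), defaultdict(set)
    for _, account, client, sql in parse(log_text):
        shapes[account].add(shape(sql))
        clients[account].add(client)
    return {"shapes": dict(shapes), "clients": dict(clients)}


def detect(baseline, log_text):
    """Return (line_no, account, reason) alerts for departures from the baseline."""
    alerts = []
    reported_clients = set()
    for line_no, account, client, sql in parse(log_text):
        if account not in baseline["shapes"]:
            alerts.append((line_no, account, "account absent from baseline"))
            continue
        if client not in baseline["clients"][account] and (account, client) not in reported_clients:
            reported_clients.add((account, client))
            alerts.append((line_no, account, f"new client {client}"))
        hit = SENSITIVE_RE.search(sql)
        if hit:
            # Fires regardless of the baseline: this is wrong even if it has happened before.
            alerts.append((line_no, account, f"sensitive object: {hit.group(1)}"))
        elif shape(sql) not in baseline["shapes"][account]:
            alerts.append((line_no, account, f"new query shape: {shape(sql)}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE_LOG), LIVE_LOG):
        print(alert)
```

Two design points are worth noting. Literals are stripped before comparison, so parameter values do not make every query unique, while a UNION appended to a familiar query still changes its shape and is flagged. The watch-list check fires regardless of the baseline, because an application account reading `sys.objects` or calling `xp_cmdshell` is wrong even if it has done so before; the DBA account's identical query is flagged only because it has no baseline, which is the right behaviour on first sight and the reason baselines need per-account review rather than blanket suppression.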
Various web-application security work
Multiple talks covered web-application security from different angles; the volume reflects the structural importance of the category.
Specific themes:
- Cross-site scripting techniques, including DOM-based variants, where the payload never reaches the server because the vulnerable sink is client-side script reading from the URL or the document itself.
- Cross-site request forgery as a structural problem: the browser attaches the victim's cookies to any request, so an application that accepts state-changing requests on the strength of a session cookie alone is exposed.
- Browser-feature interactions that produce subtle vulnerabilities.
- Web-application-firewall capabilities and limitations.
The web-application threat landscape continues to develop faster than most operators' defensive infrastructure. Subsequent posts will address the trajectory.
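The server-side check that addresses the CSRF problem, as an added example that is not from any of the talks: a synchroniser token bound to the session with an HMAC, carrying an expiry and compared in constant time. The session-cookie name, the request dictionary and the in-process secret are assumptions for the example; in a real application the secret comes from configuration and the token is rendered into the form as a hidden field, where the same-origin policy keeps other sites from reading it.

```python
import hashlib
import hmac
import secrets
import time

# Assumed for the example: in practice this is loaded from configuration and
# shared by every server that must verify tokens, never regenerated per process.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 3600


def make_token(session_id, now=None, secret=SERVER_SECRET):
    """Issue a token bound to this session: '<issued-at>:<hmac(session_id, issued-at)>'.
    The token is rendered into the form as a hidden field; an attacker's page
    cannot read it across origins, so a forged request cannot supply it."""
    issued = int(time.time() if now is None else now)
    mac = hmac.new(secret, f"{session_id}:{issued}".encode(), hashlib.sha256).hexdigest()
    return f"{issued}:{mac}"


def verify_token(session_id, token, now=None, secret=SERVER_SECRET, ttl=TOKEN_TTL_SECONDS):
    """Return (ok, reason). Rejects malformed, expired and forged tokens, and a
    valid token presented alongside a different session cookie."""
    now = int(time.time() if now is None else now)
    try:
        issued_text, mac = token.split(":", 1)
        issued = int(issued_text)
    except (AttributeError, ValueError):
        return False, "malformed"
    if issued > now or now - issued > ttl:
        return False, "expired"
    expected = hmac.new(secret, f"{session_id}:{issued}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes: an early-exit string compare would leak
    # the MAC one byte at a time, and compare_digest rejects non-ASCII str input.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return False, "bad signature"
    return True, "ok"


def handle_state_change(request):
    """Gate for a state-changing endpoint. The request is a constructed dict
    {'method', 'cookies', 'form', 'now'}; a web framework would supply the same
    fields from the real request."""
    if request["method"] != "POST":
        # State changes over GET are forgeable with a plain <img> tag.
        return 405, "state changes must be POST"
    session_id = request["cookies"].get("session")
    if not session_id:
        return 403, "no session"
    ok, reason = verify_token(session_id, request["form"].get("csrf_token", ""),
                              now=request.get("now"))
    if not ok:
        return 403, f"csrf check failed: {reason}"
    return 200, "transfer accepted"


if __name__ == "__main__":
    token = make_token("sess-abc", now=1000)
    good = {"method": "POST", "cookies": {"session": "sess-abc"},
            "form": {"csrf_token": token}, "now": 1500}
    forged = {"method": "POST", "cookies": {"session": "sess-abc"},
              "form": {"amount": "1000"}, "now": 1500}
    print(handle_state_change(good))    # (200, 'transfer accepted')
    print(handle_state_change(forged))  # (403, 'csrf check failed: malformed')
```

The binding to the session is what makes this a structural fix rather than a per-form patch: a forged request from another site carries the victim's cookie automatically but cannot carry a token minted for that cookie, and a token stolen from one session fails the signature check under any other. The expiry bounds the window in which a leaked token is useful; the refusal of GET closes the simplest forgery path before the token is even examined.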
What this teaches
Three observations from the reading.
The offensive-research community continues to produce substantial work. A defender's reading discipline is what keeps pace with it, and the discipline is non-optional.
The trajectory toward harder-to-detect compromise continues: kernel-level and hypervisor-level rootkits, increasingly sophisticated tooling. The defensive response requires structural investment beyond what most operators have made.
The public knowledge base is substantial. Conference proceedings, published research, open-source tooling and training resources are all available; the barrier to learning is now lower than the barrier to applying what is learned.
What I am doing
For my own work: continued reading discipline. Black Hat proceedings, USENIX Security proceedings, various academic and industry publications. The cumulative reading produces structural understanding that operational work alone cannot.
For Gala Coral: specific applicable lessons from the conference reading inform our defensive infrastructure planning. The cumulative reading discipline supports specific operational decisions.
For my structured-log analysis: specific signatures inspired by Black Hat content. The cumulative archive continues growing.
More in time.