Black Hat USA 2007 ran 28 July - 2 August. I did not attend in person; the published proceedings are working their way through my reading queue. Specific notes from the substantive talks.
This is a longer post because the substantive content of the conference deserves careful treatment.
Hardware-virtualisation rootkit work continues
Following Joanna Rutkowska's Blue Pill from 2006, further hardware-virtualisation rootkit work was presented this year. The trajectory is unchanged, and implementations are now demonstrably operational.
The defensive trajectory is also unchanged: detection has to come from outside the rootkit's reach (hardware-level attestation, secure-boot mechanisms, infrastructure that sits lower in the stack than the rootkit itself). Commercial implementations are years away from operational deployment; the research continues.
For practitioners: keep reading in this category. The accumulated writing on hypervisor-level rootkits informs later structural assessment.
Browser-exploitation research
Multiple talks covered browser exploitation from various angles. Themes that recurred:
Web-application worm techniques. Building on the Yamanner precedent, subsequent research demonstrated further techniques. The web-application threat landscape continues to develop faster than most operators' defensive infrastructure.
Cross-site scripting beyond the obvious patterns: subtle XSS techniques, browser-feature interactions, payload-delivery mechanisms. The category continues to mature; defensive responses lag.
Browser-extension vulnerabilities. Firefox extensions and Internet Explorer ActiveX controls have both shown vulnerabilities; the attack surface contributed by third-party browser extensions is meaningful.
Protocol-level browser issues: HTTP, TLS and application-layer issues. Work at this level continues.
The trajectory across these themes is consistent. Browser security is structurally hard; defensive tools improve, but offensive techniques continue to evolve faster than defences.
Dan Kaminsky's DNS work
Kaminsky presented preliminary work on DNS protocol vulnerabilities. The details were partial: the talk indicated substantial structural issues with common DNS implementation patterns but did not fully disclose them. Further disclosure is expected.
The implication: DNS may be substantially more vulnerable than previous research has demonstrated, and the subsequent disclosures will be operationally significant.
For practitioners: track Kaminsky's DNS work over the coming months. Full disclosure will likely produce substantial defensive scrambling; organisations should be ready for it.
H D Moore on the Metasploit Framework
Continued updates on the Metasploit Framework, building on previous years. The trajectory is consistent: better integration, broader exploit coverage, more sophisticated post-exploitation tooling.
The defensive implication: penetration-testing capability is now widely available. Operators who use Metasploit to validate their own defences get better outcomes than operators who do not.
Various web-application security work
Multiple talks covered web-application security. Themes:
- Cross-site request forgery as a structural problem.
- Cookie-handling vulnerabilities.
- Web-application firewall capabilities and limitations.
- Authentication-flow issues.
The volume of web-application security work continues to grow. Subsequent posts will address the broader trajectory.
Platform-vulnerability work
Multiple talks covered platform-vulnerability research:
- Windows Vista vulnerabilities and bypass techniques.
- Mac OS X research.
- Linux kernel work.
- Embedded-platform vulnerabilities (routers, printers, other network devices).
The observation: every major platform has substantial vulnerability research against it, and defensive responses lag the offensive research.
What this teaches structurally
Three observations from the conference reading as a whole.
The offensive-research community is mature and productive: identifiable researchers, identifiable groups, a growing body of output. What lets the defensive community keep pace is reading discipline.
Platform-security improvements are visible. Vista's architectural improvements are measurably raising the difficulty of exploitation; that defensive trajectory matters.
The public security community's knowledge base is substantial: conference proceedings, published research, open-source tooling, training resources. The barrier to learning is now lower than the barrier to applying what is learned.
What I am doing
For my own work: continued reading discipline.
For Gala Coral: specific applicable lessons from the conference reading inform our defensive infrastructure planning. Specific subsequent decisions will reference the cumulative reading.
For the DDoS book project: substantial Black Hat material informs specific chapters. The cumulative reading is substantial substrate for the book.
For my structured-log analysis: specific signatures inspired by Black Hat content. The cumulative archive continues growing.
More in time.