Ohio Information Security Forum

Event Information:

   Event Date: July 10th, 2010

   Location: SCC Research Park, Auditorium

   Time: 8:30AM-5:30PM

   Schedule: Scheduled Presentations

OISF July Anniversary Event — Schedule & Abstracts

Attendance/Registration:

The registration deadline has passed for the event.

OISF Capture The Flag:

This event ran all day during the July Anniversary Event, down the hall from the Auditorium.

OISF CTF Games are based on a real world hacking scenario. Network and system configurations are designed to be similar to real world setups.

If you would like to know more, please visit the Capture The Flag page.

Schedule:

  Here is the schedule for the Anniversary Event, followed by the abstracts of each presentation.

Time            Event/Speaker
8:30-9:00AM     Morning Registration
9:00-9:30AM     Opening Comments
9:30-10:30AM    Adrian Crenshaw: Intro to Mutillidae: Teaching the OWASP Top 10 by example
10:45-11:45AM   Gary Sheehan: 27000 + 20000 + 38500 = IT GRC
11:45AM-1:00PM  Lunch: Pizza for all and a few "Now They Own You" demonstrations
1:00-2:00PM     Dr. James Walden: Security of Web Application Systems with Plugins
2:15-3:15PM     Bill Kimball: Jiseki: An Intra-Procedural Dynamic Data Flow Analysis System
3:30-4:30PM     Dave Russell: And You Thought H1N1 Was Bad
4:30-5:30PM     Anniversary Cake & prizes

Presentations:

Adrian Crenshaw
Intro to Mutillidae: Teaching the OWASP Top 10 by example

Abstract:
Mutillidae is a deliberately vulnerable set of PHP scripts that implement the OWASP Top 10. It was designed to be an easy-to-use teaching tool for introducing web security concepts to students. This talk will cover the basics of Mutillidae and how it can be used in a classroom setting.

Adrian Crenshaw has worked in the IT industry for the last twelve years. He runs the information security website Irongeek.com, which specializes in videos and articles that illustrate how to use various pen-testing and security tools.

Gary Sheehan, CISSP, HISP
27000 + 20000 + 38500 = IT GRC

Abstract:
Governance, Risk Management, Compliance and Security are all terms used by various departments and at various levels within an organization. Though their meanings are somewhat consistent across the organization, the communication and implementation of solutions that address these specific concerns are often inconsistent and incomplete. Regulations, compliance requirements, internal controls, contractual requirements and risk put pressure on an organization from every direction. Failure to implement an effective GRC program can threaten the reputation of your corporate brand and the overall success of your organization.

The most efficient and effective way to deal with the ever-growing array of regulations and compliance requirements is to establish a GRC program founded in frameworks. This presentation is going to focus on some of the issues and solutions surrounding GRC, including the three frameworks that when used in an integrated fashion can provide organizations a solid foundation on which to build their IT and enterprise GRC programs.

Gary is the Director of GRC Services for Advanced Server Management Group, Inc. He has over 25 years experience in information technology with over 20 years experience in information security, specializing in security management, assessments, policy and awareness development, compliance and security project management. He has worked in a variety of industries, including manufacturing, chemical, insurance, and banking.

Prior to ASMGi, Gary was a Managing Consultant with Wolcott Group, where he advised and assisted customers with their governance, compliance, risk and security needs. Gary has a B.A. in Business Administration from Baldwin-Wallace College. He is the Executive Director for the Northern Ohio InfraGard Members Alliance and founder of the Information Security Summit. He received his CISSP certification in 2002, attended the FBI Citizen's Academy in 2006 and received his HISP certification in 2007.

James Walden, Ph.D.
Security of Web Application Systems with Plugins

Abstract:
Popular open source web applications have evolved into complex software ecosystems, consisting of a core maintained by a set of long term developers and a range of plugins developed by third parties. These plugins accomplish such tasks as adding forms to a content management system, connecting a blog with social networking systems, or even scanning for malware infecting the application. The security of such web applications depends as much on vulnerabilities found in plugins as it does in vulnerabilities in the application core.

In this talk, we will examine the security of open source web applications written in PHP and the impact of adding plugins on the security of those applications. We chose PHP since the large majority of widely deployed open source web applications, such as Drupal and WordPress, are written in PHP. We will look at empirical data, such as the number, types, and locations of vulnerabilities in these web applications, and look at how we can use such data to decide which applications to use and how to focus our efforts on securing such applications. Our data includes a combination of vulnerabilities from public vulnerability databases and vulnerabilities detected by automated analysis tools.

Dr. Walden has 17 years of experience in software security, including working at Intel and Carnegie Mellon University. His experience includes designing and implementing secure software, as well as researching software security and security metrics. He maintains an active schedule of publishing papers on software security, giving talks and workshops on a variety of security topics, and teaching security classes at Northern Kentucky University.

His current focus is measuring the security of web applications and studying techniques to predict the security evolution of such applications over time. These measurements will help managers identify which applications to use and help developers improve the security of web applications.

Dr. Walden has a Ph.D. from Carnegie Mellon University. He is a member of the Association for Computing Machinery, the Institute of Electrical and Electronics Engineers, and the Open Web Application Security Project.

Bill Kimball
Jiseki: An Intra-Procedural Dynamic Data Flow Analysis System

Abstract:
Dynamic Data Flow Analysis (DDFA) is a technique used to infer properties of data over time. DDFA may use content addressable memory (CAM) or random access memory (RAM) to associate metadata (tags) with trace data. The metadata provides the mechanism to capture data flow. CAM architectures require that the content being addressed is unique. If data being traced is copied to another location in memory, then a collision would occur upon lookup of the data. To solve this problem, a separate identifier may be used during lookup for each copy of the data. CAM architectures also lack support for tracking derivatives and substitutions of trace data. For example, if data is moved from memory to a register, transformed within the register (arithmetic or logic operation) and then moved back to memory, then the data may not be addressed by its content, as its content has changed. The data flow would falsely terminate at each derivative of the data. Also, if a substitution occurs by using trace data within an effective address calculation, then again the data flow would falsely terminate. In order to trace data flow within memory and registers for all moves (X to X mappings), derivatives (X to X' mappings), and substitutions (X to Y mappings) of arbitrary trace data, a new RAM-based tagged memory architecture is required.

Jiseki is a software-based tagged memory architecture which uses RAM to trace data throughout memory and general purpose registers on Intel Architecture 32-bit (IA32). Jiseki associates a tag byte with every byte of user-level memory and every byte of each general purpose register. Jiseki supports multicore processors and multithreaded applications through the use of a custom thread local storage (TLS) implementation. The TLS stores each thread's set of register tags. Jiseki intercepts the debug interrupt on each processor core and forces the trap flag to be set for every thread to be traced. When a debug interrupt occurs, Jiseki disassembles the last instruction executed and propagates tag bytes from each byte of a source operand that contains trace data to the destination operands. For every instruction that propagates data, an entry is created in a trace file containing the thread id, instruction address, type of propagation (move, derivation, or substitution), size of the source and destination register or memory address, and the content propagated. The trace file may be read into IDA Pro (a popular disassembler/debugger), which creates an interactive flowgraph to further analyze the trace of the data.

Jiseki may be used towards software vulnerability discovery, malware analysis, and other reverse engineering tasks. For example, given an application which processes remote signals, an analyst needs to determine how to manipulate the signal (the input) to bypass a security policy (i.e. corrupt arbitrary memory). To answer this question, the application must be reverse engineered (its internals studied), or the analyst must fuzz (guess) how to maliciously structure the data. Fuzzing is a fast technique during which an analyst changes the properties of the data looking for unexpected behavior by the application. Bad behavior may indicate a potential vulnerability, given further analysis. In contrast, code analysis is time consuming, but results in a more complete analysis than fuzzing. Analyzing the code which acts upon the data will reveal multiple data-dependent execution paths, every one of which needs to be analyzed for vulnerabilities. Jiseki enhances the code analysis process by providing a graph of the exact flow and the set of instructions (exclusively) that processed the data in question.
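As an added illustration of the tag-propagation model this abstract describes (not Jiseki's code), the following toy tagged-memory tracer gives an 8-bit machine with two registers a parallel tag byte per memory byte and per register, and logs each traced propagation as a move, a derivation or a substitution; the instruction set, register names and the constructed program are assumptions, chosen so that a content-addressed lookup would lose the trace at the XOR and at the table index while the tag-based scheme keeps it.

```python
"""Toy tagged-memory tracer in the spirit of Jiseki (constructed example, not
Jiseki's code; 8-bit machine). Every memory byte and register carries a parallel
tag; tags flow to the destination and are logged as move, derivation or substitution."""
from dataclasses import dataclass, field

TAG = 1  # "derived from the traced input"

@dataclass
class Machine:
    mem: bytearray
    regs: dict = field(default_factory=lambda: {"a": 0, "b": 0})
    reg_tag: dict = field(default_factory=lambda: {"a": 0, "b": 0})
    trace: list = field(default_factory=list)

    def __post_init__(self):
        self.mem_tag = bytearray(len(self.mem))  # one tag byte per memory byte

    def _flow(self, pc, kind, tagged, src, dst):
        self.reg_tag[dst] = TAG if tagged else 0  # destination register inherits the tag
        if tagged:  # only instructions that touch traced data enter the trace
            self.trace.append((pc, kind, src, dst, self.regs[dst]))

    def step(self, pc, ins):
        op, dst, src = ins
        if op == "load":        # reg <- mem[addr]: X -> X, content unchanged
            self.regs[dst] = self.mem[src]
            self._flow(pc, "move", self.mem_tag[src], f"mem[{src}]", dst)
        elif op == "store":     # mem[addr] <- reg: the tag travels with the byte
            self.mem[dst], self.mem_tag[dst] = self.regs[src], self.reg_tag[src]
            if self.reg_tag[src]:
                self.trace.append((pc, "move", src, f"mem[{dst}]", self.mem[dst]))
        elif op == "xor":       # reg <- reg ^ reg2: X -> X', content changes, tag survives
            self.regs[dst] ^= self.regs[src]
            self._flow(pc, "derivation", self.reg_tag[dst] or self.reg_tag[src], f"{dst}^{src}", dst)
        elif op == "load_idx":  # reg <- mem[base + idx_reg]: X -> Y when the index is traced
            addr = src[0] + self.regs[src[1]]
            self.regs[dst] = self.mem[addr]
            kind = "substitution" if self.reg_tag[src[1]] else "move"
            self._flow(pc, kind, self.reg_tag[src[1]] or self.mem_tag[addr], f"mem[{addr}]", dst)

def run_demo():
    """Constructed scenario: a traced input byte is copied, XOR-transformed and used as a table index."""
    m = Machine(bytearray(20))
    m.mem[0], m.mem[8], m.mem[16:20] = 2, 1, bytes([10, 20, 30, 40])  # input, constant, table
    m.mem_tag[0] = TAG                                                # trace the input byte
    program = [("load", "a", 0), ("load", "b", 8), ("xor", "a", "b"),
               ("load_idx", "b", (16, "a")), ("store", 12, "b")]
    for pc, ins in enumerate(program):
        m.step(pc, ins)
    return m
```

Calling run_demo() and printing its trace gives one entry per instruction that touched traced data (the load of the untagged constant produces none), which is the per-instruction record the abstract describes feeding a flowgraph.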

Bill Kimball is a Research Associate and Instructor of Computer Science at the Center for Cyberspace Research (CCR). Kimball received an M.S. in Cyber Operations (Distinguished Graduate) from the Air Force Institute of Technology and a B.S. in Computer Science from the University of Dayton. Kimball developed Fylasso Antivulnerability, ShellDeny, L.E.V.I. (released BlackHat U.S. 06), the Vulnerability Discovery Framework, SecureQEMU (released BlackHat U.S. 09), E.S.C.A.P.E, and Jiseki. Kimball was awarded the AOC Academic Research Excellence Award in Information Operations (2009), the GKM Systems International Award for Innovative Programming (2008) and the Learn, Lead and Serve Grant (2005). Kimball has spoken at BlackHat, ISSA, OISG, OAOS, and briefed the Air Force Scientific Advisory Board, National Security Agency, and other US military and government officials on cyber defense.

Dave Russell
And You Thought H1N1 Was Bad...

Abstract:
The past few months have reminded us of just how painful it can be to deal with a malware outbreak. Conficker devastated countless organizations, and its presence is still being felt all over the place. It is, undoubtedly, not the last we'll see of these malware outbreaks. This presentation will focus on ways to respond if/when you ever find yourself on the receiving end of one of these charming events. With a reasonable strategy, outbreaks are a lot more manageable, and can be a teachable moment for management. We will go over such a strategy, and discuss some of the painful lessons that have been learned by those that didn't have such plans in place. We'll even touch on when and how to consider prosecution when it is feasible to do so.

Dave Russell is a security engineer with 403 Labs, headquartered in a lovely suburb of Milwaukee, WI. While his focus is largely application security, he finds himself these days occupied with the joys of PCI (payment card industry) compliance. He is the author of several open-source security tools, notably fgdump and pwdump6, and continues to do research in his copious spare time. Should you find yourself at the Defcon security conference later this month, his latest project, a new Hacker Jeopardy game system, will be available for all to mock during the game.
