- GetPC sequences: (call $+5; pop r32), (fnop; fnstenv [esp-0x0c]; pop r32: the saved FPU instruction pointer sits 12 bytes into the fnstenv record, so it lands at [esp]), structured exception handling
- detecting shellcodes statically (e.g. Markov chains)
- detecting shellcodes dynamically: GetPC + backtracking + emulation
- libscizzle: identify possible GetPC sequences, brute-force the possible starting locations around each sequence, run them in an efficient sandbox
- libscizzle code execution: disassemble the guest code, execute one basic block at a time in the sandbox, emulate all other instructions, handle exceptions
- libscizzle performance: 99 MiB/s to 795 MiB/s, about 1000x faster than libemu
- libscizzle evaluation: no false positives, no false negatives
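A static scanner for the two x86 GetPC idioms listed above, added here as an example (it is not code from the talk or from libscizzle). The byte buffer it scans is constructed, not a real shellcode; the hits it reports are the candidate offsets a backtracking/emulating detector would start from.

```c
/* Added example (not from the talk or libscizzle): static scan for the two
 * x86 GetPC idioms listed in the notes. The sample buffer is constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef struct {
    size_t offset;      /* where the candidate sequence starts */
    const char *kind;   /* which idiom matched */
} getpc_hit;

/* 0x58..0x5F encode pop eax .. pop edi (pop r32). */
static int is_pop_r32(uint8_t b) { return b >= 0x58 && b <= 0x5F; }

/* Scan buf for GetPC idioms, store up to max hits, return the total found. */
size_t find_getpc(const uint8_t *buf, size_t len, getpc_hit *hits, size_t max)
{
    size_t n = 0;
    for (size_t i = 0; i + 4 < len; i++) {
        /* call $+5 (E8 00 00 00 00) pushes the address of the next instruction;
         * the following pop r32 loads it. */
        if (i + 5 < len && buf[i] == 0xE8 &&
            (buf[i + 1] | buf[i + 2] | buf[i + 3] | buf[i + 4]) == 0 &&
            is_pop_r32(buf[i + 5])) {
            if (n < max) hits[n] = (getpc_hit){ i, "call $+5 / pop r32" };
            n++;
            continue;
        }
        /* fnstenv [esp-0xc] (D9 74 24 F4) writes the 28-byte FPU environment so
         * that its saved instruction pointer lands at [esp]; pop r32 loads it.
         * That pointer is the address of the last FPU instruction executed, so
         * require a D9-prefixed op (fnop D9 D0, fldz D9 EE, ...) right before. */
        if (i >= 2 && buf[i - 2] == 0xD9 &&
            buf[i] == 0xD9 && buf[i + 1] == 0x74 && buf[i + 2] == 0x24 &&
            buf[i + 3] == 0xF4 && is_pop_r32(buf[i + 4])) {
            if (n < max) hits[n] = (getpc_hit){ i - 2, "fpu op / fnstenv [esp-0xc] / pop r32" };
            n++;
        }
    }
    return n;
}

/* Constructed sample: nop sled, both idioms, and a decoy call with no pop. */
static const uint8_t sample[] = {
    0x90, 0x90, 0x90,                              /* 0: nop sled */
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x5B,            /* 3: call $+5; pop ebx */
    0xE8, 0x00, 0x00, 0x00, 0x00, 0x90,            /* 9: decoy, call $+5; nop */
    0x31, 0xC9,                                    /* 15: xor ecx, ecx */
    0xD9, 0xEE, 0xD9, 0x74, 0x24, 0xF4, 0x5B,      /* 17: fldz; fnstenv [esp-0xc]; pop ebx */
    0x80, 0x73, 0x1E, 0x41                         /* 24: xor byte [ebx+0x1e], 0x41 */
};

/* Run the scanner over the constructed sample. */
size_t scan_sample(getpc_hit *hits, size_t max)
{
    return find_getpc(sample, sizeof sample, hits, max);
}

int main(void)
{
    getpc_hit hits[8];
    size_t n = scan_sample(hits, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("candidate at offset %zu: %s\n", hits[k].offset, hits[k].kind);
    return 0;
}
```

The decoy shows why a static match alone is not a verdict: `E8 00 00 00 00` is also a harmless zero-displacement call in ordinary data, which is why the talk's approach follows each candidate with backtracking and emulation rather than stopping at the pattern hit.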
High performance packet sniffing and traffic mining (Tillmann Werner)
- capture path: NIC -> kernel -> userspace -> file
- pcap file format (straightforward: one global header, then a 16-byte record header plus the captured bytes per packet)
- packet drops (sniffer too slow => packets lost, and lost information cannot be recovered), hence sniffing performance matters
- multicap: minimize memory allocations, no system calls to get packet timestamps, memory-mapped dump files
- streams: TCP stream reassembly
- tools available @ http://src.carnivore.it
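Added example of the two points above, the simplicity of the pcap format and memory-mapped dump files (it is not code from the talk or from the carnivore.it tools): it writes a pcap file from two constructed Ethernet frames, then walks the file back through mmap without per-packet reads and flags a dump that ends mid-record, which is what a capture looks like after the sniffer was killed or the disk filled.

```c
/* Added example (not from the talk or the multicap/streams code): write a pcap
 * file, then read it back through mmap and detect a truncated final record.
 * The two frames are constructed, not captured. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/stat.h>

#define PCAP_MAGIC 0xa1b2c3d4u   /* native byte order, microsecond timestamps */
#define LINKTYPE_ETHERNET 1

/* Global header (24 bytes) and per-packet record header (16 bytes). */
typedef struct {
    uint32_t magic; uint16_t vmajor, vminor; int32_t thiszone;
    uint32_t sigfigs, snaplen, network;
} pcap_hdr;
typedef struct { uint32_t ts_sec, ts_usec, incl_len, orig_len; } pcaprec_hdr;
typedef char pcap_layout_check[(sizeof(pcap_hdr) == 24 && sizeof(pcaprec_hdr) == 16) ? 1 : -1];

/* Constructed frames: 14-byte Ethernet header plus payload. The 27-byte one
 * leaves the next record header unaligned, which the reader must tolerate. */
static const uint8_t frame_a[20] = {
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    'a','r','p','?',0x00,0x00 };
static const uint8_t frame_b[27] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    'h','e','l','l','o',' ','w','o','r','l','d','!','!' };

/* Write pkts[0..n) to path as a pcap file; 0 on success, -1 on error. */
int write_pcap(const char *path, const uint8_t *const *pkts, const uint32_t *lens, size_t n)
{
    FILE *f = fopen(path, "wb");
    if (!f) return -1;
    pcap_hdr gh = { PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET };
    if (fwrite(&gh, sizeof gh, 1, f) != 1) { fclose(f); return -1; }
    for (size_t i = 0; i < n; i++) {
        pcaprec_hdr rh = { 1300000000u + (uint32_t)i, 0, lens[i], lens[i] };
        if (fwrite(&rh, sizeof rh, 1, f) != 1 ||
            fwrite(pkts[i], 1, lens[i], f) != lens[i]) { fclose(f); return -1; }
    }
    return fclose(f) == 0 ? 0 : -1;
}

/* Map the file and walk its records in place (no per-packet read() or copy).
 * Returns the number of complete records, -1 on error; *bytes gets the sum of
 * captured lengths and *truncated is set if the file ends mid-record. */
long count_pcap_mmap(const char *path, uint64_t *bytes, int *truncated)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || (size_t)st.st_size < sizeof(pcap_hdr)) { close(fd); return -1; }
    size_t size = (size_t)st.st_size;
    const uint8_t *map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                                  /* the mapping outlives the descriptor */
    if (map == MAP_FAILED) return -1;
    pcap_hdr gh;
    memcpy(&gh, map, sizeof gh);
    if (gh.magic != PCAP_MAGIC) { munmap((void *)map, size); return -1; }
    long n = 0; uint64_t total = 0; *truncated = 0;
    size_t off = sizeof gh;
    while (off + sizeof(pcaprec_hdr) <= size) {
        pcaprec_hdr rh;
        memcpy(&rh, map + off, sizeof rh);      /* memcpy: off may be unaligned */
        if (rh.incl_len > gh.snaplen || off + sizeof rh + rh.incl_len > size) {
            *truncated = 1;                     /* record claims more bytes than remain */
            break;
        }
        /* packet data is at map + off + sizeof rh; a traffic miner parses it here */
        total += rh.incl_len;
        n++;
        off += sizeof rh + rh.incl_len;
    }
    if (off != size) *truncated = 1;            /* trailing partial record header */
    munmap((void *)map, size);
    *bytes = total;
    return n;
}

/* Write the two sample frames to path and read them back. */
long pcap_roundtrip(const char *path, uint64_t *bytes, int *truncated)
{
    const uint8_t *pkts[2] = { frame_a, frame_b };
    const uint32_t lens[2] = { sizeof frame_a, sizeof frame_b };
    if (write_pcap(path, pkts, lens, 2) != 0) return -1;
    return count_pcap_mmap(path, bytes, truncated);
}

int main(void)
{
    char path[] = "/tmp/pcap_example_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    uint64_t bytes; int truncated;
    long n = pcap_roundtrip(path, &bytes, &truncated);
    printf("%ld packets, %llu bytes, truncated=%d\n", n, (unsigned long long)bytes, truncated);
    unlink(path);
    return n == 2 ? 0 : 1;
}
```

The record headers are copied out with memcpy because a packet of odd length leaves the next header at an unaligned offset; casting the mapped pointer to a struct instead works on x86 but is undefined behaviour and faults on stricter architectures.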
Reversing Android malware (Mahmud Ab Rahman)
- Dalvik VM: register based (unlike the stack-based JVM)
- Dex file format (odex: optimized dex)
- infection methods: remote install (the victim's Gmail credentials are required; the attacker browses the Android Market in a browser and pushes the install to the phone)
- toolchain: dex (baksmali) -> smali; dex (dex2jar) -> class (jad) -> java
- SMS trojan: oldest Android malware
- Geinimi: repackaged into legitimate apps, C&C server, encrypted data, steals data
- DroidDream: repackaged into legitimate apps, spread via the official Android Market
- need new tools (GSoC Honeynet project?)
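A worked example on the dex file format bullet, added here and not code from the talk: a checker for the fixed dex header fields (magic, header_size, endian_tag, file_size) and the Adler-32 checksum that covers everything after the checksum field, plus the repair step needed after hand-patching a dex, since Dalvik refuses a file whose checksum no longer matches. The sample dex is a constructed header-only file with empty tables.

```c
/* Added example (not from the talk): check and repair the checksum field of a
 * dex header. The sample dex is constructed (header only, no tables). */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DEX_HEADER_SIZE 0x70
#define DEX_ENDIAN_CONSTANT 0x12345678u

enum dex_status { DEX_OK = 0, DEX_ODEX, DEX_BAD_MAGIC, DEX_BAD_HEADER, DEX_BAD_SIZE, DEX_BAD_CHECKSUM };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Adler-32 as used by zlib (and by the dex checksum). */
uint32_t adler32(const uint8_t *data, size_t len)
{
    uint32_t a = 1, b = 0;
    for (size_t i = 0; i < len; i++) {
        a = (a + data[i]) % 65521;
        b = (b + a) % 65521;
    }
    return (b << 16) | a;
}

/* The checksum covers everything after the checksum field itself (offset 12 to EOF). */
uint32_t dex_checksum(const uint8_t *dex, size_t len)
{
    return adler32(dex + 12, len - 12);
}

/* Validate the fixed header fields a loader checks first. */
enum dex_status dex_check(const uint8_t *dex, size_t len)
{
    if (len < DEX_HEADER_SIZE) return DEX_BAD_HEADER;
    if (memcmp(dex, "dey\n", 4) == 0) return DEX_ODEX;   /* dey\n036: odex wrapper, different header */
    if (memcmp(dex, "dex\n", 4) != 0 || dex[7] != 0) return DEX_BAD_MAGIC;
    if (rd32(dex + 36) != DEX_HEADER_SIZE) return DEX_BAD_HEADER;     /* header_size */
    if (rd32(dex + 40) != DEX_ENDIAN_CONSTANT) return DEX_BAD_HEADER; /* endian_tag */
    if (rd32(dex + 32) != len) return DEX_BAD_SIZE;                   /* file_size */
    if (rd32(dex + 8) != dex_checksum(dex, len)) return DEX_BAD_CHECKSUM;
    return DEX_OK;
}

/* After patching bytes anywhere past offset 12, rewrite the checksum (the SHA-1
 * signature at offset 12 is not recomputed here). */
void dex_fix_checksum(uint8_t *dex, size_t len)
{
    wr32(dex + 8, dex_checksum(dex, len));
}

/* Build a constructed minimal dex: 0x70-byte header with empty tables. */
size_t build_sample_dex(uint8_t *out, size_t cap)
{
    if (cap < DEX_HEADER_SIZE) return 0;
    memset(out, 0, DEX_HEADER_SIZE);
    memcpy(out, "dex\n035\0", 8);               /* magic + version 035 */
    wr32(out + 32, DEX_HEADER_SIZE);            /* file_size */
    wr32(out + 36, DEX_HEADER_SIZE);            /* header_size */
    wr32(out + 40, DEX_ENDIAN_CONSTANT);        /* endian_tag */
    wr32(out + 52, DEX_HEADER_SIZE);            /* map_off (map would follow the header) */
    wr32(out + 108, DEX_HEADER_SIZE);           /* data_off */
    dex_fix_checksum(out, DEX_HEADER_SIZE);
    return DEX_HEADER_SIZE;
}

int main(void)
{
    uint8_t dex[DEX_HEADER_SIZE];
    build_sample_dex(dex, sizeof dex);
    printf("fresh: %d\n", dex_check(dex, sizeof dex));
    dex[60] ^= 1;                               /* hand-patch string_ids_off */
    printf("patched: %d\n", dex_check(dex, sizeof dex));
    dex_fix_checksum(dex, sizeof dex);
    printf("repaired: %d\n", dex_check(dex, sizeof dex));
    return 0;
}
```

Reassembling with smali regenerates both the checksum and the signature, so this repair step only matters when bytes are patched directly in the dex (or when triaging a sample whose header was deliberately broken to upset analysis tools). An odex file starts with its own `dey\n036` header and is reported separately rather than parsed.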
VoIP Security (Sjur Usken and Ben Reardon)
- SIP: request and response messages, same familiar status codes as HTTP
- major difference between SIP and HTTP: in SIP every device (user agent) is both server and client
- used to connect to the PSTN
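Added example for the two SIP points above (not code from the talk): a minimal parser that tells a SIP request from a SIP response by its start line, pulls the status code or method, and extracts the Call-ID header in either its long or compact form. The messages it parses are constructed, not captured; a real endpoint has to handle both message kinds because, unlike an HTTP client, it sends INVITEs and answers them.

```c
/* Added example (not from the talk): a minimal SIP start-line and Call-ID
 * parser that tells requests from responses. Messages are constructed. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    int is_request;     /* 1 = request (method set), 0 = response (status set) */
    char method[16];    /* INVITE, REGISTER, OPTIONS, BYE, ... */
    int status;         /* 3-digit code, same families as HTTP (1xx..6xx) */
    char call_id[128];  /* Call-ID header (long or compact "i" form), "" if absent */
} sip_msg;

/* Case-insensitive compare of a header name (SIP header names are case-insensitive). */
static int name_eq(const char *a, const char *b, size_t n)
{
    if (strlen(b) != n) return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Copy the value of the first header named name (or its compact form) into dst. */
static int sip_header(const char *raw, const char *name, const char *compact, char *dst, size_t cap)
{
    const char *line = strstr(raw, "\r\n");
    while (line) {
        line += 2;
        if (line[0] == '\r' || line[0] == '\0') break;      /* blank line ends the headers */
        const char *eol = strstr(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon = memchr(line, ':', llen);
        if (colon) {
            size_t nlen = (size_t)(colon - line);
            if (name_eq(line, name, nlen) || name_eq(line, compact, nlen)) {
                const char *v = colon + 1;
                while (*v == ' ' || *v == '\t') v++;
                size_t vlen = (size_t)(line + llen - v);
                if (vlen >= cap) vlen = cap - 1;
                memcpy(dst, v, vlen);
                dst[vlen] = '\0';
                return 1;
            }
        }
        line = eol;
    }
    return 0;
}

/* Parse the start line; 0 on success, -1 if this is not a SIP/2.0 message. */
int sip_parse(const char *raw, sip_msg *out)
{
    memset(out, 0, sizeof *out);
    const char *eol = strstr(raw, "\r\n");
    if (!eol) return -1;
    if (strncmp(raw, "SIP/2.0 ", 8) == 0) {
        /* Status-Line: SIP/2.0 SP Status-Code SP Reason-Phrase */
        if (eol - raw < 12 || !isdigit((unsigned char)raw[8]) || !isdigit((unsigned char)raw[9]) ||
            !isdigit((unsigned char)raw[10]) || raw[11] != ' ') return -1;
        out->status = (raw[8] - '0') * 100 + (raw[9] - '0') * 10 + (raw[10] - '0');
    } else {
        /* Request-Line: Method SP Request-URI SP SIP/2.0 */
        const char *sp = memchr(raw, ' ', (size_t)(eol - raw));
        if (!sp || sp == raw || (size_t)(sp - raw) >= sizeof out->method) return -1;
        if (eol - raw < 8 || memcmp(eol - 8, " SIP/2.0", 8) != 0) return -1;
        memcpy(out->method, raw, (size_t)(sp - raw));
        out->method[sp - raw] = '\0';
        out->is_request = 1;
    }
    sip_header(raw, "Call-ID", "i", out->call_id, sizeof out->call_id);
    return 0;
}

/* Constructed messages (not captured traffic): an INVITE and its 200 OK. */
static const char sample_invite[] =
    "INVITE sip:bob@example.org SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.org>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.org>\r\n"
    "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Length: 0\r\n"
    "\r\n";
static const char sample_ok[] =
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
    "i: a84b4c76e66710@192.0.2.10\r\n"
    "CSeq: 314159 INVITE\r\n"
    "\r\n";

int main(void)
{
    sip_msg m;
    if (sip_parse(sample_invite, &m) == 0)
        printf("request %s, Call-ID %s\n", m.method, m.call_id);
    if (sip_parse(sample_ok, &m) == 0)
        printf("response %d, Call-ID %s\n", m.status, m.call_id);
    return 0;
}
```

Matching the Call-ID across the request and the response is what ties the two halves of a dialog together; a scanner or honeypot that only looked at requests would miss half of what each SIP device does, since the same phone that sent the INVITE will answer one from the other side.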
Glastopf - Looking for trouble? (Lukas Rist)
- Web application honeypot
- collecting attacks
- gain intelligence