
Kernel-Land Rootkits for Linux 2.6 over x86

Comments: This was my first presentation at a security conference, the 3rd edition of H2HC. Back then I was doing some research on LKM rootkits and I *thought* I had discovered/invented the SIDT trick for hooking syscalls (a major change between 2.4 and 2.6 kernels was that 2.6 no longer exported 'sys_call_table[]', demanding more creative ways to do the hooking). Later I found out that sd and devik had introduced that technique years before, with Phrack's excellent text 'Linux on-the-fly kernel patching without LKM' and SucKIT. That didn't stop me from doing the presentation anyway, where I also demonstrated a new technique to bypass St. Michael, a rootkit detector maintained by the conference's organizer, BSDaemon (I did it for the lulz ;D). I did this presentation under the flag of the now extinct rfdslabs, a group of friends that discussed hacking and technology, and also released the code for two projects: 'Captain Hook' and 'Tick-Tock, The Croc'.

Year: 2006

Relevant Cross-References:

Download - slides (.pps)


Next-Generation Debuggers for Reverse Engineering

Comments: This presentation was the result of joint work between several members of the ERESI team. I first presented it with 2 other guys from the team at Black Hat Europe 2007 and later that year presented alone at H2HC 4th edition and Ekoparty 3rd edition, basically because the other guys were too far away to come to South America and present it with me. I will, therefore, only include the slides for the last presentation, done at Ekoparty. The content of the slides barely changed between these 3 presentations and, when it did, I believe it was only for the best. Anyway, summing up, this presentation talks about the architecture of ERESI's embedded debugger, the embedded tracer, and our initial efforts at having program analysis features in the project. For a more elaborate description, I suggest the visitor take a look at the abstract of the paper, linked below.

Year: 2007

Relevant Cross-References:

Download - slides (.pdf)


Practical (Introduction to) Reverse Engineering

Comments: I first presented this at H2HC 5th edition following a suggestion by the conference organization after they had read an article I had published months earlier (linked below). In the paper I talked a little bit about using basic reverse engineering techniques to defeat 'crackme' challenges. The conference suggested that I transpose that content into a presentation, showing the techniques live. I did that and extended the concept a little bit. I tried to cover some of the tools used by reverse engineers and also tried to do something for the more advanced spectators, which resulted in LEP being conceived. LEP is a dynamic dataflow analyzer. It started as a simple concept and evolved to become the Visual Data Tracer, a project that inspired me to do my presentation at SOURCE Barcelona 2009. I also presented this (not the one from SOURCE) at uCon in early 2009. Just like with the presentation above, I'll publish only the slides from uCon.

Year: 2008/2009

Relevant Cross-References:

Download - slides (.ppt)


Triaging Bugs with Dynamic Dataflow Analysis

Comments: This presentation basically covers the rationale behind the Visual Data Tracer and its implementation. VDT is a dynamic dataflow analyzer designed to aid software vulnerability analysts. It traces across a reproducible crashing execution while dumping a lot of this trace information into a file. It then runs a backwards DF analysis on that file, trying to correlate the faulting data with the user input as it was present in the process address space. What it means is that, with very little effort, VDT can tell you something like "the input that crashed this program is those 2 bytes at offset 0x1234 of your malicious file". I presented this at SOURCE Barcelona 2009 and shared the VDT binaries with the attendees present (note that VDT is kept private). I also did a demo during the presentation, but it was done part off-line (showing on slides) and part live. Without the live part the demo is pretty meaningless, but I decided to upload the demo slides too, anyway, in case anyone is that curious.

Year: 2009

Relevant Cross-References:

Download - slides (.ppt)
Download - demo slides (.ppt)