Talks at THREADS this year focus on mobile security. The talks below have been selected based on the speaker's expertise in the field and the relevance of their work to current and future challenges in mobile security.
Keynote: Exploiting Attacker Economics (9AM)
Dan Guido, CEO, Trail of Bits
iOS Jailbreak Analysis (10AM)
Dino Dai Zovi, CTO, Trail of Bits
Attackers, just like defenders, are resource-constrained. The choices of where to look for exploitable vulnerabilities and how to leverage them are shaped by the resources at the attackers' disposal, the relative difficulty of the available attack surfaces and vectors, and the return on attack investment. Malicious attackers, however, are rarely forthcoming with their strategies, expenditures, or forecasts. The jailbreak development community, in contrast, is much more visible with blog posts, Tweets, and public software releases. As the technical development of a jailbreak overlaps significantly with the development of a malicious attack, the high-visibility jailbreak development community can serve as an analysis proxy for the low-visibility malicious attacker communities. An analysis of the jailbreak community's strategies can thus serve as a model for the strategies of malicious attacker communities. These communities, however, are not completely isolated. An advanced public jailbreak community provides information, tools, and know-how that may be leveraged by malicious attackers as well. This presents a choice for an integrated hardware and software platform vendor: should jailbreaking be facilitated in order to discourage the release of advanced jailbreaks that may easily be repurposed as malicious attacks? Or should the jailbreak release and security patch cycle be encouraged in order to identify and fix vulnerabilities that may also be discovered and exploited by malicious attackers?
Mobile Exploit Intelligence Project (11AM)
Mike Arpaia, iSEC Partners
As organizations look to deploy larger numbers of mobile devices over this year, there is widespread disagreement in the security industry over which platforms are more secure, what mobile security measures are effective, and what the greatest risks of these platforms are. At the same time, the mobile malware community, while still in its infancy, is developing rapidly and several successful attacks have been executed against iOS and Android in the last year.
In this talk, we demonstrate an intelligence-driven approach to mobile defense, focused on attacker capabilities and methods, with data collected from past remote attacks and jailbreaks against Android and iOS. This analysis identifies the means by which exploits are developed and distributed in attacks, separates defenses that work from defenses that don't, and provides analytical tools that attendees can use to objectively evaluate the exploitability of mobile operating systems. Finally, we use this empirical data on attacker capabilities to make projections on where mobile malware is headed in the near to long term.
Probing Mobile Operator Networks (1PM)
Collin Mulliner, Systems Security Lab, Northeastern University
Cellular networks host not only mobile and smart phones but a wide variety of other devices. We investigated what kind of devices currently sit on cellular networks. In this talk we provide a walk through on how to probe cellular networks for these devices from start to finish. Finally we show some of the results from our effort and discuss the security implications of our findings.
A Tale of Mobile Threats
Vincenzo Iozzo, Director, Trail of Bits
Analysis of the Google Native Client Sandbox (3PM)
Chris Rohlf, Principal, Leaf SR
Native Client is Google's attempt at bringing millions of lines of existing C/C++ code to the Chrome web browser in a secure sandbox through a combination of software fault isolation, a custom compiler toolchain and a secure plugin architecture. Sound challenging? It is! Native Client isn't a typical browser extension and it certainly isn't ActiveX. Native Client allows for all sorts of applications to run inside in your browser, everything from games to PDF readers. In this talk I will cover the basics of the Native Client sandbox and general security relevant architecture including PPAPI (the replacement for NPAPI), vulnerabilities I discovered via source review in the PPAPI interface and finally a tool that dynamically generates code to fuzz the Native Client PPAPI interfaces based on the IDL (Interface Description Language) files found in the Chrome source tree. The CSAW version of this talk includes updated content from the BlackHat 2012 conference.
Mobile Vulnerability Assessment: There's an App for That (4PM)
Jon Oberheide, CTO, DUO Security
Conservative carriers frequently leave privilege escalation vulnerabilities unpatched for months and years on today's consumer mobile platforms, a far cry from the near-instant silent updates delivered to desktop platforms. These large windows of vulnerability allow even unsophisticated attackers to reuse off-the-shelf privilege escalation exploits and target users with their malicious mobile apps. This presentation explores how such privilege escalation vulnerabilities can be enumerated with a standard market-delivered application, allowing enterprises and even end users to assess the risk of their mobile devices. Results of a public release of a vulnerability assessment app for the Android platform will be presented.