Slashdot Mirror


Code Auditing the Defcon Way

An anonymous reader writes "Last weekend at Defcon, the best and brightest hackers got together to play Capture the Flag, a weekend-long hacking event that is the premier event of its kind. According to the results, Shellphish won (UC Santa Barbara students led by professor Giovanni Vigna). An article at SecurityFocus states that the competition was far more technical than in previous years, focusing on reverse engineering skills and code auditing." From the article: "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things...It's about analyzing the security posture of a system that is given to you and about which you initially know nothing."

8 of 74 comments

  1. More technical? by Alex P Keaton in da · Score: 3, Insightful

    Sort of like when extreme sports went mainstream... Seems like this is a better way for people to show off their skills for the ever growing, and ever more lucrative security business....

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
    1. Re:More technical? by xcentrics · Score: 2, Insightful

      "What it takes to be an elite hacker is to find vulnerabilities in custom software," said the Kenshoto member. "It is not code auditing per se. They have to reverse engineer, and we have made it difficult to reverse engineer."

      Real reverse engineering under Linux?!? Forget about it.
      I mean, the system is free, 98% of software is free. Therefore there are no commercial _exe_packers_ (I've never heard about it), so RE is not as hard as under Win where anything can be packed, for example with ASProtect. If there were a new ASProtect for Unix systems then it would be a real RE challenge...

      --
      "Kata ton daimona eay toy." (Be true to your soul).
    2. Re:More technical? by Anonymous Coward · Score: 2, Interesting

      http://protools.reverse-engineering.net/unpackers.htm

      Sorry to tell you this, because just like Shrinker, some bunch of dorks has also broken AsPack (as far as Win32 Portable Executable format packers/compressors)...

      I use (or have used) both in the past, not only to gain the faster load time off disk (or even over LANs, because the decompression process only happens AFTER the read up off of the disk drive into memory, & thus, at runtime, today's modern VERY fast nearly 4 GHz CPUs more than make up for the decompress process 'slowdown' in memory, as well as how fast memory is nowadays) but also to 'confuse' debuggers (disassembly tools imo more than anything) via 'obfuscation' of their code, which makes it harder on them.

      You can do what I do though, which makes it HARDER STILL on them (and, as a bonus effect, builds "native antivirus protection" into the app), which is, believe-it-or-not, hardcoding the application's compressed .exe filesize into the application @ its initialization (either form/screen creation or show methods), & testing it on disk.

      If the Win32 PE file changes its size even 1 byte (less or more) from its on-disk compressed size? DO as you like!

      After all, this IS what std. type "Viruses" do, add size & code to the end of the .exe afaik, so this DOES function as a rudimentary form of virus protection & stops your apps from spreading infectors like those, potentially @ least, because they let you know something IS wrong!

      This is what/how I do it in my code @ least. SO, what can you do IF the filesize changes? Well, limits of your imagination, or 'cruelty' I suppose...

      E.G.-> Reboot their machines, shutdown the program being 'hacked' or potentially virus infected since it changed its size (what I do), or if you are crueler than myself, anything you like (i.e./e.g.-> Blow their bootsector, lol).

      There is MORE you can do to protect against various "debuggers" like SoftIce &/or WinDbg for example RIGHT in your code though, even if they uncompress to attempt disassembly.

      API calls like IsDebuggerPresent, or the presence of SoftIce via routines present all over the internet for it (there are many of these).

      * :)

      APK

      P.S.=> It almost amazes me that folks build .exe decompressors &/or stand-alone "debuggers" (hacker/cracker tools mostly imo), because they're like swords, double-edged, & often used to bypass password protected installers for the illegal filesharing circuits out there where you can get commercially produced software for ZERO cost...

      How's that done?

      Tools like SoftIce or Frog's Ice, WinDbg, & others like them OR techniques like DLL Injection as well! It's unfortunate, but, thievery abounds in this field...

      There is nothing you can really do, but make it TOUGH on those that practice it, via ideas like I use above as an example... & I am sure someone could figure out a way around that too, if not eventually!

      They do it by mis-using 'debuggers' like the ones I mention. I have NO respect for those that do that, by the by/personally... apk
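The start-up self-check APK describes above (hardcode the on-disk size of your own compressed .exe and test it at initialization) can be written down concretely. The following is an added example, not code from the thread or from any tool mentioned in it. It is portable C rather than Win32-specific, and it goes one step beyond the size check in the post: it also keeps an FNV-1a hash of the file, because an in-place patch that keeps the length would slip past a size check alone. The expected size and hash are assumed to be baked into the binary after linking (placeholder zeros here); `argv[0]` is assumed to name the running program, and on Windows `GetModuleFileName` is the reliable way to get that path. The sample "image" the demo writes to disk is constructed for illustration.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Outcome of the start-up self-check. */
typedef enum {
    SELFCHECK_OK = 0,
    SELFCHECK_UNREADABLE,
    SELFCHECK_SIZE_MISMATCH,
    SELFCHECK_HASH_MISMATCH
} selfcheck_result;

#define FNV64_OFFSET 14695981039346656037ULL
#define FNV64_PRIME  1099511628211ULL

/* Fold one buffer into a running 64-bit FNV-1a state. FNV-1a is a fast
 * non-cryptographic hash: it notices crude modification, but it is no
 * substitute for a signed image (e.g. Authenticode on Windows). */
uint64_t fnv1a64_update(uint64_t h, const unsigned char *data, size_t len) {
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= FNV64_PRIME;
    }
    return h;
}

/* Stream a file once, producing its byte length and FNV-1a hash.
 * Returns 1 on success, 0 if the file cannot be opened. */
int measure_file(const char *path, long *size_out, uint64_t *hash_out) {
    FILE *f = fopen(path, "rb");
    if (!f) return 0;
    unsigned char buf[4096];
    uint64_t h = FNV64_OFFSET;
    long total = 0;
    size_t n;
    while ((n = fread(buf, 1, sizeof buf, f)) > 0) {
        h = fnv1a64_update(h, buf, n);
        total += (long)n;
    }
    fclose(f);
    *size_out = total;
    *hash_out = h;
    return 1;
}

/* Size first (cheap, catches appended code), then hash (catches an
 * in-place patch that leaves the length unchanged). */
selfcheck_result self_check(const char *path, long expected_size, uint64_t expected_hash) {
    long size;
    uint64_t hash;
    if (!measure_file(path, &size, &hash)) return SELFCHECK_UNREADABLE;
    if (size != expected_size) return SELFCHECK_SIZE_MISMATCH;
    if (hash != expected_hash) return SELFCHECK_HASH_MISMATCH;
    return SELFCHECK_OK;
}

/* Exercise the check on a constructed sample "image": baseline, then
 * appended bytes, then a same-length in-place patch. Returns 1 when all
 * three cases are classified as expected. */
int demo_tamper_detection(void) {
    const char *path = "selfcheck_demo.bin";           /* constructed file */
    const unsigned char original[] = "MZ constructed sample program image";
    size_t len = sizeof original - 1;
    long size;
    uint64_t hash;
    int ok;

    FILE *f = fopen(path, "wb");
    if (!f) return 0;
    fwrite(original, 1, len, f);
    fclose(f);
    if (!measure_file(path, &size, &hash)) return 0;   /* "build-time" baseline */
    ok = self_check(path, size, hash) == SELFCHECK_OK;

    /* Appending data, as a classic file infector does, changes the size. */
    f = fopen(path, "ab");
    if (!f) return 0;
    fputs("XX", f);
    fclose(f);
    ok = ok && self_check(path, size, hash) == SELFCHECK_SIZE_MISMATCH;

    /* A one-byte in-place patch keeps the size; only the hash catches it. */
    unsigned char patched[sizeof original];
    memcpy(patched, original, len);
    patched[0] ^= 0xff;
    f = fopen(path, "wb");
    if (!f) return 0;
    fwrite(patched, 1, len, f);
    fclose(f);
    ok = ok && self_check(path, size, hash) == SELFCHECK_HASH_MISMATCH;

    remove(path);
    return ok;
}

int main(int argc, char **argv) {
    /* Placeholders: a shipped build would patch the real values in after
     * linking, so the check on argv[0] reports a mismatch as written. */
    const long EXPECTED_SIZE = 0;
    const uint64_t EXPECTED_HASH = 0;
    (void)argc;
    printf("demo cases classified correctly: %s\n", demo_tamper_detection() ? "yes" : "no");
    selfcheck_result r = self_check(argv[0], EXPECTED_SIZE, EXPECTED_HASH);
    printf("self-check on %s: %d (0 = OK)\n", argv[0], (int)r);
    return r == SELFCHECK_OK ? 0 : 1;
}
```

On a mismatch the sensible reaction is the one APK names first, logging and refusing to run, which also gives an operator something to investigate; a check like this is still only a speed bump, since whoever can patch the file can also patch the constants or the comparison, so for real assurance the hash should be verified against a signature the program cannot rewrite.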

  2. Re:Why do Defcon hackers prefer Linux? by Demogorgo · Score: 3, Funny

    I wish I had a dollar for every time some bearded lowlife tried to put Firefox on my computer. Who do they think they're fooling?

  3. "According to the results" by Armchair Dissident · Score: 3, Funny

    "According to the results, Shellphish won"

    Who wants to bet that Shellphish hacked the results...

    --
    The ways of gods are mysteriously indistinguishable from chance.
  4. X (Hackers) Games by KarMax · Score: 2, Insightful

    IMHO there is nothing WRONG with this kind of "x hacker games"; there is a lot of this kind of stuff: Hollywood movies, popcorn books (like The Da Vinci Code by Dan Brown), among others.

    The problem is when it begins to be serious "news" or an "event".

    The article tries to remark that the event is "pro" or "serious"; I don't get it...

    It's just a game!

    --
    Rock and Roll
  5. Re:Well, as for myself, my PC runs OT/NT by Exluddite · Score: 5, Funny

    Yes and things have really improved from OT to NT. Used to be that when the system crashed, you were down for 40 days, with NT you're back up and running in 3.

    --
    What does this button do...
  6. I would love to see network trace logs by abulafia · Score: 2, Insightful

    I haven't been to Defcon since the third one... no time (at least I have the t-shirts), and now that I don't live nearby, it is hard to justify the expense and time off. Hell, I can't even have normal vacations, let alone conference junkets. But damn, this seems like it would have been a great year to have gone.

    I'm sure someone watched the wire for this event - if tcpdump (or whatever) traces of it are available anywhere, someone post a link. It would be a fascinating thing to waste my weekend on.

    --
    I forget what 8 was for.