John Heasman

San Francisco, California, United States

Articles by John

  • Exploiting weak ACLs in the Java Runtime

    I don't get much time to hunt for bugs in other companies' products these days but I do take a deep interest in things…

Publications

  • Fuzzing for Security Flaws

    Stanford CS155 Guest Lecturer

    I was invited to present a guest lecture as a recognized industry expert to senior Stanford undergraduates and first-year graduate students on the CS155: Computer and Network Security course.

    The course covers principles of computer systems and network security. My presentation focused on detecting security vulnerabilities through fuzzing.

  • Design flaws in the Java browser plugin

    ToorCon, Seattle

    Who needs Java in a world of Ajax, Flash and Silverlight? Regardless of its oft-predicted demise, the simple truth is that the Java browser plugin is ubiquitous among both corporate and home users. With an estimated install base of 300 million desktops, 2.1 billion phones and 11 million TVs, client-side Java presents an attack surface that cannot be ignored.

    This presentation covers recently patched vulnerabilities (March 2008) in the Java browser plugin, reported to Sun by the presenter. These are not run-of-the-mill overflows. They are design flaws that let us violate the fundamental principles of Java security, ultimately leading to full compromise of the browser.

    Areas that were addressed include:

    - Caveats of handling signed archives: simple but devastating attacks against signed JARs.
    - How to defeat the same origin policy and why this leads to sandbox breakout.
    - Abusing Java's legacy protocol handlers
    - Packaging cross-browser, cross-platform, cross-architecture payloads for Java bugs

    This session will be of interest to anyone who follows browser bugs, managed language bugs and design flaws.
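    The first of those areas, handling of signed archives, is the one that lends itself to a runnable check. What follows is an added example, not code from the talk or from Sun's verifier, and the abstract does not say whether this is among the attacks it covered. It shows the caveat a practitioner should know before trusting "the JAR is signed": the signature covers only the entries named in the .SF file, so entries can sit in a signed JAR without being signed at all, and a file changed after signing no longer matches its manifest digest. Class names and bytes are hypothetical and the archive is built in memory. The audit checks coverage and manifest digests only; it does not verify the PKCS#7 block over the .SF, which a real verifier must also do.

```python
import base64
import hashlib
import io
import zipfile


def _parse_sections(text):
    """Parse MANIFEST.MF / .SF text into {entry name: {header: value}}.

    Per-entry sections are separated by blank lines; a line starting with a
    single space continues the previous line (the 72-byte wrap rule). The
    main section (no Name: header) is skipped.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    sections, current = {}, {}
    for line in lines + [""]:
        if line == "":
            if "Name" in current:
                sections[current["Name"]] = current
            current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    return sections


def _digest(data):
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def audit_signed_jar(jar_bytes):
    """Classify every non-META-INF entry as signed, tampered or unsigned.

    "Signed" means: named in some .SF file and its manifest digest matches the
    bytes actually in the archive. Entries absent from the .SF are simply not
    covered by the signature, which the JAR format permits. The .RSA/.DSA
    block over the .SF is NOT verified here; this audit is about coverage.
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = [n for n in jar.namelist() if not n.endswith("/")]
        manifest = _parse_sections(jar.read("META-INF/MANIFEST.MF").decode())
        covered = set()
        for name in names:
            if name.startswith("META-INF/") and name.upper().endswith(".SF"):
                covered |= set(_parse_sections(jar.read(name).decode()))
        report = {"signed": [], "tampered": [], "unsigned": []}
        for name in names:
            if name.startswith("META-INF/"):
                continue  # manifest and signature files are never signed entries
            if name not in covered or name not in manifest:
                report["unsigned"].append(name)
            elif _digest(jar.read(name)) == manifest[name].get("SHA-256-Digest"):
                report["signed"].append(name)
            else:
                report["tampered"].append(name)
    return report


def build_sample_jar():
    """Constructed sample (hypothetical class names and bytes, not a real JAR).

    Two classes are covered by the manifest and .SF; one of them is modified
    after signing, and a third class is dropped in with no manifest entry.
    """
    trusted = b"\xca\xfe\xba\xbe trusted class bytes"
    edited = b"\xca\xfe\xba\xbe original class bytes"
    sections = {"com/example/Trusted.class": trusted, "com/example/Edited.class": edited}
    manifest = "Manifest-Version: 1.0\r\n\r\n"
    sf = "Signature-Version: 1.0\r\n\r\n"
    for name, data in sections.items():
        section = f"Name: {name}\r\nSHA-256-Digest: {_digest(data)}\r\n\r\n"
        manifest += section
        # each .SF section carries the digest of the matching manifest section
        sf += f"Name: {name}\r\nSHA-256-Digest: {_digest(section.encode())}\r\n\r\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("META-INF/SIGNER.SF", sf)
        jar.writestr("META-INF/SIGNER.RSA", b"(PKCS#7 block; not checked by this audit)")
        jar.writestr("com/example/Trusted.class", trusted)
        jar.writestr("com/example/Edited.class", edited + b" + post-signing edit")
        jar.writestr("com/example/Injected.class", b"\xca\xfe\xba\xbe injected class bytes")
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_signed_jar(build_sample_jar()))
```

    The lesson for a loader is that "signed JAR" is a property of individual entries, not of the archive: a class must be checked for its own signers before it is trusted, and an archive that mixes signed and unsigned entries should be treated as unsigned.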

  • Office 2.0: Software as a Service, Security on the Sidelines?

    OWASP AppSec Europe, Belgium

    Online office suites have proliferated over the last year, improving drastically and providing feasible alternatives to traditional desktop office software in the form of Google Docs, ThinkFree and Zoho. Securing these services presents interesting challenges: web application vulnerabilities intersect the world of macro-viruses, 0-day file format flaws and phone home bugs.

    This presentation discusses "Office 2.0" threats, demonstrating real-world vulnerabilities born of the presenter's research. It will cover the following areas:

    - Assessing the attack surface of online office suites
    - Exploiting the awkward problem of file system access
    - Weaknesses in document collaboration implementations
    - Phone home bugs and advanced document tracking

    Though the focus is on online office suites, the concerns raised and addressed during this session apply equally well to all Web 2.0 applications.

  • The Shellcoder's Handbook, 2nd Ed.

    Wiley

    This much-anticipated revision, written by the ultimate group of top security experts in the world, features 40 percent new content on how to find security holes in any operating system or application.

  • Firmware Rootkits and the Threat to the Enterprise

    Black Hat, Washington DC

    At Black Hat Federal 2006, I presented a means of persisting a rootkit in the system BIOS via the Advanced Configuration and Power Interface (ACPI). My more recent research has focused on using devices on the PCI bus as a means of achieving a similar goal, that is, a rootkit that has no footprint on disk and can consequently survive reinstallation of the operating system.

    This presentation discusses the technical and operational difficulties that must be overcome in order to persist a rootkit onto a PCI device. A common assumption is that attacks against firmware are highly specific not only to every vendor but also down to specific models of hardware. This in turn suggests that a large scale automated deployment of firmware rootkits is difficult to accomplish even in homogeneous environments. This session analyzes the "security through diversity" assumption in detail.

    The latter half of this talk focuses on the challenges of firmware rootkit detection in large environments and the available options when an infection is suspected. Finally, the focus moves on to prevention techniques and their feasibility within the enterprise together with the impact of the Trusted Platform Module (TPM) on firmware rootkits.

  • Implementing and Detecting an ACPI BIOS Rootkit

    Black Hat, Washington DC

    As rootkit detection tools become more sophisticated, the rootkit writer must strive to leave less of a footprint and inhabit areas that detection tools do not currently interrogate.

    One such area, the BIOS, has many associated difficulties in development and deployment but offers numerous benefits over 'traditional' rootkits, namely that it leaves no trace on disk and can survive reinstallations in order to infect new operating systems.

    This talk discusses how a generic rootkit may be developed for an ACPI-compliant BIOS. With the aid of several demonstrations, it covers implementing BIOS rootkits for both Windows and Linux.

    The latter part of the talk considers the defense perspective, investigating the steps required to detect and remove such a rootkit. As software-based rootkit detection and protection tools continue to evolve, this talk broaches the important topic of hardware protection and how current protection and detection models designed to combat a BIOS virus may be insufficient to defend against a BIOS rootkit.

    Finally we discuss the impact of initiatives such as the Trusted Computing Platform Alliance (TCPA) on rootkit deployment.

  • The Database Hacker's Handbook

    Wiley

    Databases are the nerve center of our economy. Every piece of your personal information is stored there: medical records, bank accounts, employment history, pensions, car registrations, even your children's grades and what groceries you buy. Database attacks are potentially crippling, and relentless. In this essential follow-up to The Shellcoder's Handbook, four of the world's top security experts teach you to break into and defend the seven most popular database servers. You'll learn how to identify vulnerabilities, how attacks are carried out, and how to stop the carnage. The bad guys already know all this. You need to know it too.

  • Machine Learning to Detect Intrusion Strategies

    Knowledge-Based Intelligent Information and Engineering Systems: 7th International Conference Proceedings

    Intrusion detection is the identification of potential breaches in computer security policy. The objective of an attacker is often to gain access to a system that he is not authorized to use. The attacker achieves this by exploiting a (known) software vulnerability by sending the system a particular input. Current intrusion detection systems examine input for syntactic signatures of known intrusions.

    This work demonstrates that logic programming is a suitable formalism for specifying the semantics of attacks. Logic programs can then be used as a means of detecting attacks in previously unseen inputs. Furthermore, inductive logic programming (ILP) can be used to induce detection clauses from examples of attacks. Experiments in learning ten different attack strategies to exploit one particular vulnerability demonstrate that accurate theories can be generated from very few attack examples.
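    An added example, not the paper's code, of the distinction the abstract draws between syntactic signatures and attack semantics: a minimal forward-chaining evaluator for Horn clauses, a hand-written logic program describing one hypothetical vulnerability (a CGI script that copies its "file" parameter into a 64-byte buffer), and constructed requests that reach the same bug through different encodings. A regular-expression signature for the obvious filler catches one strategy and a benign request to the wrong script; the logic program, working on the decoded facts, catches all four strategies and nothing else. The ILP step that induces such clauses from examples is not shown, only detection with the resulting program. The script path, buffer size and request lines are assumptions for the example.

```python
import re
from urllib.parse import unquote

BUFFER_SIZE = 64                  # hypothetical: the CGI copies "file" into a 64-byte buffer
VULN_PATH = "/cgi-bin/vuln.cgi"   # hypothetical vulnerable script


def is_var(term):
    """Rule terms starting with an upper-case letter are logic variables."""
    return isinstance(term, str) and term[:1].isupper()


def unify(pattern, fact, binding):
    """Match one rule pattern against a ground fact, extending the binding or failing."""
    if len(pattern) != len(fact):
        return None
    b = dict(binding)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if b.get(p, f) != f:
                return None
            b[p] = f
        elif p != f:
            return None
    return b


def solve(body, facts, binding):
    """Enumerate every binding that satisfies all patterns of a rule body."""
    if not body:
        yield binding
        return
    for fact in facts:
        b = unify(body[0], fact, binding)
        if b is not None:
            yield from solve(body[1:], facts, b)


def derive(facts, rules):
    """Naive forward chaining to a fixpoint: the logic program acting as the detector."""
    facts = set(facts)
    while True:
        new = set()
        for head, body, guard in rules:
            for b in solve(body, facts, {}):
                if guard(b):
                    new.add(tuple(b[t] if is_var(t) else t for t in head))
        if new <= facts:
            return facts
        facts |= new


# Attack semantics as Horn clauses (head, body, arithmetic guard):
#   overlong(R, P) :- param(R, P, V), len(V) > BUFFER_SIZE.
#   attack(R)      :- target(R, VULN_PATH), overlong(R, P).
RULES = [
    (("overlong", "R", "P"), [("param", "R", "P", "V")], lambda b: len(b["V"]) > BUFFER_SIZE),
    (("attack", "R"), [("target", "R", VULN_PATH), ("overlong", "R", "P")], lambda b: True),
]

# The syntactic alternative: a signature for the literal overflow filler.
SIGNATURE = re.compile(r"A{64,}")


def facts_from_request(rid, request_line):
    """Ground facts for one request line; values are decoded the way the CGI would see them."""
    _method, url, _version = request_line.split(" ", 2)
    path, _, query = url.partition("?")
    facts = {("target", rid, path)}
    for pair in query.split("&") if query else []:
        name, _, value = pair.partition("=")
        decoded = value
        for _ in range(3):  # undo single and double percent-encoding
            step = unquote(decoded)
            if step == decoded:
                break
            decoded = step
        facts.add(("param", rid, name, decoded))
    return facts


def detect(requests):
    """Return (ids flagged by the logic program, ids flagged by the syntactic signature)."""
    semantic = [rid for rid, line in requests.items()
                if ("attack", rid) in derive(facts_from_request(rid, line), RULES)]
    syntactic = [rid for rid, line in requests.items() if SIGNATURE.search(line)]
    return sorted(semantic), sorted(syntactic)


# Constructed requests: one benign, four strategies against the same bug (plain,
# percent-encoded, double-encoded, different filler), and a long value sent elsewhere.
SAMPLE_REQUESTS = {
    "r1": f"GET {VULN_PATH}?file=index.html HTTP/1.0",
    "r2": f"GET {VULN_PATH}?file={'A' * 80} HTTP/1.0",
    "r3": f"GET {VULN_PATH}?file={'%41' * 80} HTTP/1.0",
    "r4": f"GET {VULN_PATH}?file={'%2541' * 80} HTTP/1.0",
    "r5": f"GET {VULN_PATH}?file={'B' * 80} HTTP/1.0",
    "r6": f"GET /search?q={'A' * 80} HTTP/1.0",
}

if __name__ == "__main__":
    print(detect(SAMPLE_REQUESTS))  # (['r2', 'r3', 'r4', 'r5'], ['r2', 'r6'])
```

    The rules never mention any particular byte sequence; they state what the input does to the target, which is why one clause covers every encoding of the attack while the signature has to be rewritten for each. That is also what makes the clauses a plausible thing to induce from a handful of labelled examples.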
