Hacker Olympics: a shout-out from Vancouver, BC!


Maarten Van Horenbeeck

Senior Program Manager

Slicing covert channels, foraging in remote memory pools, and setting off page faults

The crackling sound of crypto breaking, warm vodka martini

Mando Picker

Dustin Childs

Security Program Manager

Protecting customers, working with security researchers, second Tuesdays, bourbon, mandolins

Using “It’s hard” as an excuse, quitting when it gets tough, banjos

CanSecWest is probably one of the most interesting conferences for the Microsoft Security Response Center (MSRC) team to attend. A leisurely two-and-a-half-hour drive from our corporate headquarters, it’s organized in the multicultural Canadian hub of Vancouver. Easy air connections to Europe, Asia, and anywhere in North America make it a yearly melting pot for capable security researchers from all over the world.

CanSecWest is a laid-back conference – with only one track, it allows an attendee to attend every presentation. In addition, it’s well known for the Pwn2Own competition, a yearly hacker standoff in which researchers get their shot at compromising devices equipped with the latest in Web browsers and operating system security mitigations. If the attacker is able to pwn (“perfect own”) the machine, they win a cash prize and a new device to take home.

This year had a special focus on mobile devices, with most of the prize money allotted to that category. Vincenzo Iozzo and Ralf Weinmann each left the competition with a brand new Apple iPhone. Even multiple problems with airport strikes and construction couldn’t keep Vincenzo away.

Charlie Miller proved himself to be a true “Michael Jordan” showing up at his very own slam dunk contest by pwning a fully patched installation of Safari on a MacBook Pro. Microsoft also did not escape unscathed. Peter Vreugdenhil came, saw, and then gave our team homework by unleashing an exploit that tipped over Internet Explorer 8 on Windows 7. Kudos to Peter, and thank you for making us aware of this issue privately. We are investigating the issue and we will take appropriate steps to protect customers when the investigation is complete.

After he was finished with the Pwn2Own contest, Charlie Miller gave a great talk on the result of his extensive fuzzing. Interestingly, the fuzzer he built used only five lines of Python code. After three weeks of fuzzing, he was able to determine a couple dozen potentially exploitable bugs in different applications. Just imagine if he had used seven lines of code in his fuzzer…

Matthieu Suiche gave another great presentation on analyzing Mac OS X physical memory. All of us battling the post-lunch fatigue immediately perked up when he began his demo and ended with plain-text passwords.

Tavis Ormandy and Julien Tinnes from Google played around with the Linux and Windows kernels in their talk, organizing a party at ring 0. Luckily, we had been invited a while back, and we’re happy to say Microsoft customers are currently protected against each of the attacks they presented.

Another fascinating talk was delivered by Halvar Flake and Sebastian Porst from Germany. These Zynamics Care Bears introduced a plug-in for their products which allows investigators to crowd-source reverse engineering, helping to put defenders on better footing when dealing with new pieces of malicious code. This is a great effort and we look forward to seeing others build on the work they are putting in place today. Too bad they couldn’t find a full-size Care Bear outfit.

Our Office team also attended. Tom Gallagher and David Conger gave a great presentation on how they dealt with Office-specific vulnerabilities.

Their work includes building a sandbox for less-trusted documents and implementing a validator for any content being loaded into the parser. Theirs was a great talk for those intending to protect word processing applications and other office productivity tools.

The conference dinner on Thursday night was also a great time to get to know people. What we first thought was a bomb scare actually ended up just being a horrible comedian on stage. But once that was done, there were a lot of great conversations to be had with people from all over the world throughout the industry. It is always helpful to get feedback from our customers as to what we are doing right and what could be improved.

As usual, we spent a lot of time talking to our partners in the research community, and we’d like to thank Dragos for setting up another great CanSecWest. See you next year, Vancouver!

Maarten and Dustin

*Postings are provided “AS IS” with no warranties, and confer no rights.*