BlueHat Prize Contest All Entries

*Entries in alphabetical order

Name: Amr Thabet

Bio: Amr Thabet is a Co-Founder of Synapse Co. and a Malware Researcher at EG-CERT and Comodo . He is the Author of Pokas x86 Emulator and Security Research and Development Framework (SRDF) . He was a speaker on numerous events like Cairo Security Camp and in University of Sydney CISS6011.

Entry Abstract: The concept of Memory Levels Gate is to create a gate between two places in memory named “Levels”. The first Level is the Kernel level and it contains the kernel32.dll and ntdll.dll and all necessary DLLs. And the 2nd Level is the User Level and it contains all executable places in memory except kernel32 and ntdll.dll and all the kernel level’s memory. This Gate is based on the Executable Flag of The Memory Pages (like DEP) . This Gate will set the Executable Flag (ON) when you are running in the User Level and Set it to OFF for kernel Level’s Memory. When you call to an API inside the Kernel Level … the Gate will check if there’s a ROP (with numerous well-defined checks) and then swith to the Kernel Level (set Executable Flag on Kernel Level’s Memory ON and for User Level’s Memory OFF) and when return from the Kernel Level to the User Level … it checks if it return to the return address that specified when calling to the Kernel Level and then Switch again to the User Level . there’s also solutions for Multi-Threaded Applications in the Entry and avoiding any incompatibility. It will affect the performance a little bit but it could be the best solution to control the Execution flow and detect ROP with minimum decrease on performance.

Name: Baibhav Singh

Bio: Baibhaitv Singh, is an independent security researcher. Previously he severed in Citrix. Prior to Citrix he was working in McAfee. His area of interest is reverse engineering and vulnerability analysis. Now he is doing security research on virtualization. He is co-author of the book “vulnerability analysis and defense for the internet”.

Entry Abstract: The goal of the protection engine is to check and prevent ROP attack. ROP attack is detected in two stages. First, based on the analyzing instructions resulted in calling API that is called as “entry verification” and second, based on doing some check for the address where control will be transferred by return instruction that is called as “Return verification”.

Name: Balint Lozsadi

Bio: Mr. Lozsadi was born in Budapest, Hungary. He is interested in programming. He uses/used many programming languages (C/C++/C#/Java/PHP/Javascript/BASH/TCL/PASCAL/ASM C64/ASM X86). He has a wife and two children and he works as a system administrator at National Tax and Customs Administration.

Entry Abstract: By default the Data selector segment overlaps the Stack selector segment. To prevent corruption the memory mapping is changed so that they do not overlap.

Name: Dave Heilig

Bio: Independent researcher and programmer.

Entry Abstract: Run time protection against buffer overflows and other memory vulnerabilities. Software does not need to be recompiled for this protection so any existing program can be executed more securely without any code changes.

Name: Didier Stevens

Bio: Didier is a full time security professional, a spare time security researcher and Microsoft MVP and enjoys hacking. You can find his free, open source security tools on blog.DidierStevens.com

Entry Abstract: CounterHeapSpray monitors the private memory usage of an application to guard against heap sprays. When the private memory usage of the application exceeds a predefined threshold, CounterHeapSpray assumes that a heap spray is ongoing and will pre-allocate virtual memory pages and populate these pages with its own shellcode. When the heap spray terminates and the exploit executes, code execution will transfer to CounterHeapSpray’s own shellcode. This shellcode will suspend all threads and display a warning message for the user.

Name: Dmitry Stefankov

Bio: Software Developer for Microsoft Windows, Unix, Linux and other platforms. Author of many computer systems and programs – TPmail, TpNet, TpSearch, DeviceMonitoring, WinEtherBridge, BFPSDK, ftest2, ntest and others.

Entry Abstract: TpSecret is based on the knowing of a secret access key allowing the access to the object. The absence of key or the incorrect key is disallowed the access to the object. In this protection model the protected object is the API function or the access to the API function. The stack and code space are also additionally checked to prevent the unauthorized access to the protected API functions.

Name: Felix Wilhelm

Bio: Felix Wilhelm is a computer science student at the RWTH Aachen University. He is interested in offensive security research, ranging from kernel exploitation to web security.

Entry Abstract: This entry uses stack consistency checks to protect dangerous system calls against ROP attacks. To do this we use the unwinding meta included in 64bit executables, which enables perfect stack traces even when frame pointer and debug data are omitted.

Name: Ilya Rabinovich

Bio: Ilya is the founder of Softsphere Technologies. Also, he is in the expert panel of Anti-Malware Test Lab. He has 15+ years experience in security researches and software development. His original education is in the field of nuclear physics.

Entry Abstract: HeapNG removes all the heap (pool) service information from the heap area, keeping it in specially allocated memory area, guarded from being accessed by an attacker with guard (PAGE_NOACCESS) page from the front. So, it can't be accessible by an attacker on buffer overflow as causing General Protection Fault. Also, in the end of every heap memory block allocated (with HeapAlloc function) we insert four canary dwords- two static and two dynamic. This prevents an attacker from being inserting fake service information into the heap pools (this removes any kind of "unsafe unlinking" attacks), also, we check heap memory blocks on its de-allocation for buffer overflow issues.

Name: Ivan Fratric- 2nd place winner

Bio: Ivan Fratric is a researcher at the University of Zagreb, from where he also holds a Ph.D. degree in computer science. Security research is a passion of his.

Entry Abstract: ROPGuard is a system that can detect and prevent the currently used forms of return-oriented programming (ROP) attacks at runtime. The system works by defining a set of critical functions: functions that need to be called from the ROP code by the attacker in order to leverage the attack. A series of checks is performed on each critical function call to determine if a function was called from the ROP code or as a result of normal program execution. The system can be applied at runtime to any process and has a low CPU and memory overhead.

Name: Jared DeMott - 3rd place winner

Bio: Jared is a security researcher and enjoys teaching his "Application Security: for Hackers and Developers" class. Jared is a part of the ACME Pharm CTF team (2010-present).

Entry Abstract: This novel defensive lowers the effect of address space disclosures and mitigates known ROP exploits. /ROP, as it is named, operates by checking that the target address of every (intended or unintended) return instruction is safe. This works because current ROP exploits contain return instructions. The protection is not perfect, but operates quickly and integrates cleanly with MS technology.

Name: Jeff Six

Bio: Jeff is a senior security engineer at a major financial firm based in Baltimore, Maryland, where he works to secure customer and firm data. He holds bachelors and masters degrees in engineering from the University of Delaware, and is working on his MBA at Loyola University Maryland. Jeff has been a member of the Adjunct Faculty at the University of Delaware since 2000, teaching classes on software development and secure coding practices, and is the author of Application Security for the Android Platform, published by O’Reilly Media in December 2011. Additionally, he has been a lifeguard since 1993 and an instructor since 1995, and is an amateur triathlete, competing at the sprint, Olympic, and 70.3 distances. Come visit at http://jeffsix.com .

Entry Abstract: Exploitation of a vulnerability using return-oriented programming techniques relies on the attacker finding a sequence of existing code snippets that end with RET instructions or equivalent. In order to reliably prevent such a ROP-based exploitation from succeeding, the attacker must be denied the ability to determine what the stack must look like in order to execute an ROP gadget’s sequence of instructions. This can be accomplished by introducing an unpredictable change to the stack pointer immediately before the RET instruction. If the attacker is not able to determine where the stack pointer will reference when the RET instruction is executed, they will not be able to craft the stack in such a way to further allow execution of the gadget sequence. This can be accomplished using a new technique known as stack slack randomization (SSR).

Name: Lenx Tao Wei

Bio: Lenx Tao Wei is a visiting scholar of UC Berkley, and an associate professor of Peking University. He is interested in research on software analysis and system protection. Now he is focusing on finding provable solutions for software protection which industry is likely to adopt.

Entry Abstract: FPGate stops attacks targeting function pointers by limiting indirect transfers to only those targets that are legal in the original program. When deployed together with other existing lightweight protections, FPGate can provide a level of protection comparable to CFI (Control Flow Integrity), stopping almost all control fow hijacking attacks including ROP. FPGate has two main advantages compared with previous solutions: it can inter-operate well with existing non-hardened libraries, so it can be deployed progressively; we also develop a method to recognize all sources and targets automatically in modern security-sensitive binary executables, thus FPGate can be applied directly on these binary files. The performance overhead of FPGate is only 0.36% in average measured using SPECint 2006. FPGate is a joint work of Lenx with Chao Zhang, Zhaofeng Chen, Lei Duan from Peking University, and Laszlo Szekeres, Stephen McCamant, Dawn Song from UC Berkele

Name: Massimo

Bio: Massimo is an experienced software auditor and a security architect. He is author of various DRM schemes and protection technologies.

Entry Abstract: This technique tweaks the Windows Security model to create a perfect sandbox around an application without any hook or driver, preventing memory exploitation issues into an application to affect the system.

Name: Matt Tait

Bio: Matt is a Vulnerabilities Researcher and Security Consultant for NGS Secure with extensive experience in application security, operating system design, reverse-engineering and static analysis. In particular Matt is an established security researcher for the Microsoft Windows® platform, including recent work on securing Windows 8®.

Entry Abstract: Stack Pivot Protect (SPP) is a novel on-processor protection mechanism designed to logically separate stack memory from other memory in order to detect and prevent out-of-stack pivots at runtime. This defeats the return-orientated programming exploitation strategy for applications that store attacker controlled data on the heap instead of the stack.

Name: Piotr Bania

Bio: Piotr is a computer security hobbyist currently especially interested in binary analysis, developing disassemblers, binary differential engines, code modifications engines, dynamic binary instrumentation engines, protection engines etc.

Entry Abstract: The technique used in the usermode part protects against executing protected API functions from regions that were not declared to do so at the first place. The kernel mode technique relies on static binary rewriting and implements features like: control flow monitoring, partial control flow integrity, original code erosion, random code insertion and others.

Name: Rami Kawach

Bio: Rami Kawach is a Software Architect at Qualys specializing in highly scalable client server architectures, self-learning expert systems, as well as automated exploit detection and analysis.

Entry Abstract: This technique allows application developers to self-profile their own application’s behavior and restrict its ability to perform unneeded operations. When these self-profiled applications are exploited, the resulting damage is greatly mitigated.

Name: Sakurai Naoyuki

Bio: I live in Tokyo and am a freshman of the Tokyo Institute of Technology from this spring. I have made a few pieces of freeware.

Entry Abstract: API Address Revelation Prevention Measure (AARPM) is a measure to conceal API function address in the Import Address Table in memory.

Name: Steve Rhoads

Bio: Steve Rhoads, MSEE, PE develops video satellite receivers for Technicolor and developed the open source Plasma CPU (http://plasmacpu.no-ip.org/).

Entry Abstract: During normal program execution, each thread owns a stack that contains function arguments, local variables, and return addresses for when a function returns. When a new function is called, the function arguments are pushed on to the stack, and then the return address is pushed on to the stack, followed by the new function’s local variables. This mitigation incorporates an additional stack for arrays preventing overflow on the executable stack.

Name: Vasilis Pappas - 1st place winner

Bio: Vasilis is currently a PhD student at Columbia University actively researching network and system security.

Entry Abstract: This proposed technique is called kBouncer, an efficient and fully transparent ROP mitigation technique. kBouncer is based on runtime detection of abnormal control transfers using hardware features found on commodity processors.

Name: Young Jun Ko

Bio: Young Jun Ko is a software engineer & security researcher. He holds a Master’s degree in Electronics and Computer Engineering from Hanyang University in South Korea. He is also the author of Phrack 57-3 'NIDS Evasion Method named "SeolMa"'.

Entry Abstract: Hardening Exploit's WINAPI function call via Return Address Check and Hardening ROP Chaining.