1 00:00:00,209 --> 00:00:04,459 For the folks who are on the screen, are we on the record? 2 00:00:04,751 --> 00:00:06,751 Is the transcription running? 3 00:00:07,083 --> 00:00:11,999 Here's the thing with the transcription, you know that this is new this year 4 00:00:11,999 --> 00:00:15,209 and I think it's been very, very cool. 5 00:00:15,250 --> 00:00:19,709 And I've had a lot of questions about how it's working because it 6 00:00:19,709 --> 00:00:22,167 is so darn effective. 7 00:00:22,459 --> 00:00:25,709 So the way that that's actually happening is there 8 00:00:25,709 --> 00:00:30,667 is a live participant of Party Track that is not here. 9 00:00:30,959 --> 00:00:34,542 They are off site and it is a court reporting service. 10 00:00:34,626 --> 00:00:36,584 So ponder that, okay? 11 00:00:36,999 --> 00:00:40,999 When I'm not at DEF CON, I'm an attorney back home. 12 00:00:40,999 --> 00:00:45,417 And court reporters obviously sit there and transcribe court proceedings 13 00:00:45,417 --> 00:00:50,626 and depositions and very bland and boring types of materials. 14 00:00:50,959 --> 00:00:55,834 So, there is a team of court reporters that has now gotten 15 00:00:55,834 --> 00:00:59,626 to transcribe this for all of us and type 16 00:00:59,626 --> 00:01:05,709 the words that have been coming out of all these speakers' mouths 17 00:01:05,709 --> 00:01:10,125 like Dongs, pumpkin poop, booze, okay? 18 00:01:10,209 --> 00:01:12,999 So it may be one of the more interesting types 19 00:01:12,999 --> 00:01:17,334 of projects that they've ever been assigned to. 20 00:01:17,501 --> 00:01:20,999 So my question to our court reporter is: What do 21 00:01:20,999 --> 00:01:22,876 you think? 22 00:01:23,083 --> 00:01:28,626 You are an interesting group. 23 00:01:28,999 --> 00:01:32,501 By far the funnest group I have worked with. 
24 00:01:32,501 --> 00:01:36,751 (applause) So how about just one more time 25 00:01:36,751 --> 00:01:41,584 for our court reporter here in Party Track, 26 00:01:41,584 --> 00:01:47,459 let's make applause show up on that screen. 27 00:01:47,459 --> 00:01:57,667 (applause) Awesome stuff. 28 00:01:57,667 --> 00:01:59,167 I will be taking off pretty soon. 29 00:01:59,167 --> 00:02:00,417 You guys have been good. 30 00:02:00,417 --> 00:02:04,083 Party Track totally rocks and I will probably see you all next year. 31 00:02:04,209 --> 00:02:07,751 Without further ado, we are going to learn something 32 00:02:07,751 --> 00:02:10,999 about exploit detection systems now. 33 00:02:10,999 --> 00:02:12,709 Have a good time, everybody. 34 00:02:12,709 --> 00:02:19,417 (applause) AMR THABET: Hello, guys. 35 00:02:19,709 --> 00:02:22,542 Hello, girls, also. 36 00:02:22,542 --> 00:02:23,626 Girls mainly. 37 00:02:23,626 --> 00:02:29,375 Today I will talk about exploit detection system. 38 00:02:29,999 --> 00:02:32,209 First, I am Amr Thabet. 39 00:02:32,542 --> 00:02:33,834 I'm from Egypt. 40 00:02:34,083 --> 00:02:37,167 I work for Q-CERT in Qatar. 41 00:02:37,542 --> 00:02:44,375 I work on open source projects like SRDF and Pokas Emulator. 42 00:02:51,959 --> 00:02:56,626 I wrote about Stuxnet and that's it. 43 00:02:56,999 --> 00:02:59,083 This is my first time here at DEF CON. 44 00:02:59,375 --> 00:03:00,375 (applause). 45 00:03:00,375 --> 00:03:02,083 AMR THABET: Thank you. 46 00:03:05,999 --> 00:03:07,250 Okay. 47 00:03:08,083 --> 00:03:09,999 Let's begin. 48 00:03:10,083 --> 00:03:15,250 As you all know, pen testing right now or hacking right 49 00:03:15,250 --> 00:03:21,834 now has become different from the security compliance. 50 00:03:21,834 --> 00:03:26,918 They are not attacking the servers right now. 51 00:03:26,918 --> 00:03:28,999 They are not trying to use Metasploit and attacking 52 00:03:28,999 --> 00:03:30,626 the server. 
53 00:03:32,999 --> 00:03:35,918 Right now most of the attacks are advanced 54 00:03:35,918 --> 00:03:38,083 persistent threats. 55 00:03:38,209 --> 00:03:41,334 They are attacking from the client side. 56 00:03:41,334 --> 00:03:44,876 They are using phishing. 57 00:03:44,876 --> 00:03:47,876 They are attacking ways from (inaudible). 58 00:03:48,709 --> 00:03:55,292 From their clients, from their machines, they are attacking the servers. 59 00:03:55,375 --> 00:03:59,999 They can bypass most of the security compliance applications, 60 00:03:59,999 --> 00:04:04,083 firewalls, antivirus prevention systems. 61 00:04:05,167 --> 00:04:07,584 They can bypass everything. 62 00:04:07,834 --> 00:04:11,083 They use some undetectable malware affecting their clients, 63 00:04:11,083 --> 00:04:13,334 using HTTP connections. 64 00:04:15,083 --> 00:04:17,167 So they are bypassing everything. 65 00:04:17,459 --> 00:04:22,083 They are bypassing the antiviruses and all the security tools right now 66 00:04:22,083 --> 00:04:24,083 become useless. 67 00:04:24,250 --> 00:04:25,999 So what's the solution? 68 00:04:25,999 --> 00:04:28,999 There is a new technology, a new era. 69 00:04:28,999 --> 00:04:31,918 That's what we are talking today. 70 00:04:33,667 --> 00:04:37,375 The latest security technology is from my point of view 71 00:04:37,375 --> 00:04:40,792 the exploitation detection system. 72 00:04:40,999 --> 00:04:45,167 We now need to secure the client like we are securing the server. 73 00:04:45,292 --> 00:04:47,375 We need to secure from the client side attacks 74 00:04:47,375 --> 00:04:49,083 and exploits. 75 00:04:50,250 --> 00:04:53,250 We need to stop the successful exploitation and stop 76 00:04:53,250 --> 00:04:56,501 the use of 0-days and make it harder. 77 00:04:58,083 --> 00:05:03,709 Actually, when the security begins, they begin with antivirus 78 00:05:03,709 --> 00:05:06,083 as a technology. 
79 00:05:06,999 --> 00:05:11,626 And after a time, it was bypassed and there was other attacks. 80 00:05:11,959 --> 00:05:15,334 They created the firewalls and become very, very vulnerable. 81 00:05:15,584 --> 00:05:19,999 And after a time, bypass the detection systems and now 82 00:05:19,999 --> 00:05:22,751 they are bypassed. 83 00:05:22,999 --> 00:05:24,584 So what is the next? 84 00:05:24,834 --> 00:05:27,999 The next is the exploitation detection system. 85 00:05:27,999 --> 00:05:34,083 That's the era of exploitation detection system. 86 00:05:34,083 --> 00:05:37,584 Today I will talk about the exploit detection system, 87 00:05:37,584 --> 00:05:41,459 a new technology, as a new concept. 88 00:05:41,459 --> 00:05:43,209 That's what I already talked about. 89 00:05:43,584 --> 00:05:48,083 I will also talk about my exploit detection system tool, how it can stop 90 00:05:48,083 --> 00:05:52,083 the attacks, how it can mitigate the attacks. 91 00:05:52,709 --> 00:05:56,083 I will also talk about the development, still in the middle. 92 00:05:56,083 --> 00:05:58,999 But I will talk about what we are doing now. 93 00:05:59,083 --> 00:06:02,083 And I have a little bit of advertisement 94 00:06:02,083 --> 00:06:05,834 for my open source (inaudible). 95 00:06:06,083 --> 00:06:08,334 I will talk about it also. 96 00:06:08,876 --> 00:06:13,083 How many people here know about assembly exploits, 97 00:06:13,083 --> 00:06:15,876 understand all that? 98 00:06:17,834 --> 00:06:18,999 Good. 99 00:06:18,999 --> 00:06:20,459 Not too much. 100 00:06:20,709 --> 00:06:24,834 But I will explain everything for you. 101 00:06:25,167 --> 00:06:26,792 No problem. 102 00:06:28,083 --> 00:06:33,417 First, we'll talk about why, the goals of this tool, 103 00:06:33,417 --> 00:06:36,626 how I created all this. 
104 00:06:36,999 --> 00:06:40,542 Then I will talk about the design of this tool and 105 00:06:40,542 --> 00:06:45,667 the mitigations that's used to stop all the attack vectors and I 106 00:06:45,667 --> 00:06:51,334 will talk about the attack vectors, explaining them in detail, in brief, 107 00:06:51,334 --> 00:06:55,999 not huge details, for everyone to understand. 108 00:06:56,125 --> 00:06:59,999 And I will talk about the monitoring system that's also 109 00:06:59,999 --> 00:07:04,709 inside the EDS and then the development and my future point 110 00:07:04,709 --> 00:07:06,999 of view for EDS. 111 00:07:06,999 --> 00:07:08,584 Let's begin. 112 00:07:09,999 --> 00:07:14,999 Simply, as I said, it's created mainly to stop the exploitation. 113 00:07:14,999 --> 00:07:16,792 As I see most of the attacks are using social 114 00:07:16,792 --> 00:07:20,751 engineering and client side attacks on all of this. 115 00:07:21,918 --> 00:07:24,876 That's what I created this tool for. 116 00:07:24,876 --> 00:07:27,083 It's to stop the memory corruption exploits. 117 00:07:27,083 --> 00:07:30,209 Maybe you don't know about memory corruption. 118 00:07:30,667 --> 00:07:32,459 I will describe it right now. 119 00:07:33,209 --> 00:07:36,626 It detects the compromised processes. 120 00:07:36,626 --> 00:07:42,667 If you have a malicious wire running it, it also exploited your process so it tried 121 00:07:42,667 --> 00:07:47,792 to take this process compromised through an unknown behavior 122 00:07:47,792 --> 00:07:53,417 or it has some corruption in its memory and stops that. 123 00:07:53,417 --> 00:07:58,999 It prevents or alerts someone in the company, in the I.T. 124 00:07:59,083 --> 00:08:02,375 administrators or the security team, about there is a machine or there 125 00:08:02,375 --> 00:08:05,125 is a client that has been hacked. 
126 00:08:06,626 --> 00:08:12,334 Simply, memory corruption is about if you have a piece 127 00:08:12,334 --> 00:08:20,459 of memory and there is a buffer created, there is verification with username 128 00:08:20,459 --> 00:08:27,334 and password, imagine your name will be 200 characters. 129 00:08:27,542 --> 00:08:32,999 No one has a name longer than this, so it creates a buffer for it. 130 00:08:33,999 --> 00:08:38,999 Take your username, copy all your username inside this buffer, 131 00:08:38,999 --> 00:08:45,083 and you don't check on the size of your username, and then run. 132 00:08:45,083 --> 00:08:49,999 Actually, if I send a username with 1,000 bytes or so, 133 00:08:49,999 --> 00:08:55,999 1,000 character length, he will write on the 200 bytes of his buffer 134 00:08:55,999 --> 00:09:01,918 and then he will overwrite some other place in memory. 135 00:09:02,083 --> 00:09:07,209 These places in memory could be if you are could be a pointer 136 00:09:07,209 --> 00:09:12,167 to this memory, could make some corruption. 137 00:09:12,167 --> 00:09:16,918 Could be a pointer in a code, in the stack, something 138 00:09:16,918 --> 00:09:22,584 in the stack has a pointer named return address. 139 00:09:22,792 --> 00:09:25,999 The processor or the CPU after a time executes, goes 140 00:09:25,999 --> 00:09:31,959 through this pointer and executes the code that this pointer points to. 141 00:09:33,083 --> 00:09:37,999 So if I overwrite this pointer, I can make the CPU go 142 00:09:37,999 --> 00:09:42,417 to another place in your application. 
143 00:09:42,417 --> 00:09:45,501 So if it is something that checked the password, 144 00:09:45,501 --> 00:09:50,209 I can overwrite this pointer and make it return that you win 145 00:09:50,209 --> 00:09:55,959 or you passed or something like this or your username and password are 146 00:09:55,959 --> 00:10:00,959 correct so I can change the behavior of your process using some 147 00:10:00,959 --> 00:10:04,000 modification in your memory. 148 00:10:04,000 --> 00:10:06,542 And that's what's named memory corruption. 149 00:10:07,375 --> 00:10:11,999 You can know about it more in corelan.be. 150 00:10:13,751 --> 00:10:16,584 Corelan team is a very, very good team. 151 00:10:18,584 --> 00:10:23,999 Talking about memory corruption and how to use it, how people use it. 152 00:10:24,209 --> 00:10:29,792 And as you see in these pictures, I show you that there is an overwrite 153 00:10:29,792 --> 00:10:33,999 he overwrote the return address you can see so I can 154 00:10:33,999 --> 00:10:37,999 now modify the behavior of this process. 155 00:10:40,125 --> 00:10:41,375 Okay. 156 00:10:41,626 --> 00:10:44,999 Some people ask, okay, it is good point but what's 157 00:10:44,999 --> 00:10:48,250 the difference between the exploit detection system 158 00:10:48,250 --> 00:10:50,125 and antivirus. 159 00:10:50,334 --> 00:10:55,999 Simply, EDS is not signature based, is not mainly behavior based; 160 00:10:55,999 --> 00:11:01,999 it's simply searching the memory for any corruption. 161 00:11:02,125 --> 00:11:06,959 If there is unknown corruption or unknown overwrite, 162 00:11:06,959 --> 00:11:09,918 you can detect that. 163 00:11:10,209 --> 00:11:12,459 It doesn't detect malware. 164 00:11:13,083 --> 00:11:17,083 To detect there is a new virus or something. 165 00:11:20,999 --> 00:11:25,667 It is just search for exploitation. 166 00:11:25,667 --> 00:11:27,417 So is this something new? 167 00:11:27,417 --> 00:11:28,417 No. 
168 00:11:28,751 --> 00:11:36,083 There are compile-time solutions and the compile-time solutions were created 169 00:11:36,083 --> 00:11:40,584 by Microsoft like GS cookie. 170 00:11:40,584 --> 00:11:44,125 They had a cookie before the return address that we saw 171 00:11:44,125 --> 00:11:48,918 in the previous slides to check if it was verified or not, 172 00:11:48,918 --> 00:11:51,417 something like this. 173 00:11:51,417 --> 00:11:53,083 But the compile-time solutions have 174 00:11:53,083 --> 00:11:58,501 a problem that forces everyone to recompile the application 175 00:11:58,501 --> 00:12:01,292 to add this feature. 176 00:12:01,375 --> 00:12:04,083 So always there is an exception. 177 00:12:04,083 --> 00:12:07,999 There will be someone, a developer, who will not compile 178 00:12:07,999 --> 00:12:12,459 with the new technology so I can bypass also. 179 00:12:12,626 --> 00:12:15,751 There are other runtime solutions. 180 00:12:15,751 --> 00:12:20,459 One of them was EMET, who talked about his great tool 181 00:12:20,459 --> 00:12:25,709 from two presentations and there's others. 182 00:12:26,083 --> 00:12:34,999 Actually, from my interview, I see it is like enough mitigation. 183 00:12:34,999 --> 00:12:40,083 This action is a malware or there is an exploit or that's not an exploit. 184 00:12:40,626 --> 00:12:42,918 I need something more flexible. 185 00:12:42,918 --> 00:12:47,292 It's one layer of mitigation, one layer of defense. 186 00:12:47,334 --> 00:12:52,167 It can't know it was bypassed or not. 187 00:12:52,417 --> 00:12:54,792 I will talk about this. 188 00:12:55,083 --> 00:12:56,209 Okay. 189 00:12:58,999 --> 00:13:05,834 So what we have what new things we have? 190 00:13:05,834 --> 00:13:07,792 We have cooperative mitigations. 191 00:13:07,792 --> 00:13:08,999 We will talk about this. 192 00:13:08,999 --> 00:13:10,334 We have a scoring assistant. 193 00:13:10,334 --> 00:13:15,918 We have something more flexible to detect exploitation and so on. 
194 00:13:16,667 --> 00:13:19,626 We have an additional layer of monitoring system 195 00:13:19,626 --> 00:13:23,542 and this monitoring system, we'll talk about it. 196 00:13:23,542 --> 00:13:25,417 It detects if there is something bypassed 197 00:13:25,417 --> 00:13:29,999 all mitigations and there is an attack already working. 198 00:13:30,083 --> 00:13:33,459 So it's another additional layer to secure. 199 00:13:34,626 --> 00:13:39,250 Simply, the design that there is payload detection, we will talk 200 00:13:39,250 --> 00:13:43,459 about what is shellcode and what's a chain. 201 00:13:43,501 --> 00:13:45,667 We have a shellcode detector. 202 00:13:45,667 --> 00:13:47,999 We have a chain detector. 203 00:13:47,999 --> 00:13:49,999 We have attack vector detector. 204 00:13:50,999 --> 00:13:55,834 We have security mitigations for the stack and the heap. 205 00:13:55,959 --> 00:14:00,375 Actually, the stack as we saw in the two slides, it's 206 00:14:00,375 --> 00:14:05,125 a place that includes some return addresses. 207 00:14:05,125 --> 00:14:08,167 And this return address, if it was overwritten, it 208 00:14:08,167 --> 00:14:10,999 will create a problem. 209 00:14:10,999 --> 00:14:13,250 It can change the behavior of the application. 210 00:14:13,250 --> 00:14:16,792 The heap has something similar named vtable. 211 00:14:16,792 --> 00:14:22,167 Vtable actually it has some pointers, some functions. 212 00:14:22,167 --> 00:14:27,584 In a time, the processor can execute one of them. 213 00:14:27,584 --> 00:14:31,667 And if they are also overwritten, it will create a problem. 214 00:14:32,083 --> 00:14:34,501 After that, we have the scoring system and 215 00:14:34,501 --> 00:14:36,792 the monitoring system. 216 00:14:38,250 --> 00:14:39,417 Okay. 217 00:14:43,209 --> 00:14:47,667 The scoring system is based on three things. 
218 00:14:47,999 --> 00:14:53,918 Based on payload detection, based on shellcode, what you see 219 00:14:53,918 --> 00:14:59,667 in your input, if you sent a code or something like this, 220 00:14:59,667 --> 00:15:05,083 if you send a ROP chain or a return address. 221 00:15:05,334 --> 00:15:10,459 Also, it includes it detects the exploitation attack vector. 222 00:15:10,959 --> 00:15:16,083 If there's an attack, there is something suspicious, tries 223 00:15:16,083 --> 00:15:18,250 to stop this. 224 00:15:18,250 --> 00:15:22,083 Also, it scans on something suspicious related 225 00:15:22,083 --> 00:15:24,709 to this process. 226 00:15:31,542 --> 00:15:34,751 It renames a suspicious action so it gives more 227 00:15:34,751 --> 00:15:38,999 score or high score for this attack or this input. 228 00:15:39,167 --> 00:15:41,999 There is something more suspicious. 229 00:15:46,125 --> 00:15:51,999 The monitoring system searches for evidence of exploitation. 230 00:15:54,125 --> 00:15:56,459 Detectors bypassed mitigations. 231 00:15:56,542 --> 00:16:01,667 This process was compromised, it would include unknown DLLs. 232 00:16:01,959 --> 00:16:05,667 There is some functions hacked or something like this. 233 00:16:05,667 --> 00:16:08,334 There is something unknown running at this process. 234 00:16:08,667 --> 00:16:11,125 We will talk about it in details. 235 00:16:12,999 --> 00:16:15,999 First, what's (inaudible)? 236 00:16:16,083 --> 00:16:22,999 Simply, as I told you, I can send username 1,000 bytes. 237 00:16:25,083 --> 00:16:27,999 But I can overwrite a return address. 238 00:16:27,999 --> 00:16:32,999 And I can also modify this return address to return to my user input, 239 00:16:32,999 --> 00:16:35,876 to return to my username. 240 00:16:35,876 --> 00:16:38,709 So the processor will execute my username 241 00:16:38,709 --> 00:16:41,083 as it's a code. 
242 00:16:46,667 --> 00:16:51,999 Shellcode is simply a bunch of bytes I can send as a username 243 00:16:51,999 --> 00:16:57,417 and actually it's an assembly code in bytes so I can when I can do 244 00:16:57,417 --> 00:17:02,792 the return address, I can make the processor execute my username 245 00:17:02,792 --> 00:17:08,209 or execute the bytes this bunch of bytes and this bunch of bytes do 246 00:17:08,209 --> 00:17:11,292 an action for myself so I can control 247 00:17:11,292 --> 00:17:13,417 your process. 248 00:17:13,667 --> 00:17:17,584 I can send you a code and this code will get executed. 249 00:17:17,959 --> 00:17:21,167 And I'm like I'm inside your PC. 250 00:17:22,999 --> 00:17:32,709 The shellcode simply it gets its place in memory. 251 00:17:32,709 --> 00:17:37,209 That's the first thing it do because it is running in unknown space. 252 00:17:37,209 --> 00:17:39,999 It is just username copied in unknown buffers. 253 00:17:39,999 --> 00:17:42,209 Try to take it the way it is. 254 00:17:42,709 --> 00:17:45,709 And then getting the Windows functions to execute 255 00:17:45,709 --> 00:17:49,667 like I need to execute a new application. 256 00:17:49,667 --> 00:17:51,167 I need to create (inaudible). 257 00:17:51,167 --> 00:17:55,999 I need to connect to the Internet so it gets the Windows functions to do 258 00:17:55,999 --> 00:17:57,959 all of this. 259 00:17:57,959 --> 00:17:59,999 And then attack. 260 00:18:00,999 --> 00:18:05,417 There is a good article about this on CodeProject. 261 00:18:09,417 --> 00:18:11,501 Is there any problem until now? 262 00:18:14,292 --> 00:18:23,209 Actually, some shellcodes are forced to not have any null byte or zero. 263 00:18:23,209 --> 00:18:24,209 Why? 264 00:18:24,209 --> 00:18:28,626 Because when I send a username, the username always is just a string 265 00:18:28,626 --> 00:18:30,999 or a (inaudible). 266 00:18:30,999 --> 00:18:35,959 (inaudible) finishes with null byte or zero byte. 
267 00:18:35,999 --> 00:18:39,375 That means your username was finished. 268 00:18:39,375 --> 00:18:42,709 So the shellcodes should not have null bytes. 269 00:18:43,999 --> 00:18:48,083 That's a point or most of them. 270 00:18:48,626 --> 00:18:51,626 They are sometimes encrypted. 271 00:18:51,626 --> 00:18:54,626 If you see Metasploit how many people here use Metasploit? 272 00:18:54,876 --> 00:18:56,125 A lot. 273 00:18:58,834 --> 00:19:02,959 Actually, Metasploit, when you choose the payload, 274 00:19:02,959 --> 00:19:05,999 choose a shellcode, you can encode it 275 00:19:05,999 --> 00:19:11,209 to bypass antiviruses and all signature based ways so sometimes 276 00:19:11,209 --> 00:19:15,999 shellcodes are encrypted and there will be, like, a loop 277 00:19:15,999 --> 00:19:18,999 to grab it byte by byte. 278 00:19:18,999 --> 00:19:25,167 So there will be a loop, some code execute in, like, a cycle. 279 00:19:25,501 --> 00:19:29,250 And some shellcodes are forced to be in ASCII 280 00:19:29,250 --> 00:19:35,459 like they are characters A, B, C and so on because some applications 281 00:19:35,459 --> 00:19:40,125 the username includes some unknown bytes. 282 00:19:40,584 --> 00:19:43,459 That's it. 283 00:19:45,751 --> 00:19:49,999 So we need to detect that this username this 284 00:19:49,999 --> 00:19:57,876 person's name includes some shellcode, includes some code inside it. 285 00:19:57,999 --> 00:20:01,876 And you try to modify the application behavior 286 00:20:01,876 --> 00:20:04,792 to run this shellcode. 287 00:20:04,999 --> 00:20:08,250 So I created a shellcode detection tool. 288 00:20:08,459 --> 00:20:11,209 My goal in this tool is to be very fast 289 00:20:11,209 --> 00:20:16,999 because this sample will be sent in small time an action will happen 290 00:20:16,999 --> 00:20:19,999 after that, so I don't need to have 291 00:20:19,999 --> 00:20:23,584 a memory consult any time used. 
292 00:20:23,709 --> 00:20:30,999 I need it to be very hard to bypass and to be very strong and I have some 293 00:20:30,999 --> 00:20:35,292 false positives but low as I can. 294 00:20:37,250 --> 00:20:41,751 So I added static shellcode detection. 295 00:20:41,751 --> 00:20:47,999 Static shellcode means maximum disassemble or just checks the bytes. 296 00:20:47,999 --> 00:20:51,876 It doesn't try to when it detects a shellcode, it doesn't run it. 297 00:20:51,876 --> 00:20:53,250 That's the meaning of static. 298 00:20:53,250 --> 00:20:54,959 It doesn't run the shellcode. 299 00:20:55,167 --> 00:20:59,999 It just disassembles it and converts it to assembly and tries 300 00:20:59,999 --> 00:21:06,083 to understand this assembly code or just a bunch of bytes. 301 00:21:06,417 --> 00:21:12,584 And we divide this shellcode detector into three phases. 302 00:21:12,751 --> 00:21:17,792 The first phase, we search this username. 303 00:21:17,792 --> 00:21:21,417 There is an indication that there is a code, a working code. 304 00:21:21,501 --> 00:21:25,667 And we'll detect how we can do this like we detect that there is a loop, 305 00:21:25,667 --> 00:21:27,999 a working loop inside. 306 00:21:27,999 --> 00:21:32,167 There is something, if I disassemble all the instructions, I jump to one 307 00:21:32,167 --> 00:21:36,834 of the instructions and the code simply is working. 308 00:21:36,999 --> 00:21:40,999 That's the first indication of possible shellcodes. 309 00:21:40,999 --> 00:21:46,584 The second, I filter all of the instructions that are invalid 310 00:21:46,584 --> 00:21:50,999 or some set of instructions that are corrupted 311 00:21:50,999 --> 00:21:55,417 or not used in the normal process. 312 00:21:55,959 --> 00:22:00,584 And then I do some flow analysis on all of this shellcode. 313 00:22:00,709 --> 00:22:04,999 This code will work fine or it will not work. 314 00:22:04,999 --> 00:22:06,542 It is just a bunch of bytes. 
315 00:22:06,542 --> 00:22:07,542 (applause). 316 00:22:07,542 --> 00:22:08,542 Yeah! 317 00:22:08,542 --> 00:22:15,250 AMR THABET: Thank you. 318 00:22:15,250 --> 00:22:28,125 (laughter) Why did you stop speaking? 319 00:22:28,709 --> 00:22:36,876 AMR THABET: Let's take a break. 320 00:22:36,876 --> 00:22:37,876 (laughter). 321 00:22:38,250 --> 00:22:39,999 All right. 322 00:22:39,999 --> 00:22:40,999 You know the drill. 323 00:22:40,999 --> 00:22:42,751 What are we called? 324 00:22:43,999 --> 00:22:46,250 No, it is not fuck this speaker. 325 00:22:48,876 --> 00:22:51,083 (laughter) Shot the n00b. 326 00:22:52,375 --> 00:22:54,125 What are you doing? 327 00:22:54,375 --> 00:22:56,334 All right. 328 00:22:56,584 --> 00:22:59,999 Oh, and we need who's first time Jesus. 329 00:22:59,999 --> 00:23:00,999 (laughter). 330 00:23:02,083 --> 00:23:05,999 I think the guy here in front actually got there first. 331 00:23:05,999 --> 00:23:06,999 All right. 332 00:23:06,999 --> 00:23:08,709 Here you are, sir. 333 00:23:08,709 --> 00:23:09,999 Wait, wait, wait. 334 00:23:09,999 --> 00:23:12,292 I want to interview him. 335 00:23:12,292 --> 00:23:14,334 Yeah, we have to interview him, first. 336 00:23:14,334 --> 00:23:17,083 What's your name? 337 00:23:17,083 --> 00:23:18,083 Orbo. 338 00:23:18,083 --> 00:23:19,125 Where are you from? 339 00:23:19,250 --> 00:23:20,876 Utah. 340 00:23:20,876 --> 00:23:22,167 Why did you come to DEF CON? 341 00:23:22,167 --> 00:23:23,417 Why are you drinking? 342 00:23:23,417 --> 00:23:25,083 Because I'm not Mormon. 343 00:23:27,999 --> 00:23:31,375 Why are you in Utah? 344 00:23:31,375 --> 00:23:32,542 (laughter) Cheers. 345 00:23:32,542 --> 00:23:40,083 All right, cheers to everybody first time at DEF CON. 346 00:23:40,083 --> 00:23:41,667 (applause) How's he doing? 347 00:23:41,667 --> 00:23:43,417 Should we invite him back next year? 348 00:23:43,417 --> 00:23:49,417 (applause) You have five minutes. 
349 00:23:52,501 --> 00:23:54,375 We're taking this. 350 00:23:54,375 --> 00:23:55,918 AMR THABET: I will take it. 351 00:23:55,999 --> 00:23:57,834 Is this yours? 352 00:23:57,834 --> 00:24:00,209 AMR THABET: No, no, no, it is not mine. 353 00:24:00,209 --> 00:24:01,209 I'm just joking. 354 00:24:01,209 --> 00:24:02,209 That's awesome. 355 00:24:02,209 --> 00:24:03,209 I don't know. 356 00:24:03,209 --> 00:24:05,999 But we'll just leave it there for the next speakers. 357 00:24:05,999 --> 00:24:06,999 Thank you. 358 00:24:06,999 --> 00:24:08,083 AMR THABET: Thank you. 359 00:24:08,083 --> 00:24:09,083 Thank you, guys. 360 00:24:09,083 --> 00:24:12,959 (applause). 361 00:24:14,667 --> 00:24:15,999 What we said? 362 00:24:23,542 --> 00:24:27,334 (laughter) That's the shellcode detection. 363 00:24:27,334 --> 00:24:28,334 (laughter). 364 00:24:30,999 --> 00:24:32,083 Okay. 365 00:24:32,999 --> 00:24:36,999 We search for indication of shellcode. 366 00:24:37,083 --> 00:24:40,209 First, we search for a working loop. 367 00:24:40,501 --> 00:24:44,083 How it works, actually the assembly code for x86, 368 00:24:44,083 --> 00:24:49,876 each instruction has variable size, like instruction has three bytes 369 00:24:49,876 --> 00:24:54,167 and instruction has five bytes and so on. 370 00:24:54,375 --> 00:24:58,584 So what we are doing is we disassemble from a place, 371 00:24:58,584 --> 00:25:03,959 we search for a jump to something previous and disassemble 372 00:25:03,959 --> 00:25:06,876 between all of them. 373 00:25:06,999 --> 00:25:12,501 If the assembly code works fine, the last instruction ends 374 00:25:12,501 --> 00:25:20,584 before the jump, so it means that it is something it is a real loop. 375 00:25:20,584 --> 00:25:22,999 So the jump is here, pointing to an instruction and 376 00:25:22,999 --> 00:25:28,999 all of this instruction were running and it will return to this jump and so on. 377 00:25:29,167 --> 00:25:31,167 We search for something like this. 
378 00:25:31,167 --> 00:25:33,083 It seems that it's a working loop. 379 00:25:33,709 --> 00:25:37,626 It seems it is a shellcode that's just an indication. 380 00:25:37,918 --> 00:25:42,999 We check for in some shellcodes, they call to something 381 00:25:42,999 --> 00:25:46,083 to address in previous. 382 00:25:46,083 --> 00:25:47,083 Why? 383 00:25:47,375 --> 00:25:55,083 To try to using a simple way to get whoever they are in the memory. 384 00:25:55,209 --> 00:25:58,626 I don't know I don't need to enter details. 385 00:25:58,626 --> 00:26:03,959 But we can detect there is a call to something previous and disassemble 386 00:26:03,959 --> 00:26:08,417 between the call and between the destination so we can 387 00:26:08,417 --> 00:26:13,876 know it seems a working loop or something like this. 388 00:26:13,959 --> 00:26:16,542 Which also in some loop instructions 389 00:26:16,542 --> 00:26:20,459 inside the x86, that's the first way to indicate there 390 00:26:20,459 --> 00:26:23,709 is a shellcode or something. 391 00:26:24,834 --> 00:26:28,751 If we didn't find the loop, we search for high rate 392 00:26:28,751 --> 00:26:32,083 of unknown instruction and push. 393 00:26:32,083 --> 00:26:37,959 Usually it was used in all shellcodes. 394 00:26:37,959 --> 00:26:40,834 It must be ASCII, it must be three characters, A, B, C, 395 00:26:40,834 --> 00:26:42,999 something like this. 396 00:26:43,709 --> 00:26:48,584 And we detect there is a high rate of these pushes. 397 00:26:48,584 --> 00:26:53,626 And after that, usually the shellcode that include pushes, 398 00:26:53,626 --> 00:26:58,834 it pushes instruction value inside the stack. 
399 00:26:58,834 --> 00:27:02,584 So if you have a hundred pushes and then call to the stack, 400 00:27:02,584 --> 00:27:05,834 it simply it could be an encryption way or 401 00:27:05,834 --> 00:27:10,375 a shellcode encrypted and will describe all the shellcode 402 00:27:10,375 --> 00:27:16,999 in the stack and then (inaudible) it so we can detect something like this. 403 00:27:17,125 --> 00:27:21,999 Also, we have an instruction, an assembly instruction. 404 00:27:22,999 --> 00:27:25,959 But it is used very much with shellcodes 405 00:27:25,959 --> 00:27:30,417 because it detects where there are the shellcodes. 406 00:27:30,542 --> 00:27:35,083 So with all of these three ways, we can see that it seems 407 00:27:35,083 --> 00:27:42,459 the shellcode here, this assembly or this person name is suspicious. 408 00:27:43,918 --> 00:27:50,167 Then we skip some invalid instructions, some of these instructions in and 409 00:27:50,167 --> 00:27:56,083 out and all of this are related to devices and used in kernel, used 410 00:27:56,083 --> 00:28:01,626 by device drivers, not used by normal applications. 411 00:28:02,083 --> 00:28:06,083 Some instructions has unknown behavior, some crazy things 412 00:28:06,083 --> 00:28:08,083 into assembly. 413 00:28:08,876 --> 00:28:13,334 But we skip all of the instructions if we found them, so the shellcode 414 00:28:13,334 --> 00:28:16,459 if we found the shellcode has this instruction, 415 00:28:16,459 --> 00:28:19,459 it seems corrupted or something. 416 00:28:19,959 --> 00:28:22,999 And then we do some flow analysis. 417 00:28:23,417 --> 00:28:27,417 Simply if you have a loop, the loop should have 418 00:28:27,417 --> 00:28:33,751 if it saves something in the stack, it should give the value that it saves 419 00:28:33,751 --> 00:28:39,959 in the stack because stack is like it is like a cup of water. 420 00:28:39,999 --> 00:28:42,626 You add to it and then you take from it. 
421 00:28:42,626 --> 00:28:46,083 So you can't fill it until it overflows. 422 00:28:46,083 --> 00:28:50,999 You just you need to add to it and then take what you added. 423 00:28:50,999 --> 00:28:53,083 So if you have a loop, you should have push 424 00:28:53,083 --> 00:28:55,667 and pop you should have something added 425 00:28:55,667 --> 00:28:58,167 in the stack and another instruction take 426 00:28:58,167 --> 00:29:01,417 from the stack so we check on this. 427 00:29:02,375 --> 00:29:09,876 We check on, compare jumps, and we check for malware bytes. 428 00:29:10,959 --> 00:29:15,751 After I designed this shellcode and after I wrote it, 429 00:29:15,751 --> 00:29:20,626 I tested some false positives and some real shellcodes 430 00:29:20,626 --> 00:29:22,918 in Metasploit. 431 00:29:22,918 --> 00:29:29,375 For the false positives, I detect that 4% of the shellcodes, 432 00:29:29,375 --> 00:29:35,792 4% of junk data, it detected as a shellcode. 433 00:29:36,918 --> 00:29:42,918 It's not a very high level of false positives, but not few. 434 00:29:44,501 --> 00:29:47,626 It detects all Metasploit shellcodes. 435 00:29:47,999 --> 00:29:52,834 It can detect the (inaudible) for shellcodes. 436 00:29:54,334 --> 00:29:58,792 But actually manual evasion is still possible.
437 00:29:59,999 --> 00:30:04,999 ROP chain, it is simply return oriented programming, 438 00:30:04,999 --> 00:30:10,042 and as you can see, it is simply when there is some, 439 00:30:10,042 --> 00:30:15,334 mitigation windows in execution prevention, to prevent 440 00:30:15,334 --> 00:30:22,167 the users from prevent any data sent as username or something like this 441 00:30:22,167 --> 00:30:27,209 to be executed, so some people try to return inside 442 00:30:27,209 --> 00:30:33,000 the application itself and try to find very few instructions 443 00:30:33,000 --> 00:30:40,083 after these instructions are return instruction and to make a call return 444 00:30:40,083 --> 00:30:43,999 or return some instructions. 445 00:30:43,999 --> 00:30:45,667 And then the return to other instructions 446 00:30:45,667 --> 00:30:49,626 inside the shared code section in the application and another 447 00:30:49,626 --> 00:30:52,999 and another and collects these small pieces to create 448 00:30:52,999 --> 00:30:57,667 a working shellcode from the code of the application. 449 00:30:58,584 --> 00:31:02,167 So it can bypass an execution detection and it can have 450 00:31:02,167 --> 00:31:04,709 a working shellcode. 451 00:31:05,083 --> 00:31:08,167 We detect all of them easily. 452 00:31:08,501 --> 00:31:12,167 We check if the address is we check if the address 453 00:31:12,167 --> 00:31:15,626 is in the executable module. 454 00:31:15,626 --> 00:31:20,083 We check the return address, the return of the call or not, and 455 00:31:20,083 --> 00:31:22,083 all of this. 456 00:31:22,083 --> 00:31:23,083 Okay.
457 00:31:24,999 --> 00:31:29,999 For the stack mitigations, we detect we have a mitigation 458 00:31:29,999 --> 00:31:35,542 in (inaudible) switching and it is simply we detect that there 459 00:31:35,542 --> 00:31:41,375 is a return to a Windows API, the Windows functions or Windows API 460 00:31:41,375 --> 00:31:46,667 are some functions created by Windows tool to do some stuff 461 00:31:46,667 --> 00:31:52,083 like creating a new process or something like this. 462 00:31:52,083 --> 00:31:56,709 We will check if there is a call to it or if it is a return to this call. 463 00:31:56,709 --> 00:32:00,999 If there is a return to this API, it seems return oriented programming 464 00:32:00,999 --> 00:32:03,501 or it seems an attack. 465 00:32:06,334 --> 00:32:09,417 We talk about return robot attack. 466 00:32:09,999 --> 00:32:14,667 Most of this type of attack vector, what they do to bypass 467 00:32:14,667 --> 00:32:19,999 the exploit detection system, they create some pieces of robot text 468 00:32:19,999 --> 00:32:22,167 or ROP objects. 469 00:32:23,999 --> 00:32:29,999 These piece of code call to VirtualProtect API. 470 00:32:30,167 --> 00:32:34,834 VirtualProtect can make the stack executable so 471 00:32:34,834 --> 00:32:40,709 they can use the ROP objects to make the username that I entered 472 00:32:40,709 --> 00:32:43,999 as a shellcode or the shellcode 473 00:32:43,999 --> 00:32:48,751 inside my username become executable so I can return 474 00:32:48,751 --> 00:32:54,876 to the shellcode and bypass the execution prevention. 475 00:32:54,918 --> 00:33:01,083 So what we do is we hook the calls to the system. 476 00:33:01,334 --> 00:33:07,167 There is a kernel mode that includes the Windows device drivers. 477 00:33:07,167 --> 00:33:08,999 And the process the process connects 478 00:33:08,999 --> 00:33:13,751 to the Windows kernel mode using an instruction sysenter.
479 00:33:13,959 --> 00:33:19,751 We are working here and do stack back tracing, check every caller to this 480 00:33:19,751 --> 00:33:24,167 to sysenter, check the caller to sysenter and the caller 481 00:33:24,167 --> 00:33:30,083 to the caller until we reach if there is a call from the application 482 00:33:30,083 --> 00:33:37,999 to this API or if there is no callers or if it is return oriented programming. 483 00:33:38,959 --> 00:33:41,999 Actually, in Windows 62, this is dehooking. 484 00:33:41,999 --> 00:33:45,167 But in Win64, we don't we can't create device drivers 485 00:33:45,167 --> 00:33:48,209 that unhook this dehooking. 486 00:33:48,542 --> 00:33:54,167 So we hook the Windows emulator, we can hook any function calling 487 00:33:54,167 --> 00:34:00,667 to the kernel mode, sysenter and something like this. 488 00:34:00,999 --> 00:34:07,999 We hook VirtualProtect and all of this protection APIs and 489 00:34:07,999 --> 00:34:14,999 the creating process should execute an application. 490 00:34:14,999 --> 00:34:18,999 So I can connect the (inaudible). 491 00:34:18,999 --> 00:34:23,083 We hook the functions that will create a socket connected 492 00:34:23,083 --> 00:34:25,334 to the Internet. 493 00:34:29,501 --> 00:34:35,083 What we do exactly after we do the backtracing and reach the call 494 00:34:35,083 --> 00:34:41,834 to this application, call to this API in the application, we check this call 495 00:34:41,834 --> 00:34:47,959 is really a call to this API or if it is a fake return address created 496 00:34:47,959 --> 00:34:50,209 by the attacker. 497 00:34:50,209 --> 00:34:55,417 We do some checks like we check if there is a call to the API or not. 498 00:34:55,459 --> 00:34:57,584 We check the parameters. 499 00:34:58,999 --> 00:35:05,083 The parameters are created by this API caller. 500 00:35:05,999 --> 00:35:09,999 Application called the API with this parameter or not. 501 00:35:09,999 --> 00:35:11,417 We will see this again.
502 00:35:11,501 --> 00:35:19,292 We check if the application itself has a call to the function that calls 503 00:35:19,292 --> 00:35:21,584 to the API. 504 00:35:21,584 --> 00:35:22,999 We check other things. 505 00:35:23,999 --> 00:35:27,876 And after that, we give a score to the API. 506 00:35:27,876 --> 00:35:29,999 Yeah, that's a call to the API or not. 507 00:35:33,584 --> 00:35:40,083 We check on different types of calls to see if there is really a call to the API. 508 00:35:41,334 --> 00:35:44,834 We check the parameters. 509 00:35:44,999 --> 00:35:52,083 If there is a reconnaissance parameter, the process give it to the API. 510 00:35:55,709 --> 00:35:58,292 It gives the name of the process. 511 00:35:58,999 --> 00:36:03,083 Create process it has a CreateProcess API and it gives CreateProcess 512 00:36:03,083 --> 00:36:07,584 API a parameter, a specific application and attacker try 513 00:36:07,584 --> 00:36:13,083 to use this part of the code and try to give it another parameter. 514 00:36:13,083 --> 00:36:14,999 We can detect something like this. 515 00:36:16,999 --> 00:36:18,876 Let's see the demo. 516 00:36:43,375 --> 00:36:45,209 Anyone see anything? 517 00:36:50,999 --> 00:36:56,292 Simply we begin by we have Firefox API, 518 00:36:56,292 --> 00:37:05,209 Firefox application and we try to we try to hook this API and hook 519 00:37:05,209 --> 00:37:14,792 the Firefox and check if we run an application using Firefox, if there 520 00:37:14,792 --> 00:37:20,250 is a real call to this API or not. 521 00:37:20,250 --> 00:37:24,999 Is it really Firefox who runs this application or if it 522 00:37:24,999 --> 00:37:28,626 is a fake call or something? 523 00:37:28,918 --> 00:37:33,999 We first hooked the application, and then we here clicked 524 00:37:33,999 --> 00:37:37,918 on an application on Firefox. 525 00:37:37,918 --> 00:37:42,667 So we forced Firefox to execute an application or create a process.
526 00:37:42,751 --> 00:37:47,709 And then we check on the parameters of this. 527 00:37:47,709 --> 00:37:49,999 I don't see the video but no problem. 528 00:37:49,999 --> 00:37:51,334 We check the parameters. 529 00:37:51,334 --> 00:37:52,876 We check on the (inaudible). 530 00:37:52,876 --> 00:37:55,459 We do some stack back tracing and check on the call stack 531 00:37:55,459 --> 00:37:57,999 and check on the parameters. 532 00:37:58,125 --> 00:38:00,125 We check the score. 533 00:38:00,125 --> 00:38:05,334 And we saw the score is 2, so it's a normal call. 534 00:38:07,083 --> 00:38:10,542 And then I don't think see anything. 535 00:38:14,292 --> 00:38:15,501 Okay. 536 00:38:28,417 --> 00:38:33,999 I made a vulnerable application, small vulnerable application which not 537 00:38:33,999 --> 00:38:36,709 call to ShellExecute. 538 00:38:36,709 --> 00:38:40,083 It gives an input and return to ShellExecute. 539 00:38:40,083 --> 00:38:43,083 So I tested it. 540 00:38:47,542 --> 00:38:51,584 I run the application and it's vulnerable. 541 00:38:51,999 --> 00:38:55,375 It gives the message in the call in the code. 542 00:38:55,792 --> 00:38:59,375 And then it should return to ShellExecute which executes 543 00:38:59,375 --> 00:39:01,125 a function. 544 00:39:01,292 --> 00:39:03,167 So we'll check this. 545 00:39:03,792 --> 00:39:07,709 And it detected there is no call. 546 00:39:07,834 --> 00:39:13,459 And it detects there is an attack and gives a high score, 547 00:39:13,459 --> 00:39:17,375 so it can stop this attack. 548 00:39:17,876 --> 00:39:20,209 And then we have a (inaudible) mitigation. 549 00:39:20,709 --> 00:39:25,501 We simply check instruction exception handle something working fine. 550 00:39:25,834 --> 00:39:29,125 And then we have some mitigations for heap. 551 00:39:30,334 --> 00:39:34,083 We detect a heap overflow, heap spray, use-after-free.
552 00:39:37,083 --> 00:39:43,209 We hook the global look the function that looks in the heap, 553 00:39:43,209 --> 00:39:45,999 runs all of this. 554 00:39:45,999 --> 00:39:51,375 And we detect that we add some cookies in allocated buffer and try 555 00:39:51,375 --> 00:39:57,999 to detect if there is an overflow to this buffer in the heap or not. 556 00:39:58,083 --> 00:40:01,918 And for heap spray, we try to detect there 557 00:40:01,918 --> 00:40:06,417 is a large memory allocation in a very small time 558 00:40:06,417 --> 00:40:12,334 from the same module and try to stop this heap spray or risk 559 00:40:12,334 --> 00:40:14,792 for ROP chain. 560 00:40:14,792 --> 00:40:16,667 If we find the shellcode and ROP chain inside, it 561 00:40:16,667 --> 00:40:18,792 is simply heap spray. 562 00:40:23,167 --> 00:40:25,999 We detect there is a (inaudible). 563 00:40:26,459 --> 00:40:29,918 If there is a class including some pointers 564 00:40:29,918 --> 00:40:35,250 or creating something in the vtable, we try to make this buffer freed 565 00:40:35,250 --> 00:40:37,751 after we delay it. 566 00:40:37,792 --> 00:40:43,167 So we can stop any use-after-free. 567 00:40:44,459 --> 00:40:47,999 And then we have the scoring system. 568 00:40:47,999 --> 00:40:49,792 We described the scoring system. 569 00:40:49,876 --> 00:40:53,375 We stop all types of attack using our scoring system 570 00:40:53,375 --> 00:40:59,709 which I check the payload and the attacking vector and all of this. 571 00:40:59,999 --> 00:41:05,999 And then if we didn't find it's a real attack, we can at least mark it 572 00:41:05,999 --> 00:41:10,999 as suspicious and give it to the bad news trader. 573 00:41:11,250 --> 00:41:13,751 We have the monitoring system. 574 00:41:13,918 --> 00:41:17,667 The monitoring system will check if all of our mitigations were bypassed. 575 00:41:17,667 --> 00:41:18,999 We check the memory.
576 00:41:21,501 --> 00:41:24,751 Check if there is executable place in the stack, if there 577 00:41:24,751 --> 00:41:27,999 is an executable place in heap, if there is an execute place 578 00:41:27,999 --> 00:41:31,709 in memory (inaudible) or something suspicious. 579 00:41:31,709 --> 00:41:33,959 We search for ROP chains in the memory and shellcodes and 580 00:41:33,959 --> 00:41:35,751 all of this stuff. 581 00:41:35,751 --> 00:41:37,999 We check if there is a thread running 582 00:41:37,999 --> 00:41:42,999 outside running outside the memory and all of this. 583 00:41:42,999 --> 00:41:45,125 What we are planning for, we are planning 584 00:41:45,125 --> 00:41:49,667 to create for any company a central server which gets 585 00:41:49,667 --> 00:41:53,209 all the logs from the exploit detection system 586 00:41:53,209 --> 00:41:57,375 applications inside the clients inside the company so 587 00:41:57,375 --> 00:42:01,876 they can get information from all of this detect, if this 588 00:42:01,876 --> 00:42:07,459 is a suspicious action that happens on all of their clients. 589 00:42:09,834 --> 00:42:12,167 Also correlating all this information 590 00:42:12,167 --> 00:42:15,999 with the intrusion detection system and all of the tools, 591 00:42:15,999 --> 00:42:19,834 they can create a timeline of an attack. 592 00:42:19,834 --> 00:42:22,542 They can detect there is an attack and contain it. 593 00:42:23,999 --> 00:42:26,999 That's the future work. 594 00:42:33,999 --> 00:42:38,999 Development, it is based on security session development. 595 00:42:38,999 --> 00:42:42,999 It is a development (inaudible) I already created. 596 00:42:43,751 --> 00:42:46,999 Until now, it is in three contributors. 597 00:42:47,083 --> 00:42:51,999 It simply is in C++, it is for Windows right now. 598 00:42:52,083 --> 00:42:58,334 And we couldn't include the version Linux and version bison. 599 00:43:01,083 --> 00:43:03,999 (inaudible) for writing security tools.
600 00:43:03,999 --> 00:43:08,667 This development framework includes a bunch of security tools inside it. 601 00:43:09,459 --> 00:43:14,584 It includes BE and (inaudible), including Android BRSA. 602 00:43:14,876 --> 00:43:18,751 It includes for static analysis a full assembler and disassembler 603 00:43:18,751 --> 00:43:21,999 engine and the (inaudible) server. 604 00:43:22,292 --> 00:43:24,792 It includes some wildcard scanning. 605 00:43:26,417 --> 00:43:31,125 It has dynamic scanning, full process analysis, debugger, 606 00:43:31,125 --> 00:43:38,626 full debugger and later it includes full behavior dehooking and all of this. 607 00:43:42,999 --> 00:43:46,250 Simply, you can build your application using it. 608 00:43:46,250 --> 00:43:49,999 It will you will not waste your time if you have an idea and you need 609 00:43:49,999 --> 00:43:51,999 to implement it. 610 00:43:51,999 --> 00:43:53,626 You will not waste your time. 611 00:43:54,751 --> 00:43:58,083 You can use the SRDF and don't waste your time 612 00:43:58,083 --> 00:44:04,209 in creating and reinventing the wheel and creating all of the tools. 613 00:44:06,083 --> 00:44:10,751 We have packet capturing decision analysis and all of this. 614 00:44:11,999 --> 00:44:15,999 I will talk about it in details in Virus Bulletin. 615 00:44:17,918 --> 00:44:20,083 Just join us. 616 00:44:20,584 --> 00:44:23,999 That's the GitHub version. 617 00:44:24,292 --> 00:44:26,918 Join SRDF or use it. 618 00:44:32,250 --> 00:44:34,709 You can reach us for exploit detection system 619 00:44:34,709 --> 00:44:37,542 if you want to support this idea, if you have feedback, 620 00:44:37,542 --> 00:44:39,999 if you have any questions. 621 00:44:39,999 --> 00:44:47,999 If you have anything, just email me or send me on Twitter or anything. 622 00:44:49,999 --> 00:44:51,584 That's it. 623 00:44:51,584 --> 00:44:55,292 EDS, exploit detection system, in my opinion, it is a new era.
624 00:44:58,459 --> 00:45:01,751 All people should jump into something like this. 625 00:45:01,999 --> 00:45:06,417 That's the new technology which can stop the (inaudible) attacks. 626 00:45:06,584 --> 00:45:08,250 Join us. 627 00:45:08,417 --> 00:45:09,417 Thank you. 628 00:45:09,417 --> 00:45:11,918 (applause) AMR THABET: We can talk outside. 629 00:45:11,918 --> 00:45:16,626 Thank you.