ToorCon 9 - Day 0 and 1
This weekend I was in San Diego, California for ToorCon 9 and had an absolute blast. On Friday, I had checked out the USS Midway Aircraft Carrier Museum and enjoyed listening to veterans recount fascinating experiences on the ship during the war. I took the morning to “experience” the city, something I have tried doing while attending conferences. It sucks to travel to various cities around the country and not get the chance to visit local landmarks and famous sites.
While I was out and about around the city, Dre was doing his seminar talk on Continuous Prevention Testing. Stay tuned for an upcoming blog post from Dre soon that goes over the main points of his talk. I was lucky enough to catch Charlie Miller’s seminar talk on Real World Fuzzing. It was a great presentation, and since fuzzing is still new to me, I was able to see the why, what and how aspects of it. There was a lot of talk about code coverage with fuzzing, which is interesting given the recent web application scanner code coverage review done by Larry Suto, which reported NTOSpider as being best because it can crawl more links in default mode. Dre will also have some more commentary about Charlie’s talk and Larry Suto’s review as well.
On Saturday, I went to Jason Medeiros’ talk, “The Last Stand: 100% Automatic 0day, Achieved, Explained, and Demonstrated.” Jason wrote a tool that is a debugger, heap analyzer, and fuzzer all in one that automagically generates a C exploit. It was pretty awesome; I think he wrote over 80,000 lines of code and spent an entire year doing it. A couple of people are skeptical about his demo though, stating it could have been tailored with his demo application.
Afterwards, several of us went out to eat for seafood and sushi. I tried sushi for the first time and well.. now I know I definitely do not like it. LOL. Thanks Erich for letting me try some. Following dinner, we went to the Microsoft-sponsored party at Olé Madrid down on Gaslamp, which was pretty good. Pretty much everyone in security was there, and then again at the ninja party.
That’s it for Friday and Saturday… next blog post from me will cover Sunday’s talks.
Update 10/26: Toorcon 9 - Day 2 has been posted

If you read Larry Suto’s paper, NTOSpider had zero false positives and found more valid bugs than the others. Coverage just seems to be something that people picked up, and they seem to ignore other facts from the report.
I read the paper, and I wished that Larry would have included more information. To me, the information doesn’t say anything because it doesn’t relate to how these applications are being used. Using a default scan mode on these applications is like owning a Vette and never taking it over 3000rpm.
Yeah, I’ve been getting a lot of skepticism lately about it. I had the code with me and was trying to show everyone how it’s completely modular and blah blah blah, but no one wanted to see code. Everyone was too occupied with drinking, so I just went along with that plan. Either way we’re planning a commercial release soon enough and instead of it just generating exploit source code, it generates multi-payload exploit modules that sit in an exploit list, which is usable for pentests (kinda like Core etc). It’s sweet. If you’re ever in San Diego and wanna come have a look, give me an email and we’ll go catch a beer or something. I’m always down to demonstrate for the non-believers. Hehe.
Cheers~
Jason