Shostack + Friends Blog Archive


Blue Hat Report

The other thing I did at Microsoft last week was I participated in Blue Hat. Microsoft invites a selection of interesting researchers to come to Redmond and present a talk to a variety of people within the company. Blue Hat is organized by Kymberlee Price, who works with Andrew Cushman, and they did a great job as hosts.

Thursday was the executive sessions, speakers gave truncated versions of their talks, once in the morning, and once in the afternoon. There were a very senior group of folks in the room, up to people like Jim Allchin, Brian Valentine, and a lot of other names that I recognized, but don’t remember.

Andrew Cushman did a great job of framing the talks, explaining why they were selected, and the reasons that they were important. The audience was engaged, and a couple of times, people turned and asked “Why do we do that?” of the person responsible for a feature that was being (ahem) presented in a new light.

The speakers, myself, and Dan Kaminsky got to have a lunch session with Jim Allchin, and a few other Microsoft folks. Jim talked about new features in upcoming products, and got our thoughts on how Microsoft is doing, and how they could do better.

There’s lots more after the break.

The speakers were:

  • Dave Maynor of ISS talked about “You are the Trojan,” in which he discussed patterns of research, some issues with things like direct memory access.
  • Matt Miller, of Metasploit gave a talk “Temporal Chronomancy.” He discussed how various counters are sometimes interpretable as universal instructions. Very cool.
  • Vinnie Liu (also with Metasploit) talked about the Metasploit’s anti-forensics project. One tidbit he shared was that by changing the extension of a text file to .exe, and the first two bytes to “MZ,” a leading forensics tool would see it as an executable. We learned a few minutes later that MZ, the fellow who used his initials as the first bytes of an executable, was in the room with us, and we had some great conversations with him in the hallway later.
  • yrg and Jussi of Toolcrypt presented “Reinforcing the TCB.” Yrg explained to me that he and Jussi are sensitive about where details go. I’m going to respect their desire for privacy, and simply say it was slick implementations of things we’ve all known to be possible.
  • Brett Moore, of Security Assessment presented SBDA, “Same Bug, Different App,” reinforcing the point that code has patterns, and that the bad guys search for those patterns as new issues are revealed.

Many of the speakers spent time discussing their attacks with the people who wanted to fix them, talking about what changes would be effective, how a new attack might get around a defense. While patch and penetrate is not security engineering, learning from attackers certainly is part of that engineering process.

Each of these talks was given in a longer version on Friday. Before we get there, I’ll mention two other bits: tours of both the Windows build lab, and a really good presentation about the sustaining engineering lab and processes. I have an ongoing interest in patch quality, and got to meet the people who build and ship the hotfixes, and hear lots about their process. John, I hope you get to put that stuff on the web soon.

Friday, we were in what I understand is Microsoft’s largest conference room, and the speakers gave longer, more detailed versions of their talks. Most of the speakers spent most of the day in the speaker lounge, so Microsoft’s employees could discuss what they were hearing without worrying they were going to be quoted here. (Although only once or twice did anyone in earshot of me say that they weren’t comfortable answering a question, and only once did someone get really worked up about an attack. Lots of Microsoft folks gave very deep explanations of why things work the way they do, and the tradeoffs they made.)

At the close of Friday’s session, Dan Kaminsky and I joined the other speakers for a panel discussion with lots of audience questions. We had a lot of panelists, which made for somewhat challenging panel management, and a few of us ended up talking more than others. In a day or two, I’m going to reprise and expand on one of my answers, about separation of code and data.

That evening…well, lets just say, darling, you looked great in aluminum foil, and God Save the Queen!

PS: The New York Times has a report in “At Microsoft, Interlopers Sound Off on Security.” Pete Lindstrom has some comments in “Microsoft’s Blue Hat

[Update: Slashdot has an article, “Microsoft Consults Ethical Hackers at Blue Hat, too.]