Highlights of Xcon 2009

Wednesday, November 25, 2009 at 7:01am by Bing Sun

This is my fourth time attending Xcon (the Xfocus Information Security Conference), and the third time as a speaker. Xcon is the biggest and most influential nongovernmental computer security technical conference in China. Actually for most Chinese security researchers it’s not only a technical event, but also a big party where they can meet old friends, make new friends, and communicate their ideas among a group of security technical geeks.

Xcon 2008 was postponed to November due to the Olympic Games in Beijing; thus the turnout was smaller than usual. Xcon 2009, on August 18-19, was held as expected; but as a consequence of the global economic crisis, I was not able to see many acquaintances, especially some of my foreign friends. Luckily I still met Tomas Lim, Vangelis, and Kana again. They are all well-known organizers of other security conferences, at which I have had the honor to be invited to speak.

This year, there were ten talks in total, which covered almost all the hot topics of computer security (listed below) though there was only one track. The world-famous security researcher Kris Kaspersky was supposed to speak on Linux Rootkits topics, but he didn’t make it due to visa issues. My presentation was the last on the first day, and the presentation was “Go Deep Into The Security of Firmware Update,” which primarily focused on security concerns on firmware updates of various PC components, including system BIOS, embedded controllers in notebooks, Intel AMT, etc. Basically the talk went well, although the demo section had problems because the big LCD projector couldn’t display the BIOS Power-On Self-Update process that was shown on my screen. It worked once the OS kernel and appropriate drivers were loaded, which I didn’t think about beforehand. Interestingly, someone told me this can probably be resolved by pressing a hot key during the BIOS boot phase.

Presentation Topic Statistics:
Vulnerability/Exploit: 4
Web-Based Security: 2
Firmware/Hardware: 2
Cryptography: 1
Virtualization: 1

There were many honourable mentions in this year’s Xcon, but one of my favorites was the Hardware and Virtualization topic. The presenter, Nguyen Anh Quynh (a Vietnamese researcher who works for AIST Japan), presented for the second time at Xcon, this time talking about VM security in “Detecting Rootkits Inside Virtual Machines.” He ran a new rootkit detector tool called eKimono inside a VM (Xen’s Dom0) and scanned the memory of the guest VM for suspicious things.

This talk brought another recent VM session to mind, a Syscan talk “SADE: Injecting Agents into VM Guest OS,” by Matt Conover. It looks like VM technology as a defensive means is becoming more common than talking about how to exploit VM technology. (One such topic was the super-hot “Virtualized Rootkits” session in the last two years). Antiy Lab’s talk “Rediscovery on the Attack of Equipment and Signal” was also popular; the presenters did a live show on how to remotely intercept and decrypt the keystroking signals emitted by a wireless keyboard device. I can still remember their Xcon 2008 presentation about physical attacks. They demonstrated how to execute arbitrary code by inserting a USB device into a victim’s machine with AutoPlay functionality disabled. While the theory behind it was not disclosed, they declared this is definitely not achieved by physical memory modification through a device’s bus mastering DMA operation. As far as I know, unlike Firewire (1394), which is an Expansion Bus Architecture, USB doesn’t have such a capability.

I missed some web-based security talks since I’m not so keen on scripts. (I’m a binary guy :) ) But I listened carefully to FunnyWei’s “Abnormity Usability Analysis” and Wang Tielei’s “Integer Overflow Vulnerability Auto-Mining,” especially the one by Dr. Wei, who developed a kind of prototype tool that can help in tracking the controllable data and execution flow which would aid in analyzing the usability of an abnormal situation.

One thing I noticed this year was that most topics focused on vulnerability mining or analyzing, but there was no talk directly dealing with exploiting vulnerabilities, such as the most popular and expected topic “Memory Protection Bypassing on Windows 7.” I remember that Alexander Sotirov gave such a speech targeting Windows Vista at last year’s event, and I hope there will be some breakthrough in this field in the coming year.

Looking forward to seeing you at xKungFoo 2009, in Beijing.


Comments (1)

  • Matt Conover December 4, 2009 4:22PM

    Let’s also remember Bing Sun’s great VM talk from Xcon 2006, “The Application of the Virtual Machine Technique Under x86 On Security Field.” He was far ahead of me :)