Dan Griffin's Blog
Comments on security, PKI, smart cards, cryptography, and entrepreneurship.
Catch my talk at ToorCon
August 30, 2007
SecPE Tool Now Available
August 28, 2007
1. SafeSEH - the Safe Exception Handler table, which I explained here - http://jwsecure.com/dan/2007/07/the_safe_exception_handler_tab_1.html.
2. GS - this switch for the Visual C++ compiler is explained here - http://msdn2.microsoft.com/en-us/library/aa290051(vs.71).aspx. Anyone know what GS stands for? I suppose "Guard Stack".
Why did we call it SecPE? It stands for Secure Portable Executable (http://en.wikipedia.org/wiki/Portable_executable).
Some light national security reading
August 15, 2007
http://hotair.com/archives/2007/07/16/a-pilot-on-airline-security/
http://www.schneier.com/interview-hawley.html
Good introduction to SIP
August 13, 2007
That is, Session Initiation Protocol, a foundation of IP telephony - http://acmqueue.com/modules.php?name=Content&pa=showpage&pid=465.
Purdue Univ. has a cool project in which VMware images and a host of test PCs are available for research of potentially destructive software (examples given include malware and new network protocols). Intro is here - http://projects.cerias.purdue.edu/reassure/index.html.
Researching WiX
August 12, 2007
WiX is the abbreviation for the Windows Installer XML toolset, which has become a convenient way to create MSI installers. (WiX was also a fairly high-profile foray by Microsoft into the open source development world, although that hype appears to thankfully have died down.)
Anyway, I’m working on an article about WiX right now, having recently used it for some client work and been impressed. The toolset and schema require some ramp-up, but after that I found it to be concise and straightforward. Some helpful references:
WiX schema documentation - http://wix.sourceforge.net/manual-wix2/wix_xsd_index.htm
Integrating WiX with driver installation - http://msdn2.microsoft.com/en-us/library/ms790289.aspx
The obligatory Wikipedia page, which is actually a good introduction - http://en.wikipedia.org/wiki/Windows_Installer
I’ve been traveling more than usual for the past year or so, enjoying some of the better-known security conferences. Overall, I’ve had a great experience, and the professional networking opportunities have been excellent. Still, it’s nice to be able to prioritize, and it’s difficult to hit all of the top-tier cons, even in two years. Anybody have any recommendations about which security cons are the best?
Here are the ones I’m familiar with:
I’ve been told that these are good:
http://www.toorcon.org/intro.php
http://conference.hackinthebox.org/
Some lists of others:
http://www.ieee-security.org/Calendar/cipher-hypercalendar.html
CardAcquireContext needs to be a dll export
August 7, 2007
Just ran into an interesting compatibility issue between SmartUtil (http://www.jwsecure.com/downloads.html) and a smart card minidriver under development. I suppose this is also at least partially due to the needlessly confusing way that Visual Studio handles dll exports.
In summary, CardAcquireContext (http://msdn2.microsoft.com/EN-US/library/aa375757.aspx) must be exported (un-mangled) from the minidriver dll. No big problem there. The challenge in building with Visual Studio is that the cardmod.h header (which is available via the CNG SDK, not the primary Windows SDK; there’s another Frequently Asked Question), like the majority of the Windows public headers, doesn’t use the __declspec(dllimport/dllexport) attributes. Thus - although I haven’t tried this personally - attempting to adorn a CardAcquireContext implementation with __declspec(dllexport) will probably result in a build failure, since it conflicts with the header.
The particular compatibility issue occurred when, as a workaround, the developer modified the function declaration in cardmod.h to use __declspec(dllexport). More importantly, he also happened to drop the calling convention (i.e. WINAPI). The net result was that, during testing, CardAcquireContext would return 0 (success) but, under the covers, SCardUIDlgSelectCard would fail. Thus, SmartUtil would report an error.
The moral of the story is that, in most cases, and always in this one, you should use a .def file to define your exports. A typical minidriver should have three - CardAcquireContext, DllRegisterServer, and DllUnregisterServer. But the latter two are optional. Anyway, this approach fixed the issue above.
One final editorial note: in my opinion, exposing the other minidriver/CARD_DATA interface routines via dll export is an implementation bug, since they’re only supposed to be accessible via function pointers. But perhaps that’s a debate to be had over beers after hours …
CNG SDK download - http://www.microsoft.com/downloads/details.aspx?familyid=1ef399e9-b018-49db-a98b-0ced7cb8ff6f&displaylang=en.
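A build-time check for the export advice above, as an added example (not code from SmartUtil or any minidriver): it reads an export listing and flags a decorated or mangled CardAcquireContext and any export beyond the three named in the post. It assumes the listing is in the layout printed by `dumpbin /exports` and that decoration follows the x86 `_Name@N` stdcall form; the function names `export_names`, `undecorate` and `audit` are hypothetical.

```python
import re

# Exports the post names for a typical minidriver; the Dll* pair is optional.
REQUIRED = {"CardAcquireContext"}
ALLOWED = REQUIRED | {"DllRegisterServer", "DllUnregisterServer"}

# Constructed listing in the `dumpbin /exports` layout (not from a real driver).
SAMPLE = """\
    ordinal hint RVA      name

          1    0 00001000 CardDeleteContext
          2    1 00001040 DllRegisterServer
          3    2 00001080 _CardAcquireContext@8
"""

# ordinal, hint, 8-hex-digit RVA, then the exported name
ROW = re.compile(r"^\s*\d+\s+[0-9A-Fa-f]+\s+[0-9A-Fa-f]{8}\s+(\S+)")

def export_names(listing):
    """Return the exported names found in a dumpbin-style listing."""
    matches = (ROW.match(line) for line in listing.splitlines())
    return [m.group(1) for m in matches if m]

def undecorate(name):
    """Strip x86 __stdcall decoration (_Name@N); None means C++-mangled."""
    if name.startswith("?"):
        return None
    m = re.fullmatch(r"_(\w+)@\d+", name)
    return m.group(1) if m else name

def audit(listing):
    """Return (problem, name) pairs for exports that break the post's advice."""
    names = export_names(listing)
    findings = []
    for name in names:
        base = undecorate(name)
        if base is None:
            findings.append(("mangled", name))
        elif base != name and base in ALLOWED:
            findings.append(("decorated", name))
        elif name not in ALLOWED:
            findings.append(("unexpected", name))
    findings += [("missing", req) for req in sorted(REQUIRED - set(names))]
    return findings

if __name__ == "__main__":
    for problem, name in audit(SAMPLE):
        print(f"{problem:10} {name}")
```

With a .def file the exported name is plain whatever the calling convention, so this check does not replace keeping WINAPI on the implementation.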
Highlights of BlackHat/DefCon 2007
August 5, 2007
This year having been my first visit to either BlackHat or DefCon, I must say I was disappointed by the former. After all, BlackHat is so much more expensive than DefCon. I was also surprised (although shouldn’t have been, in retrospect) to find that many of the speakers simply repeat their presentations at both. That said, the professional networking opportunities at BlackHat were first-rate, and I ran into some colleagues that I hadn’t seen in a while.
The best presentation of the whole lot was given by Dark Tangent (aka Jeff Moss, organizer of both Cons) at DefCon - http://defcon.org/html/defcon-15/dc-15-speakers.html#DT. Entitled Ciscogate (do a web search for that term and you’ll find various accounts of the story), he recounted the saga of two years ago wherein BlackHat, Cisco, and ISS were involved in a legal battle over responsible disclosure of a flaw in IOS. And this all went down during the time that Jeff was actively courting buyers for BlackHat (CMP, the eventual buyer, must not have been too scared). Anyway, Dark Tangent is a heck of a speaker - very entertaining - and I hope to catch him again.
The second-best presentation of the week was also at DefCon: Ben Kurtz (http://defcon.org/html/defcon-15/dc-15-speakers.html#Kurtz) presented a fuzzer called Funk (http://sourceforge.net/projects/funk/), implemented in the Scheme programming language! Actually, the Wikipedia entry for the underlying Scheme implementation used by Funk - called Chicken <http://en.wikipedia.org/wiki/Chicken_(Scheme_implementation)> - does at least a partial job of explaining why any talk involving that language is bound to be cool.
However, I subsequently learned that I actually missed what was probably the best fuzzing presentation of the week. At BlackHat, Pedram Amini (http://www.blackhat.com/html/bh-usa-07/bh-usa-07-speakers.html#Amini) presented the Sulley fuzzing framework. More info is available here - http://www.fuzzing.org/2007/08/02/sulley-fuzzing-framework-release/. I can’t write about it in detail, since I didn’t see the talk and the tool only got posted a day or two ago, but it’s apparently quite advanced.