Donkey On A Waffle
Anti-Debugging Series Part II
Tue, 30 Dec 2008 12:17

I posted the second part in my anti-debugging series for the Zero In A Bit blog. This one goes over three of the easiest-to-implement API-based anti-debugging methods. Next week (I promise to finish this series quicker than one post per month) I will post on some more advanced API-based techniques.

Home | Tags: | Category: /infosec | Link

Slides Available
Tue, 30 Dec 2008 09:29

The slide deck and detailed information for Sotirov and Appelbaum's talk at 25C3 have been released. Get it here:

Creating a rogue CA certificate

Detailed explanation
Slides from the 25c3 presentation
Demo site (set your system date to August 2004 before clicking)

Is it Hype or is it Partial Disclosure
Mon, 29 Dec 2008 10:13

It looks like the partial disclosure monster may be back. This time Alex Sotirov, partner Jacob Appelbaum, and primarily the conference they are presenting at are (directly or indirectly) using the hype machine that is partial disclosure to generate buzz for their forthcoming speech at the 25th Chaos Communication Congress in Berlin. Apparently the talk is about an attack carried past the hypothetical and into the realm of the practical, one dangerous enough to "take down the Internet". At least this time it was only dropped a few days before the talk and not months in advance like previous hype machine instances. You may even say that this isn't partial disclosure at all and is merely a good PR tactic. However, I think that is a fine line to dance (when is it too early to put gasoline into the hype engine?).

When is it appropriate to start the hype machine for a 0-day speech, if at all? I can understand why the conference organizers went ahead and started to get the blogosphere buzzing, and I'm absolutely sure that Alex and Jacob's talk will live up to the hype, but whatever happened to the days of dropping the bomb at the talk on the day of? Isn't there a bit of a risk one takes when getting the pump primed a few days/months in advance? Doesn't it leave you open to lawsuits and other "stop the presses" types of action? In this instance the speculation only began a day or so before, but this could be the start of a trend that other conferences aren't able to execute as safely.

So I leave you with the following links and comments: couldn't we just have waited until your speech to talk about your speech? Either way, best of luck, gents! I for one am sufficiently hyped, and I can't wait to watch the live stream.


Native Client - If Only!
Tue, 09 Dec 2008 09:42

Google wrote an interesting paper (thanks Alex Sotirov for the pointer to it) on a new technology called "Native Client". From my understanding of the paper, Native Client is essentially a sandbox for native code to be run securely within a web browser. The paper claims to secure native code by using a dual sandbox approach. The inner sandbox uses static analysis to detect security defects in untrusted x86 binary code, while the outer sandbox limits access to only a whitelist of syscalls. To achieve these goals, the binary has to be compiled with a modified compilation suite that limits the opcodes, structurally aligns the binary, and modifies calls and jmps to support their sandbox techniques. Additionally, the binary cannot attempt to use unsupported syscalls, as they will fail.

So ... is this really native code being run in the browser or some sort of abomination of native code that can be statically analyzed for security defects while subverting the halting problem? Here is the paper.. read on and decide for yourself.
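To make the "statically analyzable native code" idea concrete, here is an added toy validator in the spirit of the inner sandbox described above. It is example code written for this post, not Google's verifier, and it works on pre-decoded instructions rather than raw x86 bytes. The rules it enforces are a simplified model of what the paper's approach implies: a restricted opcode set, fixed-size aligned bundles (the 32-byte size, the `and reg, -32` masking idiom, the "call must end a bundle" rule and the trampoline address are all assumptions), direct branch targets that must be instruction boundaries, indirect branches that must be masked to a bundle start, and no raw syscall instructions. The point is that once every control-flow target is either a known instruction start or a masked bundle start, the validator never has to reason about what the code does at runtime, which is how the halting-problem objection is sidestepped.

```python
"""Toy static validator modelled on a bundle-aligned x86 sandbox.

Added example, not Native Client's own verifier. Instructions are tuples
(offset, length, mnemonic, operand): operand is an int for a direct branch
target, a register name for an indirect branch, or a tuple for ALU ops.
"""

BUNDLE = 32            # assumed bundle size
ALLOWED = {"mov", "add", "sub", "and", "cmp", "jmp", "je", "call", "nop"}
BRANCHES = {"jmp", "je", "call"}
TRAMPOLINE = 0x10000   # constructed address of the only permitted syscall entry


def validate(instrs, code_size):
    """Return a list of (offset, reason) violations; an empty list means accepted."""
    starts = {off for off, _, _, _ in instrs}
    violations = []
    for i, (off, length, op, arg) in enumerate(instrs):
        # Rule 1: only the restricted opcode set (ret, syscall, int, ... are absent)
        if op not in ALLOWED:
            violations.append((off, f"disallowed instruction {op!r}"))
            continue
        # Rule 2: no instruction may straddle a bundle boundary, so decoding
        # from any bundle start always sees the same instruction stream
        if off // BUNDLE != (off + length - 1) // BUNDLE:
            violations.append((off, "instruction straddles a bundle boundary"))
        # Rule 3 (assumed): a call must end a bundle so its return address is aligned
        if op == "call" and (off + length) % BUNDLE != 0:
            violations.append((off, "call does not end at a bundle boundary"))
        if op in BRANCHES:
            if isinstance(arg, int):
                # Direct branch: target is known statically and must be an
                # instruction start inside the module (or the trampoline)
                if arg == TRAMPOLINE:
                    continue
                if arg not in starts or not (0 <= arg < code_size):
                    violations.append((off, f"direct target {arg:#x} is not an instruction start"))
            else:
                # Indirect branch: the register must be masked to a bundle
                # start by an immediately preceding 'and' in the same bundle
                prev = instrs[i - 1] if i > 0 else None
                masked = (prev is not None and prev[2] == "and"
                          and prev[3] == (arg, -BUNDLE)
                          and prev[0] // BUNDLE == off // BUNDLE)
                if not masked:
                    violations.append((off, f"indirect branch via {arg} is not masked to a bundle start"))
    return violations


# Constructed sample modules (offsets chosen to exercise each rule).
GOOD = [
    (0x00, 5, "mov", ("eax", 0x20)),
    (0x05, 3, "and", ("eax", -BUNDLE)),   # mask before the indirect jump
    (0x08, 2, "jmp", "eax"),
    (0x0a, 17, "nop", None),              # padding so the call ends the bundle
    (0x1b, 5, "call", TRAMPOLINE),        # whitelisted syscall entry
    (0x20, 2, "nop", None),
]

BAD = [
    (0x00, 5, "mov", ("eax", 0x21)),
    (0x05, 2, "jmp", "eax"),              # unmasked indirect jump
    (0x1e, 5, "call", 0x00),              # straddles 0x20 and does not end a bundle
    (0x23, 2, "syscall", None),           # raw syscall bypasses the outer sandbox
    (0x25, 2, "je", 0x26),                # jumps into the middle of an instruction
]

if __name__ == "__main__":
    for name, module in (("GOOD", GOOD), ("BAD", BAD)):
        result = validate(module, 0x40)
        print(name, "accepted" if not result else "rejected")
        for off, reason in result:
            print(f"  {off:#04x}: {reason}")
```

Running it accepts `GOOD` and rejects `BAD` with five findings. A real verifier additionally has to decode raw bytes, which is why the compiler must also avoid variable-length instructions that would decode differently from a mid-instruction entry point.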

Native Client Main Site

Native Client Research Paper


Anti-Debugging Series Part I
Fri, 05 Dec 2008 11:34

I also post at this blog: Zero In A Bit. Go read my first post in a series on anti-debugging for developers. Feel free to comment or email me on the topic.
