Facebook

The keynote was quite entertaining mainly because it used references to the Greek and Babylonian mythology but on the other side it was very difficult to really understand the message and the ideas that the presenter tried to promote.
But here some ideas that I was able to catch:

assume compromise

business people do not understand the security goals

perimeter defense; you have to win every time; one single mistake and the perimeter can be breach.

attackers are using the speed; the defenders have never the initiative.

Security through design

The presenter believes that the security is seen by the casual user/client as a burden. The security peoples should try to understand why the users try to circumvent the security, try to understand how the peoples are working and must try to adapt the security to fit the user needs.

The possible solutions are not from the IT world; try to apply the design thinking. A good design solution should have the following properties:

is innovative

makes a product useful

makes a product understandable

is long-lasting

is unobtrusive

Some examples of products/companies that are trying to understand better the client: 2g Tuesday at Facebook

Building a Successful Internal Adversarial Simulation Team

The problems with the security testing today :

limited metrics

increase technical debt.

gives limited experience.

Another major problem is that the read team and blue team are acting independently, do not really share knowledge.

The speakers proposed some solutions to this problem; some of the interesting points that I was able to catch:

predict the likelihood of successful attacks before they happen.

creation of an information sharing platform and knowledge base.

assemble your team and tools

create defensive measurements/metrics.

Here are my quick notes from the BruCON 2015 conference. All the slides can be found here.

Intrusion detection on Linux and OSX with osquery

osquery goals:

explore your operation system using sql
host visibility is motivated by intrusion detection
wanted 1 binary; 6MB with no dependencies
done in C++
created and used by facebook (installed on 60 000 osx)

Same osquery query examples:

select pid, name, uid from processes where [constraints]

the sql syntax is the SQL lite syntax.
no Windows version; linux and osx only.
a lot of cool examples: the list of events that happened on the host (files changed, usb sticks inserted).

A second binary that is presented is called osqueryd. osqueryd is a daemon; it uses a json-config config file to set options and define a schedule. The goal of osqueryd is to execute queries peridically and then send the result to an ELK (ElasticSearch+LogStash+Kibana) system.

The queries used by Facebook are packaged in different files; these packages can be also downloaded free of charge.

Kernel Tales: Security Testing of aarch64 Android Kernels

A kernel contains code from various sources; hardware manufacturers, software companies (google, samsung).
An Android kernel is almost a Linux kerner, so the attack surface is through syscalls;
The way to corrupt the kernel: the user space tries to write in the kernel space by using syscalls or even better use the ioctls to replace the syscall.

The overall idea is to fuzzy the parameters passed to ioctls. The fuzzer used (dronity) is based on the trinity fuzzer; dronity is not yet available (it will be soon on github).

The demo contained the following items:

dronity fuzzing a Android development board.
dronity fuzzing a real Android tablet.
dronity fuzzing an aarch64 kernel on qemu.
dronity fuzzing an aarch64 kernel with gdb attached (on qemu) in order to intercept the exception thrown by the kernel.