RealTime IT News

Iron Chef Black Hat

LAS VEGAS -- The majority of presentations at this year's Black Hat security conference here go down quite simply: A researcher takes the stage, talks about an attack vector and then proceeds to demonstrate how he or she can attack the target.

At least one security research group is trying to spice it up this year by taking a page from the Food Network's cookbook. Literally. Source code analysis vendor Fortify Software will be running a session modeled after the popular Iron Chef program that airs on the Food Network.

In the Iron Chef show, an Iron Chef is pitted against another chef in a timed challenge built around a mystery ingredient that is revealed at the beginning of the episode. A panel of judges decides at the end whose cuisine reigns supreme in Kitchen Stadium.

Jacob West, security research group manager at Fortify, explained that the Iron Chef Black Hat will emulate the TV show as closely as possible without involving flour or oil or any of the things you cook with.

"We pick a piece of software that will resonate with people but isn't 10 million lines of code so we can get through in the course of the talk," West explained to internetnews.com. "The contestants don't know anything about it in advance. They have a computer and a sous chef, so to speak, and they will get access to the code at the same time the audience does and then everyone starts looking for bugs."

The only constraint that Fortify has revealed to the contestants is that the piece of software to be "cooked" will be a Java Web application. Nor will it be a version of the target software deliberately seeded with vulnerabilities: the contestants will be hunting for flaws in the real code.

West also was quick to note that he doesn't expect the contestants to use only the source code analysis tools that Fortify sells. He expects home-brew scripts to be used as well.

In addition to the Iron Chefs that will battle it out on stage, West is hoping for a high degree of audience participation as well. The audience will be given a USB drive with the same materials and source code that the Iron Chefs get, so that they can try to find bugs, too. The audience member who finds what the judges deem to be the most interesting bug will be declared the audience winner.

The judges themselves will not be Fortify employees, but they will be selected in advance by Fortify. West explained that the Iron Chef contestants will be ranked on the originality of their findings and on the impact of those findings against the software, and that a contestant must impress two of the three judges to win.

Simply attacking the Java runtime or the operating system underneath the application won't be enough to win, either. West classified those kinds of attacks as uninteresting for the Iron Chef competition, because the contest is testing the ability to find flaws in the application software itself.
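To make the distinction concrete, here is the sort of home-brew triage script a contestant might run over a Java Web application's source in the first minutes of the session. This is an added example, not code from the article, from Fortify, or from the target application, and the Java servlet it scans is a constructed sample written for this illustration. It flags the application-layer bug classes the judges care about (SQL injection, command injection, cross-site scripting) by following request data through straight-line local assignments to a dangerous call; it is a grep-level heuristic, not a real dataflow analysis, and the source and sink lists are assumptions chosen for the Servlet API.

```python
import re

# Constructed sample (not from any real application): a fragment of a
# hypothetical Java servlet mixing unsafe and safe handling of request data.
SAMPLE_JAVA = """\
public class UserServlet extends HttpServlet {
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String name = req.getParameter("name");
        String q = "SELECT * FROM users WHERE name = '" + name + "'";
        Statement st = conn.createStatement();
        ResultSet rs = st.executeQuery(q);
        PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id = ?");
        ps.setString(1, req.getParameter("id"));
        resp.getWriter().println("<h1>Hello " + name + "</h1>");
        Runtime.getRuntime().exec("ping " + req.getParameter("host"));
        resp.getWriter().println("<p>done</p>");
    }
}
"""

# Entry points for attacker-controlled data in the Servlet API (assumed list).
SOURCE_RE = re.compile(r'\.(getParameter|getHeader|getQueryString|getCookies|getInputStream)\(')

# Calls where tainted data becomes a bug, tagged with the bug class (assumed list).
SINKS = [
    (re.compile(r'\.(executeQuery|executeUpdate|execute)\('), 'SQL injection'),
    (re.compile(r'Runtime\.getRuntime\(\)\.exec\(|new ProcessBuilder\('), 'command injection'),
    (re.compile(r'getWriter\(\)\.print(ln)?\(|\bout\.print(ln)?\('), 'cross-site scripting'),
]

# A local declaration with an initializer, e.g. `String name = req.getParameter("name");`
DECL_RE = re.compile(r'^\s*(?:final\s+)?[\w<>\[\]]+\s+(\w+)\s*=\s*(.+);\s*$')

# Java string literal, blanked out so words inside SQL or HTML text are not
# mistaken for variable references.
STRING_LITERAL_RE = re.compile(r'"(?:\\.|[^"\\])*"')


def is_tainted(expr, tainted):
    """True if an expression reads a request source or mentions a tainted local."""
    if SOURCE_RE.search(expr):
        return True
    code = STRING_LITERAL_RE.sub('""', expr)
    return any(re.search(r'\b' + re.escape(v) + r'\b', code) for v in tainted)


def find_suspects(java_source):
    """Return (line_no, bug_class, code) for each sink reached by tainted data.

    Taint propagates forward through local assignments in source order only;
    branches, loops, fields and method calls are not modelled.
    """
    tainted = set()
    findings = []
    for n, line in enumerate(java_source.splitlines(), start=1):
        # Check sinks first so the variable declared on this line does not
        # count as tainted while checking the line that defines it.
        for sink_re, bug in SINKS:
            if sink_re.search(line) and is_tainted(line, tainted):
                findings.append((n, bug, line.strip()))
        m = DECL_RE.match(line)
        if m and is_tainted(m.group(2), tainted):
            tainted.add(m.group(1))
    return findings


def report(java_source):
    """Human-readable report, one finding per line, in source order."""
    lines = [f"line {n}: {bug}: {code}" for n, bug, code in find_suspects(java_source)]
    return "\n".join(lines) if lines else "no suspects"


if __name__ == "__main__":
    print(report(SAMPLE_JAVA))
```

On the sample the script reports the string-built query on line 6, the unescaped echo of `name` on line 9 and the `exec` of a request parameter on line 10, while staying quiet about the parameterized `PreparedStatement` and the constant output on line 11. A contestant would treat each hit as a lead to confirm by hand, not as a finished finding; the judges are scoring the bug and its impact, not the tool.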

West expects the event to be controlled chaos and a real pressure cooker.

"Taking code from scenario to report in 50 minutes is not a scenario you typically would ever do," West said.

Unfortunately for West, the Iron Chef Black Hat presentation occurs at what may well be the worst possible time slot of the conference. Not only is it the last time slot on the last day of the Black Hat briefings, but it is also going up against what is likely the most widely anticipated session of the entire event: the iPhone vulnerability disclosure.

West himself admitted jokingly that he was likely to duck out of his own session to check out at least part of the iPhone session.