Iron Chef Black Hat

LAS VEGAS — The majority of presentations at this year’s Black Hat security
conference here go down quite simply: A
researcher takes the stage, talks about an attack vector and then proceeds
to demonstrate how he or she can attack the target.

At least one security research group is trying to spice it up this year by
taking a page from the Food Network’s cookbook. Literally. Source code analysis vendor Fortify Software will be running a session modeled after the popular Iron Chef program that airs on the Food Network.

In the Iron Chef show an iron chef is pitted against another chef in a timed
challenge using a mystery ingredient that is revealed at the beginning of
the show. A panel of judges decides at the end whose cuisine reigns supreme
in the kitchen stadium.

Jacob West, security research group manager at Fortify, explained that the
Iron Chef Black Hat will emulate the TV show as closely as possible without
involving flour or oil or any of the things you cook with.

“We pick a piece of software that will resonate with people but isn’t 10
million lines of code so we can get through in the course of the talk,” West
explained to “The contestants don’t know anything
about it in advance. They have a computer and a sous chef, so to speak, and
they will get access to the code at the same time the audience does and then
everyone starts looking for bugs.”

The only constraint that Fortify has revealed to the contestants is that
the piece of software that will be “cooked” will be a Java Web application.
The application chosen will not be a deliberately vulnerable version of the
target software, either.

West also was quick to note that he doesn’t expect the contestants to only
use source code analysis tools sold by Fortify. He expects that home brew
scripts will be used, as well.

In addition to the iron chefs that will battle it out on stage, West is
hoping for a high degree of audience participation. The audience
will be given a USB drive with the same materials and source code that the
iron chefs get. They will then be able to try and find bugs, too. The
audience member that finds what the judges deem to be the most interesting
bug will be declared the audience winner.

The judges themselves will not be Fortify employees, but they will be
selected in advance by Fortify. West explained that the Iron Chef
contestants will be ranked on originality, impact against the software and
by impressing two of the three judges.

Simply attacking the Java or operating system layer won’t be enough to win
either. West classified those types of attacks as not interesting for
the Iron Chef competition, since the contest is testing the ability to find
flaws in the application software itself.

West expects the event to be controlled chaos and a real pressure cooker.

“Taking code from scenario to report in 50 minutes is not a scenario you
typically would ever do,” West said.

Unfortunately for West, the Iron Chef Black Hat presentation occurs at what
may well be the worst possible time slot of the conference. Not only is it
the last time slot on the last day of the Black Hat briefings, but it is
also going up against what is likely the most widely anticipated session of
the entire event: the iPhone vulnerability disclosure.

West himself admitted jokingly that he was likely to duck out of his own
session to check out at least part of the iPhone session.
