Didier Stevens

Tuesday 8 April 2008

Quickpost: Back from Black Hat Europe 2008

Filed under: Hacking,Quickpost — Didier Stevens @ 7:44

Back from Black Hat Europe 2008, my laptop has undergone another lobotomy.

Mikko from F-Secure was in my training class.

Some briefings I really liked:

  • New Viral Threats of PDF Language
    Good overview of the format of PDF files, and the inherent security issues. Good demos (like rewriting the Acrobat reader alert dialog box to mislead the user) and interesting insights (a PDF has a logical and physical structure, changing the physical structure doesn’t change the content of the document: this is polymorphism). The speaker confirmed that his exploits don’t affect Foxit reader. But the slides don’t do this justice, let’s hope they publish more details. And it was fun to see some French military lingo popping up in a BH presentation.
  • Intercepting Mobile Phone/GSM Traffic
    THC explained how they cracked GSM A5/1 encryption, FPGA style and with 2 TB of rainbow tables. Interesting tidbits: mobile operators don’t provide the strongest available encryption A5/3 (my guess as to why: cost), and the GSM status channel will carry permanent subscriber IDs, although the protocol only foresees temporary IDs.
  • Mobile Phone Spying Tools
    Tools mainly used by untrusting spouses, but I see potential uses for industrial espionage: salesman leaves company for competition, installs mobile phone spying tool on his corporate mobile phone just before handing it back.
  • DTRACE: The Reverse Engineer’s Unexpected Swiss Army Knife
    Looks really powerful and flexible, let’s hope someone is brave enough to attempt a Windows port.

And the networking was great, shout-out to Malta Info Security.



  1. physical and logical structure to pdf files? i’m reminded of ole2 (microsoft office document format) files and how they have in the past been likened to self-contained file-systems (with their own allocation tables and fragmentation problem)… i suppose this suggests the same comparison can be made for pdf files (though fragmentation seems less likely considering how little pdf’s get edited in practice)…

    Comment by kurt wismer — Tuesday 8 April 2008 @ 16:40

  2. The PDF file format is not really a self-contained file-system, I’ll make a new Quickpost to explain the physical & logical file structure.

    Comment by Didier Stevens — Tuesday 8 April 2008 @ 17:09

  3. […] Quickpost: About the Physical and Logical Structure of PDF Files Filed under: Quickpost — Didier Stevens @ 6:57 Here is a post to explain in detail PDF polymorphism mentioned in my BH post. […]

    Pingback by Quickpost: About the Physical and Logical Structure of PDF Files « Didier Stevens — Wednesday 9 April 2008 @ 6:57

  4. i read your follow-up post, thanks for the explanation… i’m sure you’re right that pdf files aren’t really self-contained file-systems – in fact, i’m sure ole2 documents technically aren’t self-contained file-systems either, they simply have a lot of similarities… from your description and graphics i see similarities between pdf file format and FAT based file-systems as well… i know they’re not the same but they have analogous components (discrete logically separate chunks of data, allocation tables that specify the locations of those chunks of data, etc)…

    ultimately, i imagine any sufficiently complex file format is likely going to reflect constructs that are similar to what we saw in simpler/earlier file-systems as on an abstract level they’re really doing very similar things… they’re containers that hold discrete heterogeneous mixtures of data and/or code and provide facilities for accessing those discrete chunks of data reasonably efficiently…

    Comment by kurt wismer — Wednesday 9 April 2008 @ 16:49

  5. I agree there are similar features. And I only explained the simplest form, for example, the PDF file format also supports more than one cross reference table…

    Comment by Didier Stevens — Wednesday 9 April 2008 @ 17:05

  6. […] the blogger coverage, Didier Stevens, Pedram Amini, and Gunter Ollmann posted some good commentary on the event. Only one person covered […]

    Pingback by Black Hat Europe 2008 | Infosec Events — Tuesday 29 April 2008 @ 2:41
