Security BSides London, the UK’s biggest community-driven infosec conference is happy to announce its 8th iteration open to all regardless of background, skill level, income or job-title.  
  • Doors to the main event open at 8.30am with talks starting at 9am on 6 June 2018
  • Workshops will be held on 5 June 2018 starting at 10am; Pre-registration is required
Please remember that Security BSides London has a strict code of conduct available here.
Back To Schedule
Wednesday, June 6 • 11:15 - 12:15
Mr Sandman: Timelock puzzles for attack and defence

Log in to save this to your schedule, view media, leave feedback and see who's attending!

Delayed execution is a concept of significant interest to attackers, who seek to use it so that their malware is able to bypass the analysis period of sandboxes and antivirus emulators. Historically, techniques used to delay execution have included Windows API calls, and short, simple loops involving assembly, counters, or loading libraries. However, security tools are increasingly able to detect and prevent these techniques, using methods such as accelerating time, returning false tick counts, intercepting API calls, and performing multipath execution. As a result, attackers are constantly striving to find new and creative ways to delay execution. Delayed execution is also of some interest to defenders, who try to implement it, in either manual or automated solutions, in order to frustrate the attack models of bots, botnets, and spammers.

Enter the timelock puzzle - a relatively unknown cryptographic construct whereby a puzzle is presented, the solution to which requires a certain amount of time or computational effort. Historically, timelock puzzles were proposed for benign applications, such as sealed auction bids, escrow, and the timed release of confidential information. However, they provide an interesting method of delayed execution which to date has been underexplored in security research, particularly as an offensive methodology. Specifically, they may present a significant challenge in malware detection and analysis, particularly for automated solutions such as sandboxes.

In this talk, I cover the history of timelock puzzles and their proposed applications for offence and defence, and examine some case studies. I then demonstrate several timelock puzzles which I have developed, including some novel constructions, and show through demonstrations how they can be weaponised - including both process hollowing within executables, and within VBA macros. For each construction, I explore the advantages and disadvantages for both attackers and defenders, and explain how they work, and why. I then turn to prevention and detection, presenting a heuristic model for generic detection of timelock puzzles, and cover the defender's perspective in the form of attacks against timelock puzzles, including parallelisation, predictability, and enhanced computational processing.

I then cover the challenges and feasibility of using timelock puzzles for good, discussing some of the models presented in previous work and a real-world case study where timelock puzzles could have been used to significant effect, break down a proof-of-concept defensive timelock puzzle I created, and some of the issues identified with it from an attacker's perspective.

Finally, I assess the practicality of timelock puzzles for both attack and defence, share some lessons learned from this research, and outline suggestions for future research in this area.

avatar for Matt Wixey

Matt Wixey

Matt leads on vulnerability R&D for the PwC Cyber Security practice in the UK, working closely with the Ethical Hacking team, and is a PhD candidate at UCL, in the Department of Security and Crime Science and the Department of Computer Science. Prior to joining PwC, Matt led a technical... Read More →

Wednesday June 6, 2018 11:15 - 12:15 BST
Track 3 (upstairs) ILEC Conference Centre 47 Lillie Road London SW6 1UD