Andrew Wesie
Halvar Flake
Adam Donenfeld
Eric Sesterhenn
James Lee
Max Bazaliy
SungHyoun Song
Dennis Giese
Vitaly Nikolenko
YunDing Jian
KaiJern Lau
Luat Nguyen
Sheng-Hao Ma
Julian Rauchberger
Tobias Dam
Niklas Baumstark
Brandon Azad
Nikita Tarakanov
Seunghun Han
 

Keynote

Andrew Wesie / @zoaedk

CTF Evolved

Abstract:
Over the past decade, cyber security competitions have grown to match, and often exceed, the challenges of real-world hacking. As members of Plaid Parliament of Pwning, a capture the flag team, we have experienced this first-hand and contribute with our own competition, PlaidCTF. While it was once possible to compete with a basic knowledge of assembly and reverse engineering, it is now expected that everyone can invent new heap exploitation methodologies on-the-fly and reverse heavily obfuscated binaries. This keeps the competitions interesting for those of us who have competed for years, but it also risks demoralizing those who want to learn and still have fun.
 
While CTFs have been evolving, new competition formats, such as Pwn2Own and HackerOne, provide a completely different vision. The thrill of exploiting real software, with the bonus of a monetary reward, can excite those who have deemed CTF as a waste of time. Why analyze and exploit toy programs when vulnerable real world programs are plentiful?
 
We believe that having this variety of competitions is a good thing. During this talk, we will review the recent history of both CTF and Pwn2Own-style competitions, along with our experiences and how we think they can fit together. We hope everyone will walk away with an appreciation for these competitions, and vision for how they will continue to evolve for the next decade.
 
Bio...
Andrew Wesie is a security researcher at Theori, specializing in exploitation and reverse engineering. He is also an avid CTF player with four wins at DEFCON CTF finals as part of Plaid Parliament of Pwning (PPP). When he is not hacking browsers or playing CTFs, he is developing software-defined radio applications and contributing to the Wine project. 

Speakers

The following are speakers that will be presenting at our event. We will publish the agenda and schedule as soon as we finalize it.

Halvar Flake / @halvarflake

The good 0(ld) days

Abstract:
Software supply chains are complicated. Open-source has allowed for tremendous advances and democratization everywhere, but many organisations do not have good control over what open-source code they are using where - and who is responsible for making sure that code stays up-to-date. Vulnerabilities can often be found by back-porting bugs in open-source software into closed-source environments. This talk discusses some methods for the detection of FOSS code in binaries and examines some particular cases where bugs could be obtained by first identifying the open-source code in binaries and then going from there.
 
Bio...
Thomas Dullien is a security researcher and ex-entrepreneur well-known for his contributions to the theory and practice of vulnerability development and software reverse engineering. He won what was then Germany's biggest privately financed research prize in the natural sciences in 2006 (the Horst-Goertz Prize) for work on graph-based code similarity; started and ran a company to commercialize this research that got acquired by Google, and has worked on a wide range of topics - from the very practical (turning security patches into attacks) and quite concrete (turning physics-induced DRAM bitflips into useful attacks) to the rather theoretical (attempting to clarify the theoretical foundations of exploitation). He currently works for Google Project Zero in Zurich.

Adam Donenfeld /  @doadam

Viewer discretion is advised: (De)coding an iOS vulnerability

Abstract:
Over the years, ring-0 vulnerabilities in mobile devices have become increasingly difficult to find and exploit. Attackers and defenders alike must find new attack vectors, as well as develop tools to expedite the research process and increase coverage. One significant challenge is a more confining sandbox. While vendors usually put less emphasis on the security of mechanisms which are not operable from within the sandbox, sandboxing applications appropriately is not always that easy.

In this talk, a real-world journey of finding, we will be uncovering a deeply buried vulnerability in the iOS kernel cache. The vulnerability, which is hidden within the video-decoder driver, can be triggered by processing maliciously crafted codec frames. The driver is normally not accessible to the standard application. This vulnerability, however, is still exploitable from within a sandboxed process or application. During this talk, concepts and methods of work will be given: from initial investigation till getting familiar with a complete closed-source environment, as well as a real-world example of finding “sandbox-restrictive” vulnerabilities and exploiting them from the most narrowed context nevertheless.
 
Bio...
Adam Donenfeld is a mobile security researcher at Zimperium with vast experience in the mobile research field. Researching vulnerabilities and exploiting them for both PC and mobile environments, Adam has given talks at several international security conferences including Black Hat, DEF CON and HITB. In his past, Adam served in the IDF in an elite intelligence unit.

Eric Sesterhenn / @X41Sec

In Sowjet Russia Smartcard Hacks You

Abstract:
The classic spy movie hacking sequence: The spy inserts a magic smartcard provided by the agency technicians into the enemy's computer, ...the screen unlocks... What we all laughed about is possible!

Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.

A fuzzing framework for *nix and Windows is presented along with some interesting bugs found by auditing and fuzzing smartcard drivers and middleware. Among them classic stack and heap buffer overflows, double frees, but also a replay attack against smartcard authentication.
Since smartcards are used in the authentication process, a lot of vulnerabilities can be triggered by an unauthenticated user, in code running with high privileges. During the authors research, bugs were discovered in OpenSC (EPass, PIV, OpenPGP, CAC, Cryptoflex,...), YubiKey drivers, pam_p11, pam_pkc11, Apple smartcardservices...
 
Bio...
Eric Sesterhenn is working as an principal security consultant for more than 15 years. Currently working mostly in the areas of source code auditing and penetration testing at X41 D-Sec GmbH. In the past he identified vulnerabilities in various software projects including the Linux kernel, X.org and multiple IoT Operating Systems.

James Lee / @windowsrcer

A Journey of Logical Vulnerabilities in Microsoft Browsers

Abstract:
We will have a look and go through some Logical Vulnerabilities in Microsoft Browsers, this includes Vulnerability that allows to escape from Sandbox using specific extensions. There are also Same-Origin Policy bypass vulnerabilities, we are able to conduct UXSS attack using some of them. We'll go through how these Vulnerability works and its methodology of discovery and exploitation.
 
Bio...
James started to tinker around with Security Vulnerability at the age of 16. About a year later he discovered multiple vulnerabilities that lead to Remote Code Execution on Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. He has also discovered Local Privilege Escalation on Windows OS and occasionally found other design vulnerabilities like Information disclosure, Universal XSS too. Now at the age of, 19, he mostly focuses on discovering RCE on Windows based browser and LPE on Windows OS to develop Full-chain SYSTEM code execution exploit.

Max Bazaliy / @mbazaliy

Dual booting modern iOS devices

Abstract:
In this talk we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this we will detail how the secure iOS boot process functions, including many of the details of how the low level component verification works as well as the loading and running of processes at boot time. It’s known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?
 
We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device’s system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.
 
From our detailed understanding and explanation of how the boot process functions for iOS we will then discuss ways in which researchers can take these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image side by side with the device’s original iOS firmware image.
 
Bio...
Max is an offensive security researcher with more than ten years of experience in areas as reverse engineering, software security, vulnerability research and software exploitation. Currently focusing on boot chain attacks, iOS exploitation, and reverse engineering. Max was a lead security researcher at Pegasus iOS malware investigation. In the past few years, Max was a speaker at various security conferences, including Black Hat, CCC, DEF CON, Ruxcon, RSA, and BSides. Max holds a Masters degree in Computer Science and currently is a Ph.D. student at the National Technical University of Ukraine "Kyiv Polytechnic Institute" where he is working on a dissertation in code obfuscation and privacy area.

SungHyoun Song / @decashx

Bypass Android Security Mechanisms using Custom Android

Abstract:
Most Android hackers are researching application vulnerabilities using the rooting tool (SuperSU, MagiskSU) and the hooking framework (FRIDA, Xposed Framework, etc.). However, the rooting tool and the hooking framework are detected and blocked by the security mechanisms of the Android OS and the Application. So hackers have to circumvent the security mechanism applied to the Android OS and Applications which can allow an attacker to spend a lot of time analyzing and bypassing. Security mechanisms are constantly being updated, so the attackers and defenders are continuing to play cat and mouse. So in this lecture I will analyze the security mechanism applied to Android OS and Application in detail at code level, and by creating a new Android Kernel, it creates an undetected privilege escalation backdoor, dynamic intercept and manipulate execution environment, and bypasses security mechanisms.
 
Bio...
SungHyoun Song is a security researcher at FSI(Financial Security Institute), in charge of Mobile Security for Financial Industry in Korea. He has experienced mobile security, reverse engineering, penetration test, malware analysis and authentication mechanism for ten Years. Currently focusing on Linux kernel exploitation and Android runtime. Also he has participated in several international security conferences such as ITU-T, HITCON, JWCAA.

Dennis Giese

Not all IoT Devices are Created Equal: Reverse Engineering of Xiaomi's IoT ecosystem

Abstract:
While most IoT accessory manufacturers have a narrow area of focus, Xiaomi, an Asian based vendor, controls a vast IoT ecosystem, including smart lightbulbs, sensors, cameras, vacuum cleaners, network speakers, electric scooters and even washing machines. Their products are sold not only in Asia, but also in Europe and North America. The company claims to have the biggest IoT platform worldwide.
 
Their devices may have a deep integration in the daily life and are able to collect a lot of personal data. However, not all devices in Xiaomi's ecosystem are created equal. Whereas some devices are designed by Xiaomi itself, many IoT devices were developed by other companies and then integrated into their ecosystem. This results in different quality levels for software and designs.
 
In this presentation, I will provide an overview over the most common Wi-Fi enabled IoT devices in Xiaomi's ecosystem. We will take a look at their platforms, designs, features and vulnerabilities. How can we modify the devices to disconnect them from the cloud or to do something useful? Which device protections are deployed by the developers? And more important: What are the most common mistakes?
 
After having reverse engineered over 40 different models of their ecosystem, I would like to share some interesting things I discovered while reverse engineering Xiaomi's devices and discuss what the developers may have done better.
 
Bio...
Dennis is a grad student at TU Darmstadt and a researcher at Northeastern University. He was a member of one European ISP's CERT for several years. While being interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His latest area of research is the Xiaomi IoT ecosystem. He has presented at the Chaos Communication Congress and the REcon BRX.

Vitaly Nikolenko / @vnik5287

Dissecting a 17-old Linux Kernel Bug

Abstract:

In this talk we will present analysis and exploitation of the Linux kernel 0day affecting all major Linux distributions. This bug resulting in local privilege escalation has been around for almost 17 years making it one of the oldest kernel vulnerabilities. It affects all kernels starting from 2.4 and can be triggered reliably on most distributions without any special privileges or system requirements.

We will demonstrate a detailed analysis of the vulnerability and walk through the exploitation steps required to escalate privileges on x86_64.

 
Bio...
Vitaly is a security researcher with a solid academic background in programming languages, algorithms and cryptography. He is currently focused on OS security (kernel space exploitation techniques and countermeasures on POSIX systems) and software hypervisors.

Yunding Jian @WhiteA10n3 / KaiJern Lau @xwings

Wireless Hacking with 'HackCUBE'

Abstract:

This is a small size (9.2cm^3) and battery powered cube box. It integrates Raspberry Pi, Arduino, 2.4/5.8G Wifi and HID etc, and can externally be connected with some SDR hardware, such as HackRF, RTL-SDR, CC2541 etc. The whole system (without external accessories) will be equal to Unicorn HackID Plus (RFID read/write/emulator) + Wifi Pineapple + rfcat (Sub-GHz transceiver). It can provide comprehensive and powerful wireless hacking capability.

In the session, we will talk about daily wiresless hacking with HackCUBE and HackCUBE mini.

We will bring some HackCubes (e.g. ~10) to the lab and the attendees can operate and program it to complete the two experiments, and even can try other ideas they have.

The highlights of the HackCUBE are its portability and multi-function. As a hackers, we also hope to have an unnoticeable and battery powered tool to do wireless hacking so we create this cube. Wish we have this opportunity to introduce it to people.

For beVX, we will officially introduce our brand new HackCUBE with more powerful features and functionality and first time to show a golf ball size HackCUBE mini.

 
Bio...

Yunding Jian is the co-founder of UnicornTeam. He is the leader of RocTeam (Subset of UnicornTeam ) in the Radio Security Research Department of 360 Technology. He is the designer of all pervious SyScan360 Conference badges, HITB2018AMS badges and badges for few other conferences. He paper is being presentations in Blackhat USA, Blackhat Europe&Asia (Arsenal), HITB, DEFCON about his hardware security research and design experience.

KaiJern, Lau (xwings) is the IoT/Blockchain researcher at JD Security (JD.COM), Advisor for UnicornTeam/HACKNOWN Team and also Hack In The Box Security Conference core crew. His research topic mainly on hardware and software of embedded device, blockchain security, reverse engineering and various security topics. He presented his findings in different international security conferences like HITB, Codegate, QCon, KCon, International Antivirus Conference and etc. He conducted Hardware Hacking Course during KCon, Beijing. He is also the review board member for Hack In The Box Security Conference.


Luat Nguyen / @l4wio

Tail of pdfium use-after-free series

Abstract:

pdfium is a pdf reader shipped along with Google Chrome. In this talk, I will talk about how did I choose the target and strategy to beat pdfium. Sharing tips and what I was thinking when doing code-review on a target. After 04 months, I successfully discovered 12 high-severity bugs results in 6 CVEs and $42,000 bounty in total.

 
Bio...

Luat is currently an independent security researcher, a keen CTF player, who love hacking and music. Luat is also member of CLGT/Meepwn CTF team, former member of eee/A*0*E (3rd place at DEFCON CTF Finals 2017).


Sheng-Hao Ma / @aaaddress1

Playing Malware Injection with Exploit thoughts

Abstract:

In the past, when hackers did malicious program code injection, they used to adopt RunPE, AtomBombing, cross-process creation threads, and other approaches. They could forge their own execution program as any critical system service. However with increasing process of anti-virus techniques, these sensitive approaches have been gradually proactively killed. Therefore, hackers began to aim at another place, namely memory-level weakness, due to the breakages of critical system service itself.

This lecture will introduce a new memory injection technique that emerged after 2013, PowerLoadEx. Based on this concept, three new injection methods will be disclosed as well. These makes good use of the memory vulnerability in Windows to inject malicious behavior into system critical services. The content will cover Windows reverse analysis, memory weakness analysis, how to use and utilize, and so on. The relevant PoC will be released at the end of the lecture.

 
Bio...

Sheng-Hao Ma (aaaddress1) is a core member of CHROOT Security Group and TDOHacker security community in Taiwan. He has over 10-year experience in reverse engineering, machine language, and Intel 8086. He experts in Windows vulnerability, and Reverse Engineering. Moreover, Sheng-Hao Ma was also a speaker at Black Hat, DEFCON USA, VXCON, HITCON (Hackers In Taiwan Conference).


Julian Rauchberger / Tobias Dam

Breaking the Bluetooth stack: Where to look and what to expect

Abstract:

From an attacker’s point of view, the Bluetooth stack is a really interesting yet often overlooked target. While there have been a number of practical attacks against the cryptography protocols used in Bluetooth in the past, this talk will focus on discovering memory corruptions that can be found in various layers.

The Bluetooth specification is extremely complex and repeatedly features questionable design decisions that are hard to implement correctly. This includes for instance a high number of length fields and packet fragmentation mechanisms that can be found in multiple places. These issues combined with the fact that the overall code quality suggests that little research has been conducted on common Bluetooth implementations in the past makes it a prime target for exploitation.

This talk will focus on giving an overview of the lower layer protocols of Bluetooth, how to iterate supported protocols and possible targets on a device and where to look for exploits. We will show how to create a test environment to start vulnerability research for anyone interested. An in-depth explanation of two real world vulnerabilities - an info leak and a heap corruption - that were found by the speakers in the BlueZ stack, will be presented as a practical example.

 
Bio...

Julian Rauchberger is a grad student at St. Pölten University of Applied Sciences as well as an independent security researcher in his pastime, interested in everything that contains assembly. He is currently mostly focused on exploiting Linux-based systems.

Tobias Dam is a security researcher, who specialises in privacy, network and web security. He is currently focusing on the security of modern network technologies.


Niklas Baumstark / @_niklasb

Thinking outside the (Virtual)Box

Abstract:

Desktop virtualization solutions like Oracle VirtualBox and VMware Workstation are extremely useful for software development, kernel debugging and security research. They are also often used to isolate the host system from potentially malicious or vulnerable code, and thus present interesting targets for exploitation. While VMware Workstation has been a target at the annual Pwn2Own contest since 2016, this year's edition added VirtualBox for the first time, and it ended up as the only hypervisor that was successfully attacked during the competition.

This talk briefly compares the architecture of VirtualBox to that of the VMware product, with a focus on the guest-to-host attack surface available in their respective default configurations. After laying out the internals of the VirtualBox-specific HGCM and HGSMI protocols, examples of VM escape exploits against VirtualBox on Windows 10 and Linux hosts will be discussed, including the one used at Pwn2Own 2018.

You will find in this presentation basic vulnerability discovery strategies as well as exploitation techniques for VirtualBox, including powerful heap grooming primitives. You will also learn how the weak boundary between the VirtualBox userland and kernel components can be abused to escalate privileges to SYSTEM/root in a reliable manner after achieving code execution on the host.

 
Bio...

Niklas Baumstark is an independent security researcher with a special interest in reverse engineering and binary exploitation. He publicly demonstrated exploits against Safari and VirtualBox at Pwn2Own '17 & '18, respectively. Besides breaking real software, he loves playing and organizing Capture-The-Flag events..


Brandon Azad / @_bazad

Crashing to root: How to escape the iOS sandbox using abort()

Abstract:

Apple has greatly improved iOS security in recent years, but many attack surfaces remain largely ignored. For example: is it possible to elevate privileges by crashing maliciously? I decided to investigate how crash handling is implemented in iOS and whether it poses a viable attack vector. What began as a seemingly absurd question ended with control over every userspace process on the phone.

In this talk, I will share how I reverse engineered a system service to find a critical Mach port replacement vulnerability, how to bypass protections in order to trigger the bug, and how to exploit the bug to escape the application sandbox and execute code with full system privileges. I'll also explain a technique I discovered to obtain the coveted task_for_pid-allow entitlement, which grants control over any userspace process. This technique bypasses recent defenses designed to stop even unsandboxed root processes from taking control of other processes.

The talk will assume basic familiarity with iOS but I'll briefly cover the concepts we'll need (codesigning, sandboxing, Mach ports, MIG, launchd) before diving into the core of the vulnerability. The complete exploit code and documentation is available online.

 
Bio...

Brandon Azad is an independent macOS/iOS security researcher who enjoys finding 0-days, developing elegant exploits, and writing articles about security. His first work in the field was to report on the kernel code execution vulnerability used by the Pegasus iOS spyware before Pegasus was even discovered. Brandon also develops open-source tools to facilitate research, including a macOS/iOS kernel inspection tool called memctl and a kernelcache analysis toolkit for IDA called ida_kernelcache.


Nikita Tarakanov / @NTarakanov

Exploiting Kernel Pool Overflows on Windows 10 RS4

Abstract:

Each new version of Windows OS Microsoft enhances security by adding security mitigation mechanisms - Kernel land vulnerabilities are getting more and more valuable these days. For example, the easy way to escape from a sandbox is by using a kernel vulnerability. That's why Microsoft struggles to enhance security of Windows kernel.

Kernel pool allocator plays a significant role in security of whole kernel. Since Windows 7, Microsoft started to enhance the security of the Windows kernel pool allocator. In Windows 8, Microsoft has eliminated almost all reliable (previously published) techniques of exploiting kernel pool corruptions.

Then Microsoft eliminated "0xBAD0B0B0" technique in Windows 8.1, and there was no easy technique to exploit Pool Overflows on Windows 8.1

Then DKOM/DKOHM technique was present that gave really nice primitives(arbitrary read/write/execute) for kernel exploitation.

Following up Microsoft obfuscated TypeIndex in an object header leaving DKOM/DKOHM technique useless.

But Microsoft left unprotected optional headers that gave born to DKOOHM technique.

Sadly enough, techniques don?t live long life these days and Microsoft eliminated DKOOHM as well leaving all known techniques not working...

This talk presents a new technique of exploiting pool overflows for Windows 10 RS4.

Bonus: overview of enhancement in the upcoming Windows RS5.

Bio...

Nikita Tarakanov is an independent information security researcher. He has worked as an IS researcher in Positive Technologies, Vupen Security, CISS, Intel corporation. He likes writing exploits, especially for Windows NT Kernel. He won the PHDays Hack2Own contest in 2011 and 2012. He has published a several papers about kernel mode drivers and their exploitation. He is currently, engaged in reverse engineering research and vulnerability discovery automation.


Seunghun Han / @kkamagui1

The Last Man Standing: The Only Practical, Lightweight and Hypervisor-Based Kernel Protector Struggling with the Real World Alone

Abstract:

- Rootkits and kernel exploits can neutralize protection mechanisms running in the kernel- level (Ring 0). This means that the protection mechanisms need the higher privilege (Ring - 1). Because of this reason, I presented Shadow-box v1 and v2 at Black Hat Asia. Shadow-box is a security monitoring framework for operating systems using Intel virtualization technologies and ARM TrustZone technologies. Shadow-box has a novel architecture inspired by a shadow play. It supports multi-platform, Intel and ARM, and I made Shadow-box from scratch. I have been developing it as an open-source project.

- Shadow-box v1 (for x86) is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine and projects static and dynamic kernel objects of the guest into the host machine so that the security monitor in the host can investigate the projected images. The security monitor, Shadow-watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. I manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. Shadow-box v2 (ARM version) also has similar architecture and it was turned for IoT devices. Unlike the mobile phone, the processor of IoT device has lower resources and functions. Because of this reason, I used only security extension, ARM TrustZone, with Open Platform Trusted Execution Environment (OP-TEE).

- In this talk, I propose a Shadow-box as a practical and lightweight security framework and show how it protects the kernel from rootkits and kernel exploits with a demo. Unlike other academic research results, I have been operating and updating Shadow-box in real world for 3 years. I share my know-how about it.

Bio...

Seunghun Han is a senior security researcher at National Security Research Institute of South Korea. He is an expert in the hypervisor and Linux kernel, and had his own lightweight hypervisor, “Shadow-box”. He also had several CVEs on Linux kernel and BIOS/UEFI firmware. He was a speaker at Black Hat Asia and HITBSecConf several times, published a paper to USENIX Security, and authored books, “64-bit multi-core OS principles and structure volume 1 and volume 2”.