Andrew Wesie / @zoaedk
Over the past decade, cybersecurity competitions have grown to match, and often exceed, the challenges of real-world hacking. As members of Plaid Parliament of Pwning, a capture-the-flag team, we have experienced this first-hand and contribute with our own competition, PlaidCTF. While it was once possible to compete with a basic knowledge of assembly and reverse engineering, it is now expected that everyone can invent new heap exploitation methodologies on the fly and reverse heavily obfuscated binaries. This keeps the competitions interesting for those of us who have competed for years, but it also risks demoralizing those who want to learn and still have fun.
While CTFs have been evolving, new competition formats, such as Pwn2Own and HackerOne, provide a completely different vision. The thrill of exploiting real software, with the bonus of a monetary reward, can excite those who have deemed CTFs a waste of time. Why analyze and exploit toy programs when vulnerable real-world programs are plentiful?
We believe that having this variety of competitions is a good thing. During this talk, we will review the recent history of both CTF and Pwn2Own-style competitions, along with our experiences and how we think they can fit together. We hope everyone will walk away with an appreciation for these competitions, and a vision for how they will continue to evolve over the next decade.
Andrew Wesie is a security researcher at Theori, specializing in exploitation and reverse engineering. He is also an avid CTF player with four wins at DEFCON CTF finals as part of Plaid Parliament of Pwning (PPP). When he is not hacking browsers or playing CTFs, he is developing software-defined radio applications and contributing to the Wine project.
The following are speakers who will be presenting at our event. We will publish the agenda and schedule as soon as we finalize them.
Halvar Flake / @halvarflake
The good 0(ld) days
Software supply chains are complicated. Open source has allowed for tremendous advances and democratization everywhere, but many organisations do not have good control over what open-source code they are using where, or over who is responsible for making sure that code stays up to date. Vulnerabilities can often be found by back-porting bugs in open-source software into closed-source environments. This talk discusses some methods for the detection of FOSS code in binaries and examines some particular cases where bugs could be obtained by first identifying the open-source code in binaries and then going from there.
Thomas Dullien is a security researcher and ex-entrepreneur well-known for his contributions to the theory and practice of vulnerability development and software reverse engineering. He won what was then Germany's biggest privately financed research prize in the natural sciences in 2006 (the Horst-Goertz Prize) for work on graph-based code similarity; started and ran a company to commercialize this research that got acquired by Google, and has worked on a wide range of topics - from the very practical (turning security patches into attacks) and quite concrete (turning physics-induced DRAM bitflips into useful attacks) to the rather theoretical (attempting to clarify the theoretical foundations of exploitation). He currently works for Google Project Zero in Zurich.
Adam Donenfeld / @doadam
Viewer discretion is advised: (De)coding an iOS vulnerability
Over the years, ring-0 vulnerabilities in mobile devices have become increasingly difficult to find and exploit. Attackers and defenders alike must find new attack vectors, as well as develop tools to expedite the research process and increase coverage. One significant challenge is a more confining sandbox. While vendors usually put less emphasis on the security of mechanisms which are not operable from within the sandbox, sandboxing applications appropriately is not always that easy.
In this talk, we will present a real-world journey of finding a deeply buried vulnerability in the iOS kernel cache. The vulnerability, which is hidden within the video-decoder driver, can be triggered by processing maliciously crafted codec frames. The driver is normally not accessible to a standard application. This vulnerability, however, is still exploitable from within a sandboxed process or application. During this talk, the concepts and methods of work will be given: from the initial investigation to getting familiar with a completely closed-source environment, as well as a real-world example of finding “sandbox-restrictive” vulnerabilities and nevertheless exploiting them from the most restricted context.
Adam Donenfeld is a mobile security researcher at Zimperium with vast experience in the mobile research field. Researching vulnerabilities and exploiting them for both PC and mobile environments, Adam has given talks at several international security conferences including Black Hat, DEF CON and HITB. In his past, Adam served in the IDF in an elite intelligence unit.
Eric Sesterhenn / @X41Sec
In Sowjet Russia Smartcard Hacks You
The classic spy movie hacking sequence: the spy inserts a magic smartcard provided by the agency technicians into the enemy's computer... the screen unlocks... What we all laughed about is possible!
Smartcards are secure and trustworthy. This is the idea smartcard driver developers have in mind when developing drivers and smartcard software. The work presented in this talk not only challenges, but crushes this assumption by attacking smartcard drivers using malicious smartcards.
A fuzzing framework for *nix and Windows is presented along with some interesting bugs found by auditing and fuzzing smartcard drivers and middleware. Among them are classic stack and heap buffer overflows and double frees, but also a replay attack against smartcard authentication.
Since smartcards are used in the authentication process, a lot of vulnerabilities can be triggered by an unauthenticated user, in code running with high privileges. During the author's research, bugs were discovered in OpenSC (EPass, PIV, OpenPGP, CAC, Cryptoflex, ...), YubiKey drivers, pam_p11, pam_pkcs11, Apple smartcardservices, and others.
Eric Sesterhenn has been working as a principal security consultant for more than 15 years. He currently works mostly in the areas of source code auditing and penetration testing at X41 D-Sec GmbH. In the past he identified vulnerabilities in various software projects, including the Linux kernel, X.org and multiple IoT operating systems.
James Lee / @windowsrcer
A Journey of Logical Vulnerabilities in Microsoft Browsers
We will take a look at some logical vulnerabilities in Microsoft browsers, see what vulnerabilities arise from them, and how to exploit them.
James started to tinker around with security vulnerabilities at the age of 16. About a year later he discovered multiple vulnerabilities that led to remote code execution on Google Chrome, Mozilla Firefox, Microsoft Edge and Internet Explorer. He has also discovered local privilege escalation on Windows and occasionally found other design vulnerabilities such as information disclosure and universal XSS. Now, at the age of 19, he mostly focuses on discovering RCE in Windows-based browsers and LPE on Windows in order to develop full-chain SYSTEM code execution exploits.
Max Bazaliy / @mbazaliy
Dual booting modern iOS devices
In this talk we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this we will detail how the secure iOS boot process functions, including many of the details of how the low level component verification works as well as the loading and running of processes at boot time. It’s known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?
We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device’s system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.
From our detailed understanding and explanation of how the boot process functions for iOS we will then discuss ways in which researchers can take these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image side by side with the device’s original iOS firmware image.
Max is an offensive security researcher with more than ten years of experience in areas such as reverse engineering, software security, vulnerability research and software exploitation. He currently focuses on boot chain attacks, iOS exploitation, and reverse engineering. Max was a lead security researcher in the Pegasus iOS malware investigation. In the past few years, Max has spoken at various security conferences, including Black Hat, CCC, DEF CON, Ruxcon, RSA, and BSides. Max holds a Master's degree in Computer Science and is currently a Ph.D. student at the National Technical University of Ukraine "Kyiv Polytechnic Institute", where he is working on a dissertation in the area of code obfuscation and privacy.
SungHyoun Song / @decashx
Bypass Android Security Mechanisms using Custom Android
Most Android hackers research application vulnerabilities using rooting tools (SuperSU, MagiskSU) and hooking frameworks (FRIDA, Xposed Framework, etc.). However, rooting tools and hooking frameworks are detected and blocked by the security mechanisms of the Android OS and of the application. So hackers have to circumvent the security mechanisms applied to the Android OS and applications, which forces an attacker to spend a lot of time on analysis and bypassing. Security mechanisms are constantly being updated, so attackers and defenders continue to play cat and mouse. In this lecture I will analyze the security mechanisms applied to the Android OS and applications in detail at the code level, and, by building a new Android kernel, create an undetected privilege escalation backdoor, dynamically intercept and manipulate the execution environment, and bypass security mechanisms.
SungHyoun Song is a security researcher at FSI (Financial Security Institute), in charge of mobile security for the financial industry in Korea. He has ten years of experience in mobile security, reverse engineering, penetration testing, malware analysis and authentication mechanisms. He currently focuses on Linux kernel exploitation and the Android runtime. He has also participated in several international security conferences such as ITU-T, HITCON and JWCAA.
Having fun with IoT: Reverse Engineering and Hacking of Xiaomi IoT Devices
While most IoT accessory manufacturers have a narrow area of focus, Xiaomi, an Asia-based vendor, controls a vast IoT ecosystem, including smart lightbulbs, sensors, cameras, vacuum cleaners, network speakers, electric scooters and even washing machines. In addition, Xiaomi also manufactures smartphones. Their products are sold not only in Asia, but also in Europe and North America. The company claims to have the biggest IoT platform worldwide.
In my talk, I will give a brief overview of the most common Wi-Fi-based Xiaomi IoT devices. I will focus on their features, computational power, sensors, security and the ability to root them. Let's explore how you can have fun with the devices or use them for something useful, like mapping Wi-Fi signal strength while vacuuming your house. I will also cover some interesting things I discovered while reverse engineering Xiaomi's devices and discuss which protections were deployed by the developers (and which were not).
Dennis is a grad student at TU Darmstadt and a researcher at Northeastern University. He was a member of a European ISP's CERT for several years. While interested in physical security and lockpicking, he enjoys applied research and reverse engineering malware and all kinds of devices. His latest area of research is the Xiaomi IoT ecosystem. He has presented at the Chaos Communication Congress and at REcon BRX.