Bio: Nate Fick is CEO of Endgame, a venture-backed security software company that automates the pursuit, containment and mitigation of the most advanced cyber threats. He is also an operating partner at Bessemer Venture Partners, where he works with management teams to build great security companies. Before joining Endgame, Nate was CEO of the Center for a New American Security, a national security research organization. He served as a Marine Corps infantry and reconnaissance officer, including combat tours in Afghanistan and Iraq. His book about that experience, One Bullet Away, was a New York Times bestseller, a Washington Post "Best Book of the Year," and one of the Military Times' "Best Military Books of the Decade." He graduated with high honors in Classics from Dartmouth College and holds an MPA from the Harvard Kennedy School and an MBA from the Harvard Business School. Nate serves as a Trustee of Dartmouth, and he is a member of the Young Presidents' Organization and a life member of the Council on Foreign Relations.
Sebastian is co-founder of siberas, an IT security consulting company in Germany. Besides finding bugs in customer networks and applications, he enjoys low-level research such as bug hunting and exploitation. During his career he has uncovered and helped to fix dozens of critical flaws in software from Microsoft, Apple, Adobe and others. He won Pwn2Own (IE 11, 64-bit) and was awarded a Pwnie for "Best Privilege Escalation Bug" in 2014.
Pwning Adobe Reader - Abusing the reader's embedded XFA engine for reliable Exploitation
This presentation will be a deep-dive into Adobe Reader internals. The focus will be on how to develop reliable exploits by abusing Adobe Reader’s embedded XFA engine.
Never heard of XFA before? XFA is Adobe’s XML Forms Architecture: You use it every time you fill out a form with Adobe Reader! The seemingly simple process of rendering form layout and handling user input has been implemented in a huge and complex engine.
And we all know that complexity is awesome!
The talk will cover topics such as:
XFA object internals
XFA custom allocator internals
Performing Heap Feng Shui using the custom allocator
Maximizing exploit reliability
Creating Memory Leaks from controlled writes
Why nation-state malwares target Telco Networks: Dissecting technical capabilities of Regin and its counterparts
Recent malware research suggests that state actors allegedly use cyber espionage campaigns against GSM networks. Analysis of state-sponsored malware such as Flame, Duqu, Uroburos and Regin revealed that these were designed to sustain long-term intelligence-gathering operations while remaining under the radar. Antivirus companies have done a great job of revealing the technical details of these campaigns; however, that work has focused almost exclusively on the executables or on memory dumps of infected systems, and the malware's behaviour has not been reproduced in a real environment.
GSM networks still use ancient protocols such as Signaling System 7 (SS7), the GPRS Tunneling Protocol (GTP) and the Stream Control Transmission Protocol (SCTP), which contain plenty of vulnerable components. Malware authors are well aware of this and weaponize exploits for them within their campaigns to grab encrypted and unencrypted streams of private communications handled by telecom companies. For instance, Regin was developed as a framework that can be customized with a wide range of capabilities, one of the most interesting being the ability to monitor GSM networks.
In this talk we are going to break down the stages of the Regin framework from a reverse engineering perspective (the kernel driver infection scheme, the virtual file system and its encryption scheme, and the kernel-mode manager) while analyzing its behaviour on a GSM network and making a technical comparison with its counterparts, such as TDL4, Uroburos and Duqu2.
Making a scalable automated hacking system: from DevOps to Pwning
DARPA's Cyber Grand Challenge is a contest to automate vulnerability discovery and patching. We participated in the qualifying event held this past June, and, well, we didn't qualify. Our loss is your gain: we can talk about our automated bug finding system while everyone else is still heads down.
In this presentation, we'll tell the story of our Cyber Grand Challenge adventure, explain how to automatically find and patch bugs in binary code, and announce what’s next for our bug finding system.
First, we'll talk about how our small team of internationally distributed engineers made an automated bug finding system that placed 2nd in vulnerability discovery. We will cover both the fun parts and the necessary-but-boring parts of automated bug finding. The fun parts include combining existing fuzzing and symbolic execution tools into one coherent system, comparing the merits of various fuzzing and symbolic execution strategies, and making fuzzing fast by identifying and eliminating performance bottlenecks. The necessary-but-boring parts include automated testing, deployment, and configuration management, otherwise known as DevOps.
Second, we'll talk about how to patch bugs by translating binaries to LLVM bitcode, patching the bitcode, and re-emitting working patched binaries. We will cover different patching strategies and the requirements for each approach. We will also discuss instrumentation techniques, transformation operations, and analysis passes that are enabled by LLVM translation.
Finally, we will talk about the real-world software we ran through our system and the results we have seen.
The Tao of Hardware, the Te of Implants
Abstract: Embedded, IoT, and ICS devices tend to be things we can pick up, see, and touch. They're designed for nontechnical users who think of them as immutable hardware devices. Even software security experts, at some point, consider hardware attacks out of scope. Thankfully, even though a handful of hardware manufacturers are making some basic efforts to harden devices, there are still plenty of cheap and easy ways to subvert hardware. The leaked ANT catalog validated that these cheap hardware attacks are worthwhile. The projects of the NSA Playset have explored what's possible in terms of cheap and easy DIY hardware implants, so I've continued to apply those same techniques to more embedded devices and industrial control systems. I'll show off a handful of simple hardware implants that can 1) blindly escalate privilege using JTAG, 2) patch kernels via direct memory access on an embedded device without JTAG, 3) enable wireless control of the inputs and outputs of an off-the-shelf PLC, and 4) hot-plug a malicious expansion module onto another PLC without even taking the system offline. Some of these are new applications of previously published implants; others are brand new. I'll skip the call to action about how to design hardware more robustly and instead dive into the technical details of each implant, how they can be effectively concealed, and how they can be adapted for different target systems.
Automatic Root-Cause Identification for Crashing Executions
Abstract: Generating crashing inputs for most targets isn’t particularly hard. In fact, often it’s annoyingly easy and, even with the assistance of automated crash prioritisation tools, the task of figuring out why an interesting crash has occurred, and what exploitation primitives it provides, can be quite time consuming. In this talk I will present an approach to root-cause identification which is based on dynamic instrumentation, large-scale repeated execution, and offline static analysis. The analysis narrows down an execution trace to those operations directly contributing to the vulnerability which leads to the crash, as well as providing contextual information on control and data flow amalgamated across multiple runs of the application. This information enables a user to determine why the crash occurred as well as the level of control they have over the application’s state, and thus the usefulness of the vulnerability. This talk differs from previous work on input minimisation and crash exploration in that instead of seeking to categorise a crash as exploitable/non-exploitable or interesting/not-interesting we strive to present the user with the information required to understand the root cause and impact of the underlying flaw. In effect, the system which will be presented fits naturally into the analysis pipeline directly after bucketing/prioritisation. The high level aim is to bootstrap an analyst to the point where their workflow no longer starts from “Why the hell did this thing crash?”, but is instead “What exploitation primitives does this series of operations provide me with and how can I leverage them?”.
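The core step described above, narrowing an execution trace down to the operations that actually feed the crash, is a backward dynamic slice. The following is an added illustration written for this page, not the speaker's system: it runs the slice over a constructed eight-instruction trace in which the last instruction faults on a write through r5. Register numbering, the `op_t` record layout and the trace itself are assumptions of the example; a real tool would record the def/use information with a dynamic instrumentation framework rather than hand-write it.

```c
#include <stdio.h>
#include <string.h>

#define NREG 16   /* registers are numbered 1..NREG-1; 0 means "none" */

/* One recorded instruction: def = register written, use[] = registers read,
 * from_input = the instruction loads attacker-supplied data. */
typedef struct {
    const char *text;
    int def;
    int use[2];
    int from_input;
} op_t;

/* Constructed trace for this example (not from the talk). The last instruction
 * faults writing through r5. Ops 3 and 4 only compute the value being stored,
 * so a slice for the faulting *address* must leave them out. */
static const op_t trace[] = {
    /* 0 */ { "mov  r1, [input+0]", 1, {0, 0}, 1 },
    /* 1 */ { "mov  r2, 0x1000",    2, {0, 0}, 0 },
    /* 2 */ { "add  r3, r1, 4",     3, {1, 0}, 0 },
    /* 3 */ { "mov  r4, [input+8]", 4, {0, 0}, 1 },
    /* 4 */ { "mul  r4, r4, 2",     4, {4, 0}, 0 },
    /* 5 */ { "shl  r3, r3, 3",     3, {3, 0}, 0 },
    /* 6 */ { "add  r5, r2, r3",    5, {2, 3}, 0 },
    /* 7 */ { "mov  [r5], r4",      0, {5, 4}, 0 },  /* crash: write fault on r5 */
};
#define NOPS      ((int)(sizeof trace / sizeof trace[0]))
#define CRASH_IDX (NOPS - 1)

/* Backward dynamic slice. Starting from the registers in criterion[] as they are
 * at instruction `crash`, walk the trace backwards and mark every earlier
 * instruction whose result feeds them (in_slice[i] = 1). A dynamic trace has no
 * control-flow ambiguity: the nearest earlier definition of a wanted register
 * is the one that was really used. Returns 1 if attacker input reaches the
 * criterion, 0 otherwise. */
static int backward_slice(int crash, const int *criterion, int ncrit, int *in_slice)
{
    int wanted[NREG] = {0};
    int controlled = 0;

    memset(in_slice, 0, NOPS * sizeof *in_slice);
    in_slice[crash] = 1;
    for (int i = 0; i < ncrit; i++)
        wanted[criterion[i]] = 1;

    for (int i = crash - 1; i >= 0; i--) {
        const op_t *op = &trace[i];
        if (op->def == 0 || !wanted[op->def])
            continue;                    /* defines nothing we still need */
        in_slice[i] = 1;
        wanted[op->def] = 0;             /* clear the def before adding uses, */
        for (int j = 0; j < 2; j++)      /* so "mul r4, r4, 2" keeps r4 wanted */
            if (op->use[j])
                wanted[op->use[j]] = 1;
        if (op->from_input)
            controlled = 1;
    }
    return controlled;
}

/* Slice on a single register at the crash and return a bitmask: bit i set for
 * each included op index, bit 31 set if the register is attacker-controlled. */
static unsigned slice_mask(int reg)
{
    int in_slice[NOPS];
    int crit[1] = { reg };
    unsigned mask = backward_slice(CRASH_IDX, crit, 1, in_slice) ? 1u << 31 : 0;
    for (int i = 0; i < NOPS; i++)
        if (in_slice[i])
            mask |= 1u << i;
    return mask;
}

int main(void)
{
    unsigned m = slice_mask(5);          /* r5 = the faulting pointer */
    printf("ops feeding the faulting address (%s):\n",
           (m & (1u << 31)) ? "attacker-controlled" : "not controlled");
    for (int i = 0; i < NOPS; i++)
        if (m & (1u << i))
            printf("  %d: %s\n", i, trace[i].text);
    return 0;
}
```

Slicing on r5 keeps ops 0, 1, 2, 5, 6 and the crash itself and drops the two that only produce the stored value; slicing on r4 instead gives the complementary set. Reading the kept chain (r5 = 0x1000 + ((input[0] + 4) << 3)) is exactly the "how much control do I have over the faulting address" question the abstract wants answered before any exploitability verdict.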
Java deserialization vulnerabilities - The forgotten bug class
Abstract: Java deserialization vulnerabilities are a bug class of their own. Although several security researchers have published details in the past, the bug class is still fairly unknown. This talk is about finding and exploiting deserialization flaws in Java. Details on a new gadget allowing remote code execution will be disclosed, and several vulnerabilities discovered by Code White will be shown as case studies.
Genetic Malware: Designing Payloads for Specific Targets
Abstract: Dropping a payload or malware onto a target is usually not an issue given the variety of vulnerable software in use. Your challenge is keeping the payload from spreading to, and working on, unintended targets, which eventually leads to malware reverse engineers picking apart your work and starting an industry to stop your livelihood. This presentation will discuss techniques that keep your malware payloads focused on particular targets, from methods that will not work outside the target environment to techniques that would drive a malware reverse engineer mad. We will include POCs written in multiple languages and a framework for implementing these techniques that will help keep your hard work from making headlines thanks to hobbyists with too much free time on their hands.
The Secret Life of ActionScript
Adobe Flash continues to be a popular target for attackers in the wild. As an increasing number of bug fixes and mitigations are implemented, vulnerabilities in increasingly obscure corners of Flash are coming to light. This presentation describes the attack surface of Flash, with a focus on recently discovered vulnerabilities.
It will start with an overview of Flash vulnerabilities found in the past year, and discuss how the most common types of vulnerabilities work, the potential for future vulnerabilities in these areas and methodologies for finding them. It will also cover some recently reported vulnerabilities that are less typical, their discoverability and exploitability.
This talk will also discuss recent Flash and platform mitigations, and how they impact bug quality and discoverability. It will also provide some techniques for rapidly reproducing and evaluating new bugs.
At WWDC 2014, Apple introduced Swift, their revolutionary new programming language for the future. Swift promises unapologetic optimization, outstanding speed, and best-in-class language features. Swift is sleek, stunning, and already the most loved language on StackOverflow. Up until now, no reverse engineer has dissected the language or the artifacts it produces and presented their findings.
However, since an hour long presentation discussing Swift class structure and string layouts would be painfully boring, this talk actually presents a systematic approach to binary reverse engineering new foreign ABIs using Swift as a case study. I’ll present approaches for identifying control structures and flow, recovering class layouts, mapping machine code patterns to higher level language constructs, and more!
This presentation will leave you with the knowledge and confidence needed to take on any ABI — maybe even Haskell.
One more thing: Hex-Rays (and hopefully Binary Ninja) plugins included.
All Your Browsers Belong To Us | Tales of Android Browser Exploitation
The age of Android is upon us, and is taking no prisoners. More and more Android users flock to the Google Play Store and rummage through apps, searching for the new hotness to download and install on their devices. What they don't know will kill them … nah not really, but they're probably going to have a bad time.
This presentation will take a deep dive into the pervasiveness of the vulnerability patterns that riddle the most popular Android web browsers, and the techniques that can be used to exploit them. Multiple browsers will be used to demonstrate many of the abuse cases, along with a methodology for vulnerability research and exploit development.
Xenpwn: Breaking Paravirtualized Devices
Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, making them quite an interesting target.
In this talk I'll present the results of my research on the security of these backend components and discuss Xenpwn, a hypervisor-based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor.
If you like virtualization security, race conditions, or vulnerabilities introduced by compiler optimizations, or are a big fan of Bochspwn, this is the right talk for you.
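The race conditions this abstract refers to are, in a paravirtualized backend, typically double fetches: the backend reads a field from memory the guest also writes, validates it, then reads it again for the actual operation. The following added example (written for this page, not code from Xenpwn or Xen) shows the pattern on a made-up request descriptor and the single-fetch fix beside it. The `shared_req` layout, `MAX_PAYLOAD`, and the `race_fn` hook that stands in for a guest writing from another vCPU are assumptions of the example; in the demo the guest's write is invoked synchronously so the race always wins.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64   /* size of the backend's private buffer */

/* Request descriptor in memory shared with the guest. Modelled as a plain struct
 * here; a real backend maps the guest's ring or grant pages. len is volatile so
 * the compiler performs every read exactly where it is written in the source,
 * which keeps the race below deterministic for this demo. */
struct shared_req {
    volatile uint32_t len;   /* written by the guest, may change at any moment */
    uint8_t data[256];
};

/* Stands in for a malicious guest on another vCPU: invoked in the window
 * between the backend's check and its use of len. */
typedef void (*race_fn)(struct shared_req *req);

/* VULNERABLE: len is fetched from shared memory twice, once for the bounds
 * check and again for the copy. Whatever the guest writes in between is used
 * unchecked. Returns bytes copied, or -1 if the request was rejected. */
static int handle_req_double_fetch(struct shared_req *req, uint8_t *dst, race_fn race)
{
    if (req->len > MAX_PAYLOAD)          /* first fetch: validated */
        return -1;
    if (race)
        race(req);                       /* guest changes len here */
    uint32_t n = req->len;               /* second fetch: never validated */
    memcpy(dst, req->data, n);
    return (int)n;
}

/* SAFE: fetch len once into private memory, validate the private copy and use
 * only that copy. Later writes to shared memory cannot affect it. */
static int handle_req_single_fetch(struct shared_req *req, uint8_t *dst, race_fn race)
{
    uint32_t n = req->len;               /* the only fetch */
    if (n > MAX_PAYLOAD)
        return -1;
    if (race)
        race(req);                       /* guest changes len: no effect on n */
    memcpy(dst, req->data, n);
    return (int)n;
}

/* Guest behaviour used in the demo: a length that would have failed the check. */
static void guest_sets_len_200(struct shared_req *req)
{
    req->len = 200;
}

/* Runs one handler against a descriptor whose initial length is `len`. dst is
 * deliberately oversized so the overflow shows up as a return value instead of
 * corrupting the stack; a real backend's buffer would be MAX_PAYLOAD bytes. */
static int run_handler(int (*handler)(struct shared_req *, uint8_t *, race_fn),
                       uint32_t len, race_fn race)
{
    struct shared_req req = { .len = len };
    uint8_t dst[256];
    return handler(&req, dst, race);
}

int main(void)
{
    printf("double fetch, guest races: copied %d bytes (limit %d)\n",
           run_handler(handle_req_double_fetch, 16, guest_sets_len_200), MAX_PAYLOAD);
    printf("single fetch, guest races: copied %d bytes\n",
           run_handler(handle_req_single_fetch, 16, guest_sets_len_200));
    printf("oversized request, no race: %d / %d\n",
           run_handler(handle_req_double_fetch, 100, NULL),
           run_handler(handle_req_single_fetch, 100, NULL));
    return 0;
}
```

The `volatile` qualifier is what makes the demo reproducible, but it also points at the compiler-introduced variant the abstract mentions: if `len` were a plain field, the compiler is free to drop the local `n` and re-load `req->len` from memory (for instance under register pressure), so code that performs a single fetch at the source level can still contain two loads in the binary. That is why hypervisor and kernel code reads guest-shared fields through accessors such as Linux's READ_ONCE() or Xen's ACCESS_ONCE(), and why auditing the compiled output, not just the source, is part of hunting this bug class.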