Infiltrate Security Conference

APRIL 7-8, 2016

Miami Beach

Exclusive Offense

Nate Fick


Bio: Nate Fick is CEO of Endgame, a venture-backed security software company that automates the pursuit, containment and mitigation of the most advanced cyber threats. He is also an operating partner at Bessemer Venture Partners, where he works with management teams to build great security companies. Before joining Endgame, Nate was CEO of the Center for a New American Security, a national security research organization. He served as a Marine Corps infantry and reconnaissance officer, including combat tours in Afghanistan and Iraq. His book about that experience, One Bullet Away, was a New York Times bestseller, a Washington Post "Best Book of the Year," and one of the Military Times' "Best Military Books of the Decade." He graduated with high honors in Classics from Dartmouth College and holds an MPA from the Harvard Kennedy School and an MBA from the Harvard Business School. Nate serves as a Trustee of Dartmouth, and he is a member of the Young Presidents' Organization and a life member of the Council on Foreign Relations.


Sebastian Apelt

Sebastian is co-founder of siberas, an IT security consulting company in Germany. Besides finding bugs in customer networks and applications, he enjoys low-level research like bug hunting and exploitation. During his career he has uncovered and helped to fix dozens of critical flaws in software from Microsoft, Apple, Adobe and others. He won Pwn2Own (IE 11 64-bit) and was awarded a Pwnie Award for “Best Privilege Escalation Bug” in 2014.

Pwning Adobe Reader - Abusing the reader's embedded XFA engine for reliable Exploitation

Abstract: This presentation will be a deep dive into Adobe Reader internals. The focus will be on how to develop reliable exploits by abusing Adobe Reader’s embedded XFA engine. Never heard of XFA before? XFA is Adobe’s XML Forms Architecture: you use it every time you fill out a form with Adobe Reader! The seemingly simple process of rendering form layout and handling user input has been implemented in a huge and complex engine. And we all know that complexity is awesome! Awesome for bug hunters (yes, the engine does contain vulnerabilities) and awesome for exploiters: XFA brings us a myriad of objects, multiple DOMs, a custom allocator – and everything can be “controlled” from JavaScript.

The talk will cover topics such as:
XFA object internals
XFA custom allocator internals
Performing Heap Feng Shui using the custom allocator
Maximizing exploit reliability
Creating Memory Leaks from controlled writes


Omer Coskun

Omer works as an Ethical Hacker for KPN's (Royal Dutch Telecom) REDteam in Amsterdam, the Netherlands. He enjoys diving into lines of code to spot bugs, tinkering in front of the debugger and developing wise tactics/tools to break applications in his day-to-day work. Prior to joining KPN REDteam, Omer worked for companies like IBM ISS and Verizon and as an external government contractor. He holds an Honours Engineering degree in Computer Science. Twitter: @0xM3R

Why nation-state malwares target Telco Networks: Dissecting technical capabilities of Regin and its counterparts

Abstract: Recent research in malware analysis suggests that state actors allegedly use cyber espionage campaigns against GSM networks. Analysis of state-sponsored malware such as Flame, Duqu, Uroburos and Regin revealed that these were designed to sustain long-term intelligence-gathering operations by remaining under the radar. Antivirus companies did a great job of revealing technical details of the attack campaigns; however, that work has focused almost exclusively on the executables or the memory dumps of infected systems, and the research hasn't been simulated in a real environment.
GSM networks still use ancient protocols: Signaling System 7 (SS7), GPRS Tunneling Protocol (GTP) and the Stream Control Transmission Protocol (SCTP), which contain loads of vulnerable components. Malware authors are well aware of this and weaponize exploits within their campaigns to grab encrypted and unencrypted streams of private communications handled by the telecom companies. For instance, Regin was developed as a framework that can be customized with a wide range of capabilities, one of the most interesting being the ability to monitor GSM networks.
In this talk, we are going to break down the Regin framework stages from a reverse engineering perspective (kernel driver infection scheme, virtual file system and its encryption scheme, kernel mode manager) while analyzing its behavior on a GSM network and making a technical comparison with its counterparts, such as TDL4, Uroburos and Duqu2.


Artem Dinaburg

Artem Dinaburg is the Principal Investigator for Trail of Bits’ DARPA Cyber Grand Challenge team. He is responsible for the architecture, design, and development of Trail of Bits’ automated vulnerability discovery system. Mr. Dinaburg has extensive software engineering experience working in application software development, low-level software development, vulnerability research, reverse engineering, malicious software analysis, and program analysis. Mr. Dinaburg has spoken at academic and industry conferences such as ACM CCS, DEFCON, Black Hat, and REcon.

Making a scalable automated hacking system: from DevOps to Pwning

Abstract: DARPA's Cyber Grand Challenge is a contest to automate vulnerability discovery and patching. We participated in the qualifying event held this past June, and, well, we didn't qualify. Our loss is your gain: we can talk about our automated bug finding system while everyone else is still heads down.
In this presentation, we'll tell the story of our Cyber Grand Challenge adventure, explain how to automatically find and patch bugs in binary code, and announce what’s next for our bug finding system.
First, we'll talk about how our small team of internationally distributed engineers made an automated bug finding system that placed 2nd in vulnerability discovery. We will cover both the fun parts and the necessary-but-boring parts of automated bug finding. Fun parts include combining existing fuzzing and symbolic execution tools into one coherent system, comparing the merits of various fuzzing and symbolic execution strategies, and making fuzzing fast by identifying and eliminating performance bottlenecks. The necessary-but-boring parts include automated testing, deployment, and configuration management, otherwise known as DevOps.
Second, we'll talk about how to patch bugs by translating binaries to LLVM bitcode, patching the bitcode, and re-emitting working patched binaries. We will cover different patching strategies and the requirements for each approach. We will also discuss instrumentation techniques, transformation operations, and analysis passes that are enabled by LLVM translation.
Finally, we will talk about the real-world software we ran through our system and the results we have seen.


Joseph Fitzpatrick

Joe FitzPatrick (@securelyfitz) has spent a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He develops and delivers hardware security training, including "Applied Physical Attacks on x86 Systems". In between, he keeps busy with contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

The Tao of Hardware, the Te of Implants

Abstract: Embedded, IoT, and ICS devices tend to be things we can pick up, see, and touch. They're designed for nontechnical users who think of them as immutable hardware devices. Even software security experts, at some point, consider hardware attacks out of scope. Thankfully, even though a handful of hardware manufacturers are making some basic efforts to harden devices, there are still plenty of cheap and easy ways to subvert hardware. The leaked ANT catalog validated that these cheap hardware attacks are worthwhile. The projects of the NSA Playset have explored what's possible in terms of cheap and easy DIY hardware implants, so I've continued to apply those same techniques to more embedded devices and industrial control systems. I'll show off a handful of simple hardware implants that can 1) blindly escalate privilege using JTAG, 2) patch kernels via direct memory access on an embedded device without JTAG, 3) enable wireless control of the inputs and outputs of an off-the-shelf PLC and 4) hot-plug a malicious expansion module onto another PLC without even taking the system offline. Some of these are new applications of previously published implants; others are brand new. I'll skip the call to action about how to design hardware more robustly and instead dive into the technical details of each of the implants, how they can be effectively concealed, and how they can be adapted for different target systems.


Sean Heelan

Sean is a security researcher whose primary interest is R&D on approaches to augment and automate the processes involved in bug finding, exploitation and reverse engineering. Formerly, Sean ran Persistence Labs, where he led the development of security-focused program analysis systems. Prior to that he was a senior security researcher at Immunity Inc, where he worked on bug finding, exploitation and program analysis research.

Automatic Root-Cause Identification for Crashing Executions

Abstract: Generating crashing inputs for most targets isn’t particularly hard. In fact, often it’s annoyingly easy and, even with the assistance of automated crash prioritisation tools, the task of figuring out why an interesting crash has occurred, and what exploitation primitives it provides, can be quite time consuming. In this talk I will present an approach to root-cause identification which is based on dynamic instrumentation, large-scale repeated execution, and offline static analysis. The analysis narrows down an execution trace to those operations directly contributing to the vulnerability which leads to the crash, as well as providing contextual information on control and data flow amalgamated across multiple runs of the application. This information enables a user to determine why the crash occurred as well as the level of control they have over the application’s state, and thus the usefulness of the vulnerability. This talk differs from previous work on input minimisation and crash exploration in that instead of seeking to categorise a crash as exploitable/non-exploitable or interesting/not-interesting we strive to present the user with the information required to understand the root cause and impact of the underlying flaw. In effect, the system which will be presented fits naturally into the analysis pipeline directly after bucketing/prioritisation. The high level aim is to bootstrap an analyst to the point where their workflow no longer starts from “Why the hell did this thing crash?”, but is instead “What exploitation primitives does this series of operations provide me with and how can I leverage them?”.


Matthias Kaiser

Matthias is the Head of Vulnerability Research at Code White. He enjoys bug-hunting in Java Software because it's so easy. He found vulnerabilities in products of Oracle, IBM, SAP, Symantec, Apache, Adobe, Atlassian, etc. Currently, he enjoys researching deserialization bugs and looking for new deserialization gadgets.

Java deserialization vulnerabilities - The forgotten bug class

Abstract: Java deserialization vulnerabilities are a bug class of their own. Although several security researchers have published details in the past, the bug class is still fairly unknown. This talk is about finding and exploiting deserialization flaws in Java. Details on a new gadget will be disclosed, allowing Remote Code Execution, and several vulnerabilities discovered by Code White will be shown as case studies.


Travis Morrow / Josh Pitts

Travis Morrow is a Senior Security Engineer with a San Francisco startup where he specializes in mobile and web application penetration testing and reverse engineering. Mr. Morrow spoke at Amazon ZonCon on mobile security and enjoys researching ways to make the defender’s life harder. He spends his free time snowboarding, drinking coffee, and learning the hardware side of RE.
Josh Pitts is the core author and creator of The Backdoor Factory (BDF) and BDFProxy - code that patches code into other people's code on disk or via MITM. He has presented these techniques at various conferences such as Black Hat, Shmoocon, and DerbyCon. Mr. Pitts has worked on both the defense and offense side of network security and application security; preferring the offense side of the house.

Genetic Malware: Designing Payloads for Specific Targets

Abstract: Dropping a payload or malware onto a target is usually not an issue given the variety of vulnerable software in use. Your challenge is keeping the payload from working and spreading to unintended targets, which eventually leads to malware reverse engineers picking apart your work and starting an industry to stop your livelihood. This presentation will discuss techniques that keep your malware payloads focused on particular targets, from methods that will not work outside the target environment to techniques that would drive a malware reverse engineer mad. We will include PoCs written in multiple languages and a framework for implementing these techniques that will help keep your hard work from being turned into headlines by hobbyists with too much free time on their hands.


Natalie Silvanovich

Natalie Silvanovich is a security researcher on Google Project Zero. She has spent the last seven years working in mobile security, both finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets, and has spoken at several conferences on the subject of Tamagotchi hacking. She is actively involved in hackerspaces and is a founding member of Kwartzlab Makerspace in Kitchener, Ontario, Canada.

The Secret Life of ActionScript

Abstract: Adobe Flash continues to be a popular target for attackers in the wild. As an increasing number of bug fixes and mitigations are implemented, vulnerabilities in increasingly obscure corners of Flash are coming to light. This presentation describes the attack surface of Flash, with a focus on recently discovered vulnerabilities.
It will start with an overview of Flash vulnerabilities found in the past year, and discuss how the most common types of vulnerabilities work, the potential for future vulnerabilities in these areas and methodologies for finding them. It will also cover some recently reported vulnerabilities that are less typical, their discoverability and exploitability.
This talk will also discuss recent Flash and platform mitigations, and how they impact bug quality and discoverability. It will also provide some techniques for rapidly reproducing and evaluating new bugs.


Ryan Stortz

Ryan Stortz is a security engineer at Trail of Bits in NYC.

Swift Reversing

Abstract: At WWDC 2014, Apple introduced Swift, their revolutionary new programming language for the future. Swift promises unapologetic optimization, outstanding speed, and best-in-class language features. Swift is sleek, stunning, and already the most loved language on StackOverflow. Up until now, no reverse engineer has dissected the language or the artifacts it produces and presented their findings.
However, since an hour long presentation discussing Swift class structure and string layouts would be painfully boring, this talk actually presents a systematic approach to binary reverse engineering new foreign ABIs using Swift as a case study. I’ll present approaches for identifying control structures and flow, recovering class layouts, mapping machine code patterns to higher level language constructs, and more!
This presentation will leave you with the knowledge and confidence needed to take on any ABIs — maybe even Haskell.
One more thing: Hex-Rays (and hopefully Binary Ninja) plugins included.


Benjamin Watson

Benjamin Watson is a mobile security researcher who focuses on Android and iOS vulnerability exploration and exploit development. Benjamin has been a featured speaker at multiple OWASP and Security BSides events. He spends his free time competing in CTFs, lifting weights, pounding coffee, and breaking smartphones. Benjamin is also the creator and curator of Lobotomy, a reverse engineering framework for Android applications.

All Your Browsers Belong To Us | Tales of Android Browser Exploitation

Abstract: The age of Android is upon us, and is taking no prisoners. More and more Android users flock to the Google Play Store and rummage through apps, searching for the new hotness to download and install on their devices. What they don’t know will kill them … nah not really, but they’re probably going to have a bad time.
This presentation will take a deep dive into the pervasiveness of the vulnerability patterns that riddle the most popular Android web browsers, and the techniques that can be used to exploit them. Multiple browsers will be used to demonstrate many of the abuse cases, along with a methodology for vulnerability research and exploit development.


Felix Wilhelm

Felix is a security researcher working for ERNW Research. His main interests are application security, reverse engineering and virtualization security. Felix has disclosed critical vulnerabilities in popular products such as Xen, Hyper-V, IBM GPFS and FireEye's MPS and has presented his work at international conferences like PHDays, Hack in the Box, 44Con, Infiltrate and Troopers.

Xenpwn: Breaking Paravirtualized Devices

Abstract: Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, making them quite an interesting target.
In this talk I'll present the results of my research on the security of these backend components and discuss Xenpwn, a hypervisor-based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor.
If you like virtualization security, race conditions, vulnerabilities introduced by compiler optimizations or are a big fan of Bochspwn, this is the right talk for you.