Ray Boisvert [keynote]
Abyss or Turning Point: Strategy, Skills and Tradecraft in the Age of 21st Century Warfare
Bio: Ray Boisvert is the former Assistant Director, Intelligence, for the Canadian Security Intelligence Service (CSIS). In this role, Ray’s teams were responsible for priority setting on intelligence collection, along with the execution of the assessment and dissemination functions at CSIS. As an Assistant Director, Ray was also the senior briefer to Government Ministers, Deputies and key external audiences. In his three decades long career, Ray was involved in broad facets of security intelligence operations, from leadership of the Counter Terrorism domain, to driving national security program development relative to Foreign Collection, Data Exploitation, Human Sources, Operational Risk Management and Special Operations. Since launching I-Sec Integrated Strategies (ISECIS) in 2015, Ray has helped a variety of client organizations, from insurance to transportation, make sense of complex operating environments and gain a deeper understanding of intelligence and security in a global context. As such, he delivers business intelligence solutions and guides resilience building around the principles of “pro-active” defense. As a Senior Associate at Hill + Knowlton Strategies (H+K), Ray is also involved in delivering bespoke advice to clients in the area of mergers and acquisitions with potential National Security complexities. In addition, he serves H+K client requirements relative to cyber and insider threat concerns by conveying intelligence-led insights that ensure a strategic position against emerging risks to organizational integrity and sustainability.
Braden Thomas [technical keynote]
Practical Attacks on DOCSIS
Bio: Braden (@drspringfield) is a Principal Research Scientist at Accuvant, focusing on embedded security research and exploit development. Prior to Accuvant, he worked as a Product Security Engineer at Apple for 6 years. At Apple, Braden focused on fuzzing and performing proactive security reviews. He recently presented at BlackHat USA, Ekoparty, and NoSuchCon on reverse engineering of MSP430 devices.
Modern Objective-C Exploitation
This talk serves to advance the research I published in Phrack 66 (2009) regarding the exploitation of memory corruption bugs utilizing the Objective-C runtime on Mac OS X. While the techniques in the paper are still functional to this day, the security features of modern OSes such as ASLR/NX mean that additional information is required to make these constructs useful. In this talk, I will explore some additional techniques which bring the original set forward to the modern platform. In addition, some investigation of the new features and design decisions of the Objective-C run-time will be presented.
Bio: Nemo is a security researcher from Austin, TX. He has a strong interest in vulnerability research and software security. Over the years he has worked on a variety of projects, mostly focused around Mac OS X exploitation and system internals. He has published a collection of papers relating to offensive security and worked on several books.
Patroklos Argyroudis (argp)
The Mozilla Firefox browser has a new garbage collection (GC) implementation that has introduced significant changes to the way that Firefox's heap is organized. The GC heap is now divided into two layers: a first layer for short-lived objects, called the 'nursery', and a second layer for objects that survived a GC pass in the nursery, called the 'tenured' heap. Apart from these two, the latest version of Firefox (34 at the time of this writing) continues to use jemalloc (on all its supported platforms) for Spidermonkey metadata and GC heap objects that fit certain criteria. These changes directly affect the way that the browser's heap can be manipulated towards states that aid in the exploitation of heap memory corruption vulnerabilities.
In this talk we will expand upon previous work we have published on jemalloc heap exploitation approaches and primitives for Firefox, taking into account its new GC heap implementation. The presentation will demonstrate a major upgrade of our 'unmask_jemalloc' Firefox heap exploration utility with new features, and support for Windows (and the WinDbg debugger). The new version of unmask_jemalloc will of course be released as open source along with the talk.
Bio: Patroklos Argyroudis (argp) is a computer security researcher at Census S.A., a company that builds on strong research foundations to offer specialized IT security services to customers worldwide. His main expertise is vulnerability research, exploit development, reverse engineering and source code auditing. Patroklos has presented his research at several international security conferences (Black Hat USA, Black Hat EU, PH-Neutral, AthCon, etc.) on topics such as kernel exploitation, heap exploitation, kernel protection technologies, and network security protocols. He holds a PhD from the University of Dublin, Trinity College, where he has also worked as a postdoctoral researcher on applied cryptography.
Joaquim Espinhara / Rafael Silva
MIMOSAWRITERROUTER - Abusing EPC on Cisco Router to collect data
Abstract: The goal of this talk is to present a way to abuse a default feature of Cisco routers. The feature in question is the Embedded Packet Capture (EPC), described by Cisco as "... a powerful troubleshooting and tracing tool. The feature allows for network administrators to capture data packets flowing through, to, and from, a Cisco router." We were able to abuse this feature and build a system that collects massive amounts of data and stores it for analysis. The PoC developed uses multiple Cisco routers configured with default accounts to send their data traffic (input, output or both) to our repository, after which we start the processes that transform these raw packet capture files into useful information. User credentials, pre-shared keys, URLs and many other kinds of potentially sensitive data can be extracted, and additional "features", like cyber attacks, are planned for the future. The subject presented by the researchers would help a simple penetration tester during a usual engagement; additionally, it is possible to configure a larger set of routers to collect data and build a huge database, hack the planet style. The content of this presentation results from independent research conducted by me on my own time and of my own accord. This research was not approved, sanctioned or funded by my employer and is not in any way associated with my employer.
Joaquim Espinhara is an Independent Security Researcher whose independent research focuses on forensics, ethical hacking, and application security testing for premier clients. Joaquim has over 9 years of experience in Information Technology, of which the last 6 years were dedicated to penetration testing. He has performed security focused code reviews, secure development training, forensics analysis and security assessments. He has performed countless network, application and web application penetration tests for various organizations across the globe, including government, banking and commercial sectors, as well as the payment card industry. Recent presentations include Black Hat USA, Black Hat Brazil Summit, HITB Kuala Lumpur, YSTS, H2HC and Roadsec. Previously, he spoke at Silver Bullet and Secure Brasil, etc.
Rafael Silva is CTO at @EstuárioTI. His work focuses on penetration testing, incident response, web application security, anti-phishing and coding. He has thirteen years of experience and has done security research and security awareness, network penetration testing and database security. He also has an interest in reverse code engineering and vulnerability research. Enthusiast in cyberwar and also a businessman.
A Link to the Past: Abusing Symbolic Links on Windows
Abstract: The dangers of symbolic links are well known on Unix-like operating systems. Through their misuse a privileged process can be tricked into writing files to a location under the attacker's control, leading to privilege escalation or disclosure of sensitive information. On Windows there is comparatively little research into these sorts of vulnerabilities, even though Windows NT has supported symbolic links in various forms since its inception with version 3.1. To make matters worse, the functionality is poorly documented, making mitigation very difficult for Windows developers of both user-mode and kernel-mode applications. This presentation will describe the potential for abusing the various types of symbolic links on the Windows operating system to break out of application sandboxes, gain administrator privileges or disclose sensitive information. Examples of vulnerabilities will be presented to demonstrate some of the attacks, and to allow attendees to better identify other similar issues within Windows and third party applications. It will also describe a few novel techniques for winning TOCTOU races and implementing filename level symbolic links without requiring administrator privileges on current versions of Windows.
Bio: James is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he has numerous disclosures in a wide range of products from web browsers to virtual machine breakouts as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.
Insection: AWEsomely Exploiting Shared Memory Objects
Abstract: As the barriers to hijacking the kernel and system processes continue to increase with technologies such as Protected Processes, Patchguard, User Mode/Kernel Mode Code Integrity, and Virtual Machine Sandboxes, the pressure on the components managing these boundaries increases -- any bug now becomes a hole through which everything else can be taken down. One interesting aspect of Windows is the ability to share memory between two processes, using a so-called Section Object, and to give such an object a name that is globally visible. Once the name is known, applications can attempt to map this shared memory and access it as well. While Windows provides the mechanisms to protect access to this shared memory against a malicious application or account, many developers do not leverage this feature, and accordingly, the shared memory becomes accessible by anyone. In turn, consumers, services, and privileged processes that trust this memory are now dealing with malicious data. This talk will describe the various insecurities inherent to named objects, and specifically shared memory sections, and show at least one vulnerable major application with an insecure shared memory object. Then, we'll move on to an insecure named object from the Windows kernel itself, and follow the path to exploitation from a user-mode process, bypassing SMEP on the way there using a novel technique that relies on self-referencing PML4 entries and AWE memory.
Bio: I'm Alex Ionescu and Dave Aitel made me do this.
Fuzzing OSX At Scale
Abstract: In this talk Ben Nagy delves into scaling out OSX fuzzfarms on commodity (i.e. non-Apple) hardware. Ben Nagy will demonstrate a fully working (non-hackingtosh) virtualisation of OSX on Linux using KVM and a better instrumentation harness for doing this kind of work, since crashwrangler makes Ben Nagy vomit, as do run-on sentences and bad grammar and things. Ben Nagy also vows to get shiny new tools like AFL working in a scaled park. The infrastructure will function with centralized C2 and result aggregation. Ben Nagy figures he can get all of this done in 8 weeks. Ben Nagy will release code to be private on the Internet(tm) to Infiltrate attendees only.
Many years ago, Ben used to do some network security and reverse engineering, but then he fell into the field of fuzzing scalability, and started advocating 'proper' systems for offensive-side bug hunters, emphasising the weakest areas at the time: delivery scale, instrumentation and triage. These ideas are now catching on, which makes him happy. Despite trying to quit the Security Vacation Club, he still pops up every couple of years to release some code that is, hopefully, useful to active practitioners and useless to news outlets. @rantyben lives on a remote Pacific atoll and enjoys SyScan, trollcoding, drunktwitter and fine Islay whisky.
Problems in symbolic fuzzing
Abstract: Fuzzing is undoubtedly one of the most popular methods for both attackers and defenders to find bugs in software. Recent advances in symbolic fuzzing, a technique that allows program logic to direct the fuzzing process, allow its operators to uncover bugs in software applications that would be very difficult to uncover otherwise. However, there are many programs which symbolic fuzzing can fail to test. In some instances, checksums, cryptographic operations, loop constructs, table lookups (such as atoi and character conversion routines), and other constructs (such as sanity checks) can stop bug discovery in its tracks. Moreover, some symbolic techniques fail to handle large programs. This talk will begin with an overview of symbolic fuzzing and how it can help find bugs faster. We’ll explore challenges this technique may face using specific code constructs and examples. Finally, the talk will conclude with an analysis of how fuzzers deal with these specific cases and the merits of the approaches.
Bio: Nathan Rittenhouse is a Security Researcher at Area 1 Security. Prior research on symbolic fuzzing techniques was conducted in collaboration with Stelios Sidiroglou-Douskos, Eric Lahtinen, Fan Long, and Paolo Piselli and was supervised by Professor Martin Rinard at the Massachusetts Institute of Technology.
Ram Shankar / Sacha Faust
Data Driven Offense
Abstract: While the industry’s “blue team” of defenders and analysts are racing to make security detections smart by harnessing the power of Big Data, the aim of this talk is to convey that the “red team” of attackers and penetration testers also stands to benefit by taking a data driven approach. Attendees of this session will learn how to employ distributed computing (specifically, the HDInsight stack) to automate their attacks at scale, and learn Machine Learning (“ML”) tools (specifically, contextual bandits, supervised learning, clustering, regression and dimensionality reduction) that can sharpen their attacks and make them adaptive. Through practical systems built by the Azure Red Team and Azure Security Data Science group, the audience will learn that the benefits of data driven offense include evading existing anomaly detection systems, automatically finding optimal attack strategies, and effectively decreasing both mean-time-to-compromise (MTTC) and mean-time-to-pwnage (MTTP). At the end of the session, the audience will be armed with a tangible framework and the ML toolkits required for large scale attack automation and execution. To attend this talk, no prior knowledge of ML or distributed computing is required.
Ram Shankar is a Security Data Wrangler in the Azure Security Data Science group. He works on the intersection of Machine Learning and Security, which has resulted in a slew of patents in the large scale intrusion detection space (identified by the evaluators as "fundamental and groundbreaking”). His work has been featured in Microsoft’s Engineering Excellence Talk series and has also appeared in external conferences like DerbyCon, BlueHat and Practice of Machine Learning. Ram Shankar graduated from Carnegie Mellon University with a Masters in Computer Science and a separate Masters in Engineering & Technology Innovation Management. You can find him @ram_ssk
Sacha Faust is a Senior Security Engineer in the Azure Red Team. When he is not breaking things, he focuses on evangelizing the Assume Breach mindset by evaluating Microsoft Azure's ability to sustain, detect and recover from attacks. He is a self-taught security enthusiast who started his professional career in 1998 and has worked most notably for PricewaterhouseCoopers (PwC), SPI Dynamics and Microsoft.
Hardened Anti-Reverse Engineering System
Abstract: Hardened Anti-Reverse Engineering System (HARES) is a prototype anti-reverse engineering technique providing a method to seamlessly execute AES-encrypted applications with neither the key nor any decrypted instructions residing in accessible memory (even to a compromised kernel) on an unmodified x86 computer. My work shows that the combination of a thin hypervisor implementing Intel's AES-NI instructions in a TRESOR-like configuration and TLB-splitting on Nehalem and newer CPUs can be used to transparently (without hardware modification) decrypt and execute a fully-encrypted (AES-128) application without leaking sensitive instruction information to readable memory (keys will never be in memory, and are thus additionally protected against cold-RAM attacks). Doing so will prevent any of the application's code from being accessible by software memory acquisition tools, cold-boot RAM attacks or debuggers (in-circuit emulators (ICE) and memory-bus snoopers excepted). The decrypted instructions are stored in "execute-only" memory, ensuring that any attempt to access them, even by a compromised kernel, is prevented by hardware. An advantage of the HARES system is that, due to the use of TLB-splitting, existing applications can be seamlessly encrypted without access to source code or requiring a re-compile. Our tests with a prototype system built in-house demonstrate successful execution of Windows 7 32-bit PE files (.exe) with an approximate performance hit of ~2% on our synthetic test-suite applications. HARES provides a significant improvement in preventing the theft of algorithm IP by fully-encrypting the code sections of a binary. This proves a much harder technique to bypass than even the most sophisticated code-obfuscation and reordering techniques. An additional advantage of the HARES solution is that, since TLB-splitting creates a Harvard architecture on a per-process basis, code-injection attacks are thwarted, as is mining an encrypted binary for ROP gadgets.
The current prototype only supports user-space Windows 7 applications, however future versions are envisioned to support kernel-mode drivers as well.
Bio: Jacob Torrey is a Senior Research Engineer at Assured Information Security, Inc. where he leads the Computer Architectures group and acts as the site lead for the Colorado branch. Jacob has worked extensively with low-level x86 and MCU architectures, having written a BIOS, OS, hypervisor and SMM handler. His major interest is how to (mis)use an existing architecture to implement a capability currently beyond the limitations of the architecture.
Rusty Wagner / Jordan Wiens
Hacking Games in a Hacked Game
Abstract: For the last two years, the Ghost in the ShellCode Capture the Flag (CTF) has done something unique -- built a series of CTF challenges inside of a custom MMO. Given that many in security research got their start cracking software or hacking games, we thought it fitting to merge game hacking with more traditional CTF-style challenges. The first half of the talk covers the bigger picture perspective of both game hacking as well as the current state of the CTF scene. It turns out there's a surprising amount of back-and-forth between real-world research and CTF 'games' (and not always in the direction you'd expect). Additionally, as reverse engineering skills and toolsets develop, they're increasingly domain-specific. Much like exploits that are specific to a single target or family of targets, so too are interesting pockets of reverse engineering expertise being applied to specific problems. We'll cover some of the tools and techniques coming out of the game-hacking world as well as those coming out of the CTF scene that you might not be aware of. One particular tool, Binary Ninja, was written by Rusty for CTFs for quick analysis and patching of binaries in attack-defense competitions, and has some of the best features of both IDA and a powerful hex editor to allow quick binary modifications when battling live opponents in an attack-defense CTF. We'll also focus on some of the specific hacks we were most entertained by during our two years of running an intentionally-hackable MMO. These include custom wireshark dissectors, LD_PRELOAD hooking, custom DirectX overlays, and many others. The majority of the techniques were developed over the course of a weekend CTF and demonstrate the breadth of techniques available for run-time modification.
Bio: Both Rusty and Jordan have worked for The Man doing security research and development (as well as playing and hosting dozens of CTFs) over the past decade. They recently quit their day-jobs to pursue their passions on the intersection of CTFs and gaming which is likely crazy, but it at least makes video games a legitimate business expense.
Writing Bad@ss OS X Malware
Abstract: When comparing Microsoft and Apple, Cupertino emerges a winner in pretty much all categories - save for the sophistication of OS X malware. Simply put; while Windows malware may leave us in awe (and have entire books dedicated to single specimens), currently, OS X malware really sucks...and that’s not fair! Why should Windows have all the fun? This talk aims to level the playing field by describing exactly how to practically create elegant, bad@ss OS X malware. Starting with persistence, we will banish popular, but easily detected methods such as launch daemons and agents (lame!), instead turning to more subversive methods. The talk will then cover practical anti-analysis and stealth techniques such as abusing OS X’s native support for encrypted binaries and in-memory code execution in order to thwart (or at least complicate) analysis. Of course, persistence and anti-analysis are only half the battle. As such, the talk will then dive deeply into features and capabilities that any worthwhile OS X malware should support. For example, the technical aspects of process injection, personal security product bypasses, and network exfiltration will be covered in detail. As OS X isn’t as sexy as its younger brother (sister?) iOS, it’s been a while since offensive OS X concepts have been comprehensively presented. Moreover, due to advances in OS X, many older techniques have been fully deprecated or need some serious TLC in order to regain functionality on OS X Yosemite. It’s time there was a pure ‘Yosemite’ compatible OS X malware talk! So unless you work for Apple, come learn how to take your OS X malware skills to the next level. Apple truly produces some amazing products that push the limits of modern engineering and provide an unparalleled user experience. Let’s make the late Mr. Jobs proud and create some OS X malware that is equally elegant.
Bio: Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA, the NSA, and Vulnerability Research Labs (VRL), he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware.