Justin Schuh (Keynote Speaker)
Beset on all sides: A realistic take on life in the defensive trenches
Bio: Justin Schuh is the longstanding engineering lead for Chrome Security at Google. His career started two decades ago in the U.S. intelligence community, including a range of offensive and defensive missions at the U.S. Marine Corps, NSA, and CIA. Upon moving to the private sector in 2004, Justin joined Neohapsis (now a part of Cisco Systems) where he helped build their software security consulting practice. During that time, he coauthored “The Art of Software Security Assessment,” which is still used as a foundational text in the field. Justin later moved on to vulnerability research at ISS X-Force, prior to joining Google in 2009 to help establish the Chrome Security Team.
Sophia is a security engineer at Trail of Bits. Her present work includes techniques for automated software exploitation and software obfuscation using LLVM. She spends too much time playing CTF and going to noise concerts.
Peter is a security researcher and co-founder of Vector35.
Rusty used to break stuff for a living but now makes stuff like Binary Ninja and an assortment of hackable video games.
Be a Binary Rockstar: Next-level static analyses for vulnerability research
Program analysis is often hampered when source code is not available: many static analysis tools depend on source and cannot operate on binaries. One solution is an intermediate language (IL) that supports advanced analysis but first requires lifting, i.e. translating native instructions into the IL.
This talk will describe and release an example IL analysis plugin, built on the Binary Ninja IL, for automated discovery of a simple memory corruption vulnerability. A script for IL-based variable signedness analysis will also be described and released. The concepts of variable analysis, abstract interpretation, and integer range analysis will be discussed in the context of vulnerability discovery.
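As an added illustration of the integer range and signedness analysis the abstract refers to (example code written for this page, not the plugin or script being released, and not using the Binary Ninja API): a tiny abstract interpreter over a constructed three-address IL. Each variable carries a signed 32-bit interval; a branch condition narrows it; a load checks what the interval covers once the access reinterprets the index as uint32. The point it makes is the classic signedness bug: a signed `x <= 15` check leaves negative values through, and those wrap to huge unsigned indices, whereas an unsigned compare bounds both sides. The instruction set, the `Interval` domain and the sample programs are assumptions for the example.

```python
"""Toy integer-range and signedness abstract interpretation over a small
constructed three-address IL. Example code for this page; it is not the
released plugin and does not use the Binary Ninja API."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INT32_MIN, INT32_MAX = -(1 << 31), (1 << 31) - 1
UINT32_MAX = (1 << 32) - 1


@dataclass(frozen=True)
class Interval:
    """Signed 32-bit interval [lo, hi]; empty when lo > hi."""
    lo: int
    hi: int

    def unsigned_view(self) -> Tuple[int, int]:
        """Range the value covers once an access reinterprets it as uint32
        (an index or a memcpy length). An interval straddling zero wraps to everything."""
        if self.lo >= 0:
            return self.lo, self.hi
        if self.hi < 0:
            return self.lo + (1 << 32), self.hi + (1 << 32)
        return 0, UINT32_MAX


TOP = Interval(INT32_MIN, INT32_MAX)
State = Dict[str, Interval]


def transfer(state: State, insn: Tuple) -> State:
    """Abstract semantics of one instruction (the instruction set is an assumption)."""
    op, args = insn[0], insn[1:]
    st = dict(state)
    if op == "input":                       # attacker-controlled value: nothing known
        st[args[0]] = TOP
    elif op == "const":
        st[args[0]] = Interval(args[1], args[1])
    elif op == "add":
        a, b = st[args[1]], st[args[2]]
        lo, hi = a.lo + b.lo, a.hi + b.hi
        # Fall back to TOP on possible signed overflow instead of modelling the wrap.
        st[args[0]] = Interval(lo, hi) if INT32_MIN <= lo and hi <= INT32_MAX else TOP
    elif op == "assume_sle":                # fallthrough of `if ((int32)x > k) goto bail`
        x = st[args[0]]
        st[args[0]] = Interval(x.lo, min(x.hi, args[1]))
    elif op == "assume_sge":                # fallthrough of `if ((int32)x < k) goto bail`
        x = st[args[0]]
        st[args[0]] = Interval(max(x.lo, args[1]), x.hi)
    elif op == "assume_ule":                # fallthrough of `if ((uint32)x > k) goto bail`, 0 <= k <= INT32_MAX
        x = st[args[0]]
        # Negative x is huge as uint32 and takes the bail branch, so the lower bound clamps to 0 too.
        st[args[0]] = Interval(max(x.lo, 0), min(x.hi, args[1]))
    elif op != "load":                      # loads are checked in analyze() and leave state unchanged
        raise ValueError(f"unknown op {op}")
    return st


def analyze(program: List[Tuple]) -> List[Dict[str, object]]:
    """Walk straight-line IL; report every load whose index, as the unsigned
    value the access uses, can reach or pass the buffer size."""
    state: State = {}
    findings: List[Dict[str, object]] = []
    for pc, insn in enumerate(program):
        if insn[0] == "load":
            _, buf, idx, size = insn
            ulo, uhi = state[idx].unsigned_view()
            if uhi >= size:
                findings.append({"pc": pc, "buffer": buf, "size": size,
                                 "index_s32": (state[idx].lo, state[idx].hi),
                                 "index_u32": (ulo, uhi)})
        state = transfer(state, insn)
        if any(v.lo > v.hi for v in state.values()):
            break                           # contradictory assumptions: path infeasible
    return findings


# Constructed sample programs; `buf` is 16 bytes in all of them.
SIGNED_CHECK_ONLY = [("input", "n"), ("assume_sle", "n", 15), ("load", "buf", "n", 16)]
SIGNED_BOTH_SIDES = [("input", "n"), ("assume_sge", "n", 0), ("assume_sle", "n", 15), ("load", "buf", "n", 16)]
UNSIGNED_CHECK = [("input", "n"), ("assume_ule", "n", 15), ("load", "buf", "n", 16)]
CHECKED_THEN_OFFSET = [("input", "n"), ("assume_ule", "n", 15), ("const", "eight", 8),
                       ("add", "i", "n", "eight"), ("load", "buf", "i", 16)]

if __name__ == "__main__":
    for name, prog in [("SIGNED_CHECK_ONLY", SIGNED_CHECK_ONLY), ("SIGNED_BOTH_SIDES", SIGNED_BOTH_SIDES),
                       ("UNSIGNED_CHECK", UNSIGNED_CHECK), ("CHECKED_THEN_OFFSET", CHECKED_THEN_OFFSET)]:
        print(name, analyze(prog))
```

`SIGNED_CHECK_ONLY` is flagged because `n` is still `[INT32_MIN, 15]` at the load and its uint32 view is the whole range; adding the lower-bound check or switching to an unsigned compare makes the load clean, while `CHECKED_THEN_OFFSET` shows a plain range overrun after a correct check. A real plugin would run the same transfer functions over lifted IL with a fixpoint and widening for loops; this example is deliberately limited to straight-line code.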
Stephanie Archibald is a security researcher at Cylance, where she happily spends her time investigating OS internals and developing tools. She has over 9 years of experience in exploit development, reverse engineering, and vulnerability discovery and has co-authored several conference talks and Phrack papers.
Sierra Had a Little Lamb: A Userland Kit for MacOS
Long gone are the days of trivially exploiting services to gain root; these days, multiple exploits are typically strung together to form an exploit chain. If sections of the chain fail, an attacker is left with a situation where they must investigate the target while attempting to remain hidden.
In this talk I introduce LAMB, a multi-stage solution to this scenario which attempts to hide an attacker’s activities without requiring system privileges. This talk will cover how this is accomplished, covering a variety of ways including user-space execve and scheduling, virtual file cache, shadow file descriptor tables and more. I will also discuss ways to mitigate the high system resources of the compromised application and ways to operate within the common sandbox profiles on the system.
Jean-Philippe (JP) Aumasson is Principal Research Engineer at Kudelski Security. He designed the popular cryptographic functions BLAKE2 and SipHash, and initiated the Crypto Coding Standard and the Password Hashing Competition that produced the Argon2 algorithm. He has spoken at Black Hat, DEFCON, RSA, CCC, SyScan and Troopers about applied cryptography, quantum computing, and platform security. He published the 2015 book "The Hash Function BLAKE" and will publish a new book about cryptography in 2017. JP tweets as @veorq.
Markus Vervier is a security researcher from Germany whose main focus is software security. Over the last 15 years he has gained professional experience in offensive IT security, working as a penetration tester and security consultant for highly regarded companies. That experience, combined with his personal passion for security research, led him to start his own company in 2015. Besides his daily security work, he actively pursues security research and regularly discovers high-profile vulnerabilities, such as the recent libotr heap overwrite.
Hunting For Vulnerabilities in Signal
Signal is the most trusted secure messaging and secure voice application, recommended by Edward Snowden and the Grugq. And indeed Signal uses strong cryptography, relies on a solid system architecture, and you've never heard of any vulnerability in its code base. That's what this talk is about: hunting vulnerabilities in Signal.
We will present vulnerabilities found in the Signal Android client, in the underlying Java libsignal library, and in example usage of the C libsignal library. Our demos will show how these can be used to crash Signal remotely, to bypass the MAC authentication for certain attached files, and to trigger memory corruption bugs.
Combined with vulnerabilities in the Android system it is even possible to remotely brick certain Android devices. We will demonstrate how to initiate a permanent boot loop via a single Signal message.
We will also describe the general architecture of Signal, its attack surface, the tools you can use to analyze it, and the general threat model for secure mobile communication apps.
Open Whisper Systems, which maintains Signal, rapidly acknowledged and fixed the vulnerabilities.
Andrés Blanco is an independent researcher. His interests and expertise include network security, hardware security, reverse engineering and privacy. He has presented at Defcon, Hack.lu and Ekoparty.
802.11 Protocol Chaos
Over the last few years, use of the IEEE 802.11 wireless standard has become massive. Wireless devices are everywhere, from your smartphone to the printer in your office.
The IEEE 802.11 standard has many amendments and third-party extensions that bring new features and add complexity to the protocol. Modern devices support several specifications such as Cisco Compatible Extensions, Wi-Fi Protected Setup, Wi-Fi Direct, AirPlay and AirDrop (to name a few). This complexity makes platform implementations more intricate, opening opportunities for attackers.
This presentation will show how attackers can use these specifications to fingerprint devices, abuse flawed implementations to access devices, and obtain internal network information without even connecting to the network.
James has been doing his best to not take life too seriously. He does the odd bit of research on Windows from time to time and enjoys nothing more than putting his feet up and drinking a nice hot cup of Earl Grey.
COM in Sixty Seconds! (well minutes more likely)
The Component Object Model has been part of Windows for over 20 years. In that time it has gained new abilities such as remoting with DCOM and a service component model with COM+, and it forms the bedrock of WinRT, which is used by Universal Windows Platform applications. This presentation will give an overview of how COM works, what secures it, and how you can go about inspecting the attack surface of COM for privilege escalation, remote code execution or persistence. The following topics will be included:
* COM and DCOM Fundamentals
o How COM works.
o DCOM Proxies and Stubs
o Security model and Impersonation
o All the IDs
* Enumerating attack surface
o Tools to inspect and manipulate COM
o Finding objects accessible at Low IL or in App Containers for privilege escalation
o Runtime security model
o Finding new COM objects after application installation
o Marshaling and Persistence
* Reverse Engineering COM components
o Finding component implementation
o Extracting interface information from binaries
Georgi Geshev is a security researcher for MWR InfoSecurity in the UK. Georgi's previous works on MPLS, MQ, and kernel fuzzing have been presented at a number of conferences including PacSec, ZeroNights, NoSuchCon, ekoparty, DEFCON, etc. His main (research) interests revolve around bug hunting, network protocol security, and craft beer.
Robert has worked for MWR InfoSecurity since 2011 on Android security projects ranging from developer training to application and device security reviews. He now runs the company's Operational Technology team, focusing on industrial and embedded device security. Robert has given presentations and workshops on Android security at conferences such as T2 Finland and 44Con London, helping security professionals better understand Android's unique security landscape.
Logic Bug Hunting in Chrome on Android
Memory corruption exploits require ever greater investment of time and effort to bypass the latest mitigations in applications like Chrome and the underlying operating system. Combined with the competition of everyone in the world running a fuzzer, it becomes hard to find and keep unique bugs.
Instead we want to talk about logic flaws, whether bugs or simply "features", that let an attacker achieve the same goals without fighting the latest and greatest exploit mitigations. We will show the methodology we use for reviewing products and identifying flaws, as well as the process of exploiting them. This involves, among other things, gaining a deeper understanding of a target and identifying the security boundaries where each side tends to assume the other has already performed the relevant security checks.
In our example we will show how a logic bug in Chrome for Android allows an attacker to completely bypass the Android Nougat security model to access the user's files and emails, and even install applications, without the need for a single memory corruption bug.
Marco Grassi is currently a Senior Security Researcher of the Keen Lab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo for Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of "Master Of Pwn" at Pwn2Own 2016. His current focus is mainly Android and OS X/iOS and sandbox escapes. When he’s not poking around software, he enjoys developing embedded and electronic systems. He has spoken at several international security conferences such as Black Hat USA, Defcon, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon. You can find him on Twitter at @marcograss.
Liang Chen is a senior security researcher at KeenLab of Tencent (formerly known as Keen Team). Liang has strong research experience in software vulnerability discovery and exploitation. Over the years, Liang's major research area has been browser exploitation, including Safari, Chrome and Internet Explorer on both PC and mobile platforms. Liang also researches sandbox escape techniques on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" at Pwn2Own 2016 and Mobile Pwn2Own 2016. Liang is also the winner of the iPhone Safari category at Mobile Pwn2Own 2013 and the Mavericks Safari category at Pwn2Own 2014. Liang has spoken at several security conferences including XCON 2013, Black Hat USA 2016/Europe 2014, RECON 2016, CanSecWest 2015/2016, POC 2015/2016, etc.
Remotely Compromising a Modern iOS Device
Achieving a successful remote compromise of a modern Apple iOS device has in recent years become particularly challenging for an adversary, thanks to all the good work done by Apple.
Nevertheless, in this talk we will describe the ideas and methods that led us to successfully compromise a fully updated iOS device remotely at Mobile Pwn2Own 2016 in Tokyo, along with other attack chains that did not make it into the competition.
In particular, but not limited to, we will cover:
- The sandbox and escaping it
- Rogue Application Install and Codesign Bypass
- Alternative ideas for remote attack chains.
I have 10 years in the cyber security industry, split between time in the military and the private sector. I've spent my career focusing on SIEM/IDS/IPS engineering, malware analysis, and cyber operations. My passion is building and creating, which includes everything from exploit development to the occasional do-it-yourself project.
Forget Enumerating a Network, Hack the SIEM and Win the War
Every company, big and small, is hopping on the SIEM bandwagon. And while they are being sold a solution to help secure their networks the reality is that these systems practice poor security, are generally implemented by people with little to no experience, and create more vulnerabilities than they solve.
In this talk I walk through a common target network where a known and commonly used SIEM has been integrated, show how to exploit onto the SIEM, where to look for the juicy intel, and how to cover your tracks.
Andrew Johnson is a security engineer on the Cloud + Enterprise Red Team. His main area of focus is finding new methods of attacking Microsoft Azure and services running in the cloud, and then eliminating those vectors.
Sacha Faust is a Principal Technical Lead on the Cloud + Enterprise (C+E) Red Team. When he is not breaking things, he focuses on teaching machines how to perform end-to-end breaches and on evangelizing the Assume Breach mindset. He is a self-taught security enthusiast who started his professional career in 1998, joined Microsoft in 2007, and has worked on BPOS, Office 365, MSODS, Azure and C+E.
Cloud Post Exploitation Techniques
The cloud is new to many, including red teams, and traditional post-exploitation and other common TTPs are sometimes inapplicable or different because there is no domain environment and the attack surface is limited. The Microsoft Cloud & Enterprise red team will demonstrate some of the post-exploitation and persistence vectors they develop and use, including but not limited to:
* Cloud Pivoting
* Cloud service remote code execution
* Integration of common toolkit but adapted to cloud
* Service level and node persistence approaches
* Automated recon and data driven toolkit
* Indicators of monitoring/detection (IOD/M)
* Future exploration
Vasilis Tsaousoglou (vats) is a computer security researcher at CENSUS S.A. His research interests include vulnerability research, reverse engineering and exploit development.
Patroklos Argyroudis (argp) is a computer security researcher at CENSUS S.A. His main expertise is vulnerability research, exploit development, reverse engineering and source code auditing. Patroklos has presented his research at several security conferences (Black Hat USA, Black Hat EU, Infiltrate, ZeroNights, etc.).
The Shadow over Android: Heap exploitation assistance for Android's libc allocator
Abstract: The jemalloc allocator has been the default libc malloc(3) implementation on Android since version 5.0, and is still used in the latest release (7.0, Nougat). We have previously analyzed in depth memory corruption attacks against jemalloc as a standalone allocator and in the context of the Firefox browser. In this talk we will focus on attacks against jemalloc as the main userland allocator of Android devices (smartphones and tablets). We have extended our jemalloc heap exploration and exploitation tool 'shadow' to support Android (both ARM32 and ARM64), and we will demonstrate its use in understanding the impact of heap corruption vulnerabilities and developing exploits for them. The new version of shadow (supporting Android ARM32/ARM64 and Firefox x86/x86-64) will be released as open source software along with the talk.
Ralf is the founder and CEO of Comsecuris, a German boutique security research and consulting outfit. He has a passion for breaking embedded and cellular systems and prefers a nice, well-aged bug over a well-aged wine.
Did I hear a shell popping in your baseband?
While the majority of baseband vendors use lightweight real-time operating systems, there is a chipset vendor with substantial market share in China that uses a POSIX-compliant operating system.
In recent years, Android smartphones using this chipset have also seen increased adoption outside of China; moreover, a German premium car manufacturer allegedly inked a deal to exclusively use chips from this vendor for cellular connectivity.
In this talk I will show how to:
* find your own over-the-air exploitable bugs in this cellular stack (not just limited to GSM)
* gain local access to a shell interface on the baseband chip
* use the built-in debugging facilities to help writing exploits
* inject a Lua interpreter to use the compromised baseband as a pivot, either towards the network or towards the application processor.
Moreover, I will explain why this platform is ideal for further offensive research on the cellular air interface.
Berend-Jan "SkyLined" Wever is a software security researcher from the Netherlands who focuses on web-browser security and fuzzing. He has been releasing vulnerabilities, exploits, tools, papers and blog posts on security for well over a decade. He has worked as a security engineer at Microsoft on Internet Explorer and Windows, and at Google on Chrome before becoming an independent researcher.
BugId - Automated Bug Analysis
Whether you are looking for vulns or handling vulns reported by others, at some point you're going to have a repro that crashes an application, and you're going to want to know as much as possible about the bug it triggers while spending as little effort and time as possible. What you want is automated bug detection, analysis, triaging and bucketizing. This is what BugId was designed to do, and this talk will explain how it works.
BugId is a Python script that runs a Windows application under a debugger, using page heap to detect memory corruption and out-of-bounds access early. It handles exceptions and reports bugs not as "access violation" but as "heap use-after-free", "heap out-of-bounds read", "NULL pointer dereference", etc. It will tell you how big the relevant memory block is and the offset at which the code is trying to access it. It will tell you whether the bug is likely to be exploitable and what an attacker might need to do to exploit it. It can collect a large number of details and write them into a human-readable, HTML-formatted report.
Since I am finding more than one unique bug a day with my fuzzing framework, I've integrated it into my fuzzing framework to triage and bucketize my bugs. It allows me to prioritize the interesting vulnerabilities and jump-starts analysis by telling me most of the basic information I need before I've even started a debugger.
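As an added example, not BugId's own code, of the two things the abstract describes, turning a raw access violation into a named bug with block size and offset, and bucketizing crashes so duplicates collapse: a constructed model of page-heap allocations (each block sits at the tail of its page so the next page is an inaccessible guard page; a freed block's pages are made inaccessible), a `classify` function that maps a faulting address plus access type onto that model, and a `bucket_id` keyed on the bug kind plus the top stack frames with per-build instruction offsets stripped. The `Block` model, the addresses, the stack frame names and the 64 KiB NULL region constant are assumptions for the example.

```python
"""Constructed model of what a BugId-style triager does with a crash:
map the faulting address onto page-heap allocations, name the bug class,
and compute a bucket id from the bug class plus the top stack frames.
Example code for this page, not BugId's own implementation."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

PAGE = 0x1000
NULL_REGION = 0x10000      # assumption: lowest 64 KiB treated as the NULL page region


@dataclass
class Block:
    """A page-heap allocation: the block sits at the tail of its page so the
    following page is a guard page; a freed block's pages are inaccessible."""
    base: int
    size: int
    freed: bool = False

    @property
    def page_start(self) -> int:
        return self.base // PAGE * PAGE

    @property
    def guard_start(self) -> int:
        # First page boundary at or past the end of the block.
        return (self.base + self.size + PAGE - 1) // PAGE * PAGE


def classify(fault_addr: int, access: str, heap: List[Block]) -> Dict[str, object]:
    """access is 'read' or 'write', as recovered from the exception record."""
    if fault_addr < NULL_REGION:
        return {"bug": f"NULL pointer dereference ({access})", "offset": fault_addr}
    for b in heap:
        if b.freed and b.page_start <= fault_addr < b.guard_start:
            return {"bug": f"heap use-after-free {access}",
                    "block_size": b.size, "offset": fault_addr - b.base}
        if not b.freed and b.guard_start <= fault_addr < b.guard_start + PAGE:
            return {"bug": f"heap out-of-bounds {access}",
                    "block_size": b.size, "offset": fault_addr - b.base}
    return {"bug": f"access violation ({access})", "offset": fault_addr}


def bucket_id(bug: str, frames: List[str], depth: int = 3) -> str:
    """Stable id for de-duplication: bug class plus the top `depth` symbols,
    with the per-build '+0x..' instruction offsets stripped."""
    symbols = [f.split("+")[0] for f in frames[:depth]]
    digest = hashlib.sha256("|".join([bug, *symbols]).encode()).hexdigest()
    return digest[:12]


# Constructed sample heap and crash stack.
SAMPLE_HEAP = [
    Block(base=0x1F0FE0, size=0x20),                  # live block ending exactly at 0x1F1000
    Block(base=0x2F0F00, size=0x100, freed=True),     # freed block
]
SAMPLE_STACK = ["app!parse_record+0x4c", "app!handle_packet+0x120", "app!main+0x30"]

if __name__ == "__main__":
    report = classify(0x1F1004, "read", SAMPLE_HEAP)
    print(report, bucket_id(str(report["bug"]), SAMPLE_STACK))
```

Reading 0x1F1004 lands four bytes into the guard page after the 0x20-byte block, so the report says heap out-of-bounds read, block size 0x20, offset 0x24: exactly the size-and-offset pair the abstract promises, and the information that distinguishes a one-byte over-read from a controlled large offset when judging exploitability. The bucket id ignores instruction offsets so the same bug hit from a slightly different build or path does not open a new bucket.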