
Main Track

Welcome to the Physical Layer

Speaker: Michael Ossmann

I invite you to join me on a journey of discovery. We’ll descend through strata of abstraction and encapsulation, along paths overgrown with ambiguity and ignorance, until we reach the grimy surface underlying all our constructions. You’ll see wonders seldom witnessed except by the intrepid discoverers of such techniques as packet-in-packet and rowhammer. In this wilderness of PHY we’ll uncover ancient trails and make them new again, foraging in a lush jungle of vulnerabilities surprisingly near to terraces all but picked clean. Always near but often overlooked, this homeland of our technological ancestors is now our land of opportunity.

DPTrace: Dual Purpose Trace for Exploitability Analysis of Program Crashes

Speakers: Rodrigo Rubira Branco and Rohit Mothe

This research focuses on determining the practical exploitability of software issues by means of crash analysis. The target was not to automatically generate exploits, and not even to fully automate the entire process of crash analysis, but to provide a holistic, feedback-oriented approach that augments a researcher’s efforts in triaging the exploitability and impact of a program crash (or fault). The result is a semi-automated crash analysis framework that can speed up the work of an exploit writer (analyst).
Fuzzing, a powerful method for vulnerability discovery, keeps getting more popular in all segments across the industry – from developers to bug hunters. With fuzzing frameworks becoming more sophisticated (and intelligent), the task of product security teams and exploit analysts to triage the constant influx of bug reports and associated crashes received from external researchers has increased dramatically. Exploit writers are also facing new challenges: with the advance of modern protection mechanisms, bug bounties and high prices for vulnerabilities, their time to analyze a potential issue found and write a working exploit is shrinking.
Given the need to improve the existing tools and methodologies in the field of program crash analysis, our research speeds up dealing with a vast corpus of crashes. We discuss existing problems and ideas and present our approach, which is in essence a combination of backward and forward taint propagation systems. The idea is to leverage both these approaches and to integrate them into one single framework that provides, at the moment of a crash, the mapping of the input areas that influence the crash situation and, from the crash on, an analysis of the potential capabilities for achieving code execution.
We discuss the concepts and the implementation of two functional tools developed by the authors (one of which was previously released) and discuss the benefits of integrating them. Finally, we demonstrate the use of the integrated tool (DPTrace, to be released as open-source at Def Con) with public vulnerabilities (zero-days at the time of their release in the past), including a few that the authors themselves discovered, analyzed/exploited and reported.

Hadoop safari – Hunting for vulnerabilities

Speakers: Thomas DEBIZE and Mahdi BRAIK

With the growth of data traffic and data volumetric analysis needs, “Big Data” has become one of the most popular fields in IT, and many companies are currently working on this topic by deploying Hadoop clusters, Hadoop being the current most popular Big Data framework. As with every new domain in computer science, Hadoop comes (by default) with truly no security. During the past year we dug into Hadoop and tried to understand Hadoop infrastructure and security.
This talk aims to present in a simple way Hadoop security issues, or rather its “concepts”, as well as to show the multiple vectors to attack a cluster. By vectors we mean practical vectors or, to sum it up: how can you access the holy “datalake” after plugging your laptop onto the target network.
Moreover, you will learn how the Hadoop (in)security model was designed, explaining the different security mechanisms implemented in core Hadoop services. You will also discover tools, techniques and procedures we created and consolidated to make your way to the so-called “new black gold”: data. Through different examples, you will be enlightened on how these tools and methods can be easily used to get access to data, but also to get remote system access on cluster members.
Eventually, and as Hadoop is the gathering of several services and projects, you will apprehend that patch management in this field is often complicated and known vulnerabilities often stay actionable for a while.

I know where your page lives: Derandomizing the latest Windows 10 Kernel

Speaker: Enrique Nissim

The latest version of Windows 10 (Anniversary Update) has raised the bar again when it comes to successfully exploiting a kernel vulnerability. Microsoft made a step forward by killing the GDI Objects kernel pointer leakage which was widely used after the infamous Hacking Team exploit. Also, with the randomization of the paging structures, the system now boasts full KASLR, which leads to the requirement of a memory disclosure bug in order to get control of RIP either by ROPing or DKOM techniques. This presentation is going to show the side-channel attack called DrK, aka “De-randomizing Kernel Address Space” (presented at Black Hat 2016), applied to the randomization of the PML4 structure. By combining the TSX instructions and several tricks to get reliability, one is able to determine the exact location of the “PML4 SelfRef Entry”. After this point, all the known attacks against the paging structures can be carried out as if the KASLR never existed.

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets

Speakers: Matthias Deeg and Gerhard Klostermeier

Wireless desktop sets have become more popular and more widespread in the last couple of years. From an attacker’s perspective, these radio-based devices represent an attractive target, allowing both taking control of a computer system and gaining knowledge of sensitive data like passwords.
We will present the results of our research and will demonstrate ways in which modern wireless desktop sets of several manufacturers can be attacked by practically exploiting different security vulnerabilities.

FIRST: Changing How You Reverse Engineer

Speaker: Angel Villegas

Reverse engineering benign or malicious samples can take a considerable amount of time. Leveraging disassemblers like IDA Pro, a reverse engineer can analyze the same routines across several samples over the lifetime of their career. Whether including statically-linked libraries or existing software, code reuse slows reversing efforts. In this presentation we provide a solution for transferring knowledge to similar functions by introducing a new reverse engineering tool, named FIRST (Function Identification and Recovery Signature Tool), to reduce analysis time and enable information sharing.

CICS Breakdown: Hack your way to transaction city

Speaker: Ayoub Elaassal

CICS is the most widely deployed transaction system in the world, with more than 20 billion transactions a day. It is mainly deployed on IBM z/OS systems.
Indeed, for every person that withdraws money, there is a good to fair chance that multiple CICS applications are involved somewhere in the chain of requests. The same goes for banking operators when creating a new account, handling refunds, taxes, etc. The talk will demystify this critical system, explain how it works but mostly how to abuse some of its functions in order to illegitimately read and write business files, access other applications, remotely execute code with zero authentication… The tool Cicspwn will be presented to help pentesters check CICS’s security and exploit all the key weaknesses detailed above.

Poking on Mac’s Recovery OS and Local OS Update Process

Speaker: Patrick Wardle

Let’s discuss the hidden Recovery OS, and show how in virtualized environments, it may be subverted to allow malware to survive a full OS X restore and bypass SIP. Then, we’ll look at how OS X performs OS updates, noting that this process may be locally subverted even on native hardware. This talk will also cover various novel OS X infection and injection strategies, and discuss some general OS X hardening methodologies that may generically thwart, or at least complicate such attacks.

Excite project: all the truth about symbolic execution for BIOS security

Speakers: Ilia Safonov and Alex Matrosov

We are working on the Excite project, which uses the open-source symbolic execution platform S2E and the Intel virtual platform Simics to search for BIOS security vulnerabilities, including the best-known class of vulnerabilities: memory references (call-outs) by SMM interrupt handlers in UEFI-compliant implementations of BIOS. All tools and approaches in this talk are discussed on real examples of vulnerabilities found with them. We want to discuss the limitations and problems which we face with the symbolic execution approach for BIOS security validation. The Excite tool currently applies only to interrupt handlers for SMM variables. Given a snapshot of SMRAM, the base address of SMRAM, and the address of the variable interrupt handler in SMRAM, the tool uses S2E to run the KLEE symbolic execution engine to search for concrete examples of a call to the interrupt handler that causes the handler to read memory outside of SMRAM. This is a work in progress. We also discuss the mixed approach of symbolic execution with a fuzzing flavor to improve vulnerability digging capability.

Safeguarding Rootkits: Intel BootGuard

Speaker: Aleksandr Ermolov

Intel BootGuard is a new hardware-level technology to protect BIOS against modifications, which computer system vendors can permanently add on at the production stage. The report will cover the details of the technology, as well as related and unrelated undocumented subsystems (Intel ME, boot code inside the CPU and much more). Moreover, the report will show how an error, cloned by some vendors for years, allows potential hackers to use the technology to create a hidden rootkit, which cannot be removed even by a programming device.

JETPLOW is dead. Long live the JETPLOW!

Speakers: Roman Bazhin and Maxim Malyutin

Documents on NSA software published by Edward Snowden created a stir, but did not allow seeing how it actually worked. That became possible after the Shadow Brokers’ leak was published. We were not idling during that period and attempted to replicate that work through our independent research. In this report, we will deeply analyze the leaked JETPLOW and compare it against our own results. We will also think about how this situation and such backdoors can be developed further on, and how things stand with other equipment from Cisco. In the last part we will show methods for detecting such backdoors.

Defeating Pin Control in Programmable Logic Controllers

Speakers: Ali Abbasi and Majid Hashemi

Input/Output is the mechanism through which embedded systems interact with and control the outside world. Particularly when employed in mission-critical systems, the I/O of embedded systems has to be both reliable and secure. An embedded system’s I/O is controlled by a pin-based approach. In this paper, we investigate the security implications of embedded systems’ pin control. In particular, we show how an attacker can tamper with the integrity and availability of an embedded system’s I/O by exploiting certain pin control operations and the lack of hardware interrupts associated with them.

The UEFI Firmware Rootkits: Myths and Reality

Speakers: Alex Matrosov and Eugene Rodionov

In recent days the topic of UEFI firmware security is very hot. Numerous publications have appeared over the last few years discussing disclosed vulnerabilities in UEFI firmware. These vulnerabilities allow an attacker to compromise the system at one of the most privileged levels and gain complete control over the victim’s system. In this presentation the authors will take a look at the state-of-the-art attacks against UEFI firmware from a practical point of view and analyze the applicability of disclosed attacks in real-life scenarios: whether these vulnerabilities can be easily used in real-world rootkits (OS->SMM->SPI Flash).
In the first part of the presentation the authors will dive into different types of vulnerabilities and attacks against UEFI firmware to summarize and systematize known attacks: whether the vulnerability targets one specific firmware vendor, whether an attacker needs physical access to the victim’s platform and so on. Such a classification is useful to understand the possibilities of an attacker. The authors will also look at the attacks and determine whether they can be converted into a real-world rootkit, or whether the possibilities of the attacker are very limited and the attack vector cannot make it beyond the PoC. In the second part of the presentation the authors will look at defensive technologies and how one can reduce the severity of some attacks. Modern Intel-based platforms implement different methods and mitigation technologies against firmware and boot process attacks.

Dissecting complex code-reuse attacks with ROPMEMU

Speaker: Mariano Graziano

Code-reuse attacks based on return-oriented programming (ROP) are becoming more and more prevalent every year. They started as a way to circumvent operating system protections against injected code, but they are now also used as a technique to keep the malicious code hidden from detection and analysis systems. This means that while in the past ROP chains were short and simple (and therefore did not require any dedicated tool for their analysis), we recently started to observe very complex algorithms – such as a complete rootkit – implemented entirely as a sequence of ROP gadgets. Unfortunately, all the available tools have been designed to cope with code injection attacks. This means there are no tools to analyze payloads generated with the code-reuse paradigm. For this reason, I proposed ROPMEMU. ROPMEMU is a framework that adopts a set of different techniques to analyze ROP chains and reconstruct their equivalent code in a form that can be analyzed by traditional reverse engineering tools.

Hacking ElasticSearch

Speaker: Ivan Novikov

This presentation will be devoted to the popular data indexing and search engine ElasticSearch. We will discuss security issues of the entire technology stack required for including this technology in modern web apps:
• Wrapper classes (aka drivers) for popular platforms (php, nodejs, Java, python).
• Elastic Search Application Programming Interface (API).
• Embedded interpreter.
• Server interaction with the file system.
We will review all detected vulnerabilities and make assumptions regarding further potential issues. The report will present new vulnerabilities and practical usage methods. We will also provide examples of the most frequent errors made during implementation of this technology, based on security audits of web apps.

Gateway Internals of Tesla Motors

Speakers: Sen Nie and Ling Liu

The Vehicle Gateway is an MCU which manages data communication between different CAN channels. In a Tesla car, it also acts as an interface between Ethernet and the CAN bus to transfer/filter messages passed from the Infotainment System to the internal CAN bus network. Nowadays the gateway is playing an important role on the internal networks of vehicles, especially when the car is equipped with Internet access (aka connected cars). In this talk, we’ll present the design and implementation of vehicle gateways, and we’ll reveal the mystery of the gateway in a Tesla car, such as how we reverse the gateway firmware and how the gateway manages its services like shell, filesystem, network, logging, etc.

Advanced Web Application Fuzzing

Speaker: Michael Stepankin

The report will discuss web application fuzzing methods for searching for injection vulnerabilities (not SQL alone). Automatic web application scanners often do general vulnerability checks only, and are easily blocked by a WAF. At the same time, manual analysis fails to cover all possible cases. The author has developed his own web application fuzzing tool that combines automatic and manual analysis to search for more complicated injections.
The presentation will also cover vulnerabilities in PayPal and Yahoo servers that have been detected by the author with the above tool.

Breaking Crypto for Dummies

Speaker: Nikita Abdullin

Can you break cryptography implementations without being a cryptographer? The answer is yes. The talk will cover some novel applications of the less-than-rocket-science attacks on cryptography implementations in software, adapted from similar hardware attacks that have already been used for decades. The talk will show how to attack any protected crypto, including white-box cryptography, regardless of the obfuscation and with minimal to no reverse engineering, using commercial off-the-shelf and FOSS tools.

You’re off the hook: blinding security software

Speakers: Jeffrey Tang and Alex Matrosov

User-mode hooking is dead. It’s also considered harmful due to interference with OS-level exploit mitigations like Control Flow Guard (CFG). At Black Hat US 2016, the “Captain Hook” talk revealed there were multiple serious security issues in AV hooking — we will put the final nail in the coffin by showing how trivial it is to bypass user-mode hooks. We will demonstrate a universal user-mode unhooking approach that can be included in any binary to blind security software from monitoring code execution and performing heuristic analysis. The tool and source code will be released on GitHub after the talk.

How to circumvent an AD converter, part 3, or tools for attacking the conversion of analog data to digital

Speaker: Alexander Bolshev

We are used to working with digital systems, but the world around us is analog. Digital devices use tools to transform data from analog to digital form (the simplest one being an analog-to-digital converter) to deliver an impact on the world or, on the contrary, to gather information about it. Various AD converters interpret analog signals with certain features differently, even if they are connected to the same line. This may lead to a false perception of the state of a system managing a process, or to incorrect data in the sensor output, which also affects the process. This presentation will cover various tools and methods to impact the analog-to-digital transformation, which enables us to attack SCADA and other systems.

Stories about hacking low-cost phones

Speaker: Alexey Rossovsky

There are many reports on hacking top mobile phones, while low-cost phones are undeservedly deprived of this attention, though they are also sold and used on the market. In this report I will talk about some cases of unlocking or propatching low-cost phones. I will talk about the Intel XMM mobile chipset, buggy AT commands, exploitation of OTA with MITM, jailbreak of Qualcomm-based devices, exploitation on ARM devices, getting root with SELinux switched on, and others.

Cisco Smart Install. Pentester’s opportunities

Speakers: Alexander Evstigneev and Dmitry Kuznetzov

This speech will cover unpublished vulnerabilities in Cisco Smart Install, which together help to gain full control over Cisco switches supporting the Smart Install functions.

The approach to developing LPE exploits on Windows 10, taking into account the latest security updates

Speakers: Yuri Drozdov and Ludmila Drozdova

The presenter will talk about the challenges of writing LPE exploits on Windows 10 and methods to overcome them. The focus will be on a new way to control handles to GDI objects (in the latest update of Windows 10), and how it has affected the exploitation process. Other peculiarities of Windows 10 impacting exploitation will also be briefly discussed.