applied security conferences and training: CanSecWest | PacSec | EUSecWest |


The CanSecWest 2018 agenda is not final and subject to change.

Talks will be posted here as selections finalize.


KEYNOTE: Accelerating Canadian Cyber Innovation - Scott Jones, Senior Assistant Deputy Minister of IT Security, Communications Security Establishment (CSE)
Cyber security innovation is crucial for levelling the playing field against adversaries. Ev ery day, large and well-resourced organizations are compromised because current technology an d practices are no longer effective.

Communications Security Establishment (CSE), Canada's cyber security agency, sees the increas ing need for widespread innovation and collaboration to secure our country's future. As part of its leadership role in the cyber security ecosystem, CSE feels it is critical to innovate while spurring innovation in others. Learn about CSE and how it is developing solutions to ri se to the cyber security challenge, including declassifying and open-sourcing some of its sof tware.

Post exploit goodness on a Mainframe: SPECIAL is the new root - Ayoub Elaassal, PwC France
"Everytime you call an Uber, you trigger a Mainframe transaction." This is a lot to expect from a legacy system dating back to the 60s..or is it? These platforms are literally holding the world's economy, yet very few pentesters take the time to drill down these machines, compared to Windows and Linux. Lack of tools? accessibility? openess about the platform?...So many hurdles that this talk will attempt to address by presenting practical attacks against an IBM Z Mainframe. How to get a shell on the machine? Escalate privileges? Even impersonate other processes on z/OS to wreak havoc on the machine. If you like offensive tools, obscure low level code and esoteric systems, you are most welcome!

TPM Genie: Attacking the Hardware Root of Trust For Less Than $50 - Jeremy Boone, NCC Group
TPM Genie is a serial bus interposer that is designed to aid vulnerability research on Trusted Platform Modules. Levering TPM Genie, I demonstrate how to undermine most of the stated purposes of the Trusted Platform Module - measured boot, remote attestation, sealed storage, and the hardware RNG. Additionally, I show how a TPM interposer can trigger other errors in the fragile host-side response parsing code. Combined, these issues allow an attacker to compromise measured/attested boot on a large number of TPM-enabled machines.

Reverse Engineering x86 Processor Microcode - Benjamin Kollenda and Philipp Koppe, Ruhr-University Bochum
Microcode is an abstraction layer on top of the physical components of a CPU and present in most general-purpose CPUs today. While it is well-known that CPUs feature a microcode update mechanism, very little is known about its inner workings given that microcode and the update mechanism itself are proprietary and have not been throughly analyzed yet. We close this gap by both analyzing microcode and writing our own programs for it. This talk will give an insight into our results and how we achieved them, including live demos of what we can do and technical details.

Grandma's old bag, how outdated libraries spoil Android app security (update 2018) - Marc Schoenefeld
The diverse Android app stores are full of applications, written in multiple languages and frameworks. When it comes to optimize for performance and cutting-edge features the ultimate choice is using specialized components written in C/C++. But with increased power comes increased responsibility, as native components have the tendency to rot over time and turn an installed application into a security nightmare. OWASP has placed this scenario on their Top 10 list as "Using components with known vulnerabilities".

In our research we switched from policy to practice, and examined a sample of prominent (especially Android Antivirus) apps with large downloads counts. Unfortunately even in 2018 major vendors ship their colorful applications with well-known security problems, some having weekly updates on the functionality side, but leaving the ugly backyard of outdated native libraries (even with CVSS- 10 vulnerabilities) untouched, samples were taken from the major download store for Android, but also from the smaller ones.

The presentation will cover this and other Android native deployment antipatterns that leave the user in danger of exploitation, enriched with mitigation recommendations and real-life examples.

Forget NDIS, TDI or NIC Drivers : The Shadow Network Stack Hidden In Windows 8+ - Alex Ionescu
Unbeknownst to most people, Windows 8 and later include a component which allows for sending and receiving network packets in the most extreme of situations: without a working network card driver, without interrupts enabled ("HIGH_IRQL" as we call it in Windows kernel parlance), and without any regular component of the Windows network stack present or enabled. Inspired by Aaron Lemaster's groundbreaking work on accessing low-level disk I/O read & write functions by using the crash dump stack (which has similar restrictions), I went to look for a similar capability on the network side of the house - after all, can't you connect a kernel debugger, over the network, even while the machine is crashing or pre-boot? In this talk, we'll talk about the KDNET component of Windows 8 and later, and how it can be (mis)used to provide a fully working IP stack with the ability to send and receive UDP packets, including ARP and DHCP. Attendees will learn how this component does not require kernel debugging enabled on the target or host, the right sequence of commands to stealthily activate it in-memory and the innards of the KDNET protocol for purposes of implementing a working client/server. Finally, a demo showcase of various practical applications will be shown, including a macOS-like network kernel crash dump collection server and a hypervisor network debugger.

Tunnel War: Attack Android Through Multiple Hidden Interface - Hanxiang Wen (arnow117) and Jiashui Wang (Quhe), Ant Financial Light-Year Security Lab
With more and more mitigations such as improving SELinux and sanitizers on Android system, the job of finding the attack surface in Android is more difficult and usually needs new inspiration. This talk reveals some new attack surfaces which are layind under touchable hidden interfaces, and cover from Android original system to manufacturer's ROMs. In Android application level, we find the FOTA and "LocalSocket" vulnerabilities which can be used to elevate privilege easily. When things come to Android system, we bring the new attack surface in the implement of data transmission from Android system services to HAL, with the tricky trigger path which uses crafted "fake Binder service". This talk will make public these defects, details about how to trigger these problems, attack demos, and sum up the vulnerabilities that are found.

Shellcodes are for the 99% - Bing Sun, Sr. Security Researcher at McAfee, Stanley Zhu, Sr. Security Researcher at Didi Chuxing, and Chong Xu, Sr. Director at McAfee
Today most memory vulnerability exploits execute their second-stage exploit or final payload either by creating an executable memory page with shellcode or by loading a third-party executable module. However, as the new exploitation mitigation features ACG (Arbitrary Code Guard) and CIG (Code Integrity Guard) are introduced to high-risk applications on modern operating systems (for example, Microsoft Edge on Windows 10 x64), current memory vulnerability exploitation methods that rely on executing customized code will no longer function. As a result, a code-reuse attack (such as ROP, COOP, etc.) seems to be the only option that can survive these new mitigations. The main drawback of a code-reuse attack, however, lies in its limited flexibility and extensibility. Due to these limitations, it is extremely difficult to implement complex logic, such as multithreading, with pure code reuse. As a countermeasure to the new mitigation, we propose a new browser exploitation framework that leverages and extends JavaScript to complete tasks that would otherwise need to done by native code. With this framework, we can basically achieve almost anything that native code can do. Moreover, unlike previous works that abuse JavaScript, such as "JS god mode" or "interdimensional execution," our new technique covers the whole exploitation kill chain (from initial RCE to EoP stage to final payload), without using any native code. In this talk, we will discuss various challenges of implementing this new exploitation framework in detail. In the demo section, we will present some examples that show how this new exploitation framework can be easily adopted in real-world exploitation scenarios.

Chainspotting: Building Exploit Chains with Logic Bugs - Georgi Geshev and Rob Miller, MWR InfoSecurity
Last year at CanSecWest, we celebrated the advantages of logic bugs over memory corruptions and showcased a nice and shiny bug in Chrome on Android from Mobile Pwn2Own 2016. But did we overstate the merits of this bug class? After all, logic flaws come in all shapes and sizes. You may occasionally need to combine logic bugs into an extraordinarily long and convoluted exploit chain, which is exactly what happened to us at the competition this year. So how does this compare to chaining memory corruption bugs? Is it still an advantage to use logic bugs in these situations?

We used a whopping chain of 11 bugs across 6 unique applications including Chrome, several Samsung and AOSP components. The chain was glued together using virtually every possible means of Android IPC including activities, broadcast receivers, content and file providers. We even threw in a remote DoS bug in the chain for good measure!

This presentation will cover how to hunt for logic bugs at scale, the types of exploit primitives we used, and the way they fit together to achieve a malicious action such as silently installing an arbitrary APK. We will review the approach we use for discovering these types of bugs and discuss our effort into speeding up and automating this process through both static and dynamic analysis tools. This talk will also cover the limitations of these bugs along with some of the Android mitigations that hindered the exploitation process.

Analyzing & Breaking QNX Exploit Mitigations and PRNGs - Tobias Scharnowski and Jos Wetzels, Independent Security Researcher with Midnight Blue Labs
QNX is a proprietary, real-time operating system used in many sensitive and critical embedded devices in different industry verticals from networking and automotive equipment to military and industrial control systems. While some prior security research has discussed QNX, mainly as a byproduct of BlackBerry mobile research, there is no prior work on QNX exploit mitigations or its secure random number generators.

This work seeks to address that gap by presenting the first reverse-engineering and analysis of the exploit mitigations, secure random number generators and memory management internals of QNX. We dissect the NX / DEP, ASLR, Stack Cookies and RELRO mitigations as well as the /dev/random and kernel PRNGs of QNX versions up to and including QNX 6.6 and the brand new 64-bit QNX 7.0 released in March 2017.

We subsequently uncover a variety of design issues and vulnerabilities in these mitigations and PRNGs which have significant implications for the exploitability of memory corruption vulnerabilities on QNX as well as the strength of its cryptographic ecosystem. Finally, we provide information on available patches and hardening measures available to defenders seeking to harden their QNX-based systems against the discussed issues.

Exploring Qualcomm Baseband via ModKit - Peter Pi, XiLing Gong, and Gmxp, Tencent Security Platform Department
On modern Android device like Google Pixel, Qualcomm Modem is running on DSP called Hexagon. Hexagon is totally a different architecture from ARM, has its own instruction set and execution mechanism. When Modem booting, Linux kernel will load Modem images to physical memory and trigger Hexagon DSP to initialize.

In the Modem booting process, there is a mechanism called MSA(Modem Self Authentication) to authenticate the Modem images, any changes to the original images can't boot sucessful. In this presentation, we will introduce a method to bypass MSA to inject Hexagon code to the Modem image. Based on the bypass, we developed a tool named ModKit. Modkit can run as a debug server on the Hexagon DSP side, then we can issue debug commands(such as set breakpoints) to the Modem just by entering commands from adb shell. ModKit also can run as a in-memory fuzzer on the Hexagon DSP, after reverse-engineering the Modem image we can find the entry point where Modem handles the OTA data, and use ModKit to fuzz it in memory. With ModKit, researchers can easily start their research on Qualcomm Modem.

Detecting Reverse Engineering with Canaries - Collin Mulliner, co-author of The Android Hacker's Handbook.
Reverse engineering software is commonly done and has various goals such as finding vulnerabilities, learning about security mechanisms and countermeasures, and for general understanding and information extraction. Obviously all software will be reverse engineered at some point but you will never really find out. This talk is about detecting if your software is being reverse engineered. Software is complex and reverse engineering is hard. People will "cheat" and search the web for clues about your software. The idea behind this research is that this "cheating" can be detected. The idea is to embed canaries into binaries and application data to help detecting "reverse engineering" at the time when somebody searches the web for your tokens. In the talk we will discuss different ideas around this general idea and how this can be implemented. Finally we show how this can be used to detect different level of adversaries.

Practical JTAG:from 0 to 1 - hyperchem, Tencent's XuanwulLab
JTAG is the most powerful technology in embedded device industry, and is widely used in embedded device development. However it can also be a Swiss Army Knife while doing hardware hacking. In this talk,we are going to introduce this technology not only theory but also pratice. We will demystify how JTAG works, then we will talk about how to setup a JTAG connection and some tricks, which could become a guidance for those who are trying to do some hardware debugging. At last, few demos will be showed.

Scalable Threat Hunting Strategies Built to Last - Dhia Mahjoub, Head of Security Research at Cisco Umbrella (OpenDNS), Thomas Mathew, Senior Security Researcher at Cisco Umbrella (OpenDNS), Scott Sitar, Technical Leader, Cisco Umbrella (OpenDNS)
We describe efficient threat hunting strategies at scale to help augment manual threat hunting techniques commonly used in the industry. The indicators we discuss are long term patterns that can be used to identify a host of malware campaigns. The audience will also learn about the backend infrastructure used to enable large scale quick detection of threats.

UPnP: Unlimited Proxies and Pwnage - Waylon Grange, Senior Threat Researcher, Symantec
Over the years Universal Plug and Play has seen its share of vulnerabilities. However, it took until last year before UPnP attacks really surged. From IoT botnets exploiting UPnP for gain shell access to APT actors building proxy networks, there are thousands of UPnP devices on the internet being abused and over a million more waiting to be abused. See how this one protocol is enabling all the above and what other nefarious deeds it can be used for.

Social Engineering at Scale - Sara-Jayne Terp, AppNexus and Professor of Data Science at Columbia University
In this talk, we explore the online misinformation crisis, how psychology is being used to spread misinformation, and how organizations are using data to combat the issue. We also explore how misinformation might reshape the use and economics of the internet.

Blackhat Ethereum - Ryan Stortz and Jay Little, Trail of Bits, Inc
In the blockchain, there are no secrets. Every transaction is logged and everyone has a copy of all of the code. Nearly all of this code can only be analyzed through reverse engineering. Over the past year, we've seen enterprising hackers use flaws in smart contracts to whisk away millions. This was made possible thanks to Ethereum, the technology that powers cryptocats, and Solidity, a high level language that describes Ethereum's Turing complete smart contracts. This talk will introduce smart contract security, present common vulnerability classes, and demonstrate how to reverse engineer EVM code to identify these vulnerabilities. The talk will also present tools to support vulnerability discovery in EVM code and Solidity