applied security conferences and training: CanSecWest | PacSec | EUSecWest |

Speakers

The CanSecWest 2017 speakers list is not final and subject to change for various reasons such as VISA issuing.

Talks will be posted here as selections finalize.

Please see Agenda page for talk orders.

Speakers

1. Cyberwar and other modern myths - Dr. Michael A. VanPutte, Ph.D, CISSP, author of Walking Wounded: Inside the U.S. Cyberwar Machine
-


2. Secure boot: they're doing it wrong. - Scott Kelly, Netflix
- System security (PCs, mobiles, IoT devices, etc.) depends upon controlling the initial system configuration and boot process to ensure establishment of a secure execution environment. This process is commonly called "secure boot". This talk explains what secure boot is, and why it matters, and describes the basic hardware, software, and cryptographic building blocks you can/should use to implement secure boot. The talk also describes how not to do it, based on several real-world examples of exploitable errors in fielded devices. The talk should be interesting to both white and black hats.


3. Bypassing Different Defense Schemes via Crash Resistant Probing of Address Space - Stefan Esser
- For years now Apple has kept adding new security mitigations to iOS and iOS devices that put them often ahead of their competition. Naturally attackers had to adopt their techniques to break into these new versions of iOS with every new protection. Because of this these techniques have been usually kept private.

In this session the audience will be introduced to a set of iOS kernel exploitation techniques that have been used in private jailbreaks for a while now and only recently have been revealed to the public by a partial iOS 10.2 jailbreak that has been uploaded to GitHub. This session will give a complete walk through of the original techniques and explain how exactly they were intended to be used.


4. Inside Stegosploit - Saumil Shah
- Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.

This talk focusses more on the inner mechanisms of Stegosploit, implementation details, and how certain browser specific obstacles were overcome.

The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique.


5. Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow - Cuauhtemoc Chavez Corona, Intel
- Server systems are characterized among other things by unique features and technologies meant to increase their robustness to cope with mission critical applications while maintaining security. Since these machines are most of the time physically isolated behind the walls of big Datacenters and enterprises, many attacks are considered out-of-scope when ana- lyzing their security objectives (i.e.: physical attacks and attacks that require physical possession of a system). In this work, we demonstrate three cases on how to exploit weaknesses on a server- specific feature known as CPU Hot-Add to escalate privileges. We also demonstrate effective countermeasures to restrain the threats; such countermeasures are implemented today by system Firmware (e.g.: BIOS). We provide a detailed security analysis with a high-level introduction of RAS (Reliability, Availability and Serviceability) features and the CPU Hot-Add flow, which is the central topic of this research.


6. Microsoft's strategy and technology improvements for mitigating native remote code execution - Matt Miller + David Weston, Microsoft
- Microsoft's Windows 10 the Creators updates features a number of new and groundbreaking technologies for mitigating remote code execution. In this talk, we will cover Microsoft's "four strategic pillars" for preventing remote code execution: Code integrity, Stack protection, Control Flow Integrity, and arbitrary code generation prevention and how they work together to make exploit developers lives much harder. We will also include design and technical details on the numerous new innovative prevention features that Microsoft has introduced into Windows 10 and Microsoft Edge in the creator's edition to deliver on this strategy. Along the way, the speakers will provide insights into the challenges' of implementing disruptive mitigation technology into an operating system used by over a billion people. We will also illustrate how Microsoft leverages its own team of world class offensive exploit developers to aide in the development and design of mitigations. This talk is a must see for anyone interested in attacking or defending Windows 10.


7. Lots of Squats: APTs Never Miss Leg Day - Kyle Ehmke, ThreatConnect
- For many of the notable APT breaches over the last two years, domains that spoofed or typosquatted legitimate ones belonging to the target were an essential part of the adversaries' attacks. Notably, Chinese APT actors have leveraged such domains to breach healthcare and government organizations, ultimately compromising personal information for millions of individuals. A Russian APT has also used these types of domains recently to steal and ultimately leak documents from the Democratic political party. An organization can use knowledge of these practices to potentially discover targeted APT activity or proactively identify indicators that attackers may use against them. This presentation will expand on information identified in our research on the Anthem and DNC hacks, and show how an organization can leverage threat intelligence in conjunction with domain registration data to further bolster their defensive efforts. More specifically, ThreatConnect intelligence researchers will detail the process by which they identified potential Chinese APT activity against the pharmaceutical sector using registration information for spoofed and typosquatted domains.


8.


9. Cyber WMD: Vulnerable IoT - Yuhao Song, GeekPwn Lab & KEEN + Huiming Liu, GeekPwn Lab & Tencent Xuanwu Lab
- This topic will share knowledges extracted from more than 100 vulnerabilities in IoT devices, which were submitted to GeekPwn contest. It will introduce some unique problems of IoT, such as attack interfaces, diverse structures etc. It will also demo some exploits against IoT devices, and have the case studies in detail. In the end, some advices will be provided to the vendors to enhance their products' security.


10. Exploring Your System Deeper is Not Naughty - Oleksandr Bazhaniuk, Yuriy Bulygin, Mikhail Gorobets, Andrew Furtak, John Loucaides, Intel Security
- You wanted to explore deep corners of your system but didn't know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities, configured insecurely or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify security state of platform components of your system and how effective are the platform security defenses: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore hardware and firmware components your system has.

CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014 significant improvements have been made in the framework - from making it easy to install and use to adding lots of new security capabilities. We'll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images and more.


11. Low cost radio wave attacks on modern platforms - Mickey Shakatov + Maggie Jaurequi, Intel
- A very simple attack vector that remains relevant to the vast majority of electronic systems is electro-magnetic interference (EMI). Although EMI has recently been known to be used in security research for passively sniffing crypto keys across walls or performing side channel attacks, these attacks require expensive and delicate equipment. This research reviews EMI's potential as a wireless, low cost active attack vector. We've put together a collection of interesting behavior anomalies in platform components (sometimes even when systems aren't plugged into a power outlet) when exposed to EMI using cheap radio equipment. These attacks could have further reaching applicability scenarios we'd like to bring awareness to.


12. What if encrypted communications are not as secure as we think? - Enrico Branca, OWASP
- A long term study (48 months) has been conducted to analyze and test a large number of cryptographic keys, collected from open and public sources and across a variety of protocols (HTTPS, POP3S, IMAPS, SMTPS, SSH, PGP), in order to identify possible issues and generate metrics. The presentation will discuss data collection and aggregation, how cryptographic keys have been analyzed and tested to find security issues, how the evaluation led to the discovery of large numbers of insecure keys, and how the lack of test suites may make the process very difficult to automate.


13. Attacking DSMx Spread Spectrum Frequency Hopping RC Drone Protcol - Jonathan Andersson, Trend Micro
-


14. Touch-and-Go Elections - How convenience has taken over security, again. - Harri Hursti
-


15. Pwning Nexus of Every Pixel: Chain of Bugs demystified - Qidan He, KeenLab, Tencent
- The security of Android devices has been strengthened a lot since the release of Android Nougat, thanks to the great work by Android Security Team, making the life of attackers harder. However where there is a will, there is a way. After months of research we've successfully come up with a chain of exploitation to tackle this challenge. In October 26th Mobile Pwn2Own 2016 Tokyo, KeenLab scored Master of Mobile Pwn2Own by pwning Nexus and Pixel running newest Android using three bugs, allowing us to install arbitrary applications and take control of all juicy permissions such as SMS, Photo, Microphone and Contact. In this talk we will dive in details about the JIT compiler infrastructures and engines of V8 (e.g. crankshaft), which is rarely talked about before, and how OOBs occur under certain carefully prepared conditions and turned into full exploit. We will then explain how to use two logical bugs, one in Chrome IPC to break out the Chrome Android's sandbox in `unexptected` ways and finally get arbitrary application installation.


16. A platform base on visualization for protecting CAN bus security - Jianhao Liu + Minrui Yan, SkyGo Vehicle Cyber Security Team, Qihoo 360
- With the development of vehicle technology, vehicles become more electronic and intelligent on the basis of inner bus communication network, and draw more attention to the study of vehicle security. To facilitate this process, we developed a platform that evaluates the security of vehicle, which can be used for black-box tests by security researchers and automotive engineers. The software is capable of sniffing CAN bus packets, identifying ECUs, analyzing UDS, as well as launching fuzzing attacks, and brute-force attacks. By visualizing the changes from different packets, it can help us to identify the value range quickly. Users can also share their programmable examples within the platform. This talk will introduce the reverse engineering of CAN packets in details, and present the "CAN-Pick" tool by demonstrations of injecting CAN packets on a car. This tool can also be used as a man-in-the-middle, which can realize full control over the car without adding any actuators on the vehicle.


17. Automotive Intrusion Detection - Jun Li, Qihoo 360
- Car security research Introduction, I will talk about the status quo of car security research, the development of car security research,briefly introduce the famous car hacking incidents.
- Car Working Principles, this part I will introduce the basics required for understanding the contents that I will talk about later
- Status quo of car intrusion detection, this part I will talk about the researches done by other researchers so the audience can tell the differences between the Intrusion Detection methods proposed by other researchers and the word I have done, I will leave themselves to just which method is better.
- Detecting CAN Bus intrusion using Deep Learning, this part I talk about my research in detail.


18. State of Windows Application Security: Shared Libraries - Chuanda Ding, Xuanwu Lab, Tencent
- In recent years, applications codebase becomes increasingly complex, it is almost impossible for one developer or vendor to write an application from scratch without using third party libraries. Shared libraries such as OpenSSL are widely used in most popular applications produced by Adobe, Google, and thousands of smaller vendors.

For example, in 2402 software versions we found using OpenSSL, none of them has upgraded to the latest version of OpenSSL, which are 1.0.1u / 1.0.2j / 1.1.0c, while over a hundred of them are affected by Heartbleed vulnerability.

The Qt runtime, famous for its GUI framework and cross platform capabilities, is one of the most widely used shared library. Its 4.x branch occupied the majority of the version distribution. QtWebKit in Qt 4.x provides a WebKit engine with Javascript functionalities, however this project has been found to have too many security vulnerabilities and is abandoned in favor of QtWebEngine. We found that over 400 software versions are bundled with QtWebKit and could be vulnerable to attacks.


19. How to find the vulnerability to bypass the Control Flow Guard - Henry Li, Trend Micro
- As we know, Control Flow Guard (CFG) is one of the default exploit mitigation technique on Windows 10 platform which significantly increases the difficulty of exploit from attackers. In windows 10, even if you have the ability of arbitrary address read/write, you must still need to find methods to bypass CFG mitigation. However, until now there is no general CFG bypassing methods, so the vulnerability of bypassing CFG is more and more important for exploit. This talk will introduce how to hunt the vulnerability of Microsoft Edge Browser to bypass the Control Flow Guard step by step.


20. Logic Bug Hunting in Chrome on Android - Georgi Geshev + Robert Miller, MWR InfoSecurity
- Memory corruption exploits are requiring greater and greater investment in time and effort to bypass the latest mitigations in applications like Chrome and the underlying operating system. When combined with the competition of everyone in the world running a fuzzer, it becomes hard to find and keep unique bugs.

Instead we want to talk about logic flaws - bugs or simply "features" - that enable the attacker to achieve the same goals without fighting the latest and greatest exploit mitigations. We will show the methodology we use for reviewing products and identifying flaws as well as the process of exploiting them. This involves, among other things, developing better understanding and gaining deeper knowledge of a target and identifying security boundaries that usually give rise to assumptions about security checks performed on both sides.

In our example we will show how a logic bug in Chrome for Android allows an attacker to completely bypass Android Nougat security to access the user's files, emails and even install applications without the need for a single memory corruption bug.