

The CanSecWest 2019 agenda is not final and subject to change.

Talks will be posted here as selections finalize.


Pointer Authentication in iOS - Xiaolong Bai and Min (Spark) Zheng, Alibaba Inc.
Pointer Authentication is the newest security defense in iOS: a hardware feature that protects pointers with cryptographic signatures. In this talk, I will explain how Pointer Authentication protects the iOS system, with a hands-on practice. Then, most importantly, I will show an astonishing finding in Pointer Authentication's implementation on iOS: there is a fatal flaw in the key management on iOS. Such a flaw would allow an attacker to break through Pointer Authentication protection and compromise privileged system components. This will be the first public talk about practice on Pointer Authentication, and the first to show its weaknesses.

Misinformation frameworks, tactics, techniques and processes - Sara-Jayne Terp, Bodacea Light Industries
In this talk, we map misinformation attack and defense TTPs onto existing infosec frameworks, and discuss how to use that mapping to plan misinformation defenses and counters, assess tools and mechanisms, and handle the types of large-scale adaptive threats that mlsec makes possible.

A Dive into Windows Hello: Is it Really More Secure than a Password? - Ejin Kim and Hyoung-Kee Choi from HIT Lab-Sungkyunkwan University
We will examine whether the PIN-based login in Windows Hello is more secure than the traditional password-based login. A vulnerable Windows Hello may result in a hijack of all combined Microsoft services such as Office 365, Microsoft Store, Dropbox and so on. Specifically, we will focus on extracting Windows Hello credentials stored on the victim’s device and migrating the victim’s credentials to the attacker’s device for impersonation. In the demonstration we will reveal a detailed procedure of the PIN-based login in Windows Hello, including 1) file formats and memory locations related to the login, 2) the secret keys’ locations and the conversions used in encryption and decryption, and 3) the network protocol between a device and Microsoft servers for authenticating credentials.

Danger of using fully homomorphic encryption, a look at Microsoft SEAL - Zhiniang Peng and Minrui Yan
Recently, Microsoft open-sourced the Microsoft Simple Encryption Math Library version 3.1 (Microsoft SEAL). SEAL aims to provide a high-performance, easy-to-use homomorphic encryption library. It has been used in several projects including the Intel Neural Network Compiler nGraph. Many companies are currently using SEAL to construct data security applications based on fully homomorphic encryption. It seems that fully homomorphic encryption is very close to practical. In this presentation, we will analyze the security risks of using SEAL and present several practical attacks on applications based on SEAL. We will also present countermeasures for those problems. Our research shows that fully homomorphic encryption still needs a while before it can be widely used, and that it is extremely dangerous to use it without a crypto expert.

Device Driver Debauchery and MSR Madness - Ryan Warns and Tim Harrison, FLARE
This talk is a case study of a systemic security issue when developing a subset of device drivers based on a previously unexplored exploitation vector: unrestricted or improperly validated access to the privileged Model Specific Register (MSR) instructions. The talk will begin with a review of how to audit device drivers for potential vulnerabilities and how to reliably exploit them if an issue is found, including a discussion of Supervisor Mode Execution Protection (SMEP) and other mitigation bypasses. We will then discuss the specific mechanics of how attacker-controlled MSR access can be exploited and how developers and security vendors can prevent these attacks.

From SSRF to RCE - Yongtao Wang and Yang Zhang (izy), Pegasus Team and XDSEC
SSRF (Server-Side Request Forgery) is not a new technique. Over the past decades, many security researchers have proposed various attack methods. In our in-depth research, we explored SSRF from another angle and discovered a new attack surface that most developers and security researchers neglect, which will cause considerable security hazards. Combining the exploitation tricks from our research, we will delve into the far-reaching effects of similar security issues. The new attack surface brings a new exploit technique that can directly lead to RCE (Remote Command Execution) with a single exploitation. Based on it, we found many high-risk security flaws in the JDK. In addition, these vulnerabilities have already been acknowledged by Oracle's official website in a Critical Patch Update. In this talk, we will introduce the principles behind these 0days and the discovery process, and describe them in real-world attack scenarios which have never been noticed. After that, we will release an exploit tool for these vulnerabilities.

Memsad: why clearing memory is hard. - Ilja van Sprundel, IOActive
NULL POINTER REFERENCE! (talk synopsis will be coming)

Attacking .NET Framework through CLR - Yu Hong(redrain), 360-CERT Analysis Team
The Common Language Runtime (CLR), the virtual machine component of Microsoft’s .NET Framework, manages the execution of .NET programs: it runs the code and provides services that make the development process easier. Microsoft has also integrated the CLR into its products, e.g. SQL Server, Office, etc. We have been studying the CLR since last month, and we found that these features could lead to several attack surfaces. In this talk, we first introduce the managed execution environment and managed code under the .NET Framework and discuss the security weaknesses of this code execution method. After that, we show an exploit for SQL Server through the CLR, and we would like to present our automated tools for this exploitation. Next, we would like to introduce a backdoor with administrator privileges based on CLR hijacking of arbitrary .NET applications. In addition, we extend our CLR security study to Microsoft Office, which uses VSTO. The result shows that we could convert document-level customizations into program-level customizations and execute arbitrary code quietly.

Hacking Microcontroller Firmware through USB - Boris Larin
Modern microcontrollers (MCUs) come with built-in security features aimed at preventing the retrieval of firmware by third parties and eliminating the risk of reverse engineering. Manufacturers rely on the security of MCUs to protect secrets and intellectual property. Often, the prevention of firmware reverse engineering is used as a form of ‘security by obscurity’: if an attacker can’t analyze the code, it will be harder for them to find and exploit vulnerabilities. However, firmware sometimes needs to be extracted from a microcontroller in order to perform a security analysis. If you consider the vast number of different MCUs out there and the fact that they all come with various security mechanisms, it can be impractical to extract firmware through a hardware attack. In this case, if the target communicates over a USB interface, this can be the best point through which to perform a firmware extraction attack. In this presentation, I will demonstrate all stages of a real attack on a consumer product with an ARM Cortex-M0 processor, and will share my tools and all the nuances I’ve encountered. Besides that, I will reveal how obtaining the firmware of a counterfeit product revealed that it was developed by a big manufacturer of game accessories, and how it led to the compromise of security for all products developed by that manufacturer.

Momigari: Overview of the Latest Windows OS kernel exploits - Boris Larin and Anton Ivanov
Momigari (red leaf hunting) is the Japanese tradition of searching for the most beautiful leaves in autumn. In the space of just one month in the autumn of 2018, we found a number of zero-day exploits in the wild for the Microsoft Windows operating system. Two of them were for the newest and fully updated Windows 10 RS4, which until then had no known memory corruption exploits. We also uncovered exploits for vulnerabilities that had been unintentionally fixed with security updates, but which had been unpatched zero-days for a long time leading up to that. These findings show that exploit writers continue to find new ways to reliably exploit unstable vulnerabilities and bypass modern mitigation techniques for the most secure operating system. The most interesting thing is that many of these exploits are related. This suggests that the masterminds behind them are not afraid of wasting a number of zero-days at a time because their armory is full. In this presentation, we will look at multiple local privilege escalation exploits actively used in the wild and tied into a single framework that was not previously known. This advanced framework shows signs of maturity: the highest standards of code development and a deep technical knowledge of Windows OS inner workings, observed from the shellcodes that are used in the exploits.

Tales from the Bug Mine: Highlights from the 2018 Android Security Bulletin - Lilian Young, Google
Every month, Google releases the Android Security Bulletin, the latest collection of public vulnerabilities found in Android, along with the patches that must be accepted before a device can be considered up to date. Join us for this fast, light-hearted retrospective, in which we'll examine some of the most subtle, complicated, or interesting bugs from the last year of the Bulletin. Many of these bugs were submitted through the Android Vulnerability Rewards Program, with cash rewards going to the researchers who discovered them.