applied security conferences and training: CanSecWest | PacSec | EUSecWest |


The CanSecWest 2016 speakers list is not final and subject to change for various reasons such as VISA issuing.

Talks will be posted here as selections finalize.

Please see Agenda page for talk orders.


1. Sandbox Escape with Generous Help from Security Software - Chuanda Ding, Tencent Xuanwu Lab
- Sandbox has become an important part of modern security technology. Microsoft Windows 8.1 and Windows 10 integrated a number of new mitigations and security boundaries that significantly enhanced application level sandboxes, and therefore reduced the damage of various code execution vulnerabilities. However, third-party software is also an integral part of Windows ecosystem. Third-party software that has a large user base directly affects the end-user operating system security.

In our recent studies, we have found that the software developer of third-party vendors failed to understand the basic design principles of sandboxing mechanisms. For their software to work on newer operating systems, they often adopted methods that compromises the sandbox security. Many third-party software actively disables default security mechanisms, usually because the newly added security mechanisms are blocking their "known-good" code from functioning, and their developer does not understand the security implications of doing so. These behaviors did not seem to be a problem in the past. But in recent years, many application starts to implement user mode sandboxing, such as Internet Explorer, Microsoft Edge, Microsoft Office, and Google Chrome.

In this talk, we will discuss different types of third-party software we analyzed that introduced security holes in the sandbox, including software developed by multiple security software companies and other software tool vendors.

2. Don't Trust Your Eye: Apple Graphics Is Compromised! - Liang Chen + Marco Grassi + Qidan He, Keen Labs Tencent
- Apple graphics driver is reachable by most of the sandboxes, including Chrome and Safari sandbox. It is one of the major attack surfaces to get root control of Apple system remotely along with browser exploits on both OS X and iOS.

General IOKit fuzzers revealed a lot of vulnerabilities in the past. However after several rounds of security improvement on graphics driver by Apple, vulnerabilities are much less than before. Smart ways of fuzzing and efficient code auditing can reveal a lot of exploitable bugs in Apple graphics driver and of course that will require deeper understanding on how Apple graphics works.

In this talk we will introduce Apple graphics internals including its architecture and several interfaces(IOAccelDevice, IOAccelSurface, GLContext, etc.) . Then we discuss about strategies on fuzzing and code auditing to efficiently find bugs in Apple graphics, concluding several causes of potential bugs. We also show several vulnerabilities of different types discovered by KeenTeam and discuss their exploitability.

3. Bypassing Different Defense Schemes via Crash Resistant Probing of Address Space - Robert Gawlik, Ruhr University Bochum
- Normally it's game over for the exploitation of memory corruption vulnerabilities if critical access violations are thrown, as the program crashes. In this talk we show the case of CVE-2015-6161 which allows Internet Explorer to survive access violations. Actually, it's even a valuable asset to exploit development as memory can be scanned in a crash-resistant manner. This can be used to bypass ASLR without having leaked any information beforehand. Additionally, crash-resistance can serve as a base to dispatch exported functions in a crash-tolerant fashion to bypass DEP and Control Flow Guard. On the way to code execution, a little bypass of EMET 5.2 will also be shown.

4. APT Reports and OPSEC Evolution: These are not the APT reports you are looking for - Gadi Evron, Cymmetria
- With the advancement of defensive security and the constant release of research papers into their toolsets, advanced threat actors have has to adapt with new operational security practices, as well as with new technology. Examples of this are the length of time it takes for a threat actor to take its operation offline once a public report of its tools is getting released, or the technology the threat actor may be using to cope when its expensive code base that has taken years of development suddenly becomes public property. Two quick examples are the geographical distribution of attacks, which are often (mis)used in attribution, and the use of cryptography for reuse of now public code bases.

5. Having fun with secure messengers and Android Wear - Artem Chaykin, Positive Technologies
- In my talk I'll show that almost every Android messenging app that uses Android Wear (RemoteInput class) is vulnarable for message intercepting and 3rd party apps using such vulnerabilities can not only intercept messages, but also spam the contact list with arbitrary messages. I already found such bugs in Telegram, Signal (TextSecure), Skype. Also I will talk about Android IPC security in general and show another bugs, that could be exploited by 3rd party apps. I'll present my Xposed module for dynamic analyzing of Android apps, which can look for possibly vulnerable apps and fix some unsecure calls in runtime.

6. Automatic Binary Constraint Solving: Automatic Exploit Generation - Sophia D'Antoine, Trail of Bits
- Practical uses of program analysis will be presented and explained. Including Instrumentation, Symbolic and Concolic Execution, both in theory, in practice, and tools for each type. Specifically, this talk will show how to automatically generate an exploit against a complex, stand-alone application. We show how to traverse program control flow to collect path constraints and solve for a desired execution. This process can then be applied to targeting generalized behavior in a program or finding known vulnerability characteristics. A demonstration will conclude the talk by solving an obfuscated 'crackme' challenge using the various methods described in the talk. Two tools will be published alongside a white paper and the power point.

7. Getting Physical: Extreme abuse of Intel based Paging Systems - Nicolas Economou + Enrique Elias Nissim, Core Security Technologies
- Exploiting a kernel vulnerability is not as straightforward as it was in former times. While there used to be a gap between the protection measures implemented in kerneland in comparison with userland, modern OS kernels now include several security mitigations with the goal of preventing the execution of untrusted privileged code.

Write-what-where conditions might allow an attacker to elevate privileges by writing a controlled value into some special region of kernel memory. Tipically, one should somehow leak a kernel address (the where) and then patch that location (with the what) by triggering the vulnerability. Most of previous work on the topic however, do not address all the contemporary protections provided by operating systems. Mitigations such as DEP, KASLR, Null dereference prevention, SMEP and in the case of Windows, integrity levels, KMCS and KPP, limit the successful exploitation of a kernel vulnerability.

In this presentation we discuss several scenarios and approaches that could be taken in order to execute custom ring0 code by altering the behavior of the paging mechanism of the operating system. The present techniques allow to circumvent all the mitigations mentioned above without the end of memory leaks and they even go further by letting an unprivileged user to dump all the kernel-accessible physical memory.
In our demos we are going to show our technique over the lastest Windows/Linux versions.

8. Smart Wars: Attacking Smart Locks with a Smart Phone - Song Li, 0XiD LLC
- In this presentation we demonstrate the possibility to attack a SmartLock using a Smart Phone App. We will also discuss the possiblesolutions to those attacks. Smart locks are one of the many categories in IoT that requires highlevel of security. By presenting the existing smart locks are easy to beattacked, we call for awareness of IoT security and show IoT security isaffecting the physical world we are living in.

9. Execute My Packet (Exodus of Shells from a Firewall) - Alex Wheeler + Jordan Gruskonvjak, Exodus Intelligence
- This talk will go over the entire process of auditing through to exploitation of a leading firewall. Topics will include target selection, retrieving the code from the target, prioritizing audit areas, the specific vulnerability found, debugging on non-standard operating systems, the related exploitation of a heap overflow from a remote anonymous perspective, and finally considerations for exploit maintenance. Along the way, both activities that worked well, and activities that failed will be discussed. This talk will be interesting to product engineers as well as vulnerability researchers.

10. Virtualization device emulator testing technology - Qinghao Tang, Qihoo 360 Marvel Team
- As a key foundation of cloud computing, virtualization technology plays a more and more significant role while cloud platform is widely and rapidly developing. However, in recent years, virtualization systems continue bursting high-risk vulnerabilities, which could bring great challenges to cloud security. This speech will introduce the experience of 360 virtualized security research team, the framework of fuzzing on virtualization systems and the process of 0day vulnerability discovery comprehensively. By using this fuzz framework we have found 8 0day vulnerabilities in qemu software and 2 0day vulnerabilities in vmware workstation during 4 months . All these vulnerabilities would help hackers escape from virtual machine , and execute arbitrary code.
This topic will focus on more comprehensive and deeper vulnerability mining experience sharing. And it will be the 1st time Marvel Team will show the details of POC on virtualization platform. Part of CVES: CVE-2015-5225/CVE-2015-6855/CVE-2015-5279/CVE-2015-6815.

11. KVM-Qemu Escape Technology - Xu Liu, Qihoo 360 Marvel Team
- As a key foundation of cloud computing, virtualization technology plays a more and more significant role while cloud platform is widely and rapidly developing.The combination of KVM and qemu has been widely used by mainstream cloud vendors, however the virtual machine escape vulnerability will bring huge security risk to this software portfolio. In this presentation, Marvel Team will demonstrate the escape techniques by using vulnerability in KVM&qemu environment and analyze the principles, with which we can achieve the effect of executing arbitrary codes on host machine by executing exploit code on the guest machine.

12. Docker Escape Technology - Shengping Wang, Qihoo 360 Marvel Team
- Docker is a popular platform that can package an application in a virtual container that can run on any Linux server . If attackers can directly execute any command out of the container by escaping from virtual machine, the consequences would be devastating. This topic will reveal Docker's security issues which we can use to escape from the Docker container.

13. Pwn a Nexus device with a single vulnerability - Guang Gong, Qihoo 360
- As the exist of sandbox and isolation, most people these days have to exploit several vulnerabilities to get privileged access and load software without interaction. In this presentation, I'll introduce how to pwn a Nexus device with a single vulnerability. I'll first talk about how to get RCE permission by a V8 vulnerability and then introduce "breaking" chrome's sandbox without vulnerability.

14. High Performance Zero Knowledge Binary Hooking and Tracing with ROP Hooks - with A-Trace (Eh-Trace) - Shane "K2" Macaulay, IOActive
- Hooking, tracing and code coverage analysis methods on Microsoft Windows seem to be entirely awesome and complex like API Monitor (awesome) and Deviare2 (awesome/complex). They generally require 3 primitive components to be useful; some sort of logging infrastructure, symbol/argument recovery and hook/trampoline generation (i.e. something to that facilitates installing code "detours" in-line).

Many UNIX like environments have many alternatives dtrace, SystemTap and various syscall or lcall tracing tools which can be similar to the sorts of data recovered when a focused event provider<->subscriber model is established when tuning wevtutil.exe or other default mechanisms.

What I hope to demonstrate is a zero knowledge (does not require symbols or awareness of the count of arguments) hooking and tracing (provides configurable and substantial trace telemetry (register context), sufficient for coverage analysis) platform which executes very fast (not debugging) and requires no binary modifications (RoP hooking) to the application being analyzed.

15. Exploits, 0days, and Bug Bounties - Nicolas Joly, Microsoft
- Dive into the bounty hunter daily's challenges and see how exciting his life can be between travels, contests, exploits, bug collisions and... bounty programs! That talk will discuss various bugs used at the 2015 pwn2own edition and will show how freshly added mitigations impacted the development of exploits. Given the vulnerability trends and based on collisions I had at that moment with other researchers I'll try to show how risky the bug selection is, and why you need a serious amount of luck when you play that contest.

16. Hardsploit project : All-In-One Tool for Hardware Security Audit - Julien MOINARD, Opale Security
- I2C, JTAG, SPI, PARALLEL, UART - Today's electronic devices, connected or not to the internet, integrate one or several chip that use these communication buses. Each of them have specific properties and technical differences, we need to know what data go through in order to perform efficient hardware audits. This paper will give an overview of today's problematic for industrials and IT professionals to secure and audit products at the hardware level. For them, we provide Hardsploit, a dual software / hardware solution, a bridge between human and electronic components.

17. Bypassing application whitelisting in critical infrastructures - Rene Freingruber, SEC Consult Unternehmensberatung GmbH
- Application whitelisting is a concept which can be used to further harden critical systems such as server systems in SCADA environments or client systems with high security requirements like administrative workstations. It works by whitelisting all installed software on a system and after that prevent the execution of not whitelisted software. This should prevent the execution of malware and therefore protect against advanced persistent threat (APT) attacks. In this talk we discuss the general security of such a concept and what holes are still open for attackers. After that we focus on different products which can be used for application whitelisting to see the bypasses in practice. This will include different techniques to bypass the application whitelisting to achieve code execution, bypass read- and write-protections as well as a discussion on user account control (UAC) bypasses on such protected systems. Moreover the security of the memory corruption protections provided by such applications will be discussed because application whitelisting can easily be bypassed by exploiting a memory corruption vulnerability in whitelisted applications. At the end some product related design flaws and vulnerabilities will be presented.

18. BadWinmail and Email Security - Haifei Li + Chong Xu, Intel Security
- Microsoft Outlook, a part of the Microsoft Office suit, has become one of the most popular applications in today's computing world, especially for the enterprise environment. Enterprise employees use Outlook to exchange emails everyday as well as manage various information such as schedules, meeting invitations, etc.
In this presentation, we'll talk about the #BadWinmail* and the broader email security on Outlook.

19. Attack and defense toolkits in High/Low frequency - Haoqi Shan + Qing Yang, Qihoo 360 Unicorn Team
- RFID and contactless smart cards have become pervasive technologies nowadays. IC/RFID cards are generally used in security systems such as airport and military bases that require access control. This presentation introduces the details of contactless card security risk firstly, then the principles of low frequency(125KHz) attack tool, HackID Pro, will be explained. This tool contains an Android App and a hardware which can be controlled by your phone. HackID Pro can emulate/clone any low frequency IC card to help you break into security system, just type on your phone. After 125KHz, this presentation will show you how to steal personal infomation from EMV bank card, whose carrier frequency is high frequency, 13.56MHz, just sitting around you. In the end, our defense tool, Card Defender, will be dissected to explain how this product can protect your card and infomations in both high/low frequency way. And a little bit tricks that this defence tool can make. Last but not least, we'd like to make these products open source and show people how to make your own attack & defense toolkits on this conference.

20. WAVE YOUR FALSE FLAGS! - Deception Tactics Muddying Attribution in Targeted Attacks - Brian Bartholomew + Juan Andres Guerrero-Saade, Global Research and Analysis Team (GReAT), Kaspersky Lab
- In the last year, there has been much debate over the accuracy and usefulness of attribution with regards to APT actors. Investigators have had an increasingly difficult time finding reliable and agreed upon metrics for attributing attacks. To compound this issue, some APT groups have fragmented, leaving them with limited infrastructure to conduct targeted attacks. At the same time, other APT groups have been following publicly-available research on the topic and using this information to introduce false flags into their TTPs. This discussion will show real world examples of false flag operations using previously unpublished research and observations, as well as discuss the relevancy of attribution in the commercial and government sec tors.