applied security conferences and training: CanSecWest | PacSec | EUSecWest |


The CanSecWest 2019 agenda is not final and subject to change.

Talks will be posted here as selections finalize.


PAC-MAn and Ghosts: A practice and breakthrough on Pointer Authentication in iOS - Xiaolong Bai and Min (Spark) Zheng, Alibaba Inc.
Pointer Authentication is the newest security defense in iOS, which is a hardware feature protecting pointers with cryptographic signatures. In this talk, I will explain how Pointer Authentication protects iOS system with a hands-on practice. Then, most importantly, I will show an astonishing finding in Pointer Authentication's implementation on iOS: there is a fatal flaw in the key management on iOS. Such a flaw would allow an attacker to break through Pointer Authentication protection and compromise privileged system components. This will be the first public talk about practice on Pointer Authentication, and the first to show its weaknesses.

Misinformation frameworks, tatics, techniques and processes - Sara-Jayne Terp, Bodacea Light Industries
In this talk, we map misinformation attack and defense TTPs into existing infosec frameworks, and discuss how to use that mapping to plan misinformation defenses and counters, assess tools and mechanisms, and handle the types of large-scale adaptive threats that mlsec makes possible

A Dive into Windows Hello: Is it Really More Secure than a Password? - Ejin Kim and Hyoung-Kee Choi from HIT Lab-Sungkyunkwan University
We will examine to see if the PIN-based login in Windows Hello is more secure than the traditional password-based login. Vulnerable Windows Hello may result in a hijack of all combined services in Microsoft such as Office365, Microsoft Store, Dropbox and so on. Specifically, we will focus on extracting Windows Hello credentials stored on the victim's device and migrating victim's credentials to the attacker's device for impersonation. In the demonstration we will reveal a detailed procedure of the PIN-based login in Windows Hello including 1) files formats and memory locations related to the login and 2) secret keys' location and conversions to be used in encryption and decryption 3) a network protocol between a device and Microsoft servers for authenticating credentials.

Danger of using fullly homomorphic encryption, a look at Microsoft SEAL - Zhiniang Peng and Minrui Yan
Recently, Microsoft open source the Microsoft Simple Encryption Math Library version 3.1 (Microsoft SEAL). SEAL aims to provide a library of high performance, easy to use homomorphic encryption library. It has been used in several projects including the Intel Neural Network Compiler nGraph. Many companies are currently using SEAL to construct data security applications based on fully homomorphic encryption. It seems that the full homomorphic encryption is very close to practical. In this presentation, we will analyze the security risks of using SEAL and present several practical attacks on applications based on SEAL, we will also present countermeasures for those problems. Our research shows that fully homomorphic encryption still takes a while to be widely used and it's extremely dangerous to use it without a crypto expert

Device Driver Debauchery and MSR Madness - Ryan Warns and Tim Harrison, FLARE
This talk is a case study of a systemic security issue when developing a subset of device drivers based on a previously unexplored exploitation vector: unrestricted or improperly validated access to the privileged Model Specific Register (MSR) instructions. The talk will begin with a review of how to audit device drivers for potential vulnerabilities and how to reliably exploit them if an issue is found, including a discussion of Supervisor Mode Execution Protection (SMEP) and other mitigation bypasses. We will then discuss the specific mechanics of how attacker-controlled MSR access can be exploited and how developers and security vendors can prevent these attacks.

From SSRF to RCE - Yongtao Wang and Yang Zhang(izy), Pegasus Team and XDSEC
SSRF(Server-Side Request Forgery) is not a new technology. Over the past decades, many security researchers have proposed various attack methods. In our in-depth research, we explored SSRF from another angle and discovered a new attack surface that most developers and security researchers neglect, which will cause considerable security hazards. Combining the exploitation tricks in our research, we will delve into the far-reaching effects of similar security issues. The new attack surface brings a new exploit technique that can directly lead to the impact of RCE (Remote Command Execution) via once exploiting. According to it, we found there are many high-risk security flaws in JDK. In addition, these vulnerabilities have already been admitted by the official website of Oracle as a critical patch update. In this talk, we will introduce these 0day principles, the discovery process and describe them in real-world attack scenarios which have never been noticed. After that, we will release an exploit tool for these vulnerabilities.

Memsad: why clearing memory is hard. - Ilya van Sprundel, IOActive
This presentation will start off with a simple problem, how do you clear memory that holds sensitive content? It explores numerous possible solutions, and present real live facts and figures. Bugs in common applications will be shown.

Attacking .NET Framework through CLR - Xing Shikang (presenter) and Yu Hong(redrain), 360-CERT Analysis Team
The Common Language Runtime CLR, the virtual machine component of Microsoft's .NET Framework, manages the execution of .NET programs, which runs the code and provides services that make the development process easier. Microsoft also integrated CLR for its products, E.g SQL Server, Office etc. We have studied CLR since last month. And we found these features could lead to several attack surface. In this talk, we first introduce managed execution environment and managed code under .NET Framework and discuss the security weaknesses of this code execution method . After that, we show a exploit for SQL Server through CLR and we would like to make our automate tools about this exploitation. Next then, we would like to introduce a backdoor with administrator privilege based on CLR hijacking arbitrary .NET Application. In addition, we extend our CLR security study to Microsoft Office used VSTO. The result shows that we could convert a document's level customizations into a program's level customizations and execute arbitrary code quietly.

Hacking Microcontroller Firmware through USB - Boris Larin
Modern microcontrollers (MCUs) come with built-in security features aimed at preventing the retrieval of firmware by third parties and eliminating the risk of reverse engineering. Manufacturers rely on the security of MCUs to protect secrets and intellectual property. Often, the prevention of firmware reverse engineering is used as a form of "security by obscurity": if an attacker can't analyze the code it will be harder to them to find and exploit vulnerabilities. However, firmware sometimes needs to be extracted from microcontroller in order to perform a security analysis. If you consider the vast number of different MCUs out there and the fact that they all come with various security mechanisms, it can be impractical to extract firmware through a hardware attack. In this case, if the target communicates over a USB interface, this can be the best point through which to perform a firmware extraction attack. In this presentation, I will demonstrate all stages of a real attack on a consumer product with an ARM Cortex-M0 processor, and will share my tools and all the nuances I’ve encountered. Besides that, I will reveal how obtaining the firmware of a counterfeit product revealed that it was developed by a big manufacturer of game accessories and how it led to the compromise of security for all products developed that manufacturer.

Mornigari: Overview of the Latest Windows OS kernel exploits - Boris Larin and Anton Ivanov
Momigari (red leaf hunting) is the Japanese tradition of searching for the most beautiful leaves in autumn. In the space of just one month in the autumn of 2018, we found a number of zero-day exploits in the wild for the Microsoft Windows operating system. Two of them were for the newest and fully updated Windows 10 RS4, which until then had no known memory corruption exploits. We also uncovered exploits for vulnerabilities that had been unintentionally fixed with security updates, but which had been unpatched zero-days for a long time leading up to that. These findings shows that exploit writers continue to find new ways to reliably exploit unstable vulnerabilities and bypass modern mitigation techniques for the most secure operating system. The most interesting thing is that many of these exploits are related. This suggests that the masterminds behind them are not afraid of wasting a number of zero-days at a time because their armory is full. In this presentation, we will look at multiple local privilege escalation exploits actively used in the wild and tied into a single framework that was not previously known. This advanced framework shows signs of maturity: the highest standards of code development and a deep technical knowledge of Windows OS inner workings, observed from the shellcodes that are used in the exploits.

Tales from the Bug Mine: Highlights from the 2018 Android Security Bulletin - Lilian Young, Google
Every month, Google releases the Android Security Bulletin, the latest collection of public vulnerabilities found in Android, along with their patches that must be accepted if a device can be considered up-to-date. Join is for this fast, light-hearted retrospective, in which we'll examine some of the most subtle, complicated, or interesting bugs from the last year of the Bulletin. Many of these bugs were submitted through the Android Vulnerability Rewards Program, with cash rewards going to the researchers that discovered them.

Vs. - Patroklos Argyroudis, CENSUS S.A.
The iOS sandbox kernel extension implements one of the fundamental security technologies deployed on Apple's devices (iPhones, iPads, etc.) for limiting local privilege escalation and post-exploitation. The sandbox utilizes Apple-specified policies to restrict what operations both system-provided services and user-installed applications can perform. The sandbox kernel extension is closed-source both on iOS and macOS; furthermore the iOS sandbox policies are not available in plain text, but compiled and packed in the binary of the extension itself. In this talk I will initially present how the iOS sandbox kernel extension specifies and enforces policies, along with implementation details that will be useful for the next step. I will then explain in detail the process of reverse engineering the extension in order to unpack and decompile all the sandbox policies embedded in it. All the presented details apply to and have been tested on the latest iOS version (12.1.3 beta 2 at the time of this writing).

ZigWasp - Discovery the secret of ZigBee Firmware and accelerate the analysis - JieFu
This talk will describe the tool's ZigWasp, how to start from the firmware layer and deeply analyze possible problems of ZigBee protocol. ZigBee uses 128-bit keys to implement its security mechanisms. A key can be associated either to a network, being usable by both ZigBee layers and the MAC sublayer, or to a link, acquired through pre-installation, agreement or transport. With ZigWasp you can do most of the work in analyzing ZigBee firmware, especially the keys, the basic functions. Within this tool, you can do your ZigBee attack work easily, even you do not have the ability of reversing. We will also describe all of ZigWasp's features.

Weaponized WiFi Attack Tool - Jun Xie and Jiaheng Wang
We recently found some security risks in a public wireless network protected by WPA/2-Personal standard. The attack can be performed when the network has a weak PSK or the PSK is publicly known, e.g. the public Wi-Fi in a small cafe or hotel. On this condition, attackers can easily get the WPA-PSK and perform this attack. Our research will disclose some specific Wi-Fi attack method, Wi-Fi attack in a God View, we launch attack from MAC level, we can make all of DNS hijack, tcp hijack, IP hijack etc. And how to build low cost attack tool, ability of hidden attack, not easy to forensic, and how we can achieved the massive attack stability use our hardware attack tool.

Adversarial Examples: Using AI to Cheat AI - Mengyun Tang and Xiangqi Huang, Tencent Security Platform Department
Recent deep neural networks have been proven to be very effective in multiple important practical problems, e.g. object detection, speech recognition, language translation and automatic drive etc. However, most existing deep learning algorithms are highly vulnerable to adversarial examples. An adversarial example is an input data which has been modified very slightly that intended to cause a machine learning classifier to misclassify it. But in many cases, the modification cannot be noticed by human eyes. This exposes a potential security problem of artificial intelligence (AI) applications which used these deep learning algorithms. Once the vulnerability is adopted by hackers, it is possible to bring real-life security issues. This talk will give an explanation about the generation of adversarial examples and share some recent research progress which has been published on ECCV 2018. Besides, it will present experiment results of several tasks, including image recognition, object detection, porn identification and so on. Some real-world attack cases on online systems and how to defense adversarial examples will be discussed as well.

Pandora, Cassandra, and Aristotle: An Ancient Greek Perspective on Hardware Trojans - Joeseph FitzPatrick
Over time, our hardware has become smaller, faster, cheaper - and also incredibly more complicated. Just like with software, this complexity brings with it both an increased attack surfaces and a more difficult detection problem. Unfortunately right now - when it comes to hardware implants in the form of trojanized boards, components, and silicon - the discourse is focused on sensationalism. We've got devices few people have heard of doing things few people realize is possible, perhaps happening on a scale fewer people understand. When it comes to hardware details, it's all Greek to laypeople, and even to most software security experts. I'll present on how we can approach modern, rational discourse and investigation into hardware implants by building on a few factors that have been understood since the classical age. Pandora had the curiosity to open the box, even when authority dictated otherwise. Cassandra had the foresight to see what was within the realm of possibility, even while others dismissed her claims as fantasy, paranoia, or madness. Luckily, Aristotle's empiricism is the root of a rational process I will describe which can let us test a Pandora's discoveries and a Cassandra's claims for both potentiality and actuality. Hopefully you'll walk away with a better understanding of the state of hardware security, but more importantly, a few more concepts and a process that will both guide your analysis of hardware and help you gauge the validity of public claims about hardware trojans.

Attack Infrastructure for the Modern Red-Team - Topher Timzen and Michael Leibowitz, Oracle Cloud Infrastructure
While active hacking is the sexy part of red teaming, everybody knows that there is a lot of unsexy prep work prior to an engagement. A robust attack infrastructure is a complicated, yet critical, part of that prep work. . As Red Teams continue to grow in maturity, a successful engagement relies on infrastructure that is suitable for covert activities such as attack modeling and adversarial emulation while also being suitable for overt games. High quality attacks require high quality infrastructure. A single opsec failure could set an operation back days or even weeks, and in some cases might result in having to scrap the op entirely (or worse). Needing a repeatable, modular, auditable, secure and automatic infrastructure for Red Team engagements, the authors have created an easy to use deployment system with recipes so you, too, can have robustness without being tied down by deployment readiness! This presentation will provide all the tooling and automation to make these deployments simple and repeatable. Your Red Team will now be able to deploy infrastructure per engagement, providing you with opsec safety to keep your engagement rolling before the blue team hunts you down. Learn it, love it, live it.

IR-dventures from the vendors basements, Circa early 2000s - Luiz Eduardo, Aruba Threat Labs
This presentation will cover four real Incident Response stories from a hardware vendor's perspective in the early-mid 2000s. These are not stories for the modern life where all organizations are prepared with solid security programs and ready to respond to anything *smirk*. These are adventures for when organizations were (way) less prepared to respond to security related incidents and developers would ask "why would someone ever do this?" once they found out people were either messing with packets or reversing firmware images.

Karta - a source code assisted binary matching plugin for IDA - Eyal Itkin, Checkpoint Research
"Karta" (Russian for "Map") is a source code assisted binary matching plugin for IDA. The plugin is used to identify open source libraries in a compiled binary, and match their symbols. Our tool automatically matches the symbols for various open-source projects such as: OpenSSL, zlib, libpng, and much more... But it gets even more interesting when you're looking for vulnerabilities. Let's assume you found a 0-day in an open-source project, or even a 1-day you want to use for debugging. Many programs embed open-source projects in their code base and rarely pull the most updated version. Karta helps you look for the vulnerable version of the used open source project inside a closed source software, regardless of its size. Thus, pointing you to the desired vulnerability quickly and with no special effort.