Abstracts

While memory safety mitigations have drastically increased the difficulty of exploiting memory corruption bugs in Microsoft Edge, single bugs in the ChakraCore JavaScript engine are often still powerful enough to construct full exploits. As the core engine has matured over time, attackers and researchers turned to specific and complex aspects such as Just-in-Time compilation to find exploitable vulnerabilities.

After introducing some basic ChakraCore internals and the problems of compiling dynamically typed code, this session will dive into ChakraCore's JIT compiler and its compilation phases. Our focus will be on de-mystifying the inner workings of the global optimizer which performs multiple complex optimizations. We’ll examine what kind of bugs can be introduced during this process and how they can be leveraged to compromise the Edge renderer process. As an example, we’ll outline the root cause of CVE-2018-8266, and showcase how to turn it into an arbitrary memory read/write primitive for a full renderer compromise.

  • Back to Schedule >>

    ​Nintendo's Game Boy Advance is a superb embedded system for homebrew development. It has well documented specifications, is complex enough for some impressive software, and yet is adequately simple enough for people to understand virtually every aspect of it. The field of Game Boy emulation is well established and already has a large body of software written for it. I set to research the system with a specific goal in mind, arising from an actual need - connecting an existing, working, emulator, Visual Boy Advance, to a real-world Game Boy Advance.

    The Game Boy communicates over cable with up to three other systems using several proprietary communication protocols. One such protocol allows loading arbitrary code to the RAM of another Game Boy and booting from it. It has been widely used by the homebrew community for easy development and testing on a real device. Another protocol allows sharing of data for multiplayer gaming in real time. Little research has been focused on this protocol, and its implementation in emulation, which is essential for the emulator-Game Boy link.

    This talk discusses the research methods and tools used to reverse engineer the communication specifications, implement an embedded circuit to perform the necessary data transfer, and integrate it into the emulator, spanning all levels from hardware to software.

  • Back to Schedule >>

    Secure boot is essential for secure embedded devices to prevent malicious actors from obtaining persistent runtime control, whether implemented on Internet of Things (IoT) or Electronic Control Units (ECUs) found in modern cars. Numerous public attacks on secure boot have shown, some of which by ourselves, that secure boot can be bypassed using a wide range of attack methods. Whether these attacks leverage software vulnerabilities or hardware attacks like hardware fault injection, there is a clear need across industries to harden secure boot properly.

    In this talk we focus on hardening secure boot against software and hardware attacks. We leverage our decade long experience reviewing and attacking secure boot on embedded devices from different industries. We start by providing the audience with a description of the attack surface of secure boot. Then, we present our vision on secure boot design, which can be used as a starting point for a complete hardened secure boot solution. To be realistic, next to our security relevant requirements, we’ll take into account engineering costs, functional requirements and other non-security relevant requirements of secure boot. Attendees will take away a better understanding of what it takes to design secure boot securely, hopefully resulting in more secure products at reduced costs.

  • Back to Schedule >>

    As mitigations keep rolling in, the complexity of attacking iOS keeps growing. We will look at recent hardware mitigations that affect advanced attackers and analyze the economic impact across different kinds of attackers.

  • Back to Schedule >>

    AFL is a famous and successful feedback-driven fuzzer, originally developed for Linux targets. To increase code coverage, AFL uses execution feedback, with code instrumentation added on compilation. Sadly, this approach is not applicable for most Windows targets, due to the lack of source code. The common solution to this problem is dynamic instrumentation, which hurts performance (like WinAFL). Other solutions require private PDBs for binaries, or support for hardware features that increase cost and decrease scale.

    Our approach to this problem uses Static Binary Instrumentation (SBI), or “binary rewriting”. The combination of AFL and an SBI framework we developed for this use resulted in pe-afl: a new highly performant feedback-driven fuzzer. pe-afl does not require source code, private PDB, or specific hardware. It works on user space binaries, kernel drivers, and even the NTOS kernel. Moreover, the benefit from SBI is not only for highly efficient fuzzing, but also for bug detection and optimization.

    In this talk, we’ll explain our approach to build a high-performance fuzzer for Windows. We will cover the implementation and the problems we had along the way, demo the SBI framework and pe-afl, as well as talk about some of the vulnerabilities that were already found in CLFS, CNG, and other components.

  • Back to Schedule >>

    Given the rise of exposed IoT and home routers, UPnP is quite an interesting attack vector on those devices, enabling the often misconfigured service.

    Indeed in March 2018, Symantec found evidence of attacks from the «Inception Framework» hiding behind an increasingly complex network of proxies and cloud services since 2014. It is said that the protocol can be abused to «hop» through a victim to masquerade your true IP address: "It's not a bug, it's a feature".

    There are hundreds of thousands of vulnerable devices across 80 countries, most of them simply accept SOAP requests from the WAN as if they were from a “trusted” LAN. This exposure can lead to a messy situation. Indeed, the same bug has been used by multiple threat actors to exploit Windows computers behind NAT.

    In this session, we’ll dig in to, explore the potential ways to abuse UPnP, and explain how to create a "malware-less" botnet.

  • Back to Schedule >>

    Most malware performs code injection into other processes. Typical reasons behind it are process impersonation, or hooking and intercepting API calls within the attacked applications. The common defense method, used by anti-malware products, is monitoring and blocking APIs known to be used for injections. This is a constant cat-and-mouse game, since malware authors and offensive researchers try to diversify their methods to evade monitoring.

    PE-sieve is an anti-malware tool that approaches the problem of detecting implants from a different side, by searching suspicious artifacts in the process space, rather than detecting the event of injection. Thanks to this approach, it was able to detect a new method - Process Doppelgänging - immediately on the day of the release. PE-sieve is equally effective even if a malware was loaded in the memory in a fileless way, as it focuses on the payload, and not on the dropper that released it.

    However, the biggest strength of this tool is not just detection, but the ability to collect and classify the injected artifacts, supplying useful material for malware analysts. It precisely reports about the location and size of the added hooks or patches, and in case of implanted PE files it reconstructs and dumps the payloads. That’s why it is also used for automated malware unpacking. Since PE-sieve scans memory, it can help to collect the material even if we can't locate on the disk the sample that started the infection.

    PE-sieve is open-source, actively maintained by a malware analyst, so its precision and abilities are tested and improved on a daily basis. It has a flexible design, and became a part of other community toolkits, such as LOKI scanner, and tknk_scanner.

    The first part of this talk will be a walk-through of PE-sieve’s features, illustrated by real-life examples. The second part will be a dive in the technical details behind the functionality.

  • Back to Schedule >>

    This talk details the approach taken to target Postscript engines (Adobe Distiller & Ghostscript) for the discovery of zero-day vulnerabilities. What is Postscript? How do the engines differentiate in parsing Postscript? Why haven’t these engines been targeted as heavily as other scripting engines? Details regarding the design of a custom fuzzer and auditing methodology will be demonstrated and shared including *some* details of already discovered zero-day vulnerabilities.

  • Back to Schedule >>

    In this talk, we will explain and demo state-of-the-art hardware-assisted memory visualization and analysis. This method highlights a different perspective on the internals of a running system and was used to find the “Total Meltdown” vulnerability.

    We’ll showcase the Memory Process File System, which is a different way of visualizing in-memory Windows internals as files in a file system. It brings an easy, yet powerful, point and click interface for memory analysis of processes and in-memory objects, along with an extensive C and Python API. Combined with PCILeech PCIe DMA hardware memory acquisition devices, it even allows simplified read-write access for the entire memory in real-time.

    In addition to explaining the framework and setup, we’ll demo and show many different uses for this approach: from finding Total Meltdown, to cheating in games, and analyzing malware on physical hardware.

  • Back to Schedule >>

    Where did your computer come from? How many hands could have touched your machine before you powered it on for the first time? They say it takes a village to raise a child; it takes several countries to build a cutting-edge computer. Last October, a report released by Bloomberg Business Week dramatized the security risks incurred by our increasingly global supply chains. Although many details of the report have failed to hold up under scrutiny, the basic scenario is realistic.

    In this talk, we will calibrate expectations about how difficult (or easy) it may be for actors ranging from rogue individuals to Nation-States to infiltrate various points of our global supply chain.

  • Back to Schedule >>

    On March 2018 CTS Labs published an advisory informing the public about the existence of 13 exploitable vulnerabilities in AMD processors. However, the technical details of these flaws has never been published.

    Since the last of AMDFlaws is now patched, our team is ready to reveal the technical details of our 8 months of research into the security of AMD’s latest Ryzen and Epyc processors.

    We have uncovered a total of 13 exploitable vulnerabilities, some inside AMD’s Platform Security Processor, and some inside the Ryzen chipset.

    We will cover the following topics:

    1. The approach we took to reverse engineer the undocumented Platform Security Processor, which runs on an isolated ARM processor located on the CPU die. We’ll explain how we built our own debugging infrastructure for the PSP (which is supposed to be impossible outside of AMD).
    2. How we bypassed digital signature verification to achieve code execution on the Platform Security Processor.
    3. How we leveraged backdoors in the chipset firmware to achieve code execution on the chipset’s internal 8051 processor.
    4. How we exploited flaws in the Platform Security Processor in real-time to inject code into SMM and VTL-1, which then allowed us to bypass Microsoft Credential Guard.
    5. Live demo!

  • Back to Schedule >>

    Looking at the discussions and development of sophisticated attack techniques, it is immediately obvious there is significant gap between the theory and in-the-wild observations. One can easily come up with a list of techniques which have been demonstrated in the past, however, they are not very popular findings across APT researchers. It is especially hard to believe that sophisticated adversaries with huge budgets haven’t been able to implement techniques presented at major conferences 4-5 years ago, right? So, what is missing nowadays from all big APT research announcements?

    Here are a few likely culprits:

    • Virtualization / hypervisor malware - although the infamous Blue Pill was discussed as far back as 2006, we haven’t seen any ItW attacks leveraging this
    • SMM malware - although Dmytro Oleksiuk aka Cr4sh developed an SMM backdoor as far back as 2015, this is something yet to be seen in real world attacks
    • UEFI malware - the hacking of HackingTeam revealed that a UEFI persistence module has been available since at least 2014, but we have still to observe real world UEFI malware (with the exception weaponized Absolute Computrace implants)
    • Malware for the Intel ME

    In this talk we will look at the places which have been neglected in terms of APT research with a focus on UEFI. For the past year, Kaspersky’s Global Research and Analysis Team (GReAT) extracted and processed thousands of UEFI dumps, applying anomaly analysis and code similarity techniques in order to find the “things that lurk in the shadows”.

  • Back to Schedule >>

    As the practice of threat intelligence has matured, machine readable feeds from home-grown OSINT systems or third-party vendors are common. These usually contain IOCs or IOAs with little contextual information. On the other hand, we have rich data describing adversary operations and TTPs contained in blogs and whitepapers that remain unstructured, and require human processing. Here we are bridging that gap by using Natural Language Processing for extracting STIX-like entities from unstructured text.

    This presentation will cover the use of "Custom Entity Extraction" techniques from Natural Language Processing to extract this information from text. Named Entity Extraction/Recognition is a sub-task of information extraction that aims to classify phrases into pre-defined categories (e.g. Threat Actor, Malware Family, attack technique etc.). This is usually a preprocessing step for other more complex tasks like identifying aliases, relationship extraction between actors and TTPs etc.

    This talk will describe our solution for building an entity extraction system from unstructured text specific to the security domain using open source tools; architecture, sources of ground truth, algorithms that worked (and those that didn't) and what problems you can solve using this pipeline.

  • Back to Schedule >>

    The software vulnerability landscape has changed dramatically over the past 20+ years. During this period, we’ve gone from easy-to-exploit stack buffer overruns to complex-and-expensive chains of multiple exploits. To better understand this evolution, this presentation will describe the vulnerability mitigation strategy Microsoft has been pursuing and will show how this strategy has influenced vulnerability and exploitation trends over time. This retrospective will form the basis for discussing some of the vulnerability mitigation challenges that exist today and the strategic shifts that Microsoft is exploring to address those challenges.

  • Back to Schedule >>

    With Microsoft continuously improving kernel mitigations and raising the exploitation bar for native kernel components, third-party kernel drivers are becoming a more appealing target for real attackers and security researchers. A vulnerability in a signed third-party driver can have a dramatic impact as it can be abused by attackers to escalate their privileges, without the complexity of a kernel zero-day.

    Computer manufacturers usually ship devices with software and tools to facilitate device management. This software often contains components running with ring-0 privileges in kernel. With these components installed by default, they must be as secure as the kernel, otherwise they can become the Achilles Heel for the whole kernel security design.

    In this session, we’ll explain exactly how we discovered such a driver. From an anomalous behavior alerted by a kernel sensor of Windows Defender ATP, we dug deeper into a specific device management driver, where we found a highly obscure design. This led us to the discovery of a zero-day vulnerability, which resulted in a local privilege escalation that affected millions of devices.

  • Back to Schedule >>

    For years, you’ve tried to fight mimikatz, first to understand it, and maybe fight it again.

    This little kiwi fruit shaped program has given you a hard time, extracted your password, stolen your credentials, played with your nerves and certificates ...

    But our friends in New Zealand know it best: there are many different kiwis... and perhaps the fruit is the most lucrative, but it's not the most sadistic.

    The kiwi animal may not fly, and it remains complex to build it from source, its effects are not less devastating...I will introduce "kekeo", the little animal brother of mimikatz.

    If you enjoyed playing with Kerberos, ASN1, security providers..., then you'll love adopting this furry, sweet animal. From its birth with MS14-068 to cleartext passwords without local administrator rights, you'll know everything about this animal.

    This talk will embed CredSSP and TSSP with cleartext credential, explore a little bit about PKINITMustiness and the RSA-on-the-fly for Kerberos with PKI!

  • Back to Schedule >>