Alexander Popov has been a Linux kernel developer since 2013. He is a principal security researcher and head of Open Source Program Office at Positive Technologies. In his spare time, Alexander is a maintainer of open source projects connected with Linux kernel security. He is interested in kernel vulnerabilities, exploitation techniques, and defensive technologies.
Conteúdo:
Linux kernel security is a deep and complex topic. It contains many concepts, including vulnerability classes, exploitation techniques, bug detection mechanisms, and defense technologies, which have complicated relations with each other. Moreover, the Linux kernel provides hundreds of parameters that allow configuring operating system security at compile, boot, and run times.
In this talk, Alexander Popov will describe how to learn this complex area and knowingly configure the security hardening of your Linux-based system. He will show the open-source tools for that purpose, which he has been developing in his spare time since 2018. Alexander will present the ideas for future features and invite the audience to join the community around these free software projects.
Publicou diversas vulnerabilidades de segurança em softwares importantes, como FreeBSD, NetBSD, QNX RTOS, Sun Solaris, entre outros. Uma dessas vulnerabilidades foi usada como referência no livro "A Guide to Kernel Exploitation - Attacking the Core", publicado pela Syngress.
Wendel Guglielmetti Henrique possui mais de 25 anos de experiência na área de TI, sendo 20 dedicados à segurança ofensiva. Realizou inúmeros testes de penetração físicos, de engenharia social, redes, wireless, aplicações e ATMs em organizações ao redor do mundo, incluindo empresas da Fortune 500, governos e o setor financeiro.
Em 2002, desenvolveu uma ferramenta para detectar e remover o infame vírus BugBear, antes mesmo de a maioria das empresas de antivírus do mundo terem soluções.
Brian is an independent security researcher / Hacker with experience in
mobile, hardware / embedded, OT, railway, telco equipment and most
resulting cross sections. He very much enjoys hacking, breaking and
understanding new and old equipment and sharing his findings. Being
passionate for security he often goes a step further then necessary.
Conteúdo:
Large cranes lifting materials in building, small cranes lifting products from trucks or ginormous ones building wind parks, cranes are part of everyday life. At least they can be seen or watched in many situations. For quite a few years now, cranes have been equipped with industrial remote-control systems, allowing the operator to control it from an optimal viewpoint. Using RF in various frequency bands, the cranes might be just as much fun for hackers to control as the actually operators. But How?
We’ll have a look at a few exemplary crane remotes and see how they work and how secure and safe they are.
Keynote: False Injections: Tales of Physics, Misconceptions and Weird Machines
Biografia:
Cristofaro Mune is a Co-Founder and Security Researcher at Raelize. He has been in the security field for 20+ years and he has 15+ years of experience in the evaluation of SW and HW security of secure products.
His research on Fault Injection, TEEs, Secure Boot, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
Conteúdo:
In the brief history of computing, security threats have often been modeled without considering the underlying hardware, conveniently abstracting it away. Micro-architectural attacks reminded us that such convenience can make us oblivious to vulnerabilities rooted in hardware.
In a similar fashion, physics is usually abstracted away by the hardware and pretty much invisible at the computational level. Until things go wrong. Fault injection (FI) attacks are known since decades and have become accessible to a fairly wide audience. Yet, the common understanding is often partial at the best, when not outright incorrect. A "computing-centric" approach, more focused on the effects on software rather than on the faults introduced in the system, may have a played a role in building the current understanding.
In this talk, we will wear our physics hat and discuss the effect physics may have on a computing system and its security. We will be using data from FI testing for challenging some widespread beliefs. By reasoning with physics and data, we will visit rarely explored corners, such as an energy-based interpretation for voltage glitching, which may allow to uncover new, powerful attacks.
We will also discuss how FI has been incorrectly modeled for decades using the "instruction skipping" fault model. This simple fault model allows performing effective attacks, but, at the same time, it has likely hindered the understanding of "what really happens to instructions". To grasp the impact of such a choice, we will show how, by simply switching to an "instruction corruption" fault model, a paradigm shift occurs. Code execution becomes the primary FI goal. Timing constraints can be loosened. Common FI countermeasures are bypassed...and...weird machines arise purely from control of (any) transferred data.
This talk aims to bring more attention to the relationship between physics, computing and security, fostering a holistic discussion on such topics. For a faithful and courageous understanding of computing, it's likely time to face complexity and embrace its chaos, with an open, scientific and inquisitive mindset. Abstracting reality will not make it go away.
Gerardo Richarte is the CTO, CISO and co-founder of Satellogic. Long time ago, Gera co-founded Core Security Technologies and some years later Disarmista, companies dedicated to specialized security products and services. He’s also presented and taught courses at ReCon, BlackHat, CanSecWest, Ekoparty and other Security Conferences and wrote articles to help spread the knowledge on offensive security, exploit writing and reverse engineering.
He’s today at Satellogic, working to remap the surface of the Earth every day, coordinating the security and other technological aspects of the company to build planetary-scale insights for improving life on Earth (rather than preparing to fly away to another planet).
Conteúdo:
It is gera, do we really need an abstract? Ok, so maybe soon...
Ignacio Navarro, an Ethical Hacker and Security Researcher from Cordoba, Argentina. With around 6 years in the cybersecurity game, he's currently working as an Application Security. Their interests include code analysis, web application security, and cloud security.
Speaker at Hackers2Hackers, NorthSec, TyphoonCon, Security Fest, BSides, 8.8, Ekoparty, among others.
Conteúdo:
Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil, amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC among other things.
You Can't Detect Me if You Don't Know I Exist - Using OOB Techniques to Break the Rules
Biografia:
Kamel is a veteran car hacker with over 6 years of experience in the automotive cybersecurity industry. He is an organizer for the Car Hacking Village, Automotive Security Research Group, and BSides Tokyo. He has given presentations and technical trainings on many topics relevant to car hacking in the past both at hacker conferences and privately to different companies, militaries, and government organizations.
Conteúdo:
Endpoint security and corporate policy enforcement solutions are commonplace in most enterprise environments today, providing security and stability to the devices used by a business' employees. Sometimes these security measures and policies can be a bit of a pain in the ass, if I'm being real. Join me on this journey to break rules and make life easier by uncovering the secrets of the ancient Mesopotamian art of other computers. And gadgets.
Marion is a security engineer at a large cloud provider, and enjoys reverse engineering and all things binary analysis. With some background in malware analysis, incident response and microarchitecture security, her interests are quite varied. In 2015 Marion founded BlackHoodie, a series of hacker bootcamps which successfully attracts more women to the security industry.
Conteúdo:
Ever wondered how a sophisticated build chain attack can target a compiler to place backdoors and other miscreants? Wonder no more, this talk shows you how to build your own compiler pass, and modify any source code you build to your liking. We'll learn how source code makes its way through the different stages of a compiler into its final binary form, how compilers perform modifications and optimizations of the code, and how they translate their view of the code to a given architecture's binary representation. Attendees will see how some mitigations everybody knows and loves are actually implemented, and how to implement a Clang plugin themselves to sneak a backdoor into otherwise perfectly secure code.
T50: A short tour of its trajectory (15 years' warm-up)
Biografia:
Nelson Brito is the one and only cybersecurity thinker and philosopher, with hacking skills, and occasionally researcher and enthusiast, addicted to computer and network (in)security, being the creator of T50, the only Brazilian researcher to speak at the extinct PH-Neutral Conference (invite-only in Berlin) and H2HC’s top contributor speaker.
Conteúdo:
Are you ready to be part of H2HC history? The T50 is homecoming, and history will be made once again... Remember its trajectory, told by its creator - Nelson Brito. All the behind the scenes, gossip, fights and jealousy. This is a warm-up for what's to come next year, when the T50 completes 15 years of its launch.
Grey Matter and Zero-Days: Outwitting Cognitive Decline in VR, or How Make Brain Do VR Good
Biografia:
Nigel is a vulnerability researcher at L3 Harris Trenchant
Conteúdo:
You are older than you have ever been, and learning or performing cognitively intense tasks, such as Vulnerability Research (VR), come with new challenges as we age. However, age doesn't preclude success in this demanding field. In this presentation, I'll take a brief and lighthearted look at the current scientific understanding of cognitive aging, highlighting both the wrinkles and the wisdom that come with age. Age-related changes in cognition may impact our ability to perform vulnerability research, but these changes can be mitigated or even leveraged. Drawing from both personal experiences and research, I will share strategies that I have used to adapt my approach to VR, emphasizing the importance of working to one's strengths and minimizing weaknesses. This includes adopting new learning techniques, creating a support system, and focusing on areas where
experience and knowledge provide a competitive edge. By sharing my approach and the ‘why’ behind it this talk aims to inspire and equip professionals to thrive in the cognitively demanding field of Vulnerability Research.
What every hacker should know about TLB invalidation
Biografia:
Pawel Wieczorkiewicz is a Security Researcher at Open Source Security Inc., a company developing the state-of-the-art Linux kernel hardening solution known as grsecurity. His research focuses on offensive security aspects of transient and speculative execution vulnerabilities, side-channels, and the effectiveness of defensive mitigations in OSes and hypervisors. Pawel's deep interest in low-level security of software and hardware has resulted in the discovery of a number of vulnerabilities in AMD and Intel processors in addition to the Linux kernel and Xen hypervisor system software.
Conteúdo:
In this presentation we will take a peek into more obscure corners of Translation Lookaside Buffer (TLB) and discuss the very important problem of the TLB invalidation on x86 family of CPUs. Based on examples from real life, we will learn why proper maintaining of the TLB state is very important for operating system stability, performance, and yes, security too. We will also look into page structure caches and analyze some interesting scenarios, where the invalidation requirements become quite counter-intuitive (especially after reading documentation!).
If you are interested into what might go (and actually have gone!) wrong when assumptions meet harsh reality, come and see the talk.
Lessons from the Frontlines: A Journey in Linux Kernel Vulnerability Discovery
Biografia:
Pedro is a security researcher specializing in Linux kernel exploitation. He has competed in major CTF events, including the DEF CON CTF Finals 2022 with ELT and Crusaders of Rust. At Ottersec, he focuses on the low-level aspects of blockchain infrastructure and Linux kernel vulnerability research.
From 2022 to 2023, Pedro researched kernel security and binary exploitation at Northwestern University under the guidance of Professor Xinyu Xing.
In early 2024, Pedro exploited the kernelCTF VRP twice: first by patch-gapping a 1-day vulnerability to develop a universal exploit, and second by exploiting a highly restrictive 0-day, for which he received a reward.
Conteúdo:
Linux kernel vulnerabilities offer a vast landscape for discovery and exploitation. In this talk, I’ll guide you through my research journey, from monitoring kernel commits for 1-day vulnerabilities to customizing a Syzkaller fuzzer for 0-day discoveries. By analyzing key findings and strategies, I’ll showcase how patch gaps and neglected kernel areas can be turned into powerful exploitation opportunities. From developing universal exploits to automating the race for submissions in KernelCTF VRP, this talk reveals the insights and lessons learned on the frontlines of kernel security research.
Unleashing a 0day: Pivoting Capabilities and Conquering the Linux Kernel
Biografia:
Pedro is a security researcher specializing in Linux kernel exploitation. He has competed in major CTF events, including the DEF CON CTF Finals 2022 with ELT and Crusaders of Rust. At Ottersec, he focuses on the low-level aspects of blockchain infrastructure and Linux kernel vulnerability research.
From 2022 to 2023, Pedro researched kernel security and binary exploitation at Northwestern University under the guidance of Professor Xinyu Xing.
In early 2024, Pedro exploited the kernelCTF VRP twice: first by patch-gapping a 1-day vulnerability to develop a universal exploit, and second by exploiting a highly restrictive 0-day, for which he received a reward.
Conteúdo:
Some bugs may seem unlikely to be exploitable but hide a secret power waiting to be awakened. In this talk, I'll explore how seemingly restrictive memory corruption vulnerabilities in the Linux Kernel can be leveraged to support effective and repeatable exploitation strategies. By examining a 0-day vulnerability I discovered and exploited, I'll demonstrate the process of escalating limited capabilities into powerful exploitation techniques, ultimately leading to a successful capture in the KernelCTF VRP and ü§ë.
How to Fuzz Your Way to Android Universal Root: Attacking Android Binder
Biografia:
Eugene Rodionov, PhD, is a Security Researcher at Google on the Android Red Team. In his current position, Eugene focuses on finding and exploiting vulnerabilities in the low-level components of the Android platform and Pixel devices. Prior to that, Rodionov performed offensive security research on UEFI firmware for Client Platforms at Intel, and ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include reverse engineering, vulnerability analysis, firmware security and anti-rootkit technologies. Rodionov is a co-author of the "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" book and has spoken at security conferences such as Black Hat, DefCon, REcon, ZeroNights, and CARO.
Zi Fan Tan is a Security Researcher at Google on the Android Red Team. He is currently focused on vulnerability research and exploitation on Android platform, kernel and Pixel devices.
Gulshan Singh is a Security Researcher at Google on the Android Red Team. He is currently focused on vulnerability research and exploitation of the Android platform, kernel, and firmware. He is also an avid CTF player.
Conteúdo:
The Android Binder driver is a keystone of Android’s inter-process communication (IPC) mechanism. The Binder driver is an open-source Linux kernel module accessible by untrusted applications and consists of less than 10,000 lines of C code. Despite its relatively small size, Binder is complex and has had several security vulnerabilities reported and successfully exploited in the past - leading to privilege escalation in Android, including in-the-wild attacks. The complexity of Binder combined with its wide accessibility from unprivileged context makes it a high-risk component for Android platform.
This talk will feature two use-after-free vulnerabilities identified during internal red-teaming of the Binder driver: CVE-2023-20938 (fixed in February 2023) and CVE-2023-21255 (fixed in July 2023) which at the moment of discovery affected multiple versions of Android kernel. In this presentation the authors will focus on technical details of vulnerability discovery and its exploitation to achieve local privilege escalation on Android devices.
After a quick overview of Binder complex object lifetime management and reference counting, we will focus on a novel approach for deterministically detecting concurrency issues in the Linux kernel by fuzzing it in user-space using the Linux Kernel Library (LKL) combined with a custom scheduler implementation. This approach enables the fuzzer to deterministically reproduce concurrency-related bugs in a multi-threaded environment. We will demonstrate the application of this fuzzing approach to the Binder driver which led to identification of CVE-2023-20938 and CVE-2023-21255.
Then, the authors will cover how to exploit CVE-2023-20938 to achieve root privileges from an unprivileged Android application on a device running a fully up-to-date and patched version of Android at the time of the issue discovery. These steps will highlight the cross-cache attack technique used in the exploit and current state of Android kernel mitigations against the exploitation of memory corruption bugs. The authors will conclude the presentation by discussing remediation and future hardening efforts on Android Binder.
Note: This talk will be based on what we presented at OffensiveCon 2024 https://www.offensivecon.org/speakers/2024/eugene-rodionov,-zi-fan-tan-and-gulshan-singh.html with some additional content on Binder internals, Binder fuzzing and static analysis which we didn't managed to fit into the OffensiveCon's talk.
Bate-papo sobre H2HC, Hacking, Comunidade e Carreira (cont.)
Biografia:
Rodrigo Rubira Branco (BSDaemon) is a Vulnerability Researcher and Exploit writer. He held positions as Lead Security Researcher at L3 Harris Trenchant; led CPU and microarchitecture security research at Google; worked as a Senior Principal Engineer at Amazon Web Services (AWS) and before that, was the Chief Security Researcher of Intel Corporation founding/leading the STORM (STrategic Offensive Research & Mitigations) team. Rodrigo also held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Research at Check Point where he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. In 2011 he was honored as one of the top contributors of Adobe. Previous to that, he worked as Senior Vulnerability Researcher in COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT). He is a member of the RISE Security Group and is one of the organizers of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. Accepted speaker in many security and open-source related events such as Offensivecon, Black Hat, Hack in The Box, XCon, OLS, Defcon, Hackito, Zero Nights, Offzone, PhDays, Troopers, Andsec, Ekoparty and many others. Rodrigo is (and was) also part of the technical committee for many security conferences, such as Offensive Con, Langsec, Black Hat, Enigma and others.
Conteúdo:
Um bate-papo descontraido e totalmente informal sobre a historia da H2HC, sobre a visao pessoal do hacking e da comunidade bem como carreira na area de pesquisas em seguranca da informacao. A intencao eh ser interativa com a audiencia tendo a oportunidade de puxar topicos e fazer perguntas. Irei trazer alguns pontos pre-prontos para discussao apenas para garantir que o ritmo se mantera. Pra quem gosta de estrutura, sugiro ir para a outra palestra, na grade principal. A intencao aqui eh fornecer para as pessoas uma visao de uma longa carreira, de diversos projetos e experiencias, frustracoes e coisas que deram certo para, quem sabe, elas consigam tracar o proprio caminho ainda melhor.
Bate-papo sobre H2HC, Hacking, Comunidade e Carreira
Biografia:
Rodrigo Rubira Branco (BSDaemon) is a Vulnerability Researcher and Exploit writer. He held positions as Lead Security Researcher at L3 Harris Trenchant; led CPU and microarchitecture security research at Google; worked as a Senior Principal Engineer at Amazon Web Services (AWS) and before that, was the Chief Security Researcher of Intel Corporation founding/leading the STORM (STrategic Offensive Research & Mitigations) team. Rodrigo also held positions as Director of Vulnerability & Malware Research at Qualys and as Chief Security Research at Check Point where he founded the Vulnerability Discovery Team (VDT) and released dozens of vulnerabilities in many important software. In 2011 he was honored as one of the top contributors of Adobe. Previous to that, he worked as Senior Vulnerability Researcher in COSEINC, as Principal Security Researcher at Scanit and as Staff Software Engineer in the IBM Advanced Linux Response Team (ALRT). He is a member of the RISE Security Group and is one of the organizers of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. Accepted speaker in many security and open-source related events such as Offensivecon, Black Hat, Hack in The Box, XCon, OLS, Defcon, Hackito, Zero Nights, Offzone, PhDays, Troopers, Andsec, Ekoparty and many others. Rodrigo is (and was) also part of the technical committee for many security conferences, such as Offensive Con, Langsec, Black Hat, Enigma and others.
Conteúdo:
Um bate-papo descontraido e totalmente informal sobre a historia da H2HC, sobre a visao pessoal do hacking e da comunidade bem como carreira na area de pesquisas em seguranca da informacao. A intencao eh ser interativa com a audiencia tendo a oportunidade de puxar topicos e fazer perguntas. Irei trazer alguns pontos pre-prontos para discussao apenas para garantir que o ritmo se mantera. Pra quem gosta de estrutura, sugiro ir para a outra palestra, na grade principal. A intencao aqui eh fornecer para as pessoas uma visao de uma longa carreira, de diversos projetos e experiencias, frustracoes e coisas que deram certo para, quem sabe, elas consigam tracar o proprio caminho ainda melhor.
Abordaremos a governança da internet, com ênfase na delegação de números de AS e faixas de IP. Será mostrado que, com paciência e um investimento razoável, mesmo uma pessoa física pode criar e manter seu próprio AS, e falaremos dos motivos que podem levar a essa decisão.
Por fim, analisaremos o AS214569, um pequeno e econômico sistema autônomo com roteadores de borda no Brasil e no Reino Unido, discutindo seu funcionamento e compartilhando as experiências e aprendizados obtidos durante sua construção.
Testing CPU Vulnerabilities mitigations in the Linux Kernel
Biografia:
Alexandra Sandulescu
I am a security engineer at Google in the Information Security Engineering Team.
In the last 6 years my main focus has been understanding the impact of CPU vulnerabilities
in production systems and researching new vulnerabilities, exploit techniques and
applicability. Previously, I worked as a researcher on Systems Security at IBM Research.
Jakob Koschel
I work as a security engineer at Google in the Information Security Engineering Team. Previously, I did my PhD at VUSec in Amsterdam, focusing on System Security. Specifically, my research interest has been uncovering new classes of kernel vulnerabilities, such as a building a better and more general Spectre gadget scanner, research new side channel attacks, and building new sanitizers for detecting special memory corruptions while fuzzing.
Conteúdo:
Software mitigations for speculative execution vulnerabilities are complex and depend on sometimes, non-public microarchitecture implementation details. Moreover, vendors and Linux have three months to come up with the fix, test it and merge it. Usually the fixes cannot be tested with an actual exploit because the exploit works only on a specific kernel build.
At Google, we rewrite the exploits as Linux selftests and use them to test if the mitigations are effective. With our (still small) suite, we found a number of security issues in existing mitigations implementation.
Hacker math: fundamental research challenges hidden in plain sight
Biografia:
I am the Dartmouth College Distinguished Professor in Cyber Security, Technology, and Society and an Associate Professor of Computer Science. In 2018--2024 I served as a Program Manager at DARPA's Information Innovation Office (I2O), where I created multiple fundamental research programs in cybersecurity, resilience, and sustainment of critical software.
Conteúdo:
Once in a few years, a conference talk manages to capture the major outstanding problems that need to be solved to bring the art and the practice of a hacking discipline to a new level, for years to come. In 2006 at BlackHat and DEFCON Halvar Flake laid out ten problems that needed to be solved to make Reverse Engineeting better [1]. In 2013 at H2HC Julien Vanegue defined the algorithmic problems to make Automated Exploit Generation real for state-of-the-art systems [2]. In 2012-3 at H2HC [3,4] Brad Spengler and the PaX Team framed the hardest challenges of securing the Linux kernel beyond the early 2000s SELinux model. In 2015 at Infiltrate argp's talk [5] redefined the essence of heap exploitation beyond the classic Phrack 57:8 (Once upon a free) and 57:9 (Vudo malloc). In 2010, Meredith L. Patterson's and Len Sassaman's [6] and FX's talks [7] forever changed my world.
Each one of these talks took a problem that was thought to be technically narrow and pretty well-understood, and revealed much bigger first-class research challenges behind it, with unexpected algorithmic or mathematical depths.
These first-class research questions were hiding in plain sight. When they were surfaced, they changed the craft.
What other first-class questions might be hiding in plain sight? I will endeavor to bring a few personal guesses to your attention [*].
[1] "RE 2006: New Challenges Need Changing Tools", https://thomasdullien.github.io/about/#2006
[2] "The Automated Exploitation Grand Challenge", https://openwall.info/wiki/_media/people/jvanegue/files/aegc_vanegue.pdf
[3] "The Case for GrSecurity", https://grsecurity.net/the_case_for_grsecurity.pdf,
Modern Framework for Kernel Exploitation and Research
Biografia:
Eduardo Vela
Eduardo Vela has spent over a decade working on security at Google, particularly around finding and fixing vulnerabilities. He was involved early on in building Google’s bug bounty program and has worked alongside many teams to improve how the industry handles security flaws. Lately, he’s been focusing on Linux kernel and CPU exploits, trying to understand the deeper issues that affect system security. His work is part of a bigger effort to make technology safer for everyone, though there’s always more to learn and improve.
Jordy Zomer
Jordy Zomer is a security engineer at Google specializing in vulnerability research, kernel security, static analysis, and microarchitectural security. His work explores the intersections between software and hardware, tackling fun challenges in kernel and CPU vulnerabilities.
Conteúdo:
Ugh, kernel exploits are the worst, right? Like, who has time for all that 4D chess level stuff? We're here to change the game with some serious skb rizz. Instead of manually slogging through every vulnerability detail, we've built this lit toolkit that basically takes your high-level vulnerability primitive (like "overwrite some memory at offset X") and acts like your personal tour guide through the kernel, pointing out potential exploit targets and highlighting hidden paths to them and required capabilities. Our toolkit simplifies the process, freeing you from the buzz-kill of manual cache targeting and object identification.
Need to trigger a specific code path? No problem. We've got you covered with relevant syzkaller descriptions. This toolkit is high-key bussin'. We're talking about significantly less complexity, so you can focus on the creative part of exploitation, not getting bogged down in the tedious details. It's like, level up your kernel exploitation game without all the stress.
The Kernel Hacker's Guide to the Galaxy: Automated Exploit Engineering
Biografia:
Valentina Palmiotti aka chompie:
Reverse engineer, vulnerability researcher, exploit & post-exploitation developer, and expert weird machine mechanic. She is a professional poster and Pwnie Award winner.
Ruben Boonen aka FuzzySec:
With over a decade of experience in security consulting, research and development, and defence, Ruben is the Computer Network Exploitation Capability Development Lead on the Adversary Services team at IBM. His primary focus is on post-exploitation, vulnerability research, and all things Windows internals.
Conteúdo:
As systems evolve and modern mitigations advance, exploit development becomes more intricate and labor-intensive. Consequently, the cost of exploiting vulnerabilities has risen. Patch gaps can be leveraged to exploit machines that have not yet received necessary updates. The brief window of opportunity before mature clients apply patches puts pressure on the research period for developing N-Day exploits making it demanding and highly time sensitive. To address this, we have implemented many ancillary automation workflows to ease and expedite our exploit development efforts. We will show tradecraft that allows us to programmatically find suitable drop-in exploit objects for specific kernel pools, discover heap spray primitives, identify control flow call targets, perform race condition window analysis, and more, within closed source binaries. These various primitives can be filtered based on the requirements of the vulnerability exploited. Manual root cause analysis allows us to leverage semantic binary search to automatically identify potential vulnerability variants across all Windows kernel subsystems. We illustrate these concepts by showing practical examples using recent vulnerabilities.