SPEAKERS

  • Peeeeoow Klonk! - Having fun with Crane Remotes
  Bio:
  •   Brian is an independent security researcher / Hacker with experience in mobile, hardware / embedded, OT, railway, telco equipment and most resulting cross sections. He very much enjoys hacking, breaking and understanding new and old equipment and sharing his findings. Being passionate about security, he often goes a step further than necessary.
  Content:
  •   Large cranes lifting materials in buildings, small cranes lifting products from trucks or ginormous ones building wind parks: cranes are part of everyday life. At least they can be seen or watched in many situations. For quite a few years now, cranes have been equipped with industrial remote-control systems, allowing the operator to control them from an optimal viewpoint. Using RF in various frequency bands, the cranes might be just as much fun for hackers to control as for the actual operators. But how?
  •   We’ll have a look at a few exemplary crane remotes and see how they work and how secure and safe they are.

  • Keynote: False Injections: Tales of Physics, Misconceptions and Weird Machines
  Bio:
  •   Cristofaro Mune is a Co-Founder and Security Researcher at Raelize. He has been in the security field for 20+ years and has 15+ years of experience in the evaluation of SW and HW security of secure products.
  •   His research on Fault Injection, TEEs, Secure Boot, White-Box cryptography, IoT exploitation and Mobile Security has been presented at renowned international conferences and in academic papers.
  Content:
  •   In the brief history of computing, security threats have often been modeled without considering the underlying hardware, conveniently abstracting it away. Micro-architectural attacks reminded us that such convenience can make us oblivious to vulnerabilities rooted in hardware.
  •   In a similar fashion, physics is usually abstracted away by the hardware and is pretty much invisible at the computational level. Until things go wrong. Fault injection (FI) attacks have been known for decades and have become accessible to a fairly wide audience. Yet the common understanding is often partial at best, when not outright incorrect. A "computing-centric" approach, more focused on the effects on software than on the faults introduced in the system, may have played a role in building the current understanding.
  •   In this talk, we will wear our physics hat and discuss the effect physics may have on a computing system and its security. We will be using data from FI testing to challenge some widespread beliefs. By reasoning with physics and data, we will visit rarely explored corners, such as an energy-based interpretation of voltage glitching, which may allow us to uncover new, powerful attacks.
  •   We will also discuss how FI has been incorrectly modeled for decades using the "instruction skipping" fault model. This simple fault model allows performing effective attacks but, at the same time, it has likely hindered the understanding of "what really happens to instructions". To grasp the impact of such a choice, we will show how, by simply switching to an "instruction corruption" fault model, a paradigm shift occurs. Code execution becomes the primary FI goal. Timing constraints can be loosened. Common FI countermeasures are bypassed...and...weird machines arise purely from control of (any) transferred data.
  •   This talk aims to bring more attention to the relationship between physics, computing and security, fostering a holistic discussion on such topics. For a faithful and courageous understanding of computing, it's likely time to face complexity and embrace its chaos, with an open, scientific and inquisitive mindset. Abstracting reality will not make it go away.

  • Security Assessments of Internet Protocols
  Bio:
  •   Fernando Gont is an independent security researcher who participated in the writing, updating and creation of almost all IPv6-related security RFCs.
  Content:
  •   In this presentation, we will share lessons learned over many years of conducting security assessments of Internet protocols. We will shed light on key aspects to consider when conducting these assessments and offer practical guidelines to tackle common challenges. Along the way, we’ll highlight examples where lessons learned have led to protocol evolution, as well as cases where repeated mistakes continue to impact today’s Internet protocols.

  • Keynote: 30+ years of exploiting things
  Bio:
  •   Gerardo Richarte is the CTO, CISO and co-founder of Satellogic. A long time ago, Gera co-founded Core Security Technologies and some years later Disarmista, companies dedicated to specialized security products and services. He’s also presented and taught courses at ReCon, BlackHat, CanSecWest, Ekoparty and other security conferences and wrote articles to help spread the knowledge on offensive security, exploit writing and reverse engineering.
  •   He’s today at Satellogic, working to remap the surface of the Earth every day, coordinating the security and other technological aspects of the company to build planetary-scale insights for improving life on Earth (rather than preparing to fly away to another planet).
  Content:
  •   It is gera, do we really need an abstract? Ok, so maybe soon...

  • Insert coin: Hacking arcades for fun
  Bio:
  •   Ignacio Navarro is an Ethical Hacker and Security Researcher from Cordoba, Argentina. With around 6 years in the cybersecurity game, he's currently working in Application Security. His interests include code analysis, web application security, and cloud security.
  •   Speaker at Hackers2Hackers, NorthSec, TyphoonCon, Security Fest, BSides, 8.8, Ekoparty, among others.
  Content:
  •   Since we were children we wanted to go to the arcade and play for hours and hours for free. How about we do it now? In this talk I’m gonna show you some vulnerabilities that I discovered in the cashless system of one of the biggest companies in the world, with over 2,300 installations across 70 countries, from arcades in Brazil and amusement parks in the United Arab Emirates to a famous roller coaster in Las Vegas. We will talk about API security, access control and NFC, among other things.

  • Exploiting Alternate Spectre Vulnerabilities with Alternate Predictions
  Bio:
  •   Johannes Wikner
  Content:
  •   Under embargo. The committee reviewed the paper/work.

  • You Can't Detect Me if You Don't Know I Exist - Using OOB Techniques to Break the Rules
  Bio:
  •   Kamel is a veteran car hacker with over 6 years of experience in the automotive cybersecurity industry. He is an organizer for the Car Hacking Village, Automotive Security Research Group, and BSides Tokyo. He has given presentations and technical trainings on many topics relevant to car hacking in the past, both at hacker conferences and privately to different companies, militaries, and government organizations.
  Content:
  •   Endpoint security and corporate policy enforcement solutions are commonplace in most enterprise environments today, providing security and stability to the devices used by a business' employees. Sometimes these security measures and policies can be a bit of a pain in the ass, if I'm being real. Join me on this journey to break rules and make life easier by uncovering the secrets of the ancient Mesopotamian art of other computers. And gadgets.

  • BYOB - Bring Your Own Backdoor
  Bio:
  •   Marion is a security engineer at a large cloud provider, and enjoys reverse engineering and all things binary analysis. With some background in malware analysis, incident response and microarchitecture security, her interests are quite varied. In 2015 Marion founded BlackHoodie, a series of hacker bootcamps which successfully attracts more women to the security industry.
  Content:
  •   Ever wondered how a sophisticated build chain attack can target a compiler to place backdoors and other miscreants? Wonder no more: this talk shows you how to build your own compiler pass and modify any source code you build to your liking. We'll learn how source code makes its way through the different stages of a compiler into its final binary form, how compilers perform modifications and optimizations of the code, and how they translate their view of the code to a given architecture's binary representation. Attendees will see how some mitigations everybody knows and loves are actually implemented, and how to implement a Clang plugin themselves to sneak a backdoor into otherwise perfectly secure code.

  • Grey Matter and Zero-Days: Outwitting Cognitive Decline in VR, or How Make Brain Do VR Good
  Bio:
  •   Nigel is a vulnerability researcher at L3 Harris Trenchant
  Content:
  •   You are older than you have ever been, and learning or performing cognitively intense tasks, such as Vulnerability Research (VR), comes with new challenges as we age. However, age doesn't preclude success in this demanding field. In this presentation, I'll take a brief and lighthearted look at the current scientific understanding of cognitive aging, highlighting both the wrinkles and the wisdom that come with age. Age-related changes in cognition may impact our ability to perform vulnerability research, but these changes can be mitigated or even leveraged. Drawing from both personal experiences and research, I will share strategies that I have used to adapt my approach to VR, emphasizing the importance of working to one's strengths and minimizing weaknesses. This includes adopting new learning techniques, creating a support system, and focusing on areas where experience and knowledge provide a competitive edge. By sharing my approach and the ‘why’ behind it, this talk aims to inspire and equip professionals to thrive in the cognitively demanding field of Vulnerability Research.

  • What every hacker should know about TLB invalidation
  Bio:
  •   Pawel Wieczorkiewicz is a Security Researcher at Open Source Security Inc., a company developing the state-of-the-art Linux kernel hardening solution known as grsecurity. His research focuses on offensive security aspects of transient and speculative execution vulnerabilities, side-channels, and the effectiveness of defensive mitigations in OSes and hypervisors. Pawel's deep interest in low-level security of software and hardware has resulted in the discovery of a number of vulnerabilities in AMD and Intel processors in addition to the Linux kernel and Xen hypervisor system software.
  Content:
  •   In this presentation we will take a peek into the more obscure corners of the Translation Lookaside Buffer (TLB) and discuss the very important problem of TLB invalidation on the x86 family of CPUs. Based on examples from real life, we will learn why properly maintaining the TLB state is very important for operating system stability, performance, and yes, security too. We will also look into page structure caches and analyze some interesting scenarios where the invalidation requirements become quite counter-intuitive (especially after reading the documentation!).
  •   If you are interested in what might go (and actually has gone!) wrong when assumptions meet harsh reality, come and see the talk.

  • How to Fuzz Your Way to Android Universal Root: Attacking Android Binder
  Bio:
  •   Eugene Rodionov, PhD, is a Security Researcher at Google on the Android Red Team. In his current position, Eugene focuses on finding and exploiting vulnerabilities in the low-level components of the Android platform and Pixel devices. Prior to that, Rodionov performed offensive security research on UEFI firmware for Client Platforms at Intel, and ran internal research projects and performed in-depth analysis of complex threats at ESET. His fields of interest include reverse engineering, vulnerability analysis, firmware security and anti-rootkit technologies. Rodionov is a co-author of the "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats" book and has spoken at security conferences such as Black Hat, DefCon, REcon, ZeroNights, and CARO.
  •   Zi Fan Tan is a Security Researcher at Google on the Android Red Team. He is currently focused on vulnerability research and exploitation on the Android platform, kernel and Pixel devices.
  •   Gulshan Singh is a Security Researcher at Google on the Android Red Team. He is currently focused on vulnerability research and exploitation of the Android platform, kernel, and firmware. He is also an avid CTF player.
  Content:
  •   The Android Binder driver is a keystone of Android’s inter-process communication (IPC) mechanism. The Binder driver is an open-source Linux kernel module accessible by untrusted applications and consists of less than 10,000 lines of C code. Despite its relatively small size, Binder is complex and has had several security vulnerabilities reported and successfully exploited in the past, leading to privilege escalation in Android, including in-the-wild attacks. The complexity of Binder combined with its wide accessibility from unprivileged context makes it a high-risk component for the Android platform.
  •   This talk will feature two use-after-free vulnerabilities identified during internal red-teaming of the Binder driver: CVE-2023-20938 (fixed in February 2023) and CVE-2023-21255 (fixed in July 2023), which at the moment of discovery affected multiple versions of the Android kernel. In this presentation the authors will focus on the technical details of vulnerability discovery and its exploitation to achieve local privilege escalation on Android devices.
  •   After a quick overview of Binder's complex object lifetime management and reference counting, we will focus on a novel approach for deterministically detecting concurrency issues in the Linux kernel by fuzzing it in user-space using the Linux Kernel Library (LKL) combined with a custom scheduler implementation. This approach enables the fuzzer to deterministically reproduce concurrency-related bugs in a multi-threaded environment. We will demonstrate the application of this fuzzing approach to the Binder driver, which led to the identification of CVE-2023-20938 and CVE-2023-21255.
  •   Then, the authors will cover how to exploit CVE-2023-20938 to achieve root privileges from an unprivileged Android application on a device running a fully up-to-date and patched version of Android at the time of the issue's discovery. These steps will highlight the cross-cache attack technique used in the exploit and the current state of Android kernel mitigations against the exploitation of memory corruption bugs. The authors will conclude the presentation by discussing remediation and future hardening efforts on Android Binder.
  •   Note: This talk will be based on what we presented at OffensiveCon 2024 (https://www.offensivecon.org/speakers/2024/eugene-rodionov,-zi-fan-tan-and-gulshan-singh.html) with some additional content on Binder internals, Binder fuzzing and static analysis which we didn't manage to fit into the OffensiveCon talk.

  • Testing CPU Vulnerability Mitigations in the Linux Kernel
  Bio:
  •   Alexandra Sandulescu
  •   I am a security engineer at Google in the Information Security Engineering Team. In the last 6 years my main focus has been understanding the impact of CPU vulnerabilities in production systems and researching new vulnerabilities, exploit techniques and applicability. Previously, I worked as a researcher on Systems Security at IBM Research.
  •   Jakob Koschel
  •   I work as a security engineer at Google in the Information Security Engineering Team. Previously, I did my PhD at VUSec in Amsterdam, focusing on System Security. Specifically, my research interest has been uncovering new classes of kernel vulnerabilities, such as building a better and more general Spectre gadget scanner, researching new side channel attacks, and building new sanitizers for detecting special memory corruptions while fuzzing.
  Content:
  •   Software mitigations for speculative execution vulnerabilities are complex and sometimes depend on non-public microarchitecture implementation details. Moreover, vendors and Linux have three months to come up with the fix, test it and merge it. Usually the fixes cannot be tested with an actual exploit because the exploit works only on a specific kernel build.
  •   At Google, we rewrite the exploits as Linux selftests and use them to test whether the mitigations are effective. With our (still small) suite, we found a number of security issues in existing mitigation implementations.

  • Modern Framework for Kernel Exploitation and Research
  Bio:
  •   Eduardo Vela
  •   Eduardo Vela has spent over a decade working on security at Google, particularly around finding and fixing vulnerabilities. He was involved early on in building Google’s bug bounty program and has worked alongside many teams to improve how the industry handles security flaws. Lately, he’s been focusing on Linux kernel and CPU exploits, trying to understand the deeper issues that affect system security. His work is part of a bigger effort to make technology safer for everyone, though there’s always more to learn and improve.
  •   Jordy Zomer
  •   Jordy Zomer is a security engineer at Google specializing in vulnerability research, kernel security, static analysis, and microarchitectural security. His work explores the intersections between software and hardware, tackling fun challenges in kernel and CPU vulnerabilities.
  Content:
  •   Ugh, kernel exploits are the worst, right? Like, who has time for all that 4D chess level stuff? We're here to change the game with some serious skb rizz. Instead of manually slogging through every vulnerability detail, we've built this lit toolkit that basically takes your high-level vulnerability primitive (like "overwrite some memory at offset X") and acts like your personal tour guide through the kernel, pointing out potential exploit targets and highlighting hidden paths to them and required capabilities. Our toolkit simplifies the process, freeing you from the buzz-kill of manual cache targeting and object identification.
  •   Need to trigger a specific code path? No problem. We've got you covered with relevant syzkaller descriptions. This toolkit is high-key bussin'. We're talking about significantly less complexity, so you can focus on the creative part of exploitation, not getting bogged down in the tedious details. It's like, level up your kernel exploitation game without all the stress.

  • The Kernel Hacker's Guide to the Galaxy: Automated Exploit Engineering
  Bio:
  •   Valentina Palmiotti aka chompie:
  •   Reverse engineer, vulnerability researcher, exploit & post-exploitation developer, and expert weird machine mechanic. She is a professional poster and Pwnie Award winner.
  •   Ruben Boonen aka FuzzySec:
  •   With over a decade of experience in security consulting, research and development, and defence, Ruben is the Computer Network Exploitation Capability Development Lead on the Adversary Services team at IBM. His primary focus is on post-exploitation, vulnerability research, and all things Windows internals.
  Content:
  •   As systems evolve and modern mitigations advance, exploit development becomes more intricate and labor-intensive. Consequently, the cost of exploiting vulnerabilities has risen. Patch gaps can be leveraged to exploit machines that have not yet received necessary updates. The brief window of opportunity before mature clients apply patches puts pressure on the research period for developing N-Day exploits, making it demanding and highly time sensitive. To address this, we have implemented many ancillary automation workflows to ease and expedite our exploit development efforts. We will show tradecraft that allows us to programmatically find suitable drop-in exploit objects for specific kernel pools, discover heap spray primitives, identify control flow call targets, perform race condition window analysis, and more, within closed source binaries. These various primitives can be filtered based on the requirements of the vulnerability exploited. Manual root cause analysis allows us to leverage semantic binary search to automatically identify potential vulnerability variants across all Windows kernel subsystems. We illustrate these concepts by showing practical examples using recent vulnerabilities.