CanSecWest 2017
1. Cyberwar and other modern myths - Dr. Michael A. VanPutte, Ph.D, CISSP, author of Walking Wounded: Inside the U.S. Cyberwar Machine
30min
- (no slides)
2. Secure boot: they're doing it wrong. - Scott Kelly, Netflix
50min
- System security (PCs, mobiles, IoT devices, etc.) depends upon controlling the initial system configuration and boot process to ensure establishment of a secure execution environment. This process is commonly called "secure boot". This talk explains what secure boot is, and why it matters, and describes the basic hardware, software, and cryptographic building blocks you can/should use to implement secure boot. The talk also describes how not to do it, based on several real-world examples of exploitable errors in fielded devices. The talk should be interesting to both white and black hats.
3. Port(al) to the iOS core - Introduction to previous private iOS Kernel Exploitation Techniques - Stefan Esser
50min
- For years now Apple has kept adding new security mitigations to iOS and iOS devices that put them often ahead of their competition. Naturally attackers had to adopt their techniques to break into these new versions of iOS with every new protection. Because of this these techniques have been usually kept private.
In this session the audience will be introduced to a set of iOS kernel exploitation techniques that have been used in private jailbreaks for a while now and only recently have been revealed to the public by a partial iOS 10.2 jailbreak that has been uploaded to GitHub. This session will give a complete walk through of the original techniques and explain how exactly they were intended to be used.
4. Inside Stegosploit - Saumil Shah
50min
- Stegosploit creates a new way to encode "drive-by" browser exploits and deliver them through image files. These payloads are undetectable using current means. This paper discusses two broad underlying techniques used for image based exploit delivery - Steganography and Polyglots. Drive-by browser exploits are steganographically encoded into JPG and PNG images. The resultant image file is fused with HTML and Javascript decoder code, turning it into an HTML+Image polyglot. The polyglot looks and feels like an image, but is decoded and triggered in a victim's browser when loaded.
This talk focusses more on the inner mechanisms of Stegosploit, implementation details, and how certain browser specific obstacles were overcome.
The Stegosploit Toolkit contains the tools necessary to test image based exploit delivery. A case study of a Use-After-Free memory corruption exploit (CVE-2014-0282) shall be presented demonstrating the Stegosploit technique.
5. Privilege escalation on high-end servers due to implementation gaps in CPU Hot-Add flow - Cuauhtemoc Chavez Corona + Rene Henriquez + Laura Fuentes Castaneda + Jorge Gonzalez Diaz + Jan Seidl, Intel
50min
- Server systems are characterized among other things by unique features and technologies meant to increase their robustness to cope with mission critical applications while maintaining security. Since these machines are most of the time physically isolated behind the walls of big Datacenters and enterprises, many attacks are considered out-of-scope when ana- lyzing their security objectives (i.e.: physical attacks and attacks that require physical possession of a system). In this work, we demonstrate three cases on how to exploit weaknesses on a server- specific feature known as CPU Hot-Add to escalate privileges. We also demonstrate effective countermeasures to restrain the threats; such countermeasures are implemented today by system Firmware (e.g.: BIOS). We provide a detailed security analysis with a high-level introduction of RAS (Reliability, Availability and Serviceability) features and the CPU Hot-Add flow, which is the central topic of this research.
6. Microsoft's strategy and technology improvements for mitigating native remote code execution - Matt Miller + David Weston, Microsoft
60min
- Microsoft's Windows 10 the Creators updates features a number of new and groundbreaking technologies for mitigating remote code execution. In this talk, we will cover Microsoft's "four strategic pillars" for preventing remote code execution: Code integrity, Stack protection, Control Flow Integrity, and arbitrary code generation prevention and how they work together to make exploit developers lives much harder. We will also include design and technical details on the numerous new innovative prevention features that Microsoft has introduced into Windows 10 and Microsoft Edge in the creator's edition to deliver on this strategy. Along the way, the speakers will provide insights into the challenges' of implementing disruptive mitigation technology into an operating system used by over a billion people. We will also illustrate how Microsoft leverages its own team of world class offensive exploit developers to aide in the development and design of mitigations. This talk is a must see for anyone interested in attacking or defending Windows 10.
7. Lots of Squats: APTs Never Miss Leg Day - Kyle Ehmke, ThreatConnect
60min
- For many of the notable APT breaches over the last two years, domains that spoofed or typosquatted legitimate ones belonging to the target were an essential part of the adversaries' attacks. Notably, Chinese APT actors have leveraged such domains to breach healthcare and government organizations, ultimately compromising personal information for millions of individuals. A Russian APT has also used these types of domains recently to steal and ultimately leak documents from the Democratic political party. An organization can use knowledge of these practices to potentially discover targeted APT activity or proactively identify indicators that attackers may use against them. This presentation will expand on information identified in our research on the Anthem and DNC hacks, and show how an organization can leverage threat intelligence in conjunction with domain registration data to further bolster their defensive efforts. More specifically, ThreatConnect intelligence researchers will detail the process by which they identified potential Chinese APT activity against the pharmaceutical sector using registration information for spoofed and typosquatted domains.
8. Dig into the qemu security and gain 50+ CVE in one year - Qiang Li + ZhiBin Hu + Mei Wang, Qihoo 360
45min
- QEMU is a fundamental part of modern open source virtualization solution, especially in KVM and Xen. As a complete virtualization solution, QEMU should emulate the processor, memory and peripheral device. These makes QEMU very complex and exposes a lot of attack surfaces. In this year, I did a deep vulnerability discovery in QEMU and discovered 60+ vulnerabilities and got 50+ CVE now. I have summarized kinds of the attack surface and vulnerability types in QEMU.
In this presentation, I will talk about the attack surfaces of QEMU and how to discover vulnerabilities in these attack surface. As I discovered these vulnerabilities by auditing, I will also discuss the pros and cons of auditing and fuzzing which is very popular these days. I will compare the efficiency between auditing and fuzzing. By provide some tricks in auditing I will illustrate the source auditing is still a powerful weapon in vulnerability discovery. Then, I will talk about the various vulnerability types and cases in QEMU for these attack surfaces. Finally I will give a summary of the vulnerabilities I have found.
9. Cyber WMD: Vulnerable IoT - Yuhao Song, GeekPwn Lab & KEEN + Huiming Liu, GeekPwn Lab & Tencent Xuanwu Lab
50min
- This topic will share knowledges extracted from more than 100 vulnerabilities in IoT devices, which were submitted to GeekPwn contest. It will introduce some unique problems of IoT, such as attack interfaces, diverse structures etc. It will also demo some exploits against IoT devices, and have the case studies in detail. In the end, some advices will be provided to the vendors to enhance their products' security.
10. Exploring Your System Deeper is Not Naughty - Oleksandr Bazhaniuk, Yuriy Bulygin, Mikhail Gorobets, Andrew Furtak, John Loucaides, Intel Security
60min
- You wanted to explore deep corners of your system but didn't know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities, configured insecurely or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify security state of platform components of your system and how effective are the platform security defenses: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore hardware and firmware components your system has.
CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014 significant improvements have been made in the framework - from making it easy to install and use to adding lots of new security capabilities. We'll go over certain representative examples of what you can do with it such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of the hypervisors, finding backdoors in UEFI images and more.
11. Low cost radio wave attacks on modern platforms - Mickey Shakatov + Maggie Jaurequi, Intel
60min
- A very simple attack vector that remains relevant to the vast majority of electronic systems is electro-magnetic interference (EMI). Although EMI has recently been known to be used in security research for passively sniffing crypto keys across walls or performing side channel attacks, these attacks require expensive and delicate equipment. This research reviews EMI's potential as a wireless, low cost active attack vector. We've put together a collection of interesting behavior anomalies in platform components (sometimes even when systems aren't plugged into a power outlet) when exposed to EMI using cheap radio equipment. These attacks could have further reaching applicability scenarios we'd like to bring awareness to.
12. What if encrypted communications are not as secure as we think? - Enrico Branca, OWASP
45min
- A long term study (48 months) has been conducted to analyze and test a large number of cryptographic keys, collected from open and public sources and across a variety of protocols (HTTPS, POP3S, IMAPS, SMTPS, SSH, PGP), in order to identify possible issues and generate metrics. The presentation will discuss data collection and aggregation, how cryptographic keys have been analyzed and tested to find security issues, how the evaluation led to the discovery of large numbers of insecure keys, and how the lack of test suites may make the process very difficult to automate.
13. Attacking DSMx Spread Spectrum Frequency Hopping RC Drone Protcol - Jonathan Andersson, Trend Micro
60min
- The popularity and public use of radio controlled drones is increasing rapidly. Globally we have already seen several high profile incidents including shootings, radiological scares, interference with public services, airport closures, etc. The security of popular drone protocols is examined in this presentation with a focus on a market leader, DSMx. This frequency hopping, direct sequence spread spectrum protocol is uniquely complex and presents specific challenges to the reversing process, the highlights of which will be discussed. Uniquely identifying a remote drone operator based on recorded radio data will also be discussed. A live demonstration of drone hijacking will be given wherein a target is taken over in flight allowing the attacker full control of the drone while the victim has none.
14. Touch-and-Go Elections - How convenience has taken over security, again. - Harri Hursti
50min
- I was planning to take one actual voting machine with me and also let people to play with it This talk will be technical a, but the focus is will be on anomalies proven by public records and then discussion about the underlying technology.
15. Pwning Nexus of Every Pixel: Chain of Bugs demystified - Qidan He, KeenLab, Tencent
60min
- The security of Android devices has been strengthened a lot since the release of Android Nougat, thanks to the great work by Android Security Team, making the life of attackers harder. However where there is a will, there is a way. After months of research we've successfully come up with a chain of exploitation to tackle this challenge. In October 26th Mobile Pwn2Own 2016 Tokyo, KeenLab scored Master of Mobile Pwn2Own by pwning Nexus and Pixel running newest Android using three bugs, allowing us to install arbitrary applications and take control of all juicy permissions such as SMS, Photo, Microphone and Contact. In this talk we will dive in details about the JIT compiler infrastructures and engines of V8 (e.g. crankshaft), which is rarely talked about before, and how OOBs occur under certain carefully prepared conditions and turned into full exploit. We will then explain how to use two logical bugs, one in Chrome IPC to break out the Chrome Android's sandbox in `unexptected` ways and finally get arbitrary application installation.
16. A platform base on visualization for protecting CAN bus security - Jianhao Liu + Minrui Yan, SkyGo Vehicle Cyber Security Team, Qihoo 360
50min
- With the development of vehicle technology, vehicles become more electronic and intelligent on the basis of inner bus communication network, and draw more attention to the study of vehicle security. To facilitate this process, we developed a platform that evaluates the security of vehicle, which can be used for black-box tests by security researchers and automotive engineers. The software is capable of sniffing CAN bus packets, identifying ECUs, analyzing UDS, as well as launching fuzzing attacks, and brute-force attacks. By visualizing the changes from different packets, it can help us to identify the value range quickly. Users can also share their programmable examples within the platform. This talk will introduce the reverse engineering of CAN packets in details, and present the "CAN-Pick" tool by demonstrations of injecting CAN packets on a car. This tool can also be used as a man-in-the-middle, which can realize full control over the car without adding any actuators on the vehicle.
17. Automotive Intrusion Detection - Jun Li - Unicorn Team + Qing Yang - founder & director of Radio Security Research Department and UnicornTeam, Qihoo 360
45min
- Car security research Introduction, I will talk about the status quo of car security research, the development of car security research,briefly introduce the famous car hacking incidents.
- Car Working Principles, this part I will introduce the basics required for understanding the contents that I will talk about later
- Status quo of car intrusion detection, this part I will talk about the researches done by other researchers so the audience can tell the differences between the Intrusion Detection methods proposed by other researchers and the word I have done, I will leave themselves to just which method is better.
- Detecting CAN Bus intrusion using Deep Learning, this part I talk about my research in detail.
18. State of Windows Application Security: Shared Libraries - Chuanda Ding, Xuanwu Lab, Tencent
30min
- In recent years, applications codebase becomes increasingly complex, it is almost impossible for one developer or vendor to write an application from scratch without using third party libraries. Shared libraries such as OpenSSL are widely used in most popular applications produced by Adobe, Google, and thousands of smaller vendors.
For example, in 2402 software versions we found using OpenSSL, none of them has upgraded to the latest version of OpenSSL, which are 1.0.1u / 1.0.2j / 1.1.0c, while over a hundred of them are affected by Heartbleed vulnerability.
The Qt runtime, famous for its GUI framework and cross platform capabilities, is one of the most widely used shared library. Its 4.x branch occupied the majority of the version distribution. QtWebKit in Qt 4.x provides a WebKit engine with Javascript functionalities, however this project has been found to have too many security vulnerabilities and is abandoned in favor of QtWebEngine. We found that over 400 software versions are bundled with QtWebKit and could be vulnerable to attacks.
19. How to find the vulnerability to bypass the Control Flow Guard - Henry Li, Trend Micro
60min
- As we know, Control Flow Guard (CFG) is one of the default exploit mitigation technique on Windows 10 platform which significantly increases the difficulty of exploit from attackers. In windows 10, even if you have the ability of arbitrary address read/write, you must still need to find methods to bypass CFG mitigation. However, until now there is no general CFG bypassing methods, so the vulnerability of bypassing CFG is more and more important for exploit. This talk will introduce how to hunt the vulnerability of Microsoft Edge Browser to bypass the Control Flow Guard step by step.
20. Logic Bug Hunting in Chrome on Android - Georgi Geshev + Robert Miller, MWR InfoSecurity
50min
- Memory corruption exploits are requiring greater and greater investment in time and effort to bypass the latest mitigations in applications like Chrome and the underlying operating system. When combined with the competition of everyone in the world running a fuzzer, it becomes hard to find and keep unique bugs.
Instead we want to talk about logic flaws - bugs or simply "features" - that enable the attacker to achieve the same goals without fighting the latest and greatest exploit mitigations. We will show the methodology we use for reviewing products and identifying flaws as well as the process of exploiting them. This involves, among other things, developing better understanding and gaining deeper knowledge of a target and identifying security boundaries that usually give rise to assumptions about security checks performed on both sides.
In our example we will show how a logic bug in Chrome for Android allows an attacker to completely bypass Android Nougat security to access the user's files, emails and even install applications without the need for a single memory corruption bug.
21. Introduction - Invite only bug bounty program - Bruce Monroe, Intel
22. Introduction - New bug bounty program - Akila Srinivasan, Microsoft
23. Fuzzflow Framework and Windows Guided Fuzzing - Richard Johnson, Cisco Talos
60min
- Fuzzflow is a distributed fuzzing management framework from Cisco Talos that offers virtual machine management, fuzzing job configuration, pluggable mutation engines, pre/post mutation scripting, crash collection, and pluggable crash analysis. We have recently ported the code from crusty 90s era DHTML to a modern web application and opensourced it on GitHub! We will show off some of the workflow while discussing new mutation engine features driving the client side of the fuzzing system.
In the past year we have also added the Intel PT tracing mode as an engine for targeting Windows binaries in the widely used evolutionary fuzzer, American Fuzzy Lop. This fuzzer is capable of using random mutation fuzzing with a code coverage feedback loop to explore new areas. Using our new Intel PT driver for Windows, we provide the fastest hardware supported engine for targeting binaries with evolutionary fuzzing. We will discuss the design challenges involved with performantly harnessing Intel Processor Trace for fuzzing.
In addition, we have added new functionality to AFL for guided fuzzing, which allows users to specify targeted areas on a program control flow graph that are of interest. This can be combined with static analysis results or known-vulnerable locations to help automate the creation of trigger inputs to reproduce a vulnerability without the limits of symbolic execution. To keep performance as the highest priority, we have also created new methods for efficiently encoding weighted graphs into an efficiently comparable bytemap.
24. The Dark Composition (DComposition) of Win32k - Attacking the Shadow Part of Graphic Subsystem to Gain System Priviledge - Peng Qiu + Shefang Zhong, Qihoo 360
50min
- As modern web browsers keep envoling in secuirty, it becomes more and more difficult to break their sandboxes with user-mode bugs. In such situation, in windows system the kernel bugs become more and more popular. In the recent two years, kernel bugs have been heavily used to break browser sandboxes in various contests such as Pwn2Own, PwnFest, and even used in real target attacks. Most of these kernel sandbox-escape bugs exist in the win32k subsystem, for example, the 2 kernel exploits we demonstrated in Pwn2Own 2016.
In windows 10 RS1, Microsoft added some exploit mitigation techniques to fight against such kernel sandbox-escape exploits. The most effecitve one is the win32k filter, which directly filtered lots of win32k calls. Under such mitigations, we need to find some new kernel attack surfaces.
One of the attack surfaces we find, the DComposition, which we named "Dark Composition" internally, is a nice kernel sandbox-escape attack surface. It is never mentioned by other researchers before, even Microsoft does not provide any document for it. It hides deeply in the windows graphics system, containts complex C++ objects and graphic processing logics, makes it easier toe find exploitable bugs in it than other win32k components. It is not filtered by the win32k filter mitigation which means we can directly use it to escape browser sandboxe on windows system.
25. Hijacking .NET to Defend PowerShell - Amanda Rousseau, Endgame
30min
- You need to have the mind of a hacker to know how to defend. With the rise of attacks implementing PowerShell in the recent months, there hasn’t been a solid solution for monitoring or prevention. Currently Microsoft released the AMSI solution for PowerShell v5 however this can also be bypassed. This talk will focus on utilizing various stealthy runtime .NET hijacking techniques implemented for blue teamer defenses for PowerShell attacks. The presentation will start with a light intro into .NET and PowerShell, then a deeper look into various attacker techniques which will be explained in the perspective of the blue teamer. Techniques include assembly modification, class & method injection, compiler profiling, and C based function hooking.
With the rise of attacks implementing powershell in the recent months, there hasn’t been a real solution for earlier versions of powershell monitoring or prevention. Currently Microsoft released the AMSI solution for powershell v5 however this can also be bypassed and is not applicable to earlier versions. Other solutions such at .NET and PowerShell ETW monitoring does not provide a stealthy preventative solution. This presentation provides various solutions for stealthy runtime monitoring for all versions of powershell and .NET.
26. Inspecting and injecting. IronPython and .NET DLR memory reflection blazing through hundreds of GB in no time. - Shane Macaulay, IOActive
45min
- Forget the password to your cloud infrastructure? Need to inject code into a running cloud server without an agent? Similar functionality like pcileech for cloudleech like functionality. Will cover some of the underlying support code and scripts to digest huge amounts of cloud compute memory for attack and defense needs. https://github.com/ShaneK2/inVtero.net
New performance capabilities in EhTrace https://github.com/K2/EhTrace including a slicing method for dynamically enabling and disabling trace overhead with hot stack patching.
27. Escape from VMware Workstation by using "Hearthstone" - Xinlei Ying + Qinghao Tang, Qihoo 360
45min
- VMware Workstation is a convenient and powerful virtualization product. More and more cloud computing vendors are using it. Hence, Security research about VMware Workstation is an important part of Virtualization security research field. As we know that VMware workstation challenge competition has been added in Pwn2own 2016 and PwnFest 2016. Marvel Team has successfully escaped from VMware Workstation by using "Heartstone" vulnerability in PwnFest 2016. In our topic, we will share the detail of "Heartstone" for first time.