Pwned in Translation - from Subtitles to RCE
What if I told you that when you're watching a movie on your PC or streamer, someone might also be watching you? And he might be doing so using subtitles.
Yes, subtitles, those innocent looking text lines at the bottom of your screen.
Millions of people use them without a second thought – never wondering where they come from, where they're parsed or how they are rendered.
You might be surprised to find that there are actually more than 25 subtitle formats out there, most of which support exotic features such as HTML tags, raw images or even freeform binary (What?). Moreover, there is usually no standard library designed to parse subtitles, which leaves this task to be independently implemented by the various media players.
What can go wrong?
Well, basically - everything.
Omri Herscovici is a security researcher at Check Point Software Technologies. Omri is a developer and network security expert with extensive technical experience in software development, exploit and vulnerability research, and security architecture. In his past, Omri served seven years as an officer and R&D leader in an elite Israeli intelligence unit.
Omer has been a security researcher at Check Point Software Technologies LTD for the past year. Omer has a diverse security background which includes networking, web application pentesting and exploit research. Previously, Omer served in an elite IDF intelligence unit as an IT specialist.
Butterfly Effect and Program Mistake - Exploit an "Unexploitable" Chrome Bug
Does the flap of a butterfly’s wings in Brazil set off a tornado in Texas? I don’t know. But I do know a negligible tiny logical bug in the V8 engine can lead to remote code execution in Chrome. In the PwnFest contest 2016, I exploited a logical mistake (CVE-2016-9651) in V8 to allow remote code execution. This logical mistake was very small and it appeared unexploitable at first glance. But by the combination of several unusual exploitation tricks, I got a stable exploit at last. The journey of exploiting this vulnerability tells me: never give up easily on “unexploitable” bugs.
Guang Gong (@oldfresher) is a senior security researcher of the 360 Alpha Team. His research interests include Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android’s vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SysCan360, MOSEC and PacSec. He is the winner of Pwn2Own 2015, Pwn0Rama 2016 (the category of mobile devices), and Pwn2Own 2016 (the target: Chrome).
Moniker Magic: Running Scripts Directly in Microsoft Office
In this presentation, we will be looking at a very interesting Office vulnerability that (should be) patched in April. It's a logical bug, it may be a feature, it does everything you want Office to do, and it all comes from one single magic string.
Haifei is a security researcher with McAfee, and previously worked for Microsoft and Fortinet. His work includes real-world attack surface analysis, trying new ideas for "next-gen" vulnerability discovery and exploitation, as well as (zero-day) exploit detection. He mainly focuses on the Microsoft ecosystem; in recent years he has worked on Office.
Bing Sun is a senior information security researcher, and leads the IPS security research team of McAfee. He has extensive experience in operating system kernel layer and information security R&D, with especially deep dives into advanced vulnerability exploitation and detection, rootkit detection, firmware security, and virtualization technology.
Enhancing Symbolic Fuzzing with Machine Learning Discovery
This talk presents our recent effort of using various learning techniques to improve symbolic execution’s navigation ability for vulnerability discovery. Our effort benefits from machine learning on multiple fronts, including seed input generation and path scheduling during symbolic exploration. Our preliminary effort of identifying program phase behaviors on average helped our symbolic execution cover twice as much code as the popular symbolic engine does. This effort has discovered 21 previously unknown vulnerabilities (and resulted in 7 CVEs) in popular image parsing libraries in Linux, which have been well studied before.
Kang Li is a professor of Computer Science at the University of Georgia, and the director of Cyber Immunity Lab.
TBD Office Vulnerability & Deep Security Engineering
This will be the first time this material will be presented at a conference. This presentation will include deep internal information that others outside the company are unlikely to know.
Tom Gallagher has been intrigued with both physical and computer security from a young age. He has worked on Microsoft Office security since 1999 and is currently the Group Engineering Manager of the Microsoft Office Security team. Tom co-authored the Microsoft Press title “Hunting Security Bugs” and still enjoys finding new vulnerabilities in his time outside of work.
Nation-State Capabilities, Lone Wolf Budget
We all know that every action we take with digital devices leaves a footprint. Sometimes this is in the form of logged network traffic with identifiable information or characteristics. Sometimes, it’s wireless transmissions. Sometimes it’s even just RF noise. Some respond to this with extreme paranoia, avoiding ‘smart’ devices and never doing anything online without 7 proxies. The rest of us judge the likelihood and impact of being surveilled by a nation-state against usability and convenience.
Low cost hardware, amazingly capable microcontrollers, and high capacity batteries dramatically reduce the cost and increase the ease of this kind of surveillance. I’ll present hardware and techniques that make it possible to log when vehicles visit a specific location via TPMS for under $50, collect bulk data on vehicles’ and pedestrians’ routes through a small city for under $1000, and propose methods to thumbprint even ‘radio-silent’ people within a certain range.
As a takeaway, you might be a little better equipped to consider whether you should don a tin foil hat, give up opsec as a lost cause, or something in between.
Joe (@securelyfitz) is an Instructor and Researcher at https://SecuringHardware.com. Joe spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security related training for security researchers, pen testers and hardware validators worldwide. When not teaching Applied Physical Attacks training, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects.
Exploring Your System Deeper is Not Naughty
You wanted to explore deep corners of your system but didn’t know how? System boot firmware, ROMs on expansion cards, I/O devices and their firmware, microprocessors, embedded controllers, memory devices, low-level hardware interfaces, virtualization and hypervisors. You could discover if any of these have known vulnerabilities or are configured insecurely, or even discover new vulnerabilities and develop proof-of-concept exploits to test these vulnerabilities. Ultimately, you can verify the security state of your system's platform components and how effective the platform security defenses are: hardware or virtualization based TEE, secure or trusted boot, firmware anti-tampering mechanisms, hypervisor based isolation... Or maybe you just want to explore the hardware and firmware components your system has.
The CHIPSEC framework can help you with all of that. Since releasing it three years ago at CanSecWest 2014, significant improvements have been made in the framework, from making it easy to install and use to adding lots of new security capabilities. We’ll go over certain representative examples of what you can do with it, such as finding vulnerabilities in SMM firmware, analyzing UEFI firmware vulnerabilities, testing hardware security mechanisms of hypervisors, finding backdoors in UEFI images and more.
Oleksandr Bazhaniuk is a security researcher in the Advanced Threat Research team at Intel, Inc. His primary interests are low-level hardware security, BIOS/UEFI security, and automation of binary vulnerability analysis. His work has been presented at many conferences, including Black Hat USA, Hack In The Box, Hackito Ergo Sum, Positive Hack Days, Toorcon, CanSecWest, Troopers and USENIX. He is also a co-founder of DCUA, the first DefCon group in Ukraine.
Yuriy Bulygin (@c7zero) is the lead for the Advanced Threat Research team at Intel Security (http://www.intelsecurity.com/atr). Previously, Yuriy led the microprocessor vulnerability analysis team at Intel. Yuriy is the author of the open source CHIPSEC framework for platform security assessment (https://github.com/chipsec/chipsec).
A Story of Exploiting macOS Sierra Kernel
Teaming up with Lokihardt, we successfully exploited fully patched Apple Safari on macOS Sierra and got root privilege at PWNFEST 2016. After gaining arbitrary code execution in a strictly sandboxed Safari Web Process, we first exploited an uninitialized kernel heap issue to bypass KASLR, and then exploited an uninitialized kernel stack issue to gain arbitrary code execution in the kernel. In this talk, we will uncover these kernel vulnerabilities, and discuss the whole kernel exploitation chain in detail.
Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for the multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents the latest research at well known security conferences including BlackHat, CanSecWest, POC, and Ruxcon.
Helium, Argon & Xenon: The Noble Gases of Windows Containers
Windows 10 comes with support for a very interesting technology that Microsoft has barely talked about: Containerization, through native support of Docker for Windows. Anniversary Update extended this capability even further, and Creators Update adds yet another layer for Game Mode and Desktop Bridge applications. In this talk, we'll describe the internals of the Windows "Silo" Object, and dive into Application Silos (Helium) and Server Silos (Argon), while also briefly describing the Hyper-V Container support (Xenon). We'll look at what real security boundaries Silos really offer, and showcase a few ways that the Container boundary can be broken. We'll also talk about interesting ways that Containers can mess with security software on the machine, due to the various virtualization and mirroring technologies applied on the file system, registry, network stack, and object manager. Finally, we'll end with a demo of a live Argon Container-to-Host bypass.
Alex Ionescu is the Vice President of EDR Strategy at CrowdStrike, Inc. Alex is a world-class security architect and consultant expert in low-level system software and the founder of Winsider Seminars & Solutions Inc.
Exploit iOS 9.x Userland with LLDB JIT
In this presentation I will talk about an iOS 9.x userland security bug which I found in 2016. Using this bug, we can gain userland code execution and escape from the sandbox. I also use this bug to bypass iOS userland restrictions in my private jailbreak.
1. iOS Security Overview
2. How I found the bug
3. How to gain code execution
4. How to escape from sandbox - 1st Try
5. How to escape from sandbox - 2nd Try
6. Exploit with LLDB JIT
Wei Wang is a senior security researcher of Qihoo 360 Nirvan Team. He is focusing on the security of Apple’s products, including the OS, developer toolchain, and fundamental frameworks, and has found many vulnerabilities. He also has 6+ years of experience in software development and software architecture, so he is also good at developing security tools. Twitter: @ProteasWang
The Wounded Android WiFi Driver: New Attack Surface in cfg80211
In the Android security bulletins of the past several months, many vendor related vulnerabilities were found. But most vulnerabilities are found in the ioctl interface of the character device registered by the vendor driver. In Linux kernel based systems, ioctl is a universal method to transfer data between kernel and userspace. So, the ioctl interface has been the focus of the root fans. But in fact, there are some other ways to connect the kernel and userspace. For example, the netlink socket. The netlink socket family is a Linux kernel interface used for interprocess communication (IPC) both between the kernel and userspace processes, and between different userspace processes, in a way similar to Unix domain sockets.
Security researcher of 360 Alpha Team.
Perf vs. Security: Virtio Security in QEMU
QEMU is a fundamental part of modern open source virtualization solutions, especially in KVM and Xen.
As a complete virtualization solution, QEMU must emulate the processor, memory and peripheral devices.
In order to improve the performance of the virtual machine, the virtio architecture was proposed.
For now, nearly all cloud platforms use virtio devices by default.
But as history has always demonstrated, you can't get high performance and high security at the same time.
In this presentation, I will talk about the security of virtio. It will include the details of the virtio architecture and why it improves performance. I will also discuss the attack surface of virtio with the full data flow and resource management, and then the weak links in the data flow chain, including logical and implementation vulns. As we have found a lot of virtio-related vulnerabilities, we will also show many cases, with one or two in full detail on writing PoCs for virtio vulns.
Qiang Li is a security researcher of Gear Team at Qihoo 360, mainly focusing on vulnerability discovery and vulnerability analysis. He has been a low level system programmer for several years on both Windows and Linux. He is currently working on cloud and virtualization security and discovered 70+ vulnerabilities in the last year. His talk was accepted by CanSecWest 2017 (but he did not attend because of a visa issue). He has given talks at Ruxcon 2016 (Melbourne, AUS) and ISC 2016 (Beijing, China).
ZhiBin Hu is a security researcher of Gear Team at Qihoo 360. For the last several years he has mainly focused on vulnerability discovery and analysis on Windows, and he was ranked MSRC top 19 in 2015. In the recent two years he has been interested in cloud security. He has given talks at both CanSecWest 2017 and Ruxcon 2016 (Melbourne, AUS).
Let Math Be the Beacon of Your Vulnerability Discovery
This talk will discuss a system that uses math to assist vulnerability mining in binary programs. There are many methods to help security researchers find vulnerabilities in software, but whether by fuzzing or code audit, it is very difficult to find an effective test path. The presented system uses several defined engines to search for different suspicious paths and then uses algebraic methods to decide whether the suspicious paths should be manually confirmed or rerouted to fuzzing next. Compared with similar existing technologies, our system imports the algebraic calculation method and improves the performance of fuzzing. On the other hand, it is very easy to extend; artificial intelligence will be included as engines in future work.
Lei Shi is a security researcher of the Gear Team of Qihoo 360 Inc., mainly focusing on cryptography security and vulnerability discovery. He has discovered 100+ bugs and gained 9 CVEs on OpenSSL in the last year. He is obsessed with math and computer security, and is currently working on kernel security and development of vulnerability discovery tools.
Mei Wang is a security researcher of the Gear Team of Qihoo 360 Inc., mainly focusing on vulnerability discovery and fuzzing technology. In the last year, she already gained 10+ CVEs from Firefox, Safari, Solr and libtiff. She gave a talk at CanSecWest 2017. She is currently working on browser security and fuzzing tool development using math and machine learning.