Abusing the Mac Recovery OS and Local OS Update Process
Did you know that Macs contain a secondary OS that sits hidden besides OS X? This talk will initially dive into technical details of the Recovery OS, before showing that while on (newer) native hardware Apple verifies this OS, in virtualized environments this may not be the case. Due to this 'flaw' we'll describe how an attacker can infect a virtualized OS X instance with malware that is able to survive a full OS X restore. Though limited to virtual instances, such malware can also abuse this process install itself into SIP'd locations making disinfection far more difficult. It's also worth noting that this attack likely would succeed on older versions of non-virtualized OS X as well.
As a large portion of the logic within the Recovery OS that deals with restoring OS X is logically equivalent to the OS X upgrade process, the talk will pivot to this. For unknown reasons, it appears as Apple does not fully verify such updates (or 'OS installs'), allowing a local attacker (or malware) on native hardware, to inject code into the OS upgrade/installer application. This provide a means of ensuring the malware can control or even be propagated into the upgraded OS.
Moreover, this provides a new (0day!) way to bypass SIP. We’ll discuss exactly how :)
During this talk, we'll also cover various OS X infection and injection strategies, such as the creation of malicious 'proxy' libraries. While this technique has been abused on Windows by nationstate actors, it has yet to be seen or discussed on OS X.
Finally we'll conclude by discussing some general OS X hardening methodologies that may generically thwart, or at least complicate such attacks.
Patrick Wardle is the Director of Research at Synack, where he leads cyber R&D efforts. Having worked at NASA and the NSA, as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick’s focus is on automated vulnerability discovery, and the emerging threats of OS X and mobile malware. In his personal time, Patrick collects OS X malware and writes free OS X security tools. Both can be found on his personal website; www.Objective-See.com
Browser Bug Hunting and Mobile
This presentation is based on our experience in hunting bugs in desktop and mobile browsers. It aims to cover the whole process that a researcher must know. Identifying the different attack surfaces, different approaches to audit and instrument browsers, covering techniques such as fuzzing that will be our main focus. We will disclose details on real case study, some of our tools and experiences against giants like ClusterFuzz.
Francisco Alonso is a senior security researcher in COSEINC specializing in reverse engineering, fuzzing, vulnerability research, browsers security and mobile technologies. He was formerly a member of the Fedora Security Team of Red Hat Product Security.
Jaime Penalba is a security researcher at COSEINC focused on Linux kernel. During his career he has played different roles going from systems engineer or developer to security consultant. In his personal time, Jaime evangelizes about r2, maintains r2pipe for node and tries to break old and rusty UNIX kernels.
Demystifying the Secure Enclave Processor
The secure enclave processor (SEP) was introduced by Apple as part of the A7 SOC with the release of the iPhone 5S, most notably to support their fingerprint technology,Touch ID. SEP is designed as a security circuit configured to perform secure services for the rest of the SOC, with with no direct access from the main processor. In fact, the secure enclave processor runs it own fully functional operating system - dubbed SEPOS -with its own kernel, drivers, services, and applications.This isolated hardware design prevents an attacker from easily recovering sensitive data (such as fingerprint information and cryptographic keys) from an otherwise fully compromised device.Despite almost three years have passed since its inception, little is still known about the inner workings of the SEP and its applications. The lack of public scrutiny in this space has consequently led to a number of misconceptions and false claims about the SEP.
In this presentation, we aim to shed some light on the secure enclave processor and SEPOS. In particular, we look at the hardware design and boot process of the secure enclave processor, as well as the SEPOS architecture itself. We also detail how the iOS kernel and the SEP exchange data using an elaborate mailbox mechanism, and how this data is handled by SEPOS and relayed to its services and applications. Last, but not least, we evaluate the SEP attack surface and highlight some of the findings of our research, including potential attack vectors.
Mathew Solnik is a managing director at OffCell Research. Where is primary focus is in the mobile, M2M, and embedded space specializing in cellular network, hardware/baseband, and OS security research/exploit development. Prior to founding OffCell, Mathew has held positions in multiple areas of Information Security - including consulting for Azimuth Security, Accuvant LABS, and iSEC Partners where he performed the first Over-the-Air Car Hack (as was featured in a previous Black Hat talk) as well as R&D for Ironkey where he handled in-house penetration testing and design review for multiple DARPA funded projects.
“Cosa Nostra” an open-source malware clusterization toolkit
During the presentation a set of algorithms used for large scale malware clusterization will be shown and explained. Also, the tool and how it works will be explained during the talk. A demo will be shown clustering a few files on stage to show how it works and how it can be used by malware researchers to find malware families from big sets of files as well as to find relationships between apparently different malware families that happen to be the same by using graph based theory based clusterization algorithms that invented myself somewhere around 2010/2011.
Joxean Koret has been working for the past +15 years in many different computing areas. He started working as database software developer and DBA for a number of different RDBMS. Afterwards he got interested in reverse engineering and applied this knowdlege to the DBs he was working with, for which he has discovered dozens of vulnerabilities in products from the major database vendors, specially in Oracle software. He also worked in other security areas like malware analysis and anti-malware software development for an Antivirus company or developing IDA Pro at Hex-Rays. He is currently a security researcher in Coseinc.
Old Skewl Hacking: DVB-T Black Button Pivot
In the 4th talk in my series of “Old Skewl” TV hacking, I will present a practical attack against all current UK TVs that are compliant with the “Freeview” standard. i.e. ALL digital TVs, which, again, is all of them,as we switched off analogue a while back!
The vulnerability is in the MHEG standard (think Teletext on steroids), which powers all data services including the BBC “Red Button” service, so affects all TVs, not just the new “smart” TVs. Additional vulnerabilities exist if the TV is also connected to the internet, but even it is isn't I can attack the TV.
Adam Laurie is a security consultant working the in the field of electronic communications, and a Director of Aperture Labs Ltd. (http://aperturelabs.com) who specialise in reverse engineering of secure embedded systems. He started in the computer industry in the late Seventies, working as a computer programmer on PDP-8 and other mini computers, and then on various Unix, Dos and CP/M based micro computers as they emerged in the Eighties. He quickly became interested in the underlying network and data protocols, and moved his attention to those areas and away from programming, starting a data conversion company which rapidly grew to become Europe's largest specialist in that field (A.L. Downloading Services). During this period, he successfully disproved the industry lie that music CDs could not be read by computers, and wrote the world's first CD ripper, 'CDGRAB'. At this point, he became interested in the newly emerging concept of 'The Internet', and was involved in various early open source projects, the most well known of which is probably 'Apache-SSL', which went on to become the de-facto standard secure web server. Since the late Nineties he has focused his attention on security, and has been the author of various papers exposing flaws in Internet services and/or software, as well as pioneering the concept of re-using military data centres housed in underground nuclear bunkers as secure hosting facilities.
Adam aka “Major Malfunction” has been a senior member of staff at DEFCON since 1997 and is the POC for the London DEFCON chapter DC4420. Over the years has given presentations on forensics, magnetic stripe, EMV, InfraRed, RF, RFID,Terrestrial and Satellite TV hacking, and, of course, Magic Moonbeams. He is the author and maintainer of the open source python RFID exploration library 'RFIDIOt', which can be found at http://rfidiot.org blog: http://adamsblog.aperturelabs.com/ github: https://github.com/AdamLaurie https://github.com/ApertureLabsLtd/ twitter: @rfidiot
Running Code in the TrustZone Land
TrustZone is a security extension for ARM processors designed to allow running a secure operating system and a normal operating system at the same time. To create code to run with as a secure operating system, i.e., with TrustZone privileges we have just a few options like emulation on QEMU or buying an ARM board where we can execute experiments. If you want to run privileged code on an Android phone you will have to exploit TrustZone.
This talk will show methods you can use to run your TrustZone code on a real Android phone and also how to easily create your own framework that allow the researchers to do whatever they want on the phone. I will also present information about TrustZone internals and how the Android OS interacts with TrustZone.
Edgar Barbosa is a senior security researcher with more than 10 years of experience, specialized in reverse engineering, kernel programming, rootkits, virtualization and program analysis.
Look Mom! I Don’t Use Shellcode: A Browser Exploitation Case Study for Internet Explorer 11
The latest version of Internet Explorer 11 running on Windows 10 comes with a plethora of exploit mitigations which try to put a spoke in an attacker’s wheel. Although Microsoft just recently introduced their new flag ship browser Edge, when it comes to exploit mitigations many of the mitigations found in Edge are also present in the latest version of Internet Explorer 11. The goal of these mitigations is to make exploit development as hard and costly as possible. Some mitigations which usually need to be overcome are ASLR, DEP, CFG, Isolated Heap and Memory Protector to just name a few. If you managed to bypass all of these and you successfully turned your bug(s) into remote code execution, you are trapped inside a sandbox which needs to be escaped. This might require even more bugs and in the case of a kernel vulnerability you are confronted with all the kernel exploit mitigations such as Kernel DEP, KASLR, SMEP, NULL Pointer Dereference Protection and so on. If you then aim for an exploit which continues working under the presence of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) things get even more interesting.
Although all of this can make the exploit development process really tough, with the right vulnerability at hand it’s still possible to develop working exploits without caring too much about most of these mitigations. This is particularly true if you don’t go the standard route of ROPing into your shellcode but reuse existing functionality inside the browser itself for remote code execution.
In this presentation we describe all the details about our submission to the Microsoft Mitigation Bypass Bounty program for which we were awarded the highest bounty payout of $100,000 USD. We'll present all the techniques which we used to write a stable exploit for IE 11 (64-bit) running on Windows 10 including an Enhanced Protected Mode (EPM) sandbox escape and a generic way to bypass the latest version of EMET 5.5 as well.
No shellcode or ROP gadgets were used in the whole exploit. We'll talk about the benefits of data-only attacks, take a quick look at how Microsoft fixed/mitigated the reported vulnerabilities and techniques and finally conclude with some future possibilities for similar attacks in IE 11 and other browsers.
Moritz Jodeit is the Director of Research at Blue Frost Security GmbH. He has a strong focus on application security and his main areas of interest are vulnerability research, reverse engineering and software exploitation. Moritz Jodeit presented the results of his research at international security conferences like Black Hat Europe, HITB GSEC, 44CON, DeepSec or OWASP AppSec. Recently he was awarded $100,000 USD for his submission to the Microsoft Mitigation Bypass Bounty program.
Strategies on Securing you banks & enterprises. (From someone who robs banks & enterprises)
Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk Jayson will show how an attacker views your website & employees then uses them against you. We'll start with how a successful spear phish is created. By using the information gathered from the companies own 'about' page as well as scouring social media sites for useful information to exploit employees. The majority of the talk will be covering successful counter-measures to help stave off or detect attacks. This discussion will draw on the speakers 15 years experience of working in the US banking industry on the side of defense. Also at the same time he'll be drawing on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well everyone will have learned something new that they can immediately take back to their networks and better prepare it against attacks!
Jayson E. Street is an author of Dissecting the hack: series. Jayson is also the DEF CON Groups Global Coordinator. He has also spoken at DEFCON, DerbyCon, UCON and at several other CONs and colleges on a variety of Information Security subjects. His life story can be found on Google under Jayson E. Street *He is a highly carbonated speaker who has partaken of Pizza from Beijing to Brazil. He does not expect anybody to still be reading this far but if they are please note he was chosen as one of Time’s persons of the year for 2006.
BadKernel —--- exploit V8 with a typo
Yuan Deng (@scdeny) is a former member of blue-lotus CTF team, security researcher of 360 Alpha team now.
Guang Gong(@oldfresher) is a senior security researcher of the 360 Alpha Team. His research interests include Windows rootkits, virtualization and cloud computing. He currently focuses on mobile security, especially on hunting and exploiting Android’s vulnerabilities. He has spoken at several security conferences such as Black Hat, CanSecWest, PHDays, SysCan360, MOSEC, PacSec . He is the winner of Pwn2Own 2015, Pwn0Rama 2016 (the category of mobile devices), and Pwn2Own 2016 (the target: Chrome).
Analysis of iOS 9.3.3 Jailbreak & Security Enhancements of iOS 10
In this talk, we will firstly disclose details of the kernel vulnerability that was exploited in Pangu9 jailbreak for iOS 9.3.3. Since the vulnerability is triggerable inside the container sandbox, Apple released an update(9.3.4) to fix the single bug in a short time. We will show how to exploit this bug to break KASLR and then gain arbitrary kernel code execution.
After discussing the bug, we will continue to introduce some security enhancements in iOS 10. In fact, iOS 10 has fixed lots of unpublished bugs and enhanced some security mechanisms such as KPP, sandbox and the kernel heap management. In addition, we will talk about new hardware based protection of iPhone7(Plus).
Team Pangu consists of several senior security researchers and focuses on mobile security research. Team Pangu is known for the multiple releases of jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu actively shares knowledge with the community and presents the latest research at well known security conferences including BlackHat, CanSecWest, POC, and Ruxcon.
Security Vulnerabilities on Online Payment: Summary and Detection
The rapid development of mobile internet has brought an increasing number of smart phone users and countless mobile Apps, most of which are embedded with payment modules. It has been recognized that some of these Apps are vulnerable due to the developers’ unawareness of payment security. Payment Security vulnerabilities are more sensitive than other kinds of vulnerabilities because of involving of money. In this presentation, we introduce and summarize fifteen kinds of patterns for payment security vulnerabilities on web and mobile, based on the real-world vulnerabilities found by us and other researchers during the past three years. We highlight that some web payment vulnerabilities are universal on the mobile APPs, while the payment is much more complicated in the mobile platforms. What’s more, the app developers’ development capabilities are of varying quality, which yields more payment vulnerabilities.
In this presentation, we emphatically introduce the order id replacement vulnerability and app function modification vulnerability, followed by the video demos.
At last, a new security payment module based on module checking will be introduced too. This module can protect the users and merchant during the payment under any payment environments in anytime, anywhere.
More details will be given at SyScan360.
ZHANG Qing is a senior Android security researcher, from Vulpecker Team of Qihoo 360 China. Before entering Qihoo, he worked in Model Checking Lab in National University of Singapore, for one years, as a senior inviting scholar. His interests include the security issues in Android and Payment, especially the Android Application’s security, and also other problems in mobile Payment, Android Trojan, Module Checking and automatic detection.
He also is a white hat in wooyun.org. He has found fifteen different kinds of vulnerabilities of Payment Security.
Dr. Bai Guangdong is a faculty member in Singapore Institute of Technology (SIT). He received his PhD degree from National University of Singapore in 2015. His research interest spans across
the broad areas of mobile security, web security, and protocol verification. During his previous research, he has worked on analyzing authentication protocol implementation, online payment, and Android security. His research has helped identify and fix serious security vulnerabilities for major websites like Sina Weibo. His work appears in top security conferences, such as NDSS and Black Hat Europe.
Application of Machine Learning in Threat Intelligence Data Mining
Our presentation will showcase a threat intelligence recognition method which is based on machine learning. The application of automatic procedures ensures a great efficiency in detecting and recognizing threat intelligence information in APT attacks. It helps accelerate the response speed and improve the detection accuracy of the threat intelligence sensor towards APT attacks, so that our researchers are able to carry out reverse engineering analysis as promptly as possible.
The algorithm adopted in our automatic procedures is support vector machine (SVM) learning algorithm. The automatic procedure can customize learning solutions on a case-by-case basis. Built on 360’s big database, the machine learning procedure will firstly extract features for analyzing, and then create the behavior modeling of the extracted data. Afterwards, the machine will come up with the appropriate learning algorithm on its own. This helps build up the malware detection engine which plays a vital role in discovering and tracking down all the APT incidents.
Ashley Zhao is a Senior Security Researcher and Malware Analyst at 360 Helios Team. She has passion in threat intelligence, correlation study and attacker attribution analysis and has participated in revealing several major APT incidents. She also has rich experience in malware analysis and is interested in machine learning.
A platform base on visualization for protecting CAN bus security
With the development of vehicle technology, vehicles become more electronic and intelligent on the basis of inner bus communication network, and draw more attention to the study of vehicle security. To facilitate this process, we developed a platform that evaluates the security of vehicle, which can be used for black-box tests by security researchers and automotive engineers. The software is capable of sniffing CAN bus packets, identifying ECUs, analyzing checksum and timestamps, as well as launching man-in-the-middle attacks, fuzzing attacks, and brute-force attacks. By visualizing the changes from different packets, it can help us to identify the value range quickly. Users can also share their programmable examples within the platform. This talk will introduce the reverse engineering of CAN packets in details, and present the “CAN-PICK” tool by demonstrations of injecting CAN packets on a car. This tool can also be used as a man-in-the-middle, which can realize full control over the car without adding any actuators on the vehicle.
Jianhao Liu is the director of SkyGo Team at Qihoo 360. He specializes in the security of Internet of Things and Internet of Vehicles. He has reported a security vulnerability of Tesla Model S, led a security research on the remote control of a car, and participated in the drafting of security standards among the automobile society. Being a security expert employed by various information security organizations and companies, he is well experienced in security service, security evaluation, and penetration test.
Minrui Yan is a security researcher of 360 vehicle cyber security lab which focus on IoT security. He had participated in Hacking Vehicle project(e.g. Tesla), Author of Intelligent hardware security.
Escape Plans: A Year’s Journey with Microsoft Edge Security Mitigations
With the aim of "Building a safer browser", Microsoft keeps adding security improvements to their Edge Brower. Last year we have discussed the security features of Microsoft Edge as well as a critical bug inside Edge sandbox that could escape from its “safer” sandbox. As a year went by, Microsoft did more works on improving the security of the Edge browser andour escape researches are also continue following.
In Windows 10 annual update RS1, we have seen many new security features been added to the Edge mitigations, such as disabling child process creation, plugin isolation, win32k filter and so on.
In this presentation, we will first go through the important sandbox improvements added in Windows 10 RS1. We will introduce the mechanism of the new security features in Edge sandbox by analyzing how they are implemented, and we will also discuss how those new features can make Edge sandbox stronger, then we will go through the attack surfaces of the Edge sandbox, mainly focusing on OS kernel APIs and sandbox/system RPC calls.
For each attack surface, we will introduce some real bugs (including the kernel bugs we used in this year's pwn2own contest) and show how we exploit those bugs to escape from the sandbox. Then we will introduce the fuzzing tool we used to find RPC bugs in the Edge and some interesting bugs that we found by that tool.
We will also discuss about anotherimportant security mitigation that protects Edge: Control Flow Guard. We will introduce the tricks we used in Pwn2own 2016 to bypass CFG in Edge browser. Besides, how Microsoft fix those bypasses will be mentioned in this presentation.
Yuki Chen is a security research fellow at Qihoo360 and also a core member in 360Vulcan Team. Together with the 360Vulcan Team in Pwn2Own 2016 and 2015 competition, they have succeeded in breaking multiple targets, such as IE, Chrome and Flash and so on. Yuki has over 7 yearsexperiences in the field of information security, and is now leading a team to work on finding security vulnerabilities at Qihoo360. His specialty is onsecurity vulnerability digging and analysis, and developmental area employment. In addition, he hasfound more than 100 high-risk security vulnerabilities from mainstream browsers, Adobe Flash, PDF, Java and other applications. Meanwhile, his talks have been given in Syscan, Syscan360, 44Con, XCon, BlackHat EU, HITCON and other related security conferences.
MJ0011 is a security researcher and the general manager in the Department of Core Security at Qihoo360. He leads the vulnerability research team 360Vulcan which has achieved hundreds of CVEs from Microsoft/Apple/Adobe and won the targets of Pwn2Own2015/2016.
The Hype and Reality of AI in Vulnerability Discovery
The recent CTF competitions (Cyber Grand Challenge and DEFCON CTF) among machines and between humans and machines have brought a hype of applying artificial intelligence in cyber security. As a CGC finalist, the presenter has been asked numerous time about his team’s approach of applying artificial intelligence in analyzing binaries and vulnerability discovery. In this talk, he will reveal the related automation techniques used in binary analysis as a response to those questions. To his knowledge, most of CGC finalist adopted a similar approach with a combination of smart fuzzing and symbolic execution. The presenter will describe the challenged faced by different vulnerability discovery techniques, with emphases on coverage based fuzzing (AFL) and dynamic symbolic analysis (S2E). He will also cover his recent effort of using binary transformation techniques to improve fuzzing and binary analysis efficiency.
Kang is a professor of Computer Science at the University of Georgia, and the director of Cyber Immunity Lab.
Windows Server Container - The New Panacea?
In Windows Server 2016 we introduced Windows Server Containers – a modern way to deploy software. This allows customers to leverage the Windows platform in the cloud architecture model of microservices and continuous integration. Along with Windows Server Containers, we also introduced Hyper-V Containers, which has an enforced isolation boundary that’s built for hostile multi-tenant scenarios. The Windows Container platform also lays the foundation of many future features in Windows Client and Windows Server.
In this talk, we will discuss the architecture of Windows Containers and highlight the structural differences between Hyper-V containers and Windows Server Containers. This will include a comparison of the threat model between the two flavors as well as a deeper look at the changes made to Hyper-V. We will walk through the security review process done for these components, highlighting three case studies where security issues were found and fixed during development. We will dive into specific design impact coming from the security review, including changes in the Storage Subsystem for Hyper-V Containers. We will end the talk by presenting opportunities for external researchers to partner with Microsoft to secure Windows, Hyper-V, and the Windows Subsystem for Linux.
Saruhan Karademir works as a security engineer on the Security Assurance team of the Windows & Devices Group with a focus on Containers, Virtualization, and the Windows Subsystem for Linux. He works directly with development teams to ensure security is considered during the design process and works actively with internal and external teams to validate security promises before release. He likes long walks on the beach and Elevation of Privilege vulnerabilities.