OS X El Capitan - Sinking the S/h\IP
With the release of OS X El Capitan Apple has introduced a new protection to the OS X kernel called System Integrity Protection (SIP). The purpose of this new mitigation is to lock down the system from attackers who have already gained root access.
In the first part of this session we will elaborate on what exactly SIP tries to protect against and how its features are implemented and integrated into the kernel. In the second part of this presentation we will then dive into obvious shortcomings of this implementation and discuss design weaknesses and actual bugs that allow it to be bypassed. All weaknesses will be demoed to the audience.
Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded. In 2010 he did his own ASLR implementation for Apple’s iOS and shifted his focus to the security of the iOS kernel and iPhones in general. Since then he has spoken about the topic of iOS security at various information security conferences around the globe. In 2012 he co-authored the book iOS Hacker’s Handbook.
Virtualization System Vulnerability Discovery Technology
As a key foundation of cloud computing, virtualization technology plays a more and more significant role as cloud platforms develop widely and rapidly. However, in recent years virtualization systems have continued to produce high-risk vulnerabilities, which bring great challenges to cloud security.
This speech will comprehensively introduce the experience of the 360 virtualization security research team, its fuzzing framework for virtualization systems and the process of 0day vulnerability discovery. By using this fuzzing framework we found 12 0day vulnerabilities in QEMU and 2 0day vulnerabilities in VMware Workstation within 3 months. All of these vulnerabilities would allow an attacker to escape from a virtual machine and execute arbitrary code. The CVE IDs of the vulnerabilities I found using this fuzzing framework are as follows: CVE-2015-7504, CVE-2015-8345, CVE-2015-5279, CVE-2015-6855, CVE-2015-5225, CVE-2015-6815, CVE-2015-7549.
Tang Qinghao is the team leader of the virtualization security team at Qihoo 360 Technology Co. Ltd. He has rich experience in the cloud security area. Additionally, he has found a considerable number of vulnerabilities in virtualization software.
Towards a Secure and Measured Travel Laptop
Physical access to computer devices at borders and in hotel room safes has always been a thing for intelligence collectors. Once Full Disk Encryption took off, firmware and hardware implantation became the method of choice for gaining even more persistent access.
In previous work <http://t2.fi/schedule/2015/#speech2>, the author explained how to build a safe travel laptop from a firmware and software perspective at low cost using commodity hardware. He will briefly recap this work and show how to easily replicate it in less than a day using now-published resources.
As a novel addition to that, the author will now utilize the Trusted Platform Module (TPM) to measure each stage of the boot process and provide an on-screen secret to verify your system’s integrity locally, and to perform remote attestation to your OpenSSH server(s) to enable secure and authenticated download of additional data once in country (or access to your IRC shell).
When Georg is not busy being a full-spectrum cyber Manager of Information Dominance at CrowdStrike, he enjoys working on x86 and ARM machine-code-level reverse engineering and development. He has co-authored the Android Hacker’s Handbook and given multiple talks at international computer security conferences. Sadly, Georg holds none of the common information security certifications.
Xenpwn: Breaking Paravirtualized Devices
Instead of simply emulating old and slow hardware, modern hypervisors use paravirtualized devices to provide guests access to virtual hardware. Bugs in the privileged backend components can allow an attacker to break out of a guest, making them quite an interesting target.
In this talk Felix will present the results of his research on the security of these backend components and discuss Xenpwn, a hypervisor-based memory access tracing tool used to discover multiple critical vulnerabilities in paravirtualized drivers of the Xen hypervisor.
If you like virtualization security, race conditions, vulnerabilities introduced by compiler optimizations or are a big fan of Bochspwn, this is the right talk for you.
Felix is a security researcher working for ERNW Research. His main interests are application security, reverse engineering and virtualization security. Felix has disclosed critical vulnerabilities in popular products such as Xen, Hyper-V, IBM GPFS or FireEye’s MPS and has presented his work at international conferences like PHDays, Hack in the Box, 44Con, Infiltrate and Troopers.
Practical SMEP Bypass Techniques
The Linux kernel has always been an appealing target for exploit developers due to the exploitation complexity associated with user space processes (ASLR, NX, Canaries, Fortify, RELRO, etc.). Common ret2usr (return-to-user) attacks typically redirect kernel control flow to data residing in user space: a corrupted function or data structure pointer that triggers a privilege escalation payload in user space. These attacks were successful until around 2013 before the introduction of 3rd generation Intel Core processors (Ivy Bridge) with SMEP support. SMEP (Supervisor Mode Execution Protection) is a hardware feature that prevents attempts to execute code (at CPL = 0) residing in user space pages. This kernel-hardening approach is now widely adopted and effectively mitigates common exploitation patterns of kernel vulnerabilities.
This presentation introduces practical Linux SMEP bypasses involving in-kernel ROP and spraying techniques. We will demonstrate how to convert existing exploit code into a fully weaponised SMEP-aware exploit. This talk will concentrate on a specific kernel vulnerability and OS version to demonstrate the bypass, but the exploitation techniques presented are generic and can be applied to other operating systems that employ explicit sharing of the virtual address space between user processes and the kernel.
Vitaly is a security researcher specialising in malware analysis and exploit development. He has a solid academic background in programming languages, algorithms and cryptography. He is currently focused on Linux kernel exploitation techniques (SMEP/SMAP, ASLR bypasses) and the associated countermeasures.
Memory Corruption is for Wussies!
This is a presentation about a very interesting non-memory-corruption bug that exists in every OS X version, El Capitan included. It allows leveraging any binary for privilege escalation and stealing its entitlements. This means that it can be abused to bypass El Capitan’s System Integrity Protection (SIP) purely from userland, and abused for persistence, for example.
The goal of this presentation is to take the attendees on a ride into OS X kernel internals and a bit about SIP implementation, and of course dive into the details of this bug and how to exploit it. This time the goal is to be able to do it in less than one hundred slides, not an easy challenge!
A leading expert in the field of wearing different colored hats, still working for a next generation AV company and trolling people on Twitter. Some people think I know a thing or two about OS X.
Windows systems & code signing protection
This presentation explains the code signing mechanism (Authenticode) developed by Microsoft for Windows systems. The presentation will first explain the kernel implications and the impact on driver development. This protection initially annoyed rootkit developers, but they found several ways to bypass it. Well-known rootkits such as Derusbi, Uroburos or GrayFish use tricks to bypass driver signature enforcement. These techniques will be described during the presentation. Finally, user land will be discussed, with the new library injection protection based on code signing implemented in Windows 10 TH2, especially for the Edge process.
Paul Rascagnères is a malware analyst and researcher for Sekoia’s CERT. He is specialized in Advanced Persistent Threats (APT) and incident response. He has worked on several complex cases such as government-linked malware or rootkit analysis. He speaks at security events worldwide.
Remote code execution via Java native deserialization
Java’s native serialization mechanism does not expose the same obvious RCE vectors as Python Pickle or XStream, and as such it is widely adopted in both commercial and open source applications. It does, however, expose RCE if certain conditions exist in classes on the server’s classpath. This presentation will explain these conditions in detail, examine several instances of vulnerable classes in major Apache components, demonstrate exploitation, and provide best practices to avoid vulnerability.
David has been involved in the security industry for the last 15 years. During this time he has found high-impact and novel flaws in dozens of major Java components. He has worked for Red Hat’s security team, led a Chinese startup that failed miserably, wrote the core aviation meteorology system for the southern hemisphere, and has been quoted in a major newspaper as saying North Korea’s nuclear program is “ready to rock”. He is currently focusing on SDN security, and leads the OpenDaylight and ONOS security teams.
Browsers Bug Hunting and Mobile device exploitation
Can I win Pwn2Own? Bug hunting experiences (own fuzzer vs. ClusterFuzz, code audit, debugging, testing on real devices).
Mobile Security Engineer at NowSecure, Fedora Security Team member (previously Red Hat Product Security).
Pwning Adobe Reader - Abusing the reader’s embedded XFA engine for reliable Exploitation
The talk will cover topics such as:
Sebastian is co-founder of siberas, an IT security consulting company in Germany. Besides finding bugs in customer networks and applications he enjoys low-level research like bug hunting and exploitation. During his career he has uncovered and helped to fix dozens of critical flaws in software from Microsoft, Apple, Adobe, etc. He won Pwn2Own (IE 11 64-bit) and was awarded a Pwnie Award for “Best Privilege Escalation Bug” in 2014.
Key-value injections here!
This paper is a continuation of the memcached injections research presented at BlackHat USA 2014.
The paper presents two main areas of research: input validation vulnerabilities in different key-value clients for popular platforms (C, Java, Lua, Node.js, PHP, Perl, Python and Ruby) and vulnerabilities inside the engines themselves. Special attention is paid to the sandboxes inside the services.
As a result, the author found a way to do something like “SQL injection attacks”, but for key-value storages. In practice such an attack leads to effects ranging from authentication bypass to execution of arbitrary interpreter code. It is a real-world problem found during security audits and present in various popular web applications.
Ivan Novikov is the Lead Security Expert and CEO of the Wallarm Company.
He is the author of numerous research papers in the field of web application security and has been engaged in web application security research since 2004. He has rewards from various bug-hunting programs, such as Google, Facebook, Nokia, and Yandex. He is also actively engaged in the development of a self-learning web application firewall system.
LoRa the Explorer - Attacking and Defending LoRa systems
LoRa is a Low Power Wide Area Network (LPWAN) solution designed to enable smart city and IoT devices to communicate securely across cities. It is being rolled out in major cities across the world and is being used for everything from Industrial Control Systems through to domestic alarm systems.
But how secure is it? And if we are planning to use it, how can we prove that our system is safe from attack?
This talk aims to dive into the security of LoRa and the LoRaWAN protocol, to demonstrate its limitations, and to show how developers can build secure LoRa solutions. The talk will include a demonstration of a methodology for finding and exploiting vulnerabilities in solutions, and the release of the LoRa the Explorer testing tool.
Robert Miller has worked as a security consultant and researcher for MWR since 2011. In this time he has worked on projects ranging from development of proof-of-concept Android malware (winning at Mobile Pwn2Own 2014), through to development of secure testing methodologies for industrial systems. He has presented security research to audiences at security conferences such as T2 and London B-Sides.
Robert runs MWR's Smart Energy practice which works with clients to develop secure industrial and IoT solutions, and researches the latest attacks against such systems.
Attack and defense toolkits in High/Low frequency
RFID and contactless smart cards have become pervasive technologies nowadays. IC/RFID cards are generally used in security systems, such as airports and military bases, that require access control. This presentation first introduces the details of contactless card security risks, then explains the principles of the low-frequency (125 kHz) attack tool HackID Pro. This tool consists of an Android app and a hardware device that can be controlled from your phone. HackID Pro can emulate or clone any low-frequency IC card to help you break into a security system, just by typing on your phone. After 125 kHz, this presentation will show you how to steal personal information from the EMV bank cards, whose carrier frequency is high frequency (13.56 MHz), of the people sitting around you. In the end, our defense tool, Card Defender, will be dissected to explain how this product can protect your card and its information at both high and low frequencies, along with a few tricks this defense tool can perform.
Shan Haoqi is currently a wireless/hardware security researcher in Unicorn Team. He focuses on Wi-Fi penetration, GSM systems, router/switch hacking, etc. Other research interests include mobile phone application security and reverse engineering of embedded devices such as femtocell base stations and video cameras. He gave a presentation at DEF CON 23 titled “Build a free cellular traffic capture tool with a vxworks based femoto”.