NVMe: New Vulnerabilities Made easy
Tal Lossos
NVMe technology is part of every Cloud Service Provider, and nowadays, Cloud Services are perhaps the most important cornerstone of modern computing. For this technology to work effectively, there's a need for a reliable communication standard between the different services and their storage, and that's exactly where NVMe comes into play.
In this session, we'll see how I discovered a pre-auth remote vulnerability in the NVMe implementation of the Linux kernel in a matter of minutes and how you can do it as well.
The ease with which such a vulnerability can be detected and exploited, combined with the fact that it's done in the pre-auth stage and requires no more than a slight misconfiguration, makes this kind of attack vector very dangerous.
Tal Lossos is a Security Researcher at CyberArk Labs with years of experience in kernel module development with a deep interest in OS internals and currently focuses on bug hunting in the Linux kernel. In his recent works, Tal discovered multiple vulnerabilities in drivers causing elevation of privilege.
Cracking the final frontier: Reverse engineering and exploiting low-earth orbit satellites
Johannes Willbold
This talk presents a comprehensive security analysis of low-earth satellites, which have gained immense popularity in the "New Space" era. Despite their growing numbers, the security of these satellites remains uncertain. After introducing the essential architectural components of satellites, we dive into the approach to reverse engineer satellites and exploit their vulnerabilities. Using emulation, we showcase live on stage the exploitation process and how to seize full control of the satellite.
Johannes Willbold is a doctoral student at the chair for systems security at the Ruhr University Bochum in Germany. In his doctoral thesis, he focuses on the security of space and satellite systems, with a special emphasis on understanding real-world security issues by studying otherwise hard-to-access space software. His first paper on the security of onboard satellite software, "Space Odyssey: An Experimental Software Security Analysis of Satellites", was recently accepted to the IEEE S&P 2023 conference. In 2022, Johannes visited the Cyber-Defence Campus in Switzerland for an extended research stay on satellite security, where he investigated the security of VSAT systems.
He is co-founder and co-chair of SpaceSec, the first academic workshop on space and satellite systems security, which is co-located with the top-tier security conference NDSS. He also participated in the Hack-A-Sat 2 finals, spoke at the CySat 2022 on the academic state of satellite security, and was recently invited to ESA for a talk on onboard satellite firmware security.
Unchained Skies: A Deep Dive into Reverse Engineering and Exploitation of Drones
Moritz Schloegel, Nico Schiller
Our talk dives into the security of consumer drones from market leader DJI and exposes how to analyze, reverse engineer, and exploit such cyber-physical systems. In this process, we uncover various vulnerabilities in DJI drones, show how to bypass vendor signatures, become root, or even crash the drone mid-flight.
Moritz Schloegel is a binary security researcher at the CISPA Helmholtz Center for Information Security. He is currently in the last year of his PhD and focuses on automated finding, understanding, and exploitation of bugs. Furthermore, he possesses a deep passion for exploring the complexities of (de-)obfuscation, emphasizing automated deobfuscation attacks and their countermeasures.
Nico Schiller is a PhD student and security researcher at CISPA Helmholtz Center for Information Security, specializing in analysis, reverse engineering, and exploitation of consumer drones. He has a keen interest in fuzzing and wireless physical layer analysis, and his research aims to identify and address vulnerabilities in drone technology to improve overall security.
A Backdoor Lockpick
Olivia Lucca Fraser
The recently bankrupt Chinese tech giant Phicomm installed a cryptographically locked backdoor on each and every one of the routers they released over the past several years. In this talk, I will show how I reverse engineered the backdoor protocol and discovered a series of zero day vulnerabilities in that protocol's implementation. I will also demonstrate a tool I developed to exploit these vulnerabilities and gain a backdoor on any Phicomm router released since 2017, including models released on the international market, and which can still be found for sale on Amazon. Since Phicomm is no longer in business, it's safe to assume that there will never be an official patch for these routers, which means that the surest path for securing these devices passes through this very backdoor.
Olivia Lucca Fraser is a Staff Research Engineer on Tenable's Zero Day team, and holds a Masters in Computer Science from Dalhousie University. Her thesis developed a method of applying genetic programming to the evolution of ROP chain payloads, breeding them to perform subtle tasks like data classification. She has been an active participant in DARPA's AIMEE and ReMath initiatives, and a PI on the latter.
Ice Ice Baby: Coppin' RAM With DIY Cryo-Mechanical Robot
Ang Cui, Grant Skipper, Yuanzhe Wu
We present the design and construction of a robot that reliably extracts contents of RAM of modern embedded devices at runtime. We discuss the practical engineering challenges and solutions of adapting the traditional cold-boot attack to non-removable DDR chips commonly found on modern embedded devices. Lastly, we present a practical guide to building your own cryo-mem rig from COTS parts for less than a thousand bucks.
Have you noticed that embedded hardware is getting harder to reverse? BGA chips, massively integrated packages, vertical stackups, encrypted firmware at rest, and a pinch of "no jtag or uart" has become standard fare. While these artifacts do not correlate to material improvements in device security, you can't prove it because you can't dump the firmware or debug the hardware. Skip the noise and change up the game. Sometimes it's easier just to grab unencrypted firmware from live RAM. All you have to do is keep the chips at -50C on a running system, pull all the chips off on the same CPU instruction, slap them on an FPGA that sort of respects the DDR state machine, without punching a hole in your device, causing shorts due to condensation, or freezing your eyebrows off. We'll show you how to build a robot to do this in an afternoon for about a thousand dollars.
Ang Cui is an American cybersecurity researcher and entrepreneur. He is the founder and CEO of Red Balloon Security in New York City, a cybersecurity firm that develops new technologies to defend embedded systems against exploitation.
Yuanzhe Wu (Hans) has received a Master of Science in Mechanical Engineering degree with specialization in robotics and control from Columbia University in 2019. He has 5 years of experience in embedded device security analysis and is RBS's leading hardware and firmware reverse engineering expert. Mr. Wu was the engineering lead for the cold-boot robot work as well as in recent work examining root-of-trust for Siemens PLC secure boot implementations.
Handoff All Your Privacy (Again)
Christine Fossaceca
What information is your iPhone, iPad or MacBook giving away about you? iOS, iPadOS and macOS use a variety of proprietary protocols under the "Continuity" umbrella to share information across a user's devices and provide us with a "seamless experience". However, much of this information is passed in the clear and can be sniffed, captured, or mimicked by other nearby devices. This talk will cover privacy considerations and demonstrate the private information being passed in the clear via Apple's proprietary Bluetooth Continuity protocol, including one called "Handoff".
First, the talk will highlight the Bluetooth research performed by the FuriousMAC research team to reverse engineer the Continuity protocol (without any documentation from Apple). Then, it will demonstrate how others can build upon this research using the tools provided by FuriousMAC and others in the Apple researcher community! Next, the talk will give a breakdown of the cryptographic protocols employed in AirTags via the Continuity Protocol and explain "Offline Finding". Finally, this talk will also share its observations of the changes in the Continuity protocol that have occurred over the years since the AirTag's official release in 2021.
Christine Fossaceca is a senior mobile security researcher and reverse engineer at Microsoft, focusing on the Defender platform within Microsoft Threat Intelligence. She spends most of her time on Android and iOS mobile device reverse engineering and forensics. Christine is an IDA Pro aficionado, but is learning to like Ghidra, too. She also enjoys using Frida to aid her in dynamic analysis, and tries not to let her dog distract her too much!
Hello 1994: Abusing Windows Explorer via Component Object Model in 2023
Michael Harbison
PlugX, a fully-featured remote access tool with a Chinese nexus, has been active in the wild for over a decade. However, a new variant was recently discovered to be using older, lesser-known Windows APIs via Component Object Model (COM) for staging and concealment - never-before-seen techniques. Leveraging an undesirable behavior in Windows Explorer, the malware uses COM to create folders that the Operating System cannot render or natively access, evading security scans that rely on the underlying Windows APIs. Additionally, this sucker is wormable, spreading across networks via USB air-gap jumping.
Despite rapidly changing and improving security practices, old technology is still an effective means for malicious cyber activity. This presentation will describe how the threat actors used COM to instantiate Windows APIs and abuse Windows Explorer to remain undetected on their victim's machines. It will explain how and why COM is so often overlooked by security researchers and suggest further areas of research on the topic.
Mr. Harbison has been a part of the security community for over 20 years. He has experience in both the public and private sectors, working in cyber threat intelligence and serving as a subject matter expert to multiple US federal agencies. He holds several technical certifications, is a certified forensic examiner, and has a Bachelor of Science degree in Computer Forensics.
Since age twelve, Mr. Harbison has been studying code and continues that today as a Distinguished Engineer for Palo Alto Networks' Unit 42. He strives to understand his work at the deepest level, and has a strong desire to bring awareness to the growing threats in cyberspace and to educate the public on ways to improve security practices.
Press Play to Restart: Under the Hood of the Windows Restart Manager
Mathilde Venault
From the early days of operating systems, malware authors have attempted to hijack legitimate OS components for malicious purposes, which makes it essential to identify and understand the potential threats they represent. Today, let's explore one uncommonly hijacked Windows component: the Restart Manager.
Introduced in Windows Vista, the Restart Manager aims to help reduce the number of reboots required during software updates. During updates, files that need to get updated can be locked by various applications, preventing the process responsible for the update from modifying them. The Restart Manager enables processes to request the lock release of the resource that they need to access, killing processes that are using it if the required conditions are met. However, this mechanism can be hijacked by third parties to serve malicious purposes.
This talk will first introduce the Restart Manager, diving into its architecture and mechanisms to provide a better understanding of how the component works. We'll observe a legitimate use case of the Restart Manager by an installer, and will detail what happens under the hood. Next, we'll look at real world examples to see how the Restart Manager can also be used for several malicious purposes, and will explain the rationale of each technique. Then, we'll play around with the different functionalities of the Restart Manager through a live demo, and will explore one funny use case. Finally, we will conclude this presentation by presenting some of the methods that processes can use to defend themselves against this type of threat.
Mathilde Venault is a security researcher at CrowdStrike, specializing in the Windows operating system. Her work focuses on malware analysis and EDR detection capability improvements, and she also likes spending her spare time reverse engineering undocumented Windows mechanisms. Mathilde has spoken at multiple conferences such as Black Hat USA and c0c0n, and has published articles sharing her findings. As a typical French person, she's always up for sharing a meal with some bread and cheese.
Unveiling Secrets in Binaries using Code Detection Strategies
Tim Blazytko
Our talk addresses the challenges faced by reverse engineers in navigating and exploring large, unknown binaries. We introduce a range of efficient, architecture-agnostic heuristics to quickly detect intriguing code locations in real-world applications. This ranges from the detection of cryptographic algorithms and complex state machines in firmware to string decryption routines in malware. Then, we use these techniques to identify API functions in statically-linked executables and pinpoint obfuscated code in commercial applications. Attendees will gain valuable insights and tools to enhance their reverse engineering workflows and discover new code detection strategies applicable to a wide array of scenarios.
Tim Blazytko is a well-known binary security researcher and co-founder of emproof. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.