Keynote - From Student of Compilation to Mother of Decompilation
Cristina Cifuentes
Having worked on a machine code interpreter for the Modula-2 language for my Compilers project in 1990 and later integrating it into a mixed GPM Modula-2 compiler/interpreter for the 8086 during the summer of 1990-91 meant that I was familiar with assembly language and had a notion of transforming an intermediate representation into executable assembly code. Enjoying compilers and hearing about the latest viruses that were becoming popular in DOS binaries raised my interest in looking into binaries/executable programs to determine how to reverse compile them back into a high-level language representation, to be able to aid with an automated tool in understanding what the virus code was doing. And hence I enrolled in a PhD in April 1991.
Thirty years ago, in July 1994, I submitted my PhD thesis on "Reverse Compilation Techniques". Little did I know that such a fun project, looking into 80286 DOS binaries and reading assembly, drawing graphs of groups of assembly instructions, understanding how parameters were passed in assembly language, determining what optimising compilers would do to optimised parameters and code, following variables through a function and the whole program to understand data flows and how variables were stored on the stack or in memory, would result in techniques that would be picked up in the 2000s with the growing interest in application security.
In this keynote I give a retrospective on the decompilation PhD work, the growing interest in this technology throughout the past three decades, examples of commercial uses of decompilation, and conclude with an application of decompilation to develop a malware analysis tool.
Tales From The Crypt: Bug Hunting in the Windows CryptoAPI
Erik Egsgard
The Microsoft CryptoAPI provides functionality to perform digital certificate authentication, management and storage, encryption and decryption of data, and encoding and decoding of structured data. These are critical pieces of secure communications and present a rich attack surface, much of which is accessible via network protocols. This presentation will look at a vulnerability research effort into this area of the Windows operating system.
Erik is a Principal Security Developer with Field Effect. With almost 20 years' experience in the computer security field, he has found vulnerabilities across a wide range of software and operating systems including Windows, macOS, iOS and Android.
Unleashing AI: The Future of Reverse Engineering with Large Language Models
Tim Blazytko, Moritz Schloegel
In our talk, we take a closer look at Large Language Models (LLMs) in reverse engineering, highlighting both their current uses and future potential. We address the opportunities and challenges presented by LLMs, from enhancing code analysis to navigating issues of inaccuracies and privacy. To address these challenges, we introduce ReverserAI as a platform designed to explore and expand the capabilities of LLMs within this field. We further illustrate how local, privacy-focused LLM setups can overcome existing privacy limitations. Lastly, we explore and showcase ways to significantly improve current LLM outputs by combining them with traditional static analysis techniques, for example in the context of malware analysis. Our discussion also covers the anticipated evolution of LLM technology, underscoring its promise to advance the field.
Tim Blazytko is a well-known binary security researcher and co-founder of emproof. After working on novel methods for code deobfuscation, fuzzing and root cause analysis during his PhD, Tim now builds code obfuscation schemes tailored to embedded devices. Moreover, he gives trainings on reverse engineering & code deobfuscation, analyzes malware and performs security audits.
Moritz Schloegel is a binary security researcher at the CISPA Helmholtz Center for Information Security. He is currently in the last year of his PhD and focuses on automated finding, understanding, and exploitation of bugs. Furthermore, he possesses a deep passion for exploring the complexities of (de-)obfuscation, emphasizing automated deobfuscation attacks and their countermeasures.
Peeling Back the Windows Registry Layers: A Bug Hunter's Expedition
Mateusz Jurczyk
Have you ever wondered what lies beneath the graphical interface of the Windows Registry Editor? Despite regedit's unchanged appearance for over 20 years, the underlying kernel registry implementation is far more complex than it seems. From roughly 10,000 lines of decompiled code in Windows NT 3.1 to ten times as many in Windows 11, the registry codebase has seen massive growth throughout its existence. In large part, this is due to introducing new features like transactions, app keys and differencing hives, which may not be obvious to the casual user, but their added complexity certainly affects system security and opens the door to potential local privilege escalation exploits.
Recognizing this vast attack surface, I spent many months in 2022 and 2023 immersed in a thorough audit of the Windows Configuration Manager (the registry's kernel subsystem). This research uncovered over 50 vulnerabilities, ranging from simple coding errors to intricate design flaws that prompted significant code refactors by Microsoft. In this talk, I'll share my registry bug taxonomy, classifying vulnerabilities based on the level of understanding needed to uncover them – from easily "greppable" bugs to deeply hidden logic flaws. Each category will be accompanied by a detailed case study of a recently discovered registry bug. Expect a lot of Windows internals, technical analysis, and some exciting exploit demos.
Mateusz works as a security researcher in the Google Project Zero team. His main areas of interest are client software security, vulnerability exploitation and mitigation techniques, and delving deep into operating system internals with a special emphasis on Microsoft Windows. He has spoken at numerous security conferences including Black Hat, REcon, Infiltrate, PacSec and 44CON.
Hypervisor-enforced Paging Translation - The End of Non-Data-Driven Kernel Exploits?
Andrea Allievi, Satoshi Tanda
Would you like to know about the state of kernel exploit mitigations in Windows? Are you curious about HVPT, Hypervisor-enforced Paging Translation, the new technology designed to stop the exploitation of one of the last weak points in the Windows kernel?
Andrea Allievi is a system-level developer and security research engineer with more than 18 years of experience. He graduated from the University of Milano-Bicocca in 2010 with a bachelor's degree in computer science. For his thesis, he developed a Master Boot Record (MBR) bootkit entirely in 64-bit code, capable of defeating all the Windows 7 kernel protections (PatchGuard and Driver Signing Enforcement). Andrea is also a reverse engineer who specializes in operating system internals, from kernel-level code all the way to user-mode code. He was the original designer of the first UEFI bootkit (developed for research purposes and published in 2012), multiple PatchGuard bypasses, and many other research papers and articles. He is the author of multiple system tools and software used for removing malware and advanced persistent threats. In his career, he has worked at various computer security companies: the Italian TgSoft, Saferbytes (now Malwarebytes), and the Talos group of Cisco Systems Inc. He originally joined Microsoft in 2016 as a Security Research Engineer in the Microsoft Threat Intelligence Center (MSTIC) group. Since January 2018, Andrea has been a Principal Core OS engineer in the Kernel Security Core team of Microsoft, where he mainly maintains and develops new features (like Retpoline, Speculation Mitigations, Function Overrides, ARM64 Import Optimization, Trusted Apps and many more) for the NT and Secure Kernel. He is one of the main authors of the Windows Internals book.
Satoshi is a security researcher, software engineer, and trainer with over 15 years of experience. He works as a platform engineer for virtualization and security at Sony Interactive Entertainment and previously worked at security software vendors as a developer, researcher, and reverse engineer. In his spare time, he enjoys studying system software security and has discovered vulnerabilities in hypervisors, drivers, and UEFI firmware.
Breaking Z-Waves: How we use Symbolic Execution to find Critical RF Vulnerabilities
Oliver Lavery
New IoT Radio Frequency protocols like ZigBee, Z-Wave, OpenThread, and Amazon Sidewalk are becoming ubiquitous. While these protocols make our lives easier in many ways, they also represent an interesting cyber-security challenge: as an industry we're adding all kinds of complex and novel RF attack surface to IoT devices within our homes and neighborhoods.
In this talk we'll explore how we're securing that new attack surface at Amazon Element55. We'll bring you along on our journey from initial experiments with bug hunting in the Amazon Sidewalk protocol stack using symbolic execution tools like CBMC and KLEE, explore some of the challenges we faced along the way with symbolic tools, and finally walk you through the discovery of a group of new critical vulnerabilities in the implementation of the SiLabs Z-Wave protocol.
Oliver Lavery's interest in security was born in the Montreal BBS scene, and came of age when he discovered anyone could dial into DATAPAC...
Today he's a Sr. Security Engineer at Element55, Amazon Devices and Services' vulnerability research team. He has a few decades of experience in defensive and offensive software security, reverse engineering, and vulnerability research for clients in hi-tech, finance, and critical infrastructure.
WatchWitch - The Apple Watch Protocol Stack from Scratch
Nils Rollshausen
We take a deep dive into the wireless protocols that power the Apple Watch and its deep integration into the Apple ecosystem, reversing and re-implementing them as we go - starting from foundational transport protocols all the way up to synchronization of sensitive sensor data. Along the way, we will encounter many a proprietary protocol, flawed implementations of standards, and homebrew cryptography endangering Apple's famously strong security.
Somehow - and without ever having owned more than an iPod - Nils fell down the Apple rabbit hole and now spends their days reverse-engineering Apple's devices and uncovering the bits of magic hiding inside the machines that surround us every day. After a long day of breaking things with Frida in new and interesting ways, they also enjoy building new stuff once in a while. Currently, they are pursuing a PhD in computer science at the Secure Mobile Networking Lab (SEEMOO) of TU Darmstadt.
A Tale of Reverse Engineering 1001 GPTs: The Good, the Bad, and the Ugly
Elias Bachaalany
In this talk we go deep down into the world of OpenAI's GPTs: how they are made, what they contain, how to reverse engineer them back to their source code and exfiltrate all their "secrets" and accompanying files. This talk will take you on a fun journey into the mind of GPT writers and explore all the curious, smart and silly things they have been coding into their GPTs.
Elias is a programmer at heart and a passionate reverse engineer with a focus on the Windows OS and the x86 architecture. Elias loves writing and teaching, is a big fan of IDA Pro, and loves sharing his knowledge about that product (he runs the AllThingsIDA YouTube channel).
Open Sesame: Stack Smashing Your Way into Opening Doors
Lucas GEORGES
Physical security is the forgotten sibling of information security. This part is often offloaded to traditional security teams, and especially to people that don't "get" what hacking is about.
However, Physical Access Control Systems (PACS) bridge the wall between physical security and information security. These systems are more and more ubiquitous and, more importantly, they are becoming "smart" (aka always connected). Therefore they are becoming hackable.
This talk will feature a complete security audit of Idemia's Sigma Lite, a high-end PACS device that can be found in ministries, embassies or Fortune 500 companies and which controls user access, biometric identification and time attendance. It will cover attacks on the hardware, the upgrade system and the contactless protocol.
Sharing the same curse as Ian Beer, people think that Lucas GEORGES is not a real person, or more precisely that a real person is behind this pseudonym. Honestly, what kind of parents would name their children after a world-famous director?
Well, my parents did that. In their defense, I don't think they have seen any movie directed by my illustrious homonym.
Apart from that, Lucas GEORGES is a veteran reverse engineer with 10 years of work under his belt. He used to be particularly competent in Windows security, but as the world is trying to step away from Microsoft's prying hands, Lucas tries to do it too.