|Keynote: Is infosec a game?
Speaker: Alexander ‘Solar Designer’ Peslyak
Yesterday infosec was such an easy game to play. Now we need a place to hide away?
Speaker: Patroklos Argyroudis (argp)
Heap-related bugs (such as buffer overflows, use-after-frees, dangling/stale pointers, and double frees) that corrupt virtual memory and create exploitable conditions constitute the most common type of memory corruption bug. The exploitation of heap vulnerabilities is a process that requires a lot of time and effort. It requires a meticulous understanding of the underlying heap allocator: its data structures (metadata) and its allocation/deallocation algorithms. It requires understanding how the target application uses the API provided by the heap allocator to manage dynamic memory and the allocation patterns that emerge from this use. It also requires understanding the application-specific data and how/where it is placed on the heap. Finally, it requires studying the ways a user can influence the application and use its provided functionality to control its heap as reliably as possible, with the goal of creating conditions that aid exploitation. All of this must be viewed in the context of complicated bugs, since low-hanging fruit is scarce, and of the vendors' adoption of increasingly sophisticated exploitation mitigation technologies. We argue that although the details of the different heap allocators, target applications and bugs at hand obviously vary, the heap exploitation methodologies that have been formed by practical experience can be abstracted into reusable primitives that can be applied to new targets. Project Heapbleed is our attempt to define, clearly articulate, categorize and, where applicable, implement these primitives, aiming to provide a practical, reusable heap exploitation toolset.
Speaker: Dmitry Nedospasov
Everyone has heard about software vulnerabilities, but only a few are familiar with chip vulnerabilities. However, they also exist and are widely used in certain fields. Among special examples of such vulnerabilities are conditional access systems for satellite TV and printer cartridges. There are also counterfeit chips and chips with backdoors, which are a serious problem, especially in military defense. This is what my talk is about. I plan on telling you about the history of chip information security, about how to reverse engineer chips, how to find vulnerabilities in them, and how to exploit the discovered bugs.
|Crypto coding v2
Speaker: Jean-Philippe Aumasson
2014 has seen epic failures of crypto implementations and new projects created in reaction to those failures, which sometimes lead to even more failures: I'll talk about Heartbleed, OpenSSL, LibreSSL, TrueCrypt, and others, and will present simple guidelines to reduce the risk of crypto bugs, based on the Crypto Coding Standard recommendations.
|Hardware assisted virtualization in AV software
Speaker: Peter Kamensky
AV software strives to become more and more advanced and secure. So, unsurprisingly, the vendors have turned their attention to virtualization and started using it for their security goals. But is it always for the good?
In this research, we will review the internal structure of antiviruses based on hardware-assisted (VT-x, AMD-V) virtualization and, of course, we will focus on the attack scenarios, architectural vulnerabilities, their causes and their effects.
|Hunting for top bounties
Speaker: Nicolas Gregoire
After one of these stupid bets, I had to look at bug bounty programs. I first tried to apply a typical OWASP Top 10 methodology during the Deutsche Telekom program. Not very efficient... So I decided to participate in other programs with a focus on two narrow fields, XML and SSRF. As expected, few people had looked at this area. As a result, I totally pwned Prezi and Yahoo.
For both of them, I was quickly able to read non-privileged files like /etc/passwd. I later accessed the private key of Prezi's cloud deployment system (using an EC2/OpenStack trick) and got root privileges on every outbound Yahoo proxy (with a vulnerability previously closed as WONTFIX).
Big compromises implying big rewards, I earned the top rewards from both programs. Around $25k in a few days, for pwning production networks: that's a hobby that most sane people should enjoy!
|Fuzzer of the state - evolutionary black-box fuzzing
Speaker: Fabien Duchene
Fuzzing is the automatic creation and evaluation of inputs for discovering vulnerabilities. Traditional undirected black-box fuzzing relies on predefined strategies for producing inputs and thus may not be efficient at finding a broad range of local optima. In this work, we address the problem of black-box fuzzing of interpreters by adapting Artificial Intelligence (AI) techniques: inference, evolutionary algorithms and anti-random testing. Our work is one of the first applications of a genetic algorithm to black-box fuzzing when searching for vulnerabilities. Such algorithms are generally used in academia for search problems, often related to biology. Here we apply them to vulnerability search in a black-box setting. We designed heuristics for fuzzing PDF interpreters in search of memory corruption vulnerabilities and for fuzzing websites in search of cross-site scripting. Our evolutionary fuzzers ShiftMonkey and KameleonFuzz outperform traditional black-box fuzzers both in vulnerability detection capability and in efficiency. We report on new results with those fuzzers, including new vulnerabilities that affect millions of users.
|Racing with Droids
Speaker: Peter Hlavaty
In the past few years, the bar for exploitation has been raised considerably, and in the current state of software security it is harder and harder to exploit the newest operating systems successfully.
But while some systems continue to evolve and introduce new mitigations, others simply freeze a few years behind. In our talk we will focus on rooting Android through two race condition vulnerabilities. We will show the differences in the level of exploitation effort needed, and how some mobile vendors are disabling the security features the platform offers.
|EMET 5.0 – armor or curtain?
Speaker: Rene Freingruber
EMET (Enhanced Mitigation Experience Toolkit) is an application which can be used to further harden a Windows system by adding additional security protections to running processes. These protections include several ROP (Return-Oriented Programming) checks, shellcode detection mechanisms, heap-spray mitigations and many more.
The talk covers techniques to bypass EMET 5.0 (the current version) and shows the audience how hard/easy it is for an attacker to accomplish this.
|Steroids for your App Security assessments
Speaker: Marco Grassi
In this talk we will put our skills in app security assessment on steroids. We will develop and deploy custom runtime modifications for Android and iOS, both at the application level and at the OS level, in order to bypass protections, perform advanced analysis and bend the application's behaviour to our analysis purposes, with real-world examples from our experience.
|De-anonymization and total espionage
Speaker: Dmitry Boomov
This talk is dedicated to de-anonymizing active Internet users. We will give a hands-on demonstration of various Internet resources tracking and/or storing user data, and explain how this data can be used to find out the identity on the other side of the screen for your own (either good or evil) purposes.
|Deobfuscation and beyond
Speakers: Dmitry Schelkunov, Vasily Bukasov
We'll speak about the obfuscation techniques which commercial (and not only commercial) obfuscators use and how symbolic equation systems could help deobfuscate such transformations. We'll formulate the requirements for these systems. We'll briefly skim over the design of our mini symbolic equation system (the Eq project) and show the results of deobfuscation (and not only deobfuscation) with Eq.
|Your Q is my Q
Speaker: Georgi Geshev
Message Queueing concepts are well established in enterprise environments, which are already known to be fairly insecure. Now that the Internet of Things is gaining momentum, MQ is also the lightweight mechanism of choice for communicating with your fridge and toaster. We discovered a series of vulnerabilities in several widely adopted MQ implementations that would allow an adversary to cause mass disruption in your corporate network, or maybe pull the shadow file off your neighbours' microwave. General MQ concepts will be briefly introduced to the audience, followed by a short attack surface walk-through and a quick review of the common vulnerabilities and typical misconfigurations, and of ways to identify and leverage them for fun or profit.
|4x4G: from SIM to GGSN
Speakers: Kirill Nesterov, Alexey Osipov, Timur Yunusov
Spring came to a certain country and brought the urge to compile in nature’s lap rather than in an airless office. Along with snowdrops, the billboards of telecom providers emerged from the ground to offer the best, fastest, and cheapest everything. Before embracing a new gadget and drowning in the Internet, we decided to check how the promises corresponded to reality. Our reality.
We developed a set of tests and researched to what extent the access level of 4G telecommunication networks was directed at protecting customers. We checked: SIM cards, 4G USB modems, radio parts, and the IP access network. We were mainly interested in vulnerabilities that could be exploited remotely through the IP or radio network.
The results were not slow to arrive. In several situations, we were able to attack SIM cards, “update” USB modem firmware remotely, change the self-service portal password via SMS, and even get through to the operator’s internal technological network.
Attack development helped us understand how a simple SMS may allow compromising a USB modem and all communications passing through it and, on top of that, installing a bootkit on the PC which the modem is connected to.
|Unexpected expected exception: think different about web-related vulnerabilities
Speaker: Ivan Novikov
This talk reviews the logic and design vulnerabilities of web applications which exist because of incorrect exception handling in code and the non-atomicity of operations. Conceptually, the attacks which exploit such vulnerabilities resemble race conditions. The important difference is that the attacker does not try to guess a certain target system condition but rather provokes it intentionally, so that the very attack vector affecting the system ensures the target condition appears. Classic race conditions can also be exploited this way, and sometimes it is the only way.
|How to *really* piss off the surveillance state with your privacy tool
Speaker: Jake McGinty
For the first time at a hacker con, we'll combine psychology, cryptography and political/technical evidence from Snowden's leaks to identify what makes for effective defenses against blanket nation-state surveillance, and what technical challenges we face to beat this new onslaught against the free internet we all want. Hint: the answer isn't PGP. Instead, we'll cover the state-of-the-art approaches in our new asynchronous landscape as implemented by the Axolotl protocol in TextSecure.
|DTM components: shadow keys to the ICS kingdom
Speakers: Alexander Bolshev, Gleb Cherbov, Svetlana Cherkasova
Today, industrial control system architectures are complex, multilayered networks, based on many technologies that are (or were not so long ago) popular, such as XML, COM, ActiveX, OLE32, JSON, .Net, and others. FDT/DTM is one such architectural element. In short, FDT/DTM standardizes the communication and configuration interface between all (industrial) field devices and host systems. This is achieved with the help of DTMs: COM, ActiveX or .Net components. Such components exist for many devices used in oil, gas, energy, nuclear, chemical, and other critical industries. Look at any factory, plant, or other industrial site, and you'll find an RTU or PLC that is configured by a DTM component.
During our research, we analyzed the components for hundreds of field devices based on low-level protocols. Many of them suffer from insufficient filtering of user-supplied data, XSS, XML injection, RCE, SSRF, DoS, and other vulnerabilities. We will provide detailed statistics on the security flaws of DTM components from various vendors.
|Non-cryptographic research of orthodox cryptographic media, or How we tested the security of key data storage on tokens…
Speakers: Sergey Soldatov, Mikhail Egorov
Special cryptographic devices, hardware USB or smart card tokens, are traditionally used to store encryption keys securely. As a rule, the universal PKCS#11 interface is used to work with tokens. Many cryptographic service providers in Russia can store containers with key data on such cryptographic devices.
The authors of this talk became interested in the security of storing key data on hardware tokens and in the possibility of extracting the key data container from a token by software methods alone, without resorting to complex equipment. In this talk, we will describe the results of our research into common token models and present a self-developed utility which allows extracting key data containers from some token types.
|The past, the present and the future of software exploitation techniques
Speaker: Nikita Tarakanov
It began with lame stack-based buffer overflows.
Then DEP/NX appeared, that should raise the bar.
Then ROP appeared.
Then it continued with linking and unlinking corrupted heap buffers.
Then ASLR appeared, that should raise the bar.
Then sophisticated techniques continued to bypass NX/ASLR.
Then CFI appeared.
Then sophisticated techniques continued to bypass NX/ASLR/CFI...
In this talk we will show how exploitation techniques have evolved, and what we will see in the nearest future of exploitation techniques.
|Miniaturization (Fitting a full process control attack into a small microcontroller)
Speaker: Jason Larsen
Many papers have discussed hacking into a process control system. Very few papers talk about what to do after control of the process has been achieved. This paper will cover miniaturizing attack code so that it fits into a pressure sensor. The code will set up a standing wave in a piping structure by sensing the pressure wave caused by a water hammer and operating a valve in such a way that the pressure wave increases with each pass. The first part will cover a set of very small algorithms capable of sensing the process. The second part will cover efficiently inserting the code into the microcontroller's firmware.
|Security vulnerabilities in DVB-C networks: Hacking cable TV network part 2
Speaker: Rahul Sasi
DVB-C stands for "Digital Video Broadcasting - Cable" and is the DVB European consortium standard for the broadcast transmission of digital television over cable. This system transmits an MPEG-2 or MPEG-4 family digital audio/video stream using QAM modulation with channel coding. The standard was first published by ETSI in 1994, and subsequently became the most widely used transmission system for digital cable television in Europe. We have been working with a cable TV service provider for the past year. In digital cable TV implementations, the transmitted MPEG streams are encrypted/scrambled, and users need a set-top box to descramble/decode the streams. Service providers can also shut down a device remotely if no payment is made, or even display a custom text message that scrolls on top of the video. This is made possible by middleware servers or application servers that are used to manage the DVB networks. So in our talk we cover the various attacks that can be carried out on DVB-C infrastructure. That will include the following topics.