briefings

briefings - march 30 & 31

Briefings


Man-in-the-SCADA: Anatomy of Data Integrity Attacks in Industrial Control Systems

There is a continuous evolving gap between SCADA/ICS attackers and the defenders. Once unauthorized access is gained to a control network or a piece of industrial equipment, an attack still needs to be performed. This is where the public literature falls short. This talk will discuss data integrity attacks in industrial sector through the eyes of the attacker.

One would normally think that an analog inputs such as power line voltage or pressure in a pipeline are transmitted in SCADA/ICS network packets in a human-comprehensible way. In reality, these process measurements are scaled and transformed in totally different units each time the data traverse different electric circuits, protocol stacks, applications and DBs located at different layers of the Purdue reference architecture.

This talk will consider a strategic attacker with a specific malicious goal in mind. When the attacker gets a privileged access and is able to intercept and modify the traffic, she/he needs to find a way to interpret SCADA/ICS data. For that the attacker will have to obtain user manuals, best practices, network architecture drawings, configuration files of sensors, RTUs, PLCs and SCADA DB's settings, and exercise A LOT OF ENGINEERING MATH. Only then the attacker will be able to make sense of the observed data units on the wire and perform targeted data manipulation attacks (instead of causing a nuisance).

The talk will analyze real-world RTU-based power substation and DCS-based (petro)chemical plant configurations along with all the challenges that attackers must understand, such as selection of most beneficial network segment/piece of equipment, minimum amount of network and systems configuration analysis, etc. The goal of this talk is to educate the audience about real-world facility configurations and show what the attacker needs to do and why when executing data integrity attacks in Industrial Control Systems. Understanding attacker activities and challenges is crucial for planning further research activities and designing effective defensive approaches and solutions.

Presented By

Marina Krotofil  &  Chris Sistrunk

24 Techniques to Gather Threat Intel and Track Actors

In recent years, we delivered many talks detailing threat actors, their operations, and their tools. How did we conduct such research and gather such intel? In this talk, we share 24 techniques for gathering threat intel and tracking actors, or example: crimeware (undisclosed) vulnerabilities, C&C misconfig, and underground marketplaces. We explain our use of these techniques using 30 real cases.

We will also uncover an underground marketplace that has over 1,400 registered attackers. Products for sale includes webshells, ssh passwords, ftp passwords, email lists, and crimeware. We show how their purchased crimeware contained vulnerabilities that allowed us to track them.

Presented By

Sun Huang  &  Wayne Huang

All Your Emails Belong to Us: Exploiting Vulnerable Email Clients via Domain Name Collision

One of the central points of failure is an email address. We use email addresses used to get access to our bank accounts, social networks and much more. For SMB and Enterprise, email addresses are the most often targeted entry point for advanced persistent threat (APT) attacks.

But how good are we are at protecting our email accounts?

There's always a compromise between security and usability. There were times when you would need to obtain all the information about smtp/pop/imap servers and enter them in order to configure your email account. Now it is as simple as just typing your email and password. But when you rely on technology that simplifies your life, it is always complex and sophisticated inside and there is always a huge risk of failure in implementation. chance of failure to implement it.

In our presentation we will disclose severe vulnerabilities of mail clients as well as software services that could lead an attacker to take over access to sensitive user information - sometimes including usernames and passwords.

We'll also demonstrate how improper email client implementation can leak user credentials and what software developers, server administrators and users can do to prevent it.

Attendees will see a live data feed with popular email client names and who's leaking what. At the final part of our presentation we'll talk about other attacks and what power attackers can potentially get in the case of vulnerable client implementations.

Presented By

Ilya Nesterov  &  Maxim Goncharov

Anti-Plugin: Don't Let Your App Play as an Android Plugin

The Android plugin technology is an innovative application-level virtualization framework that allows a mobile application to dynamically load and launch another app without installing the app. This technology was originally developed for purposes of hot patching and reducing the released APK size. The primary application of this technology is to satisfy the growing demand for launching multiple instances of a same app on the same device, such as log in two Twitter accounts for the personal and business simultaneously. The most popular app powered by this technology, Parallel Space, has been installed 50 million times in Google Play.

However, as we know, it never takes malware authors long to catch on to new mobile trends. In the wild, by applying the plugin technology, a newly discovered Android malware "Dual-instance" dynamically loads and launches the original Twitter app's APK file within itself and also hijacks user's inputs (e.g. password) to launch the phishing attack. Besides, after we have comprehensively analyzed security risks of the Android plugin technology, we find that the data stored by the plugin app can be stolen by the malicious host app or other plugin apps. In our Wildfire product, we have captured 64,058 samples using the Android plugin technology, among which 61,172 samples are malicious or grey. Thus, the Android plugin technology is becoming a new security threat to normal Android apps.

Our proposal demystifies the Android plugin technology in depth, explains the underlying attack vector and investigates fundamental security problems. We propose a lightweight defense mechanism and release a library, named "Plugin-Killer", which prevents an Android app from being launched by the host app using the Android plugin technology. Once a normal Android app embeds the library, the app can detect the Android plugin environment and terminates itself when it is launched.

Presented By

Tongbo Luo  &  Cong Zheng  &  Zhi Xu  &  Xin Ouyang

Beyond the Blacklists: Detecting Malicious URL Through Machine Learning

Many types of modern malware utilize HTTP-based communications. Network-level behavioral signature/modeling in malware detection has some advantages, compared with traditional AV signature, or system-level behavioral models. Here we present a novel malware detection method based on URL behavioral modeling. The method has taken advantage of common practices of code re-use among many types of malware. Based on big data of known malware samples, we can distill concise feature models that represent common similarities in many different malware connection behaviors; the model can be used to detect unknown malware variants that share common network traits.

We focused on HTTP connections because the protocol is the most used connection type for malicious software to phone home, get update, and receive command to start attack. Examining traits at http connection level have proved to be an efficient way to detect malicious connections.

In our next generation firewall appliance, we had algorithms to examine connection domain name, URL path and user-agent using static blacklist and signatures to determine malicious user-agents, URL connection path. Combined with machine learning algorithm for DGA domain detection, we had achieved pretty good malicious URL detection rate. However, the most complex and challenging part is the dynamic content in the URL connection query string. Static signature rules become less effective because those strings are so diversified that they virtually can be anything. Variance and evolution of connection parameters can make signature generation time consuming. It also requires signature library performing frequent updates to emerging new connections features.

The novel clustering algorithm we present in this talk is highly efficient - it could not only detect known malicious URL, but also new variants yet to be exposed (0-day). The model was machine learned from 800,000 URLs from malware samples with about 10k weekly update.

Presented By

Hao Dong  &  Chenghuai Lu  &  David Yu  &  Jin Shang

Breaking Korea Transit Card with Side-Channel Attack - Unauthorized Recharging

Recent side-channel attacks have shown that the security of smart devices is a matter of serious concern. Financial damage by attacking security systems can be the most fatal threat in the real world. We target a real-world smartcard widely used in Korea, embedding cryptographic features. Our attack was conducted in a black-box manner where everything is unknown for the target device except for public information such as standard documents and specifications. As a result of attack, a 128-bit secret key for mutual authentication required when a legitimate user uses functions served by card such as payment, refund, recharging et al. can be completely restored, even although our target device employs some countermeasures against side-channel attacks in hardware level.

More specifically, we provide how to attack the target device in detail, and we show how to profile target information (i.e., cryptographic operation under attack) where only public information is known to an attacker. From the profiled information, we show how to extract the cryptographic key (used in encryption, digital signature, authentication and so on) from side-channel analysis.

Finally, by using this recovered secret key, we constructed a hacking tool to facilitate illegal recharging of balance in the transit card. Therefore, we are able to free recharge balance on the card as much as we want without spending any money.

The most important thing in our contributions is that we offer the know-how obtained by tremendous experiments in order to reduce trial and errors for attacking other secure devices in similar environments to ours. Our results demonstrate that side channel attacks have a serious real-world impact on the security on embedded systems.

Presented By

Tae Won Kim

Cache Side Channel Attack: Exploitability and Countermeasures

Cache attacks have proven to be a big concern for security code designers because they are able to recover a wide range of information, ranging from cryptographic keys to user privacy-related information. These attacks take advantage of the fact that two processes are utilizing the same hardware resource, thus leveraging unexpected leakages that can be exploited by a malicious user. More specifically, Last Level Cache (LLC) attacks make use of the fact that the LLC is shared across cores, thus being able to steal information from users located in different cores. These attacks have been shown to be applicable in a wide variety of scenarios, going from IaaS clouds to web browsing exploitation with embedded javascript code.

This presentation describes the approaches that two of the most dangerous cache attacks follow, i.e., Flush and Reload and Prime and Probe. Indeed their characteristics also determine their applicability; while Flush and Reload requires memory deduplication to succeed (i.e. shared memory between processes), Prime and Probe does not need special requirements to succeed. We evaluate the different examples of everyday usage software that can be targeted by this kind of attacks to violate our privacy. Further, this presentation expands on the scenarios in which each of the attacks succeed - including but not limited to, IaaS and PaaS co-located VMs/processes, web browsing javascript attacks, trusted execution environment attacks or smartphone inter-application attacks.

Finally, this presentation explores the steps that need to be taken to avoid the exploitation of such attacks: at the software level (writing key independent execution flow), at the OS/hypervisor level (Utilizing LLC isolation through mechanisms like page sharing) and at the hardware level (e.g., locking certain portions of the LLC).

Presented By

Xiaofei Guo  &  Gorka Irazoqui

Cross the Wall - Bypass All Modern Mitigations of Microsoft Edge

Address Space Layout Randomization(ASLR) and Data Execution Prevention (DEP) and Control Flow Guard (CFG) are default exploit mitigations technique on Windows 10 platform. ASLR and DEP and CFG mitigation significantly increases the difficulty of exploit. In Windows 10, even if you have the ability to arbitrarily address read/write, you still need to find ways to bypass CFG mitigation.

This talk will be divided into two parts. The first part will introduce a new method to bypass CFG and DEP mitigations; it uses the Edge Shim's dark side to bypass CFG and DEP, get arbitrary code execution with no ROP. This method got the Microsoft Mitigation Bypass Bounty and have the following advantages:

  • No need ROP to exploit
  • The stability of the exploit is good
  • Bypass the CFG and DEP at the same time

The second part will discuss how to bypass ASLR. Dynamic language use garbage collect to management memory. According to whether the distinction between data and pointer, divided into conservative garbage collection and accurate garbage collection. Microsoft Browser Internet Explorer JavaScript engine jscript9 and Microsoft Edge JavaScript engine chakra, use the conservative mark-sweep garbage collection management memory. Using the conservative garbage collection weakness, we can bypass the ASLR mitigation with no vulnerability. This part consists of three aspects:

  • The weakness of conservative garbage collection and How Microsoft do their improvement to defend this weakness
  • How to overcome Microsoft's improvement and use the weakness to exploit Internet Explorer and Microsoft Edge. Because the jscript9 engine and chakra engine have some different in the implemention.so the exploit method may be some different. And Microsoft Edge chakra engine is strong than Internet Explorer jscript9 engine, we will discuss how to overcome the difficult to exploit Microsoft Edge
  • Give three exploit demo. Microsoft Edge Exploit on windows 10, Internet Explorer Exploit on windows 7 and windows 10

Presented By

Henry Li  &  Jack Tang

Daily-Life Peeper: Bug Hunting and Exploit Techniques in IoT

As we know, with the rapid increasing and widespread use of IoT devices, the security of IoT becomes more and more important. The recent massive DDoS attack launched from hacked IoT devices against Dyn was another urgent alert. While there're many bug bounty projects and contests about software security, there is nearly nothing about IoT security.

So, we kicked off our IoT vulnerabilities reward program -- GeekPwn 3 years ago and have already collected over 100 security vulnerabilities and their detailed exploit techniques in routers, cameras, game consoles, and even network protocols etc.

In this presentation, we will summarize all these real-world vulnerabilities and propose maybe the first systematic study of current IoT devices' security situation. In particular, we will explicate the technical details of some brilliant exploits, such as from multiple vulnerabilities (memory information leak CVE-2016-5367, file injection CVE-2016-5366, stack overflow CVE-2016-5365) to get remote root shell of a router, TCP challenge ACK information leak to hijack TCP and manipulate the traffic to the cloud (CVE-2016-5696) and so on.

Our presentation will focus on many design misconceptions and implementation mistakes in the IoT devices, which may be easily overlooked by developers. By sharing those representative lessons, we hope to help IoT vendors improve the security of their products and enlighten security researchers interested in IoT.

Presented By

Yuhao Song  &  Huiming Liu

Delegate to the Top: Abusing Kerberos for Arbitrary Impersonations and RCE

Delegation is the assignment of responsibility or authority to another identity to carry out specific activities. It is one of the core concepts of management, shifting the decision-making authority from one organizational level to a lower one and empowering a subordinate to take responsibility. In Windows networks, delegation allows a service to impersonate a user or computer in order to access resources throughout the network.

While delegation is being used in almost every enterprise, it is still one of the most confusing and least-understood mechanisms in Kerberos and Active Directory. In many cases, the accounts that are running applications and services which are trusted for delegation are misconfigured and, thus, ripe for exploitation.

This talk will review what delegation is, what types of delegation exist, and how they are used in enterprises. The session will include a demonstration of how an attacker can impersonate another user and elevate privileges by exploiting built-in functionalities in Kerberos delegation, enabling remote execution with arbitrary user through unexpected services. In the session, an open source tool for identifying and abusing vulnerable accounts that allow for delegation will be introduced. Finally, some guidance will be shared that will allow tightening up of delegation rights to minimize risk.

Presented By

Matan Hart

Dig Into the Attack Surface of PDF and Gain 100+ CVEs in 1 Year

Portable Document Format (a.k.a. PDF) is one of the most widely used file formats in the world; this complex file format also exposes a large potential attack surface which is important for us to understand. During the last year, by digging into the attack surface of PDF deeply and fuzzing the popular PDF readers efficiently, I discovered nearly 150 vulnerabilities independently in the world's most popular PDF readers including Adobe Reader, Foxit Reader, Google Chrome, Windows PDF Library, OS X Preview, and Adobe Digital Editions. More than 100 of the vulnerabilities have been fixed by vendors and assigned with CVEs.

In this presentation, I will talk about the attack surface of PDF and the methods for finding and testing it. Then, I will talk about how to find enough test cases for each attack surface, and how to fuzz the PDF readers more efficiently. Finally, I will show you the statistical results of each attack surface based on the vulnerabilities I found.

Presented By

Ke Liu

Domo Arigato Mr. Roboto: Security Robots a la Unit-Testing

Security testing is difficult, no matter who is doing it or how it is performed. Both the security and development industries struggle to find reliable solutions to identify vulnerabilities in custom code, but sometimes make things harder than they should be.

Over the past 20 years, the security industry has defined application security testing tools as separate from the traditional QA toolset, although both approaches are similar. Send test data (or payloads, exploits) to an application and inspect the response for appropriate or inappropriate behavior. The one-size-fits-all approach for security testing during the software development lifecycle (SDLC) does uncover security flaws, but leaves something to be desired, as it does not pinpoint the exact file/function where a vulnerability exists. Fuzzing application parameters is a great first step, but requires additional research and work to fix or exploit any identified flaws. Additionally, the traditional approach may not discover regressions in application code with the same speed and precision that unit-tests would.

On the other hand, unit testing frameworks provided by programming languages and application frameworks often lack functionality necessary to perform security testing. This lack of coverage, test data, or even functionality reduces the overall effectiveness of a security unit test. In addition, identification of many security vulnerabilities, including cross-site scripting, requires fully functional application stacks with presentation layers. If the unit testing framework is missing any of these pieces, it is impossible to create a full security test suite.

Due to both the aforementioned limitations as well as traditional security approaches to software security, custom and specific security testing is often overlooked and is not instituted within the typical software security testing tool suite. As developers and security professionals, we can do better. A hammer is not the only tool in our belt, and a scanner is not the only way to find a security vulnerability. Using DevOps practices such as Test Driven Development (TDD) and Continuous Integration (CI), it is possible to overcome both security and development weaknesses around unit testing and implement a custom security unit test suite for any application.

This talk will first address the current limitations in security unit testing applications with existing tools and various frameworks. Next it will introduce a generic framework for creating security unit tests for any application. Then it will review common strategies for building application security-specific unit tests, including function identification, testing approaches, edge cases, regression testing, and payload generation. In addition, it will demonstrate these techniques in Java Spring and .Net MVC frameworks using intentionally-vulnerable applications. Finally, this talk will introduce sputr (https://github.com/sethlaw/sputr), an open-source repository of security unit testing payloads that can be used as a starting point for creating custom security unit tests.

Presented By

Seth Law

Drop the ROP: Fine-Grained Control-Flow Integrity for the Linux Kernel

The introduction of W^X memory policies and the subsequent mitigation of return-to-user attacks, tackled the efficiency of code injection techniques on the exploitation of kernel-level vulnerabilities, rendering return-oriented programming (ROP) into one of the most prominent adversaries for system security. Control-Flow Integrity (CFI) is an effective defense against ROP, but despite its many refinements during the past decade and its recent deployment for the protection of user-space applications, it has received significantly less attention for the kernel setting. The few existing kernel-level CFI proposals either apply an overly permissible coarse-grained policy, which can be easily bypassed by sophisticated ROP attacks, or do not support dynamically loadable kernel modules.

We present the design and implementation of kCFI, a pure CFI implementation with fine granularity for commodity operating systems (OS), and the first of its kind capable of fully supporting the Linux kernel. By combining static analysis at both the source code and
binary level, kCFI generates a more restrictive CFI policy when compared to previous proposals. By injecting control flow checks to kernel binaries during compilation time, kCFI enforces this policy without harming any OS feature. Also, kCFI does not rely on memory secrecy for enforcing its policies, being effective even in the presence of memory disclosure attacks. The observed overheads are of 8% and 2% for micro and macro benchmarks, respectively.

Presented By

João Moreira

Exploiting USB/IP in Linux

USB/IP is a framework for sharing USB devices over the network: it encapsulates USB I/O messages into TCP/IP payloads and transmits them between network-connected hardware. This way, USB devices, plugged into one machine, appear as if they are plugged into another connected machine and can be used without any additional drivers or software.

Being part of the mainline kernel since version 3.17, this framework is immediately available to Linux users. Kernel code supporting this feature is compiled by default as a loadable module and is available for stock kernels in most popular Linux distributions. However, the implementation is rather uncommon for Linux kernel; the USB I/O bearer TCP connection is established by helper user-space applications, but then connected sockets are passed to the kernel and the kernel code itself handles all socket communication. So, most of the application protocol part is directly implemented in the kernel. This is a big shift from the traditional Linux paradigm of "tools only" in kernel code and "policy" in user-space.

The above design puts very strict security requirements on the code implementing the protocol since the code is executed in a highly privileged context (Linux kernel). Not doing proper input validation may create serious security vulnerabilities. Unfortunately, this is the case with USB/IP framework: with specific conditions a malicious party may trigger an out-of-bounds memory access and write arbitrary data to kernel memory. This is especially dangerous here because the potential attacker may do it remotely over the network.

Who is affected? The conditions of the exploitability of the above vulnerability are outlined. Also, some general security recommendations for USB/IP users are presented.

Presented By

Ignat Korchagin

Fried Apples: Jailbreak DIY

In this talk we focus on challenges that Fried Apple team solved in a process of making untethered 9.0-9.3.x jailbreak. We will reveal the internal structure of modern jailbreaks, including low level details such as achieving jailbreak persistence, creating a patchfinder to support all device types and finally bypassing kernel patch protection.

We will cover a sequence of vulnerabilities and exploitation details that were used for initial arbitrary code execution, sandbox bypassing, kernel address leaking, arbitrary code execution in the kernel and finally persistent code signing bypass.

The current talk also covers various tools and techniques used in a process of making a jailbreak. This includes finding ROP gadgets, kernel patch lookup tools (patchfinders), kernel analyzers etc.

Another topic is how to build a jailbreak chain. In other words, how to put everything together to get final, simple to use jailbreak utility.

Finally, we show new exploit mitigations and security enhancements that Apple added in iOS 10, like KPP, including hardware based patch protection in iPhone 7 and 7+, sandbox enhancements and a new heap management techniques.

Presented By

Max Bazaliy  &  Alex Hude  &  Vlad Putin

Go Get My/Vulnerabilities: An In-Depth Analysis of Go Language Runtime and the New Class of Vulnerabilities It Introduces

Golang is rapidly becoming the language of choice for programming both simple applications for embedded hardware and elaborated high end software for computational clusters. Many of the major companies have adopted it as the default choice for new projects and it is starting to be quite widespread even among independent programmers.

One of the main features it introduces are goroutines: a new approach to multithreading that scales better with modern multi-core hardware and operating systems. It allows programmers to handle a higher amount of concurrent tasks with a lower cost in terms of performances.

Goroutines are scheduled by the go runtime and in order to make them more efficient than traditional threads, some features have been taken away from them, like thread-local storage and thread pointers. These and many other changes have been applied in order to grant a competitive task-switching time.

Go's approach makes it the language that performs better in concurrent applications, but like many other optimizations it doesn't come for free. While it is widely known that go is very efficient, there is still little to no information about the implications that come with relying on its internal scheduler. Many guides and documentations treat goroutines as if they were traditional threads, failing to warn programmers on the differences and risks involved, creating a dangerous trend for the next generation of software.

What are the implications of using goroutines instead of threads? Do they introduce new vulnerabilities? Can they be used in a safe way?

Presented By

Roberto Clapis

Hack Microsoft Using Microsoft Signed Binaries

Imagine being attacked by legitimate software tools that cannot be detected by usual defender tools.

How bad could it be to be attacked by malicious threat actors only sending bytes to be read and bytes to be written in order to achieve advanced attacks?

The most dangerous threat is the one you can't see. At a time when it is not obvious to detect memory attacks using API like VirtualAlloc, what would be worse than having to detect something like "f 0xffffe001`0c79ebe8+0x8 L4 0xe8 0xcb 0x04 0x10"?

We will be able to demonstrate that we can achieve every kind of attacks you can imagine using only PowerShell and a Microsoft Signed Debugger. We can retrieve passwords from the userland memory, execute shellcode by dynamically parsing loaded PE or attack the kernel achieving advanced persistence inside any system.


Hello From the Other Side: SSH Over Robust Cache Covert Channels in the Cloud

In this talk, we present the first practical cache covert channel in the cloud. The goal is to secretly exfiltrate sensitive data from one fully isolated virtual machine to another virtual machine on the same physical host. Both communication endpoints require no privileges and run as regular user programs.

Our attack exploits the CPU cache that is present in all modern processors. These caches are crucial to performance; they are shared across virtual machine boundaries and thus violate isolation guarantees. Cache covert channels have been discussed in many academic works; however, a practical application has not been demonstrated so far. One reason is that especially hypervisor activity and external events disrupt communication.

Our covert channel is resilient against noise as we adapt established techniques from wireless transmission protocols. Even with extraordinarily high system activity, our covert channel stays entirely error free while maintaining high throughput and low latency. We sustain transmission rates of more than 45 KB/s on the Amazon EC2 cloud, exceeding state of the art by 3 orders of magnitude. Our protocol allows us to build an SSH connection between two virtual machines, where all existing covert channels fail.

We demonstrate our covert channel attacks on the Amazon cloud live on stage, including interactive SSH sessions and video streaming. Finally, we present an open-source tool that helps security researchers in investigating the underlying hardware problem and assessing the risk for their infrastructure.

Presented By

Michael Schwarz  &  Manuel Weber

MASHaBLE: Mobile Applications of Secret Handshakes Over Bluetooth LE

In this talk, we present new applications for cryptographic secret handshakes between mobile devices on top of Bluetooth Low-Energy (LE). Secret handshakes enable mutual authentication between parties that did not meet before (and therefore don't trust each other) but are both associated with a virtual secret group or community. This property provides strong privacy guarantees that enable interesting applications. One of them is proximity-based discovery for members of private communities. Others are private event organization and head-counting, and smart BLE car-locks.

We will introduce MASHaBLE, a mobile application that enables performing secret handshakes over Bluetooth LE communication. We use direct peer-to-peer communication, rather than relying on a central server which results in interesting applications. We will also discuss the specifics of implementing secret handshakes over Bluetooth LE and present our prototype implementation.

Presented By

Yan Michalevsky

Myth and Truth About Hypervisor-Based Kernel Protector: The Reason Why You Need Shadow-Box

Protection mechanisms running in the kernel-level (Ring 0) cannot completely prevent security threats such as rootkits and kernel exploits because the threats can subvert the protections with the same privileges. This means protections need to be provided with higher privileges. Creating Ring -1 is plausible using VT such as ARM TrustZone, Intel VT-x, and AMD AMD-v. The existing VT (Virtualization Technologies) supports to separate the worlds into a host (normal world, ring -1, host) and a guest (normal world, ring 0 ~ ring 3). Previous research such as NumChecker, Secvisor, NICKLE, Lares, and OSck used VT to protect kernel.

However, there is still room for improvement: OSes running in different worlds have strong semantic gaps, and footprints for running multiple Oses cause system overhead. Well-known hash of LKM and secure VM are also restrictions of previous research for deploying them to real world environment. We want a practical and lightweight kernel protector for defending desktop, stick PC and mobile devices, therefore we needed to design practical and lightweight kernel protector for real world environment.

In this talk, we propose a security monitoring framework for operating systems, Shadow-box, using state-of-the-art virtualization technologies. Shadow-box has a novel architecture inspired by a shadow play. We made Shadow-box from scratch, and it is primarily composed of a lightweight hypervisor and a security monitor. The lightweight hypervisor, Light-box, efficiently isolates an OS inside a guest machine, and projects static and dynamic kernel objects of the guest into the host machine so that our security monitor in the host can investigate the projected images. The security monitor, Shadow-Watcher, places event monitors on static kernel elements and tests security of dynamic kernel elements. We manipulate address translations from the guest physical address to the host physical address in order to exclude unauthorized accesses to the host and the hypervisor spaces. In that way, Shadow-box can properly introspect the guest operating system and mediate all accesses, even when the operating system is compromised.

We deployed and have been successfully operating Shadow-box in real world since last year. Real world environment is different from laboratory environment. So, we have gone through many trials and errors for a year, and have learned lessons from them. We share our know-hows about using virtualization technology and deploying research into the wild.

Presented By

Seunghun Han  &  Junghwan Kang

Never Let Your Guard Down: Finding Unguarded Gates to Bypass Control Flow Guard with Big Data

Control Flow Guard (CFG) is a security mechanism to prevent indirect branches (indirect call/jmp) to redirect control flow to unexpected locations. It was originally released by Microsoft with Windows 8.1 and currently implemented in Window 10 as an enhanced security feature. CFG works by inserting a control-flow check-function before each critical indirect branch at compiling time, while the check-function will validate the target address using CFG bitmap at runtime.

There have been previous studies reported - cases and methods to bypass CFG, including :

  • "Bypass Control Flow Guard Comprehensively" by Yunhai Zhang's at Black Hat 2015, which discussed different attack surfaces and reported a universal bypass approach by making the read-only CF_check_function pointer writable using the destructor behavior of CustomHeap::Heap of Jscript9.
  • "Bypassing Control Flow Guard on Windows 8.1 Update3" by Francisco Falcon at Core Security blog, which reported a bypass case by finding unguarded indirect call in the JIT-generated code from Adobe Flash Player JIT compiler.

Although there have been multiple updates of CFG which fixed most of the vulnerabilities reported, our study is able to find more weak spots that can lead to CFG's bypass under the most recently updated Windows 10, using a very efficient tool set we developed.

We use performance-monitor-unit (PMU) based instrumentation tool to collect the context information of all indirect calls at runtime by triggering interrupt when each indirect call takes place. Then SPARK-based big data approach is used for data screening and analysis.

Several most common applications, including IE11, Adobe Flash Player and Microsoft Edge, are analyzed under Windows 10 using this method. Results from different applications are obtained and will be presented in a comparative way.

In summary, with such method and toolset, we are able to find multiple vulnerabilities that can lead to CFG's bypass in different applications running under Windows 10. This talk will present not only the results, but also the methodology and tools used to find such vulnerabilities.

Presented By

Ke Sun  &  Ya Ou

Open Sourcing Automotive Diagnostics

Automotive systems use a small number of protocols for diagnostic functionality. As researchers, it's very useful to be able to interact with these protocols to look for undocumented features and vulnerabilities. As vehicle owners, it's useful to have access to these protocols, as they implement all the diagnostics needed to repair a modern car.

The problem? There's no low cost tools for dealing with these protocols. Furthermore, the protocol specifications aren't free. While we can't release the specifications, we can release an open source implementation!

In this talk, we'll go over how automotive diagnostics work, and why they're so interesting for attackers. Then, we'll present an open source Unified Diagnostic Services (ISO14229) stack implemented in Python. Finally, we'll have some demos of how to use the stack in a Python interpreter, to quickly explore diagnostic systems.

Presented By

Eric Evenchick

Phishing for Funds: Understanding Business Email Compromise

Business Email Compromise (aka CEO fraud) is a rapidly expanding cybercrime in which reported cases jumped 1300% from 2015 to 2016. This financial fraud scheme can target any market segment or organization regardless of size. Thousands of organizations from more than 100 countries have reported losses. The reasons for this surge is simple - it makes money. Over 3 billion dollars in losses have been reported. It is reasonable to assume that the actual impact could be much larger.

In most cases, Business Email Compromise is a highly targeted attack that starts with significant reconnaissance. Attackers take time to understand the target organization's people and processes. These precise email attacks often get past traditional spam filters and will have the look and feel of a legitimate correspondence.

This talk will cover the attacker methodology and how to defend against the various techniques commonly used by attackers including: sender address spoofing and reply-to alteration, domain impersonation, account compromise, open email relay abuse and end point compromise.

In order to be successful, this attack requires that security controls associated with people, processes and technology all fail. Keep any one of these strong and the likelihood of a successful attack drops significantly. Defenders can employee technical controls to stop certain types of fraudulent email, build robust business processes that interrupt the exploitation or raise user awareness, so they know when to raise an alarm.

When something does get through, and it will, knowing how to respond can make all the difference and that will also be discussed.

Presented By

Keith Turpin

Remotely Compromising iOS via Wi-Fi and Escaping the Sandbox

Wi-Fi is nowadays an established technology - supported on almost all devices - including the Apple iOS ones.

In this talk, we discuss how to exploit an iOS device remotely via Wi-Fi without any user interaction, completely bypassing the iOS sandbox. We will disclose a chain of several vulnerabilities, leading to arbitrary code execution outside of the iOS sandbox and show that the device can be compromised in different ways in the post exploitation phase.

The victim will only have to join the Wi-Fi network, and then the device will be compromised without any user interaction, bypassing all iOS mitigations and sandboxes.

Presented By

Marco Grassi

The Irrelevance of K-Bytes Detection - Building a Robust Pipeline for Malicious Documents

Security teams must address the countless vulnerabilities in popular document formats like PDFs, Office files and legacy textual formats. This session will cover the best practices on how to build a document analysis pipeline including the pros and cons of true type detection, sandboxing, signatures, dynamic/static content inspection, isolation and content disarming and reconstruction. We will also cover the attackers view and the different evasion techniques of malicious payloads going through a carefully designed document analysis pipeline.

We suggest mandatory building blocks for designing such a pipeline: a mapping component to handle classification of byte arrays, a prepare component to support morphism to a more accurate file representation, analysis component to run the different heuristics, an isolation component and then a CDR component. And then finally a workflow that orchestrates and ties these components together to yield low false positive/negatives rate.

Real war stories will be shared including defining the right amount of tolerance for balancing between productivity, performance, vendor integration and success rates, future adaptability of the pipeline and practical implementation details.

Presented By

Dan Amiga  &  Dor Knafo

The Power of Data-Oriented Attacks: Bypassing Memory Mitigation Using Data-Only Exploitation Techniques

As Control Flow Integrity (CFI) enforcement solutions are widely adapted by major applications, traditional memory vulnerability exploitation techniques aiming to hijack the control flow have become increasingly difficult. For example, Microsoft's Control Flow Guard (CFG) is an effective CFI solution against traditional memory exploits. However, due to the CFG implementation limitations, we have seen new exploitation techniques such as using the unprotected ret instruction to bypass CFG. We believe eventually these limitations could all be overcome or improved, and ultimately we expect a fine-grained CFG solution to completely defeat control-flow hijacking. Consequently, attackers have begun to seek alternatives to exploit memory vulnerabilities without diverting the control flow. As a result of this trend, the data-oriented attacks have emerged. As its name suggests, a data-oriented attack focuses on altering or forging the critical data of an application, rather than attempting to alter its control flow. The data-oriented attack may allow the attacker to do some powerful things, such as loading certain unwanted or disabled modules or changing the attributes of certain memory pages. Sometimes this can be achieved by changing only a few bits of data. Today, most successful memory exploits can gain some level of memory read/write primitives during exploitation of memory corruption vulnerability, which makes data-oriented attacks possible. In this talk, we will present some interesting examples that show the power of data-oriented attacks. We then discuss ways to prevent such attacks. We conclude by live demonstrations of CFG/DEP bypass on Windows 10's Edge using data-only exploitation techniques.

Presented By

Bing Sun  &  Chong Xu

What Malware Authors Don't Want You to Know - Evasive Hollow Process Injection

Hollow process injection is a code injection technique used by the malware authors to blend in with legitimate processes on the system and remain undetected; there are documented procedures to detect hollow process injection. This presentation focuses on undocumented hollow process injection techniques. By demonstrating the analysis (reverse engineering and forensics) of real-world malware samples, this presentation uncovers how malware authors (both APT and crimeware actors) are now using variations of hollow process injection techniques - not just to blend in but also to remain stealthy, bypass detection, confuse, divert the forensic analysis tools/techniques to create uncertainty in the minds of the security analyst.The presentation also covers how the malware can further be modified to deflect the forensic analysis tools/techniques there by creating a possible anti-forensic technique. The presentation also covers what to look for while investigating such malware attacks, when to rely on the forensic tools and when not to; from an incident response perspective, understanding such stealth techniques will help in countering and responding to such malware attacks. The presentation contains video demos of the analysis of different real world malware samples and also presents a Volatility plugin to detect such attacks.

Presented By

Monnappa K A