briefings - november 3 & 4

white paper




(Pen)Testing Vehicles with CANToolz

CANToolz is an open-source framework for working with CAN bus. In this presentation we will demonstrate use-cases and examples of black-box analyses of CAN network and ECU devices. This framework based on modules and libraries that can be used all together in different combos to get exactly what researcher/tester needs.

1. What tester could do over OBD2 port?

  • UDS scanning, sub-function scanning
  • Tester tool testing and traffic analysis

2. CAN Switch/Hub scanning
  • What messages could be routed from one bus to another?

3. Understanding the traffic
  • How to find "what means what"
  • Finding control frames
  • Finding status frames

4. Running MitM
  • DIY: anti-thief system

Also, you could use CANToolz for integration/security tests as part of developing process (SDLC), and we will cover this part as well.

Presented By

Alexey Sintsov

50 Thousand Needles in 5 Million Haystacks: Understanding Old Malware Tricks to Find New Malware Families

The malware landscape is characterised by its rapid and constant evolution. Defenders often find themselves one step behind, resulting at best in monetary losses and in most extreme cases even endangering human lives. Corporations with the unique challenges they face, must assume that sooner or later malware infections will get through their security perimeter. Efforts should then be focused on early detection to contain and quickly mitigate the threats before they manage to cause any substantial damage. Even today's most stealth malware, if it's controlled remotely, needs an active network communication for reporting back to the attacker. This activity gives us a competitive visibility advantage. Nowadays we have the computational power and mechanisms to process huge amounts of data. Machine learning give us the algorithms to analyse network data in order to find specific types of behaviour. The challenge is how to use this technology to detect what matters most: malicious behaviours that pose a high risk to companies.

In this talk we address four key challenges related to automatic malware detection in the network traffic: how to detect malware changing its network behaviour over time (e.g. changing different parts of the URL), how to mitigate potential mislabeling of the training data and how to perform large scale multi-class detection. We also introduce a training mechanism that allows to automate the learning process and improves the precision of the classifiers. We present unique algorithms that helps to solve different problems in each of the identified challenges. Results of our research constitute part of a working intrusion detection system that consumes real network traffic from more than 5 million users per day. We show how these methods can be used to learn from well known malware samples, generalise the behaviour and consequently find novel threats. We illustrate the detection performance of each algorithm presenting real examples of malware detected by algorithms described in this work. We also elaborate on how the found infections would have been otherwise missed using traditional detection tools.

Presented By

Veronica Valeros  &  Karel Bartos  &  Lukas Machlica

AI based Antivirus: Can AlphaAV Win the Battle in which Man Has Failed?

This talk will introduce our work on AI based Antivirus using deep learning. We can control the false positive rate less than 0.05% and false negative rate less than 12%. We think it's OK for production and it's already in production since Jan 2016.
Android malware can often evade anti-malware security software if the author changes a few lines of code or designs the program to automatically mutate before each new infection or add shell on their app.

Deep learning involves training an artificial neural network with many layers of simulated neurons using huge quantities of data. The networks trained to recognize the characteristics of malicious code by looking at ten million of examples of malware and non-malware files, could offer a far better way to catch such malicious code.

We build a deep learning system for Android anti-malware. We select high-quality app features data with only a little size, and use innovative normalization preprocessing, unique activation function and advanced multilayer artificial neural network to recognize the unknown malware variants and defense zero-day attacks. Our deep learning system has high precision (99.96%) and high recall (88%).

Presented By

Thomas Lei Wang  &  Liuping Hou  &  Zhijun Jia  &  Yanyan Ji

Another Brick Off the Wall: Deconstructing Web Application Firewalls Using Automata Learning

Web Applications Firewalls (WAFs) are fundamental building blocks of modern application security. For example, the PCI standard for organizations handling credit card transactions dictates that any application facing the internet should be either protected by a WAF or successfully pass a code review process. Nevertheless, despite their popularity and importance, auditing web application firewalls remains a challenging and complex task. Finding attacks that bypass the firewall usually requires expert domain knowledge for a specific vulnerability class. Thus, penetration testers not armed with this knowledge are left with publicly available lists of attack strings, like the XSS Cheat Sheet, which are usually insufficient for thoroughly evaluating the security of a WAF product.

In this presentation we introduce a novel, efficient, approach for bypassing WAFs using automata learning algorithms. We show that automata learning algorithms can be used to obtain useful models of WAFs. Given such a model, we show how to construct, either manually or automatically, a grammar describing the set of possible attacks which are then tested against the obtained model for the firewall. Moreover, if our system fails to find an attack, a regular expression model of the firewall is generated for further analysis. Using this technique we found over 10 previously unknown vulnerabilities in popular WAFs such as Mod-Security, PHPIDS and Expose allowing us to mount SQL Injection and XSS attacks bypassing the firewalls. Finally, we present LightBulb, an open source python framework for auditing web applications firewalls using the techniques described above. In the release we include the set of grammars used to find the vulnerabilities presented.

Presented By

George Argyros  &  Ioannis Stais

ARMageddon: How Your Smartphone CPU Breaks Software-Level Security and Privacy

In the last years, mobile devices and smartphones have become the most important personal computing platform. Besides phone calls and managing the personal address book, they are also used to approve bank transfers and digitally sign official documents, thus storing very sensitive secrets. Their exposure or misappropriation would not only be a fatal infringement of privacy, but could also lead to disastrous consequences in terms of financial security and identity theft. So what if it is possible to silently monitor and track what the user is doing on his smartphone or recovering encryption keys without any permissions or privileges?

In this talk, we will show that all of this is possible by mounting cache side-channel attacks on ARM that have been believed to work solely on x86 architecture. We will discuss how we overcame the challenges to perform such attacks on smartphones and demonstrate their immense attack potential. We prepared a live demo to show an unprivileged app that records the exact timestamps of user input activity. We will also present how two apps on a system can communicate with each other, circumventing the permission system and show how we can attack Bouncy Castles AES implementation. We will release source code that allows the user to perform platform-independent attacks within minutes. It serves as a starting point for research on cache side-channel attacks on smartphones and a foundation to build more sophisticated attacks.

Presented By

Moritz Lipp  &  Clémentine Maurice

Attacking Windows by Windows

Since win8, Microsoft introduced a variety of exploit mitigations into Windows kernel, such as Kernel DEP,KASLR,SMEP; this made the exploit of Windows kernel much more difficult. Suppose that we find a Windows kernel 0day, which can change from 0 to 1, or 1 to 0 - how can we gain system privileges with it? This presentation will introduce a new common method which can be exploited from win2k to win10 to answer this question.

Presented By

Yin Liang  &  Li Zhou

Automating Incident Response: Sit Back and Relax Bots are Taking Over…

Our research focuses on illustrating the value of automating functions and processes within Incident Response. Traditional response capabilities are largely contingent upon highly-skilled, specialized resources. Reduction of such necessities and constraints through automation are a precursor to overcoming inefficiencies, and speeding up response and operations center capabilities.

To prove out our research, we developed an approach leveraging orchestration of cyber architectures and open-source IR tools. Taking into account the limited use of automation, we measure and contrast capabilities in human-driven versus automated incident response processes. Specifically, our solution automatically confirms alerts/events (typically analyzed manually), correlates events likely associated with an incident, and determines scope and context of potential breaches.

While our proposed automated capability may not comprehensively analyze all complex incidents with the highest degree of accuracy, it abstracts and automates processes/tasks typically considered mundane by swamped analysts or responders and further hunts for threats associated with the incident across a network. Machines and intelligence can't solve everything, while qualified human analysts don't scale. As such, IR teams are best served by having automated generation and prioritization of analytics and insights (actionable to humans), as opposed to having responders determine how to best crunch data while attempting to mitigate an incident.

An automated IR capability is most suitable for Security Operations Center (SOC) teams that encounter large swaths of security alerts frequently, have (relatively mature) IR processes, seek to ask more questions of data received, and adopt a more proactive detection, triage, and response capability.

Presented By

Elvis Hovor  &  Mohamed El-Sharkawi

Backslash Powered Scanning: Hunting Unknown Vulnerability Classes

Existing web scanners search for server-side injection vulnerabilities by throwing a canned list of technology-specific payloads at a target and looking for signatures - almost like an anti-virus. In this presentation, I'll share the conception and development of an alternative approach, capable of finding and confirming both known and unknown classes of injection vulnerabilities. Evolved from classic manual techniques, this approach reaps many of the benefits of manual testing including casual WAF evasion, a tiny network footprint, and flexibility in the face of input filtering.

True to its heritage, this approach also manages to harness some pitfalls that will be all too familiar to experienced manual testers. I'll share some of the more entertaining findings and lessons learned from unleashing this prototype on a few thousand sites, and release a purpose-built stealthy-scanning toolkit. Finally, I'll show how it can be taken far beyond injection hunting, leaving you with numerous leads for future research.

Presented By

James Kettle

Breaking BHAD: Abusing Belkin Home Automation Devices

In 2013 and 2014 several high profile vulnerabilities were found in Belkin's WeMo line of home automation devices. Belkin not only patched most of those vulnerabilities, but also maintains a very regular update cycle, which makes them one of the more responsive players in the IoT space. Therefore, we thought it would be interesting to revisit this line of IoT products to see how we could break or abuse them. What we found are multiple vulnerabilities in both the device and the Android app that can be used to obtain a root shell on the device, run arbitrary code on the phone paired with the device, deny service to the device, and launch DoS attacks without rooting the device.

The talk will walk through the details of heap overflow, SQL injection, and code injection zero days, as well as their associated exploits. We will also introduces a new technique for achieving code execution via SQL injection into a SQLite database on an embedded device. The talk will conclude with demonstrations of rooting a WeMo device and injecting code into the WeMo Android app from a WeMo device. That's right, we will show you how to make your IoT hack your phone.

Presented By

Scott Tenaglia  &  Joe Tanen

Breaking Big Data: Evading Analysis of the Metadata of Your Life

You are under surveillance. We all are. If you're targeted by a government, nothing you can do will save you. But even if you aren't, the metadata of your life is being gathered and stockpiled by collection capabilities that even Orwell couldn't have imagined, and it's not just being done by governments. The big data industry is rapidly growing and may soon be on par with NSA-style mass surveillance, but with a different goal: to learn everything they can about you in order to sell your information, and sell you the next new thing.

Encryption is only half the battle. Your metadata is often more valuable than your data. Every route you drive, every social media post you make, every aisle you visit in the grocery store, every email, every check-in, and every site you browse is being collected and correlated. The intelligence community calls this pattern-of-life analysis, and there's not much you can do to prevent it. Hiding behind seven proxies won't protect you from Google, the NSA, or the app on your phone with global permissions. This complete erosion of privacy impacts every one of us, and there is a complete lack of transparency around this.

In this talk, a former NSA professional will cover a variety of the techniques used by the mass surveillance industry to analyze an individual's metadata and develop a profile of you, your activities, your affiliations, and what you are likely to buy next. Techniques that can be used to prevent selected activities from being associated with your true persona will be covered, with a focus on making your true persona blend in with the masses.

Presented By

David Venable

Bypassing Clang's SafeStack for Fun and Profit

SafeStack, a new compiler feature currently only available in clang[1] and underway for GCC[2], protects return addresses on the stack from being overwritten through memory vulnerabilities. SafeStack (-fsanitize=safe-stack) is intended to replace the stack cookies (-fstack-protector). It separates the data and the return addresses on the original stack, and puts the former in the unsafe stack and the latter in the safe stack. We investigate the implementation of the safe stack to see if there are still ways to get to it and overwrite the return addresses.

In this presentation we show implementation issues that allow an attacker to get to the safe stack. In addition, we demonstrate two new fundamental strategies to efficiently find the safe stack, namely through Thread Spraying and allocation oracles. Thread Spraying is a technique to force the application to spawn many safe stacks and to reduce the entropy of the safe stacks significantly. With allocation oracles we can determine the sizes of the unallocated holes in the address space and as such the distance from the known regions to the hidden regions.

[1] http://clang.llvm.org/docs/SafeStack.html
[2] https://gcc.gnu.org/ml/gcc/2016-04/msg00083.html

Bypassing Secure Boot Using Fault Injection

More and more embedded systems implement Secure Boot to assure the integrity and confidentiality of all software executed after power-on reset. These implementations are bypassed using logical flaws, for example as shown in the following iPhone boot ROM exploits: SHAtter [1] and limera1n [2]. However, the early stages of Secure Boot (i.e. ROM or 1st stage bootloader) are often of insignificant size and therefore logically exploitable vulnerabilities are not guaranteed to be present. In such situations, other attacks may be used to exploit the embedded system. An example of such an attack is Fault Injection, which works by injecting faults into the target to change its intended behavior. The early stages of Secure Boot are executed in a privileged context and therefore interesting to gain control of before mounting other attacks compromising the target's assets (e.g. encryption keys, code, data, privileged access).

The community has produced various papers and presentations about Fault Injection and Secure Boot. Some notable examples are: Exide's talk at Recon 2014 [3] and Brett Miller's talk at Blackhat Europe 2015 [4] cover the principles of Fault Injection. Also, Colin O'Flynn's continuous efforts show casing his open source Fault Injection test bench: Chip Whisperer [5][6]. Job de Haas' presentation at HITB 2013 [7] details the complete, but high level, attack surface of Secure Boot.

This talk starts with a brief introduction to both Secure Boot and Fault injection which form the foundation of the rest of the talk. For example, we will introduce the different Fault Injection techniques and briefly describe the characteristics. But we refrain from describing Fault Injection attacks in detail as these are already covered by the community. As this talk builds upon the efforts produced by the community, we go into greater detail about different strategies to bypass Secure Boot.

The Fault Injection attack surface of Secure Boot implementations is determined by the specifics of their design and implementation. Using a generic Secure Boot design we detail multiple vulnerabilities (~10) using examples in source code, disassembly and hardware. We will determine what the impact is of the target's design on its Fault Injection attack surface: from high-level architecture to low-level implementation details. We will consider: dedicated peripherals (e.g. DMA), enforced decryption of the software, specific code constructs, fault injection countermeasures, compiler optimizations and the instruction set. Based on those considerations we describe novel attack strategies, including a combination of fault injection and software exploitation.

Additionally, we provide insights on how to overcome challenges (timing, target modification, glitch shape, etc.) faced when performing Fault Injection attacks on high speed feature rich System on Chips (SOC) such as those found in smart phones.

The practicality of voltage Fault Injection attacks on a fast (~1 GHz) and feature rich system on chip (SOC) is demonstrated using two live demos:
1. Fault injection demo 1: target characterization
2. Fault injection demo 2: bypassing Secure Boot

We conclude this talk with an overview of good and bad practices when implementing software and hardware countermeasures against fault injection. These can be used by the developers of Secure Boot implementations to minimize the risk of Fault Injection attacks.

[1]: https://www.theiphonewiki.com/wiki/SHA-1_Image_Segment_Overflow
[2]: https://www.theiphonewiki.com/wiki/Limera1n
[3]: https://recon.cx/2014/slides/REcon2014-exide-Glitching_For_n00bs.pdf
[4]: https://www.blackhat.com/docs/eu-15/materials/eu-15-Giller-Implementing-Electrical-Glitching-Attacks.pdf
[5]: https://www.cosade.org/cosade14/presentations/session9_c.pdf
[6]: https://www.blackhat.com/us-14/training/advanced-embedded-hardware-hacking-power-analysis-and-glitching-with-the-chipwhisperer.html
[7]: https://conference.hitb.org/hitbsecconf2013kul/materials/D2T3%20-%20Job%20de%20Haas%20-%2020%20Ways%20Past%20Secure%20Boot.pdf

Presented By

Niek Timmers  &  Albert Spruyt

Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums

Cyber criminals, hacktivists, and the occasional state actor tend to congregate in underground forums and come in many forms - in clear, deep, and dark web, focused geographically and linguistically, and focused by areas - carding, reverse engineering, hacking, etc.

In this presentation we analyze a very large corpus of forum posts from surface and deep web spanning more than 3 years - including forums originating in the United States, Russia, Palestine/Gaza, Ukraine, Iran, China (in local language), etc. Based on this corpus we establish a series of patterns of actor behavior that can be used for targeting illicit behavior and actors, establish research pivot points, and detect actor focus on products, technologies, and vulnerabilities.

The analysis will lay out techniques for how to analyze forum and actor behavior based on meta data analysis, without detailed human analysis of individual messages/posts. We will demonstrate how we can use the below techniques to establish patterns both inside and across forums (tracking actor traversals of the web), and crossing boundaries of clear/deep/dark web.:

  • Natural language processing
  • Temporal pattern analysis
  • Social network analysis, etc.

Presented By

Christopher Ahlberg

Code Deobfuscation: Intertwining Dynamic Static and Symbolic Approaches

Over the years, obfuscation has taken a significant place in the software protection field. The term generally embraces any mean aiming at slowing down the analysis of a program, either by an analyst or an automated algorithm. As such, it has gained a certain popularity in the video-game industry. Unfortunately, it has also gained popularity in the malware underground ecosystem, leading to the need of deobfuscation techniques. The only property that should be preserved by obfuscation is the semantic of the program, i.e. its behavior. Hence, in the broadest sense, deobfuscation is the mean to make the behavior of the malware more intelligible, taken as a fact that recovering the original program is impossible in the general case. The first step toward understanding a binary program is to disassemble it in order to obtain a good representation of its Control-Flow Graph (CFG). As a consequence, obfuscation techniques (also) aim at fooling existing disassembly tools and techniques. Standard obfuscations usually target either static analysis (CFG flattening, self-modification, etc.) or dynamic analysis (anti-debugging tricks, VM detection or runtime monitoring). Thus, taking advantages of different approaches might become essential to handle obfuscated codes. While static analysis cover the whole program but is quickly fooled by obfuscations such as self-modification, dynamic analysis helps getting a real execution trace of the program but is limited to one or a few execution paths. In between, dynamic symbolic execution (DSE) -- aka concolic execution -- helps covering more new paths in the program using symbolic values and automatic solvers. This technique has already been fruitfully applied for various purposes such as test generation [1], vulnerability discovery [2] and more recently deobfuscation [3]. Unfortunately, the main problem is that it hardly scales on large obfuscated codes.

We show in this talk how to combine in a successful way several disassembly techniques -- namely dynamic analysis, several state-of-the-art variants of symbolic execution and static analysis, in order to help recovering a more precise CFG of the obfuscated code under analysis. Especially, dynamic analysis brings robustness to tricky obfuscations such as self-modification, variants of symbolic executions can answer both feasibility and infeasibility queries arising during the deobfuscation process, and standard static analysis can be guided in a safe way to extend the disassembly. These analyses are implemented in the open-source framework BINSEC. They are articulated around three components: * BINSEC/SE: the core dynamic symbolic engine * Pinsec: a Pin-based dynamic instrumenter * IDASec: an IDA plugin allowing to lift analysis data into IDA, making them straightly usable for the reverse-engineer.

This talk will explain in detail the method and how it is implemented in BINSEC. Practical examples will focus on the detection of opaque predicates and call stack tampering, with case-studies based on Tigress, o-llvm and several commercial packers. The end goal is to empower the reverse-engineering by giving the analyst semantic information about the program such as obfuscation in order to hold all the cards in hand for a better and deeper understanding of the binary being analyzed.
[1] {BHUSA2014} Contemporary Automatic Program Analysis. Julian Cohen
[2] {RECON14,HITB14, Shakacon2014} Fuzzing and Patch Analysis SAGEly Advice. Richard Johnson
[3] {CCS15} Symbolic Execution of Obfuscated Code. Babak Yadegari, Saumya Debray

Presented By

Robin David  &  Sébastien Bardin

CTX: Eliminating BREACH with Context Hiding

The BREACH attack presented at Black Hat USA 2013 still has not been mitigated, despite new developments and optimizations presented at Black Hat Asia 2016. This class of attacks presents itself in all practical web applications which use compression, together with encryption, and has not been fixed in even the most recent versions of TLS 1.3.

In this talk, we present a generic defence method which eliminates compression-detectability features of existing protocols. We introduce CTX, Context Transformation Extension, a cryptographic method which defends against BREACH, CRIME, TIME, and generally any compression side-channel attack. CTX uses context hiding in a per-origin manner to separate secrets from different origins in order to avoid cross-compressibility. In this talk, we will show a demo of the defence and illustrate how it eliminates the attack implemented in Rupture. We will release an open source implementation of CTX in popular web frameworks both for client-side and server-side web applications. Our implementation runs at the application layer, is opt-in, and does not require modifications to web standards or the underlying web server.

Cyber Judo: Offensive Cyber Defense

In this talk, we will show how defenders can take a few pages out of the attackers' book in order to better protect their organization against advanced, targeted attacks.

Cyber-attacks and defenses are commonly considered to be very different, or even orthogonal, disciplines. However, these allegedly disperse disciplines have many common aspects, and can use each other methods. In fact, attackers have long been using defensive techniques in their offense in order to make it more successful. Most notably, the more aware attackers are encrypting their network attacks to escape the eyes of defensive monitoring systems. It's time for defenders to rise up and respond by using attackers' methods against them.

Some of the defensive "offensive" methods we would discuss in out talk includes:

  • Using the attacker's technique of injecting Kerberos errors, in order to gracefully mitigate attacks against authentication such as Over-Pass-the-Hash and Pass-the-Ticket
  • Leveraging on the attackers' internal network reconnaissance methods to pin-point identify attackers in real-time
  • Taking advantage of a known encryption vulnerability in NTLM in order to identify attackers Brute-Force attacks

Presented By

Tal Be'ery  &  Itai Grady

Detach Me Not - DoS Attacks Against 4G Cellular Users Worldwide from your Desk

Ever since the public revelation of global surveillance and the exploits targeting the mobile communication backend, the general awareness of security and privacy in telecommunication industry has increased. Misusing the technical features of mobile core network technology - specifically the Signaling System 7 (SS7) - has disclosed numerous ways to locate, track and manipulate the routine cellular activities of cellphone users. In fact, the SMS-based key recovery mechanism becoming vulnerable because of the SS7 vulnerabilities.

Many mobile network operators rush to upgrade their networks to 4G/LTE from 2G and 3G, not only to improve the service, but also the security. With relatively more security and privacy features, Diameter protocol - the successor of SS7 in Long Term Evolution (LTE) networks are believed to guarantee more protection to the network itself and to the end-users. However, Diameter inherits many functionalities and traits of the SS7 network. Therefore, some attacks are also possible there e.g. location tracking in LTE by abusing the Diameter-based interconnection.

In this talk, we dig deeper into the Diameter interconnection to uncover the Denial of Service (DoS) attacks to detach targeted mobile phone users from the network and disrupt the network nodes. We first discuss the current status of interconnection or mobile telephony core network security, followed by outlining several DoS attacks against targeted users and the LTE network itself. We discuss the practicalities of such attacks with the help of live/recorded demo, network logs and wireshark traces during this talk. Our proposed solution includes improvised measures in the interconnection edge nodes, proper security configurations in LTE networks and strategies for improvising filtering policies of firewalls that defend the system from roaming abuses.

Presented By

Dr. Silke Holtmanns  &  Bhanu Kotte  &  Siddharth Rao

DRAMA: How Your DRAM Becomes a Security Problem

In this talk, we will present our research into how the design of DRAM common to all computers and many other devices makes these computers and devices insecure. Since our attack methodology targets the DRAM, it is mostly independent of software flaws, operating system, virtualization technology and even CPU. The attack is based on the presence of a row buffer in all DRAM modules. While this buffer is of vital importance to the way DRAM works physically, they also provide an attack surface for a side channel attack. These side channel attacks allow an unprivileged user to gain knowledge and spy on anybody sharing the same system even when located on a different CPU or running in a different Virtual Machine. We will show that we can exploit this side channel even in the limited environment of a sandboxed JavaScript application despite the countermeasures implemented in modern browsers.

We will demonstrate the attack by sending data from a virtual machine without network hardware to the internet via the DRAM row buffer. The JavaScript library to exploit this attack vector will be made open source. Further these attacks enabled us to reverse engineer the complex addressing function of the CPU. This knowledge has real world implication for other software attacks on hardware, such as the row hammer attack. We will discuss how our finding led to moving the row hammer attack to DDR4 ram and how this research enabled other researchers to do software based fault injection attacks on cryptographic keys. We present an easy-to-use tool that can reverse engineer the CPUs addressing function fully automated. This tool is open source and can be used to reproduce the presented attacks, improve existing rowhammer-based attacks and to find new attacks.

Presented By

Michael Schwarz  &  Anders Fogh

Effective File Format Fuzzing – Thoughts Techniques and Results

Fuzzing, as a native software testing technique, is an extremely popular approach to vulnerability hunting in today's security field. The reasons are plenty: it is relatively easy to start with, features out-of-the-box tools which can be used with little to no development, only requires an initial time to set up, scales extremely well, and most importantly – often achieves good results against modern software. All of the qualities make fuzzing complementary to manual security reviews, if not replacing them altogether in some cases.

However, fuzzing also follows Bushnell's law, as it is "easy to learn, but hard to master." While it is trivial to flip bits in the input data and wait for programs to crash, it is similarly easy to forget that there is much more to it. The overall process consists of a number of stages, and the final outcome is a product of the effectiveness of all of them. In order to get the most out of fuzzing, it is necessary to answer many questions: How to generate or mutate the inputs? How to create an initial corpus of data? How to detect software failures? How to minimize the offending samples, and recognize unique bugs? How to deal with programs expecting user interaction, using data consistency checks, compression or encryption? The list goes on and on.

The aim of the talk is to address each question as comprehensively as possible, sharing the methods, ideas, measurements and algorithms we have developed during many years spent on fuzzing both open and closed-source software. The information will be supported by our corresponding results of two years of fuzzing FreeType, Wireshark, Hex-Rays IDA Pro, Adobe Reader, Adobe Flash Player and the Windows kernel (among other software), for a total of over 130 vulnerabilities fixed in a wide range of commits and bulletins. We will demystify fuzzing as a black box technique that "just works" regardless of the technical details, and show how each of its parts can be taken apart and optimized for maximum performance, enabling us to find new waves of bugs in mature code bases which could have been previously thought of as fuzz-clean.

Presented By

Mateusz Jurczyk

EGO MARKET: When People's Greed for Fame Benefits Large-Scale Botnets

Want to give your blog a push or your "gun show" more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Game over Zeus will be more than happy to supply them for you. For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet dubbed Linux/Moose 2.0 that conducts social media fraud. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spread and operated. To do so, we performed an HTTPS man-in-the-middle attack to decrypt its traffic. This gave us an impressive amount of information on the botnet's activities: the name of the fake accounts it uses, its modus operandi to create fake followings and the identification of its consumers, companies and individuals.

This talk will be of interest to a wide audience. First, it will present the elaborate methodology that was used to infect custom honeypots with Linux/Moose 2.0 and led to contributions to the open-source Cowrie Honeypot Project. Second, it will describe the technical details behind the man-in-the-middle attack conducted to decrypt the traffic. Analyses from the decrypted traffic will be presented: what's the botnet's sneaky modus operandi to create fake endorsement and what sly techniques it uses to avoid detection. The presentation will further increase its draw by placing the botnet's activities within a larger-scope: the criminal market for social media fraud. With the data gathered from the decrypted traffic and open-source research, market dynamics behind social media fraud will be presented. Finally, we will cover how botnet operators, wholesalers and online merchants leverage each other to create a criminal market that easily supports money laundering.

Flip Feng Shui: Rowhammering the VM's Isolation

We show how an attacker virtual machine (VM) can induce Rowhammer bit flips over memory used by another VM on the same host even under strong hardware-enforced memory isolation in a "fully controlled way". In many cloud settings, memory deduplication is used to reduce the memory footprint of VMs significantly by keeping a single copy of multiple memory pages with the same contents. The memory deduplication process scans the memory periodically to find memory pages with the same contents, then keeps one copy in the physical memory (i.e., the primary page) and releases the copies to the system. We show that by guessing the contents of a target page in a victim VM, an attacker VM can easily control the primary page, or in other words, the location of the victim's memory page on physical memory. By placing the victim page on a physical memory location with the right vulnerable bit offset, determined in the first stage of our exploit, we can perform a reliable and deterministic Rowhammer across VMs. We used this new technique, named flip feng shui, to corrupt the page cache of a victim VM hosting RSA public keys. We exemplify end-to-end attacks (a) breaking OpenSSH public-key authentication, thereby allowing remote OpenSSH access using a newly generated private key, and (b) forging GPG signatures from trusted keys, thereby compromising the Ubuntu/Debian updating mechanism, all without relying on any software vulnerability. Unlike other Rowhammer-based cryptographic fault attacks, ours is quite practical: it does not make any assumption on the environment nor requires the knowledge of the CPU's memory addressing function. We discuss practical defenses against flip feng shui attacks at the end.

Presented By

Kaveh Razavi  &  Ben Gras  &  Erik Bosman  &  Bart Preneel  &  Cristiano Giuffrida  &  Herbert Bos

Ghost in the PLC: Designing an Undetectable Programmable Logic Controller Rootkit

Programmable Logic Controllers (PLCs) are a family of embedded devices used for physical process control. Similar to other embedded devices, PLCs are vulnerable to cyber attacks. Because they are used to control the physical processes of critical infrastructures, compromised PLCs constitute a significant security and safety risk. In this research, we investigate attacks against PLCs from two different perspectives. We show how to circumvent current host-based detection mechanisms applicable to PLCs by avoiding typical function hooking or modifying kernel data structure. We then introduce a novel attack against a PLC that allows the adversary to stealthily manipulate the physical process it controls by tampering with the device I/O at a low level. The attack is feasible due to lack of hardware interrupt on the PLC's SoC and intensified by Pin Control subsystem inability for hardware level Pin Configuration detection. Our study is meant to be used as a basis for the design of more robust detection techniques specifically tailored for PLCs.

Presented By

Ali Abbasi  &  Majid Hashemi

GPU Security Exposed

GPUs are found in millions of devices, allowing for stunning imagery to be generated on phones, tablets, and televisions. However, if we take a deeper look at how GPUs are programmed, the overall picture becomes much more bleak. GPUs directly accessing CPU memory, sensitive images not being cleared from graphics memory, and thin graphic APIs wrapping vendor specific implementations paint a darker picture. Recently discovered privilege escalation and DoS vulnerabilities uncovered by NCC Group will be discussed. These vulnerabilities affect many popular devices.

Presented By

Justin Taft

How to Fool an ADC Part II or Hiding Destruction of Turbine with a Little Help of Signal Processing

We live in the analog world but program and develop digital systems. The key element connecting these two worlds is ADC (analog-to-digital converter), small integrated circuit (IC) that transforms physical variable (amperage or voltage) into a bunch of bytes. Most modern systems that interact with real world (like embedded systems, industrial control systems (ICS) and even a kettle in your kitchen) make decisions based on the value that has been received from ADC. Thus, it is important to use ADC and interpret its data correctly. Ignoring this fact, especially in the ICS and embedded world, could lead to decreasing safety of the process, and in the worst case, to the catastrophic conditions.

Let's look at the ADC mechanisms from security perspective. Imagine that you have an ADC that monitors state of some analog process (e.g. industrial controller sending analog signal to the motor or turbine to change its speed or some other parameter). This ADC could be inside safety system that will shutdown motor in case of incorrect signal value. Will it be possible to generate such analog signal that will be misinterpreted by safety system? For example, could we supply signal that causes vibration issue in the motor or turbine (and will destroy it after some time), but is treated as a correct plain signal (e.g. constant 5V) by the safety ADC? In the previous research, we have proven that it is possible (at least with Successive approximation ADC). However, the most-popular industry type of the ADC is sigma-delta.

In this talk, we will focus on its features, "design vulnerabilities" and attacks leading to the misinterpretations of the analog signal. Various exploit signal variants and crafting methods will be shown; we will review some of the popular "industry standard" ADC behaviors in case of such attacks. Also, we will discuss attack scenarios in the areas of ICS, embedded and radio-frequency systems. The talk will be concluded with possible consequences and mitigations.

Presented By

Alexander Bolshev  &  Gabriel Gonzalez

I Know What You Saw Last Minute - The Chrome Browser Case

Every day, hundreds of millions of Internet users view videos online - in particular on mobile phones whose numbers are clearly going to increase. Currently, most of the video streaming web sites including YouTube are using HTTP Adaptive Streaming (HAS). Dynamic Adaptive Streaming over HTTP (DASH) is de facto standard method for HAS. In DASH, each quality representation is encoded in to variable bit rates (VBRs). VBR vary the amount of output data per time segment and does not attempt to control the output bit rate of the encoder, so that the distortion will not vary significantly. DASH often uses HTTP byte range mode. In this mode, the byte range of each segment request can be different. This depends on the client's network conditions and playout buffer levels. Previous research has shown that information can be extracted from multimedia streams. Saponas et al. uncovered security issues with consumer electronic gadgets that enables information retrieval such as video titles classification. So if it has already been done, what's new?

Since these works have been conducted, there have been several changes in video traffic over the internet:

  • Adaptive byte range selection over HTTP - This means that a single title download from the same quality will look different each time.
  • VBR adaptive streaming with multiple representation layers - Each title can be represent by multiple quality without explicit order. HTTP version 2 - new secure and HTTP multiplexed session network protocol makes the classification much more difficult.

This paper presents an algorithm for encrypted HTTP adaptive video streaming title classification. By Exploiting the HAS multi bit-rate encoding, data mining, network reverse engineering and machine learning, we demonstrate that current network encryption efforts are not enough in order to protect user content anonymity and their viewing titles can be recognized. We evaluated our algorithm on a new YouTube popular videos dataset that was collected from the internet under real-world network conditions. Our algorithm's classification accuracy is 98%.

Presented By

Ran Dubin

Inside Web Attacks: The Real Payloads

When serious vulnerabilities like ShellShock or ImageTragick are revealed, the announcement is often accompanied by PoC code. But what are the real payloads that attackers attempt to use when exploiting these vulnerabilities? Seeing the real payloads people use is often very difficult, but CloudFlare is in a unique position. By offering security services to over 4 million websites and detecting the exploitation of vulnerabilities like ShellShock or ImageTragick, we are able to see the actual payloads that attackers are using.

Presented By

John Graham-Cumming

Locknote: Conclusions and Key Takeaways from Black Hat Europe 2016

At the close of this year's conference, join Black Hat Founder Jeff Moss and members of the esteemed Black Hat Review Board for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of Black Hat Europe and how these trends will impact future InfoSec strategies.

Presented By

Jeff Moss  &  Sharon Conheady  &  Daniel Cuthbert  &  Chris Wysopal

Mobile Espionage in the Wild: Pegasus and Nation-State Level Attacks

This briefing will take an in-depth look at the technical capabilities of mobile attacks that are being leveraged against real targets for the purpose of espionage. We will focus on Pegasus, a lawful intercept product, and the features and exploit chain it used. We will describe how we discovered and tracked the developer's infrastructure prior to the attack, and how we later caught a sample of the elusive malcode being used against a prominent human rights defender. This spyware is professionally developed and highly advanced in its use of 0days, obfuscation, encryption, function hooking, and ability to go unnoticed. We will detail the technical features of the exploit chain including the analysis of various 0day vulnerabilities that the toolkit was using. We will also look in-depth at how this espionage software utilizes remote jailbreaks and backdoors to embed itself into the device. You will learn all of the technical details about this attack and also how to take steps to defend yourself against similar attacks. You will also gain valuable insight into how researchers identify and track sophisticated, nation-state level malware that targets high risk groups (e.g. human rights organizations, corporations, etc).

Presented By

Max Bazaliy  &  Seth Hardy  &  Andrew Blaich

Narcos Counterfeiters and Scammers: An Approach to Visualize Illegal Markets

Counterfeiting is a global issue - one that has become even more complex as this illegal activity has moved online. Cybercriminals create thousands of websites round-the-clock - at almost no cost - as part of their digital marketing strategy to lure unsuspecting shoppers. These fraudsters often stay one step ahead of law enforcement's countermeasures by using false identities and proxies to buy domain names in multiple countries. They are able to react quickly to takedown efforts. If need be, they can set up replacement websites within minutes thanks to an architecture of backup servers.

To prevent scams or abuses, some typically monitor domain registrations and watch for new domain names. This way they hope to identify websites that could, in the future, be host to malicious activity. Unfortunately, this approach has several limitations that we will spell out in our presentation. For instance, the data source used – TLD zonefiles mainly – does not disclose subdomains when some potentially harmfull websites are hosted there. At the contrary, DNS requests disclose fully qualified domain names.

In "Narcos, Counterfeiters and Scammers: An Approach to Visualize Illegal Markets," Andrew Lewman and Stevan Keraudy will present their new research which offers a more effective approach based on the analysis of billions of DNS requests that goes far beyond traditional zonefile studies.

We will share our methodology, which includes an automatic detection, analysis and clustering of illegal websites in order to find relevant information on fraudsters and their online strategy. For a given example, we filtered data from over a billion DNS cache miss requests a day to a few thousand counterfeit websites. Among those, we identify several hundred of domain names that belong to the same illegal organization. We will present our results during the talk. To illustrate our method, we will present use cases on counterfeiters, narcos and scammers networks.

Presented By

Andrew Lewman  &  Stevan Keraudy

Pocket-Sized Badness: Why Ransomware Comes as a Plot Twist in the Cat-Mouse Game

While we have grown accustomed to stealthy malware, specifically written to gain and maintain control of the victim machines to abuse their resources, ransomware really comes as a "plot twist!" After 10+ years of stealthy malware, spread mainly for building botnets and steal information, for the second time we're witnessing a growth of disruptive malware, and an interest for direct and fast profit. Ransomware is a particularly striking example of disruptive malware, both on mobile and desktop targets: While traditional mass malware must fly under the radar to fulfill its goals, a ransomware attack that remains unaccountable has failed miserably. It must show up to inform and frighten the victim! As a result, the human psychological response to the attack plays a significant role in the success of ransomware schemes. And, given the remarkable revenue, the scheme seems to be working fairly well.

This talk will describe the technical impact of disruptive malware and its game-changing approach, which made us (at least) rethink our incident-response plans. We will focus on mobile ransomware as a representative, extreme case study. Albeit not very studied, we are currently tracking 10 distinct families, and collected tenths of thousands distinct samples in three months. In this talk, we will go through the most notorious families such as Koler, SLocker, Svpeng (and mention the other notable ones), overviewing their social-engineering tricks and how they are technically implemented. This will include, for instance, how an app can effectively lock a device to forcefully display the typical threatening message that informs the victim of what just happened, or how crypto and file-system APIs are (ab)used to surreptitiously encrypt the valuable data.

After having overviewed these aspects, we will describe how they can be effectively detected with specific static features. We will present a lightweight Smali emulator to track the instruction sequences that implement device-locking mechanisms. To detect malicious encryption attempts, we will present a static, dataflow-based program-analysis technique and tool that track file-system operations (e.g., file listing, file reading) to determine if they are "connected" to encryption flows. Since the most recent families have started to abuse the device-administration API (e.g., to lock the device), obfuscated method names and reflection to hinder automatic static analysis, we will show a couple of counter-tricks.

Last, we will show how the threatening messages can be recognized from normal text using a language-analysis technique, which classifies text based on the appearance of key terms frequently found in ransomware samples but not in benign sources. Since static program-analysis approaches like ours can be time and resource consuming, we describe a fast triaging pre-filtering technique to quickly discard strikingly benign applications. This filter is generic and ransomware-agnostic. Thus, in principle, it could be applied to any app-vetting pipeline. With this talk we will release the source code of a prototype that implements (part of) the described techniques, and a dataset comprising tenths of thousands of ransomware applications targeting the Android platform, each labeled with the set of features that characterize their statically-extracted behavior.

Presented By

Federico Maggi  &  Stefano Zanero

Randomization Can't Stop BPF JIT Spray

Linux Berkeley Packet Filters (BPF) is a mechanism that was originally introduced in Linux kernel 2.5 as a way to perform fast line-speed filtering of network packets. In Linux kernel 3.0 a Just-In-Time (JIT) compiler was added, effectively transforming it into a general-purpose mechanism to safely support interpreted code injected into a Linux kernel. In fact, it has been even called the "universal in-kernel virtual machine" [1]. Nowadays BPF usages are not limited just by packet filtering, but are also used in mechanisms such as seccomp [2], various tracepoints [3] and others, making it an attractive target for an attacker. The original JIT-spray attack against BPF JIT compiler was first described in 2012 [4] with the proof of concept implementation available [5]. It used the ability to pass the exploit payload as constants in BPF instructions and the fact that filter address was relatively easy to guess given enough filters loaded in the kernel. After that the upstream kernel merged patches that addressed the attack by randomizing the load offset of a filter. However, this didn't remove the actual problem (possibility of providing payload in BPF instructions) but only stopped the original proof of concept code from working. It was thought that this is a sufficient mitigation to the attack because the difficulty of guessing the correct load offset was very high.

This talk will present a modified proof of concept code [6] that demonstrates the possibility of successful BPF JIT-spray attack on the 4.4 upstream Linux kernel. The idea of the modification is to create long enough filters to make sure they spawn beyond one memory page and render the payload in a way that random jumps to page start with a small offset search is enough to guess the payload address. The attack was first announced on Linux kernel-hardening mailing list in march this year and got a considerable attention in the grsecurity forum post [7] and LWN front page [8].The kernel patches that address this attack were merged to upstream kernel [9] and expected to appear for 4.7.

[1] https://lwn.net/Articles/599755/
[2] https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
[3] https://lwn.net/Articles/632686/
[4] http://mainisusuallyafunction.blogspot.fi/2012/11/attacking-hardened-linux-systems-with.html
[5] https://github.com/kmcallister/alameda
[6] https://github.com/01org/jit-spray-poc-for-ksp
[7] https://forums.grsecurity.net/viewtopic.php?t=4463&p=16260#p16260
[8] https://lwn.net/Articles/686098/
[9] http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=4f3446bb809f20ad56cadf712e6006815ae7a8f9

Presented By

Elena Reshetova  &  N. Asokan  &  Filippo Bonazzi

Real-World Post-Quantum Cryptography: Introducing the OpenQuantumSafe Software Project

Almost all of the widely-used cryptography on the internet will be broken or substantially compromised by large-scale quantum computers. It is also true that anything that ever has been - or will be - sent over a network using vulnerable cryptographic algorithms can be subject to storage and later decryption once a quantum computer becomes available. As a consequence, a global movement toward developing quantum-resistant cryptography has begun. In this presentation, I demonstrate the world's first open-source library offering a full range of secure implementations of quantum-safe cryptographic algorithms, as well as key benchmarks, challenges to integration, and forthcoming protocol upgrades and software contributions resulting from our work.

Presented By

Jennifer Fernick

Rooting EVERY Android: From Extension to Exploitation

These years, Keen Lab of Tencent (formerly known as the Keen Team), worked on various Linux kernel bugs and applied some of them to Android devices for rooting. Rooting latest Android devices is more and more interesting and challenging in 2016. With SELinux being enforced more strictly, not many attack surfaces in kernel can be accessed by local user on Android. So, currently Linux Wireless-Extensions(WEXT) IOCTL is a really awesome attack surface in Android kernel. An Android application is able to invoke WEXT IOCTL interface via socket, and escalate privilege with WEXT-related kernel vulnerability. SELinux will not deny these kind of invoking.

Normally, a Wireless-Extension on Android is implemented by Wi-Fi chipset vendor as a Linux kernel module. There are multiple chipsets available for Android devices, so different Android phone may have different implementation of WEXT. Broadcom Wi-Fi chipset is used on Google Nexus 6p, Huawei Mate 8, Samsung Galaxy and many other premium-end smartphones. Mediatek device always have its own Wi-Fi chipset. The rest of the devices, like Nexus 5x and Nexus 7, use Qualcomm chipset. We've found several different kernel bugs in every mentioned implementations of Linux WEXT on Android. With these vulnerabilities, we can gain root privilege on every Android device, no matter what Wi-Fi chipset it has.

In this talk, we will not only introduce how to audit source code of WEXT on Android but also give three case studies of exploiting local privilege escalation vulnerabilities found in Broadcom, Qualcomm and Mediatek's implementation of WEXT.

The first case study is exploiting a stack overflow vulnerability in Qualcomm WEXT, which requires building a special JOP chain to bypass PXN restriction in ARM64 Linux kernel. Only X19~X2n registers can be controlled when the overflow is triggered, so finding proper JOP gadgets to achieve kernel code execution is a challenge.

The second case study is exploiting a data/BSS overflow vulnerability in Mediatek WEXT, which requires controlling PC by overwrite a function pointer in data section. The offset of function pointer is unknown, so another info leak vulnerability in WEXT will also be introduced here. This exploit doesn't need any hardcoded kernel symbol to gain root on most of Mediatek devices.

The third case study is exploiting a use-after-free vulnerability in Broadcom WEXT; it requires two threads race into a kernel function in the same time to trigger a use-after-free issue due to race conditions. So we have to refill the freed object in very short time. Spraying kernel heap stably and quickly is a big challenge. Another interesting point of this case is that attacker (an untrusted application) need to ask 'system_server' process to trigger that UAF vulnerability in kernel via binder IPC.

In summary, this presentation offers all exploitation techniques about rooting Android with mentioned WEXT vulnerabilities. Some ideas (e.g. the method of kernel heap spraying on Android) that have never been discussed before.

Presented By

Di Shen  &  Jiahong (James) Fang

Signing Into One Billion Mobile App Accounts Effortlessly with OAuth2.0

OAuth2.0 protocol has been widely adopted by mainstream Identity Providers (IdPs) to support Single-Sign-On services. Since this protocol was originally designed to serve the authorization need for 3rd party websites, different vulnerabilities have been uncovered when adapting OAuth to support mobile app authentication. To the best of our knowledge, all the attacks discovered so far, including BlackHat USA'16 [3], CCS'14 [2] and ACSAC'15 [7], etc, require the interactions with the victim, for example via malicious apps or network eavesdropping, etc. On the contrary, we have discovered a new type of widespread but incorrect usages of OAuth, which can be exploited remotely by an attacker to sign into a victim's mobile app account without any involvement/ awareness of the victim. The root cause of this vulnerability is a common, but misplaced trust in the authenticating information received by the 3rd party app's backend server from its own client-side mobile app, which in turn, relies on potentially tampered information obtained from the client-side mobile app of the IdP.

To confirm the widespread nature of the vulnerability, we have developed an exploit for this new vulnerability among three top-tier IdPs which support SSO services for many 3rd party mobile apps and serve billions of registered users worldwide. Our empirical findings are alarming: on average, 46.26% of the mobile apps under test are found to be vulnerable to the new attack. Our incomplete list of vulnerable applications include top-ranked mobile apps for travel planning, hotel-reservation, personal-finance-management, private-chatting, dating-service, online-shopping, video/music streaming etc. The total number of downloads for our incomplete list of popular but vulnerable apps already exceeds 2.4 billion. As such, a massive amount of extremely sensitive personal information is wide-open for grab as a result of this vulnerability. For some of the vulnerable apps, the online-currency/ service credits associated with the victim's mobile app account are also at the disposal of the attacker. Although our current attack is demonstrated over the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of the vulnerable mobile app is affected as long as he/ she has used the OAuth2.0-based SSO service with the app before. It is therefore urgent for the various affected parties involved to take immediate preventive and remedial actions when implementing OAuth2.0-based SSO services for mobile applications.

Presented By

Ronghai Yang  &  Wing Cheong Lau

Stumping the Mobile Chipset

Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80% of the chipsets in the Android ecosystem, has almost as much effect on Android's security as Google.

OEMs own some responsibility for low security standards, but the role of chipset manufacturers in the Android project is frequently underestimated. These manufacturers can have a devastating impact on the security of a mobile device. With the ubiquity of the Qualcomm chipsets used in Android devices, and the modifications that are made at the lowest-level in the Android project, a security breach in chipset code is often critical.

In this talk we will present the communication interfaces and protocols of hardware kernel modules. We will show how they work with each other and the security architecture of Qualcomm chipsets -- the most popular Android chipset -- upon which most of OEMs rely. We will show how a few minor cracks in this architecture can have dire effects.

Lastly, we will present multiple zero-day, privilege escalation vulnerabilities affecting most Android devices in the market today in multiple subsystems of Android's Linux kernel, all from code introduced by the chipset vendor. We will demonstrate an exploit for one of these zero-days which allows an attacker to completely compromise a device, running arbitrary code in kernel from any zero privileged application. The exploit dubbed 'Qualaroot,' is just one of the many severe vulnerabilities in Qualcomm's chipset code - used by all the flagship Android devices in the market.

Presented By

Adam Donenfeld

Talking Behind Your Back: Attacks and Countermeasures of Ultrasonic Cross-Device Tracking

Cross-device tracking (XDT) technologies are currently the "Holy Grail" for marketers because they allow to track the user's visited content across different devices to then push relevant, more targeted content. For example, if a user clicks on a particular advertisement while browsing the web at home, the advertisers are very interested in collecting this information to display, later on, related advertisements on other devices belonging to the same user (e.g., phone, tablet).

Currently, the most recent innovation in this area is ultrasonic cross-device tracking (uXDT), which is the use of the ultrasonic spectrum as a communication channel to "pair" devices for the aforementioned tracking purposes. Technically, this pairing happens through a receiver application installed on the phone or tablet. The business model is that users will receive rewards or useful services for keeping those apps active, pretty much like it happens for proximity-marketing apps (e.g., Shopkick), where users receive deals for walk-ins recorded by their indoor-localizing apps.

This talk will describe and demonstrate the practical security and privacy risks that arise with the adoption of uXDT-enabled systems. The uXDT technology has caught the attention of major companies (e.g., IDG Ventures, Google, Nestle, Dominos), many of which either invested in uXDT providers (e.g., SilverPush, Signal360, Audible Magic), or approached such companies as clients. Unfortunately, unbeknownst to the users, we found that numerous mobile applications, some with millions of downloads, include uXDT advertising frameworks that actively listen for ultrasounds, with no opt-out option for the users! Security experts and the authorities (e.g., the Federal Trade Commission) have promptly raised concerns about uXDT, but until now no comprehensive security analysis of the technology has been released.

In this talk, we will explore the uXDT ecosystem, dig into the inner workings of popular uXDT frameworks, and perform an in-depth technical analysis of the underlying technology, exposing both implementation & design vulnerabilities, and critical security & privacy shortcomings that we discovered. In the offensive part of our talk, we will demonstrate (through practical demo sessions) how an attacker can exploit uXDT frameworks to reveal the true IP addresses of users who browse the Internet through anonymity networks (e.g., VPNs or Tor). Moreover, we will describe how an attacker can tamper with the "pairing" process or affect the results of the advertising/bidding algorithms. For example, an attacker equipped with a simple beacon-emitting device (e.g., a smartphone) can walk into a Starbucks at peak hour and launch a profile-corruption attack against all customers currently taking advantage of uXDT-enabled apps.

In the defensive part of our talk, we will introduce three countermeasures that we designed, implemented, and will publicly release. These include (1) a mobile application that detects ultrasound beacons "in the air" with the goal of raising awareness, (2) a browser extension that acts as a personal firewall by selectively filtering ultrasonic beacons, and (3) an brand-new OS permission control in Android that allows applications to declaratively ask access to the ultrasound spectrum. We will go into the technical details and provide remediation advice useful both for the users and developers.

Towards a Policy-Agnostic Control-Flow Integrity Implementation

Control-flow integrity (CFI) is a general defense against code-reuse attacks. In theory, a CFI implementation mitigates control-flow hijacking by verifying that the control-flow transfer follows its legitimate path. However, CFI and its current implementations suffer from deficiencies with regard to either security or practicality: 1) they assume the extraction of a precise control-flow graph, which is not generally possible; 2) prior implementations have resulted in significant performance overhead; and 3) efficient software-based CFI implementations (e.g. Microsoft's Control-Flow Guard, GCC/LLVM's VTable Verification, Google's IFCC) often make concessions in the face of such performance limitations, weakening the policy's security.

To date, almost all "efficient" CFI defenses can be shown to be bypassable. Weakening the CFI policy to achieve improved performance, in one form or another, is the culprit. A signficant amount of research has been conducted to address this singular point. While prior work has demonstrated significant improvements on these fronts, no existing CFI countermeasure has been able to address a new class of stealthy adversaries that bend control-flow hijacking attacks around the CFI policy itself. These attacks maliciously mimick the behavior of an ideally protected CFI application.

To tackle these shortcomings, recent CFI defenses have begun to incorporate architectural or hardware/software co-design principles to strengthen the security guarantees of the defense. Intel has recently proposed its Control-flow Enforcement Technology (CET) along with the NSA and several research solutions. Much like past approaches, however, these systems are making concessions with the CFI policy to handle complex code contstructs, shared-libraries or multi-tasking, or otherwise improve the performance of the protected application.

We present a general-purpose, hardware-enhanced CFI scheme that tackles these issues and allows the enforcement of diverse CFI policies. We provide a detailed analysis of existing hardware-assisted CFI defenses and show that our solution is more secure, efficient, and scalable. We demonstrate how careful systems-software and architectural design considerations can address prior issues with CFI implementations. We will elaborate on a CFI platform that handles shared-libraries with compiler-supported ISA extensions, as well as incorporating features to handle multi-tasking and interoperation with legacy applications. Our evaluation includes a detailed analysis of known bypasses of existing CFI protected systems, both in software and hardware, aimed to highlight why past approaches have failed. We further demonstrate that our approach shows resilience to these attacks and CFI vulnerabilities. Finally, we evaluate our solution against compute-intesive workloads and show high efficiency.

Presented By

Dean Sullivan  &  Orlando Arias  &  Yier Jin  &  Ahmad-Reza Sadeghi

Use-After-Use-After-Free: Exploit UAF by Generating Your Own

This talk will introduce Use-After-Use-After-Free (UAUAF), a novel and relatively universal exploitation technique for UAF vulnerabilities in Adobe Flash. By leveraging a sequence of object occupations and releases, UAUAF can transform a UAF into a multi-class type confusion. Full memory access is gained upon the mitigations recently added by Adobe. More importantly, this talk will illustrate UAUAF by CVE-2016-1097, a real UAF 0day that I reported to Adobe in May. Exploitation process, i.e., from discovering the 0day, gaining full memory access, chaining ROP gadgets, to the final code execution will be presented in detail.

Presented By

Guanxing Wen

When Virtualization Encounter AFL: A Portable Virtual Device Fuzzing Framework with AFL

Along with virtualization technology adopted by both enterprise and customer popularly, virtual machines escape attacking become more and more critical which could NOT be ignored. Because of virtual devices' nature character (virtual device emulation is in host level, guest can access virtual devices with arbitrary data), they are a big attack surface to achieve virtual machine escaping. In fact among those reported virtual machines escape attacking, the virtual device attacking hold big ratio. For example, the VENOM attacking (Reference 8.1).

Several fuzzing methods towards virtual devices have been released including dump I/O traces and replay in guest OS, conformance fuzzing to constraint virtual device in proper internal state and so forth. However, rare of them considered calculating and controlling code coverage and control in intension. And also, rare of them consider keep their fuzzing framework portable for difference virtualization software.

So what happens when virtualization fuzzing encounter with AFL? We would like give you one possible answer. Our portable virtual device fuzzing framework with AFL could solve both of the two challenges—code coverage feedback and portability.

Presented By

Jack Tang  &  Moony Li

WiFi-Based IMSI Catcher

We introduce a new type of IMSI catcher which operates over WiFi. Whilst existing Stingray type IMSI catchers exploit 2-4G radio protocols to track movements of mobile subscribers, in this talk, we introduce two new approaches to track mobile devices which exploit authentication protocols that operate over WiFi. These protocols are now widely implemented in most modern mobile OSes, allowing for the creation of a low cost IMSI catcher.

We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS , Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.

Finally, we present guidelines for vendors and cellular network operators to mitigate the user privacy issues that arise.

Witchcraft Compiler Collection: Towards Self Aware Computer Programs

With this presentation, we take a new approach to reverse engineering. Instead of attempting to decompile code, we seek to undo the work of the linker and produce relocatable files, the typical output of a compiler. The main benefit of the later technique over the former being that it does work. Once achieved universal code 'reuse' by relinking those relocatable objects as arbitrary shared libraries, we'll create a form of binary reflection, add scripting capabilities and in memory debugging using a JIT compiler, to attain automated API prototyping and annotation, which, we will argue, constitutes a primary form of binary code self awareness.

Finally, we'll see how abusing the dynamic linker internals shall elegantly solve a number of complex tasks for us, such as calling a given function within a binary without having to craft a valid input to reach it. The applications in terms of vulnerability exploitation, functional testing, static analysis validation and more generally computer wizardry being tremendous, we'll have fun demoing some new exploits in real life applications, and commit public program profanity, such as turning PEs into ELFs, functional scripting of sshd in memory, stealing crypto routines without even disassembling them, among other things that were never supposed to work. All the above techniques have been implemented into the Wichcraft Compiler Collection, to be released as proper open source software (MIT/BSD-2 licenses).

Presented By

Jonathan Brossard