Agenda

Expand All +
  • OPCDE 2019 (Day 1)


  • OPCDE 2019 (Day 2)


  • 09:30 - 10:15
    Recently, Microsoft open source the Microsoft Simple Encryption Math Library version 3.1 (Microsoft SEAL). SEAL aims to provide a library of high performance, easy to use homomorphic encryption library. It has been used in several projects including the Intel Neural Network Compiler nGraph. Many companies are currently using SEAL to construct data security applications based on fully homomorphic encryption. It seems that the full homomorphic encryption is very close to practical. In this presentation, we will analyze the security risks of using SEAL and present several practical attacks on applications based on SEAL, we will also present countermeasures for those problems. Our research shows that fully homomorphic encryption still takes a while to be widely used and it’s extremely dangerous to use it without a crypto expert.
    Cryptography

  • 10:15 - 11:00
    Recently, Microsoft open source the Microsoft Simple Encryption Math Library version 3.1 (Microsoft SEAL). SEAL aims to provide a library of high performance, easy to use homomorphic encryption library. It has been used in several projects including the Intel Neural Network Compiler nGraph. Many companies are currently using SEAL to construct data security applications based on fully homomorphic encryption. It seems that the full homomorphic encryption is very close to practical. In this presentation, we will analyze the security risks of using SEAL and present several practical attacks on applications based on SEAL, we will also present countermeasures for those problems. Our research shows that fully homomorphic encryption still takes a while to be widely used and it’s extremely dangerous to use it without a crypto expert.
    Cryptography

  • 11:15 - 12:00
    Coinbase is the go-to place for much of the world to acquire and store cryptocurrency. We are on the absolute cutting edge of attacker innovation in account takeover (ATO) and in ATO defense. We regularly watch techniques attackers pioneer with us trickle down to the rest of the internet. Come get a window into the future of ATO techniques targeting users on the internet and specific measures we use to defend our users.
    Hardware Security

  • 13:30 - 14:15
    This talk is disclosing novel attack vectors targeting Gateway and Message Server components on SAP application servers. We publish new opensource tools and improvements on existing one. Our journey begins from a wild guess on potential issue to reverse of SAP network protocols and implementation of exploits that can do full takeover of SAP servers by abusing some trust issues via anonymous network access.
    Industrial Security

  • 14:15 - 15:00
    "Many hardware vendors armoring modern Secure Boot by moving Root of Trust to the hardware. It is definitely the right direction to create more difficulties for the attacker. But usually, between hardware and firmware exist many layers of code. Also, hardware vendors always fighting for boot performance which creates interesting security issues in actual implementations. In this presentation, I'll explain new security issues to bypass specific implementation of Intel Boot Guard technology in one of the most common enterprise vendors. The actual vulnerability allows the attacker to bypass Intel Boot Guard security checks from OS without physical access to the hardware. Also, I'll cover topics including Embedded Controller (EC) with focus on UEFI Firmware cooperation and Authenticated Code Module (ACM) runtime environment. It is brand new research not based on my previous Boot Guard discoveries."
    Hardware Security

  • 15:00 - 15:45
    "In this talk, we will explain and demo state-of-the-art memory visualization and analysis. This method highlights a different perspective on the internals of a running system and was used to find the ""Total Meltdown"" vulnerability. We'll showcase the Memory Process File System, which is a different way of visualizing in-memory Windows internals as files in a file system. It brings an easy, yet powerful, point and click interface for memory analysis of processes and in-memory objects, along with an extensive C and Python API. Analyze memory dumps or even live memory acquired from local or remote systems by a wide range of memory acquisition methods - including PCIe DMA hardware devices. In addition to explaining the framework and setup, the presentation will revolve heavily among live demos - showing various uses for the Memory Process File System."
    Memory Forensics

  • 16:00 - 16:45
    The security of Industrial Control Systems (ICS) has been attracting increased attention over the past years, following the discovery of real threats targeting industrial environments. Despite this attention, automation of the reverse engineering process of ICS binaries for programmable logic controllers remains an open problem, mainly due to the use of proprietary compilers by ICS vendors. Such automation could be a double-edged sword; on the one hand it could accelerate digital forensic investigations and incident response actions, while on the other hand it could enable dynamic generation of malicious ICS payloads. In this work, we propose a structured methodology that automates the reverse engineering process for ICS binaries taking into account their unique domain-specific characteristics. We apply this methodology to develop the modular Industrial Control Systems Reverse Engineering Framework (ICSREF), and instantiate ICSREF modules for reversing binaries compiled with CODESYS, a widely used software stack and compiler for PLCs. To evaluate our framework we create a database of samples by collecting real PLC binaries from public code repositories, as well as developing binaries in-house. Our results demonstrate that ICSREF can successfully handle diverse PLC binaries from varied industry sectors, irrespective of the programming language used. Furthermore, we deploy ICSREF on a commercial smartphone which orchestrates and launches a completely automated process-aware attack against a chemical process testbed. This example of dynamic payload generation showcases how ICSREF can enable sophisticated attacks without any prior knowledge.
    Industrial Security

  • 09:30 - 10:15

  • 10:15 - 11:00
    "NTLM relay attacks have been around for more than a decade. The oldest attack method is SMB Relay, which can be traced back to a security tool released by Sir Dystic in 2001, it needs to be emphasized that it's independent of application layer protocol (such as SMB). In fact, it's a security issue in the NT-LAN-Manager authentication protocol. As we all know, there are two ways to implement NTLN relay attack. 1. Relay credential to the victim machine (Credential Reflection), Microsoft released MS08-068 patch for this vulnerability. 2. Relay credential to another host (Credential Relay), that is a currently widely-used attack method. Unfortunately, there are no specific patches available. In this talk, we will first review the history of ​​NTLM relay attacks. After that, we will introduce a new attack method and the principle of this vulnerability, that can bypass the patch of MS08-068 and implement the credential reflection attack by relaying The Net-NTLM hash to the machine itself, also the effect of RCE(Remote Code Execution) can be achieved. In the end, we will release an automated exploit tool for this vulnerability."
    Operating System Security

  • 11:15 - 12:00
    This talk explains how we discovered various vulnerabilities in implementations of WPA2’s 4-way handshake. This encompasses both common programming mistakes, but also side-channel vulnerabilities in crypto code. This was accomplished by symbolically executing implementations using KLEE. In the presentation we will first give a high level explanation of what symbolic execution is. This is followed by an overview of the vulnerabilities we discovered. Additionally, a detailed explanation is given of how one of the discovered buffer overflows leads to remote code execution on a router (as the root user), and how another vulnerability can be abused as a decryption oracle to recover the group key used in a Wi-Fi network.

  • 13:30 - 14:15
    In recent years, Windows kernel security has been a very high priority for Microsoft. There are now fewer kernel issues, and it is becoming harder for security researchers to find the kernel issues. This is why I developed a tool to help security researchers to fuzz Windows kernel. Firstly, I will introduce a new method for fuzzing the Windows kernel. Then, I will detail the fuzzing framework, how it works, and will discuss the methods for fuzzing the Windows Kernel. The fuzzer is focused on Windows kernel objects and their relationship with different objects. This paper will cover GDI objects and some other Windows Kernel Objects. And I will also show some crash cases that I discovered with the help of the fuzzing framework. Finally, I will share details about Windows crashed and demonstrate an exploit that I completed last year.

  • 14:15 - 15:00
    This presentation concludes the research and development of a new method of detecting malicious DOM elements (such as malicious redirects, drive-by exploitation aka watering hole and cryptojacking) using machine learning to identify offensive code constructs. This tool was developed because the traditional methods of detection can be easily bypassed and they are not feasible for large volumes of websites.

  • 15:00 - 15:45
    We continue our quest to identify attack vectors for mass hacking IoTs. After our DEF CON 25 talk showing how common code, present in many different brands can lead to RCE on about 200.000 devices worldwide we upped our game and identified multiple vulnerabilities in one product line from one vendor, counting more than 450.000 active units at the time of writing this abstract. Full RCE on all of them is just the tip of a very dark and scary iceberg. In this talk we’ll show the methodology used in the research (you’ll have a chance to learn quick tips & tricks in IoT vulnerability research), all identified vulnerabilities, communication with the vendor (or lack of) and of course, live demos at every step. We’ll also touch a bit on ethics, accountability, standards, crypto, how no IoT vendor makes use of ASLR and how any buffer overflow is virtually guaranteed to lead to RCE.
    IoT Security

  • 16:00 - 16:45
    "If you can reliably find shellcode during an attack, then you can detect and respond to some of the most interesting intrusions. Shellcode isn’t only deployed during exploitation and initial access, it can be found in implants packaged inside custom file formats and processes infected by runtime patching. There are challenges in analyzing shellcode that go beyond standard reverse engineering of PE or ELF malware binaries. Shellcode assumes little about its execution environment, so the reverse engineer must quickly understand the runtime framework carried along with the shellcode to determine what it does. Across hundreds of reverse engineering sessions, we’ve developed novel techniques for analyzing shellcode payloads automatically. In this presentation, we’ll start by teaching you how shellcode implements runtime linking so it can interact with the infected system. Then, we’ll explore how to use emulation and symbolic analysis to automatically resolve functions used by shellcode. With these imports and other features, we can build a system to automatically infer capabilities to remove the human from the loop. Finally, we’ll come full circle and use these generalized techniques to better identify previously-unknown shellcode. Attendees of this presentation will enjoy low-level, technical details such as how to use memory layouts to synthesize Yara rules that match pointer chasing in x86 instructions. Attendees will also learn about trends in shellcode payloads that they can use to identify and analyze shellcode themselves. We’ll perform live demos and release any referenced code via GitHub. "
    Digital Forensics & Incident Response