The Presentations
The Agony and the Ecstasy of .NET Application Exploitation
This talk will cover the current state of .NET security/exploitation, using real-world examples of application-level vulnerabilities to framework bugs. Additionally, I will .NET security features and how to bypass, including bypassing strong-name signing including the GAC. Then, I will provide a short demo on how to modify the behavior of the .NET framework through DLL byte patching. Finally I will discuss defensive programming practices which can be used to guard against .NET vulnerabilities.
Performing Open Heart Surgery on a Furby
No product has fueled more nightmares in children than the satanic toy known only as the Furby. Recent Furbies have received significant upgrades from their predecessors, sporting features such as LCD eyes, interaction with mobile devices, and a new communication method rivaling that of #badBIOS itself.
This talk will dive into the world of hardware hacking, as applied to this demonic toy. We'll discuss various techniques to reverse engineer and instrument the hardware, including identifying unknown chips, dumping memory, and sniffing data buses. We'll also plunge into the world of chip decapping (the art of boiling chips in corrosive acid), discuss different methods of analyzing dies, and apply basic IC reversing techniques.
Choose your own Cryptographic Adventure
We're going to play a 'choose your own adventure' through a cryptographic adventure. Just like the 'find your fate' books of yesteryear, there will be a very long slide deck and the audience will dictate what they want to hear about. The slide deck will have things such as how basic primitives work, some underpinnings, as well as general design and greatest hits of cryptographic screw-ups.
The Automated Exploitation Grand Challenge
In the last few years, interest for automated exploitation has surged both from academic and industry circles. So far, most research has focused on restricted exploit models where mitigations are disabled or very limited. The purpose of this talk is to define the challenges ahead for security researchers who want to tackle full model exploit generation where modern mitigations are considered. As often, the key to solving such hard problem lies in tackling simpler problems and combining results. We hereby formalize a list of eleven central problems in automated vulnerability discovery and exploitation and discuss strategies to solve them. A few tools are presented to help researchers in this journey.
Exploiting Randomness: Fun Attacks Using a Compromised Random Number Generator
Many information security systems rely on cryptographic schemes that need truly random numbers be secure. In recent months there have been several high profile news stories about weaknesses or potential compromises in both software and hardware random number generators. A compromised random number generator is difficult to catch because it can output random looking data that is predictable to an attacker only. In this talk I describe how to go from knowledge of a weakness in a random number generator to a full security compromise.
We will look at examples including how to fully decrypt a TLS stream, how to compromise a bitcoin wallet by looking at the ECDSA signatures on the public block chain, how to factor improperly generated RSA keys, and more. There will be live demos and discussions of interesting ways to pull off these attacks.
Scorched Earth: Attacking Office Telecommunications for Petty Vengeance
*something something* jerks at work *something something* deskphone 0day *something* get the message across *something* display dong pictures *something* attack demo launched from 90s NYNEX payphone *something something* drinking.
SENTER Sandman: Using Intel TXT to Attack BIOSes
At CanSecWest 2014 we presented the first prototype of Copernicus 2, a trustworthy BIOS capture system. It was undertaken specifically to combat our “Smite’em the Stealthy” PoC which can forge the BIOS collection results from all other systems (including our own Copernicus 1, the open source Flashrom, Intel Chipsec, etc). Copernicus 2 makes use of the open source Flicker project from Jon McCune of CMU which utilizes Intel Trusted Execution Technology in order to build a trustworthy environment from which to run our BIOS measurement code. We specifically chose TXT because it has the ability to disable System Management Interrupts (SMIs) effectively putting the SMM MitM, Smit’em, to sleep.
But if you’ve been following our work (specifically “Defeating Signed BIOS Enforcement” and “Setup for Failure: Defeating UEFI SecureBoot”) you will have seen that we have two other attacks where we leverage the ability to suppress SMIs to break into some BIOSes. Thus the Sandman cometh! We will explain how we could implement the PoC Sandman attack using the same infrastructure as Copernicus 2. We will also explain what can be done against this kind of attack, and how the latest Copernicus 2 attempts to prevent opening the door to the Sandman. We will also cover how Copernicus 1 and 2 can check for the problems with BIOSes that make SMI-suppression attacks feasible, how to tell if you’re vulnerable, and what you may be able to do about it.
A Tale of Reversing the Android-based Snow2 HUD
You might be thinking, oh no another Android talk. Well, yes and no.
The way we interact with every day technology is changing. See the Internet of Things (IoT). The time is already now, and this is just a prequel to some of the things we’re beginning to see.
For me, it all started this past winter. I managed to convince my employer to buy me a new pair of snowboarding goggles, as the focus of my *cough* research *cough*. But these aren't just any pair of goggles; these are the Smith I/O’s outfitted with a Recon Snow2 Heads-Up Display (HUD) that reads data from multiple sensors to display GPS coordinates, altitude, speed, barometric pressure, and more. On top of that, they can pair with your Android or iPhone to receive incoming SMS, voice calls, and sync info about currently playing music. It also has onboard WiFi and Bluetooth capabilities, and developers are encouraged to write 3rd party apps for it!
In researching these goggles, I found multiple vulnerabilities that lead to getting root and compromising application data. The goal of this talk is to walk the audience through my methodology and process in assessing the attack surface and identifying security vulnerabilities in the device. Along the way, I had to reverse various applications, write my own applications, analyze BTLE communications, reverse iOS and Android smartphone applications, and dissect a Google Chrome plugin. By attending this talk, you’ll gain a greater understanding of how to assess the security of every day “things”.