The Presentations

No More Free Bugs: ~10 Years Later

Dino Dai Zovi and Charlie Miller

It’s been several years since the “No More Free Bugs” movement started to gain traction, but now it seems as almost everyone has some form of bug bounty for researchers. This presentation will go over the motivations of certain researchers to stop giving away their work for free and demand satisfaction (well, as close to satisfaction as one can get).

How Many Million BIOSes Would You Like to Infect?

Corey Kallenberg

So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live OS like Tails. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit!"

Though long thought to be impractical, this talk will dispel the illusion that sophisticated BIOS level malware is exclusively within the realm of possibility for nation state actors. Recent disclosures of firmware level vulnerabilities have given us reliable entry vectors into the firmware on almost all systems we have surveyed.  Furthermore, the well defined nature and modularity of UEFI significantly lower the bar for coherently implanting a firmware rootkit onto a system. This talk will detail the result of our 1 month effort to infect the BIOS of every business class system we could get our hands on.

Picking Fights with Toddlers: Embedded Device & IoT Exploitation

Stephen A. Ridley

There is a latent distrust of the growing "Internet Of Things" market. The data collected by them is becoming more personal all while proliferation of internet connected devices is continuing without regard to privacy or security. Recent news stories has consumers concerned not only with privacy but also surveillance and data handling. There is no trusted third-party "consumer advocacy" for privacy and security of mobile apps and embedded systems. The designs of these systems make traditional software based security (like "anti-virus" or "end-point detection") virtually impossible. And if you don't think this is going to be a huge problem: Recent research demonstrates that a significant number of the nodes used in CURRENT DDoS attacks are actually compromised embedded devices NOT user end-points....So, the shift has already begun.The "internet of things" is not just newfangled consumer devices however. I'll talk a bit about this and a recurring trend we see in these network enabled embedded systems: something we call the "uncanny valley" that gives rise no only to vulnerabilities but also huge tools gaps for software and hardware security research.

This talk will catalog some of our experiences at Xipiter exploiting these kinds of embedded systems. From trivial "exploitation" to the more advanced hardware exploitation and binary exploitation techniques. We'll talk about how we've applied these techniques to everything from Payment systems and Game Consoles to more esoteric devices like Gaming systems (lottery, casino, etc) and Industrial Controls Systems. We'll also talk about about the custom hardware we've developed (and sell to researchers at to help us with this stuff also demonstrates the "tools gap".

Back to the Kitchen: DLP Security Bakeoff, THE SEQUEL

Zach Lanier and Kelly Lum

As we all know, computer security products are completely infallible and, themselves, totally secure. Furthermore, Data Loss Prevention (DLP) solutions are, hands down, the panacea for all data leakage woes. But, we decided to pretend for a minute that they weren't, AND YOU WON'T BELIEVE WHAT HAPPENED NEXT!

Despite a plethora of data security and protection standards and certifications, companies and their systems are still leaking information like a sieve. With deployment models ranging from a fat agent on an endpoint, to a blinky-lights box surveilling all network traffic, to some unified threat management gateway with DLP secret sauce, these solutions are ripe for bypass - or worse.

This talk will discuss our previous and current research into a handful of DLP solutions, including their capabilities and their shortcomings. We will demonstrate flaws in administrative and programmatic interfaces and the inspection engines themselves. Additionally, we will revisit the tools and techniques we used to discover these issues.

OR'LYEH? The Shadow over Firefox

Patroklos Argyroudis

The Mozilla Firefox browser has a new garbage collection (GC) implementation for its JavaScript engine (SpiderMonkey) since version 32. This new GC algorithm has introduced significant changes to the way that Firefox's heap is organized. The GC heap is now divided into two layers; a first layer for short-lived objects, called the 'nursery', and a second layer for objects that survived a GC pass in the nursery, called the 'tenured' heap. Apart from these two, the latest version of Firefox continues to use jemalloc (on all its supported platforms) for SpiderMonkey metadata and GC heap objects that fit certain criteria. These changes directly affect the way that the browser's heap can be manipulated towards states that aid in the exploitation of heap vulnerabilities.

In this talk we will expand upon previous work we have published on jemalloc heap exploitation approaches and primitives for Firefox, taking into account its new GC heap implementation. The presentation will demonstrate a major upgrade of our 'unmask_jemalloc' Firefox heap exploration utility with new features, and support for Windows (and the WinDbg debugger). The new version of unmask_jemalloc, named 'shadow', will be released as open source along with the talk.

You ain't executing this! Exploring Windows Security with Runtime Code Stripping and Process Freezing

Collin Mulliner

Fighting off attacks based on memory corruption vulnerabilities is hard and a lot of research was and is conducted in this area. In our recent work we take a different approach and looked into breaking the payload of an attack. Current attacks assume that they have access to every piece of code and the entire platform API. In this talk we present a novel defensive strategy that targets this assumption. We built a system that removes unused code from an application process to prevent attacks from using code and APIs that would otherwise be present in the process memory but normally are not used by the actual application. Our system is only active during process creation time, and, therefore, incurs no runtime overhead and thus no performance degradation. Our system does not modify any executable files or shared libraries as all actions are executed in memory only. We implemented our system for Windows 8.1 and tested it on real world applications. Besides presenting our system we also show the results of our investigation into code overhead present in current applications.

Render unto the Heap that which is the Voodoos

Julien Vanegue

Over the past 15 years, security researchers have created specific heap exploitation techniques targeting well identified allocators and developed tools to inspect, visualize, force and sometimes predict layout of dynamically allocated memory regions. Nonetheless, the diversity of Heap Allocators makes it hard for exploit writers to come up with generic heap prediction techniques. Among the various most used allocators are DLmalloc, PTmalloc, JEmalloc, the Windows Heap, as well as several flavors of Garbage collected memory allocators in web browsers. Internals of these allocators differ so vastly that coming up with generic tools to predict the dynamic behavior of these different implementations is currently out of reach. This talk aims at surveying the existing work in the field of heap analysis and attempt to introduce a systematic methodology to analyze dynamic behavior of allocators for the exploit writer.

An Examination of Infusion Pump Technology

Billy Rios

Infusion pumps are medical devices that deliver drugs into a patient's body in controlled, prescribed amounts. These devices are instrumental in the delivery of patient care in hospitals across the world. How do these devices work? What do these devices look like under the hood? Are there vulnerabilities that could be leveraged to hurt or kill a patient? Let's take a look at a number of infusion pumps and explore the architecture, protocols, and vulnerabilities associated with these pumps. We'll also cover key aspects of vulnerability research in the medical device industry.