Ajay Pratap Singh
Paper has been accepted
Understanding, attacking & securing DICOM & pentesting medical devices

DICOM (Digital Imaging and Communications in Medicine) is an international standard for retrieve, transfer, storage and communication in imaging modalities. It is used in imaging modalities like CT, MR etc. Initially, interfaces between imaging medical devices were custom designed & posed a huge challenge as far as interoperability was concerned. DICOM standards has come to the rescue by providing interoperability to store, manage & exchange information among one or more devices, product, systems etc. DICOM is supported by majority of vendors and hospitals however secure implementation of DICOM is still a concern as security risks were given less importance. This presentation will be primarily focused on DICOM messages, their implementation, the sensitivity of the information and how to attack these messages. The talk will cover how to pentest medical devices / systems in the hospital network and the approach that needs to be taken to pentest the medical systems. The talk will be concluded by sharing insights on the proper implementation of DICOM standard to better defend healthcare devices & systems against cyber-attacks.

Altaf Shaik
Paper has been accepted
4G to 5G : new attacks

5G raises the security bar a level above 4G. Although IMSI exposure is prevented in 5G, we found new vulnerabilities to attack devices and subscribers. In this talk we expose a set of vulnerabilities in the 5G/4G protocols that are found in network operators equipment and also consumer devices such as phones, routers, latest IoT sensors, and even car modems. Our vulnerabilities affect several commercial applications and use cases that are active in 4G networks and are expected to take off in 5G networks. We developed automated tools to exploit the exposed cellular information and share some of our research traces and data sets to the community. We demonstrate a new class of hijacking, bidding down and battery draining attacks using low cost hardware and software tools. We did a rigorous testing worldwide to estimate the number of affected base stations and are surprised by the results. Finally our interactions with various vendors and standard bodies and easy fixes to prevent our attacks are discussed.

Sergey Mashukov
Paper has been accepted
Creating a fuzzer for telecom protocol. 4G LTE case study.

Diameter is an authentication, authorization and accounting protocol that is widely used between the LTE core nodes by mobile network operators. While multiple methods for connecting subscribers to networks have been used over the years – including exchange and SS7 – Diameter is the latest protocol. While security vulnerabilities in SS7 are well known, it’s often assumed that Diameter is more secure. In this talk, I will describe my experience in creating a tool for fuzzing Diameter protocol.

I will start with short overview of telecom signalling security and then describe vulnerabilities found while using the fuzzing tool. Then, talk about technical and administrative challenges specific to fuzzing telecom equipment using examples from our practice. The talk will cover topics such as:
1) How protocol specifics reflect in fuzzer architecture
2) Use of existing protocol stacks for building fuzzers
3) Which additional tools may be needed in MNO Test Lab environment and how to adapt fuzzer for it
4) How to reproduce issues reliably
5) Lessons learned on communication with MNO representatives when vulnerabilities are discovered

Stefan Esser
Paper has been accepted
Re-creating an iOS 0-day malware/jailbreak out of Apple's security updates

In February 2019 after the release of iOS 12.1.4 Google disclosed that this update fixes two vulnerabilities in iOS that Google has found being used in the wild as part of a remote 0-day iOS jailbreak. That iOS exploitation chains are caught in the wild is a rare thing, because the locked down nature of iOS makes it nearly impossible for defenders to see what is going on inside their iPhone which makes it hard to impossible to catch these attacks. Unfortunately Google did not share the exploitation samples or any further information about the exploit, the attack or the suspected attackers. This has made many iOS security researchers curious about the exact nature of the attack and started multiple parties to use patch diffing techniques to re-discover the vulnerabilities in Apple's update.

In this talk we will discuss the whole process of how we discovered the vulnerabilities within the update and how we developed exploits for each of these vulnerabilities and how we eventually combined these exploits into an iOS jailbreak. The audience will not only take away a detailed process description but also a copy of the jailbreak itself.

lidong LI, Xianzi Kong
Paper has been accepted
Advanced Mutation Fuzzing Method Based on the Wireless protocol

About our topic

1. With the development of networking between IOT and smart cars, more IOT devices and cars have already used the wifi interface, wireless network security will be more and more important, but the wireless (802.11) fuzzing technology is coming The less. The open source fuzzer and the already published fuzzing technology are no longer sufficient. We are fortunate to have researched this technology and achieved research results.We use this technology to find IOT vulnerabilities and also use it in the search for car wireless module vulnerabilities.

1. We will introduce about traditional wireless fuzzing technology

2. We will introduce the shortcomings of the traditional wireless fuzzing technology and the common fuzzer programming library bugs we have found. We will also conduct code audits for open source fuzzers to show you how the traditional fuzzer works and its shortcomings.

3. We will introduce our research results, how to quickly and effectively construct a fuzzing case for the driver, and how to track the crash. And, most importantly, we will explain how to perform Smart Mutation on the payload (fuzzing case) to make the payload more powerful! In terms of the wifi interface, we will analyze the three states of AP and client and WPA. We have prepared four videos DEMO,
We will present an demo demo of the attack on mobile devices (Smart phone wireless interface-Wpa_supplicant component vulnerability)and mediatek wifi chip remote kernel crash(Affects more than 100 models of routers and smart devices) and automotive (IVI) wireless well as classic Windows remote kernel overflow due to wireless network card driver vulnerability .And will explain in detail how to fuzzing according to the wireless state machine and fuzzing for different driver chips!Our fuzz method is especially wonderful and can blur everything wireless devices.! And does not require any physical contact and user interaction ! ^_^

Reasons for writing this report: Automotive networking and IOT equipment have fully entered people's lives. In the future, the demand for car networking will become higher and higher, so the security problem will become more and more serious. I hope that through this technology sharing, everyone will have a deeper understanding of wireless attacks and vulnerability mining. Because it is effective, and it is remote attacks

Chia Ching Fang
Paper has been accepted
What Species of this Fish is ? - Malware Classification with Graph Hash

*** Background and Related Research
- In malware research, threat hunting and security intelligence exchanging, hashes, such as MD5 or SHA256, take a dominant position. Malware researchers search malware on VirusTotal with hashes, exchange security intelligence with IoC (incident of compromise) that include hashes. However, hashes have some characteristics, such as one-to-one relationship between file and its hash, this limit researchers to do files correlation. Of course that isn’t what hashes was made for. Because of that, some other related "enhanced” hashes have been proposed, such as ssdeep, sdhash, TLSH, and imphash, and they help to learn the similarity of binary files.

All of them is calculated from binary point of view, and there are the other methodologies to learn executable files similarity which are from graph point of view. For example, Zynamics bindiff takes a bigger picture of view of executable to learn the similarity/difference of two executable files. It give researchers very detail information about what similarity in which parts of two executable files, however, it could process two files in the same time.

This research, graph hash, tries to combine the advantages of these two types of methodologies, to calculate the hash of executable files from graph view, and it helps to classify malware with consistent and efficient way.

*** The Comparison among Hash, Fuzzy Hash, and Graphic Binary Diff
- This will introduce hash, fuzzy hash and graphic binary diff, and what are the advantages and disadvantages among them.

*** What is Graph Hash
- This will detail what graph hash is and how to calculate the graph hash from ground up.

*** Benefit of Graph Hash
- This will discuss the advantages of graph hash and how to use it in real situations.

*** Live Demo
- This will demonstrate how graph hash applies to malware classification.

*** Testing Results
- This will presents the testing results of about one million malware samples.

*** The Limitations of Graph Hash
- This will discuss the limitations of graph hash in some conditions.

Xiaodong Zou
Paper has been accepted
4G LTE Man in the Middle Attack with a Hacked Femtocell

This talk will presents:
1.How to root a 4G LTE femtocell.
2.How to make the femtocell portable.
3.How to perform man-in-the-middle attack with the femtocell.
4.Show the prototype of Hacking Box of S1 Interface (HBoS).

4G LTE Network Briefing

S1 Interface Briefing

Femtocells offer a user the ability to have a small base station located within their house or other area. These small base stations provide access to the core network where poor reception from an eNodeB would normally prevent consistent coverage. Femtocell has been standardized in LTE since release 8, and is referred as Home eNodeB, or HeNB. UE attach to HeNB like a typical eNodeB. HeNBs are mandated to have an IPsec connection back to a security gateway (SeGW) to protect traffic flowing into and out of a Mobile Network Operator (MNO)’s core network.
If the HeNB is within the physical possession of an attacker, this provides unlimited time to identify a flaw on the HeNB. A compromised HeNB can be used in a manner similar to a rogue base station, but will also provide the attacker access to clear text traffic before it is sent back to the core network.
There are more than ten different types of HeNBs could be found deployed in China. Ericsson ENC-nRBS01B40 is one of them and it’s a TD-LTE base station working on band B40.

Root the Device
To root the femtocell, the first thing I do is to search the Internet for the default LMT (Local Maintenance Terminal) IP address, user name and password of Ericsson base stations. And I found the default web-based LMT’s URL is, user name is root and password is admin001067. It’s not a surprise that I logged in successfully on my first try.
By exploring the web LMT, things I found include: the URL, username and password of the Auto Configuration Server (ACS), the IP address of the MME and the WAN NIC, the cellular network related configurations, etc. And I also noticed that IPsec wasn’t enabled, which means I could easily eavesdrop all the IP packets transferred between the femtocell and the core network. The IP address of WAN NIC was a static address start with 10.x., which means the backhaul of this femtocell is not Internet but MNO’s GPON/EPON or PTN.
The next thing I do is to launch Nmap to scan this femtocell, and port 22 was soon found to be opened, both LAN and WAN interface!
By using the default root password admin001067, I logged in via SSH.
After checking the whole file system, I found everything including tcpdump and gdbserver.
OS: Linux bsc913x #4 SMP PREEMPT RT Thu May 26 14:59:31 CST 2016 ppc GNU/Linux
CPU: PowerPC
Tool-chain: Sourcery G++ Lite 2010.09-55

Eavesdropping LTE Traffic
It is easy to eavesdrop all the network traffic since the IP packets from the eNodeB to the EPC are all in plain text.
Method 1: Tcpdump come with the femtocell.
Method 2: Wireshark running on my laptop computer with 2 NICs.
Since I need to develop the MitM tool later with my laptop, I choose method 2. Divided the net link between femtocell to core network into two parts, then bridged them via my laptop, and set routing rules to forward traffic.
Demo 1: SMS messages
There are two main ways SMS can be delivered over LTE system: SMS Over SGs and SMS Over IP. I will demonstrate both of them.
Demo 2: Phone calls
I will demonstrate how to intercept VoLTE phone calls.
Demo 3: Data traffic
I will demonstrate eavesdropping how to eavesdrop on a user’s HTTP traffic.
Demo 4: Signaling messages
Decoding the S1AP protocol, collecting privacy information including IMSI of UEs.

Make Femtocell Portable
It is more harmful if the attacker could carry a malicious femtocell in his backpack and turn it on at anywhere he wants.
To make the femtocell portable, I purchased a battery-pack and a Huawei WiFi 2 Pro E5885 portable 4G router. The Huawei E5885 has a RJ-45 port, where I could connect the WAN port of the femtocell to it, and give the Internet access to the femtocell.
The femtocell can work for 2 hours with the battery-pack, that’s long enough for a field test.
At the other end, I set up a StrongSwan IPsec VPN server, and connect the core network to the LAN switch of the VPN server. So when the VPN client running on the femtocell connected back to the VPN server, the femtocell should be able to connect to the core network and work just fine.
In order to dump all the net traffic, I need to run tcpdump on the femtocell and save the dump file to /tmp where there was nearly 200MB free disk space.
After I put the femtocell with the battery-pack and Huawei E5885 in my backpack and take it outdoor, find somewhere to sit, turn the femtocell on, wait for 5 minutes, I could see the drive test APP at my mobile phone indicate that the phone was attached to the femtocell sucessfully.

Implement MitM Tool
BTSs that were traditionally located in secure, locked sites are increasingly set up in public places. Although these sites sometimes are enclosed by a fence and protected by a physical security system, it is possible for these defenses to be circumvented.
Despite of this, most of the S1 interfaces are not protected by IPsec today. What could happen if a malicious little box was implanted into the wire link of the S1, and hidden in the dark for a very long time?
I call this little box “Hacking Box of S1 (HBoS)”. HBoS is based on a tiny maker board (e.g. UP2 Board) with 2 NICs, running Linux, standing in the middle of the S1 link, performing man-in-the-middle attack and other attacks including DNS hijacking, spoofing, manipulating, etc.
Just like LTE aLTEr attack, HBoS can do DNS hijacking, but without worry about the AES.

DNS Hijacking.
Most applications rely on the DNS to resolve their servers’ IP addresses before connecting to the servers, for an attacker, the direct way to redirect the UE’s IP packets to a malicious server is DNS hijacking. Once a DNS request packet was received, the DNS hijacking module will change the destination IP address to a malicious DNS server on the Internet, and add the details of this request to a table in the memory. Once a DNS respond packet was received, the DNS hijacking module will look at the table in the memory for the original destination IP address, and modify the destination IP back. So the whole DNS hijacking is transparent to the UE.

Phone Number Collecting.
It’s easy for a rouge femtocell works as an IMSI catcher, but how to map the IMSI to MSISDN (i.e. Phone Number)? By analyzing the SIP packet and mapping the GTP tunnel ID, the HBoS could collect the S-TMSI, phone number and IMSI of all the attached UEs who have VoLTE enabled.

Andreas Wiegenstein
Paper has been accepted
SCARE - Static Code Analysis Recognition Evasion

Companies increasingly rely on static code analysis tools in order to scan (their) (custom) code for security risks. But can they really rely on the results?

The typical SCA tool is designed to detect security issues in code that were created by accident / lack of skill. But how reliable are these tools, if someone intentionally places bugs in code that are not supposed to be found?

This talk explores several nasty concepts how malicious code could be camouflaged in order to avoid detection by SCA algortihms.

On a technical level, the followingconcepts are covered
- covert data flow
- deep call stacks
- circular calls
- source mining
- data hubs
- taint laundering

Based on this, I will provide some code snippets as proof of concept for the audience to test at home.

This talk focuses on general weaknesses of SCA tools. I am not going to point the finger at specific vendors.

Andrey Akimov
Paper has been accepted
Launching feedback-driven fuzzing on TrustZone TEE

ARM TrustZone is now utilized in all modern ARM-driven smartphones. This technology provides hardware isolation for secure processing of sensitive data. The idea of the technology is to divide digital world into two: Normal World and Secure World. While Normal World is normally a traditional Android or Linux with all its userspace and kernelspace, the Secure World is something mythical, not widely known and often without any public accessible documentation and source code.

Even Android kernel doesn't have access to the data processed in TrustZone. And besides this sensitive data, breach to TrustZone can lead to other amazing things like compromising Root Of Trust and achieving rootkit persistence.

We will focus on getting into TrustZone from Android userspace in smartphones of Samsung Galaxy series and its Trustonic implementation of Trusted Execution Environment (TEE). Trusted applications, or trustlets, executed there, is one of the windows to TEE, and they turned out to expose vast attack surface. While they are custom format binaries, designed to run in a special environment, it is still possible to run AFL on them. We will show you our approach to automatically discover vulnerabilities in Trustonic trustlets with such a cool way as having proved itself feedback-driven fuzzing.

Mario Rivas
Paper has been accepted
Why you should fear your "mundane" office equipment

The security of common enterprise infrastructure devices such as desktops and laptops has advanced over the years through incremental improvements in operating system and endpoint security. However, security controls for network devices such as enterprise printers are often ignored and thus present a greater potential for exploitation and compromise by threat actors seeking to gain a persistent foothold on target organisations.

In order to assess the current state of mainstream enterprise printer product security and to challenge common assumptions made about the security of these devices, which sit on key parts of enterprise networks and process sensitive data, we set out on a vulnerability and exploitation research project of six known vendors. We were able to find remote vulnerabilities in all printers tested through various attack vectors, revealing a large number of 0-day vulnerabilities in the process.

In this talk we walk through the entire research engagement, from initial phases such as threat modelling to understand printer attack surfaces to the development of attack methodologies and fuzzing tools used to target printer-specific protocols and functions. Besides of remarking important vulnerabilities found and their respective CVE’s, proof of concept exploits showing how it is possible to gain full control of printers and all of the data they manage will be presented. This will show how to use enterprise printers as a method of persistence on a network, perhaps to exfiltrate sensitive data or support C2 persistence on Red Team engagements.

We also address a number of challenges that researchers can face when performing vulnerability research on devices such as printers and how we used different techniques to overcome these challenges, working with limited to no debugging and triage capabilities. We also present mitigations that printer manufacturers can implement in order to reduce printer attack surfaces and render exploitation more difficult.

* More information about the talk, including a presentation outline, PoCs and advisories related to the talk's content can be found in the attached PDF file.

Alexander Ermolov
Paper has been accepted
Bypassing a hardware-based trusted boot through x86 CPU microcode downgrade

It is widely known Intel CPU microcode is hardcoded into CPU ROM, and for security reasons, should be updated every time CPU is powered on, including situations like waking up from Sleep/Hibernation states. This is usually done by a microcode loader in UEFI BIOS. I've discovered a vulnerability in this loader, which allows tricking it to downgrade the CPU microcode.

One of the obvious consequences of this attack vector is removing fixes (implemented in microcode) for vulnerabilities like Spectre var2. However, I've found out the older versions of microcode allows to load the older versions of Intel ACMs (Authenticated Code Modules).

ACMs are a special code modules developed (and signed) by Intel to support some Intel security technologies, like Intel Boot Guard, Intel BIOS Guard, Intel TXT, Intel SGX. "Supporting" means serving as a Root of Trust. These modules are loaded into CPU L3 cache (sometimes called AC RAM) and executed from there. Like the other code, ACMs can be updated/fixed, and for security reasons running a downgraded version of an ACM is deprecated. This is maintained by a microcode and, like mentioned above, the old version of a microcode loads an old (associated) version of an ACM.

This opens up an opportunity to exploit patched vulnerabilities in ACMs influencing on the technologies they support. Which in turn leads to bypassing the trusted/measured boot (hardware-based).

In this talk I'm going to show how exactly this could be done on a real Intel TXT & Intel BIOS Guard protected platform.

Orange Tsai
Paper has been accepted
Infiltrating Corporate Intranet Like NSA - Pre-auth RCE on Leading SSL VPNs

SSL VPNs protect corporate assets from Internet exposure, but what if SSL VPNs themselves are vulnerable? They’re exposed to the Internet, trusted to reliably guard the only way to intranet. However, we found pre-auth RCEs on multiple leading SSL VPNs, used by nearly half of the Fortune 500 companies and many government organizations. To make things worse, a “magic” backdoor was found to allow changing any user’s password with no credentials required! To show how bad things can go, we will demonstrate gaining root shell from the only exposed HTTPS port, covertly weaponizing the server against their owner, and abusing a hidden feature to take over all VPN clients!

In such complicated closed-source systems, gaining root shell from outside the box certainly ain’t easy. It takes advanced web and binary exploitation techniques to struggle for a way to root shell, which involves abusing defects in web architectures, hard-core Apache jemalloc exploitation and more. We will cover every detail of all the dirty tricks, crazy bug chains, and the built-in backdoor. After gaining root shell into the box, we then elaborate on post exploitation and how we hack back the clients. In addition, we will share the attack vectors against SSL VPNs to kick start researches on similar targets. On the other hand, from our previous experience, we derive general hardening actions that mitigate not only all the above attacks, but any other potential 0days.

In summary, we disclose practical attacks capable of compromising millions of targets, including tech giants and many industry leaders. These techniques and methodologies are published in the hope that it can inspire more security researchers to think out-of-the-box; enterprises can apply immediate mitigation, and realize that SSL VPN is not merely Virtual Private Network, but also a “Vulnerable Point of your Network”.

Minseok Cha
Tick Tock - Activities of the Tick Cyber Espionage Group in East Asia Over the Last 10 Years

The Tick group, also known as Bald Knight, Bronze Butler, Nian, and RedBaldKnight, is a threat actor whose main targets are institutions and companies in Korea and Japan. This group became known in 2016 although it first engaged in attacks on Korea in 2008. The group was first confirmed to be active in 2014.

The Tick group has used various malware, such as Bisodown (Homam), Gofarer, Daserf, NetBoy(Invader), Xxmm, and Datper, for more than 10 years, and various security vendors have reported on this group's activities, malware, and malware builders.

The activities of this group in Japan have been researched and disclosed to some extent, but not as much as their attacks on another main target, Korea. While there are common characteristics in the attack methods, malware, and techniques used for the attacks in Korea and Japan, there are certainly differences. The attacks on the countries shared the same method of creating large files tens or hundreds of megabytes in length when generating malware files in an attempt to bypass security programs. However, it has also used different strategies for each country, such as by exploiting the vulnerabilities of an asset management software widely used in Japan and targeting a secure USB drive in Korea.

In this presentation, I will talk about the Tick group's attack vectors, major activities in East Asia with a focus on Korea, the characteristics of their malware, and its techniques for bypassing security programs. I will also share some new information about them that was mistakenly exposed by the group through various internal tools. I believe that sharing information is essential for minimizing future damages so today, I will share with you my findings with a focus on Korea.



My paper can be found here. (Korean) (Korean)

Sorry, my paper has not been translated into English.

The attached slides (draft version) contain Korean.

Alex Kolchanov
Attacks on IVR-systems and Call-centers in 2019

Attacks on IVR-systems and Call-centers were discussed at some conferences (PHDays, DeepSec 2018). I will show during this talk, how those attacks look in 2019. Some companies tried to prevent these attacks, some new targets and vectors become more popular and interesting (for example, IoT devices).

Those attacks do not change in general: attacker makes a call with spoofed Caller ID (phone number) and performs different actions to bypass authorization.

I will tell about several changes:

* Banks trying to mitigate those attacks. Different methods will be discussed (some are effective, some are insecure). Also, we will discuss fake protection: situation, when the bank tried to do something, that looks secure, but hackers can still bypass it.

* Some banks presented voice recognition systems this year. In general, it looks like advanced IVR-system. I will tell about the main problems and attacks methods.

* Attacks on mobile operators: some dangerous problems still exist here (like attack, that allows to spend money from user's account or get private information), but operators try to prevent spoofed calls. I will tell about attacks on different systems and effective methods, which should be considered.

I will tell about new things:

* Brute force attacks on IVR systems. I will tell in details when it can be effective. Different brute force methods will be considered.

* Using mistakes of employees for effective attacks:
* * When using mistakes can be effective? For example, if an attacker knows only a part of data, which is necessary for the authorization, he can try to call again and again, while new employees will make a mistake and accept this data.
* * Typical mistakes. Employee forgets to ask something (practical case: employee of one bank forgot to ask authorization data and forward me to an automatic line to set new pin-code). Employee changed authorization questions or decided, that some questions are not necessary. The employee regretted the client and made the authorization.
* * "Uncommon situation" attack: the employee can do more mistakes when a user asks something uncommon.
* * When an attacker can expect mistakes? How to protect the company from these mistakes?

* "Call again" attack: an attacker can make call after call which was made by a legitimate user with proper authorization. And try to bypass authorization with something like "Hey, I just called you and forgot to ask...". In several practical cases, it allowed me to bypass authorization.

* Financial attacks: an attacker can make company spend money for paid actions (like sending SMS) via IVR in some cases. If a criminal can make a company send thousands of SMS, it will cause direct financial harm.

* Also, an attacker can enable paid subscriptions via IVR in some cases. It can cause problems and financial harm for the user.

* Attacks on IoT: it is a big new chapter. Some IoT devices (like GSM-alarms, smart homes controllers and industrial GSM-control systems, access control systems) allows to control them with calls. They use small IVR menu with DTMF-commands. In some cases, an attacker can perform different attacks on these devices. Some results of effective attacks:
* * GSM-alarms: an attacker can change settings, disable and enable security mode, add new control phone numbers, listen to an environment.
* * Smart homes control systems: an attacker can switch off and switch on devices, get information, listen to an environment.
* * Industrial GSM-control systems: an attacker can switch off and switch on different industrial systems.
* * Access control systems and locks: an attacker can open doors.
* * Smartwatches for kids: an attacker can send fake messages, make fake calls from parents, get location, listen to an environment.

If it is possible, I will show some attacks in practice (I expect to attack IoT-device).

Sean Park
Build an AI Anti-Malware in 60 min: Detecting Outbreaks

Deep learning is a must for cybersecurity especially today when the sheer volume of diverse morphing threats crush us every second. Despite the overwhelming interest, the cybersecurity world has been quite frustrated with the lack of information in how to apply this Pandora's box to our problems. A bunch of conference presentations and conceptual academic papers barely help us in developing our own deep learning based detection engine. We don't know how to feed the samples to our model, how to analyse the data, what model we need to use, how to debug a model, and whether deep learning even works for our malware sample set! We have never seen how a deep learning researcher from a cybersecurity firm does suffer, fail, learn, grow tall, and finally stand up and declare a triumph. It takes a great length for a security software engineer to go through all this uncharted territory.

In this demo-driven session, you will witness a whole development process and its back story of a working deep learning model for malware outbreak detection, which involves feature transformation, internal model inspection through gradient tracking, neural signature development using semantic hashing, use of the state of the art neural network, debugging math with visualisation, and the deepest agony you want to dodge in every possible way.

The following is an excerpt of the related paper, 'Generative Malware Outbreak Detection', published at IEEE ICIT 2019.

Abstract—Recently several deep learning approaches have been attempted to detect malware binaries using convolutional neural networks and stacked deep autoencoders. Although they have shown respectable performance on a large corpus of dataset, practical defense systems require precise detection during the malware outbreaks where only a handful of samples are available. This paper demonstrates the effectiveness of the latent representations obtained through the adversarial autoencoder for malware outbreak detection. Using instruction sequence distribution mapped to a semantic latent vector, the model provides a highly effective neural signature that helps detecting variants of a previously identified malware within a campaign mutated with minor functional upgrade, function shuffling, or slightly modified obfuscations. The method demonstrates how adversarial autoencoder can turn a multiclass classification task into a clustering problem when the sample set size is limited and the distribution is biased. The model performance is evaluated on OS X malware dataset against traditional machine learning models.

I. Introduction
Statically identifying malware has been the most viable approach when timely detection is critical. This is especially true under current threat environment where malware outbreaks became a daily routine. This paper considers static features for malware detection. Although malware packing problem [21] is crucial when reverse engineering the detailed functional characteristics of the malware is the objective, the surface level static features are sufficient to differentiate malware families from benign samples when the ultimate goal is solely the detection. Therefore this paper does not attempt to propose a method to unpack malware samples.
The observations in the malware battle forefront are malware mutates over time to bypass static signature based detection by upgrading its functions or applying new metamorphic (or obfuscation) techniques. The downside for attackers is this malware mutation requires their time and effort. Due to this development cost, minor tactical modification to the original malware code frequently occurs and arrives in the form of an outbreak while a major strategic code change rarely occurs across a longer period of time. This inevitably causes a similar pattern of instruction sequence either generated by a metamorphic engine or upgraded from previous functions. As a result, there appears a phenomenon typically seen for the instruction sequence of malware samples from a campaign as shown in Figure 1. The method in this paper will exploit the presence of this unique pattern of instruction sequence in the malware samples of a campaign whether or not it forms unpacking routine, metamorphic components, or pure functional modification.
Traditional machine learning algorithms such as SVM, Random Forest and Gradient Boosting commonly use metadata as features such as executable file header fields, n-gram of raw binary file and entropy of sections because they are optimised to work with independent sparse features. In the meantime, encoded high dimensional data such as sequence of program instructions constitutes the substantial body of a sample in malware detection context, which contains rich information of the sample's identity. Although several attempts utilised the instruction sequence as a feature [22][23][24][25], the n-gram reduction they performed simply throws away the sequence order information, leaving those approaches vulnerable to a trivial histogram matching attack [26]. However, adversarial autoencoder used in this paper, like many other deep learning models, fully takes advantage of the input samples with the sequence order retained. In this paper, we use the sequence of program instructions as a feature.
One critical aspect of malware outbreak detection is the scarce number of samples we can train with. The goal of this paper is not only detecting malware variants but also detecting them with extremely small number of samples captured at the very early outbreak as it should be in real world detection scenario. The method as well as various other machine learning models will be evaluated with this scarce training dataset setting.
This paper presents a novel method that detects similar malware samples with high accuracy on malicious samples and low false positives on benign samples, using a single sample of a kind for training with adversarial autoencoder. The techniques described in this paper are applicable to the other domains, such as IoT (Internet Of Things), that require well-generalised detection using a handful of malware samples.

II. Related Works
For binary malware classification, Saxe J [1] used fully connected layers with dropouts over handcrafted independent sparse features from the executable file. The approach does not deal with complex variations of metamorphism well especially when the changes occur globally within the sample let alone the binary classification significantly overfits over limited number of training samples. Li Y [2] recorded 92.1% accuracy over binary classification problem over KDDCUP'99 dataset using stacked RBM (Restricted Boltzmann Machine) autoencoder combined with softmax regression. Although it did not use layer-wise noises for autoencoder and the dataset consists of handcrafted sparse features, it demonstrated the efficacy of autoencoder. David OE [3] demonstrated the use of DBN (Deep Belief Network) for malware detection over a relatively fine-grained number of target classes. Dahl GE [5] tried to solve the most fine-grained malware classification problem using DBN using 136 malware family categories as output classes. However, it still used a sparse feature set. Using convolutional neural network, Davis [6] first adopted raw binary samples as features, which contains program code in it. However the binary distribution of a malware outbreak can significantly vary depending on the packed code and data, and the layout of sections can change with little effort by the attacker. Using highly structured content such as an executable file as a sequence of raw bytes is less likely to generalize the distributions of a malware and its variants. Sean P [18] introduced a method to detect malware metamorphism using stacked de-noising autoencoder and semantic hashing on the features generated by Fourier transform applied to the program instructions. Although the method successfully captures intra-function metamorphism, no sample-wise similarity detection approach was suggested.
The majority of these approaches use a large dataset with the assumption that the dataset has unbiased distribution across different styles of samples. In addition, many approaches attempted to solve binary classification problem where samples are labelled in one of two classes. The proposed approach in this paper attempts to solve multiclass classification problem by leveraging unsupervised learning with no assumptions on the number of training samples and sample distribution.

III. Method
This section discusses features, dataset, model architecture, and training methods.

[Fig 1. Each row represents a per-sample feature, which is a sequence of instructions of a malware sample. Each normalised instruction is rendered as vertical bar with a unique color to differentiate between different instructions. X axis is the feature. Y axis is the sample number. ]

In modern days malware samples are automatically generated by a custom tool created by the attacker. It renders hard-coded static signature based detection obsolete. A run of automatic malware generation tool essentially creates a batch of the functionally same malware in a different look, which can involve different obfuscations [14][15] such as dead code insertion, register reassignment, code transposition and integration and control flow obfuscation. Nonetheless the observation is the distribution of the program instruction sequence remains relatively intact. Figure 1 shows three unique variants of MAC.OSX.CallMe family. The samples in Figure 1 are described below.
MAC.OSX.CallMe.A (3 samples)
MAC.OSX.CallMe.E (1 samples)
MAC.OSX.CallMe.F (1 samples)
As shown in Figure 1, MAC.OSX.CallMe variants have identical instruction sequence until a variation was introduced at approximately instruction 5250. Despite this variation it is visually clear that parts of instructions of sample 2 and sample 3 are merely shifted from the instructions of the rest of the samples. In short, the instruction sequences appear very similar to each other for these three MAC.OSX.CallMe variants. Visual analysis on the majority of malware families shows that program instruction sequence plays a significant role in identifying the variants during outbreaks.

Adversarial Autoencoder (AAE):
The model consists of two independent modules. Firstly the latent representation for the instruction sequence feature that is resilient to metamorphism is acquired by adversarial autoencoder. Then the class number for the latent representation is computed via HDBSCAN with predefined threshold.
Over the past few years, GAN (Generative Adversarial Network) [7] has successfully demonstrated its capability to understand the data distributions by generating realistic samples. The power of GAN primarily comes from its generative nature by jointly training the generator and the discriminator in a tight competitive loop. In a situation like malware outbreaks where a handful of samples are available, adversarial autoencoder is a natural choice so that the scarce number of training samples produce smooth approximated nearby distributions. The core architecture for malware outbreak detection in this paper is borrowed from the original adversarial autoencoder [8] (See Figure 3).

[Fig. 3. Adversarial autoencoder architecture used for malware outbreak detection. The input, x, and the reconstructed input, p(x) are instruction sequence feature.]

As one of the desired properties in malware outbreak detection is to identify relocated functions, the autoencoder used in the proposed model is a stacked convolutional autoencoder [10] to take advantage of translation invariant property of the architecture. This allows the model to capture the program instruction sequence in the presence of code transposition and integration metamorphism [14].
The input vector consists of sparse discrete symbols, which are difficult to train with stochastic gradient descent. Therefore we create an embedding lookup for the symbols, and let the model find the best representations for them during the training. This embedding layer nicely transforms 1D input vector to a 2D array, which can be fed as an input to this convolutional autoencoder. The reconstruction method based on cosine similarity cross entropy is used to deal with sparse discrete input symbols [13].
As outlined in [8], both the adversarial network and the autoencoder are trained jointly with stochastic gradient descent in two phases – the reconstruction phase and the regularization phase – executed on each mini-batch. Specifically, in reconstruction phase, the model is trained by minimizing the cross entropy loss between the input symbol and the decoder output with sigmoid activation. During regularization phase, binary cross entropy is used for the discriminator loss, which is computed by summing the loss between positive samples from Gaussian normal distribution and negative samples from the encoder output. Binary cross entropy is also used for the generator loss. Let x be the one-hot encoded representation of input data distribution and z be the latent code vector of an autoencoder. Let p(z) be the prior distribution imposed on the codes, q(z|x) be the encoding distribution, p(x|z) be the decoding distribution, and p(x) be the model’s reconstructed distribution. Reconstruction loss is described in (1), and discriminator and generator loss are defined by (2).

E_x [E_(q(z|x)) [-log⁡〖p(x|z)〗]] (1)

min┬G⁡max┬D⁡█(E_(x~p_data ) [log D(x)]+@E_(z~p(z)) [log⁡(1-D(G(z))] ) (2)

In order to mitigate the instability caused by standard adversarial autoencoder training, consensus optimization has been adopted. Mescheder L [9] showed that simultaneous gradient descent used in GAN does not generally converge to Nash equilibrium in non-cooperative minmax game. The solution proposed by Mescheder L is to construct a conservative vector field from the original using consensus optimization [9][17].

IV. Evaluation
3,254 in-the-wild OS X malware samples collected from proprietary source and randomly chosen 9,981 benign OS X Mach-O samples were used for evaluation. A snapshot of family distribution of 3,254 in-the-wild malware samples is shown in Figure 4. In order to simulate the outbreak situation, 175 out of 3,254 malicious samples that exhibit unique instruction sequence patterns were manually selected by a human malware expert as core malicious training samples and were assigned a unique label for each sample. Note that no benign samples were included in the training set.
Since there is no generic evaluation metric available to find a core sample of a malware family based on instruction sequence, the instruction sequences of all 3,254 malicious samples were visually explored to obtain the core sample of each family. The properties used to put samples in the same category are summarized as follows.

[Fig. 4. Malicious sample distribution by VirusTotal detection names. The biggest bar at the far left hand side indicates the samples with no detection or with generic name.]

In order to find out the category for the latent representation, HDBSCAN clustering algorithm was used, which shows the most appealing performance against unknown number of clusters [12]. The samples categorized as a noise by HDBSCAN are classified as benign because it indicates no similar cluster was found for the test sample. Overall flow chart is illustrated in Figure 5.

Using raw instruction sequence for classification models significantly reduces the accuracy. Gradient boosting, Support Vector Machine and Random Forest models were chosen as baseline with the feature implemented using n-gram [23] over the instruction sequence. Clustering models such as KNN were not included in the baseline model since they need decent number of training samples to work, which is different to the problem setting put forward in this research.
As shown in Table 1, traditional classifiers perform reasonably well even for a training dataset that consists of a single sample for each class. The proposed model, aae-sh, which is adversarial autoencoder combined with semantic hashing, shows reasonably high detection accuracy against malicious samples. However, all traditional classification models catastrophically fail on benign samples, recording 100% false positives. With the training set of only core malicious samples by which outbreaks are simulated, the traditional classification methods do not work at all. On the contrary, aae-sh, records a 91% accuracy over benign samples with this training setting.

Model Malicious (3,254) Benign (9,981)
gradient-boosting-1gram 0.935 0.000
gradient-boosting-2gram 0.936 0.000
gradient-boosting-3gram 0.931 0.000
svm-1gram 0.934 0.000
svm-2gram 0.944 0.000
svm-3gram 0.968 0.000
randomforest-1gram 0.983 0.000
randomforest-2gram 0.987 0.000
randomforest-3gram 0.989 0.000
aae-sh 0.959 0.910
Table 1. Detection rate against malicious and benign samples for various models.

Visual analysis of the families detected by aae-sh not only shows similar instruction sequences with variations within the family but also it does not exhibit undesirable properties described in the previous subsection. Figure 6 shows aae-sh correctly identifying malware variants whose major feature mass is identical across all samples in the cluster while variations occur in many different ways. These samples are the variants of malware named Blackhole or Freezer. It becomes clear that the names from VirusTotal [16] do not necessarily agree with malware clusters produced by aae-sh because human analysts tag detection names based on analyst-specific heuristics whereas the proposed approach in this paper derives the detection purely from the instruction sequence pattern.

[Fig. 6. Visualisation of instruction sequence of Blackhole or Freezer samples identified by aae-sh. X axis is the feature. Y axis is the sample number.]

Figure 7 shows the detected cluster 49 that contains many Flashback variants. Note that aae-sh detected the samples of different lengths as long as instruction sequences are similar.

[Fig. 7. Visualisation of instruction sequence of malware samples within cluster 49 in Figure 7 identified by aae-sh. X axis is the feature. Y axis is the sample number.]

[Fig. 8. VirusTotal detection names for the samples in cluster 49 that is visualised in Figure 6.]

Figure 8 shows redacted VirusTotal detection names for the samples in Figure 7. It is notable that 447 samples either had no names or had generic names.

V. Conclusion
The research shows that the generative power of adversarial autoencoder creates latent representations that can be used to identify similar samples with minimum number of training samples. It turned out some malware families such as Flashback reuse the same piece of code repeatedly across their variants, which subsequently enables the adversarial autoencoder to identify its family effectively. In addition, the model was found to be effective in discovering multiple variants across heterogeneous malware families that share similar instruction-wise characteristics.

Nimrod Stoler
The Hitchhiker’s Guide to Jenkins: a DevOps Adventure

If you are a red-teamer, dropped to hitchhike your way through an enterprise’s DevOps galaxy, this briefing is for you!

Enterprise DevOps teams today are set to deliver high-quality products and services to market faster and more efficiently than ever before. That is made possible through the use of DevOps methodologies and tools – such as Jenkins.

Jenkins is an open source automation server used to accelerate the software delivery process. It is widely considered the de facto standard in open source continuous integration tools with more than 165,000 active installations, of which more than 65,000 are publicly accessible on the World Wide Web!

Jenkins needs to interface with a myriad of systems and applications throughout DevOps environments. It needs unabridged access to code and artifacts, and to accomplish its role as the ‘butler,’ Jenkins must have access to considerable breadth of credentials.

In this briefing we will guide your red-team step-by-step through Jenkins recent CVEs and attack vectors, using previously undisclosed exploits.
The demos will guide the hitchhiker on how to recognize and categorize the Jenkins master server in the reconnaissance phase; how to launch unauthenticated attacks on the Jenkins master to drop security barriers and expose credentials; how to escalate your privileges from a low-privileged user, such as a user with Overall/Read permissions all the way to becoming a Jenkins admin; and lastly some tips & tricks for playing with the Jenkins session mechanism and Active Directory integration.

This briefing is based on our Jenkins research which yielded 6 CVEs and 5 blog posts on the subject (see

1. Jenkins' roles in the DevOps environment
- This will detail the special roles a Jenkins automation server has in the context of the DevOps environment
- A brief description of some recent attacks on DevOps infrastructure [data exfiltration and cryptomining in particular]

2. Introduction to key Jenkins concepts
- This will detail the basic Jenkins terminology, such as user’s permissions, CLI, Jenkins RESTful API, Java Web Start Agents and more.

3. Jenkins 'Gems’
- Detailing what would be the key benefits, or ‘Gems’, an attacker may find on a Jenkins server and agents when compromising a Jenkins installation

4. Hitchhiking 1: The Reconnaissance Stage
- This stage will guide the hitchhiker through methods of locating the Jenkins master and extracting relevant details, such as Jenkins version, session ID, which plugins are installed and more.

This stage will include the following demos:
o Demo of exploit for CVE-2018-1000192
o Demo: compile a list of active Jenkins properties: Jenkins CLI, API, Java Web Start, Jenkins users on the People page, Jenkins credential IDs

5. Hitchhiking 2: Unauthenticated Attack Vectors
- This stage will guide the hitchhiker through methods of unauthenticated network attacks on Jenkins infrastructure.

This stage will include the following demos:
o Exploit of CVE-2018-1999001, CVE-2018-1999002, CVE-2017-1000353 and more

6. Hitchhiking 3: Privilege Escalations
- This stage will guide the hitchhiker through methods of privilege escalations from users with Overall/Read permissions to admin and Job/Cancel permissions.

This stage will include the following demos:
o Exploit of CVE-2018-6356 and CVE-2018-1999003

7. Hitchhiking 4: Other Tips & Tricks
- This stage will guide the hitchhiker through miscellaneous Jenkins attacks, which include: attacking Jenkins session mechanism to achieve an infinite session [under responsible disclosure], maintaining access to Jenkins after a user has been deleted or disabled on Active Directory [under responsible disclosure] and more.

8. Closing Remarks - Finally, this section summarizes the different attack vectors we presented and offers some mitigations

kaijern xwings Lau
JiuWei: Cross Platform/Architecture Shellcode Executor

Functioning as the first-stage in an exploitation, shellcode play an important role in successfully triggering software vulnerability. Since this part of payload is written in low-level machine code, understanding how it works is not trivial for analysis.

This presentation introduces JiuWei, a cross-platform & cross-architecture machine code analyzer. Based on Unicorn emulator, our tool is able to execute & analyze all kind of shellcodes, regardless of Operating System (Windows, Mac, Linux, Android, etc) or CPU architectures (Intel, Arm, Aarch64, Mips). Thanks to a powerful instrumentation engine, the output report can show what the shellcode does inside, in a friendly high-level output format.

In this talk, we will give a brief introduction on the design & implementation of JiuWei, some technical challenges we had to solve, and some cool live demo on some modern shellcode.

Presented at (VXCON)HK with DEMO. As for HITBGSEC we will be doing new live demo and release this tool after the talk.

Max Bazaliy
iOS Dual Booting Demystified

"In this talk, we will investigate and present on the ways in which to boot a custom firmware image on an iOS device. In order to show this, we will detail how the secure iOS boot process functions, including many of the details of how the low-level component verification works as well as the loading and running of processes at boot time. It's known that iOS devices tightly integrate their software and hardware components in order to secure the system, but how is this done in practice?

We will answer this question and others by focusing on one of these integrations, specifically the boot process for modern iOS devices. The iOS boot process is a critical part of a device's system security as it helps to ensure that each component of the device can be trusted before it is used by the system. Each step of the iOS boot process contains components that are cryptographically signed by Apple to ensure their integrity and verify the chain of trust before allowing the device to continue booting. The chain of trust for iOS includes the system bootloader, XNU kernel, kernel extensions, SEP, Wi-Fi, and the baseband firmware.

From our detailed understanding and explanation of how the boot process functions for iOS we will then discuss ways in which researchers can take these learnings to create and load a custom iOS firmware image on a device, including a custom XNU kernel and system disk image side by side with the device's original iOS firmware image."

Nimrod Stoler
Prisoner Number 6

In the 1967 television series, the Prisoner, a former British intelligence agent is imprisoned on an island with other former spies who “know too much.” Escape is near impossible for the prisoners, who are only referred to by their numbers.
We’ll assume the role of “Number Six” in this session and engage the audience in a game of escape. The only difference is that instead of a coastal island, our prison is within a Docker container.

We’re trapped in Play-with-Docker, Docker’s training and workshop playground website with more than 270,000 average monthly visits.

We’ll set out and try to escape the Play-with-Docker container in an effort to remotely run code on the Docker host. The impact of container escape is similar to escape from a virtual machine, as both allow access to the underlying server. Running code on the Play-with-Docker host server would allow an attacker unabridged root access to the infrastructure on one hand, and to all students’ containers running on the Play-with-Docker hosts on the other hand. Escaping a container may be regarded as the first step in an attack against an enterprise infrastructure, since many enterprises are running public-facing containers nowadays, which may lead the attackers into the enterprise network.

We’ll show how we attempt to escape the Play-with-Docker container to reach the underlying host. Attendees will see how we use a number of different attack methods, such as loading a Linux kernel module into the Play-with-Docker kernel, exploiting devices present in the container to read and write host’s files, and more.

In this session we present a number of novel concepts and techniques for container escape: (1) we demonstrate how to inject a Linux kernel module from one version kernel to another kernel version through a Linux container. See
(2) We present three different methods to access the host’s filesystem from a privileged container, demonstrated using the Play-with-Docker container.
(3) We present our idea of ‘privileged’ containers, which widens the current definition, and prompts security researchers to re-think existing approaches to privileged containers.

Matteo Collura
DES is dead, long live DES!

Who said that bruteforce is not an option?
During the previous years, much effort was spent to create algorithms whose strength was relying on the impossibility to bruteforce all the combinations in due time: this happened mostly because the computational power of traditional von Neumann architectures reached a maximum, due to technological limitations.
One of such algorithms is DES, an old algorithm that is still widely used in our daily life. One of the main examples is probably NetNTLMv1, a Windows authentication protocol that can still be found in working environment and it is still the standard de facto for Wi-Fi enterprise networks all around the world.

That is the reason why DES_CESS (Cracking Environment for Smart Suricates) is born, a simple non-von Neumann hardware tool able to speed up the time to bruteforce a DES key. In the past, multiple attempts have been made to exploit the power of FPGAs to go through the entire DES key space in reasonable amount of time, from Copacobana to PicoCrack and The goal of DES_CESS is to provide an open source, fast and highly scalable tool to bruteforce DES keys on multiple FPGA platforms (from cheap 100$ board to thousands dollars Virtex chips).
The talk will go through what is an FPGA and why, even today, it has advantages over GPU-based cracking, what main challenges have been faced during the development of the project and the next steps for future releases.
Eventually, at the end of the talk we will give away to the attendees free FPGA board(s), so they can start playing with the open source software and, hopefully, be involved in the development!

-1- Introduction and WhoAmI
-2- History of FPGA-based cracking
-3- Why FPGA cracking still makes sense today
-3.1- FPGA v/s GPU cracking
-4- Designing an open source, scalable, portable and fast DES cracker
-4.1- The pipelined approach
-4.2- Multi-core and multi-devices
-5- Results
-6- Future steps
-6.1- More optimized algorithms
-6.2- Wider device support
-6.3- hashcat support (?)
-7- Q&A

// [Comment for review board] : The code will be released to the public right after the talk.

Slava Makkaveev
Do you trust me? Or, how to hack Qualcomm TrustZone apps

Mobile vendors strive to strengthen phone protection on an hourly basis. Currently, even a rooted mobile device is still not fully compromised due to ARM TrustZone and Qualcomm’s Chain Of Trust. That's why we are looking for ways to go even further and bypass this last line of defense in the mobile ecosystem.

We automatically discovered many vulnerabilities in trusted components provided by manufacturers as part of Qualcomm’s Trusted Execution Environment (TEE) backed by ARM TrustZone. Samsung, LG, Motorola and other devices are in the list.

On Application CPU, TrustZone creates an isolated virtual Secure World running on top of a dedicated Qualcomm OS. Secure World’s trusted apps (trustlets) are responsible for the business logic of mobile data security. Those apps must be the most protected part of the mobile device, which makes them crucial and challenging target for security research. In this talk we are going to show that many trustlets are not reliable enough.

We reverse engineered the Qualcomm TrustZone ecosystem and found that trustlets constitute the perfect target for the fuzzing-based vulnerability research due to its internal structure and the TEE architecture itself. In order to be able to fuzz trusted apps, we had to discover ways to execute them in the Normal World (Android OS); to load patched app into the Secure World, bypassing Qualcomm’s Chain Of Trust; to adapt trusted app for running on a device of another manufacturer; and more. We are going to show our way through those challenges to build a workable fuzzer and hunt TrustZone vulnerabilities.

Bhargava Shastry
Fuzzing the Solidity compiler

## Title: Fuzzing the Solidity compiler

0. Talk overview

In this talk, we will
1. Introduce the audience to the Solidity compiler and its high-level architecture
2. Present a threat model for the compiler
3. Present a framework for security testing of Solidity for the presented threat model
4. Present results from our internal security audits
5. Conclude the talk with take-away, future work, and implications for testing other compiler-interpreters such as Python, perl, ruby etc.

We will demo the bug discovery process of a real-world optimizer bug for the lulz.

1. Introduction

Solidity is a programming language (PL) for writing distributed applications, so called smart contracts. The Solidity compiler (also called Solidity) is the most popular compiler that is used to compile and optimize smart contracts and generate Ethereum virtual machine (EVM) bytecode. Production EVM bytecode is then deployed on the Ethereum main network.

Since the Solidity programming language does not have a formal specification, testing the compiler implementation is an important way to obtain assurance about the correctness of code generated by the compiler. Fuzz testing is well-suited for this setting. However, applying fuzzing in the traditional manner (random input generation that is coverage-guided) is inefficient for testing compilers because a significant fraction of randomly generated code is syntactically invalid. If the fuzzer does not generate syntactically correct Solidity programs, the compiler will simply reject it. As a consequence, code optimization and generation subsystems of the compiler will not be tested.

The approach adopted by us is to define a grammar for the Solidity programming language and automatically generate inputs based on this grammar. Grammar based fuzzing ensures that generated programs are successfully parsed by the front-end parser. We make use of libProtobuf and libProtobufMutator for defining the grammar and performing grammar-based mutations, and libFuzzer as the underlying fuzzing engine.

2. Threat Model

The Solidity compiler comprises two high-level subsystems, namely the front-end parser and the back-end code optimizer/generator. The class of bugs we would like to find are those introduced by the optimizer. There are two optimizers within the compiler back-end: (1) the legacy optimizer is the optimizer that is used in production, and (2) the new and experimental Yul optimizer that is available since version 0.5.6.

Our focus is on defining a threat model for the new Yul optimizer so that bugs are caught and fixed before it goes into production. To test the yul optimizer, we employ the following strategy
- write an interpreter that can execute yul programs and output an execution trace
- compare execution traces of unoptimized and optimized yul programs
- if the yul optimizer works correctly, these traces should match

An execution trace is essentially a list of side-effects produced by a program. An optimizer must make a program more efficient to run. However, it should not alter its semantics. The bug class of interest is optimizer bugs that alter program semantics post optimization.

3. A Framework for Security Testing of Solidity

3.1 Yul: Solidity intermediate language

Yul is an intermediate language that is designed to be a common denominator for multiple backends such as EVM, EVM1.5, Wasm etc. It has two flavors: typed and untyped. The former is in active development; the latter is part of the experimental release and the focus of our current testing.
In untyped yul, all values are of type u256 i.e., unsigned 256-bit values.

3.2 Yul interpreter

The yul interpreter interprets untyped yul source code for the EVM 1.0 backend. One of the main features of this interpreter is the ability to log execution traces of interpreted source code.

Execution traces comprise sequence of instructions that led to a side-effect. For example,
MSTORE_AT_SIZE(0,32) : 0000000000000000000000000000000000000000000000000000000000000000

says that there is a store to memory location "0" of a 32-byte value that follows the colon. Execution traces allow us to ensure that side-effects of unoptimized and optimized are the same by simply comparing strings.

3.3 Semi-formal specification of target language

Input generation depends on the specification of the target language i.e., untyped Yul. We write a protobuf specification for untyped Yul. It looks like like an ABNF spec found in network protocol RFCs.

Top-down, we define a function to be a statement "Block" and a "Block" to be a sequence of "Statement". A "Statement" can be one of several possible statements such as variable declaration, assignment, if, for etc.

message Function {
required Block statements = 1;

message Block {
repeated Statement statements = 1;

message Statement {
oneof stmt_oneof {
VarDecl decl = 1;
AssignmentStatement assignment = 2;
IfStmt ifstmt = 3;
StoreFunc storage_func = 4;
Block blockstmt = 5;
ForStmt forstmt = 6;
SwitchStmt switchstmt = 7;

The libprotobufmutator leverages this specification to create "trees" representing various statement sequences.

Note: A block can contain multiple "basic blocks" in compiler-speak.

3.4 Specification to input converter

Input generated by the libprotobufmutator looks like an abstract tree. An example is provided below

statements {
statements {
decl {
expr {
varref {
varnum: 0

This is not a valid Yul program. To convert this abstract representation into a concrete representation, we need a so called proto converter. A proto converter accepts the abstract representation provided by the fuzzer and "pretty prints" it into a Yul program. We have implemented a simple converter in C++.

3.5 Test harness

Once the input has been converted to a concrete representation, we can feed it to the parser and optimizer subsystems of Solidity. At a high level, the pseudo code for the test harness looks as follows

int Fuzz(Proto p)
std::string c = convert(p);
ast = solidity::parse(c);
trace_1 = interpret(ast);
trace_2 = interpret(ast);
assert(trace_1 == trace_2);
return 0;

The bugs the fuzzer flags are those programs that have different side-effects with and without optimization.

4. Results from internal security audit

At least four security-critical bugs were found in the Solidity compiler-optimizer. More bugs will be discussed if they are fixed until the day of the talk. For lack of space, only three bugs will be described in detail in the abstract, but all bugs will be presented should the talk be selected.

4.1 Bug 1: Double shift leads to incorrect computation

Consider the following fuzzer generated Solidity assembly program that simply declares a variable "x" and initializes it "1" left shifted by 2^256 (note that a native word is 256 bits and all operations are mod 2^256)
let x := shl(1, shl(not(0), 2)) // 2 << (2^256)
mstore(0, x) // mem[0] = x

Left (or for that matter, right) shifting any 256 bit constant by more than 255 places should yield zero. It follows that the program above should store the value 0 at memory location "0".

However, the compiler actually optimizes the above program to the following:

On closer inspection, we found that the optimization rule for double logical shifts (both right and left) contained the following rule

Rule 1: shl(a,shl(b,x)) -> shl(min(a+b,256),x)
Rule 2: shl(0,x) -> x

For the fuzzer generated test case `a=1` and `b=(2^256 - 1)` for which `a+b=2^256.` Since a native word was used to compute the sum of shift sizes, it overflowed to zero in this case. Consequently, min(0,256) = 0 which meant that the code in the original snippet was transformed to the constant x (="2")

The fix was to use arbitrary precision integer for storing the result of `a+b` before computing the min. However, since this rule is encoded in the legacy optimizer (that has already been used by contracts on the main net), it required a bug fix release and a security advisory. Fortunately, code like this is highly unlikely to be written or generated, so it was treated as a low-severity bug.

4.2 Bug 2: Incorrect byte opcode optimization rule

The `byte` opcode is used for indexing individual bytes in word (32-byte array). byte(i,x) indexes the ith most significant byte of x, the most significant byte of x being assigned an index of 0.

byte(0,1) = 0x00
byte(1,1) = 0x00
byte(31,1) = 0x01

Now, byte(31, x) is equivalent to applying the following bit mask on x: and(x, 0xff). Here's the fuzzer generated program for which the optimizer generated incorrect code

let x := byte(2,31)

which was optimized to

mstore(0, 2)

This was surprising because byte(2,31) is zero because the second most significant byte of a 256 bit representation of the decimal value "31" is zero. On closer inspection of the byte opcode optimization rule, we found that the rule swapped the order of arguments resulting in the following optimization being applied (-> indicates equivalence)

byte(x,31) -> and(x,0xff)

where as the correct rule should have been
byte(31,x) -> and(x,0xff)

This was a relatively simple fix. However, since this rule is encoded in the legacy optimizer (that has already been used by contracts on the main net), it required a bug fix release and a security advisory. Fortunately, code like this is highly unlikely to be written or generated and even if it is, the bug occurs for a very specific "value" and not the index of what is essentially an array access operation.

4.3 Bug 3: Incorrect code generation for nested arithmetic operations

tl;dr: A bug in the Solidity optimizer led to incorrect computation of basic arithmetic operations.

Context: The Solidity optimizer comprises over 15 different optimization steps. Each step is modular: it accepts code from the previous optimization subsystem, optimizes it further, and outputs the optimized code to be used in the subsequent optimization phase. One such optimization step is the expression simplifier (ES).

The expression simplifier is tasked with simplifying expression statements. Consider the following trivial expression statement that assigns a constant (referenced by a variable `y`) to variable `x`.

y = 1
x = y

This can be obviously simplified to `x = 1`.

The benefits of the ES are the following
- since it folds constants, it enables further optimizations
- it can replace expressions that directly map to built-in EVM opcodes e.g., `x = y & z` can be replaced by `x = and(y,z)`

Bug Root cause:

The ES makes use of the static single assignment component to make it easier to fold constants. Although this usually works out well, in certain corner cases, it is possible that the value of an SSA variable may reference a non-SSA variable whose value has changed from the time the reference happened. When this happens, the "constant" folded can be different than the correct value. Hence, incorrect code is generated. This is a serious issue since an incorrect value for a program variable can influence the outcome of a contract, leading to program flow that was never intended by the contract developer.

Concrete example of bug:

Consider the following code snippet that triggers this issue in the compiler-optimizer.
1. {
2. let a,b := foo()
3. sstore(0, a)
4. sstore(32, b)
5. function foo() -> x, y
6. {
7. y := sub(y,1)
8. x := sub(y,1)
9. }
10. }

This contract does the following
- defines a function called foo that returns two values
- assigns variables `a` and `b` to `foo()`
- stores the value of `a` in storage location 0
- stores the value of `b` in storage location 32
- both `a` and `b` hold 256-bit numbers

A correct execution of the above code should result in the following computation steps:
- As `foo` is called, `x` and `y` are initialized to zero
- On line 7, `y = 0 - 1 = -1` OR 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
- On line 8, `x = y - 1 = -1 - 1 = -2 OR 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe
- On return from foo, `a = x` and `b = y`
- On line 3, the value 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe is stored in storage location 0
- On line 4, the value 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff is stored in storage location 32

Due to the bug described above, the Solidity compiler-optimizer generates the following (incorrect) code instead

sstore(0, 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffd)
sstore(32, 0xffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff)

- Note that while the value of `b` (stored in location 32) is correct, the value of `a` is off-by-one
- The optimized version of the program generates the value `-3` for `a` instead of `-2`

Why -3 and not -2?

This is where the bug kicks in. Let us rewind.

We explained that a bug in the Expression simplifier optimization step led to incorrect values being used during constant folding. Let us dig deeper to understand the bug using the above contract as an example.

At the time the ES step is invoked, this is what the program looks like (bear in mind that prior optimization steps have reduced our original program to this stage. Explaining why the program is transformed so is beyond the scope of this talk)

1. {
2. let a, b := foo()
3. let _1 := 0
4. sstore(_1, a)
5. let _2 := 32
6. sstore(_2, b)
7. function foo() -> x, y
8. {
9. let _3 := 1
10. let y_5 := sub(y, _3)
11. y := y_5
12. let _4 := 1
13. let x_6 := sub(y_5, _4)
14. x := x_6
15. }
16. }

Let us narrow our focus to the computation in the function foo
- On line 9, ssa variable called `_3` is created and assigned a value of one.
- On line 10, ssa var called `y_5` is assigned the expression `sub(y, _3)`
- Note that, at this point, `y_5` is only a reference to the sub expression AND
- The values of `y=0` and `_3=1` are not resolved yet, so they remains references to their values
- On line 11, `y` is assigned the value of `y_5`.
- Now that, since `y` is a non ssa variable, it is further simplified to the value of `y_5`
- Since the value of `y_5` at this point is `-1`, y becomes equal to negative one
- The reference `y_5 = sub(y, _3)` remains intact
- On line 12, ssa var `_4` is assigned a value of one.
- On line 13, ssa var `x_6` is created and assigned the reference `sub(y_5, _4)`
- [BUG!!!] On line 14, `x` is created and assigned the reference `x_6`
- Note that, since `x` is a non SSA variable, it's value needs to be resolved now
- To do this, the compiler resolves the value of the dependent references
- `y_5` references `sub(y, _3)`: At this point, `y=-1` and `_3=1`, therefore `y_5 = sub(-1, 1) = -1 -1 = -2`
- `x_6` references `sub(y_5, _4)`: At this point, `y_5=-2` and `_4=1`, therefore `x_6 = sub(-2, 1) = -2 -1 = -3`
- Therefore x is incorrectly assigned a value of `-3` instead of the correct value of `-2`

The underlying cause of this bug is lazy SSA resolutions of SSAs that reference non-SSA expressions.

The fix is to not depend on lazy SSA resolutions. Specifically, we now depend on the the data flow analyzer subsystem that handles such computation correctly. Since this bug appears in the new optimizer that is still in experimental mode, we treated it as a bug fix and not a security advisory. Nonetheless, it is strongly recommended that users update to the version with the bug fix.

5. Conclusions

The key take-aways are
- Grammar-based fuzzing is useful to find bugs in deep compiler code
- This helped discover multiple security critical bugs in the Solidity compiler
- Assessing impact of bug remains a challenge because bugs don't have bytecode/source code patterns.

- Expand language specification. Include multiple function definitions/calls.
- Fuzz legacy optimizer

Sebastian Osterlund, Pietro Frigo, Alyssa Milburn, Stephan van Schaik
RIDL: Rogue In-Flight Data Load

Speculative execution bugs in modern CPUs popped up out of nowhere, but the worst of the nightmare appears to be over. While Spectre-style attacks will be with us forever, a variety of mitigations have been implemented to protect us against Intel CPU vulnerabilities such as Meltdown and Foreshadow. Browser vendors have implemented process isolation, and Intel even have silicon fixes in their latest CPUs. Do you feel safe?

We destroy these mitigations by taking a skeptical look at their assumptions, and reveal
that unprivileged userspace applications can steal data by simply ignoring security boundaries
-- after all, what do address spaces and privilege levels mean to Intel's CPU pipeline? Using our RIDL attacks (also known under the PG-13 Intel designation: MDS -- Microarchitectural Data Sampling), we'll steal in-flight secrets from SGX using just a bit of JavaScript in a web browser, grab /etc /shadow from another VM without even thinking about the hypervisor in the middle, and despair about our speculatively executed future.

Ali Abdollahi
Hacking Airplane Air to Ground System

One of the most important part of avionic systems is the communication. Airplanes use mobile communication to connect to stations on the ground. In many cases the connection is base on LTE-Advanced technology and in some cases when an airplane is on the seas or somewhere else that there is no base station on the ground, It uses the satellite as a hub. In this presentation I will explain the architecture of the communication between an airplane and a ground station, after that review the technology used like mobile communications. In the next part I will review the vulnerabilities around the mobile communications particularly in radio segment which used by both airplane and the ground base station. In the last part of the presentation I will cover and show how a hacker or criminal can take advantage from the communication line between airplane and the base station to passive sniffing, manipulate the data, active sniffing, airplane functions disruption, privileged escalation to other avionic system which threaten both airplane and passengers.

Sam Lanning
No More Whack-a-Mole: How to Find and Prevent Entire Classes of Security Vulnerabilities

In software development, we frequently see the same logical coding mistakes being made repeatedly over the course of a project’s lifetime, and often across multiple projects. When these mistakes lead to security vulnerabilities, the consequences can be severe. No one knows this better than companies like Google and Microsoft, whose software is used by millions of people every day.

With each code vulnerability discovered, we’re presented with an opportunity to investigate how often this mistake is repeated, whether there are any other unknown vulnerabilities as a result, and implement an automated process to prevent it reappearing. In this talk, I’ll be introducing Variant Analysis, a new process being pioneered by security teams at a number of companies including Google and Microsoft, that does just this. I’ll discuss how it can be integrated into your development and security operations, and also share some stories from the trenches.

Alex Kolchanov
Attacks on GSM alarms, smart homes, industrial control systems and smartwatches for kids

This talk will cover attacks on popular GSM-devices: GSM-alarms, GSM-controllers for smart homes, industrial GSM-controllers, access control systems, GSM-locks, some communication systems and smartwatches for kids. They are very easy to use. Usually, the user can insert a SIM-card in a controller, then the GSM-device is ready to use. Howewer, the security of these devices is questionable.

This talk will cover attacks on GSM controllers present in the aforementioned devices, as those seem ripe with insecurities.
This talk will also cover different problems that were found during research, as well as critical flaws.

Plan for the talk:

* Which GSM-devices exist, where they can be used, why the successful hack is dangerous.

* I will show and describe some devices, also I will present some statistics about using these devices (based on publicly available data).

* I will tell about the latest attacks (based on attacks, where some information are available).

* Financial attacks: why it can be interesting and useful to hack devices in other countries. Sometimes hackers can use vulnerabilities in different devices to steal money by calls to paid numbers.

* Typical threats, what is the difference between GSM-alarms and other types of alarm systems.

* Calls with spoofed Caller ID (phone number) as an effective method of attacks against GSM-alarm systems: different GSM-systems supports control with calls (they use small IVR-menu with DTMF commands). The main method is to make a call with spoofed Caller ID and bypass authorization. We will discuss different issues: using only Caller ID for authorization, brute-force authorization code, default authorization codes, additional configuration codes. After a successful attack hacker can:

* * GSM-alarms: an attacker can change settings, disable and enable security mode, add new control phone numbers, listen to an environment.
* * Smart homes control systems: an attacker can switch off and switch on devices, get information, listen to an environment.
* * Industrial GSM-control systems: an attacker can switch off and switch on different industrial systems.
* * Access control systems and locks: an attacker can open doors.
* * Smartwatches for kids: an attacker can send fake messages, make fake calls from parents, get location, listen to an environment.

* Also, "locking brute-force" will be discussed. It is a special attack against a few well-protected devices, which will lock authorization for some time after several attempts for authorization. An attacker can use it to disable an ability to control a device for the user.

* Special "incoming call attack" will be discussed. Some devices by different reasons cannot make a call or send SMS when the line is used by another call. An attacker can use it to prevent sending an emergency signal for a long time.

* Financial attacks on devices. In several cases, an attacker can make the device perform paid actions (like sending SMS or making calls). It allows for an attacker to make a device spend all money from the account and prevent communications.

* Attacks on mobile operators: criminals can try to attack different systems of mobile operators to disable communication with a device or to get control on SIM-card (and device too). In this part, different attacks will be discussed. In some cases, an attacker can change tariff, spend money from the user's account, block SIM-card, enable call forwarding. I will tell about different methods, that can be used to do it.

* Attacks with spoofed SMS-messages will be discussed. In several cases, it is possible to send SMS with spoofed phone number (mostly, it is based on different vulnerabilities at mobile operators systems).

* Using different jammers will be discussed: when it can be effective or when it can be useless.

* Problems with DIY-devices will be discussed.

* More difficult attacks against well-protected devices will be discussed.

* Also physical attacks will be discussed, in several cases, a hammer can be more effective than high-technology attack.

* Attacks on mobile applications and personal accounts, which can be used to control devices, will be covered.

* Some ideas for secure exploitations of GSM-devices will be discussed.

If it is possible, I will show some practical demonstrations.

Harshit Agrawal
On the Wings of Time: Demystifying IoT/OT attacks

Recent years have seen a flood of novel wireless exploits, from vulnerable medical devices to hacked OT devices, with exploitation moving beyond 802.11 and into more obscure standard and proprietary protocols. While other non-WiFi RF protocols remain a mystery to many security practitioners, exploiting them is easier than one might think. Today, cyber threats have grown not just in its depth (more sophisticated) but also in its breadth (expanded scope). It has grown from threats in Enterprise IT systems to Operation Technologies (OT) and Industrial Control Systems (ICS).

IoT/OT is the backbone of our critical infrastructure and is increasingly under attack. These systems present unique security challenges connecting aging equipment that often predates modern security. The increasing pervasiveness of wireless connectivity has expanded the attack surface of IoT/OT networks by opening them up to those dangers well known and can only be expected to continue to do so. Every device accessible over an electronic network creates another point of attack for malicious operators; every additional connection between information and control networks multiplies the number of attack points that can be addressed. We will be showcasing many of the wireless security and privacy issues.

But is security keeping up with the innovation? The session assesses current IIoT security and discusses how to identify authorized and unauthorized signals in an organization. Smart Homes, Transportations, Communication, and Energy industries are widely considered as the most vulnerable and disruption of their operations to have the greatest and most immediate national impacts. Even Hackers have a new way to profit off our security cameras, smart lighting, and even our fancy new coffee pot, we will show, how can one detect and prevent IoT crypto jacking attacks. The difficulties discussed and the recommendations made are equally applicable to all industries using IoT/OT.

Guillaume Lopes
Abusing Google Play Billing for fun and unlimited credits!

In 2017, the estimated global in-app purchase revenue was projected to exceed $37 billion. Just in the Google Play Store, for 2018, more than 200 000 apps are offering in-app purchases. However, the Google Play Billing API is vulnerable by design and allows an attacker to bypass the payment process. I analyzed several android games and found that it possible to bypass the payment process. This presentation will show real vulnerable applications (Fruit Ninja, Doodle Jump, etc.).
The agenda of the presentation will be divided as follow:
1. Google Play Billing Presentation: Presentation of the workflow and how it works. In addition, a focus will be done on the local validation of the process.
2. Known vulnerabilities: Review of the vulnerabilities found by Dominik Schürmann. Demonstration of why the fixes performed by Google are not enough and how it is still possible to bypass the payment process.
3. Vulnerable applications: Example of vulnerable applications trying to protect the billing process (Doodle Jump, Snoopy Pop, Fruit Ninja, etc.) with different techniques (obfuscation, shared libraries, etc.). The presentation will focus on how the billing process is performed and how by reverse engineering the application, it is still possible to bypass the payment process.
4. Conclusion: Sum up of the numbers of vulnerable applications. Comparison with other billing libraries (Amazon and Samsung).

I’m still working on several Android applications (mainly games) to analyze how the billing process is handled. In my presentation, I’m going to show how different applications implement the process. Different demonstration will be performed regarding the different vulnerable applications.

A preview of my work can be found on the following blogpost:

Ali Abdollahi
Detect IMSI Catchers and defeat surveillance systems (Building a Fake-BTS/IMSI catcher detector)

There are still a lot of ways to manipulate the communication between mobile subscriber and base station from GSM to LTE. An attacker or any surveillance system can run a rogue base station to catch the victim IMSI and sniff the voice or data traffic. In this talk I will illustrate how we can determine the suspicious activity to prevent compromising the radio network.This presentation will completely demonstrate how to build a IMSI Catcher/FakeBTS system to detect the intruders.

Yunfei Yang
Wi-Fi tracking in a Big Data Era

Over last few years, Wi-Fi tracking(track your presence via Wi-Fi)raise privacy concerns, because the MAC address can be linked to individual.

To address privacy issues, Apple, Google, Microsoft added a MAC randomization feature on their latest system to hide the real MAC address. But a large number of devices still do not support this technology, and the randomization usually only works in scanning, actually will be break when get connected. So we can set up fake hotspots to induce clients to connect.

To make things worse, these Wi-Fi tracking devices get greatly improved. With the help from third-party data companies, Wi-Fi tracking can even map the MAC addresses to users' phone numbers, then SMS marketing or telemarketing. In this talk, we will discuss the development of Wi-Fi tracking, and propose a new idea to fight against it.

Tan Kean Siong
Inside the IoT Botnets Universe: From a Honeypot to the Hive

===== Abstract =====

The IoT botnets universe is the fascinating one. With countless of IoT botnets variants emerge in the wild, every bot herder is fighting for marking their territory with insecure devices on the Internet.

In this session, we love to share the interesting stories from single honeypot, lead to discovery of juicy botnet source code repositories on the Internet, and uncover various dramatic scenes within the bot herders behind the curtain.

By tracing the attack trails with OSINT, we discovered multiple source code repositories which surfaced over the Internet for a short duration, with huge collection of IoT botnet source code, exploits, compile tools, screen shots, credential notes, config files, private keys, etc.

During Apr 2019, we came across with recent variant with anti-honeypot technique for evasion purposes. In addition, we stumbled upon various interesting turf war and dramatic territorial battle between the bot herders, e.g takeover and wipe out other's botnet, delivered sneaky backdoor-ed exploit scripts to the peers publicly, 'bashing' well-known IoT botnet security researchers who discovered their botnets in security conference (e.g. HITB 2018).

===== NOTE for CFP reviewers team =====

- Thank you very much for reviewing my submission!
- FYI, I have presented 60% of of these contents in Black Hat Asia March 2019.
- As a HITB crew / volunteer, I feel that this topic could be pretty relevant for our HITB conference, especially we found that the IoT bot herders were watching and discussing HITB GSEC Singapore 2018 Youtube video and 'bashing' the researcher's presentation accents. Pretty interesting.

Thanks again!

Fan Wu
Tracking Down Botnets on Cloud

Botnets have long been a serious threat for Internet security. In recent years with booming development of cloud technology, botnets have also targeted at millions of hosts on cloud, leading to more problems like DDOS attack, data stealing and cryptojacking, etc.

To combat with botnets and protect users on cloud we first need to track them down. Since many botnets are highly infectious, it is necessary to detect new botnets as soon as they appear and understand their behavior, before they spread and cause more harm. We also need to detect changes in botnet behavior whenever they are updated.

We are faced with following challenges:1. there are hundreds of active botnets at the same time, far beyond the number security experts can analyze. 2. It is hard to pick out the botnet that is in early stage of propagation, yet has potential to wreak havoc. 3. It is labor-consuming to put together pieces of information of a botnet to generate useful intelligence.

To address these challenges, we propose a triage framework on cloud to track botnets. The framework is consisted of three modules:

1. Module for collecting intrusion events and IOCs.

High interaction honeypots on cloud and intrusion detection systems (IDS) are used to collect network and host-based information including malicious traffic, malware md5, mining activity, etc.

Specifically, we extract urls from suspicious HTTP request. Different botnet groups use different urls to download files, including dropper, backdoor, malicious scripts.We also put emphasis on wallet addresses and proxy addresses extracted from mining traffic of cryptojacking botnets, because they distinguish different botnets well.

2. Module for clustering IOCs and building causal relationship among events.

Entities are extracted from collected information to build a knowledge graph. Then we run label propagation algorithm(LPA) to further cluster all the IOCs. This step helps to understand botnets' structure and behavior .

3. Module for filtering out botnets that are worth attention.

Multiple statistical and rule-based models are used to scale down the number of botnets to be analyzed.

This framework helped in successful detection of many new botnets and important botnet updates, about which we have written posts to tell our customers what is going on.

During analysis of botnets, we found following tendencies:

1) Technical threshold for botnet builders is becoming lower due to open source tools and exploits

2) Botnets are starting to use more advanced infrastructure (e.g. bulletproof host, TOR hidden service, threat intelligence from shodan, rootkit…)

3) 0-day and 1-day vulnerabilities are used in botnet propagation, and the time interval between vulnerability publication and use in botnet is short.

4) Some botnets are single-purpose, but most of them combine mass scanning, mining, DDOS to gain most profit.

In sum, we really hope to share with you real-world botnet cases, our methods and models to detect them in early stage of propagation, and other findings in the process.

Syue Siang Su
Farewell, WAF - Exploiting SQL Injection from Mutation to Polymorphism

At first, I'll give the audience a brief walkthrough of the history of input validations against SQL Injection. Then, some classic and practical evasions will be shown with the slide, and I'll explain why these evasions work and how validation functions handle afterward. Of course, those de facto well-known WAFs, like ModSecurity, and some common filters, like libinjection, will also be discussed at the end of the walkthrough.
As I finish the introduction of input validations above, I'll then introduce a novel way utilizing the concept of Polymorphism in order to bypass the limitations. The outline probably looks like following: Go through a brief introduction of the mutation technique, the differences among other evasion techniques, the scheme, the algorithm, and the potential risks it may raise in the future. Some new bypasses against ModSecurity and libinjection will be shown and evaluated at last.
In conclusion, I'll talk about future works and possible improvements to the idea. I'll also discuss why there exist such developer UX/ergonomics problems that stop developers from using true solutions such as parameterized queries, strict HTML templating, strong typing and/or taint-tracking systems, and therefore, might lead to the problem of lexical and syntactic equivalences in many input languages as well.

Ilia Barahovsky
Attack of the Clones: Android Malware Strains Detector

How many different malwares are there in the wild? Every cracker breaks your system on his own by creating a brilliant piece that will infect all the world and rule them all? Not so easy, not so simple, not so fast!

Android world is crowded with info stealing SDKs, rough advertising libraries, ready examples for spyware, ransomware and exploitation. Malwares are released in many versions. Malware developers steal from other malware developers and repackage result of their sweat. They seek not to develop and to promote an app, but to embed the malware into many well known apps.

Clones can look the same or completely different at the first glance. Still they have similar malicious piece of code. Multiple obfuscation techniques exist to evade signature-based detection. Manual discovery and analysis of all the variants is almost impossible task. How to find all the versions and repackaged instances with minor code modifications? And even better, to detect them automatically.

In this talk we'll show how to compare malicious code, ignoring insignificant changes and legitimate libraries. After that we'll explain how to refrain from expensive pair to pair comparison by employing similarity hashing techniques. We have developed an efficient automatic detector for the clones. And our life got easier.

Jie Fu
ZigWasp - Discovery the secret of ZigBee Firmware and accelerate the analysis

1.Why ZigBee again?
Not from the perspective of development. This talk will describe how to start from the firmware layer and deeply analyze possible problems of ZigBee protocol.
I: From the bottom firmware, get the secret key and key data, and then reconstruct ZigBee communication;
II: Instrumented and IDA plug-in is going to make ZigBee security research more convenient;
2. What is ZigWasp ?
ZigWasp is an edge tool for analyzing ZigBee firmware.
Within this tool, you can do your ZigBee attack work easily, even you do not have the ability of reversing.
3.Key Features about my tool
--Determine which bytes are CODE and which byte are DATA
--Automatic find and present there IMPORTANT keys in ZMasterKey/defaultKey/defaultTCLinkKey
--Identify system functions
--Identify most static variables
--Detect some sensitive information
4.Using means;
--Decrypt the packet with the secret key;
--According to the disassembly code, find the implementation process of protocol packaging;
--Analyze protocol field design and protocol specific format, and then rewrite zigbee communication module to realize replay attack;
--Extract valuable information from firmware and extract it;

Junyu Zhou
Web2Own: Attacking desktop apps from web security's perspective

Researchers are always talking about binary vulnerabilities when hacking desktop applications, this time let us try something different. Memory corruptions are always costly to find, mitigations introduced by operating systems make them harder to be exploited. Meanwhile, more and more applications are using hybrid technologies, so we can try web security tricks to pwn them reliably with less effort.

Our presentation will summarize attack surfaces in desktop application and introduce methods to find security issues. In particular, we will explicate some real-world cases, such as chaining multiple vulnerabilities (information leaking, CSP bypass, opened debugging port) to achieve RCE in a specialized IDE, sensitive file leaking in some famous editors, privileged APIs abusing in many IM applications and so on. During our research, we find some issues actually reside in popular libraries. These flaws may affect more applications than we will demonstrate in this talk.

Web security knowledge is usually unfamiliar to desktop application developers. Attacking desktop apps using web security tricks is a non-competitive "blue ocean". Our presentation will focus on many design misconceptions and implementation mistakes in desktop applications. By sharing these representative lessons, we hope to help developers improve the security of their products.

Lorin Wu
Trend of Splitting Bamboo: Chained Mobile Phishing Has Been Used To Attack East Asian Countries For 6 Years

This presentation focused on a novel chained mobile phishing, which operated by two seemingly unconnected mobile malware – XLOADER and FAKESPY – a malicious Gang that caused widespread attention from anti-virus vendors, regional police and Interpol - has been attacked to East Asian countries for nearly 6 years with great fanfare and has reached its peak since last year.

We will present how the criminal gang is playing their mobile phishing techniques, which includes SMS Phishing(Smishing), Web Phishing optimized for Mobile Platforms, Popup/Notification Phishing and Social App Phishing and even Voice Phishing(Vishing) is involved. Also, we can see the criminal gang uses these mobile phishing attack vectors without any difficulty, these technologies can be combined to be seen as an independent phishing circle, so called chained mobile phishing.

The mobile phishing campaign employed SMS senders to send tens of thousands of well prepared text messages to mentioned targets ( Phishing), deployed or cloned thousands of fake famous websites as well as new domains to lure victims into downloading malicious apps or installing malicious iOS profiles (Web Phishing), prepared many fake banking/gaming apps to replace with the installed legitimate ones by alerting victims (Popup/Notification Phishing), occupied many social network profiles to hide the real C2 address, such as Baidu, Sohu, QZone, Kinja, Twitter, Instagram and Tumblr (Mobile malware on social networks). Besides, said attack also used Domain Name System (DNS) cache poisoning/DNS spoofing to distribute and install malicious Android apps, during its attacking, the Social App Phishing was also employed as new attack vector to further lure user into hooking up.

Up to now, the six-year transnational campaign is still very active, with a wealth of infrastructure of infect chain and attack vectors, especially good at mobile phishing attacks, and continue to launch a fierce attack on developed countries or regions in East Asia such as Japan, South Korea, Taiwan and so on.

In the course of our research on this mobile phishing campaign , we have learned mobile phishing is more problematic, which is different from and goes beyond traditional PC's, mobile phishing brings together new features of mobile for phishing individuals, the mobile phishing campaign, with its unexpected attack vectors, and the use of tens of thousands of auxiliary facilities, has achieved good attack effects again and again.

Along the course of our research, we outlined the evolution of both XLOADER and FAKESPY malware families. Our research showed that the infrastructure and the victims have spread from Asia to target many other users in various locations. We also share the connections of the two malware families and the Yanbian gang and provide security tips for vendors, ISP and best practices for mobile device usage .

Yunfei Yang
CP Toolkit: The Captive Portal Toolbox

The captive portal feature are supported by most operating systems(iOS/Android/Windows/MacOS), it will automatically pop up a portal page without user interaction when a device connected to a Wi-FI network. Due to the feature, it's often used as a start point for combined exploits, such as exploiting iPhone7, Samsung Galaxy S9 and Xiaomi Mi6 on Mobile Pwn2Own 2017 and Pwn2Own 2018.

CP toolkit is a collection of captive portal exploitation, which enables a researcher setting up a phishing AP to gain sensitive information from victims or directly attack their devices. Most of functions do not require Internet access.

The most important functions include:
- Create hotspot with captive portal (using Hostapd, Dnsmasq and Iptables).
- Automatically redirect to any unsafe applications using URL Scheme on portal pages.
- Exploitation of system vulnerability , like DoS attack to iOS/Mac devices using CVE-2018-4407.
- Exploitation of application vulnerability, like ES File Explorer Open Port Vulnerability.
- Forging popular social software and emails login web pages.
- Information collection form templates which imitate public Wi-Fi networks.
- Web-based imitation of Windows/Mac network manager in order to defraud password of other Wi-Fi. (Idea from wifiphisher project)

Attack Surface of IoT Network: Analyizing, Exploit, Discloser

As the IoT market grow larger, various Iot devices has been created. IoT devices made IoT network to communicate with each other more easily. Most of the other tranditional research focus on IoT devices.

However, one of the important point in IoT network environment is the communication between IoT devices. Thus, we choose a topic 'IoT network', not a single IoT device.

And because of the IoT boom, many hackers found the vulnerabilities of the IoT devices. In other words, recently the security level of IoT devices became much higher than before.

We purchased a dozens of IoT hub and devices which has a managed service, and began analysis and hacking them. We acquired almost every firmwares, using firmware provisioning, MITM, desoldering and others. Also we anlaysed the network packet and tried attacking, grasping and reassembling the form used in IoT network. In addition, we found the vulnerable code in U-Boot source code which is usually used in IoT devices, and proved that they can be the cause of side channel attack.

Finally we will show the 'Live Demo' which can got shell or manipulate functions, using some of vulnerabilities we found. Through this talk we will show hacking method with improved security. Conclusionally, we will let you know the importance of the 'IoT Network' security.

I'm sure that this will be one of the most interesting things in this conference.

ps) attachment file is only about IoT hub.

Mariko Fujimoto
Find the silver behind the gold

In newer version of Windows (Windows 2016 and 10), various security functions are implemented, so it seems to be difficult to attack.
But if attackers once got Domain Administrator privilege, they can create malicious Kerberos tickets called "Golden Ticket" and "Silver Ticket". By using these tickets, attackers can attack against all version of Windows and disguise themselves as arbitrary administrative accounts for a long period.
Golden Ticket is famous for one of the most threatening attacks, but actually Silver Ticket is more troublesome since no trace is left on the Domain Controller.

We will introduce a real-time detection method for attacks using Golden Ticket and Silver Ticket. We also introduce how to detect attacks using "Eternal Romance": an attack tool leveraging the Remote Code Execution vulnerability fixed in MS17-010. Since it is widely used to get administrator privileges, and the attack is quite easy even if the target is a newer version of Windows.

Our detection method can be available for Windows 2008 R2, 2012, 2016. Furthermore it can be implemented easily at low cost because it utilizes only Domain Controller’s Event Logs and minimum Kerberos packets.

Finally, ATT&CK, a knowledge base of adversary tactics and techniques, is getting common recently.
We also introduce the method to identify the possible tactics for each detected attack activity automatically.

Pukhraj Singh
Lessons from an Iranian Influence Operation: Disinformation & Cognitive Cyber Offence

This talk deconstructs the workings of a state-backed influence operation originating from Iran. It weaves the lessons learnt from it into the larger, emerging playbook of cyber-enabled information operations.

Between Aug 2018 and Jan 2019, Twitter and Facebook took down thousands of pages and accounts propagating "inauthentic news."

While rifling through this dataset, the speaker got a peek into the novel and perplexing trade-craft of the actors. From a Russian Business Network-like front in Pakistan to the very actuation of Ayatollah Khomeieni's idea of a 'soft war' in cyberspace -- many nuances skipped the attention of the research community.

Such hybridised templates which combine cyber and information operations open a new facet of warfare where brain becomes the most potent attack surface. By leveraging disciplines like data-driven psychometry and exploiting cognitive vulnerabilities like dissonance and tribalism, it is disrupting the existing notions of cyber offence.

The Western playbook of cyber operations as "deny, disrupt, and degrade" stands upended by this new template.

By incorporating latest research on information weaponisation curated by research groups like SOFWERX, The Credibility Coalition and Misinfosec, the speaker would showcase how we have merely started exploring the brain's attack surfaces. The talk also borrows from the speaker's upcoming book on gluing cyber operations with geo-strategy.

Cognitive vulnerabilities are shockingly predictable and replicable, so data-driven behaviour modelling becomes the future of information weaponisation. The entry barriers to such frameworks are marginally lower compared to contemporary cyber offence while the cost-benefits remain massive. It may encourage its increasing adoption by state and non-state actors.

We may need to write a new set of TTPs (Tools, Tactics & Procedures) from scratch. Information operations may soon fall under the umbrella of conventional cyber defence and threat intelligence – the defenders need to up their game.

Samuel Pua
The Art of Persistence: Lurking Behind the Browser

Enterprise environments have never been more closely monitored, forcing adversaries – real and simulated alike - to focus on novel approaches to evade detection. Blue team capabilities are ever- improving and increasingly focused on expunging adversaries from their networks before they realise their objective, moving attention up the kill-chain.

At MWR, we don’t just simulate adversary techniques, we complete missions, forcing us to adapt and research new techniques where necessary. This talk will explore one of the persistence mechanisms we have developed while breaking into enterprise networks in Singapore and Hong Kong.

Internet Explorer, ubiquitous with its presence in enterprise environments, poses interesting opportunities for adversaries in the form of reliable, quiet, and adaptive persistence mechanism. In this talk, you’ll learn how we use native Internet Explorer functionality within Browser Helper Object, to maintain access to an environment. To realise this, various inbuilt-protection mechanisms were studied and evaded, resulting in our development of new techniques to fully-weaponise this approach.

By the end of the talk, red teamers will learn to leverage the easily-available browser in the corporate environment as a persistence technique. Blue teams benefit too, as they are able to defend against it through understanding the technique’s process and artefacts left behind.

Samuel is a Security Consultant at MWR InfoSecurity, with a background in development. Samuel’s ability to understand and decompose technical hurdles, and then rapidly prototype initial implementations of solutions, has made him invaluable to the fast-paced of world of adversarial simulations.

Mayra Rosario
Internet of Things (IOT) in the Cybercriminal underground: Myth vs Reality

Whether it involves taking over a car’s steering controls or proving that children’s toys are spying on them, hackers love to share their latest IOT hacks. But the media has amplified these stories even more, creating dangerous myths around these technologies. While Mirai-based attacks have been successful, cybercriminals have yet to heavily monetize IOT vulnerabilities outside the business model of extortion and DDOS attacks.
This presentation shares insights about what IoT attacks will look like 2-3 years from now. Through research into online cybercriminal forums, we have determined what level of interest and possible criminal opportunities there may be for IoT-specific attacks. Our research covers current IoT trends in cybercriminal undergrounds forums for Arabic, Japanese, English, Russian, Portuguese, and Spanish languages. Each language forum will have 1 slide to discuss a summary of findings and 1 slide of sample advertisements. A case study of a successful IOT cybercriminal will also be discussed.
Find out which devices cybercriminals are most interested in hacking. Discover what they are thinking in terms of attacking existing IoT infrastructure. Our research has found hacking methods for routers, webcams and printers, but we have also seen tutorials on the inner workings of commercial gas pumps and PLCs (Programmable Logic Controllers) found in factories and other places with industrial machinery to manage these complex devices remotely.
Finally, before IoT attacks become the norm, we will explain the challenges LEA and forensic professionals should be aware of in order to better protect their organizations. Attendees will walk away with suggestions on how to secure their IoT environments. The bad news is that criminals are refining their business plans to include these online devices and, they are finding certain measure of success.

Pukhraj Singh
Emerging Threat Ontologies & Taxonomies: Deconstructing National ‘Cyber Shields’

Over the last decade, governments came to the stark realisation that the contemporary enterprise security architecture actually impedes situational awareness. The commercial product siloes thrive on vendor lock-in, eventually proving detrimental from a national security perspective.

We saw wily APTs crisscrossing enterprise boundaries as if they did not exist. We saw them compromising similar attack surfaces across organisations as governments remained collectively blind.

Mudge pointed out this anomaly way back in 2011, when he declared that we are divergent from the threat [1]. In 2015, he confirmed our suspicions by releasing a DoD study which says that average one-third of vulnerabilities in government systems is in the security software [2].

The enterprise security architecture inherits the human cognitive bias towards spatiality. We created artificial spatial constructs like perimeters, endpoints, DMZs and what not – belying the ‘emergent property’ of networks [3].

Gruqg went at lengths to explain that “the perimeter is not the boundary of your network, but the boundary of your telemetry. [4]” The millions of layers of abstractions are interconnected in ways that we cannot even fathom: what he calls the Shadow Internet [5].

Almost every defensive innovation in the last decade is trying to solve just one problem: security interoperability. The transition from AVs to EDR is fixing it at the instrumentation layer and from SIEMs to SOARs at the decision layer.

Yet, the proverbial defensive blind spots can only be bridged with shared taxonomies and ontologies. It is for this reason that we saw the emergence of machine-to-machine standards like YARA, OpenIoC, MISP, STIX-TAXII, OpenC2, ATT&CK, and CAR. And the standardisation process – much to the chagrin of vendors – is irreversible.

At the very top of CTI’s pyramid of pain lies the geopolitical ontology of the threat actor [6]. JA Guerro-Saade, too, recently hinted at Chronicle/Google’s efforts to derive similar capabilities [7].

This presentation would study the evolution and future of such shared ontologies. We would deconstruct it from the ambit of cross-organisational security response, by briefly understanding how the national ‘cyber shields’ of the US, the UK, Germany, France, Israel, Japan, and South Korea actually operate.

Avinash Naduvath
Think outside the box. A deep dive into containers and their security.

With the advent of all new technologies, there will always be malicious actors creating a new attack surface. According to Kromtech Docker has been consistently failing to be able to keep up with security. The talk will cover three major breaches and vulnerabilities in docker.

One is the crypto-jacking that happened on cloud container docker123321 which lead to almost 5 million pulls which means 5 million+ affected end users. The focus of this attack is not only the vulnerabilities of docker registries but also the importance of source verification.

The second is a more plain-in-sight attack and is based on a research article performed on the Play with Docker site. This allows a user to get access to the host from within the container. A PoC can be performed as well if time permits.

The final section will talk about the doomsday docker container vulnerability which triggered a patch in almost 2 days from docker. This will talk about how similar to the play with docker scenario where we modified kernel files , the runc binary can be modified and forced to run arbitrary code on the host. (CVE-2019-5736)

The student will take away some key concepts in docker security and using the existing use cases they will understand possible problems in docker and how we can solve them out with secure hardening principles.The talk will also cover some important hardening principles including but not limited to hardening of daemons, container privilege, network isolation, image trust etc which we will see exploited as part of the two use cases we will talk about.

ShengHao Ma
Duplicate Paths Attack: Get Elevated Privilege from Forged Identities

In the past years, the most impressive logical trick to bypass UAC (User Account Control) protection is "Elevated COM Object" method leaked from CIA. It abused the privilege of explorer with arbitrarily writing files, and caused *.dll side-loading. However, Microsoft strips off the privilege after Windows 10. It seems that DLL side-loading cannot be used to bypass UAC protection anymore. Is that true? No, there is another way!

In this session, we are going to talk about UAC design concepts and Windows implementation logic flaws. The UAC concepts are (1) Windows redistributes privileges in Windows Process, (2) Directory permission is the last Maginot Line against DLL side-loading. Besides, two logic flaws in Windows are also mentioned, i.e., (3) the path resolution asymmetry problem between handling symbolic link in Kernel layer and Win32 API design in User layer, and (4) the implementation problem inside Windows application loader verifing third-party modules only instead of all system modules.

Through the above flaws, we can use (3) to bypass the protection of directory permissions, and create a tricky attack vector in (4) to accomplish DLL side-loading on most present applications. This Duplicate Paths Attack allows us to make injection on Windows system service, and get UAC elevation.

At the end of this session, a PoC of automated analysis tool will be displayed. This tool can help red-team to can use Duplicate Paths Attack to scan all identities can be forged in Windows, neither destroying any service signature nor changing the program path. Then, hackers can arbitrarily forge their identities into any application, and even achieve universal injections in system services.

Alex Kolchanov
How to create a botnet of GSM-devices

GSM-devices become more popular. Users can setup them fast, use without landline internet and Wi-Fi, control them remotely. But now they are an interesting target for hackers. Usually, GSM-devices have a menu for calls (IVR menu with DTMF commands). This talk will cover the question of mass attacks on those devices. There are some main questions:

1) Which devices are in danger?
2) How hackers can attack them?
3) What about mass attacks and botnets?
4) What hacker can do after successful hack?
5) How you can protect yourself?

1) There are several popular types of GSM-devices:

* GSM-alarms
* Smart homes control systems
* Industrial GSM-control systems
* Access control systems and locks
* Some communication systems
* Smartwatches for kids

Exists different models for every type of devices. I will tell about several models, which are more secure, which are insecure.

2) I will make a short introduction in attacks on GSM-devices:

The main idea of attacks is easy: make a call to a device, bypass an authorization, perform actions.
Main questions of this chapter:
* When it is necessary to spoof Caller ID? When an attacker can make a call with a random number?
* How to bypass authorization? Security of Caller ID check.
* Brute-force attacks: typical rules for passwords (several popular GSM-alarms allow to use 4-digit password only). An attacker can silently find it less than 24 hours.

Those methods (spoofing Caller ID and brute-force) allows to hack most of GSM-alarms and some other GSM-devices fast.

3) The hacking of one device is easy. So, is it possible to perform a mass attack and create a botnet? This question will be covered in this chapter.

There are two main steps for mass attack:
* Find devices.
* Hack found devices.

I will tell, how attackers can find devices: from scanning all phone numbers to a more effective combination of OSINT methods, data leakages and small vulnerabilities at mobile operators systems.

For example, an attacker can scan all live mobile numbers in Russia (my country) and spend less than 10 000 USD.

After successful scanning attacker can hack most devices with methods from the previous chapter.

I will show estimated time for attacks, estimated costs and an estimated amount of victims. Those results show, that it is faster and less expensive than it can be expected. So, this problem of security of GSM-devices should be considered.

Also, I will show a more fast method of mass hacking of GSM-devices. It based on data leakages of contact lists from people. The main idea is to check data leakages (for example, applications like GetContact) and try to find contacts with titles, related with devices (like "home", "door", "car", "village", "alarm", "pump"). This method allows to find devices fast, but the results are not so full.

4) After a successful mass hack, an attacker will control thousands of GSM-devices. I will tell in this chapter, what he can do.

There are some different effective and dangerous methods of exploitation:
* Firstly, an attacker can control thousands GSM-alarms. He can do anything: switch on and switch off an alarm, listen to rooms, switch on ad switch off connected devices. This can be used to collect confidential data (such as conversations in an apartment or office). Also, an attacker can use it for effective burglary (he can listen to rooms to find a moment, when everybody leaves home, disable the alarm and do anything). Also, he can sell this information to other burglars.
* He can hack some smart home system and perform all available actions.
* An attacker can attack some industrial GSM-controllers, It allows to destroy business process in some cases or can cause an emergency.
* An attacker can use it to scare people. What about an alert of alarm every night?
* Some devices are locks. An attacker can remotely open or close doors.
* An attacker can use a botnet of GSM-devices to perform DDOS attacks with SMS or calls.
* Finally, some devices allow to perform USSD or SMS commands. An attacker can use it to gain access to an account at mobile operator site, steal money.

5) In the last chapter, I will tell, how you can protect yourself or your company when you use GSM-systems. Also, I will tell, what you should consider, if you want to create your own device.

Short brief: those attacks methods allows to gain full access to thousands GSM-devices, use it to get private data, hack user's accounts, use as botnet, and perform dangerous actions in a real world.

Aden Chung
You are not hiding from me .NET!


For years, we at Countercept have seen adversaries across the threat pyramid make use of PowerShell tool-kits for lateral movement, data exfiltration and persistence over different environments. As defenders, we have done a pretty good job – PowerShell is a fading threat in time. Mimikatz execution through PowerShell? AMSI and PowerShell logging can handle that relatively well.

However, adversaries being adversaries don’t just give up. They have migrated tool-kits to areas where visibility is still limited – such as .NET. Favoured by adversaries due to its wide range of functionalities, ease of development, and default presence on modern Windows platforms, we have seen a significant increase in exploitation toolkits leveraging .NET to perform usual activities - but in an area where they are relatively hidden.

First, we’ll take a look at these tools - what they do, and how they work. Techniques such as DCOM object abuse run-time code compilation and in-memory assembly loading (performed by the DotNetToJscript project) would be examine in detail. These techniques are used by exploitation tool-kits such as GhostPack, SharpShooter, and SilentTrinity, and thus are very relevant to defenders. We’ll then focus on detection. We’ll examine the indicators such toolkits and techniques leave behind, and how we can detect them utilising various sources of telemetry, collected via open-source tooling, such as process logging, DLLs imports and ETW tracing of JIT compilation or Interop events.

At the end of the day, attendees will walk away with an understanding of the inner workings of various .NET techniques as well as how they can be used to compromise a windows machine stealthily. Additionally, attendees will learn how a defender can leverage on open source tooling to detect and hunt for .NET attacks.

Speaker’s Bio
Aden performs hand to hand detection and response combat, with real world adversaries as part of his life as a Threat Hunter at Countercept. Armed with a rainbow colored keyboard, ensuring no activity is left undetected is Aden’s focus, regardless of toolkit, geographical origin, or sophistication.

Alex Kolchanov
OSINT against IoT: how hackers can find thousands of hidden IoT devices

In the modern world exist different types of IoT devices. Some are used in local networks, some are available on the public Internet, but there is a special type of devices - GSM devices. I will mostly tell about GSM-only devices, which are not available via the Internet (eg GSM-alarms, smart home GSM-controllers, industrial GSM-controllers, access control systems, smartwatches for kids, etc).

In this talk I will cover different questions:

1) Which GSM-devices exist now? How many devices exist? Which type of devices we can expect in the future?

2) How OSINT techniques can help for hackers (and for researchers too) fo find thousands of hidden devices?

3) What hackers can do after finding devices? And how and why it can become a nightmare?

GSM methods of communications (I mean SMS-commands, calls and mobile internet) allows to connect, send commands and get information from different devices, which are not connected to the landline internet. For example, anybody can buy GMS-alarm system, install it in his home in the village (or in a car) and get SMS or calls about an emergency.

There are a lot of different types of GSM-devices:

* GSM-alarm systems
* Smart homes GSM-controllers
* Industrial GSM-controllers
* Access control GSM-systems
* Locks (some electronic locks can be controlled with SMS or calls)
* Some communication systems
* Smartwatches for kids (yes, it is GSM-device too, because it is a small device, which can be controlled with SMS or calls)

Hackers or other criminals are interested in attacks on these devices (there are different reasons, I will show them below). There are two main steps of a successful attack:

1) Find the target device (and some additional information about the owner)
2) Hack it and use for something

Now the second step is easy (because most GSM-devices are insecure and can be easily hacked), but the first step is hard:

* Devices use GSM for communication, so an attacker should know the phone number of the device to do something.
* Exist billions of phone numbers (mostly they are not related with GSM-devices), I think, that not more the 1% of phone numbers are used for GSM-devices.
* It is hard to "scan" all phone numbers for some reasons: it is slow, it is expensive, it is not effective.

During this talk I will share some ideas, how hackers can use OSINT techniques to find GSM-devices:

* How to create a big set of numbers for research.

* Some mobile operators allow to select "pretty" mobile number at the site (for example, a user can select new number with a favorite combination of digits). It allows to select numbers which will be bought and track it.

* Sometimes it is possible to check at mobile operator site if this number used now, if it is business or individuals number (it based on authorization problems).

* How to use search engines, different catalogs of companies, social networks to find numbers, that are in use of companies or individual persons. That numbers will not be used in GSM-devices.

* Searching at sites with a rating of phone numbers: spam numbers, numbers for companies will not be used in GSM-devices.

* Searching in applications like TrueCaller, GetContact to find numbers of individuals or companies and remove this numbers from the set.

* Special trick: searching name and number of a contact in leaked contact lists. If the name is "Alarm", "Home", "Car", "Controller" etc, it can be GSM-device. This method allows you to find some devices very fast. Also, applications like GetContact can be used too.

* Different methods of searching in social networks or messengers. If exist some accounts with this number, it can means, that this is an active personal number, not a number of the GSM-device. You can delete it from the set.

Set with phone numbers becomes very short after all previous steps. Now it contains "unknown" phone numbers (numbers which are not related with any publicly available information from the internet or from any data leakage). Now hacker can check every number and try to understand, does this phone number used in GSM-device? Or is the owner of this number an uncommunicative person?

There are two main methods:

* Call to this number. If you will get an answer with a human voice, it is not a GSM-device. If the subscriber is not available, it is not a GSM-device.

* Make a spoofed call to the support with this phone number in Caller ID and try to get information. I will tell about some methods.

Then it is necessary to create a list of patterns (based on reaction to call) of different GSM devices. It allows to select a type of device, model. Then criminals can hack devices, I will tell some information about it.

How criminals can hack devices: in this short chapter, I will tell about effective attacks on GSM-devices (mostly, they based on attacks with calls with spoofed Caller ID).

What criminals can do after successful finding devices:

* Hacking devices to use in "botnet": SMS and DDOS-attacks with calls, making calls to paid numbers, sending SMS.

* Collecting information (eg listen to rooms, get the location of kids, get other types of information)

* Target attacks: eg find GSM-alarm, switch off it, steal something. Or just make a call and open a lock.

* Attacks on industrial systems: it can destroy everything.

* Hack smart homes.

* Massive attacks: perform random actions to make panic.

* Disable control of the device for an owner, it can be terrible, if the device is far from the user.

In final I will tell, what users (individual users or companies) can do to prevent these attacks.

Short results:

Combination of OSINT and simple attacks allows for criminals to find thousands of hidden GSM-devices. Then they can easily hack them. This allows to bypass the main problem of attacks on GSM-devices: it is hard to find phone numbers of a device.

Gyver Ferrand
Hacking pre-OBD car for fun and horsepower

This talk is about car passionate tuning their jewel over years since adoption of electronic in cars. It will present some car tuner popular tools and methodology to get more
horsepower only with ECU reprogramation. This subject will briefly present OBD programmation hardware and software tools using standard CAN/Kline buses.

The choosen car is an Honda civic from 1987, a year where OBD port was not widly used. Goal is to bring this toy, which has not OBD or programmation port, into modern world.
As we want more horsepower, the car will be tuned to run E85(ethanol) which provide more higher octane rating.

The ECU used on this car is one of the first to provide electronic injection coming from honda F1 development team and still used today in cars and bikes : the PGM-FI.
But in this car version, it is Read-Only and not programmable, no luck to run E85 with this guy.

The solution is to Swap ECU, using a programmable version. We will present here, ECU chipping, engine mapping, and basic ethanol engine theory to wrap things together.

Talk walkthrough :

- Introduction to car tuning.
- Presentation of ECUTek, Open Flash Tablet, OBD port, race-datalogging
- Presentation of softwares (ROMRaider, ECUtek, CANclip, ...)
- Getting power E85

Getting into Honda World :

- Presentation of PGM-FI
- ECU chipping (Raw ROM hex-editing and ROM editors)
- ECU swap (soldering/desoldering the right one and add logging if applicable)
- Running E85 !

More modern world :

- ECUtek closed world
- Introduction to Roborace and Tesla
- More power with OTA update !

Joey Chen
A Closer Look at Attack Chain and How They Infect to Organizations

The majority of threat actors build their custom malware to keep themselves under the radar for a considerable period of time, allowing them to operate unrestricted in the victim's environment. To achieve stealthy communication, multiple stage attack will also be developed and included. The tactics, techniques and procedures (TTPs) which they used became more and more complicate.

In this session we are going to discuss what attackers will do before setup final backdoor in victim’s host, along with various case studies and incidents we have investigated. As an example, we will analyze the details of anti-research and anti-security products techniques such as anti-reversing, anti-sandbox, white-listing for target IPs on C2 server, steganography techniques, encrypted C2 configuration. Moreover, we will talk about recent attack trends. For instance, process hollowing and application whitelist bypasses, shellcode, encrypted payloads, macro use of PowerShell, macro use of VB script, in memory execution.

Following this, we will break apart each TTPs and category them with their purpose. We will explain some of the purpose found in their attack scenario, and why attacker tries to compose them. On the other hand, this talk will more focus on reconnaissance behavior instead of what attacker’s backdoor can achieve. In addition, demonstration of several attacker groups’ (ex: BLACKGEAR, REDBALDNIGHT(TICK), TROPIC TROOPER(KEYBOY), DARKHOTEL, etc.) new tools, builders and controllers that are not yet public.

We will share our experience of the cutting-edge target attack, and improve the skills and tools that the threat actors adopt. In the end, attendees will leave with a suitable defense strategy.

The following topics will be covered:
 Overview of recently well-known threat attack how they deploy backdoor
 Anatomy of each attack chain and separate into different stages
 Analysis different download mechanism and how they bypass network AV product
 Macro use of windows command, PowerShell and VB script
 Load other encrypted file/data which store malicious content
 Creative ways of anti-research and anti-security products
 Demonstrate the attack to the audience by video
 Present some defense proposals

Weiguang Li
WARNING: Magnitude 10 Earthquake Is Coming in One Minute

Public warning system (PWS) based on mobile communication system is used to alert the public to emergency events such as earthquakes, tsunamis, hurricanes, etc. We carefully study the PWS in LTE network and uncover the vulnerability of PWS in LTE air interface, i.e., the warning messages of the PWS are not encrypted or signed when they are transmitted over the air. Thus, it is possible that malicious PWS warning messages can be transmitted.

We simply use a low cost soft define radio (SDR) device and modify not much code of the LTE open source project srsLTE in order to forge the warning messages. Both Apple and Android test mobile phones are affected by our forged warning messages.

Fake PWS warning messages will cause serious panics among the population, they also could be used to send advertising or spam messages. The public warning system may become paralyzed and useless under the threat of the abuse of fake warning messages.

The full demo video can be viewed from

Alex Kolchanov
Timing attacks as fingerprinting and weapon against privacy and effective clusterization method

Timing attacks are a known technique of gaining access to the part of private information. The main idea is easy: an attacker creates a page with a script, that should measure the time for downloading 2 (or more) pages. Usually, the first page is a control page (usually with predicted content), second - is a target. Then hacker can compare downloading time: if the downloading time for target page is more then time for control page (usually used multiple measures), there are some content at target page, that is available for a user.

For example, if the attacker knows, that company uses an internal system for documents, he can try to find the structure of the system without direct access. He should create a page with special code, then he can check, that https://company.internal/VerySecretFile.doc exist and https://company.internal/test.pdf does not exist. An attacker will not able to gain access to file, but he can check, if they exist or not (sometimes it can be useful).

Also, you can find some good examples of timing attack here:

Exist some other types of timing attacks, they will be considered too.

At this talk, I offer to discuss using timing attacks as a fingerprinting method, effective clusterization method and veapon against security. Users and developers should consider this because hackers and other criminals can use it.

Main points for presentations and why it is important:

* An attacker can easily detect good victims for other attacks. For example, user, who visits Gmail, bank services, internal company services, and social networks, is a more interesting victim, than a person, who just reads news sites.

* An criminal can use different methods to find an identity of an actual person. I will tell about different methods:
* * Intersection sets: an attacker can select some users, use different sets (does this user use the special site or no), intersect all set and find one person, who is in all sets.
* * Files in direct messages: an attacker can send different files (eg images) to thousands of users (it looks like it is necessary to use different accounts for is), then he can explicitly find an actual user by checking all URL of files. It can be used to find an account in the social network of the visitor of the website, also it allows to combine profile from the social network and other visited sites.
* * Social actions, like "share" or "like". An attacker can motivate a victim to like a post in a social network (for example, to get discount), it allows to find an identity and to combine with other data.
* * Some others methods

* An attacker can find other contacts and interests of the employee. For example, criminal can find internal services of the company, then he can find popular sites, the employee visits that. Then he can use it for a more effective attack.

* An attacker can use those methods to find peoples from hidden and unprotected communities. For example, if an attacker can find somebody from religion community or LGBT community in special countries (the methods, that can be used to find an identity of this person will be discussed below), he can use it make threats and blackmail.

* In some cases, an attacker can check, if this user with the account at site 1 have the account at site 2. It allows for criminals to break the privacy of users. I will offer some practical examples.

* In some cases an attacker can find the account in a social network for every visitor of the site. It can be used for dark marketing, crimes, and blackmail

I will discuss threats, ideas for protection and basic methods of self-protection.

Bypass cloud host security detection - how to safely reverse shell

Bypass cloud host security detection - how to safely reverse shell
1. Introduction&History
Current cloud host security product research and classification
More and more users or businesses will place their servers in the cloud service provider's host. Common cloud service providers include Google, AWS, Vultr, Digital Ocean, and Alibaba Cloud, which all provide security products that can be used for assets, vulnerability management, and other security features.

2. How do cloud hosts implement security detection?
Cloud hosts usually have intrusion detection capabilities, so how do they implement them? I discovered that several products were mainly implemented in several ways.
A. bash syslog history
B. proc file system detection
C. bash open event
D. Netlink Socket notification
E. Kernel code modification, hook command execution function.
I will explain how these technologies are implemented one by one.

3. How to bypass the security detection?
I will show you how to perform security detection bypassing with the demo. Bypassing the process extends, binary execution, php infrastructure execution ways, etc.I will show you how to perform security detection bypassing with the demo.
A. Bypassing the process extends,
B. Binary execution,
C. php infrastructure execution ways, etc.
Typically, most host security detection software will detect the progress of a process or connection in a user control. At the same time, some detection software in the kernel space to modify some of the execution flow functions in the kernel, and then notify the user space to achieve the monitoring effect. Let me give you an example of how most of the current situations can be bypassed. It is to use a binary program to bypass, the binary program is connected to the remote hacker machine after uploading and executing, bash is inherited under the binary program, although it can be viewed through the connection, but according to the results of my test, There is no security software to report this alarm. Of course, I have written such a binary program that can be provided to my audience. Other bypass methods can be shared with everyone at the conference.

4. Conclusion
A. What methods should we use to bypass during the actual penetration test?
B. Recommended tool for pentest.
C. Suggestions for continuing research.

Stephan Huber
Old bugs in new Phones: The Worrisome State of VoIP Phone Security

"Ring ring, who is there? I am controlling your VoIP phone!" - Have you ever thought about the security of the phone on your desk, or how hard it would be for an attacker to hijack it? Spoiler: It's trivial. A quick internet scan reveald hundreds of vulnerable devices which can easily be compromised and might as well be vulnerable forever due to user unawareness and bad update mechanisms. Desktop phones are a very promising target for attackers. Besides being able to eavesdrop on all of your phone calls, malicious actors can also use the phones as stepping stones into your home or enterprise network.

In this talk, we will present our results of pentesting dozens of VoIP phones from 21 different manufacturers.
Our analysis focuses on the configuration and management interfaces of those devices, which are usually implemented as web applications running on the phones. The vulnerabilities we discovered can be separated into two categories: firstly, vulnerabilities in the web applications itself, and secondly, vulnerabilities in the web server hosting the web applications.
We found a lot of classical web based vulnerabilities like XSS, CRSF and also session hijacking. Further, missing input sanitization issues that allowed us to compromise half of the devices. As we show, without proper input validation, attackers can inject and execute system commands. They can finally gain a root shell, giving the attacker full control over the device. She can eavesdrop on the whole communication (SIP, RDP) even if it is encrypted. Further, she can use the compromised phone as a pivot point for further attacks into the enterprise network.

With an extracted firmware, device emulation, live debugging and fuzzing, we discovered that some web server implementations are vulnerable to memory corruptions which can be abused for Denial of Service attacks and remote code execution in order to establish a root shell as well.
We will share our strategies of how to find these kind of vulnerabilities and present methods for avoiding been vulnerable in the first place.

Jie Zeng
The last feast: Attacking Adobe Flash Player

As everyone knows Adobe will stop updating and distributing the Flash Player at the end of 2020.But in recent years, more hacker attack(APT) for Adobe Flash Player have taken in the wild.This may be the last feast of hackers about Adobe Flash Player.

In the past few years, Adobe Flash manufacturers have higher security requirements,Various of mitigation were added. But as long as there are suitable vulnerabilities, hackers can still bypass these mitigations.So proper vulnerabilities and bypassing techniques are important.

In this talk I will carefully explain a few of the representative vulnerabilities that I have discovered first.And analyzes the root cause of this vulnerabilities, and how the patches are patched.

And then I will talk about the major mitigations that Flash have added in recent years, including memory protect, isolators of heaps, CFG and more.
So in order to bypass these mitigation the exploitation becomes more and more complicated, And I will share a method of memory layout that is still feasible to bypass the isolators of heaps.Because this will be a crucial step in the entire exploitation chain.

Eldar Marcussen
Terminal vertex

While auditing a system administration tool, I spotted what appeared to be a clear vulnerability when skimming some code. What I believed was a command injection flaw failed to execute when tested against a lab system, but it did exhibit behaviour that was somewhat consistent with injection flaws.

This talk describes the pursuit of this bug, from initial discovery, incorrect analysis and how chasing this deeper lead to a number of generic attacks against the common graphing tool (RRDTool), which is in wide use. I then used these attacks to achieve remote code execution where the command injection had failed. The next step was naturally to leverage these attacks against other solutions and collect a number of CVEs.

- Introduction
- Background
- "The flaw"
* Source code
* Misdiagnosis
* Testing
* Root cause analysis
* Re-diagnosis
- Searching for a new vector
- RRDTool introductions
- RRDTool operations
- Generic RRDTool attacks
* DoS
* Information disclosure
* File read
* File write1
* File write2
- Validating attacks
- Bringing it all together
* Chaining with other bugs
* RCE demo
- Further work
* Patch assessment
* Adoption for post patch exploitation
- Future work
- Conclusion
- Q&A

Wei Ting Huang
Hacker’s New Bank : EOS

Please check the materials,updating

EOS is a blockchain network and platform for decentralized applications built on Ethereum. It performs many of the same functions, but with much greater capacity — up to millions of transactions per second. EOS stands for Ethereum Operating System – unofficially. The EOS cryptocurrency token sale raised $4 billion over a year-long ICO.
Ethereum was the first blockchain to support development of decentralized applications. It sounds great in theory, but it was plagued by scalability issues once released into the wild. EOSIO is colloquially known as the “Ethereum Operating System,” because it adds a layer on top of Ethereum to make this dream of a dApp community a reality.
From 2018 to 2019 , Several Attacks cause EOS loss 900K EOS token. Hackers aimed Smart contract and EOS vulnerabilities,become rich men in Blockchain world.

- Fake EOS Attack
- Ramble Table Attack
- CVE-2018–20163 inlineReflex loophole
- Predictable Random number
- CVE-2019-6199 Transaction Congestion Attack

Please check the materials

Paper Selected

You have reached the end of the page.   Back to top