Cybersecurity information flow

A clean information feed tool, focused on the bits and pieces of the security community, surfacing quality content for security researchers every day.


Recent updates
Time    Node
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Network Security', 'Enterprise Security']  No attachments
We have all heard this story before: a critical vulnerability is discovered in a VPN server. It is exploited in the wild. Administrators rush to patch. Panic spreads across Twitter.

Attackers have long sought to exploit VPN servers: they are reachable from the internet, expose a rich attack surface, and often lack security hardening and monitoring. Historically, VPNs were abused primarily to achieve a single objective: gaining entry into the victim's internal network. While that is evidently very valuable, control over a VPN server should not be seen solely as a gateway into the network; it can be abused in various other ways.

In this talk, we will explore VPN post-exploitation, a new approach consisting of different techniques attackers can employ on the compromised VPN server to further progress their intrusion. To demonstrate this concept, we will inspect two of the most common VPN s
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 30-Minute
Tags: ['Reverse Engineering']  No attachments
Python has become a popular choice for creating malware due to its ease of development, wide user base, pre-built modules, and multi-platform compatibility. Python's popularity has created demand for Python decompilers, but community efforts to maintain automatic Python decompilation tools have been hindered by Python's unstable bytecode specification. Every year, language features are added, code generation undergoes significant changes, and opcodes are added, deleted, and modified.

Our research aims to integrate Natural Language Processing (NLP) techniques with classical Programming Language (PL) theory to create a Python decompiler that adapts to new language features and changes to the bytecode specification with minimal human maintenance effort. PyLingual uses data-driven NLP components to automatically absorb superficial bytecode and compiler changes, while leveraging engineered programmatic components for ab
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 30-Minute
Tags: ['Network Security', 'Application Security: Offense']  No attachments
The Internet routing protocol BGP is vulnerable to routing attacks such as prefix hijacks. This weakness enables a range of attacks, from stealing TLS certificates to cryptocurrency theft and DoS. RPKI prevents BGP hijacks through cryptographic attestations, which routers can use to detect whether a given BGP origin claim is authorized. Over half of all Internet resources are already protected with RPKI. This protection rests on a software component, the Relying Party (RP) client, that networks install to interact with the RPKI. RPs download information from RPKI servers, validate the objects cryptographically, and provide routers with compiled RPKI information that the routers use to protect against hijacks.

This talk shows that RPs can be a prime target for hackers attacking supposedly protected systems. We present new critical vulnerabilities in RP clients, allowing a small-scale attacker to dis
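The RP-to-router hand-off described above ends in Route Origin Validation on the router: every VRP (prefix, maxLength, origin ASN) that the RP compiled from validated ROAs is compared against a BGP announcement. The following Python is an added example, not code from the talk or from any RP implementation. It implements the RFC 6811 decision (valid, invalid, not-found) over a constructed VRP set that uses documentation prefixes and private ASNs, and it also shows what happens when an RP delivers nothing at all: every announcement, hijacks included, degrades to not-found.

```python
from __future__ import annotations

from ipaddress import ip_network
from typing import Iterable, NamedTuple


class VRP(NamedTuple):
    """Validated ROA Payload, the (prefix, maxLength, ASN) triple an RP hands to routers."""
    prefix: str
    max_length: int
    asn: int


# Constructed sample VRP set: RFC 5737/3849 documentation prefixes, RFC 6996 private ASNs.
SAMPLE_VRPS = [
    VRP("192.0.2.0/24", 24, 64496),
    VRP("198.51.100.0/24", 26, 64497),
    VRP("2001:db8::/32", 48, 64496),
]


def route_origin_validate(prefix: str, origin_asn: int, vrps: Iterable[VRP]) -> str:
    """RFC 6811 Route Origin Validation for one BGP announcement.

    not-found: no VRP covers the announced prefix (RPKI says nothing about it)
    valid:     a covering VRP matches the origin ASN and the announced length <= maxLength
    invalid:   covering VRPs exist but none matches (wrong origin or prefix too specific)
    """
    announced = ip_network(prefix, strict=False)
    covered = False
    for vrp in vrps:
        roa_net = ip_network(vrp.prefix, strict=False)
        if roa_net.version != announced.version:
            continue
        # A VRP "covers" the announcement when its prefix contains the announced prefix.
        if not announced.subnet_of(roa_net):
            continue
        covered = True
        if vrp.asn == origin_asn and announced.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def classify_table(announcements: Iterable[tuple[str, int]], vrps: Iterable[VRP]) -> dict[str, str]:
    """Run ROV over a batch of (prefix, origin ASN) announcements; VRPs are materialized once."""
    vrp_list = list(vrps)
    return {f"{p} AS{asn}": route_origin_validate(p, asn, vrp_list) for p, asn in announcements}


if __name__ == "__main__":
    demo = [("192.0.2.0/24", 64496), ("198.51.100.0/24", 64500), ("203.0.113.0/24", 64496)]
    for route, state in classify_table(demo, SAMPLE_VRPS).items():
        print(route, "->", state)
    # With the RP down (empty VRP set) the hijack of 198.51.100.0/24 is no longer flagged.
    print("RP offline:", classify_table(demo, []))
```

Routers are normally configured to accept not-found routes, so an RP that crashes or serves an empty VRP set does not cause an outage; it silently removes the hijack protection, which is why the abstract treats RP clients as a target rather than merely a dependency.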
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Mobile', 'Exploit Development & Vulnerability Discovery']  No attachments
GPU security is a vital area of mobile security, highlighted both by public security research and by in-the-wild attacks. Because of the high complexity of GPU software and firmware, together with a widely available attack surface, GPU issues provide strong exploitation primitives for local privilege escalation from code running in an unprivileged context.

In this talk, we will focus our research on the Qualcomm Adreno GPU, a very popular GPU implementation in mobile devices. We will do a deep dive into the Adreno GPU kernel module implementation, focusing on the most recent GPU versions, reveal its complex and new attack surfaces, and discuss vulnerabilities we discovered in this component.

In total we identified 9+ exploitable vulnerabilities in the Adreno GPU driver leading to kernel code execution and affecting Qualcomm-based devices using the latest GPU models.
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Cryptography', 'Application Security: Offense']  No attachments
The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer, within organizational networks and to over 15 million servers on the open internet. SSH uses an authenticated key exchange to establish a secure channel between a client and a server, which protects the confidentiality and integrity of messages sent in either direction. The secure channel prevents message manipulation, replay, insertion, deletion, and reordering. At the network level, SSH uses the Binary Packet Protocol over TCP.

We show that as new encryption algorithms and mitigations were added to SSH, the SSH Binary Packet Protocol is no longer a secure channel: SSH channel integrity is broken for three widely used encryption modes. This allows prefix truncation attacks where encrypted packets at the beginning of the SSH channel can be deleted without the client or server no
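The mechanism behind the prefix truncation described above (the attack published as Terrapin) is that the SSH sequence number is implicit: each side counts packets locally, the count is covered by the integrity tag, and it is never sent on the wire. The following Python model is an added example, not the speakers' code. It simulates the server-to-client direction with a generic MAC over (sequence number, payload), which captures the principle rather than the exact ChaCha20-Poly1305 or CBC-EtM behaviour: a man-in-the-middle injects an unauthenticated SSH_MSG_IGNORE before NEWKEYS, so the client's counter runs one ahead of the server's, then drops the first encrypted packet (EXT_INFO here); the next packet's tag still verifies and the deletion passes unnoticed. The `strict` flag models the "strict kex" countermeasure (reject unexpected handshake messages, reset counters at NEWKEYS). Message numbers are the standard SSH ones; the key, the payload bodies and the reduced handshake are constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed demo key; a real session derives its MAC/AEAD keys from the KEX shared secret.
DEMO_KEY = b"constructed-demo-key"

MSG_IGNORE, MSG_SERVICE_ACCEPT, MSG_EXT_INFO, MSG_KEXINIT, MSG_NEWKEYS = 2, 6, 7, 20, 21
# Simplified: what a strict-kex peer accepts before NEWKEYS (real list also has KEX messages).
HANDSHAKE_MSGS = {MSG_KEXINIT, MSG_NEWKEYS}


def mac(seq: int, payload: bytes) -> bytes:
    """Integrity tag over the implicit sequence number plus the packet payload."""
    return hmac.new(DEMO_KEY, seq.to_bytes(4, "big") + payload, hashlib.sha256).digest()


@dataclass
class Sender:
    strict: bool = False
    seq: int = 0
    secured: bool = False  # True once NEWKEYS has been sent

    def send(self, msg_type: int, body: bytes = b"") -> tuple[bytes, bytes]:
        payload = bytes([msg_type]) + body
        tag = mac(self.seq, payload) if self.secured else b""  # pre-NEWKEYS packets carry no tag
        self.seq += 1
        if msg_type == MSG_NEWKEYS:
            self.secured = True
            if self.strict:
                self.seq = 0  # strict kex: counters restart after NEWKEYS
        return payload, tag


@dataclass
class Receiver:
    strict: bool = False
    seq: int = 0
    secured: bool = False
    received: list = field(default_factory=list)

    def recv(self, pkt: tuple[bytes, bytes]) -> None:
        payload, tag = pkt
        msg_type = payload[0]
        if self.secured:
            # The tag binds the packet to the receiver's own idea of the sequence number.
            if not hmac.compare_digest(tag, mac(self.seq, payload)):
                raise ValueError(f"MAC failure at seq {self.seq}")
        elif self.strict and msg_type not in HANDSHAKE_MSGS:
            raise ValueError("strict kex: unexpected message during handshake")
        self.seq += 1
        if msg_type == MSG_NEWKEYS:
            self.secured = True
            if self.strict:
                self.seq = 0
        self.received.append(msg_type)


def run_handshake(inject_ignore: bool, drop_ext_info: bool, strict: bool = False) -> tuple[str, list]:
    """Server->client direction only. Returns (outcome, message types the client accepted)."""
    server, client = Sender(strict), Receiver(strict)
    try:
        client.recv(server.send(MSG_KEXINIT))
        if inject_ignore:
            # Pre-NEWKEYS traffic is unauthenticated: the MitM adds a packet the server never sent.
            # The client counts it, so its counter is now one ahead of the server's.
            client.recv((bytes([MSG_IGNORE]), b""))
        client.recv(server.send(MSG_NEWKEYS))
        ext_info = server.send(MSG_EXT_INFO, b"server-sig-algs=...")
        if not drop_ext_info:
            client.recv(ext_info)
        client.recv(server.send(MSG_SERVICE_ACCEPT))
    except ValueError as err:
        return str(err), client.received
    return "ok", client.received


if __name__ == "__main__":
    print("honest       :", run_handshake(False, False))
    print("drop only    :", run_handshake(False, True))   # detected: counters disagree
    print("inject+drop  :", run_handshake(True, True))    # EXT_INFO gone, nobody notices
    print("strict kex   :", run_handshake(True, True, strict=True))
```

Injection alone and deletion alone are both caught, because in each case the two counters disagree at the first tagged packet; it is the combination that realigns them. In the real attack the dropped packet is the server's EXT_INFO, which downgrades the extensions (for example user-authentication signature algorithms) the client believes were negotiated.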
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Platform Security', 'Hardware / Embedded']  No attachments
Modern TEEs depend on highly privileged firmware to securely implement complex features, coordinate between different hardware components, and provide a root of trust. Parts of AMD's SEV-SNP technology are implemented in firmware running on the Platform Security Processor.

This talk details two vulnerabilities in this firmware and presents novel techniques to exploit such vulnerabilities. The result is a complete loss of confidentiality, as an attacker can decrypt arbitrary guest memory on affected systems. In some cases, an attacker can arbitrarily change the contents of encrypted memory, leading to a complete loss of integrity of a running guest.
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Platform Security', 'Application Security: Offense']  No attachments
The security architecture of modern operating systems is complex. If attackers want to breach these security protections, they must audit the OS security policies across multiple dimensions. In July 2023, the speaker shifted their focus from Android and IoT vulnerabilities to macOS vulnerabilities. This shift was driven by an effort to apply the methodologies typical of an Android security researcher to macOS, which led to the discovery of multiple vulnerabilities.

In this presentation, the speaker will delve into the implementation and vulnerabilities of macOS's security mechanisms, including TCC, sandboxing, and app management systems. They will offer a detailed look at how these systems work and where their weaknesses lie, providing insights into the discovery and exploitation of vulnerabilities within these areas. By unveiling 16 vulnerabilities, some of which have not been 
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Exploit Development & Vulnerability Discovery', 'Reverse Engineering']  No attachments
VMware stands out as one of the most widely used hypervisors, making it a prime target for guest-to-host escape exploits. SVGA is VMware's virtual graphics device, which the guest uses to draw graphics on the display. Given its complexity, SVGA is fertile ground for discovering vulnerabilities that enable guest-to-host escape exploits.

This presentation offers a personal account of the speaker's journey in tackling the VMware hypervisor. Beginning with a modest background in hypervisors, the speaker recounts their initial foray into this complex target. He shares insights into his process of uncovering bugs, previously undisclosed and now patched, and details the journey towards identifying robust primitives essential for crafting guest-to-host escape exploits. Throughout the presentation, the audience will be treated
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Cryptography', 'Network Security']  No attachments
This presentation introduces novel attacks against the control protocols of commercial off-the-shelf wireless mesh networks (WMNs). WMNs extend the network coverage of a single gateway node by using extender nodes. The decentralized architecture of mesh networks lets each extender node independently authenticate wireless clients, so extender nodes need to synchronize access control policies (e.g., Wi-Fi passwords) from the gateway node. Interestingly, different vendors developed their own cryptographic protocols to synchronize these access policies.

Unfortunately, these heterogeneous cryptographic control protocols have become a novel attack surface. We identify 0-day vulnerabilities by analyzing the binaries that use the cryptographic protocols to carry out network access policy synchronization (NAPS). In-network attackers can exploit these vulnerabilities to wiretap fresh Wi-Fi passwords, evading
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Exploit Development & Vulnerability Discovery', 'Application Security: Offense']  No attachments
Instant messaging applications (such as iMessage and WhatsApp) are an important remote attack surface for smartphones, often used by spyware as the first step in APT attacks, and they have received great attention in the past. Carrier-based video calling, the native video calling feature of mobile phones, is also a major remote attack surface for smartphones.

We have discovered fatal 0-day vulnerabilities in the native carrier-based video calling of Samsung phones, which have been present for at least 7 years. As long as the target accepts our video call invitation, we can exploit these vulnerabilities to obtain remote code execution with system privileges on the target phone, a remote one-click RCE attack. In this session, we will introduce the fatal vulnerabilities we have discovered and the details of remote one-click exploitation. Finally, we will
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 30-Minute
Tags: ['Privacy', 'AI, ML, & Data Science']  No attachments
The deprecation of third-party cookies is reshaping the adtech landscape, with a proliferation of alternative solutions promising privacy-preserving audience targeting and measurement. However, our research reveals that many of these approaches introduce subtle yet significant privacy risks that may undermine compliance with regulations like GDPR and CCPA.

Through systematic analysis of leading post-cookie adtech solutions, we demonstrate novel techniques to unmask individual users and correlate their behavior across platforms, despite purported anonymization. We show how vulnerabilities in hashed email-based IDs, clean room data matching, and cohort algorithms can be exploited to re-identify users at scale and assemble invasive profiles.

We also explore the privacy pitfalls of server-side tracking, where first-party data collection exposes users to backdoor third-party sharing without transpare
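The point about hashed email-based IDs above is that hashing a low-entropy, guessable identifier does not anonymize it: anyone who can enumerate plausible addresses can recompute the hashes and match them. The following Python is an added example, not the researchers' code or any vendor's; the people, domains and ID lists are constructed. It enumerates candidate addresses for known individuals, builds a lookup table of their SHA-256 hashes, re-identifies matching IDs, shows why identical hashes act as a join key across platforms, and contrasts a per-party keyed hash that defeats both.

```python
from __future__ import annotations

import hashlib
import hmac
import itertools


def hash_email(email: str) -> str:
    """Unsalted, unkeyed hash of a normalized address: the common "hashed e-mail ID" construction."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def candidate_emails(first: str, last: str, domains: list[str]) -> list[str]:
    """Enumerate common local-part patterns for one person; the space is small enough to brute-force."""
    first, last = first.lower(), last.lower()
    local_parts = [f"{first}.{last}", f"{first}{last}", f"{first[0]}{last}",
                   f"{first}_{last}", f"{last}.{first}"]
    return [f"{lp}@{d}" for lp, d in itertools.product(local_parts, domains)]


def build_lookup(people: list[tuple[str, str]], domains: list[str]) -> dict[str, str]:
    """Precomputed hash -> address table for every candidate of every known person."""
    return {hash_email(e): e for first, last in people for e in candidate_emails(first, last, domains)}


def reidentify(hashed_ids: list[str], lookup: dict[str, str]) -> dict[str, str]:
    """Map the 'anonymous' IDs back to addresses wherever the table has a hit."""
    return {h: lookup[h] for h in hashed_ids if h in lookup}


def cross_platform_join(ids_a: list[str], ids_b: list[str]) -> set[str]:
    """Same address, same hash everywhere: unkeyed IDs are a ready-made join key between data sets."""
    return set(ids_a) & set(ids_b)


def keyed_id(email: str, party_secret: bytes) -> str:
    """Mitigation: HMAC under a per-party secret. The lookup table is useless without the key,
    and two parties holding different keys cannot join their ID spaces."""
    return hmac.new(party_secret, email.strip().lower().encode(), hashlib.sha256).hexdigest()


# Constructed sample data (documentation domains, made-up names).
PLATFORM_A_IDS = [hash_email("Alice.Smith@example.com"),
                  hash_email("bob_jones@example.org"),
                  hash_email("zz9@example.net")]
PLATFORM_B_IDS = [hash_email("alice.smith@example.com"),
                  hash_email("carol@example.org")]
KNOWN_PEOPLE = [("Alice", "Smith"), ("Bob", "Jones")]
DOMAINS = ["example.com", "example.org"]


if __name__ == "__main__":
    table = build_lookup(KNOWN_PEOPLE, DOMAINS)
    print("re-identified:", reidentify(PLATFORM_A_IDS, table))
    print("shared users :", cross_platform_join(PLATFORM_A_IDS, PLATFORM_B_IDS))
    print("keyed id     :", keyed_id("alice.smith@example.com", b"constructed-platform-a-key"))
```

Two of the three IDs fall immediately because the candidate list covered the right patterns; in practice the candidate list comes from breach corpora or marketing lists, which makes coverage much higher than five patterns per name. A keyed or salted ID only helps if the key is not shared with the parties the ID is meant to be opaque to.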
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 30-Minute
Tags: ['Privacy', 'Network Security']  No attachments
Abstract under embargo through May 20th.
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Exploit Development & Vulnerability Discovery', 'Application Security: Offense']  No attachments
It is becoming increasingly challenging to exploit the Chrome browser with V8 JavaScript engine vulnerabilities. This is mainly due to the V8 team's constant efforts to improve V8 security. In particular, there is a new in-process sandbox for V8, called the V8 Sandbox, designed to prevent memory corruption vulnerabilities in the V8 engine from turning into code execution even when exploitation primitives are available inside the V8 Sandbox. Recently, the V8 Sandbox beta version was officially released in Chrome M123, introducing significant improvements that fundamentally broke all publicly disclosed escape techniques and their potential variants, making V8 exploitation significantly more difficult.

This presentation discloses the full V8 exploit chain we used against Google Chrome and Microsoft Edge at Pwn2Own Vancouver 2024. This is the 
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Reverse Engineering', 'Application Security: Offense']  No attachments
The term pickle has become synonymous with insecurity in the modern Python community, and yet it remains one of the most prevalent serialization formats in the Python ecosystem. However, pickle, despite its wide use, has been talked to death.

In this talk, we will take a step back and look at the root problem: the use of bytecode-driven serialization formats. We'll dissect both pickle and RDS, R's serialization format, giving a never-before-seen deep dive into the R language's main serialization format.

During this process, we will show the audience the inherent insecurity of any deserialization that allows code to be run, even when it has security checks on it. Specifically, we will showcase this by revealing a critical code execution vulnerability in the RDS format which allows attackers to create large supply chain attacks or target any R user directly.

Finally, we
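The bytecode-driven deserialization problem the abstract refers to is easiest to see on the Python side. The following added example (not code from the talk) builds a pickle whose load calls a function chosen by whoever produced the bytes (a harmless `os.getcwd` stands in for a real payload), shows that the code-executing opcodes are visible to a static scan with `pickletools`, and shows the customary `find_class` allowlist check blocking that global while still loading an allowlisted type. The `Evil` class, the allowlist and the opcode set are constructed for the illustration.

```python
from __future__ import annotations

import io
import os
import pickle
import pickletools
from collections import OrderedDict


class Evil:
    """Constructed demo object: unpickling it calls os.getcwd() (a benign stand-in for a payload).
    The class itself is never written to the pickle; only the callable and its arguments are."""

    def __reduce__(self):
        return (os.getcwd, ())


def build_payload() -> bytes:
    return pickle.dumps(Evil(), protocol=4)


def unsafe_load(data: bytes):
    """Plain pickle.loads: the REDUCE opcode invokes whatever global the stream names."""
    return pickle.loads(data)


# Opcodes that import a global or call/construct/apply state; any code-executing pickle uses some of them.
EXECUTING_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "REDUCE", "NEWOBJ", "NEWOBJ_EX", "BUILD"}


def dangerous_opcodes(data: bytes) -> list[str]:
    """Static triage without loading: list the executing opcodes in stream order."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in EXECUTING_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Allowlist-based loader: only the listed (module, name) globals may be resolved."""
    ALLOWED = {("collections", "OrderedDict"), ("builtins", "set"), ("builtins", "frozenset")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_load(data: bytes) -> tuple[bool, object]:
    """Returns (True, object) on success or (False, reason) when a global was blocked."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as err:
        return False, str(err)


BENIGN_PAYLOAD = pickle.dumps(OrderedDict(a=1), protocol=4)  # needs the allowlisted global


if __name__ == "__main__":
    payload = build_payload()
    print("opcodes   :", dangerous_opcodes(payload))
    print("unsafe    :", unsafe_load(payload))       # os.getcwd() ran during load
    print("restricted:", restricted_load(payload))   # blocked
    print("benign    :", restricted_load(BENIGN_PAYLOAD))
```

The allowlist narrows the set of callables a stream may reach; it does not change the fact that loading is the execution of attacker-supplied operations, and every allowlisted callable (including constructors and `__setstate__` hooks of allowed classes) becomes part of the attack surface. That is the general point the abstract makes about bytecode-driven formats, pickle and RDS alike.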
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Privacy', 'Mobile']  No attachments
Location-based dating (LBD) apps enable users to meet new people nearby and online by browsing others' profiles, which often contain very personal and sensitive data. We systematically analyze 15 LBD apps for the prevalence of privacy risks that can result in abuse by adversarial users who want to stalk, harass, or harm others. Through a systematic manual analysis of these apps, we assess which personal and sensitive data is shared with other users, both as (intended) data exposure and as inadvertent yet powerful leaks in API traffic that is otherwise hidden from a user, violating their mental model of what they share on LBD apps.

As one finding of our research, 6 apps allow for pinpointing a victim's exact location, enabling physical threats to users' personal safety. All these data exposures and leaks, supported by easy account creation, enable targeted or large-scale, long-term, and stealthy profiling and tracking o
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Platform Security', 'Malware']  No attachments
Downgrade attacks force software to revert to an older, vulnerable version of itself. In 2023, the notorious BlackLotus UEFI bootkit emerged, downgrading the Windows boot manager to bypass Secure Boot. Microsoft addressed the threat, mitigating downgrade attacks on the boot manager to protect Secure Boot against downgrades. However, we wondered whether Secure Boot was the only critical component vulnerable to downgrade attacks.

Aiming to find an undetectable downgrade flow, we investigated the least suspicious entity for executing downgrade attacks, Windows Update, and identified its Achilles' heel, enabling us to take full control over it. This allowed us to create downgrading updates, bypassing all verification steps performed during updates, including integrity verification and Trusted Installer enforcement.

Armed with these capabilities, we managed to downgrade critical OS components, includin
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Exploit Development & Vulnerability Discovery', 'Application Security: Offense']  No attachments
OVPNX is our internal codename for 4 zero-day vulnerabilities discovered within the repositories of OpenVPN, the world's most popular VPN. These zero-days affect thousands of companies on major platforms including Windows, iOS, macOS, Android, and BSD. With millions of devices worldwide utilizing OpenVPN, our findings shed light on security risks on a global scale.

This session will explore the technical intricacies of our research, revealing how we uncovered these zero-days in OpenVPN. OpenVPN, being a complex multi-process system running across different privilege levels, including kernel components, relies heavily on OS APIs. We'll explain how this understanding helped us identify logical vulnerabilities. The actual exploits additionally demanded deep inspection at the bit and byte level and reverse engineering. Attendees can expect a comprehens
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Cryptography', 'Hardware / Embedded']  No attachments
We've been using HSMs as part of a custody solution used by banks to store cryptocurrency and other tokenized assets, often with billions of dollars' worth of value under custody. But merely relying on the security mechanisms of COTS HSMs, even FIPS 140-3 certified ones, isn't enough for this use case. In this talk, we'll first describe an HSM's feature set, internal architecture, security guarantees, and inherent limitations. Then we'll present tricks and techniques we developed to considerably improve the security of a crypto wallet, including attack surface reduction, secure configuration enforcement, request filtering, custom policies, as well as replay protection and state management with minimal statefulness.
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 30-Minute
Tags: ['Network Security', 'Exploit Development & Vulnerability Discovery']  No attachments
Abstract under embargo.
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 30-Minute
Tags: ['Reverse Engineering', 'Malware']  No attachments
In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our understanding of a threat actor's malicious intent. Minor idiosyncrasies and newfangled artifacts become minor annoyances, while radical shifts in programming paradigms equate to major analysis blockers. Given the brittle state of our tools and the already steep requisite expertise, you can't blame REs and malware analysts for shying away from disproportionately complex malware. However, this reluctance inadvertently creates blind spots readily exploited by adversaries.

The Go programming language serves as a prime example of this phenomenon. Its quirks (see: placing unterminated strings in an unparsed blob) and inherent complexities (function prototypes repeatedly broken by handling multiple return values on an ephemeral stack) bred collective reluctance until our hands were 
2024-05-03 07:33  blackhat
Published: 2024-05-02  Talk time: 0000-00-00 12:00am  Duration: 40-Minute
Tags: ['Mobile', 'Exploit Development & Vulnerability Discovery']  No attachments
During our past research analyzing the Android Data Encryption Scheme, we dove into the boot chain of low-end Samsung mobile devices, in particular the Galaxy A family, which is based on Mediatek system-on-chips. These devices are often overlooked by the security research community, which usually targets high-end ones (e.g., the S family for Samsung). Nonetheless, these devices are extremely popular and thus represent a big share of the phones in the wild.

On top of the Mediatek boot chain, Samsung added its own features, including the Knox Security Bit, support for their recovery tool Odin, a JPEG parser, and so on. In their latest system-on-chips, Mediatek has improved security and fixed an infamous BootROM vulnerability that used to impact most of their chips. Yet, even with the security improvements made by Mediatek and the apparent security brought by Samsung, we were able
2024-05-03 07:33  hackone
Vendor: Adobe (https://hackerone.com/adobe)  Bounty:  Severity: low
"Adobe Experience Manager 'Childlist selector' - cross-site scripting (XSS) on cbconnection.adobe.com"
2024-05-03 07:12  GitHub follow
Virtual-machine Translation Intermediate Language
2024-05-03 05:12  GitHub follow
Original proof of concept I submitted to brokers demonstrating the vulnerability in hopes of getting rid of it.
2024-05-03 04:32  GitHub follow
"Open-source LLM consumption guide": a quick-deployment tutorial for open-source large models on Linux, written for Chinese users
2024-05-03 04:32  GitHub follow
✅SRepair: Powerful LLM-based Program Repairer with $0.029/Fixed Bug
2024-05-03 02:52  GitHub follow
Python ElasticSearch ORM based on Pydantic
2024-05-03 02:52  GitHub follow
Represent, send, store and search multimodal data
2024-05-03 01:32  GitHub follow
[WIP] Next generation information browser