Current node: blackhat
Timeline
2022-09-30 03:31 blackhat
Published: 2022-09-28 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Mobile, Reverse Engineering | No attachment
Media parsing is known as one of the weakest components of every consumer system. It often operates on complex data structures in the most performant way possible, which is at odds with security requirements such as attack surface minimization, compartmentalization, and privilege separation.

Compared to other operating systems, video decoding on macOS/iOS is an interesting case for two different reasons. First, instead of running in user mode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild.

Our talk investigates the AppleAVD kernel extension in depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.
2022-09-29 09:30 blackhat
Published: 2022-09-28 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Malware, Cloud & Platform Security | No attachment
Wipers have become the go-to tool for nation-state cyber warfare in the decade since the Shamoon attack. Wipers have been used by Russia, Iran, North Korea, and other APTs to support offensive acts. One of the most famous recent attacks was launched during the Russian invasion of Ukraine.

We were curious whether we could build a next-gen wiper. It would run with the permissions of an unprivileged user yet have the ability to delete any file on the system, even making the Windows OS unbootable. It would do all this without implementing code that actually deletes files by itself, making it undetectable. The wiper would also make sure that the deleted files would be unrestorable.

Using the wisdom of martial arts, we understood the importance of using the power of our opponents against them in orde
2022-09-28 03:31 blackhat
Published: 2022-09-27 | Talk time: 0000-00-00 12:00am | Duration: 30-Minute
Tags: Lessons Learned, Data Forensics & Incident Response | No attachment
You've just found out that the smart lights in the cafeteria are connected to your corporate network and can be dimmed from anywhere in the world, that the sales team has been spinning up unmanaged AWS accounts to do customer demos, and that your organisation engaged full encryption to meet data protection and privacy laws without notifying you. You know you need to accelerate building and adjusting your detection and response capabilities, and you can't risk making mistakes while you identify your priorities.

Today's cybersecurity operations centers (SOCs) are under more pressure than ever to adjust defense and detection techniques on the fly to address adversaries hiding in the corners of your IT. To help you see clear priorities through your often unpredictable operational world, we've cultivated an actionable strategic roadmap for an organisation of any size to up its security ops game. This is 
2022-09-28 03:31 blackhat
Published: 2022-09-27 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Mobile, Exploit Development | No attachment
In the past few years, researchers have found hundreds of security vulnerabilities in the AOSP Bluetooth module, such as BlueBorne and BlueFrag. Almost all of these vulnerabilities are caused by the process not properly validating remote user-supplied data when parsing the Bluetooth request packet.

In this context, in order to improve the security of Bluetooth, Google has adopted a variety of hardening methods:
1. Validate the length of incoming Bluetooth packets.
2. Implement a new and more secure AVRCP profile.
3. Rewrite the Bluetooth stack, code-named "Gabeldorsche", in Rust.

However, through some new approaches (focusing on the lifecycle of Bluetooth packet data and specific weak points in the Bluetooth architectural logic), we still found a large number of security vulnerabilities hidden deep in the code.

In this presentation, we will first introduce the Bluetooth protocol architecture in AOSP
2022-09-28 03:31 blackhat
Published: 2022-09-27 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Cloud & Platform Security, Exploit Development | No attachment
Rowhammer is a severe security problem in DRAM, allowing an unprivileged adversary to gain kernel privileges by inducing electrical disturbance errors. Today, mitigations against Rowhammer, most notably Targeted Row Refresh (TRR), are widely adopted and even part of recent DRAM standards.

In this talk, we first show that TRR is insufficient by design and counterintuitively assists an attacker in the context of our new Rowhammer type: Half-Double. Unlike all previous Rowhammer attacks, Half-Double hammers from a distance of two. Here, the mitigative refreshes performed by TRR amplify the hammering, breaking the spatial assumptions of state-of-the-art mitigations. We demonstrate the impact of Half-Double in an end-to-end exploit that allows an unprivileged adversary to escalate to root privileges on an off-the-shelf Chrome OS device protected by TRR and ECC. We detail the different phases 
2022-09-28 03:31 blackhat
Published: 2022-09-27 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Cyber-Physical Systems, Network Security | No attachment
CNC machines are widely used in production plants and constitute a critical asset for organizations globally. The strong push dictated by the Industry 4.0 paradigm led to the introduction of technologies for the wide connectivity of industrial equipment, including CNCs. As a result, modern CNCs resemble fully-fledged computing systems more than mechanical machines, offering numerous networking services for smart connectivity. Given this shift into a more complex and software-dependent ecosystem, these machines are left more easily exposed to potential threats.

Our work explored the risks associated with the strong technological development observed in the domain of numerical controls. We conducted an empirical evaluation of four representative controller manufacturers by analyzing the technologies introduced to satisfy the needs of the Industry 4.0 paradigm and conducting a series of practic
2022-09-23 03:31 blackhat
Published: 2022-09-22 | Talk time: 0000-00-00 12:00am | Duration: 30-Minute
Tags: Cyber-Physical Systems, Hardware / Embedded | No attachment
Siemens SIMATIC PLCs are widely used around the world and account for a high proportion of the PLC market share; these PLCs are often used in critical infrastructure control scenarios, such as the energy, water, power, and oil and gas industries. More and more attacks are targeting critical infrastructure. In May 2021, Siemens launched the latest version of TIA, V17; it is important to note that starting from this version there are a lot of new design features regarding security, such as enhanced TLS communication protocols, the configuration of data encryption protection, and requiring the use of access protection levels to prevent unauthorized access. But are there weaknesses in such a security design, and can it be breached?
2022-09-22 09:31 blackhat
Published: 2022-09-21 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Network Security, Hardware / Embedded | No attachment
I hear you saying: "MQTT again, that's an old and stale topic."

It's actually not old or stale. MQTT is still out there and many servers are still open to attack. But even more interesting: what other devices are connected to those open servers, and what networks are they sitting on?

For example, do you know that with MQTT it's possible to open a whole network from the inside out using one simple wall switch? An MQTT attack against a network can also be used for DNS hijacking, DDoS attacks, and control of Bluetooth devices on internal networks, among other things.

We are concerned that MQTT leaks data, but I'll show in this talk that we really should be focusing on the bigger risk posed by using MQTT to replace the firmware in connected devices. I'll show how attackers can use this vector to jump protocols, poison data, or cross perimeter boundaries, among other things.

How deep can
2022-09-22 09:31 blackhat
Published: 2022-09-21 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Reverse Engineering, Cloud & Platform Security | No attachment
Static code review is an effective way to discover vulnerability variants and exploitation primitives, but two of the most challenging tasks for static analysis are effective code pattern extraction from huge numbers of various bugs and efficient code pattern searching across tons of different modules, especially for closed-source software like Windows.

This presentation discusses our practices and experiences with these two challenges. It mainly covers how we extract four unique code patterns for different vulnerability types and exploitation primitives, and how we use them to automatically find vulnerabilities and exploitation primitives on Windows with the help of our new binary code pattern searching tool: Leviathan.

In this presentation we focus on four unique patterns to find classical file hijacking vulnerabilities, reparse point memory corruption vulnerabilities, ACL o
2022-09-22 09:31 blackhat
Published: 2022-09-21 | Talk time: 0000-00-00 12:00am | Duration: 30-Minute
Tags: Application Security, Cloud & Platform Security | No attachment
All major SQL-based database engines, such as Postgres, SQLite, MS SQL, and MySQL, have in the last few years started to adopt native JSON features that enable data interactions with complicated JSON-type objects. While these native JSON features are enabled by default, developers and researchers may still not be aware of the risk they introduce. We decided to find out whether they can be hacked.

We've learned that the introduction of native JSON has opened a new, fertile ground for security researchers that could enable attackers to generically bypass web application firewalls (WAF), exploit object-relational mappings (ORM), and even break prepared statements. You'll see how we did so by abusing native JSON syntax in SQL. In this presentation, we'll introduce you to the world of JSON in SQL, including its new operators (what the heck is "?&" or "#>>"?), syntax, and new SQL injectio
2022-09-20 03:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Hardware / Embedded, Reverse Engineering | No attachment
The attack surface on modern connected cars is broad: Wi-Fi, Bluetooth, V2X, 2G/3G/4G, custom RF protocols, CAN, OBD2 interfaces, automotive Ethernet, USB ports, remote diagnostics, telematics, and mobile apps. During the presentation, we will show part of the results of penetration testing the modern European electric Volkswagen car model ID3. The vulnerabilities and security problems we discovered in the car architecture are also applicable to Volkswagen models such as the ID4, ID5, and ID6, and affect hundreds of thousands of electric cars on the roads.

We will demonstrate how hackers can obtain root access in the Infotainment and Gateway modules in the cars, install backdoors, and what hackers can do remotely with hacked cars. We will demonstrate how hackers can bypass digital signatures in software updating procedures in Automotive Grade Linux, exploit an arbitrary code execution vulnerability in the networ
2022-09-16 03:31 blackhat
Published: 2022-09-15 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Cloud & Platform Security, Cyber-Physical Systems | No attachment
Modern internet-of-things device manufacturers are taking advantage of managed Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) IoT clouds (e.g., AWS IoT, Azure IoT) for secure and convenient IoT development and deployment. IoT access control is achieved by manufacturer-specified, cloud-enforced IoT access policies (e.g., cloud-standard JSON documents, called IoT Policies on AWS IoT) stating which users can access what IoT devices/resources under what constraints. However, an IoT access control policy is often complicated to develop or deploy securely, leaving tremendous room for device manufacturers to program a flawed IoT access policy, leading to severe security loopholes for IoT users and IoT manufacturers whose IoT applications/deployments are based on the modern IoT clouds.

In this presentation, we'll unearth both design flaws and bad deployment practices of I
2022-09-15 03:31 blackhat
Published: 2022-09-14 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Cloud & Platform Security | No attachment
Microsoft Defender for Office 365 safeguards your organization against malicious threats posed by email messages, links (URLs), and collaboration tools. Safe Attachments routes all messages and attachments that do not have a virus/malware signature to a special environment, and then uses machine learning and analysis techniques to detect malicious intent. Safe Links provides time-of-click verification of URLs.

It sounds cool and, in fact, is a black box that we are expected to trust completely. This session opens this black box, based on our own research and the vulnerabilities we discovered. The vulnerability was reported to and confirmed by Microsoft Security Research.

Live demos will be included in the session.

The session will explore the following:
- Testing malicious attachments, including an example of attachments that are detected.
- Inside the sandbox. What is Safe Attachments fr
2022-09-15 03:31 blackhat
Published: 2022-09-14 | Talk time: 0000-00-00 12:00am | Duration: 30-Minute
Tags: Malware, Defense | No attachment
This talk showcases yet another new code injection technique (I know, bear with me), nicknamed "Dirty Vanity". This technique challenges current injection detection and prevention means while opening a wider spectrum of attacks that challenge common concepts of EDR TTPs.

This technique abuses the lesser-known forking mechanism that is built into Windows operating systems.

In the talk, we will cover the forking mechanism's internals and the common means to activate it. We will discuss legitimate usage of it, and mention a known malicious usage for LSASS credential dumping. Finally, we will present Dirty Vanity and the research behind it, how it works, and its implications for current detection methods.
2022-09-15 03:31 blackhat
Published: 2022-09-14 | Talk time: 0000-00-00 12:00am | Duration: 30-Minute
Tags: Exploit Development, Reverse Engineering | No attachment
Reliable exploitation is the key requirement for highly targeted and valuable attacks (such as APT). If the exploitation is not reliable, it may be fragile and thus fail (e.g., a kernel crash or panic), which would be easily noticed by others. This unexpected exposure results in a tremendous financial loss, i.e., the loss of 0-day vulnerability information and of the engineering costs invested in developing exploits.

In this talk, we will present Pspray, a new memory exploitation technique for the Linux kernel that dramatically improves exploitation reliability. In particular, we designed a heap exploitation technique effective for most memory vulnerabilities, including heap out-of-bounds, use-after-free, and double-free. The key idea behind this new attack is developing timing side-channels in Linux's SLUB allocator. Then, using this timing side-channel, we carefully redesigned the traditional exploitation
2022-09-15 03:31 blackhat
Published: 2022-09-14 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: AI, ML, & Data Science, Defense | No attachment
SOCs aim at detecting threats. Credit Agricole's SOC collects more than 10TB of data, including logs and PCAPs, on a daily basis.
Legacy detection systems are shaped by static rules and thresholds, which cannot extract the added value they could from the amount of collected data.

While we could buy expensive security solutions that come with their own AI models, why not invest the money in research and start working on enhancing our detection capacity by ourselves? Especially if confidentiality is a concern, and if we don't want our data to be given to security vendors for free.

Data science is not only about nice mathematics and gradient descent; data science is far larger and more complex. Since machine learning models are only as good as the data they use and the chosen representation of it, why can't we, as security engineers, dive deep into artificial intelligence and machine learning s
2022-09-09 06:03 blackhat
Published: 2022-09-08 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: AI, ML, & Data Science, Network Security | No attachment
AI-enabled cyber attack is fast becoming a prevalent topic. One representative topic is utilizing AI to learn how to bypass web application firewalls (WAFs). The general workflow includes three steps. First, build the original payload dataset that may be blocked by the WAF, and collect the mutation operation set, such as case substitution and adding comments in SQL injection. Second, use a heuristic algorithm or reinforcement learning (RL) to explore a combination of operations to bypass the WAF. Finally, the mutated payloads that can bypass the WAF are obtained.

This workflow has laid a solid foundation for the intelligentization of cyber attacks, but we encounter two key problems in practice. 1) The payloads used in practice are diverse, and their bypass methods are also different. It is difficult for one algorithm to cover all types. 2) Different payloads have different degrees of difficulty 
2022-09-09 06:03 blackhat
Published: 2022-09-08 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Enterprise Security, Cryptography | No attachment
While the Active Directory implementation of Kerberos prefers to use cryptography based on AES, the deprecated Kerberos encryption type RC4-HMAC-MD5 is still supported by default and widely used in practice. The property that RC4-HMAC-MD5 derives its cryptographic keys from a user's NTLM hash is frequently exploited to authenticate without the original password (overpass-the-hash) or to efficiently brute-force service account passwords offline (Kerberoasting).

No attacks were yet known that take advantage of the well-known weaknesses in the cryptographic primitives RC4 and MD5. Therefore I decided to take a look at RFC 4757 (which defines RC4-HMAC-MD5 operations) and quickly identified a relatively obvious flaw in the way HMAC was used to produce Kerberos "checksums" (cryptographic MACs).

However, turning this cryptographic flaw into a practical attack against Kerberos or Active Directory tur
2022-09-09 06:03 blackhat
Published: 2022-09-08 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Human Factors, Community & Career | No attachment
In 2020, GoDaddy launched a phishing exercise targeting 500 employees, using a Christmas bonus as a lure. Those who failed the test were punished with an extra workload. This caught international media attention and begged the question: is it morally sound to target people?

Over the years, pentesting humans by leveraging social engineering techniques has become increasingly important to many organizations, and rightfully so. While many focus on the performance of a social engineering engagement, fewer deal with the post-engagement process. How do we deal with the results of a social engineering engagement? How does a target feel afterward, knowing they have been duped, and who is helping them?

Taking care of those affected by social engineering engagements is pivotal in making an engagement a positive learning experience and avoiding negative outcomes. If the post-engagement process were poor,
2022-09-09 06:03 blackhat
Published: 2022-09-08 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Mobile, Hardware / Embedded | No attachment
All modern mobile phone SoCs are protected with the secure boot mechanism. Secure boot's first level is implemented in the bootrom's code. This code is in ROM memory and cannot be modified. The bootrom is trustworthy, and it is responsible for loading the next stage in the boot process. In mobile devices this stage is known as the Secondary Boot Loader (SBL); it is stored in eMMC or UFS external writable memory and can be overwritten by firmware updates.

To ensure security while allowing firmware updates, vendors cryptographically sign them, preventing others from modifying the Secondary Boot Loader; otherwise, it would be trivial to break the secure boot chain. In this scenario, either a private key is used to sign a crafted firmware with a modified SBL, or an exploitable software bug is found. Although vulnerable bootroms have been found in the past, they are very tied to particular phones and versions. In a
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 30-Minute
Tags: Hardware / Embedded, Cyber-Physical Systems | No attachment
As more and more microcontroller-based embedded devices are connected to the Internet as part of the Internet of Things (IoT), previously less tested (and insecure) devices are exposed to miscreants. To prevent them from being compromised, the memory protection unit (MPU), which is readily available on many of these devices, has the potential to enable many defenses.

We comprehensively studied MPU adoption in the top operating systems for microcontrollers. Specifically, we investigated whether the MPU is supported, how it is used, and whether the claimed security requirement has been effectively achieved by using it. Due to the added complexity and compatibility issues, we found that the MPU has not received wide adoption in real products. Moreover, although the MPU was developed for security purposes, it rarely fulfills its designed functionality and can be easily circumvented in many settings. We
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Exploit Development, Reverse Engineering | No attachment
Microsoft Security Response Center receives and examines many interesting bug classes. Often, the exploitability of those bugs is apparent, but this is not always the case. One interesting outlier is an arbitrary kernel pointer read primitive where the attacker cannot retrieve the content of the memory read. Traditionally, these would have an impact of Denial of Service (DoS) or, in some cases, a second-order Kernel Memory Information Disclosure (where side channels or indirect probing are possible), but could such a limited primitive actually be exploited for code execution / privilege escalation?
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Lessons Learned, Community & Career | No attachment
Vulnerability researchers and bug hunters love to talk about their successful path to finding a critical vulnerability. However, this is rarely the Cinderella story people tell on stage. Failure, along with a healthy dose of persistence, can lead to tremendous success.

This session will take a deep dive into all the things that didn't work, along with the many challenges that preceded the findings of critical zero-day bugs across multiple projects. Come learn how to fail harder and see two hackers air their technical dirty laundry on stage, while poking fun at each other's mistakes.

We will also share the lucky breakthroughs and strokes of ~~genius~~ okay, intellect that saved the day for each challenge. Instead of failing harder on yo
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Mobile, Application Security | No attachment
Parcel is the serialization mechanism in Android and is behind almost every OS cross-process interaction. Parcelable implementations have been the source of vulnerabilities in Android for ~8 years, often rated high severity and weaponized by malware authors to achieve privileged exploits, including silent package installation and arbitrary code execution.

This talk covers a detailed overview of known exploit techniques that abuse Parcel vulnerabilities, including the well-known yet still active "Bundle FengShui" exploits, and a novel exploit chain that was reported through the Google VRP program (CVE-2021-0928) in June 2021, which achieves arbitrary code execution in privileged applications' processes on Android 12.

From there, we will discuss why the approach of fixing individual problematic Parcelable classes would not scale and how we broke down the exploits' primitives to fix the root cause. Final
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Application Security, Exploit Development | No attachment
DataBinding is a mechanism that allows request parameters to be bound to a domain object automatically. It makes development more efficient and code cleaner, and is widely implemented by the best web frameworks written in trending programming languages, including Java, JavaScript, Groovy, Python, and Ruby.

Previous research related to DataBinding mainly focuses on Mass Assignment [1], which is caused by improper use of DataBinding. This occurs when a user is able to access a sensitive field of a domain object, such as a salary or an admin flag, that the application did not intend to expose. However, the security of the DataBinding mechanism itself has been neglected for a long time.

Therefore, we conducted comprehensive research on it and analyzed top web frameworks including Spring, Struts, Grails, Ruby on Rails, etc. Eventually, we found a lot of security bugs, and 2 of them lead to remote c
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Reverse Engineering, AI, ML, & Data Science | No attachment
The usage of Deep Neural Networks (DNNs) has steadily increased in recent years. Especially when used in edge devices and embedded systems, dedicated DNN compilers are used to compile DNNs into binaries for the best performance. Security applications such as DNN model extraction, white-box adversarial sample generation, and DNN model patching become possible when a DNN model is accessible. However, these techniques cannot be applied to compiled DNN binaries. No decompiler can recover a high-level representation of a DNN model from its compiled binary code.

In this paper, we introduce DnD, the first ISA- and compiler-agnostic DNN decompiler. DnD uses customized symbolic execution to lift the DNN binary into symbolic expressions represented in a novel intermediate representation (IR), which abstracts the high-level mathematical DNN operations in an ISA- and compiler-agnostic fashion. The
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Privacy, Exploit Development | No attachment
"TotallyNotAVirus 2.app" would like to access the camera and spy on you. To protect your privacy, Apple introduced the Transparency, Consent, and Control (TCC) framework, which restricts access to sensitive personal resources: documents, camera, microphone, emails, and more. Granting such access requires authorization, and the mechanism's main design concern was clear user consent.

In this talk we will share multiple techniques that allowed us to bypass the TCC authorization and, as a malicious application, get access to protected resources without any additional privileges or the user's consent.

Did you read a similar abstract before? Yeah, this is the brand new version of our TCC bypasses talk. There is so much new to cover that we decided to come back to you with brand new macOS privacy / TCC vulnerabilities and techniques that we never discussed before.

During this talk, we will give you an ove
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Policy, Community & Career | No attachment
At the end of 2021, the UK Government launched a new National Cyber Strategy, which outlined the UK's approach to being a responsible cyber power, setting a new standard internationally. The broad strategy set out an agenda to build the UK cyber economy and improve the cyber resilience of the UK as a whole, as well as to lead internationally in creating a safer and more secure digital ecosystem.

We have seen this commitment reflected in numerous public policy consultations, various bills moving through the legislative process, and the UK Government's participation in international cyber diplomacy initiatives. There has been a huge amount of activity and it's hard to keep up, but it's critical for security professionals to do so, as they will likely be highly impacted by new policy, and are also those best informed to create positive security outcomes or avoid unintended harms.

In this talk, Irfan He
2022-08-31 09:31 blackhat
Published: 2022-08-31 | Talk time: 0000-00-00 12:00am | Duration: 40-Minute
Tags: Hardware / Embedded, Reverse Engineering | No attachment
The attack surface on modern connected cars is broad: Wi-Fi, Bluetooth, V2X, 2G/3G/4G, custom RF protocols, CAN, OBD2 interfaces, automotive Ethernet, USB ports, remote diagnostics, telematics, and mobile apps. During the presentation, we will show part of the results of penetration testing the modern European electric Volkswagen car model ID3. The vulnerabilities and security problems we discovered in the car architecture are also applicable to Volkswagen models such as the ID4, ID5, and ID6, and affect hundreds of thousands of electric cars on the roads.

We will demonstrate how hackers can obtain root access in the Infotainment and Gateway modules in the cars, install backdoors, and what hackers can do remotely with hacked cars. We will demonstrate how hackers can bypass digital signatures in software updating procedures in Automotive Grade Linux, exploit an arbitrary code execution vulnerability in the networ
2022-08-18 06:25 blackhat
Published: 2022-06-16 | Talk time: 2022-08-10 2:30pm | Duration: 30-Minute
Tags: Hardware / Embedded, Cloud & Platform Security | Has attachment
CPU vulnerabilities undermine the security guarantees provided by software- and hardware-security improvements. While the discovery of transient-execution attacks increased interest in CPU vulnerabilities on a microarchitectural level, architectural CPU vulnerabilities are still understudied.

In this talk, we systematically analyze existing CPU vulnerabilities, showing that CPUs suffer from vulnerabilities whose root causes match those in complex software. We show that transient-execution attacks and architectural vulnerabilities often arise from the same type of bug, and we identify the blank spots. Investigating the blank spots, we focus on architecturally improperly initialized data locations.

We discover AEPIC Leak, the first architectural CPU bug that leaks stale data from th
2022-08-09 03:31 blackhat
Published: 2022-06-16 | Talk time: 2022-08-10 2:30pm | Duration: 30-Minute
Tags: Cyber-Physical Systems, Hardware / Embedded | Has attachment
The programmable logic controller (PLC) is a reliable hardware device implementing complex monitoring and control logic for industrial control systems. The pursuit of new advanced features has driven ICS vendors to come up with new-generation PLCs that contain a whole standard OS environment (e.g., Windows or Linux). They are commonly known as PC-based PLCs or SoftPLCs. Siemens' SoftPLC is called ET 200SP and, unlike common PLCs (which typically use customized processors), it contains a standard Intel Atom CPU. The PLC runs a hypervisor that controls two VMs: Windows and Adonis Linux, which Siemens calls SWCPU. The Adonis kernel runs the programmable control logic and functions as a software PLC. The SWCPU is encrypted (in the PLC storage) and is decrypted by the hypervisor during the boot process of the PLC.

Since the boot process of the ET 200SP is not secure, an attacker can boot hi
2022-07-29 03:31 blackhat
Published: 2022-07-12 | Talk time: 2022-08-11 9:00am | Duration: 60-Minute
Tags: Keynote | Has attachment
When Stuxnet was discovered in 2010, it shone a light on vulnerabilities in critical infrastructure that few had noticed before. The security community, largely focused on IT networks, had its eyes opened to a vast sector it had previously ignored — the operational networks and industrial control systems that manage pipelines, railways, the electric grid, water treatment plants, manufacturing and so many other pivotal industries. Cybersecurity suddenly became inextricably linked to national security. But it shouldn't have been a surprise to anyone.

Likewise, that same year, the Aurora campaign that hit Google, RSA and dozens of other companies launched a new era of massive espionage and supply-chain hacks. Threat actors became more sophisticated, and their operations more consequential — witness the OPM hack, DNC breach, NotPetya and SolarWinds. But the growing sophistication of operations shouldn't have been a surprise to anyo
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-10 8:00am Duration:
Tags:[] Has attachments
Breakfast will be served in Shoreline (South Convention Center, Level 2) at 8:00 AM - 9:00 AM.

Please wear your badge. Open to Briefings pass holders.
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-10 11:00am Duration:
Tags:[] No attachments
Morning Coffee Break will be served in the following areas for Briefings pass holders.
- Bay View Court North Corridor (North Convention Center)
- Bay View Court South Corridor (North Convention Center)
- Breakers Registration Corridor, Lagoon Corridor (Level 2)
- South Seas Foyer North, Jasmine Foyer North (Level 3)
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-10 12:00pm Duration:
Tags:[] No attachments
Lunch will be served in Shoreline (South Convention Center, Level 2) at 12:00 PM - 1:30 PM.

Please wear your badge. Open to Briefings pass holders.
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-10 3:00pm Duration:
Tags:[] No attachments
Afternoon Break will be served in the following areas for Briefings pass holders.
- Bay View Court North Corridor (North Convention Center)
- Bay View Court South Corridor (North Convention Center)
- Breakers Registration Corridor, Lagoon Corridor (Level 2)
- South Seas Foyer North, Jasmine Foyer North (Level 3)
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-11 8:00am Duration:
Tags:[] No attachments
Breakfast will be served in Shoreline (South Convention Center, Level 2) at 9:00 AM - 10:00 AM.

Please wear your badge. Open to Briefings pass holders.
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-11 11:00am Duration:
Tags:[] No attachments
Morning Coffee Break will be served in the following areas for Briefings pass holders.
- Bay View Court North Corridor (North Convention Center)
- Bay View Court South Corridor (North Convention Center)
- Breakers Registration Corridor, Lagoon Corridor (Level 2)
- South Seas Foyer North, Jasmine Foyer North (Level 3)
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-11 12:00pm Duration:
Tags:[] Has attachments
Lunch will be served in Shoreline (South Convention Center, Level 2) at 12:00 PM - 1:30 PM.

Please wear your badge. Open to Briefings pass holders.
2022-07-22 03:31 blackhat
Published: 2022-07-21 Talk time: 2022-08-11 3:00pm Duration:
Tags:[] No attachments
Afternoon Break will be served in the following areas for Briefings pass holders.
- Bay View Court North Corridor (North Convention Center)
- Bay View Court South Corridor (North Convention Center)
- Breakers Registration Corridor, Lagoon Corridor (Level 2)
- South Seas Foyer North, Jasmine Foyer North (Level 3)
2022-07-21 03:31 blackhat
Published: 2022-07-20 Talk time: 2022-08-10 1:30pm Duration: 40-Minute
Tags:['Policy', 'Application Security'] Has attachments
Join Rob Silvers (DHS Undersecretary for Policy and Chair of the Cyber Safety Review Board) and Heather Adkins (Deputy Chair and Vice President, Security Engineering, Google) for a discussion about the Cyber Safety Review Board’s inaugural review of the Log4j vulnerability. Rob and Heather will talk about key report findings, how industry and government can implement the recommendations, and how the Board is changing the cyber ecosystem.
2022-07-21 03:31 blackhat
Published: 2022-07-19 Talk time: 2022-08-11 4:20pm Duration: 40-Minute
Tags:['Keynote', 'Lessons Learned'] Has attachments
To close out Black Hat USA 2022, join Black Hat Founder Jeff Moss and Review Board members Sheila A. Berta, Chris Eng, Natalie Silvanovich and Matt Suiche for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of the conference and how these trends will impact future InfoSec strategies.
2022-07-20 03:31 blackhat
Published: 2022-06-28 Talk time: 2022-08-10 1:30pm Duration: 40-Minute
Tags:['Mobile', 'Hardware / Embedded'] Has attachments
Despite the large number of phone vendors, most Android devices are based on a relatively small subset of system on a chip (SoC) vendors. Google decided to break this pattern with the Pixel 6. From a security perspective, this meant that rather than using code that had been tested and used for years, there was a new stack of high-value device firmware we needed to get right the first time.

This talk will go over how Android secured the reimagined Pixel 6 before its launch, focusing on the perspective of the Android Red Team. The team will demonstrate how fuzz testing, black box emulators, static analysis, and manual code reviews were used to identify opportunities for privileged code execution in critical components such as the first end-to-end proof of concept on the Titan M2 chip, as well as ABL with full persistence resulting in a bypass of hardware key attestation. Finally, the Android Red Team will demonstr
2022-07-20 03:31 blackhat
Published: 2022-07-19 Talk time: 2022-08-11 3:20pm Duration: 40-Minute
Tags:['Network Security', 'Application Security'] Has attachments
Back with another year of soul-crushing statistics, the Black Hat NOC team will be sharing all of the data that keeps us equally puzzled, and entertained, year after year. We'll let you know all the tools and techniques we're using to set up, stabilize, and secure the network, and what changes we've made over the past year to try and keep doing things better. Of course, we'll be sharing some of the more humorous network activity and what it helps us learn about the way security professionals conduct themselves on an open WiFi network.
2022-07-15 03:31 blackhat
Published: 2022-06-28 Talk time: 2022-08-10 9:00am Duration: 60-Minute
Tags:['Keynote'] Has attachments
For twenty-five years, the InfoSec community and industry have been gathering here in the desert. For twenty-five years, we have chipped away at underlying insecurities in the technologies we use every day with new vulnerability research and adversary insights. For twenty-five years we’ve seen vendors and software firms roll out new products and protections. With the last twenty-five years as prologue and as we look forward to the next twenty-five years, we have to ask ourselves: are we on the right track?

We certainly aren’t set up for success, given society’s insatiable and almost pathological need to connect everything. We’re constantly serving up more attack surface to the bad guys and always cleaning up after business decisions that we know will drive bad security outcomes. All the while factors out of our hands – namely global market realities and shifting geopolitical dynamics – wreck nearly overnight carefully orches
2022-07-14 03:31 blackhat
Published: 2022-07-13 Talk time: 2022-08-10 3:20pm Duration: 40-Minute
Tags:['Hardware / Embedded', 'Mobile'] Has attachments
Touchscreen-based electronic devices such as smartphones and smart tablets are widely used in our daily life. While the security of electronic devices has been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly investigated. In this presentation, for the first time, we show how touchscreen devices are vulnerable to Intentional Electromagnetic Interference (IEMI) attacks in a systematic and practical way.

Beyond showing how practical IEMI attacks are established on touchscreens, we will also analyze and quantify in detail the underlying mechanism that allows our novel touchscreen attacks. We will show and explain how to calculate the minimum amount of electric field and signal frequency required to induce false touch events. The induced touch events allow attackers to remotely perform short-tap, long-press, and omni-directional gesture on touchscree
2022-07-14 03:31 blackhat
Published: 2022-07-13 Talk time: 2022-08-10 10:20am Duration: 40-Minute
Tags:['Defense', 'Reverse Engineering'] Has attachments
Security solutions engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind.

At Black Hat Europe 2021, we publicly showed how to blind an entire class of endpoint security products by disabling ETW. Our current research focus is Windows Management Instrumentation (WMI), a mechanism that allows filtering without registering kernel callbacks. WMI is a built-in feature designed to manage enterprise infrastructure and provide detailed diagnostics: hardware, firmware, software, and configurations both locally and remotely. WMI is deeply integrated into Windows user-mode apps and kernel drivers. WMI provides rich information about the computing environment, which allows monitoring via event filters, consumers, and bindings to get notifications about important O
2022-07-14 03:31 blackhat
Published: 2022-07-12 Talk time: 2022-08-11 9:00am Duration: 60-Minute
Tags:['Keynote'] No attachments
Kim Zetter is an award-winning investigative journalist and author who has covered cybersecurity and national security for more than a decade, initially for WIRED, where she wrote for thirteen years, and more recently for the New York Times, Politico, Washington Post, Motherboard/Vice, The Verge and Yahoo News. She has been repeatedly voted one of the top ten security journalists in the country by security professionals and her journalism peers. She has broken numerous stories about NSA and FBI surveillance, the hacker underground, nation-state hacking, the Russian sabotage of Ukraine's power grid and its use of that country as a testing ground, and election security. She is considered one of the leading experts on the latter, and in 2018 authored a New York Times Magazine cover story on the crisis of election security. She also wrote an acclaimed book about cyberwarfare and Stuxnet -- Countdown to Zero Day: Stuxnet and the Launc
2022-06-30 03:31 blackhat
Published: 2022-06-28 Talk time: 2022-08-10 9:00am Duration: 60-Minute
Tags:['Keynote'] No attachments
Chris Krebs is a Founding Partner of the Krebs Stamos Group, founded in 2020 alongside Alex Stamos. He is the Newmark Senior Fellow in Cybersecurity at the Aspen Institute where Chris is the Co-Chair of the Aspen Institute’s Cybersecurity Working Group, and previously Co-Chaired the Aspen Commission on Information Disorder. Chris was the first director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), leading the nation’s civilian cyber defense and business resilience and risk management efforts. Prior to his recent government service, he led Microsoft’s U.S. cybersecurity policy efforts, also previously contributing to key national cyber initiatives including the NIST Cybersecurity Framework. Chris is a CBS News Contributing expert, a Resident Scholar with the University of Virginia Center for Politics, and a Non-Resident Senior Fellow at the Harvard Kennedy School Belfer Center Cybersecurity Project. He serves on t
2022-06-15 06:41 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 11:20am Duration: 40-Minute
Tags:['Privacy', 'Application Security'] Has attachments
A security researcher used a modern bug bounty platform to disclose an accidental dump of personal data of ~50,000 users of a FAANG company from that company's servers. The data passes through several 3rd party systems not related to the company and lands on the researcher's laptop. What were the legal obligations of the company running the program to protect the data affected? What were the legal obligations, if any, put on the researcher around protecting the data? Who should be responsible for the cleanup?

You may be surprised to learn this FAANG company never disclosed the dump, and both the researcher and the 3rd parties continued to have access to the data.
2022-06-09 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 1:30pm Duration: 40-Minute
Tags:['Mobile', 'Reverse Engineering'] Has attachments
iOS is one of the most valuable targets for security researchers. Unfortunately, studying the internals of this operating system is notoriously hard, due to the closed nature of the iOS ecosystem and the absence of easily accessible analysis tools.

To address this issue, we developed TruEMU, which we present in this talk. TruEMU is the first open-source, extensible, whole-system iOS emulator. Compared to the few available alternatives, TruEMU enables complete iOS kernel emulation, including emulation of the SecureROM and the USB kernel stack. More importantly, TruEMU is completely free and open-source, and it is based on the well-known and highly extensible emulator QEMU.

This talk will start by presenting the challenges and the solutions we devised to reverse engineer current iOS boot code and kernel code, and explain how to provide adequate support in QEMU. Then, to showcase TruEMU's usefulness and
2022-06-09 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 2:30pm Duration: 30-Minute
Tags:['Community & Career', 'Reverse Engineering'] Has attachments
In an ideal world, members of a community work together towards a common goal or greater good. Unfortunately, we do not (yet) live in such a world.

In this talk, we discuss what appears to be a systemic issue impacting our cyber-security community: the theft and unauthorized use of algorithms by corporate entities, entities who themselves may be part of the community.

First, we’ll present a variety of search techniques that can automatically point to unauthorized code in commercial products. Then we’ll show how reverse-engineering and binary comparison techniques can confirm such findings.

Next, we will apply these approaches in a real-world case study. Specifically, we’ll focus on a popular tool from a non-profit organization that was rev
2022-06-09 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 3:20pm Duration: 40-Minute
Tags:['Cloud & Platform Security', 'Reverse Engineering'] Has attachments
Virtualization and containers are the foundations of cloud services. Containers should be isolated from the real host's settings to ensure the security of the host.

In this talk we'll answer these questions: "Are Windows process-isolated containers really isolated?" and "What can an attacker achieve by breaking the isolation?"

Before we jump into the vulnerabilities, we'll explain how Windows isolates the container's processes and filesystem, and how the host prevents the container from executing syscalls which can impact the host. Specifically, we'll focus on the isolation implementation of Ntoskrnl using server silos and job objects.

We'll compare Windows containers to Linux containers and describe the differences between their security architectural designs.
We'll follow the scenario of an attacker-crafted container running with low privileges. We'll show in multiple ways
2022-06-09 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-10 2:30pm Duration: 30-Minute
Tags:['Reverse Engineering', 'Cloud & Platform Security'] Has attachments
Existing kernel analysis tools either instrument the subject kernel to report data from the inside or use QEMU to gain information from the translated execution. Instrumentation-based tools are not applicable to binary-only operating systems such as Windows. Users may have to re-compile the whole kernel for even a slight change of the functionality. The QEMU-based approach takes a performance toll on the entire kernel execution.

In this talk, we present the Onsite Analysis Infrastructure (OASIS), a novel framework for dynamic kernel analysis. A programmer can develop her kernel analysis application to control a captured kernel thread execution, such as tracing or setting breakpoints that affect the thread only, and collect data from it as if the application runs inside the kernel, i.e., onsite analysis. We also show a few applications benefiting from OASIS, including full-VM memory intr
2022-06-08 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 11:20am Duration: 40-Minute
Tags:['Hardware / Embedded', 'Cyber-Physical Systems'] Has attachments
Fault Injection (FI), also referred to as Glitching, has proven to be a severe threat to real-world computing devices. In this kind of attack, physical faults are injected into a device at runtime to deliberately alter the target's behavior. In order to address this threat, various countermeasures have been proposed to counteract the different types of fault injection methods at different abstraction layers, requiring modification of either the underlying hardware or the firmware at the machine instruction level.

Moreover, only recently, individual chip manufacturers have started to respond to this threat by integrating certain countermeasures in their products. Multiple Fault Injection (MFI) could theoretically be used against instruction-level countermeasures; however, as stated by previous work, conducting those attacks is considered highly impractical due to the lack of precise MFI tools
2022-06-08 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-10 4:20pm Duration: 40-Minute
Tags:['AI, ML, & Data Science', 'Network Security'] Has attachments
A key lesson of recent deep learning successes is that as we scale neural networks, they get better, and sometimes in game-changing ways.

In this talk, we'll demonstrate and explain how supercomputer-scale neural networks open new vistas for security, qualitatively changing the horizons for machine learning security applications in surprising and powerful ways. Specifically, we'll demonstrate two applications of large neural networks to security problems that wouldn't have been tractable with smaller models: generating custom, human-readable explanations of difficult-to-parse attacker behavior, and detecting malicious behaviors even when we have very few examples of the kind of behaviors we're looking for.

We'll describe each example application in transparent and reproducible detail, and t
2022-06-08 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 11:20am Duration: 40-Minute
Tags:['Defense'] Has attachments
Over the years, applications have increased in size and complexity, and with them the number of vulnerabilities. Both industry and academia have proposed countermeasures to harden applications against potential attacks. For instance, control-flow integrity (CFI) tries to limit control-flow transfers within an application to transfers that are possible based on the program source code. Unfortunately, such countermeasures only work within one security domain, e.g., only on the userspace level. Once they are circumvented, an attacker can arbitrarily interact with other domains, such as the kernel.

This talk presents our concept of syscall-flow-integrity protection (SFIP), limiting the control flow across security domains, i.e., user-to-kernel transfers. By design, it is fully compatible with CFI and enhances the system's security in case CFI is circumvented. SFIP relies on three pillars: syscall sequences that model the contr
2022-06-08 03:31 blackhat
Published: 2022-06-16 Talk time: 2022-08-11 11:20am Duration: 40-Minute
Tags:['Cloud & Platform Security'] Has attachments
Kubernetes has become the de-facto way of running containerized applications on the cloud or on premise. Threat actors noticed, launching Kubernetes-tailored campaigns and releasing dedicated malware with the ultimate goal of compromising clusters. On the defensive side, hardening containers remains a top priority. Defenders hope to prevent container escapes, where a malicious container breaks out and gains control over its underlying node VM.

Unfortunately, even with cutting-edge sandboxing techniques, it's inevitable that zero-day vulnerabilities in container runtimes, the Linux kernel, or Kubernetes itself would allow sophisticated attackers to break out of a rogue container. That being said, an escape isn't necessarily game over! Defenders can still *contain* container breakouts: ensure a compromised node cannot take over the entire cluster.

Kubernetes has done a great job at de-privileging the n