Timeline
2021-10-20 05:05 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 10:20am Duration: 40-Minute
Tags: ['Mobile', 'AppSec'] No attachments
PendingIntent, the advanced version of the normal Android Intent, provides powerful inter-component communication on Android. A PendingIntent holds a base Intent that can be executed by another app under the creator app's identity (UID) and permissions, as if the target app were the creator. To securely deliver a PendingIntent and prevent hijacking, developers should set their PendingIntents explicitly with the target component name. However, this is not the case in many real-world apps.

Previous research showed a few examples attacking a PendingIntent with an empty base Intent (i.e., no component and no action), but they did not know how to exploit a PendingIntent with an implicit base Intent (i.e., no component, yet with an action) and commonly believed that it is also unexploitable, like an explicit PendingIntent. Moreover, previous research did not identify common attack surfaces for retrieving PendingIntents. To address these
2021-10-15 05:05 blackhat
Published: 2021-10-14 Talk time: 2021-11-10 1:30pm Duration: 40-Minute
Tags: ['Community'] No attachments
When it comes to critical software stacks (like embedded network libraries or real-time OSs), is it time to change the way we, as researchers, approach vendors when disclosing vulnerabilities? Shouldn't we start cooperating with them before disclosing vulnerabilities, as early as when the research begins, so that they have both a chance to learn and to help security researchers in finding more vulnerabilities?

What is needed is more of a relationship between the security research industry and those developing and deploying critical software components. The current status quo is that of conflicting parties trying to become friends, often during the disclosure phase by means of an intermediary broker. Unlike more traditional vulnerabilities reported in operating systems or application stacks, mitigation of vulnerabilities found in critical software components often means the chance of easily patching is a task many shy away from
2021-10-14 05:05 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 3:20pm Duration: 40-Minute
Tags: ['Hardware / Embedded', 'Exploit Development'] No attachments
How robust is the security of a fully updated, widely used and locked-down Linux-based device without any known rooting methods? Where the only non-trusted code being executed is heavily sandboxed JavaScript? Which has almost no user-mode binaries and is stripped down to the bare minimum? In this talk, we show how we gained root by inserting a malicious USB device that exploits a forgotten vulnerability in the USB stack of the Linux kernel, known as CVE-2016-2384 and originally found by Andrey Konovalov. Exploiting this vulnerability allows gaining arbitrary code execution in the context of the kernel without any interaction with the device, which we then used to get a root shell.

While the vulnerability was quickly resolved by (most of) the mainstream Linux distributions, it remains highly relevant in the context of device security. Here major Linux kernel upgrades are much less common and eve
2021-10-07 05:01 blackhat
Published: 2021-10-05 Talk time: 2021-11-10 9:00am Duration: 60-Minute
Tags: ['Keynote'] No attachments
2021-10-07 05:01 blackhat
Published: 2021-10-05 Talk time: 2021-11-10 4:20pm Duration: 40-Minute
Tags: ['Keynote'] No attachments
Humans are the weakest link in cyber security – or so the famous saying goes! This talk will challenge this age-old expression to focus on the human elements of the protection pillars: people, process, and technology.

Organisations have an overwhelming focus on technology in cyber security defences, including offensive red-team operations to highlight weaknesses. Yet the number of successful attacks is still increasing, both in frequency and impact.

It is time that, as an industry, we start to think differently about our approach, considering human-centric notions as part of our technological advances, throughout our entire ecosystem and security lifecycle. The aviation sector is a pioneer of this technique; so how is this thinking being adopted in the cyber security program of Airbus?
2021-10-07 05:01 blackhat
Published: 2021-10-05 Talk time: 2021-11-11 9:00am Duration: 60-Minute
Tags: ['Keynote'] No attachments
A nerd's eye view of time and timekeeping...

Moves are finally afoot to secure time! Well, to secure what we consider to be the current time. Or, to be more specific, to secure how we distribute what we consider to be the consensus of what is the "current" time. And by "we" I mean The Internet. And by "current time" I mean time measured by Atomic Clocks, accurate to within 1 second every 100 million years. Or thereabouts.

So that's nice...

But what does that actually mean?
Why do I care?
Is it enough?
Is an 0-day that skews time still an 0-day or does it disappear up its own paradox?
Only time will tell...
2021-10-05 10:53 blackhat
Published: 2021-10-04 Talk time: 2021-11-10 11:20am Duration: 40-Minute
Tags: ['Defense', 'Cloud & Platform Security'] No attachments
Honoring the term, the variety of technologies in the Big Data stack is hugely BIG. Many complex components in charge of transporting, storing, and processing millions of records make up Big Data infrastructures. The speed at which data needs to be processed and how quickly the implemented technologies need to communicate with each other make security lag behind. Once again, complexity is the worst enemy of security.

Today, when conducting a security assessment of Big Data infrastructures, there is no methodology for it and there are hardly any technical resources to analyze the attack vectors. On top of that, many things that are considered vulnerabilities in conventional infrastructures, or even in the Cloud, are not vulnerabilities in this stack. What is a security problem and what is not a security problem in Big Data infrastructures? That is one of the many questions that this research a
2021-10-05 10:53 blackhat
Published: 2021-10-03 Talk time: 2021-11-10 11:20am Duration: 40-Minute
Tags: ['Malware', 'Data Forensics & Incident Response'] No attachments
Since the introduction of Amazon Web Services (AWS) there has been a steady migration from on-premise to cloud deployments. Misconfigured cloud services can be low-hanging fruit for an attacker. Palo Alto Networks found that Docker services were attacked about every 90 minutes during the spring of 2021. Of these attacks, around 76% were by cryptojacking threat actors, one of the most active in this field being TeamTNT.

TeamTNT is one of the predominant cryptojacking threat actors currently targeting Linux servers. This session will present the threat actor's activity and their Tactics, Techniques and Procedures (TTPs) throughout their different campaigns. The first public report on TeamTNT was published in May 2020 by Trend Micro and covered attacks against servers running exposed Docker instances. While this is early activity, it is not the earliest that can be attributed to the threat act
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 3:20pm Duration: 40-Minute
Tags: ['AppSec', 'Applied Security'] No attachments
In recent years, global e-book sales have shot through the roof and e-book reading applications have sprouted like mushrooms. EPUB, the most popular open e-book format, is supported by free applications on virtually any device, ranging from desktops to smartphones. But how sure are we that these e-books aren't actually reading us?

To answer this question, we analyzed 97 free EPUB reading applications across seven platforms and five physical e-readers using a self-developed semi-automated testbed. It turns out that half of these applications are not compliant with the security recommendations of the EPUB specification. For instance, a malicious e-book is able to leak local file system information in 16 of the evaluated applications.

To further demonstrate the severity of these results, we also performed three case studies in which we manually exploited the most popular application on three different plat
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 11:20am Duration: 40-Minute
Tags: ['Hardware / Embedded', 'Reverse Engineering'] No attachments
In past years, most Android devices relied on ARM TrustZone for critical security features.

In 2018, with the release of the Pixel 3, Google introduced the Titan M chip, a hardware security module used to enhance device security by reducing its attack surface, mitigating classes of hardware-level exploits such as Rowhammer or Spectre, and providing several security-sensitive functions, such as a Keystore backend called StrongBox, Android Verified Boot (AVB) and others. It has now been almost three years since this announcement and yet very little information about it is available online.

In this presentation, we will deep dive into the Titan M's internals and usages. Our goal is to give an understanding of its attack surface as well as its role in some critical security features such as StrongBox/Keymaster. We will provide some details on how we performed our
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 10:20am Duration: 40-Minute
Tags: ['CorpSec', 'Cloud & Platform Security'] No attachments
When analyzing the security of cryptographic systems, a critical part is resiliency against eavesdroppers as well as machine-in-the-middle (MitM) attacks. Over the years, researchers have been able to break many secure protocols using MitM attacks. A common theme in this family of vulnerabilities is the lack of proper validation of any of the communicating parties.

Focusing on Active Directory environments, the most common authentication protocols are Kerberos and NTLM. We will review previous MitM attacks found on Active Directory authentication protocols and the mitigation strategies previously implemented. We will show that the relay attack technique is not limited to NTLM alone and can be used to attack the newer Kerberos authentication protocol. In addition, we will show several injection attacks compromising client systems.

We'll show how lack-of-validation mistakes can lead to devastat
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 2:30pm Duration: 30-Minute
Tags: ['Human Factors', 'Policy'] No attachments
Organizations worldwide continue to face waves of digital extortion in the form of targeted ransomware. Digital extortion is therefore now classified as the most prominent form of cybercrime and the most devastating and pervasive threat to functioning IT environments. Currently, research on targeted ransomware activity primarily looks at how these attacks are carried out from a technical perspective. Little research has, however, focused on the economics behind digital extortion and on digital extortion negotiation strategies using empirical methods.

This session explores three main topics. First, can we explain how adversaries use economic models to maximize their profits? Second, what does this tell us about the position of the victim during the negotiation phase? And third, what strategies can ransomware victims leverage to even the playing field? To answer these questions, over seven hundred attacker-victim negot
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 2:30pm Duration: 30-Minute
Tags: ['Cloud & Platform Security', 'Exploit Development'] No attachments
The safety and trust promised by the App Store is in large part due to mandatory sandboxing requirements. The required App Sandbox lets users install apps with abandon and without worry, keeping malicious ones contained. This talk will deep dive into a string of logic vulnerabilities in LaunchServices (CVE-2021-30677, CVE-2021-30783, and more) that allowed an attacker to escape the App Sandbox and bypass privacy protections despite the many new security mechanisms introduced in Big Sur and Catalina.

You'll learn how one deceptively simple issue can be exploited in multiple different ways and surely have a laugh at the same time. We'll release a tool to help reverse the latest versions of macOS and extend an already great tool to help find and detect vulnerabilities like this one. Finally, we'll lay the groundwork for bugs to come and highlight a forgotten attack surface.
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 2:30pm Duration: 30-Minute
Tags: ['Reverse Engineering', 'Malware'] No attachments
This Briefing presents our research on parser differentials for the PE format. We defined a custom language to write "formal models" of various PE loaders, for different versions of Windows and reverse-engineering tools. We then built a framework that, using these models, can perform a number of analyses that aid reverse-engineering tasks.

First, given a PE executable, it can determine whether a PE loader would consider it valid. This feature provides a filtering stage for dynamic malware analysis, as it can identify broken samples before running them in sandboxes. Our framework is also able to automatically generate SMT models of the various PE loaders, and it can automatically perform several powerful tasks: given a PE loader, generate a valid executable that can be loaded by it; or, it can perform "differential analysis" and automatically generate PE files that are valid for one PE loader but not for an
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 10:20am Duration: 40-Minute
Tags: ['Defense', 'Data Forensics & Incident Response'] No attachments
In Windows-based environments, RPC is the main underlying protocol required for remote administration and for Active Directory services. As such, it is often used by IT admins, but also by ransomware and advanced attackers to spread by creating remote services, scheduled tasks, DCOM objects, etc. It is also a major component in the persistence phase of attacks such as Active Directory DCSync, and even DC vulnerabilities such as Zerologon.

The issue for defenders is that defending against remote RPC attacks is not trivial. Unlike other protocols, such as RDP or WinRM, which can simply be blocked from untrusted assets, RPC plays a crucial part in Active Directory environments, and has to be exposed to any asset in the network.

To add to the pain, built-in Windows auditing and filtering options are incredibly noisy and don't offer enough granularity.

During our research into i
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags: ['Malware', 'Cloud & Platform Security'] No attachments
As organizations migrate their computing resources to cloud and container environments, attackers are taking notice and following. In August 2020, we discovered the first crypto-mining worm stealing AWS credentials. The attackers are now well known for their cloud-specific attacks. Recently, we discovered they had expanded their toolkit to both steal more credentials from compromised cloud systems and deploy some innovative techniques to exploit containerised Kubernetes systems and more cloud providers.

In this session, we will discuss the cloud-specific nature of the real-world attacks we've seen, sharing insights and details that have not yet been published. We will walk attendees through the overall attack group operation and their most recent innovations to be on the lookout for. Finally, we will highlight the attack group's recent movements and operational security mistakes and provide a behind
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags: ['AppSec', 'Defense'] No attachments
"Magecart" is the common name for an attack in which hackers compromise third-party JavaScript code to steal information from web applications or websites that incorporate the code.

Over the last two years, we monitored the web for vulnerabilities in online infrastructures that enable Magecart attacks or are leveraged in Magecart attacks. Our research also included monitoring additional methods to abuse third-party scripts and bypass the various defense mechanisms that have been put in place to stop these attacks. During this research, we encountered tens of thousands of vulnerable assets, including those owned by governments and global enterprises. Our conclusion from the analysis is that there is no simple solution to defeating Magecart.

In our presentation, we will go through real-world examples which demonstrate how hackers exploit these vulnerabilities in order to identify the scale of the challenge. We will
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Hardware / Embedded'] No attachments
We discovered and disclosed vulnerabilities in most of the OMG Data Distribution Service (DDS) implementations. DDS enables crucial technologies like autonomous driving, healthcare machinery, military tactical systems, or missile launch stations. Notably, DDS is used by NASA at the KSC, by SIEMENS for smart grid applications, by Volkswagen and Bosch for autonomous valet parking systems, by NAV CANADA for ATC, and by the Robot Operating System 2 (ROS2) to control industrial and consumer robots.

Designed around industrial-level requirements, DDS sits deep in the control network, allowing an arbitrary number of endpoints like sensors or actuators to communicate transparently, with an abstract API based on familiar data type specifications (e.g., C structs) and simple function calls, regardless of the complexity of the data.

We approached DDS from the bottom up, and we will show you how w
2021-10-05 10:53 blackhat
Published: 2021-10-04 Talk time: 2021-11-11 10:20am Duration: 40-Minute
Tags: ['Cyber-Physical Systems', 'Hardware / Embedded'] No attachments
Recent years have witnessed a growing volume of research on the security of embedded systems used in industrial process control applications, including Programmable Logic Controllers (PLC) and Remote Terminal Units (RTU). This increased interest reflects both the large number of "low-hanging fruit" vulnerabilities, making industrial controllers attractive research targets, and an increased interest from adversaries in subverting industrial processes. To date, research efforts have predominantly focused on firmware vulnerabilities, or on bypassing traditional security controls implemented as part of the PLC's software. In this talk we will introduce a novel exploitation vector, one previously unconsidered in existing works.

More specifically, we will show how PLC programming practices, user APIs, and memory allocation for function blocks from the Library Functions open the door to automated enu
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags: ['AppSec', 'Mobile'] No attachments
When it comes to modern web applications, browsers are the first line of defense. While built-in security features that come compiled with browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in browsers' implementation of such security features can have devastating effects. In this session, we will talk about a vulnerability in WebKit (Safari, and all browsers on iOS devices, including Firefox and Chrome) and a security feature in browsers which, when abused, allowed us to leak certain cross-site information, which made almost every application using authentication/authorization technologies such as Single Sign-On and OAuth vulnerable, thus giving us instant access to user accounts. The talk will also include our take and workarounds on the latest browser features like ITP, SameSite cookies, etc., and uses techniques and approaches to bypass common measures implemented to prevent such vul
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 1:30pm Duration: 40-Minute
Tags: ['Malware', 'Reverse Engineering'] No attachments
Windows Defender is Windows' built-in antivirus software, which gives it a place in most information systems. Still, its signature format is as yet undocumented.

This talk tries to rectify this situation. This knowledge will then be used to demonstrate signature evasion for auditors' common tooling.

Looking deeper, it will also highlight how Attack Surface Reduction, a technology used to prevent common offending patterns, actually works. It will benefit both Blue teams - to keep an eye on its blind spots - and Red teams - with a bypassing example.

Finally, understanding the format provides a new possibility: update diffing - a way to track the current interests of the Windows Defender team.
2021-10-05 10:53 blackhat
Published: 2021-10-01 Talk time: 2021-11-11 11:20am Duration: 40-Minute
Tags: ['Cloud & Platform Security', 'Policy'] No attachments
The shared responsibility model is broken. Companies are unable to keep up with cloud complexity, while vendors and cloud providers do not provide clear identification, tracking or severity for vulnerabilities discovered in their platforms. Moreover, there is an inherent lack of transparency, as cloud providers do not share full details of exposure, impact, or mitigation steps for vulnerabilities discovered in their platform.

Join the Wiz Research Team, who uncovered several unprecedented cloud vulnerabilities in AWS, GCP and Azure, in their journey and conclusions from the disclosure process. We will review key learnings and insights from the OMIGOD, ChaosDB and AWS IAM cross-account vulnerabilities we uncovered.

In this session we will make the case for extending the current CVE model to be more cloud friendly, as the current model is broken, and call everyone to join the movement for change.
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 10:20am Duration: 40-Minute
Tags: ['Human Factors', 'Defense'] No attachments
Have you ever worked on a security team where the decisions, communication, and overall team culture are dominated by one or two "rock stars"? Are constant disagreements and passive-aggression among team members hurting your ability to respond effectively? Does your high-functioning team work well together but not with other teams? This presentation will address these challenges and more, based on one of the most comprehensive studies of incident response teams ever conducted, including 80+ focus groups and interviews (over 200 participants) across 17 international organizations. We will show that a lack of attention to social maturity is the main cause of these challenges and provide a framework to address them.

Cybersecurity Incident Response Teams (CSIRTs) rely on technical and social skills to be successful, though we often focus on technical skills at the expense of communications, collaboration, and teamwo
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 11:20am Duration: 40-Minute
Tags: ['Cloud & Platform Security'] No attachments
In August 2021, the Wiz Research Team uncovered ChaosDB, a critical cross-tenant vulnerability in Azure Cosmos DB, Azure's flagship managed database solution, which is used by countless organizations. This vulnerability is every company's worst nightmare: even a flawless environment is affected. Easily exploitable, this bug allowed any Azure user to have full admin access to thousands of customers' databases, including Fortune 500 companies, without any procedural authorization.

This is an unprecedented cloud vulnerability, considered to be one of the most severe issues ever disclosed in any major cloud platform. This vulnerability triggered many questions regarding the security of managed cloud services. Since this vulnerability allowed stealing long-lasting secrets of the target database, attackers may use these secrets at their convenience, and the only solution is to rotate the secrets and hope they hav
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 1:30pm Duration: 40-Minute
Tags: ['Mobile', 'Cloud & Platform Security'] No attachments
Apple Pay, Google Pay, and Samsung Pay are the de-facto payment services for mobile users. Their growth and popularity during COVID-19 have given mobile users the option to pay with ease, often without the need to touch a payment terminal. Mobile wallets are considered by many to be state-of-the-art when it comes to payment security. But in fact, these brands do not protect their customers well enough against malicious actors. They only protect themselves.

In our research, we've found inconsistencies in "contactless payments for public transport" schemes that lead to potential fraud using lost or stolen mobile phones. We successfully defrauded victims using stores located around the planet without the phone ever leaving the victim's pocket.

This talk will delve into the fascinating world of contactless payments on mobile wallets and the background of its infrastructure and liability rules.
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags: ['AI, ML, & Data Science', 'Network Security'] No attachments
Machine learning has so far been relatively unchecked on its way to world domination. As the high pace of ML research continues, ML is being integrated into all manner of business processes – chatbots, sales lead generation, maintenance decisions, policing, medicine, recommendations... However, there are several security concerns that have been unaccounted for, which has led to some less than desirable outcomes. Researchers have been able to extract PII from language models, red teamers have stolen (and then bypassed) spam and malware classification models, citizens have been incorrectly identified as criminals, and otherwise qualified home buyers have been denied mortgages. This is just scratching the surface. While attacks on AI systems are talked about as futuristic, the consequences of not securing them are already being experienced. This talk will discuss the current state of ML security, the symmetry
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 2:30pm Duration: 30-Minute
Tags: ['Cyber-Physical Systems'] No attachments
While most protocols in industrial control systems (ICS) rarely implement security features, the OPC Foundation's Unified Architecture (OPC UA) promises security features such as authentication, authorization, integrity, and confidentiality. Nevertheless, researchers have found large numbers of insecurely configured OPC UA devices exposed to the Internet. That means that specified security features will not always lead to secure systems in practice. Challenges in the adoption of those security features by product vendors, libraries implementing the standard, and end-users have not been investigated so far. In particular, the initial distribution of public keys is a fundamental issue.

On the Internet, the initial distribution of public keys is commonly solved by shipping devices (or the OS) with certificates of a set of core root certificate authorities (CAs). Servers (identified by unique DNS names) then provide certificat
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 2:30pm Duration: 30-Minute
Tags: ['AppSec'] No attachments
Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers. Research in recent years has shown how flawed implementations of these actions can lead to severe security vulnerabilities such as HTTP request smuggling, authentication bypasses, and cache poisoning. Recent request smuggling research has developed new ways to modify headers to abuse these flawed implementations, a technique known as "header smuggling". While often overlooked, when explored as its own technique, header smuggling can be used to trigger interesting and exploitable behaviours in web applications.

I will present a new methodology for identifying how HTTP headers can be modified to achieve header smuggling using a small number of requests. I will then show how this methodology was used to bypass IP address restrictions in AWS API Gateway, and to achieve cache poisoning. I will also demon
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 2:30pm Duration: 30-Minute
Tags: ['Data Forensics & Incident Response', 'Network Security'] No attachments
Since the COVID-19 pandemic, workforces rely even more on VPN technologies for remote access into private networks.

Pulse Secure by Ivanti is a leading VPN technology. Enterprise VPN devices are often deployed at the intersection between trusted and untrusted networks and secured using multi-factor authentication and integration with Active Directory.

In April 2021, Mandiant detailed the misuse of Pulse Secure VPN devices, including by suspected Chinese-nexus threat actors for cyber espionage. Mandiant observed the use of a zero-day, CVE-2021-22893, to compromise fully patched Pulse Secure appliances, as well as re-use of previously disclosed vulnerabilities.

Attackers not only gained remote control over VPN devices at a wide variety of victims across the United States and Europe but also:
1) Deployed a total of 16 unique malware families observed in the wild, exclusi
2021-10-05 10:53 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags: ['Defense', 'CorpSec'] No attachments
Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has unfortunately flown under the radar of the defensive industry. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, briefly overview the attacks possible, and present preventive, detective, and incident response guidance for how to secure organizations against these abuses. By presenting the most comprehensive guidance on securing AD CS, we hope to give organizations the information and tools they need to secure these complex, widely deployed, and often misunderstood systems.
2021-10-05 10:53 blackhat
Published: 2021-10-04 Talk time: 2021-11-11 4:20pm Duration: 40-Minute
Tags: ['Community'] No attachments
Join Black Hat Europe Review Board members for an insightful conversation on the most pressing issues facing the InfoSec community. This Locknote will feature a candid discussion on the key takeaways coming out of the conference and how these trends will impact future InfoSec strategies.
2021-09-30 02:41 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 10:20am Duration: 40-Minute
Tags: ['Data Forensics & Incident Response', 'Cloud & Platform Security'] No attachments
Attend a talk to learn tips to navigate the jungle of the vulnerabilities scene. Most likely the oldest task of a security specialist, and still high on the agenda of any security organisation, is prioritizing and mitigating weaknesses.

What are the different standards and significant improvements to help? Let's dig into 10 years of a vulnerability database maintained by the vfeed.io team and analyze the results.
2021-09-29 02:41 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 11:20am Duration: 40-Minute
Tags: ['Community'] No attachments
One only needs to hop on social media in the aftermath of any breach to see the 'hot takes' that abound. It seems many people forget we're all one step away from being in their shoes! So it's little wonder that there is hesitation from many to show any sort of vulnerability (personal, not technical!). Due to the unique nature of many cybersecurity roles, they are naturally insular. When you combine that with a keyboard mob who are ready to ridicule anyone who stumbles, it's no surprise that knowledge sharing in our industry is fundamentally broken.

As someone who is relatively new to infosec, I have this internal battle every time I learn something new (which is often!). I get so excited about sharing it - and then almost immediately begin to doubt myself. In doing my research for this talk, I spoke to some highly-respected figures from the industry and was shocked to hear that they experienced the same issue. The thought th
2021-09-28 02:41 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 2:30pm Duration: 30-Minute
Tags: ['AI, ML, & Data Science', 'Applied Security'] No attachments
Like other software, machine learning frameworks can contain vulnerabilities. Various advanced machine learning frameworks, such as TensorFlow, PyTorch, PaddlePaddle, etc., are kept in active development to catch up with increasing demand. The rapid development style brings security risks along with its benefits. For example, from 2019 to 2021, the number of CVEs for TensorFlow increased 15 times.

API fuzzing is a common way of detecting vulnerabilities, but it is not enough for machine learning frameworks. In this work, we found that API fuzzing cannot find "deep" vulnerabilities hidden in complicated code logic. These vulnerabilities have to be triggered under a certain semantic context. It is hard for API fuzzing to construct such a semantic context from scratch.

In this session, we will demonstrate a new fuzzing approach for machine learning frameworks. It can help to find deep vulnerab
2021-09-23 06:30 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 10:20am Duration: 40-Minute
Tags:['AppSec', 'Cloud & Platform Security'] No attachments
HTTP/2 is easily mistaken for a transport-layer protocol that can be swapped in with zero security implications for the website behind it. Two years ago, I presented HTTP Desync Attacks and kicked off a wave of request smuggling, but HTTP/2 escaped serious analysis. In this presentation, I'll take you to the frontier of HTTP/2 research, to unearth horrifying implementation flaws and subtle RFC imperfections.

I'll show you how these flaws enable HTTP/2-exclusive desync attacks, with case studies targeting high-profile websites powered by servers ranging from Amazon's Application Load Balancer to WAFs, CDNs, and bespoke stacks by big tech. I'll demonstrate critical impact by hijacking thick clients, poisoning caches, and stealing plaintext passwords to net multiple max-bounties.

After that, I'll explore novel techniques and tooling to crack open request tunnelling - a widespread but overlooked r
2021-09-17 06:11 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 3:20pm Duration: 40-Minute
Tags:['Network Security', 'Applied Security'] No attachments
After a short intermission, the Black Hat NOC team is back with what's sure to be a year like no other. With the world going virtual, and Black Hat being no exception, come find out how we've spent the last two years changing, adapting, and preparing for an event that's both in person and broadcast to the world. We'll share what we're using to stabilize and secure one of the most notorious networks in the world, what worked, what didn't, and all the shenanigans in between. The stakes are high, the outcomes are unknown, and we're going to learn a lesson one way or another.
2021-09-17 06:11 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 11:20am Duration: 40-Minute
Tags:['Cloud & Platform Security'] No attachments
There might be some truth to the joke that "Linux" is what the systemd operating system used to be called. Systemd is one of several system services that run in userspace and communicate via IPC. You could almost imagine it as a micro-kernel design, where most of the operating system is implemented as userspace processes. At the heart of it all is dbus-daemon - a "message bus" that is used for IPC between systemd and other system services, such as polkit, accountsservice, UDisks2, and aptd.

The D-Bus ecosystem enables unprivileged processes to communicate securely with privileged system services, often with polkit playing a key role in authorizing actions that require higher privileges. In this presentation, I will explain the basics of D-Bus and show how some of the system services, such as polkit and accountsservice, fit together. Some aspects of the architecture, particularly those relating to security, are
2021-09-17 06:11 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags:['Cloud & Platform Security'] No attachments
In August 2021, the Wiz Research Team uncovered ChaosDB - a critical cross-tenant vulnerability in Azure Cosmos DB, Azure's flagship managed database solution, which is used by countless organizations. This vulnerability is every company's worst nightmare: even a flawless environment is affected. Easily exploitable, this bug allowed any Azure user to have full admin access to thousands of customers' databases, including Fortune 500 companies, without any procedural authorization.

This is an unprecedented cloud vulnerability, considered to be one of the most severe issues ever disclosed in any major cloud platform. This vulnerability triggered many questions regarding the security of managed cloud services. Since this vulnerability allowed stealing long-lasting secrets of the target database, attackers may use these secrets at their convenience, and the only solution is to rotate their secrets and hope they have
2021-09-15 06:37 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 2:30pm Duration: 30-Minute
Tags:['Cloud & Platform Security', 'Exploit Development'] No attachments
The safety and trust promised by the App Store is in large part due to mandatory sandboxing requirements. The required App Sandbox lets users install apps with abandon and without worry, keeping malicious ones contained. This talk will deep dive into a string of logic vulnerabilities in LaunchServices (CVE-2021-30677, CVE-2021-30783, and more) that allowed an attacker to escape the App Sandbox and bypass privacy protections despite the many new security mechanisms introduced in Big Sur and Catalina.

You'll learn how one deceptively simple issue can be exploited in multiple different ways and surely have a laugh at the same time. We'll release a tool to help reverse the latest versions of macOS and extend an already great tool to help find and detect vulnerabilities like this one. Finally, we'll lay the groundwork for bugs to come and highlight a forgotten attack surface.
2021-09-09 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags:['Malware', 'Cloud & Platform Security'] No attachments
As organizations migrate their computing resources to cloud and container environments, attackers are taking notice -- and following. In August 2020, we discovered the first crypto-mining worm stealing AWS credentials. The attackers are now well known for their cloud-specific attacks. Recently, we discovered they had expanded their toolkit to both steal more credentials from compromised cloud systems and deploy some innovative techniques to exploit containerised Kubernetes systems and more cloud providers.

In this session, we will discuss the cloud-specific nature of the real-world attacks we've seen, sharing insights and details that have not yet been published. We will walk attendees through the overall attack group operation and their most recent innovations to be on the lookout for. Finally, we will highlight the attack group's recent movements, operational security mistakes and provide a behind
2021-09-09 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags:['Mobile', 'Cloud & Platform Security'] No attachments
Apple Pay, Google Pay, and Samsung Pay are the de-facto payment services for mobile users. Their growth and popularity during COVID-19 have given mobile users the option to pay with ease, often without the need to touch a payment terminal. Mobile wallets are considered by many to be state-of-the-art when it comes to payment security. But in fact, these brands do not protect their customers well enough against malicious actors. They only protect themselves.

In our research, we've found inconsistencies in "contactless payments for public transport" schemes that lead to potential fraud using lost or stolen mobile phones. We successfully defrauded victims using stores located around the planet without the phone ever leaving the victim's pocket.

This talk will delve into the fascinating world of contactless payments on mobile wallets and the background of its infrastructure and liability rules.
2021-09-09 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags:['Cryptography', 'Hardware / Embedded'] No attachments
Trusted Execution Environment, or TEE, defines an isolation between trusted and untrusted environments. When the TEE environment executes code, the protected area is guaranteed to execute only authenticated code and to reject any instructions which are not exclusively provided by a legitimate authority. Furthermore, a TEE should protect assets' confidentiality and integrity. To ensure these security requirements, cryptographic measures are applied. These are enclosed in a scheme, for instance a digital signature scheme. The security level of a system built on top of a TEE is reduced to the strength of the primitives used and the chosen scheme. Even if primitives were proven to be unbreakable within a reasonable time, adversaries may discover vulnerabilities in the implementations or the scheme itself, or mount an attack against a private key which is used to prove legitimacy of given code or data. As it occurs, the u
2021-09-09 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 11:20am Duration: 40-Minute
Tags:['AppSec', 'Mobile'] No attachments
When it comes to modern web applications, browsers are the first line of defense. While built-in security features that come compiled with browsers are responsible for preventing a wide array of attacks, any seemingly trivial mistake in browsers' implementation of such security features can have devastating effects. In this session, we will talk about a vulnerability in WebKit (Safari, and all browsers on iOS devices including Firefox and Chrome) and a security feature in browsers which, when abused, allowed us to leak certain cross-site information, which made almost every application using authentication/authorization technologies such as Single Sign-On and OAuth vulnerable, thus giving us instant access to user accounts. The talk will also include our take and workarounds on the latest browser features like ITP, SameSite Cookies, etc., and uses techniques and approaches to bypass common measures implemented to prevent such vu
2021-09-09 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 10:20am Duration: 40-Minute
Tags:['Network Security', 'Hardware / Embedded'] No attachments
Nowadays, there are fewer and fewer IPv4 addresses, but IPv6 is popular because it has enough addresses. Assuming an attacker scans at a rate of 1 million hosts per second, it will take 500,000 years. So it seems that IPv6 is very secure, and the address scanning attack is invalid. But after thorough research, we found several vulnerabilities to scan or obtain IPv6 addresses effectively.

One of the vulnerabilities affects all Linux kernel devices! One affects all Android devices! So it looks like all iPhones, Android phones and smart devices like routers, smart speakers, and even car entertainment systems are affected. Using these vulnerabilities, we can easily get those random IPv6 addresses; for example, we can get the IPv6 addresses of all devices in a city in one minute. And this kind of attack is universal. This will cause all clients to be directly accessed, just like all the devices in a
2021-09-09 03:18 blackhat
Published: 2021-09-08 Talk time: 0000-00-00 12:00am Duration: 40-Minute
Tags:['Cloud & Platform Security', 'Malware'] No attachments
If you ever wondered what malware might look like in Microsoft 365, then this talk is for you. Through the lens of what may be the world's first demos of malware for a multi-tenant cloud, this presentation will discuss the limitations of malware in Microsoft 365, the different attack vectors that it can use, how it could spread on-prem and off-prem and how it could persist and hide in a tenant. Also, how it can remove its traces and exfiltrate the stolen data in multiple channels. This malware is not your usual Office Word document with a macro and PowerShell. The malware that I developed will use only Microsoft 365 services such as Power Automate, PowerShell, Microsoft utilities, information protection, Outlook rules, etc., and will exist only in the tenant and not on the user's machine. At the end of the presentation, a demo video will demonstrate the spreading of the malware that I developed, from one te
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 3:20pm Duration: 40-Minute
Tags:['Exploit Development', 'Cloud & Platform Security'] No attachments
In recent years, two types of reparse points, mount points and symlinks, have frequently been used in file redirection vulnerabilities in Windows system services. Hundreds of logic vulnerabilities (from permanent DoS and info leak to privilege escalation) were discovered under this attack surface. Besides fixing those vulnerabilities, Microsoft also released many mitigations to make this bug class harder and harder to exploit successfully and stably. This presentation shows a 0-day logic vulnerability which bypasses all current mitigations with undisclosed exploit techniques and won the Windows EoP category in Pwn2Own 2021. All details, from finding the bug in one day with a unique vulnerability discovery strategy to winning a seemingly impossible race window stably, will be covered.

But the story does not end here. Microsoft stopped granting bug bounties to that bug class and is releasing more and m
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags:['AppSec', 'Defense'] No attachments
"Magecart" is the common name for an attack in which hackers compromise 3rd party JavaScript code to steal information from web applications or websites that incorporate the code.

Over the last two years, we monitored the web for vulnerabilities in online infrastructures that enable Magecart attacks or are leveraged in Magecart attacks. Our research also included monitoring additional methods to abuse third-party scripts and bypass the various defense mechanisms that have been put in place to stop these attacks. During this research, we encountered tens of thousands of vulnerable assets, including those owned by governments and global enterprises. Our conclusion from the analysis is that there is no simple solution to defeating Magecart.

In our presentation, we will go through real-world examples which demonstrate how hackers exploit these vulnerabilities in order to identify the scale of the challenge. We will
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 11:20am Duration: 40-Minute
Tags:['AppSec', 'Applied Security'] No attachments
In recent years, global e-book sales have shot through the roof and e-book reading applications have sprouted like mushrooms. EPUB, the most popular open e-book format, is supported by free applications on virtually any device, ranging from desktops to smartphones. But how sure are we that these e-books aren't actually reading us?

To answer this question, we analyzed 97 free EPUB reading applications across seven platforms and five physical e-readers using a self-developed semi-automated testbed. It turns out that half of these applications are not compliant with the security recommendations of the EPUB specification. For instance, a malicious e-book is able to leak local file system information in 16 of the evaluated applications.

To further demonstrate the severity of these results, we also performed three case studies in which we manually exploited the most popular application on three different pla
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 11:20am Duration: 40-Minute
Tags:['Exploit Development', 'Defense'] No attachments
In early 2021, an external researcher reported to Google three lines of code indicating that the xt_qtaguid kernel module, used for monitoring network socket status, had had a Use-After-Free vulnerability (CVE-2021-0399) for 10 years. Unfortunately, the researcher did not provide any additional information or a PoC and stated the vulnerability was not exploitable on some Android devices due to the presence of CONFIG_ARM64_UAO. Thus, the Google Android Security team decided to investigate the likelihood of exploitation of this vulnerability.

We will discuss and analyze the history of known vulnerabilities in the module xt_qtaguid along with the reported vulnerability. In addition, we will present several ways of exploiting the kernel via the bug. In particular, we will articulate how to circumvent CONFIG_ARM64_UAO using the ret2bpf technique and show a video demo of pwning a Mi9 device to prove that the reported vulnerabil
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 2:30pm Duration: 30-Minute
Tags:['AppSec'] No attachments
Web applications commonly rely on proxy servers adding, modifying, or filtering HTTP headers to pass information to back-end servers. Research in recent years has shown how flawed implementations of these actions can lead to severe security vulnerabilities such as HTTP request smuggling, authentication bypasses, and cache poisoning. Recent request smuggling research has developed new ways to modify headers to abuse these flawed implementations, a technique known as "header smuggling". While often overlooked, when explored as its own technique header smuggling can be used to trigger interesting and exploitable behaviours in web applications.

I will present a new methodology for identifying how HTTP headers can be modified to achieve header smuggling using a small number of requests. I will then show how this methodology was used to bypass IP address restrictions in AWS API Gateway, and to achieve cache poisoning. I will also demon
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 1:30pm Duration: 40-Minute
Tags:['Cryptography'] No attachments
Attribute-based encryption (ABE) implements fine-grained access control on data where the ability to decrypt a ciphertext is determined by the attributes owned by a user of the system. Hence, data can be stored by an entity that is not necessarily trusted to enforce access control. Moreover, multi-authority variants of ABE extend these capabilities to multiple-domain settings and remove the requirement of having a trusted third party. ABE is typically exemplified in the healthcare setting, where all "nurses" of the hospital "A" can only decrypt certain records whereas "doctors" of the same hospital have access to additional information about the patients. Further, ABE has been proposed to secure the Internet of Things and enforce authorization in cloud systems.

At the CT-RSA 2021 conference, Venema and Alpár presented attacks against 11 ABE and MA-ABE schemes, including the highly cited DAC-MACS scheme with applications to
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 3:20pm Duration: 40-Minute
Tags:['Defense', 'CorpSec'] No attachments
Microsoft's Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has unfortunately flown under the radar of the defensive industry. AD CS is widely deployed and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, briefly overview the attacks possible, and present preventive, detective, and incident response guidance for how to secure organizations against these abuses. By presenting the most comprehensive guidance on securing AD CS we hope to give organizations the information and tools they need to secure these complex, widely deployed, and often misunderstood systems.
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 11:20am Duration: 40-Minute
Tags:['Network Security', 'Exploit Development'] No attachments
WiFi, which uses unprotected air as a medium, faces unique challenges in ensuring the security and availability of communication. The development of the WiFi protocol has also been the evolution of the WiFi security protocol. Even with the popularization of WiFi 6 and WPA3, there are still many flaws in the security of the WiFi protocol and its implementation.

Owfuzz is a WiFi fuzzing tool. It can perform fuzzing tests on any WiFi device, including clients and APs. Over the past few months, I've used owfuzz to fuzz WiFi chips of different vendors and found many WiFi vulnerabilities; the affected vendors include Qualcomm, Intel, Espressif, Broadcom, Huawei and others. These vulnerabilities include both design and implementation flaws, and some even affect multiple vendors at the same time.

WiFi vulnerabilities can cause remote zero-click attacks, and will affect a large number of user
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags:['Defense', 'Data Forensics & Incident Response'] No attachments
In Windows-based environments, RPC is the main underlying protocol required for remote administration and for Active Directory services. As such, it is often used by IT admins, but also by ransomware and advanced attackers to spread by creating remote services, scheduled tasks, DCOM objects, etc. It is also a major component in the persistence phase of attacks such as Active Directory DCSync, and even DC vulnerabilities such as Zerologon.

The issue for defenders is that defending against remote RPC attacks is not trivial. Unlike other protocols, such as RDP or WinRM, which can be simply blocked from untrusted assets, RPC plays a crucial part in Active Directory environments, and has to be exposed to any asset in the network.

To add to the pain, built-in Windows auditing and filtering options are incredibly noisy and don't offer enough granularity.

During our research into in
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 2:30pm Duration: 30-Minute
Tags:['Reverse Engineering', 'Malware'] No attachments
This Briefing presents our research on parser differentials for the PE format. We defined a custom language to write "formal models" of various PE loaders, for different versions of Windows and reverse-engineering tools. We then built a framework that, using these models, can perform a number of analyses that aid reverse-engineering tasks.

First, given a PE executable, it can determine whether a PE loader would consider it valid. This feature provides a filtering stage for dynamic malware analysis, as it can identify broken samples before running them in sandboxes. Our framework is also able to automatically generate SMT models of the various PE loaders, and it can automatically perform several powerful tasks: given a PE loader, generate a valid executable that can be loaded by it; or, it can perform "differential analysis" and automatically generate PE files that are valid for one PE loader but not for an
2021-09-03 03:18 blackhat
Published: 2021-09-30 Talk time: 2021-11-10 3:20pm Duration: 40-Minute
Tags:['Exploit Development'] No attachments
The advance of kernel fuzzing techniques significantly benefits the discovery of kernel bugs. According to our statistics on Syzbot, Syzkaller has already unveiled more than 2,000 kernel bug reports on Linux over the past two years. From a security analyst's perspective, a kernel bug report that demonstrates memory corruption usually receives more attention than those exhibiting only a WARNING or a NULL pointer dereference. This is simply because memory corruption is typically the prerequisite for exploiting the Linux kernel and obtaining unauthorized root privilege.

In this talk, we will introduce a new technical method to turn those seemingly low-risk bugs into memory corruption vulnerabilities. We will demonstrate how we leverage the proposed technique to escalate Linux kernel non-security bugs into exploitable vulnerabilities. Along with our demonstration, we will show unprecedented exploitability against broa
2021-08-27 06:47 blackhat
Published: 2021-09-30 Talk time: 2021-11-11 1:30pm Duration: 40-Minute
Tags:['AI, ML, & Data Science', 'Network Security'] No attachments
Machine learning has so far been relatively unchecked on its way to world domination. As the high pace of ML research continues, ML is being integrated into all manner of business processes: chatbots, sales lead generation, maintenance decisions, policing, medicine, recommendations... However, there are several security concerns that have been unaccounted for, which have led to some less than desirable outcomes. Researchers have been able to extract PII from language models, red teamers have stolen (and then bypassed) spam and malware classification models, citizens have been incorrectly identified as criminals, and otherwise qualified home buyers have been denied mortgages. This is just scratching the surface. While attacks on AI systems are talked about as futuristic, the consequences of not securing them are already being experienced. This talk will discuss the current state of ML security, the symmetry