Speaker lineup is subject to change.



TLS Under Siege - A Bug Hunter’s Perspective

At first glance, SSL / TLS stacks have taken a beating in 2014, some more than others. TLS stacks are evolving rapidly. Public demand for encryption is at a historical high, and understandably so. Using TLS at this scale required protocol extensions and changes, with more on the way. New features mean new code, and sometimes new bugs, including Heartbleed.

From a bug hunter’s perspective, I’ll dissect and compare TLS stacks, with an emphasis on implementation errors (both historical and modern). I’ll also examine their relative structure, feature set, and coding styles, highlighting the attack surfaces and details that matter most.

Is the discovery of implementation flaws really accelerating? Are some TLS stacks riskier than others, and why? Where are the rest of the bugs buried?


Neel Mehta is a world-renowned vulnerability researcher and reverse engineer. He has found many high-impact bugs, including Heartbleed. Neel works at Google, where he studies state-sponsored attacks and malware. Neel is the co-author of 'The Shellcoder's Handbook: Discovering and Exploiting Security Holes'.

Mathew Solnik
Marc Blanchou


Cellular Exploitation on a Global Scale: The Rise & Fall of the Control Protocol

Since the introduction of the smart phone, the issue of control has entered a new paradigm. Manufacturers and Enterprises have claimed control over not just how your phone operates, but the software that is allowed to run on it. However, few people know that Service Providers have a hidden and pervasive level of control over your device. These hidden controls can be found in over 2 billion cellular devices worldwide. Organizations have been quietly deploying these controls in Smart Phones, Feature Phones, Basebands, Laptops, Embedded M2M devices, and even certain Cars. Someone with knowledge of these controls and the right techniques could potentially leverage them for cellular exploitation on a global scale.

We’ve reverse engineered embedded baseband and application space code. We’ve torn apart the Over-the-Air communications and implemented our own code to speak the relevant protocols. Layer by layer, we’ve deconstructed these hidden controls to learn how they work. While performing this work we’ve unearthed subtle flaws in how the communication is handled and implemented. After understanding these flaws we’ve written proof-of-concept exploits to demonstrate the true risk this software presents to the end user.

In this presentation, we will discuss and disclose how Over-the-Air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE), including but not limited to Android, iOS, Blackberry, and Embedded M2M Devices. You will come away from this talk armed with detailed insight into these hidden control mechanisms. We will also release open source tools to help assess and protect from the new threats this hidden attack surface presents. These tools will include the ability to dynamically test proprietary system applications and simulate different aspects of a cellular environment.


Mathew Solnik

Mathew Solnik works in consulting and research with Accuvant LABS. Mathew's primary focus is in the mobile, M2M, and embedded space, specializing in cellular network, hardware level, and OS level security. Prior to joining LABS, Mathew was a Senior Member of Technical Staff at Appthority, Inc., where he helped design and build an automated mobile threat and malware analysis platform for use in the Enterprise and Defense space. Prior to Appthority, Mathew held positions in multiple areas of IT and security, including consulting for iSEC Partners, where he performed the first Over-The-Air Car Hack (as featured in a previous Black Hat talk), and R&D for Ironkey, where he handled in-house penetration testing and design review for multiple DARPA funded projects.

Marc Blanchou

Marc Blanchou does consulting and research with Accuvant LABS, a division performing security assessments and original research on multiple platforms and environments. Prior to Accuvant, Marc was a Principal Security Consultant with iSEC Partners, where he performed security assessments on a wide range of products including Android, iOS, Blackberry, Windows, OS X, Linux and large web clients as well as server-side and various kernel related components. Marc was also a lead application developer on diverse projects and worked on products involving low latency code for a financial and a game company. For his Master's thesis at EPITECH, Marc developed a multi-platform flash file system in C which resulted in several commits to the Linux kernel and which was also accepted into the Microsoft BizSpark program. Marc has presented his research at multiple international security conferences including Black Hat (US and EU), RSA Conference, Hack In The Box, OWASP, and Ruxcon on various topics including compiler/hardware induced bugs in OSes/VMs, building better browser-based botnets and how to audit enterprise class products on Android and iOS. Marc is the author of Introspy-Android, an open-source tool to understand what an Android application is doing at runtime and help identify vulnerabilities. Marc also authored and co-authored White Papers on password managers and mobile security.




Extreme Privilege Escalation on Windows 8/UEFI Systems

The UEFI specification has more tightly coupled the bonds of the operating system and the platform firmware by providing the well-defined "runtime services" interface between the operating system and the firmware.

This interface is more expansive than the interface that existed in the days of conventional BIOS, which has inadvertently increased the attack surface against the platform firmware. Furthermore, Windows 8 has introduced APIs that allow accessing this UEFI interface from a userland process. Vulnerabilities in this interface can potentially allow a userland process to escalate its privileges from "ring 3" all the way up to that of the platform firmware, which includes permanently attaining control of the very powerful System Management Mode (SMM).

This talk will disclose two of these vulnerabilities that were discovered in the Intel provided UEFI reference implementation, and detail the unusual techniques needed to successfully exploit them.


Corey Kallenberg is a Security Researcher for The MITRE Corporation who has spent several years investigating operating system and firmware security on Intel computers. In 2012, he co-authored work presented at DEF CON and IEEE S&P on using timing based attestation to detect Windows kernel hooks. In 2013, he helped discover critical problems with current implementations of the Trusted Computing Group's "Static Root of Trust for Measurement" and co-presented this work at NoSuchCon and Black Hat USA. Later, he discovered several vulnerabilities which allowed bypassing of "signed BIOS enforcement" on a number of systems, allowing an attacker to make malicious modifications to the platform firmware. These attacks were presented at EkoParty, HITB, and PacSec. Recently, Corey has presented attacks against the UEFI "Secure Boot" feature. Corey is currently continuing to research the security of UEFI and the Intel architecture.



Thinking Outside the Sandbox - Violating Trust Boundaries in Uncommon Ways

Attacking the modern browser and its plugins is becoming harder. Vendors are employing numerous mitigation technologies to increase the cost of exploit development. An attacker is now forced to uncover multiple vulnerabilities to gain privileged-level code execution on his targets. First, an attacker needs to find a vulnerability, leak an address to get around ASLR, and bypass DEP to gain code execution within the renderer process. The attacker then needs to bypass the application sandbox to elevate his privileges, which will allow him to do something interesting. Our journey begins at the sandbox and investigates some of the more obscure techniques used to violate this trust boundary.

What should you focus on when you are auditing a sandbox implementation? There are the traditional approaches: find a memory corruption vulnerability in IPC message handling, attack the kernel to get SYSTEM-level privilege escalation, or abuse shared memory regions. Sure, any of these will work but they may not be the easiest way. Our presentation will examine four bypass techniques successfully used in winning entries at this year's Pwn2Own contest. We will analyze the attack vector used, root causes, and possible fixes for each technique. These uncommon, yet highly effective, approaches have been used to bypass the most advanced application sandboxes in use today, and understanding them will provide a unique perspective for those working to find and verify such bypasses.


Brian Gorenc

Brian Gorenc is the Manager of Vulnerability Research in HP's Security Research organization where his primary responsibility is running the world's largest vendor-agnostic bug bounty program, the Zero Day Initiative (ZDI). He's analyzed and performed root cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. Brian is also responsible for organizing the ever-popular Pwn2Own hacking competitions. Brian's current research centers on discovering new vulnerabilities, analyzing attack techniques, and identifying vulnerability trends. His work has led to the discovery and remediation of numerous critical vulnerabilities in Microsoft, Oracle, Novell, HP, open-source software, SCADA systems, and embedded devices. He has also presented at numerous security conferences such as Black Hat, DEF CON, and RSA. Prior to joining HP, Brian worked for Lockheed Martin on the F-35 Joint Strike Fighter program where he led the development effort of the Information Assurance (IA) products in the JSF's mission planning environment. He has in-depth knowledge of software vulnerabilities, exploitation techniques, reverse engineering, and secure coding practices. Brian has a MS in Software Engineering from Southern Methodist University and a BS in Computer Engineering from Texas A&M University. He also holds several certifications including ISC2's CISSP and CSSLP.

Jasiel Spelman

Jasiel Spelman is a vulnerability analyst and exploit developer for the Zero Day Initiative (ZDI) program. His primary role involves performing root cause analysis on ZDI submissions to determine exploitability, followed by developing exploits for accepted cases. Prior to being part of ZDI, Jasiel was a member of the Digital Vaccine team where he wrote exploits for ZDI submissions, and helped develop the ReputationDV service from TippingPoint. Jasiel's focus started off in the networking world but then shifted to development until transitioning to security. He has a BA in Computer Science from the University of Texas at Austin.



iOS 8 - Containers, Sandboxes and Entitlements

With the release of iOS 8 Apple introduces the concept of app extensions to iOS. This is the first time in the history of iOS that Apple allows 3rd party developers to extend Apple's own or other parties' applications. This new feature brings not only new opportunities to developers that were previously only possible on jailbroken iOS devices, but also opens up new attack surfaces and requires modifications to application containers.

In this session we will discuss the changes introduced by this new feature and analyse the new attack surface. We will also have a look into other changes introduced with iOS 8 and revisit the application sandbox implementation that was last publicly discussed around the time of iOS 4/5.


Stefan Esser is best known in the security community as the PHP security guy. Since he became a PHP core developer in 2002 he has devoted a lot of time to PHP and PHP application vulnerability research. However, in his early days he released lots of advisories about vulnerabilities in software like CVS, Samba, OpenBSD or Internet Explorer. In 2003 he was the first to boot Linux directly from the hard disk of an unmodified XBOX through a buffer overflow in the XBOX font loader. In 2004 he founded the Hardened-PHP Project to develop a more secure version of PHP, known as Hardened-PHP, which evolved into the Suhosin PHP Security System in 2006. Since 2007 he has worked as head of research and development for the German web application company SektionEins GmbH, which he co-founded.

In 2010 and 2011 he got a lot of attention for presenting about iPhone security topics and supplying the jailbreaking scene with an exploit that survived multiple updates by Apple.



Signatures Aren't dead: Next Generation Signature-based Malware Detection

Signatures aren't dead! These aren't the signatures that your grandma used back in the day. Next generation signatures use program analysis to extract features, virtual machines to simulate execution, API call monitoring, static control flow, and everything in between to build mathematical representations and models of programs. These representations can be compared in fuzzy ways using learned decision boundaries. This almost sounds like the signature-less model that malware classification employs. It pretty much is, except the decision boundary is different.


Silvio Cesare is a researcher, writer, and presenter in industry and academia. He is the author of the academic book "Software Similarity and Classification" published by Springer. He has spoken at multiple industry conferences including Black Hat, Ruxcon, Auscert, and Cansecwest. He holds a Doctorate from Deakin University in Australia. He has also worked in industry within Australia, France, and the United States. This work includes time as the scanner architect of Qualys - now the world's largest vulnerability assessment company. At present, he is again at Qualys in developing next-generation malware protection based on his University research.



NSA Playset: PCIe

Hardware hacks tend to focus on low-speed (JTAG, UART) and external (network, USB) interfaces, and PCI Express is typically neither. After a crash course in PCIe architecture, we'll demonstrate a handful of hacks showing how to pull PCIe outside of your system case and add PCIe slots to systems without them, including embedded platforms. We'll top it off with a demonstration of SLOTSCREAMER, an inexpensive device we've configured to access memory and IO, cross-platform and transparent to the OS, all by design with no 0-day needed. The open hardware and software framework that we will release will expand your NSA Playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and directly attack other hardware devices in the system. Anyone who has installed a graphics card has all the hardware experience necessary to enjoy this talk and start playing NSA at home!


Joe is an Instructor, Consultant, and Researcher at SecuringHardware.com. Joe specializes in low-cost attacks, hardware tools, and hardware design for security. Previously, he spent 8 years doing test/debug and hardware pen-testing of desktop and server microprocessors, as well as conducting security validation training for hardware validators worldwide. In addition to side projects on PCIe, RTL security validation, and simple sidechannel attacks, Joe currently teaches "Secure Hardware Development for Integrated Circuits" and Co-teaches "Software Exploitation via Hardware Exploits" alongside Stephen Ridley. @securelyfitz



EMV Security: Cloning, Skimming & Shimming - A Practical Guide to Attack & Defence

EMV is the world's most widely deployed payment framework, and is a growing target for fraud. The speaker reviews the important attacks on EMV found in the last ten years, describes his own research on skimming cards with the pre-play attack and on using chip cards without PINs, and discusses the economic and technical reasons for the failures and how to go about detecting and fixing them in real banking systems.


Mike Bond is a visiting researcher at University of Cambridge where he did a PhD in computer security, specialising in the security of Hardware Security Modules and banking systems. He currently works full time in industry for Cryptomathic Ltd, a supplier of authentication and security software for banks, including for EMV card issuance and authorisation.



Homebrew Incident Response

In the past three years, Facebook's Incident Response team has grown from a single person to a full-fledged team. We're going to discuss lessons we've learned and open source some of our tooling and techniques. This talk will cover topics like containment, sinkholing, scaling network intrusion detection, and lifecycle improvements we've made as a result of real situations we've managed. Attendees can expect to walk away with tangible, real-world solutions they can deploy in their enterprise.


@mimeframe is the manager of Facebook's Incident Response team.

@mtmcgrew is a security engineer on Facebook's Incident Response team.



Smartphone Physical: The Current State of Play

This seminar will examine the current state of play in regard to the lowest level of acquisition and analysis of Android and iOS smart phones. Focusing on the theory of operation underlying open source and commercial tools, rather than the tools themselves, attendees of this seminar will gain an understanding of the techniques currently employed for acquisition and analysis, and the corresponding limitations and opportunities in forensic practice.


Bradley Schatz divides his time between research and practice in the area of digital forensics. His research ranges from enabling live forensics in the energy sector to digging into the lowest layers of the hardware/software stack, while his practice ranges from investigating claims of IP theft to reconstructing the behaviour of software. The practical outcomes of Bradley’s past research may be found in the AFF4 forensic file format and the Volatility memory forensics framework.



Crash & Pay: Reading, Cloning and Fuzzing RFID Payment Cards

So, we all know you can clone your building pass, and you can clone your old Mifare cards, so why hasn't your PayPass/payWave card been cloned yet? This talk will endeavour to answer this question by showing you how to clone a card. I'll also be discussing what tools I use to do RFID testing. We'll also show you how to use cheap hardware to create malicious cards to "fuzz" RFID readers (thanks Google!), and the results of fuzzing different RFID hardware out there. Areas this talk will cover are NFC, RFID, EMV, ISO 14443 and the ever so exciting world of credit-card fraud.


Peter is a payment security consultant who assists clients in the design and certification of payment systems. A former #1 "musician" who composed such hits as "I Have to Remind you Sully, this is my weak arm" and "O Little Town of Pyongyang", he has decided to go to where the money is, by actually looking at money. Other interests include taking things apart, losing the screws and collecting broken things (that he broke).



Intel ME: Two Years Later

At the first Breakpoint I presented my first investigation into what Intel's Management Engine is, what it does and how to look at the code which it runs. In the two years since, I've looked at numerous versions of the ME firmware, discovered many of the internal details and tried out various attacks against it. Some of the new discoveries that I plan to share:

  • Boot ROM code and its operation
  • Details of the ROM API (RAPI) and Kernel API (KAPI) used by the ME modules
  • Huffman compression details
  • Java VM used in the Dynamic Application Loader module, used to implement the Identity Protection Technology (IPT)
  • Cold boot and hot boot attacks against ME and their outcome
  • New architecture of the ME core introduced in Bay Trail processors


Igor Skochinsky was interested in "how stuff works" since childhood and got into software reverse engineering while studying Computer Science at the Belarusian State University. After graduating he spent several years at a big software company but continued to pursue his RE hobby in free time. He had brief periods of internet fame after releasing a dumper for iTunes DRM-ed files (QTFairUse6) and hacking the Amazon Kindle. In 2008 he joined Hex-Rays where he is now helping develop the world-famous Interactive Disassembler and Hex-Rays Decompiler. He previously spoke at the Recon conference on embedded RE and C++ compilers' internals.



The NSA Playset: Bluetooth Smart Attack Tools

Check your pocket, or your wrist, or your door lock. From lightbulbs to keyboards and mice, Bluetooth Smart (a.k.a. BLE) just won't stop popping up. Given such a huge proliferation, it's no surprise that the NSA ANT catalog includes tools that target this fundamentally insecure wireless protocol. And this is the NSA we're talking about, they're not after your pedometer.

Build out your own SIGINT capabilities with my Bluetooth Smart Attack tools: modelled on tools from the NSA ANT catalog, built with open source hardware and software, and ready to play with today!


Mike Ryan is a penetration tester ("security consultant") at iSEC Partners. At iSEC, Mike does low-level wireless and embedded testing as much as possible. Too often he's stuck doing mobile and web security, along with red team penetration tests and incident response. In 2013 Mike released a tool called crackle. Crackle cracks the key exchange in Bluetooth Smart (BLE), allowing a *passive* eavesdropper to capture and decrypt all data sent over BLE. He has since gone on to develop an arsenal of BLE active attack tools. Mike has presented at ToorCon, ShmooCon, BlackHat, CanSecWest, and USENIX Security. He has been playing the game since 2002 and employs a wide array of skills, tricks, and leet hax on a daily basis.



Not So Private Mode

This presentation explores the recent history in identifying and tracking users via browser artefacts (with and without "Private mode"), how it's done, how you can defend against it, subverting browser tracking, and detecting and defeating the subverters.


Kayne Naughton is a technologist and security researcher with 15 years' experience across the education, government and finance industries. Since 2013 he has been running a start-up, Asymmetric Security, focused on security intelligence for the finance and corporate sector. Kayne is also a volunteer with the Shadowserver Foundation, a US based non-profit dedicated to keeping the internet safe. He is currently focused on researching cyber crime, malware and open source intelligence but draws on experience in system administration, coding and teaching.