Alexander Ermolov - Staff Member, Embedi

Alex Matrosov - Principal REsearch Scientist, Cylance

Brian Butterly - Security Researcher, ERNW GmbH

Diego Aranha - Professor (PhD), Universidade Estadual de Campinas

Edmond Rogers - Smart Grid Security Engineer, Information Trust Institute

Marion Marschalek - Security Researcher, Intel Corporation

Matias Katz - CEO, MKIT

Matthias Luft - Security Researcher & CEO, ERNW GmbH

Matt Suiche - Founder, Comae Technologies

Mike Ossmann - Founder, Great Scott Gadgets

Oleksandr Bazhaniuk - Independent Security Researcher

Sergey Shekyan - Engineer, Shape Security

Shay Gueron - Senior Principal Engineer, Amazon AWS



  UEFI BIOS holes: So Much Magic, Don't Come Inside
 Alexander Ermolov
  This report introduces the topic of the vulnerability searching process in the firmware of the GA-Q170M-D3H motherboard. It also describes how the CPU-level debugger can be obtained at home with the help of Intel DCI technology. Detailed information on how to operate the debugger will also be provided. We will tell how Intel DCI was used to detect the vulnerability common to all types of motherboards. In addition, we will demonstrate how to exploit the very same vulnerability in Intel NUC Kit NUC7i3BNH even though this vulnerability has been patched.
  Researcher, reverse engineer, and information security expert. A staff member of Embedi. My passion includes low-level design, analysis of system software, BIOS, and other firmware. I love to research undocumented technologies.



  Betraying the BIOS: Where the Guardians of the BIOS are Failing
 Alex Matrosov
  For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS?

In this presentation, I'll explain UEFI security from the competing perspectives of attacker and defender. I'll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.
  Alex Matrosov is a Principal REsearch Scientist at Cylance. He has over a decade of experience with reverse engineering, advanced malware analysis, firmware security, and advanced exploitation techniques. Before joining Cylance, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE) where he led BIOS security for Client Platforms. Before this role, Alex spent over six years at Intel Advanced Threat Research team and ESET as Senior Security Researcher. He is also author and co-author of numerous research papers and the book "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats". Alex is frequently invited to speak at security conferences, such as REcon, Ekoparty, ZeroNights, Black Hat and DEF CON. Also, he was awarded by Hex-Rays for the open-source plugin HexRaysCodeXplorer, which has been developed and supported since 2013 by REhint's team.



  Hacks & Case Studies: Cellular Devices
 Brian Butterly
  Hacking is fun and so are learning and playing with new things, as such the choice of utilizing my small GSM network for research was trivial. Having seen various approaches for cellular communications in previous projects, I decided to start collecting connected devices "just to have a closer look". As the title already announces, the talk will cover various devices and shed light on how they communicate with the rest of the world. It will show how each one can be remotely controlled and which reporting channels are in use. Where possible, simple hacks will show how most identified security measures can be circumvented and what this can mean for the operator/user of the device. To do so we'll be bringing a few devices like a GPS tracker/vehicle immobilizer live on stage together with our testing setup. Every single case study helps create a bigger picture of cellular communications - how they work, how they're secured and how they can be broken.
  Brian Butterly is a seasoned security researcher with vast experience in large and complex enterprise networks. Over the years he focused on evaluating and reviewing all kinds of network protocols and applications. He loves to play with packets and use them for his own purposes. In this context he learned how to play around with telecommunication networks, wrote protocol fuzzers and spoofers for testing their implementation and security architecture. He is a pentester and consultant at the German-based ERNW GmbH and will happily share his knowledge with the audience.



  Leave Cryptography Alone! (Deixem a criptografia em paz!)
 Diego Aranha
  The talk covers cryptographic techniques and other privacy-protection technologies from a historical perspective, culminating in the development of so-called end-to-end encryption implemented in modern messaging applications such as WhatsApp and Signal. It also discusses approaches that governments have suggested for intercepting content on these platforms, their fundamental limitations, and the corresponding impact on security. The idea is to demystify the current debate around cryptography and to propose less intrusive alternatives for investigative purposes.
  Professor (PhD) at the Universidade Estadual de Campinas (Unicamp) since 2014. He has experience in Cryptography and Computer Security, with emphasis on efficient implementation of cryptographic algorithms and security analysis of real systems. He coordinated the first team of independent researchers able to detect and exploit vulnerabilities in the software of the electronic voting machine in controlled tests organized by the Tribunal Superior Eleitoral. He holds a Bachelor's degree in Computer Science from the Universidade de Brasília (2005), and a Master's (2007) and Doctorate (2011) in Computer Science from the Universidade Estadual de Campinas. In 2015 he received the MIT Technology Review Innovators Under 35 Brazil award for his work on electronic voting, and the Google Latin America Research Award for privacy research in 2015 and 2016.



  Cyber Physical Impact Analysis using CyPSA
 Edmond Rogers
  CyPSA is a situational awareness and impact analysis tool. CyPSA was primarily designed to be used for electric grid impact analysis; however, this talk will discuss advances made since the release of this toolset that will allow for the use of impact-based analysis to be performed for any mission-critical function. Using this toolset for impact analysis in large enterprises with some customization is also an option. This talk will begin with an overview of the toolset and then discuss in detail several real-world developed use cases including device prioritization based on impact and network attack surface, common modes of failure, stepping stone attacks, and impact-based horizontal attack exposure.
  Before joining ITI, Edmond Rogers (CISSP) was actively involved as an industry participant in many research activities in ITI's TCIPG Center, including work on NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Prior to joining ITI, Rogers was a security analyst for Ameren Services, a Fortune 500 investor-owned utility, where his responsibilities included cyber security and compliance aspects of Ameren's SCADA network. Before joining Ameren, he was a security manager and network architect for Boston Financial Data Systems (BFDS), a transfer agent for 43% of all mutual funds. He began his career by founding Bluegrass.Net, one of the first Internet service providers in Kentucky. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations.



  50 Shades of Visual Studio
 Marion Marschalek
  Compilers can do ugly things to binary code, we know that, but how ugly does it get when one tries to visualize this? With the help of disassembly tools we can look at the function layout, but also at the actual instructions of compiled binaries. How fun would it be though, if we could look, instead of at individual instructions and functions, at all instructions at the same time? This talk will explore visualization methods applied to distributions of individual instructions and different classes of instructions within Visual Studio compiled binaries, to make it easy for analysts to find things such as encryption or compression algorithms, to distinguish different binary packers; but also to find differences in compiler optimization measures applied to one and the same code base. This kind of visualization helps find out how much Visual Studio alters code when applying certain optimization options for compilation. Besides fun, the resulting images are also quite beautiful, just saying. The visualizations presented are fully generated relying on open source tools, such as r2graphity, Gephi and D3JS.
  Marion Marschalek is a former malware analyst and reverse engineer, who recently started work at Intel in order to conquer the field of low level security research. She has spoken at all the conferences and such, and seen all the things, and if you want more details on her current activities you'll have to find your way around Intel's law department. Also, she runs a free reverse engineering workshop for women, because the world needs more crazy researchers \m/



  Medical records black market value
 Matias Katz
  Medical record breaches have a double impact, since they harm the healthcare institutions, but also disclose private and sensitive information about the patients. Because of this, the value of EHR (Electronic Health Records) has exceeded the value of financial records, not only because it opens the door for liability actions, but also because it can damage (or ruin) the patient's life.

In this talk I will cover the different ways in which an owned server could be taken advantage of for profit purposes, and then I will discuss the sale value of medical and financial information in the black market. I will cover a few specific recent cases (like the last one from Equifax), describe the attack vector, calculate how much it cost the companies and end users, and talk about how it could have been fixed.
  Matias Katz is a Web & Infrastructure Security specialist. He has spoken at BlackHat, H2HC, Hack in Paris, Ekoparty, HackMiami, Campus Party, OWASP and many other international conferences. He is the CEO of MKIT (www.mkit.com), a company that specializes in Red Team operations, on-demand incident response services, and personalized strategy planning and execution. He is also the founder of Andsec Security Conference (www.andsec.org).



  Penetration Testing in DevOps Environments
 Matthias Luft
  Everyone has heard of Docker, Kubernetes, etcd, CI/CD -- and many other technologies that own a .io domain. More importantly, those technologies are now starting to be used in enterprise environments which also want to leverage potential development and deployment benefits. These potential benefits partly originate from the approach of the technologies to move complexity (like handling of logging or network architecture) down from the application into the platform, consequently making the platform more complex. This complexity on the one hand increases the likelihood for technical or logical vulnerabilities and misconfiguration, but on the other hand also makes it more difficult for researchers and penetration testers to approach it from a security perspective due to a steep learning curve and setup requirements. In this presentation, we want to explain Docker, Kubernetes, overlay networking concepts, and supporting services from a penetration tester's perspective and describe (anonymously) common vulnerabilities and misconfigurations we found in various environments (but not necessarily in the tools/platforms/technologies themselves).
  Matthias Luft is a security researcher and one of the CEOs of the German security company ERNW. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.



  Porosity: A Decompiler For Blockchain-Based Smart Contracts Bytecode
 Matt Suiche
  Ethereum is gaining significant popularity in the blockchain community, mainly due to the fact that it is designed in a way that enables developers to write decentralized applications (Dapps) and smart contracts using blockchain technology.

The Ethereum blockchain is a consensus-based globally executed virtual machine, also referred to as the Ethereum Virtual Machine (EVM), implementing its own micro-kernel supporting a handful of instructions, its own stack, memory and storage. This enables the radical new concept of distributed applications.

Contracts live on the blockchain in an Ethereum-specific binary format (EVM bytecode). However, contracts are typically written in some high-level language such as Solidity and then compiled into bytecode to be uploaded on the blockchain. Solidity is a contract-oriented, high-level language whose syntax is similar to that of JavaScript. This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred to as secure by design, but now that blockchains can embed applications this raises multiple questions regarding architecture, design, attack vectors and patch deployments.

As we reverse engineers know, having access to source code is often a luxury. Hence the need for an open-source tool like Porosity: a decompiler for EVM bytecode into readable Solidity-syntax contracts, to enable static and dynamic analysis of compiled contracts.
  Matt Suiche is recognized as one of the world's leading authorities on memory forensics and application virtualization.

He is the founder of the United Arab Emirates based cyber-security start-up Comae Technologies. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes which was acquired by VMware in 2014. He also worked as a researcher for the Netherlands Forensic Institute.

His most notable research contributions enabled the community to perform memory-based forensics for Mac OS X memory snapshots but also Windows hibernation files. Since 2009, Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security due to his various contributions to the community.



  Keynote: Your Ideas Are Worthless
 Mike Ossmann
  As the owner of an open source hardware company, I frequently encounter people who tell me why my business cannot possibly succeed. After six years of continuous growth, I would like to share my thoughts about why those people are wrong and how the mythology of invention affects perception. I'll share lessons from my background as a hacker, researcher, open source developer, and business owner and discuss the past, present, and future of science, technology, and the value of ideas.
  Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.



  Software attacks on different types of system firmware: ARM vs x86
 Oleksandr Bazhaniuk
  In this research, we've explored the attack surface of hypervisor and firmware in two different platforms: ARM and x86. We will explain different attack scenarios using interrupts and other interfaces, as well as interaction methods between firmware and hypervisor privilege levels. We will explore common attack vectors for both architectures.

This presentation will demonstrate attacks on Windows 10 VBS as well as attacks on the hypervisor in an ARM-based system with Qualcomm Snapdragon 808/810 SoC. Also, we will provide new methods to test issues in ARM firmware by releasing ARM support for the CHIPSEC framework and fuzzers for different firmware interfaces.
  Alex Bazhaniuk (@ABazhaniuk) is an independent security researcher. Previously, Alex was a member of the Advanced Threat Research and Security Center of Excellence teams at Intel and Intel Security. His primary interest is the security and exploitation of low-level platform hardware and firmware, exploitation and binary analysis automation. His work has been presented at a number of security conferences. He is also a co-founder of DCUA, the first DEFCON group and CTF team in Ukraine.

Yuriy Bulygin (@c7zero) has been the chief threat researcher at Intel Security/McAfee and led the Advanced Threat Research team. Previously, Yuriy led the microprocessor vulnerability analysis team at Intel. Yuriy is the author of the open source CHIPSEC framework.



  Content Security Policy: Is It Dead Yet?
 Sergey Shekyan
  Content Security Policy (CSP) is an 8-year-old browser feature that helps fight content injections. While an average web surfer most likely loads a page that employs CSP several times a day (thanks to the big dudes), overall adoption is still not perfect.

In this presentation, we will go over the evolution of CSP, browser support levels, caveats and mistakes in deploying effective policies. We will focus on the latest big changes in the specification that should ease the deployment process dramatically, including how to make violation reports useful.

Last but not least we will discuss what is still not covered by the CSP and how it can be abused.
  Sergey Shekyan is an engineer at Shape Security where he is focused on developing tools to detect automated web attacks. He is interested in modern browser security features and contributes to web security specifications, including Content Security Policy. As part of CSP supporting work, he co-develops Salvation, a Java library to work with CSP, which is used by OWASP Zed Attack Proxy, The W3C Markup Validation Service, CSPValidator, and many other projects.



  Keynote: Attacks on encrypted memory: Beyond the single bit conditionals
 Shay Gueron
  Protecting users' privacy in virtualized cloud environments is an increasing concern for both users and providers. A hypervisor provides a hosting facility administrator with the capabilities to read the memory space of any guest VM. Therefore, nothing really prevents such an administrator from abusing these capabilities to access users' data. This threat is not prevented even if the whole memory is encrypted with a single (secret) key. Guest VMs can be isolated from the administrator if each guest VM has its memory space encrypted with a unique per-VM key. Here, while the hypervisor's memory access capabilities remain unchanged, reading a VM memory decrypts the VM's encrypted data with the wrong key and therefore gives no advantage to the attacker. This is indeed the motivation behind some newly released technologies in the latest processors.

However, this talk argues that the privacy claim of any technology that uses different encryption keys to isolate hypervisor administrators from guest VMs cannot be guaranteed. To show this, it demonstrates a new instantiation of a 'Blinded Random Block Corruption (BRBC) Attack'. Under the same scenario assumptions that the per-VM keying method addresses, the attack allows a cloud provider administrator to use the capabilities of a (trusted) hypervisor in order to log in to a guest VM (besides the encrypted memory). This completely compromises the user's data privacy. Furthermore, we also demonstrate that even non-boolean values can be effectively targeted by attackers, forcing the elevation of privileges of a process running in a protected VM as a demonstration.

This shows, once again, that memory encryption by itself is not necessarily a defense-in-depth mechanism against attackers with memory read/write capabilities. A better guarantee is achieved if the memory encryption includes some authentication mechanism.
  Associate Professor and Engineering Fellow, University of Haifa and Amazon. Shay Gueron is an Associate Professor of Mathematics at the University of Haifa, Israel. He holds a Senior Principal Engineer position in Cloud Security at Amazon. Previously he worked at Intel as Senior Principal Engineer and served as Intel's Senior Cryptographer. His interests include cryptography, security and algorithms. Gueron has been responsible for some of Intel processors' instructions such as AES-NI, PCLMULQDQ and coming VPMADD52, and for various micro-architectural features that speed up cryptographic algorithms. He contributed software to open source libraries (OpenSSL, NSS), with significant performance gains for symmetric encryption, public key algorithms and hashing. Gueron was one of the Intel Software Guard Extensions (SGX) technology architects, in charge of its cryptographic definition and implementation, and the inventor of the Memory Encryption Engine.