Alexander Ermolov - Principal Security Researcher, Binarly Inc.

Alexandra Sandulescu - Security Engineer, Google

Alex Ionescu - ReactOS

Brian Butterly - Security Engineer

Edmond Rogers - Academic Researcher

Eduardo Vela - Product Security Response TL/M, Google

Fernando Gont - Security Consultant & Researcher, SI6 Networks

H2HC University: Fernando Merces - Senior Threat Researcher, Trend Micro

H2HC University: Gustavo Scotti - Secure Firmware Engineer, Microsoft Corporation

H2HC University Keynote: Evandro Hora - Co-Founder and Director, Tempest Security Intelligence

Johannes Wikner - PhD student, ETH Zurich

Matrosov & Ermolov & Vasilenko & Thomas - Binarly Inc.

Pawel Wieczorkiewicz - Security Researcher, Open Source Security Inc

Tarakanov & Labunets - Independent Security Researchers



  Data only Attacks Against UEFI BIOS
 Alexander Ermolov
  What comes to your mind when you hear about UEFI BIOS vulnerabilities? For a long time the obvious answer was issues in SMM (System Management Mode) code, which implements one of the protection mechanisms against UEFI BIOS modifications. This was the reason for the creation of other platform protection technologies, but new issues in SMM still keep being discovered.

Though not supported by every OEM/IBV, there are a number of mitigations applied to SMM code. Beyond that, a lot of firmware verification techniques were introduced recently. All measures developed by vendors aim to protect the integrity of the firmware code and the runtime UEFI BIOS interfaces (like SMI handlers) from software attacks and hardware tampering. However, the UEFI firmware architecture still allows attack vectors that have almost no countermeasures today and that bypass all known UEFI BIOS mitigations and protection technologies.

In this talk we'll describe the current UEFI BIOS security model and talk about one of its main disadvantages, which could be exploited by recently discovered vulnerabilities.
  Alex Ermolov leads supply chain and platform security research and development at Binarly Inc. With more than 10 years of experience in researching low-level design, firmware and systems software built for various platforms and architectures, he helps to create a solution for protecting devices against firmware threats.



  A researcher's take on Spectre exploits
 Alexandra Sandulescu
  Speculative execution attacks are (still) a hot topic because the solutions are impractical, insufficient or both. Researching novel attack techniques, mitigation bypasses or new classes of attacks is a real roller coaster and might discourage people outside of academia. My talk discusses the building blocks of a Spectre exploit and how to make them more accessible to the broader security research public. The end goal is to make Spectre attacks practical and less complicated to pull off.
  My name is Alexandra Sandulescu and for the past 5 years I have been working on various security research topics from fuzzing to speculative execution attacks to sandboxing. Currently I am a Security Engineer at Google.



 Alex Ionescu
  Keynote details soon to be announced



  An Insight into Railway Security
 Brian Butterly
  While obvious to security professionals, everyone is slowly but surely coming to understand that securing the IT world isn't sufficient. Thus, most companies are also applying their measures to other domains, like Operational Technology. One potentially even more specific area is the railway domain. From a hacker's perspective trains are big, loud, cool, and fun. Sadly, rail is a very closed world, with specific tech that we only rarely get to touch.

During the presentation I will lift some of the fog surrounding the area and give various insights into where rail is really special and where things are simply the way we as hackers would expect.

The talk will give an overview of the following topics:
• Parts & components of the overall railway system
• Current developments and directions
• Insights into regulatory requirements
  o The German approach, which should at least give some inspiration
• Processes and lifecycles
• Implications of being "special"

All in all, the talk will give plenty of inspiration to interested hackers and researchers, but will also explain why caution is highly recommended.
  After a few years of incident response in a very large and crazily diverse environment, Brian has moved back into a more offensive area. Focusing on operational technology and the railway sector, he's applying his knowledge from past projects in the areas of embedded, hardware, mobile and telecommunications security to ginormous vehicles driving at high speeds and everything surrounding them. While combining a closed environment with good old hacking spirit results in a fair amount of challenges, he's doing his best to fuse both worlds together and carry on sharing fun insights.



  Exploitation tactics discovery using data analytics
 Edmond Rogers
  We have taken memory analysis tools and mapped file access interactions in kernel space. This mapping has allowed us to use a custom-written GNN implementation to visualize these memory interactions and provide baseline geometries for profiling "weird machines" and post-exploitation tactics. In this talk we will introduce this research topic, provide code examples of this new GNN implementation, and discuss initial findings.
  Before joining the University of Illinois Information Trust Institute (ITI) in 2011, Edmond Rogers was actively involved as an industry participant in many research activities in ITI's TCIPG Center, including work on CyPSA (Cyber Physical Situational Awareness), NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Rogers has also developed and delivers customized training on ICS defense at the TCIPG Summer School and to utilities directly. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations. Rogers has spoken around the world on the defense of critical infrastructure at conferences such as BSides London, H2HC, Black Hat, DEF CON, BSidesLV, Troopers and BerlinSides, and he is currently the president of Hackito Ergo Sum.



  The Joy of Exploiting the Kernel in 2022
 Eduardo Vela
  During 2022 we received, as part of kCTF, dozens of exploits for several vulnerabilities in the Linux kernel. We spent a lot of time analyzing them and trying to learn from them. In this talk we will present the best and worst lessons to take from these vulnerabilities and exploits, and teach the audience how to bake a perfect root shell with the techniques we have seen so far in kCTF exploits. No previous knowledge of kernel security is necessary, just familiarity with the basics of memory corruption vulnerabilities (buffer overflow, use-after-free, double free).
  Eduardo has been cooking vulnerabilities for almost 2 decades, which means he is getting older and older. His love for penguin vulnerabilities started after working on kCTF. He now spends time working on kernel exploit cooking recipes and producing the videos and recipe books for them. He currently does vulnerability stuff at Google and works with the security community to find and exploit all types of vulnz. His lifelong dream is to work at McDonald's. He is a terrible cook.



  State of the Art in IPv6 Attack & Defense
 Fernando Gont
  Many content providers (such as Google) report that over 40% of their network traffic in countries such as Brazil, the USA, or Germany is IPv6-based. Yet, IPv6 security implications are ignored or misunderstood by the vast majority of security professionals, leading to lousy IPv6 pentests and deficient IPv6 defenses.

Over the last few years, a number of advances have been made in IPv6 attack and defense, ranging from improved IPv6 network reconnaissance techniques and tooling, to privacy improvements in IPv6 addressing, resulting in IPv6 security becoming "a moving target".

In this presentation, Fernando Gont will provide a snapshot of the state of the art in IPv6 attack and defense, discussing the latest advancements in each of these areas, and providing concrete practical advice for both red teams and blue teams.
  Fernando Gont has twenty years of industry experience in the fields of Internet engineering and information security, working for both private and governmental organizations from around the world.

He has authored more than 35 Internet Engineering Task Force (IETF) RFCs (many of which focus on IPv6 security), and has also produced the SI6 Networks' IPv6 Toolkit (a security assessment toolkit for the IPv6 protocol suite).

More information about Fernando Gont is available at his personal web site:



  Don't Blink! A deep dive into Cyclops Blink
 H2HC University: Fernando Merces
  In 2022 Cyclops Blink became known to the world as the next attack from the well-known advanced persistent threat group Sandworm. Associated with destructive malware like BlackEnergy and Olympic Destroyer, this group also compromises IoT devices around the world to use them as its infrastructure. In 2018, VPNFilter was one such malware family that affected many routers globally from many different vendors, and consisted of multiple payloads and functions. After the industry sinkholed its domains, many infections were left over that could have been utilized by this group.

However, they chose instead to retool and attack new routers with malware that has been dubbed "Cyclops Blink". In February 2022 the NCSC in the UK published details of WatchGuard-specific Cyclops Blink attacks, and through our investigation Trend Micro was able to acquire different families of Cyclops Blink samples, one specifically attacking ASUS routers. Analyzing these samples, we were able to emulate an infection and track down and monitor more than 150 C&C servers in the threat actor's infrastructure. While businesses around the world are spending time and money to stop attacks, nation-state attackers are going after consumer devices to gain footholds for future attacks. How can we expect our parents to defend against being part of the next large-scale nation-state attack if businesses already struggle?
  Fernando is a Threat Researcher at Trend Micro, where he works as a cybercrime investigator, using reverse engineering and threat intelligence techniques in the Forward-Looking Threat Research (FTR) team. Creator of several free tools in the field, he frequently presents his research at the main security events in Brazil and abroad. He is also a teacher and the founder of Mente Binária, a non-profit teaching and research institution committed to computing education in Brazil.



  Transparent Elections
 H2HC University: Gustavo Scotti
  Suppose there is a country where the election process publishes all the logs from all the voting machines, so that anyone can tally the results. Starting from that perspective, which technological and security requirements would guarantee that no log can be altered? What are the fundamental problems of elections? Which problems exist today that could be solved with existing technology (blockchain), and which problems have no answers? The focus of the presentation is the technical debate. At no point will I compare this hypothetical scenario with the elections in Brazil, nor will I assess whether the electronic voting machine is secure or not.
  Gustavo Scotti (a.k.a. csh) writes secure firmware to security processors at Microsoft. An old-school hacker who wrote a few exploits, hacked PlayStations, secured Xboxes, and broke a few security systems (hardware and software).



  An Essay on Recruitment
 H2HC University Keynote: Evandro Hora
  Reflections on the challenges of recruiting and retaining talent in the Information Security field
  Co-Founder and Director of Tempest Security Intelligence



  Retbleed: Arbitrary Speculative Code Execution with Return Instructions
 Johannes Wikner
  Retbleed is the newest addition to the family of speculative execution attacks that exploit branch target injection to leak arbitrary information on Intel and AMD CPUs. Unlike its siblings, which trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions to the same effect. This matters a great deal, since it undermines some of our current defenses.
  Johannes Wikner is a PhD student at COMSEC, a research group at ETH Zurich that does security research at the lower levels of the computing stack, including the hardware. His research concerns the microarchitectural security of closed-source commodity hardware, where he makes CPUs misbehave for fun and profit (and for science!).



  Breaking Firmware Trust from Pre EFI: Exploiting Early Boot Phases
 Matrosov & Ermolov & Vasilenko & Thomas
  Vulnerabilities in System Management Mode (SMM) and, more generally, in UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 9 months, the Binarly efiXplorer team disclosed 42 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations have reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below the OS.

The complexity of the modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases, these layers may introduce inconsistencies in mitigation technologies and create room for breaking general security promises, allowing for successful attacks.

In this presentation, we will share our work exploring recent changes in the UEFI firmware security runtime, using one of the most recent Intel CPUs as an example. The presentation will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and discuss new attacks on the Intel Platform Properties Assessment Module (PPAM), which is often used in tandem with the Intel SMI Transfer Monitor (STM).

These topics have never been publicly discussed from the offensive security research perspective.
  Alex Matrosov is CEO and Founder of Binarly Inc., where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and at the Intel Security Center of Excellence (SeCoE). Alex is the author of numerous research papers and of the bestselling, award-winning book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences such as REcon, Black Hat, OffensiveCon, WOOT, DEF CON, and many others. Additionally, he has been awarded multiple times by Hex-Rays for his open-source contributions to the research community.

Alex Ermolov leads supply chain and platform security research and development at Binarly Inc. With more than 10 years of experience in researching low-level design, firmware and system software built for various platforms and architectures, he helps to create a solution for protecting devices against firmware threats.

Yegor Vasilenko is an experienced Security Researcher focused on reverse engineering and firmware analysis. Nowadays he enjoys firmware reverse engineering and tool development. Yegor is one of the maintainers of efiXplorer, a popular tool for UEFI firmware reverse engineering and vulnerability research.

Dr. Sam L. Thomas is a security researcher and former academic from the UK. His interests include reverse engineering, malware detection, and static analysis. Before leaving academia, he completed post-docs in France (at CNRS) and the UK (at the University of Birmingham) and was Maître de conférences at CentraleSupélec, France. His PhD thesis focused on devising novel approaches to detect backdoors in embedded device firmware. He has presented his research at numerous internationally renowned academic conferences, including CHES, RAID, ESORICS, and DIMVA. He has also served on the program committees for DIMVA (2019-2022) and WOOT (2019, 2020).



  To branch or not to branch: security implications of x86 frontend implementations
 Pawel Wieczorkiewicz
  In this talk, we discuss a flaw recently discovered in AMD x86 processors of various microarchitectures (Zen1, Zen2 and Zen3) and its role in a speculative execution vulnerability type called straight-line speculation (SLS). We begin with a brief overview of the AMD BPU specification, focusing on the sub-components involved in branch prediction for direct unconditional and conditional branches. Next, we discuss direct conditional branch misprediction and methods to reliably achieve it across privilege boundaries or across hyper-threads, followed by a discussion of the resulting speculation window and its potential to create exploitable Spectre v1 gadgets. We also demonstrate why Spectre v1 gadgets are not limited to array out-of-bounds access and memory-access-latency-related speculation. Next, we present details of a new and surprising vulnerability in some AMD processors: direct unconditional branch SLS (CVE-2021-26341). After a quick introduction to the SLS topic, we analyze the resulting speculation window, the influence of the sibling hyper-thread, and potential ways of finding and exploiting the unexpected SLS gadgets. Finally, we take a quick survey of the proposed mitigations for vulnerabilities in direct unconditional and conditional branch speculation.
  Pawel Wieczorkiewicz is a Security Researcher at Open Source Security Inc., a company developing the state-of-the-art Linux kernel hardening solution known as grsecurity. His research focuses on offensive security aspects of transient and speculative execution vulnerabilities, side-channels, and the effectiveness of defensive mitigations in OSes and hypervisors. Pawel's deep interest in low-level security of software and hardware has resulted in the discovery of a number of vulnerabilities in AMD and Intel processors in addition to the Linux kernel and Xen hypervisor system software.



  Cinema Time!
 Tarakanov & Labunets
  Media parsing is known as one of the weakest components of every consumer system. It often operates on complex data structures in the most performant way possible, which is at odds with security requirements such as attack surface minimization, compartmentalization, and privilege separation. Compared to other operating systems, video decoding on macOS/iOS is an interesting case for two different reasons. First, instead of running in user mode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild. Our talk investigates the AppleAVD kernel extension in depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.
  Nikita Tarakanov is an independent security researcher. He has worked as a security researcher at Positive Technologies, Vupen Security, Intel Corporation and Huawei. He likes writing exploits, especially for OS kernels. He won the PHDays Hack2Own contest in 2011 and 2012. He has published a few papers about kernel-mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.

Andrey Labunets is a security researcher with more than a decade of experience in vulnerability research and reverse engineering.