H2HC 19 Anos

What comes to your mind when you hear about UEFI BIOS vulnerabilities? For a long time the obvious answer was issues in SMM (System Management Mode) code, which enables one of the protection mechanisms against UEFI BIOS modifications. This was the reason of creation other platform protective technologies, but still new issues in SMM keep being discovered.

Though, supported not by each OEM/IBV, there are a number of mitigations applied for SMM code. Beyond that, a lot of firmware verification techniques were introduced recently. All measures grown by vendors aimed to protect the firmware code integrity and runtime UEFI BIOS interfaces (like SMI handlers) from software attacks and hardware tampering. However, UEFI firmware architecture still allows to develop attack vectors that has almost none countermeasures nowadays and allows to bypass all known UEFI BIOS mitigations and protection technologies.

In this talk we’ll describe current UEFI BIOS security model and talk about one if its main disadvantages, which could be exploited by recently discovered vulnerabilities.

Alex Ermolov leads supply chain and platform security research and development at Binarly Inc. With more than 10 yeras of expeirence in researching low-level deisgn, firmware and systems software bulit for various platforms and architectures, he helps to create a solution for protecting devices against firmware threats.

A researcher's take on Spectre exploits
Alexandra Sandulescu

Speculative execution attacks are (still) a hot topic because solutions are impractical, insufficient or both. Researching novel attack techniques, mitigation bypasses or new classes of attacks is a real roller coaster and might discourage people outside of academia. My talk discusses the building blocks of a Spectre exploit and how to make them more accessible for the broader security research public. The end goal is to make Spectre attacks practical and less complicated to pull off.

My name is Alexandra Sandulescu and for the past 5 years I have been working on various security research topics from fuzzing to speculative execution attacks to sandboxing. Currently I am a Security Engineer at Google.

Keynote: The Golden Age of Windows Exploits (for now)
Alex Ionescu

Keynote

Alex Ionescu is the Technical Director, Platform Operations and Research at CSE (Communications Security Establishment), Canada's National Cryptologic Agency. Previously, he was the VP of Endpoint Engineering at CrowdStrike, Inc., where he started as the Founding Chief Architect in 2011. Alex is a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering. He is co-author of the last 3 editions of the Windows Internals series. During the last two decades, his work led to the fixing of dozens of critical kernel vulnerabilities in Windows. Previously, Alex was the lead kernel developer for ReactOS, an open source Windows clone written from scratch, for which he wrote most of the Windows NT-based subsystems. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, and drivers on the original core platform team behind the iPhone, iPad, and AppleTV. Alex is also the founder of Winsider Seminars & Solutions Inc., a company that specializes in low-level system software, reverse engineering and security training for various institutions.

An Insight into Railway Security
Brian Butterly

While being obvious for Security professionals, everybody is slowly but surely understanding that securing the IT worlds isn’t sufficient. Thus, most companies are also applying their measure to other domains, like Operational Technology. One potentially even more specific area is the railway domain. From a Hacker’s perspective trains are big, loud, cool, and fun. Sadly, rail is a very closed world, with specific tech that we only rarely get to touch.

During the presentation I will lift some of the fog surrounding the area and give various insights into where rail is really special and where things simply are just the way we as Hacker’s would expect.

The talk will give an overview of the following topics:
• Parts & Components of the overall railway system
• Current developments and directions
• Insights into regulatory requirements
o The German approach, which should at least give some inspiration
• Processes and lifecycles
• Implications of being “special”

All in all the talk will give a bunch of inspiration for interested Hackers and researchers but also explain why caution is highly recommended.

After a few years of incident response in a very large and crazily diverse environment, Brian has changed back into a more offensive area. Focusing on operational technology and the railway sector, he’s applying his knowledge from past projects in the areas of embedded-, hardware-, mobile- and telecommunications-security to ginormous vehicles driving at high speeds and everything surrounding them. While combining a closed environment and good old hacking spirit results in a fair amount of challenges, he’s doing his best to fuse both world together and carry on sharing fun insights.

From PIX to Reverse Shell
Bruno Cortes

This is a hands-on presentation that addresses details about the BRCODE pattern adopted by BACEN for PIX transactions and demonstrates, based on a pentest finding scenario, the exploitation of Server Side Request Forgery (SSRF) + CRLF Injection -> Remote Code Execution (RCE) chained vulnerabilities. The flaw still affects financial institutions that don't apply the security measures established for PIX transactions with dynamic BRCODE.

Professional with more than 10 years of career in Cyber Security, working at companies in the Technology and Military segments, such as: Brazilian Army, GoHacking and Nubank.

Engenharia Reversa num jogo de Gameboy Advance
Bruno Macabeus

O Gameboy Advance foi um dos videogames mais populares de seu tempo, e com isso, muitas comunidades surgiram para estudar e documentar sua arquitetura, desenvolver ROM hacking, assim como ferramentas próprias para o GBA.

Então, que tal explorarmos engenharia reversa na prática com o seguinte desafio: desenvolver um editor de fases para um jogo de GBA, o "Klonoa: Empire of Dreams"? Esse é um desafio bem interessante, pois precisaremos entender a arquitetura de um hardware em ARM, aplicar engenharia reversa para descobrir a lógica do jogo, escrever patches para a ROM, e enfim usar todas as nossas descobertas para construir um completo editor de fases.

Veremos o passo a passo da engenharia reversa e o desenvolvimento da ferramenta nessa talk.

Repositório do projeto: https://github.com/macabeus/klo-gba.js
Manual sobre o desenvolvimento do projeto:
https://medium.com/@bruno.macabeus/pt-br-engenharia-reversa-num-jogo-de-gameboy-advance-introdu%C3%A7%C3%A3o-21ebffe2f794

Hello, I'm Macabeus!

I'm a Sr. Full-Stack Engineer at Anima, a startup company that improves the experience for designers and front-end developers by automating their workflows.
I work building plugins for design tools such as Figma and Adobe XD, as well as coding on our Python/Node backend.

I learned how to code by contributing to open-source projects, so I love helping them in different ways. I have several personal projects on GitHub, approaching different topics, including reverse engineering, compilers, and VS Code plugins.

Last but not least, I love developer communities, and I have been helping many of them for years now, both as an organizer and speaker.

Check more about me and my projects on my site: https://macabeus.github.io/

Exploitation tatics discovery using data analytics
Edmond Rogers

We have taken memory analysis tools and mapped file access interactions in kernel space. This mapping has allowed us to use a custom written implementation of GNN to visualize these memory interactions to provide baseline geometries to profile “weird machines” and post exploit tactics. In this talk we will introduce this research topic, provide code examples of this new GNN implementation, and discuss initial findings.

Before joining the University of Illinois Information Trust Institute (ITI) in 2011, Edmond Rogers was actively involved as an industry participant in many research activities in ITI's TCIPG Center, including work on CyPSA Cyber Physical Situational Awaraness, NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Rogers also has developed and delivers customized training on ICS defense at the TCIPG Sumer School and to utilities directly. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations. Rogers has spoken across the world regarding defense of critical infrastructure at conferences such as Bsides London, H2HC, Black Hat, Defcon, BsidesLV, Troopres, BerlinSides and he is currently the president of Hackito Ergo Sum.

The Joy of Exploiting the Kernel on 2022
Eduardo Vela

During 2022 we received as part of kCTF dozens of exploits for several vulnerabilities in the Linux Kernel. We spent a lot of time analyzing them and trying to learn from them. In this talk we will present the best and worst lessons to take from these vulnerabilities and exploits and teach the audience how to bake a perfect root shell with the techniques we saw so far with kCTF exploits. No previous knowledge of Kernel security is necessary, just familiarity with the basics of memory corruption vulnerabilities (buffer overflow, use-after-free, double free).

Eduardo has been cooking vulnerabilities for almost 2 decades, which means he is getting older and older. His love for penguin vulnerabilities started after working on kCTF. He now spends time working on kernel exploit cooking recipes and producing the videos and recipe books for them. He currently does vulnerability stuff at Google and working with the security community to find and exploit all types of vulnz. His lifelong dream is to work at McDonald's. He is a terrible cook.

Keynote: Ensaio sobre o Recrutamento
Evandro Hora

Reflexoes sobre os desafios em recrutar e reter talentos na area de Seguranca da Informacao

Socio-Fundador e Diretor da Tempest Security Intelligence

The ADCS domain administrator is right there
Fabricio Gimenes

What is ADCS?

Active Directory Certificate Services (AD CS)

ADCS provides customizable services for issuing and managing public key infrastructure (PKI) certificates used in software security systems that employ public key technologies. The digital certificates that AD CS provides can be used to encrypt and digitally sign electronic documents and messages. Further, these digital certificates can be used for authentication of the computer, user or device accounts on a network. Digital certificates are used to provide:
1) Confidentiality - through encryption
2) Integrity - through digital signatures
3) Authentication - by associating certificate keys with the computer, user, or device accounts on a computer network.

What are Templates?

Templates

AD CS Enterprise CAs issue certificates with settings defined by AD objects known as certificate templates. These templates are collections of enrollment policies and predefined certificate settings and contain things like “How long is this certificate valid for?”, “What is the certificate used for?”, “How is the subject specified?”, “Who is allowed to request a certificate?”, and a myriad of other settings:

These certificate services were available starting in Windows 2000 and continue to be available as a server role in Windows Server 2008 R2.

Misconfigured Certificate Templates — ESC1

In order to abuse this misconfiguration, the following conditions must be met:
1) The Enterprise CA grants low-privileged users enrollment rights.
2) Manager approval is disabled.
3) No authorized signatures are required.

NTLM Relay to AD CS HTTP Endpoints — ESC8

In this attack it is possible to obtain domain admin over HTTP Based Authentication. As covered in the “Certificate Enrollment” section, AD CS supports several HTTP-based enrollment methods via additional AD CS server roles that administrators can install. These HTTPbased certificate enrollment interfaces are all vulnerable NTLM relay attacks. Using NTLM relay, an attacker on a compromised machine can impersonate any inbound-NTLM-authenticating AD account. While impersonating the victim account, an attacker could access these web interfaces and request a client authentication certificate based on the User or Machine certificate templates.

And for end point over this attack that explain here is we can obtain total control on ADCS

CA Manager - ESC7

When a user has the Manage CA or Manage Certificates access right on a CA. While there are no public techniques that can abuse only the Manage Certificates access right for domain privilege escalation, we can still use it to issue or deny pending certificate requests.

My name is Fabricio Gimenes, I'm 36 years old. I have worked with information security for about 13 years, I worked in big companies like "Banks, Ensurences, E-commerce, etc". I currently work as an offensive security specialist at Telefônica Brasil.

State of the Art in IPv6 Attack & Defense
Fernando Gont

Many content providers (such as Google) report that over 40% of their network traffic in countries such as Brazil, the USA, or Germany is IPv6-based. Yet, IPv6 security implications are ignored or misunderstood by the vast majority of security professionals, leading to lousy IPv6 pentests and deficient IPv6 defenses.

Over the last few years, a number of advances have been made in IPv6 attack and defense, ranging from improved IPv6 network reconnaissance techniques and tooling, to privacy improvements in IPv6 addressing, resulting in IPv6 security becoming "a moving target".

In this presentation, Fernando Gont will provide a snapshot of the state of the art in IPv6 attack and defense, discussing the latest advancements in each of these areas, and providing concrete practical advice for both red teams and blue teams.

Fernando Gont has twenty years of industry experience in the fields of Internet engineering and information security, working for both private and governmental organizations from around the world.

He has authored more than 35 Internet Engineering Task Force (IETF) RFCs (many of which focusing on IPv6 security), and has also produced the SI6 Networks' IPv6 Toolkit (a security assessment toolkit for the IPv6 protocol suite).

More information about Fernando Gont is available at his personal web site:

Introspeccao de Maquinas Virtuais para Monitoramento de Ameacas em Sistemas ARM
Fernando Menardi

A palestra tem como principal objetivo apresentar técnicas para implementação de VMI (Virtual Machine Introspection) para monitoramento de ameaças no Kernel Linux. Esse monitoramento é feito através do hooking das syscalls no kernel, de maneira furtiva (stealth) utilizando VMI, através da instrumentalização de um Type 1 Hypervisor.

O foco são os recursos dos processadores ARM, mas alguns conceitos possuem equivalência em outras famílias de processadores (como a x86/x64 da Intel). Os tópicos que devem ser abordados na palestra, para devida compreensão teórica e técnica, são:

Hypervisors (Definição, tipos e importância)
ARM (Fundamentos e Recursos para virtualização: Exception Levels, Hypercalls, SLAT)
Xen Hypervisor (Arquitetura, Event Channels, ALTP2M)
VMI (objetivos, implementação de syscall hooking, LibVMI)

Os softwares utilizados são todos open-source.

Meu nome é Fernando, tenho 23 anos e sou estudante de Engenharia de Controle e Automação pela rede Federal de ensino IFSP. Atualmente trabalho em uma startup chamada “Taxpert”, como Dev/DevOps em operações envolvendo Cloud, Docker, Kubernetes, Golang e etc.

Dont Blink! A deep dive into Cyclops Blink
Fernando Merces

In 2022 Cyclops Blink became known by the world as the next attack from the well-known advanced persistent group Sandworm. Associated to destructive malware like BlackEnergy and Olympic Destroyer, this group also compromises IoT devices around the world to use it as their infrastructure. In 2018, VPNFilter was one such malware family that affected many routers globally from many different vendors – and consisted of multiple payloads and functions. After the industry sinkholed their domains, many infections were left over that could have been utilized by this group.

However, they chose instead to retool and attack new routers with malware that has been dubbed “Cyclops Blink”. In February 2022 NCSC in the UK published about WatchGuard specific Cyclops Blink attacks, and through our investigation Trend Micro was able to acquire different families of Cyclops Blink samples - one specifically attacking ASUS routers. Analyzing these samples, we were able to emulate an infection and track down and monitor more than 150 C&C servers from the threat actor infrastructure. While businesses around the world are spending time and money to stop attacks, nation state attackers are going after consumer devices to gain footholds for future attacks. How can we expect our parents to defend from being part of the next large scale nation attack if businesses already struggle?

Fernando é Pesquisador de Ameaças na Trend Micro, onde atua como investigador de ciber crime, utilizando engenharia reversa e técnicas de inteligência de ameaças no time de Pesquisa de Ameaças Futuras (FTR). Criador de várias ferramentas livres na área, com frequência apresenta suas pesquisas nos principais eventos de segurança no Brasil e no exterior. É também professor e fundador da Mente Binária, uma instituição de ensino e pesquisa sem fins lucrativos comprometida com o ensino de computação no Brasil.

Eleicoes Transparentes
Gustavo Scotti

Existira' um pais onde o processo das eleicoes publicam todos os logs de todas as urnas para que qualquer pessoa possa apurar os resultados. Partindo desse olhar, quais os requisitos tecnologicos e de seguranca vao garantir que nenhum log seja alterado? Quais os problemas fundamentais das eleicoes? Que problemas existem hoje que possam ser resolvidos com tecnologia existente (block-chain), e quais os problemas que nao tem respostas? O foco da apresentacao e' o debate tecnico. Em nenhum momento irei comparar este cenario hipotetico com as eleicoes do Brasil, nem tampouco irei avaliar se a urna eletronica e' segura ou nao.

Gustavo Scotti (a.k.a. csh) writes secure firmware to security processors at Microsoft. An old-school hacker who wrote a few exploits, hacked PlayStations, secured Xboxes, and broke a few security systems (hardware and software).

Techniques for publishing statistical information without violating individual's privacy according to the LGPD and GPDR
Jeroen van de Graaf

Cada vez mais são coletados dados contendo informações detalhadas sobre indivíduos: das suas pesquisas na internet, telefonemas, localização, saúde, genoma, etc. E cada vez mais esses dados estão sendo usados para análises estatísticas. No entanto, para evitar violações de privacidade, esses dados devem ser protegidos de uma forma ou outra, seja concedendo apenas acesso privilegiado à base de dados, seja modificando ou excluindo dados. Essas técnicas são conhecidas como controle de divulgação estática.

Vários casos proeminentes mostraram que as técnicas mais óbvias, como a anonimização ou a pseudonimização, quase nunca funcionam. Isso foi confirmado num estudo da UFMG sobre a divulgação anual de dados estudantis do MEC/INEP.
Além disso, muitas das técnicas mais sofisticadas (anonimato-k, diversidade-l, proximidade-t) também apresentam várias desvantagens. Isso se deve em parte ao fato de que definir a privacidade corretamente é de facto bastante difícil.

Apresentaremos a intuição por trás da *privacidade diferencial*, uma definição que incorpora quaisquer ataques futuros e, portanto, praticamente a única abordagem bem-sucedida na proteção da privacidade nesse contexto. Em essência, a privacidade diferencial consiste em adicionar sutilmente ruído aos dados, de modo que a privacidade individual seja protegida enquanto a inferência estatística significativa ainda é possível. Um problema aqui é que nem sempre se sabe de antemão qual fato estatístico será considerado interessante.

Claramente é impossível ter privacidade perfeita ("não publique nada") e inferência estatística perfeita ("publique tudo") ao mesmo tempo, então a privacidade diferencial oferece um equilíbrio calibrado entre os dois extremos. De fato, adicionar ruído a dados perfeitos e pristinos pode parecer estúpido, mas é a única maneira de preservar um mínimo de privacidade em um mundo orientado a dados. Desistir da privacidade não é uma opção, portanto escolhas terão que ser feitas. A sociedade precisa se conscientizar desse dilema e discutir os prós e os contras das várias soluções.

ABSTRACT

Increasingly data is collected containing detailed information about individuals: about internet searches, phone calls, location, health, genome, etc. And increasingly such data is being used for statistical analysis.
However, to avoid privacy violations, this data should be protected one way or another, either by conceding only previleged access to the data base, or by modifying or deleting data. These techniques are known as statictical disclosure control.

Several high profile cases have shown that the most obvious techniques, like anonymization or pseudonymization, almost never work. This has been confirmed in UFMG's study of MEC/INEP annual release of student data.
In addition, many of the more sophisticated techniques (k-anonymity, l-diversity, t-proximity) have several drawbacks too. This is in part due to the fact that defining privacy correctly is actually quite difficult.

We will present the intuition behind *differential privacy*, a definition which incorporates any future attacks, and therefore virtually the only approach successful in protecting privacy in this context. In essence, differential privacy consists of subtly adding noise to the data such that individual privacy is protected while meaningful statistical inference still remains possible. A problem here is that it is not always known beforehand which specific statistical fact will be considered interesting.

Clearly it is impossible to have perfect privacy ("publish nothing") and perfect statistical inference ("publish everything") at the same, so differential privacy offers a calibrated trade-off between the two extremes. Indeed, adding noise to perfect, pristine data may seem like a no-brainer, but it is the only way to preserve a minimum of privacy in a data-driven world. Giving up on privacy is not an option, so choices will have to be made. Society needs to become aware of this dilemma and discuss the pros and cons of the various solutions.

I am a cryptographer focussing on the theoretical and the applied aspects of cryptographic protocols. I am particularly interested in unconditional privacy, including topics such as: quantum cryptography; protocols based on noise; authentication based on signal reconciliation; election and mixing protocols; general two- and multi-party computation; privacy-preserving data mining etc. Many of these protocol borrow techniques from information theory and coding theory. I have a Master's in mathematics from the Universiteit van Amsterdam (1985) and a PhD in Informatics from the Université de Montréal (1998). From August 2008 until February 2011 I was an Assistent Professor at the Universidade Federal de Ouro Preto. Since March 2011 I moved to the Universidade Federal de Minas Gerais.

Retbleed: Arbitrary Speculative Code Execution with Return Instructions
Johannes Wikner

Retbleed is the new addition to the family of speculative execution attacks that exploit branch target injection to leak arbitrary information on Intel and AMD CPUs. Unlike its siblings, who trigger harmful branch target speculation by exploiting indirect jumps or calls, Retbleed exploits return instructions with the same outcome. This means a great deal, since it undermines some of our current defenses.

Johannes Wikner is a PhD student at COMSEC, a research group at ETH Zurich that does security research at the lower levels of the computing stack, including the hardware. His research concerns microarchitectural security of closed source commodity hardware, where he makes CPUs misbehave for fun and profit (and for science!).

Browser Exploitation and JIT Compilers
Jorge Buzeti

Browsers são softwares extremamente complexos com duzias de módulos e submódulos com responsabilidades vastas, desde renderização, execução de código, compiladores, JIT e entre outros. Por seu uso vasto e uma superfície de ataque mais vasta ainda, não é de se assustar uma intensa área de pesquisa em cada segmento de funcionamento dos navegadores.

Nessa palestra sera abordado uma introdução a browser exploitation abordando o funcionamento geral de um navegador, a execução de JavaScript, o processo de compilação JIT, os principais tipos de bugs e técnicas e uma visão detalhada da CVE-2021-21220.

Jorge é um jovem de 16 anos apaixonado por hacking, principalmente em áreas de low-level entre programação em C e pwn, trabalha atualmente na ISH como Cyber Security Analyst, é membro fundador da HardDisk(https://harddisk.com.br) e atua em projetos open-source como o brokepkg, rookit para o Linux.

Aprendizado de Maquina em Seguranca
Lourenco A. Pereira

Segurança Cibernética é um elemento essencial para a transformação digital em que vivemos. Percebemos que cada vez mais a complexidade e a integração de sistemas computacionais é alta. Com isso, temos o desafio de entender profundamente as tecnologias para saber lidar com a descoberta e mitigação de ameaças e ações maliciosas que subvertem nossos sistemas. A situação de fragilidade em que estamos fica evidente quando observamos infraestruturas físicas em que sistemas computacionais provocam consequências cinéticas, causando baixas e danos nas mais variadas esferas de valor. Muito embora, o avanço tecnológico tenha proporcionado melhora na comunicação entre as pessoas e também promovido melhores serviços em geral; percebe-se que ainda há muita fragilidade nos sistemas e nos recursos humanos que desenvolvem estes sistemas.

Nesse contexto, é feita uma explanação sobre infraestruturas críticas e sistemas computacionais de modo que podemos estudá-las exaustivamente para caracterizar ataques conhecidos e detectar anomalias na carga de trabalho típica do sistema em análise. Assim,

Aprendizado de Máquina é apresentado como ferramental capaz de auxiliar neste processo pois possibilita uma avaliação em uma escala com ordens de magnitude maior daquela que um ser humano é capaz de lidar.

Doutor (2016) e Mestre (2010) em Ciências de Computação e Matemática Computacional pela Universidade de São Paulo, Bacharel em Ciência da Computação pela Universidade de Alfenas (2006). Atualmente Professor no Instituto Tecnológico de Aeronáutica - ITA nas áreas de Segurança Cibernética e Redes de Computadores. Foco no estudo de sistemas operacionais e implementações de pilhas de protocolos de redes. Atualmente realizando pesquisas em segurança cibernética em infraestruturas críticas que envolvem 5G/6G, Internet das Coisas, Sistemas de Transportes Inteligentes e malwares. Tópicos de interesse: detecção de tráfego malicioso por meio de assinaturas e anomalias para desenvolvimento de nova geração de sistemas de detecção e prevenção de intrução; implementação de mecanismo de proteção (firewall) baseado em zero-trust; enumeração e exploração de firmware em grande escala; exploração de tecnologias de redes veiculares (WAVE e 5G); e orquestração de cadeia de comando e controle de malware. Responsável pelo Laboratório de Comando & Controle e Defesa Cibernética do ITA, onde conduz projetos de científicos e orienta alunos de doutorado, mestrado, e iniciação científica.

Instituto Tecnológico de Aeronáutica
Membro Efetivo da Sociedade Brasileira de Computação e da IEEE

GitHub Actions: Vulnerabilities, Attacks and Counter Measures
Magno Logan

This talk plans to demonstrate how GitHub Actions work and show security measures to protect your Actions from misuse by attackers. First, we'll do a deep dive into the Runners, the servers provided by GitHub to run your Actions, and the risks of using them. Then, we'll show how attackers can leverage these runners to mine cryptocurrencies, pivot into other targets, and more. Lastly, we'll demonstrate how to maliciously distribute backdoors into different repositories via the GitHub Actions Marketplace.

This presentation results from detailed research published earlier this year on the topic where the author investigated abuse case scenarios such as how attackers were leveraging this free service to mine cryptocurrencies on their behalf and behalf of other users, among other attack vectors. We'll also demonstrate how to perform interactive commands to the Runner servers via reverse shell, which are technically not allowed via traditional means. Ultimately, we'll show the problem of third-party dependencies via the GitHub Actions Marketplace. Showing how easy it is to create a fake GitHub Action that, if used unwillingly by other projects, can make their runners act as bots to target other victims and even be used in supply-chain attacks by tampering with the result of the pipeline.

Full research article:
https://research.trendmicro.com/GitHubActions

Follow-up article:
https://www.trendmicro.com/en_us/research/22/g/unpacking-cloud-based-cryptocurrency-miners-that-abuse-github-ac.html

Research repositories:
https://github.com/magnologan/gha-test
https://github.com/magnologan/fake-gha

Magno Logan works as an Information Security Specialist for Trend Micro. He specializes in Cloud, Container, and Application Security Research, Threat Modelling, and DevSecOps. In addition, he has been tapped as a resource speaker for numerous security conferences around the globe.

Breaking Firmware Trust from Pre EFI: Exploiting Early Boot Phases
Matrosov & Ermolov & Vasilenko & Thomas

Vulnerabilities in System Management Mode (SMM) and more general UEFI applications/drivers (DXE) are receiving increased attention from security researchers. Over the last 9 months, the Binarly efiXplorer team disclosed 42 high-impact vulnerabilities related to SMM and DXE firmware components. But newer platforms have significantly increased the runtime mitigations in the UEFI firmware execution environment (including SMM). The new Intel platform firmware runtime mitigations reshaped the attack surface for SMM/DXE with new Intel Hardware Shield technologies applied below-the-OS.

The complexity of the modern platform security features is growing every year. The general security promises of the platform consist of many different layers defining their own security boundaries. Unfortunately, in many cases, these layers may introduce inconsistencies in mitigation technologies and create room for breaking general security promises, allowing for successful attacks.

In this presentation, we will share our work exploring recent changes in the UEFI firmware security runtime using one of the most recent Intel CPUs as an example. The presentation will cover the evolution of firmware mitigations in SMM/DXE on x86-based CPUs and a discussion about the new attacks on Intel Platform Properties Assessment Module (PPAM), which are often used in tandem with Intel SMI Transfer Monitor (STM).

These topics have never been publicly discussed from the offensive security research perspective.

Alex Matrosov is CEO and Founder of Binarly Inc. where he builds an AI-powered platform to protect devices against emerging firmware threats. Alex has more than two decades of experience with reverse engineering, advanced malware analysis, firmware security, and exploitation techniques. He served as Chief Offensive Security Researcher at Nvidia and Intel Security Center of Excellence (SeCoE). Alex is the author of numerous research papers and the bestselling award-winning book Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats. He is a frequently invited speaker at security conferences, such as REcon, Black Hat, Offensivecon, WOOT, DEF CON, and many others. Additionally, he was awarded multiple times by Hex-Rays for his open-source contributions to the research community.

Alex Ermolov leads supply chain and platform security research and development at Binarly Inc. With more than 10 years of experience in researching low-level design, firmware and system software built for various platforms and architectures, he helps to create a solution for protecting devices against firmware threats.

Yegor Vasilenko is an experienced Security Researcher focused on reverse engineering and firmware analysis. Nowadays he enjoys firmware reverse engineering and tools development. Yegor is one of the maintainers of a popular tool called efiXplorer for UEFI firmware reverse engineering and vulnerability research.

Dr. Sam L. Thomas is a security researcher and former academic from the UK. His interests include reverse engineering, malware detection, and static analysis. Before leaving academia, he completed post-docs in France (at CNRS) and the UK (at the University of Birmingham) and was Maître de conférences at CentraleSupélec, France. His PhD thesis focused on devising novel approaches to detect backdoors in embedded device firmware. He has presented his research at numerous internationally renowned academic conferences, including CHES, RAID, ESORICS, and DIMVA. He has also served on the program committees for DIMVA (2019-2022) and WOOT (2019, 2020).

To branch or not to branch: security implications of x86 frontend implementations
Pawel Wieczorkiewicz

In this talk, we discuss a flaw recently discovered in AMD x86 processors of various microarchitectures: Zen1, Zen2 and Zen3, and its role in a speculative execution vulnerability type called straight-line speculation (SLS). We begin with a brief overview of the AMD BPU specification, focusing on its sub-components involved in branch prediction of direct unconditional and conditional branches. Next, we discuss direct conditional branches misprediction and methods to reliably achieve it across privilege boundaries or cross hyper-threads, followed by a discussion of the resulting speculation window and its potential to create exploitable Spectre v1 gadgets. We also demonstrate why Spectre v1 gadgets are not limited to array out-of-bound access and memory access latency related speculation. Next, we present details of a new and surprising vulnerability of some AMD processors: direct unconditional branch SLS (CVE-2021-26341). After a quick introduction to the SLS topic, we analyze the resulting speculation window, cross hyper-threads influence and potential ways of finding and exploiting the unexpected SLS gadgets. Finally, we take a quick survey over proposed mitigations for the vulnerabilities in direct unconditional and conditional branches speculation.

Pawel Wieczorkiewicz is a Security Researcher at Open Source Security Inc., a company developing the state-of-the-art Linux kernel hardening solution known as grsecurity. His research focuses on offensive security aspects of transient and speculative execution vulnerabilities, side-channels, and the effectiveness of defensive mitigations in OSes and hypervisors. Pawel's deep interest in low-level security of software and hardware has resulted in the discovery of a number of vulnerabilities in AMD and Intel processors in addition to the Linux kernel and Xen hypervisor system software.

Desenvolvimento de um servico de email privativo
pirata & belphegor

Essa palestra visa discutir com a comunidade os principais detalhes técnicos (implementação segura de um servidor SMTP minimalista, análise de código, fortificação do ambiente, escolha de tecnologias como linguagens de programação e hardware, etc) e não técnicos (casos de uso, requisitos de segurança e privacidade, etc) por trás da criação de um serviço de e-mail temporário 100% gratuito e de código livre, com foco em privacidade e segurança. Esse é um projeto voluntário que visa prover para a comunidade uma alternativa segura e privativa para obter contas de e-mail, sem a necessidade de se registar, para os mais diversos fins como cadastro em fórums, serviços online, sites, etc.

Por mais que a palestra seja epecífica para o serviço de e-mail em questão, as ideais discutidas podem ser aplicadas a outros projetos de segurança nas mais variadas áreas da computação.

pirata & belphegor are friends and have been working together for more than a decade. They constantly try to find new challenges that have nothing to do with their direct work, as a way to prevent boredom. They can be found in different corners of the underweb criticizing big techs and developing new technologies that could otherwise become startups but instead are provided to the community for free.

Brocando EDR na vida real, um estudo de caso
SWaNk Rafael Salema Marques

Sobrepujar as defesas da rede atacada é uma necessidade para equipes agressoras. Um Endpoint Detection and Response (EDR) dificulta o trabalho do atacante pois busca por ameaças em diversos computadores em tempo real, e reage de forma automatizada com base em diferentes abordagens de detecção. Sendo assim, uma das primeiras tarefas em um engajamento geralmente é neutralizar o EDR da rede alvo. Nessa palestra apresentaremos com detalhes uma metodologia e um estudo de caso real de engajamento cujo objetivo era sobrepujar as defesas do alvo, de forma a executar um ransomware sem que o EDR (líder de mercado) tomasse conhecimento.

Rafael Salema Marques (SWaNk) tende a se definir como um entusiasta do malware. Suas principais habilidades estão ligadas à análise de malwares, engenharia reversa e desenvolvimento de novas técnicas e códigos maliciosos necessários para penetrar as defesas das redes auditadas provendo apoio às tarefas da equipe agressora do Red Team que lidera. É mestre em Defesa Cibernética pelo Instituto Tecnológico de Aéronáutica (ITA) e doutorando na Universidade de Wolverhampton (Reino Unido), onde atualmente desenvolve pesquisas inovadoras com foco em detecção de ameaças.

Cinema Time!
Tarakanov & Labunets

Media parsing is known as one of the weakest components of every consumer system. It often operates complex data structures in the most performant way possible, which is at odds with security requirements, such as attack surface minimization, compartmentalization, and privilege separation. Compared to other operating systems, video decoding on MacOS/iOS is an interesting case for two different reasons. First, instead of running in usermode, a considerable portion of format parsing is implemented in a kernel extension called AppleAVD, exposing the kernel to additional remote attack vectors. Second, recent anonymous reports suggest that AppleAVD may have been exploited in the wild. Our talk investigates AppleAVD kernel extension in-depth, covering video decoding subsystem internals, analysis of vulnerabilities, and ways to exploit them.

Nikita Tarakanov is an independnet security researcher. He has worked as a security researcher in Positive Technologies, Vupen Security, Intel Corporation and Huawei. He likes writing exploits, especially for OS kernels. He won the PHDays Hack2Own contets in 2011 and 2012. He has published a few papers about kernel mode drivers and their exploitation. He is currently engaged in reverse engineering research and vulnerability search automation.

Andrey Labunets is a security researcher with more than a decated of experience in vulnerability resarch and reverse engineering.

ORGANIZAÇÃO

PATROCINADORES PLATINUM

PATROCINADORES GOLD

PATROCINADORES SILVER

HACKING

APOIO