Joe FitzPatrick - Technical Keynote
Making the most of your Hard(ware) work
It's true. Hardware is hard, and the cards are stacked against it. Longer dev cycles, fewer iterations, tangible costs and a nonzero risk of bricking stuff make software look warm and fuzzy by comparison. On the flip side, a little bit of hardware goes a long way. Due to ignorance or laziness, it often catches the blind eye, which makes for some surprisingly vulnerable entry points to a system. I'll start by showing off a few simple tricks (including a couple of new ones) that depend on electrical, logical, and physical access to a system that might seem trivial, insignificant, or out of scope - but then we'll take a look at several scenarios where we could chain those tricks and escalate to full-blown system pwnage. I'll then pick apart each scenario to see what we can learn from a strategy perspective - how we make the most of a little hardware know-how, and how we can leverage simple hardware solutions to hard software problems - as well as how we can measurably harden a system against basic hardware attacks with just a little effort. Hopefully you'll come away realizing that hardware isn't always as hard as it seems, so both attacking with and defending against it are not only feasible, but essential.
Bio: Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has spent over a decade working on low-level silicon debug, security validation, and penetration testing of CPUs, SoCs, and microcontrollers. He has spent the past 5 years developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers and hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.
Peter Gutmann - Technical Keynote
Cyberwar before there was Cyber: Hacking WWII Electronic Bomb Fuses
While the Allies went to war with mechanical and chemical bomb fuses whose origins dated back to the 19th century, Germany put a large amount of effort in the 1920s and 1930s into designing and fielding high-tech electronic fuses, which were far more reliable and versatile than standard chemical and mechanical ones. This led to an ongoing arms race that lasted throughout most of the war, with Allied bomb disposers coming up with increasingly ingenious ways of hacking the fuses and German armourers countering with ever-more-fiendish fuse designs. "Cyberwar before there was Cyber: Hacking WWII Electronic Bomb Fuses" covers the details of the contest between the attackers and defenders.
Bio: Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. He helped write the popular PGP encryption package, has authored a number of papers and RFCs on security and encryption, and is the author of the open source cryptlib security toolkit, "Cryptographic Security Architecture: Design and Verification" (Springer, 2003), and an upcoming book on security engineering. In his spare time he pokes holes in whatever security systems and mechanisms catch his attention and grumbles about the lack of consideration of human factors in designing security systems.
"Program analysis for reverse engineers: from T to ⊥"
"unrubby: reversing bytecode for the lazy"
"Secure Corroding with Rust"
"seL4 & Family: Fast, Trustworthy, Cheap, Deployed"
"It's a UNIX System - Intel ME, JTAG and FOSS BIOSes"
"BSides Entertainment System - Wearable gaming but your princess is in another castle"
"Contactless Access Control 2: Life, uh, finds a way"
"How much can commodity hardware help on closing microarchitecture timing channels?"
"Spectre and Meltdown: Speculative Execution Considered Harmful"
"Microarchitectural attacks: reflecting on 45 years of research since 'A note on the confinement problem'"
Social, OSINT & Locksport
"Freedom of Information - Hacking the Human Black Box"
"Operation Luigi: How I hacked my friend without her noticing"
"Low-Tech Answers to High Security Locks - Keying the Lockwood V7"
"The Count's A-to-Z of Windows Privilege Escalation"
"AWS Serverless Exploitation Public Attack Vectors"
"Get-GPTrashFire: Identifying and Abusing Vulnerable Configurations in MS AD Group Policy"
"Zero clients in the enterprise - Skating on THIN ice"
"A Wolf Among the Crowd"
"Hacking Deterministic Bitcoin Addresses"
"Demystifying SharePoint Security"
"Just because it works doesn't mean it's not broken"
Program analysis for reverse engineers: from T to ⊥
Program analysis is about developing tools and techniques to automatically reason about other programs. It has been an active research area for decades, and as a reverse engineer you probably use tools that do some sort of program analysis all the time - whether it's generating a control flow graph in IDA Pro or monitoring the execution of malware in Cuckoo Sandbox. This talk will focus on some of the more "academic" program analysis techniques, and how we can apply them to reverse engineering. We'll throw away most of the dense mathematical notation in favour of practical applications of techniques such as abstract interpretation, automated theorem proving and symbolic execution. The aim is to make a dense research field accessible to all!
Bio: Adrian is a research engineer with the Australian Defence Science and Technology (DST) Group and a visiting researcher at the Australian National University (ANU). His interests are in reverse engineering, program analysis and software security. For the last three years he has focused on applying program analysis techniques to reverse engineering problems. He spent the last year at the École polytechnique fédérale de Lausanne (EPFL) in Switzerland, where he worked on the latest release of the S2E symbolic execution engine (http://s2e.systems). He continues to maintain and improve S2E.
unrubby: reversing bytecode for the lazy
richö butts
Obfuscating code is typically the domain of native code, or at least statically dispatched bytecode VMs. Despite this, the rise of SaaS companies, combined with the existing enterprise market, is producing increased interest in attempts to obfuscate more dynamic, higher-level languages. Presented will be a tool called unrubby, which uses a novel technique to generally defeat all obfuscation engines currently on the market. Instead of analyzing the obfuscated source, we abuse the dynamism of the containing VM to insert our instrumentation after the loader has run. Furthermore, by instrumenting runtime behaviour of the VM itself, attempts to obfuscate the resulting bytecode can be largely overcome without paying much heed to the techniques used, providing significant durability against upstream development, and excellent coverage on black box targets. While the implementation presented is targeted toward MRI, the gold standard Ruby interpreter, the techniques are applicable to all languages with a dynamic bytecode VM.
Bio: richö is one of them security jerks. He used to live in 'straya but then he sold out and moved to the US of A. If we're to be honest he spends the bulk of his time testing gravity still works so you don't have to - but he also works on mitigations and stuff at Stripe where they pay him to push the buttons on computers, and in his spare time he's been known to poke around inside bytecode VMs, move data about with noises, and debug processes.
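As an added illustration of the approach the abstract describes (hook the VM after the loader has run instead of analysing the obfuscated source), here is a small Ruby example. It is not unrubby's code; the Base64 "obfuscation", the Vault module and its token method are constructed stand-ins for a real obfuscator's output. The example relies on two stock MRI facilities: the :script_compiled TracePoint event, which hands over every InstructionSequence the VM compiles from eval, require or load, and RubyVM::InstructionSequence.of, which retrieves the bytecode of a method that is already defined in the live VM.

```ruby
require "base64"

# Constructed stand-in for a vendor obfuscator: the real source only exists
# inside eval at load time. (Demo payload, not any product's real output.)
OBFUSCATED_BLOB = Base64.strict_encode64(<<~'RUBY')
  module Vault
    def self.token
      "hunter2-" + (6 * 7).to_s
    end
  end
RUBY

# What a protected application's loader does: decode and eval.
def load_obfuscated(blob)
  eval(Base64.strict_decode64(blob), TOPLEVEL_BINDING)
end

# Instrument the VM rather than the source: :script_compiled fires for every
# eval/require/load, and the event carries the compiled InstructionSequence.
def capture_compiled_iseqs
  captured = []
  tp = TracePoint.new(:script_compiled) { |t| captured << t.instruction_sequence }
  tp.enable { yield }
  captured
end

# Recover bytecode two ways: everything compiled while the loader ran, and the
# iseq of one specific method pulled from the VM after it has been defined.
def recover_bytecode
  loader_iseqs = capture_compiled_iseqs { load_obfuscated(OBFUSCATED_BLOB) }
  method_iseq  = RubyVM::InstructionSequence.of(Vault.method(:token))
  {
    loader_disasm: loader_iseqs.map(&:disasm).join("\n"),
    method_disasm: method_iseq.disasm,
    value: Vault.token,
  }
end

if __FILE__ == $PROGRAM_NAME
  result = recover_bytecode
  # The string operand "hunter2-" is plainly visible in the recovered bytecode,
  # even though it never appeared in the loaded source.
  puts result[:method_disasm]
end
```

Nothing here depends on how the blob was encoded: swap Base64 for any packer that ends in eval and the same hooks still see the compiled instruction sequences, which is the durability the abstract refers to.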
Contain Yourself!
Zemmi
Contain Yourself! is a talk about some of the hard lessons I've learned running Docker and Kubernetes in production. In this talk I'll be taking you on a wild ride, showing you how to exploit "standard configurations" for fun and how to mitigate these features for profit.
Bio: Eliza is a recovering Systems Administrator now working as a Security Engineer for a little software company based out of Melbourne working on the next big thing™
It's a UNIX System - Intel ME, JTAG and FOSS BIOSes
James "ec0" Hebden
In this talk I will explain the current threats to security and freedom presented by the various processor management engines (Intel ME, AMD PSP), their security footprint, and steps that can be taken to mitigate them. I will include a complete breakdown of where the ME and BIOS fit into hardware initialisation and how they interact with the host operating system and host CPU, including memory access and control potential. I will also include a practical demonstration of building and installing coreboot, and discuss free BIOS/UEFI payloads and implementations, including secured boot processes such as Heads and the tools required, as part of demonstrating what can be done to reduce the risk posed to your computing by these technologies. I'll also discuss the newly discovered JTAG interface which allows dumping and inspection of the ME via USB on the host, and what it means for ME and host security. I will also have with me the tools needed for flashing compatible laptops and will bring them to the HHV. I'm probably going to try to convince you to run Linux on your machine, too.
Bio: Voider of warranties, old hardware and FOSS enthusiast.
BSides Entertainment System - Wearable gaming but your princess is in another castle
Peter
Just before Christmas 1995, mum purchased a Nintendo Entertainment System and asked "how long should I let them play?" to which the answer was "let them use it as much as they want, they will get sick of it". She is still waiting for that day. In a never-ending quest to make things work where they shouldn't, the BSides NES emulator was born. Come with me across the Mushroom Kingdom to find hardware power-ups and software pitfalls in a quest to build a device fit for a princess. Topics covered will include Arduino IDE, C/C++, MVC design, NES internals, emulator basics, SPI, NodeMCU, graphics and hardware optimisations.
Bio: Peter is a secure software developer for the Australian Department of Defence where he spends his time writing software applications for critical systems. Outside of work he enjoys making devices do things they shouldn't and then never using them. Peter has previously worked as a software engineer for Robert Bosch and Thales Australia.
Low-Tech Answers to High Security Locks - Keying the Lockwood V7
Oliver Clayton
The Lockwood V7 is a well-known high-security lock. The interesting pin setup coupled with the restricted keyway makes creating keys for the V7 a challenge. Learn how to create your own keys from easily accessible tools and materials.
Bio: Oliver is a Security Analyst and locksport enthusiast. He has a particular interest in the mechanics behind high security locks and the different ways you can bypass them.
Freedom of Information - Hacking the Human Black Box
Elliott Brink
FOIA (the Freedom of Information Act in the USA; FOI, Freedom of Information, in Australia) refers to government initiatives that permit the public to request information on various government records. In practice, these acts enable transparency of the operations of government to the masses with relative ease. For the past couple of years I've been hacking this human black box in order to determine the boundaries/limitations of what could be considered potentially malicious requests. I have been performing various technology-focused FOI requests in an attempt to answer one simple question: can you utilise freedom of information to enumerate technical information from government agencies? Do you ever wonder if a government employee would provide you with such information if you asked really, really nicely? Let's find out together! Together we will study case studies of actual FOI requests performed on Australian and USA-based government institutions and (some of) the data revealed. Attendees will gain practical knowledge about: what FOI is, the caveats of FOI, how you can utilise FOI on red team engagements and other open source intelligence gathering activities and finally (for the gov employees) how to monitor for and prevent such attacks against your institution.
Bio: Elliott Brink (Twitter: @ebrinkster) is an information security consultant based out of Melbourne, Australia. He specialises in internal/external pentesting, security architecture and social engineering. He loves computer history, tracking bad guys, honeypots, sparkling shiraz, an expertly crafted bloody mary, and traveling the globe.
Operation Luigi: How I hacked my friend without her noticing
"Alex"
Yep, so I asked my friend if I could hack her and she said yes. This is about what worked, what went wrong, all the flubs I made, the critical business services of LinkedIn, and how to not suffer the same fate as her. Also Mario's green brother is there, and then that part takes a sinister turn.
Bio: Alex is your best pal, a five-time celebrity MasterChef winner, and your sweet mango boy. He fell off the back of a gently glowing ute 17 years ago, and now /haunts the Earth/. Critics have called him "aggressively wonky". He works on the Blue Team at Atlassian, doing incident detection and response. In his "spare" "time" he blogs at https://mango.pdf.zone.
The Count's A-to-Z of Windows Privilege Escalation
Lukasz Gogolkiewicz
This talk is a humorous view into the art of escalating one's privileges within a Windows environment. Lukasz plans to run through the alphabet, and match a Windows privilege escalation technique to be used offensively with each letter (there are so, so many). The idea behind this talk is to highlight the many ways one can escalate within a Windows environment, from Low to High, not from High to Higher.
Bio: Lukasz is a Managing Consultant with Alcorn Group, a Brisbane based company that provides security assurance services. Lukasz has been testing pens for a while now, working both in Australia and abroad, testing many, many pens.
How much can commodity hardware help on closing microarchitecture timing channels?
Qian Ge
We investigate how different categories of microarchitectural state on recent ARM and x86 processors can be used for covert timing channels and how effective architecture-provided mechanisms are in closing them. We find that in recent Intel processors there is no effective way of sanitising the state of the branch prediction unit and that, contrary to often-held belief, flushing the translation lookaside buffer on Intel processors does nothing to mitigate attacks based on this component. We further show that in both ARM and x86 architectures flushing all the hardware caches is not effective in closing cache-based timing channels. The implication of this is that resetting the microarchitectural state is basically impossible with the operations provided on commodity hardware.
Bio: Qian Ge is a fourth-year PhD student who is working on eliminating timing side channels from seL4 with lightweight countermeasures. Qian is supervised by Prof. Gernot Heiser and Assoc. Prof. Kevin Elphinstone. My main research interests are in operating systems. Currently, the main theme of my research is inventing highly optimised operating system mechanisms for managing system resources. In particular, I am working on offering flexible kernel mechanisms to deploy information flow policies for enforcing temporal isolation. For example, I am investigating mechanisms for cloning kernel window mappings in order to mitigate the hidden information flow through a shared kernel image. I implement research prototypes on the seL4 microkernel and the Linux kernel.
seL4 & Family: Fast, Trustworthy, Cheap, Deployed
Ihor Kuz
Since the breakthrough of the world's first formally verified OS kernel in 2009, seL4 has been extended with new features, ported to new platforms, embedded with high-assurance user-level software, and demonstrated to protect against cyber attacks in unmanned helicopters, robots, autonomous trucks… In this talk we will give an overview of the latest achievements in making verified software a reality in real-world deployed systems and of the progress towards the remaining challenges in making verified software mainstream.
Bio: Ihor has spent a lifetime playing with and programming computers and is now a principal research engineer at Data61/CSIRO working on microkernel-based operating systems and high-assurance software. He is part of the team responsible for seL4 - the formally verified operating system kernel. He is also a senior lecturer at UNSW, teaching distributed systems and supervising amazing students.
When not at the computer Ihor likes to spend time outdoors doing activities that could lead to bruises and broken bones, but is smart enough to (usually) avoid those results.
Spectre and Meltdown: Speculative Execution Considered Harmful
Yuval Yarom
Spectre and Meltdown are two recently disclosed attacks that exploit a vulnerability in speculative execution, a processor design feature that aims at improving processor utilisation. Due to the widespread use of speculative execution, most modern processors, and, by extension, most computing devices are vulnerable to the attacks. This talk provides an introduction to the Spectre and Meltdown attacks, describes how they work and reviews suggested mitigation strategies.
Bio: Yuval is a Senior Lecturer at the University of Adelaide. His interests are in computer security and in cryptography, with a focus on microarchitectural attacks.
Secure Corroding with Rust
Cameron Ford
We all want to make our programs more secure, and thankfully we have things to help us like static code analysis and coding standards. But what if you wanted to make a programming language more secure? That's one of the questions that motivated the development of the Rust programming language. Rust is a systems programming language with 3 goals: safety, speed and concurrency. This talk will look at 3 common bug classes (buffer overflows, use after free and data races), explore how they occur in code and then examine how Rust tries to contain or even prevent these bugs in its programs.
Bio: Cameron is enthusiastic about security and software development. As a day job this means leading a team developing tools to make red teaming faster and more reliable. In his own time Cameron can be found deving on other interesting problems that have caught his attention.
AWS Serverless Exploitation Public Attack Vectors
Matt Flannery
Functions-as-a-Service (FaaS) is an emerging application architecture quickly replacing traditional monolithic application architecture. Applications are moving towards microservices / Service Oriented Architecture (SOA), which has presented an entirely new set of problems, on which education is sparse. During the talk, Matthew will demonstrate how functions implemented within AWS Lambda can be used to exfiltrate sensitive customer data in the absence of best security practices, which are unfortunately often neglected due to suggested default policies and application architecture experience. Some of the examples included will be:
- Common enumeration/recon paths for identifying a FaaS-based architected application
- Exploitation vectors within the newly identified application
- Realistic exploitation attack vectors
- Methodologies for exfiltration of sensitive data, regardless of the security controls following best practices you may have implemented