Presentations for CanSecWest 2022
KEYNOTE: Is the Future of AppSec Human?
Do you want to know how to build a top-ranked competitive security team? Learn our proven system for building an elite team of hackers that we've maintained for over a decade. It's surprisingly easy, but not what you'd think.
KEYNOTE: A Brief and Mostly Incorrect History of Fully-Remote Mobile Vulnerabilities
In recent years, the threat of fully-remote vulnerabilities to mobile devices has become increasingly apparent. But are they really a new phenomenon?
The printer goes brrrr
This talk will present how we compromised a Canon printer, during the Pwn2Own 2021 - Austin Edition. We will cover the whole process of compromising the device, going from firmware extraction to shellcode execution.
Defeating Stack Canaries and Memory Safety with Speculative Execution
In this talk, we present a sub-class of transient execution attacks that we call SPEAR. This sub-class enables an attacker to repurpose memory corruption primitives that cannot be used in the context of traditional exploitation to achieve arbitrary memory read. In our talk, we discuss how SPEAR changes the game in three main use-cases: control flow integrity (CFI), memory-safe languages and stack smashing protectors (SSP).
Launching EMUX - A framework for emulating ARM and MIPS IoT Devices
This presentation will cover the following:
EMUX internals and architecture
How to add new CPU architectures to EMUX (beyond ARM and MIPS)
Challenges in emulation
Live demo: Extracting firmware from SPI flash and emulating an entire IoT device in EMUX
Matryoshka Trap: Recursive MMIO Flaws Lead to VM Escape [Presented Remotely]
In this talk, we will present our security research on QEMU/KVM, a hypervisor widely used in cloud computing, and analyze the root cause and common consequences of recursive MMIO, thus disclosing a new attack surface.
Exploiting Relational and Non-Relational Java Databases [Presented Remotely]
Step 1: Learn about Java Databases, Relational and Non-Relational
Step 2:
a.) Exploit Diverse Relational Databases
b.) Exploit Diverse Non-Relational Databases
Step 3: PWN!
Kubernetes Attack and Defense: Break Out and Escalate!
Container break-out seems inevitable. Once outside of a container, an attacker can escalate privilege and possibly end up owning the entire cluster. As attackers, how do we break out of the container and then how do we escalate privilege? As defenders, how do we reduce the odds of a container break-out, while reducing its blast radius? In this demo-heavy presentation, we'll answer these questions, demonstrating attacks and defenses that you can take back and repeat on your own clusters.
Thanks for Leaving the Lights On
This talk is a discussion about low-level remote management systems and protocols: how, even with the best security on our systems and inside our VMs, out-of-band management interfaces often remain unprotected, unpatched, and unmonitored, all while in some cases being connected directly to the Internet. EDR does nothing if a threat actor can re-initialize the RAID array your VMs are stored on.
When eBPF meets TLS!
Currently a work in progress that will be extended for the final version, this submission aims at demystifying the eBPF technology for the security community. While eBPF is already well-known in cloud environments (for example, process visibility and programmable network flows), there has been little experimentation with its use as a building block of security-focused tools.
Talk To Your Doctor About If Protocols Are Right For You: Vulnerabilities in HL7 Protocols
This talk will review both the historical and technical aspects of two HL7 protocols, HL7v2 and FHIR, in depth.
FirmWire: Taking Baseband Security Analysis to the Next Level
This talk will provide an introduction to FirmWire, our open-source emulation platform for cellular baseband images. The platform allows researchers to dynamically debug, introspect, and interact with complex baseband firmware, providing insights about its inner workings in real-time.
Bad ALAC: One codec to hack the whole world
We have discovered serious vulnerabilities in the open-source ALAC codec that many third-party vendors have inherited into their projects. Looking for a way to hack a mobile phone or a PC remotely? We know one way…
Project TEMPA - Demystifying Tesla's Bluetooth Passive Entry System
The security of Tesla's cars has been a hot topic in recent months. In addition to being one of the safest cars on the road, it is also well-protected from hacks and attacks. But how does Tesla make sure their vehicles are safe and secure?
This case study sheds light on the inner workings of Tesla's Passive Entry System and core VCSEC protocol, and reveals possible attack vectors.
Bypassing Falco: Cluster Compromise without Tripping the SOC
In this talk I will present my research on various techniques to silently bypass the default Falco ruleset (based on v0.30.0). I will demonstrate nine different classes of bypasses, seven of which are novel and have never been presented before.
Securing the 3rd Party Software Life Cycle
Supply chain attacks have been on the rise in the past two years and are proving to be common and reliable attack vectors that affect all consumers of software. In this talk we are going to present our proposed solution, Securing the 3rd Party Software Life Cycle: an end-to-end framework for ensuring the security of third-party software throughout its lifecycle.
Mystique Hits: Vulnerability Chain that breaks the Android Application Sandbox
Mystique Hits: Vulnerability Chain that breaks the Android Application Sandbox by the Dawn Security Group