CanSecWest 2024
Presentations
From March 20 to 22
Armored Witness: Building a Trusted Notary for Bare Metal.
We are building an Open Source https://transparency.dev/ witness, in collaboration with Google. This project entailed creating new hardware (USB armory LAN with PoE) software (Trusted OS and Applet) leveraging on TamaGo and GoTEE frameworks. This presentation aims to discuss the journey of this project, achievements (such as bare metal Go IRQ handlers…in space!) and results.
Electric Vehicle Chargers: Observations from Pwn2Own Automotive 2024
This presentation will discuss the architectures employed by six electric vehicle chargers targeted by contestants in the inaugural Pwn2Own Automotive competition in Tokyo, Japan in January 2024. We will discuss the charger hardware, firmware, and software, and the relevant attack surfaces discovered by Trend Micro researchers during the months-long preparation for the competition. We will also discuss vulnerability classes that were exploited during Pwn2Own Automotive 2024 and the current state of automotive EV charger security. We will look at the potential impacts of EV (Electric Vehicle) charger vulnerabilities, which could include impacts to the electric vehicles, the chargers, or to the electric grid itself.
The Cat is Out of the Bag: Regulating AI in Canada
The Artificial Intelligence and Data Act (Bill C-27) is in the first reading stage in Parliament. The legislation purports to regulate AI as part of sweeping reforms related to technology in Canada. Will this regulation change the application of AI to cybersecurity? Are there loopholes? Is it too early for regulation? Will regulation go too far or not far enough?
How we attempt to regulate AI tells us much about how we view emerging technologies from both philosophical and practical perspectives. I’ll review the legal landscape of AI in Canada and discuss our attempts to regulate emerging technologies in the broader social and political context of who we are and where we’re going.
Developing Secure Software in 2024
As humanity increases its dependence on computer systems, the need for safe and secure software becomes paramount. Today, everything from planes, trains, and automobiles to toothbrushes and cooktops contain a multitude of tiny computers. Each of these systems, in turn, contain software written to tell these computers how to do their jobs and connect them with other computers. Security problems in these systems, while context dependent, have led to consequences ranging from minor annoyance to loss of human life.
During this presentation, the speaker will discuss problems that erode our trust in computers and propose solutions that can lead to a better future. Trust suffers due to problems that arise from within both the software development and computer security industries. If humanity hopes to achieve a better future, we will need to learn from our collective mistakes and invest in not repeating them. Luckily, modern tools and techniques can help us get there. Just a few key shifts in our approach can make a world of difference.
The DL on LLM Code Analysis
Welcome to the New World Order, the Age of Artificial Intelligence, the unavoidable evolution of technology that is here to assimilate human knowledge in its natural language form! You've parleyed with the perceptrons, you've dreamed deeply with dall-e, but how do we harness this emerging capability to perform security analysis tasks such as looking for vulnerabilities and malware in source or binaries? In this hour I will give you the down low download of deep learning applications for code analysis!
Fuzzing at Mach Speed: Uncovering IPC Vulnerabilities on MacOS/iOS
This research presents an in-depth investigation of MacOS Inter-Process Communication (IPC) security, with a focus on Mach message handlers. It explores how Mach message handlers are utilized to execute privileged RPC-like functions and how this introduces vectors for sandbox escapes and privilege escalations. This involves a detailed examination of MacOS internals, particularly the calling and processing of Mach messages, their data formats, and statefulness. The core of the study is the development and application of a custom fuzzing harness targeting these identified IPC function handlers. The fuzzing process, aimed at inducing crashes indicative of memory corruption vulnerabilities, is discussed in detail. Several generated crashes will be discussed, one of which may be exploitable to obtain remote code execution. The research culminates in the open-sourcing of a bespoke Mach message corpus generation script and custom fuzzing harness, contributing to the broader cybersecurity community and laying groundwork for future exploration in this area.
Applying Physical Discipline to Cybersecurity Challenges
Cybersecurity has failed to learn from the physical world. More and more attacks have real world consequences including shutting down pipelines and casinos. This talk explains how Failure Mode and Effects Analysis (FMEA), which is a disciplined method to design reliable and robust systems and processes, can be applied to cybersecurity. FMEA compliments and goes beyond threat modeling and attack graphs by incorporating the probability of detection into the risk equation.
As professionals, we were taught to calculate risk as probability times impact. While this was good for a start, we now have expensive detection systems that need to be included in the risk equation. Luckily, FMEA already includes detection so we can leverage something that has been around since WWII.
Both attackers and defenders will benefit from analyzing the probability that an attack is detected.
The Pool Party You Will Never Forget: New Process Injection Techniques Using Windows Thread Pools
In this talk, we will delve into the internals of the Windows user-mode thread pool, a component that seems to have been overlooked by security researchers in the past. Our exploration begins with an introduction to the thread pool architecture, its work item queuing mechanism, and the execution process managed by the scheduler.
Moving forward, we will uncover how an attacker can take over the thread pool, being able to insert any type of work item into any process on the system.
We will unveil the "PoolParty" tool for the first time, a collection of new and fully undetectable process injection techniques that leverage the Windows user-mode thread pool.
Concluding our presentation, we will demonstrate how by utilizing "PoolParty" attacks we bypass additional detection mechanisms such as ransomware and credential dumping detections.
Successfully Fuzzing High Value Targets with Low tech Strategies
In our talk we present our approach to apply low-tech fuzzing to pursue bug finding in high profile software products. For example well-chosen corpus computed ahead of time can be as powerful as collecting coverage data while fuzzing. Also threshold information such as meta-data tipping points can allow to fine tune bug hunting campaigns. Which means the applied techniques can be supplemental, and by replacing one with the other, bugs would still be found, while aiming for simplicity in the harness setup.
Rolling in the Dough: How Microsoft Identified and Remediated a Baker’s Dozen of Security Threats in the Windows DNS Server
This talk is a collaboration between the team who identified several vulnerabilities in the Windows DNS Server and the team who fixed them. As a security researcher in the Microsoft Security Response Center, George will discuss the motivations behind exploring this attack surface, the prior research that inspired this work, and the significance of this attack surface for future researchers.
Rooting Android Devices in One Shot: Simple Bug, Complex Exploit (incl. Memory Tagging Extension)
In the past few years, the kernel attack surfaces that can be accessed by untrusted applications have been significantly reduced. And nowadays it becomes more and more difficult to hunt the bugs of high quality. With more and more hardware and software mitigations, it's common to label bugs of low quality as unexploitable bugs. From my own perspective, advanced exploitation techniques can significantly improve the exploitability of low-quality bugs. In this talk, I will first analyze a low-quality bug fixed last year. Back in 2015, there's no doubt that it's exploitable. But now the mitigations can hinder the exploitation directly. To exploit the bug, I will detail the idea of partially bypassing the KASLR mitigation and introduce a practical method to predict the addresses of attacker-controlled kernel objects. Then, I will detail how to gain the arbitrary physical memory Read/Write ability in one shot. Last but not least, since the affected devices are shipped with custom mitigations, I will also detail how to bypass them and gain the root privilege. During the presentation, I will give the exploit demos of rooting the affected Android devices.
Death by a Thousand Cuts: Compromising Automotive Systems via Vulnerability Chains
In recent years, with the continuous development of electic vehicles (EV), intelligent networking and traditional auto manufacturing have collided intensely, blurring the boundary between cyber security and physical security. In the past, many attacks against cars focused on car keys, but nowadays, are cars adequate to deal with attacks from the internet? In this presentation, our goal is to hack an EV without physical contact. We will introduce our team's black box security testing on several EV models, starting from a situation where we had no debugging access, to finally chaining multiple vulnerabilities together into exploit chains for stealing the vehicle through an attack.
Glitching in 3D: Low Cost EMFI Attacks
This talk describes utilizing open-source tools to perform an EMFI attack on an STM32F4 microcontroller, allowing for a full RDP (read-out-protection) bypass via a targeted EMP. This research will release the open-source tooling used to instrument a generic 3D printer and examples of how we integrated it into the workflow utilizing the ChipWhisperer Husky and PicoEMP.
There will be Bugs: Exploiting Basebands in Radio Layer Two
Baseband exploitation in public originally focused on message decoding bugs in layer 3 (NAS and RRC) and more recently in layer 4 (traffic over IP). In this presentation we uncover a new area of exploration for remote baseband exploitation in layer 2. In the past, this part of cellular specifications has been overlooked due to its function and packet size limitations. However, a deeper dive uncovers possibilities that show up in both old and new standards. Importantly, this is a layer that is below the ciphering applied to cellular communications, providing an attack surface reachable not only with fake base stations but with direct MITM-ing of legitimate cell tower communications too. The presentation will describe the chain of vulnerabilities we have found and explain how to exploit them for remote code execution in the baseband of flagship Samsung smartphones.
URB Excalibur: The New VMware All-Platform VM Escapes
Virtual machine escape has always been a challenging task for hackers. VMware's hypervisor, as a popular closed-source commercial hypervisor, presents even greater difficulty in vulnerability discovery and exploitation. With each security update and the patching of old exploits, how can we find new vulnerabilities and write exploits to complete virtual machine escape? This talk will first systematically introduce the current architecture and attack surfaces of VMware's hypervisor. We will then analyze the changes that have occurred in recent years, as well as the relevant security patches and mitigations. Our new research focuses on the virtual USB controller, which is one of the main attack surfaces of hypervisor. A computer that can be used normally needs USB interfaces and related USB devices. Virtual machines also require USB, so there is a natural risk of security vulnerabilities when communicating with the virtual USB controller. We will, for the first time, systematically introduce VMware's virtual USB 2.0 controller (EHCI). Compared to QEMU's, it is more complex and interesting. URB (USB Request Block) is an object used to transmit USB packets in VMware's hypervisor. Our research will be the first to reveal its powerful role and huge security risks in virtual machine escape exploitation. In this talk, we will detail the structure, function, and lifecycle of URB and related important objects.
Malice in Chains: Supply Chain Attacks using Machine Learning Models
This past year marked a rapid acceleration in the adoption of artificial intelligence. As AI-based solutions have started to dominate the market, a new cyber attack vector opened up taking CISOs by surprise: the exploitation of the underlying machine-learning models. These models are often treated as black boxes that process the input data and compute the output, communicating with users through an API/UI while their internals are hidden away. However, it is crucial to understand that these models are essentially code - and as such, can be manipulated in unexpected and potentially malicious ways.