About
SPEAKERS
Brief biography
Eloi works as a Security Researcher at Blue Frost Security, where he focuses on vulnerability research and exploitation on Android platforms.
In the past, he spent 9 years performing security evaluations of smart cards and embedded systems. This included analysis from the silicon layer up to the software layer. During this period, he gained experience in auditing the hardware and software side of Trusted Execution Environments.
Abstract
We first provide a small introduction to what TEEs are and how TrustZone is used to support a TEE. We follow up with introducing the Kinibi OS and explaining how to start reversing and bug hunting on Kinibi TAs and TDs.
Next, we focus on three types of vulnerabilities. Finally, we look into post-exploitation opportunities after compromising a Trusted Application. For this we present the API between TAs and TDs and zoom into how we exploited SVE-2018-12881 to compromise the Linux kernel and the RKP hypervisor.
Brief biography
Maor Shwartz
Abstract
Selling 0-days is a fascinating process that not a lot of people are familiar with.
In my presentation I will try to answer the following questions from 3 different angles (researcher / broker / client).
Who (researcher profile) is selling 0-days to governments / offensive security companies?
What is the process of selling 0-days?
How to sell 0-days?
At the end of my presentation, I will give a few tips for researchers that want to sell 0-days to offensive security companies/governments.
Brief biography
Marco Grassi (@marcograss) is currently a Senior Security Researcher at the KeenLab of Tencent (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo for Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team who won the title of "Master Of Pwn" at Pwn2Own 2016. He found a VMWare escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi bug at Mobile Pwn2Own 2017, where the team was awarded "Master Of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.
Kira (Xingyu Chen) is a senior student at Zhejiang University and an intern at Tencent KeenLab. He has many interests in the security field, virtualization in particular. He plays CTF with team AAA (sometimes A*0*E), which participated in DEF CON 25 & 26. He has made a VirtualBox escape (together with Marco Grassi) and a QEMU escape.
Abstract
In our talk we will first give you an overview of the virtualization solutions and their attack surface.
Then we will switch to VirtualBox, explaining the architecture and attack surface, and showing a VM escape.
After that we will focus on QEMU, discussing a VM escape from QEMU, both the bug and the exploitation.
Brief biography
Park Jinbum has been working at Samsung Research, Security Team. He focuses on developing security solutions and writing academic papers on system security, in particular kernel security, side-channel attacks and defenses, and hardware-assisted secure platforms such as TrustZone and hypervisors. He also enjoys spending time on new and novel methods for finding and exploiting vulnerabilities.
Abstract
If an attacker wants to construct a full exploit chain against the Linux kernel, he first has to find a way to bypass KASLR.
One way to bypass it is an information leak caused by carefully exploiting an uninitialized-use vulnerability.
In this presentation, I'll introduce KptrTools, a set of tools to exploit the vulnerability; next I'll show you how an exploit developer can make a perfect exploit with KptrTools.
Brief biography
Dr. Zhiniang Peng is a security researcher at Qihoo 360 Core Security. He has over 10 years of experience in both offensive and defensive security and has published many academic papers in the field of information security. Dr. Peng has designed several security products in data security and discovered several critical vulnerabilities in various fields. His current research interests include software security and applied cryptography.
Yuki Chen is a member of 360 Vulcan Team. He has over 9 years of experience in the security industry and currently works as the director of a vulnerability research group at Qihoo 360. He is mostly interested in vulnerability hunting, analysis and exploit development. He has discovered and exploited vulnerabilities in a wide range of products including IE, Edge, Safari, Firefox, Adobe Flash/PDF, Java, blockchain software and so on. He has spoken at several security conferences such as Black Hat EU, SyScan, 44Con, HITCON, PacSec, SyScan360 and XCon.
Abstract
Bitcoin has been developed for ten years, and since then countless digital currencies have been created. But the discussion of double-spend attacks seems to still concentrate on 51% attacks. In fact, our research has found that there are many other ways to achieve double-spend attacks; we received more than USD 300K in bounties from the vendors for reporting these new bugs resulting in double-spends. In this presentation, by introducing a number of double-spend vulnerabilities that we have found in EOS, NEO, ONT and other large blockchain platforms, we summarize the various root causes of double-spend attacks.
Brief biography
Denis Selanin
Abstract
Last year, the cybersecurity community was wrapped up in the discussion about the vulnerability of Broadcom BCM43xx Wi-Fi chipsets. By exploiting the firmware vulnerability of these chipsets, researchers could develop exploits enabling them to gain access to a device without any need to interact with its user. Regardless of how well the OS of a device was protected, the system contained a separate chip that was responsible for parsing Wi-Fi frames and operated with no anti-exploitation functionality. This talk will cover the internals and structure of the Marvell Avastar Wi-Fi chips. We will also discuss the techniques of detecting and exploiting firmware vulnerabilities, as well as the mechanisms and operation algorithms of the ThreadX real-time OS. ThreadX is the OS used as a basis for the firmware of these devices. The last topic addressed in this talk will be the tools and techniques that simplify the process of analyzing devices of this kind.
Brief biography
Ki Chan Ahn
Abstract
Brief biography
WANG, YONG (@ThomasKing2014) is a security researcher at Alibaba Security, currently focusing on Android and browser vulnerability hunting and exploitation. In recent years he has reported several vulnerabilities in Android system core components and the kernel, which were credited in multiple advisories.
Abstract
With stricter SELinux policies and mitigations, Android rooting is becoming an "impossible" challenge.
In this talk, I will first introduce a type confusion kernel bug I found last year, which affects all the Android devices. Since the affected slab caches are all dedicated, I will detail how to shape Heap Fengshui and convert it to a Use-After-Free vulnerability.
Next, I will detail how to leverage the freed objects and bypass KASLR/PXN/PAN mitigations effectively.
Android 9 introduces the KCFI mitigation. In reality, some Android vendors had already implemented the KCFI mitigation on their Android 8 devices. To build the universal Android rooting solution, I will detail their KCFI implementation, how to bypass it and how to gain root privilege.
Brief biography
Wen Xu is a Ph.D. student in computer science at Georgia Tech, advised by Prof. Taesoo Kim. His research focuses on developing automatic systems for finding bugs in modern software. He holds a B.S. degree (2016) in computer science from Shanghai Jiao Tong University.
Soyeon Park is a Ph.D. student in computer science at Georgia Tech, advised by Prof. Taesoo Kim. Her research focuses on hardware-assisted security and finding bugs in modern software. She holds a B.S. degree (2017) in computer science and engineering from Pohang University of Science and Technology (POSTECH).
Abstract
Browsers have long been one of the most popular targets for attackers to compromise user clients. Due to the complexity of modern browsers, fuzzing is considered the most effective and practical approach to discover their security vulnerabilities. In recent years, researchers have proposed a number of fuzzers targeting DOM engines and JavaScript engines, which are the two largest sources of browser bugs, and found thousands of security-critical bugs. In this talk, we will summarize the existing approaches of these fuzzers, point out their shortcomings and propose the design of our new fuzzers that improve on the state-of-the-art techniques.
In the first half of our talk, we will focus on DOM fuzzing. Existing generation-based DOM fuzzers, such as domato developed by Google Project Zero, rely on static grammar rules, and thereby the generated test cases suffer from runtime errors. We will propose a new generation-based DOM fuzzer which supports fuzzing various DOM components more effectively, including WebGL. We note that there is no past talk about WebGL fuzzing in browsers, which involves generating not only JS calls but also shader programs. Next, we will discuss JS fuzzing. Recently, a lot of JIT compiler bugs in JS engines have been found and exploited in hacking events. However, there is no public JS fuzzer that specifically targets JIT compilation. Existing generation-based or mutation-based JS fuzzers, such as jsfunfuzz developed by the Mozilla security team and IFuzzer, all produce many syntax and semantic errors, which makes them unsuitable for JIT fuzzing. We will propose a new JS fuzzer which innovatively leverages JIT byte codes and reduces syntax and semantic errors by generating code based on our pre-defined rules.
We will present several DOM and JS bugs we found in Edge, Safari and Chrome, and demonstrate how to exploit one Safari RCE bug on macOS regardless of the isolated heap introduced in 2018.
Brief biography
Stephen Röttger (@_tsuro) works on the Google security team on a broad range of topics, from production security, sandboxing and offensive security exercises to web security and browser vulnerability research. In his free time he plays CTFs with Eat Sleep Pwn Repeat, has qualified repeatedly for the DEF CON CTF and organizes the yearly CCC CTF.
Abstract
TurboFan is the optimizing compiler of Chrome's JavaScript engine V8. In this talk, I will explain the inner workings of the compiler and its optimization passes from the point of view of a vulnerability researcher. I will give an overview of common vulnerability patterns and guide you through all the steps from vulnerability discovery, through the analysis workflow, to exploitation, using crbug.com/880207 as an example.
After achieving code execution in the renderer, I will discuss the attack surface of the browser process and how site isolation comes into play.
Brief biography
Sergey Ivanov
Abstract
During recent years, OS vendors' efforts to introduce new mitigations, as well as improved code quality, have raised the bar for finding a reliable and remotely exploitable vulnerability in OS components. At the same time, Personal Security Products (commonly called anti-viruses or HIPS) are still present on the majority of desktops and have high-level capabilities; moreover, without any user request, they scan emails, content on shared folders and web pages. This makes them a perfect target for an attack.
I want to show, using Kaspersky Anti-Virus as the example, how to discover a vulnerability in the emulator, apply several approaches to effectively fuzz and reverse engineer the internals of the AV engine, and finally gain RCE via a web browser without user interaction.
SCHEDULE
April 11, 2019
| TIME | SPEAKER | TITLE |
| --- | --- | --- |
| 09:00 ~ 09:30 | Registration | |
| 09:30 ~ 10:00 | Welcome & Introduction | |
| 10:00 ~ 11:00 | Eloi Sanfelix | TEE Exploitation by example: exploiting Trusted Apps in Samsung's TEE |
| 11:00 ~ 11:20 | Break Time | |
| 11:20 ~ 12:20 | WANG, YONG | From zero to root: Building universal Android rooting with a type confusion vulnerability |
| 12:20 ~ 13:20 | Lunch | |
| 13:20 ~ 14:20 | Maor Shwartz | Selling 0-days to governments and offensive security companies |
| 14:20 ~ 14:30 | Break Time | |
| 14:30 ~ 15:30 | Marco Grassi, Kira | Vulnerability Discovery and Exploitation of Virtualization Solutions for Cloud Computing and Desktops |
| 15:30 ~ 16:20 | Social Break | |
| 16:20 ~ 17:20 | Park Jinbum | Leak kernel pointer by exploiting uninitialized uses in Linux kernel |
| 17:20 ~ 17:30 | Break Time | |
| 17:30 ~ 18:30 | Zhiniang Peng, Yuki Chen | All roads lead to Rome: Many ways to double spend your cryptocurrency |

| TIME | SPEAKER | TITLE |
| --- | --- | --- |
| 10:00 ~ 11:00 | Sergey Ivanov | Getting RCE in Personal Security Products from scratch |
| 11:00 ~ 11:30 | Break Time | |
| 11:30 ~ 12:30 | Ki Chan Ahn | The Journey on Exploiting the Magellan Bug to Exploit Chrome |
| 12:30 ~ 14:00 | Lunch | |
| 14:00 ~ 15:00 | Denis Selanin | Researching Marvell Avastar Wi-Fi: from zero knowledge to over-the-air zero-touch RCE |
| 15:00 ~ 16:00 | Social Break | |
| 16:00 ~ 17:00 | Wen Xu, Soyeon Park | Comprehensive Browser Fuzzing: From DOM to JS |
| 17:00 ~ 17:30 | Break Time | |
| 17:30 ~ 18:30 | Stephen Röttger | A guided tour through Chrome's javascript compiler |
| 19:00 ~ | Dinner Party for Speakers and All Attendees | |
TRAINING
The training courses of Zer0Con focus on bug hunting and exploitation.
| Trainer | Date | Subject | USD | KRW |
| --- | --- | --- | --- | --- |
| Nikita Tarakanov | April 7 ~ 10 | Diving Into Development Of Microsoft Windows Kernel Exploits | $3,500 | 3,981,810원 |
| Joffrey Guilbon, Maxime Peterlin | April 9 ~ 10 | | $3,100 | 3,526,740원 |
(Exchange Rate: $1 = KRW 1,137.66)
- Training course fee does not include a Zer0Con conference ticket.
- Training course includes hotel lunch.
- Zer0Con issues CISSP CPE certificate, etc.
- After your registration, you will see the detailed information about payment.
- A training course may be canceled if the number of registered attendees is less than the minimum the trainer specifies.
If you want to run your own training course, send us an email with the following:
- Self introduction, Abstract, Curriculum, ETC.
- zer0con@pocsec.com (PGP public key)
VENUE
- ADDRESS: 70, Baumoe-ro 12-gil, Seocho-gu, Seoul, Korea
- TEL: +82-2-571-8100
- WEB: http://thek-hotel.co.kr/e_seoul/main.asp
“If there is no empty room in the venue hotel, check this file for your hotel rooms.”
CONTACT
If you have any questions, contact us.
* We recommend that you use the PGP key (PGP KEY).
Also, we are looking for sponsors.
There are several benefits for sponsors, so please feel free to contact us.