SPEAKERS
Brief biography
Ki Chan Ahn (@externalist) is the Android Technical Lead at Dataflow Security. His research covers various domains in Android and iOS, with a special focus on browser-based exploit chains.
Abstract
For decades, there has been a battle between attackers and defenders in the mobile exploitation domain. Some early battles were easy wins, while others posed a great challenge to the attackers. This talk is about the meta-game between attackers and defenders: how it used to be in the past, how it is changing, and what to expect in the future. The talk will focus mainly on 1-click browser chains, with some short comments on other domains as well.
Brief biography
Valentina Palmiotti (@chompie) is a Vulnerability and Exploit Researcher at IBM X-Force. She is focused on low-level vulnerabilities, exploit development, and post-exploitation offensive security. She has published security research exploiting various targets, such as the Linux kernel, Windows, and Android.
Abstract
Finding a target that is both accessible from everywhere and has no public vulnerabilities is a jackpot for a security researcher. Popular attack surfaces have been thoroughly audited, and easy "wins" for these targets have become harder to achieve. This talk will discuss discovering and choosing the SPNEGO negotiation protocol as an attack surface, which up until now has had no reported vulnerabilities. The implication of bugs found there is severe, as the code that parses the protocol is reachable from any Windows protocol that does authentication, both remotely and locally, such as SMB, RDP, and many more. I will cover a memory corruption bug I discovered, discuss exploitation, and explain why Microsoft incorrectly evaluated the impact of the bug the first time (and later revised its assessment). Finally, I'll discuss lessons learned from the experience and how to incorporate them into future security research.
Brief biography
Thomas Corley is an independent security researcher focusing mainly on Android kernel exploitation and auditing.
Abstract
Android GPU drivers are a very interesting attack surface for security researchers for several reasons. They are reachable from the untrusted_app context, their code is generally not of the same quality as the mainline Linux kernel, and vulnerabilities affect a large range of devices, as only three GPU families (Adreno, Mali, PowerVR) hold the vast majority of the market share. This can be seen in the fact that six GPU driver kernel vulnerabilities were found exploited in the wild in 2021/2022.
In this talk I will present three GPU vulnerabilities, one from each major vendor, and provide a detailed analysis of how to exploit them to gain arbitrary kernel read and write generically and reliably. Notably, I will explain how features of the kernel drivers themselves lend themselves well to elegant exploitation of both logic and classical memory corruption vulnerabilities. I will also briefly go into post-exploitation techniques for generic privilege escalation and defeating SELinux on Android devices.
There will be a live demonstration of all three vulnerabilities being exploited to gain a root shell on vulnerable devices.
Brief biography
Maddie Stone (@maddiestone) is a Security Researcher on Google Project Zero where she focuses on 0-days actively exploited in-the-wild. Previously, she was a reverse engineer and team lead on the Android Security team.
Abstract
In 2022, 38 0-day vulnerabilities were detected as exploited in-the-wild. This talk covers what we can learn from the 0-days detected in-the-wild in 2022: the trends, the lessons learned, the novel bugs & methods. What’s stayed the same and what’s changed? What attack surfaces and bug types do we expect to continue in 2023? What may be promising targets for further research? And what was 2022's coolest bug? In this talk, I’ll deep dive into many of the most notable vulnerabilities and walk through the most interesting exploits from the year.
Much of security research is trying to emulate or guess what attackers who use 0-days are actually doing. In this talk, we’ll dive into what attackers actually are doing with 0-day exploits across most of the major consumer platforms: Chrome, Safari, Windows, iOS, macOS, Android, and more!
Brief biography
Hao Xiong is a master's student at Zhejiang University, China, under the supervision of Rui Chang. He is a pwner of the AAA CTF Team. He has been an intern at Ant Security Light-Year Lab, focusing on Linux kernel bug exploitation. He has reported vulnerabilities to the Linux kernel and Samsung. He was inducted into the Samsung Mobile Security Hall of Fame 2022.
Qinming Dai is a master's student at Zhejiang University, China, under the supervision of Rui Chang. He is a member of the AAA CTF Team, and also plays CTFs as a member of A*0*E. His research focuses on system security, especially software security. He has reported several vulnerabilities to Samsung, which have been confirmed and credited. He was inducted into the Samsung Mobile Security Hall of Fame 2022.
Abstract
Due to their inherently high privilege, Android system APIs have always been attractive targets for mobile security researchers. Android vendors, like Samsung, have introduced many customized libraries to handle input from users. Although these libraries have been analyzed before, we found that even Samsung still does not test its customized system APIs well, and some vulnerable APIs have been around for years.
In our work, we found 75 unique security bugs and received 17 CVEs from Samsung, including heap OOB R/W, NPD, stack overflow, UAF, BSS overflow, and integer overflow bug types. Some of the vulnerabilities could be used to achieve RCE. We were also inducted into the Samsung Mobile Security Hall of Fame 2022.
In this talk, we will summarize prior research on fuzzing Android closed-source system APIs. Then we will present our fuzzing framework. This framework lets us avoid fuzzing on physical devices and provides the necessary Android JVM runtime environment. With this framework, we can write high-quality and concise fuzzing harnesses without much reversing work. Finally, we will discuss the limitations of our framework and put forward our thoughts on future work.
Brief biography
Sina Karvandi (@Intel80x86) is a security researcher at the Institute For Research In Fundamental Sciences (IPM) and Chosun University. He is particularly passionate about Windows internals, hypervisors, and low-level programming. In addition, he is interested in digital hardware design, microarchitecture, and microarchitectural security. As a developer of the HyperDbg debugger, Sina spends a significant amount of time creating open-source reverse engineering tools for the benefit of the community. Apart from his work in the field of computers, Sina is also a professional badminton player.
Abstract
Hypervisors are an indispensable component of contemporary software systems. While the primary purpose of hypervisors is to virtualize system resources, they have various other applications beyond their conventional use, and our focus lies in employing them for security and reverse engineering purposes; thus, this presentation is divided into two parts. The first part is about how hypervisors and solutions derived from hypervisors can help us find bugs in kernel-mode and user-mode routines, as well as the possibilities of using hypervisor debuggers in reverse engineering. The second part is about finding different types of bugs within the hypervisors themselves (type 1 and type 2).
The study involves using various bug-finding techniques, including static analysis, dynamic analysis, and finding attack vectors, to identify vulnerabilities in both types of hypervisors. The presentation also highlights the importance of bug finding in hypervisors and the potential consequences of leaving vulnerabilities unaddressed. The findings can inform developers and security professionals in their efforts to improve the security of hypervisors and mitigate the risks associated with virtualization.
Brief biography
Amat Cama
Abstract
ASN.1 (Abstract Syntax Notation One) is a standard language used for describing data structures and encoding data in a way that can be transferred between different systems.
Data Structures, Encoding and Parsing are keywords that usually indicate an interesting attack surface in any target.
In this talk, we will take a look at the Intel Infineon Baseband's ASN.1 parser, which is a key component of a number of mobile devices and embedded systems.
It has been used in various iPhone models in the past, as well as Tesla cars.
We will take a deep dive into the work done in identifying, debugging and exploiting a vulnerability found in this code.
Brief biography
Gengming Liu (@dmxcsnsbh) is a security researcher at Singular Security Lab. He has mostly focused on browser security in recent years. He participated in Pwn2Own in 2016 & 2017 and won "Master of Pwn" with Tencent Security Team Sniper. He also won a Chrome Pwnium bounty in 2019. He is a fan of CTF games. He was the captain of the A*0*E & eee CTF team and won first place at DEFCON 2020 Quals & Finals. Gengming has spoken at several security conferences including BlackHat USA, POC, Zer0Con, and CanSecWest.
Zhutian Feng (@FengPolaris) is a security researcher at Singular Security Lab, focusing on V8 security research. He has found several V8 vulnerabilities and successfully achieved RCE with them. He was a member of the CTF teams 0ops and A*0*E, which won first place at DEFCON CTF 28. Zhutian has spoken at several security conferences including Zer0Con and ISC.
Abstract
As a single-threaded language, JavaScript traditionally had relatively few issues with race conditions in its engines. However, as JS engines have developed, some mainstream ones such as JSC and V8 have started implementing concurrent optimization techniques to enhance performance. This introduces race condition issues as a new threat to their security.
In this talk, we will present two exploitable vulnerabilities found in JSC and V8. Both vulnerabilities are race condition issues due to concurrent optimization. Our presentation will offer a detailed analysis of the root causes of these issues, along with an introduction to techniques for exploiting them.
Brief biography
Nikita Tarakanov is an independent security researcher.
Arsenii Kostromin is an independent security researcher.
Abstract
This talk will uncover the unpleasant reality of the software code quality of two major software giants (Apple & Microsoft) in 2023, with low-hanging 0-days in the latest versions of Windows and macOS.
Brief biography
Jun Luo (De4dcr0w) is a security researcher at 360 Vulnerability Research Institute, focusing on kernel vulnerability discovery and exploitation on Android, Ubuntu and other distributions. He has found multiple privilege escalation vulnerabilities on Ubuntu.
Yanfeng Wang is a security researcher at 360 Vulnerability Research Institute. He has been engaged in security research for 10 years, focusing on kernel vulnerability discovery and exploitation on Android, Ubuntu and other distributions. He has reported vulnerabilities to Google, Qualcomm, Samsung, Huawei and other manufacturers.
Abstract
Winning the race is a common challenge in exploiting use-after-free vulnerabilities. There are some common methods in the industry, like pinning CPU cores, using appropriate heap objects, and using thread priority for preemption, to help heap feng shui succeed in dealing with race problems. The problem is more difficult when the window is very tiny. Project Zero once proposed a method to win the race by using thread priority and clock interrupts in the kernel, but this method is limited to scenarios where two user threads are executing in kernel mode.
To solve the problem when the tiny race is between a user thread and a softirq handler in the kernel, we propose a new method named "Busy2Nice" that is able to win the race for tiny windows with a high success rate. This method addresses the problem that the softirq handler is not controllable by the user and runs very quickly, so CPU pinning and other common methods cannot be used to widen the race window.
In this talk, we will use a use-after-free vulnerability that we found in the Linux kernel, which affects versions 5.13.x - 5.15.x, to demonstrate this new method. Our exploit achieves root privilege escalation on Ubuntu 20.04 and 22.04 under the default configuration. We will also explain the principle of the vulnerability and describe in detail the exploitation process and how to win the race through "Busy2Nice".
SCHEDULE
| TIME | SPEAKER | TITLE |
| --- | --- | --- |
| 09:00 ~ 09:30 | Registration | |
| 09:30 ~ 10:00 | Welcome & Introduction | |
| 10:00 ~ 11:00 | Externalist | Mobile Exploitation - The past, present, and the future |
| 11:00 ~ 11:30 | Break Time | |
| 11:30 ~ 12:30 | Thomas Corley | Generic Exploitation of Three Android GPU Kernel Driver Vulnerabilities |
| 12:30 ~ 14:00 | Lunch | |
| 14:00 ~ 15:00 | Jun Luo & Yanfeng Wang | Busy2Nice: A New Way to Win the Race for Tiny Windows in the Linux |
| 15:00 ~ 15:30 | Break Time | |
| 15:30 ~ 16:30 | Sina Karvandi | Chasing Bugs With/In Hypervisors |
| 16:30 ~ 17:00 | Break Time | |
| 17:00 ~ 18:00 | Amat Cama | ASN.1 and Done: A journey of exploiting ASN.1 parsers in the baseband |
| TIME | SPEAKER | TITLE |
| --- | --- | --- |
| 09:30 ~ 10:00 | Introduction & Warm up | |
| 10:00 ~ 11:10 | Maddie Stone | A Year in Review of 0-days Exploited in-the-wild in 2022 |
| 11:00 ~ 12:00 | Nikita Tarakanov & Arsenii Kostromin | DEP/NX, ASLR, SMEP/PXN, SMAP/PAN, CFG/XFG/PAC, CET... Security technology/mitigation A, B, C. Secure SDLC! Aga, hold my beer bro... |
| 12:00 ~ 14:00 | Lunch | |
| 14:00 ~ 15:00 | Hao Xiong & Qinming Dai | Fuzzing Samsung's closed-source libraries as if on a real device |
| 15:00 ~ 15:30 | Break Time | |
| 15:30 ~ 16:30 | Gengming Liu & Zhutian Feng | Find and exploit race condition bugs in modern JS engines |
| 16:30 ~ 17:00 | Break Time | |
| 17:00 ~ 18:00 | Valentina Palmiotti | SPNEGO for Windows Authentication - A Ubiquitous Attack Surface with No Vulnerabilities? |
| 18:00 ~ 18:20 | Closing Ceremony | |
| 18:30 ~ | Dinner Party for Speakers and All Attendees | |
TRAINING
The training courses of Zer0Con focus on bug hunting and exploitation.
USD prices are converted to KRW using the February 28th exchange rate (USD $1 = 1,340.45 won).
| Trainer | Date | Subject | USD | KRW |
| --- | --- | --- | --- | --- |
| Andrey Konovalov | April 9 ~ 12 | | $4,400 | 5,897,980 won |
| Cristofaro & Niek | April 10 ~ 12 | | Canceled | |
| Dawid Czagan | April 11 ~ 12 | | Canceled | |
| Prateek & Dinesh (8KSEC) | April 10 ~ 12 | | $4,000 | 5,361,800 won |
| Silvio Cesare | April 9 ~ 12 | | $4,000 | 5,361,800 won |
VENUE
- ADDRESS: INTERCONTINENTAL SEOUL COEX, Bongeunsa-ro 524, Gangnam-gu, Seoul, Korea
- TEL: +82 2-3452-2500
- WEB: https://seoul.intercontinental.com/iccoex/
Copyright(c) Zer0Con All rights reserved.