1. POC
2. 2017
3. Event

Events of poc2017

Zer0Fest by POC

Zer0Fest is a bug pwning 'festival' for better security organized by POC with the help of vendors. You can enjoy Zer0Fest every year. 


DATE: 2017.11.9 ~ 10
VENUE: TheK-Hotel


Belluminar by POC

Belluminar, hacking contest of POC, started at POC2015 in KOREA for the first time. Belluminar is from ‘Bellum’(war in Latin) and ‘seminar’. It is not a just hacking contest but a kind of festival consisted of CTF & seminar for the solution about challenges. Only invited teams can join Belluminar. Each team can show its ability to attack what other teams want to protect and can defend what others want to attack. 

DATE: 2017.11.9 ~ 10
VENUE: TheK-Hotel



Power of XX by POC

Who can show the power of XX this year? 'Power of XX' is the only one hacking contest for women. 


DATE: 2017.10.14(preliminary round, online)
           2017.11.09(the final)
VENUE: TheK-Hotel
EMAIL: SISSofsookmyung@gmail.com
OPERATING: SISS & Demon Team & Layer7


 
KIDS CTF by POC

'KIDS CTF' is a hacking contest for kids: Elementary school & middle school students in Korea. This event encourages young boys and girls to study information security and make ethical attitudes themselves. 

DATE: 2017.10.14(online)
VENUE: Space POC
EMAIL: SISSofsookmyung@gmail.com
OPERATING: SISS & Demon Team & Layer7


 Speed Hack  by Theori

How soon can we solve our challenges? 

- You should solve 3 challenges(Web, ARM, x86-64)
- Each challenge needs to solved within 5~10 mins.
- Python, C/C++ compilers, Pwntools, pwndbg are provided.
- Only one try per person(15mins maximum)
- Select the order of solving challenges.

* We are going to hand out a certain amount of goods to the top players 

DATE: 2017.11.10
VENUE: TheK-Hotel
HOST/OPERATING: Theori

 Wireless tracking  by KITRI "Best of the Best"

We know that you are here at POC Conference! In our network event, we can let you know your trace. Since we can not identify the user with a wireless network interface address itself, our event is not intended to track users but not limited to identify how many participants were around the booth and to find out how many of certain wireless devices were near by the booth. 

Check your timeframe you stayed at POC Conference without cracking CCTV & Access log. 

DATE : 2017.11.9 ~ 10
VENUE : TheK-Hotel
MAIL : eclipsemode.g0host@gmail.com
OPERATING / SUPPORT : KITRI “Best of the Best” / TE4M G0Host



          

1. POC
2. 2017
3. Speaker

Andrew Wesie, "1-Day Browser and Kernel Exploitation"

Andrew Wesie is a security researcher at Theori, specializing in exploitation and reverse engineering. He is also an avid CTF player with four wins at DEFCON CTF finals as part of Plaid Parliament of Pwning (PPP). When he is not hacking browsers or playing CTFs, he is developing software-defined radio applications and contributing to the Wine project. 

[Abstract]
==========

Browsers remain a ripe source of vulnerabilities, with 80+ CVEs during 2017 for Microsoft Edge alone. These vulnerabilities are often fueled by new features in the Javascript language and deeper analysis of the backend JIT engines by security researchers. At the same time, browser vendors have continued to improve security through additional mitigations and sandboxing. We will discuss the methodology of exploiting browsers in 2017 by analyzing recent patches and developing 1-day exploits for Microsoft Edge. We will also analyze a recent vulnerability in the Windows kernel and use it to escalate our privileges.




          

Ben Gras, "MMU Magic in JavaScript: Breaking ASLR from a Sandbox"

Ben Gras has been in this group since 2015. He has worked on software reliability, defensive research projects, and most recently, offensive research. Offensive research was most noticeably making cross-VM Rowhammer exploitation reliable and a cache-based MMU sidechannel attack. 
In feb-july of 2017 he did a research internship with Cisco in the security research group in Knoxville, TN, where he developed an anti-router malware detection protocol, countering network infrastructure attacks.
He is presently pursuing a PhD in mischief. 

[Abstract]
==========

This talk presents a novel cache side-channel attack on the memory management unit (MMU) of contemporary processors. This attack, which we call ASLR^Cache or AnC for short, allows us to break 64-bit ASLR in the browser from JavaScript. With AnC in place, attackers no longer need to leak pointers before engaging in for example control-flow diversion attacks. Unlike existing side-channel attacks on ASLR, AnC is not easy to mitigate due to its hardware-only nature. 
AnC relies on the fact that during address translation, MMU's page table walk end up in the processor's data caches. This research is the first publication to find and confirm this fact. This allows a cache attack compromising ASLR. 
We show how we can perform AnC even from Javascript, which made it necessary to find a accurate memory access timing mechanism, previously unavailable. We found 2 and have working POCs for Firefox and Chrome. New for POC, we also develop a measurement noise reducing technique. 

Dan Austin, "Fuzzing AOSP for the Masses"

Dan Austin is technical lead of the Android Security Development Lifecycle Research team, where he works on scalable vulnerability research techniques and automating all the things. 

[Abstract]
==========

Android is a complex system, and, as a complex system, it will have bugs. Some of these will be security bugs, and some of these security bugs will be remotely exploitable. Fuzzing has been shown as an effective method to discover bugs in complex systems, and, as this is the case, Android Security has included many tools in AOSP that allow for easy fuzz testing and bug analysis. This presentation will take a look at how tools provided in AOSP can be used to set up an effective, scalable fuzzing environment on Android. We will start looking into how to write fuzzers for Android components, focusing on the native code components and the kernel. We will move on to showing how testing infrastructure in AOSP can be used to provision fuzzers, distribute workload, manage corpora for fuzzing sessions, and keep track of results. Finally we'll go a bit into analysis to show how to measure fuzzer status, including code coverage achieved by the fuzzing sessions and how to produce repeatable crashes.

George Nosenko, "How to cook Cisco. The exploit development for Cisco IOS"

George Nosenko is a security researcher at Embedi. He looks for vulnerabilities in software & hardware and takes part in improving the company's products. 

[Abstract]
==========

In his talk, he is going to describe the steps to execute an arbitrary code in Cisco IOS, according to all the relevant mitigations to the given moment (DEP, Code Integrity, etc.). These steps reflect the experience of 0-day exploitation demonstrated at contest GeekPwn 2017 (Hong-Kong).

HuiYu Wu, "Hybrid App Security:Attack and defense"

HuiYu Wuis an security researcher at Tencent Security Department.Currently,his research is mainly focused on IoT security and Mobile Security. He is also a bug Hunter，found many high risk vulnerabilities in Alibaba,Baidu,Huawei,,Qihoo,Lenovo,Line and more.Winner of GeekPwn 2015. 

[Abstract]
==========

hybrid application is one that combines elements of both native and Web applications. Nowadays, working in hybrid mobile app development makes life easier for developers as they are able to write once and build mobile applications that run on the main platforms with no extra effort. The application will run on Android and iOS and the code can be reused for progressive web applications。 Many companies have developed their own Hybrid App. Such as Facebook, Amazon, Tencent，Paypal, Alibaba, Line。
Hybrid App mainstream platforms include Cordova (PhoneGap), AppCan, appMobi, Titanium, etc. This talk will cover the Hybrid app’s mainstream implementation, and security architecture。Of course, I will also introduce how to bypass the hybrid app security mechanism,and attack Hybrid App to achieve remote code execution or privilege leak and information disclosure.

James Lee, "Playing with IE11 ActiveX 0days"

[Speaker Info]
==========
James Lee was a speaker of Zer0Con2017.
And he is a crazy math geek. 

[Abstract]
==========

ActiveX is a feature that has been present on Internet Explorer almost since its inception. We'll go through this feature and look into the way I discovered the vulnerability while I play around with.

Jeff Chao, "From Zer0 to Persistence: A Complete Exploit Chain against Samsung Galaxy Series"

Jeff Chao is Sr. Vulnerability Researcher at Team T5. CTF Player, won 2nd place in Defcon 22 & 25 as team member of HITCON. Focus on linux and android binary exploitation. 

[Abstract]
==========

Samsung Knox Active Protection provides many protection to against unauthorized changed on its devices. Especially, there is a one time fuse(KNOX Bit) to prevent un-trusted boot. If the device try to boot from modified image, it will set up the fuse. Once the fuse is set, the device can no longer access KNOX container, Samsung Pay and previous stored keys in Keychain.
We combined 2 CVE and 1 privately patched vulnerabilities to achieved remote persistence root without KNOX bit blew.
First vulnerabilities is CVE-2016-3861, heap overflow during UTF16 string conversion in libutil. We port the Project zero’s POC on Nexus to Samsung device. Due to Samsung has modified libmedia.so, the object used in the POC can’t directly use for Samsung device. Since the structure size and offset was changed, we need another method to leak the address and control the program flow.
Then we need a privilege escalation, we use dirtycow(CVE-2016-5291) to gain root permission. But only root is not enough, we have to conquer the SELinux context limitation. In the end, Cadmium, a exploit brief leaked from Vault7, can hijack device boot flow. In other words, we have a very early code execution that can bypass the KNOX protection. With these vulnerabilities, we complete a perfect remote root on Samsung Galaxy S6.

Kang Li, "Exposing Vulnerabilities in Deep Learning Frameworks"

Kang Li is a professor of computer science and the director of the Institute for Cybersecurity and Privacy at the University of Georgia. His research results have been published at academic venues, such as IEEE S&P, ACM CCS and NDSS, as well as industrial conferences, such as BlackHat, SyScan, and ShmooCon. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He was a founder and player of Team Disekt, one of the finalist teams in the 2016 DARPA Cyber Grand Challenge. . 

[Abstract]
==========

Advance in deep learning algorithms overshadows their security risk in software implementations. This presentation discloses a set of vulnerabilities in popular deep learning frameworks including TensorFlow, Torch and Caffe. Contrast to the small code size of deep learning models, these deep learning frameworks are complex and contains heavy dependencies on numerous open source packages. By exploiting these framework implementations, this presentation demonstrates attacks on common deep learning applications such as as voice recognition and imaging classifications. The cases to be demonstrated include denial-of-service attacks that crash or hang an deep learning applications, and control-flow hijacking attacks that cause either system compromise or recognition evasions.

Liang Chen, “A Hacking and Security Story from Post iOS 10 to 11”

Liang Chen is a senior security researcher at KeenLab of Tencent (formerly known as Keen Team). Liang has a strong research experience on software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area was browser exploitation including Safari, Chrome, Internet Explorer, etc on both PC and mobile platform. Also Liang researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2own 2016. Liang is also the winner of iPhone Safari category in Mobile Pwn2own 2013 and Mavericks Safari category in Pwn2Own 2014. Liang has spoken at several security conferences including XCON 2013, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015, etc. 

Lucas Apa & Cesar Cerrudo, "Hacking Robots Before Skynet"

Lucas Apa is an information security expert and entrepreneur. He currently provides comprehensive security services with cutting-edge firm IOActive (Seattle, USA), both onsite and remotely, for most of Global 500 companies and organizations.
Focused on offensive security, he publicly disclosed critical vulnerabilities and exploits for widely used operating systems, industrial control systems, modern robots, access controls, embedded devices and other groundbreaking technology that shapes the future world. 
Lucas’ security research and ideas have been presented at world-renowned security conferences including Black Hat USA, PacSec Japan, Black Hat Europe, Ekoparty, AppSec USA, SecTor and EnergySec. His technical work and opinions have been featured in media outlets such as: The New York Times, Reuters, The Wall Street Journal, Forbes, CNN, CNBC, Financial Times, FOX, VICE and much more. He is currently based in Argentina and advises regularly with local media as a commentator and security analyst.
With an envisioned sense of adventure and experience, Lucas gives the companies he works with the opportunity to partner with global authorities by leading, managing and executing highly technical projects and missions. 

Cesar Cerrudo is Chief Technology Officer for IOActive Labs, where he leads the team in producing ongoing, cutting-edge research in areas including Industrial Control Systems/SCADA, Smart Cities, the Internet of Things, Robots and software and mobile device security. Cesar is a world-renowned security researcher and specialist in application security.
Throughout his career, Cesar is credited with discovering and helping to eliminate dozens of vulnerabilities in leading applications including Microsoft SQL Server, Oracle database server, IBM DB2, Microsoft Windows, Yahoo! Messenger, and Twitter, to name a few. He has a record of finding more than 50 vulnerabilities in Microsoft products including 20 in Microsoft Windows operating systems. Based on his unique research, Cesar has authored white papers on database and application security as well as attacks and exploitation techniques. He has presented at a variety of company events and conferences around the world including Microsoft, Black Hat, Bellua, CanSecWest, EuSecWest, WebSec, HITB, Microsoft BlueHat, EkoParty, FRHACK, H2HC, Infiltrate, 8.8, Hackito Ergo Sum, NcN, Segurinfo, RSA, and DEF CON.
He recently started Securing Smart Cities (http://www.securingsmartcities.org), a non profit initiative to make cities around the world safer.
Cesar collaborates with and is regularly quoted in print and online publications. His research has been covered by Wired, Bloomberg Businessweek, TIME, The Guardian, CNN, NBC, BBC, Fox News, The New York Times, New Scientist, Washington Post, Financial Times, The Wall Street Journal, and so on. 

[Abstract]
==========

Robots are going mainstream. In the very near future robots will be everywhere, on military missions, performing surgery, building skyscrapers, assisting customers at stores, as healthcare attendants, as business assistants, as sex partners, cooking in homes, and interacting with our families.

While robot ecosystems grow and become more of a disrupting force in our society and economy, they pose more of a significant threat to people, animals, and organizations if the technology is not secure. When vulnerabilities are exploited in robots, physical features can be utilized by attackers to damage property, company finances, or cause unexpected consequences where human life can be endangered. Robots are essentially computers with arms, legs and wheels, so the potential threats to their physical surroundings increase exponentially and in ways not widely considered before in computer security.

In recent research, we discovered multiple critical vulnerabilities in home, business and industrial collaborative robots from well-known vendors. With responsible disclosure now completed, it’s time to reveal all the technical details, threats, and how attackers can compromise different robot ecosystem components with practical exploits. Live demos will showcase different exploitation scenarios that involve cyber espionage, harmful insider threats, property damage, and more.

Through realistic scenarios we will unveil how insecure modern robot technology can be and why hacked robots could be more dangerous than other insecure technologies. The goal is to make robots more secure and prevent vulnerabilities from being exploited by attackers to cause serious harm to businesses, consumers, and their surroundings.

Ilya Nesterov, Max Goncharov, "We Can Wipe Your Email!!"

lya Nesterov is currently an engineering manager at Shape Security. Prior to Shape, Ilya worked at F5 Networks, and earned his master's degree from Tomsk Polytechnic University. His interests include, but are not limited to, modern Web Application security threats and countermeasures, botnets, malware infrastructure, exploits and honeypot development. Ilya also works as an independent security researcher and is a speaker on security topics. 

Maxim Goncharov is a Threat Analyst with 16 years working experience in the field of computer security. He is equipped with knowledge in research and development of threat analytics systems, producing white papers based on research work and presenting these research results at security conferences. Maxim participates as speaker at various security conferences and training seminars regarding the topic of cybercrime and related issues (e.g.cyberterrorism, cybersecurity, underground economy, etc.), like PacSec,Power of Community, DeepSec, VB, APWG. He performs underground research and the development of secure analytics tools are some of the most important parts of his day- to-day work. 

[Abstract]
==========

One of the central points of failure is an email address. We used to get access to our bank accounts, social networks and much more. For SMB and Enterprise - email address most often targeted entry point for advanced persistent threat (APT) attacks.
But how good we are at protecting our e-mail accounts? 
There is always a compromise between security and usability. Still remember times when you need to enter obtain all information about smtp/pop/imap servers and enter them in order to configure your e-mail account. Now it is as simple as just typing your email and password. But when you rely on technology that simplifies your life, it is always complex and sophisticated inside and there is always huge chance of failure to implement it.
In our presentation we will disclose severe vulnerability of mail clients ,as well, as software services that could lead an attacker to take over the access to sensitive user information, sometimes including usernames and passwords. 
We’ll also demonstrate how improper email client implementation leak user credentials and what software developers, server administrators and users can do to prevent it.
Attendees will see live data feed with popular email client names and who’s leaking what. We will demo Apple iPhone wiping using above mentioned vulnerability. 

Patrick Paumen, "Hack your body, one implant at a time"

Patrick Paumen is a biohacker who has been experimenting with implants since 2011. He has 14 implants total; 5 biomagnets and 9 RFID transponders from biohacking company Dangerous Things. The biomagnets allow Patrick to sense magnetic fields, as well as lift small objects. The different RFID implants are mostly for access control applications like unlocking doors at his home, office, and car, as well as unlocking his smartphone and logging into his laptop. He can also share contact details or other data, control electronics, and measure body temperature. His latest implant is VivoKey from Dangerous Things which is capable of running security software and performing cryptographic tasks. Patrick has been featured in multiple national and international media publications, including the Wallstreet Journal and a German documentary about Cyborgs. 

[Abstract]
==========

I'll show and demonstrate how I use my 9 RFID & RFID/NFC tag implants to interact with different RFID readers in door locks and other electronics. How I've used cloning devices to clone different RFID cards/keyfobs to my implants. I'll demonstrate the newest prototype implant (VivoKey) which I use for PGP encryption/decryption/signing and for 2-factor authentication. Also answers to common questions like "what if you have to go through security at an airport? can the implants break? what if you need an MRI?"

Patrick Wardle, "FruitFly & Friends

Patrick Wardle is the Chief Security Researcher at Synack, and founder of Objective-See. Having worked at NASA and the NSA, and as well as presented at many security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Currently, Patrick's focus is on automated vulnerability discovery, and the emerging threats of macOS and mobile malware. In his personal time, Patrick collects macOS malware and writes free security tools. 

[Abstract]
==========

For better or worse, now is great time to be a Mac malware analyst! 2017 saw the emergence of new macOS threats such as Xagent, Proton, MacRansom, and FruitFly. In this talk, we'll begin by providing a brief overview of these threats, before diving into a full analysis of FruitFly. 

FruitFly, the first Mac malware of 2017, is a rather intriguing specimen. Targeting mainly US victims in an attempt to spy on them, it is thought to have flown under the radar for many years and even now, is only detected by a handful of security products. In order to gain a comprehensive understanding of this insidious threat, instead of relying on traditional methods of analysis (such as debuggers and disassemblers), the talk will discuss the creation of a custom command and control server. Armed with this server, we'll show how we could coerce FruitFly to reveal its full capabilities....simply by asking the right questions!

Of course this approach hinges on the ability to closely observe the malware's actions. As such, we'll discuss macOS-specific tools that can monitor various events, and where necessary detail the creation of custom ones (e.g. a 'mouse sniffer' that locally observes and decodes commands sent from the malware to the OS, in order to control the mouse).

Qinghao Tang, "An awesome toolkit for testing the virtualization system "

Qinghao Tang has rich experience in cloud computing security and linux kernel security . He was the speaker of Pacsec 2015 , Syscan 2016 and hitb 2016, CanSecWest 2017. 

[Abstract]
==========

The public cloud and private cloud have become the infrastructure of high-tech enterprises, and I implement a toolkit to help researchers test the security of the cloud environment. This toolkit includes virtualization system vulnerability attack components and side channel attack components. The toolkit can be used to check co-residence and escape from virtual machine or container .

In this topic, I will share several components and describe the principles that implement them.
- Co-residence check component : memory bus channel module
- Qemu vulnerability attack component: info leak & rip control module for any address read and write vulnerability, rop module
- Xen vulnerability attack component: info leak & rip control module for any address read and write vulnerability, rop module
- Docker vulnerability attack component: switch namespace module
- Vmware workstation vulnerability attack component: heap allocation module, rip control module for heap overflow vulnerability, rop module

Shengbao Cai, Zhang Lu, and Li Fu, "Deluge – How to generate 2TB/s reflection DDoS data flow via a family network"

Shengbao Cai, Zhang Lu, and Li Fu are members of the 0Kee Team from Information Security Department of Qihoo 360 Technology Co.. The department is dedicated to protect the security of the entire business line of the company. 0Kee Team have independently designed the business security automatic defense system and many other defense tools / platforms for company. It has been invited to make presentations at BlackHat, Kcon etc. 

[Abstract]
==========

DDOS is the most prominent security threat the internet network facing now. Among all DDOS methods, reflective DDOS is most popular and powerful attack due to low cost, low threshold and excellent effort. Meanwhile, the real reflective DDOS attack leads to more and more powerful network flow. 

During our research, we found a new way to exploit a specific UPD protocol which widely used in public network and obviously gains high multi reflective network flow. The multiple can reach at 50000 which is the highest known. In this case, our researcher can exploit a 2TB/s DDOS attack only via a family network. That also means we could make most network paralyzed in a simple way.

Tim Yunusov, Yar Babin, "7 sins of ATM protection against logical attacks"

Tim Yunusov is the senior expert of banking security and author of multiple researches in field of application security including "Apple Pay replay attacks" showed at the BlackHat USA 2017, "Bruteforce of PHPSESSID", rated in Top Ten Web Hacking Techniques by WhiteHat Security and "XML Out-Of-Band" showed at the BlackHat EU. Professional application security researcher.

Yar Babin is the specialist of Web application and Banking systems security depts. Social engineering field's enthusiast. 

[Abstract]
==========

Everyone is perfectly familiar with logical and black-box attacks on ATMs. But hardly any countermeasures have been taken so far: banks are sure that their devices are perfectly protected until hackers prove them wrong. The most frequent reason why this happens is developers, engineers, and security staff' lack of expertise: they have a vague idea on attacks sources and vectors and what they should monitor and improve.

During the last year alone, we assessed 10 different application control products during ATM security assessments. Each product was found to have bypass methods. Whilst the most versatile bypass method was discovered a long time ago we have found 0-days in leading products (CVE-2016-8009, GVM Checker, Kaspersky KESS, M3Defender), as well as some universal 0-day techniques. 
In this presentation, we will focus on Application Control bypass, in the reason why Application Control is one of the main protection mechanisms in ATM, and the current state of this type of security software is really poor and has a lot of weaknesses and bypasses. Nevertheless, it could be made in absolutely another manner, which will satisfy requirements for necessary security level.

Jeonghoon Shin, "Javascript Fuzzing"

Jeonghoon Shin is mainly interested in software bug hunting. He has tired eyes all the time because he is doing parenting and hacking at the same time. He is looking for browser bugs every day to be the winner of POC's pwn contest someday. 

[Abstract]
==========

This presentation will show how to find browser bug via fuzzing. It will focus on automated testing and crash detection methods for JavaScript Engines.

 

Yeongjin Jang, "Tampering with Encrypted Memory Blocks of Trusted Execution Environment"

[Speaker Info]
==========
Dr. Yeongjin Jang is an Assistant Professor of Electrical Engineering and Computer Science at Oregon State University. His research focuses on operating system security, and he is particularly interested in identifying and analyzing emerging attacks on computer systems and building countermeasures against these attacks. Besides academic research, he has participated in several CTF (Capture The Flag) competitions. His team, DEFKOR won the DEF CON CTF in 2015, and Disekt competed in the final stage of the DARPA Cyber Grand Challenge in 2016. He received his B.S. degree from KAIST (2010), M.S. Degree (2016) and Ph.D. (2017) from the Georgia Institute of Technology. 

 

Yu Pan,Yang Dai, Ye Zhou, "The android vulnerability discovery in SoC"

Yu Pan,Yang Dai and Ye Zhou are members of the Vulpecker Team from Information Security Department of Qihoo 360 Technology Co.Ltd. They are focusing on vulnerability discovery and exploit develpment.They have found a lot of mobile phone vulnerabilities，including Qualcomm,MediaTek,NVIDIA,Samsung,Huawei,XiaoMi,etc. 

[Abstract]
==========

We are focusing on the Android driver research and found all vendor's vulnerability,including Qualcomm,MediaTek,NVIDIA,Samsung exynos,Huawei Hisi,etc.Not only have we found 60 vulnerabilities,but we also found some attack points which widely existing in Android driver.Some of them have been confirmed by vendors and we have received more than 10 CVE. We offered the advanced fuzzing technique and the experience of auditing source code to discover vulnerabilities.
We will introduce our fuzzing tools and analyse the vulnerability we found
 

Yunhai Zhang, "Make LoadLibrary Great Again"

Yunhai Zhang is a security researcher of NSFOCUS security team. He has worked on computer security for more than a decade. He has spoken at BlackHat, BlueHat, CSS TSec, XCon. He has won Microsoft Mitigation Bypass Bounty 4 years in a row since 2014. 

[Abstract]
==========

LoadLibrary is an old but powerful technique, and it plays an important role in Windows exploit. Therefore, Microsoft has introduced a series of mitigations, such as Image Load Policy, Strict Mode Control Flow Guard, Code Integrity Guard, and Arbitrary Code Guard, to restrict its ability.
This talk will discuss those mitigations and show some tricks to bypass them. With these tricks, all mitigations currently enabled in Windows 10 can be bypassed, and LoadLibrary can be used to achieve arbitrary code execution again.

1. POC
2. 2017
3. Sponsor

Sponsors