SPEAKERS  


Speakers are listed alphabetically by name.



   Chao Zhang, "Revery: from POC to EXP"

[Speaker Info]
==========
Dr. Chao Zhang is an Associate Professor at Tsinghua University. He was a member of the CTF team Blue-Lotus and is now its coach. His research interests lie in system and software security, especially vulnerability analysis. His automated vulnerability detection solutions have found over 200 CVE vulnerabilities. He co-led the UC Berkeley team CodeJitsu, which built the automated system Galactica that did excellently in the Cyber Grand Challenge launched by DARPA.

[Abstract]
==========

Vulnerability assessment, especially exploitability assessment, is important for both defenders and attackers. Automated exploit generation (AEG) is an important way to assess the exploitability of vulnerabilities. However, AEG remains an open challenge. In some cases, the given proof-of-concept (PoC) input, which triggers the vulnerability, exercises a crashing path but does not reach an exploitable program state. In this talk the speaker will introduce Revery, a solution to this specific challenge.



   Cristofaro Mune & Niek Timmers, "Using Fault Injection for Turning Data Transfers into Arbitrary Execution"

[Speaker Info]
==========
Cristofaro Mune
Niek Timmers

[Abstract]
==========

Unprivileged data is often transferred across multiple security boundaries. Think about a memcpy() occurring at kernel/hypervisor level, where the transferred data has been provided by userspace. In secure systems, such data is carefully checked, handled and sanitized, often leaving little chance for exploitable software vulnerabilities.
Let's assume we have a perfectly secure system, where no exploitable software vulnerability is present at any given privilege level (i.e. user, kernel, hypervisor, etc.). Even for these 'unexploitable' systems, we have already demonstrated that the following is possible by means of fault injection:
- [2016]: precise control of Program Counter from user data (to be used in userspace exploits)
- [2017]: Linux privilege escalation, achieving kernel code execution from userspace.
- [2019]: Encrypted Secure Boot bypass without knowledge of the actual encryption key.

In our talk, we go through techniques that allow turning a seemingly harmless transfer of attacker-controlled data into a fully fledged execution primitive.
Some of the techniques we discuss have already been demonstrated by us on ARMv7, where the PC register is directly addressable. Nonetheless, the full potential of the underlying concept has not been publicly discussed until now.
Additionally, we share for the first time techniques that allow PC control on architectures where the PC is not directly addressable.
These techniques can be used, for example, to exploit ARMv8 devices, including mobile phones, without relying on a software vulnerability.



   Gengming Liu, "Chrome Exploitation"

[Speaker Info]
==========
Gengming Liu

[Abstract]
==========

TBA



   James Forshaw, "Reimplementing Local RPC in .NET"

[Speaker Info]
==========
James Forshaw is a security researcher in Google’s Project Zero. He has been involved with computer hardware and software security for over 10 years looking at a range of different platforms and applications. With a great interest in logical vulnerabilities he’s been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.

[Abstract]
==========

Finding privilege escalation in local Windows RPC servers is the new hotness. Unfortunately, the standard Microsoft tooling only generates code for C/C++, which presents a problem for anyone wanting to write proof-of-concepts in a .NET language such as C# or PowerShell.
This presentation will go through the various tasks I undertook to build a working implementation, including:
- Assessing the best approaches to implementing an RPC client in .NET.
- Reverse engineering the APIs to identify the low-level ALPC implementation.
- Implementing NDR parsing and serialization.
- PowerShell integration.
The presentation will finish up with some details of one of the bugs I discovered with the new tooling. The tooling itself will be available to all.



   Jaanus Kääp, "Attacking Hyper-V"

[Speaker Info]
==========
Jaanus Kääp works as a security researcher, penetration tester, and developer at Clarified Security. Over the last years he has mostly focused on finding vulnerabilities in Windows and the software around it. He has been on the MSRC top list for 4 years and is currently trying to find the energy to convert his Hyper-V research into a master's degree thesis. This talk is about this research.

[Abstract]
==========

Until this year's Black Hat presentation from Apple, the highest bug bounties were offered by Microsoft for Hyper-V vulnerabilities. Even now that these bounties are no longer the highest in the industry, they are still highly motivating. It is therefore interesting that only a few vulnerabilities are reported, and of these only very few come from non-Microsoft researchers. This might be because the entry level for Hyper-V research is quite high and there is not enough public information or tooling available. While Microsoft has released more information about it over the last years, there is still a lack of tools and knowledge about Hyper-V outside Microsoft itself.
This talk tries to change this a bit by describing the attack surface, the inner workings, and the necessary engineering methods and tools for testing it from an outside researcher's perspective. The speaker will make his toolset public, which will hopefully help newcomers to this topic in testing, fuzzing and analyzing Hyper-V.



   Kushal Arvind Shah, "Software Zero-Day Discovery - How To? Targets/Seeds? Methods - Fuzzing, Reverse-Engg, 'Neither'??"

[Speaker Info]
==========
Kushal Arvind Shah works at Fortinet's FortiGuard Labs. His research areas include vulnerability discovery and penetration testing. He has many 0-day credits and Hall of Fame acknowledgements (Microsoft, Google, Adobe, Cisco, Intel, Samsung, Facebook, Tableau, Nvidia, Foxit Software, Hancom, Schneider Electric, Amazon, SAP and many more).

[Abstract]
==========

Software zero-day (0-day) discovery has been pursued by many researchers since software was first developed. Over the years, many researchers have shared their strategies, tools, etc., in the hope of aiding other researchers in this art.
This talk is about several things that are critical but not explained in the whole software zero-day discovery approach, such as the following:
1) How to find recent Zero-Day Vulnerabilities Details & their PoCs?
2) Which Target to select and How to Build/Use them?
3) How to find and build corpus for the Selected Targets?
4) Brief Intro to the Common methods involved in 0Day Discovery like Fuzzing.
5) LASTLY, How to find Critical Vulnerabilities by Neither Fuzzing Nor Reverse Engineering. ;)
This talk would also include a “Live Demo” about some Recent Critical Vulnerabilities (in a Widely Used Product by a Big Vendor) I discovered, and most importantly "How I discovered them without Reversing or Fuzzing!!"



   Liang Chen, "TBD"

[Speaker Info]
==========
Liang Chen has strong research experience in software vulnerability exploitation and vulnerability discovery. Over the years, Liang's major research area has been browser exploitation, including Safari, Chrome, Internet Explorer, etc., on both PC and mobile platforms. Liang also researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2Own 2016. Liang is also the winner of the iPhone Safari category in Mobile Pwn2Own 2013 and the Mavericks Safari category in Pwn2Own 2014. Liang has spoken at several security conferences including XCON 2013, BlackHat USA 2016/2018, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015/2016/2017/2018, MOSEC 2017, RECon 2016, Infiltrate 2017, etc.

[Abstract]
==========

TBD



   Luca Todesco, "TBD"

[Speaker Info]
==========
Luca Todesco (@qwertyoruiop) has spent the past 4 years doing iOS-focused independent security research, and has been passionate about iOS for a decade. As a result, he has contributed to several public and private jailbreaks for iOS and PlayStation 4, and continues his research to this day.

[Abstract]
==========
TBD



   Nafiez, Jaan Yeh, "Hunting Vulnerability of Antivirus product"

[Speaker Info]
==========
Nafiez (@zeifan) is an independent security researcher. He is a fan of memory corruption and has discovered a number of vulnerabilities. He is passionate about vulnerability research, reverse engineering and malware analysis, and occasionally blogs about his security findings at https://nafiez.github.io/. He has helped organize international CTFs for HITB and the local CTF Wargames.MY.
Jaan Yeh (@iamyeh) has more than 10 years of experience in the anti-virus field and currently works at Carbon Black as a Threat Researcher. He is a member of the Hack In The Box (HITB) Core Crew and Capture the Flag (CTF) 3.0, and has developed challenges for the CTF at HITB and Wargames Malaysia for the past 8 years.

[Abstract]
==========
These days antivirus software is part of computers, servers, smartphones and ATM machines, and even large corporations and enterprises still rely on antivirus as one of their methods to detect and prevent malicious attacks and outbreaks. Of course, antivirus software has its pros and cons, but it has often been mistrusted because its mechanisms have failed to protect users. We will discuss the security perspective on various antivirus products. Antivirus products are known to be of poor quality from a security perspective, something that needs attention from vendors. They are prone to different types of vulnerabilities, and in some cases the issues are the lowest-hanging fruit and quite trivial to exploit. In this talk, we will discuss why antivirus fails from a security perspective, how one can simply find a critical vulnerability, and the attack classes involved. Besides that, we will discuss how we rate the criticality of the security issues found in antivirus products. Our discussion will include the methodology of the assessment, techniques, tools and how the issues can be exploited.



   Qian Chen, "Bug Hunting in Synology NAS"

[Speaker Info]
==========
Qian Chen is a security engineer of Qihoo 360 Nirvan Team. He mainly focuses on the security of embedded devices.

[Abstract]
==========

Network Attached Storage (NAS) is a device that makes storage available on a network. It is mainly used to provide centralized, shared storage for digital files. Synology, the leader in the small-business and home NAS area, offers a wide range of network-attached storage choices for every occasion.
With the increasing usage of Synology NAS, it is essential to secure these devices because they can contain sensitive information and are often exposed to the Internet.
In this talk, we will introduce the steps to prepare the environment for bug hunting, the protocol used to discover the devices in the local area network, the flows that process requests, and so on. Then we will share some vulnerabilities found from both the local and the remote attack perspective.



   Yongtao Wang, "A Whole New Perspective In SSRF: MAKE IT GREAT AGAIN AND Ignore Most Of SSRF DEFENSE SOLUTIONS THAT WE KNOWN"

[Speaker Info]
==========
Yongtao Wang (@by_Sanr) is Leader of the Red Team at BCM Social Corp. He has profound experience in wireless security and penetration testing, and his research interests include Active Directory and threat hunting. He has shared research results at the China Internet Security Conference (ISC), Blackhat, Codeblue, POC, CanSecWest, HackInTheBox, etc.
Yang Zhang (izy) is a security researcher at BCM Social Corp with rich experience in application security and penetration testing, leader of the Back2Zero Team and a core member of the XDSEC Team. He currently focuses on security research in application security, cloud security and blockchain security, and has spoken at internationally renowned security conferences.
Kunzhe Chai (Anthony) is Chief Information Security Officer at BCM Social Corp, founder of PegasusTeam and author of the well-known security tool MDK4. He is the maker of China's first Wireless Security Defense Product Standard and the world's first inventor of fake base station defense technology. He leads his team in sharing research results at HackInTheBox (HITB), BlackHat, DEFCON, CanSecWest, CodeBlue, POC, etc. Follow him on Twitter at @swe3per.

[Abstract]
==========

In this presentation, we will start with some traditional SSRF attack chains before introducing our research. After that, we will exhibit a new attack surface and demonstrate how it ignores SSRF protections and can even result in RCE (Remote Command Execution). In the end, we will also disclose a number of vulnerabilities that exist in prevalent programming languages and fundamental libraries, and describe them in real-world attack scenarios that have never been noticed before.



   Zhiyang Zeng, "Safari Adventure: A Dive into Apple Browser Internals"

[Speaker Info]
==========
Zhiyang Zeng (a.k.a. Wester) currently works as a security researcher at Tencent Blade Team, mainly focusing on penetration testing, browser and web security. He has been acknowledged by well-known vendors including Apple, Google, Microsoft, and PayPal for his contributions in discovering vulnerabilities in their systems and improving the security of their products.

[Abstract]
==========

The browser is a perpetual topic in the field of cyber security, and what we are witnessing today is a more mature and somewhat less volatile browser market. According to the latest market statistics report, Safari is the second most popular browser behind Chrome. The main part of this presentation will focus on the "Safari Adventure": we will take a deep dive into Safari internals and explain different kinds of attack vectors targeting multiple components, such as the user interface, security features, the just-in-time compiler, and the SafariServices framework. Specifically, I am going to illustrate how I found 6+ CVEs in Safari within one year.




Speakers & More information will be added soon.



POC will show you only technical, creative and very interesting topics. Marketing and commercial presentations are not allowed!


SPONSORS

Platinum Sponsor

Gold Sponsor

Silver Sponsor

Party Sponsor

Copyright(c) 2006 ~ Powerofcommunity All rights reserved.