SPEAKERS  


List arranged alphabetically by speaker name.

 


   Aaron Adams, "How CVE-2018-8611 can be exploited to achieve privilege escalation on Windows 10 1809 and earlier."

[Speaker Info]
==========
Aaron Adams (@fidgetingbits) is a security researcher in NCC Group's Exploit Development Group. He has been working in computer security for over 15 years, over that time working on vulnerability and malware analysis, code auditing, reverse engineering, and exploitation. Since joining NCC Group he has published research on exploiting public vulnerabilities in the Windows kernel, Samba, Xen, Cisco ASA, etc.


[Abstract]
==========

This talk will discuss how CVE-2018-8611 can be exploited to achieve privilege escalation on Windows 10 1809 and earlier. This research was done without getting a chance to analyze the in-the-wild 0day exploit that led to the bug being patched by Microsoft, but rather by patch diffing and following some minimal public information as a starting point.

This presentation will go through the following:
- Windows Kernel Transaction Manager (KTM) internals
- Analyzing and winning the CVE-2018-8611 race condition vulnerability
- Abusing a fairly restrictive while loop to build a limited write primitive
- Building an arbitrary read primitive
- Escalating privileges and escaping the loop



   Chao Zhang, "Revery: from POC to EXP"

[Speaker Info]
==========
Dr. Chao Zhang is an Associate Professor at Tsinghua University. He was a member of the CTF team Blue-Lotus and is now its coach. His research interest lies in system and software security, especially in vulnerability analysis. His automated vulnerability detection solutions have found over 200 CVE vulnerabilities. He co-led the CodeJitsu team from UC Berkeley and built an automated system, Galactica, which performed excellently in the Cyber Grand Challenge launched by DARPA.

[Abstract]
==========

Vulnerability assessment, especially exploitability assessment, is important for both defenders and attackers. Automated exploit generation (AEG) is an important way to assess the exploitability of vulnerabilities. However, AEG is an open challenge. In some cases, the given proof-of-concept (PoC) input, which triggers the vulnerability, could exercise a crashing path but could not enter an exploitable program state. In this talk the speaker will introduce a solution Revery to this specific challenge.



   Cristofaro Mune & Niek Timmers, "Using Fault Injection for Turning Data Transfers into Arbitrary Execution"

[Speaker Info]
==========
Cristofaro Mune has 15+ years of experience in SW & HW security assessment of highly secure products. He has given talks at renowned security conferences, such as BlackHat, BlueHat, HITB, WarCon and hardwear.io, on Fault Injection (EoP and Encrypted Secure Boot bypass), TEEs, White-Box cryptography, IoT exploitation and mobile security.
Niek Timmers (MSc) is an independent Device Security Expert at TwentyTwo Security. Niek has been analyzing and testing the security of devices for over 10 years. Usually Niek's interest is sparked by technologies where the hardware is fundamentally present. Niek has shared his research on topics like secure boot and fault injection at various conferences, such as Black Hat, Bluehat and hardwear.io.

[Abstract]
==========

Unprivileged data is often transferred across multiple security boundaries.
In secure systems, such data is carefully checked, handled and sanitized, often leaving little chance for exploitable software vulnerabilities.

We have already demonstrated that fault injection could achieve the following on ARMv7 systems (PC directly addressable):

1) [2016]: precise control of Program Counter from data transfers.
2) [2017]: Linux kernel code execution from userspace.
3) [2019]: Encrypted Secure Boot bypass without knowledge of the actual encryption key.

Nonetheless, the full potential of the underlying concepts has not been publicly discussed until now.
In our talk, we go through techniques for turning a transfer of attacker-controlled data into a fully fledged execution primitive.

Additionally, we share for the first time techniques that allow for PC control on architectures where PC is not directly addressable.
Such techniques could be applied to ARMv8 devices, including mobile phones, potentially achieving 1), 2) and 3), without relying on any software vulnerability.



   Denis Kolegov & Anton Nikolaev, "Machine learning implementation security in the wild"

[Speaker Info]
==========
Denis Kolegov is a principal security researcher at BiZone LLC and an associate professor of Computer Security at Tomsk State University.
His research focuses on network security, machine learning security, web application security, cryptography engineering and covert communications. He holds a PhD and the academic rank of associate professor. Denis has presented at various international security conferences, including Power of Community, DeepSec, Area41, SecurityFest, Zero Nights, Positive Hack Days, InsomniHack and SibeCrypt.
Anton Nikolaev is a security developer at BiZone LLC and a post-graduate student at the Computer Security department of Tomsk State University. Anton is also the lead developer of the open-source Grinder framework and a contributor to the SD-WAN New Hope and AISec projects. He has given talks at different international security conferences, such as Zero Nights and Positive Hack Days.

[Abstract]
==========

In this talk, we will present the results of an Internet-wide survey on the implementation security of practical machine learning systems. We will show that many machine learning related systems suffer from low-hanging-fruit implementation vulnerabilities that can compromise the security of machine learning. In our presentation, we will describe the methodology of the survey and the automation framework used. We will also disclose the vulnerabilities found in widespread and most popular machine learning products and technologies.



   Gengming Liu & Jianyu Chen, "Chrome Exploitation"

[Speaker Info]
==========
Gengming Liu is a security researcher at KeenLab of Tencent. He has mostly focused on browser security in recent years. He participated in Pwn2Own in 2016 & 2017 and won "Master of Pwn" with Tencent Security Team Sniper. He also won the Chrome Pwnium Bounty in 2019. He is also a fan of CTF games: he is the captain of the eee CTF team and the former captain of the AAA CTF team. Gengming has spoken at several security conferences, including BlackHat USA 2019 and CanSecWest 2017.
Jianyu Chen is a security researcher at KeenLab of Tencent. His interest lies in penetration testing and browser security. He is also a member of CTF team AAA (sometimes A*0*E) and has participated in DEFCON 26 & 27. He has developed a Chrome sandbox escape (together with Gengming Liu).

[Abstract]
==========

Browser security is always a prevalent topic in security research. Due to great design and long-term effort, browsers have become more and more secure. The last time Chrome was pwned in Pwn2Own dates back to Mobile Pwn2Own 2016. In that contest, we, Keen Security Lab of Tencent, pwned the Nexus 6P via the Chrome browser. This year, we won the Chrome Pwnium (guest-to-guest persistent root via webpage), which is the most valuable award in the Chrome bounty.
As we all know, exploitation is also a key point in pwning contests. It requires full and in-depth knowledge of the target. In our talk, we will share some novel exploitation techniques we used in Pwn2Own and Pwnium. For instance, although most researchers have realized that the JIT is a good target for bug hunting in JavaScript engines, few people notice that it could also be used for exploitation. We will show how we used some general JIT fragments to exploit low-quality bugs.
Besides, we'll share our research on Chrome sandbox escape. We will introduce some practical methods in sandbox exploitation, including a data-only attack for CFI bypass.
Finally, we will bring a demo of a full-chain exploitation of Chrome on Linux.



   James Forshaw, "Reimplementing Local RPC in .NET"

[Speaker Info]
==========
James Forshaw is a security researcher in Google's Project Zero. He has been involved with computer hardware and software security for over 10 years, looking at a range of different platforms and applications. With a great interest in logical vulnerabilities, he has been listed as the #1 researcher for MSRC, as well as being a Pwn2Own and Microsoft Mitigation Bypass bounty winner. He has spoken at a number of security conferences, including Black Hat USA, CanSecWest, Bluehat, HITB, and Infiltrate.

[Abstract]
==========

Finding privilege escalation in local Windows RPC servers is the new hotness. Unfortunately, the standard Microsoft tooling only generates code for C/C++, which presents a problem for anyone wanting to write proof-of-concepts in a .NET language such as C# or PowerShell.
This presentation will go through the various tasks I undertook to implement a working implementation, including:
- Assessing the best approaches to implementing an RPC client in .NET.
- Reverse engineering the APIs to identify the low-level ALPC implementation.
- Implementing NDR parsing and serialization.
- PowerShell integration.
The presentation will finish up with some details of one of the bugs I discovered with the new tooling. The tooling itself will be available to all.



   Jaanus Kääp, "Attacking Hyper-V"

[Speaker Info]
==========
Jaanus Kääp works as a security researcher, penetration tester, and developer at Clarified Security. Over the last few years he has mostly focused on finding vulnerabilities in Windows and the software around it. He has been in the MSRC top list for 4 years and is currently trying to find the energy to convert his Hyper-V research into a master's thesis. This talk is about that research.

[Abstract]
==========

Until this year's BlackHat presentation from Apple, the highest bug bounties were offered by Microsoft for Hyper-V vulnerabilities. But even now, when the bug bounties are no longer the highest in the industry, they are still highly motivating. It is therefore interesting that only a few vulnerabilities are reported, and out of these only very few are reported by non-Microsoft researchers. This might be because the entry level for Hyper-V research is quite high and there is not enough public information nor tooling available for it. While Microsoft has released more information about it over the last few years, there is still a lack of tools and knowledge about Hyper-V outside Microsoft itself.
This talk tries to change this a bit by describing the attack surface, inner workings, and the necessary engineering methods and tools for testing it from an outside researcher's perspective. The speaker will make his toolset public, which will hopefully help newcomers to this topic in testing, fuzzing and analyzing Hyper-V.



   JingLi Hao, "Threat From The Satellite"

[Speaker Info]
==========
JingLi Hao is from 360 Company, a member of 360 Unicorn Team and a researcher at the 360 Security Research Institute. He is a satellite hacker from China and a speaker at HITB 2019 and MOSEC 2019.
Wanqiao Zhang is a member of the 360 Security Institute and UnicornTeam. She focuses on security research of communication, civil aviation radio, satellite communication, etc. She has spoken at DEFCON, POC, RUXCON and MOSEC.

[Abstract]
==========

In today's global satellite communication systems, the main component of the satellite payload is the transponder, and different communication systems use different types of transponder. Because the power available on a satellite is scarce and precious, equipment traditionally used on the ground cannot simply be moved onto the satellite; moreover, certain characteristics of satellites, such as the impossibility of changing hardware after launch, mean that traditional system maintenance cannot meet the needs of satellite communications.
Consequently, satellite transponders contain a large number of "bent-pipe" payloads, which have remained in use to date and are still being manufactured, and this type of payload is widely used in satellite systems. This talk will discuss the principles and defects of this payload, including some technical parameters and frequency information commonly used by this class of payload. Against such a payload, an attacker can easily achieve interference, forgery, eavesdropping and other attacks on satellite communication, posing a great threat to the communication data.
At the same time, modems are a necessary device for satellite communications. Research found that modems from one of the world's most widely used brands, Comtech, have a vulnerability in the device's remote control function, which allows an illegal user to forge control information so that the normal satellite communication link is shut down.
This talk will show a video of this attack and its effect on data forgery. This vulnerability was first disclosed at a conference, and it does not only exist in the Comtech brand.



   Kang Li, "Checking Defects in Deep Learning AI Models"

[Speaker Info]
==========
Kang Li is a professor of computer science and the director of the Institute for Cybersecurity and Privacy at the University of Georgia. His research results have been published at academic venues such as IEEE S&P, ACM CCS, USENIX Security and NDSS, as well as industrial conferences such as BlackHat, DEFCON, SyScan, and ShmooCon. Dr. Kang Li is the founder and mentor of multiple CTF security teams, including SecDawg and Blue-Lotus. He was also a founder and player of Team Disekt, a finalist team in the 2016 DARPA Cyber Grand Challenge.

[Abstract]
==========

As AI applications gain popularity, deep learning neural networks are increasingly deployed in smartphones, edge servers, and the cloud. At the heart of these deep learning applications are AI models, which include a structure of various types of neural network layers and the weights (parameters) used by each layer.

Although the core concept inside a deep learning AI model is common, there is currently no uniform standard for representing AI models. Each popular DL framework, such as TensorFlow and Caffe2, uses its own format. In addition, vendors such as XiaoMi, Qualcomm and Tencent all come up with their own model formats. Because of the lack of a unified standard, some vendors also introduce vendor-specific information into the AI models, for the purpose of better description or obfuscation. Some even include embedded hardware instructions in the model. Most DL frameworks and run-time systems perform some sanity checks on AI models before loading them from applications. However, the properties being checked are ad hoc. A framework or its run-time environment can load an AI model with defects or containing malformed neural networks.

This talk presents a static checker that finds defects in AI models. We inspect AI models from multiple applications, covering seven different AI model formats. The checker can detect flaws such as inconsistent data dimensions and topology errors in neural networks. The checker also highlights the vendor-specific content in AI models. We show that such defects, if not detected, can cause damage to the run-time environments and create security risks for deep learning applications. The dangers to be shown in this presentation include system hangs, crashes, and leaks of critical application and user information. These flaws affect DL frameworks from well-known mobile vendors, and DL systems that support cloud-based AI services.



   Kushal Arvind Shah, "Software Zero-Day Discovery - How To? Targets/Seeds? Methods - Fuzzing, Reverse-Engg, 'Neither'??"

[Speaker Info]
==========
Kushal Arvind Shah works at Fortinet's FortiGuard Labs. His research areas are vulnerability discovery, penetration testing, etc. He has many 0-day credits and Hall of Fame listings (Microsoft, Google, Adobe, Cisco, Intel, Samsung, Facebook, Tableau, Nvidia, Foxit Software, Hancom, Schneider Electric, Amazon, SAP and many more).

[Abstract]
==========

Software Zero [0]-Day Discovery has been pursued by many researchers since the time software was first developed. Over the years, many researchers have shared their strategies, tools, etc., in the hope of aiding other researchers in the field in this Art.
This talk is about several things Critical BUT Not Explained in the whole Software Zero-Day Discovery approach, such as the following:
1) How to find recent Zero-Day Vulnerability details & their PoCs?
2) Which Targets to select and How to Build/Use them?
3) How to find and build a corpus for the Selected Targets?
4) A brief intro to the common methods involved in 0-Day Discovery, like Fuzzing.
5) LASTLY, how to find Critical Vulnerabilities by Neither Fuzzing Nor Reverse Engineering. ;)
This talk will also include a "Live Demo" of some Recent Critical Vulnerabilities (in a Widely Used Product by a Big Vendor) I discovered, and most importantly "How I discovered them without Reversing or Fuzzing!!"



   Liang Chen, "TBD"

[Speaker Info]
==========
Liang Chen has strong research experience in software vulnerability exploitation and vulnerability discovery. During these years, Liang's major research area has been browser exploitation, including Safari, Chrome, Internet Explorer, etc., on both PC and mobile platforms. Liang also researches sandbox escape technology on various platforms. Liang led Tencent Security Team Sniper to win "Master of Pwn" in Pwn2Own 2016. Liang is also the winner of the iPhone Safari category in Mobile Pwn2Own 2013 and the Mavericks Safari category in Pwn2Own 2014. Liang has spoken at several security conferences, including XCON 2013, BlackHat USA 2016/2018, BlackHat Europe 2014, CanSecWest 2015/2016, POC 2015/2016/2017/2018, MOSEC 2017, RECon 2016, Infiltrate 2017, etc.

[Abstract]
==========

TBD



   Luca Todesco, "TBD"

[Speaker Info]
==========
Luca Todesco (@qwertyoruiop) has spent the past 4 years doing iOS-focused independent security research, and has been passionate about iOS for a decade. As a result, he has contributed to several public and private jailbreaks for iOS and PlayStation 4, and continues to research to this day.

[Abstract]
==========
TBD



   Nafiez, Jaan Yeh, "Hunting Vulnerability of Antivirus product"

[Speaker Info]
==========
Nafiez (@zeifan) is an independent security researcher. He is a fan of memory corruption and has discovered a number of vulnerabilities. He is passionate about vulnerability research, reverse engineering and malware analysis, and occasionally blogs about his security findings at https://nafiez.github.io/. He has helped organize the international CTF for HITB and the local CTF Wargames.MY.
Jaan Yeh (@iamyeh) has more than 10 years of experience in the Anti-Virus field. He currently works at Carbon Black as a Threat Researcher. He is a member of the Hack In The Box (HITB) Core Crew and Capture the Flag (CTF) 3.0, and has developed challenges for the CTF at HITB and Wargames Malaysia for the past 8 years.

[Abstract]
==========
These days, antivirus is part of computers, servers, smartphones and ATM machines, and even large corporations and enterprises still rely on antivirus as one of their methods to detect and prevent malicious attacks and outbreaks. Of course, antivirus software has its pros and cons, but antivirus has often been mistrusted because the software's mechanisms have failed to protect users. We will discuss the security perspective on various antivirus software. Antivirus products are known to be of poor quality from a security perspective, something that needs attention from vendors. Antivirus software is prone to different types of vulnerabilities; in some cases, antivirus issues were the lowest-hanging fruit and quite trivial to exploit. In this talk, we will discuss why antivirus fails from a security perspective, how one can simply find a critical vulnerability, and the attack classes involved. Besides that, we will discuss how we rate the criticality of security issues found in antivirus products. Our discussion will include the methodology of the assessment, techniques, tools and how the issues can be exploited.



   Qian Chen, "Bug Hunting in Synology NAS"

[Speaker Info]
==========
Qian Chen is a security engineer of Qihoo 360 Nirvan Team. He mainly focuses on the security of embedded devices.

[Abstract]
==========

Network Attached Storage (NAS) is a device that makes storage available on a network. It's mainly used for providing centralized and shared storage for digital files. Synology, the leader in the small-business and home NAS area, offers a wide range of network-attached storage choices for every occasion.
With the increasing usage of Synology NAS, it's essential to secure these devices because they can contain sensitive information and are often exposed to the Internet.
In this talk, we will introduce the steps to prepare the environment for bug hunting, the protocol used to search for the devices in the local area network, the flow of request processing, and so on. Then we will share some vulnerabilities found from both the local attack perspective and the remote attack perspective.



   Ryan Sherstobitoff, "Inside HIDDEN COBRA, North Korea’s cyber offensive programs "

[Speaker Info]
==========
Ryan Sherstobitoff is a Senior Analyst for Major Campaigns, Advanced Threat Research, at McAfee.
Ryan specializes in threat intelligence in the Asia Pacific region, where he conducts cutting-edge research into new adversarial techniques and adapts those to better monitor the threat landscape. He was formerly the Chief Corporate Evangelist at Panda Security, where he managed the US strategic response for new and emerging threats. Ryan is widely recognized as a security & cloud computing expert throughout the country.

[Abstract]
==========
In 2018 McAfee ATR began to re-focus on identifying and tracking the operations attributed to the Hidden Cobra / Lazarus group, in an effort to better understand and reveal activity never seen before. In this talk we will present research conducted by McAfee Advanced Threat Research into the threat actor known as Hidden Cobra and its various operations targeting different sectors over the years.

The actor known as Hidden Cobra is thought to be linked to the North Korean intelligence services and has been involved in numerous operations dating back to 2007. Over the course of 2018, McAfee ATR discovered several major campaigns linked to Hidden Cobra using complex and hidden implants aimed at gathering intelligence on targeted victims, disrupting their operations and generating hard currency for the regime through fraud operations. This talk will take a deep dive into the tactics, techniques and procedures of Hidden Cobra, as well as the developments in this actor's complex toolkit, including several new implant frameworks. This talk goes into detail about McAfee ATR's various investigations into Hidden Cobra and what we have learned as a result. We will also discuss our various partnerships with international law enforcement in our efforts to uncover the backend systems used by this actor. Finally, we will go behind the scenes of the Operation Sharpshooter case, which took us from the Rising Sun implant to the exposure of the backend C2 server.



   Yongtao Wang, "A Whole New Perspective In SSRF: MAKE IT GREAT AGAIN AND Ignore Most Of SSRF DEFENSE SOLUTIONS THAT WE KNOW"

[Speaker Info]
==========
Yongtao Wang (@by_Sanr) is Leader of the Red Team at BCM Social Corp. He has profound experience in wireless security and penetration testing, and his research interests include Active Directory and threat hunting. He has shared research achievements at the China Internet Security Conference (ISC), Blackhat, Codeblue, POC, CanSecWest, HackInTheBox, etc.
Yang Zhang (izy) is a security researcher at BCM Social Corp, with rich experience in application security and penetration testing, leader of the Back2Zero Team and a core member of the XDSEC Team. He is currently focusing on security research in application security, cloud security and blockchain security, and has spoken at internationally renowned security conferences.
Kunzhe Chai (Anthony) is Chief Information Security Officer at BCM Social Corp, founder of PegasusTeam and author of the well-known security tool MDK4. He is the maker of China's first Wireless Security Defense Product Standard and is also the world's first inventor of fake base station defense technology. He leads his team in sharing their research results at HackInTheBox (HITB), BlackHat, DEFCON, Cansecwest, CodeBlue, POC, etc. Follow him on Twitter at @swe3per.

[Abstract]
==========

In this presentation, we will start with some traditional SSRF attack chains before introducing our research. After that, we will exhibit a new attack surface and demonstrate how it bypasses SSRF protections and can even result in RCE (Remote Command Execution). In the end, we will also disclose a number of vulnerabilities that exist in prevalent programming languages and fundamental libraries, and describe them in real-world attack scenarios which have never been noticed.



   Zhiyang Zeng, "Safari Adventure: A Dive into Apple Browser Internals"

[Speaker Info]
==========
Zhiyang Zeng (a.k.a. Wester) currently works as a security researcher at Tencent Blade Team, mainly focusing on penetration testing, browser and web security. He has been acknowledged by famous vendors including Apple, Google, Microsoft, and PayPal for his contribution in discovering vulnerabilities in their systems and improving the security of their products.

[Abstract]
==========

Browsers are a perpetual topic in the field of cyber security, and what we are witnessing today is a more mature and somewhat less-fluctuating browser market. According to the latest market statistics report, Safari is the second most popular browser behind Chrome. The main part of this presentation will focus on the "Safari Adventure": we'll take a deep dive into Safari internals and explain different kinds of attack vectors targeting multiple components, such as the User Interface, Security Features, the Just-in-time compiler, and the SafariServices framework. Specifically, I am going to illustrate how I found 6+ CVEs in Safari within one year.




Speakers will be added soon / More information will be added soon.



POC will show you only technical, creative and very interesting topics. Marketing and commercial presentations are not allowed!


SPONSORS


SUPPORTING FRIENDS



Copyright(c) 2006 ~ Powerofcommunity All rights reserved.