SPEAKERS   


Listed speakers' names in alphabetical order.

 


  Alex Plaskett, "Pwning the Windows 10 Kernel with NTFS and WNF"

[Speaker Info]
==========
Alex Plaskett is a Security Researcher at NCC Group. He specialises in vulnerability identification and exploitation and has found and exploited vulnerabilities in a wide range of high profile products. Alex was previously leading teams in multiple areas of security (Fintech, Mobile Security), competing at multiple Pwn2Own’s and just generally causing vendors to patch things.


[Abstract]
==========

A local privilege escalation vulnerability (CVE-2021-31956) 0day was identified as being exploited in the wild by Kaspersky. At the time it affected a broad range of Windows versions (right up to the latest and greatest of Windows 10).
With no access to the exploit or details of how it worked other than a vulnerability summary the following plan was enacted:

1. Understand how exploitable the issue was in the presence of features such as the Windows 10 Kernel Heap-Backed Pool (Segment Heap).
2. Determine how the Windows Notification Framework (WNF) could be used to enable novel exploit primitives.
3. Understand the challenges an attacker faces with modern kernel pool exploitation and what factors are in play to reduce reliability and hinder exploitation.
4. Gain insight from this exploit which could be used to enable detection and response by defenders.

The talk covers the above key areas and provides a detailed walk through, moving from introducing the subject, all the way up to the knowledge which is needed for both offense and defence on modern Windows versions.




  ALT & Kang Li, "AI Model Fuzzing: Finding Vulnerabilities in TensorFlow"

[Speaker Info]
==========
ALT is a senior security researcher from Baidu Security. He is experienced in both offensive and defensive security on confidential computing, system security, and mobile security. Over the years, he has also discovered various TEE and iOS framework vulnerabilities with 20+ CVEs credited by Google, Microsoft, and Apple.

KANG is the director of Baidu Security Research. He is a frequent speaker at BlackHat and POC. Over the years, he has discovered vulnerabilities in various systems from CDN to DNS, and from Mobile Bootloader to Deep Learning Frameworks.


[Abstract]
==========

Due to data scalability and training cost considerations, developers often use third-party AI models to build AI applications. Consequently, the risk of using bad AI models as an attack vector arises. Bad AI models can trigger AI framework vulnerabilities in different phases, including model optimization, training, inference, etc. However, traditional fuzzing methods based on input mutation become ineffective given the complexity of modern AI frameworks. In this talk, we will share our experience and results on fuzzing TensorFlow.




  Dawn Security Lab, "Mystique in the House: The Droid Vulnerability Chain That Owns All Your Userspace"

[Speaker Info]
==========
Chris is the Director and Chief researcher of Dawn Security Lab. He has got hundreds of CVEs from Google, Apple, Samsung etc and is one of the top researchers of Android Security Rewards Program. He has won Pwn2Own champion multiple times and was the speaker of BlackHat, DEFCON, CanSecWest, RECON, MOSEC, etc.


[Abstract]
==========

The Android Application Sandbox is the cornerstone of the Android Security Model, which protects and isolates each application’s process and data from the others. Attackers usually need kernel vulnerabilities to escape the sandbox, which by themselves proved to be quite rare and difficult due to emerging mitigations and attack surfaces tightened.

However, we found a vulnerability in the current newest Android 11 stable that breaks the dam purely from userspace. Combined with other 0days we discovered in major Android vendors forming a chain, a malicious attacker app can totally bypass the Android Application Sandbox, owning any other applications such as Facebook and WhatsApp, reading application data, injecting code or even trojanize the application ( including unprivileged and privileged ones ) without user awareness. We named the chain "Mystique" after the famous Marvel Comics character due to the similar ability it possesses.

In this talk we will give a detailed walkthrough on the whole vulnerability chain and bugs included. On the attack side, we will discuss the bugs in detail and share our exploitation method and framework that enables privilege escalation, transparently process injection/hooking/debugging and data extraction for various target applications based on "Mystique", which has never been talked about before. On the defense side, we will release a detection SDK/tool for app developers and end users since this new type of attack differs from previous ones, which largely evade traditional analysis.




  Igor Sak-sakovskiy, "Fuzzing web-app messages"

[Speaker Info]
==========
Igor Sak-sakovskiy is a senior specialist, Positive Technologies and PT SWARM Team member


[Abstract]
==========

This talk details a new technique which exploits the logic of html parsers to produce client-side attack vectors against website chat and messenger functions. This area of application testing is mature, having developed over the last ten years and includes established security standards. As a result, new attack techniques are hard to come by.




  JingLi Hao, "Hackers who come from the sky"

[Speaker Info]
==========
JingLi Hao is a researcher of 360 company, Satellite and network security expert, Long engaged in satellite communication security research, The pioneer of China's satellite security, Speaker of HITB, MOSEC, CIS, POC, Core member of Space Hacker Group, Personal website: http://openats.cn.


[Abstract]
==========

This topic will start with the DVB-S2 protocol commonly used in satellite Internet, and analyze the communication data from the satellite network by calling and writing the function of the satellite modem card. There are security problems in the network, and explain the data leakage caused by the insecure application of its iDirect X3 modem and how to tamper with the ID of the modem to deceive the network management system and invade the satellite network from the air.




  Lei Cao, "Discovering Vulnerabilities by Studying 0-Day In the Wild"

[Speaker Info]
==========
Lei Cao(@iamelli0t) from Sangfor Deepinsight Lab


[Abstract]
==========

0-day is the silver bullet for APT (Advanced Persistent Threat). By studying 0-day exploits which were captured in the wild, we may be able to infer the capabilities and tendentiousness of real-world attackers.
In August 2020 Windows Security Update, Microsoft patched some in the wild 0-day exploits. It is revealed that attackers used one vulnerability in Internet Explorer to get remote code execution and chained with another vulnerability in splwow64 to get privilege escalation. By analyzing the two vulnerabilities, I reproduced the full exploit chain successfully and discovered some similar vulnerabilities which maybe has been exploited by real-world attackers already.
This topic presents the root cause analysis of the two vulnerabilities, shows how to reproduce the full exploit chain and discloses the details of some similar vulnerabilities I found by studying 0-day in the wild.




  Man Yue Mo, "Attacking Race Conditions in Chrome"

[Speaker Info]
==========
Man Yue Mo is a senior security researcher at GitHub Security Lab. He specializes in Chrome and Android security and had discovered and published exploits for a number of vulnerabilities in these platforms.


[Abstract]
==========

Race condition is not a type of vulnerability that is commonly associated with Chrome. With javascript being single-threaded and the browser process running only on two threads (the UI and the IO thread), it is not difficult to see why this type of bugs is overlooked. Yet a cursory look at the publicly disclosed vulnerabilities in Chrome reveals that many of them, including some that are exploited in the wild, involve some kind of race conditions or timing issues.

For example, CVE-2019-5786(Clement Lecigne, Google TAG) and CVE-2019-13720(Anton Ivanov and Alexey Kulaev at Kaspersky Labs) are both UAF due to race conditions that had been exploited in the wild, while many the sandbox escapes also involves race conditions (e.g. Issue 1062091 (Tim Becker), Issue 1125614 (myself)).

In this talk, I'll use a number of publicly disclosed vulnerabilities and to illustrate some typical situations where race conditions can arise in Chrome, as well as discussing some techniques that an attacker can use to manipulate the timing and exploit these issues.




  Mathy Vanhoef, "Exploiting WPA3 Networks: New Vulnerabilities and Defenses"

[Speaker Info]
==========
Mathy Vanhoef is a professor at KU Leuven University in Belgium. He previously presented at Black Hat, DEF CON, CCC, and other conferences worldwide. Most notably, he discovered the KRACK attack against WPA2 and the Dragonblood attack against WPA3. He's interested in computer security with a focus on network and wireless security, software security, and applied cryptography. In these areas, Mathy tries to bridge the gap between specifications and real-world code.


[Abstract]
==========

In the last few years, we've seen major advancements in Wi-Fi security. Most notably, on the defense side we have had the release of WPA3, and on the attack side we've seen vulnerabilities such as KRACK and more recently FragAttacks. How does this change how we should test the security of Wi-Fi networks? And how do we securely configure Wi-Fi networks nowadays?

To answer these questions, this presentation starts by giving an overview of recent Wi-Fi vulnerabilities. This includes a recap of the KRACK and FragAttacks vulnerabilities as well as other notable implementation vulnerabilities. While doing so, two new Wi-Fi vulnerabilities in the OnePlus 6 smartphone will be released.

The second part of the presentation discusses two new defenses that can mitigate future Wi-Fi vulnerabilities: beacon protection and operating channel validation. These defenses are part of the latest Wi-Fi standard and you can think of them as the stack canaries of Wi-Fi. I will discuss the advantages and limitations of both defenses, how you can test whether they are enabled, and how to configure them on Linux.




   Mengyun Tang & Tony Huang & Kevin Zhang, "From Attack to Defense: Towards AI Model Security Protection"

[Speaker Info]
==========
Mengyun Tang is currently working as a senior researcher at Tencent Zhuque Lab and holds broad experience in AI security and computer vision. Her research results have been published on NDSS, TIFS, and ECCV, etc. She is also a speaker of DEF CON, CanSecWest, HITB, and CIS.

Tony Huang is an intern as a security researcher at Tencent Zhuque Lab. His research interests include AI security and computer vision.

Kevin Zhang is an undergraduate student at Peking University. He is interested and conducting research in privacy security and AI attack methods.


[Abstract]
==========

With the development of deep learning, AI models have made great progress in various fields, such as computer vision and natural language processing. Until now, training a high-quality AI model is still a burdensome and costly task, requiring well-designed networks, large amounts of data, strong computing power, and etc. Consequently, well-trained AI models may value up to millions of dollars.

Usually, an AI model only provides an API interface and is isolated from users. Thus the remote deployed AI model typically to be considered safe and secure. However, in this talk, we will show how to steal a deployed AI model with distillation easily, which uses the outputs of the model as ground truth to retrain a surrogate model. The results show that the surrogate model has a similar performance to the deployed one. Thus the attackers can sell the stolen surrogate model for profit. Such an attack sounded the importance of AI model copyrights. Unfortunately, due to the nature of AI models, proving "ownership" and catching this cyber thief can be especially hard.

To mitigate the threats brought by the attack mentioned before, we introduce model watermarks, serving as a copyright trap. Such a watermark is added into the outputs of the models and is imperceptible to human eyes. Therefore, it has high concealment, and is hard for the model stealers to notice whether a model is protected by our model watermark. Predetermined model information (e.g., text or image identifiers) can be embedded in this watermark and can be extracted by a well-trained extractor. Once someone tries to steal the model, the watermark will also be embedded into the surrogate model. The owner of the original model can use the extractor to verify the outputs of suspicious models for identifying whether the model is a derivative one. Moreover, our proposed watermark has excellent robustness against common watermark attacks, meaning it can reliably safeguard valuable AI models without being maliciously removed.

To sum up, this talk will discuss the security of AI models from the sides of attack and defense. From the attack side, we will give an overview of how an AI model is created and deployed, and then show how to steal it with model distillation. From the defense side, we will detail our exploitation method based on the model watermark and share our experience on AI model copyright protection.




  Orange Tsai, "The Proxy Era of Microsoft Exchange Server"

[Speaker Info]
==========
Cheng-Da Tsai, aka Orange Tsai, is the principal security researcher of DEVCORE, CHROOT security group member, and captain of HITCON CTF team in Taiwan. He is the Pwn2Own 2021 "Master of Pwn" champion and also as the speaker in conferences such as Black Hat USA/ASIA, DEF CON, HITCON, HITB GSEC/AMS, CODE BLUE, and WooYun!

Orange participates in numerous CTF and won second place in DEF CON CTF 22/25/27 as team HITCON. Currently, Orange is a 0day researcher focusing on web/application security, his research is not only the Pwnie Awards winner for "Best Server-Side Bug" 2019/2021 but also the first place in "Top 10 Web Hacking Techniques" of 2017/2018. Orange also enjoys bug bounties in his free time. He is enthusiastic about the RCE bugs and uncovered RCEs in numerous vendors such as Twitter, Facebook, Uber, Apple, GitHub, Amazon, and so on.

You can find him on Twitter @orange_8361 and blog http://blog.orange.tw/


[Abstract]
==========

Microsoft Exchange Server is an email solution widely deployed within government and enterprises, and it is an integral part of both their daily operations and security. Needless to say, vulnerabilities in Exchange have long been the Holy Grail for attackers, hence our security research on Exchange. Surprisingly, we've found not only critical vulnerabilities such as ProxyLogon, but a whole new attack surface of Exchange.

This new attack surface is based on a significant change in Exchange Server 2013, where the fundamental protocol handler, Client Access Service (CAS), splits into frontend and backend. In this fundamental change of architecture, quite an amount of design debt was incurred, and, even worse, it introduced inconsistencies between contexts, leading us to discover this new attack surface.

To unveil the beauty of this attack surface and our novel exploitation, we'll start by analyzing this architecture, followed by 8 vulnerabilities that consist of server-side bugs, client-side bugs, and crypto bugs found via this attack surface. In the end, these vulnerabilities are chained into 4 attack vectors that shine in different attack scenarios: ProxyLogon, ProxyShell, ProxyOracle and ProxyRelay. These attack vectors enable any unauthenticated attacker to uncover plaintext passwords and even execute arbitrary code on Microsoft Exchange Servers through port 443, which is exposed to the Internet by ~400K Exchange Servers.

This attack surface has its unparalleled impact for a reason: security researchers tend to find vulnerabilities from a certain perspective, such as digging for memory bugs, injections, or logic flaws, but we took a different approach by looking at Exchange from a high-level architectural view and captured this architecture-level attack surface, which yielded multiple vulnerabilities. We hope this brings a new paradigm to vulnerability research and inspires more security researchers to look into Exchange Server. Last but not least, we'll provide hardening actions to mitigate such types of 0days in Exchange.




  Tamir Zahavi-Brunner, "Elevating the TrustZone to Achieve a Powerful Android Kernel Exploit"

[Speaker Info]
==========
Tamir Zahavi-Brunner's main areas of focus are reverse engineering and vulnerability research of mobile and low-level embedded software. Previously, Tamir was a security researcher at Zimperium where he discovered and reported many Android vulnerabilities.


[Abstract]
==========

In today's mobile security world, where attack surfaces are constantly being tightened and new mitigations keep being introduced, kernel exploits are a highly complex matter. This imposes multiple obstacles for anyone looking to develop such exploits. First, reliability is an issue. The involvement of many moving parts (e.g. race conditions, heap grooming) makes reliably exploiting the kernel a very hard task. Second, even once you manage to build a successful exploit, there is then the cumbersome process of carefully adapting it for each device/version you wish to run it on.

In this talk, I will present a different approach to Android kernel exploitation, intended to overcome the obstacles mentioned above. I will describe a vulnerability I found in the Android kernel (CVE-2021-1961), and the interesting way I exploited it.

My exploitation method revolves around utilizing an even higher privileged component, the TrustZone. By doing this, I managed to overcome all existing security mitigations in the Android kernel, creating a 100% reliable exploit. Not only that, but the exploit is powerful enough to work on all combinations of devices/versions without requiring any code adaptation. In the talk, I will discuss what makes this exploitation technique so powerful, how come it bypasses existing mitigations so easily and why it should probably even bypass future expected mitigations.

Besides the exploit itself, I will go into details about the communication protocol between the kernel and the Qualcomm TrustZone (AKA QSEE), and where its weaknesses lie. Additionally, I will explain how you can start your own research in this area.

To complete the talk, I will describe another Android vulnerability I found and exploited, and how they both could be chained together in order to achieve a full Android root exploit.




  Yunhai Zhang, "How Did Printers Become Nightmares?"

[Speaker Info]
==========
Yunhai Zhang is Director of NSFOCUS TIANJI LAB. He has worked on information security for more than a decade.
He has spoken at many security conferences in the past, such as Blackhat, Bluehat, DEFCON, POC, TSec, XCon, etc. He has won the Microsoft Mitigation Bypass Bounty 5 years in a row since 2014. He was nominated for Pwnie Award in 2021.


[Abstract]
==========

PrinterNightmare is one of the most popular topics on security this summer. You may wonder why it came again and again. This is because it is not just one vulnerability, but a series of interesting logical vulnerabilities in printer spooler services.

This presentation will review these printer spooler vulnerabilities and their predecessors to explain how they are found, and then analyze the patches for each of them to figure out why they fail to solve the problem and how to fix properly. Finally, some improvement proposal will be given to make printer spooler services more secure.





Speakers & More information will be added soon.



POC will show you only technical, creative and very interesting topics. Marketing and commercial presentation is not allowed!


SPONSORS










SUPPORTING FRIENDS



Copyright(c) 2006 ~ Powerofcommunity All rights reserved.