Alex Ionescu is the Vice President of Endpoint Engineering, Founding Chief Architect at CrowdStrike, Inc., and Founder of Winsider Seminars & Solutions Inc. As a world-class security architect and consultant expert in low-level system software, kernel development, security training, and reverse engineering, his work has led to the fixing of many critical kernel vulnerabilities, as well as dozens of non-security bugs, and he has also contributed to patches and development in two major commercially used operating system kernels. He is coauthor of the last three editions of the Windows Internals series, along with Andrea Allievi, Mark Russinovich, and David Solomon.
Responsible for identity, corporate infrastructure, adversarial incident response, and security infrastructure, Ben leads LinkedIn's Security Engineering and Operations organization.
David Weston is the Director of OS Security at Microsoft where he currently leads the Windows Device Security and Offensive Security Research teams. David has been at Microsoft working on penetration testing, threat intelligence, platform mitigation design, and offensive security research since Windows 7. He has previously presented at security conferences such as Black Hat, CanSecWest, and DEF CON.
Giulia is a security software engineer working in the Cloud+AI security division at Microsoft. Her focus is on the design and development of automated monitoring tools with the purpose of detecting malicious behaviors. Her job includes reverse engineering of malware and analysis of attack techniques uncovered in malicious campaigns. She works primarily in the context of Office365 ATP. She has also contributed to the development of Sysmon and improved the security of the Office suite, which she presented to the Virus Bulletin and SAS conferences. She comes from a background in maths, in which she holds a B.Sc. degree from the University of Genoa, and prior to joining Microsoft she obtained an M.Sc. in security and forensics from Dublin City University. Her favorite hobbies are travelling and jogging.
Holly has been in the security industry since 1997. She's held roles in many types of disciplines, such as product and program management, incident response, communications, and data science. Holly started working for Microsoft in 2010 and is currently a Principal Research Manager for the Windows Defender Advanced Threat Protection team. Her team of researchers and data scientists use machine learning, automation, and other next generation capabilities to protect people from malware.
John Lambert, Distinguished Engineer at Azure Security, heads the flagship Microsoft Threat Intelligence Center group. Previously, he managed the Network Security and Science team in the Trustworthy Computing division and is responsible for monitoring the security of Microsoft's network and the development of novel defenses protecting systems from attack.
John founded the Microsoft Security Engineering Center (MSEC) Science team which works on cutting edge methods to detect vulnerabilities and exploit activity and neutralize them through advanced technological countermeasures. Previously at Microsoft, John managed the Microsoft Security Response Center's (MSRC) Engineering team which is responsible for the technical aspects of software vulnerability investigations when vulnerabilities are reported to Microsoft.
Marion Marschalek is a Security Engineer within Intel's STORM team in Portland, Oregon. Prior to that she held different positions in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is a frequent speaker at major security conferences, including Black Hat, DEF CON, HITB, RSA, and SyScan, among others. Until recently she was teaching reverse engineering classes at University of Applied Sciences St. Poelten, from where she graduated in 2011 with a Master's Degree in Information Security. In 2015 she started a hacker bootcamp for women titled BlackHoodie, which over the years established itself as a global initiative to attract more diverse talent to the security industry.
Matt Miller is a security engineer working as part of the Microsoft Security Response Center (MSRC). In this role, Matt drives strategy and engineering related to proactive vulnerability defense across Microsoft's products and services. Prior to joining Microsoft ten years ago, Matt was a core contributor to the Metasploit framework and an editor for the Uninformed journal.
Ping Look is passionate about bringing people together to solve problems. She is currently the Senior Director for Microsoft's Global Cyber Resilience and Incident Response Team whose mission is to respond to security incidents and help Microsoft's customers become cyber-resilient. Prior to joining Microsoft, Ping was engaged at Optiv, formerly known as Accuvant LABS, where she managed one of the most technically proficient research teams in the world before transitioning to focus on Security Awareness, Education and Culture (aka it isn't a technology problem but a people problem). Prior to Optiv, Ping had a long tenure in the security events industry building the iconic brands of Black Hat and DEF CON. Ping still serves on the Black Hat Briefings and Training Global Review Board.
Ram is a Data Cowboy in Azure Security at Microsoft, working in the intersection of Machine Learning and Security. At Microsoft, he focuses on modeling massive amounts of security logs to surface malicious activity. For instance, how do you detect an attacker is moving through the system when you have to analyze billions of events per second? He also heads the Trustworthy Machine Learning group in Azure Security that aims to secure machine learning systems from compromise.
His work has appeared in industry conferences like BlueHat, DerbyCon, MIRCon, Infiltrate, Strata+Hadoop World Practice of Machine Learning as well as academic conferences like NIPS, IEEE Usenix, ACM - CCS. Ram is also an affiliate at the Berkman Klein Center at Harvard University, and Technical Advisory Board Member at University of Washington. He graduated from Carnegie Mellon University with a masters in Computer Engineering and a second masters in Innovation Management.
Thomas Dullien / Halvar Flake is a security researcher and ex-entrepreneur known for his contributions to the theory and practice of vulnerability development and software reverse engineering. He pioneered patch diffing, started and ran a company to commercialize this research that got acquired by Google, won several awards, and has worked on a wide range of topics - from the very practical (turning security patches into attacks) and quite concrete (turning physics-induced DRAM bitflips into useful attacks) to the rather theoretical (attempting to clarify the theoretical foundations of exploitation). After a recent stint in Project Zero he has started a new company focused on efficient computation in the cloud (optimyze.cloud AG).
Date
Workshop
Trainer
Description
October 22-23
10:00AM - 6:00PM
Florian Gilcher & Tyler Neely, Ferrous Systems
Rust is a new, strongly typed and safe systems programming language. Its type system is built to enable the construction of memory-safe programs at scale, without the need of a runtime component like a garbage collector. Rust can be integrated into existing projects very easily and is rapidly becoming the language of choice for safety-minded systems programming.
This workshop covers the general usage of the Rust Programming Language, and some advanced Rust subjects. This rendition of the course will have a specific eye on safety-related features, along with explanations of background and motivations.
Prerequisites:
• None, please bring your computer.
• Feel free to install Rust using https://rustup.rs beforehand.
October 22-23
10:00AM - 6:00PM
Joe FitzPatrick
This hands-on class will introduce you to the common interfaces on embedded MIPS and ARM systems, and how to exploit physical access to grant yourself software privilege.
This course focuses on UART, JTAG, and SPI interfaces. For each, we'll do a brief architectural overview, followed by hands-on labs identifying, observing, interacting, and eventually exploiting each interface. We'll also do basic analysis and manipulation of firmware images.
Designed for newcomers to hardware, over 70% of our time will be hands-on with current off-the-shelf hardware, supported by lectures to fill in the background.
UART:
Once we've learned a little bit about it, we will use a logic analyzer to find a UART on our target device. Once we've done that, we'll hook up the proper cable to communicate with it, find out what's inside, and see what's exposed.
SPI:
After a brief introduction, we'll look for clues to tell us how to connect to the SPI device on our system. We'll use a logic analyzer to observe what's going on, then use a dedicated SPI adapter to extract firmware from our system.
Firmware:
Using the firmware we previously extracted, we'll use the firmware image to guide simple patches to the device's memory, make simple changes to the firmware image to permit further access to the system, and do some basic binary analysis to help us find some remotely vulnerable issues.
JTAG:
As soon as we've covered a bit of background information, we'll connect a JTAG adapter to our system and use it to examine the contents of memory. Once we get over that thrill, we'll see how easy it is to attach a debugger to the kernel and take control of the system.
JTAG Exploitation:
Once we've got full debugger access to the system over JTAG, we'll test out a few methods of escalating privilege on the system to enable a root shell.
Audience:
This course is geared toward pen testers, red teamers, exploit developers, and product developers who wish to learn how to take advantage of physical access to systems to assist and enable other attacks. In addition, security researchers and enthusiasts unwilling to 'just trust the hardware' will gain deeper insight into how hardware works and can be undermined.
Prerequisites:
• No hardware or electrical background is required.
• Computer architecture knowledge and low-level programming experience helpful but not required.
• Familiarity with Linux command line allows students to focus on the tools being used instead of struggling with the command line itself.
October 22
10:00AM - 6:00PM
Austin Taylor & Charles Givre
This interactive course will teach security professionals how to use data science techniques to quickly manipulate and analyze network and security data and ultimately uncover valuable insights from this data. The course will cover the entire data science process from data preparation, feature engineering and selection, exploratory data analysis, data visualization, machine learning, model evaluation and optimization and finally, implementing at scale—all with a focus on security related problems.
Participants will learn how to read in data in a variety of common formats, then write scripts to analyze and visualize that data. A non-exhaustive list of what will be covered includes:
• Using machine learning to detect network attacks within your organization
• Hunting anomalous indicators of compromise and reducing false positives
• Quickly and efficiently parsing executables, log files, pcap and extracting artifacts from them
• Writing scripts to efficiently read and manipulate CSV, XML, and JSON files
• Using the Pandas library to quickly manipulate tabular data
• Preprocessing raw security data for machine learning and feature engineering
• Building, applying and evaluating machine learning algorithms to identify potential threats
• Automating the process of tuning and optimizing machine learning models
• Using supervised learning algorithms such as Random Forests, Naive Bayes, K-Nearest Neighbors (K-NN) and Support Vector Machines (SVM) to classify malicious URLs and identify SQL Injection
• Applying unsupervised learning algorithms such as K-Means Clustering to detect anomalous behavior
• Rapidly and effectively visualizing data using Python
October 23
10:00AM - 6:00PM
Graph for Security
Ram Shankar Siva Kumar, John Lambert & more
The allure of using graphs for security is evident: when interconnected data is collected and analyzed, it should give a broader picture of the security state within the organization. This crystallized into a rallying cry after the "Attackers think in Graphs, Defenders in lists" blog post from John Lambert; since then there has been a proliferation of using graphs for security in the industry.
The goal of the workshop is for engineers to gain an industry wide perspective and understand best practices for using graphs directly in line with the security problems that they are solving.
Structure of the Workshop:
This is a full-day, single-track workshop. We will have two distinct parts: a "lecture" style series of 20-minute talks from security practitioners, followed by discussion, in the morning, and "unconference" style birds-of-a-feather meetings in the afternoon, followed by a report out. The emphasis of the event will be discussion and interaction between graph practitioners in Microsoft and industry partners.
The intended audience is Security Engineers, Security Analysts and Security data scientists.
Attendee Objectives:
1. I can advance my understanding of securing network, host and cloud services using graphical analysis
2. I can hear from practitioners from major cloud businesses such as Google, and learn about their problems and approach
3. I can connect with my peers in the graph analytics space
October 22-23
10:00AM - 6:00PM
Intro to Reverse Engineering Malware
Bhavna Soman & Michelle Bergeron, Microsoft
Bhavna Soman and Michelle Bergeron will be teaching Introduction to Reverse Engineering Malware. Students will go over the basics of x86 and IDA Pro, and use that to analyze real-world malware samples (VM setup instructions will be provided beforehand). They will learn common techniques that malware authors use to evade detection and analysis. Finally, they'll be provided with challenge binaries to test their new RE skillz.
Prerequisites:
• Ideally some form of computer science background
• Laptop with minimum 8GB RAM and 25GB free disk space for VM
October 22-23
10:00AM - 6:00PM
Hands-on introduction to web application security
Niru Ragupathy & Jenna Kallaher, Google
This course is structured to start from the basics of web application security and explore common web attacks. Half of the first day will be packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in this course. By the end of the course you will have understood the concepts behind, exploited, and learnt to fix XSS, CSRF and SQL injection. You will also get an opportunity to dabble in more esoteric attacks like XXE and SSRF on the second day.
Day 1:
• Theory - CIA model, HTTP, DOM, Cookies, Same Origin Policy, HTTP Methods, HTTP Headers and CORS
• Attacks - CSRF*, SQLi*, Command Injection, Broken session management*, Insecure Direct Object Reference*, Missing function access control, Logic Errors*
Day 2:
• Attacks - Reflected XSS*, Stored XSS*, DOM XSS*, CSP*, Vulnerability chaining, SSRF*, XXE*
* = has hands-on exercises
Prerequisites:
• A basic understanding of HTML, JS
• A laptop with Burp proxy setup (Link to setup guide), a community version is sufficient for this course
October 22-23
10:00AM - 6:00PM
How to Auto-Feed Your Dragon: Hatchlings First Ghidra Script
Morgan Whitlow, MITRE
Two-day workshop focused on exposing students to creating and using scripts in Ghidra. Topics will include a brief overview and tour of Ghidra itself highlighting some of its features, various ways of integrating scripting into the reverse engineering workflow (e.g. headless analysis), Java vs Python scripts, and a quick overview of some of the functions in Ghidra's Flat API. Students will be guided through writing basic scripts of their own, with an eye towards aiding analysis.
This course is intended to be at an intermediate level. While proficiency is not expected, students should have at least a cursory understanding of an assembly language (ARM or x86 is acceptable) and at least one higher level programming language such as Python, Java, or C/C++.
October 22
10:00AM - 6:00PM
Purple Perspectives: When Blue Meets Red
Michelle Lam & Tera Joyce, Microsoft
In this workshop, we will be discussing the cat and mouse game that the red and blue teams need to navigate as part of the hunt for adversaries. One of the roles of a red team is to help with the first step of defending: understanding the adversary's point of view, motive, and tooling. As part of the blue team, we follow the breadcrumbs left behind by an attack to piece together a story and ways to catch this activity in the future. Combining these perspectives helps build the full picture of an attack.
October 23
10:00AM - 6:00PM
Bypassing ARM Exploit Mitigations
Maria Markstedter aka Azeria
In this 1-day workshop, attendees will learn how hackers break into Arm-based IoT devices using memory-corruption vulnerabilities such as buffer overflows, how developers can defend against these types of attacks using "exploit mitigations", and what the limits of these mitigations are. During the labs, attendees will be writing their own exploits against vulnerable programs, and learn how to bypass exploit mitigations such as NX, ASLR, and Stack Canaries.
Workshop prerequisites:
• Able to read simple code written in the C programming language
• Familiar with writing and editing basic scripts written in the Python programming language
• Willing to dive into a Linux debugging environment
• Willing to read and interact with Arm assembly language for several hours
• Have a strong desire to learn, and be ready to think outside-of-the-box
• Comfortable with troubleshooting the laptop's host operating system
• Comfortable with administering Linux from the command line
• Able to use VMware to access the hands-on labs
Date
Speaker
Company
Talk Title
8:30AM - 9:30AM
Breakfast and Registration
9:30AM - 9:50AM
Opening Remarks - Bharat Shah & Eric Doerr
10:40AM - 11:25AM
Cristin Flynn Goodwin
Amy Hogan Burney
Microsoft
"I'm Calling My Lawyer!": Helping Hunters and Analysts Fight Nation State and Advanced Actors
Security researchers, threat intel teams, and analysts need data to hunt. Often, it is the same data that law enforcement and intelligence community experts want to have. On this panel you'll hear from the head of Microsoft's Digital Crimes Unit, the head of Microsoft's Law Enforcement and National Security Team, and the head of Microsoft's Advanced Cyber / Nation State group on how Defenders and Hunters can work within the law, areas of concern, and when you're at risk. You'll hear about how we've successfully stopped or blocked nation state attacks, and managed government risks and needs at the same time. Each of us will share expertise, lessons learned, case studies, and recommendations on how to manage legal risks while pursuing our important and shared objectives of stopping nation state attackers and protecting our customers.
11:30AM - 12:15PM
Li Chen
Ravi Sahita
Intel
The good, the bad and the ugly of machine learning based approaches for ransomware detection
In this talk, we juxtapose the resiliency and trustworthiness of composition of DL and classical ML algorithms for security, via a case study of evaluating the resiliency of ransomware detection via the generative adversarial network (GAN). We propose to use GAN to automatically produce dynamic features that exhibit generalized malicious behaviors that can reduce the efficacy of black-box ransomware classifiers. We examine the quality of the GAN-generated samples by comparing the statistical similarity of these samples to real ransomware and benign software. Further we investigate the latent subspace where the GAN-generated samples lie and explore reasons why such samples cause a certain class of ransomware classifiers to degrade in performance. The automatically generated adversarial samples can then be fed into the training set to reduce the blind spots of the detectors.
There has been a surge of interest in using machine learning (ML), particularly deep learning (DL), to automatically detect malware through its dynamic behaviors. These approaches have achieved significant improvement in detection rates and lower false positive rates at large scale compared with traditional malware analysis methods. ML in threat detection has proven to be a good cop to guard platform security. However, it is imperative to evaluate: is ML-powered security resilient enough?
To generate reliable traces of system activity, we can utilize CPU-based telemetry such as Intel Processor Trace, which can be extracted via a hypervisor without guest instrumentation. We advocate that file I/O events extracted from Intel Processor Trace, together with algorithmic improvements, have shown potential for stronger defense in ML-based model deployment in the wild to combat ransomware attacks. Our results and discoveries should pose relevant questions for defenders, such as how ML models can be made more resilient for robust enforcement of security objectives.
12:15PM - 1:15PM
Lunch Break
1:15PM - 1:40PM
Santiago Pontiroli
Kaspersky
The cake is a lie! Uncovering the secret world of malware-like cheats in video games
With more than 2.5 billion gamers from all over the world, it's no wonder that at least a fraction of them would bring into action additional tools to gain an unfair advantage over their opponents in the virtual world. This is one of the many reasons behind the existence and rapid growth of a multi-million dollar industry that thrives on selling cheats, hacks and modifications to desperate gamers seeking to gain the upper hand in their next match. Let's dissect these tools and understand how modern games and anti-cheating technologies can be easily bypassed, all while we get a glimpse of the dubious market and supporting crews that develop, sell, and maintain the commodities in this illegal economy. It's not unusual for cheats to be more expensive than the actual games they are trying to profit from, or for players to buy a single title over and over until they can avoid being banned by the protective measures implemented in the first place. Fortnite? Overwatch? League of Legends? If you've heard about these games but you don't know what an aim-bot, a wall-hack, or an ESP means, then you might finally understand why all those competitive matches you played have made you feel like a fish out of water. Join me in this presentation and learn the inside-out of an industry that has remained in the shadows for a very long time. I will be presenting real world cheats used by gamers worldwide that in some cases closely mimic techniques that would rival numerous advanced threat actors in the malware ecosystem. Game over? Maybe not….
1:45PM - 2:30PM
Tony Chen
Microsoft
Guarding Against Physical Attacks: The Xbox One Story
Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked. In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against physical attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes needed with the custom hardware to keep the system and the games secure against physical attacks.
2:30PM - 3:00PM
Afternoon Break
3:00PM - 3:25PM
Chris Eng
Veracode
Are We There Yet: Why Does Application Security Take So Long?
Why does it take so long to fix insecure code? We pair new data about the lifecycle of a vulnerability with learnings from application security programs to answer this perennial question. This analysis is not based on a survey – it's real data from real application scans. The data set contains 85,000 unique applications and 1.4 million individual assessments over a 12-month period, easily the largest application security data set of its size.
Chris will describe the analysis process and some of the techniques, such as survival analysis, that were applied to the data set in order to measure and visualize outcomes. We'll focus specifically on identifying the factors that correlate most strongly (or not at all!) with fix rates. Finally, we'll provide data-backed insights on the contentious question of whether DevOps practices are a boon or a burden for security.
3:30PM - 4:15PM
Jay Beale
InGuardians
Kubernetes Practical Attack and Defense
We will attack a real Kubernetes cluster called Bust-a-Kube, which was released in 2019 as a free learning tool. The demonstration will start by compromising a real application running in a Kubernetes pod's container, gaining low privileged remote code execution inside that container. Next, we will explore what that compromised container can see on the cluster, finding the boundaries of its privileges. We will move laterally from that container to attack microservices on the cluster, gaining remote code execution in other containers, with higher privilege. We'll find that one of those can interfere with a final highest-privilege container. That highest privilege container will permit us to abuse the Kubernetes API to compromise the entire cluster. This demonstration will involve graphic "flags," allowing attendees to repeat the attack afterward as a downloadable solitaire "capture the flag" game. We'll then discuss and perform a second demo to teach defenses, working backward to defeat necessary steps in the first demo's chain of attacks. We'll demonstrate using pod security policies to force an AppArmor profile onto any pod (container) being deployed. We'll show how volume whitelists can block an attack, then demonstrate an evasion that defeats this defense. We'll then weaken this attack with root capability limits and AppArmor. We'll demonstrate an attack path where a bad actor can use a low-privilege Kubernetes cluster compromise to abuse the cloud provider APIs. This, in turn, leads to compromising the Kubernetes cluster more fully. We'll discuss how to break this attack using a cloud metadata API security feature that's Kubernetes-specific. In the course of these demonstrations, we'll conduct the attacks both manually and with an open source attack tool called Peirates. Finally, we'll discuss defenses that we did not use, including seccomp syscall whitelists, read-only root filesystems, and freely-available service meshes.
4:20PM - 5:05PM
Nico Waisman
GitHub
Open Source Security, vulnerabilities never come alone
Open source has won and is here to stay, but it comes with challenges. Open Source security is one of them that we face as an industry. We all consume it but what about its code quality, security practices,
… Over the last 3 months, Github's
5:10PM - 5:35PM
Anamitra Dutta Majumdar
Anubhav Saini
Building Secure Machine Learning Pipelines: Security Patterns and Challenges
Increasing adoption of Machine Learning and Artificial Intelligence by data-driven organizations like LinkedIn is posing some important challenges related to data security and privacy. On the one hand, member data is an asset that unlocks unlimited business potential whereas, on the other hand, the consumption of the data must happen in a secure and privacy-preserving manner. This poses an interesting challenge for security and operations teams in the organization. In this presentation, we will walk through all the well-known use cases of machine learning at LinkedIn and also the phases of a machine learning pipeline. We will identify key security gaps and the corresponding security controls to address the gaps at each phase of any machine learning pipeline. The associated scalability and operational challenges for the application of security controls will be explained. Controls in each phase will be put into the perspective of the Productive Machine Learning pipeline phases being built at LinkedIn. There will be a section on how Blueshift will impact the application of security controls once compute and data have been decoupled. By the end of the talk, we will have described what a secure machine learning pipeline looks like and what key security patterns need to be put in place to secure the pipeline.
6:00PM - 10:00PM
Bytes of BlueHat: Networking Reception
Date
Speaker
Company
Talk Title
8:30AM - 9:30AM
Breakfast and Registration
9:30AM - 9:35AM
Opening Remarks - David Weston
9:35AM - 10:20AM
Dirk-jan Mollema
Fox-IT
I'm in your cloud: A year of hacking Azure AD
How does one research the cloud? With solutions such as Azure AD and Office 365, the underlying platform architecture and designs are not publicly documented or accessible in the same way as on-premise. This makes analyzing the security of the platform harder for external researchers. In this talk I will explain the journey and discoveries of a year of trying to understand Azure AD, including the vulnerabilities discovered in the process. This ranges from gathering information about Azure AD via undocumented APIs to installing invisible backdoors and escalating privileges via limited roles or via the link with on-premise. While some of these vulnerabilities have been resolved, several of these are unintended consequences of Azure AD's architecture and thus are important to consider when evaluating the security of your Azure AD environment. A basic understanding of Azure AD, Office 365 and its terminology is assumed for this talk.
10:25AM - 11:10AM
John-Luke Peck
CI Security
Autopsies of Recent DFIR Investigations
This presentation will review in hindsight and retrospect several recent incident response engagements performed over the last 12 months by a 3rd-party (non-Microsoft affiliated) security and incident response services provider. During the talk the presenter will review what went well and what did not go well during the various engagements, with a particular focus on the data, services, and support available from Microsoft & Office365/AzureAD, and how they were and were not able to be leveraged during the various engagements.
This will include a focus on areas where:
* Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable collection of the data
* The data & services available were successfully used during response efforts
The presentation will highlight:
* Lessons learned about Office365/AzureAD and Incident Response
* How Office365, AzureAD, and ATP services and data were used in the response efforts
* Recommendations for Office365/AzureAD tenants to improve their security & IR capabilities /before/ an incident occurs
All presented examples and incidents will be de-identified to maintain and protect privacy and operational security.
What this is NOT:
* A service provider's sales presentation
11:15AM - 12:00PM
Wei Huang
Yueqiang Cheng
University of Toronto
Baidu USA
Aion Attacks: Exposing SGX Software Timers
Intel Software Guard Extensions (SGX) is a hardware feature that provides a trusted execution environment (TEE) for user-level applications to securely run in a shielded environment called an enclave. Unfortunately, there is no trusted hardware timer in the SGX environment. To fill this gap, many software timers have been proposed in past years. In these software SGX timers, there is a timer thread that maintains a counter and increases it in an infinite loop. There is also an application thread that executes certain application logic and reads the counter before and after the logic to measure the timing cost. Such software timers are widely used in many security-sensitive scenarios, e.g., side-channel detection and co-location testing. In this talk, we propose two generic attacks, named Aion attacks, which are able to break ALL existing software SGX timer schemes, showing that the belief that software SGX timers are reliable is an illusion. Specifically, in the first attack, we significantly reduce the CPU frequency for the timer thread and run the application thread at maximum speed. As a result, the timing cost measured from the application thread is reduced significantly. In the other attack, we propose a cache interference attack that deterministically and efficiently evicts the targeted timer counter from the LLC, slowing down the timer speed. We will demonstrate these two novel attacks on real hardware settings and show live demos during the presentation. The SGX timer issue is very serious, and even worse, we cannot find any straightforward software solution to mitigate it effectively. We call for more researchers and parties to join this effort to improve the security of Intel SGX as well as whole systems.
12:00PM - 1:00PM
Lunch Break
1:00PM - 1:45PM
Elvis Collado
Exodus Intelligence
Don't forget to SUBSCRIBE.
This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey to known exploitation techniques. This talk will go over the thought process, failures, and roadblocks that were encountered and how they were overcome.
1:50PM - 2:35PM
Jordan Wiens
Peter LaFosse
Vector 35 Inc
Modern Binary Analysis with ILs
Modern binary analysis, whether for discovering vulnerabilities or analyzing malware, needs automation to deal with the volume of code under inspection. And yet, while Intermediate Languages (ILs) have been used for decades in compiler design and implementation, too few reverse engineers have any experience with them even though many reverse engineering tools (Binary Ninja, Ghidra, IDA) are built on top of ILs. Given that, it's time to demystify this space and make it accessible beyond just computer scientists and researchers. There are many potentially unfamiliar concepts related to ILs: single-static assignment, value-set analysis, three argument form versus tree-based designs, and others. But what matters is how these ILs can help you build better binary analysis tools. This talk not only gives you an overview of existing ILs used in reverse engineering, but more importantly, shows you how your tooling can benefit from them. From cross-platform analysis (follow a botnet from an x86-64 desktop to a mobile ARM, to an embedded MIPS), to leveraging existing data-flow capabilities that bring some of the benefits of both dynamic and static analysis together, this talk will demonstrate several examples of plugins that leverage ILs to improve your ability to automatically reason over compiled code.
2:35PM - 3:05PM
Afternoon Break
3:05PM - 3:50PM
Tao Yan
Palo Alto Networks
Pool Fengshui in Windows RDP Vulnerability Exploitation
Heap Fengshui is one of the most important techniques in userland vulnerability exploitation under modern mitigations; seemingly, Pool Fengshui plays the same role in Windows RDP vulnerability exploitation. In this talk, we will not only introduce three innovative methods for Pool Fengshui with RDP PDUs, but also introduce the idea of how to find those Pool-Fengshui-Friendly PDUs among tons of legitimate PDUs from massive RDP documents. Details from how to construct three different PDUs in the RDP client to how to parse these PDUs and what these PDUs look like in kernel memory in the RDP server will all be discussed. Besides, we will also use BlueKeep (CVE-2019-0708) as an example to show how useful and universal these techniques are in Windows RDP vulnerability exploitation. Finally, we will show the BlueKeep exploit demo.
3:50PM - 4:00PM
Closing Remarks - Kymberlee Price
4:00PM - 5:00PM
Happy hour!
2019 has seen a phenomenal BlueHatIL in February followed by a wildly successful BlueHat Shanghai in May… now it's time to come back home for BlueHat Seattle!
* 2 days of hands-on technical training
* 2 days of conference talks from industry-leading security researchers and cyber defenders
* great creative spaces ready to spark thought-provoking conversations and collaborative partnerships
Please join your fellow security researchers and Microsoft representatives for the Bytes of BlueHat: Networking Reception on Thursday, October 24.
If you have any questions regarding the BlueHat Seattle conference, please feel free to contact bluehat@microsoft.com.
October 22-25, 2019
Showbox SoDo, 1700 1st Ave S, Seattle, WA 98134
Living Computer Museum, 2245 1st Ave S, Seattle, WA 98134