Alex Ionescu

Alex Ionescu @aionescu

Alex Ionescu is the Vice President of Endpoint Engineering and Founding Chief Architect at CrowdStrike, Inc., and Founder of Winsider Seminars & Solutions Inc. A world-class security architect and consultant with expertise in low-level system software, kernel development, security training, and reverse engineering, his work has led to the fixing of many critical kernel vulnerabilities as well as dozens of non-security bugs, and he has contributed patches and development to two major commercially used operating system kernels. He is coauthor of the last three editions of the Windows Internals series, along with Andrea Allievi, Mark Russinovich, and David Solomon.

Benjamin Purgason

Ben leads LinkedIn's Security Engineering and Operations organization, responsible for identity, corporate infrastructure, adversarial incident response, and security infrastructure.

David Weston

David Weston @dwizzzleMSFT

David Weston is the Director of OS Security at Microsoft where he currently leads the Windows Device Security and Offensive Security Research teams. David has been at Microsoft working on penetration testing, threat intelligence, platform mitigation design, and offensive security research since Windows 7. He has previously presented at security conferences such as Black Hat, CanSecWest, and DEF CON.

Giulia Biagini

Giulia Biagini @giulia_scrammed

Giulia is a security software engineer working in the Cloud+AI security division at Microsoft. Her focus is on the design and development of automated monitoring tools that detect malicious behaviors. Her job includes reverse engineering of malware and analysis of attack techniques uncovered in malicious campaigns. She works primarily in the context of Office365 ATP. She has also contributed to the development of Sysmon and improved the security of the Office suite, work she presented at the Virus Bulletin and SAS conferences. She comes from a background in maths, in which she holds a B.Sc. degree from the University of Genoa, and prior to joining Microsoft she obtained an M.Sc. in security and forensics from Dublin City University. Her favorite hobbies are travelling and jogging.

Holly Stewart

Holly Stewart @ollijoi

Holly has been in the security industry since 1997. She's held roles in many types of disciplines, such as product and program management, incident response, communications, and data science. Holly started working for Microsoft in 2010 and is currently a Principal Research Manager for the Windows Defender Advanced Threat Protection team. Her team of researchers and data scientists uses machine learning, automation, and other next generation capabilities to protect people from malware.

John Lambert

John Lambert @JohnLaTwC

John Lambert, Distinguished Engineer at Azure Security, heads the flagship Microsoft Threat Intelligence Center group. Previously, he managed the Network Security and Science team in the Trustworthy Computing division, responsible for monitoring the security of Microsoft's network and developing novel defenses that protect systems from attack.

John founded the Microsoft Security Engineering Center (MSEC) Science team which works on cutting edge methods to detect vulnerabilities and exploit activity and neutralize them through advanced technological countermeasures. Previously at Microsoft, John managed the Microsoft Security Response Center's (MSRC) Engineering team which is responsible for the technical aspects of software vulnerability investigations when vulnerabilities are reported to Microsoft.

Marion Marschalek

Marion Marschalek @pinkflawd

Marion Marschalek is a Security Engineer within Intel's STORM team in Portland, Oregon. Prior to that she held different positions in the threat detection industry, as a malware reverse engineer and incident responder. Marschalek is a frequent speaker at major security conferences, including Black Hat, DEF CON, HITB, RSA, and SyScan, among others. Until recently she was teaching reverse engineering classes at University of Applied Sciences St. Poelten, from where she graduated in 2011 with a Master's Degree in Information Security. In 2015 she started a hacker bootcamp for women titled BlackHoodie, which over the years established itself as a global initiative to attract more diverse talent to the security industry.

Matt Miller

Matt Miller @epakskape

Matt Miller is a security engineer working as part of the Microsoft Security Response Center (MSRC). In this role, Matt drives strategy and engineering related to proactive vulnerability defense across Microsoft's products and services. Prior to joining Microsoft ten years ago, Matt was a core contributor to the Metasploit framework and an editor for the Uninformed journal.

Ping Look

Ping Look is passionate about bringing people together to solve problems. She is currently the Senior Director for Microsoft's Global Cyber Resilience and Incident Response Team whose mission is to respond to security incidents and help Microsoft's customers become cyber-resilient. Prior to joining Microsoft, Ping was engaged at Optiv, formerly known as Accuvant LABS, where she managed one of the most technically proficient research teams in the world before transitioning to focus on Security Awareness, Education and Culture (aka it isn't a technology problem but a people problem). Prior to Optiv, Ping had a long tenure in the security events industry building the iconic brands of Black Hat and DEF CON. Ping still serves on the Black Hat Briefings and Training Global Review Board.

Ram Shankar Siva Kumar

Ram Shankar Siva Kumar @ram_ssk

Ram is a Data Cowboy in Azure Security at Microsoft, working at the intersection of Machine Learning and Security. At Microsoft, he focuses on modeling massive amounts of security logs to surface malicious activity: for instance, how do you detect that an attacker is moving through the system when you have to analyze billions of events per second? He also heads the Trustworthy Machine Learning group in Azure Security, which aims to secure machine learning systems from compromise.

His work has appeared in industry conferences like BlueHat, DerbyCon, MIRCon, Infiltrate, and Strata+Hadoop World Practice of Machine Learning, as well as academic conferences like NIPS, IEEE Usenix, and ACM - CCS. Ram is also an affiliate at the Berkman Klein Center at Harvard University, and a Technical Advisory Board Member at the University of Washington. He graduated from Carnegie Mellon University with a master's in Computer Engineering and a second master's in Innovation Management.

Shawn Davenport

Shawn Davenport @nothingstrivial

Thomas Dullien

Thomas Dullien @halvarflake

Thomas Dullien / Halvar Flake is a security researcher and ex-entrepreneur known for his contributions to the theory and practice of vulnerability development and software reverse engineering. He pioneered patch diffing, started and ran a company to commercialize this research that got acquired by Google, won several awards, and has worked on a wide range of topics - from the very practical (turning security patches into attacks) and quite concrete (turning physics-induced DRAM bitflips into useful attacks) to the rather theoretical (attempting to clarify the theoretical foundations of exploitation). After a recent stint in Project Zero he has started a new company focused on efficient computation in the cloud (optimyze.cloud AG).






October 22-23

10:00AM - 6:00PM

Rust for Safety

Florian Gilcher & Tyler Neely, Ferrous Systems

Workshop Details

Rust is a new, strongly typed and safe systems programming language. Its type system is built to enable the construction of memory-safe programs at scale, without the need for a runtime component like a garbage collector. Rust can be integrated into existing projects very easily and is rapidly becoming the language of choice for safety-minded systems programming.

This workshop covers the general usage of the Rust Programming Language, and some advanced Rust subjects. This rendition of the course will have a specific eye on safety-related features, along with explanations of background and motivations.


 • None, please bring your computer.

 • Feel free to install Rust using https://rustup.rs beforehand.

October 22-23

10:00AM - 6:00PM

Applied Physical Attacks on Embedded and IoT Systems

Joe FitzPatrick

Workshop Details

This hands-on class will introduce you to the common interfaces on embedded MIPS and ARM systems, and how to exploit physical access to grant yourself software privilege.

This course focuses on UART, JTAG, and SPI interfaces. For each, we'll do a brief architectural overview, followed by hands-on labs identifying, observing, interacting, and eventually exploiting each interface. We'll also do basic analysis and manipulation of firmware images.

Designed for newcomers to hardware, over 70% of our time will be hands-on with current off-the-shelf hardware, supported by lectures to fill in the background.


Once we've learned a little bit about it, we will use a logic analyzer to find a UART on our target device. Once we've done that, we'll hook up the proper cable to communicate with it, find out what's inside, and see what's exposed.


After a brief introduction, we'll look for clues to tell us how to connect to the SPI device on our system. We'll use a logic analyzer to observe what's going on, then use a dedicated SPI adapter to extract firmware from our system.


Using the firmware we previously extracted, we'll use the firmware image to guide simple patches to the device's memory, make simple changes to the firmware image to permit further access to the system, and do some basic binary analysis to help us find some remotely vulnerable issues.


As soon as we've covered a bit of background information, we'll connect a JTAG adapter to our system and use it to examine the contents of memory. Once we get over that thrill, we'll see how easy it is to attach a debugger to the kernel and take control of the system.

JTAG Exploitation:

Once we've got full debugger access to the system over JTAG, we'll test out a few methods of escalating privilege on the system to enable a root shell.


This course is geared toward pen testers, red teamers, exploit developers, and product developers who wish to learn how to take advantage of physical access to systems to assist and enable other attacks. In addition, security researchers and enthusiasts unwilling to 'just trust the hardware' will gain deeper insight into how hardware works and can be undermined.


 • No hardware or electrical background is required.

 • Computer architecture knowledge and low-level programming experience helpful but not required.

 • Familiarity with Linux command line allows students to focus on the tools being used instead of struggling with the command line itself.

October 22

10:00AM - 6:00PM

Applied Data Science and Machine Learning for Cybersecurity

Austin Taylor & Charles Givre

Workshop Details

This interactive course will teach security professionals how to use data science techniques to quickly manipulate and analyze network and security data and ultimately uncover valuable insights from this data. The course will cover the entire data science process from data preparation, feature engineering and selection, exploratory data analysis, data visualization, machine learning, model evaluation and optimization and finally, implementing at scale—all with a focus on security related problems.

Participants will learn how to read in data in a variety of common formats, then write scripts to analyze and visualize that data. A non-exhaustive list of what will be covered includes:

• Using machine learning to detect network attacks within your organization

• Hunting anomalous indicators of compromise and reducing false positives

• Quickly and efficiently parsing executables, log files, pcap and extracting artifacts from them

• Writing scripts to efficiently read and manipulate CSV, XML, and JSON files

• Using the Pandas library to quickly manipulate tabular data

• Preprocessing raw security data for machine learning and feature engineering

• Building, applying and evaluating machine learning algorithms to identify potential threats

• Automating the process of tuning and optimizing machine learning models

• Using supervised learning algorithms such as Random Forests, Naive Bayes, K-Nearest Neighbors (K-NN) and Support Vector Machines (SVM) to classify malicious URLs and identify SQL Injection

• Applying unsupervised learning algorithms such as K-Means Clustering to detect anomalous behavior

• Rapidly and effectively visualizing data using Python

October 23

10:00AM - 6:00PM

Six Degrees of Mallory: Graph for Security

Ram Shankar Siva Kumar, John Lambert & more

Workshop Details

The allure of using graphs for security is evident: when interconnected data is collected and analyzed, it should give a broader picture of the security state within the organization. This crystallized into a rallying cry after the "Attackers think in Graphs, Defenders in lists" blog post from John Lambert; since then there has been a proliferation of graph-based approaches to security across the industry.

The goal of the workshop is for engineers to gain an industry wide perspective and understand best practices for using graphs directly in line with the security problems that they are solving.

Structure of the Workshop:

This is a full day, single track workshop with two distinct parts: in the morning, a "lecture" style series of 20-minute talks from security practitioners, each followed by discussion; in the afternoon, "unconference" style birds-of-a-feather meetings, followed by a report out. The emphasis of the event will be discussion and interaction between graph practitioners at Microsoft and industry partners.

The intended audience is Security Engineers, Security Analysts and Security data scientists.

Attendee Objectives:

1. I can advance my understanding of securing network, host and cloud services using graphical analysis

2. I can hear from practitioners from major cloud businesses such as Google, and learn about their problems and approach

3. I can connect with my peers in the graph analytics space

October 22-23

10:00AM - 6:00PM


Intro to Reverse Engineering Malware

Bhavna Soman & Michelle Bergeron, Microsoft

Workshop Details

Bhavna Soman and Michelle Bergeron will be teaching Introduction to Reverse Engineering Malware. Students will go over the basics of x86 and IDAPro, and use that to analyze real world malware samples (VM set up instructions will be provided beforehand). They will learn common techniques that malware authors use to evade detection and analysis. Finally, they'll be provided with challenge binaries to test their new RE skillz.


 • Ideally some form of computer science background

 • Laptop with minimum 8GB RAM and 25GB free disk space for VM

October 22-23

10:00AM - 6:00PM


Hands-on introduction to web application security

Niru Ragupathy & Jenna Kallaher, Google

Workshop Details

This course is structured to start from the basics of web application security and explore common web attacks. Half of the first day will be packed with theory; while we are all for jumping into exercises, having a solid grasp of the fundamentals will be crucial to your success in this course. By the end of the course you will have understood, exploited, and learnt to fix XSS, CSRF, and SQL injection. You will also get an opportunity to dabble in more esoteric attacks like XXE and SSRF on the second day.

Day 1:

 • Theory - CIA model, HTTP, DOM, Cookies, Same Origin Policy, HTTP Methods, HTTP Headers and CORS

 • Attacks - CSRF*, SQLi*, Command Injection, Broken session management*, Insecure Direct Object Reference*, Missing function access control, Logic Errors*

Day 2:

 • Attacks - Reflected XSS*, Stored XSS*, DOM XSS*, CSP*, Vulnerability chaining, SSRF*, XXE*

* marks topics with hands-on exercises


 • A basic understanding of HTML, JS

 • A laptop with Burp proxy setup (Link to setup guide), a community version is sufficient for this course

October 22-23

10:00AM - 6:00PM


How to Auto-Feed Your Dragon: Hatchlings First Ghidra Script

Morgan Whitlow, MITRE

Workshop Details

Two-day workshop focused on exposing students to creating and using scripts in Ghidra. Topics will include a brief overview and tour of Ghidra itself highlighting some of its features, various ways of integrating scripting into the reverse engineering workflow (e.g. headless analysis), Java vs Python scripts, and a quick overview of some of the functions in Ghidra's Flat API. Students will be guided through writing basic scripts of their own, with an eye towards aiding analysis.

This course is intended to be at an intermediate level. While proficiency is not expected, students should have at least a cursory understanding of an assembly language (ARM or x86 is acceptable) and at least one higher level programming language such as Python, Java, or C/C++.

October 22

10:00AM - 6:00PM


Purple Perspectives: When Blue Meets Red

Michelle Lam & Tera Joyce, Microsoft

Workshop Details

In this workshop, we will be discussing the cat and mouse game that the red and blue teams need to navigate as part of the hunt for adversaries. One of the roles of a red team is to help with the first step of defending: understanding the adversary's point of view, motive, and tooling. As part of the blue team, we follow the breadcrumbs left behind by an attack to piece together a story and ways to catch this activity in the future. Combining these perspectives helps build the full picture of an attack.

October 23

10:00AM - 6:00PM


Bypassing ARM Exploit Mitigations

Maria Markstedter aka Azeria

Workshop Details

In this 1-day workshop, attendees will learn how hackers break into Arm-based IoT devices using memory-corruption vulnerabilities such as buffer overflows, how developers can defend against these types of attacks using "exploit mitigations", and what the limits of these mitigations are. During the labs, attendees will be writing their own exploits against vulnerable programs, and learn how to bypass exploit mitigations such as NX, ASLR, and Stack Canaries.

Workshop prerequisites:

 • Able to read simple code written in the C programming language

 • Familiar with writing and editing basic scripts written in the Python programming language

 • Willing to dive into a Linux debugging environment

 • Willing to read and interact with Arm assembly language for several hours

 • Have a strong desire to learn, and be ready to think outside-of-the-box

 • Comfortable with troubleshooting the laptop's host operating system

 • Comfortable with administering Linux from the command line

 • Able to use VMware to access the hands-on labs




8:30AM - 9:30AM

Breakfast and Registration

9:30AM - 9:50AM

Opening Remarks - Bharat Shah & Eric Doerr

9:50AM - 10:35AM

Alex Stamos

Stanford University

10:40AM - 11:25AM

Cristin Flynn Goodwin
Amy Hogan Burney


"I'm Calling My Lawyer!": Helping Hunters and Analysts Fight Nation State and Advanced Actors


Security researchers, threat intel teams, and analysts need data to hunt; often it is the same data that law enforcement and intelligence community experts want to have. On this panel you'll hear from the head of Microsoft's Digital Crimes Unit, the head of Microsoft's Law Enforcement and National Security Team, and the head of Microsoft's Advanced Cyber / Nation State group on how Defenders and Hunters can work within the law, areas of concern, and when you're at risk. You'll hear about how we've successfully stopped or blocked nation state attacks while managing government risks and needs at the same time. Each of us will share expertise, lessons learned, case studies, and recommendations on how to manage legal risks while pursuing our important and shared objectives of stopping nation state attackers and protecting our customers.

11:30AM - 12:15PM

Li Chen
Ravi Sahita


The good, the bad and the ugly of machine learning based approaches for ransomware detection

In this talk, we juxtapose the resiliency and trustworthiness of compositions of DL and classical ML algorithms for security, via a case study evaluating the resiliency of ransomware detection using a generative adversarial network (GAN). We propose to use a GAN to automatically produce dynamic features that exhibit generalized malicious behaviors and can reduce the efficacy of black-box ransomware classifiers. We examine the quality of the GAN-generated samples by comparing their statistical similarity to real ransomware and benign software. Further, we investigate the latent subspace where the GAN-generated samples lie and explore reasons why such samples cause a certain class of ransomware classifiers to degrade in performance. The automatically generated adversarial samples can then be fed into the training set to reduce the blind spots of the detectors.

There has been a surge of interest in using machine learning (ML), particularly deep learning (DL), to automatically detect malware through its dynamic behaviors. These approaches have achieved significant improvement in detection rates and lower false positive rates at large scale compared with traditional malware analysis methods. ML in threat detection has been shown to be a good cop to guard platform security. However, it is imperative to evaluate: is ML-powered security resilient enough?

To generate reliable traces of system activity, we can utilize CPU-based telemetry such as Intel Processor Trace, which can be extracted via a hypervisor without guest instrumentation. We advocate that file I/O events extracted from Intel Processor Trace, together with algorithmic improvements, show potential for stronger defense when ML-based models are deployed in the wild to combat ransomware attacks. Our results and discoveries should pose relevant questions for defenders, such as how ML models can be made more resilient for robust enforcement of security objectives.

12:15PM - 1:15PM

Lunch Break

1:15PM - 1:40PM

Santiago Pontiroli


The cake is a lie! Uncovering the secret world of malware-like cheats in video games

With more than 2.5 billion gamers from all over the world, it's no wonder that at least a fraction of them would bring into action additional tools to gain an unfair advantage over their opponents in the virtual world. This is one of the many reasons behind the existence and rapid growth of a multi-million dollar industry that thrives on selling cheats, hacks and modifications to desperate gamers seeking to gain the upper hand in their next match. Let's dissect these tools and understand how modern games and anti-cheating technologies can be easily bypassed, all while we get a glimpse of the dubious market and supporting crews that develop, sell, and maintain the commodities in this illegal economy. It's not unusual for cheats to be more expensive than the actual games they are trying to profit from, or for players to buy a single title over and over until they can avoid being banned by the protective measures implemented in the first place. Fortnite? Overwatch? League of Legends? If you've heard about these games but you don't know what an aim-bot, a wall-hack, or an ESP means, then you might finally understand why all those competitive matches you played have made you feel like a fish out of water. Join me in this presentation and learn the inside-out of an industry that has remained in the shadows for a very long time. I will be presenting real world cheats used by gamers worldwide that in some cases closely mimic techniques that would rival numerous advanced threat actors in the malware ecosystem. Game over? Maybe not….

1:45PM - 2:30PM

Tony Chen


Guarding Against Physical Attacks: The Xbox One Story

Every game console since the first Atari was more or less designed to prevent the piracy of games and yet every single game console has been successfully modified to enable piracy. However, this trend has come to an end. Both the Xbox One and the PS4 have now been on the market for close to 6 years, without hackers being able to crack the system to enable piracy or cheating. This is the first time in history that game consoles have lasted this long without being cracked. In this talk, we will discuss how we achieved this for the Xbox One. We will first describe the Xbox security design goals and why it needs to guard against physical attacks, followed by descriptions of the hardware and software architecture to keep the Xbox secure. This includes details about the custom SoC we built with AMD and how we addressed the fact that all data read from flash, the hard drive, and even DRAM cannot be trusted. We will also discuss the corresponding software changes needed with the custom hardware to keep the system and the games secure against physical attacks.

2:30PM - 3:00PM

Afternoon Break

3:00PM - 3:25PM

Chris Eng


Are We There Yet: Why Does Application Security Take So Long?

Why does it take so long to fix insecure code? We pair new data about the lifecycle of a vulnerability with learnings from application security programs to answer this perennial question. This analysis is not based on a survey – it's real data from real application scans. The data set contains 85,000 unique applications and 1.4 million individual assessments over a 12-month period, easily the largest application security data set of its kind.

Chris will describe the analysis process and some of the techniques, such as survival analysis, that were applied to the data set in order to measure and visualize outcomes. We'll focus specifically on identifying the factors that correlate most strongly (or not at all!) with fix rates. Finally, we'll provide data-backed insights on the contentious question of whether DevOps practices are a boon or a burden for security.

3:30PM - 4:15PM

Jay Beale


Kubernetes Practical Attack and Defense

We will attack a real Kubernetes cluster called Bust-a-Kube, which was released in 2019 as a free learning tool. The demonstration will start by compromising a real application running in a Kubernetes pod's container, gaining low privileged remote code execution inside that container. Next, we will explore what that compromised container can see on the cluster, finding the boundaries of its privileges. We will move laterally from that container to attack microservices on the cluster, gaining remote code execution in other containers, with higher privilege. We'll find that one of those can interfere with a final highest-privilege container. That highest privilege container will permit us to abuse the Kubernetes API to compromise the entire cluster. This demonstration will involve graphic "flags," allowing attendees to repeat the attack afterward as a downloadable solitaire "capture the flag" game. We'll then discuss and perform a second demo to teach defenses, working backward to defeat necessary steps in the first demo's chain of attacks. We'll demonstrate using pod security policies to force an AppArmor profile onto any pod (container) being deployed. We'll show how volume whitelists can block an attack, then demonstrate an evasion that defeats this defense. We'll then weaken this attack with root capability limits and AppArmor. We'll demonstrate an attack path where a bad actor can use a low-privilege Kubernetes cluster compromise to abuse the cloud provider APIs. This, in turn, leads to compromising the Kubernetes cluster more fully. We'll discuss how to break this attack using a cloud metadata API security feature that's Kubernetes-specific. In the course of these demonstrations, we'll conduct the attacks both manually and with an open source attack tool called Peirates. Finally, we'll discuss defenses that we did not use, including seccomp syscall whitelists, read-only root filesystems, and freely-available service meshes.

4:20PM - 5:05PM

Nico Waisman


Open Source Security, vulnerabilities never come alone

Open source has won and is here to stay, but it comes with challenges, and open source security is one that we face as an industry. We all consume it, but what about its code quality, security practices, …? Over the last 3 months, GitHub's Semmle Security Research Team has been triaging all open source CVEs and engaging on a subset of those, performing variant analysis to uncover what was missed. During this talk we will present some of these cases where we used QL to perform variant analysis, in addition to others where we performed the full research (seed vulnerability and variant analysis), such as u-boot.

5:10PM - 5:35PM

Anamitra Dutta Majumdar
Anubhav Saini


Building Secure Machine Learning Pipelines : Security Patterns and Challenges

Increasing adoption of Machine Learning and Artificial Intelligence by data-driven organizations like LinkedIn is posing some important challenges related to data security and privacy. On the one hand, member data is an asset that unlocks unlimited business potential; on the other hand, the consumption of the data must happen in a secure and privacy-preserving manner. This poses an interesting challenge for security and operations teams in the organization. In this presentation, we will walk through the well-known use cases of machine learning at LinkedIn and the phases of a machine learning pipeline. We will identify key security gaps and the corresponding security controls to address the gaps at each phase of any machine learning pipeline. The associated scalability and operational challenges for the application of security controls will be explained. Controls in each phase will be put into the perspective of the Productive Machine Learning pipeline phases being built at LinkedIn. There will be a section on how Blueshift will impact the application of security controls once compute and data have been decoupled. By the end of the talk, we will have described what a secure machine learning pipeline looks like and which key security patterns need to be put in place to secure the pipeline.

6:00PM - 10:00PM

Bytes of BlueHat: Networking Reception




8:30AM - 9:30AM

Breakfast and Registration

9:30AM - 9:35AM

Opening Remarks - David Weston

9:35AM - 10:20AM

Dirk-jan Mollema


I'm in your cloud: A year of hacking Azure AD

How does one research the cloud? With solutions such as Azure AD and Office 365, the underlying platform architecture and designs are not publicly documented or accessible in the same way as on-premise. This makes analyzing the security of the platform harder for external researchers. In this talk I will explain the journey and discoveries of a year of trying to understand Azure AD, including the vulnerabilities discovered in the process. This ranges from gathering information about Azure AD via undocumented APIs to installing invisible backdoors and escalating privileges via limited roles or via the link with on-premise. While some of these vulnerabilities have been resolved, several of these are unintended consequences of Azure AD's architecture and thus are important to consider when evaluating the security of your Azure AD environment. A basic understanding of Azure AD, Office 365 and its terminology is assumed for this talk.

10:25AM - 11:10AM

John-Luke Peck

CI Security

Autopsies of Recent DFIR Investigations

This presentation will review, in hindsight and retrospect, several recent incident response engagements performed over the last 12 months by a 3rd-party (non-Microsoft affiliated) security and incident response services provider. During the talk the presenter will review what went well and what did not go well during the various engagements, with a particular focus on the data, services, and support available from Microsoft & Office365/AzureAD, and how they were and were not able to be leveraged during the various engagements.

This will include a focus on areas where:
* Necessary data was not available because the client had not taken, or were unaware of the need to take, steps to enable collection of the data
* The data & services available were successfully used during response efforts

The presentation will highlight:
* Lessons learned about Office365/AzureAD and Incident Response
* How Office365, AzureAD, and ATP services and data were used in the response efforts
* Recommendations for Office365/AzureAD tenants to improve their security & IR capabilities /before/ an incident occurs
All presented examples and incidents will be de-identified to maintain and protect privacy and operational security.

What this is NOT:
* A service provider's sales presentation

11:15AM - 12:00PM

Wei Huang
Yueqiang Cheng

University of Toronto
Baidu USA

Aion Attacks: Exposing SGX Software Timers


Intel Software Guard Extension (SGX) is a hardware feature that provides a trusted execution environment (TEE) for user-level applications to securely run in a shielded environment called enclave. Unfortunately, there is no trusted hardware timer in SGX environment. To fill this gap, there are many software timers proposed in the past years. In these software SGX timers, there is a timer thread that maintains a counter and increases it in an infinite loop. There is also an application thread that executes certain application logic and reads the counter before and after the logic to measure the timing cost. Such software timers are widely used in many security-sensitive scenarios, e.g., side-channel detections and co-location testing, etc. In this talk, we propose two generic attacks, named Aion attacks, which are able to break ALL existing software SGX timer schemes, proving the illusion that the software SGX timers are reliable to be incorrect. Specifically, in the first attack, we significantly reduce the CPU frequency for the timer thread and run the application thread with maximum speed. As a result, the timing cost measured from the application thread is reduced significantly. In the other attack, we propose a cache interference attack that deterministically and efficiently evicts the targeted timer counter from LLC, slowing down the timer speed. We will demonstrate these two novel attacks with the real hardware settings and show the live demos during the presentation. The SGX timer issue is very serious, and even worse, we cannot even find any straightforward software solution to mitigate them effectively. We call for more researchers and parties to join this effort to improve the security of Intel SGX as well as the whole systems.
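The timer pattern the abstract describes (a counter thread in a tight loop, an application thread sampling the counter before and after its logic) is easy to model outside an enclave. The following is an added simulation, not code from the talk or from any real SGX timer: it uses ordinary Python threads, and the `tick_cost` knob is a constructed stand-in for what the two Aion attacks do to the timer thread (a lower clock frequency, or the counter being evicted from the LLC so each update stalls). It does not reproduce the hardware side of either attack; it only shows why a measurement taken in timer ticks collapses once the timer thread is slowed while the application thread is not.

```python
import threading
import time


class SoftwareTimer:
    """Software timer of the kind the abstract describes: a dedicated thread
    increments a counter in an endless loop, and application code samples the
    counter before and after a piece of logic to estimate its cost.

    `tick_cost` is a constructed knob (assumption, not part of any real timer):
    a positive value makes every increment take longer, standing in for the
    effect of the Aion attacks on the timer thread."""

    def __init__(self, tick_cost: float = 0.0) -> None:
        self.count = 0
        self._tick_cost = tick_cost
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._run, daemon=True)

    def _run(self) -> None:
        while not self._stop.is_set():
            self.count += 1
            if self._tick_cost:
                time.sleep(self._tick_cost)  # slowed timer thread

    def __enter__(self):
        self._thread.start()
        return self

    def __exit__(self, *exc) -> None:
        self._stop.set()
        self._thread.join()

    def read(self) -> int:
        return self.count


def workload(n: int = 1_000_000) -> int:
    """Fixed amount of application logic whose cost we want to measure."""
    acc = 0
    for i in range(n):
        acc ^= (i * i) & 0xFFFF
    return acc


def measure(timer: SoftwareTimer, fn) -> int:
    """Cost of fn() in timer ticks, the way the application thread does it."""
    before = timer.read()
    fn()
    return timer.read() - before


def run_experiment(tick_cost_under_attack: float = 0.001) -> dict:
    """Measure the same workload once with an unattacked timer and once with
    a slowed one. Returns ticks and wall-clock seconds for both runs."""
    results = {}
    for label, cost in (("baseline", 0.0), ("attacked", tick_cost_under_attack)):
        with SoftwareTimer(tick_cost=cost) as timer:
            t0 = time.perf_counter()
            ticks = measure(timer, workload)
            results[label] = {"ticks": ticks, "wall_s": time.perf_counter() - t0}
    return results


if __name__ == "__main__":
    r = run_experiment()
    for label, v in r.items():
        print(f"{label:9s} ticks={v['ticks']:>9d}  wall={v['wall_s'] * 1000:7.1f} ms")
    # The workload takes roughly the same wall-clock time in both runs, but the
    # slowed timer reports far fewer ticks, so any check that compares tick
    # counts against a threshold (side-channel detection, co-location tests)
    # sees the application logic as much cheaper than it really was.
```

The point to take from the two rows of output is that the application thread has no independent reference: its only notion of elapsed time is the counter's progress, so anything that slows the timer thread alone silently rescales every measurement it makes.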

12:00PM - 1:00PM

Lunch Break

1:00PM - 1:45PM

Elvis Collado

Exodus Intelligence

Don't forget to SUBSCRIBE.

Deck Video Abstract

This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey to known exploitation techniques. This talk will go over the thought process, failures, and road-blocks that were encountered and how they were overcome.

1:50PM - 2:35PM

Jordan Wiens
Peter LaFosse

Vector 35 Inc

Modern Binary Analysis with ILs

Deck Video Abstract

Modern binary analysis, whether for discovering vulnerabilities or analyzing malware, needs automation to deal with the volume of code under inspection. And yet, while Intermediate Languages (ILs) have been used for decades in compiler design and implementation, too few reverse engineers have any experience with them even though many reverse engineering tools (Binary Ninja, Ghidra, IDA) are built on top of ILs. Given that, it's time to demystify this space and make it accessible beyond just computer scientists and researchers. There are many potentially unfamiliar concepts related to ILs: single-static assignment, value-set analysis, three argument form versus tree-based designs, and others. But what matters is how these ILs can help you build better binary analysis tools. This talk not only gives you an overview of existing ILs used in reverse engineering, but more importantly, shows you how your tooling can benefit from them. From cross-platform analysis (follow a botnet from an x86-64 desktop to a mobile ARM, to an embedded MIPS), to leveraging existing data-flow capabilities that bring some of the benefits of both dynamic and static analysis together, this talk will demonstrate several examples of plugins that leverage ILs to improve your ability to automatically reason over compiled code.

2:35PM - 3:05PM

Afternoon Break

3:05PM - 3:50PM

Tao Yan

Palo Alto Networks

Pool Fengshui in Windows RDP Vulnerability Exploitation


Heap Fengshui is one of the most important techniques in userland vulnerability exploitations under modern mitigations, seemingly Pool Fengshui plays the same role in Windows RDP vulnerability exploitations. In this topic, we will not only introduce three innovative methods for Pool Fengshui with RDP PDUs, but also introduce the idea about how to find those Pool-Fengshui-Friendly PDUs in tons of legitimate PDUs from massive RDP documents. Details from how to construct three different PDUs in the RDP client to how to parse these PDUs and what these PDUs look like in the kernel memory in the RDP server will all be discussed. Besides, we will also use BlueKeep (CVE-2019-0708) as an example to show how useful and universal these techniques are in Windows RDP vulnerability exploitations. At last, we will show the BlueKeep exploit demo.

3:50PM - 4:00PM

Closing Remarks - Kymberlee Price

4:00PM - 5:00PM

Happy hour!


2019 has seen a phenomenal BlueHatIL in February followed by a wildly successful BlueHat Shanghai in May… now it's time to come back home for BlueHat Seattle!

  • 2 days of hands-on technical training

  • 2 days of conference talks from industry leading security researchers and cyber defenders

  • great creative spaces ready to spark thought provoking conversations and collaborative partnerships

Bytes of BlueHat: Networking Reception

Please join your fellow security researchers and Microsoft representatives for the Bytes of BlueHat: Networking Reception on Thursday, October 24.


Registration for BlueHat Seattle 2019 is now closed. Join us next year!

Recap Video


If you have any questions regarding the BlueHat Seattle conference

please feel free to contact bluehat@microsoft.com

October 22-25, 2019

Showbox SoDo, 1700 1st Ave S, Seattle, WA 98134

Living Computer Museum, 2245 1st Ave S, Seattle, WA 98134
