Keynote. How to statically detect insecure uses of cryptography - at scale and with almost perfect precision

Video. YouTube

Slides. PDF

Abstract. During the 1980s, the intelligence agencies sought to maintain information dominance via export controls on crypto hardware. During the 1990s, once crypto could be done in software, they tried to mandate government access to keys. During the 2000s, as communications came to rely on the server farms of Hotmail, Gmail and Facebook, they harvested most of their material from there. After Ed Snowden told us this in 2013, people started using end-to-end crypto, so the agencies turned their attention to our phones and other devices. We now face a twin attack. Laws proposed in the EU, the UK and elsewhere will mandate client-side scanning, with the usual rhetoric about terrorists and kids. The second front is the EU's Digital Markets Act which will mandate interoperability. If government access to keys was undesirable because of the complexity it introduced, even if escrow keys were kept perfectly secure, then mandated interoperability is complexity on steroids. A coherent response from academia and civil society must engage many issues, from cryptographic protocol design through antitrust economics to strategies to combat violence against women and girls.

Biography. Ross Anderson is Professor of Security Engineering at the Universities of Cambridge and Edinburgh. He made early contributions to the study of cryptographic protocols, hardware tamper-resistance, security usability and the economics of information security, and has worked with a range of applications from payment networks and electronic health records to vehicle tachographs and prepayment utility meters. He is a Fellow of the Royal Society and the Royal Academy of Engineering, and won the Lovelace Medal, Britain's top award in computing. He is the author of the standard textbook "Security Engineering – A Guide to Building Dependable Distributed Systems".

@rossjanderson

Keynote. Towards High-Assurance Cryptographic Software

Video. YouTube

Slides. PDF

Abstract. The threat of quantum computing, the promise of blockchains, and the need for privacy against pervasive surveillance has ushered in a golden era for the design and deployment of new cryptography, with multiple cryptographic algorithms and protocols being standardised every year. Despite all these exciting developments, however, correctly designing and securely implementing cryptographic systems remains a challenging and error-prone task, even for experts. In this talk, we will see how formal verification and security-oriented programming languages can be used to help build high-assurance cryptographic software. We will discuss their use in the design of recent cryptographic standards like HPKE and MLS, and in the implementation of cryptographic libraries like HACL*. We will conclude by looking at how these methods can be made more widely usable by cryptographic engineers in the future.

Biography. Karthikeyan Bhargavan (Karthik) is a directeur de recherche (DR) at Inria in Paris, where he leads a team of researchers working on developing new techniques for programming securely with cryptography. He was born in India and did his undergraduate studies at the Indian Institute of Technology Delhi before pursuing his PhD at the University of Pennsylvania. He then worked at Microsoft Research in Cambridge until 2009 when he moved to France. Karthik’s research lies at the intersection of programming language design, formal verification, and applied cryptography. Most recently, his work has focused on the design and analysis of the TLS 1.3 Internet standard and the design and deployment of the HACL* cryptographic library. Karthik is also a co-founder of Cryspen, a company that specializes in high-assurance cryptographic solutions.

Talk. Content-Type: multipart/oracle - Tapping Into Format Oracles in Email End-to-End Encryption

Video. YouTube

Slides. PDF

Abstract."Email is an offline protocol - oracle attacks against its end-to-end encryption are impractical." - This statement has been made time and time again. However, is it really true? Can we perform “real” oracle attacks, like Vaudenay's CBC Padding Oracle Attack and Bleichenbacher’s infamous Million Message Attack against E2EE email?
We survey how the decryption state of E2EE email can be made visible through the interplay of MIME and IMAP and describe side-channels caused by specific MIME trees. We analyze 19 OpenPGP and S/MIME email clients and exploit side-channels to decrypt S/MIME messages in iOS Mail and Google Workspaces.
Finally, we discuss why exploiting the other clients is impractical and that the unintended countermeasures create dangerous conflicts between usability and security. Finally, we present more rigid countermeasures for developers and the standards.

Biography. Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. When not working, he loves hiking and doing jigsaw puzzles.

@murgi
@murgi@infosec.exchange

Talk. CPU Fuzzing: Automatic Discovery of Microarchitectural Attacks

Video. YouTube

Slides. PDF

Abstract.Over the last two decades, researchers discovered different new attacks on modern CPUs. These attacks include side-channel attacks capable of leaking secret keys or breaking security mitigations. More recently, even more powerful attacks such as Spectre and Meltdown were discovered In this talk, we explore approaches that we developed to automatically find such attacks. First, we present Osiris, a tool to automatically find side channels. Second, with Transynther, we find new variants of Meltdown-type attacks. Third, we discuss MSRevelio, a tool searching for undocumented MSRs.

We also present the found attacks ranging from side-channel attacks over KASLR breaks, to Meltdown-type attacks. Along the way, we will elaborate on the challenges and limitations these tools face despite their success and comment on what we believe are the most important lessons we can learn from them.

Biography. Daniel Weber is a PhD student researching in the field of microarchitectural attacks, such as side-channel and transient-execution attacks. His work focuses on improving the process of finding such attacks via automation. He is part of Michael Schwarz' research group at the CISPA Helmholtz Center for Information Security. Before that, he obtained a Bachelor's degree in Cybersecurity from Saarland University. In his free time, Daniel regularly participates in Capture the Flag competitions as part of the team saarsec.

@weber_daniel

Michael Schwarz is Faculty at the CISPA Helmholtz Center for Information Security, Germany, with a focus on microarchitectural attacks and system security. He obtained his PhD in 2019 from TU Graz. He holds two master's degrees in computer science and software engineering. He is a regular speaker at both academic and hacker conferences. He was part of one of the research teams that found the Meltdown, Spectre, Fallout, LVI, PLATYPUS, and ZombieLoad. He was part of the team developing the KAISER patch, the basis for the widely Meltdown countermeasure deployed in every modern operating system.

@misc0110

Talk.Everything You Wanted to Know About DOM Clobbering (But Were Afraid to Ask)

Video. YouTube

Slides. PDF

Abstract. XSS has been a major threat to webapps for the past 20 years, often achieved by script injection, and mitigated by disallowing or controlling script execution. But what if the attackers can obtain XSS with script-less markups? DOM Clobbering is a type of namespace collision attack that enables attackers to transform seemingly benign HTML markups to executable code by exploiting the unforeseen interactions between JS code and the runtime environment. Unfortunately, attack techniques, browser behaviours, and code patterns that enable DOM clobbering has not been studied yet, and in this work, we undertake that. Our study shows that DOM clobbering vulnerabilities are ubiquitous, affecting 9.8% of the top 5K sites, and that existing defenses may not completely cut them. This talk covers clobbering techniques, vulnerability detection, prevalence, indicators, and defenses.

Biography. Soheil Khodayari is a PhD candidate at CISPA, Germany, researching in the area of Web security and privacy testing, and Internet measurements. Soheil has presented and published his works on top tier security venues like IEEE S&P, NDSS, USENIX Security, Stanford SecLunch, and OWASP AppSec. He also serves as the AE PC of security conferences like USENIX and ACSAC. Among his contributions, Soheil proposed the first taxonomy and detection of XS-leaks, one of the first studies about client-side CSRF, the state of the SameSite adoption, and other client-side vulnerabilities.

@Soheil__K

Talk. Federated Learning and Its Application for a Privacy-Respecting Android Malware Classifier

Video. YouTube

Slides. PDF

Abstract. Federated Learning (FL) has gained popularity as a mechanism to address privacy threats in the training process of a machine learning model. Instead of sharing raw data, users can share locally trained models to stop service providers from getting access to their personal information. FL has been deployed in a popular Android application, the Gboard mobile keyboard, and researchers are investigating new ways to make it more accurate and more secure.
In this talk, we introduce the basics for understanding FL and discuss three important shortcomings of vanilla FL. First, users are required to provide the system with ground truth to enable local training in their own devices. Second, the introduction of malicious users to the federation may break the integrity of the model in order to lower performance. And third, an honest-but-curious service provider may break user privacy by attacking their individual models. Our solution is based on semi-supervised machine learning techniques that, on the one hand, allow users to learn from their unlabeled data, and on the other hand, reduce the attack surface of the federated model.
We demonstrate the feasibility of our design by implementing LiM, an Android malware classifier that is resistant against poisoning and inference attacks while providing state-of-the-art results without user supervision. We end by giving an overview of potential applications of LiM beyond malware detection.

Biography. Veelasha Moonsamy is a tenured research faculty at the Chair for System Security at Ruhr University Bochum in Germany. She was previously an Assistant Professor in the Digital Security group at Radboud University (The Netherlands) and was briefly affiliated with the Software Systems group at Utrecht University (The Netherlands) in 2018. She received her PhD degree in 2015 from Deakin University (Australia). Her research interests revolves around security and privacy for embedded devices, in particular side- and covert-channel attacks, malware detection, and mitigation of information leaks at application and hardware level.

@veelasha_m
@veelasha@infosec.exchange


Rafa Gálvez is a recent PhD graduate from the COSIC research group at KU Leuven working on privacy engineering for AI. He is interested in delivering high-quality, state-of-the-art AI products that respect user privacy and solve real-world needs of as many (vulnerable) people as possible.

@artificialphilosopher@scholar.social

Talk. Hand Sanitizers in the Wild: A Large-Scale Study of Custom JavaScript Sanitizer Functions

Video. YouTube

Slides. PDF

Abstract. Input Sanitization is the main defense strategy against the ever present class of injection vulnerabilities. Needing to process complex input data, such as HTML fragments, makes writing correct sanitizers very demanding. Are developers up to the task? This is the question we will answer during this talk with a focus on Client-Side Cross-Site Scripting. We will cover how to detect sanitization logic on websites, automatically assess their security and bypass them if they are insecure. With this toolkit we present the results of our study on the state of HTML sanitization on the Web at large. This includes various examples how developers try and fail at writing such routines.
Finally, we will discuss ways to actually protect yourself as a developer as well as a glimpse towards upcoming mitigations built into the browser. Maybe these will finally aid to ridden the web of this vulnerability class.

Biography. David is a PhD candidate at the Institute for Application Security at Technische Universität Braunschweig. His research interests include Web Security with a focus on (breaking) protection mechanisms, as well as approaches on making existing software more privacy preserving. David has presented both at academic venues as well as industrial conferences such as SAP DKOM, IT-DEFENSE and OWASP Global AppSec.

@ncd_leen
@leeN@chaos.social

Talk. Security of Push Messaging

Video. YouTube

Slides. PDF

Abstract. Push services like SMS, e-mail and instant messaging are one of the foundations of digital communications. However, their security differs significantly. Researchers are enthusiastic about new security paradigms implemented in instant messaging applications like SIGNAL and WhatsApp, and despair about the security of OpenPGP and S/MIME. But is either enthusiasm or despair justified? This talk gives an overview on recent research and novel solutions to these problems.

In this talk, the speaker will demonstrate how a popular app with over 100 million downloads conducts their mobile fraud operation and performs a commonplace mobile fraud technique: Click Injection.

Biography. Since September 2003, Prof. Dr. Jörg Schwenk heads the Chair for Network and Data Security at the Ruhr University Bochum. The chair belongs to the renowned Horst Görtz Institute for IT Security. Professor Schwenk is an internationally recognized expert in the areas of cryptography and IT security. After completing his doctorate in the Department of Mathematics at the University of Gießen he moved in 1993 to Darmstadt, where he worked at the Telekom Technology center for applied research in the field of IT security. Professor Schwenk is an author of numerous international publications in renowned conferences (for example USENIX Security, ACM CCS), author of textbooks on cryptography and Internet security, and about 60 patents in the field of IT security.

@JoergSchwenk

Talk. Server-Side Browsers: Exploring the Web's Hidden Attack Surface

Video. YouTube

Slides. PDF

Abstract. As websites grow ever more dynamic and load more of their content on the fly, automatically interacting with them via simple tools like curl is getting less of an option. Instead, headless browsers with JavaScript support, such as PhantomJS and Puppeteer, have gained traction on the Web over the last few years. For various use cases like messengers and social networks that display link previews, these browsers visit arbitrary, user-controlled URLs. To avoid compromise through known vulnerabilities, these browsers need to be diligently kept up-to-date.
In this talk, we investigate the phenomenon of what we coin 'server-side browsers' at scale and find that many websites are running severely outdated browsers on the server-side. Remarkably, the majority of them had not been updated for more than 6 months and over 60% of the discovered implementations were found to be vulnerable to publicly available proof-of-concept exploits.
By attending, you will not only learn about this new and unique attack surface, but also how to discover these vulnerabilities on your own. Moreover, you will learn how defenses against traditional SSRF attacks are insufficient in the context of this attack and what can be done about that.

Biography. Marius Musch is a web security researcher at the Institute for Application Security at Technical University Braunschweig, where he obtained his PhD in November 2022. His research interests focus on the intersection of client-side web attacks and large-scale studies. So far, Marius has given presentations at venues such as Usenix Security, AsiaCCS, OWASP Global AppSec, and the Chaos Communication Congress.

@m4riuz
@m4riuz@infosec.exchange

Talk. ShowTime: CPU Timing Attacks With the Human Eye

Video. YouTube

Slides. PDF

Abstract. Are precise timers required for successful timing attacks?
While machines are accomplishing feats previously thought to require human-like intellect, this talk exposes how humans can achieve a task previously thought to require machine-like precision: observing phenomena happening at the nanosecond scale.

We propose ShowTime, a general attack framework that exposes arbitrary microarchitectural timing channels to coarse-grained timers. ShowTime converts microarchitectural leakage from one type to another, and amplifies minuscule initial leaks into huge timing differences.

Among other case studies, we explore whether the time difference arising from a single cache hit or miss can be amplified so that even the human eye can see the difference. Overall, our findings imply that CPU timing attacks remain a threat, even in the face of severe timer restrictions.

Biography. Antoon (Toon) Purnal is a PhD researcher in the hardware security group at COSIC under the supervision of professor Ingrid Verbauwhede. His research interests include microarchitectural attacks and defences, and efficient and secure cryptographic implementations. Before joining COSIC, he obtained a Master’s degree in Electrical Engineering from KU Leuven.

@purnaltoon
@PurnalToon@infosec.exchange

Marton is a Ph.D. candidate at the DistriNet research group of KU Leuven under the supervision of Frank Piessens. His interest lies in the intersection of side-channel attacks, hardware design, and formal verification. He is active in both offensive and defensive research.

@martonbognar

Talk. SQUIP or Why We Need to Study Processors Like Nature

Video. YouTube

Slides. PDF

Abstract. As CPU microarchitectures have been the subject of security research over decades, one might think that we are close to exhaustively understanding them. However, we argue that this is not the case. We overview prior attacks and present a new case study: SQUIP - Scheduler Queue Usage Interference Probing.
We provide background on modern CPU pipelines and out-of-order execution. We discuss scheduler queues and their security implications, showing how scheduler queue contention can leak up to 2.7 MBit/s in a cross-process covert-channel scenario and up to 0.89 MBit/s across virtual machines. Our end-to-end SQUIP attack on AMD CPUs leaks full RSA private keys within 1 hour, across processes and virtual machines. Finally, we outline how to go forward, both on mitigating SQUIP and on microarchitectural security research in general, showing that we need to study microarchitectures like nature.

Biography. Stefan Gast started his PhD in Daniel's research group at Graz University of Technology in August 2021. His research focuses on software-based microarchitectural CPU attacks and defenses. SQUIP was the first publication for his PhD thesis. Stefan is also passionate about teaching and has been doing so for more than 10 years.

@notbobbytables
@notbobbytables@infosec.exchange

Daniel Gruss is a Professor at Graz University of Technology. He has a great passion for teaching, which he started doing in 2009. Daniel's research focuses on microarchitectural security, covering both attacks as well as efficient and effective defenses. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues. In 2022, he was awarded an ERC Starting Grant to research how to make security more sustainable.

@lavados
@lavados@infosec.exchange

Talk. We Really Need to Talk About Session Tickets: A Large-Scale Analysis of Cryptographic Dangers With TLS Session Tickets

Video. YouTube

Slides. PDF

Abstract. Session tickets improve the TLS protocol performance and are therefore widely used. For this, the server encrypts secret state and the client stores the ciphertext and state. Anyone able to decrypt this ciphertext can passively decrypt the traffic or actively impersonate the TLS Server on resumption. To estimate the dangers associated with session tickets, we perform the first systematic large-scale analysis of the cryptographic pitfalls of session ticket implementations.
We found significant differences in session ticket implementations and critical security issues in the analyzed servers. Vulnerable servers used weak keys or repeating keystreams in the used tickets. Among others, our analysis revealed a widespread implementation flaw within the Amazon AWS ecosystem that allowed for passive traffic decryption for at least 1.9% of all servers in the Tranco Top 100k servers.

Biography. I am a PhD student at the System Security Chair at Paderborn University, supervised by Juraj Somorovsky. I'm Interested in TLS, cryptographic and configuration issues, as well as odd behavior of implementations in edge cases but also network security in general. Along the way, I have gathered some experience in large scale scanning and working with networks. Occasionally you can also find me in a Kayak.

@xoimex

Talk.You Can't Always Get What You Want – How Web Sites (Often) Lack Consistent Protection

Video. YouTube

Slides. PDF

Abstract.Client-side security policies are designed to protect against various types of Web attacks and are communicated to the browser through HTTP response headers. To ensure protection, these headers must be consistently deployed and enforced across all pages within the same origin and for all clients.
In this talk, you will get a refresher on the most important security headers and see examples of seemingly innocuous misconfigurations that can lead to significant threats. Moreover, you’ll learn about how many of the top sites fall victim to such mistakes (based on our scientific measurement studies). Finally, you’ll learn how to avoid them for your own pages, and hear about a new proposal to overcome all these issues.

Biography. Sebastian Roth is a last-year PhD Candidate (submitted in January 2023) at Saarland University / CISPA. My research interest is focused on client-side Web security as well as developer-centric usable security and is regularly published at Top Tier academic venues. But I also enjoy giving non-academic talks such that I can stay in contact with folks from the industry. In addition to that I have taught other students as a tutor and teaching assistant in several different lectures. During my leisure time, I regularly organize and participate in CTF (Capture the Flag) competitions together with saarsec.

@s3br0th

Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web security, with a recent focus in particular on CSP and its connections to aspects of usability. His group regularly publishes at major security conferences such as USENIX Security, CSS, and NDSS, and Ben also serves on the PC and as track chair of the venues. His group also regularly shares insights outside the scientific community, such as at OWASP AppSec or Ruhrsec.

@kcotsneb

Talk. Your Wi-Fi Is the Eavesdropper's Radar: How to Counter Privacy Threats of Wireless Sensing

Video. YouTube

Slides. PDF

Abstract. Today's ubiquitous wireless devices are attractive targets for passive eavesdroppers to launch reconnaissance attacks. Regardless of cryptographic measures, adversaries can overhear standard communication signals on the physical layer to obtain estimations of wireless propagation channels. These are known to contain information about the surrounding environment, which can be extracted using wireless sensing methods. In this way, adversaries may gain sensitive information which poses a major privacy threat. For instance, it is easily possible to infer human motion, allowing to remotely monitor premises of victims
In this talk, we first review wireless sensing and its privacy implications. We then introduce IRShield - a countermeasure against adversarial wireless sensing based on recent advances on intelligent reflecting surfaces. IRShield is designed as a plug-and-play privacy-preserving extension to existing wireless networks. We demonstrate that IRShield defeats a state-of-the-art human motion detection attack proposed in the literature.

Biography. Paul Staat received his B.Sc. degree in electrical engineering and the M.Sc. degree in communication systems and networks from the University of Applied Sciences Cologne, Germany, in 2016 and 2018, respectively. He is currently working towards the Ph.D. degree at the Max Planck Institute for Security and Privacy in Bochum. His research interests include physical-layer and wireless security and tamper-resistant hardware.

Talk. For Smarter Authentication, We Might Need to Use the Brain

Video. YouTube

Abstract. We deserve smarter authentication mechanisms to move on from the current password-dominated scene. With the democratization of neurotechnologies, the usage of brain biometrics in everyday life becomes a tangible possibility. In this talk, we will present research contributions towards practical brainwave-based user authentication, covering both security and usability aspects.

Biography. Patricia Arias-Cabarcos is Professor of IT Security at Paderborn University. Her research interests lie in the area of human-centered security and privacy, with a special focus on usable authentication, behavioral data protection, and data-driven transparency. She publishes in major conferences in the field, such as CCS and USENIX Security, having also served on the technical program committee for this type of venues, including CCS, ESORICS and EuroUSEC.

@patriAriasC

Talk. The Cyber-Triad - TTPs, Nightmares and Epic Fails All Things IR, Reverse Engineering and Red Teaming

Video. N.A.

Abstract. IT security incidents occur in many forms and characteristics. The reasons for a successful attack and the resulting incident are also diverse.

Using current examples from the last two years, this presentation explains in a realistic manner how Reverse Engineering, Incident Response/Readiness and various topics from the offensive side interact when dealing with an incident and where are limitations. Furthermore, fundamental obstacles and show-stoppers in the area of analyzing and dealing with IT security incidents are also discussed.

Biography. Jasper Bongertz is a network security expert with a focus on network forensics and incident response. He works as Head of Incident Response at G DATA Advanced Analytics in Bochum.

Tatjana Ljucovic is studying for her Master's degree in Internet Security. Over the past 10 years, she has gained profound knowledge in various fields of IT security and has focused in particular on secure network communication.

Talk. DoubleX: Statically Detecting Vulnerable Data Flows in Browser Extensions at Scale

Video. YouTube

Abstract. Browser extensions have elevated privileges compared to web pages, thus attracting the interest of attackers. While prior work focused on detecting malicious extensions, we consider vulnerable extensions. In fact, a web page under the control of an attacker can send malicious payloads to a vulnerable extension, leading to, e.g., universal XSS.

To uncover such attacks, we built DoubleX, our static analyzer detecting suspicious external data flows between an attacker and security- or privacy-critical APIs in extensions. On the 155k Chrome extensions analyzed, DoubleX has both high precision (89%) and recall (93%). Overall, we could exploit 184 extensions under our threat model (2021), 87% of which were already vulnerable in 2020.

We hope that our work will increase the awareness of well-intentioned developers toward unsafe programming practices leading to security and privacy issues.

Biography. Aurore Fass is a Visiting Assistant Professor of Computer Science at Stanford University (U.S.) and a Research Group Leader at CISPA (Germany). Aurore got her PhD from CISPA & Saarland University in 2021, jointly supervised by Michael Backes and Ben Stock. Her PhD thesis revolves around studying JavaScript security through static analysis.

Aurore's research focuses on Web Security & Privacy, Web Measurements, and Machine Learning. Specifically, she is interested in detecting malware & vulnerabilities on the Web and collecting data to better understand and improve user security and privacy.

@AuroreFass

Talk. Secure Cache Designs: The State of the Art and Beyond

Video. YouTube

Abstract. In recent years, the advent of microarchitectural attacks has brought with it a renewed interest in secure cache designs. The prominent strategies that have emerged in secure cache designs to mitigate side-channel attacks are randomization or partitioning. Following initial designs, other works have shown that even these improved designs are limited in the face of more advanced attacks, starting a theoretical (cache) arms race.

In this talk, we give an overview of traditional and secure caches designs, as well as their respective attacks. We outline the mechanisms of the most prominent designs and discuss their properties. We take a detailed look at which design assumptions were broken by new attacks and where designs may have had flaws to begin with. Finally, we present a new cache design that aims to avoid currently known attacks and sidestep the mechanisms on which they are built.

Biography. Lukas Giner is a PhD Student at Graz University of Technology in the CoreSec group of Daniel Gruss. His research focuses on microarchitectural security, from attacks like Fallout to secure hardware designs like Scattercache.

@redrabbyte

Daniel Gruss is an Assistant Professor at Graz University of Technology. He has been involved in teaching operating system undergraduate courses since 2010. Daniel's research focuses on side channels and transient execution attacks. He implemented the first remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre bugs published in early 2018. He frequently speaks at top international venues.

@lavados

Talk. Why TLS is better without STARTTLS

Video. YouTube

Abstract. TLS is one of today's most widely used and best-analyzed encryption technologies. However, for historical reasons, TLS for email protocols is often not used directly but negotiated via STARTTLS. This additional negotiation added complexity and was prone to security vulnerabilities such as naive STARTTLS stripping or command injection attacks in the past.

We performed the first structured analysis of STARTTLS in SMTP, POP3, and IMAP and introduced a semi-automatic testing toolkit (EAST) to analyze email clients. We used EAST to analyze 28 email clients and 23 email servers, resulting in over 40 STARTTLS related issues. Only 3 out of 28 clients and 7 out of 23 servers did not show any STARTTLS-specific security issues. We conclude that STARTTLS is error-prone to implement, under-specified in the standards, and should be avoided.

Biography. Fabian Ising is a security researcher and PhD candidate at Münster University of Applied Sciences and Ruhr Uni Bochum. He is interested in applied cryptography, especially in email security and network protocols. Apart from applied cryptography, he spends time on medical security and web security. He also has experience as a penetration tester and code auditor. Bugs love him and tend to jump at him as soon as he uses software. He/Him.

@murgi

Damian Poddebniak is a software engineer and security researcher interested in email security, network protocols, and applied cryptography. He recently defended his dissertation about the limitations of end-to-end encrypted email and now seeks opportunities to sustainably improve the status quo of software security. He believes in free software, open access to knowledge, and a world with net-zero greenhouse gas emissions. Rustacean. He/Him.

@dues__

Talk. Modern Single Sign-On: On the Security of Single Sign-On Flows in Popups and IFrames

Video. YouTube

Abstract. Single Sign-On (SSO) protocols like OpenID Connect are cornerstones of user authentication on the web. Until now, HTTP redirects empowered the login flow to transfer authentication tokens from identity providers like Facebook and Google to arbitrary websites. With a rising demand for streamlined login experience, many websites adopted proprietary modern login flows that are executed in popups and iframes. Thereby, in-browser communications gradually replace the redirects, shifting SSO security closely towards the web security's territory. In this talk, we dive into the deployment of modern SSO. We discuss its new attack surface and showcase real-world vulnerabilities on popular sites like AliExpress and NYTimes to demonstrate our research impact. Further, we summarize the lessons learned and security best practices mitigating the issues such that developers can protect their login flows.

Biography. Louis Jannett is a first-year PhD candidate at the Chair for Network and Data Security at Ruhr University Bochum, supervised by Jörg Schwenk. His current research interests are focused on how web security threats enable new attacks on the security and privacy of user authorization and authentication on the web. He especially investigates the prevalence, security, and privacy of popular Single Sign-On protocols like OAuth and OpenID Connect, paying close attention to SDKs and custom implementations in the wild.

@iphoneintosh

Talk. I Wanna Deploy You, but My Senses Tell Me to Stop! – CSP’s Past, Present and Future?

Video. YouTube

Abstract. The Web has improved our ways of communicating, collaborating, teaching, and entertaining us and our fellow human beings. However, this cornerstone of our modern society is also one of the main targets of attacks, most prominently Cross-Site Scripting (XSS). A correctly crafted Content Security Policy (CSP) is capable of effectively mitigating the effect of those Cross-Site Scripting attacks. Throughout the last years we have conducted several research projects that deal with topics around the Content Security Policy. In this talk, we want to highlight the lessons learned from those research projects. We show how the seemingly straightforward task of getting your own site CSP-compliant is undermined by third parties. Further, we discuss the insights of our study with 12 developers and the roadblocks that they face, such that you can avoid them when deploying a CSP for your Web applications.

Biography. Sebastian Roth is a third-year PhD student in the Secure Web Applications Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Ben Stock. His research interest is focused on client-side Web Security as well as Usable Security for developers. Thus, he is collaborating with the research group of Katharina Krombholz. Currently, he is specifically looking into the prevalence, the usage, and the usability of security header present in Web applications.

@s3br0th

Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web security, with a recent focus in particular on CSP and its connections to aspects of usability. His group regularly publishes at major security conferences such as USENIX Security, CSS, and NDSS, and Ben also serves on the PC and as track chair of the venues. His group also regularly shares insights outside the scientific community, such as at OWASP AppSec or Ruhrsec.

@kcotsneb

Talk. Analysis of DTLS Implementations Using Protocol State Fuzzing

Video. YouTube

Abstract. Recent years have witnessed an increasing number of protocols relying on UDP. Due to UDP's simplicity and performance advantages over TCP, it is being adopted in Voice over IP, tunneling technologies, IoT, and novel Web protocols. To protect sensitive data exchange in these scenarios, the DTLS protocol has been developed as a cryptographic variation of TLS. DTLS's main challenge is to support the stateless and unreliable transport of UDP. This has forced the protocol designers to make choices that affect the complexity of DTLS, and to incorporate features that need not be addressed in the numerous TLS analyses. We present the first comprehensive analysis of DTLS implementations using protocol state fuzzing. To that end, we extend TLS-Attacker, an open-source framework for analyzing TLS implementations, with support for DTLS tailored to the stateless and unreliable nature of the underlying UDP layer. We build a framework for applying protocol state fuzzing on DTLS servers and use it to learn state machine models for thirteen DTLS implementations. Analysis of the learned state models reveals 4 serious security vulnerabilities, including a full client authentication bypass in the latest JSSE version, as well as several functional bugs and non-conformance issues. It also uncovers considerable differences between the models, confirming the complexity of DTLS state machines.

Biography. Robert Merget is a PhD Student at the Chair for Network and Data security at Ruhr University Bochum. The focus of his research is practical TLS implementations and their analysis. He is the main developer of TLS-Attacker and TLS-Scanner.
@ic0nz1

Talk. Code emulation for reverse engineers: a deep dive into radare2's ESIL

Video. YouTube (slides and demos)

Abstract. Code emulation is a well-known technique widely used in many scenarios non related to reverse engineering. However, it can also be leveraged as a great tool aiding in different reversing processes and it is becoming more and more popular for this purpose recently.

We will start by providing an overview of the capabilities and basic usage of the radare2 free and open source reverse engineering framework.

Then, we will explain the basics of code emulation, focusing on the reasons why it can be useful in reverse engineering processes and how it is implemented and used within radare2 by ESIL (Evaluable Strings Intermediate Language). In particular, we will explain the workings behind its implementation as a "stack machine on steroids".

Finally, we will explore practical examples and live demos that will show how to make the most out of it in different case scenarios related to reverse engineering, ranging from simple CTF challenges up to pseudo-debugging and analysis of non-native architectures, safe dynamic analysis of untrusted code and recovering original code from encryption/decryption routines inside obfuscated malware code.

The main goal of the talk is to introduce the radare2 reversing framework, mainly its emulation engine ESIL, and highlight the different ways in which reverse engineers can take advantage from code emulation techniques for daily tasks in different scenarios.

Biography. Arnau, 22 years old, is a student of Mathematics and Computer Engineering at the University of Barcelona, specially interested in the field of reverse engineering and focusing his research in advanced techniques for code deobfuscation. He has worked as a software developer in a project of the European Research Council and has been a DFIR summer intern at Arsenal Consulting. Speaker at seminars and university meetings as well as in several security conferences (RootedCON, OverdriveConference, r2con, HITB...). He collaborates in the organization of the radare2 congress (r2con) and is co-founder and president of @HackingLliure, a non-profit association of ethical hacking and computer security.
@arnaugamez

Talk. Efficient Forward Security for TLS 1.3 0-RTT

Video. YouTube

Abstract. The TLS 1.3 0-RTT mode enables a client reconnecting to a server to send encrypted application-layer data in "0-RTT" ("zero round-trip time"), without the need for a prior interactive handshake. This fundamentally requires the server to reconstruct the previous session's encryption secrets upon receipt of the client's first message. The standard techniques to achieve this are session caches or, alternatively, session tickets. The former provides forward security and resistance against replay attacks, but requires a large amount of server-side storage. The latter requires negligible storage, but provides no forward security and is known to be vulnerable to replay attacks.

In this talk, we discuss which drawbacks the current 0-RTT mode of TLS 1.3 has and which security we actually would like to achieve. We then present a new generic construction of a session resumption protocol and show that it can immediately be used in TLS 1.3 0-RTT and deployed unilaterally by servers, without requiring any changes to clients or the protocol. This yields the first construction that achieves forward security for all messages, including the 0-RTT data.

Biography. Kai Gellert is a PhD student at the chair of IT Security and Cryptography at the University of Wuppertal, where he is supervised by Tibor Jager. The focus of his research is the construction and security analysis of forward-secure 0-RTT protocols. His results are published at leading security and cryptography conferences such as Eurocrypt and the Privacy Enhancing Technologies Symposium.
@KaiGellert

Talk. Hacker Rights

Video. YouTube

Abstract. Sixty percent of hackers don't submit vulnerabilities due to the fear of out-of-date legislation, press coverage, and companies misdirected policies. This fear is based on socially constructed beliefs. This talk dives into the brain's response to fear while focusing on increasing public awareness in order to bring legislation that supports ethical hackers, ending black hoodie and ski mask imagery, and encourage organizations to support bilateral trust within their policies.

Biography. Chloé Messdaghi is the VP of Strategy at Point3 Security. She is a security researcher advocate who supports safe harbor and strongly believes that information security is a humanitarian issue. Besides her passion to keep people safe and empowered online & offline, she is driven to change the statistics of women in InfoSec. She is the President and cofounder of Women of Security (WoSEC) and heads the SF Bay Area chapter. As well, she created WomenHackerz, a global online community that provides support and resources for hundreds of women hackers at all levels.
@chloemessdaghi

Talk. HideNoSeek: Camouflaging Malicious JavaScript in Benign ASTs

Video. YouTube

Abstract. Given the popularity of the Web platform, attackers abuse JavaScript to mount different attacks on their victims. Due to the plethora of such malicious scripts, detection systems rely on static analysis to quickly process JavaScript inputs, sending only suspicious scripts to dynamic components. For an accurate detection of previously unseen JavaScript files, static approaches combine an abstraction of the source code at a lexical or syntactic level (based on the Abstract Syntax Tree (AST)) with machine learning algorithms.

In this talk, we present HideNoSeek, a novel and generic camouflage attack, which evades the entire class of detectors based on syntactic and lexical features, without needing any information about the system it is trying to evade. Our attack consists of automatically rewriting the ASTs of malicious JavaScript files into existing benign ones, while keeping the initial malicious semantics. In particular, HideNoSeek uses malicious seeds and searches for similarities at the AST level between the seeds and traditional benign scripts. Specifically, it replaces benign sub-ASTs by identical malicious ones and adjusts the benign data dependencies--without changing the AST--, so that the malicious semantics is kept after execution.

In practice, we leveraged 23 malicious seeds to generate 91,020 malicious scripts, which perfectly reproduce ASTs of Alexa top 10k web pages. Overall and by construction, a standard trained classifier has 99.98% false negatives on such crafted inputs, while a classifier trained on such samples has over 88.74% false positives, rendering the targeted static detectors unreliable. Similar to Android malware in repackaged applications, HideNoSeek could automatically alter benign JavaScript libraries and present them as an improved version of the original ones, for malicious purpose. In particular, such a modification of jQuery 1.12.4 would affect over 30% of the websites.

Biography. Aurore Fass is a third-year Ph.D. student at the CISPA Helmholtz Center for Information Security (Germany), jointly supervised by Michael Backes and Ben Stock. Her areas of interest include static malware analysis and detection (with special focus on JavaScript code), machine learning, and adversarial attacks. She presented her research work at several academic and non-academic venues like CCS, ACSAC, DIMVA, MADWeb, and Blackhoodie.
@AuroreFass

Talk. Restricting the scripts, you're to blame, you give CSP a bad name

Video. YouTube

Abstract. In a current research project, we investigated the longitudinal evolution of the Content Security Policy header over the course of the last seven years. Throughout this analysis of the 10.000 highly ranked sites, we conducted case studies that illustrate the struggle of Web sites that try to deploy a CSP in a secure fashion and examples of sites that give up on CSP. In addition to that, we shed light on the other security capabilities of CSP, especially regarding framing control and TLS enforcement.

The CSP can be used to enforce that resources are only loaded via TLS secured connections. This can be achieved by either forbid the loading of HTTP resources by specifying the block-all-mixed-content directive in CSP or by using the upgrade-insecure-requests directive. This directive forces the automatic rewriting of all HTTP URLs to HTTPS upon page loading. This is useful to gracefully implement a transition from HTTP to HTTPS while preventing warnings and breakage due to the use of mixed content. Based on an analysis of live Web sites, we show that most sites could deploy upgrade-insecure-requests right now to avoid any mixed content without errors.

In case of framing control, we have investigated that within the Top 10K sites 3,253 made use of XFO, whereas only 409 used frame-ancestors. Due to the inconsistencies of the XFO header, the protection of the 3,253 sites might be weaker in comparison to the protection offered by the frame-ancestors Web sites. The ALLOW-FROM mode of XFO is not supported in some of the major browsers (including Google Chrome). Thus, an operator that uses this mode would not secure all user of this browser, because unsupported headers will be ignored. In addition to that, the SAMEORIGIN mode of XFO is in some cases susceptible to so-called Double Framing attacks. This is caused by the fact that the XFO standard does not define whether the top-most frame, the parent frame, or even all frame ancestors (like the CSP directive) have to be hosted within the same origin.

Due to this inconsistencies, we send notifications to 2,700 Web sites that suffer from this problem. By investigating the responses, we were able to get valuable information regarding the roadblocks of CSP deployment in the wild. While most of the Web developers were aware of the protection that CSP can offer, they are massively intimidated by the complexity of CSPs content restriction. Due to this complexity or because of the unawareness of the additional capabilities of CSP, they do not consider framing control or TLS enforcement as legitimate use cases of the CSP.

In this talk, we want to raise the awareness regarding issues of some of the widely used security header as well as presenting and explaining the more secure CSP alternatives for them. Furthermore, we want to involve the audience to discuss with us about their “horror stories” and roadblocks for CSP deployment such that we can build better tools and improve informational material regarding the CSP.

Biography. Sebastian Roth is a first-year PhD student in the Information Security and Cryptography Group at the CISPA Helmholtz Center for Information Security, where he is supervised by Michael Backes. His research interest is focused on client-side Web Security as well as Usable Security for developers. Thus his work is done in collaboration with the Secure Web Applications Group headed by Ben Stock. Currently, he is specifically looking into the prevalence and the usage of security header present in Web applications.
@s3br0th

Ben Stock is a Tenure-Track Faculty at the newly founded CISPA-Helmholtz Center for Information Security. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as a postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Secure Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.
@kcotsneb

Talk. Towards Cognitive Obfuscation

Video. YouTube

Abstract. In a world in which interconnected digital systems permeate almost all facets of our lives, cybersecurity attacks form devastating threats with catastrophic consequences. Hardware components are the root of trust in virtually any computing system and are valuable targets of cyberattacks. In order to conduct malicious manipulations, hardware reverse engineering is usually the tool-of-choice. While hardware reverse engineering is a highly complex and universal tool for legitimate purposes, it can also be employed with illegitimate intentions, undermining the integrity of ICs via piracy, subsequent weakening of security functions, or insertion of hardware Trojans. In particular, Intellectual Property (IP) piracy has become a major concern for the semiconductor industry which causes losses in the range of several billion dollars. Due to the serious threats posed by attacks based on hardware reverse engineering, strong countermeasures, e. g. obfuscation, are indispensable. The security of most existing obfuscation techniques is assessed exclusively based on technical measures. However, the process of hardware reverse engineering cannot be fully automated, yet, and the lack of holistic tools forces human analysts to combine several semi-automated steps. Accordingly, cognitive processes and strategies applied by humans in the context of hardware reverse engineering must be considered for the development of cognitively difficult countermeasures (cognitive obfuscation).

Our research focuses on understanding how human analysts reverse parts of unknown hardware designs in realistic scenarios. Therefore, we perform several psychological studies and analyze the behavior of engineers at different levels of expertise. Based on an initial investigation we were able to derive a model of reverse engineering, consisting of three phases: (1.) Candidate Identification, (2.) Candidate Verification, and (3.) Realization. Furthermore, we analyzed more and less efficient strategies of reverse engineers and took cognitive abilities (e.g., working memory capacity) into account. In our talk, we will give an overview of the technical and cognitive aspects of hardware reverse engineering. In more detail, we will present our study design, the applied methods, and present our results. At the end of our talk, we will discuss implications for novel cognitive obfuscation techniques based on our findings.

Biography. Steffen Becker is currently working towards his Ph.D. degree under the supervision of Prof. Christof Paar at the Embedded Security Group, Ruhr University Bochum, Germany. He is also a member of the SecHuman graduate school and the Horst Görtz Institute for IT Security. His research focuses on human factors in reverse engineering. In particular, he explores underlying processes of hardware reverse engineering to facilitate the development of sound obfuscation methods.

Carina Wiesen is a research assistant at the Educational Psychology Lab in the Institute of Educational Research at Ruhr University Bochum, Germany (supervisor Prof. Dr. Nikol Rummel). She is also a Ph.D. candidate in the SecHuman graduate school which is part of the Horst Görtz Institute for IT Security. Her research focuses on problem-solving and learning processes in cybersecurity. In particular, she is strongly interested in analyzing the so far understudied cognitive processes and factors of human analysts which determine the success of hardware reverse engineering.

Talk. How to statically detect insecure uses of cryptography - at scale and with almost perfect precision

Video. YouTube

Abstract. For decades, static code analysis has been notorious for being ineffective, due to high false positive rates. Yet, recent algorithmic breakthroughs have now given us the capability to build static analysis tools that not only rapidly analyze code bases with millions of lines of code, but also yield perfect precision in most practical cases.
In this talk I will highlight the main ideas behind those breakthroughs and will demonstrate CogniCrypt, a recent practical security code analysis tool that makes us of this leap in technology. CogniCrypt (www.cognicrypt.de) is an official Eclipse project integrating with various IDEs and CI environments, which allows code developers to precisely pinpoint security-critical misuses of APIs, particularly crypto APIs. It currently supports the analysis of Java and Android projects, but a variant for C/C++ is in the works as well.
I will conclude my talk with results from a large-scale study in which we applied CogniCrypt to security-sensitive Android apps and to all software artifacts on MavenCentral.

Biography. Eric Bodden is one of the leading experts on secure software engineering, with a specialty in building highly precise tools for automated program analysis. He is Professor for Software Engineering at Paderborn University and director for Software Engineering and IT-Security at Fraunhofer IEM, where he is collaborating with the leading national and international software development companies. Further, he is a member of the directorate of the Collaborative Research Center CROSSING at TU Darmstadt.

Prof. Bodden's research was awarded numerous times. At the German IT-Security Price, his group scored 1st place in 2016 and 2nd place in 2014. In 2014, the DFG awarded Bodden the Heinz Maier-Leibnitz-Preis, Germany's highest honour for young scientists. Prof. Bodden's research has received five ACM Distinguished Paper Awards in different communities.
@profbodden

Talk. Publish-and-Forget: Longitudinal Privacy Techniques and User Behaviour

Video. YouTube

Abstract. Technological development and the collection of digital data prompt individuals to rethink the boundaries of their privacy. At times of social media and our digital society where online opinion, images, and connections are what counts, longitudinal privacy techniques gain importance. The decision and action of sharing or withholding information cannot be left to the individual alone but need to be facilitated by technical and legal means. Data that is no longer relevant, whose original purpose has been satisfied, or where the owner is withdrawing consent for its online presence represent valid conditions that demand for means and techniques for data fading and disappearance. In this talk, we will review technical, legal, psychological, and usability-related aspects of sharing, withholding, and removing information and discuss how computer scientists and security researchers can contribute to address open challenges for providing better data control to users.

Biography. Christina Pöpper is a computer scientist with a focus on information and communication security. Her research goal is to better understand and enhance the security and privacy of current and future IT and communication systems. Specific interests are the security of wireless systems and applications, where she is working on topics like secure localization and jamming-resistant communication, mobile-, protocol- and system-level security as well as on aspects of privacy. She is teaching computer/IT security and general computer science classes. She is affiliated with the Center for Cyber Security at NYUAD.

Prior to joining NYUAD, Christina Pöpper was an assistant professor at Ruhr University Bochum, Germany, where she headed the Information Security Group at the Electrical Engineering and Information Technology Department / Horst-Görtz-Institute for IT-Security. In the past, she taught specialized courses on wireless security as well as on private and anonymous communication. She received her doctoral and graduate degrees in computer science from ETH Zurich, Switzerland.

Her research interest is cybersecurity and privacy. One focus area is wireless and communication security, in particular securing wireless radio transmissions against jamming as well as securing localization techniques. She likes to combine systems and security mechanisms in different application settings. She addresses secure systems where cryptography alone is often not enough.

Talk. 1 Trillion Dollar Refund – How To Spoof PDF Signatures

Video. YouTube

Abstract. The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures.

In this talk, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce 3 novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF.

We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated 8 online validation services and found 6 to be vulnerable. These results are due to the absence of a standard algorithm to verify PDF signatures – each client verifies signatures differently, and attacks can be tailored to these differences. We therefore propose the standardization of a secure verification algorithm, which we describe in this paper. All findings have been responsibly disclosed and the affected vendors were supported during fixing the issues. As a result 3 generic CVEs for each attack class were issued (CVE-2018-16042, CVE-2018-18688, CVE-2018-18689).

Biography. Vladislav Mladenov works as a security researcher at the Chair of Network and Data Security at the Ruhr University Bochum since 2012. In his dissertation he analyzed the security of Single Sign-On protocols such as SAML 2.0, OpenID, OpenID Connect and OAuth and discovered various vulnerabilities. After completing his doctorate Vladislav Mladenov works as a PostDoc and additionally devotes his attention to the security of data description languages, e.g. JSON, XML and PostScript. Since 2018, Mr. Mladenov focused his research on the security of PDF files and recently published several attacks on PDF signatures.
@v_mladenov

Talk. Are Microarchitectural Attacks still possible on Flawless Hardware?

Video. YouTube

Abstract. In recent years, we have seen that optimizations in processors often enable new microarchitectural side channels. The severity of side-channel attacks varies widely, from small annoyances for which developers have to introduce workarounds in software, to highly critical attacks leaking arbitrary memory contents. While new attacks pop up regularly, finding defenses is not a trivial task.
In this talk, we first briefly overview the state of the art of microarchitectural attacks and defenses. We then assume that we have a futuristic CPU which magically hides all microarchitectural side effects, rendering all known attacks useless. Even in this thought experiment, we show that such attacks are not dead. In fact, we present ways of mounting well-known microarchitectural attacks without relying on any hardware effects, making these attacks hardware agnostic. We show that attack primitives exploiting the hardware can be shifted to the software level, making these attacks easier to mount and independent of the CPU. The attacks that we present work on Windows, Linux, and Android, both on x86 and ARM processors.

Biography. Erik Kraft is a master's student in Information and Computer Engineering at Graz University of Technology focusing on secure and correct systems. He holds a bachelor's degree in Information and Computer Engineering. In the past, he has been invited to teach computer science courses on undergraduate level. In his current research, he focuses on software-based side-channel attacks.
@ekraft95

Michael Schwarz is an Infosec PhD candidate at Graz University of Technology with a focus on microarchitectural side-channel attacks and system security. He holds two master's degrees, one in computer science and one in software development with a strong focus on security. He frequently participates in CTFs and has also been a finalist in the European Cyber Security Challenge. He was a speaker at Black Hat Europe 2016, Black Hat Asia 2017 & 2018, and Black Hat US 2018, where he presented his research on microarchitectural side-channel attacks. He authored and co-authored several papers published at international academic conferences and journals, including USENIX Security 2016 & 2018, NDSS 2017, 2018 & 2019, IEEE S&P 2018 & 2019. He was part of one of the four research teams that found the Meltdown and Spectre bugs published in early 2018.
@misc0110

Talk. Artifical Intelligence in Cyber Security: Threat, Tool or Target?

Video. YouTube

Abstract. Recent machine learning algorithms such as Convolutional Neural Networks or LSTMs fueled by modern GPUs have produced astonishing results unimaginable only a few years ago. These developments bring a number of challenges and opportunities in the cyber security field. First, using AI maliciously can potentially result in threats that are faster, more complex and more difficult to detect. Second, recent developments in AI can be leveraged to improve our protection capabilities against cyber-attacks. Last, as AI technology becomes increasingly popular and available in more systems and services, new challenges emerge as this technology needs also to be protected from cyber threats. In this session we will present current developments in the field of AI and their relevance for cybersecurity. We will then cover some concepts and examples for each of the T's (threat, tool and target) both in the industry and research. We will close the session by presenting our views on trends and potential future scenarios.

Biography. Although having an academic background in Economics, Tobias Burri became interested in programming during his studies and started his professional career as a developer for a web-analytics platform. Today, he is a senior consultant in Live Reply's Cyber Security unit where he supports companies in both assessing their current security landscape and integrating new security components. Tobias is strongly focused on the rising relevance of AI in the field of cyber security, both in terms of malicious use as well as leveraging current developments for new security applications.
@tobias_burri

Elias Hazboun is a security consultant at Live Reply Cyber Security unit with expertise in security assessment and testing. His responsibilities revolve around helping clients secure their current and future solutions, whether it is API, network equipment or cloud infrastructure. He is also a certified Penetration Tester (OSCP) and has worked on multiple offensive security projects including websites, VoIP and Chat-bots. He is currently contributing towards securing next generation carrier-grade software defined networks. Elias is a passionate advocate of security by design, privacy and the study of the intersection between future technology and society. He is also the recipient of DAAD Study Scholarship that allowed him to complete his Master studies with distinction in computer science at the Technical University of Munich.

Talk. Automate the generation of security documentation

Video. YouTube

Abstract. Formal security documentation is usually a neglected task. However, it’s a basic requirement to have comprehensive and recent documents in place, not only if you are facing some sort of audit. We will compare the aims and structure of "classical" security documentation and will show common shortcomings of these documents. Especially when moving from waterfall to a more agile approach there are new challenges:
- changes occur more frequently and must be reflected in the security documents,
- increasing numbers of (micro-) services require significantly more documentation efforts,
- resource-oriented services do not match well with usually established process-focused approaches,
- security documentation is the first victim in high frequency deployment environments.
The proven way to solve these issues is automation! We will outline an approach to take advantage of already existing meta information to derive a solid foundation of a security documentation. The process can be integrated into the usual build process and liberates the dev team from annoying documentation tasks.

The talk will be completed with a summary of documentation parts that can be produced by automation and parts that need human expertise. We will also give an outlook on aspects that maybe addressed in later stages of automation.

Biography. Andreas Kuehne is the founder of trustable Ltd., a security consultancy company and member of the FutureTrust project. He is an active initiator and contributor of several open source projects as well as the co-chair of the OASIS DSS-X committee.

Jens Neuhalfen is Information Security Officer at Deutsche Post DHL Group and lives and breathes IT since 20 years. He is convinced that the interface between IT and non-IT is the most important lever to run a successful business for IT-centric ventures. Further, Jens is convinced that sensible IT security not only saves money but opens new business opportunities.

Talk. The Bicho: backdooring CAN bus for remote car hacking

Video. YouTube

Abstract. Attacks targeting connected cars have already been presented in several conferences, as well as different tools to spy on CAN buses. However, there have been only a few attempts to create “something similar” to a useful backdoor for the CAN bus. Moreover, some of those proofs of concept were built upon Bluetooth technology, limiting the attack range and therefore tampering its effects.

Now we are happy to say, “those things are old”!

We have successfully developed a hardware backdoor for the CAN bus, called “The Bicho”. Due to its powerful capabilities we can consider it as a very smart backdoor. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Even more, have you ever imagined the possibility that your car suddenly stopped working, when you least expected it, due to a remote attack? Now all of this is possible.

The Bicho supports multiple attack payloads and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is related to a command that can be delivered via SMS, this way it allows remote execution from any geographical location. Our backdoor is an open-hardware tool and it has an intuitive graphical interface, called “Car Backdoor Maker”, which is open-sourced too and allows payload customization.

The attack payload can be configured to be automatically executed once the target vehicle is proximate to a given GPS location. The execution can also be triggered by detecting the transmission of a particular CAN frame, which can be associated with any given factor, such as: the speed of the vehicle, its fuel level, and some other factors. Moreover, in our talk we will be presenting a new feature, that allows us to remotely kill the car’s ECU and consequently causing the car to stop working suddenly.

Biography. Sheila Ayelen Berta is an Information Security Specialist and Developer, who started at 12 years-old by herself. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and softwares. She also has given courses of Hacking Techniques in universities and private institutes. Sheila currently works as Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEFCON 26, DEFCON 25 CHV, HITBSecConf, HackInParis, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.
@UnaPibaGeek

Talk. Browser fingerprinting: past, present and possible future

Video. YouTube

Abstract. Browser fingerprinting has grown a lot since its debut in 2010. By collecting specific information in the browser, one can learn a lot about a device and its configuration. It has been shown in previous studies that it can even be used to track users online, bypassing current tracking methods like cookies. In this presentation, we will look at how this technique works and present an overview of the research performed in the domain. We will then see how this technique is currently used online before looking at its possible future.

Biography. Pierre Laperdrix is currently a postdoctoral researcher in the Secure Web Applications Group at the CISPA-Helmholtz Center for Information Security working with Ben Stock. Previously, he was a postdoctoral researcher in the PragSec lab at Stony Brook University working with Nick Nikiforakis. His current topics of research are Security and privacy on the Web. He obtained his PhD at Inria in Rennes working on the topic of browser fingerprinting. As part of his thesis, he developed the AmIUnique.org website to understand fingerprinting and worked with the Tor organization to improve the Tor browser fingerprinting defenses.
@RockPartridge

Talk. Content-Security-Policies in mass-distributed web apps - doing the undoable

Video. YouTube

Abstract. Content-Security-Policy is a well-established technology that is able to catch Cross-Site-Scripting attacks in modern browsers. However, regardless of the benefits, usage in mass-distributed web-apps like WordPress or Joomla is still close to be non-existant. In this talk, we will talk about the concepts of CSP, the huge challenges that web app developers face during the implementation and potential workarounds to get CSP out of the door.

Biography. Born and living in Cologne, Germany, David got in touch with web development during school in 2002. After a few years working with plain HTML sites, he started to develop his own CMS in 2004 and switched to Mambo shortly after. He quickly became an active member of the German community and met them in person for the first time during JoomlaDay Germany 2006. After school, he started his business as a freelance webdeveloper and quickly got more involved in the community by giving support in the forums, co-organizing the German JoomlaDay and the J&Beyond conference, starting a Joomla Usergroup in his home town, developing own extensions and joining the board of the German Joomla association "J&Beyond e.V.". In 2012, he joined the Bug Squad and started contributing to the CMS code. In late 2012, he co-founded the CMS-Garden project, which is cooperation of 12 opensource CMS. In the CMS-Garden, volunteers from all participating systems combine their forces to improve their marketing and reach new potential users.
@SniperSister

Talk. Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Video. YouTube

Abstract. The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long focused on three categories of XSS: reflected, persistent, and DOM-based XSS. We argue, however, that this classification lacks a key threat in the modern Web: persistent Client-Side XSS.

In this talk, we not only provide an improved notion of the classes of XSS, but rather report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can succesfully be infected with a malicious payload. We also discuss a number of real-world case studies to highlight the severity of this threat.

Based on our insights, we show that in many cases, the use case requires the execution of persisted JavaScript code. We identify four distinct classes of intended uses for the persisted data, and end our talk with a discussion of applicable countermeasures tailored for those cases.

Biography. Marius Steffens is a first year PhD student in the Secure Web Applications Group at the CISPA-Helmholtz Center for Information Security, where he is supervised by Ben Stock. Marius is currently interested in the area of Web Security, and specifically looking into the prevalence of vulnerabilities in client-side Web applications.
@steffens_marius

Ben Stock is a Tenure-Track Faculty at the newly founded CISPA-Helmholtz Center for Information Security. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as a postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Secure Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.
@kcotsneb

Talk. Greybox Automatic Exploit Generation for Heap Overflows

Video. YouTube

Abstract. In this talk we will introduce a completely grey-box approach to automatic exploit generation for heap overflows. Heap overflows are difficult to generate exploits for as they require reasoning over another dimension not present when considering stack overflows, namely the layout of the heap. We will show how this problem can be compartmentalised and addressed separately from the remainder of the exploit generation task. Furthermore, we will show how dynamic analysis and learning from existing inputs can be used in place of expensive white-box techniques that are traditionally used for exploit generation.

Biography. Sean Heelan is a co-founder of Optimyze and a PhD candidate at the University of Oxford. In the former role he works on full-stack software optimisation, and in the latter he is investigating automated approaches to exploit generation. Previously he ran Persistence Labs, a reverse engineering tooling company, and worked as a senior security researcher at Immunity Inc. His primary interest is in building program analysis tools that allow the integration of static and dynamic techniques with expert knowledge.
@seanhn

Talk. "Johnny, you are fired!" – Spoofing OpenPGP and S/MIME Signatures in Emails

Video. YouTube

Abstract. OpenPGP and S/MIME are the two major standards to encrypt and digitally sign emails. Digital signatures are supposed to guarantee authenticity and integrity of messages. We show practical forgery attacks against various implementations of OpenPGP and S/MIME email signature verification in five attack classes: (1) We analyze edge cases in S/MIME's container format. (2) We exploit in-band signaling in the GnuPG API, the most widely used OpenPGP implementation. (3) We apply MIME wrapping attacks that abuse the email clients' handling of partially signed messages. (4) We analyze weaknesses in the binding of signed messages to the sender identity. (5) We systematically test email clients for UI redressing attacks.

Our attacks allow the spoofing of digital signatures for arbitrary messages in 14 out of 20 tested OpenPGP-capable email clients and 15 out of 22 email clients supporting S/MIME signatures. While the attacks do not target the underlying cryptographic primitives of digital signatures, they raise concerns about the actual security of OpenPGP and S/MIME email applications. Finally, we propose mitigation strategies to counter these attacks.

Biography. Marcus Brinkmann is a PhD student at the Ruhr University Bochum, and interested in end-to-end security. He is a free software enthusiast with contributions in the Debian and GnuPG projects.
@lambdafu

Damian Poddebniak is a PhD student at the University of Applied Sciences in Münster. He is co-author of the Efail attack paper and interested in email security, cryptography and privacy-related topics.
@dues__

Talk. Reversing Fraudulent Apps

Video. YouTube

Abstract. Wherever there is money, there is fraud. Companies invest massive amounts on their ad campaigns to showcase their product to the world. In reality, however, most of that money goes to fraudsters and malicious app makers.

In this talk, the speaker will demonstrate how a popular app with over 100 million downloads conducts their mobile fraud operation and performs a commonplace mobile fraud technique: Click Injection.

Biography. Abdullah Joseph works as a security specialist at Adjust, a mobile analytics company, as part of the company’s fraud team. His responsibilities include researching current and future mobile fraud schemes, reversing malicious apps and developing appropriate countermeasures. He is the holder of both GREM and GMOB certifications.
@malwarecheese

Talk. Social Engineering through Social Media: profiling, scanning for vulnerabilities and victimizing

Video. YouTube

Abstract. Online presence is undeniably important. But despite the benefits social networking can create, a strong online presence can also create vulnerabilities. Christina will explain how the online presence of a company's employees on social media can attract social engineers to target them and victimize them to "open doors" through the organizational security. The talk covers the topic of information gathering through social media and explains how even seemingly innocent information can be used to manipulate targets, and in what way. Case studies will be provided. A two-part demonstration is included on how a hacker's mind works when harvesting information on social media; The first part includes real examples of posts that expose vulnerabilities, attract attackers and ultimately lead to security breaches. The second part includes a demonstration on how personal information provided online are gathered, categorized, analyzed and then used to craft an attack, as well as how one ends up revealing online more than he intends to. The talk closes with practical recommendations and best practices. The purpose on this talk is not to make everyone delete their online presence but rather, to urge them to use it responsibly. Training and awareness are often a catalytic factor between a successful and an unsuccessful attack attempt.

Biography. Christina Lekati is a psychologist and a social engineer. With her background and degree in psychology, she learned the mechanisms of behavior, motivation, decision making, as well as manipulation and deceit. She became particularly interested in human dynamics and passionate about social engineering.

Contrary to typical career paths, her history and involvement in the cybersecurity field started quite early in her life. Being raised by George Lekatis, a sought-after cyber security expert, she found herself magnetized by the security field at a very young age. Growing up, she was able to get involved in different projects that were often beyond her age, that gave her an edge in her own knowledge and experience.

Christina has participated among other things in penetration tests, in training to companies and organizations, and in needs and vulnerability assessments.

She is working with Cyber Risk GmbH as a social engineering expert and trainer. Christina is the main developer of the social engineering training programs provided by Cyber Risk GmbH. Those programs are intertwining the lessons learned from real life cases and previous experiences with the fields of cybersecurity, psychology and counterintelligence. They often cover unique aspects while their main goal is to inspire delegates with a sense of responsibility and a better relationship with security.
@ChristinaLekati

Talk. Securing the Development Lifecycle in Productions Systems Engineering

Video. YouTube

Abstract. Power plants and many other industrial plants are an integral part of a country’s critical infrastructure. As systems become more automated and networked and complicated software systems control entire systems, IT security is playing an increasingly important role. Previous attacks have mostly exploited existing vulnerabilities, future attackers will strive to intervene in the development process to build in vulnerabilities themselves.

Biography. After graduating with a Ph.D. from the TU Wien, Edgar worked in a research startup for two years. He then spent one year teaching as an Assistant Professor at Beloit College, WI. From 2002 to 2004, while with the software vendor ISIS Papyrus, he worked as a consultant in New York, NY and Albany, NY, and in Frankfurt, Germany. In 2004 he joined the TU Wien and founded the research center SBA Research together with A Min Tjoa and Markus Klemen. Edgar R. Weippl (CISSP, CISA, CISM, CRISC, CSSLP, CMC) is member of the editorial board of Computers & Security (COSE), organizes the ARES conference and is General Chair of SACMAT 2015, PC Chair of Esorics 2015, General Chair of ACM CCS 2016, and PC Chair of ACM SACMAT 2017.
@weippl

Talk. Weird machines, exploitability and unexploitability

Video. YouTube

Abstract. In spite of being central to everything that is going on in IT security, the concept of "exploit" is surprisingly poorly formalized and understood only on an intuitive level by security practitioners. This lack of clear definition has all sorts of negative side-effects: From ineffictive teaching to muddled thinking about mitigations. In this talk, I will make an attempt to more clearly define what it is that attackers do when they write an exploit – and then talk about what this means for mitigations and secure coding.

Biography. Thomas Dullien / Halvar Flake started work in reverse engineering and digital rights management in the mid-90s, and began to apply reverse engineering to vulnerability research shortly thereafter. He pioneered early windows heap exploitaiton, patch diffing / bindiffing and various other reverse engineering techniques. In 2004, he started zynamics, a company focused on reverse engineering technologies. He continued to publish about reverse engineering, ROP gadget search, and knowledge management technologies in relation to reverse engineering. In 2011, zynamics was acquired by Google, and Halvar spent the next few years working on defensive technologies that leveraged the then hot buzzwords "big data" and "machine learning". In summer 2015, Halvar received the lifetime achievement Pwnie, and decided to take a year off to travel, read, and surf. Since November 2016, he is back at Google.
@halvarflake

Talk. Consequences of Complexity in Group Instant Messaging using the Example of WhatsApp and Signal

Video. YouTube

Abstract. Group instant messaging is a complex primitive – due to the number of involved users and dynamic modifications to groups – that at the same time needs to provide high efficiency – for providing instant delivery of messages. As we show in our paper (Roesler, Mainka, Schwenk EuroS&P '18), most widespread messengers do not reach expected and required security guarantees for this primitive. This talk aims to provide an overview on the underlying reasons for this lack of security as well as on approaches how this issue can be solved, both on the constructive side and for the developers' view. After presenting the most severe attacks on WhatsApp and Signal, we aim to shed a light on the topic in a more general way. Thereby we want to motivate the reasons for end-to-end encryption more intuitively, provide an overview on what future secrecy means and how ratcheting can be used to reach this property. Of course the talk will include the protocol descriptions of the analyzed protocols and the respective attacks, but the focus will be more constructive. The talk will conclude with outlook questions (and answers): What are the expectable problems of intensive key protocols? How might they be solved by protocol and software developers? Is there a sensible threshold on which security guarantees should be achieved and which attacks can be disregarded when designing a protocol for instant messaging?

Biography. Paul Rösler is PhD student at the Chair for Network and Data Security, Ruhr University Bochum. Instant messaging protocols and key exchange with special properties such as forward and future secrecy are some of his research topics. During his bachelor and master studies he worked for Qabel – a cloud software that converts established protocols via proxies into a security preserving wrapper-protocol.
@roeslpa

Talk. Don't trust the DOM: Breaking XSS mitigations via Script Gadgets

Video. YouTube

Abstract. Cross-Site Scripting is a constant problem of the Web platform. Over the years many techniques have been introduced to prevent or mitigate XSS. Most of these techniques, thereby, focus on script tags and event handlers. HTML sanitizers, for example, aim at removing potentially dangerous tags and attributes. Another example is the Content Security Policy, which forbids inline event handlers and aims at white listing of legitimate scripts.

In this talk, we present a novel Web hacking technique that enables an attacker to circumvent most XSS mitigations. In order to do so, the attacker abuses so-called script gadgets. A script gadget Is a legitimate piece of JavaScript in a page that reads elements from the DOM via selectors and processes them in a way that results in script execution. To abuse a script gadget, the attacker injects a benign looking element into the page that matches the gadget's selector. Subsequently, the gadget selects the benign-looking element and executes attacker-controlled scripts. As the initially injected element is benign it passes HTML sanitizers and security policies. The XSS only surfaces when the gadget mistakenly elevates the privileges of the element.

In this talk, we will demonstrate that these gadgets are present in almost all modern JavaScript libraries, APIs and applications. We will present several case studies and real-world examples that demonstrate that many mitigation techniques are not suited for modern applications. As a result, we argue that the Web should start focusing more on preventive mechanisms instead of mitigations.

Biography. Sebastian Lekies is a senior software engineer and a web security researcher at Google. He is specializing in client-side web application security and automated web application security testing. At Google, Sebastian is a Tech Lead of the web security scanning and the security inventory teams. Before joining Google, Sebastian was part of SAP’s Security Research team, where he conducted academic research in the area of client-side Web application security. He is regularly speaking at academic and non-academic security conferences such as BlackHat US/EU/Asia, OWASP AppSec EU, DeepSec, Usenix Security, CCS, and many more.
@slekies

Talk. Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels

Video. YouTube

Abstract. OpenPGP and S/MIME are the two prime standards for providing end-to-end security for emails. We describe novel attacks built upon a technique we call malleability gadgets to reveal the plaintext of encrypted emails. We use CBC/CFB gadgets to inject malicious plaintext snippets into encrypted emails that abuse existing and standard conforming backchannels, for example, in HTML, CSS, or x509 functionality, to exfiltrate the full plaintext after decryption. The attack works for emails even if they were collected long ago, and is triggered as soon as the recipient decrypts a single maliciously crafted email from the attacker. The attack has a large surface, since for each encrypted email sent to n recipients, there are n+1 mail clients that are susceptible to our attack.

We devise working attacks for both OpenPGP and S/MIME encryption, and show that exfiltration channels exist for 23 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients. While it is necessary to change the OpenPGP and S/MIME standards to fix these vulnerabilities, some clients had even more severe implementation flaws allowing straightforward exfiltration of the plaintext.

Biography. Christian Dresen is PhD student at the University of Applied Sciences in Muenster and Ruhr University Bochum. His field of research is IT security and he is also an enthusiastic CTF player.
@dr4ys3n

Damian Poddebniak is a PhD student at the University of Applied Sciences in Münster. During his master's thesis he worked on fault attacks and applied them against deterministic signature schemes. He is interested in cryptography and privacy-related topics.
@dues__

Talk. Exploring ROCA: Fun & troubles with RSA keypairs

Video. YouTube

Abstract. The talk will cover our recent work which resulted in the discovery of an algorithmic flaw (CVE-2017-15361) in the construction of primes for RSA key generation in a widely-used library of a major manufacturer of cryptographic hardware. The primes generated by the library suffer from an entropy loss so severe, that practical factorization of commonly used key lengths up to 2048 bits is possible. Our method based on an extension of Coppersmith’s factorization attack requires no additional information except for the value of the public modulus and does not depend on a weak or a faulty random number generator. The library in question is found in NIST FIPS 140-2 and CC EAL 5+ certified devices used for a wide range of real-world applications, including citizens identity cards, Trusted Platform Modules, secure email, and tokens for authentication or software signing. The findings directly resulted in the revocation of millions of certificates in Estonia, Slovakia, Spain and other countries and major security update rolled by Microsoft, Google, HP, Lenovo, and others. The talk will discuss how the vulnerability was found, our experience from the responsible disclosure process and an options for mitigation including the systematic prevention using the secure multiparty computation efficient enough to run on cryptographic smartcards.

Biography. Petr is a security researcher at Masaryk University, Czech Republic. He engages in the area of cryptographic protocols for resource-limited devices like smartcards or wireless sensor networks including use and misuse of random number generators. He pushes for more openness and support for FOSS development on JavaCard platform and smartcards in general. He also focuses on a utilization of cryptographic smartcards in the complex scenarios and the development of secure applications on such platforms in Enigma Bridge, Cambridge, UK.
@rngsec

Talk.

Video. YouTube

Abstract. Fuzzing is a very powerful technique to detect flaws and vulnerabilities in software. The aim of this talk is to demonstrate different techniques which can be used to fuzz applications or libraries. Choosing the correct and most effective fuzzing technique will be discussed with real-world examples. Moreover, hints according common problems and pitfalls during fuzzing will be given. The first part of the talk discusses general concepts of fuzzing whereas the second part covers important areas which influent the fuzzing results. A special focus of the talk will be the difference of fuzzing applications with source code available versus fuzzing closed-source applications.

Biography. René Freingruber has been working as a professional security consultant for SEC Consult for several years. He operates research in the fields of malware analysis, reverse engineering and exploit development. He also studies modern mitigation techniques and how they can be bypassed by attackers. In the course of that research he came across Microsofts Enhanced Mitigation Experience Toolkit and gave various talks about the (in)security of it at conferences such as RuxCon, ToorCon, ZeroNights, IT-Secx, DeepSec, 31C3 and NorthSec.
@renefreingruber

Talk. From Discovering Vulnerabilities to Getting Them Fixed At Scale

Video. YouTube

Abstract. Security researchers are often faced with a dilemma once they have discovered a new type of flaw, potentially affecting many servers or Web sites in the wild. On the one hand, their discovery may allow adversaries to find such flawed systems with ease and attack them quickly (as famously shown by the Drupageddon attack). On the other hand, there are no well-established channels which can be used reliably to notify the affected administrators.

In this talk, we will first discuss how the Web’s security evolved over time, highlighting that the need for notifications at scale is bigger then ever. Afterwards, we present results from two experiments on notifications at scale, trying to help site operators to secure their sites from nefarious attackers. We also discuss numerous roadblocks, starting from a complete lack of a usable email address to issues of trust arising when a non-native speakers calls people in the US.

Biography. Ben Stock is a Tenure-Track Faculty at the newly founded CISPA Helmholtz Center i.G., which is built from the Center for IT-Security, Privacy and Accountability (CISPA) at Saarland University. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Security Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.
@kcotsneb

Talk. How client-side compilers help attackers to gain code execution

Video. YouTube

Abstract. Compilers of interpreter languages aim at speeding up execution in the race for web browser performance. Various compilers and analysis stages are involved to turn JavaScript code into machine code of the architecture the browser runs on. In order to maximize the performance of our indispensable browsers, Just-In-Time (JIT) compilation gained widespread adoption. It achieves near-native run time for otherwise slowly interpreted JavaScript code. But it is only the beginning, and Ahead-of-Time (AOT) compilers such as ASM.JS and its successor WebAssembly are emerging and won't disappear any time soon. Despite the intended performance gain, security concerns arise.

Attackers started to abuse JIT compilers by emitting desired machine code derived from controlled script constants. Armed with the ability to fill predictable address regions with hidden assembly instructions, they invented the JIT-Spray technique. Since then, many client-side JIT-Spray primitives were developed to ease the exploitation of various memory errors, which we'll revisit in the beginning of this presentation. Furthermore, we analyze flaws we found in ASM.JS of Mozilla Firefox, tracked as CVE-2017-5375 and CVE-2017-5400, allowing an attacker to jump to "JIT" sprayed executable code. Moreover, we take a look at three different Firefox CVEs and demonstrate alternative exploitation with ASM.JS JIT-Spray. On the road to remote code execution, we show how arbitrary ASM.JS payloads are generated and transformed automatically, allowing you to run your favorite code implant on vulnerable Firefox versions.

Biography. Robert is a security researcher at the Ruhr University Bochum. He obtained his PhD in 2016 at the Systems Security Chair where he is currently working as PostDoc. His work focuses on various aspects of fuzzing, memory corruption vulnerabilities, and static/dynamic analysis of binary programs. He is experienced in low-level security such as detecting and analyzing client-side bugs, exploit development, and bypassing exploit mitigations.

Talk. Is there any Security (and Privacy) in the Internet of Things?

Video. YouTube

Abstract. Embedded (IoT) devices have become commonplace in many areas of our daily life, ranging from smart home assistants to resource-constrained medical devices. Unfortunately, the firmware of such devices is often closed-source and thus, the vendor's security and privacy promises cannot be independently verified. In this talk, we will discuss techniques to address this issue, for example by means of firmware extraction and analysis.

In the first of two case studies, we focus on the Amazon Echo product line and cover methods to extract complete filesystem images from both newer and older devices. We then describe the (solid) security measures implemented in the Echo (e.g. for software updates), and will also outline how Amazon handles the transmission of voice data from and to the backend.

Our second example is the Dexcom G4, a wide-spread continous blood glucose meter used in the treatment of diabetes. Through black-box analysis of the RF interface, we find that the Dexcom G4 does not implement cryptographic protections, which enables a range of attacks, including malicious modification of the transmitted measurements.

The talk concludes with lessons learned from these (and other) case studies and with ideas how the security and privacy of future embedded devices can be improved.

Biography. David Oswald is a lecturer (assistant professor) in the Security and Privacy Group at the University of Birmingham, UK. His main field of research is the security of embedded systems in the real world. On the one hand, the focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection, as well as reverse engineering. On the other hand, David is working on the practical realization of security systems in embedded applications. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering. His research on vulnerabilities of various wide-spread systems (e.g. DESFire RFID smartcards, Yubikey two-factor authentication tokens, electronic locks, and VW/Hitag2 RKE systems) has created awareness for the crucial importance of security among developers of embedded devices.

Talk. Revisiting the X.509 Certification Path Validation

Video. YouTube

Abstract. In this work we present a new testing tool for the X.509 certification path validation that was developed for the German Federal Office for Information Security (BSI). Furthermore, we report on the errors that were uncovered by applying the tool's default test suite to various test subjects such as cryptographic libraries and applications. The tool is free and open source, and allows the dynamic creation of test cases involving certificate chains and certificate revocation lists based on XML test specifications. It also facilitates the testing of TLS and IPsec applications as well as e-mail clients supporting S/MIME. The errors uncovered by the tool range from compatibility issues to actual security vulnerabilities.

Biography. After his physics diploma from TU Darmstadt in 2006, Falko Strenzke entered FlexSecure GmbH, where he worked in the areas of of trust center software, security certifications, cryptographic implementations and embedded security. He also led a number of security-oriented research projects. In 2013, he received his PhD in computer science for a work on efficient and secure cryptographic implementations, which he conducted in parallel to his job. Since 2014 Falko is the founder and managing director of cryptosource GmbH, a small start-up that focusses on software development and analysis in the areas of cryptography and security. His activities since then are various consulting and development projects in different industries and the development of a new TLS library for embedded systems.

Talk. The ROBOT Attack

Video. YouTube

Abstract. 20 years ago Daniel Bleichenbacher discovered an attack against RSA as it was used in SSL and the padding mode PKCS #1 v1.5. Obviously such an old attack doesn't work any more today, because everyone has fixed it. Okay... That was a joke. It still works. With some minor modifications we were able to discover the ROBOT attack (Return Of Bleichenbachers Oracle Threat). It affected nine different vendors and we were able to sign a message with the private key from facebook.com. More info at https://robotattack.org/ and in the full paper at https://eprint.iacr.org/2017/1189

Biography. Hanno Böck is a freelance journalist and regularly covers IT security topics for Golem.de and other publications. He also writes the monthly Bulletproof TLS Newsletter. In 2014 he started the Fuzzing Project, an effort to improve the security of free software applications. This work is supported by the Linux Foundation's Core Infrastructure Initiative.
@hanno

Talk. The Story of Meltdown and Spectre

Video. YouTube

Abstract. In this talk we will tell the story of Meltdown and Spectre. We will outline how research from the past two decades was the foundation of the discovery of these vulnerabilities while providing preliminary information. We will point out and illustrate how what the root causes of Meltdown and Spectre are. In the main part of the talk we will describe how Meltdown and Spectre work. We will discuss different attack scenarios and the impact of these attacks. Finally, we will outline countermeasures against the attacks.

Biography. Daniel Gruss is a PhD Student at Graz University of Technology. He has done his master's thesis on identifying and minimizing architecture dependent code in operating system kernels. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating system. In July 2015, he and his colleagues demonstrated the first hardware fault attack performed through a remote website, known as Rowhammer.js.
@lavados

Jann Horn is a security researcher working with Google Project Zero. He focuses primarily on kernel and hypervisor security.

Talk. Vulnerability handling process at Joomla!

Video. YouTube

Abstract. In this talk, I will give you some first-hand insights into the work that the Joomla security team does. You will learn what attack vectors we are facing, how real-world exploits in popular web apps work and how we as a team try to keep up with these ongoing threats to keep millions of our users secure.

Biography. Born and living in Cologne, Germany, David got in touch with web development during school in 2002. After a few years working with plain HTML sites, he started to develop his own CMS in 2004 and switched to Mambo shortly after. He quickly became an active member of the German community and met them in person for the first time during JoomlaDay Germany 2006. After school, he started his business as a freelance webdeveloper and quickly got more involved in the community by giving support in the forums, co-organizing the German JoomlaDay and the J&Beyond conference, starting a Joomla Usergroup in his home town, developing own extensions and joining the board of the German Joomla association "J&Beyond e.V.". In 2012, he joined the Bug Squad and started contributing to the CMS code. In late 2012, he co-founded the CMS-Garden project, which is cooperation of 12 opensource CMS. In the CMS-Garden, volunteers from all participating systems combine their forces to improve their marketing and reach new potential users.
@SniperSister

Talk. How to Build Hardware Trojans

Video. YouTube

Abstract. Countless systems ranging from consumer electronics to military equipment are dependent on integrated circuits (ICs). A surprisingly large number of embedded systems are already security-critical, e.g., medical devices, automotive electronics, SCADA systems or network routers. If the underlying ICs in an applications are maliciously manipulated through hardware Trojans, the security of the entire system can be compromised. In recent years, hardware Trojans have drawn the attention of governments and the scientific community.

Even though hardware Trojans have been studied over the last 10 years or so, little is known about how they might look, especially those that are particularly designed to avoid detection. In this talk we introduce several approaches with which a sophisticated attacker could insert Trojan into hardware platforms. We will look at hardware Trojans realized on both, ASICs (application specific integrated circuits) and FPGAs, i.e., programmable hardware.

Biography. Christof Paar has the Chair for Embedded Security at Ruhr University Bochum, Germany, and is research professor at the University of Massachusetts Amherst. He co-founded CHES (Cryptographic Hardware and Embedded Systems), the leading international conference on applied cryptography. His research interests include efficient crypto implementations, hardware security, and security analysis of real-world systems. He also works on applications of embedded security, e.g., in cars or consumer devices. He holds an ERC Advanced Grant in hardware security and is spokesperson for the doctoral training school SecHuman. Christof has over 180 peer-reviewed publications and he is co-author of the textbook Understanding Cryptography (Springer, 2009). Christof is Fellow of the IEEE and the IACR and has given invited talks at MIT, Yale, Stanford, IBM Labs and Intel. Christof co-founded ESCRYPT GmbH, a leading system provider for automotive security, which is now part of Bosch.

Talk. SSH: Beyond Confidentiality and Integrity in Practice

Video. YouTube

Abstract. This talk presents a systematic analysis of symmetric encryption modes for SSH that are in use on the Internet, providing deployment statistics, new attacks, and security proofs for widely used modes. We will also look at the on-going development of new encryption modes for SSH that offer superior security to the currently deployed modes at low additional cost.

Joint work with Martin Albrecht, Jean Paul Degabriele and Torben Brandt Hansen.

Biography. Prof Kenneth Paterson obtained a BSc in 1990 from the University of Glasgow and a PhD from the University of London in 1993, both in Mathematics. He was then a Royal Society Fellow at Institute for Signal and Information Processing at the Swiss Federal Institute of Technology, Zurich, from 1993 to 1994. After that, he was a Lloyd's of London Tercentenary Foundation Research Fellow at Royal Holloway, University of London from 1994 to 1996. In 1996, he joined Hewlett-Packard Laboratories Bristol, becoming a project manager in 1999. He then joined the Information Security Group at Royal Holloway in 2001, becoming a Reader in 2002 and Professor in 2004. From March 2010 to May 2015, he was an EPSRC Leadership Fellow working on a project entitled "Cryptography: Bridging Theory and Practice". In May 2015, he reverted to being a Professor of Information Security.

Kenny was program chair of Eurocrypt 2011, invited speaker at Asiacrypt 2014, and currently serves as Editor-in-Chief for the Journal of Cryptology. He is a co-founder of the "Real World Cryptography" workshop series. He also serves on the Executive Steering Board of the IoT Security Foundation, as co-chair of the Crypto Forum Research Group of the IRTF, and on the technical advisory board of SkyHighNetworks.

His research over the last decade has mostly been in the area of Cryptography, with a strong emphasis being on the analysis of deployed cryptographic systems and the development of provably secure solutions to real-world cryptographic problems. He is a winner of an Applied Networking Research Prize from the IRTF for his work on the Lucky 13 attack on TLS; a PETS award for Outstanding Research in Privacy Enhancing Technologies for his work with Mihir Bellare and Phil Rogaway on the Security of symmetric encryption against mass surveillance published at CRYPTO 2014; and a winner of a best paper award at ACM CCS 2016, with Martin Albrecht, Jean Paul Degabriele and Torben Hansen, for their work on SSH.

Talk. 0-RTT Key Exchange with Full Forward Secrecy

Video. YouTube

Abstract. Reducing latency overhead while maintaining critical security guar- antees like forward secrecy has become a major design goal for key exchange (KE) protocols, both in academia and industry. Of particular interest in this re- gard are 0-RTT protocols, a class of KE protocols which allow a client to send cryptographically protected payload in zero round-trip time (0-RTT) along with the very first KE protocol message, thereby minimizing latency. Prominent ex- amples are Google’s QUIC protocol and the upcoming TLS protocol version 1.3. Intrinsically, the main challenge in a 0-RTT key exchange is to achieve forward secrecy and security against replay attacks for the very first payload message sent in the protocol. According to cryptographic folklore, it is impossible to achieve forward secrecy for this message, because the session key used to protect it must depend on a non-ephemeral secret of the receiver. If this secret is later leaked to an attacker, it should intuitively be possible for the attacker to compute the session key by performing the same computations as the receiver in the actual session.

We show that this belief is actually false. We construct the first 0-RTT key exchange protocol which provides full forward secrecy for all trans- mitted payload messages and is automatically resilient to replay attacks. In our construction we leverage a puncturable key encapsulation scheme which permits each ciphertext to only be decrypted once. Fundamentally, this is achieved by evolving the secret key after each decryption operation, but without modifying the corresponding public key or relying on shared state. Our construction can be seen as an application of the puncturable encryption idea of Green and Miers (S&P 2015). We provide a new generic and standard- model construction of this tool that can be instantiated with any selectively secure hierarchical identity-based key encapsulation scheme.

Biography. Tibor Jager teaches IT security and cryptography at Paderborn University. His research interests include applied and theoretical cryptography, with emphasis on the design and security analysis of digital signatures, public-key encryption schemes, and protocols, as well as practical attacks and countermeasures. He contributed to the discovery of security weaknesses in and practical attacks on major cryptographic standards and software libraries, including TLS, EAP-TLS, the W3C XML Encryption standard, and JSON Web Encryption/Web Signature.
@tibor_jager

Talk. Advanced SSL/TLS Deployment Strategies

Video. YouTube

Abstract. The web has evolved from hypertext to a powerful application platform. Powerful features like Geolocation, Push Notifications and Service Workers raise the stakes for application security.

Only HTTPS can guarantee integrity, confidentiality and authenticity of those web applications. We will cover deployment best practices that to strike a practical balance between security and compatibility. This includes a small digression into the inner guts of TLS to discuss cipher suites as well as certificate switching.

This talk also covers major deficiencies of the certificate ecosystems and demonstrates how to thwart the risks of misbehaving or even compromised Certificate Authorities with techniques like HTTPS Public Key Pinning or Certificate Transparancy.

Following this overview, common bypasses and shortcomings of these security mechanisms will also be discussed.

Biography. Frederik Braun is a Senior Security Engineer who works on Mozilla Firefox. Besides enhancing the built-in security checks, he has also been involved in web and mobile security. Frederik contributes to the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard. He's also a former student of the Ruhr University in Bochum and co-founded the CTF team Fluxfingers. When not working on computer security, Frederik spends time with his family in Berlin.
@freddyb

Talk. Black-Box Security Analysis of State Machine Implementations

Video. YouTube

Abstract. State machines play an important role when implementing any protocol. They specify which messages are to be sent at which state and how incoming messages should be processed at different stages of the protocol. Especially in security protocols, when mistakes are made in the implementation of the state machine this can lead to serious issues. In this talk we will show how black-box analysis techniques can be used to extract state machines from implementations and what kind of security issues this can reveal.

We applied this analysis on several protocols, including EMV and TLS. The analysis of TLS resulted, for example, in the discovery of a serious vulnerability in Java's TLS implementation, which made it possible to bypass encryption and certificate verification. The technique was also applied on 145 different version of OpenSSL and LibreSSL, which gave an interesting insight in the evolution of the implemented state machine and showed how several severe issues in the past can be observed.

The technique can also be used to analyse devices where physical input is required: with the help of a Lego robot we analysed handheld readers used for online banking. This could identify a vulnerability in the device where it is possible to bypass the acknowledgement from the user used to authorise a transaction.

The tool used in this research (StateLearner) is available as open source, and can easily be extended to support more protocols and systems.

Biography. Joeri de Ruiter is a researcher in the Digital Security group at the Radboud University in Nijmegen, The Netherlands. His research interests are in the analysis and design of real-world security protocols, such as TLS and EMV.
@cypherpunknl

Talk. Breaking and Fixing a Cryptocurrency

Video. YouTube

Abstract. Bitcoin has been hailed as a new payment mechanism, and is currently accepted by millions of users. One of the major drawbacks of Bitcoin is the resource intensive Proof-of-Work computation. Proof-of-Work is used to establish the blockchain, but otherwise it does not bring any benefits and arguably is a waste of energy. To address this problem, several alternative cryptocurrencies have been presented. One of them is Gridcoin which rewards the users for solving BOINC problems. In our work we conducted the first security analysis of Gridcoin. We identified two critical security issues. The first issue allows an attacker to reveal all the e-mail addresses of the registered Gridcoin users. Even worse, the second issue gives an attacker the ability to steal the work performed by a BOINC user, and thus effectively steal his Gridcoins. These attacks have severe consequences and completely break the Gridcoin cryptocurrency. We practically evaluated and confirmed both attacks, and responsibly disclosed them to the Gridcoin maintainers, together with the proposed countermeasures.

Biography. Martin Grothe is a research assistant at the Chair for Network and Data Security at the Ruhr University Bochum. Martin's research focuses on attacks against real-world protocols and security implementations. In August 2016, he and his colleagues demonstrated the first attacks against Microsofts Enterprise Rights Management (ERM) System, well known as Active Directory Rights Management Services (RMS). Further, in joined work with his colleagues at the Chair for Network and Data Security, he showed a new attack against PPTP VPNs, which utilizes RADIUS authentication.
@ashitaka007

Talk. Five Years of Android Security Research: the Good, the Bad, the Ugly

Video. YouTube

Abstract. Android security and privacy research has boomed in recent years, far outstripping investigations of other "appified" platforms. In this talk, we present an overview of the different research areas that have emerged around the Android ecosystem, their current state and outlook, as well as the lessons learned we can draw from Android for other contemporary or future appified platforms. In particular, in the last part of this talk, we will take a short look at ongoing investigations of third party code and tool-chain providers and their partly significant impact on the overall security state of the Android ecosystem.

Biography. Sven Bugiel is an Independent Research Group Leader and head of the Trusted Systems Group at the Center for IT-Security, Privacy and Accountability (CISPA), Saarland University. His research interests lie in the area of systems security and secure computing, where a particular focus is on mobile security, e.g., Android. In the past years, Sven’s research put a strong emphasis on novel access control solutions across the various layers of mobile software stacks, while more recently the ecosystem surrounding mobile platforms, such as third-party libraries, is of particular interest to him.
@svebug

Talk. How to Hack Your Printer

Video. YouTube

Abstract. The idea of a paperless office has been dreamed for more than three decades. However, nowadays printers are still one of the most essential devices for daily work and private people. Instead of getting rid of them, printers evolved from simple printing devices to complex network computer systems installed directly in company networks, and carrying lots of confidential data in their print jobs. This makes them to an attractive attack target.

In this paper we conduct a large scale analysis of printer attacks and systematize our knowledge by providing a general methodology for security analyses of printers. Based on our methodology we implemented an open-source tool called PRinter Exploitation Toolkit (PRET). We used PRET to evaluate 20 printer models from different vendors and found all of them to be vulnerable to at least one of the tested attacks. These attacks included, for example, simple Denial-of-Service (DoS) attacks or skilled attacks extracting print jobs and system files.

On top of our systematic analysis we reveal novel insights that enable attacks from the Internet by using advanced cross-site printing techniques combined with printer CORS-Spoofing. Finally, we show how to apply our attacks to systems beyond typical printers like Google Cloud Print or document processing websites. We hope that novel aspects from our work will become the foundation for future researches, for example, for the analysis of IoT security.

Biography. Jens Müller received his M.Sc. degree in IT Security / Networks and Systems from the Ruhr University Bochum in 2016. He has experience as a freelancer in network penetration testing and security auditing. In his spare time he develops free open source software, at present tools related to network printer exploitation.
@jensvoid

Talk. The (In)Security of Automotive Remote Keyless Entry Systems revisited

Video. YouTube

Abstract. Remote keyless entry (RKE) systems, usually based on so-called rolling codes, are the most widespread way of (un)locking vehicle doors, opening the trunk, and disarming the alarm system. RKE is based on the unidirectional transmission of an (increasing) counter value, authenticated by means of symmetric cryptography. There are two major ways of attacking RKE systems: (i) by exploiting vulnerable key distribution schemes, and (ii) by making use of cryptographical weaknesses in the employed ciphers. In this talk, we will give practical example for both cases (based on our Usenix Security 2016 paper). First, we show that the RKE system used by the VW group (Audi, Seat, Skoda, Volkswagen) was based on only a handful global keys over the past 20 years. By extracting these keys from ECU firmware, an adversary is able to clone the owner's remote control from a distance of up to 100m, using a single rolling code. Second, we present novel attacks on the Hitag2 RKE scheme (employed by Alfa Romeo, Peugeot, Lancia, Opel, Renault, and Ford among others). Based on black-box reverse-engineering of the protocol, we devise a new cryptanalytical attack on Hitag2 for full key recovery, requiring four to eight rolling codes and negligible computation. Finally, our talk also includes a brief survey of the state of automotive security in general, a discussion of the responsible disclosure process, and recommendations for designing more secure RKE systems.

Biography. David Oswald is a lecturer (assistant professor) in the Security and Privacy Group at the University of Birmingham, UK. His main field of research is the security of embedded systems in the real world. On the one hand, the focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection, as well as reverse engineering. On the other hand, David is working on the practical realization of security systems in embedded applications. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering. His research on vulnerabilities of various wide-spread systems (e.g. DESFire RFID smartcards, Yubikey two-factor authentication tokens, electronic locks, and VW/Hitag2 RKE systems) has created awareness for the crucial importance of security among developers of embedded devices.

Talk. A new categorization system for Side-channel attacks on mobile devices & more

Video. YouTube

Abstract. Side-channel attacks on mobile devices have gained increasing attention since their introduction in 2007. While traditional side-channel attacks, such as power analysis attacks and electromagnetic analysis attacks, required physical presence of the attacker as well as expensive equipment, an (unprivileged) application is all it takes to exploit the leaking information on modern mobile devices. Given the vast amount of sensitive information that are stored on smartphones, the ramifications of side-channel attacks affect both the security and privacy of users and their devices.

In this talk, I will begin with an overview of existing side-channel attacks on mobile devices and argue for the need of a new categorization system as side-channel attacks have evolved significantly since their introduction during the smartcard era. I will explain how our proposed categorization system will help to facilitate the development of novel countermeasures and provide insights into possible future research directions.

In the second part of my talk, I will present our latest work on how an adversary can exploit side-channel information, in this case power from the phone battery, to maliciously control a public charging station in order to exfiltrate data from a smartphone via a USB charging cable (i.e. without using the data transfer functionality).

Biography. Veelasha Moonsamy is a postdoctoral researcher in the Digital Security group at Radboud University in The Netherlands. She obtained her PhD from Deakin University in Melbourne (Australia), under the supervision of Prof. Lynn Batten. Her research interests revolves around security and privacy on mobile devices, in particular side- and covert-channel attacks, malware detection and mitigation of information leaks at application and hardware level.
@veelasha_m

Talk. Rowhammer Attacks: A Walkthrough Guide

Video. YouTube

Abstract. In the past 2 years the so-called Rowhammer bug has caught the attention of many academic and non-academic researchers. The scary aspect of the Rowhammer bug is that is entirely invalidates software security assumptions. Isolation mechanisms are ineffective to a degree where an attacker can run in a website and compromise the entire host system.

In this walkthrough guide I will walk you through all Rowhammer attacks that have been presented so far. We will start with the seminal work by Kim. et. al. 2014 and discuss the basic idea of triggering bitflips in software. Subsequently we will discuss how to use their findings in exploits, as demonstrated by Google researchers in 2015. The results from the works of these two groups is still of vital interest for the discussion of countermeasures that now may find their way into the Linux kernel.

Subsequently, we will discuss several attacks that are derived from these initial Rowhammer attacks. We will discuss attacks that lower requirements: Rowhammer.js, non-temporal-access-based attacks, DRAMA and Drammer. These attacks move Rowhammer from the strictly x86 native setting on DDR3 memory to new environments like the JavaScript sandbox, DDR4, or even mobile devices.

Another branch of attacks combine Rowhammer with other attack primitives. We will discuss attacks using deduplication (Dedup est Machina, Flip Feng Shui) and their impact. Furthermore, we will discuss the first Rowhammer attacks on cryptographic primitives that have been presented in 2016.

Finally, we will discuss countermeasures, i.e. Rowhammer detection and Rowhammer mitigation. While several countermeasures have been discussed and some have even been deployed, the problem is widely unsolved. We will shed light on the ongoing discussion amongst Linux kernel developers and point out dead ends that should be avoided in the future.

Biography. Clémentine Maurice is a postdoctoral researcher in the Secure Systems group at the Graz University of Technology, in Austria. She obtained her PhD from Telecom ParisTech in October 2015 while working at Technicolor in Rennes, jointly with the S3 group of Eurecom in Sophia Antipolis. Among other topics, she is interested in microarchitectural covert and side channels and reverse-engineering processor parts. Her research aims at finding new attack vectors on modern commodity devices such as servers, laptops, desktops and mobile devices. She also led the research on Rowhammer hardware fault attacks in JavaScript through a remote website, an attack also known as Rowhammer.js. She presented her work at several academic conferences and venues like the 32nd CCC and BlackHat Europe.
@BloodyTangerine

Daniel Gruss is a PhD Student at Graz University of Technology. He has done his master's thesis on identifying and minimizing architecture dependent code in operating system kernels. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating system. In July 2015, he and his colleagues demonstrated the first hardware fault attack performed through a remote website, known as Rowhammer.js.
@lavados

Talk. Secrets of the Google Vulnerability Reward Program

Video. YouTube

Abstract. In Google VRP, we receive and process over 600 vulnerability reports a month. While the majority of them end up being invalid, some of the vulnerabilities reported by our bughunters from all over the world are amazing, in terms of their severity, impact and/or the difficulty of patching them on a Google scale. While some of them were already described in the past at various security conferences or writeups, most of them remain unknown to the security community.

In this presentation, we'll highlight the most interesting bug reports submitted through Google VRP, with the root causes both in our products, open source libraries or common software stacks. We'll analyze the security patches to the libraries we helped create, and reveal the full story behind them. For example, you'll get to know what has the reason behind a couple of Angular security releases.

Additionally, we'll give insights on how we evaluate and deal with vulnerability reports internally. Special focus will be put on the remediation process - making sure that a given vulnerability is not only patched, but prevented from happening ever again.

Biography. Krzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google's Vulnerability Rewards Program. He's a web security researcher specialized in Javascript, browser extensions and client-side security. Author of multiple open-source pentesting tools, and recognized HTML5/UI redressing attack vectors. Speaker at international IT security conferences & meetings (Black Hat, BruCON, Hack In Paris, CONFidence, SecurityByte, HackPra, OWASP AppSec, Insomni'Hack).
@kkotowicz

Talk. Teach a Man to Phish and You Feed Him for a Lifetime

Video. YouTube

Abstract. Phishing might seem like a simple attack vector relying on gullible users to happily give up their credentials. When digging deeper into the topic however, one will find many interesting aspects of phishing that have not been widely reported.

This talk will dive into the analysis of so-called phishing kits: archives of server-side (mostly PHP) code that can be used to quickly turn a compromised or launched server into a phishing ground for the selected target. Leveraging the phishing detection capabilities of our team, we crawled known compromised servers and were able to download over five thousand phishing kits over the last couple of months.

Being able to analyze the server-side source code of phishing pages at large scale yields insights into the workings of phishing campaigns and opens new possibilities to the motivated security researcher:
- Finding and abusing bugs in the kits
- Evading evasion
- Automating the creation of robust detection
- Geographically tracking the phishers

Biography. Armin Buescher is a security researcher focused on the analysis of attack trends and transferring research results into the development of novel detection/prevention technologies and analysis tools. He has over 8 years of experience working in the security industry for companies with changing points of view ranging from the endpoint and malware sandboxes to network security and web gateways.
@armbues

Talk. Using Microarchitectural Design to Break KASLR and More

Video. YouTube

Abstract. Typically, hackers focus on software bugs to find vulnerabilities in the trust model of computers. In this talk, however, we'll focus on, how the micro architectural design of computers and how they enable an attacker to breach trust boundaries. Specifically, we'll focus on how an attacker with no special privileges can gain insights into the kernel and how these insights can enable further breaches of security. We will focus on the x86-64 architecture. Unlike software bugs, micro architectural design issues have applications across operating systems and are independent of easily fixable software bugs. In modern operating systems the security model is enforced by the kernel. The kernel itself runs in a processor supported and protected state often called supervisor or kernel mode. Thus the kernel itself is protected from introspection and attack by hardware. We will present a method that'll allow for fast and reliable introspection into the memory hierarchy in the kernel based on undocumented CPU behavior and show how attackers could make use of this information to mount attacks on the kernel and consequently of the entire security model of modern computers. Making a map of memory and breaking KASLR Modern operating systems use a number of methods to prevent an attacker from running unauthorized code in kernel mode. They range from requiring user-privileges to load drivers, over driver signing to hardware enabled features preventing execution in memory marked as data such as DEP (Data Execution Prevention) or more resonantly SMEP that prevents execution of user allocated code with kernel level privileges. Often used bypasses modify either page tables or use so called code reuse attacks. Either way an attacker needs to know where the code or page tables are located. To further complicate an attack modern operating system is equipped with "Kernel Address Space Randomized Layout" (KASLR) that randomizes the location of important system memory.

We'll present a fast and reliable method to map where the kernel has mapped pages in the kernel mode area. Further, we'll present a method for locating specific kernel modules thus by passing KASLR and paving the way for classic privileged elevation attacks. Neither method requires any special privileges and they even run from a sandboxed environment. Also relevant is that our methods are more flexible than traditional software information leaks, since they leak information on the entire memory hierarchy. The core idea of the work is that the prefetch instructions leaks information about the caches that are related to translating a virtual address into a physical address. Also significant is that the prefetch instruction is unprivileged and does not cause exceptions nor does it have any privilege verification. Thus it can be used on any address in the address space. Physical to virtual address conversion A number of micro-architectural attacks is possible on modern computers. The Row hammer is probably the most famous of these attacks. But attacks methodologies such as cache side channel attacks have proven to be able to exfiltrate private data, such as private keys, across trust boundaries. These two attack methodologies have in common that they require information about how virtual memory is mapped to physical memory. Both methodologies have thus far either used the "/proc/PID/pagemap" which is now accessible only with administrator privileges or by using approximations. We will discuss a method where an unprivileged user is able to reconstruct this mapping. This goes a long way towards making the row hammer attack a practical attack vector and can be a valuable assistance in doing cache side channel attacks. Again we use the prefetch's instructions lack of privilege checking, but instead of using the timing that it leaks we now use the instructions ability to load CPU caches and that timing of memory access instructions depend heavily on the cache state. Finally, we will shortly outline a possible defense.

Biography. Anders Fogh has led numerous low level engineering efforts in the past 11 years. Prior to that he worked at VOB GmbH and Pinnacle System where he was responsible for major developments in video and CD/DVD recording software. Since 1993 he has been an avid malware hobbyist and has reverse engineering experience with operating systems from DOS to present day OSs as well as devices ranging from DVD players to USB sticks. He holds a master's degree in economics from the University of Aarhus. He was the first to suggest a software solution to the row hammer bug and spoke at Black Hat 2015 with Nishat Herath on the topic of using performance counters for security out comes.
@anders_fogh

Talk. Code-Reuse Attacks and Beyond

Video. YouTube

Abstract. Code-reuse attacks have become a prevalent technique to exploit memory corruption vulnerabilities in software programs. The focus of most attacks is on modifying code pointer and a variety of corresponding defenses has been proposed, of which many have already been successfully bypassed — and the arms race continues. In this talk, we provide an overview of some recent work we performed at Ruhr University Bochum towards code-reuse attacks with and without modifying code pointers. On the one hand, we present some recent results on a technique called counterfeit object-oriented programming (COOP). We demonstrate that many existing defenses that do not consider object-oriented C++ or Objective-C semantics precisely can be generically bypassed in practice. On the other hand, we focus on non-control data attacks. We demonstrate some potential attacks and focus on data-only attacks that can bypass many of the existing defenses. We conclude the talk with an overview of potential other targets of code-reuse attacks and an outlook of future challenges.

Biography. Thorsten Holz is a professor in the Faculty of Electrical Engineering and Information Technology at Ruhr University Bochum, Germany. His research interests include systems oriented aspects of secure systems, with a specific focus on applied computer security. Currently, his work concentrates on automated analysis of malicious software, reverse engineering, and studying latest attack vectors. He received the Dipl.-Inform. degree in Computer Science from RWTH Aachen, Germany (2005), and the Ph.D. degree from University of Mannheim (2009). Prior to joining Ruhr University Bochum in April 2010, he was a postdoctoral researcher in the Automation Systems Group at the Technical University of Vienna, Austria.
@thorstenholz

Talk. Transport Layer Security – TLS 1.3 and backwards security issues

Video. YouTube

Abstract. Since the publication of CRIME and BEAST, many new attacks on TLS implementations surfaced each year. It turned out that some of the basic designs of TLS were flawed, e.g. the MAC-then-PAD-then-ENCRYPT construction of the TLS Record Layer. The IETF has therefore initiated work on TLS version 1.3, a major revision of the TLS standard. This new standard is influenced by Google's QUIC protocol, has lower latency, and improved security features.

In this talk, the outlines of the new standard will be sketched, and the current state of standardization described. In addition, we will have a look at backwards compatibility attacks, and ask if simply adding a new TLS version without deactivating the older ones will really improve security.

Biography. Since September 2003, Prof. Dr. Jörg Schwenk is the owner of the Chair for Network and Data Security at the Ruhr University Bochum. The chair belongs to the renowned Horst Görtz Institute for IT Security. Professor Schwenk is an internationally recognized expert in the areas of cryptography and IT security. After completing his doctorate in the Department of Mathematics at the University of Giessen he moved in 1993 to Darmstadt, where he worked at the Telekom Technology center for applied research in the field of IT security. Professor Schwenk is an author of numerous international publications in renowned conferences (for example Eurocrypt, Asiacrypt or Communications and Multimedia Security), author of textbooks on cryptography and Internet security, and about 60 patents in the field of IT security.
@JoergSchwenk

Talk. An Abusive Relationship with AngularJS v2

Video. YouTube

Abstract. Some voices claim that "Angular is what HTML would have been if it had been designed for building web applications". While this statement may or may not be true, is certainly accounts as one of the bolder ones a JavaScript web framework can ever issue. And where boldness is glistening like a German Bratwurst sausage in the evening sun, a critical review from a grumpy old security person shouldn’t be too far away.

This talk will have a stern, very stern look at AngularJS 1.x in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its
own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0?

Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base?

This talk is a reckoning with a modern JavaScript framework that promises a lot and keeps even more, not necessarily for the best for developers and users. We will conclude in deriving a general lesson
learnt and hopefully agree that progress doesn't invariably mean an enhancement.

Biography. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Other than that, Mario is a very simple person and only parses three-word sentences so don’t even bother addressing him with complex topics or rhetoric.

Talk. Automatic Extraction of Indicators of Compromise for Web Applications

Video. YouTube

Abstract. Indicators of Compromise (IOCs) are forensic artifacts that are used as signs that a system has been compromised by an attack or that it has been infected with a particular malicious software. In this paper we propose for the first time an automated technique to extract and validate IOCs for web applications, by analyzing the information collected by a high-interaction honeypot. Our approach has several advantages compared with traditional techniques used to detect malicious websites. First of all, not all the compromised web pages are malicious or harmful for the user. Some may be defaced to advertise product or services, and some may be part of affiliate programs to redirect users toward (more or less legitimate) online shopping websites. In any case, it is important to detect those pages to inform their owners and to alert the users on the fact that the content of the page has been compromised and cannot be trusted. Also in the case of more traditional drive-by-download pages, the use of IOCs allows for a prompt detection and correlation of infected pages, even before they may be blocked by more traditional URLs blacklists. Our experiments show that our system is able to automatically generate web indicators of compromise that have been used by attackers for several months (and sometimes years) in the wild without being detected. So far, these apparently harmless scripts were able to stay under the radar of the existing detection methodologies – resisting for long time on public web sites.

Biography. Marco Balduzzi holds a Ph.D. in applied IT security from Télécom ParisTech and a M.Sc. in computer engineering from the University of Bergamo. His interests concern all aspect of computer security, with particular emphasis on real problems that affect systems and networks. Some topics on which he worked on are web and browser security, code analysis, botnets detection, cybercrime investigation, privacy and threats in social networks, malware and intrusion detection systems.
@embyte

Talk. The beast within - Evading dynamic malware analysis using Microsoft COM

Video. YouTube

Abstract. Microsoft Common Object Model (COM) is technology which aims at providing binary programming interface for Windows programs. Despite its age almost ancient age, it still forms the internal fundament of many new Microsoft technologies such as .NET. However, in more than twenty years of further development, the inevitable pressure to retain backwards compatibility have turned the COM runtime into a obscure beast. These days, many COM interfaces exist that mirror almost the same functionality provided by common Windows APIs. Malware authors can easily execute almost any operation (creating files, starting new processes, etc.) only using COM calls. Dynamic malware analyzers must deal with this accordingly without getting lost in the shadowy depths of the COM runtime. The talk presents various aspects of automated dynamic COM malware analysis and shows which approaches are actually realizable and which ones are hopeless.

Biography. Ralf achieved his Ph.D. in computer science / IT-security at the Ruhr University of Bochum in 2013. During his studies he focused on new analysis methods for binary software, with a strong focus on malware. Since then, he has been one of the co-founders and the CTO of VMRay GmbH, a Bochum-based IT-security company focusing on 3rd generation threat analysis and detection using advanced hypervisor-based dynamic analysis. He has experience in malware research and software development for more than 15 years and is an active speaker at various academic and industrial conferences. His special interests lie in virtualization techniques and its application to software analysis.

Talk. Cache Side-Channel Attacks and the case of Rowhammer

Video. YouTube

Abstract. Software security relies on isolation mechanisms provided by hardware and operating system.  However, isolation mechanisms are often insufficient, for instance due to the existence of  caches in hardware and software. Caches keep frequently used data in faster memory to reduce access time and to reduce the access frequency on slower memory. This introduces timing differences that can be exploited in side-channel attacks.

The first half of this talk is about state-of-the-art cache side-channel attacks. Most cache attacks target  cryptographic implementations and even full key recovery attacks cross-core, cross-VM in public clouds have been demonstrated. We recently found that cache attacks can be fully automatized, cache attacks are not limited to specific architectures, and cache attacks can be implemented based on a variety of  hardware features. This broadens the field of cache attacks and increases their impact significantly.

The second half of this talk is about the so-called Rowhammer effect, which can be exploited to gain  unrestricted access to systems. Recent studies have found that in most DDR3 DRAM modules random bit flips can occur due to the Rowhammer effect. These hardware faults can be triggered by an attacker without accessing the corresponding memory location, but by accessing other memory locations in a high frequency. The first attacks used cache maintenance operations as caches would prevent such frequent accesses. Frequent accesses from JavaScript would allow a remote attacker to exploit the Rowhammer effect. For this purpose it is necessary to defeat the complex cache replacement policies. We showed that this is possible last year. In this talk we will detail how to evaluate the huge parameter space of eviction strategies, discuss intuitive and counter-intuitive timing effects, and thereby close the gap between local Rowhammer exploits in native code and remote Rowhammer exploits through websites.

Biography. Daniel Gruss is a PhD Student at Graz University of Technology. He has done his master's thesis on identifying and minimizing architecture dependent code in operating system kernels. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating system. In July 2015, he and his colleagues demonstrated the first hardware fault attack performed through a remote website, known as Rowhammer.js.
@lavados

Talk. Cheshire Cat's Grin

Video. N.A.

Abstract. There is malware, and then, there is m.a.l.w.a.r.e. Last year we got our fingers on a set of exquisite binaries which were definitely not the usual kind. No I'd never call malware sophisticated, after all thats not what it takes to be dangerous; or interesting. But those were a challenging beast, unusually intriguing.

For the lack of a better name, and given all the whacky traits the binaries come with, we dubbed the family CheshireCat. Thats the pink cat in Alice's wonderland with the most stupid grin. The CheshireCat binaries have been around since 2002, some are built for workstations as old as Windows NT4, they support dial-up connections and executable header checks for the NewExecutable file format. Go figure. We came to the conclusion, someone very dedicated has built CheshireCat for very special networks and kept his operation under the radar for more than a decade.

This talk will introduce CheshireCat's implementation traits, stealth tactics and wonderous functionalities. The term attribution might appear, once, to leave some clues about where CheshireCat might have come from.

Biography. Marion Marschalek is Principal Malware Researcher at GData AdvancedAnalytics, focusing on the analysis of emerging threats. Marion startedher career within the anti-virus industry and also worked on advancedthreat protection systems where she built a thorough understanding ofhow threats and protection systems work and how both occasionally fail.Next to that Marion teaches malware analysis at University of AppliedSciences St. Pölten and frequently contributes to articles and papers.She has spoken at international conferences around the globe, amongothers Blackhat, RSA, SyScan, hack.lu and Troopers. Marion came off aswinner of the Female Reverse Engineering Challenge 2013, organized by REprofessional Halvar Flake. She practices martial arts and has a vividpassion to take things apart. Preferably, other people's things.

Talk. The DROWN Attack

Video. YouTube

Abstract. We present DROWN, a novel cross-protocol attack thatcan decrypt passively collected TLS sessions from up-to-dateclients by using a server supporting SSLv2 as aBleichenbacher RSA padding oracle. We implemented theattack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours using Amazon EC2, at a costof $440. Using Internet-wide scans, we find that 33% ofall HTTPS servers and 22% of those with browser-trustedcertificates are vulnerable to this protocol-level attack,due to widespread key and certificate reuse.

Biography. Sebastian is a professor for computer security at Münster University of Applied Sciences since 2013. His research topics include penetrationtesting techniques, applied cryptography, side channel attacks, and he speaks regularly at information security conferences.
@seecurity

Talk. Eavesdropping on WebRTC Communication with Funny Cat Pictures

Video. YouTube

Abstract. WebRTC is one of the newest additions to the ever growing arsenal of Web browser-based technologies. In a shift away from the Web's classic Server-client architecture, WebRTC enables the creation of peer-to-peer channels between browsers, that do not traverse the Web server after initialization, allowing direct data transfer as well as audio/video chat. Well established protocols, such as HTTPS and DTLS/SCTP, outfit WebRTC's network communication (Both the browser-server as well as the browser-to-browser connections) with strong security guarantees, that render Man-in-the-Middle attacks virtually impossible. But -- not uncommon in Web scenarios -- the weakest link of the chain can be found on the JavaScript layer in the browser.

In this talk, we will show how a single Cross-site Scripting vulnerability, a compromised signaling server, or a malicious CDN can be utilized to fully intercept Web RTC communication and leak video & audio of both participants of the communication to a malicious third party. The attack is fully hidden from the compromised parties and requires no server infrastructure on the attacker's site.

Biography. Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium, he earned his living as a software engineer in German companies (including Infoseek Germany, and TC Trustcenter). He holds a diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of over eight years applied WebAppSec research, published more than 20 papers on the subject, and is a regular speaker at international security conferences, including Black Hat, the OWASP AppSec series, CCS, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, and the CCC Congress.
@datenkeller

Talk. Hacking with Unicode in 2016

Video. YouTube

Abstract. This presentation explores common mistakes made by programmers whendealing with Unicode support and character encodings on the Web. Foreach mistake, I explain how to fix/prevent it, but also how it couldpossibly be exploited.

Biography. Mathias is a Belgian web standards freak. He likes HTML, CSS, JavaScript, Unicode, performance, and security. At Opera Software he’s a member of the Developer Relations team.
@mathias

Talk. Java deserialization vulnerabilities - The forgotten bug class

Video. YouTube

Abstract. Java deserialization vulnerabilities are a bug class on its own. Although several security researchers have published details in the past, still the bug class is fairly unknown. This talk is about finding and exploiting deserialization flaws in Java. Details on a new gadget will be disclosed, allowing Remote Code Execution. And several vulnerabilities discovered by Code White will be shown as Case Studies including a 0day.

Biography. Matthias is the Head of Vulnerability Research at Code White. He enjoys bug-hunting in Java Software because it's so easy. He found vulnerabilities in products of Oracle, IBM, SAP, Symantec, Apache, Adobe, Atlassian, etc. Currently, he enjoys researching deserialization and looking into COM/OLE.
@matthias_kaiser

Talk. On the Security of Browser Extensions

Video. YouTube

Abstract. In an everlasting struggle to find the balance between security, privacy and that toolbar which slipped in after you've installed Java, browser extension systems constantly evolve. Three years after Kotowicz has pwned our stuff, we will explore old and new attack techniques for both Firefox and Chrome. Finally, we will engage in a jolly expedition to long-forgotten extension types and convince them to exploit the browser itself.

Biography. Nicolas is a soon-to-be former student of the Ruhr University Bochum. After finishing his master's degree, he will move to Zurich to join Google's web security efforts. Due to being a HackPra supervisor for roughly three years, Nicolas had the pleasure of listening to many great speakers and is eager to show that he has learned quite a few tricks of their trade over time.
@_qll_

Talk. On Securing Legacy Software Against Code-Reuse Attacks

Video. YouTube

Abstract. Code-Reuse attacks such as return-oriented programming constitute a powerful exploitation  technique that is frequently leveraged to compromise software on a wide range of architectures. These attacks generate malicious computation based on existing code (so-called gadgets) residing in linked  libraries. Both academia and industry have recently proposed defense techniques to mitigate code-reuse attacks. However, a continuous arms race has evolved between attacks and defenses. In this talk, we  will elaborate on the evolution of code-reuse attacks. In particular, we explore prominent defense  techniques that are based on control-flow integrity (CFI) enforcement and code randomization. Further, we discuss promising research directions such as hardware-assisted defenses and protection against  these attacks at the kernel layer.

Biography. Lucas Davi is an independent Claude Shannon research group leader of the Secure and Trustworthy Systems group at Technische Universität Darmstadt, Germany. He received his PhD from Technische Universität Darmstadt, Germany in computer science. He is also a researcher at the Intel Collaborative Research Institute for Secure Computing (ICRI-SC). His research focuses on software exploitation technique and defenses. In particular, he explores modern software exploitation attacks such as return-oriented programming (ROP) for ARM and Intel-based systems.

Talk. Security Nightmares in the Internet of Things: Electronic Locks and More

Video. N.A.

Abstract. Wireless embedded devices have become omnipresent in applications such as access control (to doors or to PCs), identification, and payments. The talk reviews the security of several commercial devices that typically employ cryptographic mechanisms as a protection against ill-intended usage or to prevent unauthorized access to secured data. A combination of side-channel attacks, reverse-engineering and mathematical cryptanalysis helps to reveal and exploit weaknesses in the systems that for example allow opening secured doors in seconds. At hand of the real-world examples, the implications of a key extraction for the security of the respective contactless application are illustrated. As a powerful tool for security-analyzing and pentesting NFC and RFID systems, the open source project  "ChameleonMini" is presented: Besides virtualization and emulation of contactless cards, the device allows to log the NFC communication, and in its latest revision acts as an active RFID reader.

Biography. Timo Kasper studied electrical engineering and information technology at the Ruhr University Bochum and at the University of Sheffield, UK. In 2006, his Diploma thesis "Embedded Security Analysis of RFID Devices" won the first place award for IT security (CAST, Darmstadt). Timo Kasper has been research assistant at the Chair for Embedded Security of the Horst Görtz Institute for IT Security (HGI) since October 2006. He completed his studies 2011 with a PhD in Engineering. In 2012, his PhD thesis "Security Analysis of Pervasive Wireless Devices - Physical and Protocol Attacks in Practice" won the first place award for IT security (CAST, Darmstadt). Timo is co-founder of Kasper & Oswald GmbH offering innovative products and services for security engineering.