CanSecWest 2022 has ended


Wednesday, May 18
 

10:00 PDT

CanSecWest Registration
Please come and get your badge and registration materials.

Wednesday May 18, 2022 10:00 - 11:00 PDT

11:00 PDT

Launching EMUX - A framework for emulating ARM and MIPS IoT Devices
EMUX (formerly known as ARMX) has been under regular development for over 5 years. The latest release brings MIPS emulation capabilities to the framework, expanding the set of targets that can be emulated. EMUX has been actively used in my training classes, and students have found a number of 0-days using EMUX as an emulation, fuzzing, and debugging platform.
This presentation will cover the following:
  • EMUX internals and architecture
  • How to add new CPU architectures to EMUX (beyond ARM and MIPS)
  • Challenges in emulation
  • Live demo: Extracting firmware from SPI flash and emulating an entire IoT device in EMUX
EMUX is publicly available as a Docker image on https://github.com/therealsaumil
EMUX Website and Documentation: https://emux.exploitlab.net/

Speakers
Saumil Shah

CEO, Net-Square
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest...


Wednesday May 18, 2022 11:00 - 12:00 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

12:00 PDT

Reconfiguration Break
Light Lunch

Wednesday May 18, 2022 12:00 - 12:30 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

12:30 PDT

Hands On EMUX: Emulating ARM and MIPS IoT Firmware
EMUX (formerly known as ARMX) has been under regular development for over 5 years. The latest release brings MIPS emulation capabilities to the framework, expanding the set of targets that can be emulated. This workshop shall be in two parts:

Part 1 (30 minutes)
- Setting up EMUX in 7 minutes
- A tour of EMUX internals
- Case study of how IoT devices are emulated

Part 2 (90 minutes)
- Emulating an IP Camera from flash firmware
- Firmware extraction hands-on
- Building an emulation-compatible kernel from scratch
- Managing the root file system
- Putting it all together in EMUX

Students are expected to bring their laptops with a working Docker instance. EMUX is publicly available as a Docker image on https://github.com/therealsaumil

EMUX Website and Documentation: https://emux.exploitlab.net/

Speakers
Saumil Shah

CEO, Net-Square
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest...


Wednesday May 18, 2022 12:30 - 14:30 PDT
CanSecWest Workshop Room 1 - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

12:30 PDT

Practical Mobile App Attacks by Example
In this workshop I will get you up and running with CodeQL, avoiding common pitfalls that usually make people abandon attempts to use a new tool. Once this friction is behind us, we will focus not on solving the halting problem but on translating auditing ideas into queries that will guide you through a target codebase.

Speakers
Abraham Aranguren

Lead Security Engineer, 7A Security
After 15 years in itsec and 22 in IT, Abraham is now the CEO of 7ASecurity (7asecurity.com), a company specializing in penetration testing of web/mobile apps, infrastructure, code reviews, and training. Co-Author of the Mobile, Web, and Desktop (Electron) app 7ASecurity courses. Security...


Wednesday May 18, 2022 12:30 - 14:30 PDT
CanSecWest Workshop Room 3 - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

14:30 PDT

Coffee Break
Wednesday May 18, 2022 14:30 - 14:45 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

14:45 PDT

Security Lessons From COVID-19
Lessons, or reminders, of important information security operations concepts which have been pointed out by the COVID-19 pandemic crisis. Using the SARS-CoV-2/COVID-19 pandemic as a giant case study, and structured by the domains of information security, this talk looks at security aspects of the crisis, pointing out specific security fundamentals where the social, medical, or business response to the crisis failed, or needed to make specific use of those concepts. For the most part, these lessons are simply reminders of factors that get neglected during times of non-crisis, and particularly point out the importance of advance planning and resilience in systems and business.

Speakers
Rob Slade

Past President, Vancouver Security SIG
Rob Slade is an information security and management consultant from North Vancouver, British Columbia, Canada. (Or he may be an AI experiment gone horribly wrong, and hooked up to various email addresses.) He has consulted for Fortune 100 companies, has taught on six continents, gets...


Wednesday May 18, 2022 14:45 - 16:45 PDT
CanSecWest Workshop Room 2 - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

16:45 PDT

Reconfiguration Break
Wednesday May 18, 2022 16:45 - 17:00 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

17:00 PDT

Project TEMPA - Demystifying Tesla's Bluetooth Passive Entry system
The security of Tesla's cars has been a hot topic in recent months. In addition to being one of the safest cars on the road, it is also well-protected from hacks and attacks. But how does Tesla make sure their vehicles are safe and secure?

Tesla is a company that has been innovating in the automobile industry for many years. They have been designing and manufacturing electric vehicles which are environmentally friendly and sustainable. Tesla has also been pioneering and implementing new technologies in the automotive industry. One of these innovations is their Bluetooth interface which is used for locking and unlocking vehicles and can be used to uniquely identify cars, as well as to track them in real-time with apps like "Tesla Radar".

The introduction of Tesla's Bluetooth passive entry system, previously only used by the Model 3 and Model Y, into new product lines like the Tesla 2021 Model S/X facelift variant shows the strategic importance of this technology for Tesla in the years to come.

This case study sheds light on the inner workings of Tesla's Passive Entry System and core VCSEC protocol, and reveals possible attack vectors.

Speakers
Martin Herfurt

Researcher, trifinite.group
Martin is an independent security researcher focusing - but not exclusively - on various aspects of product security related to Bluetooth wireless technology. As one of the co-founders of the trifinite.group, Martin worked with the Bluetooth SIG, helping the technology and its adopters...


Wednesday May 18, 2022 17:00 - 18:00 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9
 
Thursday, May 19
 

08:30 PDT

Breakfast
Thursday May 19, 2022 08:30 - 09:00 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

09:00 PDT

KEYNOTE: A Brief and Mostly Incorrect History of Fully-Remote Mobile Vulnerabilities
Speakers
Natalie Silvanovich

Security Researcher, Google
Natalie Silvanovich is a security researcher on Google Project Zero. Her current focus is messaging applications and video conferencing. Previously, she worked in mobile security on the Android Security Team at Google and as a team lead of the Security Research Group at BlackBerry...


Thursday May 19, 2022 09:00 - 10:00 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

10:00 PDT

Second Breakfast
Thursday May 19, 2022 10:00 - 10:30 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

10:00 PDT

An Introduction to ARM Assembly and Shellcode
Rescheduled from Wednesday, 2:45pm-4:45pm (May 18), to Thursday, 10am to 12pm (May 19).

This workshop is a hands-on crash course on ARM Assembly Language and writing simple shellcode from the ground up. This workshop shall be presented in two parts:
  • Part 1 (60 minutes) 
    • An Introduction to the ARM 32-bit Instruction Set
    • ARM Assembly for x86 practitioners
    • From C to ARM Assembly  
  • Part 2 (60 minutes) 
    • ARM execve() Shellcode
    • ARM Reverse Shell
Students are expected to bring their laptops with a working Docker instance. The workshop shall make heavy use of the EMUX Firmware Emulation Framework. EMUX is publicly available as a Docker image on https://github.com/therealsaumil
EMUX Website and Documentation: https://emux.exploitlab.net/



Speakers
Saumil Shah

CEO, Net-Square
Saumil Shah is the founder and CEO of Net-Square, providing cutting edge information security services to clients around the globe. Saumil is an internationally recognised speaker and instructor, having regularly presented at conferences like Blackhat, RSA, CanSecWest, PacSec, EUSecWest...


Thursday May 19, 2022 10:00 - 12:00 PDT
CanSecWest Workshop Room 1 - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

10:30 PDT

KEYNOTE: Is the Future of AppSec Human?
Did you know that GitHub reports 500 times more developers than security experts? That means we’re developing software faster than we can manually check it.

Unfortunately, it also means the status quo gives offense a permanent advantage. We all know that defense needs to check software at the speed and scale of development, while offense just needs to find one exploitable bug in deployed software.

In 2016, DARPA asked if there was a better approach. They asked whether it was possible to build an autonomous appsec stack – a sort of autopilot for appsec – that could run at machine speeds and scale. The answer was yes, but using technology that few would have initially guessed. The base of the tech stack was fuzzing and symbolic execution.

The question we now face: how do we change the world to adopt the proven fully automatic approach? How does the automatic tech stack differ from what’s found in practice, and what are the barriers to making the world safer? Is the future of appsec human, or a machine?


Speakers
David Brumley

CEO, ForAllSecure
Dr. David Brumley is CEO and co-founder of ForAllSecure and a full professor at Carnegie Mellon University. His accomplishments include winning the DARPA Cyber Grand Challenge, a United States Presidential Early Career Award for Scientists and Engineers (PECASE) from President Obama...


Thursday May 19, 2022 10:30 - 11:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

11:30 PDT

Bad ALAC: One codec to hack the whole world
The Apple Lossless Audio Codec (ALAC) is an audio coding format developed by Apple Inc. in 2004 for lossless data compression of digital music. After initially keeping it proprietary, in late 2011 Apple made the codec open source. Since then, the ALAC format has been embedded in many non-Apple audio playback devices and programs, including Android-based smartphones, and Linux and Windows media players and converters.

We have discovered serious vulnerabilities in the open source ALAC that many third-party vendors have inherited into their projects.

Looking for a way to hack a mobile phone or a PC remotely? We know one way…

We discovered that MediaTek and Qualcomm, the two largest mobile chipset makers, ported the vulnerable ALAC code into their audio decoders, which are used in more than half of all smartphones worldwide. We will show how the issues we found could be used by an attacker for RCE on a mobile device through a malformed audio file, or for LPE from an unprivileged Android app to access media data and user conversations.

Speakers
Slava Makkaveev

Researcher, Check Point Research
Slava Makkaveev is a Security Researcher at Check Point Research. He holds a PhD in Computer Science. Slava found himself in the security field more than ten years ago and has since gained vast experience in reverse engineering and vulnerability research. Recently Slava has taken...

Netanel Ben Simon

Researcher, Microsoft
Netanel Ben Simon is a Security Researcher at Microsoft and a former employee of Check Point Research. Netanel specializes in Windows exploitation (Userspace & Kernel) and development of custom fuzzers for bug hunting.


Thursday May 19, 2022 11:30 - 12:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

12:30 PDT

Lunch
Thursday May 19, 2022 12:30 - 13:15 PDT
CanSecWest Pavilion - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

13:15 PDT

Bypassing Falco: Cluster Compromise without Tripping the SOC
The explosive growth in the usage of Kubernetes container clusters has left security professionals scrambling to find and deploy innovative tools to address the inherent security risks. One such tool is The Falco Project, originally created by Sysdig. It's an incubating CNCF open source cloud native runtime security tool. Falco makes it easy to consume kernel events and enrich those events with information from Kubernetes and the rest of the cloud native stack. Falco has a rich set of security rules specifically built for Kubernetes, Linux, and Cloud. If a rule is violated, Falco will send an alert notifying of the violation and its severity.

In this talk I will present my research on various techniques to silently bypass the default Falco ruleset (based on pre-latest v0.30.0). I will demonstrate nine different classes of bypasses, seven of which are novel and have never been presented. I will also introduce the special container image and multiple code snippets built specifically for Falco bypasses. The bypasses allow for stealthy target enumeration, privilege escalation and lateral movement. To wrap up, I will apply the bypass techniques on the example of the GKE Kubernetes cluster and demonstrate how an attacker can achieve full cluster compromise without tripping the SOC.

This research was presented to the Falco team in July and a partial sequence of fixes has made it into v0.31.0. The material for the talk is kept in a private GitHub repo and will be made available to the public before the talk.

Speakers
Shay Berkovitch

Researcher, Blackberry
Shay is a Security Researcher at BlackBerry working with the Security Research Group on various aspects of container security. He worked previously at Blue Coat Systems and Symantec on WAF, SWG and other network security solutions. Shay holds a Master's degree from UW with (somewhat...


Thursday May 19, 2022 13:15 - 14:15 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

14:15 PDT

FirmWire: Taking Baseband Security Analysis to the Next Level
This talk will provide an introduction to FirmWire, our open-source emulation platform for cellular baseband images. The platform allows researchers to dynamically debug, introspect, and interact with complex baseband firmware, providing insights about its inner workings in real-time.

FirmWire’s integrated ModKit builds upon these powerful capabilities to create and inject custom tasks inside the emulated baseband. We leverage this ModKit to enable full-system fuzzing via AFL++ by creating custom fuzzing tasks interacting with the host, using special hypercalls. With this setup, we uncovered one pre-authentication vulnerability in MediaTek's MTK and several pre-authentication vulnerabilities in the LTE and GSM stacks of Samsung’s Shannon baseband implementation, affecting millions of devices.

FirmWire is the outcome of a more than two-year-long international research collaboration between the University of Florida, Vrije Universiteit Amsterdam, TU Berlin, and Ruhr-University Bochum. We will release it to the public in 2022.


Speakers
Dominik Maier

Software Engineer, Google
Dominik is part of the open source AFLplusplus project, which maintains the AFL++ and LibAFL fuzzing frameworks. During his PhD at TU Berlin he worked on fuzzing weird targets, including cellular basebands. He recently joined Google. In his spare time he likes to travel.

Marius Muench

Researcher, Vrije Universiteit Amsterdam
Marius is a postdoctoral researcher at Vrije Universiteit Amsterdam. His research interests cover (in-)security of embedded systems, as well as binary and microarchitectural exploitation. He obtained his PhD from Sorbonne University in cooperation with EURECOM. He developed and maintains...

Grant Hernandez

Security Researcher
Grant is a mobile vulnerability researcher. He previously worked on Qualcomm's QPSI OTA team with a modem security focus. He completed his PhD on embedded firmware analysis in 2020 from the University of Florida where he explored symbolic execution of USB firmware, exposed how AT...


Thursday May 19, 2022 14:15 - 15:15 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

15:15 PDT

Kubernetes Attack and Defense: Break Out and Escalate!
Container break-out seems inevitable. Once outside of a container, an attacker can escalate privilege and possibly end up owning the entire cluster. As attackers, how do we break out of the container and then how do we escalate privilege? As defenders, how do we reduce the odds of a container break-out, while reducing its blast radius? In this demo-heavy presentation, we'll answer these questions, demonstrating attacks and defenses that you can take back and repeat on your own clusters.







Speakers
Jay Beale

CEO and CTO, InGuardians
Jay Beale is CTO and CEO for InGuardians. He works on Kubernetes, Linux and Cloud-Native security, both as a professional threat actor and an Open Source maintainer and contributor. He's the architect of the open source Peirates attack tool for Kubernetes and Bustakube CTF Kubernetes...



Thursday May 19, 2022 15:15 - 16:15 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

16:15 PDT

Coffee Break
Thursday May 19, 2022 16:15 - 16:30 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

16:30 PDT

Defeating Stack Canaries and Memory Safety with Speculative Execution
After decades of fighting memory corruption vulnerabilities, several defenses have been developed to raise the bar for attackers carrying out exploitation. Defenses like control flow integrity (CFI) and the stack smashing protector completely prevent the direct use of memory corruption primitives, and require an attacker to employ bypass techniques to complete an attack. After the introduction of the new class of transient execution attacks, it is natural to wonder how these well-established defenses perform in the post-Spectre era.

In this talk, we present a sub-class of transient execution attacks that we call SPEAR. This sub-class enables an attacker to repurpose memory corruption primitives that cannot be used in the context of traditional exploitation to achieve arbitrary memory read. In our talk, we discuss how SPEAR changes the game in three main use-cases: control flow integrity (CFI), memory-safe languages and stack smashing protectors (SSP). We present our end-to-end attack in which we achieve information leakage through a SPEAR attack against a buffer overflow mitigated by SSP in libpng. We also present the first application of speculative ROP in a real-world attack and discuss its differences with traditional ROP.


Speakers
Andrea Mambretti

System Security Researcher, IBM Research Zurich
Andrea Mambretti is a system security researcher at the IBM Research Zurich laboratory. He holds a PhD in Cybersecurity from Northeastern University, and a Bachelor's and a Master's degree in Computer Engineering from Politecnico di Milano. His research interests lie in systems and...

Anil Kurmus

Security Researcher, IBM Research Zurich
Anil Kurmus is a security researcher at the IBM Research Zurich laboratory. His interests are mainly in systems security, software security, operating systems as well as CPU microarchitecture, both in terms of offensive and defensive research. He holds a PhD degree (Dr.-Ing) from...


Thursday May 19, 2022 16:30 - 17:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

17:30 PDT

Talk To Your Doctor About If Protocols Are Right For You: Vulnerabilities in HL7 Protocols
In the modern healthcare environment, care is provided by different departments all using various software solutions, and various protocols are used to send information between the departments. These protocols are used for everything from tracking patient admittance and dispensing medication to transmitting health records between hospitals. They are essential for the delivery of care in the modern healthcare sector, but are largely unknown outside of healthcare IT. The goal of this talk is to cover research into HL7 protocols: protocols that are not widely known but are becoming the most broadly deployed interoperability protocols in the United States, components of healthcare worldwide, and whose implementations are legally mandated in some circumstances. These protocols show up everywhere from your phone to your local hospital to Google Cloud to the DEF CON Bio-hacking Village CTF, and are supported by an overwhelming majority of EMRs.


This talk will review both the historical and technical aspects of two HL7 protocols, HL7v2 and FHIR, in depth. First, we'll quickly discuss the reason why these protocols were created, and explain the structure of modern healthcare environments like hospitals and doctor's offices. Next, we'll cover HL7v2, the most widely deployed of these protocols, covering its construction, structure, and use. We'll talk about implementations of the protocol, the attack surface of these implementations, and issues to look out for while interacting with them. Next, we'll talk about FHIR and implementations of FHIR, including the most widely used implementation. Then we'll talk about design issues which significantly weaken both protocols, such as lack of authentication, and discuss and demonstrate methods to MITM the traffic. We'll also discuss several methods of fingerprinting environments and discovering resources in FHIR environments. We'll demonstrate two CVEs discovered as part of this research, CVE-2021-32053 and CVE-2021-32054, which allow attackers to deny service to an entire medical records system and to upload and serve arbitrary resources and webpages, or upload malware, on critical infrastructure running affected versions. We'll close with a short discussion of FHIR's future, the security of EMRs in general, and best practices that can be used by organizations to securely deploy these protocols.







Speakers
Zachary Minneker

Senior Security Engineer, Security Innovation
Zachary Minneker is a senior security engineer and security researcher at Security Innovation. His first computer was a PowerPC Macintosh, an ISA which he continues to defend to this day. At Security Innovation, he has performed security assessments on a variety of systems, including...


Thursday May 19, 2022 17:30 - 18:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

21:00 PDT

PWN2OWN 15th Anniversary Gala
Thursday May 19, 2022 21:00 - 23:30 PDT
CanSecWest Lounge - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9
 
Friday, May 20
 

08:30 PDT

Breakfast
Friday May 20, 2022 08:30 - 09:00 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

09:00 PDT

Securing the 3rd Party Software Life Cycle
Supply chain attacks have been on the rise in the past two years and are proving to be common and reliable attack vectors that affect all consumers of software. Securing an organization from third-party software attacks is quite complicated, with numerous threats along the software lifecycle, from selection (the choice of third-party software) through deployment and updates to, finally, retirement. While point-in-time assessments help in uncovering risk before the software is selected, it is practically impossible to review all solutions beforehand, and these point-in-time assessments cannot keep up with the continuous feature enhancements or updates a piece of software may go through in its lifetime. There is no comprehensive end-to-end framework that defines both how to mitigate threats across the software supply chain and provides reasonable security guarantees. There is an urgent need for a solution in the face of the eye-opening, multi-billion-dollar attacks in recent times.

In this talk we are going to present our proposed solution - Securing the 3rd Party Software Life Cycle, an end-to-end framework for ensuring the security of third-party software throughout its lifecycle.

Speakers
Kesav Nimmagadda

Senior Security Program Manager, Microsoft
Kesav leads the operations and strategy for the Software Supply Chain Security Assurance program and works with various engineering teams at Microsoft to ensure they are aligned with Microsoft's security strategy. Kesav is passionate about solving the software supply chain security...

Neha Shukla

Sr Security Program Manager, Microsoft
Neha leads the Software Supply Chain Security Assurance program and works with various engineering teams at Microsoft to ensure they are aligned with Microsoft's security strategy. Neha is passionate about solving the software supply chain security problem for Microsoft and share...


Friday May 20, 2022 09:00 - 10:00 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

10:00 PDT

Second Breakfast
Friday May 20, 2022 10:00 - 10:30 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

10:30 PDT

Thanks for Leaving the Lights On
This talk is a discussion about low-level remote management systems and protocols; how even with the best security on our systems, and inside our VMs, out-of-band management interfaces often remain unprotected, unpatched, and unmonitored. All while being connected in some cases directly to the Internet. EDR does nothing if a threat actor can re-initialize the RAID array your VMs are stored on.

Speakers
Adam Doherty

Senior Consultant, Strategic Advisory, CrowdStrike
Automator of things, mechanical keyboard enthusiast, and most likely to keep the coffee industry afloat; Adam has been working in IT for over 20 years in various sectors. He is very passionate about making security accessible to anyone old enough to have used VHS tapes, and payphones...


Friday May 20, 2022 10:30 - 11:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

11:30 PDT

When eBPF meets TLS!
Currently a work in progress that will be extended for the final version, this submission aims at demystifying the eBPF technology for the security community. While it is currently well-known in cloud environments (such as process visibility and programmable network flows), eBPF has had little experimentation when it comes to its usage as a building block of security-focused tools.

The purpose of this proposal is to achieve a step by step introduction to eBPF by providing working examples of four different eBPF programs and tools:
  • Identify the network traffic of a specific process
  • Detect processes doing TLS traffic
  • Dump TLS sessions from a process's memory
  • Intercept a process's traffic transparently
Ultimately, this collection of programs could be used to develop a tool that can seamlessly intercept a process's TLS traffic and modify it.

Speakers
Guillaume Valadon

Director of Security Research, Quarkslab
Guillaume Valadon is the Director of Security Research at Quarkslab and holds a PhD in networking. He likes looking at data and crafting packets. In his spare time, he co-maintains Scapy and learns reversing embedded devices. Also, he still remembers what AT+MS=V34 means! Guillaume...


Friday May 20, 2022 11:30 - 12:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

12:30 PDT

Lunch
Friday May 20, 2022 12:30 - 13:15 PDT
CanSecWest Pavilion - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

13:15 PDT

The Printer goes brrrr
Network printers are good target candidates from an attacker perspective since they are rarely reinstalled or supervised and thus constitute a perfect place to hide on a network. Moreover they provide the attackers with persistent access to sensitive documents that may be scanned or printed.

This kind of device was featured for the first time at the Pwn2Own competition in Austin in 2021. Three popular LaserJet printers were included in the competition: HP, Lexmark and Canon. During the event, we (Synacktiv) managed to compromise all of them, which, among other targets, allowed us to win the whole competition. In this talk, we will focus on how we achieved code execution on the Canon printer.

The primary step was to obtain the firmware to start reverse analysis. The firmware is distributed through custom packages that are obfuscated. In this research, we will dissect the package format. Specifically, we will present how the primary analysis of the bootloader that we extracted from the flash memory allowed us to identify the deobfuscation routine, enabling us to decode further package updates available from Canon's website. The firmware is based on DryOS, a real-time OS powering several Canon products including cameras and printers.

The Canon printer exposes several network services that we have analysed. In particular, we will present the CADM service as part of the attack surface and how we identified a heap-based overflow in one of the numerous operations handled by that protocol. Exploiting the vulnerability requires an understanding of the DryOS allocator, which will also be presented to the audience. Thanks to the DryOS console available via UART, we were able to dump the heap state and to elaborate a generic scenario to attack the allocator. We will present our exploitation strategy and how one could reuse it to exploit similar heap-based overflows. We will finally showcase how we managed to display an arbitrary image on the printer's LCD screen thanks to a shellcode that directly encodes pixel values in the framebuffer.

Speakers
Rémi Jullian

Computer Security Researcher, Synacktiv

Thomas Jeunet

Computer Security Researcher, Synacktiv
Thomas Jeunet is a long-time pentester and now a computer security researcher at Synacktiv. This research is his first publication and presentation. His main interests are vulnerability research, exploit development, and reverse engineering, particularly on exotic architectures.

Mehdi Talbi

Computer Security Researcher, Synacktiv
Mehdi Talbi, PhD, is a computer security researcher at Synacktiv. His main interests are vulnerability research, exploit development, reverse engineering, and source code auditing. Mehdi has published his work in several peer-reviewed journals (Journal in Computer Virology) and magazines...


Friday May 20, 2022 13:15 - 14:15 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

14:15 PDT

PWN Windows: From Low to System Privilege via RASMAN Service
Windows is an operating system with a long history, which also means that it contains a lot of code that has been in use for many years. The security of this code may not have been fully considered when it was written. I found an attack surface called RasMan (Remote Access Connection Manager) that has been hidden for a long time, having existed at least since Windows NT 4.

In this talk, I will introduce the architecture of this module in detail, and describe how I found 10+ vulnerabilities in this module in a short period of time. Finally, I will introduce two vulnerabilities which bypass all current mitigations and won the Windows EoP project at Tianfu Cup 2021.


Speakers

Ziming Zhang

Researcher, Ant Security Light-Year Lab
Security researcher at Ant Security Light-Year Lab, working on virtualization security and kernel security. 2021 Tianfu Cup Windows project winner; 2021 Q2 Microsoft Most Valuable Security Researcher; 2020 Tianfu Cup Parallels Desktop project winner. Before, I researched vulnerabilities related...


Friday May 20, 2022 14:15 - 15:15 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

15:15 PDT

Coffee Break
Friday May 20, 2022 15:15 - 15:30 PDT
CanSecWest Jr. Ballroom Foyer - Sheraton Wall Centre 1000 Burrard St, Vancouver, BC V6Z 2R9

15:30 PDT

Matryoshka Trap: Recursive MMIO Flaws Lead to VM Escape
When a hypervisor handles an MMIO VM-exit to do DMA transfers, another MMIO handler might be called later if the destination overlaps with its MMIO region. This kind of bug can damage the virtual device's state machine or even crash the hypervisor. However, little effort has been spent studying whether they are critical security issues: are they exploitable?

In this talk, we will present our security research on QEMU/KVM, a hypervisor widely used in cloud computing, and analyze the root cause and common consequences of recursive MMIO, thus disclosing a new attack surface. Interestingly, we found Oracle VirtualBox is also affected. To facilitate the hunting and exploiting process, we use CodeQL to find flaws and exploit primitives automatically. We will explain the CodeQL queries and some vulnerabilities we found.

Additionally, we will share the details of our exploit development on a recursive MMIO vulnerability (CVE-2021-3929), and demonstrate a VM escape in the end. Furthermore, we find that recursions can happen between different devices, which brings more possibilities to exploit the hypervisor. As far as we know, this is the first public guest-to-host exploit by constructing recursive MMIO chains.

Finally, we will give some thoughts about mitigations and the lessons we’ve learned.

Speakers

Qiuhao Li

Graduate Student, Harbin Institute of Technology
Qiuhao Li (@QiuhaoLi) is a graduate student at Harbin Institute of Technology, supervised by Professor Hui He. His main research areas are cloud security and fuzzing. He has reported multiple vulnerabilities to QEMU, Oracle VirtualBox, and Parallels Desktop...

Gaoning Pan

Ph.D. student, Zhejiang University
Gaoning Pan (@hades24495092) is a Ph.D. student at Zhejiang University, China, under the supervision of Chunming Wu. He is a member of the AAA CTF Team. His research focuses on system security, especially virtualization security. He has reported several vulnerabilities in QEMU and Oracle VirtualBox, which were...


Friday May 20, 2022 15:30 - 16:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

16:30 PDT

Exploiting Relational and Non-Relational Java Databases
Step 1: Learn about Java Databases, Relational and Non-Relational
Step 2:
  •  a.) Exploit Diverse Relational Databases
  •  b.) Exploit Diverse Non-Relational Databases
Step 3: PWN!

Speakers

Xu Yuanzhen (pyn3rd)

Senior Security Engineer
Xu Yuanzhen (pyn3rd) is a senior security engineer. He focuses on Java security and cloud security. He has presented the results of his research at international security conferences such as XCon 2019, HITB 2020, and HITB 2021. He has also reported vulnerabilities to Oracle, Apache, Amazon...

Chen Hongkun (Litch1)

Security Engineer, Eagle Cloud
Chen Hongkun (Litch1) is a security engineer at Eagle Cloud. He is responsible for enhancing the terminal security protection capability of SASE and related attack and defense technology research. He is an HITB and XCON speaker and has reported a number of critical vulnerabilities to Oracle, Sonatype...


Friday May 20, 2022 16:30 - 17:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9

17:30 PDT

Mystique Hits: Vulnerability Chain that breaks the Android Application Sandbox
The Android Application Sandbox is the cornerstone of the Android Security Model, which protects and isolates each application's process and data from the others. Attackers usually need kernel vulnerabilities to escape the sandbox, which have themselves become quite rare and difficult to find due to emerging mitigations and a tightened attack surface. However, we found a vulnerability in Android 11 stable that breaks the dam purely from userspace: CVE-2021-0691. Combined with other 0days (CVE-2021-25450, CVE-2021-25485, CVE-2021-25510, CVE-2021-25511 and CVE-2021-23243, etc.) that we discovered in major Android vendors, forming a chain, a malicious attacker app can totally bypass the Android Application Sandbox, owning any other application such as Facebook and WhatsApp, reading application data, injecting code or even trojanizing the application (including unprivileged and privileged ones) without user awareness. We named the chain "Mystique" after the famous Marvel Comics character due to the similar ability it possesses. These findings have been acknowledged and fixed by Google and major Android vendors such as Samsung.

In this talk we will give a detailed walkthrough of the whole vulnerability chain and the bugs it includes. On the attack side, we will discuss the bugs in detail and share our exploitation method and framework that enables privilege escalation, transparent process injection/hooking/debugging and data extraction for various target applications based on "Mystique". We will also share insights on our static program data-flow analysis framework that automatically identifies a large portion of the bugs in this chain on multiple vendors. On the defense side, we will talk about the detection SDK/tool for app developers and end users, since this new type of attack differs from previous ones and largely evades traditional analysis.

Speakers

Dawn Security Group

Dawn Security Lab
Dawn Security Lab mainly focuses on system and IoT security research. The Lab has found hundreds of CVEs in Google, Apple, Samsung, etc. products, and its members include former Pwn2Own champions. The Lab's Twitter is @dawnseclab.


Friday May 20, 2022 17:30 - 18:30 PDT
Main CanSecWest Ballroom - Sheraton Wall Center 1000 Burrard St, Vancouver, BC V6Z 2R9