Location: Canberra Rex Hotel, 150 Northbourne Ave, Braddon ACT 2612
Time: 6.00pm
Afterwards: Swan & King Bar, Canberra Rex Hotel
Organisers: Kylie McDevitt, Silvio Cesare
17th Apr 2025: TBA
2nd May 2025: Android bug walkthrough, Angus
6th Jun 2025: Cole Cornford, Leslie Cartwright
This talk will look at the many ways string handling in the C programming language can go wrong.
Dr Silvio Cesare
Dr Silvio Cesare is a founder and CTO at InfoSect, a vulnerability research company. He has worked in technical roles and been involved in computer security for over 29 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the lead architect and developer for the startup Qualys, now the industry standard in vulnerability management. He has a Ph.D. from Deakin University and has published in academia, having been cited over 800 times on Google Scholar. He is a 4-time speaker and also a trainer at the international, industry-leading Black Hat conference. He has taken his university research through commercialisation and authored a book (Software Similarity and Classification, published by Springer).
Google, Microsoft and others have estimated that over 70% of severe security vulnerabilities in memory-unsafe codebases are due to memory safety bugs. Rust is a memory-safe language suitable for system-level programming. Rust guarantees thread safety, no memory corruption and no undefined behaviour, without imposing the performance overhead of a garbage collector. How does it do that? In this talk we reinvent Rust's concept of Ownership, which enables it to make these guarantees at compile-time.
Ben Williamson
Ben graduated from engineering at UQ in 1996, and has spent eight years working in Silicon Valley. His background spans embedded development, safety-critical systems, browser security, network security and cryptographic protocols. He recently resigned from Apple, where he worked on autonomous systems, iCloud Keychain sync protocols, and a Rust implementation of IPsec that secures network traffic across Apple's data centres. He also developed and ran Apple's internal Rust training since 2015.
In October last year, InfoSect competed in Pwn2Own Ireland. They focussed their efforts on three devices, successfully exploiting two of them. This talk is about the third, unhacked device - the Synology TC500 smart camera. It discusses the process of finding a format string vulnerability in the firmware, how it could be exploited to gain a reverse shell, and the experience of competing in Pwn2Own.
Sam Hinwood
By day, Sam is a vulnerability researcher at InfoSect. By night, Sam is asleep.
IoT devices have become pervasive in the way we live and interact with the world. In order to provide security assessments on the wide variety of devices on the market, InfoSect has had to expand their capabilities. This talk will walk through InfoSect’s improved process for performing security assessments on embedded devices.
Kylie McDevitt is a security researcher at her own company, InfoSect, specialising in Linux and embedded devices. Before starting at InfoSect, she was a Technical Director at the Australian Signals Directorate (ASD). Kylie graduated from ANU with a Bachelor of Engineering and worked for Australia’s largest telco as a radio engineer in MobileNet before moving into computer security, where she has been for the last 16 years. She has a Master's in Computer Networking, as well as multiple industry certifications. Kylie has taught as a casual lecturer at UNSW Canberra and spends her free time organising community events such as BSides Canberra and the CSides monthly security meetup.