2020 Speakers
Main Track
"Modern 0days - Browsers, JavaScript Engines, and JIT compilers"
"Constellation for cyber security analysis"
"Modern Heap Exploitation"
"Reinventing Rust Memory Safety"
"Good vibrations, X-rays and kitchen condiments - Beyond lock picking"
"Extracting crypto routines with Ghidra – Get the firehose"
"Rocking the Cyber Truck: Failure Modes and Fundamental Limits of Security Tools"
"It's The Only Way To Be Shor - Benchmarking Post-Quantum and Hybrid Key Exchange in TLS"
"MacOS volatile memory acquisition and analysis"
"Practical Formal Methods for SCADA and Operational Tech"
"Introducing Threat Pursuit VM: An open-source community Cyber Threat Intelligence toolkit"
"Rise from Your Grave – The Art of Digital Grave Robbing"
"Exploitation of Amazon's Blink Security Systems"
"Discovery and exploitation of Windows host-based vulnerabilities"
"Electronic Hardware Design"
"Oh my Pod: Lessons from building one of Australia’s biggest CTFs"
Modern 0days - Browsers, JavaScript Engines, and JIT Compilers
Syed Faraz Abrar (Faith)
Web browsers are hugely complex pieces of software that are arguably the most widely used out of all software in the world. Because of this, they are very valuable targets for threat actors as well as security researchers who hunt for zero days. Due to their complexity, browsers are split up into several different components. One of these components, which is what we will cover in this talk, is the JavaScript engine. It handles parsing and executing JavaScript code, which, a lot of the time due to its very nature, is untrusted. This, coupled with the fact that the JavaScript engine is very exposed and easily accessible, makes it a very interesting "initial" target.
Since JavaScript engines contain hundreds of thousands of lines of code, it only makes sense that they're composed of several components as well. Since it is difficult to provide an in-depth analysis for all of them in a single talk, this talk will focus on one of the most complex components: the JIT compiler(s). It will, however, still provide an overview of all the other components as well as a vulnerability for each of them, so anyone interested can do more research into them if they choose to.
For this presentation, I have specifically chosen arguably the most popular JavaScript engine in use right now as part of the Chromium project, called V8. The talk will include:
- An overview of the various components that make up a browser.
- An overview of the various components that make up a JavaScript engine.
- An overview of the various bug classes that can exist within JavaScript engines.
- A deep dive into JIT compilers, specifically geared towards V8's JIT compiler, known as TurboFan.
- Analyses of some previous vulnerabilities found within TurboFan.
- A rundown of the main types of exploitation primitives that are built to achieve code execution within the browser's renderer process.
- A summary of what a compromised renderer process really means for the security of the browser as a whole.
Bio:
Faraz is currently in his final year at Curtin University, completing a Bachelor's degree in Computer Science (specialising in Cyber Security). He is currently working as an Intern Security Researcher at InfoSect Canberra, where he's doing research into browsers and JavaScript engines.
He is also an occasional CTF player, playing as part of the Australian team 0x1. His primary role in the team is to solve binary exploitation challenges.
Modern Heap Exploitation
Silvio Cesare
For the past 20 years, heaps have been progressively hardened in every OS. Surely then, a classic string-based buffer overflow on the heap can’t lead to code execution in a modern system? Well, in many modern heap allocators, with appropriate heap grooming and a little application logic, that is enough to gain an arbitrary write primitive. And from that, with an information leak, code execution or privilege escalation can take place. This talk looks at a variety of heap allocator implementations, all with weaknesses, and how to convert memory corruption, from say a buffer overflow, into code execution. These allocators are used in environments like default Linux userland, Docker Linux images, embedded systems, Arduino, FreeBSD, and browsers such as Chrome and Firefox.
Attend this talk to learn about modern exploitation techniques against userland heaps.
Bio:
Dr Silvio Cesare is the Managing Director at InfoSect. He has worked in technical roles and been involved in computer security for over 20 years. This period includes time in Silicon Valley in the USA, France, and Australia. He has worked commercially in both defensive and offensive roles within engineering. He has reported hundreds of software bugs and vulnerabilities in operating system kernels. He was previously the Director for Education and Training at UNSW Canberra Cyber, ensuring quality content and delivery. In his early career, he was the scanner architect and a C developer at Qualys. He is also the co-founder of BSides Canberra – Australia’s largest cyber security conference. He has a Ph.D. from Deakin University and has published within industry and academia, is a 4-time Black Hat speaker, has gone through academic research commercialisation, and authored a book (Software Similarity and Classification, published by Springer).
Reinventing Rust Memory Safety
Ben Williamson
Rust guarantees that if your program compiles, it is free of memory corruption bugs - including data races in threaded code. AND: It does this at compile time, without imposing garbage collection or other runtime overheads. It either compiles down to basically the same binary you would have gotten from C or C++, or it gives you a startlingly helpful error message. AND: The compiler does this with only local reasoning about each function, no crazy whole-program static analysis or theorem solving. To get our heads around how that can be possible, we are going to reinvent it. We start with C, we take away the unsafe language features, and then we introduce the concepts of Rust's ownership model to arrive at a safe but useful systems language. If you've been curious about Rust, this presentation will give you the concepts first so that you can confidently dive into learning the syntax.
Bio:
Ben is a software engineer now based in Canberra, after two stints in Silicon Valley. Back in the day he worked on the Palm VII browser, various failed Linux-based handhelds (digiBLAST, Thummer), assorted microcontroller devices, the BoM's weather radar network, and later the Mac version of Bromium's vSentry. He is intimately familiar with the pain, and security consequences, of memory corruption bugs and data races in C, C++ and Objective C. Rust's promise to eliminate those bug classes transformed his relationship with systems-level programming, from the time of his first encounter at around v0.4. He is an experienced advocate of Rust inside multiple security-focussed development teams, and is grateful to call Rust development his day job.
Good vibrations, X-rays and kitchen condiments - Beyond lock picking
Topy
There have been a lot of talks about how traditional pin tumbler lock picking works using the same tools everyone can buy. This talk will go beyond that and look at both exotic tools and attacks against all types of locking systems, digital and analogue. We will look at tools not generally available to the public and see what we can learn about weaknesses in various locking systems based on iterations of lock designs and tools used to beat them.
Bio:
Topy is a physical security enthusiast, red-teamer and consultant. He likes unlocking things and being places he shouldn't.
Extracting crypto routines with Ghidra – Get the firehose
Peter Rankin
Ever bricked a phone? Not a fun experience. Even when you have no fastboot, no adb and a black screen – don’t worry, there is still hope. Some vendors provide tools that allow you to unbrick an un-brickable phone, and when you do this, it opens up a whole new attack surface. These tools are often bundled with Firehose programmers – which give you much more capability than just re-flashing a phone. I will show you how Ghidra was used to extract a Firehose programmer for a OnePlus 5 phone by reverse engineering a firmware updater. I will also talk about Qualcomm’s Emergency Download (EDL) mode, Firehose programmers and how to peek/poke memory before you even get to Android.
I will also dive into using Unicorn and Capstone engines to automate finding some useful addresses in memory (stack/vector handlers).
Bio:
Peter Rankin is a secure software developer and vulnerability researcher for Azimuth. Outside of work he enjoys making devices do things they shouldn’t and then never using them. Recent tinkerings include porting a NES emulator to the ESP8266 chip and writing his own Nintendo Joy-Con driver for the Linux kernel. Peter has previously worked as a software engineer for Penten and the Australian Department of Defence. He has volunteered for BSides Canberra for the last 3 years and wrote the firmware for last year’s BSides badge - the “Nopia 1337”. He is volunteering again this year and has supported development of the BSides 2020 badge firmware.
Rocking the Cyber Truck: Failure Modes and Fundamental Limits of Security Tools
Josh Green
In security we are highly adept at finding the failure modes in software and systems; in breaking the assumptions of developers and in seeking out the fundamental limits. Yet often we don’t apply such a mindset to our own security analysis tooling. In academic and professional environments we frequently gloss over limitations and mostly discuss the circumstances where our tools work, while vendor land tends to be dominated by unsubstantiated claims and inscrutable magic boxes. In this presentation we will look at some of the analysis methods that underpin discovery and detection tools, for things like software vulnerabilities, malware, and malicious network traffic. Part consideration of theoretical limits, part practical examples of failure, we will touch on Computability and Information Theory and explore the real-world consequences. Ultimately, the better we understand the strengths AND weaknesses of our security tooling, the more able we are to effectively layer or combine them, and the more focused our efforts to improve the state of the art.
Bio:
Josh Green (@_josh_green) is the Group Leader Counter Cyber Threats in the Cyber and Electronic Warfare Division of DST Group. In this role he leads R&D teams developing new technologies to defend military systems. Josh has a 16-year background in software analysis, vulnerability research, reverse engineering, and operational capability development.
It's The Only Way To Be Shor - Benchmarking Post-Quantum and Hybrid Key Exchange in TLS
James Longmore
"Quantum Supremacy" has supposedly been achieved and NIST is trying to decide on new standards. Here we take several of the candidates from NIST's Round 2 submissions and benchmark them as the key exchange method in a TLS 1.3 session to a webserver to identify potential use cases and tradeoffs for each candidate suite.
Bio:
James works for Cogito Group, a Canberra based company providing digital identity and security solutions. He likes (im)properly implemented crypto and large primes.
MacOS volatile memory acquisition and analysis
Penny Le
Analysing memory acquired from running machines is one of the important parts of digital forensics. RAM can show the in-depth state of the system and pieces of evidence which might not be obtainable from hard drives. My talk will be about the process of acquiring a MacOS memory dump and some interesting findings in applications like Notes, Calendar and Contacts. I will also talk about the master key to open the file login.keychain, which is used by the Keychain application, and how it might show plaintext passwords without the user’s awareness.
Bio:
Penny is a final year student at UNSW and enjoys doing bug bounty and HackTheBox with her friends during free time.
Practical Formal Methods for SCADA and Operational Tech
Mehdi Sabraoui
Adding new devices to a control network can be tenuous. The nature of a typical SCADA installation does not allow for much variance in network traffic: networks are relatively static and the devices on these networks are notoriously fragile. However, the growing interconnectedness of SCADA networks introduces a greater need for cyber security measures and appliances to counteract the larger attack surface. When you are designing a new device for your control network, you need to understand both your needs and your solution as much as possible to minimise the chance of errant, or even malicious, network traffic wreaking havoc. Formal methods can help, but formal methods are hard. However, a design and implementation does not need to match seL4 in verification to add value. This presentation will cover what questions need to be asked in the design of a safe and secure SCADA device before any level of verification work can be done, and how to add formal verification to a design with TLA+ without busting your budget.
Bio:
Mehdi Sabraoui is a Ph.D. security and verification researcher with professional interests in OT/SCADA security. He is a Research Engineer on the Nessus Vulnerability Scanner at Tenable Network Security.
Introducing Threat Pursuit VM: An open-source community Cyber Threat Intelligence toolkit
Dan
The Cyber Threat Intelligence landscape in certain cases is a contested domain hinged delicately between soul-enriching cat pics or dank memes and orgs pwned by CVE-2019-19781, Shadowderpers, and immortal Nigerian Billionaires down on their luck... Just like your spam inbox, the CTI domain is filled with plenty of activity, resources, tools and information that you could literally segfault on. When your boss or leadership are heavily breathing down your neck to spin up answers or results? Are we exposed? What do we need to have? Have they been compromised? China? LOUD NOISES!! You stare and etch a half smile knowing that you’ve got some work ahead to do... Never fear... We got your back... with ThreatPursuit VM, a dedicated CTI virtual machine with the primary goal to enable the community with a freely accessible toolkit to hunt evil. Aimed anywhere between juniors and seasoned pros across a diverse range of roles or skillsets (e.g. malware analysts, defensive cyber operations, intelligence analysts, data scientists) to operate creatively and enable their mission success, you may find yourself needing to:
- Collect, analyse and pivot across multiple open-sourced intelligence source feeds
- Harvest and share indicators/feeds across a community
- Emulate adversarial behaviours to create or validate playbooks
- Leverage or develop machine learning algorithms & train models on intrusion data
- Develop, grip-up or apply advanced analytical methods across intrusion datasets
- Visualise, model and explore cyber-led crime networks
- Create yara rules, IOCs and produce finished intelligence products
The VM contains a curated range of tooling, resources and capability packaged into an easy to install and portable virtual machine. Running the PowerShell script on a Windows 10 virtual machine with sufficient resources is all that is required. It takes about an hour or two, so enjoy a beverage while that happens.
Bio:
Dan is a Senior Analyst within the Threat Pursuit team situated in the FireEye Sydney Office in Australia. At FireEye and previously Mandiant, Dan explores nodes and edges to hunt and research evil, as well as developing adversarial emulation methods within Verodin. Dan is an avid researcher, tool author and practitioner of offensive security and a reservist in the Australian Army.
Rise from Your Grave – The Art of Digital Grave Robbing
Steph Jensen
Have you ever wondered what happens to your old abandoned email addresses? Or have you ever pondered the question that if no one knows your complex PayPal password when you die, what happens to the money in your account? Much like living things, online accounts have a digital life cycle: creation, general use, abandonment, inactivity and eventual death (deletion). In this talk we will go through an account takeover technique that leverages the death of a human being to take over online accounts the deceased have left behind. Mapping the death of a person to over 200 online account types, this talk will delve into what you can loot from the dead and the techniques in how to do it.
Bio:
Steph is currently a pentester/Security Consultant with Shearwater Solutions/CyberCX. With a background in digital forensics, threat intelligence and threat hunting, Steph loves understanding systems and poking at them until they generate unintended reactions.
Exploitation of Amazon's Blink Security Systems
Jimi Sebree
There’s been a surge of consumer-oriented security cameras hitting the market over the last few years. Amazon’s Blink security cameras are marketed as budget-friendly with long-lasting battery life. As such, they’ve become quite popular, but there hasn’t been a ton of information published on their security precautions. In this talk, we’ll take these cameras and their corresponding sync modules apart and see what makes them tick.
Bio:
Jimi Sebree is a principal research engineer on Tenable’s Zero Day Research team. With a strong background in software engineering and security, he bounces between research disciplines in an effort to appear knowledgeable about a variety of topics. Occasionally he succeeds in tricking someone into listening to his ramblings.
Discovery and exploitation of Windows host-based vulnerabilities
Christopher Vella
This talk focuses on identifying the various attack surfaces common on Windows machines, with a few examples from recent vulnerabilities I’ve exploited during red team engagements or research. This covers attacks that can be used for privilege escalation or even remote code execution. Various components will be looked at, including kernel drivers, named pipes, permission and configuration issues, and more.
By identifying the attack surface of a host we can discover some easy to exploit issues, and also other risks that require deeper analysis and reverse engineering to exploit.
Lots of the commands and techniques used can be easily applied to your company’s corporate build machines or any other Windows host to identify low-hanging fruit and other potential risks that can be created by various software, including endpoint security tools.
Bio:
Researcher & red teamer. Primarily a Windows internals & PE32/32+ reverse engineer. Likes poking holes in security software.
Electronic Hardware Design
Josh Johnson
Whether it be in your car, vacuum cleaner, or light bulb, embedded electronic devices are playing an increasingly important role in our lives. This talk will discuss how to design electronic hardware at home, allowing the benefits of modern technology to increase our quality of life. It will provide a high level, tool agnostic overview of the hardware design process, taking the audience from concept generation through to an assembled product, discussing key steps along the way with tips to ensure success in their project.
Bio:
Josh is passionate about electronic design and spends his days designing the next generation of vehicles at Ford. He utilises his spare time to work on varying projects spanning embedded systems to RF, along with educating others about the wonderful world of electronics.
Oh my Pod: Lessons from building one of Australia’s biggest CTFs
Sam
What will Western Australia export when we can’t dig anything more out of the ground? Could it be hackers? For three consecutive years, a volunteer team of pentesters, incident response specialists, software engineers, and infosec professionals from the Perth community have come together to build and run Australia’s largest (we think) standalone CTF. WACTF 0x03 was a two-day event that saw some 250 hackers in one location compete for more than $14,000 in prizes. With 2,200+ Docker containers, 506 GHz of compute, and 440 GB of RAM – the challenges we overcame as volunteers while building and scaling WACTF would put some enterprise teams to shame.
Let me show you how we do it. From development through DevOps, infrastructure through Internet, stickers through sponsorship. We’ll explore the challenges of building an environment designed to be hacked and takeaways applicable to conventional networks. We’ll run through our efforts to minimise the Kubernetes attack surface, the difficulties of hard multi-tenancy, and how to own clusters in the real world (or other CTFs 😉). Lastly, we’ll share what’s in store for WACTF 0x04.