We Went to Iowa and All We Got Were These Felony Arrest Records
Black Hat | 2020-11-13

In-depth discussion and review of the red team engagement of Iowa courthouses, which resulted in an unprecedented outcome. Gary and Justin will take you through the engagement, the arrest, and the ensuing legal battle, and wrap up with lessons learned and how the community can benefit.
By Justin Wynn & Gary Demercurio
Full Abstract: blackhat.com/us-20/briefings/schedule/#we-went-to-iowa-and-all-we-got-were-these-felony-arrest-records-20970

IAM The One Who Knocks
Black Hat | 2022-11-28

This talk presents the hidden risks of managing identities and access in a multi-cloud environment. We will expose access flaws and misconfigurations that attackers can easily abuse to gain access to confidential and sensitive information. We will discuss the inner workings of each cloud provider's Identity and Access Management (IAM) layer and highlight the differences between the cloud services. We then detail how inconsistent entitlements across cloud resources and services can lead to unintended access, and how accountability confusion in the shared responsibility model can enable privilege escalation.
Presented by Igal Gofman & Noam Dahan
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#iam-the-one-who-knocks-27257

I Am Whoever I Say I Am: Infiltrating Identity Providers Using a 0Click Exploit
Black Hat | 2022-11-28

To begin with, I will cover the foundational use case for IAM solutions and some past in-the-wild (ITW) attacks, with the extent of their impact. Continuing, I will present the approach I took with the audit, including the challenges and pitfalls I faced and how I overcame them. The result: an unauthenticated remote code execution as root, achieved by chaining multiple vulnerabilities in a very popular IAM solution used by several Fortune 500 companies and government organizations.
Presented by Steven Seeley
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#i-am-whoever-i-say-i-am-infiltrating-identity-providers-using-a-click-exploit-26946

Human or Not: Can You Really Detect the Fake Voices?
Black Hat | 2022-11-28

Voice is an essential medium for humans to transfer information and build trust, and the trustworthiness of voice is of great importance to humans. With the development of deep learning technologies, attackers have started to use AI techniques to synthesize and even clone human voices. To combat the misuse of such techniques, researchers have proposed a series of AI-synthesized speech detection approaches and achieved very promising detection results in laboratory environments. Can these approaches really be as effective in the real world as they claim to be?
Leveraging the Apple ESF for Behavioral Detections
Black Hat

In this talk, we will focus on the difference between the old and new ways of detecting malicious activity on macOS, speaking to why both are relevant today. We will break down how we use ESF data, both in its basic form and as a pivot point to perform more advanced detections.
Presented by Jaron Bradley & Matt Benyo
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#leveraging-the-apple-esf-for-behavioral-detections-26526

Black Hat USA Speaker Orientation Call
Black Hat | 2022-11-28

...

Let's Dance in the Cache - Destabilizing Hash Table on Microsoft IIS
Black Hat | 2022-11-28

The hash table, the most fundamental data structure in computer science, is used throughout software architecture to store data in an associative manner. However, its architecture makes it prone to collision attacks. To deal with this problem, 25 years ago Microsoft designed its own dynamic hashing algorithm and applied it everywhere in IIS, Microsoft's web server, to serve various data from the HTTP stack. As hash tables are everywhere, isn't the design from Microsoft worth scrutinizing?
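As an added example (not code from the talk, and not a model of Microsoft's dynamic hashing algorithm, which the abstract does not describe), the following Python demonstrates the collision attack the abstract refers to against a generic chained hash table with an unkeyed hash, next to the standard mitigation of keying the hash with a per-process secret. The djb2 hash, the 1024-bucket table and the four-letter key space are assumptions chosen for illustration; the attacker enumerates keys offline until one bucket collects 200 of them, then submits exactly those keys.

```python
import hashlib
import itertools
import os
import string


def weak_hash(key: str) -> int:
    """djb2: an unkeyed hash, so an attacker can compute any key's bucket offline."""
    h = 5381
    for byte in key.encode():
        h = ((h << 5) + h + byte) & 0xFFFFFFFF
    return h


def keyed_hash(key: str, secret: bytes) -> int:
    """Hash keyed with a per-process secret: bucket positions cannot be precomputed."""
    digest = hashlib.blake2b(key.encode(), key=secret, digest_size=4).digest()
    return int.from_bytes(digest, "little")


class ChainedTable:
    """Minimal separate-chaining table that counts the entries each insert has to walk."""

    def __init__(self, hash_fn, buckets: int = 1024):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0  # existing entries compared during inserts (the attacker's cost lever)

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.probes += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def max_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)


def colliding_keys(n: int, buckets: int = 1024) -> list:
    """Attacker precomputation: enumerate short keys until one weak_hash bucket holds n of them."""
    by_bucket = {}
    for letters in itertools.product(string.ascii_lowercase, repeat=4):
        key = "".join(letters)
        chain = by_bucket.setdefault(weak_hash(key) % buckets, [])
        chain.append(key)
        if len(chain) == n:
            return chain
    raise RuntimeError("key space exhausted before finding enough collisions")


def flood_comparison(n: int = 200, buckets: int = 1024, secret: bytes = None) -> dict:
    """Insert the same attacker-chosen keys into an unkeyed table and a secret-keyed table."""
    secret = secret or os.urandom(16)
    keys = colliding_keys(n, buckets)

    weak = ChainedTable(weak_hash, buckets)
    for k in keys:
        weak.insert(k, True)

    keyed = ChainedTable(lambda k: keyed_hash(k, secret), buckets)
    for k in keys:
        keyed.insert(k, True)

    return {
        "keys": len(keys),
        "weak_max_chain": weak.max_chain(),    # every key lands in one bucket
        "weak_probes": weak.probes,            # n*(n-1)/2 comparisons: quadratic work
        "keyed_max_chain": keyed.max_chain(),  # keys spread out again
        "keyed_probes": keyed.probes,
    }


if __name__ == "__main__":
    print(flood_comparison())
```

The unkeyed table degrades to a single 200-entry chain and 19,900 comparisons for 200 inserts; the keyed table sees the same input as ordinary traffic. Any server-side structure keyed on attacker-controlled strings (query parameters, headers, form fields) needs either a keyed hash or a bound on chain length.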
Presented by Orange Tsai
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#lets-dance-in-the-cache---destabilizing-hash-table-on-microsoft-iis-27199

Is WebAssembly Really Safe? Wasm VM Escape and RCE Vulnerabilities Have Been Found in New Way
Black Hat | 2022-11-28

WebAssembly (Wasm) supports a binary format that provides languages such as C/C++, C# and Rust with a compilation target on the web. It is a web standard with active participation from all major browser vendors (Chrome, Edge, Firefox, Safari). Wasm runtimes are also widely used for edge computing.
Previous research on Wasm security mostly focuses on exploitation at the compiler and linker level; few people focus on Wasm VM escape. Therefore, we designed a new fuzzing framework based on the Wasm standard to explore vulnerabilities in the runtime itself. The framework can be applied to any program or project that implements the Wasm standard.
Presented by Zhao Hai, Zhichen Wang, Mengchen Yu & Lei Li
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#is-webassembly-really-safe---wasm-vm-escape-and-rce-vulnerabilities-have-been-found-in-new-way-27237

Invisible Finger: Practical Electromagnetic Interference Attack on Touchscreen-based Devices
Black Hat | 2022-11-28

Touchscreen-based electronic devices such as smartphones and tablets are widely used in our daily life. While the security of electronic devices has been heavily investigated recently, the resilience of touchscreens against various attacks has yet to be thoroughly investigated. In this presentation, for the first time, we show in a systematic and practical way how touchscreen devices are vulnerable to Intentional Electromagnetic Interference (IEMI) attacks.
Presented by Haoqi Shan, Boyi Zhang, Yier Jin & Shuo Wang
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#invisible-finger-practical-electromagnetic-interference-attack-on-touchscreen-based-electronic-devices-27230

Kubernetes Privilege Escalation: Container Escape == Cluster Admin?
Black Hat | 2022-11-28

In this talk, Yuval and Shaul will reveal the powerful system pods quietly installed by popular Kubernetes platforms. They'll show how attackers may abuse these pods, and demo new privilege escalation techniques. Covering managed Kubernetes services and common open-source add-ons, they'll demonstrate how, on the most popular platforms today, a single container escape is often enough to take over the entire cluster.
Looking ahead, they'll present tools that flush out powerful pods and identify privilege escalation paths in a cluster, alongside mitigations that can detect and prevent such attacks. Join them as they embark on the journey of ensuring container escape != cluster admin.
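As an added example (not the speakers' tool and not code from the talk), the following Python implements the kind of check the abstract describes: given pod, ClusterRole and ClusterRoleBinding objects in the shape `kubectl get ... -o json` returns under `.items`, it finds pods whose mounted service account token is bound to a ClusterRole with cluster-wide dangerous permissions, and groups them by node, since an escape onto that node is what puts the token in an attacker's hands. The shortlist of dangerous resource/verb pairs and the sample roles, bindings and pods are constructed for this example; namespaced RoleBindings, aggregated ClusterRoles and the service-account-level automountServiceAccountToken field are deliberately left out.

```python
from collections import defaultdict

# (resource, verb) pairs that make a service account dangerous cluster-wide.
# Hypothetical shortlist for this example; a rule's "*" matches any resource or verb.
DANGEROUS = {
    ("secrets", "list"):               "can read every secret, including other SA tokens",
    ("secrets", "get"):                "can read secrets by name",
    ("pods", "create"):                "can schedule privileged pods on any node",
    ("pods/exec", "create"):           "can exec into any pod",
    ("daemonsets", "create"):          "can run a pod on every node",
    ("nodes/proxy", "create"):         "can reach the kubelet API on every node",
    ("clusterrolebindings", "create"): "can grant itself cluster-admin",
}
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}


def _matches(rule: dict, resource: str, verb: str) -> bool:
    resources, verbs = rule.get("resources", []), rule.get("verbs", [])
    return ("*" in resources or resource in resources) and ("*" in verbs or verb in verbs)


def sa_reasons(sa: str, bindings: list, roles: dict) -> list:
    """Why a 'namespace/name' service account is powerful, judged from its ClusterRoleBindings."""
    reasons = []
    for binding in bindings:
        subjects = binding.get("subjects") or []
        bound = any(s.get("kind") == "ServiceAccount"
                    and f"{s.get('namespace')}/{s.get('name')}" == sa for s in subjects)
        if not bound or binding["roleRef"]["kind"] != "ClusterRole":
            continue
        role = roles.get(binding["roleRef"]["name"])
        if role is None:
            continue
        role_name = role["metadata"]["name"]
        for rule in role.get("rules", []):
            for (resource, verb), why in DANGEROUS.items():
                if _matches(rule, resource, verb):
                    reasons.append(f"{role_name}: {resource}/{verb} ({why})")
            for verb in ESCALATION_VERBS & set(rule.get("verbs", [])):
                reasons.append(f"{role_name}: verb {verb} on {rule.get('resources')}")
    return sorted(set(reasons))


def powerful_pods_by_node(pods: list, bindings: list, roles: dict) -> dict:
    """node name -> [(pod, service account, reasons)] for pods whose mounted token is powerful."""
    by_node = defaultdict(list)
    for pod in pods:
        spec = pod["spec"]
        if spec.get("automountServiceAccountToken") is False:
            continue  # no token inside the container, nothing to steal after an escape
        namespace = pod["metadata"]["namespace"]
        sa = f"{namespace}/{spec.get('serviceAccountName', 'default')}"
        reasons = sa_reasons(sa, bindings, roles)
        if reasons:
            pod_name = f"{namespace}/{pod['metadata']['name']}"
            by_node[spec.get("nodeName", "<unscheduled>")].append((pod_name, sa, reasons))
    return dict(by_node)


# Constructed sample objects (not from any real cluster).
ROLES = {r["metadata"]["name"]: r for r in [
    {"metadata": {"name": "cluster-admin"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
    {"metadata": {"name": "secret-lister"},
     "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["list", "watch"]}]},
    {"metadata": {"name": "log-reader"},
     "rules": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}]},
]}
BINDINGS = [
    {"metadata": {"name": "addon-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "kube-system", "name": "addon-controller"}]},
    {"metadata": {"name": "agent-secrets"},
     "roleRef": {"kind": "ClusterRole", "name": "secret-lister"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring", "name": "agent"}]},
    {"metadata": {"name": "web-logs"},
     "roleRef": {"kind": "ClusterRole", "name": "log-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default", "name": "web"}]},
]
PODS = [
    {"metadata": {"namespace": "kube-system", "name": "addon-controller-7d9f"},
     "spec": {"nodeName": "node-a", "serviceAccountName": "addon-controller"}},
    {"metadata": {"namespace": "monitoring", "name": "agent-x1"},
     "spec": {"nodeName": "node-b", "serviceAccountName": "agent"}},
    {"metadata": {"namespace": "monitoring", "name": "agent-x2"},
     "spec": {"nodeName": "node-a", "serviceAccountName": "agent",
              "automountServiceAccountToken": False}},
    {"metadata": {"namespace": "default", "name": "web-1"},
     "spec": {"nodeName": "node-b", "serviceAccountName": "web"}},
]

if __name__ == "__main__":
    for node, entries in powerful_pods_by_node(PODS, BINDINGS, ROLES).items():
        for pod_name, sa, reasons in entries:
            print(f"{node}: {pod_name} ({sa})")
            for reason in reasons:
                print(f"    {reason}")
```

On the sample data, node-a hosts the cluster-admin add-on controller and node-b hosts an agent that can list every secret; the agent replica on node-a is skipped because its token is not mounted. A practitioner would feed the real objects from `kubectl get pods -A -o json`, `kubectl get clusterroles -o json` and `kubectl get clusterrolebindings -o json` (taking the `.items` list of each) and treat every node that appears in the output as one container escape away from the listed permissions.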
Presented by Yuval Avrahami & Shaul Ben Hai
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#kubernetes-privilege-escalation-container-escape--cluster-admin-26344

Internal Server Error: Exploiting Inter-Process Communication in SAP's HTTP Server
Black Hat | 2022-11-28

More than 400,000 organizations, including 90% of Fortune 500 companies, rely on SAP's software to keep their business up and running. At the core of every SAP deployment is the Internet Communication Manager (ICM), the piece of software in charge of handling all HTTP requests and responses.
This talk will demonstrate how to leverage two memory corruption vulnerabilities found in SAP's proprietary HTTP server, using high-level protocol exploitation techniques. Both vulnerabilities, CVE-2022-22536 and CVE-2022-22532, were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet.
Presented by Martin Doyhenard
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#internal-server-error-exploiting-inter-process-communication-in-saps-http-server-27189

Industroyer2: Sandworm's Cyberwarfare Targets Ukraine's Power Grid Again
Black Hat | 2022-11-28

Industroyer2 – a new version of the only malware to ever trigger electricity blackouts – was deployed in Ukraine amidst the ongoing Russian invasion. As in 2016 with the original Industroyer, the aim of this recent cyberattack was to cause a major blackout – this time against more than two million people, and with components amplifying the impact and making recovery harder.
We believe the malware authors and attack orchestrators are the notorious Sandworm APT group, attributed by the US DoJ to Russia's GRU.
Our talk covers the technical details: our reverse engineering of Industroyer2, and a comparison with the original. Industroyer is unique in its ability to communicate with electrical substation ICS hardware – circuit breakers and protective relays – using dedicated industrial protocols. While Industroyer contains implementations of four protocols, Industroyer2 "speaks" just one: IEC-104.
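As an added example (not ESET's code and nothing from the talk), the following Python shows what a defender can do with the one protocol the abstract names: it parses IEC 60870-5-104 APDUs, decodes control-direction ASDUs (single and double commands, regulating step, set-points, interrogation) and flags activation commands that do not come from an allowlisted SCADA master, which is the traffic a substation network monitor would want to surface when an unexpected host starts talking to relays and breakers. The sample APDUs, IP addresses and allowlist are constructed; the parser covers the common single-object and SQ=1 layouts and ignores time-tagged command variants.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# ASDU type identifiers in the control direction (IEC 60870-5-104) and element sizes in bytes.
CONTROL_TYPES = {
    45: ("C_SC_NA_1 single command", 1),
    46: ("C_DC_NA_1 double command", 1),
    47: ("C_RC_NA_1 regulating step command", 1),
    48: ("C_SE_NA_1 set-point, normalized", 3),
    49: ("C_SE_NB_1 set-point, scaled", 3),
    50: ("C_SE_NC_1 set-point, float", 5),
    51: ("C_BO_NA_1 bitstring command", 4),
    100: ("C_IC_NA_1 interrogation", 1),
}
COT_ACTIVATION = 6  # cause of transmission "activation": the master is issuing the command


@dataclass
class Asdu:
    type_id: int
    cot: int
    common_addr: int
    objects: List[Tuple[int, bytes]]  # (information object address, element bytes)


def parse_apdu(data: bytes) -> Optional[Asdu]:
    """Parse one APDU; return its ASDU for I-format frames, None for S/U (control-only) frames."""
    if len(data) < 6 or data[0] != 0x68 or data[1] != len(data) - 2:
        raise ValueError("malformed APDU")
    if data[2] & 0x01:  # control field bit 0 set: S-format (01) or U-format (11), no ASDU
        return None
    body = data[6:]
    if len(body) < 6:
        raise ValueError("truncated ASDU header")
    type_id, vsq = body[0], body[1]
    cot = body[2] & 0x3F  # cause of transmission without the P/N and test bits
    common_addr = struct.unpack_from("<H", body, 4)[0]
    count, sequence = vsq & 0x7F, bool(vsq & 0x80)
    objects = []
    if type_id in CONTROL_TYPES:
        size, pos, ioa = CONTROL_TYPES[type_id][1], 6, 0
        for i in range(count):
            if i == 0 or not sequence:  # SQ=1: one IOA, then consecutive elements
                ioa = int.from_bytes(body[pos:pos + 3], "little")
                pos += 3
            else:
                ioa += 1
            objects.append((ioa, bytes(body[pos:pos + size])))
            pos += size
    return Asdu(type_id, cot, common_addr, objects)


def build_i_frame(type_id, cot, common_addr, ioa, element, tx_seq=0, rx_seq=0) -> bytes:
    """Build a single-object I-format APDU (used here only to construct sample traffic)."""
    asdu = (bytes([type_id, 1, cot, 0]) + struct.pack("<H", common_addr)
            + ioa.to_bytes(3, "little") + element)
    ctrl = struct.pack("<HH", tx_seq << 1, rx_seq << 1)
    return bytes([0x68, len(ctrl) + len(asdu)]) + ctrl + asdu


def describe(type_id: int, ioa: int, element: bytes) -> str:
    """Human-readable decoding of a command's qualifier byte (S/E bit 7, state in the low bits)."""
    name = CONTROL_TYPES[type_id][0]
    if type_id in (45, 46, 47):
        if type_id == 45:
            state = "ON" if element[0] & 0x01 else "OFF"
        elif type_id == 46:
            state = {1: "OFF", 2: "ON"}.get(element[0] & 0x03, "invalid")
        else:
            state = {1: "LOWER", 2: "HIGHER"}.get(element[0] & 0x03, "invalid")
        phase = "select" if element[0] & 0x80 else "execute"
        return f"{name} IOA {ioa} -> {state} ({phase})"
    return f"{name} IOA {ioa} -> {element.hex()}"


def find_rogue_commands(records, trusted_masters) -> list:
    """records: iterable of (src_ip, dst_ip, apdu_bytes). Flag activations not sent by a trusted master."""
    alerts = []
    for src, dst, apdu in records:
        asdu = parse_apdu(apdu)
        if asdu is None or asdu.type_id not in CONTROL_TYPES or asdu.cot != COT_ACTIVATION:
            continue
        if src in trusted_masters:
            continue
        for ioa, element in asdu.objects:
            alerts.append({"src": src, "dst": dst, "type": asdu.type_id,
                           "common_addr": asdu.common_addr, "ioa": ioa,
                           "what": describe(asdu.type_id, ioa, element)})
    return alerts


# Constructed sample capture: one legitimate master, one outstation, one unknown host.
TRUSTED_MASTERS = {"10.0.1.10"}
SAMPLE_RECORDS = [
    ("10.0.1.10", "10.0.2.20", build_i_frame(100, COT_ACTIVATION, 1, 0, b"\x14")),    # station interrogation
    ("10.0.2.20", "10.0.1.10", bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])),          # S-frame acknowledgement
    ("10.0.5.77", "10.0.2.20", build_i_frame(45, COT_ACTIVATION, 1, 1001, b"\x01")),  # single command: execute ON
    ("10.0.5.77", "10.0.2.20", build_i_frame(46, COT_ACTIVATION, 1, 1002, b"\x81")),  # double command: select OFF
    ("10.0.2.20", "10.0.5.77", build_i_frame(45, 7, 1, 1001, b"\x01")),               # activation confirmation
]

if __name__ == "__main__":
    for alert in find_rogue_commands(SAMPLE_RECORDS, TRUSTED_MASTERS):
        print(f"{alert['src']} -> {alert['dst']} CA {alert['common_addr']}: {alert['what']}")
```

Only the two activations from 10.0.5.77 are reported; the interrogation from the allowlisted master, the S-frame and the outstation's activation confirmation are not. In production the allowlist would come from the substation's engineering documentation, and a select or execute on a breaker IOA from any other source is worth a page to the on-call engineer, regardless of what the outstation answers.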
Presented by Robert Lipovsky & Anton Cherepanov
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#industroyer-sandworms-cyberwarfare-targets-ukraines-power-grid-again-27832

In Need of Pair Review: Vulnerable Code Contributions by GitHub Copilot
Black Hat | 2022-11-28

On June 29, 2021, GitHub announced and released its newest tool, 'Copilot', an 'AI-based pair programmer': a deep learning model trained over vast quantities of open-source GitHub code. However, we humans wrote most of that code. And much of it isn't great. It has bugs, it contains dated coding practices, and many repositories even contain dangerously insecure code. Given the vast quantity of garbage code that Copilot has learned from, is it reasonable to trust the code suggestions that it generates? In this talk, we demonstrate that GitHub Copilot is susceptible to writing vulnerabilities along multiple axes, from SQL injection to buffer overflows, use-after-free to cryptographic issues.
Presented by Hammond Pearce, Benjamin Tan, Brendan Dolan-Gavitt & Baleegh Ahmad
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#in-need-of-pair-review-vulnerable-code-contributions-by-github-copilot-27264

Harm Reduction: A Framework for Effective & Compassionate Security Guidance
Black Hat | 2022-11-18

This presentation will explore the core principles of harm reduction, review the body of research that informs its strategies, and propose a framework for applying harm reduction to cybersecurity risks. It will explain why fully eradicating risk-taking behaviors is not possible, and how abstinence-based guidance may actually increase harm for individuals and populations. More importantly, it will look at the efficacy of harm reduction strategies and show that a pragmatic, compassionate approach to security may be more effective, cost less, and even reduce burnout among cybersecurity practitioners.
Presented by Kyle Tobener
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#harm-reduction-a-framework-for-effective--compassionate-security-guidance-26723

Monitoring Surveillance Vendors: A Deep Dive into In-the-Wild Android Full Chains in 2021
Black Hat | 2022-11-17

Over the past 12 months, Google's TAG (Threat Analysis Group) and Android Security teams have discovered and analyzed several in-the-wild 1day/0day exploits by surveillance vendors. We will present in-the-wild browser and kernel LPE exploits found in 2021 such as CVE-2021-28663 (Mali GPU), CVE-2020-16040/CVE-2021-38000 (browser), CVE-2021-1048 (Linux kernel) and CVE-2021-0920 (Linux kernel). CVE-2021-0920 is an in-the-wild 0day Linux kernel garbage collection vulnerability; it is not publicly well known, and it is much more sophisticated and arcane than the other exploits mentioned above. We will do a deep dive into the CVE-2021-0920 exploit and its attribution. Furthermore, we will present a novel and previously unseen in-the-wild kernel exploitation technique for fully bypassing a hardware-level mitigation.
Presented by Xingyu Jin, Richard Neal, Christian Resell & Clement Lecigne
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#monitoring-surveillance-vendors-a-deep-dive-into-in-the-wild-android-full-chains-in--26629

The 8th Annual Black Hat USA NOC Report
Black Hat | 2022-11-17

Back with another year of soul-crushing statistics, the Black Hat NOC team will be sharing all of the data that keeps us equally puzzled, and entertained, year after year. We'll let you know all the tools and techniques we're using to set up, stabilize, and secure the network, and what changes we've made over the past year to try and keep doing things better. Of course, we'll be sharing some of the more humorous network activity and what it helps us learn about the way security professionals conduct themselves on an open WiFi network.
Presented by Neil Wyler & Bart Stump
Full Abstract: blackhat.com/us-22/briefings/schedule/#the-th-annual-black-hat-usa-noc-report-28802

A New Trend for the Blue Team: Using a Symbolic Engine to Detect Evasive Forms of Malware/Ransomware
Black Hat | 2022-11-17

Blue Teams and anyone on the defensive side face various challenges when it comes to reverse engineering suspected malware or ransomware binaries, especially ones with obfuscation techniques such as variants, embedded exploits and complex ransomware. First, identifying whether the sample is even worth the effort (what makes it unique/challenging/new), and second, choosing either static analysis, dynamic analysis, or both!...

Ret2page: The Art of Exploiting Use-After-Free Vulnerabilities in the Dedicated Cache
Black Hat | 2022-11-17

In this talk, I will introduce "Ret2page", a new and generic exploitation technique. The key idea behind it is to tame both the SLUB and the buddy allocator. It aims to reduce time and memory consumption and improve the success rate of physical page reuse. Moreover, to evaluate the effectiveness of the new technique and compare it with the well-known cross-cache attack techniques, I will analyze two typical use-after-free vulnerabilities fixed last year. Last but not least, to achieve arbitrary kernel memory read/write and gain root privileges, I will detail how to exploit each of those two vulnerabilities, bypass the general mitigations (KASLR, PAN, etc.), and build universal Android rooting solutions.
Presented by: Yong Wang
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#retpage-the-art-of-exploiting-use-after-free-vulnerabilities-in-the-dedicated-cache-26290

Attacks From a New Front Door in 4G & 5G Mobile Networks
Black Hat | 2022-11-17

...This talk brings to light for the first time the practical details of the APIs that enable next-generation AI, MEC, and IoT applications using the latest 4G and 5G networks. A security investigation of hundreds of APIs from 10 commercial providers and operators reveals that all of them contain several of the top ten most critical API weaknesses...
By: Shinjo Park, Altaf Shaik, Matteo Strada
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#attacks-from-a-new-front-door-in-g--g-mobile-networks-26971

Automatic Protocol Reverse Engineering
Black Hat | 2022-11-17

Protocol reverse engineering is the process of extracting the specification of a network protocol from the binary code that implements it. Extracting a protocol specification is useful in several security-related contexts, such as finding implementation bugs, determining conformance to a standard, or discovering a botnet's command and control (C&C) protocol. Manual reverse engineering of a protocol can be time-consuming. We present a tool that automatically reverse engineers a protocol directly from the binary...
By: Ron Marcovich, Gabi Nakibly
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#automatic-protocol-reverse-engineering-27238

Backdooring and Hijacking Azure AD Accounts by Abusing External Identities
Black Hat | 2022-11-17

External identities are a concept in Azure Active Directory that makes it possible to collaborate with users outside of an organization. These external users, often called guest users, can be granted permissions to certain resources and work together with users within the organization. The identities of these users are managed in a different Azure AD tenant, or are unmanaged accounts outside of Azure AD. This talk explains how these external identities work in Azure AD and how concepts such as B2B collaboration are facilitated...
By: Dirk-jan Mollema
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#backdooring-and-hijacking-azure-ad-accounts-by-abusing-external-identities-26999

AEPIC Leak: Architecturally Leaking Uninitialized Data from the Microarchitecture
Black Hat | 2022-11-17

...In this talk, we systematically analyze existing CPU vulnerabilities, showing that CPUs suffer from vulnerabilities whose root causes match those in complex software. We show that transient-execution attacks and architectural vulnerabilities often arise from the same type of bug, and identify the blank spots...
Stalloris: RPKI Downgrade Attack
Black Hat

We demonstrate the first downgrade attacks against RPKI, which allow remote adversaries to disable RPKI validation, hence exposing networks to prefix hijacks. In our attacks, a malicious RPKI publication point stalls the relying party implementations, disabling RPKI validation on those networks.
Presented by Philipp Jeitner, Haya Shulman, Michael Waidner, Donika Mirdita & Tomas Hlavecek
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#stalloris-rpki-downgrade-attack-27348

No One Is Entitled to Their Own Facts, Except in Cybersecurity?
Black Hat | 2022-11-17

In December 2021, Harvard's Belfer Center released a report based on a workshop involving over 100 international experts. Our project investigated how the aviation industry draws lessons from aviation incidents and how such a process could be applied to cyber incident investigations. Based on this, we have created the Major Cyber Incident Investigations Playbook. This new document, pending publication at Harvard and being released here at Black Hat, is a playbook to make major cyber incident investigations more actionable by setting up an independent review board for major cyber incidents. This can be how we build a shared historical narrative.
Talent Need Not Apply: Tradecraft and Objectives of Job-Themed APT Social Engineering
Black Hat

Presented by Sveva Vittoria Scenarelli & Allison Wikoff
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#talent-need-not-apply-tradecraft-and-objectives-of-job-themed-apt-social-engineering-27108

Return to Sender - Detecting Kernel Exploits with eBPF
Black Hat | 2022-11-17

One of the fastest-growing subsystems in the Linux kernel is, without any doubt, eBPF (extended Berkeley Packet Filter). Although eBPF initially targeted network monitoring and filtering use cases, its capabilities have been broadened over time. With each new kernel version, the capabilities of eBPF get closer to those of a kernel module, with additional benefits: system safety and stability.
Presented by Guillaume Fournier
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#return-to-sender---detecting-kernel-exploits-with-ebpf-27127

New Memory Forensics Techniques to Defeat Device Monitoring Malware
Black Hat | 2022-11-17

In this presentation, we present our effort to develop algorithms capable of detecting userland device monitoring malware across all major operating systems. Our efforts led to several Volatility plugins that are capable of automatically locating all information about processes that are monitoring hardware devices. We plan to contribute our Volatility additions to the community during Black Hat.
Presented by Andrew Case, Gustavo Moreira, Austin Sellers & Golden Richard
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#new-memory-forensics-techniques-to-defeat-device-monitoring-malware-27403

A Fully Trained Jedi, You Are Not
Black Hat | 2022-11-17

As software organizations try to bring security earlier into the development process, what can or should regular software or operations engineers know about security? Taking as given that we want them to build secure systems, that demands a shared understanding of the security issues that might come up, and agreement on what that body of knowledge might entail. Without this knowledge, they'll keep building insecure systems...
By: Adam Shostack
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#a-fully-trained-jedi-you-are-not-26650

A Journey Into Fuzzing WebAssembly Virtual Machines
Black Hat | 2022-11-17

...During this talk, we will introduce what WebAssembly is, dive deeper into WebAssembly VM architecture, identify the attack surface and explain our fuzzing strategy for targeting each VM component, from module parsing to the runtime execution engine. Also, since we are not targeting only one implementation, we will maximize our success rate by using different fuzzing frameworks and techniques such as coverage-guided, structural, and differential fuzzing. This journey led us to the discovery of more than 50 bugs/vulnerabilities across a dozen C/C++/Rust projects. We will conclude with a global overview of the results, with a focus on some concrete, impactful vulnerabilities.
By: Patrick Ventuzelo
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#a-journey-into-fuzzing-webassembly-virtual-machines-26522

Perimeter Breached! Hacking an Access Control System
Black Hat | 2022-11-17

The first critical component of any attack is an entry point. As we lock down our firewalls and sophisticated routers, it can be easy to overlook the network-connected physical access control systems. According to a study done by IBM in 2021, the average cost of a physical security compromise is 3.54 million dollars, and such a breach takes an average of 223 days to identify.
Presented by Steve Povolny & Sam Quinn
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/index.html#perimeter-breached-hacking-an-access-control-system-26455

Better Privacy Through Offense: How To Build a Privacy Red Team
Black Hat | 2022-11-17

...In this talk, you'll learn what a privacy red team is, how it's different from a security red team, the challenges we faced, and examples of real operations we performed. You'll walk away with a better understanding of how privacy red teaming can benefit your organization, and the role that offense can play in your privacy defense.
By: Scott Tenaglia
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#better-privacy-through-offense-how-to-build-a-privacy-red-team-27036

Pwning Cloud Vendors with Untraditional PostgreSQL Vulnerabilities
Black Hat | 2022-11-17

Our team explored PostgreSQL-as-a-Service offerings from multiple cloud providers and found a series of vulnerabilities related to its implementation as a multi-tenant service, including severe isolation issues. The impact of these vulnerabilities can be wide-reaching, as they may become the starting point for a cross-account access attack; as we recently demonstrated with the "ExtraReplica" vulnerability, a Postgres vulnerability led to cross-account access to customer databases in the Azure Postgres Flexible Server service.
Presented by Shir Tamari & Nir Ohfeld
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#pwning-cloud-vendors-with-untraditional-postgresql-vulnerabilities-26964

(Long) Dragon Tails – Measuring Dependence on International Vulnerability Research
Black Hat | 2022-11-17

This talk will present the results of a study on the reliance of critical proprietary and open source software on Chinese software vulnerability disclosures. The increasingly difficult environment for Chinese security researchers became acute with the September 2021 passage of a law requiring that vulnerabilities also be reported to the MIIT alongside the affected vendor. As yet, however, the impact of these restrictions has not been systematically evaluated in public. This talk will present the results of a quantitative analysis of the changing proportion of China-based vulnerability disclosures to major software products from a selection of proprietary vendors as well as several major open source packages...
By: Yumi Gambrill, Trey Herr, Frances Nettles, Stewart Scott
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#long-dragon-tails--measuring-dependence-on-international-vulnerability-research-26940

AAD Joined Machines - The New Lateral Movement
Black Hat | 2022-11-17

...This talk will cover new research into an authentication mechanism designed to allow authentication between Azure AD joined machines. We will examine and understand the foundation of the new network protocol, present a way (and a tool) to perform a Pass-the-Certificate attack, and finally go over an open-source solution that can help you hunt for such attacks...
By: Mor Rubin
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#aad-joined-machines---the-new-lateral-movement-26889

Attack on Titan M, Reloaded: Vulnerability Research on a Modern Security Chip
Black Hat | 2022-11-17

The Titan M chip was introduced by Google in their Pixel 3 devices, and in a previous study we analyzed this chip and presented its internals and protections. Building on that background, in this new talk we will focus on how we performed software vulnerability research on such a constrained target, despite the limited information available...
By: Damiano Melotti, Maxime Rossi Bellom
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#attack-on-titan-m-reloaded-vulnerability-research-on-a-modern-security-chip-27330

Trace Me if You Can: Bypassing Linux Syscall Tracing
Black Hat | 2022-11-17

In this talk, we will present novel vulnerabilities and exploitation techniques that reliably bypass Linux syscall tracing. A user-mode program does not need any special privileges or capabilities to reliably avoid system call tracing detections by exploiting these vulnerabilities. The exploits work even when seccomp, SELinux, and AppArmor are enforced.
Presented by Rex Guo & Junyuan Zeng
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#trace-me-if-you-can-bypassing-linux-syscall-tracing-26427

Android Universal Root: Exploiting Mobile GPU / Command Queue Drivers
Black Hat | 2022-11-17

Rooting modern Android devices using kernel bugs from an unprivileged process, without any hardcoded offsets/addresses and with an almost 100% success rate, is exceptionally rare. After reporting the in-the-wild CVE-2020-0069 in MediaTek's Command Queue device driver, we conducted a security review of ImgTec's PowerVR GPU device driver, during which we discovered and reported several such rare vulnerabilities (e.g. GPU CVE-2021-39815). In total, we discovered 35+ exploitable bugs. This talk will primarily focus on GPU hacking...
By: Jon Bottarini, Xingyu Jin, Richard Neal
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#android-universal-root-exploiting-mobile-gpu--command-queue-drivers-27239

A Dirty Little History: Bypassing Spectre Hardware Defenses to Leak Kernel Data
Black Hat | 2022-11-17

The initial disclosure of Spectre in 2018 led to an unforeseen era of transient execution attacks. These attacks usually allow a lower-privileged attacker to leak arbitrary data from higher-privileged security domains by observing the side effects of transiently executed instructions. One especially powerful attack variant, Branch Target Injection (BTI), abuses misprediction and the resulting misspeculation on indirect branches to transiently execute attacker-controlled instructions...
By: Enrico Barberis, Pietro Frigo & Marius Muench
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#a-dirty-little-history-bypassing-spectre-hardware-defenses-to-leak-kernel-data-26638

Blasting Event-Driven Cornucopia: WMI-based User-Space Attacks Blind SIEMs and EDRs
Black Hat | 2022-11-17

Security solutions engineers always find new ways to monitor OS events to mitigate threats on endpoints. These approaches typically reuse different built-in Windows mechanisms that were never designed with security first in mind. At Black Hat Europe 2021, we publicly showed how to blind an entire class of endpoint security products by disabling ETW. Our current research focus is Windows Management Instrumentation (WMI), a mechanism that allows filtering without registering kernel callbacks...
By: Andrey Golchikov, Igor Korkin, Claudiu Teodorescu
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#blasting-event-driven-cornucopia-wmi-based-user-space-attacks-blind-siems-and-edrs-27211

No Mr. Cyber Threat! - A Psychological Approach To Managing the Fail-to-Challenge Vulnerability
Black Hat | 2022-11-17

An unrecognised individual enters a busy workplace. They are not wearing any ID, and they are asking people if they can use their laptops or plug in an unauthorised USB device. Even though people typically know this is a problem, staff often fail to challenge, resulting in an exploitable vulnerability. But our individual is wearing a brightly coloured t-shirt with the words CHALLENGE ME in large friendly letters on the chest, and they are overtly trying to engineer risky behaviours. It is all far too obvious - almost like they want to be caught doing something wrong…
By: Stephen Dewsnip & Simon Pavitt
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#no-mr-cyber-threat---a-psychological-approach-to-managing-the-fail-to-challenge-vulnerability-27067

All Your GNN Models and Data Belong to Me
Black Hat | 2022-11-17

Many real-world data come in the form of graphs. Graph neural networks (GNNs), a new family of machine learning (ML) models, have been proposed to fully leverage graph data to build powerful applications. In particular, inductive GNNs, which can generalize to unseen data, have become mainstream in this direction. Those models have facilitated numerous practical solutions to real-world problems, such as node classification, community detection, link prediction/recommendation, binary similarity detection, malware detection, fraud detection, bot detection, etc. To train a good model, a large amount of proprietary data as well as computational resources are needed, leading to valuable intellectual property...
By: Azzedine Benameur, Yun Shen, Yang Zhang
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#all-your-gnn-models-and-data-belong-to-me-26671

Unlimited Results: Breaking Firmware Encryption of ESP32-V3
Black Hat | 2022-11-17

ESP32 is one of the most widely used microcontrollers, and is present in hundreds of millions of devices such as IoT applications, mobile devices, hardware wallets, etc. In 2019, Limited Results published a fault injection attack at Black Hat Europe which broke the security of the ESP32-V1 chip family. Espressif therefore patched this vulnerability and advised its customers to use ESP32-V3, a hardened silicon revision.
In this talk, we present an in-depth hardware security evaluation for ESP32-V3. The main goal of this evaluation is to extract the firmware encryption key in order to decrypt the encrypted flash content that may possibly contain secret data.
Presented by: Karim Abdellatif, Olivier Hériveaux & Adrian Thillard
The COW (Container On Windows) Who Escaped the Silo
Black Hat

In this talk we'll answer these questions: "Are Windows process-isolated containers really isolated?" and "What can an attacker achieve by breaking the isolation?"
Before we jump into the vulnerabilities, we'll explain how Windows isolates the container's processes and filesystem, and how the host prevents the container from executing syscalls that can impact the host. Specifically, we'll focus on the isolation implementation in Ntoskrnl using server silos and job objects.
Presented by Eran Segal
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#the-cow-container-on-windows-who-escaped-the-silo-26885

Keynote: Black Hat at 25: Where Do We Go from Here?
Black Hat 2022-11-17 | For twenty-five years, the InfoSec community and industry have been gathering here in the desert. For twenty-five years, we have chipped away at underlying insecurities in the technologies we use every day with new vulnerability research and adversary insights. For twenty-five years we’ve seen vendors and software firms roll out new products and protections. With the last twenty-five years as prologue and as we look forward to the next twenty-five years, we have to ask ourselves: are we on the right track?
Presented by: Chris Krebs
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#keynote-black-hat-at--where-do-we-go-from-here--28699

Oops..! I Glitched It Again! How to Multi-Glitch the Glitching-Protections on ARM TrustZone-M
Black Hat 2022-11-17 | Fault Injection (FI), also referred to as Glitching, has proven to be a severe threat to real-world computing devices. In this kind of attack, physical faults are injected into a device at runtime to deliberately alter the target's behavior. To address this threat, various countermeasures have been proposed to counteract the different types of fault injection methods at different abstraction layers, requiring modification of either the underlying hardware or the firmware at the machine instruction level.
Presented by: Ahmad-Reza Sadeghi, Richard Mitev & Marvin Saß
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#oops-i-glitched-it-again-how-to-multi-glitch-the-glitching-protections-on-arm-trustzone-m-27352

Process Injection: Breaking All macOS Security Layers With a Single Vulnerability
Black Hat 2022-11-17 | macOS local security is shifting more and more to the iOS model, where every application is codesigned, sandboxed and needs to ask for permission to access data and features. New security layers have been added to make it harder for malware that has gained a foothold to compromise the user's most sensitive data. Changing the security model of something as large and established as macOS is a long process, as it requires many existing parts of the system to be re-examined. For example, creating a security boundary between applications running as the same user is a large change from the previous security model, introducing new vulnerabilities such as process injection.
Presented by Thijs Alkemade
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability-27334

Real Cyber War: Espionage, DDoS, Leaks, and Wipers in the Russian Invasion of Ukraine
Black Hat 2022-11-17 | The Russian invasion of Ukraine has included a wealth of cyber operations that have tested our collective assumptions about the role that cyber plays in modern warfare. The concept of 'Cyber War' has been subject to all kinds of fantastic aberrations fueled by commentators unfamiliar with the realities and constraints of real-world cyber.
Presented by: Juan Andres Guerrero-Saade & Tom Hegel
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#real-cyber-war-espionage-ddos-leaks-and-wipers-in-the-russian-invasion-of-ukraine-27206

CastGuard: Mitigating Type Confusion in C++
Black Hat 2022-11-17 | ...This talk introduces a new mitigation called CastGuard which uses a tiny instruction sequence in combination with the virtual function table pointer of an object to deterministically prevent illegal static down-casts in C++ code. CastGuard is currently being deployed to a set of Windows components, with more coming in the future.
By: Joe Bialek
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#castguard-mitigating-type-confusion-in-c-26754

Bug Bounty Evolution: Not Your Grandson's Bug Bounty
Black Hat 2022-11-17 | ...Then, in 2016 came Hack The Pentagon, and suddenly everyone was either running a bug bounty program or wanted to run one. Where are we now and what have we learned since 2010? Were the myths of being able to compete on price with the offense market true, or was it all just marketing by VC-backed bug bounty platforms? Is there an alternative solution for hackers who currently get treated like disposable workers? What's the best path forward for hackers, organizations, and the security industry now that we have seen over a decade of modern bug bounty programs in practice?...
By: Katie Moussouris
Full Abstract & Presentation Materials: blackhat.com/us-22/briefings/schedule/#bug-bounty-evolution-not-your-grandsons-bug-bounty-27543

Trust Dies in Darkness: Shedding Light on Samsung's TrustZone Keymaster Design
Black Hat 2022-11-17 | In this work, we expose the cryptographic design and implementation of Android's Hardware-Backed Keystore in Samsung's Galaxy S8, S9, S10, S20, and S21 flagship devices. We reverse-engineered and provide a detailed description of the cryptographic design and code structure, and we unveil severe design flaws. We present an IV reuse attack on AES-GCM that allows an attacker to extract hardware-protected key material, and a downgrade attack that makes even the latest Samsung devices vulnerable to the IV reuse attack. We demonstrate working key extraction attacks on the latest devices.
Presented by Alon Shakevsky, Eyal Ronen & Avishai Wool
Full Abstract and Presentation Materials: blackhat.com/us-22/briefings/schedule/#trust-dies-in-darkness-shedding-light-on-samsungs-trustzone-keymaster-design-26736

Whip the Whisperer: Simulating Side Channel Leakage
Black Hat 2022-11-17 | Cryptographic side channels are well understood from a mathematical perspective, and many countermeasures exist that reduce leakage. Yet there are many implementations in the field that leak. This is caused by a combination of a lack of security experts, the fact that countermeasures can become leaky once implemented, and the absence of good pre-silicon side channel analysis tools.
In this presentation, we show how common hardware design tools can be used to perform pre-silicon power simulations, and how that can be used to detect leaky implementations. We show a case study of how countermeasure implementations that look fine in source are actually leaky, and how simulation can help pinpoint individual leaky elements, both in software and hardware.