
Phase Modulation Side Channels and Reinventing the Wheel

Time: Friday @ 1500

Speaker: Colin O’Flynn

In the year 2024, is it really possible that a researcher can still be finding new side channel leakage mechanisms? Despite the rich history of side channels and the large body of work, this talk discusses a “new” (but actually old) leakage mechanism that exploits timing jitter of the ubiquitous JTAG signals. But more importantly, this talk discusses how “everything old is new again” is not just a famous quip, but a mantra for serious researchers. This talk links several early results to recent talks, and shows how you can use low-cost hardware to recreate these results. One can expect that more side channels and interesting results are lurking in our systems, and hopefully you may find some you can exploit for fame and glory.


Hunting Privileged File Operation Vulns

Time: Friday @ 1600

Speakers: Asher Davila Loranca, Malav Vyas

The Microsoft Detours library was utilized to develop a tool capable of deep system inspection, specifically targeting the process environments of various computing systems. This tool enabled a comprehensive analysis of privileged file operations, leading to the discovery of multiple vulnerabilities that could be exploited. The project highlights the power of Detours for sophisticated security analysis and how the vulnerabilities found can be exploited.

This presentation will discuss how a custom dynamic-link library (DLL) developed with Detours enabled a systematic examination of file operations, i.e., having a solid hunting strategy, which in this case was conducted using instrumentation, leading to the discovery of security flaws that were then exploited. The talk will showcase these exploitations, providing insight into the types of vulnerabilities that were uncovered and the potential implications for system security. The focus will be on demonstrating the importance of having an effective vulnerability hunting strategy in critical environments and showing real exploitation scenarios of the vulnerabilities found through this methodology.


Successfully Fuzzing High-Value Targets with Low Tech Strategies

Time: Friday @ 1700

Speaker: Marc Schoenefeld

While AFL, libFuzzer and their derivatives are mighty tools to discover bugs, they are still very complex, which requires a certain learning curve prior to successful usage. Also, memory or other restrictions may prevent usage in all scenarios. In our talk we present our approach to applying low-tech fuzzing to pursue bug finding in high-profile software products. For example, a well-chosen corpus computed ahead of time can be as powerful as collecting coverage data while fuzzing. Also, threshold information such as meta-data tipping points can allow fine-tuning of bug hunting campaigns. This means the applied techniques can be supplemental, and by replacing one with the other, bugs would still be found, while aiming for simplicity in the harness setup. To back up this claim we present the workflow steps towards several of our findings, most prominently CVEs in OpenSSL and in the cryptography code of Node.js. The talk starts from a theoretical background and moves towards step-by-step guidance on building your own low-tech fuzzing tool setup. From a practical end, the necessary tool usage steps are shown via demos in a (Ubuntu 22) Linux context. The audience may benefit from this to jumpstart their own discoveries.


DNP3 Security: The most important protocol you’ve never heard of

Time: Saturday @ 1030

Speaker: Dan Petro

The Distributed Networking Protocol 3 (DNP3) is a core part of communications in what we collectively call "critical infrastructure". It's responsible for carrying commands to actuate physical components in stuff like electric generating facilities and power transmission equipment.

Despite its importance, it has been difficult to implement security on DNP3. Demanding operational requirements, legacy hardware, and an impenetrable wall of jargon have been just some of the impediments to security.

Let’s talk about DNP3 from a pentester’s perspective. What issues has the protocol had in the past, where does DNP3 security stand currently, and where is the protocol going in the future to solve them (DNP3 SAv6)?


SUIT: Secure Undervolting with Instruction Traps

Time: Saturday @ 1130

Speakers: Daniel Gruss, Jonas Juffinger

Modern CPUs dynamically scale voltage and frequency for efficiency. However, too low voltages can result in security-critical errors. Hence, vendors use a generous safety margin to avoid errors at the cost of higher energy overheads.

In this work, we present SUIT, a novel hardware-software co-design to reduce the safety margin substantially without compromising reliability or security. We observe that not all instructions are equally affected by undervolting faults and that most faultable instructions are infrequent in practice. Hence, SUIT addresses infrequent faultable instructions via two separate DVFS curves, a conservative and an efficient one. For frequent faultable instructions, SUIT statically relaxes the critical path in hardware. Consequently, the instruction is not faultable anymore on the efficient DVFS curve at the cost of performance overheads for this specific instruction. For infrequent faultable instructions, SUIT introduces a trap mechanism preventing execution on the efficient curve. With this trap mechanism, SUIT temporarily switches to the conservative DVFS curve and switches back if no faultable instruction was executed within a certain time frame. We evaluate all building blocks of SUIT, using both measurements on real hardware and simulations, showing a performance overhead of 3.79 %, and a CPU efficiency gain of 20.8 % on average on SPEC CPU2017.


Evolutionary Echoes in Modern OT

Time: Saturday @ 1330

Speaker: Justin Leiden

Detroit, the cradle of civilization for industrial control systems, served as the innovation development center of what would become our modern process control systems. The priorities of process innovation in Motown in the middle of the twentieth century would go on to carve paths of least resistance still traced in the development of industrial control systems. These paths have created issues in confidentiality, access control, non-repudiation, overuse of legacy equipment, and lack of on-site expertise, and, most importantly, have created risks to personnel safety and pose a major risk to modern socioeconomic stability. In this presentation, Justin Leiden will walk viewers through the early advancements in automation, all the way from analog relay panels to modern industrial control systems, then use this development period as a map on which to trace the cyber-physical security concerns we face in critical infrastructure today.


Deception & Operations Planning

Time: Saturday @ 1400

Speaker: Russ Handorf

Conventional tools and practices are not always sufficient to secure the assets you are charged with protecting. In his presentation, former FBI Computer Scientist Dr. Russell Handorf describes a real-world dilemma where it was necessary to add an element of deception to protect an asset. He then ties that experience into how deception can, and should, be customized and applied to IT environments in order to deter and degrade the capabilities of adversaries. You'll learn how to best apply deception practices in your technical operations through first-hand experience and examples.


Side Channel Attacks: Lessons Learned or Troubles Ahead?

Time: Saturday @ 1500

Speaker: Daniel Genkin

The security and architecture communities will remember the past five years as the era of side channels. Starting from Spectre and Meltdown, time and again we have seen how basic performance-improving features can be exploited to violate fundamental security guarantees. Making things worse, the rise of side channels points to a much larger problem, namely the presence of large gaps in the hardware-software execution contract on modern hardware.

In this talk, I will give an overview of this gap, focusing on new security issues on emerging CPUs. First, I will give a high-level survey on speculative execution attacks such as Spectre and Meltdown. I will then talk about iLeakage, showing how speculative attacks are still a threat to browser isolation primitives, despite numerous mitigation attempts. Finally, I will discuss security issues involving violation of constant time guarantees due to data-memory prefetching, resulting in the GoFetch attack.

The talk will be interactive and include attack demonstrations.


Revitalizing Mimir’s Wisdom: PTES Reborn for Modern Pentesting

Time: Saturday @ 1600

Speaker: Kevin Johnson

Join Kevin Johnson of Secure Ideas as he discusses how the OpenSBK team is updating the Penetration Testing Execution Standard (PTES). Discover how this revamped framework can guide modern infosec testers, much like Mimir’s head guided Odin in Norse mythology. Using real world experiences and modern techniques, this presentation will walk attendees through the newest parts of PTES and how they can implement them today.


Securing Interconnected IT and OT Systems

Time: Saturday @ 1700

Speakers: John Hamilton, Gabriel De Conto, Noam Gariani, William Tatum

This paper covers a wide range of topics focusing on the security of programmable logic controllers (PLCs) in an interconnected operational technology (OT) and information technology (IT) environment. PLCs interact with the physical environment and give direct input to machines. Their focus is speed and availability, and they therefore lack security. Industrial control systems (ICS) are used widely for transportation systems, physical access controls, monitoring systems, and more. In many cases, these systems act as critical infrastructure and people count on them for day-to-day operations. In this document, common vulnerabilities such as device manipulation, DoS, and MITM attacks are identified and shown, along with potential mitigation strategies to protect against these attacks. Additionally, the paper covers potential cyber laws and policy that could be implemented to address these issues, as well as how compliance would be enforced. OT security is an emerging field and most companies have few strategies in place in case of an attack. This is becoming a greater threat as the world transitions to networking PLCs with Internet of Things (IoT) devices. Connecting PLCs to the internet will expose machines that previously required a physical connection to access from anywhere else in the world. These emerging capabilities for devices that were never designed with them in mind paint a grim picture of the future security of our nation.


Repercussions from the Absence of Threat Actor Taxonomy

Time: Sunday @ 0930

Speaker: Jeffrey Bell

There is little collaboration between threat research programs (TRPs). This issue is exemplified when you look at a particular North Korean threat actor, tracked with 16 different names from different TRPs. This naming fragmentation breeds confusion and benefits the threat actors we are trying to stop. We will explore why different taxonomies exist and how we can use MITRE ATT&CK’s blueprint to inform an open-source solution to this issue.


Informing your ICS Sec Roadmap w/ Threat Modeling

Time: Sunday @ 1000

Speaker: Hudson Bush

With numerous threats and vulnerabilities emerging in the ICS domain, prioritizing security efforts can be overwhelming. This presentation introduces a practical method for leveraging MITRE ATT&CK for ICS and MITRE D3FEND to enhance threat modeling and refine your security roadmap. Attendees will gain insights into how these frameworks can help identify and prioritize the most impactful threats, leading to more effective and strategic security measures. This approach ensures that resources are allocated efficiently, and defenses are focused where they will make the greatest difference, moving beyond reactive responses to a more data-driven and strategic security posture.


A More PERFect World: Automated Architecture Agnostic Low-Level Performance Instrumentation

Time: Sunday @ 1030

Speaker: James Warne

In this talk, Jay will introduce an open-source, architecture agnostic tool under development designed to provide developers with processor performance telemetry below the function level without requiring manual instrumentation. Traditional monitoring tools are designed to work at the function-level or require manual insertion before compilation. This tool, when appropriately paired with control flow information, helps highlight inefficiencies and the execution contexts in which they arise without burdening the developer, requiring them to acquire domain and implementation specific knowledge, or dramatically increasing execution time.