BEGIN:VCALENDAR VERSION:2.0 PRODID:-//pretalx//cfp.recon.cx//recon-2026//talk//DZUQYU BEGIN:VTIMEZONE TZID:EST BEGIN:STANDARD DTSTART:20001029T030000 RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10;UNTIL=20061029T070000Z TZNAME:EST TZOFFSETFROM:-0400 TZOFFSETTO:-0500 END:STANDARD BEGIN:STANDARD DTSTART:20071104T030000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=11 TZNAME:EST TZOFFSETFROM:-0400 TZOFFSETTO:-0500 END:STANDARD BEGIN:DAYLIGHT DTSTART:20000402T030000 RRULE:FREQ=YEARLY;BYDAY=1SU;BYMONTH=4;UNTIL=20060402T080000Z TZNAME:EDT TZOFFSETFROM:-0500 TZOFFSETTO:-0400 END:DAYLIGHT BEGIN:DAYLIGHT DTSTART:20070311T030000 RRULE:FREQ=YEARLY;BYDAY=2SU;BYMONTH=3 TZNAME:EDT TZOFFSETFROM:-0500 TZOFFSETTO:-0400 END:DAYLIGHT END:VTIMEZONE BEGIN:VEVENT UID:pretalx-recon-2026-DZUQYU@cfp.recon.cx DTSTART;TZID=EST:20260621T143000 DTEND;TZID=EST:20260621T153000 DESCRIPTION:The proliferation of AI agents is quickly becoming one of the f oremost concerns of security teams. Engineering teams are clamoring for th e increase in velocity afforded by AI coding agents. Non-technical teams h ave noticed\, and employees of all job types are asking for agentic AI too ls to facilitate their work. Security teams need to have a clear understan ding of how these tools operate\, what their security features are\, and w here the security failures lie. Armed with this knowledge\, security teams can enable these new agentic work paradigms while protecting all the thin gs.\n\nThis talk presents the complete reverse engineering of Anthropic's Claude Code\, Claude Desktop\, and Claude Cowork. The recent release of Cl aude Cowork provides the LLM agent with extraordinary host privileges -- s pawning VMs\, mounting host directories\, taking screenshots\, typing into terminals\, automating browsers and applications -- all decided by a lang uage model one prompt injection away from hostile intent. We take a look a t the two personalities of Claude Cowork. One component of Cowork is Claud e Code\, running inside a Linux VM using multiple isolation strategies to constrain LLM agent access to user resources\, and another is Claude with agentic access to dive the desktop user interface\, with capabilities for reading and interacting with anything on the screen.\n\nIn this talk\, we also present the power of agent-assisted research and development for not only understanding the features and attack surface of these Claude agents\ , but we demonstrate newly-discovered vulnerabilities in components of Cla ude. We also identify attack surfaces that in some cases are obvious to se e\, and other attack surfaces that are completely surprising to discover.\ n\nWe investigate binaries spanning multiple languages\, including Swift\, Rust\, Go\; two JavaScript runtimes\; recovering the complete VM hardware configuration from decompiled Swift\; the full vsock RPC protocol from a stripped Go guest agent\; examine Claude's cloud based and local configura tion systems\; perform analyses of the Linux VM container isolation strate gies\; and uncover a hidden BLE hardware companion protocol that provides auto-approve capabilities (effectively 'dangerous permission mode') for ev ery tool request the model makes. We present confirmed vulnerabilities in multiple subsystems.\n\nFinally\, we draw some conclusions about the secur ity architecture of Claude Desktop as a whole\, identifying some glaring g aps in which threats the architecture prioritizes\, and which seem to have been woefully ignored. We investigate strategies for improving isolation of the agent\, and consider where these might fall short. DTSTAMP:20260612T181517Z LOCATION:Grand Salon Opera SUMMARY:Putting the Genie Back in the Bottle: Agentic Reverse Engineering o f Claude's Security Architecture - Todd Manning URL:https://cfp.recon.cx/recon-2026/talk/DZUQYU/ END:VEVENT END:VCALENDAR