Recon 2024

Friday
09:30
30min
Opening ceremony

Party
Grand Salon
10:00
60min
From Student of Compilation to Mother of Decompilation -- 30 Years Edition
Cristina Cifuentes, VP, Oracle Software Assurance

Having worked on a machine code interpreter for the Modula-2 language for my Compilers project in 1990 and later integrating it into a mixed GPM Modula-2 compiler/interpreter for the 8086 during the summer of 1990-91 meant that I was familiar with assembly language and had a notion of transforming an intermediate representation into executable assembly code. Enjoying compilers and hearing about the latest viruses that were becoming popular in DOS binaries raised my interest in looking into binaries/executable programs to determine how to reverse compile them back into a high-level language representation, to be able to aid with an automated tool in understanding what the virus code was doing. And hence I enrolled in a PhD in April 1991.

30 years ago, on 4th July 1994, I submitted my PhD thesis on "Reverse Compilation Techniques". Little did I know that such a fun project, looking into 80286 DOS binaries and reading assembly, drawing graphs of groups of assembly instructions, understanding how parameters were passed in assembly language, determining what optimising compilers would do to optimised parameters and code, following variables through a function and the whole program to understand data flows and how variables were stored on the stack or memory, would result in techniques that would be picked up in the 2000s with the growing interest in application security.

In this keynote I give a retrospective on the decompilation PhD work, the growing interest in this technology throughout the past three decades, examples of commercial uses of decompilation, and conclude with an application of decompilation to develop a malware analysis tool.

To learn more about Cristina:

LinkedIn: https://www.linkedin.com/in/drcristinacifuentes
Twitter: @criscifuentes
Oracle: https://labs.oracle.com/pls/apex/f?p=94065:11:10856631025365:21

Keynote
Grand Salon
11:00
60min
Breaking Z-Waves: How we use Symbolic Execution to find Critical RF Vulnerabilities
Oliver Lavery

New IoT Radio Frequency protocols like ZigBee, Z-Wave, OpenThread, and Amazon Sidewalk are becoming ubiquitous. While these protocols make our lives easier in many ways, they also represent an interesting cyber-security challenge: as an industry we're adding all kinds of complex and novel RF attack surface to IoT devices within our homes and neighborhoods.

In this talk we'll explore how we're securing that new attack surface at Amazon Element55. We'll bring you along on our journey from initial experiments with bug hunting in the Amazon Sidewalk protocol stack using symbolic execution tools like CBMC and KLEE, explore some of the challenges we faced along the way with symbolic tools, and finally walk you through the discovery of a group of new critical vulnerabilities in the implementation of the SiLabs Z-Wave protocol.

Presentation Hardware
Grand Salon
12:00
60min
Lunch Friday

Lunch
Grand Salon
13:00
60min
An unexpected journey into Microsoft Defender's signature World.
Silvio, Davide Fontana, Antonio Villani

This workshop explores adversary emulation activities, focusing on creating false flags to mimic real attacks. Using Microsoft Defender as a case study, we analyze signature formats to create samples that trigger specific detections. Participants will learn how to generate working samples that trigger specific detections, gaining insights into Windows Defender's signature mechanisms.

Workshop Software
Soprano B
13:00
120min
Chip Decapsulation Demo
Travis Goodspeed

We can learn a lot from looking at a microchip under a microscope, but most stubbornly come encased in hard plastic. This live demo will show you how the HNO3 Bath Method is used to tear away such packaging without damaging the glass inside.

Time and location might change as the weather allows.

Workshop Hardware
Hotel Terrace
13:00
270min
Lockpick Village Friday
TOOOL

Tired of staring at a monitor trying to reverse some nasty code...come try your hand [literally] at hacking hardware! The Open Organisation Of Lockpickers [TOOOL] is set up and ready to give you a new kind of challenge. Gaining access has a different meaning here. TOOOL uses their knowledge to guide you through different types of locks, their vulnerabilities, and how to exploit them. Scrape pin tumblers instead of data!

Village
Creation
13:00
60min
Path of rev.ng-ance: from raw bytes to CodeQL on decompiled code
Alessandro Di Federico, Pietro Fezzardi

This is a hands-on talk about what you can do with the rev.ng decompiler, a FLOSS decompiler based on LLVM and QEMU.

We will guide the audience step-by-step through how to go from the raw bytes of a file (think, a firmware) to decompiled C code.

Then we'll dig into rev.ng's intermediate representation, based on LLVM IR, and show what tools can be used on it (e.g., KLEE for symbolic execution).

Finally, we'll show how you can use standard tools such as CodeQL and clang-static-analyzer to find bugs in the decompiled C code emitted by rev.ng, which is always syntactically valid.

Everything that will be shown will be 100% reproducible by the audience in real-time using rev.ng.

Presentation Software
Grand Salon
14:00
60min
Tips & Tricks for better debugging with WinDbg
Chris Alladoum

When it comes to debugging on Windows, there are many existing tools (OllyDbg, Immunity Debugger, x64dbg) but none come close to the functionality offered by WinDbg. Often seen as a harder tool, we'll use this hands-on workshop to focus on the latest version of WinDbg (previously known as WinDbgX or WinDbg Preview) and share some (lesser known) insights and useful techniques for both user and kernel mode debugging.

Workshop Software
Soprano B
14:00
30min
Unleashing AI: The Future of Reverse Engineering with Large Language Models
Tim Blazytko, Moritz Schloegel

In our talk, we take a closer look at Large Language Models (LLMs) in reverse engineering, highlighting both their current uses and future potential. We address the opportunities and challenges presented by LLMs, from enhancing code analysis to navigating issues of inaccuracies and privacy. To address these challenges, we introduce ReverserAI as a platform designed to explore and expand the capabilities of LLMs within this field. We further illustrate how local, privacy-focused LLM setups can overcome existing privacy limitations. Lastly, we explore and showcase ways to significantly improve current LLM outputs by combining them with traditional static analysis techniques, for example in the context of malware analysis. Our discussion also covers the anticipated evolution of LLM technology, underscoring its promise to advance the field.

Presentation Software
Grand Salon
14:30
30min
Tales From The Crypt: Bug Hunting in the Windows CryptoAPI
Erik Egsgard

The Microsoft CryptoAPI provides functionality to perform digital certificate authentication, management and storage, encryption and decryption of data, and encoding and decoding of structured data. These are critical pieces of secure communications and present a rich attack surface, much of which is accessible via network protocols. This presentation will look at a vulnerability research effort into this area of the Windows operating system.

The road to finding remote code execution vulnerabilities is often paved with tears. Bugs may appear obvious in hindsight but in practice finding a weakness in the code and then actually triggering it can be anything but simple. Several RCE vulnerabilities were discovered during the research, the techniques used to find them and the journey to reaching them via a remote code path will be presented.

Presentation Software
Grand Salon
15:00
30min
Coffee break Friday

Coffee Break
Grand Salon
15:30
120min
GameBoy ROM Extraction
Travis Goodspeed

The Game Boy has a mask ROM bootloader that validates the Nintendo logo in the cartridge, then disables itself before executing the cartridge memory, making it difficult to extract. In this workshop, we'll begin with a die photograph of the console's CPU, then use Mask ROM Tool to annotate and decode bits. By the end of the workshop, you will have made a ROM image suitable for emulation or disassembly.
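The logo check the abstract refers to is easy to reproduce in software. The following Python is an added example, not material from the workshop or from Mask ROM Tool: it validates a cartridge header the way the boot ROM does, comparing the 48 logo bytes at 0x104 and recomputing the header checksum at 0x14D over 0x134..0x14C. The constants and offsets are the publicly documented cartridge header layout; the sample ROM image is constructed inline.

```python
# Added example (not from the Recon workshop): boot-ROM style cartridge
# header validation. Offsets and constants follow the public Game Boy
# cartridge header format; the sample ROM below is constructed here.

NINTENDO_LOGO = bytes.fromhex(
    "CEED6666CC0D000B03730083000C000D"
    "0008111F8889000EDCCC6EE6DDDDD999"
    "BBBB67636E0EECCCDDDC999FBBB9333E"
)  # 48 bytes stored at 0x104..0x133 of every licensed cartridge


def header_checksum(rom: bytes) -> int:
    """Checksum over 0x134..0x14C, as the boot ROM computes it:
    x = x - byte - 1 for each byte, truncated to 8 bits."""
    x = 0
    for b in rom[0x134:0x14D]:
        x = (x - b - 1) & 0xFF
    return x


def validate_header(rom: bytes) -> dict:
    """Return what the boot ROM would conclude about this image.
    Note the logo bytes are NOT covered by the checksum range, so a
    corrupted logo and a corrupted title fail in different ways."""
    if len(rom) < 0x150:
        return {"logo_ok": False, "checksum_ok": False, "title": ""}
    logo_ok = rom[0x104:0x134] == NINTENDO_LOGO
    checksum_ok = header_checksum(rom) == rom[0x14D]
    title = rom[0x134:0x144].split(b"\x00")[0].decode("ascii", "replace")
    return {"logo_ok": logo_ok, "checksum_ok": checksum_ok, "title": title}


def build_sample_rom(title: bytes, corrupt_logo: bool = False) -> bytes:
    """Constructed 32 KiB image with a valid header (hypothetical data)."""
    rom = bytearray(0x8000)
    rom[0x100:0x104] = b"\x00\xC3\x50\x01"      # entry point: nop; jp $0150
    rom[0x104:0x134] = NINTENDO_LOGO
    rom[0x134:0x144] = title[:16].ljust(16, b"\x00")
    rom[0x14D] = header_checksum(rom)             # must be set last
    if corrupt_logo:
        rom[0x104] ^= 0xFF                        # one bad logo byte: boot ROM halts
    return bytes(rom)


if __name__ == "__main__":
    print(validate_header(build_sample_rom(b"TEST")))
    print(validate_header(build_sample_rom(b"TEST", corrupt_logo=True)))
```

On real hardware a failed logo compare or checksum mismatch leaves the CPU locked in the boot ROM, which is exactly why dumping that ROM requires going to the die rather than the bus.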

Workshop Hardware
Soprano A
15:30
120min
Reversing Rust Binaries: One step beyond strings (workshop)
Cindy Xiao

Are you a seasoned reverse engineer, but you tremble when a Rust binary lands on your desk? When you encounter a Rust binary, do you just run strings on it and hope for the best?

We will take a single problem - string recovery from a Rust binary - and use it as an approachable starting point for exploring reversing Rust binaries. We will cover:

What are the practical steps we need to take to recover strings? How are strings represented in memory, passed between functions, and manipulated throughout the program?

Once we recover the strings, what do the strings mean? What can the strings we recover tell us about the compiler, language runtime, standard library, and third-party libraries in the binary?

This workshop is intended for reverse engineers and malware analysts who are familiar with reversing C or C++ binaries, but who are unfamiliar with the Rust programming language.

Soprano B
15:30
30min
Smash the blackbox: Owning a car remotely by chaining up exploits
Yingjie Cao

Previously, extensive research has been conducted on remote attacks on vehicles. However, in the exploitation of system vulnerabilities, most scenarios typically require researchers to access the debugging interfaces of relevant components and set up a test bench environment for experimentation. The high price of obtaining the target components and connecting them correctly hinders security researchers from conducting vulnerability research.

In our study, we took a different approach. With only the rental of a vehicle (belonging to a brand that sold over 100,000 units in 2023), and without disassembling or purchasing any components, we embarked on gaining remote control of a vehicle without prior knowledge of any hardware or software debugging interfaces (which are not straightforward to trigger). By exploiting a software upgrade vulnerability, we got access to the applications and reverse-engineered the debugging logic, exploited kernel vulnerabilities under restricted trigger conditions, obtained system privileges, acquired kernel offsets, and finally escalated privileges using another kernel vulnerability to gain system root access.

Ultimately, we chained this series of vulnerabilities into a 1-click exploit to control the car, including the car windows, doors, and the trunk.

Presentation Hardware
Grand Salon
16:00
30min
The Art of Malware C2 Scanning - How to Reverse and Emulate Protocol Obfuscated by Compiler
Takahiro Haruyama

Internet-wide malware command-and-control (C2) server scanning based on protocol emulation is a game changing technique as one of the most proactive threat detection approaches. It allows real time blocking of malicious communications of a variety of known malware families. On the other hand, protocol reversing is a challenging task, especially when the code is obfuscated at compiler-level.

In this presentation, I will detail how to reverse the C2 protocol of the malware used by one of the PRC-linked cyberespionage threat actors. The malware was obfuscated with multiple methods likely applied at compile time. In order to identify the protocol format and its encryption algorithm, I not only extended an existing tool to defeat more control flow flattening (CFF) and mixed boolean arithmetic (MBA) expression cases but also implemented another one to decode strings constructed polymorphically in the stack area under the CFF conditions.

I will also explain how to emulate the C2 protocol. I validated the request/response data by implementing a fake C2 server and catching a real one. Then I developed a PoC scanner to narrow down true positives based on multiple clues such as TLS handshake errors, JARM fingerprints and HTTP header values authenticated by C2. I will demonstrate the scanner in the presentation.

The presented research techniques and findings will be beneficial to those who need deep malware RE.

Presentation Software
Grand Salon
16:30
60min
Peeling Back the Windows Registry Layers: A Bug Hunter's Expedition
Mateusz Jurczyk

Have you ever wondered what lies beneath the graphical interface of the Windows Registry Editor? Despite regedit's unchanged appearance for over 20 years, the underlying kernel registry implementation is far more complex than it seems. From roughly 10,000 lines of decompiled code in Windows NT 3.1 to ten times as many in Windows 11, the registry codebase has seen massive growth throughout its existence. In large part, this is due to introducing new features like transactions, app keys and differencing hives, which may not be obvious to the casual user, but their added complexity certainly affects system security and opens the door to potential local privilege escalation exploits.

Recognizing this vast attack surface, I spent many months in 2022 and 2023 immersed in a thorough audit of the Windows Configuration Manager (the registry's kernel subsystem). This research uncovered over 50 vulnerabilities, ranging from simple coding errors to intricate design flaws that prompted significant code refactors by Microsoft. In this talk, I'll share my registry bug taxonomy, classifying vulnerabilities based on the level of understanding needed to uncover them – from easily "greppable" bugs to deeply hidden logic flaws. Each category will be accompanied by a detailed case study of a recently discovered registry bug. Expect a lot of Windows internals, technical analysis, and some exciting exploit demos.

Presentation Software
Grand Salon
17:30
60min
Decompilation Panel
Ilfak Guilfanov, Cristina Cifuentes, Chris Wysopal, Sergey Bratus, Rusty

Panel
Grand Salon
Saturday
09:30
30min
Seeing Through Themida's Code Mutation
Erwan Grelet

Themida is a popular commercial software obfuscator which provides code virtualization and code mutation features.

While Themida's code mutation is unanimously considered a weaker obfuscation scheme than code virtualization, there's little to no public information on the feature's implementation. As a result, it's difficult to estimate the code mutation's impact on an attacker's reverse engineering flow. In this talk we fill a bit of that gap by studying Themida's code mutation in detail and looking for potential shortcomings.

We'll use Binary Ninja and Python to understand how the code mutation works for x86-64 executables, ultimately automating its deobfuscation using Miasm and symbolic execution.

Presentation Software
Grand Salon
10:00
30min
Manipulating Malware: Forcing Android Malware to Self-Unpack
Laurie Kirk

Malicious Android applications use packing as the core technique to conceal payloads from manual and automated analysis. But what if we could force malicious Android applications to drop their payloads by unpacking themselves?

This presentation will introduce an automated and platform-independent method to autonomously unpack Android APKs. Java-based Android packers generate a unique stub per app whose sole purpose is to decrypt and load the malicious payload from inside Android’s Application subclass. I will describe the process for extracting and translating the Dalvik Bytecode, resources, and native code from these stubs into self-unpacking entities. Because the Android Framework is built on top of Java, the automation process must strip all Android-specific API calls and replace them with equivalent Java invocations. The new app can then be produced in one of two forms: a purely Java application that avoids Android emulator requirements, or a defanged version of the original APK after bytecode manipulation. This technique eradicates the need to write custom decryptors for packed Android applications while remaining entirely packer-agnostic.

I will demonstrate and equip attendees with BadUnboxing, a new open-source tool that automatically generates benign versions of Android malware to dump malicious payloads. I will also share my methodology for repackaging defanged APKs.

Presentation Software
Grand Salon
10:30
30min
A Tale of Reverse Engineering 1001 GPTs: The Good, the Bad, and the Ugly
Elias Bachaalany

In this talk we go deep down into the world of OpenAI's GPTs: how they are made, what they contain, how to reverse engineer them back to their source code and exfiltrate all their "secrets" and accompanying files. This talk will take you on a fun journey into the mind of GPT writers and explore all the curious, smart and silly things they have been coding into their GPTs.

Presentation Software
Grand Salon
11:00
60min
Control Flow Integrity on IBM i
Bálint Varga-Perke

IBM i (aka. AS/400, iSeries, etc.) is a vertically integrated platform implementing revolutionary features such as an object-oriented operating system, single-level storage and an architecture-independent development environment. The performance and reliability of the system made IBM i a crucial component of several critical infrastructure providers such as telecommunication companies and financial institutions. The unique features of IBM i are underpinned by hardware-assisted memory tagging, allowing the translator (IBM i's "integrated compiler") to embed critical security checks inside program objects it generates.

In this talk we show how this architecture (released in 1988!) implements a form of control flow integrity not only to protect its applications but also to keep its security guarantees at Security Level 40. For this research we extended PowerPC support in Ghidra to support IBM's proprietary POWER-AS instruction set and object serialization protocol. These developments allow us to show how the system operates at RISC instruction level, below the Machine Interface. Of course we plan to share these analysis tools with the community as well. Aside from showing that the implemented security scheme is in fact robust, we will also demonstrate an - admittedly convoluted - memory corruption-based exploit on IBM i to inspire the community for further research on this platform.

Presentation Software
Grand Salon
12:00
60min
Lunch Saturday

Lunch
Grand Salon
13:00
120min
.NET Exploitation WorkShop
Sina Kheirkhah

.NET Reverse engineering for vulnerability researchers, how to map the attack surface, interesting areas of focus, tools of the trade for .NET Exploitation.

Prerequisites:

  • A Windows 10 VM
  • Visual Studio 2022 installed
  • .NET Framework 4.0 to 4.8
  • A copy of https://github.com/pwntester/ysoserial.net

Workshop Software
Soprano B
13:00
60min
Bare Metal Firmware Dev: Forwards and Backwards
Caleb Davis, Kyle Shockley

Developing firmware is an essential skill that cyber security professionals should be familiar with to gain a deeper understanding of the foundation of most systems that are being relied on. Additionally, a fundamental understanding of firmware development is a valuable asset in the realm of firmware reverse engineering. This presentation aims to tackle both directions of firmware (development/reversing) to give the audience a better understanding of the intricacies with each process. The firmware development portion of the presentation will walk the audience through the basic steps to deploy a firmware application on an embedded microcontroller (STM32). The application will be developed in such a way that it is intended to be reversed. The second half of the presentation deals with the firmware binary and the steps necessary to fully recover the firmware as much as possible. An important note is that these tools and firmware will be open-source and therefore the audience can attempt this work on their own. Takeaways from this talk include an understanding of bare metal development environments, embedded C code, memory mapping and peripherals, as well as an intermediate understanding of Ghidra.

Workshop Software
Soprano A
13:00
60min
Hypervisor-enforced Paging Translation - The end of non data-driven Kernel Exploits?
Andrea Allievi, Satoshi Tanda

Would you like to know about the state of kernel exploit mitigations in Windows? Are you curious about HVPT, Hypervisor-enforced Paging Translation, the new technology designed to stop exploitation of one of the last weak points in the Windows kernel?

Presentation Software
Grand Salon
13:00
240min
Lockpick Village Saturday
TOOOL

Tired of staring at a monitor trying to reverse some nasty code...come try your hand [literally] at hacking hardware! The Open Organisation Of Lockpickers [TOOOL] is set up and ready to give you a new kind of challenge. Gaining access has a different meaning here. TOOOL uses their knowledge to guide you through different types of locks, their vulnerabilities, and how to exploit them. Scrape pin tumblers instead of data!

Village
Creation
14:00
60min
JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI
Alan Sguigna, Ivan Rouzanov

For the first time, JTAG debugging tools for x64 are available to the general public. Using EXDI to connect WinDbg with the SourcePoint debugger, and Intel Direct Connect Interface (DCI) on the AAEON UP Xtreme i11, Windows Hyper-V and Secure Kernel can be debugged as never before. This presentation and demonstration will cover run-control, VMM breakpoints, Intel Processor Trace, Architectural Event Trace and other new technologies on an off-the-shelf HV/SK/VBS enabled target.

Presentation Hardware
Grand Salon
15:00
30min
Coffee break Saturday

Coffee Break
Grand Salon
15:30
180min
Guerilla Reversing: SMALI steps towards Android reversing
Gabi Cirlig, Lindsay Kaye

As consumers move to using their phones as their primary device, the financial opportunity for threat actors to deploy mobile malware becomes more appealing. People store their money, memories and digital identities in their pockets, making their phones a ripe avenue for attackers. From the high level threat landscape, down to the nitty gritty of the implementation of mobile malware TTPs, understanding the basics of Android reverse engineering can give an analyst the necessary cutting edge. This workshop will take people from zero to hero in order to give them a more thorough understanding of the Android malware landscape through hands-on labs using Android malware.

Workshop Software
Soprano B
15:30
30min
Reverse Engineering the PowerG Wireless Protocol
James Chambers, Sultan Qasim Khan

The PowerG protocol for wireless security systems is proprietary and has no public specification or tooling for analysis. We will present our work on reverse engineering PowerG to understand the protocol, assess its security claims, and identify protocol-level issues. We will also release tooling for capturing PowerG packets with SDRs such as the HackRF, as well as decrypting and analyzing PowerG packets.

Presentation Hardware
Grand Salon
15:30
120min
Workshop for JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI
Alan Sguigna

This is the Workshop that will follow the "JTAG debug of Windows Hyper-V / Secure Kernel with WinDbg and DCI/EXDI" session.

Workshop Hardware
Soprano A
16:00
60min
DaBootZone: Breaking the DA1469x BootROM
Chris Bellows

The Renesas DA1469x family of chips are used in various industrial and IoT applications due to their low power consumption, high integration capabilities, and advanced security features, including SecureBoot and firmware encryption. In this presentation, we will present a novel BootROM vulnerability allowing the bypass of secure boot and recovery of encrypted firmware images, as well as walking through the process of discovering and exploiting these vulnerabilities.

Presentation Hardware
Grand Salon
17:00
60min
Binary Golfing UEFI Applications
netspooky

Have you ever wondered how UEFI applications are loaded? Have you ever wondered what the smallest possible UEFI application could be? Let's make an ultra tiny self-replicating UEFI application and answer both of these questions!

Presentation Software
Grand Salon
Sunday
09:30
30min
Cryptography is hard: Breaking the DoNex ransomware
Gijs Rijnders

In recent years, ransomware has been one of the most prolific forms of cybercrime with financial gain as primary motive. The problem keeps getting bigger with a new operation seeing the light almost every month. While reverse engineering ransomware is fun, it also serves a greater purpose: can we find a vulnerability that allows us to decrypt a victim’s files without interacting with the criminals?

Enter the DoNex ransomware, a new operation that has entered the scene very recently. They have a leak website on the dark web where some victims have been named and shamed. Reverse engineering of a DoNex sample revealed a vulnerability that allowed us to decrypt every encrypted file for victims under a trivial condition. To help victims recover from a ransomware attack, we published a decryption tool on the NoMoreRansom platform, an initiative from a number of parties including the Dutch National Police to keep ransomware operators from extorting victims.

In this talk, we will dive into the technical details of DoNex and how we exploited a vulnerability to decrypt files affected by DoNex without the need to negotiate with the cybercriminals.

Presentation Software
Grand Salon
10:00
60min
Smoke and Mirrors: Driver Signatures Are Optional
Gabriel Landau

In this talk, we’ll uncover a previously-unnamed vulnerability class in Windows, showing how long-standing incorrect assumptions in the design of core Windows features can result in undefined behavior and security vulnerabilities. We will demonstrate how one such vulnerability in the Windows 11 kernel can be exploited to achieve arbitrary code execution with kernel privileges.

Digital code signatures provide a cryptographically-verifiable, tamper-evident way to attest that code was produced by a particular entity. Starting with Windows Vista, Microsoft requires all kernel drivers to be digitally signed - a feature called Driver Signing Enforcement (DSE). DSE allows Microsoft to control which entities are allowed to execute code with kernel privileges, keeping rootkits and other malware from tampering with core OS components in memory and on disk.

After defining the vulnerability class and covering its brief history, we will demonstrate how the Windows 11 kernel can be exploited to bypass DSE and load arbitrary unsigned drivers without the use of any third-party code such as Bring-Your-Own-Vulnerable-Drivers. We will then describe a small kernel change that can fix this vulnerability, and show how defenders can detect this attack today.

Beyond Windows itself, this class of vulnerability can affect any user- or kernel-mode software that relies on documented Windows behavior. This talk will be accompanied by the release of a tool demonstrating the DSE exploit, alongside a mitigation that detects and stops it.

Presentation Software
Grand Salon
11:00
60min
Architecture Analysis of VMProtect 3.8: Demystifying the Complexity
Holger Unterbrink

VMProtect stands as one of the most sophisticated software protection systems employed in obfuscating malware. Increasingly utilized by malware authors, it is crucial for reverse engineers to understand potential attack vectors and key functionalities. This presentation delves into the latest architectural changes of VMProtect 3.8, sharing insights from our extensive research.

Presentation Software
Grand Salon
12:00
60min
Lunch Sunday

Lunch
Grand Salon
13:00
120min
Lockpick Village Sunday
TOOOL

Tired of staring at a monitor trying to reverse some nasty code...come try your hand [literally] at hacking hardware! The Open Organisation Of Lockpickers [TOOOL] is set up and ready to give you a new kind of challenge. Gaining access has a different meaning here. TOOOL uses their knowledge to guide you through different types of locks, their vulnerabilities, and how to exploit them. Scrape pin tumblers instead of data!

Village
Creation
13:00
60min
Mobile Visualization for Reverse Engineering & Debugging
Luke McLaren

Mobile reverse engineering can be significantly accelerated through generating visualizations of execution paths. This workshop will demonstrate the tools and methods required to visualize execution for Android's Java and Native layers as well as the Objective-C layer for iOS.

Content will be based upon previous work: https://datalocaltmp.com/visualizing-android-code-coverage-pt-2.html as well as introduce new methods for Java and Objective-C visualization.

Workshop Software
Soprano A
13:00
60min
Open Sesame: stack smashing your way into opening doors.
Lucas GEORGES

Physical security is the forgotten sibling of information security. This part is often offloaded to traditional security teams, and especially to people who don't "get" what hacking is about.

However, Physical Access Control Systems (PACS) bridge the wall between physical security and information security. These systems are more and more ubiquitous and, more importantly, they are becoming "smart" (i.e. always connected). Therefore they are becoming hackable.

This talk will feature a complete security audit of Idemia's Sigma Lite, a high-end PACS device that can be found in ministries, embassies or Fortune 500 companies and which controls user access, biometric identification and time attendance. It will cover attacks on the hardware, the upgrade system and the contactless protocol.

Presentation Hardware
Grand Salon
14:00
60min
Automating Malware Deobfuscation with Binary Ninja
Joshua Reynolds

With the ever-increasing complexity of malware comes the need to automate tasks related to its analysis. Binary Ninja is a robust reverse engineering platform that provides a plethora of useful functionality when analyzing malware. This functionality includes a powerful Python API that can be used to automate a number of common malware reverse engineering tasks.

Throughout this workshop we will automate the deobfuscation of a real-world malware sample using Binary Ninja and freely available open-source tools.

Workshop Software
Soprano B
14:00
60min
WatchWitch — The Apple Watch Protocol Stack from Scratch
Nils Rollshausen

We take a deep dive into the wireless protocols that power the Apple Watch and its deep integration into the Apple ecosystem, reversing and re-implementing them as we go — starting from foundational transport protocols all the way up to synchronization of sensitive sensor data. Along the way, we will encounter many a proprietary protocol, flawed implementations of standards, and homebrew cryptography endangering Apple's famously strong security.

Presentation Hardware
Grand Salon
15:00
30min
Coffee break Sunday

Coffee Break
Grand Salon
15:30
60min
Project 0xA11C: Deoxidizing the Rust Malware Ecosystem
Nicole Fishbein, Juan Andres Guerrero-Saade

In malware analysis, the arrival of a new programming language introduces an entirely new set of challenges that obstruct our understanding of the malicious intent of a threat actor. Minor idiosyncrasies and newfangled artifacts become minor annoyances, while radical shifts in programming paradigms equate to major analysis blockers. Given the brittle state of our tools and the already steep requisite expertise, you can't blame REs and malware analysts for shying away from disproportionately complex malware. However, this reluctance inadvertently creates blind spots readily exploited by adversaries.

The Go programming language serves as a prime example of this phenomenon. Its quirks (see: placing unterminated strings in an unparsed blob) and inherent complexities (function prototypes repeatedly broken by handling multiple return values on an ephemeral stack) bred collective reluctance until our hands were forced by high-profile incidents like the SolarWinds supply-chain attack. To remedy the situation, we crafted an analysis methodology with accompanying atomic scripts, dubbed AlphaGolang. The result was the surprising realization that once underlying data is put back in its rightful context, reversing Go is often easier than traditional languages.

We've observed a similar trend with Rust malware. Rust's features, such as memory safety, aggressive compiler optimizations, borrowing, intricate types and traits translate into a perplexing tangle of code that surpasses even C++ in the complexity of its abstractions. APTs and ransomware groups alike have embraced Rust and yet we avert our gaze.

Let's tackle this problem head-on. Drawing on insights derived from the development of AlphaGolang, we introduce 'Project 0xA11C' ('Oxalic'), a practical methodology and accompanying tools to make Rust reverse-engineering approachable. We'll showcase the benefits by reanalyzing in-the-wild examples of APT malware like RustDown, RustBucket, and Spica - no 'Hello World!'s found here! With added clarity, we'll finally glimpse the true size of the Rust malware ecosystem and see what lies ahead.

Presentation Software
Grand Salon
16:30
60min
GOP Complex: Image parsing bugs, EBC polymorphic engines and the Deus ex machina of UEFI exploit dev
Nika Korchok Wakulich

BIOS Hacking is back and it’s badder than ever.
Legacy BIOS is old news and UEFI is the new reigning queen bee of Platform Firmware implementations. This changing of the guard brings new challenges and mitigations for bootkit writers to thwart and bypass, as well as the opportunity for creative exploits and groundbreaking techniques in UEFI exploit development.

This talk is a deep-dive on UEFI reverse engineering and exploit development, with a focus on new and creative UEFI exploit dev techniques. It will also cover strategies for finding new exploit targets within UEFI. Applicable both to seasoned veterans of UEFI/BIOS exploit dev, and those looking to break into the space, I’ll cover both UEFI RE and exploit dev essentials and new techniques to take your UEFI PoCs to the next level. This talk combines hardware hacking and platform firmware reverse engineering and exploit development and will cover the following:

  • UEFI software testing/debugging techniques with emulators
  • UEFI hardware debugging and testing techniques
  • UEFI reverse engineering
  • Assembly programming techniques for developing UEFI shellcode on different architectures (x86-64, aarch64 and EBC)
  • PCI Option ROM hacking

What happens when you combine the exploit primitives in a vulnerable image parsing driver impacted by LogoFAIL, PCI Option ROM hacking, the oft-forgotten and neglected EBC (EFI Byte code) architecture and a dash of low-level graphics programming?
GOP Complex.

Presentation Software
Grand Salon
17:30
30min
Closing ceremony

Party
Grand Salon