The Mobile Security Conference (MOSEC) is organized by Team Pangu and PoC and was first held in 2015. MOSEC focuses on cutting-edge research topics in the area of mobile security, fosters information exchange among researchers and practitioners, and has received high praise from both attendees and the community.

MOSEC 2020 will be held on Friday, July 24, 2020 at the Wanda Reign hotel in Shanghai, China. Following the success of the past events, MOSEC 2020 will continue to facilitate the sharing of the most advanced knowledge and technology. MOSEC 2020 will bring excellent security researchers to present their frontier studies to the world.

Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. The members of the Pangu Lab have discovered hundreds of 0day vulnerabilities in major operating systems and applications, and have presented many papers and talks at premier forums such as Black Hat, CanSecWest, Syscan, RUXCON, HITCon, PoC, XCon, IEEE S&P, USENIX Security, ACM CCS, and NDSS.

Pangu Lab's current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu was also the first in the world to jailbreak iOS 8 and iOS 9. Besides iOS, Pangu Lab has also made great progress in Android security research, and has developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.

POC started in 2006 and has been organized by Korean hackers and security experts. It is the biggest international security and hacking conference in Korea. POC concentrates on technical and creative discussion and shows real hacking and security. POC shares knowledge for the sake of the power of community, and believes that the power of community will make the world safer. POC has been making history with sincere staff, hackers from around the world, and sponsors since 2006.

Speakers
Explain JSC optimization measures in depth
S0rryMybad
ABSTRACT

JSC is the JS engine used in Safari (WebKit), and many optimization measures are applied during JIT compilation to improve the quality and speed of the generated code.

I will walk through 1-2 of the most complex bugs I've encountered so far, covering how to use profiling tricks to generate the opcode patterns I need, and many details of DFG optimization, such as DFGAI, opcode hoisting, CFG analysis, etc. I hope these slides can help you find and exploit bugs.

SPEAKER BIO

@S0rryMyBad is a security researcher in the Qihoo 360 Vulcan Team. He has pwned multiple browsers and the iPhone at Pwn2Own and TianfuCup.

Ranked 2nd in the MSRC Top 100.

Winner of a 2019 Pwnie Award for best privilege escalation bug.

A Practical New Framework for Blackbox Android Binary Fuzzing
Qidan He
ABSTRACT

Nowadays coverage-guided and structure-aware fuzzing could not be more popular, with tools like AFL and libFuzzer ready to use for various OSS libraries. But closed-source libraries are almost absent from this party, with few discussions and no public tools on how to apply coverage-guided fuzzing to them.

Fuzzing closed-source Android libraries poses new challenges: how do we instrument them? How do we emulate syscalls and the runtime on a different architecture? How do we effectively catch minor memory errors? Last but not least, since speed is crucial for a fuzzing campaign, what can be done to reduce performance overhead? In a word, can we come up with a framework that lets us fuzz them as easily and effectively as OSS libraries?

The answer is yes. In this presentation I will introduce a new fuzzing framework, DroidCorn, which can be used to fuzz Android closed-source libraries out of the box, scales across a cluster of x86 servers (no ARM device needed), and is written with performance in mind. We will discuss previous work on this topic, what we have done toward the ultimate goal, and real-world actions and findings.

SPEAKER BIO

Qidan He (a.k.a. Flanker) is Head of Security at a Nasdaq-listed company, formerly a senior researcher at KeenTeam/KeenLab, Tencent. His major experience includes vulnerability hunting and exploitation on *nix platforms and browsers, and defense-in-depth security for large-scale systems and enterprises. He is frequently credited in various security bulletins and advisories, most of them Google's and Apple's. He is the winner of the Pwn2Own 2016 OS X category and the Mobile Pwn2Own 2016 Android category, and a member of the Master of Pwn champion team in 2016 and 2017. He has spoken at conferences such as QMSS, Black Hat, REcon, CanSecWest, DEF CON, HITCON and PoC.

Understanding the Apple IO80211Family Subsystem
Wang Yu
ABSTRACT

Starting from iOS 13 and macOS 10.15 Catalina, Apple refactored the architecture of the 802.11 Wi-Fi client drivers and named the new-generation design IO80211FamilyV2. Compared with IO80211Family (V1), the Version 2 modules such as AppleBCMWLANCore integrate the original AirPortBrcm series drivers and further extend features such as Sidecar and Skywalk. These latest changes provide better support and protection for communication and data sharing between devices. Of course, we should also recognize that new features are always accompanied by new vulnerabilities and potential risks of attack.

This research delves into each of the affected Wi-Fi kernel components and explores new attack surfaces. I will also share more than a dozen iOS/macOS vulnerabilities. Through these brand-new cases, this presentation will help you better understand the design and security challenges of Apple's 802.11 Wi-Fi subsystem.

SPEAKER BIO

Wang Yu is a senior staff engineer at Didi Research America. He loves everything regarding the OS kernel, from kernel architecture, device driver development and rootkit/anti-rootkit solutions to vulnerability hunting, exploitation and mitigation. He has previously presented his research at Syscan360 2012/2013, Hitcon 2013, Black Hat USA 2014/2020, Black Hat Asia 2016, DEF CON 26 and other conferences.

Surge in the dark
slipper
ABSTRACT

The SoC shipped in new flagship phones is always the hottest topic among geeks. Qualcomm and MediaTek are the major players in the SoC market, and some manufacturers such as Apple, Huawei and Samsung have designed their own SoCs. To our surprise, Xiaomi has also developed its own SoC.

In 2017, Xiaomi released its first and only SoC, the Surge S1, which shipped in the Mi5c. However, the new device was discontinued within a few months, leaving us in the dark about the Surge S1.

Never before had we been so passionate and curious about Chinese chips. In this talk, I will explore the Mi5c and the Surge S1 from a security researcher's point of view, inspecting the Surge in the dark.

SPEAKER BIO

slipper is a security researcher from Pangu Team. He used to play Pwn2Own, DEFCON CTF and GeekPwn. Sometimes he livestreams hacking. He has done live shows on remote jailbreaking of the PlayStation 4 and the iPhone 8.

Attack Secure Boot of SEP
Hao Xu
ABSTRACT

Since the iPhone 5S, Touch ID and Face ID can be used to unlock the phone. To secure users' biometric data, Apple introduced the SEP (Secure Enclave Processor) to handle the passcode and biometric data.

The SEP has its own dedicated environment running its own SEPOS, with apps built on top of it. The only communication channel between the SEP and the AP (Application Processor) is the secure mailbox. So even if an attacker controls the AP, he cannot directly affect the SEP's code and data. The isolation architecture of SEP and AP secures user data to the greatest possible extent.

I guess most of you are already familiar with the secure boot of the AP on the iPhone. In fact, the SEP also has its own secure boot to load SEPOS. In this talk, we will reverse the SEPROM to understand the initialization process of the SEP. More specifically, we will detail the messages exchanged between the SEP and the AP as well as how the shared memory is set up. Meanwhile, the checkm8 exploit allows us to execute our own code during iBoot to talk to the SEP for testing. Finally, I will reveal some vulnerabilities in old devices which could enlarge the attack surface of the SEP's secure boot.

SPEAKER BIO

Hao Xu is a co-founder of Team Pangu. He has been involved in information security for more than 10 years. His research interests range across Windows/macOS/iOS vulnerabilities, malware analysis, hardware virtualization technology, and reverse engineering. He is a regular speaker at Black Hat, Syscan, POC and XCon.

Schedule

08:00 - 09:00  On-site Registration

09:00 - 09:50  Understanding the Apple IO80211Family Subsystem

09:50 - 10:40  A Practical New Framework for Blackbox Android Binary Fuzzing

10:40 - 11:00  Break

11:00 - 11:50  Explain JSC optimization measures in depth

12:00 - 13:30  Lunch

13:30 - 14:20  Surge in the dark

14:20 - 15:10  Attack Secure Boot of SEP

15:10 - 15:30  Break

15:30 - 17:20  BaiJiuCon (hosted by Thomas Lim)

17:20 - 17:30  Close
Hotel
Wanda Reign on the Bund
2020/07/24 (Friday)
No. 538 Zhong Shan Dong Er Road, Huangpu District