MOSEC (Mobile Security Conference) is co-hosted by the Pangu Team and the organizer of POC. The first MOSEC conference will be held in Shanghai, China. MOSEC will invite distinguished security professionals and researchers to present frontier research on security of mobile devices.
The Pangu Team consists of several senior security researchers and has focused on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014 and was the first to jailbreak iOS 8.
POC, the biggest hacker conference in South Korea, is highly reputable in Asia and in the world. POC 2015 will mark the 10th anniversary of this great conference.
Pangu Team
The Design, Implementation and Bypass of the Chain-of-trust Model of iOS
The closed software ecosystem of iOS relies heavily on the rigorous security mechanisms of iOS. This talk will analyze the design, implementation, and evolution of the security mechanisms in iOS along the timeline from device boot, kernel initialization, to creation and execution of a userland process, review the key steps in previous jailbreak tools for breaking the chain-of-trust model of iOS, share the critical techniques exploited by Pangu 7 and Pangu 8, and analyze and forecast potential attack surfaces for future jailbreaks.
The Pangu Team is a team of senior security researchers focusing on iOS security. The Pangu Team successively released untethered jailbreak tools for iOS 7.1.x and iOS 8.0-8.1 in 2014, becoming the first team in China to independently develop untethered jailbreaks and the first team in the world to jailbreak iOS 8.
Di Shen
Exploiting Trustzone on Android
In recent years, fingerprint scanning has been supported on many Android devices. Fingerprint scanning on ARM always needs an implementation of TrustZone. While we enjoy unlocking devices and paying by fingerprint, we also find that these new features bring some new attack surface.
Attacking the kernel of Android or the “secure world” of TrustZone may not be impossible.
Theoretically, devices developed with TrustZone technology can support a full Trusted Execution Environment (TEE). The TEE runs in a special CPU mode called “secure mode”, so memory for secure mode and security functions can be hidden from the “normal world”. In this way, Android vendors can supply many security features such as fingerprint scanning, DRM, kernel protection, secure boot and so on.
In this talk, I’ll present some new attack surface in the software architecture of Android phones with TrustZone, and show how to analyze a “secure world” and find some new vulnerabilities in such an “undocumented black hole”. Finally, I’ll exploit a bug in two ways: one for rooting Android’s “normal world” and disabling the newest SE for Android, the other for running shellcode in the “secure world”. With these exploits we can get the fingerprint image or bypass some other security features.
Di Shen (@returnsme) is a security researcher at Qihoo360. He has recently focused on vulnerabilities in Android applications, the framework and the kernel. His hobbies are console games, watching animation and the English Premier League. He was also a speaker at SyScan360 2014.
Jiahong Fang
How to Root 10 Million Phones with one Exploit
Android rooting is challenging, especially when you want to cover thousands of combinations of device+ROM. We are going to discuss the following topics, which may help you to achieve the goal:
James Fang is co-founder and researcher of Keen Team. He has been working on multiple research projects, and for the past year he has mostly focused on Android kernel vulnerabilities and exploitation. He's interested in writing root solutions which work on dozens of millions of Android devices.
Shuai Zhao
Yongkui Liu
Peel the onion
The prevalent use of packers for Android apps has become an obstacle for security audits and malware detection. In order to get the whole picture and reveal the real intent of an app, we analyze the most popular packers used by Android apps. To overcome the shortcomings of the existing Android app analysis tools, we devise an assistant toolkit. By combining this toolkit with others, such as IDA Pro, a reverse engineer can quickly locate the key code and gain insight into an app. Finally, we illustrate the procedure by taking the packer as an example.
Shuai Zhao is a researcher at Mobei Security, focusing on static analysis of Android apps. He has been a speaker at xkungfoo.
Yongkui Liu is a researcher at Mobei Security, focusing on dynamic analysis of Android apps.
Nicolas Joly
Pwning a Windows Phone, from shadow to light
Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, high focus on iOS and Android, but also strong security policies have made this target highly resistant to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all mitigations in place. Based on research conducted for mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.
Nicolas Joly is an independent security researcher focused on client-side vulnerabilities and a multiple Pwn2Own winner. He has seven years of experience in research and exploitation and spends his spare time growing trees and playing with cats.
SysSec Lab (KAIST)
Exploiting Sensing Channel for Embedded Systems
Due to advances in embedded hardware and software technologies, embedded systems are becoming smaller and smaller every day. Today, many embedded devices such as wearable devices, medical devices, and drones have mobility. These embedded devices are basically sensing-and-actuation systems. For these embedded devices, therefore, sensors are necessary to sense electromagnetic signals (antenna), sound (speaker), rotation (gyroscope) and so on. The sensors can suffer from intentional interference through not only legitimate channels, but also non-legitimate channels. Failures in the embedded systems can then be caused by the abnormal sensing data. In this talk, we will suggest the existence of an actual threat related to sensing or sensors, with some proof-of-concept cases.
SysSec (System Security) is a security research lab in the KAIST Graduate School of Information Security (Korea). We are interested in the security of emerging and current systems. Our research involves the design and implementation of novel attacks, and developing countermeasures against such attacks. We currently focus on 1) security issues for Cyber Physical Systems (CPSs) such as sensors, medical devices, smart grid, and automobiles, 2) control plane security of mobile networks and the Internet, and 3) penetration testing of Korean cyber infrastructure.
Jason Shirk
Microsoft Bug Bounty Program: Data Behind the Scenes
Microsoft has been working with security researchers for a long time as part of a robust security regimen, which we continue to value and drive passionately. Bug bounties are an increasingly important part of the vulnerability research and defense ecosystem. We believe that bounties will continue to evolve over time, and will be regularly managing the Microsoft Bounty Programs. In this talk Jason will be talking about what we've seen to date, what we've learned, and diving more deeply into the data behind running the Bug Bounty Programs at Microsoft.
Jason Shirk is a Principal Security Strategist at Microsoft and runs their Bug Bounty Program (aka.ms/bugbounty). He has spent a number of years in both the software security and user data privacy spaces, with roles from owning Microsoft’s Fuzzing Strategy and toolkit to the Security Architect for Bing, penetration test and endpoint security at Bell Labs/Avaya, to now driving overall Security Ecosystem Strategy for Microsoft. Jason speaks regularly at external Security & Privacy conferences, as well as advising program owners across Microsoft and the industry on the evolving nature of building secure software, with user privacy in the forefront.
08:00 - 09:00 | On-site Registration |
09:00 - 09:10 | Welcome Speech |
09:10 - 10:00 | Exploiting Trustzone on Android | Di Shen
10:00 - 10:50 | Pwning a Windows Phone, from shadow to light | Nicolas Joly
10:50 - 11:10 | Break |
11:10 - 12:00 | How to Root 10 Million Phones with one Exploit | Jiahong Fang
12:00 - 13:30 | Lunch |
13:30 - 14:20 | Microsoft Bug Bounty Program: Data Behind the Scenes | Jason Shirk
14:20 - 15:10 | Peel the onion | Shuai Zhao/Yongkui Liu
15:10 - 16:30 | Break |
15:30 - 16:20 | Exploiting Sensing Channel for Embedded Systems | SysSec Lab (KAIST)
16:20 - 17:10 | The Design, Implementation and Bypass of the Chain-of-trust Model of iOS | Pangu Team
17:10 - 17:30 | Close |