MOSEC

The closed software ecosystem of iOS heavily replies on the rigorous security mechanisms of iOS. This talk will analyze the design, implementation, and evolution of the security mechanisms in iOS along the timeline from device boot, kernel initialization, to creation and execution of a userland process, review the key steps in previous jailbreak tools for breaking the chain-of-trust model of iOS, share the critical techniques exploited by Pangu 7 and Pangu 8, and analyze and forecast potential attack surfaces for future jailbreaks.

These years fingerprint scanning has been supported in many Android devices.Fingerprint scanning on ARM always need an implementation of TrustZone.While we enjoy unlocking device and paying by fingerprint,we also figure out these new features bring out some new attack surface.

Attacking the kernel of Android or the "Secure world" of TrustZone may be not impossible.

Theoretically，devices developed with TrustZone technology can support a full Trusted Execution Environment(TEE).TEE runs in a special CPU mode called “secure mode”,so memory for secure mode and security functions can be hidden to “normal world”. In this way,Android vendors can supply many secure features such as fingerprint scanning,DRM,kernel protection,secure boot and so on.

In this talk,I’ll provide some new attack surface in software architecture of Android phone with Trustzone,and show how to analyze a “secure world” and find some new vulnerabilities in such a “undocumented black hole”.Finally I’ll exploit a bug in two ways,one way for rooting Android’s "normal world” and disable the newest SE for Android,the other way for running shellcode in “secure world”.With these exploits we can get the fingerprint image or bypass some other security features.

Android rooting is challenging, especially when you want to cover thousands of combinations of device+ROM. We are going to discuss following topics which may help you to achieve the goal:

• 1. Picking a suitable vulnerability, or find your own
• 2. Say no to hard-code offsets
• 3. Defeating SELinux and other root "mitigations"

The prevalent usage of packer for android app becomes an obstacle for security audit and malware detection. In order to get a whole picture and reveal the real intent of an app, we analyze the most popular packers used by android app. To conquer shortcomings of the now existing android app analysis tool, we devise an assistant toolkit. By combining this toolkit and others, IDA Pro, etc., a reverse engineer can fast locate the key code and look insight of an app. At last, we illustrate the procedure by taking the packer as example.

Although Windows has a long history of vulnerabilities and exploit techniques, Windows Phone OS has proven to be much harder to exploit than its cousin. Low market share, little public research, high focus on IOS and Android, but also strong security policies made that target highly resistent to massive pwnage. But as often happens with exploits, a good vulnerability such as a write-what-where condition is usually enough to defeat all mitigations in place. Based on research conducted for mobile Pwn2Own 2014, this talk will depict the road taken to get a working exploit for Internet Explorer Mobile running on WP 8.1.

Due to advances in embedded hardware and software technologies, embedded systems are becoming smaller and smaller every day. Today, many embedded devices such as wearable devices, medical devices, and drones have mobility. These embedded devices are basically sensing-and-actuation systems. For these embedded devices, therefore, the sensors are necessary to sense electro-magnetic signal (antenna), sound (speaker), rotation (gyroscope) and so on. The sensors can be suffering for intentional interference through not only legitimate channels, but also non-legitimate channels. Then the failure in the embedded systems can occur by the abnormal sensing data. In this talk, we will suggest an existence of an actual threat related to sensing or sensors with some proof of concept cases.