Ian Beer
Build your own iOS kernel debugger
Time 2018/06/22
Introduction
In this talk I'll cover the development of an iOS kernel debugger for stock devices. The talk will cover the low-level details of ARM64 exception handling in XNU, the KDP remote debugger protocol and how it's possible to build a local kernel debugger with breakpoint support without modifying kernel code.
Speaker
I do vulnerability research and exploit development at Google on the Project Zero team.
Amat Cama
A walk with Shannon - A walkthrough of a pwn2own baseband exploit
Time 2018/06/22
Introduction
Mobile devices have become quite complicated in the past 10 years. Today they feature a number of embedded chips which are tasked with handling things such as Wifi, Bluetooth and cellular communications. These chips run firmware with which a malicious third party can interact over the air, but unfortunately they have not had enough scrutiny from the security community. This talk will focus on the Samsung Shannon Baseband and how it was successfully exploited at Mobile Pwn2Own 2017.
First, we will give an overview of cellular technologies (GSM, 3G, 4G) from a security standpoint. Then we will delve into the internals of the Shannon Baseband and show how to identify vulnerabilities that are exploitable over the air. Finally, we will show how to exploit one of these vulnerabilities.
Speaker
Amat is an independent security researcher based in Senegal. He has previously worked as a Penetration Tester at Virtual Security Research, a Research Assistant at the University of California, Santa Barbara Seclab, a Product Security Engineer at Qualcomm and a Senior Security Researcher at Beijing Chaitin Technology Co. In 2016 he won a hall of fame prize at Geekpwn Shanghai for his demo of a remote exploit against the Valve Source Engine. In 2017, he successfully demonstrated a baseband exploit against the Samsung Galaxy S8 at Mobile Pwn2Own in Tokyo as an individual contestant. acez is also an avid CTF player.
Arthur Garipov
Chaouki Kasmi
Smash the Stack: Security of LTE-enabled Smartphones
Time 2018/06/22
Introduction
The evolution of telecom networks and architectures has improved the security level of mobile communications. While 5G is still under standardization, 3G fixed the main authentication and confidentiality issues of 2G, and the 4G/LTE standards defined in 3GPP Release 8 and later, enriched with new features, represent the latest security upgrade of mobile networks. Nevertheless, security and privacy issues remain inherent to the mobile network, as devices are still exposed to IMSI-catchers and related attacks as well as to backward compatibility with 2G. Many studies have been devoted to the analysis of the security of 2G, 3G and 4G networks thanks to a dynamic open source community. Starting with the OpenBTS projects for GSM and continuing to 4G eNodeBs and core network components, multiple vulnerabilities have been uncovered either in the stack implemented in the smartphone's baseband or in network components (e.g. femtocells). Interestingly, an open source solution fully implemented in Python, namely Pycrate, has proven very effective at detecting vulnerabilities in basebands. The setup used to test mobiles combined Pycrate with either an open source implementation of the eNodeB or a commercial one (Amarisoft). Interesting vulnerabilities have been uncovered.
In the framework of the Mobile and Telecom Lab research activities for hardening user equipment, it was decided to build a dedicated testbed to test basebands from various manufacturers. The testbed combines OpenAirInterface/OpenLTE with Pycrate and a specific plugin. This plugin has been developed to craft and send specific messages through the core network, which are then delivered by the eNodeB to the targeted device. Known vulnerabilities previously triggered by modifying the eNodeB have been re-implemented so that they can be served from the plugin instead. One example is the LTE DoS/redirection attack presented at DEFCON 2016. During the presentation, we will show how to configure and connect Pycrate with open source eNodeBs. The designed and implemented plugin will be described. Finally, the implemented messages will be discussed and the resulting vulnerabilities will be exposed. Additional results will be shown to the audience.
Speaker
Arthur Garipov and Chaouki Kasmi are security researchers at Mobile and Telecom Lab, DarkMatter LLC.
Arthur has been working 2.5 years at Positive Technologies on DPI and Telecom after his 3-year experience in SCADA/ICS. His work on Wireless Security and Embedded devices has been published in multiple conferences.
Chaouki has been working 8 years at the Wireless Security Lab of the French Network and Information Security Agency as an Electromagnetic and Wireless Security researcher. During the last 8 years he has published more than 70 papers in national and international conferences and received several awards and prizes. He has been an HPEM Life Fellow of the High Power Electromagnetic community (Summa Foundation) since 2016.
Linan Hao
Long Liu
Qixun Zhao
Remote Code Execution in Mobile Browser - The Mobile Pwn2Own Case Study
Time 2018/06/22
Introduction
In recent years, mobile browser security has been one of the most popular security research topics. Browser vendors keep patching bugs and adding new exploit mitigations at both the browser and OS level, which makes it harder and harder to get remote code execution in modern mobile browsers. In Mobile Pwn2Own 2017, the 360 Vulcan team successfully achieved remote code execution on an iPhone 7 twice, by attacking WiFi and Mobile Safari. In this talk, we will discuss the remote code execution bugs we prepared (used and not used) for Mobile Pwn2Own 2017, including a WebKit JIT bug, a WebKit DOM bug, and a Chrome JS engine bug. We will disclose the details of these bugs as well as how we found them and how we exploited them. It is worth mentioning that we used 2 WebKit JIT bugs in the contest. In the past year, JIT bugs in browsers have been getting more and more attention from security researchers. We will also discuss such bugs.
As a generic exploit mitigation technique, the isolated heap has been successfully used in many web browsers such as Chrome, Firefox, Edge and Internet Explorer. We noticed that starting in late 2017, Apple also began adding this mitigation to WebKit and JavaScriptCore. The isolated heap mitigation has a significant impact on remote code execution exploits in WebKit. It makes the exploitation of DOM UAF bugs much harder, and many DOM UAF bugs become unexploitable. It also makes exploit techniques such as heap spraying and arbitrary memory read/write harder. In this speech, we will introduce the implementation and impact of the isolated heap mitigation. We will also introduce the backup Safari exploit plan we prepared for the contest, assuming that the isolated heap would be turned on at the time of the contest (while it was not?). By comparing the differences between the original exploit and the backup exploit, we can better understand the impact of this mitigation.
Speaker
Hao Linan (@holynop) works at 360 Vulcan Team. He has participated in the Pwn2Own 2015/2016/2017, PwnFest 2016 and Mobile Pwn2Own 2017 contests with the Vulcan team. He also joined the Microsoft Mitigation Bypass Bounty and Microsoft Edge Bounty programs and made the MSRC Top 100 in 2015/2016/2017. He has given various talks at Black Hat, 44CON and HITB conferences.
Liu Long is a security researcher at 360 Vulcan Team. He joined Pwn2Own 2017/Mobile Pwn2Own 2017 and won the prize. He was on the MSRC Top 20 list for three years.
Zhao Qixun works at 360 Vulcan Team. He focuses on browser and macOS/iOS security. He joined Pwn2Own 2017/Mobile Pwn2Own 2017 and won the prize. He has pwned Edge multiple times and ranked 43rd in MSRC 2017. He has also found many Chrome/Safari bugs and been credited by Google and Apple.
Alec Guertin
Bread: When SMS Fraud is on a Roll
Time 2018/06/22
Introduction
In 2010 the first malware sample discovered on the Android operating system, FakePlayer, sent premium SMS messages without users' consent. Eight years later, SMS fraud is still a popular way for malware authors to monetize their applications. However, as prevention efforts increase and detection methods become more advanced, malware authors have to go to greater lengths to avoid detection.
In this talk we introduce Bread, one of the largest malware families seen by Google Play Protect. We will cover the evolution of this family and provide an in-depth analysis of the creative techniques used by the authors to attempt to evade detection and trick users. A few of these techniques include tailoring content based on the runtime environment, fake disclosure statements, and sending SMS with native code or JavaScript loaded from a remote server.
Speaker
Alec works as a software/reverse engineer for Google Play Protect. He focuses on researching and developing methods for detecting malicious software targeting the Android operating system.
Shmarya Rubenstein
A Tale of Two Mallocs: On Android libc Allocators
Time 2018/06/22
Introduction
Android's libc allocator uses one of two malloc implementations: dlmalloc or jemalloc. This talk explores the technical details of these malloc implementations with a deep dive into the pertinent details of each of them, with the goal of understanding exactly how they function. Details of the allocation and free algorithms will be discussed, as well as the data structures and metadata used by each allocator. We will also discuss various techniques that can be used when trying to perform heap shaping and exploitation of heap buffer overflows on Android devices using these allocators. The talk approaches the allocators from the perspective of an exploit developer trying to exploit an Android heap memory corruption bug.
Speaker
Shmarya Rubenstein has been working as a professional offensive security researcher for over 12 years. He was a senior technical leader at Cisco's Security Threat Analysis and Reverse Engineering center before moving to NSO Group to work as an offensive security researcher. He is a born-in-the-blood hacker whose greatest joy is breaking complex software and hardware systems. He has worked on a large range of targets, specializing in reverse engineering, vulnerability discovery and exploit development, focusing on embedded and mobile platforms. He is at home with reversing on multiple architectures and operating systems, as well as with soldering irons, oscilloscopes and logic analyzers. He has contributed to multiple open source projects, including porting the Frida binary instrumentation framework to MIPS, ARM-Linux and ARM-QNX. One of the challenges he faces on a day-to-day basis is creating stable, widely applicable exploits for vulnerabilities on the Android platform.
Xerub
A look back at Apple's iBoot
Time 2018/06/22
Introduction
One of the cornerstones of a secure mobile device is the secure bootchain. In this talk I'll cover the development and framework of an exploit for Apple's iOS iBoot, as well as other security aspects, weaknesses and bugs.
Speaker
Xerub has been working as a professional security researcher for about 12 years. Defender by day and hacker by night, he specializes in reverse engineering, malware analysis, emulation and occasional iOS exploit development for fun.