The Mobile Security Conference (MOSEC) is organized by Team Pangu and PoC and was first held in 2015. MOSEC focuses on cutting-edge research topics in the area of mobile security, fosters information exchange among researchers and practitioners, and has received high praise from both attendees and the community.

MOSEC 2019 will be held on May 30-31, 2019 at the Shanghai Marriott Hotel City Centre in Shanghai, China. Following the success of the past events, MOSEC 2019 will cover hot topics in security research on mobile browsers, apps, iOS/Android, IoT, industrial control systems, 4G networks, and vehicles, and will continue to facilitate the sharing of the most advanced knowledge and technology. MOSEC 2019 will bring excellent security researchers to present their frontier studies to the world.

Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. The members of the Pangu Lab have discovered hundreds of 0day vulnerabilities in major operating systems and applications, and have presented many papers and talks at premier forums such as Black Hat, CanSecWest, Syscan, RUXCON, HITCon, PoC, XCon, IEEE S&P, USENIX Security, ACM CCS, and NDSS.

Pangu Lab's current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9, and was the first in the world to jailbreak iOS 8 and iOS 9. Besides iOS, Pangu Lab has also made great progress in Android security research, and has developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.

POC started in 2006 and has been organized by Korean hackers and security experts. It is the biggest international security and hacking conference in Korea. POC concentrates on technical and creative discussion and shows real hacking and security. POC shares knowledge for the sake of the power of community, and believes that the power of community will make the world safer. POC has been making history with sincere staff, hackers from around the world, and sponsors since 2006.

Speakers
A Study in PAC
Brandon Azad
Introduction
Apple continues to introduce hardware mitigations to make iPhone exploitation more difficult. In this talk we'll analyze Apple's implementation of Pointer Authentication on the A12 SoC, which was significantly hardened over the original ARM design to protect against kernel attackers. Starting with kernel read/write, we'll analyze the behavior, speculate about the implementation, and try to find ways to bypass it. I'll walk through 5 different techniques I discovered to bypass PAC and gain kernel code execution.
Speaker
Brandon Azad is a security researcher at Google Project Zero specializing in macOS and iOS.
Nailgun: Break the privilege isolation on ARM
Zhenyu Ning, Fengwei Zhang
Introduction

Processors nowadays are consistently equipped with debugging features to facilitate program debugging and analysis. Although the debugging architecture has been available for years, the security of the debugging features is under-examined, since using them normally requires physical access in the traditional debugging model.

Since ARMv7, ARM has offered a debugging model that requires no physical access. In this model, a host processor is able to pause and debug another target processor on the same chip (inter-processor debugging). The idea of the Nailgun attack is to misuse this inter-processor debugging, since it allows the debug host to pause and debug the target even when the target runs at a higher privilege.

Our experiments discover a number of vulnerable devices, including IoT devices like the Raspberry Pi, all commercial ARM-based cloud platforms, and mobile phones from Huawei, Motorola, and Xiaomi. For further verification, we show that the Nailgun attack can be used to access the Secure Configuration Register (which is only accessible in the secure state) on the Raspberry Pi, and to extract the fingerprint image stored in the secure memory of the Huawei Mate 7 with a non-secure kernel module.

Speaker

Zhenyu Ning is a Ph.D. candidate in the Computer Science Department at Wayne State University. He received his master's degree in computer science from Tongji University in 2011. His research interests are in the areas of hardware-assisted system security, embedded systems, and trusted execution environments.

Fengwei Zhang is the Director of the COMPASS (COMPuter And Systems Security) Lab and Assistant Professor in the Department of Computer Science at Wayne State University. He received his Ph.D. degree in computer science from George Mason University in 2015. His research interests are in the areas of systems security, with a focus on trustworthy execution, hardware-assisted security, transportation security, and plausibly deniable encryption. Fengwei has more than 10 years of working experience in systems security. His work has been well recognized by the security community, and he has published more than 30 top-tier conference/journal papers.

Billion-users' file at risk: a comprehensive research and exploit of nearby file transfer apps
Xiangqian Zhang, Huiming Liu
Introduction

Nearby sharing apps are very convenient and fast for transferring files and have been pre-installed on billions of devices. However, this convenience comes with a price. We found that most of them also open a door for attackers to steal your files, and even more.

First, we did comprehensive research on all top mobile vendors' pre-installed nearby sharing apps by reverse engineering. Many serious vulnerabilities were found in most of them and reported to the vendors. Algorithm and design flaws in these apps can lead to file leaking and tampering, privacy leaks, arbitrary file downloads, and even remote code execution. In this talk, we will present the details of all the related vulnerabilities and exploit techniques. Next, we conducted the same research on many third-party file sharing apps and found that they are even worse in terms of security, and are used by a surprising more than 1 billion users. Files transferred between them are nearly naked when our MITM attack devices are nearby. Finally, we will summarize all the attack vectors and two common attack models. We will also present the attack demos and related tools.

We will also present our practical mitigations. Currently, we are working with most of the top Android vendors to mitigate these vulnerabilities. Through this talk, we want to urge users and mobile vendors to pay more attention to this serious situation and to fix it better and sooner.

Speaker

Xiangqian Zhang is a security researcher at Tencent Security Xuanwu Lab, and his research focuses on mobile security. He has found multiple Android kernel and system security vulnerabilities.

Huiming Liu is a security researcher at Tencent Security Xuanwu Lab, and his research focuses on mobile security and IoT security. Huiming has spoken at several security conferences, including CanSecWest and Black Hat Asia.


The Birdman and Cospas-Sarsat Satellites
JingLi Hao
Introduction

The International Cospas-Sarsat Programme is a satellite-based search and rescue system. When its signals were analyzed, it was found that this system was seriously disturbed. At the same time, other vulnerable parts of the system, and the possibility of it being attacked, were also found.

Speaker

JingLi Hao is a security researcher at the 360 Security Research Institute, a member of Unicorn Team, and a satellite hacker.

Fuzzing Cellular Networks for fun and profit - if allowed
Yongdae Kim
Introduction

To prevent unexpected failures, LTE security features have been defined in standards bodies such as 3GPP, but several studies have disclosed LTE vulnerabilities such as DNS hijacking, DoS attacks using a false base station, and user location tracking. However, none of these studies focused on analyzing network-side problems in operational LTE networks, although vulnerabilities of this nature can affect a large number of subscribers once exploited. Motivated by the fact that the control plane components in LTE are still under-explored, we investigated potential problems in the control plane procedures of operational LTE networks (as well as cellular modems) by dynamically analyzing the core network responses to carefully crafted malicious inputs.

In this presentation, I will introduce LTEFuzz, a semi-automatic testing tool for LTE, which performs an extensive investigation of the security aspects of LTE control plane procedures. LTEFuzz dynamically generates and sends test cases to a target network or device, and then deterministically classifies problematic behavior by inspecting only the responses from the target as seen at the tester and the victim device. To generate the test cases systematically, we first derived three security properties by extensively analyzing the correct behavior of network components and the security requirements mandated in the 3GPP specifications. By conducting tests against operational networks, we found 51 vulnerabilities (36 new and 15 previously known), which are mainly caused by the improper handling of 1) unprotected initial procedures, 2) crafted plain requests, 3) messages with invalid integrity protection, 4) replayed messages, and 5) security procedure bypass. I will show new attack scenarios that exploit the vulnerabilities we found in operational networks, and I will present precise root cause analysis and potential countermeasures to address these problems.

Speaker

Yongdae Kim is a Professor in the Department of Electrical Engineering, an affiliate professor in the Graduate School of Information Security, and director of the Cyber Security Research Center at KAIST. He received his PhD from the computer science department at the University of Southern California under the guidance of Gene Tsudik. Between 2002 and 2012, he was an assistant/associate professor in the Department of Computer Science and Engineering at the University of Minnesota - Twin Cities. Before coming to the US, he worked for 6 years at ETRI on securing Korean cyberinfrastructure. He served as a KAIST Chair Professor between 2013 and 2016, and received an NSF CAREER award on storage security and the McKnight Land-Grant Professorship Award from the University of Minnesota in 2005. Currently, he is serving as an associate editor for ACM TOPS, and he was a steering committee member of NDSS between 2012 and 2018. His main research includes novel attacks and analysis methodologies for emerging technologies, such as cyber-physical systems (drones and self-driving cars), 4G/5G cellular networks, and blockchain.

DramaQueen - A walkthrough of Drammer + Rampage
Victor van der Veen
Introduction

Over the last two years, the Rowhammer bug transformed from a hard-to-exploit DRAM disturbance error into a fully weaponized attack vector. Researchers demonstrated exploits not only against desktop computers, but also used single bit flips to compromise the cloud and mobile devices, all without relying on any software vulnerability. This talk will dive into that last category, covering a technical walkthrough of the Drammer (2016) and Rampage (2018) privilege escalation exploits for Android.

After a brief recap of the Rowhammer bug and how we can trigger it on mobile (ARMv7/ARMv8) devices, we dive into Phys Feng Shui (PFS), our technique for surgically manipulating the layout of physical memory. We show how Android's /dev/ion enables PFS attacks by giving the attacker an interface to a physically contiguous memory allocator. Exploiting the ion interface, we land page tables at precise locations in memory, forming the base for the first deterministic Rowhammer-based privilege escalation attack, Drammer. We then evaluate Google's deployed fix: the removal of the ion contiguous heap. This sets the stage for the second part of this talk, where we detail our second attack, Rampage. We describe novel techniques to re-enable PFS without having to rely on a contiguous memory allocator anymore.

In our conclusion, we touch on possible Rowhammer mitigations and speculate what Rowhammer will bring us in the future.

Speaker

Victor van der Veen is a product security engineer at Qualcomm. Before joining the San Diego-based chip maker, he pursued his PhD in the VUSec group at Vrije Universiteit Amsterdam, where he also obtained his MSc degree in Computer Science. Under the wings of prof. dr. ir. Herbert Bos, his research revolved around memory errors, both in software (code-reuse attacks) and hardware (Rowhammer exploitation). Victor was the first to show that mobile devices are vulnerable to the Rowhammer bug. This work (Drammer, Rampage, and Guardian) was covered by international media and was recognized with multiple awards, including a Pwnie at Black Hat USA in 2017. He was also involved in the development of TraceDroid and Andrubis, two publicly available services for analyzing (malicious) Android apps.

A new way to execute shellcode in Android user space
Chi Zhang, Hongli Han
Introduction

A complete privilege escalation case in Android user space is a once-in-a-blue-moon event, thanks to the well-designed Android security framework: a generic, extensible, multi-layered access control framework.

To make exploitation much more difficult, Android adopts mitigations that prevent shellcode execution. Since Android N, a set of strict SELinux rules has restricted system_server from creating executable memory, which makes shellcode execution almost impossible.

To bypass these mitigations, we propose an entirely new way that uses the Java VM environment to run Java bytecode instead of traditional native shellcode. Since it is shell data rather than shellcode, there is no need for executable memory anymore.

As a case study, we will introduce an interesting vulnerability whose root cause is in kernel space but which affects processes in user space. It can be used to attack any privileged process that a normal application can talk to through Binder. We will exploit it to gain system privilege and run the evil code using the mitigation bypass technique.

Speaker

Chi Zhang is a security researcher on the C0RE Team of Qihoo 360 Inc., focusing on Android framework vulnerability hunting and exploitation.

Hongli Han (@hexb1n) is a security researcher on the C0RE Team of Qihoo 360 Inc. He is interested in AOSP and kernel bug hunting and exploitation. In the past years, he has submitted a series of vulnerability reports to Google's Android Security Rewards program and received corresponding public recognition for the vulnerabilities disclosed.

Reference Counting Issues in XNU
Qixun Zhao
Introduction

XNU uses a reference counting mechanism to manage the life cycle of many kernel objects. In my talk I will introduce the mechanism, its exploit mitigations, and two bugs in it.

The first bug is CVE-2019-6225, which I used in the TianfuCup 2018 Remote Jailbreak. I will talk in detail about how to find this bug and how to use it to get tfp0.

The second, similar bug is CVE-2019-8528, which was fixed in iOS 12.2. Both vulnerabilities were reachable from any sandbox, so they were very critical.

Speaker

Qixun Zhao (@S0rryMybad) is a security researcher on the Qihoo 360 Vulcan Team.

He focuses on major browsers and macOS/iOS.

He pwned the Safari category in Pwn2Own 2017 and Mobile Pwn2Own 2017.

He achieved a remote jailbreak (from Safari to kernel) on the iPhone X and completed Edge, Chrome, and Safari (macOS) RCE at TianfuCup 2018, winning the "Best Solo Pwning" award at TianfuCup 2018.

He ranked 23rd in the MSRC 2018 Top 100.

The New Rise of Mobile Network and Baseband
Marco Grassi
Introduction

In the past year there has been a lot of talk about new radio technologies, especially 5G.

In this talk we will take a look at a modern smartphone baseband and also the future technologies that are approaching this area, and how they will affect smartphones, IoT devices, cars, and critical infrastructure.

We will see what a baseband looks like today on the iPhone with the new Intel baseband, and speculate about what basebands might look like tomorrow.

Speaker

Marco Grassi (@marcograss) is currently a Senior Security Researcher at Tencent's KeenLab (previously known as Keen Team). He is part of the team that won the "Mobile Master of Pwn" title in Tokyo at Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with sandbox escape to root. He is a member of the team that won the title of "Master Of Pwn" at Pwn2Own 2016. He found a VMware escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi exploit at Mobile Pwn2Own 2017, where the team was awarded "Master Of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB, and ShakaCon.

Burned in Ashes: Baseband Fairy Tale Stories
Guy
Introduction

What would happen if you found a remotely exploitable vulnerability in one of your peripherals?

What would happen if it were in one of the most crucial communication processors your device has?

Baseband research has a high entry barrier that keeps out all but the most well-funded organizations.

While baseband analysis remains one of the least-explored areas in the public domain, many researchers don't know that it is not rocket science.

Even though the baseband is not well explored, some vulnerabilities exploitable over the air have been found and patched; these will be examined and explained.

In this talk I will show my methods and experience with reverse engineering and root-causing several vulnerabilities that were reported by various researchers and patched in the past year.

Speaker

Guy (@shiftreduce) is a freelance security researcher mostly interested in low-level research.

When he's not reversing embedded stuff, he usually plays Zelda BOTW and Super Smash Bros. Ultimate, and creates super cute gifts for his girlfriend.

EL3 Tour: Get the Ultimate Privilege of Android Phone
Guanxing Wen
Introduction

ARM TrustZone technology is widely deployed on modern devices. Current implementations of TrustZone divide privilege into 4 levels (EL0 to EL3) and 2 worlds (secure and non-secure). Normal world kernel privilege only provides a non-secure EL1 view; many interesting details of the device remain hidden or encrypted in the secure world. Related research in the past has mainly focused on Trusted Applications and the trusted kernel. Though some of it managed to gain secure EL0/EL1 privilege via exploits, very few have touched the field of EL3, especially on Android phones. Starting from non-secure EL1, this talk will take a deep dive into the EL3 implementation of a very popular Android phone.

The subjects will include an overview of the relationship between EL3 and the two worlds; attack surface analysis and the procedure of finding an exploitable vulnerability (fixed last July) on this particular device; a step-by-step exploit to run shellcode under EL3 privilege; and finally an example of how powerful the EL3 privilege can be.

Speaker

Guanxing Wen is a member of Pangu Team. His focus includes performing root-cause analysis and exploit development. His primary interests are low-level and firmware security for Android devices. Previously, his work has been presented at Infiltrate, Black Hat, 44con, Xcon, and others.

A Few JSC Tales
Luca
Introduction

The landscape of RCE vulnerabilities for iOS is quickly changing due to ever-increasing mitigations. This talk will go through an old WebKit RCE vulnerability to demonstrate a common bug class and the impact of mitigations on its exploitation. Additionally, an example of a high-quality bug in the JavaScript engine capable of bypassing all current mitigations will be shown.

Speaker

Luca (aka @qwertyoruiopz) is a talented young Italian security researcher who likes looking into hardened devices. He released the Yalu jailbreak for 10.2 last year and introduced a way to fully bypass KPP. He has hacked devices like the iPhone, PS4, and Nintendo Switch.

Schedule
05.30 DAY 1

08:00 - 09:00

On-site Registration

09:00 - 09:05

Welcome Speech

09:05 - 09:55

The Birdman and Cospas-Sarsat Satellites

09:55 - 10:45

Fuzzing Cellular Networks for fun and profit - if allowed

10:45 - 11:05

Break

11:05 - 11:55

Reference Counting Issues in XNU

12:00 - 13:30

Lunch

13:30 - 14:20

DramaQueen - A walkthrough of Drammer + Rampage

14:20 - 15:10

Billion-users' file at risk: a comprehensive research and exploit of nearby file transfer apps

15:10 - 15:30

Break

15:30 - 16:20

A Study in PAC

16:20 - 17:10

Burned in Ashes: Baseband Fairy Tale Stories

05.31 DAY 2

08:00 - 09:00

On-site Registration

09:00 - 09:50

A new way to execute shellcode in Android user space

09:50 - 10:40

The New Rise of Mobile Network and Baseband

10:40 - 11:00

Break

11:00 - 11:50

Nailgun: Break the privilege isolation on ARM

12:00 - 13:30

Lunch

13:30 - 14:20

EL3 Tour: Get the Ultimate Privilege of Android Phone

14:20 - 15:10

A Few JSC Tales

15:10 - 15:30

Break

15:30 - 17:20

BaiJiuCon (hosted by Thomas Lim)

17:20 - 17:30

Close

Hotel
555 Xi Zang Road (Middle), Huangpu District, Shanghai
Shanghai Marriott Hotel City Centre
2019/05/30 - 2019/05/31