The Mobile Security Conference (MOSEC) is organized by Team Pangu and PoC and was first started in 2015. MOSEC focuses on cutting-edge research topics the area of mobile security, fosters information exchange among researchers and practitioners, and received high praise from both the attendees and the community.

MOSEC 2020 will be held on Friday, July 24, 2020 at the Wanda Reign hotel, in Shanghai, China. Following the success of the past events, MOSEC 2020 will continue to facilitate the most advanced knowledge and technology sharing. MOSEC 2020 will bring excellent security researchers to present their frontier studies to the world.

Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. The members of the Pangu Lab discovered hundreds of 0day vulnerabilities in major operating systems and applications, and presented many papers and talks at the premier forums such as Black Hat, CanSecWest, Syscan, RUXCON, HITCon, PoC, XCon , IEEE S&P, USENIX Security, ACM CCS, and NDSS.

Pangu Lab’s current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu was also the first to jailbreak iOS 8 and iOS 9 in the world. Besides iOS, Pangu Lab also made great progress in Android security research, and developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.

POC started in 2006 and has been organized by Korean hackers & security experts. It is the biggest international security & hacking conference in Korea. POC concentrates on technical and creative discussion and shows real hacking and security. POC will share knowledge for the sake of the power of community. POC believes that the power of community will make the world safer. POC has been making a history with sincere staffs, hackers from the world, and sponsors since 2006.

Speakers
Explain JSC optimization measures in depth
@S0rryMybad
ABSTRACT

JSC is a JS engine used in Safari (Webkit), and many optimization measures are used to improve the quality and speed of code during JIT.

I will combine 1-2 the most complex bugs I've encountered so far, involving how to use profile trick to generate the opcode patterns I need, and many details of DFG optimization, such as DFGAI, opcode hoist, CFG Analysis, etc. I hope this slide can help you for finding and exploiting bugs.

SPEAKER BIO

@S0rryMyBad is a security researcher in Qihoo 360 Vulcan Team. He pwned multiple browsers and iPhone in Pwn2Own and TianfuCup.

Rank 2 in MSRC TOP 100.

Winner of Pwnie 2019 for best privilege escalation bug.

A pratical New Framework for Blackbox Android Binary Fuzzing
Qidan He
ABSTRACT

Nowadays coverage-guided and structure-aware fuzzing cannot be more popular, with tools like AFL and libfuzzer ready-to-use for various OSS libraries. But closed source ones are almost absent in this party, with few discussions and no public tools on how to apply coverage guided fuzzing to them.

Fuzzing closed-source android libraries proposes new challenges, how do we apply instrumentation to them? How do we emulate syscalls and runtime on a different architecture? How do we effectively catch minor memory errors? Last but not least, since speed is the crucial part for fuzzing campaign, what efforts can be taken to reduce performance overhead? In a word, can we come up with a framework that enables us to fuzz them as easily and effective as for OSS libraries?

The answer is yes. In this presentation I will come up with a new fuzzing framework - DroidCorn, which can be used to fuzz android closed-source libraries out-of-the-box, scalable across cluster of x86 servers (no arm device needed), written with performance in mind. We will discuss previous work on this topic and what we have done for the ultimate goal, and real-world actions&findings.

SPEAKER BIO

Qidan He (a.k.a Flanker) is Head of Security at a Nasdaq-listed company, formerly senior researcher at KeenTeam/KeenLab, Tencent. His major experience includes vulnerability hunting & exploitation on *nix platforms and browsers and security defense-in-depth of large-scale system and enterprise. He is frequently credited on various security bulletin and advisories, most of them are Google and Apple's. He is the winner of Pwn2Own 2016 OS X Category & Mobile Pwn2Own 2016 Android Category and member of Master of Pwn Champion team at 2016 and 2017. He has spoken at conferences like QMSS, BlackHat, REcon, CanSecWest, DEFCON, HITCON and PoC.

Understanding the Apple IO80211Family Subsystem
Wang Yu
ABSTRACT

Starting from iOS 13 and macOS 10.15 Catalina, Apple refactored the architecture of the 80211 Wi-Fi client drivers and renamed the new generation design to IO80211FamilyV2. Compared with IO80211Family (V1), modules such as Version 2 and AppleBCMWLANCore integrate the original AirPortBrcm series drivers and further expand features such as Sidecar and Skywalk. These latest changes provide better support and protection for communication and data sharing between devices. Of course, we should also realize that new features are always accompanied by new vulnerabilities and potential risks of being attacked.

This research will delve into each of the affected Wi-Fi kernel components and explore new attack surfaces. I will also share with you more than a dozen iOS/macOS vulnerabilities. Through these brand new cases, this presentation will help you better understand the design and security challenges of Apple's 80211 Wi-Fi subsystem.

SPEAKER BIO

Wang Yu is a senior staff engineer at Didi Research America. He loves everything regarding OS kernel, from kernel architecture, device driver development, rootkit/anti-rootkit solutions to vulnerability hunting, exploitation and mitigation. He has previously presented his research on Syscan360 2012/2013, Hitcon 2013, Black Hat USA 2014/2020, Black Hat ASIA 2016, DEF CON 26 and other conferences.

Surge in the dark
slipper
ABSTRACT

The SoC shipped with new flagship phones is always the hottest topic among geeks. Qualcomm and MediaTek are the major players in SoC market, some manufacturers like Apple, Huawei and Samsung have designed their own SoCs. To our surprise, Xiaomi also developed its own SoC.

In 2017, Xiaomi released its first and only SoC, Surge S1, which is shipped with Mi5c. However, the new device was suspended in a few months, leaving us in the dark about Surge S1.

Never before had we been so passionate and curious about Chinese chips. In this talk, I will explore Mi5c and Surge S1 from a security researcher’s view, inspecting the surge in the dark.

SPEAKER BIO

slipper, a security research from Pangu Team. He used to play Pwn2Own, DEFCON CTF and GeekPwn. Sometimes he livestreams hackings. He had done live shows about remote jailbreaking of PlayStation 4 and iPhone 8.

Attack Secure Boot of SEP
Hao Xu
ABSTRACT

From iPhone 5S, Touch ID and Face ID could be used to unlock the phone. To secure user's biological data, Apple introduce SEP(Secure Enclave Processor) to handle passcode and biological data.

SEP has its own dedicated environment to run its own SEPOS and APPs based on that. The only way of communication between SEP and AP(Application Processor) is secure mailbox. So even attacker controls AP, he can not directly impact code and data from SEP. The isolation architecture of SEP and AP maximumly secures user's data.

And I guess most of you are already familiar with secure boot of AP on iPhone. Actually SEP also has its own secure boot to load SEPOS. In this topic, we will reverse the SEPROM to understand the initializing process of SEP. More specifically, we will detail the messages between SEP and AP as well as how the shared memory is setup. Meanwhile, checkm8 exploit allows us to execute our code during iBoot to talk to SEP for testing. At last I will reveal some vulnerabilities for old devices which could enlarge the attack surface of secure boot of SEP.

SPEAKER BIO

Hao Xu is co-founder of Team Pangu. He has been involved in information security for more than 10 years. His research interests range from Windows/macOS/iOS vulnerabilities, malware analysis, hardware virtualization technology, and reverse engineering. He is a regular speaker at Blackhat, Syscan, POC, Xcon.

Schedule

08:00 - 09:00

On-site Registration

09:00 - 09:50

Understanding the Apple IO80211Family Subsystem

09:50 - 10:40

A pratical New Framework for Blackbox Android Binary Fuzzing

10:40 - 11:00

Break

11:00 - 11:50

Explain JSC optimization measures in depth

12:00 - 13:30

Lunch

13:30 - 14:20

Surge in the dark

14:20 - 15:10

Attack Secure Boot of SEP

15:10 - 15:30

Break
 

15:30 - 17:20

BaiJiuCon (hosted by Thomas Lim)

17:20 - 17:30

Close

 

 

Hotel
Wanda Reign on the Bund
2020/07/24 (Friday)
No 538 Zhong Shan Dong Er Road Huangpu District