The Mobile Security Conference (MOSEC) is organized by Team Pangu and PoC and was first held in 2015. MOSEC focuses on cutting-edge research topics in the area of mobile security, fosters information exchange among researchers and practitioners, and has received high praise from both attendees and the community.
MOSEC 2021 will be held on Friday, July 30, 2021 at the Wanda Reign hotel, in Shanghai, China. Following the success of the past events, MOSEC 2021 will continue to facilitate the most advanced knowledge and technology sharing. MOSEC 2021 will bring excellent security researchers to present their frontier studies to the world.
Founded by Team Pangu, the Pangu Lab is a security laboratory consisting of many senior security professionals with rich experience across a wide range of security research and industrial development. Members of the Pangu Lab have discovered hundreds of 0day vulnerabilities in major operating systems and applications, and have presented many papers and talks at premier forums such as Black Hat, CanSecWest, SyScan, RUXCON, HITCon, PoC, XCon, IEEE S&P, USENIX Security, ACM CCS, and NDSS.
Pangu Lab’s current research focuses on mobile security. Team Pangu is known for its multiple releases of untethered jailbreak tools for iOS 7, iOS 8, and iOS 9. Team Pangu was also the first to jailbreak iOS 8 and iOS 9 in the world. Besides iOS, Pangu Lab also made great progress in Android security research, and developed various products for discovering vulnerabilities in Android apps, detecting malicious Android apps, and mining mobile threat information.
POC started in 2006 and has been organized by Korean hackers and security experts. It is the biggest international security and hacking conference in Korea. POC concentrates on technical and creative discussion and shows real hacking and security. POC shares knowledge for the sake of the power of community, and believes that the power of community will make the world safer. POC has been making history with its sincere staff, hackers from around the world, and sponsors since 2006.
We shared a port type confusion vulnerability in the XNU kernel at Zer0Con'21, and demonstrated how to exploit the vulnerability to gain root privilege on macOS Big Sur with the M1 chip. In this talk, we will continue to analyze this vulnerability and discuss its giant attack vector. Based on this type confusion primitive, we will explore different ways to trigger other kernel memory corruption issues, including UAF, overflow and out-of-bounds access, and also bypass the sandbox to access any Mach service on iOS.
Tielei Wang is a member of Team Pangu. He was a research scientist at the Georgia Institute of Technology from 2012 to 2014 and received his Ph.D. degree in 2011. His research interests include system security, software security, and mobile security.
Binder is the most widely used mechanism for inter-process communication on Android, and it is also one of the few drivers that can be accessed from within the sandbox, so it has always been a focus of security research.
We have found several vulnerabilities in Binder, and some of them have been proven usable to elevate privileges to root or system.
In this talk, we will introduce how to achieve a sandbox escape through a Binder vulnerability, and how to achieve remote root with an RCE vulnerability in a browser.
Hongli Han (@hexb1n) is a security researcher at 360 Alpha Lab. He is interested in AOSP and kernel bug hunting and exploitation. He has presented related topics at Black Hat USA, HITB, MOSEC and QPSS.
Rong Jian (@__R0ng) is a security researcher at 360 Alpha Lab. His research focuses on Browser security. He was a winner of the Chrome category in the Tianfu Cup 2020 Cybersecurity Contest.
Xiaodong Wang (@d4gold4) is a security researcher at 360 Alpha Lab. He has found many vulnerabilities in the Linux Kernel. He was a winner of the CentOS category in the TianFu Cup 2020 Cybersecurity Contest.
Peng Zhou (@bluecake) is a security researcher at 360 Alpha Lab. He focuses on kernel vulnerability hunting and exploitation. He has presented related topics at Black Hat USA.
Cellular communications and basebands have long been obscure and rarely explored in public, until the last couple of years, when more public research surfaced. Recently we have seen widespread adoption of 5G, especially in China.
In our talk we will analyze and exploit a modern 5G smartphone modem. The exploit is a remote memory corruption over the air affecting the 5G network part of the phone, without user interaction. We will also show which mitigations are enabled and which are not, and what difficulties we had triggering the bug.
Marco Grassi (@marcograss) is currently a Senior Security Researcher at Tencent Keen Lab (previously known as Keen Team). He was part of the team that won the "Mobile Master of Pwn" title in Tokyo at Mobile Pwn2Own 2016, working on iOS. He was also one of the main contributors at Desktop Pwn2Own 2016 for the Safari target with a sandbox escape to root. He is a member of the team that won the title of "Master of Pwn" at Pwn2Own 2016. He found a VMware escape at Desktop Pwn2Own 2017, and a baseband RCE and an iOS Wi-Fi exploit at Mobile Pwn2Own 2017, where the team was awarded "Master of Pwn" for the third time. He has spoken at several international security conferences such as Black Hat USA, DEF CON, Infiltrate, CanSecWest, ZeroNights, Codegate, HITB and ShakaCon.
Xingyu Chen (@0xKira233) is a security researcher at Tencent Keen Lab. He is keenly interested in bug hunting and currently focuses on virtualization and mobile security. He has found many critical vulnerabilities in various cloud products and in low-level smartphone firmware. He is also a CTF player on team eee & A*0*E, which participated in DEF CON 25 and 26. He has spoken at conferences such as OffensiveCon, Zer0Con, and TenSec.
Geeks and hackers alike are highly interested in the GPUs of modern mobile devices, though they are drawn by two mutually exclusive features: performance and security. In this talk, we are going to review a few logic bugs in the most popular Android GPU kernel drivers. In addition, we will discuss some advanced techniques in kernel exploitation.
slipper is a security researcher from Pangu Team. He used to play in hacking games like Pwn2Own, DEFCON CTF, GeekPwn and Tianfu Cup. He has hacked many targets in public: iPhone 8, PlayStation 4, Cisco ASA, Safari, Firefox, macOS, Docker, CentOS, Ubuntu and Adobe Reader. Sometimes he livestreams his hacking.
PAC is a hardware-level mitigation that Apple introduced into the iPhone starting with the A12. Its introduction greatly enhanced the security of the iPhone: after the iPhone XS series shipped with PAC in 2018, no iPhone was broken in a public competition.
At Tianfu Cup 2020, we pwned the iPhone 11 with PAC protection in the open competition, the first time this had been done in the world.
In this talk, we will briefly cover the principle and mechanism of PAC. Then we will explain in detail the RCE bug we used in the competition, how we bypassed the PAC mitigation once we had arbitrary R/W in the renderer process, and how we finally achieved RCE.
@S0rryMybad is a Senior Security Researcher at Beijing CyberKunlun Technology Co., Ltd. He mainly focuses on browser and iOS system security and related mitigations.
At Pwn2Own and Tianfu Cup, he pwned the iPhone with a remote jailbreak and pwned the Edge (EdgeHTML), Chrome, Safari and Firefox browsers, the first Grand Slam of the browser categories in China. He is the first security researcher in China to win a Pwnie Award, and ranked 2nd in the world in MSRC 2019. At Tianfu Cup 2020, for the first time in the world, he pwned the iPhone 11 with PAC protection in the open competition.
The bootrom is the first significant code that runs on a smartphone. It loads and verifies code from external storage and hands over execution step by step until, generally speaking, the OS is running. Finding exploits at the bootrom level is a big achievement, since it affects the entire secure boot chain from the very beginning.
checkm8, a spectacular vulnerability inside the bootrom of iDevices, has been a game changer ever since its release. Many people have benefited from this sky ladder into iOS security research.
This presentation, checkm30 (checkmate30), is based on a similar concept and is also about bootrom vulnerabilities. However, the target is Huawei HiSilicon smartphones.
We will start by introducing the secure boot chain of Huawei smartphones.
Then we will discuss, in turn, the running environment of the bootrom, the USB communication protocol, the vulnerability and the exploit.
Finally, we will enjoy several demos that use the exploit to achieve, among other things, unlocking the bootloader and JTAG debugging.
Guanxing Wen is a member of Pangu Team. In recent years, his primary interests have been low-level security, such as kernels, bootloaders and TrustZone. Previously, his work has been presented at Infiltrate, Black Hat EU, 44CON, etc.
slipper is a security researcher from Pangu Team. He used to play in hacking games like Pwn2Own, DEFCON CTF, GeekPwn and Tianfu Cup. He has hacked many targets in public: iPhone 8, PlayStation 4, Cisco ASA, Safari, Firefox, macOS, Docker, CentOS, Ubuntu and Adobe Reader. Sometimes he livestreams his hacking.
Schedule
08:00 - 09:00 | On-site Registration
09:00 - 09:50 | Exploiting a Modern 5G Phone Modem
09:50 - 10:40 | Exploitations of XNU Port Type Confusion
10:40 - 11:00 | Break
11:00 - 11:50 | The Achilles' Heel of Android
12:00 - 13:30 | Lunch
13:30 - 14:20 | Hacking Android GPU For Fun
14:20 - 15:10 | Use JIT Compiler to bypass iOS PAC mitigation
15:10 - 16:00 | checkm30
16:00 - 16:30 | Break
16:30 - 18:00 | BaiJiuCon (hosted by Thomas Lim)
18:00 - 18:10 | Close