Speakers
GPU Accelerated Android rooting
Yong Wang
ABSTRACT

With more and more hardware and software mitigations, Android rooting now requires better bugs and more advanced exploitation techniques. The modern mobile GPU subsystem is appealing for multiple reasons: the kernel driver is accessible to untrusted applications, and certain features within the subsystem can be leveraged for exploitation.

In this talk, I will first briefly review some mitigations in Android 13. Then I will detail several bugs that I found and that have since been fixed. To root Android 13 flagship devices, I will delve into advanced exploitation techniques that are specifically related to the GPU MMU feature, and give an exploitation demo.

SPEAKER BIO

Yong Wang (@ThomasKing2014) is a Security Engineer at Alibaba Cloud Pandora Lab. Yong currently focuses on Android/browser vulnerability hunting and exploitation. He was a speaker at several security conferences including Black Hat (Asia, Europe, USA), HITB Amsterdam, Zer0Con, POC, CanSecWest and QPSS. Over the years, he has reported several vulnerabilities, one of which was nominated for a Pwnie Award in 2019.

An interesting research journey: Over-the-air attack surface of Wi-Fi
Xie Haikuo, Xing Yu
ABSTRACT

Wi-Fi is one of the most crucial foundations of our current stage of technology. Various devices like phones, computers, smart home devices, and even vehicles and components of smart cities heavily rely on Wi-Fi for internet connections. This widespread usage has turned Wi-Fi into a common target for cyberattacks. One of the most attractive aspects for hackers is the over-the-air attack surface of Wi-Fi.

In this presentation, we mainly introduce the Wi-Fi function from the perspective of security researchers and how it can become a backdoor into mobile devices. To start, we will introduce the research methods our team has used in recent years to hunt for vulnerabilities in Wi-Fi devices from various leading manufacturers. We will introduce different types of vulnerabilities in Wi-Fi devices and share previously undisclosed cases of these vulnerabilities. Lastly, we will discuss our attempt at a Wi-Fi over-the-air attack on the Pixel 4 XL. This involved an attempt to achieve a '0-click' over-the-air exploit, enabling us to remotely manipulate the device into making arbitrary phone calls. Our presentation aims to shed light on the evolving landscape of Wi-Fi security and the potential risks associated with its vulnerabilities.

SPEAKER BIO

Xie Haikuo (@Thankkong), a security researcher at Singular Security laboratory, focuses on communication protocol security and vehicle security. His recent discoveries concern short-distance protocols such as Wi-Fi/Bluetooth. He presented his research at Black Hat Asia 2020, USA 2021 and Asia 2022.

Xing Yu, a security researcher at Singular Security laboratory, focuses on Linux kernel and driver research. He has experience in kernel LPE and EL2 Real-Time Kernel Protection bypass.

A Discussion on GPU Security
Yu Wang
ABSTRACT

From the initial 2D and 3D rendering to hardware-based high-performance video decoding and then to various applications on GPGPU, GPU technology has achieved amazing progress in the past few decades. While excited about the development of new technologies, the security community will of course evaluate this unicorn from the perspective of system architecture and security enhancement. The GPU subsystem has obvious latecomer advantages: measures such as firmware and root-of-trust verification, virtualization, data integrity checking and side-channel attack mitigation have greatly raised the bar for vulnerability hunting and exploitation. However, as the other side of the story, new features always mean new attack surfaces. From exposed ioctl-style kernel interfaces and rendering components to high-level applications and extensions such as neural engines, high-risk vulnerabilities have emerged frequently in recent years.

This presentation will share the author's experience in researching GPU subsystems, including architecture analysis, vulnerable component audits and kernel vulnerability case studies. We will also look ahead to the latest kernel security issues.

SPEAKER BIO

Yu Wang is the co-founder and CEO of CyberServal. He enjoys everything regarding operating system kernels, from architecture, device driver development, rootkit/anti-rootkit solutions to vulnerability hunting, exploitation and mitigation. He has previously presented at MOSEC 2020/2022, Black Hat USA 2014/2020/2022/2023, Black Hat Asia 2016/2021, Black Hat Europe 2020 and other conferences.

Securing Web3 Mobile Wallets with TEE: Delving into the Security Guarantees and Real-world Implementation Pitfalls
Yuan Zhuang
ABSTRACT

Web3 mobile wallet security is a crucial aspect of the blockchain ecosystem, especially in the face of threats posed by rooted devices. Among many proposed approaches, using Trusted Execution Environment (TEE) technology has become widespread and promising. Modern mobile vendors widely adopt TEEs, enhancing security across the Web3 credential lifecycle and offering advanced security primitives for wallet apps, boosting their resilience to threats.

Despite the TEE's fundamental role in wallet security, the implementation of this technology requires rigorous attention to ensure that its protective functions are preserved. As TEE advocates, we have evaluated the security of recently introduced TrustZone TA security primitives and found vulnerabilities that could potentially enable privileged attackers to overcome this protection.

In our presentation, we highlight the TEE's importance in safeguarding Web3 wallets and expose the TrustZone TA implementation pitfalls identified in our research. We share our journey overcoming challenges during the vulnerability discovery process. We analyze three identified vulnerabilities, shed light on their implications, and show how memory read/write primitives and data leakage channels from TrustZone can be leveraged. We emphasize how these vulnerabilities could potentially facilitate arbitrary memory read/write access, possibly leading to unintended data leakage from within TrustZone. We wrap up by stressing the need for detailed inspection, secure programming practices, and thorough auditing during TEE implementation.

In summary, the TEE is an integral approach to fortifying Web3 wallet security. However, it is vital to identify potential pitfalls and ensure proper safeguards to maintain the effectiveness of the technology, thus fostering a secure and trustworthy blockchain ecosystem.

SPEAKER BIO

Yuan Zhuang is a security researcher focusing on the Trusted Execution Environment and Web3 security. She has spoken at HITB and Black Hat.

A Silicon Bug in Apple's A7 SoC
Wei Wang
ABSTRACT

In this presentation, we will begin by reviewing the fundamental communication mechanisms between the AP (Application Processor) and the SEP (Secure Enclave Processor). Subsequently, we will introduce a hardware vulnerability residing within the MMU of Apple's A7 SoC. Leveraging the capabilities provided by this vulnerability breaks the memory isolation between the AP and the SEP. Successfully exploiting this vulnerability could give the AP full control of the SEP.

SPEAKER BIO

Proteas (@ProteasWang) is a security researcher at QiAnXin's Pangu Lab, mainly focusing on security research related to Apple's products.

Killing the Ethereum VM of Ethereum killers
PwningETH, slipper
ABSTRACT

Many public blockchains have claimed to be Ethereum killers, asserting that they will replace Ethereum as the mainstream next-generation blockchain. However, during their development, they have still had to propose solutions for compatibility with Ethereum's virtual machine implementation. The security vulnerabilities that have emerged in these virtual machine implementations have nearly brought about their own downfall.

Fortunately, we detected and reported these software vulnerabilities in a timely manner, thereby safeguarding billions in digital currency assets. In this talk, we will share the research details and demonstrate how we rescued these vulnerable public chains.

SPEAKER BIO

PwningETH, CTO of Offside Labs. He has helped safeguard hundreds of millions of dollars in the Web3 world and has earned millions in bug bounties.

slipper, CEO of Offside Labs. He established the 0ops team and was a key member of both Pangu Lab and Order of Overflow. His research covers a wide range of critical topics in system security, including IoT, boot chain, virtualization, blockchain, browser and operating system security. He is currently dedicated to Web3 security.

Schedule

08:00 - 09:00

On-site Registration

09:00 - 09:50

A Discussion on GPU Security

Yu Wang

09:50 - 10:40

Securing Web3 Mobile Wallets with TEE: Delving into the Security Guarantees and Real-world Implementation Pitfalls

Yuan Zhuang

10:40 - 11:00

Break

11:00 - 11:50

GPU Accelerated Android rooting

Yong Wang

12:00 - 13:30

Lunch

13:30 - 14:20

A Silicon Bug in Apple's A7 SoC

Wei Wang

14:20 - 15:10

An interesting research journey: Over-the-air attack surface of Wi-Fi

Xie Haikuo
Xing Yu

15:10 - 16:00

Killing the Ethereum VM of Ethereum killers

PwningETH
slipper

16:00 - 16:30

Break

16:30 - 18:00

BaiJiuCon (hosted by Thomas Lim)

18:00 - 18:10

Close

Hotel
Wanda Reign on the Bund
2023/09/26 (Tuesday)
No. 538 Zhong Shan Dong Er Road, Huangpu District