Solar Designer
Keynote
OffensiveCon24 Keynote
In 2023 Apple fixed a full-chain exploit that used a vulnerability in the WebKit GPU process to escape the WebContent sandbox and compromise an iPhone. After this attack, a lot of new security hardening has been introduced to kill the exploitation methods and further reduce the WebContent attack surface.
With some of the first phones with MTE hitting the market, we are once more facing the seemingly imminent doom of our beloved industry. Wait! What about our trusty old friends, the logic bugs? While some turn their attention to weaker SoC components, we're back at Mobile Pwn2Own to show you how a few silly bugs can be chained to effortlessly pwn the latest Samsung and Xiaomi flagships.
A few months ago, I stumbled upon a 24-year-old buffer overflow in glibc. Despite being reachable in multiple well-known libraries and programs, it proved rarely exploitable. Indeed, this was not a good bug: with hard-to-achieve preconditions, it did not even provide a good primitive.
The V8 JavaScript engine is investing in a new architecture based on a lightweight, in-process sandbox. This talk will discuss the motivation behind this sandbox, explore its current design and implementation, and finally look at the sandbox from an attacker's perspective.
Exploits leveraging memory corruption vulnerabilities typically require some knowledge about the target environment, such as the binary, OS, and allocator. These insights are required to, e.g., prepare the heap and deploy ROP chain gadgets. As a result, exploits typically target client-side software such as browsers and phones.
There are many local security boundaries in Windows where an attacker may want to elevate privileges. The lower the privilege level, the less attack surface there is in which to find vulnerabilities. Applications may make use of sandboxes, such as browser or AppContainer sandboxes, to limit the access of untrusted code.
This talk details the exploit chain demonstrated at Pwn2Own Automotive 2024, showcasing remote code execution (RCE) on Tesla's infotainment system via the cellular network.
In this talk I'll take a deeper look at WebP from a zero-click exploitation perspective: what options are there? What possible weird machines could you build? Do you even need one? And what did the attackers actually do?
This talk will show how to use a combination of hardware, firmware, reverse-engineering, side-channel analysis and fault-injection to gain code execution on a completely custom chip, enabling further security research on an under-explored but security-relevant part of Apple devices.
The emergence of smart glasses, a novel category of tech devices, has been gaining traction over the past three years. These devices, typically capable of recording video and audio, playing music, and facilitating phone calls, pose a unique privacy threat.
Secure Boot is integral in shielding a computer's boot environment from unauthorized code. By only allowing the execution of modules signed by Microsoft or the UEFI Certificate Authority (CA), it raises a barrier against attackers, primarily restricting them to vulnerabilities in legitimate code.
The Android Binder driver is a keystone of Android's inter-process communication (IPC) mechanism. The Binder driver is an open-source Linux kernel module accessible by untrusted applications and consists of less than 10,000 lines of C code.
Walter Benjamin's 1923 essay "The Task of the Translator" is a foundational text in the field of translation theory, and its insights and commentary are evergreen as a framing device for approaching modern UEFI exploit development.
The registry is a very prominent but largely unexplored local attack surface in the Windows kernel. It has all the qualities of an attractive research target: it is over 30 years old, written in C, highly complex, and generally reachable from unprivileged user-mode contexts.
During our past research analyzing the Android Data Encryption Scheme, we dove into the boot chain of Samsung low-end mobile devices, in particular the Galaxy A family, which is based on MediaTek System-on-Chips.
In 2023, we discovered several vulnerabilities, including RCE, in a family of cellular modems manufactured by Telit, which can lead to their complete compromise. We identified a number of security-related problems in user applications (MIDlets) and in the OEM-developed firmware of these modems.
Physical security is the forgotten sibling of information security. This part is usually offloaded to traditional security teams, and especially to people who don't "get" what hacking is about.
Microsoft Exchange Server is a popular mail server, both with enterprises and attackers. As a compromise of Exchange leads to the exfiltration of confidential data, it has a long history of abuse and is frequently targeted by nation-state actors.
Violating the Von Neumann sequential processing principle at the micro-architectural level is commonplace to reach high-performing CPU hardware — violations are safe as long as software executes correctly at the architectural interface.