Halvar Flake
Keynote
Keynote Offensivecon 2020 Read more...
Keynote Offensivecon 2020 Read more...
In this work we will be investigating the emulation of proprietary Hypervisors in the Android ecosystem under QEMU. We will be providing information about ARM virtualization extensions and demonstrating key concepts with a framework implemented to allow execution of Samsung S8 hypervisor under QEMU. Finally, fuzzing implementations under this setup will be examined. Read more...
This talk will be about a Binder vulnerability that was first disclosed to Google by the Qihoo 360 C0RE Team, but also found by Jann Horn (who else?) and ourselves before it was fixed. The vulnerability was assigned CVE-2019-2025 and the Qihoo 360 guys named it "Waterdrop". Read more...
This talk will describe different bug hunting strategies for finding sandbox escapes in Safari. I describe strategies that actually worked, which helped finding exploitable bugs for userland daemons. The talk begins by going over the attack surface, covering basic IPC internals, explains details of the bug hunting process, and finally lays out some thoughts on bug hunting in general. Read more...
Cellular communications and baseband have always been obscure and not publicly explored topics, until the very last couple of years where more public research has surfaced. The Cellular modem are an interesting remote attack surface and they lack often of modern mitigations, making them an attractive target for a "0-click" compromise over the air. Read more...
Over the past few years many hardware vulnerabilities like rowhammer and Spectre were released. But even though they come with cool demos, we haven’t seen them exploited in the wild. Is that because they’re all mitigated or just too slow to exploit in practice? Read more...
Lateral movement is essential for offensive operations during CNO. Exploiting the inherent trust relationships is what makes spreading within the chewy inside of a network so easy once the crunchy outside is broken. Read more...
So called “0-click” exploits, in which no user interaction is required to compromise a mobile device, have become a highly interesting topic for security researchers, and not just because Apple announced a one million dollar bug bounty for such exploits against the iPhone. This talk will go into the details of how a single memory corruption vulnerability in iMessage was remotely exploited to compromise an iPhone. Read more...
There is increasing evidence that ‘0-click’ or ‘interaction-less’ vulnerabilities in messaging applications are being used by attackers. This talk will discuss how to evaluate a messaging application for fully remote vulnerabilities. Read more...
Booting the iOS kernel on QEMU with an interactive bash shell and a live debugger attached to the kernel. A major step forward in the direction of having a full iOS open source system emulator on QEMU. The research details and demo will be presented in this talk. Read more...
This talk will discuss my process for hunting, finding, exploiting, and reporting CVE-2019-2215, a local privilege escalation vulnerability in the Android kernel that was used in an in-the-wild exploit. Read more...
This talk is about exploiting CVE-2019-18683 in the Linux kernel for a local privilege escalation. Read more...
With almost everybody having a smartphone nowadays that is used to record and share pretty much every detail of our lives, who ever wonders* how secure your data actually is? And how is it possible you can unlock your phone by holding it in front of your face? Read more...
This talk will share our new approach for coverage-guided grammar fuzzing the Windows Kernel, and enhancements to the known approaches for fuzzing Windows Applications, triaging the bugs from the vulnerabilities, and being acknowledged in the MSRC Top 100. Read more...
During this session, I will give a quick review of modern-day mobile phone forensic extraction technology, and discuss the forces shaping this domain, as well as cover the dramatic changes overturning the industry in recent years. Read more...
This talk is about how an unauthenticated heap-based buffer overflow vulnerability was discovered and exploited within a router distributed by a market-leading ISP. Despite the targeted process utilizing mitigations such as DEP and ASLR, it still fell prey after spending weeks finding all of the required primitives. This talk will go over the thought processes, failures, and road-blocks that were encountered and how they were overcame. The techniques developed in this talk are not tied down to just one specific application||library. Read more...
This talk will discuss how CVE-2018-8611 can be exploited to achieve privilege escalation on Windows 10 1809 (RS5) and earlier. This research was done without getting a chance to analyze the in-the-wild 0day exploit that lead to the bug being patched by Microsoft, but rather by patch diffing and following some minimal public information as a starting point. The following steps will be detailed: race condition -> use-after-free -> memory disclosure -> increment primitive -> arbitrary read -> arbitrary write -> privilege escalation Read more...
Xbox 360 video game console had a number of widely known hacks for firmware of its optical disc drives. However, it was never the case with Blu-ray disc drives of Sony PlayStation video game consoles. In fact, up until recently there was no much information available on this subject publicly. In this presentation, I would like to share my journey of delving deep into internals and security of Sony PlayStation Blu-ray disc drives. Read more...
This talk will be all about security analysis of all known types of ACMs and how to exploit vulnerabilities in them (keeping in mind that they are sometimes encrypted and running only from L3 cache). Read more...
