• October 17th
  • October 18th


Hacking Humans


Barnaby Jack is a Research Architect with the TRACE research team at McAfee. Jack's role within TRACE involves researching new and emerging threats with a specific focus on embedded technology. Jack has over 10 years of experience in the security research space and previously held research positions at IOActive, Juniper Networks, eEye Digital Security, and Foundstone. Over the course of his career, Jack has targeted everything from low-level Windows drivers to the exploitation of Automated Teller Machines. He has been credited with the discovery of numerous vulnerabilities, and has published multiple papers on new exploitation methods and techniques. Jack's work has been featured in many major media outlets including CNN, Forbes, MSNBC, Reuters and Wired. Jack has been an invited speaker at international security conferences in both the government and private sector including Black Hat, CanSecWest, IT-Defense and SysCan. Jack is often called upon for his opinions regarding the future of security research.



iOS6 Security

In recent years, iOS security has become a hot topic, largely due to the unprecedented popularity of Apple iDevices. One of the major exploitation targets within iOS that has received a significant amount of public scrutiny is the kernel, as it encapsulates the security extensions that govern access to the device. A variety of kernel exploits have been publicly released that employ relatively simple attack methodologies, largely because very few kernel-level exploit mitigation technologies had been put in place. Apple has addressed this problem in iOS 6 with the addition of a variety of kernel hardening technologies that are intended to thwart the exploitation strategies typically used by attackers. This presentation introduces these technologies, discusses their impact and effectiveness against popular attack methodologies, and also outlines their limitations (where appropriate). It is hoped that attendees will gain an understanding of the current state of iOS kernel exploitation, which techniques have been rendered useless, and the kinds of techniques that will need to be employed in future kernel-level exploits.


Mark Dowd is an expert in application security, specializing primarily in host and server based Operating Systems. His professional experience includes several years as a senior researcher at a fortune 500 company, where he uncovered a variety of major vulnerabilities in ubiquitous Internet software. He also worked as a Principal Security Architect for McAfee, where he was responsible for internal code audits, secure programming classes, and undertaking new security initiatives. Mark has also co-authored a book on the subject of application security named "The Art of Software Security Assessment," and has spoken at several industry-recognized conferences.



Modeling the exploitation and mitigation of memory safety vulns

The increased difficulty of developing reliable exploits for memory safety vulnerabilities has also made it more difficult to characterize their exploitability. As a result, there is currently no well-defined or broadly agreed upon standard by which exploitability is determined. There are certainly good reasons for this: exploitability is influenced by many variables and exploit writing is generally a highly skilled and creative process. Still, the lack of an established model for determining exploitability tends to force an analyst to either prove exploitability through a working exploit or make a conservative and coarse-grained estimate of exploitability. In practice, both of these are undesirable as the first approach does not currently scale and the second approach typically assumes a worst-case scenario that does not take into account the effects that mitigations and contextual factors may have on exploitability. This can lead to an overestimation of actual risk and has made it challenging to measure how these variables are contributing to the increased difficulty of exploiting vulnerabilities.

To help improve on this situation, this presentation describes an experimental model that can be used to classify memory safety vulnerabilities and reason about their exploitability. In this model, the invariants of a vulnerability are specified using a structured and well-defined format that can be independently reviewed and verified. This specification then forms the initial state for an automaton that provides an abstract representation of the primitives and techniques that facilitate or mitigate exploitation. To demonstrate the utility of this model, the presentation will show how it can be used to aid in the process of classifying a vulnerability, measuring exploitability, and enabling intelligent investment in vulnerability prevention and exploit mitigation technologies.


Matt Miller works on the Security Science team within Microsoft's Security Engineering Center (MSEC) where he primarily focuses on researching and developing exploit mitigation technology. Some of Matt's past contributions in this space have included a functional implementation of Address Space Layout Randomization (ASLR) for Windows 2000/XP/2003 and a mitigation for SEH overwrites that is now known as SEHOP. Prior to joining Microsoft, Matt was involved with the Metasploit framework where he helped develop Metasploit 3.0 and contributed features like Meterpreter and VNC injection. Matt also co-founded the Uninformed Journal and has written articles on exploitation techniques, reverse engineering, and program analysis.



Advanced Exploitation of Mobile/Embedded Devices: the ARM Microprocessor

We are currently entering a "post-PC" exploitation environment where threats to mobile devices are becoming more of a reality. The mini computer in your pocket that is always internet connected, tracks your location, performs financial transactions, holds your address book, and is equipped with a microphone is emerging as a more valuable target than the computer you leave on your desk after close of business. Go figure. Shifts towards these platforms in vulnerability research and the emergence of malware on mobile devices are all indicative of this.

Early last year (2011) the maintainers of http://www.DontStuffBeansUpYourNose.com debuted a talk entitled "Hardware Hacking for Software People" (see: http://bit.ly/pGAGlO). In that talk we covered a range of topics from hardware eavesdropping and bus tapping to simple integrated circuit interfacing and debugging. That talk concluded with a demonstration of a real-world bug in a home cable modem. However, it did not dive into the gritty details of exploitation on embedded processors. Late last year (2011) we developed and privately delivered five-day courses that taught advanced software exploitation on ARM microprocessors (used in iPhones, appliances, iPads, Androids, Blackberries, et al.). We opened that course to the public for CanSecWest 2012 and Blackhat 2012 (see http://bit.ly/wKHKsG).

In this talk we will share the more interesting bits of the research that went into developing the Practical ARM Exploitation course, such as reliably defeating XN, ASLR, stack cookies, etc. using nuances of the ARM architecture on Linux and Android (for embedded applications and mobile devices). We will also demonstrate these techniques and discuss how we were able to discover them using several ARM hardware development platforms that we custom built (see: http://bit.ly/zaKZYH).


Stephen A. Ridley

Stephen A. Ridley is a security researcher with more than 10 years of experience in software development, software security, and reverse engineering. Before becoming an independent researcher, Mr. Ridley served as the Chief Information Security Officer of a financial services firm. Prior to that he was a Senior Researcher at Matasano, a Manhattan-based security research and development firm. He was also Senior Security Architect at McAfee, and a founding member of the Security and Mission Assurance (SMA) group at a major U.S. defense contractor, where he did vulnerability research and reverse engineering in support of the U.S. Defense and Intelligence community.

Within the last few years, he has presented his research and spoken about reverse engineering and software security research on every continent except Antarctica (at industry conferences such as BlackHat, ReCon, EuSecWest, CanSecWest, Syscan and others). Mr. Ridley calls Manhattan home and frequently guest lectures at New York area universities such as NYU and Rensselaer Polytechnic Institute.

Stephen Lawler

Stephen Lawler is the Founder and President of a small computer software and security consulting firm. Mr. Lawler has been actively working in information security for over 7 years, primarily in reverse engineering, malware analysis, and exploit development. While working at Mandiant he was a principal malware analyst for high-profile computer intrusions affecting several Fortune 100 companies.

Prior to this, he was a founding member of the Security and Mission Assurance (SMA) division of a major U.S. defense contractor, where he discovered numerous 0-day vulnerabilities in "Commercial-Off-The-Shelf" (or COTS) software and pioneered several exploitation techniques that have only recently been discovered and published publicly.

Prior to his work at the defense contractor, Stephen Lawler was the lead developer for the AWESIM sonar simulator as part of the US Navy SMMTT program.

He has spoken (and given trainings) at BlackHat and other security conferences and is the technical editor of "Practical Malware Analysis", published by No Starch Press.



Binary Instrumentation For Android

Bug hunting on Android is becoming more and more challenging. Analyzing more interesting targets requires more than logcat and the debugger; sometimes you really want to change the target process. This talk will present a simple and easy way to do binary instrumentation on Android (ARM). We will do a full walk-through of the instrumentation tool and show a few examples of what we did with it.


Collin Mulliner is a researcher in the Systems Security Lab at Northeastern University. Collin's main interest is the security and privacy of mobile and embedded devices with an emphasis on mobile and smart phones. Since 1997 Collin has developed software and done security work for Palm OS, J2ME, Linux, Symbian OS, Windows Mobile, Android, and the iPhone. In 2006 he p0wnd Windows Mobile using MMS, and in 2009 he broke iOS, Android, and Windows Mobile with SMS. Collin is specifically interested in the areas of vulnerability analysis and offensive security.



Radium: Auto Data Collection & Visualization in Maltego

Maltego has been a long-time favourite tool of many IT security and cyber intelligence practitioners. The real power of Maltego does not lie in the transforms themselves but in the sequencing of transforms – building a construct of interlinked data block by block. Up to now transform sequence choices have been totally up to the user. This flexibility came at a price – not everyone knew the direction their choices would take them. Sadly, a lot of Maltego's potential was never realised by everyday users. With the new release we introduce machines - a way to include proper logic within the application – thereby realising the full potential of the tool. Not only do we provide five fully working machines (ranging from automated footprinting to Twitter monitoring to company stalking), we also give every user the ability to construct their own transform pipelines.

During the talk we will demo the power of scripting in Maltego. We will explain how pipelines work and how to construct your own machines by creating sequences of transforms. We get into the nitty-gritty of filters, perpetual monitoring machines and parallel paths. And we show with live examples how this changes the game forever.


Roelof Temmingh has been working in the security industry for the last 15 years. He started SensePost with some friends in 2000, left SensePost in 2007 and has been running Paterva ever since. He developed many successful security assessment tools, contributed to several books and spoke at numerous international security conferences (BlackHat and BlueHat, CanSecWest, Defcon, FIRST, Ekoparty, RSA, HiTB, Ruxcon amongst others). Recently Roelof has mainly been thinking about intelligence and information gathering, virtual identities and social botnets. He likes to create new and innovative technology and is the driving force behind Maltego.



Emulating DFU to Quickly Reverse and Exploit USB Devices

The USB Device Firmware Update (DFU) protocol is used by a number of devices to accept firmware updates. Better still for the reverse engineer, this bootloader is often implemented in a mask-programmed ROM that cannot be patched or removed!

This lecture will introduce you to USB device emulation with the Facedancer board, then demonstrate how a fake DFU device can be written to catch firmware updates with little prior knowledge of the specific device being emulated. These techniques allow you to quickly get a firmware dump from a USB device, then patch that firmware for installation onto a real device.
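The core of the trick described above is that a DFU host only ever talks to the device through a handful of class-specific control requests and a small state machine, so an emulated device needs almost no device-specific knowledge to receive a complete image. The following is an added example, not Facedancer code or anything from the talk: a pure-Python DFU 1.1 request handler that collects every DFU_DNLOAD payload instead of flashing it, plus a simulated host that drives it the way dfu-util would. The USB transport is left out (a real emulator would feed SETUP packets from the board into handle_control), and the firmware blob is a constructed stand-in.

```python
import struct

# DFU class-specific requests and device states, numbered as in the
# USB DFU 1.1 specification (sections 6 and 6.1.2).
DFU_DETACH, DFU_DNLOAD, DFU_UPLOAD, DFU_GETSTATUS = 0, 1, 2, 3
DFU_CLRSTATUS, DFU_GETSTATE, DFU_ABORT = 4, 5, 6
DFU_IDLE, DNLOAD_SYNC, DNBUSY, DNLOAD_IDLE = 2, 3, 4, 5
MANIFEST_SYNC, MANIFEST, DFU_ERROR = 6, 7, 10
STATUS_OK, ERR_STALLEDPKT = 0x00, 0x0F


class FakeDfuDevice:
    """Speaks just enough DFU to make a host believe its download succeeded,
    while the payload is collected in self.firmware instead of being flashed."""

    def __init__(self):
        self.state, self.status = DFU_IDLE, STATUS_OK
        self.firmware = bytearray()
        self.next_block = 0                      # wValue the host must use next

    def _stall(self):
        self.state, self.status = DFU_ERROR, ERR_STALLEDPKT
        return None                              # caller STALLs the control pipe

    def handle_control(self, bmRequestType, bRequest, wValue, wIndex, data=b""):
        """Process one SETUP packet (plus OUT data). Returns the IN payload,
        b"" for a successful OUT transfer, or None to signal a STALL."""
        if bmRequestType & 0x60 != 0x20:         # not a class request
            return self._stall()
        if bRequest == DFU_DNLOAD:
            if self.state not in (DFU_IDLE, DNLOAD_IDLE):
                return self._stall()
            if not data:                         # zero-length DNLOAD: image complete
                self.state = MANIFEST_SYNC
                return b""
            if wValue != self.next_block:        # block counter out of sequence
                return self._stall()
            self.firmware += data
            self.next_block = (wValue + 1) & 0xFFFF
            self.state = DNLOAD_SYNC
            return b""
        if bRequest == DFU_GETSTATUS:
            # GETSTATUS drives the state machine; we claim to program and
            # manifest instantly (bwPollTimeout = 0) and to be manifestation
            # tolerant, so the host never has to reset the bus.
            if self.state == DNLOAD_SYNC:
                self.state = DNLOAD_IDLE
            elif self.state == MANIFEST_SYNC:
                self.state = MANIFEST
            elif self.state == MANIFEST:
                self.state = DFU_IDLE
            # bStatus(1) bwPollTimeout(3) bState(1) iString(1)
            return (struct.pack("<B", self.status) + (0).to_bytes(3, "little")
                    + struct.pack("<BB", self.state, 0))
        if bRequest == DFU_GETSTATE:
            return struct.pack("<B", self.state)
        if bRequest == DFU_CLRSTATUS and self.state == DFU_ERROR:
            self.state, self.status = DFU_IDLE, STATUS_OK
            return b""
        if bRequest == DFU_ABORT and self.state in (DFU_IDLE, DNLOAD_IDLE):
            self.state, self.firmware, self.next_block = DFU_IDLE, bytearray(), 0
            return b""
        return self._stall()                     # DETACH, UPLOAD, ...: not offered


def parse_status(payload):
    """Decode a 6-byte DFU_GETSTATUS reply into (bStatus, bState)."""
    return payload[0], payload[4]


def simulate_host_download(image, block_size=64):
    """Drive a FakeDfuDevice the way a DFU host does and return the image it
    captured. The host side is simulated here, not real USB traffic."""
    dev = FakeDfuDevice()
    for i in range(0, len(image), block_size):
        assert dev.handle_control(0x21, DFU_DNLOAD, i // block_size, 0,
                                  image[i:i + block_size]) == b""
        st, state = parse_status(dev.handle_control(0xA1, DFU_GETSTATUS, 0, 0))
        assert st == STATUS_OK and state == DNLOAD_IDLE
    dev.handle_control(0x21, DFU_DNLOAD, 0, 0, b"")          # end of image
    while parse_status(dev.handle_control(0xA1, DFU_GETSTATUS, 0, 0))[1] != DFU_IDLE:
        pass
    return bytes(dev.firmware)


if __name__ == "__main__":
    blob = bytes(range(256)) * 5 + b"\xde\xad\xbe\xef"      # constructed firmware stand-in
    captured = simulate_host_download(blob, block_size=100)
    print(len(captured), captured == blob)
```

The only things a real target adds on top of this are its vendor/product IDs and DFU functional descriptor, both of which can be copied from a USB capture of the genuine device; the block sequencing and status polling are generic, which is why an out-of-order block is rejected with a STALL exactly as a conforming device would do.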


Travis Goodspeed is a neighborly reverse engineer from the Smoky Mountains in Southern Appalachia. His projects include the Pwnie Award winning Packets-in-Packets attack on the PHY layer of digital radio, a series of memory-extraction exploits for microcontrollers, and a hacker conference badge that can sniff packets from Microsoft wireless keyboards. Most recently, he has been working on the Facedancer, a tool for emulating USB devices and exploiting device drivers.




Detecting Bugs Using Decompilation and Dataflow Analysis

Bugwise is a free online web service that performs static analysis of binary executables to detect software bugs and vulnerabilities. It detects bugs using a combination of decompilation, to recover high-level information, and data flow analysis, to discover issues such as use-after-frees and double frees. Bugwise has been developed over the past several years and is implemented as a series of modules in a greater system that performs other binary analysis tasks such as malware detection. This entire system consists of more than 100,000 lines of C++ code. In this talk, I will explain how Bugwise works. The system is still in the development stage but has successfully found a number of real bugs and vulnerabilities in Debian Linux.
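To make the "data flow analysis to discover use-after-frees and double frees" part concrete, here is an added example, not Bugwise code and not the tool's intermediate representation: a forward dataflow analysis over a toy control-flow graph in which each instruction is a pointer event ("alloc", "free" or "use" of a variable) of the kind a decompiler would recover from call sites and memory accesses. The analysis tracks, per variable, the set of states it may be in on some path, joins by set union at merges, iterates to a fixpoint with a worklist, and reports a definite finding when every path agrees and a "possible" finding when only some paths lead to the freed state. The sample CFG is constructed.

```python
# Abstract states a pointer variable may be in. Each variable maps to the
# SET of states reachable on some path, so the join at control-flow merges
# is set union (a finite power-set lattice, which guarantees termination).
ALLOCATED, FREED, UNKNOWN = "allocated", "freed", "unknown"


def join(a, b):
    """Merge two abstract states; None stands for 'no path reaches here'.
    A variable missing on one side is UNKNOWN there (e.g. never allocated)."""
    if a is None:
        return {v: set(s) for v, s in b.items()}
    out = {}
    for var in set(a) | set(b):
        out[var] = a.get(var, {UNKNOWN}) | b.get(var, {UNKNOWN})
    return out


def transfer(insns, state_in):
    """Run one basic block's ("alloc"|"free"|"use", var) instructions over an
    incoming state. Returns (state_out, findings) with findings as
    (kind, var, index-within-block)."""
    state = {v: set(s) for v, s in state_in.items()}
    findings = []
    for i, (op, var) in enumerate(insns):
        cur = state.get(var, set())
        if op == "alloc":
            state[var] = {ALLOCATED}
        elif op == "free":
            if FREED in cur:
                kind = "double free" if cur == {FREED} else "possible double free"
                findings.append((kind, var, i))
            state[var] = {FREED}
        elif op == "use":
            if FREED in cur:
                kind = "use after free" if cur == {FREED} else "possible use after free"
                findings.append((kind, var, i))
    return state, findings


def analyze(cfg, entry="entry"):
    """Forward worklist dataflow over cfg = {block: (insns, successors)}.
    Returns sorted findings as (kind, var, block, index)."""
    state_in = {b: None for b in cfg}
    state_out = {b: None for b in cfg}
    state_in[entry] = {}
    worklist = [entry]
    while worklist:
        b = worklist.pop(0)
        new_out, _ = transfer(cfg[b][0], state_in[b])
        if new_out == state_out[b]:
            continue                           # no change, successors are current
        state_out[b] = new_out
        for s in cfg[b][1]:
            merged = join(state_in[s], new_out)
            if merged != state_in[s]:
                state_in[s] = merged
                if s not in worklist:
                    worklist.append(s)
    findings = []
    for b, (insns, _) in cfg.items():
        if state_in[b] is not None:            # unreachable blocks are skipped
            findings += [(kind, var, b, i) for kind, var, i in transfer(insns, state_in[b])[1]]
    return sorted(findings)


# Constructed CFG with a common shape: an error path frees a buffer that the
# shared cleanup block frees again, and the cleanup block uses a second
# buffer that the success path has already released.
SAMPLE_CFG = {
    "entry":   ([("alloc", "p"), ("alloc", "q"), ("use", "p")], ["err", "ok"]),
    "err":     ([("free", "p"), ("use", "p")],                  ["cleanup"]),
    "ok":      ([("use", "q"), ("free", "q")],                  ["cleanup"]),
    "cleanup": ([("free", "p"), ("use", "q")],                  []),
}

if __name__ == "__main__":
    for finding in analyze(SAMPLE_CFG):
        print(finding)
```

On SAMPLE_CFG the analysis reports a definite use-after-free of p in the err block and only "possible" findings in cleanup, which is the distinction that matters when triaging output from a tool like this: the definite ones are bugs, the possible ones need a path-sensitivity or alias check before they are worth a report.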


Silvio Cesare is a PhD student at Deakin University. His research interests include malware detection and automated vulnerability discovery using static analysis of executable binaries. He has previously spoken at conferences including Blackhat, Cansecwest, Ruxcon, and academic outlets. He is an author of the book Software Similarity and Classification, published by Springer and has worked in industry within Australia, France and the United States. This work includes time as the scanner architect of the vulnerability management company, Qualys.



Maverick: Adding the Apple Touch to Qualcomm's Baseband Bootrom

Apple customized the Qualcomm baseband bootrom to allow for personalized BBTickets. This presentation will dig into this "Maverick" protocol and compare it to Apple's APTickets. It will also cover the evolution of both BBTickets and APTickets and delve into the Qualcomm QMI protocol as implemented in the iPhone.


Eric McDonald ("MuscleNerd") is a Staff Engineer at a southern California high-tech firm where he specializes in reverse engineering BIOSes. He is a member of the iPhone Dev Team, which has been developing free iPhone jailbreaks and carrier unlocks since the first iPhone in 2007. He was previously involved in hacking the first two generations of TiVo hardware and was Technical Editor of both the "iOS Hacker's Handbook" (2012) and "Hacking the TiVo, 2nd Edition" (2004). Originally from the Boston area, he holds S.B. and S.M. degrees from M.I.T.



Tackling the Android Challenge

Android is currently the world's most popular smartphone operating system. This kind of popularity traditionally draws the eye of security researchers and attackers alike. It is not surprising that Android security is an exploding research area within the security community.

Android presents a number of challenges to security practitioners. Several of these challenges will be discussed in detail during this presentation. Specific topics covered range from business relationships to deeply technical design and implementation weaknesses. Finally, methods and processes for dealing with these challenges will be offered.


Joshua J. Drake is a Senior Research Scientist with Accuvant LABS. Joshua focuses on original research in areas such as vulnerability discovery, exploitation and reverse engineering. He has over 10 years of experience in the information security field, including serving as the lead exploit developer for Metasploit and a vulnerability researcher at iDefense Labs. Most recently he, along with Charlie Miller and Georg Wicherski, presented a reliable Android 4.0.1 browser exploit at BlackHat USA 2012.



Unravelling Windows 8 Security and the ARM Kernel

There has been a lot of attention given lately to Windows 8 and its new "Metro"/Modern UI. But much less attention has been given to the new security features and mitigations coming in this new release (other than Tarjei's talk at SyScan 2012 about the new pool mitigations and improvements, and Matt Miller's talk at BlackHat). This talk aims to fill that void, and introduce major new Windows 8 security features and the internals behind their implementation, including:


  • App Containers (LowBox), the key sandboxing architecture behind Modern/Metro Applications, including support for per-logon-session handle tables, per-container object namespaces and atom tables, and many other new improvements.
  • Signing Policy and Signing Levels, which will enable iOS-style code signing requirements, enforceable through Secure Boot.
  • Capability SIDs (Contracts) which enable iOS and Android-style application authorization for access to contacts, file system, network, etc...
  • Claim SIDs, the backing behind ABAC (Attribute-Based Access Control) in Windows 7 for AppLocker, and extended in Windows 8 for Dynamic Access Control/Centralized Access Policy support in Windows 8 Server.
  • Measured Boot and Secure Boot, part of the new TPM implementation
  • ELAM (Early-Launch Anti Malware), the new driver technology designed for security drivers

... and more ...

On top of these new features, the security and kernel teams at Microsoft have been busy adding dozens of new mitigations, some of which have been made public, such as HEASLR and the new pool mitigations, while others have not yet been formally announced. This talk will cover a laundry list of about 20 new mitigations, including a bit of brief history into their evolution from developer, to consumer, to release preview, and finally RTM.

A few of the things that will be shown:


  1. NULL-page protection
  2. Information leakage plugs
  3. ASLR improvements (other than HEASLR) such as MEM_TOP_DOWN randomization
  4. SMEP support
  5. Changes to how system calls are done

When relevant/possible, anti-mitigations to the new changes will also be described.

Finally, a brief discussion of how the Windows RT (previously Windows on ARM) kernel and system works compared to x86/x64, for purposes of exploitation (how to find the KPCR, where is KUSER_SHARED_DATA, how are ring levels defined, what's at 0xFFFF0000, etc...?)


Alex Ionescu is the founder of Winsider Seminars & Solutions Inc., specializing in low-level system software for administrators and developers as well as reverse engineering and security trainings for government intelligence and defence agencies; he also teaches Windows internals courses for David Solomon Expert Seminars, notably at Microsoft. He is coauthor of the Windows Internals series (since the 5th Edition), along with Mark Russinovich and David Solomon. 

From 2003-2007, Alex was the lead kernel developer for ReactOS, an open source clone of Windows XP/Server 2003 written from scratch, for which he wrote most of the Windows NT–based kernel. During his studies in Computer Science, Alex worked at Apple on the iOS kernel, boot loader, firmware, and drivers on the original core platform team behind the iPhone, iPad and AppleTV. Returning to his Windows security roots, Alex is now Chief Architect at CrowdStrike, a security startup focused on nation-state adversaries and other highly sophisticated actors.

Alex continues to be very active in the security research community, discovering and reporting several vulnerabilities related to the Windows kernel and presenting talks at conferences such as Blackhat, SyScan, and Recon. His work has led to the fixing of many critical kernel vulnerabilities, as well as a few dozen non-security bugs.



Rootkit in your Laptop: Hidden Code in your Chipset

For several years now, Intel has been putting a dedicated microcontroller ("Management Engine" aka ME) into their motherboard chipsets. Originally intended for chipset management tasks, with each generation the ME takes a more and more active role. It works independently from the main CPU, can be active even when the rest of the system is powered off, and has a dedicated connection to the network interface for out-of-band networking which bypasses the main CPU and the installed OS. In recent models, the ME is responsible for features like:


  • Intel Active Management Technology: remote management of PCs even when they're powered off, remote KVM, IDE redirection for remote boot and more.
  • Intel Identity Protection Technology: hardware-based two-factor authentication which can't be affected by the host software
  • Intel Anti-Theft Technology: remotely disable a stolen or lost PC (over network or over cellular connection if the PC has one)
  • and more

The talk will describe the internals of the ME.


  1. Where and how the ME firmware is stored
  2. The layout of the firmware area
  3. How to extract components and analyze them
  4. The modules of the ME and their tasks
  5. Interactions between OS, BIOS and ME firmware
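The first steps of the outline above (where the firmware is stored, the layout of the firmware area, extracting components) start from the SPI flash image, whose Intel Flash Descriptor names the region that holds the ME firmware. As an added example, not code from the talk or from any Intel tool, the following parser locates the descriptor signature, decodes FLMAP0 to find the region table, carves out the ME region and checks that it begins with the "$FPT" flash partition table marker that lists the ME's individual partitions. The flash image used here is a constructed 32 KiB stand-in (real dumps are several MiB); the field layouts are those of the descriptor format as used by open-source tools such as ifdtool, and newer platforms with more than five regions are outside what this example handles.

```python
import struct

FD_SIGNATURE = 0x0FF0A55A                     # Intel Flash Descriptor "FLVALSIG"
REGIONS = ("Descriptor", "BIOS", "ME", "GbE", "PlatformData")   # region index 0..4


def find_descriptor(image):
    """Offset of the descriptor signature: 0x10 into the flash on the parts
    this example targets (offset 0 on some early ICH-era descriptors)."""
    for off in (0x10, 0x0):
        if len(image) >= off + 4 and struct.unpack_from("<I", image, off)[0] == FD_SIGNATURE:
            return off
    raise ValueError("no Intel flash descriptor signature")


def parse_regions(image):
    """Decode FLMAP0 and the region table; returns {name: (base, limit)}
    with None for regions the descriptor marks as unused."""
    sig = find_descriptor(image)
    flmap0 = struct.unpack_from("<I", image, sig + 4)[0]
    frba = ((flmap0 >> 16) & 0xFF) << 4       # Flash Region Base Address, 16-byte units
    regions = {}
    for idx, name in enumerate(REGIONS):
        flreg = struct.unpack_from("<I", image, frba + 4 * idx)[0]
        base = (flreg & 0x1FFF) << 12          # 4 KiB granularity
        limit = (((flreg >> 16) & 0x1FFF) << 12) | 0xFFF
        regions[name] = None if base > limit else (base, limit)   # 0x1FFF/0 = unused
    return regions


def extract_me_region(image):
    """Carve the ME region and confirm it starts with a Flash Partition Table
    ("$FPT" within the first 0x20 bytes), which is where the individual ME
    code and data partitions are listed. Returns (region_bytes, fpt_offset)."""
    bounds = parse_regions(image)["ME"]
    if bounds is None:
        raise ValueError("descriptor has no ME region")
    base, limit = bounds
    me = image[base:limit + 1]
    fpt = me[:0x20].find(b"$FPT")
    if fpt < 0:
        raise ValueError("ME region does not begin with a $FPT header")
    return me, fpt


def build_sample_image(size=0x8000):
    """Constructed 32 KiB stand-in for an SPI flash dump. Layout: descriptor
    0x0000-0x0FFF, ME 0x1000-0x5FFF, BIOS 0x6000-0x7FFF, GbE/PDR unused."""
    img = bytearray(b"\xFF" * size)
    struct.pack_into("<I", img, 0x10, FD_SIGNATURE)
    struct.pack_into("<I", img, 0x14, (0x40 >> 4) << 16)   # FLMAP0: FRBA = 0x40

    def flreg(base, limit):
        return (base >> 12) | ((limit >> 12) << 16)

    table = [flreg(0x0000, 0x0FFF), flreg(0x6000, 0x7FFF), flreg(0x1000, 0x5FFF),
             0x00001FFF, 0x00001FFF]                       # GbE and PDR: base > limit
    for i, v in enumerate(table):
        struct.pack_into("<I", img, 0x40 + 4 * i, v)
    img[0x1000 + 0x10:0x1000 + 0x14] = b"$FPT"             # partition table marker
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for name, bounds in parse_regions(image).items():
        print(f"{name:13s}", "unused" if bounds is None else f"{bounds[0]:#08x}-{bounds[1]:#08x}")
    me, fpt = extract_me_region(image)
    print(f"ME region: {len(me):#x} bytes, $FPT at {fpt:#x}")
```

Running the same parser over a dump read from the chip (for example with flashrom) gives the ME region boundaries directly; the $FPT header that follows is the entry point for the partition-level work the talk goes on to describe.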


Igor Skochinsky has been interested in "how stuff works" since childhood and got into software reverse engineering while studying Computer Science at the Belarusian State University. After graduating he spent several years at a big software company but continued to pursue his RE hobby in his free time. He had brief periods of internet fame after releasing a dumper for iTunes DRM-ed files (QTFairUse6) and hacking the Amazon Kindle. In 2008 he joined Hex-Rays where he is now helping develop the world-famous Interactive Disassembler and Hex-Rays Decompiler. He previously spoke at the Recon conference on embedded RE and C++ compilers' internals.



The Case for Semantics-Based Methods in Reverse Engineering

This presentation argues for a paradigm shift in the way that reverse engineering is conducted, and the relevant tools constructed, by examining five real-world problems through the lenses of theoretical computer science and mathematics. In particular, we present an appetizer of techniques for automated input crafting (in the form of automated key generator generation), equivalence checking for verification of the correctness of obfuscating transformations, generic deobfuscation for certain classes of obfuscators, as well as two other interesting problems in reverse engineering tool construction. While focusing on solutions to real-world problems, the presentation is conducted informally without excessive mathematical notation.


Rolf Rolles has been reverse engineering for fifteen years. He has worked in the areas of malware analysis, vulnerability research, teaching, and tool construction (such as coding BinDiff v1.99 from scratch and also authoring the first two prototypes of VxClass). Rolf created and continues to moderate the reverse engineering reddit. He currently serves as the Vice President of Automation at Exodus Intelligence.



Android Forensic Deep Dive

This lecture will provide a detailed introduction to forensic acquisition and analysis of Android devices, with a focus primarily on interpretation of the YAFFS2 filesystem. The techniques for acquiring the flash memory of such devices will be described and the limitations and advantages of each approach identified. These will include the use of jailbreak/OS tools, JTAG hardware debug interfaces, and the physical removal of flash memory. Techniques for analysing the YAFFS2 filesystem of Android will then be described, including recovery of past versions of deleted files. Finally, an overview of key evidential artefacts present within the filesystem will be presented.


Bradley Schatz divides his time between research and practice in the area of digital forensics. His research ranges from enabling live forensics in the energy sector to digging into the lowest layers of the hardware/software stack, while his practice ranges from investigating claims of IP theft to reconstructing the behaviour of software. The practical outcomes of Bradley’s past research may be found in the AFF4 forensic file format and the Volatility memory forensics framework.