“Practical exploitation of rounding vulnerabilities in internet banking applications”

Speaker: Adrian Furtuna

This talk discusses rounding vulnerabilities which are often present in internet banking applications. Several techniques for exploiting these vulnerabilities are presented, including a machine that abuses the digipass/security token in order to allow an attacker to perform a high number of transactions automatically, in a short period of time.

“The Machines that Betrayed their Masters”

Speaker: Glenn Wilkinson

The devices we carry betray us to those who want to invade our privacy by emitting uniquely identifiable signals. Such signals may be used to track you, or be used toward more malicious intent. This talk will discuss the process the author has gone through to build a resilient, modular, reliable, distributed, tracking, data interception, and profiling framework.

“Endpoint security via application sandboxing and virtualization — past, present, future”

Speaker: Rafal Wojtczuk

Modern large applications, e.g. browsers, are so complex that there is little hope to author them in a bug-free way. Instead, many vendors have adapted an alternative approach — run them in a container, that is intended to isolate a compromised application from the rest of the operating system. Such a container can be implemented (among others) via application-level sandboxing, or whole OS virtualization. The question is: how reliable and secure a given method of isolation is.

In this talk, we will summarize and compare the strengths and weaknesses of both methods of isolation. Concrete examples — Sandboxie, Google Chrome, Qubes OS, Bromium vSentry — will be discussed. We will look at the evolution of these solutions, and attempt to guess what future may bring.

“JSMVCOMFG — To sternly look at JavaScript MVC and Templating Frameworks”

Speaker: Mario Heiderich

There is a way to build common, classic web applications. You know, servers, databases, some HTML and a bit of JavaScript. Ye olde way. Grandfather still knows. And there is a way to build hip and fancy, modern and light-weight, elastic and scalable client-side web applications. Sometimes with a server in the background, sometimes with a database — but all the hard work is done by something new: JavaScript Model-View-Controller and templating frameworks.

Angular, Ember and CanJS, Knockout, Handlebars and Underscore… those aren't names of famous wrestlers but modern JavaScript fame-works that offer a boost in performance and productivity by taking care of many things web-app right there in the browser, where the magic happens. And more and more people jump on the bandwagon and implement those frameworks with great success. High time for a stern look from the security perspective, ain't it not?

This talk will show you how those frameworks work, how secure their core is and what kind of security issues spawn from the generous feature cornucopia they offer. Do their authors really know the DOM well enough to enrich it with dozens of abstraction layers? Or did they open a gate straight to JavaScript hell introducing a wide range of new injection bugs and coding worst-practices? Well, you'll know after this talk. You'll know…

“Virtually Impossible: The Reality Of Virtualization Security”

Speaker: Gal Diskin

This talk will demonstrate why it is virtually impossible to secure virtual machines implementations properly.

In the talk I will try to give an overview of the basics of hardware virtualization technology, the existing attack techniques against virtualization and also explain why it is such a complex problem to create a secure hypervisor. I will eventually try to delve into future directions for attack techniques against hypervisors.

When you get out of this talk you I hope that you will reconsider your trust of virtualized cloud platforms and

VMM implementations like XEN, KVM and VMWare as well as virtualization based sandboxing solutions.

The talk will touch on the following subjects / attack methods / virtualization failures (among others):
  • SMM as a shared component between VMs and why it is dangerous
  • STM — why it is never implemented?
  • Shared MSRs and their dangers (TSC anyone?)
  • SR-IOV fundamental flaw
  • VT-d / IOMMU challenges
  • Memory configuration, views and the complexity of memory management (re-mappings, PEG, System, IGD, …)
  • MMIO
For those less familiar with some computer architecture details — don’t worry. During this talk I will provide a brief introduction to subjects required to understand the technical challenges presented.

“DbiFuzz framework”

Speaker: Peter Hlavaty

Code coverage in fuzzing, dynamic unpacking or emulation are dependent on various tracers / dbi tools. Some of them are debugger based, some alter binaries and insert instrumentation. This talk will present DbiFuzz framework. DbiFuzz will use another approach, which allows you to trace at different scope separated from targeted application. Natively support x64 binaries, multithreading and tracing multiple applications by single user mode tracer.

“Windows Kernel Trap Handler and NTVDM Vulnerabilities — Case Study”

Speaker: Mateusz Jurczyk

The trust in the security of client applications widely used nowadays is slowly but surely moving towards relying on the solid posture of operating system kernels, with mitigation mechanism such as sandboxing or Mandatory Access Control becoming of more and more importance. While ring-0 security research is continuously gaining in popularity among the security community, the enormously large scope of the kernel attack surface makes it effectively impossible to cover the entirety of security threats with manual auditing. In this presentation, we will highlight several interesting kernel-mode flaws discovered through both automatic and manual techniques and recently fixed by Microsoft, including their corresponding exploitation techniques and working demonstration exploits. The issues explained during the talk involve low-level CPU mechanisms such as x86 trap handling, as well as support for 16-bit DOS programs implemented by Microsoft at the very core layer of the kernel.

“Mining Mach Services within OS X Sandbox”

Speaker: Meder Kydyraliev

With the recent rise of sandboxing technologies and their increasing adoption by major software vendors, the day when memory corruption vulnerabilities will be used primarily for cookie stealing are not that far away. In the meantime, there are still interesting avenues for reaching “hidden” attack surface from within sandboxed applications to achieve a sandbox escape. After a brief overview of OS X sandboxing I will cover one such avenue and will release fuzzing tools for it.

“State of Crypto Affairs”

Speaker: Gregor Kopf

In the last months, quite a number of crypto related problems have been revealed. Can we still trust cryptography or are we all doomed and the crypto-nihilists were right from the beginning? This talk will analyze the current situation and scratch the surface of the problems we have, aiming to provide a better understanding of the situation. We will be exploring common mistakes and identify interesting areas for crypto related work.


Speaker: Sahand

Home automation systems provide a centralized control and monitoring function for heating, ventilation and air conditioning (HVAC), lighting and physical security systems. The central control panel and various household devices such as security sensors and alarm systems are connected with each other to form a mesh network over wireless or wired communication links and act as a “smart home”. As you arrive home, the system can automatically open the garage door, unlock the front door and disable the alarm, light the downstairs, and turn on the TV. According to a study by the consulting firm AMA Research, in 2011, the UK home automation market was worth around 65 million pounds with 12% increase on the previous year. The total number of home automation system installations in the UK is estimated to be 189000 by now. The home automation market in the US was worth approximately $3.2 billion in 2010 and is expected to exceed $5.5 billion in 2016.

Zigbee and Z-wave wireless communication protocols are the most common used RF technology in home automation systems. Zigbee is based on an open specification (IEEE 802.15.4) and has been the subject of several academic and practical security researches. Z-wave is a proprietary wireless protocol that works in the Industrial, Scientific and Medical radio band (ISM). It transmits on the 868.42 MHz (Europe) and 908.42MHz (United States) frequencies designed for low-bandwidth data communications in embedded devices such as security sensors, alarms and home automation control panels. Unlike Zigbee, no public security research on Z-Wave protocol was available before our work. Z-wave protocol was only mentioned once during a DefCon 2011 talk when the presenter pointed the possibility of capturing the AES key exchange phase without a demonstration.

The Z-Wave protocol is gaining momentum against the Zigbee protocol with regards to home automation. This is partly due to a faster, and somewhat simpler, development process. Another benefit is that it is less subjected to signal interference compared to the Zigbee protocol, which operates on the widely populated 2.4 GHz band shared by both Bluetooth and Wi-Fi devices.

Z-wave chips have 128-bit AES crypto engines, which are used by access control systems, such as door locks, for authenticated packet encryption. An open source implementation of the Z-wave protocol stack, openzwave, is available but it does not support the encryption part as of yet. Our talk will show how the Z-Wave protocol can be subjected to attacks.

“IP fragmentation attack”

Speaker: Tomas Hlavacek

Recent work has indicated transport- and link-level fragmentation issues are a concern for the DNS. CZ.NIC Labs have been working on a proof of concept to illustrate these potential problems and what might be done to defend against them. Latest results proved one of the attacks on DNS caching resolvers using IP fragmentation attack vector real and exploitable and therefore potentially dangerous for the whole internet community.

“HART (in)security”

Speakers: Alexander Bolshev, Alexander Malinovsky

What do you know about current loop and the industrial protocols which use it to transmit data? In this talk, the HART protocol will be reviewed together with various ways of attacking it as well as the software and hardware that use it. We will tell (and show!) you how to read and inject packets into current loop and cause SCADA, OPC and PAM systems to crash. If you want to know how one temperature transmitter can crash a whole PCS, this is the talk for you.

“Exploitation of AVR & MSP microchips”

Speaker: Vadim Bardakov

The issue of microcontroller security is usually considered with respect to securing the firmware inside them without any regard to defending systems from vulnerability exploitation. This talk reviews the specifics of exploiting microcontroller vulnerabilities on the example of AVR and MSP.

“Filesystem timing attacks practice”

Speaker: Ivan Novikov aka “Vladimir d0znpp Vorontsov”

Gathering information about the file system is the primary method of black box security audits. The classical method of this attack is dirbusting - brute force files and directories full names to obtain their contents. In this paper author consider new methods of attack, based on timings, which can significantly reduce the time to observing files and directories. Classic divergent bruteforce problems are reduced to convergent analogue of search. Timing techniques are investigated for both hardware and for software. Also, the author researched overall theory of such effects.

“Reversing data formats: what data can reveal”

Speaker: Anton Dorfman

Any software works with data in one way or the other: receives input, processes it, and returns output. Understanding the data formats which are used in a program greatly facilitates reverse engineering and allows fuzzing the program effectively. There are a lot of patterns pertaining to data formats, and they will be considered in the talk. We will also review the methods and utilities for automatic data structure analysis of network protocols and various data formats. The author will suggest his own view of the problem and provide examples for all of the introduced concepts.

“When Documents Bite”

Speaker: Vlad Ovtchinikov

In 1999, the Melissa virus changed the industries attitude on how malware could be spread. Seemingly safe formats, such as Microsoft Word and Adobe PDF were now being used to deliver malicious payloads. A recent report on the subject found that malicious documents, as a method for delivering malware, are now the preferred method of delivery amongst attackers. In the Red October Diplomatic Cyber Attacks, Microsoft Office and PDF document files were used as the primary malware delivery vector.

The primary reason why this attack vector has had such a high rate of success in social engineering attack campaigns, is directly linked to its ability to effectively circumvent email filtering solutions by distributing a ubiquitous file type (such as *.doc, which is considered to be safe and an industry standard in document formats) that in most cases, able to reach the intended target.

As a result, analysis of the real world attack techniques, used in malicious office documents, is a key in defending against such targeted attacks that are one of the major IT security concern for enterprise networks.

This talk will look into the details of those attack techniques, as well as cover a few detection methods that can be implemented by enterprises to counter such threats.

“Strike to the infrastructure: a story about analyzing thousands mobile apps”

Speaker: Alexey Troshichev

A lot of modern applications are just an interface between the user and the infrastructure, which can be a much sweeter attack target than some guy and his phone. I will present a tool which can automatically retrieve potentially useful data along with the results of the analysis of 10000 App store applications including both statistics and case reviews.

“SCADA deep inside: protocols, security mechanisms, software architecture”

Speakers: Alexander Timorin, Alexander Tlyapov

This talk will feature a technical description and a detailed analysis of such popular industrial protocols as Profinet DCP, IEC 61850-8-1 (MMS), IEC 61870-5-101/104, based on case studies. We will disclose potential opportunities that those protocols provide to attackers, as well as the authentication mechanism of the Siemens proprietary protocol called S7.

Besides protocols, the results of the research called Siemens Simatic WinCC will be presented. The overall component interaction architecture, HTTP protocols and interaction mechanisms, authorization and internal logic vulnerabilities will be shown.

The talk will be concluded with a methodological approach to network protocol analysis, recommendation, and script release.

“Anatomy and metrology of DoS/DDoS”

Speaker: Alexander Lyamin

Media quite often buzz about fearsome DDoS attacks scoring hundreds of Gbps: press loves large round numbers. Network guys like to compare PPS. Web developers talk about RPS. CDN operators measure them in IOWA. In our opinion, the most troublesome stories all begin with “everything is as usual, we do not read any abnormalities, it is just that nothing works” — and this is a sign that the coverage of your metrics is flawed.

We have tried and deduced a universal classification of DoS/DoS attacks and a minimum set of metrics which are necessary to completely describe the processes which occur in a network application. In this talk, we will see how these metrics describe the currently popular DoS/DDoS methods and try to find new perspective vectors for this class of attacks.

Official support:
With participation of:
Gold sponsor:
Silvers sponsor:
Official beverage:
General Media Partner:
Gold Media Partner:
Media Partners:
Information Partners: