Alexander Ermolov - Staff Member, Embedi

Alex Matrosov - Principal REsearch Scientist, Cylance

Butterly & Schmidt - Security Researchers, ERNW GmbH

Diego Aranha - Professor Doutor, Universidade Estadual de Campinas

Fernando Gont - Security Consultant & Researcher, SI6 Networks

Gabriel Negreira Barbosa - Principal Security Researcher, Intel Corporation

Glaudson Ocampos a.k.a. Nash Leon - Analista de Seguranca Senior - Conviso Application Security

Gustavo Scotti - Software Engineer, Microsoft Corporation

Isnaldo Francisco de Melo - PhD Student, UdM

Janine Medina a.k.a. Nina Alli - Project Manager, DEFCON BioHacking Village

Joao Filho Matos Figueiredo - Independent Security Researcher

Luckas Faria - Professor, Universidade Anhembi Morumbi (UAM)

Marion Marschalek - Security Researcher, Intel Corporation

Matias Katz - CEO, MKIT

Matthias Luft - Security Researcher & CEO, ERNW GmbH

Matt Suiche - Founder, Comae Technologies

Mike Ossmann - Founder, Great Scott Gadgets

Nelson Brito - Cybersecurity Thinker And Philosopher in Brazil

Oleksandr Bazhaniuk - Independent Security Researcher

Rodrigo Branco - Senior Principal Security Researcher, Intel Corporation

Sergey Shekyan - Engineer, Shape Security

Shay Gueron - Senior Principal Engineer, Amazon AWS

Thais Moreira Hamasaki - Independent Malware Researcher

Victor Pasknel - Consultor, Morphus Seguranca da Informacao

Ygor da Rocha Parreira a.k.a. dmr - Red Team Lead, Threat Intelligence



  UEFI BIOS holes: So Much Magic, Dont Come Inside
 Alexander Ermolov
  This report introduces the topic of the vulnerability searching process in the firmware of GA-Q170M-D3H motherboard. It also describes how the CPU level debugger can be obtained with the help of Intel DCI technology at home. Detailed information on how to operate with the debugger will also be provided. We will tell how Intel DCI was used to detect the vulnerability common for all types of motherboards. In addition, we will demonstrate how to exploit the very same vulnerability in Intel NUC Kit NUC7i3BNH despite this vulnerability has been patched.
  Researcher, reverse engineer, and information security expert. A staff member of Embedi. My passion includes low-level design, analysis of system software, BIOS, and other firmware. I love to research undocumented technologies.



  Betraying the BIOS: Where the Guardians of the BIOS are Failing
 Alex Matrosov
  For UEFI firmware, the barbarians are at the gate -- and the gate is open. On the one hand, well-intentioned researchers are increasingly active in the UEFI security space; on the other hand, so are attackers. Information about UEFI implants -- by HackingTeam and state-sponsored actors alike -- hints at the magnitude of the problem, but are these isolated incidents, or are they indicative of a more dire lapse in security? Just how breachable is the BIOS?

In this presentation, I'll explain UEFI security from the competing perspectives of attacker and defender. I'll cover topics including how hardware vendors have left SMM and SPI flash memory wide open to rootkits; how UEFI rootkits work, how technologies such as Intel Boot Guard and BIOS Guard (and the separate Authenticated Code Module CPU) aim to kill them; and weaknesses in these protective technologies. There are few public details; most of this information has been extracted by reverse engineering.
  Alex Matrosov is a Principal REsearch Scientist at Cylance. He has over a decade of experience with reverse engineering, advanced malware analysis, firmware security, and advanced exploitation techniques. Before joining Cylance, Alex served as Principal Security Researcher at Intel Security Center of Excellence (SeCoE) where he lead BIOS security for Client Platforms. Before this role, Alex spent over six years at Intel Advanced Threat Research team and ESET as Senior Security Researcher. He is also author and co-author of the numerous research papers and the book "Rootkits and Bootkits: Reversing Modern Malware and Next Generation Threats". Alex is frequently invited to speak at security conferences, such as REcon, Ekoparty, Zeronigths, Black Hat and DEF CON. Also, he is awarded by Hex-Rays for open-source plugin HexRaysCodeXplorer which is developed and supported since 2013 by REhint's team.



  Hacks & Case Studies: Cellular Devices
 Butterly & Schmidt
  Hacking is fun and so are learning and playing with new things, as such the choice of utilizing my small GSM network for research was trivial. Having seen various approaches for cellular communications in previous projects, I decided to start collecting connected devices "just to have a closer look". As the title already announces, the talk will cover various devices and shed light on how they communicate with the rest of the world. It will show how each one can be remotely controlled and which reporting channels are in use. Where possible simple hacks will show how most identified security measures can be circumvented and what this can mean for the operator/user of the device. To do so we'll be bringing a few devices like a GPS tracker/vehicle immobilizer live on stage together with our testing setup. Every single case study helps creating a bigger picture of cellular communications - how they work, how they're secured and how they can be broken.
  Brian is a security researcher, analyst and simply a hacker at Heidelberg (Germany) based ERNW GmbH. Coming from the field of electronic engineering he tends to choose alternate approaches when hitting new projects. He currently works on the intersection of embedded-, mobile and telco-security, with tasks and research ranging from evaluating apps and devices through to analyzing their transport networks and backend infrastructures. Resulting from the broad range of practical experience and natural curiosity he has developed a very diverse set of skills and knowledge. He enjoys cracking open black boxes and learning about their details down to the electronic circuits and creating the tools he needs on the way. He is always happy to share his knowledge and findings.

Hendrik Schmidt is a seasoned security researcher with vast experiences in large and complex enterprise networks. He is a pentester at the German based ERNW GmbH with focus on telecommunication networks. Over the years he evaluated and reviewed all kinds of network protocols and applications. He loves to play with complex technologies and networks and demonstrated several implementation and design flaws. In this context he learned how to play around with core and backhaul networks, wrote protocol fuzzers and spoofers for testing implementations and security architecture. As his profession of pentester, security researcher and consultant he will happily share his knowledge with the audience.



  Deixem a criptografia em paz!
 Diego Aranha
  A palestra trata de técnicas criptográficas e outras tecnologias para proteção da privacidade sob uma perspectiva histórica, culminando no desenvolvimento da chamada criptografia fim-a-fim implementada em aplicativos modernos para troca de mensagens como WhatsApp e Signal. Discute também abordagens que governos tem sugerido para interceptar conteúdo nessas plataformas, suas limitações fundamentais e correspondente impacto em seguraça. A idéia é desmistificar o debate atual em torno da criptografia e propor alternativas menos intrusivas para fins de investigação.
  Professor Doutor na Universidade Estadual de Campinas (Unicamp) desde 2014. Tem experiência na área de Criptografia e Segurança Computacional, com ênfase em implementação eficiente de algoritmos criptográficos e análise de segurança de sistemas reais. Coordenou a primeira equipe de investigadores independentes capaz de detectar e explorar vulnerabilidades no software da urna eletrônica em testes controlados organizados pelo Tribunal Superior EleitoralBacharel em Ciência da Computação pela Universidade de Brasília (2005), Mestre (2007) e Doutor (2011) em Ciência da Computação pela Universidade Estadual de Campinas. Recebeu em 2015 o prêmio Inovadores com Menos de 35 Anos Brasil da MIT Technology Review por seu trabalho com o voto eletrônico e Google Latin America Research Award para pesquisa em privacidade em 2015 e 2016.



  Hacking Smart Home Devices
 Fernando Gont
  Smart home devices such as IP cameras have become ubiquitous. This presentation explore some of such devices and analyze the protocols and security properties associated with them. Common flaws will be identified and, where possible, advice on how to mitigate the associated issues will be provided. Live demonstrations will be provided for some of the identified issues, with a new version of the IoT Toolkit to be released as part of this presentation.
  Fernando Gont specializes in the field of communications protocols security, working for private and governmental organizations from around the world.

Gont has worked on a number of projects for the UK National Infrastructure Security Co-ordination Centre (NISCC) and the UK Centre for the Protection of National Infrastructure (CPNI) in the field of communications protocols security. As part of his work for these organizations, he has written a series of documents with recommendations for network engineers and implementers of the TCP/IP protocol suite, and has performed the first thorough security assessment of the IPv6 protocol suite.

Gont is currently working as a security consultant and researcher for SI6 Networks (https://www.si6networks.com). Additionally, he is a member of the Centro de Estudios de Informatica (CEDI) at Universidad Tecnológica Nacional/Facultad Regional Haedo (UTN/FRH) of Argentina, where he works in the field of Internet engineering. As part of his work for these organizations, he is active in several working groups of the Internet Engineering Task Force (IETF), and has published 30 IETF RFCs (Request For Comments) and more than a dozen IETF Internet-Drafts. Gont has also developed the SI6 Network's IPv6 Toolkit (): a portable and comprehensive security toolkit for the IPv6 protocol suite.

Gont runs the IPv6 Hackers and the IoT Hackers mailing-lists (), and has been a speaker at a number of conferences and technical meetings about information security, operating systems, and Internet engineering, including: CanSecWest 2005, Midnight Sun Vulnerability and Security Workshop/Retreat 2005, FIRST Technical Colloquium 2005, Kernel Conference Australia 2009, DEEPSEC 2009, HACK.LU 09, HACK.LU 2011, DEEPSEC 2011, IETF 83, LACSEC 2012, Hackito Ergo Sum 2012, Hack In Paris 2013, German IPv6 Kongress 2014, H2HC 2014, and Troopers 2016. Additionally, he is a regular attendee of the Internet Engineering Task Force (IETF) meetings.

More information about Fernando Gont is available at his personal web site: .



  Introducao a Virtualizacao
 Gabriel Negreira Barbosa
  Seja como um simples artifício para teste de software ou como base para mecanismos de segurança implementados em sistemas operacionais modernos, a virtualização é amplamente utilizada nos dias de hoje para os mais diversos fins. Mas como ela realmente funciona? O que está por trás das máquinas virtuais? Essa palestra tem o objetivo de prover uma introdução a alguns conceitos sobre virtualização importantes para a compreensão de alguns de seus aspectos de segurança.
  Gabriel Negreira Barbosa trabalha como pesquisador de segurançaPrincipal na Intel. Anteriormente, trabalhou como engenheiro de segurança de software 2 na Microsoft e como pesquisador de segurança líder na Qualys. Recebeu o título de bacharel em ciência da computação pela PUC-SP; e de mestre pelo ITA, onde participou de projetos de segurança para o governo brasileiro e a Microsoft Brasil. Já apresentou trabalhos em algumas conferências, como H2HC, SACICON, Troopers, Black Hat USA e BSides (PDX e DFW).



  Utilizando Inteligencia Artificial para Atacar Aplicacoes Web
 Glaudson Ocampos a.k.a. Nash Leon
  A Inteligência Artificial tem sido bem sucedida em resolver diversos problemas complexos em ramos tão distintos como jogar Xadrez, Poker, criação de carros autônomos, etc. Nessa palestra, veremos como é possível aplicar conceitos e algoritmos de IA para automatizar ataques WEB de maneira inteligente e bem-sucedida.
  Analista de Segurança Sênior da Conviso Application Security. Profissional de Teste de Intrusão com mais de 15 anos de experiência. Executou diversos projetos de Segurança defensiva e ofensiva tais como desenvolvimento de WAF, IPS etc. Criou exploits para diversas falhas em servidores e aplicativos. Seu foco atual de pesquisa é IA aplicada à Segurança da Informação e Criptanálise Aplicada.



  Parasite OS
 Gustavo Scotti
  Typically, post-exploitation is an intelligence game. Accessing any of the host operating system resources exposes the attacker to defensive systems. Still relying on execve/ProcessCreate family to run your arsenal? It’s time to review your concepts. Parasite OS is a rogue operating system to manage its own tiny resources (memory, IO, CPU) on top of the host operating system. Starting with the simplest process management, it can run on a single and unique thread at user mode, managing multiple rogue processes (no rootkit required to hide your processes).
  Gustavo Scotti (aka csh): did some cool stuff in the security space - including the infamous tsl-bind exploit, PS2 reverse engineering, and the Axur05 e-zine. Software engineer at Microsoft, worked from Xbox One's secure boot, content protection, and anti-piracy to cryogenic computing research. Currently playing with FPGA in data centers.



  Introduction to data mining using tracing and profiling tools
 Isnaldo Francisco de Melo
  In this presentation, I will show some useful tools for general development and testing. It will be the basic introduction for tracing, profiling, and debugging tools. Some basic information regarding Linux, iOS and Windows will be explained, basic explaining the architecture relation with those tools.
  Isnaldo Francisco de Melo jr Did his bachelor degree at Mackenzie University, in Sao Paulo, sandwich program in Halifax, Canada at university Saint Marys. He worked in several tech companies in Sao Paulo and also computer science education He started masters at UFABC in deep learning He is currently doing PhD at UdM in data mining and operating systems Co­supervising a honours thesis of Gabriel Alabarse, at Universidade Anhembi



  DIYBio community helping SUS
 Janine Medina a.k.a. Nina Alli
  Brasil has one of the first single payor medical systems (Sistema Único de Saúde, SUS) in the world. In such a large and diverse country, the system is faced with different obstacles (difficult terrain, lack of medical personnel, equipment, and funding). This is where I believe the DIYBio community can help - we have come up with new ways to get care to patients that is less expensive, easy to produce, and can be handled by the patient to send in for care management. I will discuss ways that the Brasilian system can teach the rest of the world how to make a single payor system successful with citizen scientists at its core.
  Nina Alli is the Project Manager of the DEF CON BioHacking Village and works in biomedical and health engineering as well as information security research. My current research is on gynecological care for women around the world and leveraging technology to protect Personally Identifiable and Protected Health Information to eliminate patient data integrity loss.



  Um overview sobre as bases das falhas de desserializacao nativa na JVM
 Joao Filho Matos Figueiredo
  Essa palestra é complementar ao artigo da revista e visa abordar, didaticamente, os mecanismos internos que tornam a desserialização na JVM um potencial ponto exploração. Serão discutidos os conceitos fundamentais dessa classe de vulnerabilidades, de forma a permitir um melhor entendimento - seja para quem trabalha como testador, quanto para aqueles que pretendem melhor se proteger destes problemas. A teoria será consolidada com a demonstração prática da exploração de duas CVEs (tendo sido uma delas publicada especialmente para ser usada neste paper/palestra), além da apresentação de um Lab desenvolvido para auxiliar nos testes de payloads. Por fim, serão sugeridas algumas medidas de remediação.
  Possui formação em Ciência da Computação e Mestrado em Sistemas Distribuídos, ambos pela Universidade Federal da Paraíba (UFPB). Foi pesquisador no Laboratório de Arquitetura e Sistemas de Software no Centro de Informática da UFPB, onde trabalhou com criptografia e segurança aplicada a sistemas de saúde - tendo recebido algumas premiações acadêmicas na área. Atuou como instrutor em treinamentos para servidores públicos e militares (exército brasileiro) pela Escola Superior de Redes (ESR-RNP) e em pós-graduações. Costuma realizar pentests independentes, tendo notificado vulnerabilidades de execução remota de código (RCE) afetando empresas como: samsung.com, blackberry.com, Oracle Cloud, Departamento de Defesa Americano (DoD) e outras dos setores financeiro e governamental. É autor da ferramenta JexBoss - publicada em 2014 para verificação e exploração de vulnerabilidades de desserialização e misconfigurations em servidores de aplicação Jboss (atualmente a ferramenta independe de servidor de aplicação).



  Cripto Hardware com FPGA, como ir de do 0 ao 1
 Luckas Faria
  Considerando o mundo Open-Hardware e Open-source muito tem-se evoluído nos últimos tempos, isto graças ao barateamento da tecnologia o que tem feito que FPGAs tenham ficado cada vez mais acessíveis. Outra tecnologia que tem popularizado é FPGAs SOC (com uma interface CPU + FPGA, as vezes até no mesmo chip) o que tem ajudado muito no processo de teste e desenvolvimento dos módulos em hardware por uma interface de comunicação mais facilitada. Assim, nesta palestra, consideraremos estes recursos de desenvolvimento e guiaremos o processo de construção do nosso Cripto Hardware tendo como alvo estruturas de curvas elípticas criptográficas. Dentro desta implementação abordando dois aspectos, um com a máxima segurança e outro com o máximo throughput.
  Professor na Universidade Anhembi Morumbi (UAM), Mestre em Eng. da Computação pela Universidade de São Paulo (USP) e formado em Ciência da Computação pela Universidade Estadual de Londrina (UEL). Atua como maker, tendo experiência com diversas plataformas de sistemas embarcados. Ganhador de vários prêmios em competições de sistemas embarcados. Atua principalmente com o desenvolvimento de hardwares criptográfico em plataforma FPGA. É membro de diversas comunidades de tecnologia, dentre elas a Papo De Sysadmin, organizando e participando como mentor de vários eventos na cidade de São Paulo. Tem em seu histórico palestras na CPBR, TDC-SP, TDC-PoA, TDC-Floripa, Latinoware, Forum de Hardware Livre, CryptoRave, BSides SP, BSides Latam, entre outros.



  50 Shades of Visual Studio
 Marion Marschalek
  Compilers can do ugly things to binary code, we know that, but how ugly does it get when one tries to visualize this? With the help of disassembly tools we can look at the function layout, but also at the actual instructions of compiled binaries. How fun would it be though, if we could look, instead of at individual instructions and functions, at all instructions at the same time? This talk will explore visualization methods applied to distributions of individual instructions and different classes of instructions within Visual Studio compiled binaries, to make it easy for analysts to find things such as encryption or compression algorithms, to distinguish different binary packers; but also to find differences in compiler optimization measures applied to one and the same code base. This kind of visualization helps finding out, how much Visual Studio alters code when applying certain optimization options for compilation. Besides fun, the resulting images are also quite beautiful, just saying. The visualizations presented are fully generated relying on open source tools, such as r2graphity, Gephi and D3JS.
  Marion Marschalek is a former malware analyst and reverse engineer, who recently started work at Intel in order to conquer the field of low level security research. She has spoken at all the conferences and such, and seen all the things, and if you want more details on her current activities you'll have to find your way around Intel's law department. Also, she runs a free reverse engineering workshop for women, because the world needs more crazy researchers \m/



  Medical records black market value
 Matias Katz
  Medical record breaches have a double impact, since they harm the healthcare institutions, but also disclose private and sensitive information about the patients. Because of this, the value of EHR (Electronic Health Records) has exceeded the value of financial records, not only because it opens the door for liability actions, but also because it can damage (or ruin) the patients life.

In this talk I will cover the different ways in which an owned server could be taken advantage of for profit purposes, and then I will discuss about the sell value of medical and financial information in the black market. I will cover a few specific recent cases (like the last one from Equifax), describe the attack vector, calculate how much it cost to the companies and end users, and talk about how it could have been fixed.
  Matias Katz is a Web & Infrastructure Security specialist. He has spoken at BlackHat, H2HC, Hack in Paris, Ekoparty, HackMiami, Campus party, OWASP and many other international conferences. He is the CEO of MKIT (www.mkit.com), a company that specializes in Red Team operations, on-demand incident response services, and personalized strategy planning and execution. He is also the founder of Andsec Security Conference (www.andsec.org)



  Penetration Testing in DevOps Environments
 Matthias Luft
  Everyone has heard of Docker, Kubernetes, etcd, CI/CD -- and many other technologies that own a .io domain. More importantly, those technologies are now starting to be used in enterprise environments which also want to leverage potential development and deployment benefits. These potential benefits partly originate from the approach of the technologies to move complexity (like handling of logging or network architecture) down from the application into the platform, consequently making the platform more complex. This complexity on the one hand increases the likelihood for technical or logical vulnerabilities and misconfiguration, but on the other hand also makes it more difficult for researchers and penetration testers to approach it from a security perspective due to a steep learning and curve and setup requirements. In this presentation, we want to explain Docker, Kubernetes, overlay networking concepts, and supporting services from a penetration tester perspective and describe (anonymously) common vulnerabilities and misconfigurations we found in various environments (but not necessarily in the tools/platforms/technologies) itself.
  Matthias Luft is a security researcher and one of the CEOs of the German security company ERNW. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.



  Porosity A Decompiler For BlockchainBased Smart Contracts Bytecode
 Matt Suiche
  Ethereum is gaining a significant popularity in the blockchain community, mainly due to fact that it is design in a way that enables developers to write decentralized applications (Dapps) and smart-contract using blockchain technology.

Ethereum blockchain is a consensus-based globally executed virtual machine, also referred as Ethereum Virtual Machine (EVM) by implemented its own micro-kernel supporting a handful number of instructions, its own stack, memory and storage. This enables the radical new concept of distributed applications.

Contracts live on the blockchain in an Ethereum-specific binary format (EVM bytecode). However, contracts are typically written in some high-level language such as Solidity and then compiled into byte code to be uploaded on the blockchain. Solidity is a contract-oriented, high-level language whose syntax is similar to that of JavaScript. This new paradigm of applications opens the door to many possibilities and opportunities. Blockchain is often referred as secure by design, but now that blockchains can embed applications this raise multiple questions regarding architecture, design, attack vectors and patch deployments.

As we, reverse engineers, know having access to source code is often a luxury. Hence, the need for an open-source tool like Porosity: decompiler for EVM bytecode into readable Solidity-syntax contracts - to enable static and dynamic analysis of compiled contracts.
  Matt Suiche is recognized as one of the world's leading authorities on memory forensics and application virtualization.

He is the founder of the United Arab Emirates based cyber-security start-up Comae Technologies. Prior to founding Comae, he was the co-founder & Chief Scientist of the application virtualization start-up CloudVolumes which was acquired by VMware in 2014. He also worked as a researcher for the Netherlands Forensic Institute.

His most notable research contributions enabled the community to perform memory-based forensics for Mac OS X memory snapshots but also Windows hibernation files. Since 2009, Matt has been recognized as a Microsoft Most Valuable Professional in Enterprise Security due to his various contributions to the community.



  Keynote: Your Ideas Are Worthless
 Mike Ossmann
  As the owner of an open source hardware company, I frequently encounter people who tell me why my business cannot possibly succeed. After six years of continuous growth, I would like to share my thoughts about why those people are wrong and how the mythology of invention affects perception. I'll share lessons from my background as a hacker, researcher, open source developer, and business owner and discuss the past, present, and future of science, technology, and the value of ideas.
  Michael Ossmann is a wireless security researcher who makes hardware for hackers. Best known for the open source HackRF, Ubertooth, and GreatFET projects, he founded Great Scott Gadgets in an effort to put exciting, new tools into the hands of innovative people.



  Keynote: Where is my identity?
 Nelson Brito
  Hacking has been on of the most exciting innovation drivers in the security industry... For long years, hacking was the most influence actor in the security industry, the security has been headed by us, we create it, we built it... But.. Have we lost our influence?
  'm merely another cybersecurity thinker and philosopher, occasionally researcher and enthusiast, addicted to computer and network (in)security, being the creator of the T50 and the only Brazilian to talk at the extinct PH-Neutral (invite-only) in Berlin.

Also, I've been playing key-roles in the security industry and community as a regular and sought-after speaker in the most influence conferences in Brazil: BSides, H2HC, YSTS, etc.

My researches are: POP, ESF, T50 and Inception — highlight to T50, a tool widely used by companies validating their infrastructures, incorporated by ArchAssault, BackTrack, BlackArch, Debian, Kali and Ubuntu.



  Software attacks on different type of system firmware: arm vs x86
 Oleksandr Bazhaniuk
  In this research, we've explored attack surface of hypervisor and firmware in two different platforms: arm and x86. We will explain different attack scenarios using interrupts and other interfaces, as well as interaction methods between firmware and hypervisor privilege levels. We will explore common vector attacks for both architectures.

This presentation will demonstrate attacks on windows 10 VBS as well as attacks on hypervisor in ARM based system with Qualcomm Snapdragon 808/810 SoC. Also we will provide new methods to test issues in ARM firmware by releasing ARM support for CHIPSEC framework and fuzzers for different firmware interfaces.
  Alex Bazhaniuk (@ABazhaniuk) is an independent security researcher. Previously, Alex was a member of the Advanced Threat Research and Security Center of Excellence teams at Intel and Intel Security. His primary interest is the security and exploitation of low-level platform hardware and firmware, exploitation and binary analysis automation. His work has been presented at a number of security conferences. He is also a co-founder of DCUA, the first DEFCON group and CTF team in Ukraine.

Yuriy Bulygin (@c7zero) has been the chief threat researcher at Intel Security/McAfee and led the Advanced Threat Research team. Previously, Yuriy led microprocessor vulnerability analysis team at Intel. Yuriy is the author of open source CHIPSEC framework.



  Firmware is the new Black: Analyzing Past Three Years of BIOS&UEFI Security Vulnerabilities
 Rodrigo Branco
  In recent years, we witnessed the rise of firmware-related vulnerabilities, likely a direct result of increasing adoption of exploit mitigations in major/widespread operating systems - including for mobile phones. Pairing that with the recent (and not so recent) leaks of government offensive capabilities abusing supply chains and using physical possession to persist on compromised systems, it is clear that firmware is the new black in security. This research looks into BIOS/UEFI platform firmware, trying to help making sense of the threat. We present a threat model, discuss new mitigations that could have prevented the issues and offer a categorization of bug classes that hopefully will help focusing investments in protecting systems (and finding new vulnerabilities). Our data set comprises of 90+ security vulnerabilities handled by Intel Product Security Incident Response Team (PSIRT) in the past 3 years and the analysis was manually performed, using white-box and counting with feedback from various BIOS developers within the company (and security researchers externally that reported some of the issues - most of the issues were found by internal teams, but PSIRT is involved since they were found to also affect released products).
  Rodrigo Rubira Branco (BSDaemon) works as Senior Principal Security Researcher at Intel Corporation in the Security Center of Excellence where he leads the Core Client and BIOS Teams. Rodrigo released dozens of vulnerabilities in many important software in the past. In 2011 he was honored as one of the top contributors of Adobe. He is a member of the RISE Security Group and is the organizer of Hackers to Hackers Conference (H2HC), the oldest security research conference in Latin America. He is an active contributor to open-source projects (like ebizzy, linux kernel, others). Accepted speaker in lots of security and open-source related events as Black Hat, Hack in The Box, XCon, OLS, Defcon, Hackito, Zero Nights, PhDays, Troopers and many others. Rodrigo is also part of the committee for many security conferences, such as Black Hat (invited reviewer), PhDays, Hackito, NoSuchCon, Opcde, CCNC, LACSEC and others.

Vincent Zimmer is a Senior Principal Engineer in the Software and Services Group at Intel Corporation. Vincent Has been developing firmware for the last 25 years and has led the efforts in EFI, now UEFI, security since 1999. In addition to chairing the UEFI Security Subteam in the UEFI Forum www.uefi.org and writing specifications and papers, Vincent has written several books on firmware https://www.amazon.com/Vincent-Zimmer/e/B002I6IW4A/. Vincent has spoken at several events, including Cansecwest, BSides, Toorcamp, Open Compute, and the Intel Developer Forum. Vincent also coordinates efforts on the EDKII security http://www.tianocore.org/security/ and represents Intel for the UEFI Security Response team www.uefi.org/security

Bruce Monroe is the team lead for the Intel Product Security Incident Response Team (Intel PSIRT) Intel's Security Center of Excellence (SeCoE). The PSIRT team is responsible for leading Intel's product security response efforts for escapes in our shipping products and services. Bruce started with Intel in September 1996 and has held numerous roles throughout Intel including working in IT Operations and Product Security. Bruce was a founding member of Intel Security Operations Center following 9/11, and was the first full time hire for Intel's PSIRT team in 2007. He is the Intel's technical representative to the Internet Consortium for the Advancement of Security of the Internet, and to the Forum of Incident Response Team's Vendor Special Interest Group. Bruce helped to draft the Common Vulnerability Scoring System Version 3 that is an industry standard for vulnerability scoring. He's very active in industry incident response circles and has a broad network of security minded professionals both internally and externally. He's contributed to several industry standards on computer forensics, vulnerability, and incident response. He's handled numerous high profile incident response events including a number of talks impacting Intel products at Blackhat.



  Content Security Policy: Is It Dead Yet?
 Sergey Shekyan
  Content Security Policy (CSP) is an 8 year old browser feature that helps fighting content injections. While an average web surfer most likely loads a page that employs CSP several times a day (thanks to the big dudes), overall adoption is still not perfect.

In this presentation, we will go over the evolution of CSP, browser support levels, caveats and mistakes in deploying an effective policies. We will focus on latest big changes in the specification that should ease the deployment process dramatically, including how to make violation reports useful.

Last but not least we will discuss what is still not covered by the CSP and how it can be abused.
  Sergey Shekyan is an engineer at Shape Security where he is focused on developing tools to detect automated web attacks. He is interested in modern browser security features and contributes to web security specifications, including Content Security Policy. As part of CSP supporting work, he co-develops Salvation, a Java library to work with CSP, which is used by OWASP Zed Attack Proxy, The W3C Markup Validation Service, CSPValidator, and many other projects.



  Keynote: Attacks on encrypted memory: Beyond the single bit conditionals
 Shay Gueron
  Protecting users's privacy in virtualized cloud environments is an increasing concern for both users and providers. A hypervisor provides a hosting facility administrator with the capabilities to read the memory space of any guest VM. Therefore, nothing really prevents such an administrator from abusing these capabilities to access users' data. This threat is not prevented even if the whole memory is encrypted with a single (secret) key. Guest VM's can be isolated from the administrator if each guest VM has its memory space encrypted with a unique per-VM key. Here, while the hypervisor's memory access capabilities remain unchanged, reading a VM memory decrypts the VM's encrypted data with the wrong key and therefore gives no advantage to the attacker. This is indeed the motivation behind some newly released technologies in latest processors.

However, this talk argues that the privacy claim of any technology that uses different encryption keys to isolate hypervisor administrators from guest VM's cannot be guaranteed. To show this, it demonstrates a new instantiation of a 'Blinded Random Block Corruption (BRBC) Attack. Under the same scenario assumptions that the per-VM keying method addresses, the attack allows a cloud provider administrator to use the capabilities of a (trusted) hypervisor in order to login to a guest VM (besides the encrypted memory). This completely compromises the user's data privacy. Furthermore, we also demonstrate that even non-boolean values can be effectively targeted by attackers, forcing the elevation of privileges of a process running in a protected VM as demonstration.

This shows, once again, that memory encryption by itself, is not necessarily a defense-in-depth mechanism against attackers with memory read/write capabilities. A better guarantee is achieved if the memory encryption includes some authentication mechanism.
  Associate Professor and Engineering Fellow, University of Haifa and Amazon. Shay Gueron is an Associate Professor of Mathematics at the University of Haifa, Israel. He holds a Senior Principal Engineer position in Cloud Security at Amazon. Previously he worked at Intel as Senior Principal Engineer, served as Intel's Senior Cryptographer. His interests include cryptography, security and algorithms. Gueron is been responsible for some of Intel processors' instructions such as AES-NI, PCLMULQDQ and coming VPMADD52, and for various micro-architectural features that speed up cryptographic algorithms. He contributed software to open source libraries (OpenSSL, NSS), with significant performance gains for symmetric encryption, public key algorithms and hashing. Gueron was one of the Intel Software Guard Extensions (SGX) technology architects, in charge of its cryptographic definition and implementation, and the inventor of the Memory Encryption Engine.



  Deobfuscating malware with logic: The use of SMT solvers in the IT Security
 Thais Moreira Hamasaki
  IT security is becoming increasingly important to protect company assets. Analysis tools help analysts identifying vulnerabilities and issues before they cause harm downstream. Understanding how software and hardware can be secured using tools and techniques beyond standard debuggers ensures higher security and integrity. This talk is about the applications of SMT solvers in IT security and how I use them to analyze malicious binaries. (WiP)
  She’s been educated on two different continents in both physics and computer science, programming went from “just a tool” to an art for problem solving in her life, leading her to the amazing world of malware analysis and information security. Outside of the university, she teaches x86 and reverse engineering at the local hackerspace, cooks every evening something different, sings Karaoke and spends whole weeks offline climbing outdoor. She is the one with the SMT solvers and malware analysis.



  Hacking ultrasound machines for fun and profit
 Victor Pasknel
  Hospitais e clinicas são ambientes ricos em dados sensíveis. Protocolos de comunicação e tecnologias especificas da área médica podem ser exploradas para causar vazamentos de informações sobre pacientes. Esta palestra tem como objetivo apresentar os resultados de minha pesquisa sobre a segurança de equipamentos médicos e tecnologias frequentemente utilizadas em ambientes hospitalares (DICOM e PACS).
  Doutorando em Ciência da Computação pela Universidade de Fortaleza. Consultor de segurança na Morphus Segurança da Informação e professor universitário com ênfase em segurança da informação.



  PenTest: Evolution and Tricks
 Ygor da Rocha Parreira a.k.a. dmr
  Ao longo dos últimos 15 anos as empresas tem empregado computação ofensiva como ferramenta de auxílio na melhoria da segurança de seus sistemas e ambientes. A primeira parte desta apresentação vai discutir a evolução dos testes de intrusão durante este período, desde as análises de vulnerabilidade até os atuais exercícios de Red Team. Você entenderá as diferenças entre os diversos tipos de testes, e onde empregar cada um deles em sua organização. A segunda parte desta apresentação vai mostrar diversas técnicas altamente eficazes durante um teste de intrusão contemporâneo.
  Ygor tem extensiva experiência em testes de intrusão focado em ataques low-level, infraestrutura de rede, ataques a protocolos, problemas de corrupção de memória, auditoria de código fonte, aplicações web, wireless, RFID, PoS e sistemas de cartão de pagamento (cartão de crédito), ATMs, aplicações mobile (iOS e Android), phishing, exploração de client-side e execução coordenada de testes de negação de serviço distribuída (DDoS). É líder do time de Red Team da Threat Intelligence responsável por criar metodologia e ferramentas para a execução deste tipo de teste