Alfredo Ortega - Independent Security Researcher

Anh Quynh & Lau - Security Researchers

Artem Shishkin - Security Researcher, Intel Corporation

bigezy - Researcher, University of Illinois

Brian Butterly - Security Researcher, Major SCADA-dependent company

Dino Covotsos - CEO, Telspace

H2HC University: Edgar Barbosa - Security Researcher, Intel Corporation

H2HC University: Gabriel Negreira Barbosa - Principal Security Researcher, Intel Corporation

H2HC University: Gustavo Scotti - Principal Security Researcher, Intel Corporation

H2HC University: Joao Matos - Independent Security Researcher

H2HC University: Julio Della Flora - Professor

H2HC University: Lucas Teske - Independent Security Researcher

H2HC University: Maycon Vitali - Senior Security Consultant, Trustwave SpiderLabs

H2HC University: Michelle Ribeiro - Independent Security Researcher

H2HC University: Paulo Matias - Professor, Department of Computing at the Federal University of São Carlos

H2HC University: Rener Silva aka Gr1nch - Security Researcher, DcLabs Security Team

H2HC University: Thais Moreira Hamasaki - Malware Researcher, F-Secure

Ivan A. Barrera Oro - Independent Security Researcher

Jasiel Spelman - Security Researcher, Trend Micro's Zero Day Initiative

Jayson E. Street - InfoSec VP, SphereNY

Luft & Harrie - Head, ERNW Research

Marion Marschalek - Security Researcher, Intel Corporation

Matveychikov & f0rb1dd3n - Independent Security Researchers

Natalie Silvanovich - Security Researcher, Google Project Zero

Nina Alli - Independent Security Researcher

Stone & McRoberts - Reverse Engineer, Google's Android Security team



  Sonic attacks to spinning hard drives
 Alfredo Ortega
  Regular spinning hard disk drives can be used to detect movement and sound by carefully measuring variations in their read/write operations. Additionally, depending on the nature of the sound, a temporary or permanent denial-of-service attack can be carried out against HDD devices. In this talk we will explore this topic, do live demonstrations and present the state of the art on sonic attacks against this class of devices.
  Alfredo Ortega has almost two decades of experience in the fields of reverse engineering, exploit development and vulnerability research, and has presented at several security conferences such as RSA, Black Hat, DEF CON, SyScan, Ekoparty and others. Alfredo Ortega has traveled a total of 550000 km, has no major diseases and can lift heavy objects weighing over 15 kg. He can also operate dangerous software like IDA Pro.



  Finding 0days in embedded systems with code coverage guided fuzzing
 Anh Quynh & Lau
  Coverage-guided fuzzing has become a trending technique for discovering vulnerabilities in powerful systems such as PCs, and has been a main contributor to countless 0days in the last few years.

Unfortunately, this breakthrough methodology has not yet been applied to finding bugs in embedded devices (network routers, IP cameras, etc.). We identified some of the reasons:

- As closed ecosystems, embedded devices usually come without built-in shell access or development facilities such as a compiler and debugger. This makes it impossible to introduce a fuzzer that runs directly inside them to find bugs.
- Where firmware is available for download (rarely), it is mostly not open source, which limits the use of available guided fuzzers such as AFL and libFuzzer, as these tools require source code in order to inject basic-block instrumentation at compile time.
- Most existing work focuses on the Intel architecture, while embedded devices run on other CPUs such as ARM, MIPS or PowerPC. Our study reveals that fuzzing tools for these architectures are sorely lacking.

This research aims to overcome these issues and build a new guided fuzzer for embedded systems.

- We emulate the firmware so that we can bring in our fuzzing and debugging tools. We will first explain how we extract firmware directly from physical devices, then emulate it in a virtual machine using a number of tricks, including static duplication of binary dependencies and patching the firmware to simulate NVRAM so that programs get real responses to their configuration queries.
- We will introduce a new lightweight dynamic binary instrumentation (DBI) framework that supports all platforms and embedded architectures in use today, including ARM, ARM64, MIPS, PowerPC and SPARC (plus Intel x86). The design and implementation of this framework will be presented in detail, so the audience can also see many other applications of our DBI beyond this project.
- We will discuss how we built a powerful guided fuzzer that runs inside the emulated firmware. With our own DBI at its heart for basic-block instrumentation, it requires no firmware source code and can find vulnerabilities in binary-only applications on every kind of embedded CPU available.

Our fuzzer discovered many 0days in some widely popular embedded network devices. Among them, several vulnerabilities allow pre-authentication remote code execution, affect millions of users, and could potentially be turned into a new botnet worm with massive-scale infection. These bugs will be released to the public in our talk if the vendors fix them in time.
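The core loop such a fuzzer runs, shown here as an added example that is not the speakers' fuzzer or DBI: a corpus of inputs, a mutator, an instrumented target reporting which basic blocks each input reached, and the rule "keep any input that reaches a new block". The target is a constructed toy parser standing in for a binary-only firmware service; its `trace.add(...)` calls model the basic-block hits a DBI layer would report from the emulated binary, and the length-trust bug it contains is invented for the example.

```python
"""Coverage-guided fuzzing loop over an instrumented toy target (added example;
not the speakers' fuzzer or DBI). trace.add(...) models basic-block hits that a
DBI layer would report from the emulated binary."""
import random


class Crash(Exception):
    """Raised when the toy target writes past its fixed-size buffer."""


def target(data: bytes, trace: set) -> None:
    """Constructed parser: 2-byte magic, 1-byte length, record type, payload."""
    trace.add("entry")
    if len(data) < 4:
        trace.add("too_short")
        return
    if data[:2] != b"NV":
        trace.add("bad_magic")
        return
    trace.add("magic_ok")
    n = data[2]                       # attacker-controlled length, never validated
    if n == 0:
        trace.add("empty")
        return
    trace.add("has_len")
    if data[3] != 0x7F:               # only record type 0x7f reaches the buggy copy
        trace.add("other_type")
        return
    trace.add("cfg_record")
    buf = bytearray(8)                # fixed 8-byte destination
    payload = data[3:3 + n]
    for i in range(n):                # classic length-trust bug: n may exceed 8
        if i >= len(buf):
            raise Crash("write past end of 8-byte buffer")
        buf[i] = payload[i] if i < len(payload) else 0
    trace.add("cfg_copied")


INTERESTING = (0x00, 0x01, 0x7F, 0x80, 0xFF)   # AFL-style "interesting" bytes


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One mutation: bit flip, interesting byte, random insert, or delete."""
    b = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and b:
        b[rng.randrange(len(b))] ^= 1 << rng.randrange(8)
    elif op == 1 and b:
        b[rng.randrange(len(b))] = rng.choice(INTERESTING)
    elif op == 2:
        b.insert(rng.randrange(len(b) + 1), rng.randrange(256))
    elif b:
        del b[rng.randrange(len(b))]
    return bytes(b)


def fuzz(seeds, max_iters=20000, rng_seed=1):
    """Keep every input that reaches a new basic block; stop at the first crash."""
    rng = random.Random(rng_seed)
    corpus = list(seeds)
    covered = set()
    for s in corpus:                  # coverage contributed by the seed corpus
        trace = set()
        target(s, trace)
        covered |= trace
    for it in range(1, max_iters + 1):
        child = mutate(rng.choice(corpus), rng)
        trace = set()
        try:
            target(child, trace)
        except Crash:
            return {"crash": child, "iterations": it,
                    "corpus_size": len(corpus), "coverage": covered}
        if trace - covered:           # new block(s): this input is worth keeping
            covered |= trace
            corpus.append(child)
    return {"crash": None, "iterations": max_iters,
            "corpus_size": len(corpus), "coverage": covered}


if __name__ == "__main__":
    print(fuzz([b"NV\x01\x00"]))
```

Starting from a single valid seed, the loop first saves an input that reaches the `cfg_record` block and then mutates that input until the length byte exceeds the buffer; without the coverage feedback the second step would have no saved intermediate to build on. A real fuzzer adds edge (not just block) coverage, input trimming, and a dictionary, but the feedback rule is the same.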

The audience can expect a deeply technical, but still entertaining presentation, with some exciting demos.
  Dr. Nguyen Anh Quynh is a regular speaker at industrial information security conferences such as Black Hat USA/Europe/Asia, DEFCON, RECON, SyScan, HackInTheBox, Shakacon, OPCDE, ZeroNights, Hack.lu, DeepSec, XCon, Confidence, HITCON, EUSecWest, etc. He has also presented his research at academic venues such as USENIX, IEEE, ACM, LNCS, etc. As a passionate coder, Dr. Nguyen is the founder and maintainer of the reversing trilogy of frameworks: Capstone (http://capstone-engine.org), Unicorn (http://unicorn-engine.org) & Keystone (http://keystone-engine.org).

KaiJern Lau is a senior security researcher at the Radio Security Department of Qihoo 360 Technology, a core member of UnicornTeam and also HITB core crew. His research topics are mainly the hardware and software of embedded devices, reverse engineering, and various other security topics. He has presented his findings at international security conferences such as HITB, Codegate, QCon, KCon, the International Antivirus Conference, etc. He ran a Hardware Hacking course during KCon. He is also a review board member for the HITB security conference.



  SMAPwn: a faster way for detecting double fetch vulnerabilities in Windows kernel
 Artem Shishkin
  The Windows kernel is permissive in terms of accessing user-mode memory: there are almost no restrictions on drivers reading or writing a process's memory. That fact leads to the existence of the double-fetch vulnerability class in the Windows kernel, and you may want to know whether it is present in your particular case. Of course, you have probably also heard about the Bochspwn project by Mateusz "j00ru" Jurczyk and Gynvael Coldwind, but what I can offer in this talk is a way to improve that method, i.e. how to dramatically improve its speed and bypass some of Bochspwn's limitations using the hardware features of Intel CPUs.
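The detection rule Bochspwn introduced, as an added example that is not the Bochspwn or SMAPwn code: record every kernel read of user-mode memory during a syscall and report when two different kernel instructions read overlapping user addresses within the same syscall invocation. The trace tuple format, the user/kernel address split, the addresses and the instruction pointers below are all assumptions constructed for the example; a real trace comes from an instrumented emulator or, as the talk proposes, from CPU hardware features, and each finding still needs manual triage to confirm that the second read is actually trusted.

```python
"""Bochspwn-style double-fetch detection over a memory-access trace
(added example, not the Bochspwn or SMAPwn code)."""
from collections import defaultdict

# Assumed top of user space for the x64 Windows layout used by this example.
USER_LIMIT = 0x00007FFFFFFFFFFF


def is_user(addr: int) -> bool:
    return addr <= USER_LIMIT


def overlaps(a: int, alen: int, b: int, blen: int) -> bool:
    """True when [a, a+alen) and [b, b+blen) share at least one byte."""
    return a < b + blen and b < a + alen


def find_double_fetches(trace):
    """trace: iterable of (syscall_id, op, addr, size, pc), op in {"R", "W"}.

    A double fetch is reported when two reads from *different* kernel
    instructions touch overlapping user-mode bytes inside one syscall.
    Re-reads by the same instruction (a copy loop) are deliberately ignored."""
    reads = defaultdict(list)         # syscall_id -> [(addr, size, pc), ...]
    findings = []
    for sc, op, addr, size, pc in trace:
        if op != "R" or not is_user(addr):
            continue                  # writes and kernel-memory reads are irrelevant
        for a2, s2, pc2 in reads[sc]:
            if pc2 != pc and overlaps(addr, size, a2, s2):
                findings.append({"syscall": sc, "addr": addr,
                                 "first_pc": pc2, "second_pc": pc})
        reads[sc].append((addr, size, pc))
    return findings


# Constructed trace: syscall 7 validates a user-supplied length at one pc and
# re-reads the same field at another pc during the copy; syscall 8 reads two
# adjacent, non-overlapping fields once each.
SAMPLE_TRACE = [
    (7, "R", 0x00007FFE00001010, 4, 0xFFFFF80000401A10),  # length check
    (7, "R", 0xFFFFF80000900000, 8, 0xFFFFF80000401A20),  # kernel pool, ignored
    (7, "W", 0x00007FFE00001010, 4, 0xFFFFF80000401A30),  # write-back, ignored
    (7, "R", 0x00007FFE00001010, 4, 0xFFFFF80000401A40),  # length used again
    (8, "R", 0x00007FFE00002000, 2, 0xFFFFF80000402000),
    (8, "R", 0x00007FFE00002004, 2, 0xFFFFF80000402010),
]

if __name__ == "__main__":
    for finding in find_double_fetches(SAMPLE_TRACE):
        print({k: hex(v) if isinstance(v, int) else v for k, v in finding.items()})
```

The fix on the driver side is the usual one: capture the user value once into a kernel-local copy, validate the copy, and use only the copy afterwards; the detector above flags exactly the code paths that skip that step.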
  A security researcher at Intel Corporation. Interested in Windows kernel security. Has given talks on Windows SMEP bypass, kernel patch protection bypass and abusing virtualization capabilities for security research. Accepted speaker at conferences such as PHDays and ZeroNights.



  Is visualization still necessary?
 bigezy
  In this talk, we hope to bring up issues we are encountering as we build tools that provide data visualization of enterprise-grade data feeds. These feeds typically come from taps such as Gigamon, and they carry data on thousands of simultaneous flows. Interestingly, even individual visualizations of edge devices produce an overwhelming amount of session data that is difficult to depict visually over time.
  Edmond Rogers - bigezy - Before joining the University of Illinois Information Trust Institute (ITI), Edmond Rogers was actively involved as an industry participant in many research activities in ITI's TCIPG Center, including work on CyPSA Cyber Physical Situational Awareness, NetAPT (the Network Access Policy Tool) and LZFuzz (Proprietary Protocol Fuzzing). Prior to joining ITI, Rogers was a security analyst for Ameren Services, a Fortune 500 investor-owned utility, where his responsibilities included cyber security and compliance aspects of Ameren's SCADA network. Before joining Ameren, he was a security manager and network architect for Boston Financial Data Systems (BFDS), a transfer agent for 43% of all mutual funds. He began his career by founding Bluegrass.Net, one of the first Internet service providers in Kentucky. Rogers leverages his wealth of experience to assist ITI researchers in creating laboratory conditions that closely reflect real-world configurations.



  DSL: Dismantling Secret Layers
 Brian Butterly
  CPE is the typical abbreviation ISPs use for the first node on a customer's site. For most users the Customer Premises Equipment is a simple home router. Depending on the ISP's terms and conditions, the user might be forced to use a provided device. In some situations, even where a custom device is allowed, certain configuration information (credentials, VLAN IDs) will not be provided: the required data is provisioned automatically when the device is connected for the first time, or pushed when there are further updates, and the user has no direct access to it. From a security perspective, having a rather untrusted device in your home or even corporate network that can be configured remotely (backdoor?) is never very comforting, especially as many routers have a long history of failures, e.g. the large router outages in Europe in 2016 caused by a combination of a vulnerability, a bug and a botnet. The talk will cover a simple setup based on a broadly available DSLAM / DSL master modem which puts us in a direct MitM position between the CPE and the ISP's network. Well-known networking tools will then be used to find out what typical ISPs do when configuring a DSL router, which protocols are used, and how these and the routers themselves are protected. The talk will close with a few results from off-the-shelf routers. Or in short: everything you need to start breaking DSL clients.
  Brian currently works in incident response in a very large and crazily diverse environment at a German company. There he aims at developing new methods for protecting even the strangest control systems and the surrounding networks. Still, at heart, he is an open-minded security researcher, into breaking everything he can get his fingers on. Having worked in embedded, hardware, mobile and telecommunications security, he has a lot of war stories and experience at hand and is always happy to share.



  Hacking the international RFQ Process #killthebuzzwords
 Dino Covotsos
  Thanks to the "boom" in the information security industry combined with the latest buzzwords, more and more large corporations are looking for the latest "next gen" anti-haxor services and technologies. In doing so they often go out publicly to tender and/or issue an RFP/RFQ in order to obtain the best possible solution for their requirements and budget (usually cost *wins*).

Because of this, and a lack of maturity in the field, companies issue public RFQs/RFPs that contain classified and confidential/secret information such as network diagrams, architectural designs, software versions, etc. Obtaining this type of information would usually require an attacker to spend an extensive amount of time performing enumeration and/or gaining access to the internal network first, and then a significant amount of time learning about that environment. Targeting the procurement process of an organisation exposes a largely unexplored attack surface.

This new research and presentation aims to demystify the above and give practical examples of large international organisations which, unfortunately, fail badly at the RFP/RFQ process. This opens a "free and easy" attack vector that attackers can exploit without extensive enumeration and fingerprinting, or anything close to an intrusive attack. As a result, an attacker often has access to an extensive amount of confidential information about the organisation, which can be used to launch more targeted attacks. Depending on the type of information gathered, such attacks could be likened to those of an attacker with insider knowledge.

We will also demonstrate, via real-world examples, the dangers of going out blindly looking for specific services and products in the information security industry, with real-life networks being shown on stage.
  Dino Covotsos is founder and CEO of Telspace, a South African-owned IT security firm, which started in 2002. Covotsos has many years of experience in the information security sector and has been involved in hundreds of information security projects worldwide. He is also a presenter at well-known local and international conferences and is heavily involved in the security community worldwide. Covotsos is on the advisory board for the ITWeb Security Summit and has several industry certifications, such as the OSCP and OSWP.



  Constraint solvers for Reverse Engineering
 H2HC University: Edgar Barbosa
  Can get no satisfaction with current reverse engineering tools? Wait no more! Modern constraint solvers are here to help you (except when they crash). This presentation will provide a quick overview of how to integrate these powerful friends to your reverse engineering workflow. No need to worry about academic lingo. Your satisfaction is our highest priority.
  An old, grumpy security researcher who still blames himself for believing SMT solvers could satisfy all his need for SIGSEGV. After almost two decades of security research he concluded that exhaustive search algorithms are the only truly elegant solution for everything. He enjoys reverse engineering, kernel-mode stuff and CPU microarchitecture, and is currently trying to learn Rust. Don't take him seriously.



  Abusing Virtualization
 H2HC University: Gabriel Negreira Barbosa
  Many companies use virtualization because of its numerous benefits. However, this powerful technology can also be used for malicious purposes. This talk does NOT aim to show techniques for breaking virtualization systems. The goal is to discuss, in theory and in practice, some ways of using virtualization for malicious purposes from the point of view of an attacker who already has access to the lowest layers of this technology.
  Gabriel Negreira Barbosa works as a principal security researcher on Intel's STORM (STrategic Offensive Research & Mitigations) team. Previously, he worked as a Software Security Engineer 2 at Microsoft and as a lead security researcher at Qualys. He holds a bachelor's degree in computer science from PUC-SP and a master's degree from ITA, where he took part in security projects for the Brazilian government and Microsoft Brazil. He has presented at conferences such as H2HC, SACICON, Troopers, Black Hat USA and BSides (PDX and DFW).



  Cracking the Craptcha
 H2HC University: Gustavo Scotti
  Websites that need an anti-robot (i.e. human) test present an image whose content must be entered by the user but should not be readable by a machine. Cracking such a mechanism requires advanced knowledge of computer vision and optical character recognition (OCR). Learn how to hack two or three things together and get a decent Captcha solver. This talk will walk you through the entire process, the choices I made to take shortcuts, and how the gods of statistics always win.
  csh is one of those guys whose curiosity drives his life. If I am not learning new stuff, experimenting with dangerous things, or living life to the fullest, csh is a dull boy. I am an enthusiast of mechanical engineering, electrical engineering, computer engineering, engineering physics, and music engineering. To fund my hyperactive mind, I work as a Security Researcher at Intel Corporation, hacking cool stuff at the lowest level you could imagine. Known for some exploits, the axur05 e-zine, reverse engineering the PS2, writing some rootkits, sniffers, and other stuff.



  A little bit about Code and Command Injection flaws in Web Applications Frameworks and Libraries with bonus: 0day RCE
 H2HC University: Joao Matos
  In this talk we will explain some of the mechanisms that result in command injection flaws in web applications. As a case study, we will address flaws in important Java ecosystem frameworks that have recently come to the mainstream. We will also show a 0day that was used in one of the steps needed to exploit an OS command injection in PayPal (and in other important vendors). Finally, we will discuss possible mitigation measures for such vulnerabilities.
  He is a Brazilian independent security researcher and developer who has reported critical vulnerabilities (i.e. remote command execution) affecting important products and companies, among them: Apple.com, PayPal.com, Samsung.com, Blackberry.com, Oracle Cloud, U.S. Department of Defense (DoD) - multiple, Red Hat, Sony Pictures, GM, banks, digital coin platforms, telecommunications companies, governments and others. Member of Pride Security's team of researchers/pentesters (http://www.pridesec.com.br/). Holds a bachelor's degree in Computer Science and a master's degree in Distributed Systems, both from the Federal University of Paraíba (UFPB), Brazil, and is the author of the JexBoss security audit tool.
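The basic mechanism behind an OS command injection, as an added example in Python rather than the Java frameworks the talk studies (those case studies are not reproduced here): user input pasted into a command line that a shell interprets, beside two progressively hardened forms. `echo` stands in for a real tool such as `ping` or `nslookup` so the example runs offline; the hostname allow-list is this example's choice, not the talk's mitigation.

```python
"""OS command injection: vulnerable string interpolation beside the hardened
forms (added example; `echo` stands in for a real network tool)."""
import re
import subprocess

# Allow-list for a hostname: letters, digits, dots and dashes, and not starting
# with "-" so the value cannot be parsed as an option by the invoked program.
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def lookup_vulnerable(host: str) -> str:
    """User input is pasted into a shell command line: ';', '|', '$(...)'
    and friends are interpreted by /bin/sh."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_argv_only(host: str) -> str:
    """No shell: the value becomes one argv entry, so shell metacharacters are
    inert. Option injection (a value starting with '-') is still possible."""
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def lookup_hardened(host: str) -> str:
    """Validate against the allow-list first, then call without a shell."""
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host: {host!r}")
    return lookup_argv_only(host)


if __name__ == "__main__":
    payload = "example.com; echo INJECTED"
    print(lookup_vulnerable(payload), end="")   # second command runs
    print(lookup_argv_only(payload), end="")    # payload echoed literally
    try:
        lookup_hardened(payload)
    except ValueError as err:
        print(err)
```

Dropping the shell is the structural fix; the allow-list closes the remaining hole where the tool itself parses the argument (options, `@file` syntax, and similar).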



  Fault Injection Attacks with an Emphasis on Ultrasound
 H2HC University: Julio Della Flora
  The talk presents hardware fault injection attacks, covering definitions of this type of attack as well as classifications based on method. Voltage/clock variation, temperature, light, electromagnetism and ultrasound are all classified as fault injection attacks.

After the definitions, we move on to the context of ultrasound-based fault injection attacks, explaining how the phenomenon of resonance affects microelectromechanical systems (gyroscopes and accelerometers).

Finally, the last part of the talk covers the attack itself and the setup of the test environment, along with applications and future research.
  Microsoft certified on Windows servers, bachelor's degree in Computer Science, specialist in Computer Networks and Data Security, master's degree in Information Science, specialist in Higher Education Teaching. He has taught undergraduate and graduate courses at several institutions, including Unopar, Unifil and FAG, has given courses in partnership with Senai-Londrina, taught Digital Electronics and Measurement Instruments at the Fundação de Ensino Técnico de Londrina, and has coordinated the graduate programs in Information Security and Ethical Hacking and in Ethical Hacking and Cybersecurity (distance learning). Information security consultant and hardware hacking enthusiast.



  SegDSP (Segmentation Digital Signal Processor)
 H2HC University: Lucas Teske
  This talk is about SegDSP (Segmentation Digital Signal Processor), a project I started in order to study automated monitoring of RF communications. The idea is a piece of software that contains the most common signal demodulators/decoders plus an identifier for transmitted signals (if the signal type is not recognized, it records the raw signal for later analysis).

The DEF CON talk was fairly high-level (Cyberspectrum was more focused on the radios themselves); for the H2HC crowd I intend to go a bit deeper, and maybe even do a small demo of it running and of how to operate it and analyze radio signals.

The project is written entirely in Go and is already available on GitHub as a functional work in progress: http://github.com/racerxdl/segdsp/

The idea is for it to be a monolithic, portable binary, to the point of being able to run on a Raspberry Pi or similar and to store recordings, decoded data and metadata on local as well as distributed storage.
  Software Architect at Quanto



  Internet of Sh!t: Hacking Embedded Devices
 H2HC University: Maycon Vitali
  Embedded devices are everywhere, from smartwatches to smart light bulbs. What few people say (or admit) is that the term Internet of Things (IoT) came from the gourmetization of embedded devices.

When dealing with security on these devices we often have to go back to the last century, where there is no protection layer whatsoever between the user/attacker and the device's hardware, either physically or logically.

In this talk, Maycon will demonstrate the steps needed to exploit embedded devices: obtaining the firmware, either by downloading it from the vendor's page or by extracting it directly from flash memory over SPI; reverse engineering and analyzing some MIPS binaries (from ELF binaries up to the bootloader itself); analyzing the attack surface (and how we can change the entry point to speed up the process); exploiting some web vulnerabilities (CVE-2017-093[2-5]); and setting up an environment for remote debugging in order to exploit memory corruption vulnerabilities <3, either in an emulated environment or directly on the device.
  Maycon is a senior security consultant at SpiderLabs and an independent researcher with Hack N' Roll, a group he founded in mid-2008. Passionate about bit-twiddling and low-level work, Maycon has focused his research in recent years on embedded device security, where in a single month last year he reported approximately 10 vulnerabilities in devices from one specific vendor.
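Once a firmware image has been obtained (downloaded or dumped over SPI), the first analysis step is locating the pieces inside it. The following is an added example, not the speaker's tooling and far less thorough than binwalk: it scans a blob for a few well-known magics (U-Boot uImage, SquashFS, CramFS, gzip) and decodes the uImage legacy header, including both CRC32 checks, to recover the kernel's architecture, size and entry point. The flash dump is constructed inline by `build_sample_blob()` so the example runs offline; its layout, name and load address are assumptions.

```python
"""Signature scan of a firmware blob plus uImage header parsing (added example,
not the speaker's tooling; binwalk does this far more thoroughly)."""
import gzip
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_FMT = ">7I4B32s"              # 64-byte U-Boot legacy image header
UIMAGE_ARCH = {2: "ARM", 3: "x86", 5: "MIPS", 7: "PowerPC"}

# (magic bytes, description). Two-byte magics such as JFFS2's are omitted:
# they match constantly inside compressed data.
SIGNATURES = [
    (UIMAGE_MAGIC.to_bytes(4, "big"), "uImage"),
    (b"hsqs", "SquashFS (little-endian)"),
    (b"sqsh", "SquashFS (big-endian)"),
    (b"\x45\x3d\xcd\x28", "CramFS (little-endian)"),
    (b"\x1f\x8b\x08", "gzip"),
]


def scan(blob: bytes):
    """Return every signature hit as {"offset", "name"}, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES:
        off = blob.find(magic)
        while off != -1:
            hits.append({"offset": off, "name": name})
            off = blob.find(magic, off + 1)
    return sorted(hits, key=lambda h: h["offset"])


def parse_uimage(blob: bytes, off: int) -> dict:
    """Decode the legacy header at `off` and verify both CRC32 fields."""
    hdr = blob[off:off + 64]
    (magic, hcrc, _mtime, size, load, entry, dcrc,
     _os, arch, _typ, _comp, name) = struct.unpack(UIMAGE_FMT, hdr)
    if magic != UIMAGE_MAGIC:
        raise ValueError("not a uImage header")
    zeroed = hdr[:4] + b"\0\0\0\0" + hdr[8:]   # hcrc is computed with itself zeroed
    data = blob[off + 64:off + 64 + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "arch": UIMAGE_ARCH.get(arch, f"unknown({arch})"),
        "size": size, "load": load, "entry": entry,
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "data_crc_ok": len(data) == size and zlib.crc32(data) == dcrc,
    }


def build_uimage(payload: bytes, name: bytes = b"toy-kernel",
                 arch: int = 5, load: int = 0x80001000) -> bytes:
    """Wrap payload in a valid uImage header (os=Linux, type=kernel, comp=gzip)."""
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), load, load, zlib.crc32(payload),
              5, arch, 2, 1, name]
    fields[1] = zlib.crc32(struct.pack(UIMAGE_FMT, *fields))   # header CRC
    return struct.pack(UIMAGE_FMT, *fields) + payload


def build_sample_blob() -> bytes:
    """Constructed flash dump: erased padding, a uImage-wrapped gzip 'kernel',
    then a SquashFS magic standing in for the root filesystem."""
    kernel = gzip.compress(b"vmlinux" * 64, mtime=0)
    return (b"\xff" * 64 + build_uimage(kernel)
            + b"\x00" * 16 + b"hsqs" + b"\x00" * 28)


if __name__ == "__main__":
    blob = build_sample_blob()
    for h in scan(blob):
        print(f"{h['offset']:#010x}  {h['name']}")
    print(parse_uimage(blob, 64))
```

A magic match alone is weak evidence; parsing the header that follows it and checking its CRCs, as done for uImage here, is what separates a real kernel image from a stray byte pattern, and the architecture field tells you which disassembler (MIPS here) to reach for next.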



  Cyber Mercenaries: When States Exploit the Hacker Community
 H2HC University: Michelle Ribeiro
  This study applies the 'new wars' framework of Mary Kaldor (2012) to conflicts in cyberspace, giving special attention to the blurring of what is done for economic versus political interests and of what is done by non-state actors versus nation states.

Motivated by recent cyber attacks that generated considerable controversy, such as the 2007 attacks against Estonia, the 2016 American presidential elections and the ongoing cyberwar imposed upon Ukraine, the findings of this paper demonstrate that in the new digital social environment population control can be exercised through coercion instead of violence, and that the nature of the Internet incentivizes states to empower and finance proxy actors to act on their behalf.

The presentation will discuss to what extent the current body of international laws and norms is adequate to answer this new strategic environment, and how individuals and companies in the hacker community can be impacted if used as cyber mercenaries.
  Michelle Ribeiro recently finished her master's degree in International Studies and Diplomacy at SOAS, University of London, funded by the British FCO through a Chevening Scholarship.

Her research, supervised by Mr Ewan Lawson, Senior Research Fellow for Military Influence at the Royal United Services Institute (RUSI), examined the challenges presented by the blurring effects of conflicts in cyberspace.

Following her graduation, Foreign Policy magazine and the Harvard Belfer Center Cyber Security Project selected Michelle as one of the 25 next leaders in cybersecurity and invited her to take part in the 2017 Future Diplomats Peace Game in Abu Dhabi.

Formerly an IT executive, she has acted as a tech policy advisor for governmental initiatives and has contributed to publications and conferences worldwide. Michelle is also involved in different open source organisations such as the Linux Foundation and the Debian Project.



  Hacking the Brazilian Voting System
 H2HC University: Paulo Matias
  Maybe you have already watched one of our presentations about the results of the latest Public Security Tests of the Brazilian electronic voting system. But do you understand how the exploit against the voting machine was developed? If you got your hands on a voting machine, would you be able to pwn it? In this lecture, we will conduct a live coding session to introduce a didactic and technical approach to how the Brazilian voting machine was hacked. We will conclude by addressing the countermeasures implemented by the TSE (Brazil's Superior Electoral Court) and the structural fragilities still present in the system, which could serve as a basis for future exploits.
  Paulo Matias is an assistant professor in the Department of Computing at the Federal University of São Carlos (UFSCar). He holds a Ph.D. in Computational Physics from the São Carlos Institute of Physics at the University of São Paulo. His professional experience is related to embedded systems and custom hardware architectures, with a special interest in their security properties. He is a member of the Epic Leet Team, an inter-institutional team that takes part in Capture-The-Flag security competitions and that carried out attacks to execute arbitrary malicious code on the Brazilian voting machine during the Public Security Tests of 2017.



  SPLITTER: An Approach to Difficult Correlation, Traffic Analysis and Statistical Attacks Inside TOR Network
 H2HC University: Rener Silva aka Gr1nch
  This paper is the result of 5 months of research aiming to hinder or stop traffic analysis and correlation attacks on the Tor network. More than 5 different de-anonymization techniques were analyzed and a new tool was created that allows the user to hinder or even break the correlation and traffic analysis these de-anonymization techniques rely on. As a bonus, this paper shows how to improve the speed and stability of Tor so the user gets a better Tor experience, watching high-definition (1080p 60fps) videos from YouTube even over Tor. After applying the approach proposed in this paper, an adversary will be able to capture only 0.5% of the total amount of data transferred by the user for each compromised Tor node/relay under their control. The paper shows that it is possible to reduce the total amount of data intercepted by the adversary while keeping better performance and stability on the Tor network.
  My name is Rener Alberto F. Silva and I'm a Brazilian living in Krakow, Poland. I'm a member of the DcLabs Security Team, and also a founding member of the Area 31 Hacker Space. I graduated in Computer Networks from Pitagoras University and I have 9+ years of experience focused on penetration testing and vulnerability assessment. More details about my professional career are available on my LinkedIn profile: https://www.linkedin.com/in/reneralberto/

I had the opportunity to speak at an H2HC-related event in 2013, during the BSides event organized by Garoa Hacker Club. At that time I presented how to use an Android device running Kali Linux to perform a full penetration test. I have had the opportunity to speak at other great security conferences in Brazil and Europe; however, speaking at H2HC is one of my personal professional goals.



  The (not so profitable) path towards automated heap exploitation
 H2HC University: Thais Moreira Hamasaki
  The modern world depends and relies on the security (and safety!) of software. Protecting privacy, intellectual property, customer data and even national security are goals for most of us. Analysis tools can help us gain new insights that can be used to secure software and hardware by identifying vulnerabilities and issues before they cause harm downstream. Automatic exploit generation (AEG) is an old challenge in the industry that is not totally solved (and never will be: undecidability and so on...); in fact, we are far away from it, as Julien Vanegue stated in May this year. Furthermore, AEG is currently limited to stack-based buffer overflows and format string exploits, since semantic information about user-controlled bytes in memory is not available.

In this talk I will show a proof of concept for automated heap exploit generation on the x86 architecture, using symbolic execution and SMT solvers.
  Thaís Moreira Hamasaki is a malware researcher @F-Secure, who focus on static analysis, reverse engineering and logical programming. Thaís started her career within the anti-virus industry working on data and malware analysis, where she developed her knowledge on threat protection systems. She won the "best rookie speaker" award from BSides London for her very first talk about "Using SMT solvers to deobfuscate malware binaries". Recent research topics include binary deobfuscation, generic unpacking and static analysis automation. She is an active member of the Düsseldorf Hackerspace, where she also leads the groups for Reverse Engineering and x86 Assembly. In her free time, you can find Thaís building tools, cooking or climbing somewhere offline.



  Evoting from Argentina to the World
 Ivan A. Barrera Oro
  We will present and discuss the different voting systems used in Argentina in various kinds of elections, their vulnerabilities (theoretical, proven and/or exploited), and discuss a bit about how some of those systems ended up in other parts of the world, to be used in other elections (say, the Democratic Republic of Congo).
  Iván A. Barrera Oro

Known in the bits world as HacKan, he's passionate about electronics and informatics. He enjoys gaming, coding, designing stuff, sometimes building stuff, travelling, skiing, making devices work the way he wants to, whether they were designed to do so or not... He also loves wine and pwn.

Alfredo Ortega

A.K.A. CyberGaucho, he's always disrupting systems, from BSD, KVM and Android to electoral voting machines and the Chamber of Deputies. He has a long list of CVEs to his credit, and enjoys being called a whitehat.



  Exploring the Safari: JustInTime Exploitation
 Jasiel Spelman
  Apple Safari has a JavaScript engine with a rather simple name, JavaScriptCore; the engine itself, however, is anything but simple. One common feature of JavaScript interpreters is a just-in-time (JIT) engine to increase the performance of the executed JavaScript. JavaScriptCore takes an interesting approach to this by supporting multiple tiers of optimization, even allowing switching between them within a single function depending on collected statistics.

As with other JIT engines, the optimization strategies employed by Safari's JIT engine have also resulted in a number of vulnerabilities. The downside to applying typical compiler optimizations in order to JIT compile custom user-supplied code is that basic assumptions can be broken.

This talk will cover low level internals of JavaScriptCore before going over a few JIT vulnerabilities as well as how they were patched.
  Jasiel Spelman is a security researcher with Trend Micro's Zero Day Initiative (ZDI). In this role, he analyzes and performs root-cause analysis on vulnerabilities submitted to the program, which represents the world's largest vendor-agnostic bug bounty. His focus includes performing root-cause analysis on hundreds of zero-day vulnerabilities submitted by ZDI researchers from around the world. He has presented at numerous security conferences including Black Hat, DEFCON, REcon, Power of Community, and BreakPoint. When not researching the latest bugs in software, Jasiel Spelman enjoys rock climbing and playing musical instruments.



 Jayson E. Street
  "Stupid user clicked on a link", "Social engineering, because there's no patch for human stupidity" and "Make it simple enough that the CEO can understand it". Blaming users is not helpful. Instead of hiding our failures behind simplified excuses and jokes, let's address the elephant in the room. We need to find a solid way to approach and rectify the issues at hand. Technology is not our problem, human behaviour is! In this presentation, we will discuss topics related to human behaviour, which need to be modified for the sake of better security.

A mirror will be held up to our industry as we inspect how we can better teach and interact with others. Examine some important questions head-on and walk away with a better path for understanding the true issues we are facing.
  Jayson E. Street is an author of the "Dissecting the Hack" series. He is also the DEF CON Groups Global Ambassador and the VP of InfoSec for SphereNY. He has spoken at DEF CON, DerbyCon, GRRCon and at several other 'CONs and colleges on a variety of Information Security subjects. He was a highly carbonated speaker who has partaken of pizza from Beijing to Brazil. He does not expect anybody to still be reading this far, but if they are, please note he was chosen as one of Time's persons of the year for 2006.



  Attacking VMware NSX
 Luft & Harrie
  In this presentation we will describe how we performed, and still are performing, an offensive security analysis of VMware's SDN solution NSX. NSX integrates deeply into VMware's virtualization infrastructure and provides network filtering features in a centrally managed, hypervisor-based micro-segmentation way. The deep virtualization integration resulted in challenges that we will address in this talk. For example, we will detail how to analyze ESXi kernel modules, both through debugging and through static code analysis. We will also provide an attack vector analysis based on the NSX architecture and communication protocols, as well as fuzzing results and technologies for the kernel modules and overlay networking components. We are striving to discuss at least one discovered vulnerability during the talk!
  Matthias Luft is a security researcher and heads the German security research company ERNW Research. He is interested in a broad range of topics (such as DLP, virtualization, and network security) while keeping up with the daily consulting and assessment work.



  GCC is the new pink: Compiler plugins and what they can do for code security
 Marion Marschalek
  GCC is a mystic wonderland, full of elfs and dwarfs, and countless adventures. In my head. In reality, GCC is a collection of compiler tools, easy and very handy to use, but a migraine to modify. I'll take you on a tour through GCC wonderland, and show how amateurs like myself go about domesticating the weird creatures that enable the compiler to do its magic.

An interesting avenue to investigate for security researchers is provided by the GCC plugin infrastructure, which allows extension of GCC without modifying its humongous code base itself. GCC plugins make it surprisingly straightforward to build nice obfuscation gadgets into binaries without worrying about source code modifications. Plugins are also a great playground if one wants to design and test compiler-based mitigations. On the insecurity side, with such a plugin, one can compile little security glitches straight into the output bytecode. Try to teach a code reviewer to find THAT.

The presentation will introduce existing research covering the use of GCC plugins for security and insecurity, as well as demos of new nifty magic tricks to take home and try out yourself.
  Marion Marschalek is a former Malware Analyst and Reverse Engineer who recently started work at Intel in order to conquer the field of low level security research. She has spoken at all the conferences and such, and seen all the things. Also, she runs a free reverse engineering workshop for women, because the world needs more crazy researcherettes.



  Linux Kernel Rootkits
 Matveychikov & f0rb1dd3n
  A talk about Linux kernel rootkits and the techniques they use.
  Ilya Matveychikov is a Linux kernel addict, security researcher and reverse engineer (https://github.com/milabs).



  All the Tiny Features
 Natalie Silvanovich
  JavaScript is an ever-evolving standard, and new features, such as WebAssembly and WebRTC, are continuously being added to browsers. This talk discusses the security of several new browser features. It will describe the attack surface of each feature and give examples of vulnerabilities in each. Learn to find bugs in the newest parts of the browser!
  Natalie Silvanovich is a security researcher on Google Project Zero. Her current focus is on script engines, particularly understanding the subtleties of the scripting languages they implement and how they lead to vulnerabilities. She is a prolific finder of vulnerabilities in this area, reporting over a hundred vulnerabilities in Adobe Flash in the last year. Previously, she worked in mobile security on the Android Security Team at Google and as a team lead of the Security Research Group at BlackBerry, where her work included finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets and has spoken at several conferences on the subject of Tamagotchi hacking.



  Mobile Medical Records and Storage
 Nina Alli
  What happens in case of an emergency, if you get into an accident and can't verbalize your medical condition to the clinicians attending to you? What if you had the ability to store the data on a chip and they could scan it to ensure the right patient gets the right treatment at the right time? Let's discuss the pros and cons of self-contained (corporal) storage on implantable chips.
  First and foremost I am a guru of trivial knowledge. For exercise I run from rabid dogs, wrestle alligators while simultaneously participating in eating contests, and run for public office. For fun, I drive with my eyes open, play hopscotch in the rain, race big wheels, have staring contests with wolverines, and pass out band-aids to gunshot victims. I frequently use onomatopoeias, especially in casual encounters. My favorite word is "interesting", since it has multiple meanings and all appear positive on the surface. I am not a vegetarian. Nina Alli has been in the medical and bioinformatics game for a while… and has worked on various medical projects (got one you want to talk about? Find me!). Educationally I have two degrees, biomedical informatics and translational medicine (with a focus on medical devices).



  Getting Malicious in 2018: A Deep Dive into 2018's Most Impactful Malware in the Android Ecosystem
 Stone & McRoberts
  Android is the world's most widely-distributed mobile platform, with more than 2 billion monthly active devices worldwide. It's critical to keep people safe from Potentially Harmful Apps (PHAs) that may put their data or devices at risk. By scanning and verifying over 50 billion apps every day, we shed light on the most impactful PHA families that were active in the first half of 2018 and provide insights into their distribution, techniques, and evolution. This talk highlights the malware that had an impact across the Android ecosystem, not just from the Google Play Store. With deep dives into several of 2018's most prevalent PHA families, such as Bread SMS fraud, the Gooligan trojan, and ViewSDK click fraud, we explain how they carry out their malicious behaviors and attempt to evade detection, as well as the reverse engineering process for these maliciously-engineered families.

Attendees will learn about malware detection in the Android ecosystem, the most current malicious and evasion techniques, and how to reverse engineer these families.
  Maddie Stone (@maddiestone) is a Reverse Engineer on Google's Android Security team where she reverses all the bytes to keep malware off the phones of Android users. Maddie has previously spent many years deep in the circuitry and firmware of embedded devices including 8051, ARM, C166, MIPS, PowerPC, BlackFin, the many flavors of Renesas, and more. She is the creator of the IDAPython Embedded Toolkit. Maddie has previously spoken at international security conferences including BlackHat USA, OffensiveCon, REcon Montreal, and DerbyCon.

Kylie McRoberts is a Program Manager on Google's Android Security team where she oversees projects for Google Play Protect. Previously, she was a senior strategist with Google's Safe Browsing where she focused on binary analysis and the distribution of malicious and deceptive downloads in support of enforcement of Safe Browsing policies. Before joining Google, she conducted political and military analysis for the Australian Department of Defence.