SPEAKERS


Fermin J. Serna - Head of Product Security Engineering, Google

Marion Marschalek - Security Researcher, Intel Corporation

Natalie Silvanovich - Security Researcher, Google Project Zero

The Grugq - Threat Intelligence VP, Comae

 

 

  Keynote
 Fermin J. Serna
  During this talk, Fermin will present what the ISE (Information Security Engineering) team does to accomplish its mission: “Making sure that Google ships secure software, by any means necessary”. Fermin will present the different parallel efforts to prevent web security issues at scale, run third-party software securely, web and native code mitigations, crypto consulting/frameworks, the vulnerability reward program and offensive security.

This last part, VRP and offensive security, is key to validating and measuring success.
  Fermin J. Serna is a Computer Science Engineer who graduated from the UCM, and currently works for Google at the Seattle offices as Head of ISE (Information Security Engineering team) - Product security. Previously he worked for Microsoft on the MSRC Engineering team.

Fermin has lots of things that attract his attention, mainly security ones such as exploitation techniques, fuzzing, binary static analysis, reverse engineering, coding... but also Artificial Intelligence, chess...

Fermin has found and published multiple security vulnerabilities in software developed by Microsoft, Google, Adobe, Oracle, ... Fermin is also a regular speaker at security conferences such as BlackHat, Syscan, Bluehat, H2HC, Rootedcon, DeepSec, Source, Summercon, ...

 

 

  GCC is the new pink: Compiler plugins and what they can do for code security
 Marion Marschalek
  GCC is a mystic wonderland, full of elfs and dwarfs, and countless adventures. In my head. In reality, GCC is a collection of compiler tools, easy and very handy to use, but a migraine to modify. I'll take you on a tour through GCC wonderland, and show how amateurs like myself go about domesticating the weird creatures, that enable the compiler to do its magic.

An interesting avenue to investigate for security researchers is provided by the GCC plugin infrastructure, which allows extension of GCC without modifying its humongous code base itself. GCC plugins make it surprisingly straightforward to build nice obfuscation gadgets into binaries without worrying about source code modifications. Plugins are also a great playground if one wants to design and test compiler-based mitigations. On the insecurity side, with such a plugin, one can compile little security glitches straight into the output bytecode. Try to teach a code reviewer to find THAT.

The presentation will introduce existing research covering the use of GCC plugins for security and insecurity, as well as demos of new nifty magic tricks to take home and try out yourself.
  Marion Marschalek is a former Malware Analyst and Reverse Engineer who recently started work at Intel in order to conquer the field of low level security research. She has spoken at all the conferences and such, and seen all the things, and if you want more details on her current activities you'll have to find your way around Intel's legal department. Also, she runs a free reverse engineering workshop for women, because the world needs more crazy researcherettes.

 

 

  All the Tiny Features
 Natalie Silvanovich
  JavaScript is an ever-evolving standard, and new features, such as WebAssembly and WebRTC, are continuously being added to browsers. This talk discusses the security of several new browser features. It will describe the attack surface of each feature and give examples of vulnerabilities in each. Learn to find bugs in the newest parts of the browser!
  Natalie Silvanovich is a security researcher on Google Project Zero. Her current focus is on script engines, particularly understanding the subtleties of the scripting languages they implement and how they lead to vulnerabilities. She is a prolific finder of vulnerabilities in this area, reporting over a hundred vulnerabilities in Adobe Flash in the last year. Previously, she worked in mobile security on the Android Security Team at Google and as a team lead of the Security Research Group at BlackBerry, where her work included finding security issues in mobile software and improving the security of mobile platforms. Outside of work, Natalie enjoys applying her hacking and reverse engineering skills to unusual targets and has spoken at several conferences on the subject of Tamagotchi hacking.

 

 

  Keynote
 The Grugq
  Keynote Talk
  The Grugq, VP of Threat Intelligence at Comae, is a pioneering information security researcher with two decades of experience. He has worked extensively with threat intelligence, digital forensic analysis, binary reverse engineering, rootkits, mobile phone security, Voice over IP, telecommunications and financial services security. The Grugq's professional career has included Fortune 100 companies, leading information security firms and innovative start-ups.

 

 

 

 

 

 
