Industroyer is the first ever malware specifically designed to attack power grids. This unique and extremely dangerous malware framework was involved in the December 2016 blackout in Ukraine. What sets Industroyer apart from other malware targeting infrastructure, such as BlackEnergy (a.k.a. SandWorm), is its ability to control switches and circuit breakers directly via 4 different industrial communication protocols.
In addition to explaining why Industroyer can be considered the biggest threat to industrial control systems since the infamous Stuxnet worm, we will take a look at the 2016 power outage in the context of the other numerous cyberattacks against Ukrainian critical infrastructure in the recent years.
As the protocols and hardware targeted by Industroyer are employed in power supply infrastructure, transportation control systems, and other critical infrastructure systems, like water and gas, worldwide, the malware can be re-purposed to target vital services in other countries. This discovery should serve as a wake-up call for those responsible for security of these critical systems.

In this talk, we are going to disclose two unconventional Use-after-free kernel bugs on Android we found last year, and introduce the new techniques we used to make these exploits 100% reliable.

The first bug is CVE-2017-0403, which we used to gain root privilege on almost all devices shipped with 3.10 or earlier Linux kernel last year. So far more than 14 million users have successfully rooted their smartphones with this exploit. With this vulnerability, an attacker only can overwrite the freed object at a fixed offset with a pointer to object itself. How to achieve kernel code execution with this bug can be very challenging.To solve the problem, we propose a new method which is using iovec to re-fill the freed object and compromising the pipe subsystem in kernel.In this way we can covert this unusual memory corruption to arbitrary kernel memory overwriting.
The second bug is CVE-2016-6787. The bug is an UAF due to race condition, may corrupt a critical kernel structure, and lead to the kernel crash when scheduler switched context back to attacker's process. So we'll introduce a way to freeze the attacker's process soon after UAF happened ,stop kernel from crashing, and make the exploit reliable.
In summary, this presentation gives out the new techniques of exploiting use-after-free bugs we just found in Android kernel. The ideas of exploitation are fresh, detail of bugs is also never discussed before.

NFC (Near Field Communication) technology is widely used in security, bank, payment and personal information exchange field now, which is highly well-developed. Corresponding, the attacking methods against NFC are also emerged in endlessly. What if we want to “steal” from someone’s EMV. QuickPass, VisaPay bank card without “get” his wallet? To solve this problem, we build a hardware tool which we called “UniProxy”. This tool contains two self-modified high frequency card readers and two radio transmitters, which is a master-salve way. The master part can help people easily and successfully read almost all ISO 14443A type cards no matter what kind of this card is, bank card, ID card, Passport, access card, or whatever, no matter what security protocol this card uses, as long as it meets the ISO 14443A standard, meanwhile replaying this card to corresponding legal card reader via slave part to achieve our “evil” goals. The master and slave communicates with radio transmitters and can be part between 50 – 200 meters.

An embedded system has a stub to connect with a host PC and debug a program on the system remotely. A stub is an independent control program that controls a main program to enable debugging by a debugger. A stub is simplified by only processing the simple controls such as reading or writing of the register or of a memory, and a debugger processes a complicated analysis on the host PC.
Communication with a debugger on the host PC and a stub on the embedded system is performed by a protocol called Remote Serial Protocol (RSP) over a serial communication or TCP/IP communication. If this communication is taken away, it becomes possible to operate a stub arbitrarily. We considered what kind of attack possibility there was in that case, and identified that execution of arbitrary code constructed from pieces of machine code, combined with (SOP: Step-Oriented Programming) is possible by repeating step execution while changing the value of the program counter. Therefore it is possible to construct an arbitrary code and execute it from existing machine code, even if execution of the injected machine code is impossible because execution on data area is prevented by DEP or only machine code on the flash ROM are allowed execution.
I will explain about an attack principle by SOP and the results from constructed attack code and actual inspection.

In the Spring 2017, news that an IT asset management software vulnerability was exploited by cyber attackers outside Japan made headlines in TV and national newspapers. IT asset management software is used to protect companies from employees attempting to steal internal information and is deployed on to each employees’ client machine by their IT administrator. Many of the software allow IT administrators to execute code on the employees’ machines, and allows remote control of the machines as well. According to the news, the attackers were able to spoof the IT administrator’s communication and executed a malicious code on the client machine. There are several other famous Japanese IT asset management software other than the one exploited by the attack. There are even software that advertise as “secure” because it has been used by thousands companies. Can we say the other IT asset management software are secure? To answer the question, we did a vulnerability assessment on four of these softwares. The results we found were vulnerabilities that allowed anyone remotely control the employees’ machines, vulnerabilities that let an attacker steal any information from the IT administrator’s server, and other multiple vulnerabilities similar to the one exploited by the cyber attack. This presentation will cover the technical details of the vulnerabilities we found and the common ways to attack that are used to find vulnerabilities in IT asset management software.

We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.

HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred “on the wire” by introducing a full binary protocol that is made up of TCP connections, streams, and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2, means that client-side and server-side implementations have to incorporate completely new code in order to support new HTTP/2 features. This introduces nuances in protocol implementations, which, in return, might be used to passively fingerprint web clients.
Our research is based on more than 10 million HTTP/2 connections from which we extracted fingerprints for over 40,000 unique user agents across hundreds of implementations.
In the presentation, we intend provide the following:
*HTTP/2 Overview
- Introduction into the basic elements of the protocol
- a review the different components chosen for the fingerprint format (alongside a discussion on those left out)
- Potential use cases of the proposed fingerprint
- Usage Statistics - prevalence of HTTP/2 usage on Akamai’s platform

*Examples of common HTTP/2 Implementations & Client fingerprints collected during the research
*HTTP/2 support (or the lack of) among common web security tools (Burp suite, sqlmap, etc.)
*Review of attacks over HTTP/2 observed on Akamai’s platform

Android does not provide explicit APIs to reclaim memory from sensitive objects which are not "used" ahead in the program. "java.security.*" library does provide classes for holding sensitive data (like KeyStore.PasswordProtection) and API's (like destroy()) to remove sensitive content. However, the onus of calling these APIs is on the developer. Developers may invoke these APIs at a stage very late in the code or may even forget to invoke them.
In this work, we propose a novel approach to determine at every program statement which security critical objects will not be used by the app in the future. Using results from our 'data flow analysis' we can decide to flush out the security sensitive objects immediately after their last use, thereby preventing an attacker from dumping security critical information. This way an app can truly provide defence in depth.
We incorporate support for tracking objects in all possible scopes (instance field, static field, local) in our tool called Androsia, which uses static code analysis to perform a summary based inter-procedural data flow analysis to determine the points in the program where security sensitive objects are last used. Androsia then performs bytecode transformation of the app to flush out the secrets resetting the objects to their default values.

White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has a full control to the execution environment and an access to the implementation of the cryptographic algorithm. It combines mathematical transformation with obfuscation techniques so it’s not just obfuscation on a data and a code level but actually algorithmic obfuscation. ​
In the white-box implementation, cryptographic keys are mathematically transformed so that never revealed in a plain form, even during execution of cryptographic algorithms. With such security in the place, it becomes extremely difficult for attackers to locate, modify, and extract the cryptographic keys. Although all current academic white-box implementations have been practically broken by various attacks including table-decomposition, power analysis attack, and fault injection attacks, There are no published reports of successful attacks against commercial white-box implementations to date. When I have assessed Commercial white box implementations to check if they were vulnerable to previous attacks, I found out that previous attacks failed to retrieve a secret key protected with the commercial white-box implementation. Consequently, I modified side channel attacks to be available in academic literature and succeeded in retrieving a secret key protected with the commercial white-box cryptography implementation. This is the first report that succeeded to recover secret key protected with commercial white-box implementation to the best of my knowledge in this industry. In this talk, I would like to share how to recover the key protected with commercial white-box implementation and present security guides on applying white-box cryptography to services more securely.

Recently, various IoT devices such as Smart Appliance, Smart Grid and Smart Car have been developed. IoT devices collects users information to provide better personalized services and conveniences. The need for IoT devices forensics has also increased.
Smart TV is the most popular and pervasive IoT devices in the our home. Originally data collected through computer forensics, but Smart TVs have a lot of data that can track the behavior of users in the home. As a result, you can use Smart TV data as legal proof. In reality, according to the US Forbes in 2015, the Global Media company used the video search records of Samsung Smart TV as legal proof to prosecute child sex offenders.
An experimental study of the first Smart TV forensics was conducted about Samsung Smart TV(model:UN46ES8000) in 2014. This study, conducted by KIISC(Korea Institute of Information Security & Cryptology), obtained storage data through vulnerabilities in web browsers and identified various data that can trace user's actions. After that, in 2015, research for Smart TV forensics analyzing different version of Samsung Smart TV was done through same analysis procedure. However, each Smart TV manufacturers have different operating systems and default applications, It is necessary to conduct forensics study for Smart TV of other manufacturers. Though two forensic study for their LG webOS 2.0 Smart TV is conducted, studies have difficulties in obtaining forensics data. So, We conducted forensic research on LG webOS 3.0 Smart TV and identified key data that could be collected on the TV. We will also announce comparison result of forensics study for LG with Samsung Smart TV.

In response to the emerging use of PowerShell by attackers, Microsoft released a feature called Anti-Malware Scan Interface (AMSI) in Windows 10, allowing 3rd party companies, as well as Microsoft itself, to gain more visibility into PowerShell and other scripting engines. Since this release, various research has been done on the effectiveness of AMSI, revealing its efficacy as well as its inherent weaknesses.
Despite this advance, however, many security vendors have yet to add AMSI support in their products, perhaps due to its limited platform coverage. On the other hand, red teamers and adversaries have quickly equipped themselves with techniques which attack the weaknesses of AMSI and bypass it, making detection and prevention of PowerShell attacks even harder.
This talk will discuss how to gain greater visibility into managed program execution, especially for PowerShell, using a .NET native code hooking technique to help organizations protect themselves from such advanced attacker techniques. In this session, we will demonstrate how to enhance capabilities provided by AMSI and how to overcome its limitations, through a realistic implementation of the technique, all while analyzing the internals of .NET Framework and the PowerShell engine.

In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain

Trueseeing is an automatic vulnerability scanner for Android apps. It is capable of not only directly conducting data flow analysis over Dalvik bytecode but also automatically fixing the code, i.e. without any decompilers. This capability makes it resillent against basic obfuscations and distinguishes it among similar tools -- including the QARK, the scanner/explotation tool shown by Linkedin in DEF CON 23. Currently it recognizes the most class of vulnerabilities (as in OWASP Mobile Top 10 (2015).) We have presented it in DEF CON 25 Demo Labs. Our tool is at: https://github.com/monolithworks/trueseeing .

More and more security vulnerability of device drivers on mobile platform have been exposed in recent years. If you open the Android or CodeAurora security advisories, you will be inundated with various device driver vulnerabilities. Currently, there exist many popular fuzzing systems to hunt vulnerabilities for both Android device driver and Linux kernel, however, rare of them are designed as both smart (guiding to generate less fuzz data to cover more code) and quick (high speed of instruction trace). Hence, we introduce another practical fuzzing system in harness of both ARM64 hardware trace technology and hybrid execution technology(mix Angr symbolic execution method with trace information leverage) to be more smart and quick.

AlphaBay Market was, by far, the largest and most prolific provider of cybercrime and fraud-related services in the world, prior to its seizure and arrest of its administrator Alpha02 by the FBI on July 4, 2017. While the Tor-based marketplace was most famous for the sale of narcotics, firearms and stolen goods, the AlphaBay's forum was also the epicenter of the English-speaking cybercriminal community. This community used AlphaBay as a platform to target governments and businesses all over the world, including Japan's financial services sector. During AlphaBay's tenure as the leading criminal marketplace, it provided a hugely rich source of intelligence on the tactics, techniques and operations of cybercriminal groups targeting a wide range of business verticals, then selling exfiltrated data through the marketplace securely and anonymously. While the marketplace is now offline, these groups remain and are using the same attack techniques.

This talk reveals iDefense's research into AlphaBay, including its history and unique qualities that helped the marketplace achieve such a dominant position within the underground economy. Our findings include evidence of a uniquely sophisticated financial model, including cryptocurrency manipulation at a large scale, AlphaBay's deep ties with the Russian cybercriminal community and as a staging point for cyber criminals to build groups of expertise once they had identified an opportunity for profit. This talk will also reflect on the future for criminal marketplaces following the seizure of AlphaBay and what features we are likely to see in the next market to rise to the top.

JPCERT/CC analyzes APT attack campaigns observed in Japan by investigating C&C servers used in the attack and information collected by affected organizations.

In order to capture the whole picture of APT attack campaigns targeting Japanese organizations, JPCERT/CC is now developing a system to describe incident information in STIX format and store in a database. We plan to release this system on GitHub as an open source software.

This system aims to analyze attack methods and targets chronologically according to attack campaign, adversary, malware as well as method for initial intrusion and lateral movement, which is visualized as a timeline.

Based on the analysis using this system, this presentation will introduce an overview of APT attack campaigns targeting Japan in order of time, as well as the relation to other campaigns by focusing on similarities in attack methods. By focusing on the targets’ characteristics in various campaigns, we will examine each adversary’s purpose behind the attack.

In addition, technical features of this system will be covered, along with some observations gained through our analysis using STIX-based incident description.

The high level of pervasiveness of technologies and the Internet in every field of today’s social fabric has completely changed every aspect of our society, service delivery and management, access to information – in both its quality and quantity – as well as the relationship between the aforementioned elements and the citizens, what’s more, in a rather limited stretch of time. From this perspective, the public-private partnership looks like a growing functional need in cybersecurity, mainly due to two elements: first, the fact that the majority of critical infrastructures are owned and managed by privates; secondly, the use of ICT technologies in such systems has become widespread, their level of interconnection being significantly high. This research analyses the strategic approach of some of the most important States to the public-private partnership for cybersecurity, highlighting strengths and weaknesses, and outlining also the essential requirements to plan and structure an effective and efficient partnership.

In this talk, I investigate several exploiting ideas for iOS kernel jailbreak using recently exposed vulnerabilities. Recently, Ian Beer found the following promising vulnerabilities:
CVE-2016-7637: Broken kernel mach port name ‘uref’ handling on iOS/MacOS can lead to privileged port name replacement in other processes,
CVE-2016-7644: XNU kernel UaF due to lack of locking in set_dp_control_port,
CVE-2016-7661: MacOS/iOS arbitrary port replacement in powerd.
However, naive combination of the above vulnerabilities cannot easily break recent mitigations implemented in iOS versions. Recent iOS provides the kernel level mitigations against exploitation such as kernel patch protection, sandboxing, AMFI(Apple Mobile File Integrity), MAC(Mandatory Access Control) policy, KASLR(Kernel ASLR) etc. These mitigations will be briefly explained.

While handling security vulnerabilities always entails legal risk, there is a great deal of ambiguity regarding what exactly is legal due to a lack of judicial precedent. We will not only introduce legal theories and what precedent we have but also examine the logical process behind the interpretation and application of law. First, we will consider what kind of circumstances allow the public disclosure of vulnerability details. Freedom of expression, the right to know, and public order and morality are relevant points of discussion. We will also discuss civil and criminal liability in regards to obstruction of business and defamation, and analyze the legal characteristics of vulnerability disclosure with the importance of knowing the details and the extent of damage possible through abuse hanging in the balance. Specifically, we will take a look at Information-Technology Promotion Agency (IPA), an Independent Administrative Institution which operates a vulnerability reporting program, and whether information concerning vulnerabilities is in scope of disclosure for Administrative Information Disclosure laws which apply to IPA.
In addition, we will evaluate what constitutes violation of the Act on the Prohibition of Unauthorized Computer Access in the process of discovering vulnerabilities, the validity of anti-reverse engineering clauses in contracts, and whether immunity from criminal liability is granted for validation studies for vulnerabilities.