January 15, 2019

Remarkable talks from 35C3

The 35th Chaos Communication Congress was held at the end of December 2018 in Leipzig, Germany. I have attended a lot of interesting lectures. In this article I'll share the list of great technical talks which I liked the most.

1. Hanno Böck gave a great presentation on the history of SSL and TLS up to the new TLS 1.3, including attacks on the implementations of these protocols and the countermeasures taken. I was especially interested in the difficulties with moving the entire Internet over to the new protocol versions.

[Link to the schedule]



2. Thomas Roth, Josh Datko, and Dmitry Nedospasov jointly researched the security of hardware crypto wallets. They took a look at the security of the supply chain, firmware, and — the most interesting — device hardware. For example, they used a special antenna to remotely recognize the signal between the device display and CPU. They also successfully performed a glitching attack against the hardware crypto wallet and extracted the seed. Impressive work!

[Link to the schedule]



3. Hardware security was also covered by Trammell Hudson, in the context of the Supermicro implant story. He tried to give an objective overview of the controversy but reached some contradictory conclusions. Trammell tried to show that it was possible for the hardware backdoor described in the notorious Bloomberg article to exist. He even gave a demo in which he launched some BMC firmware in qemu and ran arbitrary commands as root by image-spoofing on the qemu side. But some experts have serious doubts about his arguments.

[Link to the schedule]



4. Researchers from Ruhr University delved into the structure of AMD CPU microcode. Their talk provides deep technical details on the topic. This is a continuation of last year's talk from the same team. What I really liked is that the researchers made a custom microcode for a hardware Address Sanitizer that works without the memory access instrumentation. Unfortunately, this approach was tried out only on a toy operating system, so it's unclear how much faster it is comparing to KASAN in the Linux kernel.

[Link to the schedule]



5. Saar Amar's talk was a superb overview of bypassing the userspace anti-exploitation protections in Windows 7 and 10. Live demos were great! This talk would be also interesting for researchers specializing on security of other operating systems, since the described techniques are generic.

[Link to the schedule]



6. Claudio Agosti told about a browser plug-in that monitors how Facebook personalizes and filters the content depending on user properties. This tool made its debut during the Italian elections, producing some very interesting statistics. The goal of the project is not to reverse-engineer Facebook's algorithms, but to get a better understanding of how any given public event is covered on social media.

[Link to the schedule]



7. The researchers from Graz University of Technology gave an entertaining overview of Meltdown and Spectre vulnerabilities. They presented a complex classification covering all public variants of these vulnerabilities. The researchers also disclosed some new Meltdown variants. Surprisingly, this information is not under embargo now and OS developers are not currently working on the mitigations. Maybe the industry is waiting for a real PoC exploit to appear?

[Link to the schedule]



8. Joscha Bach gave a very neat and sophisticated talk on the similarities and differences between the human mind and AI. Expect a heady mix of philosophy, math, neurophysics, and offbeat humor.

[Link to the schedule]



9. An 18-year-old guy from Israel described how he found an RCE vulnerability in the ChakraCore engine of Microsoft Edge browser. His discovery involves a classic example of type confusion, when a floating-point number turns into a pointer and is dereferenced.

[Link to the schedule]



10. I really liked Carlo Meijer's talk about breaking SSD self-encryption (which is trusted by BitLocker, incidentally). The presentation included discussion of the threat model (which is always nice), hacking of Self-Encrypting Drives (SEDs) from several manufacturers (all with demos), and the conclusion that SSD self-encryption in all cases is less secure than the full disk encryption performed by OS. Definitely worth watching.

[Link to the schedule]



11. Hacking the PlayStation Viva was a blast: the researchers even managed to extract the platform's most important key from its security-hardened ROM. Watching this talk was a treat, thanks to top-notch research and great presentation of the material.

[Link to the schedule]



12. Curious about blocking of Telegram in Russia? I was dreading that I would have to hear political propaganda, but instead was delighted by a lively technical talk. The researcher gave a history of the steps taken by the Roskomnadzor, showed statistics, explained some of the technical gaps, and gave a good-natured trolling to the authorities.

[Link to the schedule]



13. An inspiring talk on the software and hardware inside the Curiosity rover, which went to Mars. Beautiful slides and smooth presentation – I recommend it.

[Link to the schedule]



14. Everyone is in deep trouble, at least judging by this talk about the vulnerabilities in Broadcom's Bluetooth firmware. Updating or fixing it is not feasible for a number of reasons. Moreover, affected devices include nearly all smartphones made in the last five years, cars, and the IoT. Maybe we all just need to turn off Bluetooth?

[Link to the schedule]



These talks are just a starter list — I highly recommend checking the 35C3 recordings!

Enjoy!

Author: Alexander Popov, Positive Technologies

No comments:

Post a Comment