2020-12-07 ~ 2020-12-10

Presentations (with video): 39 (39)

Black Hat provides attendees with the latest in research, development, and trends in Information Security. Here the brightest professionals and researchers in the industry come together for a total of four days—two or four days of deeply technical hands-on Trainings, followed by two days of the latest research and vulnerability disclosures in the Briefings. Black Hat Europe 2020 will be entirely virtual this year, held December 7-10 in Greenwich Mean Time.

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses a novel attack targeting the design flaws of the reachable IPC and their associated WebViews by utilizing the classic web security attack, i.e., Cross-Site Scripting (XSS) to achieve native code execution outside the sandbox. The talk revisits the big picture of Safari sandbox attack surfaces, especially those forgotten by previous publications, analyzing various WebViews in different contexts and their weakness.
  • Sandbox escape plays a vital role in a full chain exploit
  • Underrated attack surfaces like private API, platform-specific features, and legacy components on macOS are discussed
  • A novel attack targeting the design flaws of the reachable IPC and their associated WebViews by utilizing the classic web security attack, i.e., Cross-Site Scripting (XSS) is presented
  • Three standalone exploits, affecting versions from OS X Yosemite (or even earlier) through macOS Catalina 10.15.2, are detailed

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses the vulnerability of voice assistants and IoT devices to light commands and injection attacks, and the need for better security measures to minimize attack surfaces.
  • Voice assistants and IoT devices are vulnerable to light commands and injection attacks, which can compromise their security and allow unauthorized critical operations to be executed.
  • Device manufacturers have applied software patches to mitigate this attack, but security checks may still be overlooked, allowing for unauthorized operations.
  • The success of the attack depends on the attacker's ability to aim at the device's acoustic ports and have a line of sight to the device.
  • Future research is needed to understand the effects of different injection attacks and to develop software and hardware solutions to prevent them.
  • Sacrificing security for usability is not always a good idea, especially when all devices are connected to each other.

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses the use of adversarial attacks to bypass next-generation antivirus (NGAV) systems and the importance of explainability algorithms in understanding the impact of feature modifications.
  • NGAV systems can be bypassed by modifying features in a way that does not harm the malicious functionality of the malware
  • Explainability algorithms can help attackers understand which features are more impactful and focus on them
  • The order in which perturbations are made can make a difference in the results
  • Small perturbations can eventually have a significant impact due to the non-linear nature of the classifier

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses the use of machine learning to discover vulnerabilities in software dependencies and the limitations of current approaches.
  • Continuous vigilance is necessary to identify vulnerabilities in software dependencies
  • Machine learning can be used to discover vulnerabilities, but it is not self-sufficient and requires continuous improvement
  • Data imbalance can cause bias in machine learning models, and self-training can be used to address this issue
  • Discovering vulnerabilities in software dependencies is complex and requires a multi-faceted approach

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses new methods for hypervisor detection in sandboxes using microarchitectural research. The speaker introduces two novel hypervisor detection primitives that current anti-evasion approaches seem incapable of handling.
  • Hypervisors are important for scalability and transparency in malware analysis, but they introduce discrepancies due to virtualization.
  • The speaker presents two new methods for hypervisor detection: a high-resolution covert time source using a dedicated counter thread and a prime+probe attack on the last-level cache.
  • These methods can detect hypervisors that are hiding discrepancies from classic time sources and current anti-evasion approaches.
  • The speaker suggests that sandbox architects should explore code analysis and performance counters to detect counter threads and microarchitectural attacks.
  • There is potential for further research in the intersection between microarchitectural research and malware analysis.

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses an exploit for the PS4 firmware version 6, which allows for arbitrary read and write access and code execution. The exploit is not stable and could be improved.
  • The exploit uses an arbitrary decrement to get a primitive and find the address of objects in memory.
  • A relative primitive is used to leak the address of a specific object, which in turn allows arbitrary data read and write.
  • The exploit uses a GSR buffer view to achieve arbitrary read and write access.
  • The instruction pointer can be controlled to implement the next stages of the exploit.
  • The exploit is not stable and could be improved by refining the ASLR brute-force step and finding a better exploitation path.
  • The exploit was attempted on PS4 firmware version 7 but did not succeed.
  • A Raspberry Pi was used to attempt to bypass ASLR on firmware version 7 but did not yield any results.

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses the use of hunting engines in cybersecurity and the next generation of IoT and ICS threat hunting systems. It also covers the process of deploying new hunting engines and the importance of automating the hunting process.
  • Hunting engines are used to quickly classify and investigate attacks on particular protocols
  • The next generation of hunting systems will focus on IoT and ICS threat hunting
  • Machine learning will be used for more precise hunting
  • Automating the hunting process can reduce malware investigation time
  • The process of deploying new hunting engines involves checking configuration files and deploying new images
  • The hunting process involves collecting data, analyzing it, and generating IOCs

Conference: BlackHat EU 2020
2020-12-10

A type confusion bug (or bad cast) is a popular vulnerability class that affects C++ software such as web browsers and document readers. The bug occurs when a program typecasts an object and then uses it as an incompatible type. An attacker can exploit this vulnerability to execute malicious code in the target software.

Previous research on detecting type confusion bugs has worked at the source level: it inserts code that verifies type compatibility at the typecasting operator so that detection happens at runtime. These approaches cannot be applied at the binary level, because high-level information such as the class hierarchy and the typecasting operator does not exist in the compiled binary. However, much popular software, including Adobe Reader, Microsoft Office, third-party software, and legacy software, is only available in binary form.

In this talk, we propose BinTyper, a type confusion detection tool that works at the binary level. BinTyper splits the internal layout of classes into multiple areas via static analysis. It then recovers, via dynamic analysis, the minimum type information required for the binary to execute without triggering the type confusion bug. Based on this information, the target binary can be executed with verification that detects the type confusion bug.

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses the practicality of fingerprint jacking attacks on Android devices and how they can be executed despite Android's mitigation measures.
  • Fingerprint jacking is a UI attack that tricks users into authorizing dangerous actions without their knowledge.
  • Android has mitigation measures to block this type of attack, but they can be bypassed.
  • The Android activity lifecycle is a state machine model for Android activities.
  • Normal apps go through the create, start, resume, pause, and stop states when doing fingerprint authorization.
  • Fingerprint jacking attacks involve launching a malicious app disguised as a benign app, launching the fingerprint activity in the target app, using a coloring activity to cover the fingerprint activity, and luring the victim to input their fingerprints.
  • Two examples of fingerprint jacking attacks are demonstrated: one involving a diary app and one involving a payment app.

Conference: BlackHat EU 2020
2020-12-10

tldr - powered by Generative AI

The presentation discusses the iOS sandbox design and its weaknesses, as well as the improvements made by Apple over the years. The speaker also shares their personal experience with jailbreaking and visiting libraries in America.
  • The iOS sandbox design is a powerful access control mechanism that neutralizes many vulnerabilities with almost no overhead added.
  • The restrictions placed on a process depend on four conditions: all files must have a code signature to run, processes are limited to their own sandbox, processes cannot access other processes' memory, and processes cannot execute unsigned code.
  • The iOS sandbox design has improved over the years, with Apple implementing stronger restrictions and adding new features like entitlements.
  • The speaker shares their personal experience with jailbreaking and visiting libraries in America, highlighting the positive aspects of free access to libraries and makerspaces.