logo
ArticlesConferencesPresentations
Dates
Author
Conferences
Tags

Sort by:  

Legend of Zelda: Use After Free (TASBot glitches OoT)

Conference:  Defcon 31
Authors: Allan Cecil keeper of TASBot, Liam "MLink" Taylor, Sauraen
2023-08-01
How can a Use After Free exploit in Ocarina of Time lead to a cute robot taking over an entire N64 to put the future (and the Triforce) in the game using only button presses? This talk dives into the technical details of how a Use After Free exploit, Arbitrary Code Execution, and multiple bootstrap stages allowed TASBot to take full control of an original, unmodified cart and console in front of a live audience during SGDQ 2022 with the help of Sauraen and Savestate, helping raise more than $228k for charity. This talk uses engaging explainer graphics courtesy of RGME to dig into how a Use After Free vulnerability can be exploited as well as a live demo showing the significant social impact of the exploit Here Together, in the past year and into the future.
Tags:
Ocarina of Time
Use After Free
exploit
TASBot
SGDQ

Building Images for the Secure Supply Chain

Conference:  Cloud Native SecurityCon North America 2022
Authors: Adrian Mouat
2022-10-24

tldr - powered by Generative AI

The talk discusses techniques and tooling to address security concerns in building images for the secure supply chain.
  • Provenance and reproducibility are major issues in the current state of security in IT.
  • The distroless philosophy and using smaller base images can save from scan report purgatory.
  • Updating images and dependencies is crucial.
  • Using apko to build container images with SBOMs and complete reproducibility.
  • Signing images with Sigstore.
  • Cutting down dependencies by using smaller base images and keeping them up to date.
  • Verifying signatures and using policy management tools to check for vulnerabilities.
  • The vulnerability exploitability exchange can help filter vulnerabilities and cut down noise.
  • Google container tools and digital images are small and perfect for running statically compiled binaries.
  • The drawbacks of using Google container tools include a hard-to-extend list and difficulty in installing apps.
  • Cutting down images to the minimum set of dependencies can drastically reduce noise in vulnerability reports.
Tags:
scans
users
images
exploit