Non-profit IT security conference
RuhrSec is the non-profit security conference at the Ruhr University Bochum. As one of the organizers of the famous lecture called HackPra, we are hosting a high-quality and low-priced security conference in the heart of Bochum near the river Ruhr. We provide awesome academic and industry talks from smart international speakers, the typical Ruhr University feeling and the highly recommended HackPra social event at G Data. From the University, this event is supported by UbiCrypt and the Horst Görtz Institute for IT security.
All profits from the conference ticket income will be donated to the local Gänseblümchen NRW e.V. for an assistance to support children with cancer. Please look at the program guide and grab your ticket.
Update (29/06/2016): Thanks to our attendees for helping children. We spend RuhrSec's profit to Gänseblümchen-NRW e.V.: 1,181.25 EUR.
|08:00 – 09:00||Registration and Biscuits/Coffee|
|09:00 – 09:15||Opening, Marcus Niemietz – YouTube|
|09:15 – 10:00||Keynote 1: "Transport Layer Security – TLS 1.3 and backwards security issues", Jörg Schwenk – YouTube|
|10:00 – 10:30||Coffee Break|
|10:30 – 11:15||"Cache Side-Channel Attacks and the case of Rowhammer", Daniel Gruss – YouTube|
|11:15 – 12:00||"Java deserialization vulnerabilities - The forgotten bug class", Matthias Kaiser – YouTube|
|12:00 – 13:30||Lunch|
|13:30 – 14:15||"The beast within - Evading dynamic malware analysis using Microsoft COM", Ralf Hund – YouTube|
|14:15 – 15:00||"Cheshire Cat's Grin", Marion Marschalek|
|15:00 – 15:30||Coffee Break|
|15:30 – 16:15||"Security Nightmares in the Internet of Things: Electronic Locks and More", Timo Kasper|
|16:15 – 17:00||"On the Security of Browser Extensions", Nicolas Golubovic – YouTube|
|17:00 – Open End||InfoSec course with Udo & Social Event at G Data (incl. Dinner)|
|08:30 – 09:00||Biscuits/Coffee|
|09:00 – 10:00||Keynote 2: "Code-Reuse Attacks and Beyond", Thorsten Holz – YouTube|
|10:00 – 10:30||Coffee Break|
|10:30 – 11:15||"Automatic Extraction of Indicators of Compromise for Web Applications", Marco Balduzzi – YouTube|
|11:15 – 12:00||"Hacking with Unicode in 2016", Mathias Bynens – YouTube|
|12:00 – 13:30||Lunch|
|13:30 – 14:15||"Eavesdropping on WebRTC Communication with Funny Cat Pictures", Martin Johns – YouTube|
|14:15 – 15:00||"An Abusive Relationship with AngularJS v2", Mario Heiderich – YouTube|
|15:00 – 15:30||Coffee Break|
|15:30 – 16:15||"On Securing Legacy Software Against Code-Reuse Attacks", Lucas Vincenzo Davi – YouTube|
|16:15 – 17:00||"The DROWN Attack", Sebastian Schinzel – YouTube|
|17:00 – 17:15||Closing – YouTube|
Prof. Dr. Jörg Schwenk
(Ruhr University Bochum)
Talk. Transport Layer Security – TLS 1.3 and backwards security issues
Abstract. Since the publication of CRIME and BEAST, many new attacks on TLS implementations surfaced each year. It turned out that some of the basic designs of TLS were flawed, e.g. the MAC-then-PAD-then-ENCRYPT construction of the TLS Record Layer. The IETF has therefore initiated work on TLS version 1.3, a major revision of the TLS standard. This new standard is influenced by Google's QUIC protocol, has lower latency, and improved security features.
In this talk, the outlines of the new standard will be sketched, and the current state of standardization described. In addition, we will have a look at backwards compatibility attacks, and ask if simply adding a new TLS version without deactivating the older ones will really improve security.
Biography. Since September 2003, Prof. Dr. Jörg Schwenk is the owner of the Chair for Network and Data Security at the Ruhr University Bochum. The chair belongs to the renowned Horst Görtz Institute for IT Security. Professor Schwenk is an internationally recognized expert in the areas of cryptography and IT security. After completing his doctorate in the Department of Mathematics at the University of Giessen he moved in 1993 to Darmstadt, where he worked at the Telekom Technology center for applied research in the field of IT security. Professor Schwenk is an author of numerous international publications in renowned conferences (for example Eurocrypt, Asiacrypt or Communications and Multimedia Security), author of textbooks on cryptography and Internet security, and about 60 patents in the field of IT security.
Dr. Timo Kasper
(Kasper & Oswald GmbH)
Talk. Security Nightmares in the Internet of Things: Electronic Locks and More
Abstract. Wireless embedded devices have become omnipresent in applications such as access control (to doors or to PCs), identification, and payments. The talk reviews the security of several commercial devices that typically employ cryptographic mechanisms as a protection against ill-intended usage or to prevent unauthorized access to secured data. A combination of side-channel attacks, reverse-engineering and mathematical cryptanalysis helps to reveal and exploit weaknesses in the systems that for example allow opening secured doors in seconds. At hand of the real-world examples, the implications of a key extraction for the security of the respective contactless application are illustrated. As a powerful tool for security-analyzing and pentesting NFC and RFID systems, the open source project "ChameleonMini" is presented: Besides virtualization and emulation of contactless cards, the device allows to log the NFC communication, and in its latest revision acts as an active RFID reader.
Biography. Timo Kasper studied electrical engineering and information technology at the Ruhr University Bochum and at the University of Sheffield, UK. In 2006, his Diploma thesis "Embedded Security Analysis of RFID Devices" won the first place award for IT security (CAST, Darmstadt). Timo Kasper has been research assistant at the Chair for Embedded Security of the Horst Görtz Institute for IT Security (HGI) since October 2006. He completed his studies 2011 with a PhD in Engineering. In 2012, his PhD thesis "Security Analysis of Pervasive Wireless Devices - Physical and Protocol Attacks in Practice" won the first place award for IT security (CAST, Darmstadt). Timo is co-founder of Kasper & Oswald GmbH offering innovative products and services for security engineering.
Dr. Mario Heiderich
Talk. An Abusive Relationship with AngularJS v2
This talk will have a stern, very stern look at AngularJS 1.x in particular and shed light on the security aspects of this ever-popular tool. Did the super-hero framework do everything right and follow its
own super-heroic principles? Does AngularJS increase or rather decrease the attack surface of a web application? How does AngularJS play along with the Content Security Policy, and was it a good idea to combine this kind of security with futuristic feature creep? And what about AngularJS version 2.0?
Beware that we won’t stop at glancing at the code itself, investigating security best practices, and verifying compatibility and other common things that contribute to robust security (or lack thereof). We will cross the moral border and see if the AngularJS team could notice rogue bug tickets. A pivotal question that everyone is wondering about is: Have they successfully kept evil minds like yours truly speaker here from introducing new security bugs into the code base?
learnt and hopefully agree that progress doesn't invariably mean an enhancement.
Biography. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) “security researcher” is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Other than that, Mario is a very simple person and only parses three-word sentences so don’t even bother addressing him with complex topics or rhetoric.
Talk. The beast within - Evading dynamic malware analysis using Microsoft COM
Abstract. Microsoft Common Object Model (COM) is technology which aims at providing binary programming interface for Windows programs. Despite its age almost ancient age, it still forms the internal fundament of many new Microsoft technologies such as .NET. However, in more than twenty years of further development, the inevitable pressure to retain backwards compatibility have turned the COM runtime into a obscure beast. These days, many COM interfaces exist that mirror almost the same functionality provided by common Windows APIs. Malware authors can easily execute almost any operation (creating files, starting new processes, etc.) only using COM calls. Dynamic malware analyzers must deal with this accordingly without getting lost in the shadowy depths of the COM runtime. The talk presents various aspects of automated dynamic COM malware analysis and shows which approaches are actually realizable and which ones are hopeless.
Biography. Ralf achieved his Ph.D. in computer science / IT-security at the Ruhr-University of Bochum in 2013. During his studies he focused on new analysis methods for binary software, with a strong focus on malware. Since then, he has been one of the co-founders and the CTO of VMRay GmbH, a Bochum-based IT-security company focusing on 3rd generation threat analysis and detection using advanced hypervisor-based dynamic analysis. He has experience in malware research and software development for more than 15 years and is an active speaker at various academic and industrial conferences. His special interests lie in virtualization techniques and its application to software analysis.
Prof. Dr. Sebastian Schinzel
(Münster University of Applied Sciences)
Talk.The DROWN Attack
Abstract. We present DROWN, a novel cross-protocol attack thatcan decrypt passively collected TLS sessions from up-to-dateclients by using a server supporting SSLv2 as aBleichenbacher RSA padding oracle. We implemented theattack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours using Amazon EC2, at a costof $440. Using Internet-wide scans, we find that 33% ofall HTTPS servers and 22% of those with browser-trustedcertificates are vulnerable to this protocol-level attack,due to widespread key and certificate reuse.
Biography. Sebastian is a professor for computer security at Münster University of Applied Sciences since 2013. His research topics include penetrationtesting techniques, applied cryptography, side channel attacks, and he speaks regularly at information security conferences.
(University Of Technology Graz)
Talk. Cache Side-Channel Attacks and the case of Rowhammer
Abstract. Software security relies on isolation mechanisms provided by hardware and operating system. However, isolation mechanisms are often insufficient, for instance due to the existence of caches in hardware and software. Caches keep frequently used data in faster memory to reduce access time and to reduce the access frequency on slower memory. This introduces timing differences that can be exploited in side-channel attacks.
The first half of this talk is about state-of-the-art cache side-channel attacks. Most cache attacks target cryptographic implementations and even full key recovery attacks cross-core, cross-VM in public clouds have been demonstrated. We recently found that cache attacks can be fully automatized, cache attacks are not limited to specific architectures, and cache attacks can be implemented based on a variety of hardware features. This broadens the field of cache attacks and increases their impact significantly.
Biography. Daniel Gruss is a PhD Student at Graz University of Technology. He has done his master's thesis on identifying and minimizing architecture dependent code in operating system kernels. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating system. In July 2015, he and his colleagues demonstrated the first hardware fault attack performed through a remote website, known as Rowhammer.js.
Dr. Marco Balduzzi
(Trend Micro Research)
Talk. Automatic Extraction of Indicators of Compromise for Web Applications
Abstract. Indicators of Compromise (IOCs) are forensic artifacts that are used as signs that a system has been compromised by an attack or that it has been infected with a particular malicious software. In this paper we propose for the first time an automated technique to extract and validate IOCs for web applications, by analyzing the information collected by a high-interaction honeypot. Our approach has several advantages compared with traditional techniques used to detect malicious websites. First of all, not all the compromised web pages are malicious or harmful for the user. Some may be defaced to advertise product or services, and some may be part of affiliate programs to redirect users toward (more or less legitimate) online shopping websites. In any case, it is important to detect those pages to inform their owners and to alert the users on the fact that the content of the page has been compromised and cannot be trusted. Also in the case of more traditional drive-by-download pages, the use of IOCs allows for a prompt detection and correlation of infected pages, even before they may be blocked by more traditional URLs blacklists. Our experiments show that our system is able to automatically generate web indicators of compromise that have been used by attackers for several months (and sometimes years) in the wild without being detected. So far, these apparently harmless scripts were able to stay under the radar of the existing detection methodologies – resisting for long time on public web sites.
Biography. Marco Balduzzi holds a Ph.D. in applied IT security from Télécom ParisTech and a M.Sc. in computer engineering from the University of Bergamo. His interests concern all aspect of computer security, with particular emphasis on real problems that affect systems and networks. Some topics on which he worked on are web and browser security, code analysis, botnets detection, cybercrime investigation, privacy and threats in social networks, malware and intrusion detection systems.
Dr. Martin Johns
Talk. Eavesdropping on WebRTC Communication with Funny Cat Pictures
In this talk, we will show how a single Cross-site Scripting vulnerability, a compromised signaling server, or a malicious CDN can be utilized to fully intercept Web RTC communication and leak video & audio of both participants of the communication to a malicious third party. The attack is fully hidden from the compromised parties and requires no server infrastructure on the attacker's site.
Biography. Dr. Martin Johns is a Research Expert in the Security and Trust group within SAP AG, where he leads the web application security team. Furthermore, he serves on the board of the German OWASP chapter. Before joining SAP, Martin studied Mathematics and Computer Science at the Universities of Hamburg, Santa Cruz (CA), and Passau. During the 1990s and the early years of the new millennium, he earned his living as a software engineer in German companies (including Infoseek Germany, and TC Trustcenter). He holds a diploma in Computer Science from the University of Hamburg and a Doctorate from the University of Passau. Martin has a track record of over eight years applied WebAppSec research, published more than 20 papers on the subject, and is a regular speaker at international security conferences, including Black Hat, the OWASP AppSec series, CCS, ACSAC, ESORICS, PacSec, HackInTheBox, RSA Europe, and the CCC Congress.
Prof. Dr. Thorsten Holz
(Ruhr University Bochum)
Talk. Code-Reuse Attacks and Beyond
Abstract. Code-reuse attacks have become a prevalent technique to exploit memory corruption vulnerabilities in software programs. The focus of most attacks is on modifying code pointer and a variety of corresponding defenses has been proposed, of which many have already been successfully bypassed — and the arms race continues. In this talk, we provide an overview of some recent work we performed at Ruhr-University Bochum towards code-reuse attacks with and without modifying code pointers. On the one hand, we present some recent results on a technique called counterfeit object-oriented programming (COOP). We demonstrate that many existing defenses that do not consider object-oriented C++ or Objective-C semantics precisely can be generically bypassed in practice. On the other hand, we focus on non-control data attacks. We demonstrate some potential attacks and focus on data-only attacks that can bypass many of the existing defenses. We conclude the talk with an overview of potential other targets of code-reuse attacks and an outlook of future challenges.
Biography. Thorsten Holz is a professor in the Faculty of Electrical Engineering and Information Technology at Ruhr-University Bochum, Germany. His research interests include systems oriented aspects of secure systems, with a specific focus on applied computer security. Currently, his work concentrates on automated analysis of malicious software, reverse engineering, and studying latest attack vectors. He received the Dipl.-Inform. degree in Computer Science from RWTH Aachen, Germany (2005), and the Ph.D. degree from University of Mannheim (2009). Prior to joining Ruhr-University Bochum in April 2010, he was a postdoctoral researcher in the Automation Systems Group at the Technical University of Vienna, Austria.
(Ruhr University Bochum)
Talk. On the Security of Browser Extensions
Abstract. In an everlasting struggle to find the balance between security, privacy and that toolbar which slipped in after you've installed Java, browser extension systems constantly evolve. Three years after Kotowicz has pwned our stuff, we will explore old and new attack techniques for both Firefox and Chrome. Finally, we will engage in a jolly expedition to long-forgotten extension types and convince them to exploit the browser itself.
Biography. Nicolas is a soon-to-be former student of the Ruhr University Bochum. After finishing his master's degree, he will move to Zurich to join Google's web security efforts. Due to being a HackPra supervisor for roughly three years, Nicolas had the pleasure of listening to many great speakers and is eager to show that he has learned quite a few tricks of their trade over time.
Talk. Hacking with Unicode in 2016
Abstract. This presentation explores common mistakes made by programmers whendealing with Unicode support and character encodings on the Web. Foreach mistake, I explain how to fix/prevent it, but also how it couldpossibly be exploited.
Dr. Lucas Vincenzo Davi
(Technical University of Darmstadt)
Talk. On Securing Legacy Software Against Code-Reuse Attacks
Abstract. Code-Reuse attacks such as return-oriented programming constitute a powerful exploitation technique that is frequently leveraged to compromise software on a wide range of architectures. These attacks generate malicious computation based on existing code (so-called gadgets) residing in linked libraries. Both academia and industry have recently proposed defense techniques to mitigate code-reuse attacks. However, a continuous arms race has evolved between attacks and defenses. In this talk, we will elaborate on the evolution of code-reuse attacks. In particular, we explore prominent defense techniques that are based on control-flow integrity (CFI) enforcement and code randomization. Further, we discuss promising research directions such as hardware-assisted defenses and protection against these attacks at the kernel layer.
Biography. Lucas Davi is an independent Claude Shannon research group leader of the Secure and Trustworthy Systems group at Technische Universität Darmstadt, Germany. He received his PhD from Technische Universität Darmstadt, Germany in computer science. He is also a researcher at the Intel Collaborative Research Institute for Secure Computing (ICRI-SC). His research focuses on software exploitation technique and defenses. In particular, he explores modern software exploitation attacks such as return-oriented programming (ROP) for ARM and Intel-based systems.
Talk. Cheshire Cat's Grin
Abstract. There is malware, and then, there is m.a.l.w.a.r.e. Last year we got our fingers on a set of exquisite binaries which were definitely not the usual kind. No I'd never call malware sophisticated, after all thats not what it takes to be dangerous; or interesting. But those were a challenging beast, unusually intriguing.
For the lack of a better name, and given all the whacky traits the binaries come with, we dubbed the family CheshireCat. Thats the pink cat in Alice's wonderland with the most stupid grin. The CheshireCat binaries have been around since 2002, some are built for workstations as old as Windows NT4, they support dial-up connections and executable header checks for the NewExecutable file format. Go figure. We came to the conclusion, someone very dedicated has built CheshireCat for very special networks and kept his operation under the radar for more than a decade.
This talk will introduce CheshireCat's implementation traits, stealth tactics and wonderous functionalities. The term attribution might appear, once, to leave some clues about where CheshireCat might have come from.
Biography. Marion Marschalek is Principal Malware Researcher at GData AdvancedAnalytics, focusing on the analysis of emerging threats. Marion startedher career within the anti-virus industry and also worked on advancedthreat protection systems where she built a thorough understanding ofhow threats and protection systems work and how both occasionally fail.Next to that Marion teaches malware analysis at University of AppliedSciences St. Pölten and frequently contributes to articles and papers.She has spoken at international conferences around the globe, amongothers Blackhat, RSA, SyScan, hack.lu and Troopers. Marion came off aswinner of the Female Reverse Engineering Challenge 2013, organized by REprofessional Halvar Flake. She practices martial arts and has a vividpassion to take things apart. Preferably, other people's things.
(Code White GmbH)
Talk. Java deserialization vulnerabilities - The forgotten bug class
Abstract. Java deserialization vulnerabilities are a bug class on its own. Although several security researchers have published details in the past, still the bug class is fairly unknown. This talk is about finding and exploiting deserialization flaws in Java. Details on a new gadget will be disclosed, allowing Remote Code Execution. And several vulnerabilities discovered by Code White will be shown as Case Studies including a 0day.
Biography. Matthias is the Head of Vulnerability Research at Code White. He enjoys bug-hunting in Java Software because it's so easy. He found vulnerabilities in products of Oracle, IBM, SAP, Symantec, Apache, Adobe, Atlassian, etc. Currently, he enjoys researching deserialization and looking into COM/OLE.
Event venue address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum
Google Maps: Link to the building
Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly located under the cafeteria/Mensa in our event center (German: Veranstaltungszentrum). You can find parking slots for your cars directly under the conference location (University Center/ Universität Mitte, parking deck P9). Otherwise you can use the train station (U35 - "Ruhr-Universität"). From the train station, it is a five minutes walk to get to the conference building.
Flight and Train Information
The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is via train. Please take the "Sky Train" from the airport to the railway station "Düsseldorf Flughafen". After that you should drive to "Bochum Hauptbahnhof" (aka. "Bochum Hbf."). From there we recommend to take a taxi driver to the conference center (about 10 Euro). Otherwise you can take the underground station (U-Bahn) train U35 to "Ruhr Universität Bochum".
- Please pay for the sky train (a few euros).
- To get your tickets, you can use a ticket machine after the sky train. They allow you to choose English for the UI and you can pay (often) with your credit cards. Please also take money (Euro) with you if credit cards are not accepted. The ticket price should be something around €3 (SkyTrain) and €20 (train).
- Please do not forget to stamp your train ticket with one of the stamp machines. Otherwise it is not valid/used.
If you want to check out when your train will arrive you can use this web page: http://www.bahn.com/i/view/DEU/en/index.shtml
We do not offer any hotel room reservation service. From our experience, it is cheaper to use common hotel booking portals instead of booking the rooms directly at the hotel or with a reservation code.
Directly in the heart of Bochum and near the train station, we recommend two hotels:
Ibis has renewed their hotel a few years ago and it is, depending on the view, sufficient to spend a few nights in it. More luxury is given in the Mercure Hotel, which was a Park Inn hotel in the past. Both hotels are not far away from Bochum's famous Bermuda Dreieck (with a lot of good bars and German beer).
Anfahrt zum Veranstaltungszentrum
(German, pdf, 5.04 MB)
(German, JPG, 487.36 kB)
Conference location with way-description
(English, pdf, 1.39 MB)
Conference location with way-description - details
(English, pdf, 1.37 MB)
G Data Social Event
Next to their anti-virus products, G DATA is known as the evening sponsor of the Ruhr University's HackPra lecture. As it is in the case of HackPra, RuhrSec will have an awesome evening event too.
Every participant with a valid ticket is invited to be our guest at the social event. G Data provides awesome people and tasty food and as well as high quality drinks. Feel free to join us and to talk with other security interested people, including the speakers.
Location: G DATA Academy, Königsallee 178, D-44799 Bochum
How to get there: After the conference we will go together to the location by using public transport systems. More information is given before the first conference keynote.
German way description: Download PDF
Time: After the conference (>=17:00 o'clock)
This event will be provided by our company Hackmanit. Our organisation team consists of Marcus Niemietz, Christian Mainka and Juraj Somorovsky. We are security researchers with a strong relationship to the Horst Görtz Institute for IT security. The sponsors of this non-profit event are: G Data, Ubicrypt, HGI, Wirtschaftsförderung Bochum, Context Information Security and Hackmanit.
Please note that we do not have any CFP for this conference (maybe in the next edition). In case that you have any questions regarding the conference: please contact us via mail:Email us
Universitätsstraße 150 (ID 2/469)
T: (+49)(0)234 / 45930961
(+49)(0)234 / 45930960
Find us elsewhere
©2016 RuhrSec. All rights reserved.