Training. Exploiting Websites by using offensive HTML, SVG, CSS and other Browser-Evil

Abstract. More and more web applications delegate business logic to the client. HTML.next, JavaScript, SVG, Canvas, ES6, AngularJS and ReactJS are just some terms that describe the contents of the modern web stack. But how does the attack surface look for those? What if there's not GET parameters anymore that our scanner scan tamper with? What can we do when the server just delivers raw data and the rest is done by the browser? Classic web-pentests are "so nineties" in this realm. And keeping up the pace with progress is getting harder and harder. But there is hope. The focus of this workshop is on the offensive and dangerous parts of HTML, JavaScript and related technologies, the nasty and undocumented stuff, dozens of new attack techniques straight from the laboratory of horrors of those maintaining the HTML5 Security Cheatsheet. We'll learn how to attack any web-application with either unknown legacy features - or the half-baked results coming to your browser from the labs of W3C, WHATWG and the ES6 mailing lists. Whether you want to attack modern web applications or shiny browser extensions and Chrome Packaged Apps - we have that covered. Whoever works with or against the security of modern web applications will enjoy and benefit from this workshop. A bit of knowledge on HTML and JavaScript is required, but rookies and rocket scientists will be satisfied equally. HTML is a living standard. And so is this workshop. Course material will be provided on-site and via access to a private Github repo so all attendees will be receive updated material even months after the actual training.

Course Outline

First Segment
• The very Basics
• HTTP / Encoding
• Character Sets
• CSRF en detail
• Cross Site-Scripting
• DOM Clobbering
• Drag&Drop / Copy&Paste
• DOMXSS
• Legacy Features

Second Segment
• HTML5 Attacks & Vectors
• SVG
• XML
• Mutation XSS / mXSS
• Scriptless Attacks
• SOP Bypasses
• Filter Bypasses
• Optimizing your Payload

What to bring? Laptop, ideally a VM with several browsers (MSIE, FF, Chrome)

Prerequisites. Basic knowledge on HTTP, HTML and Scripting, fascination for weird technical behaviors and a love for crazy code

Who Should Attend? Penetration testers, security engineers, security developers, technical people interested in browser and client-side web-security

What to expect? A very technical, very intense, in-depth course starting from the very basics (HTTP, Charsets, Strings) and going up to advanced client-side attacks. Small focus on exploitation but huge focus on how to get there.Execute script where no one ever executes script before.

What not to expect? A trainer with bad hair. The trainer has excellent hair which is in remarkably great shape. Also don't expect the standard XSS attack 101. This course goes beyond the limits and shows attacks known to few if ever.

About the trainer. Dr.-Ing. Mario Heiderich, handsome heart-breaker, bon-vivant and (as he loves to call himself) "security researcher" is from Berlin, likes everything between lesser- and greater-than, leads the small yet exquisite pen-test company called Cure53 and pesters peaceful attendees on various 5th tier conferences with his hastily assembled powerpoint-slides. Mario also did his PhD in Bochum, the most beautiful city of Germany if not the entire world. The Pneumoconiosis he caught during these days will always remind him of those golden times.

Training. Systematically Breaking and Fixing Single Sign-On

Abstract. Single Sign-On belongs to the group of the most important Internet technologies. However, in recent years, it has been shown that these technologies are target of serious attacks. As part of our research we systematically analyzed different Single Sign-On protocols like SAML, OpenID, OAuth, and OpenID Connect and came up with a large range of attacks partially or totally breaking the security of these protocols. On the example of OpenID Connect, the last standardized SSO protocol used by companies like Google and PayPal, we came up with 15 different attacks resulting in Broken-End-User authentication, information leakage, Server-Side-Request-Forgery (SSRF) and Denial-of-Service (DoS).

In this training we will give an overview of the Single Sign-On authentication scheme in general and will present insights into three most used protocols: SAML, OAuth and OpenID Connect. Participants will get the opportunity to carry out manually the introduced attacks in a prepared environment. In addition, existing tools facilitating the analysis of Single Sign-On will be introduced. Finally, we will show techniques strengthening the SSO authentication scheme and mitigating the attacks for each protocol.

Course Outline

First Segment
• Basics: HTTP and Single Sign-On
• Basics: HTTP attacks
• Basics: SAML
• SAML: Attacks on Service Providers
• SAML: Attacks on Identity Providers
• SAML: Countermeasures and Additional Security Features

Second Segment
• Basics: OAuth 2.0
• OAuth 2.0: Attacks on Service Providers
• OAuth 2.0: Attacks on Identity Providers
• Basics: OpenID Connect
• OpenID Connect: Single-Phase attacks
• OpenID Connect: Cross-Phase attacks
• OAuth and OpenID Connect: Countermeasures and Additional Security Features

What to bring? Laptop, VirtualBox, BurpSuite

Prerequisites. Basic knowledge on HTTP and HTML

Who Should Attend? Penetration testers, security engineers and security developers.

What to expect? Very technical and in-depth course regarding the security of modern Single Sign-On protocols like SAML, OAuth and OpenID Connect. You will learn how to recognize Single Sign-On protocols, how to systematically analyze them. You will get a good overview of the current technologies, known attacks and mitigation techniques.

A quick peek on a small subset of attacks you will cope with can be found in his OWASP AppSec EU 2016 presentation: YouTube.

What not to expect? Simple and standard attack techniques. This course goes deep into the world of SSO attacks.

About the trainer. Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, and a freelance penetration tester. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topics of interest are Identity Management and Cloud Computing.

Talk. How to Build Hardware Trojans

Abstract. Countless systems ranging from consumer electronics to military equipment are dependent on integrated circuits (ICs). A surprisingly large number of embedded systems are already security-critical, e.g., medical devices, automotive electronics, SCADA systems or network routers. If the underlying ICs in an applications are maliciously manipulated through hardware Trojans, the security of the entire system can be compromised. In recent years, hardware Trojans have drawn the attention of governments and the scientific community.

Even though hardware Trojans have been studied over the last 10 years or so, little is known about how they might look, especially those that are particularly designed to avoid detection. In this talk we introduce several approaches with which a sophisticated attacker could insert Trojan into hardware platforms. We will look at hardware Trojans realized on both, ASICs (application specific integrated circuits) and FPGAs, i.e., programmable hardware.

Biography. Christof Paar has the Chair for Embedded Security at Ruhr University Bochum, Germany, and is research professor at the University of Massachusetts Amherst. He co-founded CHES (Cryptographic Hardware and Embedded Systems), the leading international conference on applied cryptography. His research interests include efficient crypto implementations, hardware security, and security analysis of real-world systems. He also works on applications of embedded security, e.g., in cars or consumer devices. He holds an ERC Advanced Grant in hardware security and is spokesperson for the doctoral training school SecHuman. Christof has over 180 peer-reviewed publications and he is co-author of the textbook Understanding Cryptography (Springer, 2009). Christof is Fellow of the IEEE and the IACR and has given invited talks at MIT, Yale, Stanford, IBM Labs and Intel. Christof co-founded ESCRYPT GmbH, a leading system provider for automotive security, which is now part of Bosch.

Talk. SSH: Beyond Confidentiality and Integrity in Practice

Abstract. This talk presents a systematic analysis of symmetric encryption modes for SSH that are in use on the Internet, providing deployment statistics, new attacks, and security proofs for widely used modes. We will also look at the on-going development of new encryption modes for SSH that offer superior security to the currently deployed modes at low additional cost.

Joint work with Martin Albrecht, Jean Paul Degabriele and Torben Brandt Hansen.

Biography. Prof Kenneth Paterson obtained a BSc in 1990 from the University of Glasgow and a PhD from the University of London in 1993, both in Mathematics. He was then a Royal Society Fellow at Institute for Signal and Information Processing at the Swiss Federal Institute of Technology, Zurich, from 1993 to 1994. After that, he was a Lloyd's of London Tercentenary Foundation Research Fellow at Royal Holloway, University of London from 1994 to 1996. In 1996, he joined Hewlett-Packard Laboratories Bristol, becoming a project manager in 1999. He then joined the Information Security Group at Royal Holloway in 2001, becoming a Reader in 2002 and Professor in 2004. From March 2010 to May 2015, he was an EPSRC Leadership Fellow working on a project entitled "Cryptography: Bridging Theory and Practice". In May 2015, he reverted to being a Professor of Information Security.

Kenny was program chair of Eurocrypt 2011, invited speaker at Asiacrypt 2014, and currently serves as Editor-in-Chief for the Journal of Cryptology. He is a co-founder of the "Real World Cryptography" workshop series. He also serves on the Executive Steering Board of the IoT Security Foundation, as co-chair of the Crypto Forum Research Group of the IRTF, and on the technical advisory board of SkyHighNetworks.

His research over the last decade has mostly been in the area of Cryptography, with a strong emphasis being on the analysis of deployed cryptographic systems and the development of provably secure solutions to real-world cryptographic problems. He is a winner of an Applied Networking Research Prize from the IRTF for his work on the Lucky 13 attack on TLS; a PETS award for Outstanding Research in Privacy Enhancing Technologies for his work with Mihir Bellare and Phil Rogaway on the Security of symmetric encryption against mass surveillance published at CRYPTO 2014; and a winner of a best paper award at ACM CCS 2016, with Martin Albrecht, Jean Paul Degabriele and Torben Hansen, for their work on SSH.

Talk. Advanced SSL/TLS Deployment Strategies

Abstract. The web has evolved from hypertext to a powerful application platform. Powerful features like Geolocation, Push Notifications and Service Workers raise the stakes for application security.

Only HTTPS can guarantee integrity, confidentiality and authenticity of those web applications. We will cover deployment best practices that to strike a practical balance between security and compatibility. This includes a small digression into the inner guts of TLS to discuss cipher suites as well as certificate switching.

This talk also covers major deficiencies of the certificate ecosystems and demonstrates how to thwart the risks of misbehaving or even compromised Certificate Authorities with techniques like HTTPS Public Key Pinning or Certificate Transparancy.

Following this overview, common bypasses and shortcomings of these security mechanisms will also be discussed.

Biography. Frederik Braun is a Senior Security Engineer who works on Mozilla Firefox. Besides enhancing the built-in security checks, he has also been involved in web and mobile security. Frederik contributes to the W3C Web Application Security Working Group and co-authored the Subresource Integrity standard. He's also a former student of the Ruhr University in Bochum and co-founded the CTF team Fluxfingers. When not working on computer security, Frederik spends time with his family in Berlin.

Talk. Teach a Man to Phish and You Feed Him for a Lifetime

Abstract. Phishing might seem like a simple attack vector relying on gullible users to happily give up their credentials. When digging deeper into the topic however, one will find many interesting aspects of phishing that have not been widely reported.

This talk will dive into the analysis of so-called phishing kits: archives of server-side (mostly PHP) code that can be used to quickly turn a compromised or launched server into a phishing ground for the selected target. Leveraging the phishing detection capabilities of our team, we crawled known compromised servers and were able to download over five thousand phishing kits over the last couple of months.

Being able to analyze the server-side source code of phishing pages at large scale yields insights into the workings of phishing campaigns and opens new possibilities to the motivated security researcher:
- Finding and abusing bugs in the kits
- Evading evasion
- Automating the creation of robust detection
- Geographically tracking the phishers

Biography. Armin Buescher is a security researcher focused on the analysis of attack trends and transferring research results into the development of novel detection/prevention technologies and analysis tools. He has over 8 years of experience working in the security industry for companies with changing points of view ranging from the endpoint and malware sandboxes to network security and web gateways.

Talk. Five Years of Android Security Research: the Good, the Bad, the Ugly

Abstract. Android security and privacy research has boomed in recent years, far outstripping investigations of other "appified" platforms. In this talk, we present an overview of the different research areas that have emerged around the Android ecosystem, their current state and outlook, as well as the lessons learned we can draw from Android for other contemporary or future appified platforms. In particular, in the last part of this talk, we will take a short look at ongoing investigations of third party code and tool-chain providers and their partly significant impact on the overall security state of the Android ecosystem.

Biography. Sven Bugiel is an Independent Research Group Leader and head of the Trusted Systems Group at the Center for IT-Security, Privacy and Accountability (CISPA), Saarland University. His research interests lie in the area of systems security and secure computing, where a particular focus is on mobile security, e.g., Android. In the past years, Sven’s research put a strong emphasis on novel access control solutions across the various layers of mobile software stacks, while more recently the ecosystem surrounding mobile platforms, such as third-party libraries, is of particular interest to him.

Talk. Using Microarchitectural Design to Break KASLR and More

Abstract. Typically, hackers focus on software bugs to find vulnerabilities in the trust model of computers. In this talk, however, we'll focus on, how the micro architectural design of computers and how they enable an attacker to breach trust boundaries. Specifically, we'll focus on how an attacker with no special privileges can gain insights into the kernel and how these insights can enable further breaches of security. We will focus on the x86-64 architecture. Unlike software bugs, micro architectural design issues have applications across operating systems and are independent of easily fixable software bugs. In modern operating systems the security model is enforced by the kernel. The kernel itself runs in a processor supported and protected state often called supervisor or kernel mode. Thus the kernel itself is protected from introspection and attack by hardware. We will present a method that'll allow for fast and reliable introspection into the memory hierarchy in the kernel based on undocumented CPU behavior and show how attackers could make use of this information to mount attacks on the kernel and consequently of the entire security model of modern computers. Making a map of memory and breaking KASLR Modern operating systems use a number of methods to prevent an attacker from running unauthorized code in kernel mode. They range from requiring user-privileges to load drivers, over driver signing to hardware enabled features preventing execution in memory marked as data such as DEP (Data Execution Prevention) or more resonantly SMEP that prevents execution of user allocated code with kernel level privileges. Often used bypasses modify either page tables or use so called code reuse attacks. Either way an attacker needs to know where the code or page tables are located. To further complicate an attack modern operating system is equipped with "Kernel Address Space Randomized Layout" (KASLR) that randomizes the location of important system memory.

We'll present a fast and reliable method to map where the kernel has mapped pages in the kernel mode area. Further, we'll present a method for locating specific kernel modules thus by passing KASLR and paving the way for classic privileged elevation attacks. Neither method requires any special privileges and they even run from a sandboxed environment. Also relevant is that our methods are more flexible than traditional software information leaks, since they leak information on the entire memory hierarchy. The core idea of the work is that the prefetch instructions leaks information about the caches that are related to translating a virtual address into a physical address. Also significant is that the prefetch instruction is unprivileged and does not cause exceptions nor does it have any privilege verification. Thus it can be used on any address in the address space. Physical to virtual address conversion A number of micro-architectural attacks is possible on modern computers. The Row hammer is probably the most famous of these attacks. But attacks methodologies such as cache side channel attacks have proven to be able to exfiltrate private data, such as private keys, across trust boundaries. These two attack methodologies have in common that they require information about how virtual memory is mapped to physical memory. Both methodologies have thus far either used the "/proc/PID/pagemap" which is now accessible only with administrator privileges or by using approximations. We will discuss a method where an unprivileged user is able to reconstruct this mapping. This goes a long way towards making the row hammer attack a practical attack vector and can be a valuable assistance in doing cache side channel attacks. Again we use the prefetch's instructions lack of privilege checking, but instead of using the timing that it leaks we now use the instructions ability to load CPU caches and that timing of memory access instructions depend heavily on the cache state. Finally, we will shortly outline a possible defense.

Biography. Anders Fogh has led numerous low level engineering efforts in the past 11 years. Prior to that he worked at VOB GmbH and Pinnacle System where he was responsible for major developments in video and CD/DVD recording software. Since 1993 he has been an avid malware hobbyist and has reverse engineering experience with operating systems from DOS to present day OSs as well as devices ranging from DVD players to USB sticks. He holds a master's degree in economics from the University of Aarhus. He was the first to suggest a software solution to the row hammer bug and spoke at Black Hat 2015 with Nishat Herath on the topic of using performance counters for security out comes.

Talk. Rowhammer Attacks: A Walkthrough Guide

Abstract. In the past 2 years the so-called Rowhammer bug has caught the attention of many academic and non-academic researchers. The scary aspect of the Rowhammer bug is that is entirely invalidates software security assumptions. Isolation mechanisms are ineffective to a degree where an attacker can run in a website and compromise the entire host system.

In this walkthrough guide I will walk you through all Rowhammer attacks that have been presented so far. We will start with the seminal work by Kim. et. al. 2014 and discuss the basic idea of triggering bitflips in software. Subsequently we will discuss how to use their findings in exploits, as demonstrated by Google researchers in 2015. The results from the works of these two groups is still of vital interest for the discussion of countermeasures that now may find their way into the Linux kernel.

Subsequently, we will discuss several attacks that are derived from these initial Rowhammer attacks. We will discuss attacks that lower requirements: Rowhammer.js, non-temporal-access-based attacks, DRAMA and Drammer. These attacks move Rowhammer from the strictly x86 native setting on DDR3 memory to new environments like the JavaScript sandbox, DDR4, or even mobile devices.

Another branch of attacks combine Rowhammer with other attack primitives. We will discuss attacks using deduplication (Dedup est Machina, Flip Feng Shui) and their impact. Furthermore, we will discuss the first Rowhammer attacks on cryptographic primitives that have been presented in 2016.

Finally, we will discuss countermeasures, i.e. Rowhammer detection and Rowhammer mitigation. While several countermeasures have been discussed and some have even been deployed, the problem is widely unsolved. We will shed light on the ongoing discussion amongst Linux kernel developers and point out dead ends that should be avoided in the future.

Biography. Daniel Gruss is a PhD Student at Graz University of Technology. He has done his master's thesis on identifying and minimizing architecture dependent code in operating system kernels. Daniel's research focuses on software-based side-channel attacks that exploit timing differences in hardware and operating system. In July 2015, he and his colleagues demonstrated the first hardware fault attack performed through a remote website, known as Rowhammer.js.

Talk. Breaking and Fixing a Cryptocurrency

Abstract. Bitcoin has been hailed as a new payment mechanism, and is currently accepted by millions of users. One of the major drawbacks of Bitcoin is the resource intensive Proof-of-Work computation. Proof-of-Work is used to establish the blockchain, but otherwise it does not bring any benefits and arguably is a waste of energy. To address this problem, several alternative cryptocurrencies have been presented. One of them is Gridcoin which rewards the users for solving BOINC problems. In our work we conducted the first security analysis of Gridcoin. We identified two critical security issues. The first issue allows an attacker to reveal all the e-mail addresses of the registered Gridcoin users. Even worse, the second issue gives an attacker the ability to steal the work performed by a BOINC user, and thus effectively steal his Gridcoins. These attacks have severe consequences and completely break the Gridcoin cryptocurrency. We practically evaluated and confirmed both attacks, and responsibly disclosed them to the Gridcoin maintainers, together with the proposed countermeasures.

Biography. Martin Grothe is a research assistant at the Chair for Network and Data Security at the Ruhr University Bochum. Martin's research focuses on attacks against real-world protocols and security implementations. In August 2016, he and his colleagues demonstrated the first attacks against Microsofts Enterprise Rights Management (ERM) System, well known as Active Directory Rights Management Services (RMS). Further, in joined work with his colleagues at the Chair for Network and Data Security, he showed a new attack against PPTP VPNs, which utilizes RADIUS authentication.

Talk. 0-RTT Key Exchange with Full Forward Secrecy

Abstract. Reducing latency overhead while maintaining critical security guar- antees like forward secrecy has become a major design goal for key exchange (KE) protocols, both in academia and industry. Of particular interest in this re- gard are 0-RTT protocols, a class of KE protocols which allow a client to send cryptographically protected payload in zero round-trip time (0-RTT) along with the very first KE protocol message, thereby minimizing latency. Prominent ex- amples are Google’s QUIC protocol and the upcoming TLS protocol version 1.3. Intrinsically, the main challenge in a 0-RTT key exchange is to achieve forward secrecy and security against replay attacks for the very first payload message sent in the protocol. According to cryptographic folklore, it is impossible to achieve forward secrecy for this message, because the session key used to protect it must depend on a non-ephemeral secret of the receiver. If this secret is later leaked to an attacker, it should intuitively be possible for the attacker to compute the session key by performing the same computations as the receiver in the actual session.

We show that this belief is actually false. We construct the first 0-RTT key exchange protocol which provides full forward secrecy for all trans- mitted payload messages and is automatically resilient to replay attacks. In our construction we leverage a puncturable key encapsulation scheme which permits each ciphertext to only be decrypted once. Fundamentally, this is achieved by evolving the secret key after each decryption operation, but without modifying the corresponding public key or relying on shared state. Our construction can be seen as an application of the puncturable encryption idea of Green and Miers (S&P 2015). We provide a new generic and standard- model construction of this tool that can be instantiated with any selectively secure hierarchical identity-based key encapsulation scheme.

Biography. Tibor Jager teaches IT security and cryptography at Paderborn University. His research interests include applied and theoretical cryptography, with emphasis on the design and security analysis of digital signatures, public-key encryption schemes, and protocols, as well as practical attacks and countermeasures. He contributed to the discovery of security weaknesses in and practical attacks on major cryptographic standards and software libraries, including TLS, EAP-TLS, the W3C XML Encryption standard, and JSON Web Encryption/Web Signature.

Talk. Secrets of the Google Vulnerability Reward Program

Abstract. In Google VRP, we receive and process over 600 vulnerability reports a month. While the majority of them end up being invalid, some of the vulnerabilities reported by our bughunters from all over the world are amazing, in terms of their severity, impact and/or the difficulty of patching them on a Google scale. While some of them were already described in the past at various security conferences or writeups, most of them remain unknown to the security community.

In this presentation, we'll highlight the most interesting bug reports submitted through Google VRP, with the root causes both in our products, open source libraries or common software stacks. We'll analyze the security patches to the libraries we helped create, and reveal the full story behind them. For example, you'll get to know what has the reason behind a couple of Angular security releases.

Additionally, we'll give insights on how we evaluate and deal with vulnerability reports internally. Special focus will be put on the remediation process - making sure that a given vulnerability is not only patched, but prevented from happening ever again.

Biography. Krzysztof Kotowicz is an Information Security Engineer at Google and a panel member of Google's Vulnerability Rewards Program. He's a web security researcher specialized in Javascript, browser extensions and client-side security. Author of multiple open-source pentesting tools, and recognized HTML5/UI redressing attack vectors. Speaker at international IT security conferences & meetings (Black Hat, BruCON, Hack In Paris, CONFidence, SecurityByte, HackPra, OWASP AppSec, Insomni'Hack).

Talk. Rowhammer Attacks: A Walkthrough Guide

Abstract. In the past 2 years the so-called Rowhammer bug has caught the attention of many academic and non-academic researchers. The scary aspect of the Rowhammer bug is that is entirely invalidates software security assumptions. Isolation mechanisms are ineffective to a degree where an attacker can run in a website and compromise the entire host system.

In this walkthrough guide I will walk you through all Rowhammer attacks that have been presented so far. We will start with the seminal work by Kim. et. al. 2014 and discuss the basic idea of triggering bitflips in software. Subsequently we will discuss how to use their findings in exploits, as demonstrated by Google researchers in 2015. The results from the works of these two groups is still of vital interest for the discussion of countermeasures that now may find their way into the Linux kernel.

Subsequently, we will discuss several attacks that are derived from these initial Rowhammer attacks. We will discuss attacks that lower requirements: Rowhammer.js, non-temporal-access-based attacks, DRAMA and Drammer. These attacks move Rowhammer from the strictly x86 native setting on DDR3 memory to new environments like the JavaScript sandbox, DDR4, or even mobile devices.

Another branch of attacks combine Rowhammer with other attack primitives. We will discuss attacks using deduplication (Dedup est Machina, Flip Feng Shui) and their impact. Furthermore, we will discuss the first Rowhammer attacks on cryptographic primitives that have been presented in 2016.

Finally, we will discuss countermeasures, i.e. Rowhammer detection and Rowhammer mitigation. While several countermeasures have been discussed and some have even been deployed, the problem is widely unsolved. We will shed light on the ongoing discussion amongst Linux kernel developers and point out dead ends that should be avoided in the future.

Biography. Clémentine Maurice is a postdoctoral researcher in the Secure Systems group at the Graz University of Technology, in Austria. She obtained her PhD from Telecom ParisTech in October 2015 while working at Technicolor in Rennes, jointly with the S3 group of Eurecom in Sophia Antipolis. Among other topics, she is interested in microarchitectural covert and side channels and reverse-engineering processor parts. Her research aims at finding new attack vectors on modern commodity devices such as servers, laptops, desktops and mobile devices. She also led the research on Rowhammer hardware fault attacks in JavaScript through a remote website, an attack also known as Rowhammer.js. She presented her work at several academic conferences and venues like the 32nd CCC and BlackHat Europe.

Talk. A new categorization system for Side-channel attacks on mobile devices & more

Abstract. Side-channel attacks on mobile devices have gained increasing attention since their introduction in 2007. While traditional side-channel attacks, such as power analysis attacks and electromagnetic analysis attacks, required physical presence of the attacker as well as expensive equipment, an (unprivileged) application is all it takes to exploit the leaking information on modern mobile devices. Given the vast amount of sensitive information that are stored on smartphones, the ramifications of side-channel attacks affect both the security and privacy of users and their devices.

In this talk, I will begin with an overview of existing side-channel attacks on mobile devices and argue for the need of a new categorization system as side-channel attacks have evolved significantly since their introduction during the smartcard era. I will explain how our proposed categorization system will help to facilitate the development of novel countermeasures and provide insights into possible future research directions.

In the second part of my talk, I will present our latest work on how an adversary can exploit side-channel information, in this case power from the phone battery, to maliciously control a public charging station in order to exfiltrate data from a smartphone via a USB charging cable (i.e. without using the data transfer functionality).

Biography. Veelasha Moonsamy is a postdoctoral researcher in the Digital Security group at Radboud University in The Netherlands. She obtained her PhD from Deakin University in Melbourne (Australia), under the supervision of Prof. Lynn Batten. Her research interests revolves around security and privacy on mobile devices, in particular side- and covert-channel attacks, malware detection and mitigation of information leaks at application and hardware level.

Talk. How to Hack Your Printer

Abstract. The idea of a paperless office has been dreamed for more than three decades. However, nowadays printers are still one of the most essential devices for daily work and private people. Instead of getting rid of them, printers evolved from simple printing devices to complex network computer systems installed directly in company networks, and carrying lots of confidential data in their print jobs. This makes them to an attractive attack target.

In this paper we conduct a large scale analysis of printer attacks and systematize our knowledge by providing a general methodology for security analyses of printers. Based on our methodology we implemented an open-source tool called PRinter Exploitation Toolkit (PRET). We used PRET to evaluate 20 printer models from different vendors and found all of them to be vulnerable to at least one of the tested attacks. These attacks included, for example, simple Denial-of-Service (DoS) attacks or skilled attacks extracting print jobs and system files.

On top of our systematic analysis we reveal novel insights that enable attacks from the Internet by using advanced cross-site printing techniques combined with printer CORS-Spoofing. Finally, we show how to apply our attacks to systems beyond typical printers like Google Cloud Print or document processing websites. We hope that novel aspects from our work will become the foundation for future researches, for example, for the analysis of IoT security.

Biography. Jens Müller received his M.Sc. degree in IT Security / Networks and Systems from the Ruhr University Bochum in 2016. He has experience as a freelancer in network penetration testing and security auditing. In his spare time he develops free open source software, at present tools related to network printer exploitation.

Talk. The (In)Security of Automotive Remote Keyless Entry Systems revisited

Abstract. Remote keyless entry (RKE) systems, usually based on so-called rolling codes, are the most widespread way of (un)locking vehicle doors, opening the trunk, and disarming the alarm system. RKE is based on the unidirectional transmission of an (increasing) counter value, authenticated by means of symmetric cryptography. There are two major ways of attacking RKE systems: (i) by exploiting vulnerable key distribution schemes, and (ii) by making use of cryptographical weaknesses in the employed ciphers. In this talk, we will give practical example for both cases (based on our Usenix Security 2016 paper). First, we show that the RKE system used by the VW group (Audi, Seat, Skoda, Volkswagen) was based on only a handful global keys over the past 20 years. By extracting these keys from ECU firmware, an adversary is able to clone the owner's remote control from a distance of up to 100m, using a single rolling code. Second, we present novel attacks on the Hitag2 RKE scheme (employed by Alfa Romeo, Peugeot, Lancia, Opel, Renault, and Ford among others). Based on black-box reverse-engineering of the protocol, we devise a new cryptanalytical attack on Hitag2 for full key recovery, requiring four to eight rolling codes and negligible computation. Finally, our talk also includes a brief survey of the state of automotive security in general, a discussion of the responsible disclosure process, and recommendations for designing more secure RKE systems.

Biography. David Oswald is a lecturer (assistant professor) in the Security and Privacy Group at the University of Birmingham, UK. His main field of research is the security of embedded systems in the real world. On the one hand, the focus is on attack methods that exploit weaknesses in the physical implementation of mathematically secure cryptographic algorithms. Those techniques include both (passive) side-channel analysis and (active) fault injection, as well as reverse engineering. On the other hand, David is working on the practical realization of security systems in embedded applications. He is co-founder of the Kasper & Oswald GmbH, offering innovative products and services for security engineering. His research on vulnerabilities of various wide-spread systems (e.g. DESFire RFID smartcards, Yubikey two-factor authentication tokens, electronic locks, and VW/Hitag2 RKE systems) has created awareness for the crucial importance of security among developers of embedded devices.

Talk. Black-Box Security Analysis of State Machine Implementations

Abstract. State machines play an important role when implementing any protocol. They specify which messages are to be sent at which state and how incoming messages should be processed at different stages of the protocol. Especially in security protocols, when mistakes are made in the implementation of the state machine this can lead to serious issues. In this talk we will show how black-box analysis techniques can be used to extract state machines from implementations and what kind of security issues this can reveal.

We applied this analysis on several protocols, including EMV and TLS. The analysis of TLS resulted, for example, in the discovery of a serious vulnerability in Java's TLS implementation, which made it possible to bypass encryption and certificate verification. The technique was also applied on 145 different version of OpenSSL and LibreSSL, which gave an interesting insight in the evolution of the implemented state machine and showed how several severe issues in the past can be observed.

The technique can also be used to analyse devices where physical input is required: with the help of a Lego robot we analysed handheld readers used for online banking. This could identify a vulnerability in the device where it is possible to bypass the acknowledgement from the user used to authorise a transaction.

The tool used in this research (StateLearner) is available as open source, and can easily be extended to support more protocols and systems.

Biography. Joeri de Ruiter is a researcher in the Digital Security group at the Radboud University in Nijmegen, The Netherlands. His research interests are in the analysis and design of real-world security protocols, such as TLS and EMV.