• Take your seats

    Trainings: 27.05.2019 (Monday)

    Conference: 28.–29.05.2019 (Tuesday – Wednesday)

  • RuhrSec 2018

    Over 210 participants – thank you.

  • RuhrSec 2017

    Over 180 participants – thank you.

  • RuhrSec 2016

    Over 135 participants – thank you.

Ruhr's IT security conference

Since 2016, RuhrSec has been the annual English-speaking non-profit IT security conference with cutting-edge security talks by renowned experts. The conference is hosted at the Ruhr-University Bochum in Germany, directly in the heart of Bochum near the river Ruhr. RuhrSec provides academic and industry talks, the typical University feeling, and a highly recommended social event.

In 2019, all profits from the conference ticket income will again be donated to a local non-profit organization. Do you want to recommend one? Please contact us.



Program

Trainings (Mercure Hotel Bochum City): Monday, 27.05.2019

Microarchitectural Attacks, Ass.Prof. Dr. Daniel Gruss, Moritz Lipp, Michael Schwarz
Putting Security Checks into Your Build Pipeline, Christian Schneider
Attacking and Defending TLS, Dr. Juraj Somorovsky, Robert Merget

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 13:00 Training
13:00 – 14:00 Lunch
14:00 – 18:00 Training
19:30 – 22:30 Speakers' Dinner

Conference (Ruhr University Bochum): Tuesday, 28.05.19

08:00 – 09:00 Registration and Biscuits/Coffee
09:00 – 09:15 Opening, Marcus Niemietz
09:15 – 10:00 Keynote: TBA, Ass.Prof. Dr. Christina Pöpper
10:00 – 10:30 Coffee Break
10:30 – 11:15 Reversing Fraudulent Apps, Abdullah Joseph
11:15 – 12:00
12:00 – 13:30 Lunch
13:30 – 14:15 The Bicho: backdooring CAN bus for remote car hacking, Sheila Berta
14:15 – 15:00
15:00 – 15:45 Coffee Break
15:45 – 16:30
16:30 – 17:15
17:15 – Open End Social Event (incl. Dinner)

Conference (Ruhr University Bochum): Wednesday, 29.05.19

08:45 – 09:15 Biscuits/Coffee
09:15 – 10:00
10:00 – 10:30 Coffee Break
10:30 – 11:15 Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild, Marius Steffens & Dr. Ben Stock
11:15 – 12:00 Content-Security-Policies in mass-distributed web apps - doing the undoable, David Jardin
12:00 – 13:30 Lunch
13:30 – 14:15
14:15 – 15:00
15:00 – 15:30 Coffee Break
15:30 – 16:15
16:15 – 17:00
17:00 – 17:15 Closing

Talks & Trainings

Microarchitectural Attacks

Training by Ass.Prof. Dr. Daniel Gruss, Moritz Lipp, Michael Schwarz (TU Graz)

Training. Microarchitectural Attacks

Abstract. With the beginning of 2018, microarchitectural attacks received a lot of attention from the computer security community and other fields. Meltdown and Spectre break isolation between processes and security domains on a hardware level. In this training, we provide a hands-on experience on microarchitectural attacks.

Starting with the basics, we first learn how caches work and then implement three very basic microarchitectural side-channel attacks. We start with Flush+Reload and use it to implement two different attacks; one on a cryptographic algorithm and one template attack. We also see how performance counters can reveal interesting information for microarchitectural attacks.

After having learned how to mount Flush+Reload attacks on shared libraries, we go one step further and get rid of the requirement of shared memory step by step. For this purpose, we learn how to build eviction sets and implement an Evict+Reload attack. Continuing from there, we implement Prime+Probe, an attack which does not require any shared memory. Finally, we implement a Meltdown and a Spectre attack, based on the Flush+Reload implementation we have already implemented in the first third of the course.

This course teaches attendees where microarchitectural attack surface is created and how it can be exploited. This provides engineers with valuable knowledge for building more secure hardware and software resilient to these attacks.

Course Outline.

  • Introduction
  • Flush+Reload
  • Attacking Weak Crypto I
  • Template Attacks
  • Performance Counters
  • Evict+Reload
  • Prime+Probe
  • Attacking Weak Crypto II
  • Covert Channel
  • Meltdown
  • Spectre

What to bring? Laptop, VirtualBox

Prerequisites. Operating system with at least 4GB of RAM (8GB recommended) and at least 25 GB of free disk space.

Who Should Attend? Security and computer engineers, computer security researchers, people interested in microarchitectural attacks.

What to expect? This course will teach attendees how microarchitectural attacks work and how to automate them. They will learn how to combine different side channels and use different side channels to achieve the same goal in different privilege scenarios. This will give engineers the ability to find and address microarchitectural vulnerabilities in hardware and software.

What not to expect? "Exploits", Fault attacks (Rowhammer).

About the trainers. Daniel Gruss, Moritz Lipp, and Michael Schwarz have been teaching at Graz University of Technology for several years. They are one of the leading groups in microarchitectural attack and defense research and have spoken about this topic at various international venues.

Putting Security Checks into Your Build Pipeline

Training by Christian Schneider

Training. Putting Security Checks into Your Build Pipeline

Abstract. This course gives insight into the automation capabilities of security scans, which fit perfectly into many build pipelines. Taking frontends (Web) as well as backends (APIs) into account, you will learn which steps of a security analysis can be best automated - and how. By focussing on open-source solutions, you will get a tool arsenal with different automation options ready to test your applications' security on every build.

In order to get the most out of the training day, you can (optionally) follow the exercises with Kali Linux and a demo application created specially for this workshop. For those without a laptop during the workshop: even without being able to take part in the practical tasks, you will still pick up a lot of information from the workshop.

Course Outline.

  • DevOps pipelines
  • Security tool landscape
  • Automation capabilities and integration styles
  • Overcoming crawler problems
  • Alternative traffic generators
  • Coping with tokens, CAPTCHAs, and other automation problems
  • Configuration recommendations for different automation and scan types
  • Scan scheduling & APIs
  • How to NOT just break builds
  • Handling findings from automated scans
  • Organizational aspects (especially for agile teams)

What to bring? Laptop (with VMware or VirtualBox).

Prerequisites. If you want to attend the exercises: Kali Linux installed and running (inside VM is absolutely ok).

Who Should Attend? DevOps Engineers, QA / Test Engineers, Developers, Penetration Testers, Technical Managers.

What to expect? This course will teach attendees how to use security tools in an automated way to assess the security of their applications as part of build pipelines. At the end of this course, attendees will be able to consider different techniques and utilize security tools to enhance the security of the software development process of agile DevOps projects.

What not to expect? One-fits-all solutions, offensive stuff (i.e. we're not covering post exploitation techniques as part of automated build chains).

About the trainer. Christian (@cschneider4711) has pursued a successful career as a freelance Java software developer and expanded it to include the focus on IT-Security. His major areas of work are Security Architecture Consulting and Penetration Testing. Aside from trainings he coaches agile projects to include security in the SDLC by applying Security DevOps concepts. Christian enjoys speaking at conferences and blogs at Christian-Schneider.net.

Attacking and Defending TLS

Training by Dr. Juraj Somorovsky, Robert Merget (Ruhr University Bochum)

Training. Attacking and Defending TLS

Abstract. Transport Layer Security (TLS) is the most important cryptographic protocol on the Internet. It is responsible for securing connections between browsers and web servers, or between web services peers. Recent TLS history is however full of new attacks, which makes it challenging to deploy applications securely.

We give an overview of the most critical TLS attacks and show how to detect these attacks with different tools. Afterward, we present best practices to establish secure TLS connections.

Course Outline.

  • Short intro into crypto
  • The TLS protocol
  • TLS attacks
  • Secure TLS configuration
  • Security evaluation with open-source tools

What to bring? Laptop, VirtualBox

Prerequisites. Operating system with at least 4GB of RAM (8GB recommended) and at least 25 GB of free disk space.

Who Should Attend? Developers, Penetration Testers

What to expect? You will learn the concepts behind the most important cryptographic protocol and the relevant attacks from recent years. You will gain knowledge on how to analyze your server configuration with open source tools and how to deploy TLS securely.

What not to expect? 0days

About the trainers. Dr. Juraj Somorovsky is a security researcher at the Ruhr University Bochum, and a co-founder of Hackmanit GmbH. He is the main developer of a flexible tool for TLS analyses called TLS-Attacker and a co-author of several well-known TLS attacks. For example, his attacks DROWN and ROBOT received Pwnie Awards for Best Cryptographic Attack in the years 2016 and 2018. Juraj Somorovsky has presented his work at renowned scientific and industrial conferences, including Usenix Security, Blackhat, Deepsec and OWASP Europe.

Robert Merget (@ic0nz1) is a PhD Student at the Chair for Network and Data security at Ruhr University Bochum. The focus of his research is practical TLS implementations and their analysis. He is a co-author of TLS-Attacker and the main developer of TLS-Scanner.


Ass.Prof. Dr. Christina Pöpper

(NYU Abu Dhabi) – Keynote

Talk. TBA

Abstract. TBA

Biography. Christina Pöpper is a computer scientist with a focus on information and communication security. Her research goal is to better understand and enhance the security and privacy of current and future IT and communication systems. Specific interests are the security of wireless systems and applications, where she is working on topics like secure localization and jamming-resistant communication, mobile-, protocol- and system-level security as well as on aspects of privacy. She is teaching computer/IT security and general computer science classes. She is affiliated with the Center for Cyber Security at NYUAD.

Prior to joining NYUAD, Christina Pöpper was an assistant professor at Ruhr-University Bochum, Germany, where she headed the Information Security Group at the Electrical Engineering and Information Technology Department / Horst-Görtz-Institute for IT-Security. In the past, she taught specialized courses on wireless security as well as on private and anonymous communication. She received her doctoral and graduate degrees in computer science from ETH Zurich, Switzerland.

Her research interest is cybersecurity and privacy. One focus area is wireless and communication security, in particular securing wireless radio transmissions against jamming as well as securing localization techniques. She likes to combine systems and security mechanisms in different application settings. She addresses secure systems where cryptography alone is often not enough.

Sheila Berta

(Freelancer) – Talk

Talk. The Bicho: backdooring CAN bus for remote car hacking

Abstract. Attacks targeting connected cars have already been presented in several conferences, as well as different tools to spy on CAN buses. However, there have been only a few attempts to create “something similar” to a useful backdoor for the CAN bus. Moreover, some of those proofs of concept were built upon Bluetooth technology, limiting the attack range and therefore tampering its effects.

Now we are happy to say, “those things are old”!

We have successfully developed a hardware backdoor for the CAN bus, called “The Bicho”. Due to its powerful capabilities we can consider it as a very smart backdoor. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Even more, have you ever imagined the possibility that your car suddenly stopped working, when you least expected it, due to a remote attack? Now all of this is possible.

The Bicho supports multiple attack payloads and it can be used against any vehicle that supports CAN, without limitations regarding manufacturer or model. Each one of the payloads is related to a command that can be delivered via SMS, this way it allows remote execution from any geographical location. Our backdoor is an open-hardware tool and it has an intuitive graphical interface, called “Car Backdoor Maker”, which is open-sourced too and allows payload customization.

The attack payload can be configured to be automatically executed once the target vehicle is proximate to a given GPS location. The execution can also be triggered by detecting the transmission of a particular CAN frame, which can be associated with any given factor, such as the speed of the vehicle, its fuel level, and some other factors. Moreover, in our talk we will be presenting a new feature that allows us to remotely kill the car’s ECU, consequently causing the car to stop working suddenly.

Biography. Sheila Ayelen Berta is an Information Security Specialist and Developer, who started by herself at 12 years old. At the age of 15, she wrote her first book about Web Hacking, published by RedUSERS Editorial in several countries. Over the years, Sheila has discovered lots of vulnerabilities in popular web applications and software. She has also given courses on Hacking Techniques in universities and private institutes. Sheila currently works as a Security Researcher who specializes in offensive techniques, reverse engineering and exploit writing. She is also a developer in ASM (microcontrollers, x32/x64), C/C++, Golang and Python. Sheila is an international speaker who has spoken at important security conferences such as Black Hat EU 2017, DEFCON 26, DEFCON 25 CHV, HITBSecConf, HackInParis, Ekoparty Security Conference, IEEE ArgenCon, Hack.Lu, OWASP Latam Tour and others.

David Jardin

(Joomla!) – Talk

Talk. Content-Security-Policies in mass-distributed web apps - doing the undoable

Abstract. Content-Security-Policy is a well-established technology that is able to catch Cross-Site-Scripting attacks in modern browsers. However, regardless of the benefits, usage in mass-distributed web apps like WordPress or Joomla is still close to non-existent. In this talk, we will talk about the concepts of CSP, the huge challenges that web app developers face during the implementation and potential workarounds to get CSP out of the door.

Biography. Born and living in Cologne, Germany, David got in touch with web development during school in 2002. After a few years working with plain HTML sites, he started to develop his own CMS in 2004 and switched to Mambo shortly after. He quickly became an active member of the German community and met them in person for the first time during JoomlaDay Germany 2006. After school, he started his business as a freelance web developer and quickly got more involved in the community by giving support in the forums, co-organizing the German JoomlaDay and the J&Beyond conference, starting a Joomla Usergroup in his home town, developing his own extensions and joining the board of the German Joomla association "J&Beyond e.V.". In 2012, he joined the Bug Squad and started contributing to the CMS code. In late 2012, he co-founded the CMS-Garden project, which is a cooperation of 12 open-source CMS. In the CMS-Garden, volunteers from all participating systems combine their forces to improve their marketing and reach new potential users.

Abdullah Joseph

(Adjust) – Talk

Talk. Reversing Fraudulent Apps

Abstract. Wherever there is money, there is fraud. Companies invest massive amounts on their ad campaigns to showcase their product to the world. In reality, however, most of that money goes to fraudsters and malicious app makers.

In this talk, the speaker will demonstrate how a popular app with over 100 million downloads conducts their mobile fraud operation and performs a commonplace mobile fraud technique: Click Injection.

Biography. Abdullah Joseph works as a security specialist at Adjust, a mobile analytics company, as part of the company’s fraud team. His responsibilities include researching current and future mobile fraud schemes, reversing malicious apps and developing appropriate countermeasures. He is the holder of both GREM and GMOB certifications.

Twitter: @malwarecheese

Marius Steffens

(CISPA Helmholtz Center i.G.) – Talk

Talk. Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Abstract. The Web has become highly interactive and an important driver for modern life, enabling information retrieval, social exchange, and online shopping. From the security perspective, Cross-Site Scripting (XSS) is one of the most nefarious attacks against Web clients. Research has long focused on three categories of XSS: reflected, persistent, and DOM-based XSS. We argue, however, that this classification lacks a key threat in the modern Web: persistent Client-Side XSS.

In this talk, we not only provide an improved notion of the classes of XSS, but rather report on a real-world study which shows that of the Alexa Top 5,000 domains, around 2,000 make use of persisted data on the client. We conduct this study using a combination of taint tracking and a fully automated exploit generation pipeline. Doing so, we find that of these 2,000, over 20% make that use in an insecure way which enables an attacker to execute a persisted payload on every page load, allowing for nefarious long-term attacks such as JavaScript-based keyloggers, credential extraction from password managers, or cryptojacking. In addition, we analyze the end-to-end exploitability of the flaws we discovered based on two attacker models, showing that at least 70% of the sites with an insecure data flow can successfully be infected with a malicious payload. We also discuss a number of real-world case studies to highlight the severity of this threat.

Based on our insights, we show that in many cases, the use case requires the execution of persisted JavaScript code. We identify four distinct classes of intended uses for the persisted data, and end our talk with a discussion of applicable countermeasures tailored for those cases.

Biography. Marius Steffens is a first year PhD student in the Secure Web Applications Group at the CISPA-Helmholtz Center for Information Security, where he is supervised by Ben Stock. Marius is currently interested in the area of Web Security, and specifically looking into the prevalence of vulnerabilities in client-side Web applications.

Dr. Ben Stock

(CISPA Helmholtz Center i.G.) – Talk

Talk. Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild


Biography. Ben Stock is a Tenure-Track Faculty at the newly founded CISPA-Helmholtz Center for Information Security. In his PhD, Ben focussed on the detection and mitigation of Client-Side Cross-Site Scripting. During his PhD, he worked closely with SAP Research and interned with Microsoft Research. After his PhD, he joined CISPA as a postdoc, focussing on both Web Security as well as Usable Security research. He currently heads the Secure Web Applications Group at CISPA and is a regular speaker at academic and non-academic venues like CCS, USENIX Security, NDSS, Blackhat, and OWASP AppSec.

Conference location

Directions

Training address: Mercure Hotel Bochum City (website), Massenbergstraße 19-21, 44787 Bochum

Google Maps: Link to the hotel


Conference address: Veranstaltungszentrum, Ruhr-Universität Bochum, Universitätsstraße 150, 44801 Bochum

Google Maps: Link to the conference building

Directions: RuhrSec will be held at the Ruhr University Bochum (RUB). The conference location is directly located under the cafeteria/Mensa in our event center ("VZ" or "Veranstaltungszentrum"). You can find parking spaces for your car directly under the conference location (University Center/"Universität Mitte", parking space P9). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building.

Flight and Train Information

The closest airport is "Düsseldorf Flughafen" (DUS). From DUS, the shortest and fastest way to get to Bochum is via train. Please take the "Sky Train" from the airport to the train station "Düsseldorf Flughafen". Afterwards, you should take a train to "Bochum Hauptbahnhof" (aka "Bochum Hbf"). From there, we recommend taking a taxi to the conference center (about 10 euro). Otherwise, you can take the subway ("U-Bahn") U35 to the station "Ruhr-Universität". From the station, it is a 5-10 minutes' walk to the conference building.

Please note:

  • Please pay for the sky train (about 2 euro).
  • To get your train tickets, you can use a ticket machine after the sky train. They allow you to choose English for the UI and you can (often) pay with your credit cards. Please be sure to bring enough cash (euro) with you, because it is possible that the ticket machine does not accept your credit card. The ticket price should be about 2 euro (SkyTrain) and 20 euro (train).
  • Please do not forget to validate your train ticket with one of the stamp machines. Otherwise, it is not valid.

If you want to check when your train will arrive you can use this web page: https://reiseauskunft.bahn.de/bin/query.exe/en

Accommodation

We do not offer any hotel room reservation service. From our experience, it is cheaper to use common hotel booking portals instead of booking the rooms directly at the hotel or with a reservation code.

Directly in the heart of Bochum and near the central station, we recommend two hotels:

Ibis renewed their hotel a few years ago and it is, depending on the view, sufficient to spend a few nights in it. More luxury is offered by the Mercure Hotel, which was a Park Inn hotel in the past. Both hotels are not far away from Bochum's famous "Bermuda Dreieck" - with a lot of good bars and German beer.

Social Event

Besides their anti-virus products, G DATA is known as the evening sponsor of the Ruhr University's HackPra lecture. As in the case of HackPra, RuhrSec will have an awesome evening event too.

Every participant with a valid conference ticket is invited to be our guest at the social event. G DATA provides awesome people, tasty food and high-quality drinks. Feel free to join us and to talk with other security-interested people, including the speakers.

Details

Location: G DATA Academy, Königsallee 178, D-44799 Bochum

How to get there: After the conference, we will go to the location together using public transport. More information will be given before the keynote on the first conference day.

German way description: Download PDF

Time: After the first conference day (>=17:00 o'clock)