Archives of POC2024


 Alex Birnberg, "Cloudy with a Chance of Bugs: Attacking the Windows Cloud Files API"
 Andrey Konovalov, "Lights Out: Covertly turning off the ThinkPad webcam LED indicator"
 Carl Smith, "Fuzzing for complex bugs across languages in JavaScript Engines"
 Chih-Yen Chang, "How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024"
 Csaba Fitzl, "Apple Disk-O Party"
 Haidar Kabibo, "A journey into forgotten Null Session and MS-RPC interfaces"
 Hanqin Ling, Yutao Lu, "Breaking through the cage: Get Android Universal Root by B-PUAF"
 Heyi Wu, "AI-Based Generation of Adversarial Malicious ELF Samples"
 Jaewon Min, Kaan Ezder, "Fake it till you make it: Bypassing V8 Sandbox by constructing a fake Isolate"
 Luca Todesco, "An insider perspective on the offensive industry"
 Meysam Firouzi, "Pishi: Coverage-Guided Fuzzing of the XNU Kernel and Arbitrary KEXT"
 Mickey Jin, "A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities"
 Nguyễn Hoàng Thạch, "VMware Workstation: Escaping via a New Route - Virtual Bluetooth"
 Pan Zhenpeng & Jheng Bing Jhong, "GPUAF : Two ways of rooting All Qualcomm based Android phones"
 Sagi Tzadik, "Uncovering Multitenancy Issues in AI-as-a-Service Providers"
 Seunghyun Lee, "WebAssembly Is All You Need: Exploiting Chrome and the V8 Sandbox 10+ times with WASM"
 Zhaofeng Chen, "A Single Transaction to Rule Them All: Attacking Blockchain Validators"

* The presentation slides will be uploaded once we receive the latest version of the slides from the speakers.

  Alex Birnberg, "Cloudy with a Chance of Bugs: Attacking the Windows Cloud Files API"

[Speaker Info]
==========
Alex Birnberg is a vulnerability researcher with extensive expertise in operating systems and web security. He specializes in uncovering critical security issues in enterprise software and has been credited for reporting vulnerabilities in Windows, Exchange, and SharePoint. Recently, Alex had one of the winning entries in the Windows PE category at TyphoonPWN 2024. He is currently pursuing a Master of Computer Security at Vrije Universiteit Amsterdam (@vu5ec).

[Abstract]
==========

Over the past few years, the Cloud Files Mini Filter driver has become a popular target for achieving privilege escalation on Windows from medium integrity. This is the component of the Windows kernel that allows OneDrive and other cloud sync engines to provide a seamless experience to the user when interacting with a remote cloud file system. Given that the Cloud Files API can be accessed by an unprivileged process (any user is able to create their own custom cloud sync engine), paired with the fact that the mini filter driver is enabled by default on Windows installations, this is an ideal target for getting kernel control.

In this talk, I will introduce you to the design and architecture of this driver, explaining its unique and complex attack surface. Next, I will guide you through the history of vulnerabilities and each of the components that they impact, focusing on the design patterns that led to those vulnerabilities. After understanding the history of vulnerabilities, I will walk you through what made the vulnerabilities I showcased at TyphoonPWN possible, explaining where they fit within the bigger picture. Lastly, I will discuss the challenges that arose while preparing for the hacking competition.




  Andrey Konovalov, "Lights Out: Covertly turning off the ThinkPad webcam LED indicator"

[Speaker Info]
==========
Andrey Konovalov is a security researcher focusing on the Linux kernel.
Andrey found multiple zero-day bugs in the Linux kernel and published proof-of-concept exploits for these bugs to demonstrate the impact.
Andrey contributed to several security-related Linux kernel subsystems and tools: KASAN — a fast dynamic bug detector; syzkaller — a production-grade kernel fuzzer; and Arm Memory Tagging Extension (MTE) — an exploit mitigation.

See [xairy.io](http://xairy.io/) for all of Andrey's articles, talks, and projects.

[Abstract]
==========

Are you one of the people who cover the laptop webcam with a sticker to avoid being secretly recorded, even though the LED indicator supposedly shows whether the camera is actually active? As it turns out, your fear of being recorded without an indication is well-grounded!

This talk shows how malicious software can turn off the LED indicator of the webcam module used in a few classic ThinkPad laptops while keeping the camera recording. Demonstrating this required finding a way to reprogram the camera's 8051-based controller's EEPROM firmware over USB, leaking and reverse engineering the controller's Boot ROM, and infecting the camera's firmware to add custom USB commands for controlling the LED indicator.




  Carl Smith, "Fuzzing for complex bugs across languages in JavaScript Engines"

[Speaker Info]
==========
Carl Smith is a Security Engineer on Google's V8 Security Team. He previously interned at Exodus Intelligence and Google Project Zero. He is interested in fuzzing, compilers and security research. He can be reached on Twitter, Mastodon and Bluesky: @cffsmith / cffsmith@infosec.exchange / rwx.page

[Abstract]
==========

The fuzzing of Wasm is not a new concept. Since Wasm is a binary format, it's relatively easy to employ a modern binary fuzzer like AFL++ to create modules and subsequently invoke them. However, this approach has limitations. Wasm modules can be utilized in more intricate contexts within web applications, typically collaborating with JavaScript code to accomplish more complex tasks. Linking and combining modules is possible, but it often requires the developer or fuzzer to possess in-depth knowledge of the modules involved.

To address this challenge, we extended Fuzzilli's intermediate language to include instructions that describe Wasm modules. This allows us to comprehensively track and infer the module and its associated data. By doing so, we open up new possibilities for fuzzing. It becomes feasible to combine JavaScript and Wasm code within a single fuzz test case, enabling cross-language type tracking and inference. These test cases exhibit more intricate behavior and, when combined with Fuzzilli's templating capabilities, facilitate the generation of complex and compelling test cases. We will look at some advanced browser fuzzing and some of the exciting test cases and bugs this has found in V8.




  Chih-Yen Chang, "How I use a novel approach to exploit a limited OOB on Ubuntu at Pwn2Own Vancouver 2024"

[Speaker Info]
==========
Chih-Yen Chang, aka Pumpkin (@u1f383), is a security researcher at DEVCORE and a member of the Balsn CTF team. He focuses on Linux kernel, hypervisor, and browser security, and has received multiple CVEs for vulnerabilities in the Linux kernel ksmbd and net/sched subsystem, QEMU, and Chrome. He recently competed in the Ubuntu LPE category at Pwn2Own Vancouver 2024.

[Abstract]
==========

The network scheduling (net/sched) subsystem in the Linux kernel manages the queuing and scheduling of network packets. To provide more flexibility, it supports a variety of scheduling algorithms and fine-tuning options, consequently increasing its complexity. In preparation for Pwn2Own Vancouver 2024, we decided to delve into this subsystem, anticipating that its complexity might conceal potential vulnerabilities.

After thoroughly reviewing all algorithms, we uncovered an out-of-bounds (OOB) write vulnerability in the TAPRIO algorithm caused by incorrect type usage. However, further analysis revealed significant limitations that make exploitation daunting. For instance, the data and the location of the write are range-bounded, and the OOB write occurs in the vmalloc memory space, rendering existing attack methods ineffective. To overcome these limitations, we innovated a new exploit approach and successfully compromised the latest version of Ubuntu. We are also confident that this method is reusable for vulnerabilities with similar primitives.

In this talk, we will briefly introduce the net/sched subsystem architecture and the root cause of the vulnerability. Then, we will primarily focus on the exploitation. Initially, we will analyze the primitive provided by the vulnerability. Subsequently, we will detail how to leverage this restricted primitive to inject BPF bytecode, even when eBPF is disabled by default, to achieve arbitrary writes to kernel data. Additionally, we will explain how we performed "Heap Feng Shui" in the vmalloc space and utilized the Linux signal mechanism to increase the success rate of the exploit. Finally, we will share some intriguing anecdotes from our first participation in Pwn2Own, which made the competition thrilling and challenging.




  Csaba Fitzl, "Apple Disk-O Party"

[Speaker Info]
==========
Csaba Fitzl graduated in 2006 as a computer engineer. He worked for 6 years as a network engineer, troubleshooting and designing big networks. After that, he worked for 8 years as a blue and red teamer focusing on network forensics, malware analysis, adversary simulation, and defense bypasses. Then he moved on to the macOS world and developed a "macOS Exploitation and Penetration Testing" training at OffSec. Currently he works as a Principal macOS Security Researcher at Kandji. He has given talks and workshops at various international IT security conferences, including Hacktivity, BlackHat, Troopers, SecurityFest, DEFCON, and Objective By The Sea. Csaba spends his free time with his family, and hikes and runs in the mountains.

[Abstract]
==========

In this talk I will share the details of four different vulnerabilities, all related to disks. We will start by understanding how the diskarbitrationd system daemon works and what preventive measures it has. Then I will go through sandbox escape and full TCC bypass vulnerabilities impacting this daemon. Then we will move on to a new field and talk about diskutil and storagekitd: what they are and what they can be used for. Once we are familiar with the tools, I will detail several vulnerabilities, including full TCC bypasses and privilege escalations. Finally, we will divert to diskutil's big brother, Disk Utility. There I will show how someone can use it to elevate privileges from admin to root if GUI access is available, for example on unattended workstations.




  Haidar Kabibo, "A journey into forgotten Null Session and MS-RPC interfaces"

[Speaker Info]
==========
Haidar Kabibo is working as a middle application security specialist at Kaspersky HQ in Moscow. He is part of the industrial security service team. He is interested in Windows internals, communication systems, network protocols and industrial infrastructure.

[Abstract]
==========

This presentation explores the details of MS-RPC interfaces, focusing on the no-authentication landscape through a thorough security research approach. The session starts by explaining the basics of Remote Procedure Call (RPC). Then, the research will discuss the link between the famous null session and MS-RPC interfaces. The result of this research is a new path for enumerating domain information, including domain users.

In the research I will take you on a journey through my security research methodology against MS-RPC interfaces, which I developed after observing some interesting behavior from one of the Windows interfaces. As a result of this research, I will show how we can link this behavior to null sessions. Putting it all together, I will demonstrate how we can revive the legacy of null sessions by enumerating information from the domain controller and, most importantly, enumerating domain users without triggering any alerts and without being stopped by defenders.

A new Python tool will be introduced, implementing this innovative enumeration path alongside a corresponding Metasploit module.
The research will analyze why this type of enumeration cannot be effectively halted, providing examples related to some Windows services. The research will also show how the native Windows audit policy fails to effectively monitor such enumerations, and explore alternative methods that can be used.

This presentation is designed for security researchers, penetration testers and blue teamers eager to deepen their understanding of MSRPC interfaces and enhance their research techniques.




  Hanqin Ling, Yutao Lu, "Breaking through the cage: Get Android Universal Root by B-PUAF"

[Speaker Info]
==========
Ling Hanqin is a security researcher at Pangu Team, focusing on Linux and mobile security.

Lu Yutao is a security researcher at Pangu Team, focusing on Linux and mobile security.

[Abstract]
==========

The Binder driver is the foundation of the inter-process communication mechanism in Android. It can be accessed by untrusted applications and isolated processes, making it the most targeted attack surface on the Android platform.

Fortunately, with the implementation of multi-dimensional mitigation measures on modern Android phones, the traditional method of exploiting memory corruption vulnerabilities to escalate privileges has become increasingly complex or even unexploitable. In order to obtain arbitrary read/write primitives, it is necessary to master ptmx/file/node techniques and trigger memory corruption multiple times, walking on a path with a very low probability of exploitation.

In this work, we will propose a general exploitation method for recent vulnerabilities in the Binder component (2022, 2023, 2024). Our technique involves constructing a stable path from Binder memory corruption to PageTable memory corruption. By understanding the management method from Binder, we will discuss in depth the impact of various locks and multiple ref counts on exploitation, which ultimately leads to arbitrary physical read/write and universal root.

Finally, we will demonstrate rooting on multiple Android devices and explore some effective vulnerability mitigation strategies for Binder and MMU.



  Heyi Wu, "AI-Based Generation of Adversarial Malicious ELF Samples"

[Speaker Info]
==========
Heyi Wu graduated from Southeast University majoring in network security and has rich security work experience. He has participated in the construction of multiple network security systems at the level of central ministries and commissions, as well as offensive and defensive drills and actual combat, and has carried out end-to-end implementation of research and products in AI security, data security, cloud security, security development, intelligence hunting and other fields. He has delivered speeches at well-known network security conferences at home and abroad, such as BH MEA, HITB, BSides, Kanxue SDC, XCon, Geekpwn, etc.; participated in the compilation of multiple security standards at home and abroad (IEEE P2841, China self-developed operating system security, etc.); published many EI/SCI papers and patents; holds a number of security certificates at home and abroad (CISP, CCSK, CDPSE, etc.); and has submitted several 0day vulnerabilities, general security issues of self-developed Linux systems and advanced attack hunting traceability reports to the regulatory authorities.

[Abstract]
==========

Chinese government and enterprise organizations will replace domestic operating systems and application software on a large scale. However, most security vendors are currently unable to cover this area. Moreover, domestic terminal security software has weak capability in detecting and killing malicious ELF samples. Some hackers and attack teams have targeted products that use domestic operating systems, and the existing detection capabilities are easily bypassed by attackers. Worse still, there is no established channel for exchanging malicious ELF samples among vendors. The situation is as follows: there are very few domestically produced ELF malicious sample databases; there is zero work on the generation of adversarial malicious software targeting ELF; the existing work on countermeasures against PE malicious samples cannot generate executable binary files; and there is no work on AI-based generation of malicious ELF samples. Thus, a system that generates adversarial malicious samples in the domestic environment using AI technology is needed to establish an advantage in the malicious sample library and enhance the capability to detect and kill malicious software. We develop such a system and solve the above problems.




  Jaewon Min, Kaan Ezder, "Fake it till you make it: Bypassing V8 Sandbox by constructing a fake Isolate"

[Speaker Info]
==========
Jaewon Min is a vulnerability researcher focusing on browser exploitation working at Binary Gecko.

Kaan Ezder is a security researcher at Binary Gecko, focusing on browser security.

[Abstract]
==========

With the introduction of new mitigations and sandboxes, it is becoming harder to exploit modern web browsers. In the past, a single V8 RCE vulnerability was enough to totally compromise the renderer process in Chrome, but things have changed. With the new V8 Sandbox in place, an additional bypass vulnerability is required to compromise the Chrome renderer.

In this presentation, we will explore the inner workings of the V8 Sandbox, a critical component of the V8 JavaScript engine that ensures the safe execution of code within the Chrome browser. It is designed to isolate and protect the execution environment from potentially malicious code, thereby protecting the user's system. We will delve into its architecture and review how bypasses have evolved over time.

Next, we will look at the V8 Sandbox bypass vulnerability which was publicly disclosed earlier this year. The bypass was possible due to a raw heap pointer being writable inside the sandbox. According to the crbug tracker, this issue was known to Google since June 2022, but the fix landed in April 2024. How we developed the exploit by creating a fake Isolate before it was patched will be explained in detail.

Finally, the presentation will conclude with upcoming changes to the V8 Sandbox implementation and ideas for future V8 Sandbox bypasses.




  Luca Todesco, "An insider perspective on the offensive industry"

[Speaker Info]
==========
Luca Todesco (@qwertyoruiopz) is Co-founder & Managing Partner at Dataflow Security. He has dedicated most of his research career to *OS and continues to focus on its new challenges. He was recognized by Forbes Magazine in its 30 Under 30 for Europe in 2017.

[Abstract]
==========

This keynote delves into the dynamic world of the cyber offensive industry from an insider's viewpoint. It covers everything from discovering a vulnerability through the exploit development process, as well as ethical aspects and business dimensions. Moreover, attendees will gain insights into how this industry niche operates, the challenges it faces, and the significant role it plays in digital intelligence and offensive cyber capabilities.




  Meysam Firouzi, "Pishi: Coverage-Guided Fuzzing of the XNU Kernel and Arbitrary KEXT"

[Speaker Info]
==========
Meysam Firouzi is a software security researcher with expertise in hypervisors, Windows, Unix-based systems, and XNU (macOS and iOS). You can read about him here: https://r00tkitsmm.github.io/about/

[Abstract]
==========

This presentation will cover Pishi, an innovative method for structure-aware, feedback-driven fuzzing of the macOS kernel and its kernel extensions. Pishi is a static binary rewriting tool designed to instrument basic blocks in the XNU kernel and its macOS kernel extensions (kexts). It allows you to instrument the XNU kernel at a function, file, or folder level, or by address ranges. You can instrument everything in the XNU/bsd/net/ directory, all functions in content_filter.c, or just one specific function in the XNU source code, such as vnode_getfromfd. This enables targeted fuzzing. In the case of KEXTs, you can also target one specific IOKit class or just one or more methods of a class. Similar to Linux and macOS's KCOV, it collects the coverage and shares it with a fuzzer. You can hook Pishi into any off-the-shelf fuzzer. Pishi includes modified versions of LibFuzzer and libprotobuf-mutator, which have been adapted to be Pishi-aware, enabling them to fuzz the macOS kernel in a structure-aware, feedback-driven manner.




  Mickey Jin, "A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities"

[Speaker Info]
==========
Mickey Jin (@patch1t) is an independent security researcher with a keen interest in malware analysis, threat campaign research, and vulnerability research.
Over the past few years, he has received over 200 CVEs from Apple, Inc.
He was also a speaker at various conferences such as HITB2021SIN/HITB2022SIN, PoC2022, and Objective By The Sea.

[Abstract]
==========

In the macOS system, most processes are running in a restricted sandbox environment, whether they are Apple's own services or third-party applications. Consequently, once an attacker gains Remote Code Execution (RCE) from these processes, their capabilities are constrained. The next step for the attacker is to circumvent the sandbox to gain enhanced execution capabilities and broader file access permissions.

But how to discover sandbox escape vulnerabilities? Upon reviewing the existing issues, I unearthed a significant overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-23414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, and CVE-2024-27864. Additionally, there are two other vulnerabilities affecting only beta versions that have been resolved and rewarded, but no specific CVE numbers have been assigned. There are three more sandbox escape issues currently awaiting processing by Apple’s security team.

In this presentation, I will delve into each of these new vulnerabilities - discussing their root causes while demonstrating how they can be exploited and explaining how Apple addressed them.




  Nguyễn Hoàng Thạch, "VMware Workstation: Escaping via a New Route - Virtual Bluetooth"

[Speaker Info]
==========
Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) is a security researcher at STARLabs, focusing on Browser/Virtualization/IoT bug hunting and exploitation.
In the past few years, I participated in several Pwn2Own events and successfully demonstrated exploitation on multiple targets (IoT, mobile and Virtual Machine).

[Abstract]
==========

VMware is a leading and widely used virtualization product. From a security perspective, it is one of the most challenging targets, alongside Hyper-V and KVM. This complexity inspired me to explore this target further.

My research journey into VMware Workstation began in 2022. After extensively exploring its architecture, I discovered a new attack surface: the Virtual Bluetooth Device. By default, VMware Workstation guests can communicate with other Bluetooth devices through its Virtual Bluetooth Device. Although VMware has only implemented basic Bluetooth functions, the protocol's complexity increases the potential for bugs. This attracted me, and I decided to look deeper into this component.

In this talk, I will share my journey of working on the Virtual Bluetooth Device, providing fundamental knowledge about its architecture and focusing on several bugs I discovered. This includes two exploitations I successfully demonstrated at Pwn2Own Vancouver in 2023 and 2024. I will discuss the root causes, exploitation methods, and mitigation bypass techniques.



  Pan Zhenpeng & Jheng Bing Jhong, "GPUAF : Two ways of rooting All Qualcomm based Android phones"

[Speaker Info]
==========
Pan Zhenpeng is a mobile security researcher at STAR LABS SG, focusing on Mobile (iOS/Android) and Web security. He has spoken at Zer0Con, POC, OffensiveCon, 0x41Con and HITB Armory.

Jheng Bing Jhong is a security researcher at STAR LABS SG, focusing on Linux, VM and mobile security.

[Abstract]
==========

In July this year, Qualcomm patched a bug which was also discovered by us. By leveraging this specific vulnerability, we were able to root all affected Qualcomm-based Android phones.

In this presentation, we will first analyze the root cause of the bug and demonstrate how we turned it into a GPU Page Use-After-Free (GPUAF). We will then show how to exploit this bug through two distinct paths on different Samsung devices, bypassing all mitigations such as KNOX, physical address ASLR, and DEFEX. Next, we will share our experience on porting the exploit to other Qualcomm-based phones, detailing the challenges we faced during this process.

Finally, we will summarize the implications of this vulnerability for device security and provide recommendations for mitigating such risks in the future.




  Sagi Tzadik, "Uncovering Multitenancy Issues in AI-as-a-Service Providers"

[Speaker Info]
==========
Sagi Tzadik (@sagitz_) is a security researcher on the Wiz Research team. Sagi specializes in cloud security research, application security, and in finding vulnerabilities in complex high-level systems. He has been recognized for his work and featured on the MSRC Top Security Researcher Leaderboard.

[Abstract]
==========

The demand for AI services has increased dramatically in recent years, as companies and organizations rush to enhance their offerings with AI capabilities. AI-as-a-Service providers help facilitate this demand by offering scalable cloud-based infrastructure. As a result of their business model, AI-as-a-Service providers face a significant security challenge: They must handle potentially untrusted inputs, in the form of AI models, within a multi-tenant environment.

Over the past year, our team has been researching popular AI-as-a-Service platforms with key questions in mind: Could a determined attacker hack their way into the private AI models of industry leading companies? What unique attack surface do these services expose?

In this session, we will discuss the security concerns faced by multi-tenant AI-as-a-Service providers. To illustrate our findings, we'll examine a case study based on our recent research into Hugging Face, a leading platform in the AI industry. Together, we'll craft a malicious AI model to achieve Remote Code Execution on the platform's underlying infrastructure, exploit a Kubernetes misconfiguration to escape our container, and eventually reach the stage where we could potentially compromise all models hosted on the platform. Additionally, we'll discuss our collaboration with Hugging Face to address the issues we uncovered.




  Seunghyun Lee, "WebAssembly Is All You Need: Exploiting Chrome and the V8 Sandbox 10+ times with WASM"

[Speaker Info]
==========
Seunghyun Lee, a.k.a. Xion (@0x10n), is a Ph.D. student in the Computer Science Department at Carnegie Mellon University. He received his bachelor's degree in CS/EE at KAIST, where he worked as a research intern in Hacking Lab. His research focuses on system security, binary analysis, automatic vulnerability discovery and exploit generation.

His recent works involve vulnerability research and exploitation of browsers and the Linux kernel, and have found and exploited multiple vulnerabilities in hacking competitions. His notable achievements include winning two browser entries in Pwn2Own Vancouver 2024, winning the top payout on TyphoonPWN 2024 with a Chrome entry, and winning multiple entries in Google kernelCTF and v8CTF. He has presented his research in domestic and international security conferences including POC2023. He is also an occasional CTF player and has received the DEF CON Black Badge for winning DEF CON CTF in '23/'24 as part of Maple Mallard Magistrates.

[Abstract]
==========

Browsers are complex pieces of software with multiple components integrated together. Every one of these components, as well as the integration layers between them, is a potential source of bugs. However, not all bugs are equal: exploitability of the initial bug is sometimes questionable, and mitigation bypasses are often required to obtain fully arbitrary code execution even within the renderer. In Chrome this mitigation is known as the V8 Sandbox, which attempts to prevent any memory corruption within the V8 Sandbox region from affecting any other memory region. This makes exploiting the initial bug to fully arbitrary code execution much more challenging... or so it was considered.

In this talk, I demonstrate how WebAssembly still serves as a great attack vector that provides troves of both initial bugs and V8 Sandbox bypasses. I first share the story behind finding a WASM bug in V8 through variant analysis and exploiting it at TyphoonPWN 2024, and show how fixing this bug revealed another stunningly simple variant-of-a-variant bug exploited in v8CTF. I also introduce another bug in the WASM TurboFan compiler caused by an innocent typo, and show how analyzing a seemingly unexploitable bug can reveal significant exploitability in some configurations and platforms. I continue on to a massive list of 10+ V8 Sandbox bypasses in WASM, opening up a whole new paradigm of bypass techniques that require significant effort to fully patch. This research, while spanning only a short period of approximately 2 months, enabled me to win multiple hacking competitions and VRPs for a total of $250K+.

Throughout the talk, I provide both the big picture and a detailed technical walkthrough of finding bugs in Chrome's WASM implementation and exploiting them in the modern Chrome environment. I challenge the common misconception that "browser bugs are hard", whereas quite a few of them can be found and exploited without breaking a sweat. The talk will conclude with a sneak peek of future work on WASM implementations in other major browsers and a demonstration of the exploits.



  Zhaofeng Chen, "A Single Transaction to Rule Them All: Attacking Blockchain Validators"

[Speaker Info]
==========
Zhaofeng Chen is a security researcher at CertiK, specializing in Web3 infrastructure security, confidential computing, system security, and mobile security. With expertise in both offensive and defensive techniques, he has earned recognition for uncovering critical vulnerabilities in blockchain infrastructure, earning substantial bounties across multiple blockchain ecosystems. Beyond blockchain security, he has been acknowledged with over 30 CVEs by Samsung, Google, Microsoft, and Apple. These findings earned his team the MSRC Most Valuable Security Researcher award, and the Samsung Mobile Security Hall of Fame award.

[Abstract]
==========

Blockchain technology forms the backbone of Web3, prized for its decentralized, trustless nature and high availability. Innovations in VM layers, such as WebAssembly and Move Lang, aim to provide more secure programming paradigms and ease developer efforts. However, these security enhancements place an additional burden on on-chain validators. The assumption that distributed nodes inherently enhance reliability is increasingly questioned, especially when security flaws in critical paths, such as publishing and executing untrusted smart contract payloads, are exposed.

At POC 2023, we demonstrated methods to compromise on-chain security verifiers in Move-based blockchains. Our presentation revealed how to bypass type-safety enforcement to fabricate arbitrary crypto tokens and circumvent gas meters to introduce infinite loops into the blockchain network.

For POC 2024, we aim to expand our focus to a broader attack surface. We will explore the resource usage of various VMs' on-chain validators, specifically targeting how a single transaction can exhaust the resources of validator nodes, thereby disrupting the entire blockchain network's ability to produce new blocks. Over the past years, we have responsibly disclosed variants of such attack vectors in different blockchain ecosystems, earning more than $1.2 million in bounties.

We will discuss the fundamental reasons why this attack surface is common across modern blockchain VMs. Our presentation will detail three variants of resource exhaustion attacks in two popular blockchain ecosystems, demonstrated with real bug bounty vulnerabilities.






  Hardik Shah, Practical Fuzzing: A Hands-On Learning Experience for Uncovering Vulnerabilities on Linux and Windows Platforms

[Trainer Info]
==========
Hardik Shah (@hardik05) is an experienced cyber security professional with 17+ years of experience in the computer security industry. He currently works as a Principal Security Researcher at Vehere, where he is responsible for analysing the latest threats, detecting them, and improving the product. In the past he has worked with various security companies such as Sophos, McAfee, and Symantec, where he built research teams from the ground up, managed various critical cyber threats to protect customers, implemented various product features, and mentored many people.

Hardik is also known for his skills in fuzzing and in vulnerability discovery and analysis. He has discovered 50+ vulnerabilities in Microsoft and various open source software. He has conducted workshops at various industry-leading cyber security conferences such as DEF CON, BSides, RSA Dark Arts, and many others. Hardik enjoys analysing the latest threats and figuring out ways to protect customers from them.

[Abstract]
==========

Fuzzing is a powerful technique for identifying vulnerabilities in software. This hands-on training will cover the theory and practical aspects of fuzzing, including coverage-guided fuzzing, basic blocks and binary instrumentation, corpus collection and minimization, target selection, crash triage and root cause analysis, and real-life CVE analysis. Attendees will have the opportunity to practice fuzzing on Linux and apply the concepts and techniques learned in the training to fuzz real world software. This training is suitable for attendees with a basic understanding of software development and testing and is beginner friendly.

This training starts with user-mode fuzzing and later covers topics such as Linux kernel fuzzing and firmware fuzzing.

In this training, attendees will also learn about the different types of vulnerabilities that can be found through fuzzing, including buffer overflows, heap overflows, integer overflows, use-after-free errors, and out-of-bounds read/write errors. We will discuss the underlying causes and potential impacts of these vulnerabilities, as well as how to identify and address them through fuzzing. In addition to coverage-guided fuzzing, we will also introduce other types of fuzzers, such as dumb fuzzers and mutation fuzzers, and discuss their benefits and limitations. Attendees will also learn how to use tools such as GDB and Crashwalk to debug and analyze crashes, and to perform root cause analysis to identify the underlying cause of vulnerabilities.

  Silvio & Antonio, Modern Malware OPSEC & Anti-Reverse Techniques Implementation and Reversing

[Trainer Info]
==========
Dr. Silvio La Porta is CEO and Co-Founder at RETooling, where he defines and develops a threat actor emulation platform that enables red teams to recreate realistic attack scenarios. Previously he was a Senior Cyber Security Architect designing security products and researching advanced detection technology for complex malware/APT. Before that, Silvio was a lead research scientist with EMC Research Europe, based in the Centre of Excellence in Cork, Ireland. His primary research focus areas were real-time network monitoring and data analysis in smart grids to detect malware activity in SCADA systems and corporate networks. He also led Security Service Level Agreement (Sec-SLA) and end-user security/privacy-protected data store projects for hybrid cloud environments. He is a frequent speaker at professional and industry conferences. Before joining EMC, Silvio worked as a Malware Reverse Engineer in Symantec’s Security Response team in Dublin, Ireland. Silvio holds a PhD in Computer Network Security from the University of Pisa, Italy.

Dr. Antonio Villani is the Co-Founder of RETooling. He works full-time on the development of red-team and adversary emulation capabilities for his company. Previously he spent most of his time on the blue team, reversing high-level implants for top-tier customers and providing detailed information to support cyber-defense and cyber threat intelligence teams. Now he analyzes complex implants to gain a deep understanding of the TTPs used by threat actors and to provide a high-quality reimplementation of them. As a researcher he has published in top-tier conferences and journals, and he has participated in European research projects in the field of cyber resilience and data security. During his PhD he worked in the field of malware research and digital forensics.

[Abstract]
==========

This course offers an in-depth look at the techniques used in contemporary malware to evade detection by security products such as antivirus software, IPS, IDS, and EDR. We will explore how attackers design and operate their implants to ensure quick redeployment following detection or public disclosure by researchers or security vendors.

The training includes real-world scenarios that effectively hinder reverse engineering efforts, making the job of first responders more challenging. These techniques will be demonstrated in two ways: by reversing real malware samples and by re-implementing an improved version of the malware code. The training is designed from an attacker’s perspective, providing red teams with strategies to make their implants stealthier, while also teaching defenders how to counteract these anti-reversing and OPSEC techniques.
