[Speaker Info]
==========
Name: Bien Pham Nguyen Ngoc
Twitter handle: @bienpnn
Currently a security engineer of Sea Ltd Security Team. I'm interested in exploiting C/C++ native applications, as well as the Linux kernel and IoT hardware. First known publicly for exploiting RCE in Valve's games such as Counter-Strike: Global Offensive. Recently I participated in Pwn2Own Austin 2021 in Router category, and Pwn2Own Vancouver 2022 in Linux LPE category.

Name: Howard Nguyen
Twitter handle: @ngtrh1eu
Howard Nguyen is an application security engineer by day and a security researcher by night with strong interests in browser vulnerability research and exploitation. As someone who loves the thrills and spills of finding and leveraging vulnerabilities in the Linux kernel, he recently participated in Pwn2Own Vancouver 2022 in the Linux LPE category with Team Orca of Sea Security

[Abstract]
==========
Netfilter is a framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. One of the modules is Netfilter tables (`nf_tables`), which replaces the legacy iptables in configuring networking rules. This talk explains how Netfilter tables works in detail, how to communicate with the module using Netlink, and how our team found and exploited a bug in the module at Pwn2Own Vancouver 2022, as well as reviewing the recent patches for the bug, which also fixed other similar patterns.

[Speaker Info]
==========
- PhD. “Business Administration”
- BoB(Best of Best) mentor at Security Consulting track
- Holds numerous patents
- Retaining a CTF tournament winning career


[Abstract]
==========
It's about crime cases on the blockchain, how to track them when they happen, and how to respond. This topic will explain not only the amount of damage caused by virtual money, why such an accident occurs, and why an attack occurs, but also based on an immediate detection method and a long-term detection method in case of an accident. I hope that it will be a place to explain the way and effect I actually used in the business. Thank you.

[Speaker Info]
==========
Chen Nan is a security researcher at Zeekr Zero Research LABS. He has over 8 years of information security experience.
In the past few years, his work involves bug search and exploitation technology, mainly in automotive & iot & Kernel & Network & Virtualization.
He was named Microsoft's 2019 Most Valuable Researcher. He is the winner of the TianfuCap 2021 Kernel and Docker category He is one of the authors of the RealWorldCTF competition. He has also spoken at several conferences including Zer0Con, HITB, GoGoHack, 44Con, CSS2018, and Insomnihack.

Chongyang Bao is a Security Researcher of Zeekr Zero Research Lab.The reverse engineer. Good at reverse development,chip reverse analysis, vehicle bus security mechanism research, vulnerability mining, hardware security analysis.
He has cracked many well-known games and software. He has won the technology innovation award, technology model and other awards.

Jiaming Tao is a security researcher at Zeekr Zero Research Laboratories. He has more than three years of experience in vehicle diagnosis.
In the past few years, he has written many technical cases, which are included in China National Knowledge Infrastructure (CNKI).
He won the second prize of BAJA SAE CHINA and the first prize of Zhejiang Skills Competition. He was awarded the title of "Zhejiang Technical Expert" by Zhejiang Provincial Human Resources and Social Security Department Awarded the title of "Class D High-level Talents in Hangzhou" by Hangzhou Talent Office of CPC Hangzhou Shangcheng district mechanic trade union member


[Abstract]
==========
With the rapid development of intelligent vehicles, more and more attention has been paid to vehicle safety. The electrical and electronic architecture of modern cars is also changing.
Car networks are also becoming more complex. We usually call them "buses".
Compared with traditional vulnerability mining, vehicular bus is difficult to rely on manual work because it generates millions of signals per second. And many functions do not have specific performance, black box is particularly difficult.
Therefore, it is very important to find out the security problem of the complex network inside the car.
This topic describes some of the effective attack surfaces in Automotive. And our fuzzification framework is effective in practice.

Agenda:

1. Our presentation will reveal the attack surface of vehicular networks. Such as CAN network, FlexRay network, Lin network, Ethernet network and so on.
2. Next, we'll explain what threat scenarios these attack surfaces have. Such as cross-domain attack, malicious message, replay attack, DOS attack; CAN, FLEXRAY, and UDS protocol stack attacks.
3. Next, we will introduce the UDS protocol and the vehicle network protocol stack. Such as DOCAN, DoflexRay, DOIP and so on.
4. In particular, the internals of the flexray protocol are almost unknown. It has many difficulties.
5. And how to analyze these protocols in a black box environment.
6. Next, we will introduce how to use blur to explore complex vehicular black box networks. For example, CAN Fuzz, FlexRay Fuzz, UDS Fuzz.
7. We will demonstrate a real case.
8. We will open the source code of our fuzzy code.

[Speaker Info]
==========
Hector Peralta is a bug bounty hunter and came into the security field 2 years ago after losing his job. Since then, he managed to earn recognition from bug bounty platforms and Microsoft Security Response Center for reporting high impact vulnerabilities in a short time without an IT background. This includes a place among Microsoft top security researchers for 2021 and 2022 annual leaderboards, a bounty winner of pwn2own 2022 and being a speaker at the Latin American security conference Ekoparty.


[Abstract]
==========

Electron framework is used to build cross-platform software. It is a framework for creating native applications with web technologies like JavaScript, HTML, and CSS.
Due to the nature of this framework, it is exposed to common web vulnerabilities such as XSS, in order to prevent the use of this bugs to take advantage of the nodeJS environment, the electron documentation offers a guide to best practices and security flags. Originally these measures were optional, and it was developer’s choice to implement them, since this approach was prone to errors, over time the security measures were transferred to default configuration.
I have identified that the traditional way of exploiting electron-based applications isn’t viable due to default configuration being hardened, lowering the chance for common misconfigurations to be found and exploited. Therefore, through targeting application logic and the electron framework itself I found different attack vectors that allowed me to gain arbitrary code execution despite the security flags and best practices being applied.
This presentation will demonstrate how to find misconfigurations both in the Electron framework itself, which can be exploited in different applications, as in the logic of a particular flow of each application, for example by looking for event listeners that could be leveraged to expand the attack surface in order to bypass restrictions on a process with safe security flags.

[Speaker Info]
==========
Ivan Fratric is a security researcher at Google Project Zero, where he currently focuses on browser security, remote attack surfaces in applications and fuzzing. Previously, he worked on the Google Security Team and, before that, at the University of Zagreb where he received his PhD. He has been publishing security research for over a decade and is the author of multiple open-source security tools.


[Abstract]
==========

XMPP is an instant messaging protocol used in messenger apps, online games, industrial and other applications. This talk describes XMPP stanza smuggling, a new way of attacking XMPP client software using subtle quirks in XML parsing. A zero click remote code execution exploit against Zoom client will be demonstrated. This is an updated version of the talk I gave at Black Hat USA on this topic. It will showcase additional bugs and techniques, including how the attack on Zoom and others could be performed even without the victim accepting the attacker's contact request.

[Speaker Info]
==========
Linus Henze is founder and CEO of Pinauten GmbH, a German company specialized in the security of iOS and macOS. In their spare time, Linus is also the developer of Fugu (iOS 13 checkm8 based jailbreak), Fugu14 (iOS 14 untethered jailbreak - the first publicly available untethered jailbreak since iOS 9) and Fugu15 (iOS 15 permasigned jailbreak), as well as other stuff.


[Abstract]
==========

With the introduction of new mitigations in iOS 15 (and especially 15.2), creating a jailbreak became significantly more difficult. Before, a kernel vulnerability was enough for jailbreaking but now a PAC or PPL bypass is required as well.
In my talk I will explain the inner workings of Fugu15 and especially how the kernel exploit, PAC and PPL bypass work in detail. Additionally, I will also describe some of the new mitigations introduced in iOS 15.2, how they affect jailbreaking and what Fugu15 does to bypass them.

[Speaker Info]
==========
Man Yue Mo works at GitHub Security Lab. He specializes in Chrome and Android security and had discovered and written exploits for a number of vulnerabilities in these platforms.


[Abstract]
==========
While object allocations in the V8 heap generally follows a straightforward linear pattern, making it easy to calculate offsets between objects, it is however, non trivial to obtain addresses of objects or controlled data without a sufficiently powerful bug, such as an out-of-bounds access in V8, or a separate info leak bug. This can make exploiting memory corruption bugs in blink and third party libraries, such as ANGLE and SQLite, much more difficult. While in the post spectre/meltdown world, the entire address space within the renderer process is, in principle, readable from malicious Javascript [1] and there are also other techniques, such as those detailed in this ticket [2], that can be used, object addresses can in fact be found in a much simpler way.
In this talk I'll examine some details of the V8 heap initialization and the randomness that is involved, showing just how easy it can be to predict addresses of objects in V8.

1. https://v8.dev/blog/spectre#site-isolation
2. https://bugs.chromium.org/p/chromium/issues/detail?id=1144662

[Speaker Info]
==========
Manfred Paul(@_manfp) is a freelance vulnerability researcher, focusing on kernel and browser bugs. He has successfully participated in Pwn2Own Vancouver 2020, 2021 and 2022 and has found critical vulnerabilities affecting all major browsers.


[Abstract]
==========
JavaScript JIT compilers are still a major focus of web browser exploitation. Research often focuses on stages of the compiler pipeline with a direct security impact, like bounds-check elimination and the closely related value range analysis. However, correctness of these optimizations can equally be affected by bugs in later, seemingly unrelated stages: If an expression is wrongly evaluated, the incorrect result might not match the computed value-range type, even if the type itself was assigned correctly. These "time-traveling" vulnerabilities - where a bug in a later stage is used to break assumptions of an earlier one - can however be somewhat tricky to exploit. In this talk I will show some recent examples of such misevaluation bugs, focusing on what is necessary to get from wrong result to memory corruption, and ultimately code execution.

[Speaker Info]
==========
Matt Suiche is the Director for Memory & Incident Response R&D at Magnet Forensics, which he joined through the acquisition of Comae Technologies, an incident response start-up he founded. Matt is also the co-founder of application virtualization start-up CloudVolumes which was acquired by VMware in 2014.

Matt frequently appears as a technology subject matter expert on TV in Bloomberg, Associated Press, and digital media like Cyberscoop, Haaretz, WIRED, WashingtonPost, Motherboard, Techcrunch, The New York Times. Additionally, Matt is a review board member for various cybersecurity conferences, including Microsoft BlueHat Israel and BlackHat USA/Europe.


[Abstract]
==========

Rust 🦀 is the most loved language by Stack Overflow Developer Survey for 7 years in a row, and its adoption rate by developers keeps growing. Rust is probably one of the most important programming languages of our generation due to its versatility and adoption from open-source firmwares, kernel drivers to web services.
I will share my experience as a software engineer who switched from C/C++ to Rust for product development including the benefits and limitations as a software engineer - but I will also share my thoughts as a security researcher on existing, and potential future security issues that may be encountered.

[Speaker Info]
==========
Mickey Jin (@patch1t) works for Trend Micro as a security researcher with strong interests on malware analysis, threat campaign research and vulnerability research.
He has quite a lot of public reports for threat campaigns and vulnerabilities published in Trend Micro Research site.
He previously discovered the 0-days used by Mac Malware XCSSET and has been publicly credited for 80+ CVEs for his research on macOS/iOS and other platforms.


[Abstract]
==========
MacOS Rootless, aka SIP (System Integrity Protection), is an essential security feature and the last line to protect the entire system from malware.
However, after I dived deep into the PackageKit framework, I found many new attack surfaces and disclosed 15+ critical logic vulnerabilities. They can be easily exploited to bypass SIP and compromise the system completely.

Apple had already addressed 13 of them as CVE-2022-22646, CVE-2022-22583, CVE-2022-26688, CVE-2022-22676, CVE-2022-22617, CVE-2022-26690, CVE-2022-26712, CVE-2022-26727, CVE-2022-32794, CVE-2022-32826, CVE-2022-32786, CVE-2022-32800 and CVE-2022-32900.

In this talk, I will share the details for half of them. I will talk about their root causes, how I exploited them, and how Apple addressed them. Finally, of course, I will also demonstrate the exploitations.

[Speaker Info]
==========
Mohamed Ghannam is a security researcher who enjoys discovering and exploiting vulnerabilities. His primary interests are mobile kernels and messaging apps, with an emphasis on iOS for the time being.


[Abstract]
==========

Machine learning is a popular topic that is constantly evolving and affecting the world around us. Apple is taking part in this evolution by providing a variety of technologies adopted for both newcomers who wish to start in machine learning and for professionals who want to migrate their work onto Apple’s devices. Due to the complexity of this subsystem, I decided to take a deep look into the ANE to understand its undocumented implementation and to audit its (huge) attack surface. As a result, +15 exploitable vulnerabilities (both in user-space and kernel) were discovered and reported to Apple.

In this talk, I’ll briefly walk through Apple’s Neural Engine architecture and how it works, followed by various interesting vulnerabilities I uncovered while reverse engineering ANE components. Then I’ll demonstrate how I chained some of those findings to achieve arbitrary kernel r/w on modern Apple devices. I’ll also talk about the exploitation techniques involved, including some recent iOS 15 changes that make exploiting memory corruption bugs harder.

[Speaker Info]
==========
Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) is a security researcher at STARLabs, focusing on Virtual machine/Mobile/IoT bug hunting and exploitation. I participated in Pwn2Own Tokyo 2020 and Pwn2wn Austin 2021 in Router, NAS and Mobile phone category, and Pwn2Own Vancouver 2022 in the Virtual Machine category


[Abstract]
==========

Netatalk is a freely-available Open Source AFP fileserver. It is used widely in routers and NAS devices. A UNIX, Linux or BSD system running Netatalk is capable of serving many Macintosh clients simultaneously as an AppleShare file server (AFP).

In Pwn2Own Austin last year, I found many bugs in Netatalk and used them to hack 3 different NAS devices successfully. Moreover, I discovered that Samba also had the same bug pattern as Netatalk.

This attack surface has its unique impact for a reason and we hope this brings a new paradigm to vulnerability research and inspires other security researchers. This talk tries to change this a bit by describing the attack surface and the inner workings. We will give a detailed walkthrough of the different exploits included. We will also discuss the bugs in detail and share our exploitation method.

[Speaker Info]
==========
I'm a proud hacker from web2 who jumped into the web3 world recently. Now it's time to share my anecdotes from the crypto world with my friends in the traditional security community!


[Abstract]
==========
Security is the most serious topic in financial systems, especially in the decentralized and anonymous crypto world. Anything in the crypto world is INSANE! We have seen so many criminals hacking the blockchains gaining astronomical profit. Many of the rekt DeFi protocols are related to bridges​, the common infrastructures that allow people to transfer digital assets between blockchains.
In this talk, I will share a few novel vulnerabilities and exploits of the Rainbow Bridge, the official bridge connecting Ethereum, Aurora and NEAR protocol. I reported one of the critical bugs, protected more than $200M funds from hacking and won the $6M bug bounty program.

[Speaker Info]
==========
Qian Chen (@cq674350529) is a senior security engineer from Codesafe Team of Legendsec at QI-ANXIN Group, and mainly focus on the IoT and protocol security. He has found various vulnerabilities on devices from Cisco, Synology, MikroTik, Ubiquiti and so on. He was a speaker of POC and HITB.


[Abstract]
==========
MikroTik RouterOS is a stand-alone operating system based on Linux, mainly for MikroTik manufactured routers. Thanks to its rich features, easy to use interface, and affordable price, Mikrotik router has been widely used around the world. Every coin has two sides. Because of its significant role in the network and wide usage, Mikrotik router has been a valuable target in the past few years.

RouterOS, which powers the devices, will pose a severe impact if been exploited. However, hunting bugs in RouterOS is not easy. RouterOS is designed in a modular fashion, andre-implement many low-level stuff. It provides a proprietary interprocess communication(IPC) mechanism for individual processes to communicate with each other, and introduces a custom "Nova Message" for data exchange. Hence, digging into its dense, hand-rolled C++ binaries filled with custom library calls is a daunting task. Gratefully, there are some awesome research against MikroTik RouterOS.
Inspired by them, in this talk, we will focus on the interprocess communication(IPC) mechanism, and show our attempts to test its robustness with a simple "fuzzer", which resulted in nearly 60 bugs. We will show our way to find the recently disclosed FoisHandler vulnerability, and depict another new vulnerability to achieve jailbreak on the latest stable 7.4 version.

[Speaker Info]
==========
Sergey Toshin, also known as @bagipro, is the #1 hacker on the Google Play Security Rewards program. He earned his first million dollars at 23 years by hacking Android apps. He created Android and iOS vulnerability scanners to automatically detect vulnerabilities in mobile apps. Then he founded a mobile security company Oversecured and is now its CEO.


[Abstract]
==========

We all know that there are many Android vendors like Google, Samsung, Xiaomi, and many others. When we pick an Android device, we often look at hardware characteristics like battery life, camera, or screen size. However, internally, their underlying Androids are very different!

We passed the whole summer finding differences in Google-d and Samsung-ed Androids, including system managers, services (system AIDLs), and how they are used by the Framework and system apps. As a result, Samsung already filed over a hundred CVEs.

In this presentation, Sergey will tell about the differences between Androids of Google and Samsung and some interesting vulnerabilities Oversecured discovered.

[Speaker Info]
==========
Shaked Reiner (@shakreiner) is a principal security researcher at CyberArk Labs focused on vulnerability research, OS security, and decentralized technologies. In his free time, Shaked likes to reverse engineer random pieces of software, solve CTF challenges and make cocktails.

[Abstract]
==========

The promise of Decentralized Identity (or DID) is to set us free from corporations owning our digital identity (be it Google, Apple, etc.) by distributing it to a blockchain. In this talk, we'll learn the fascinating technology behind DID and see how we were able to completely own one of the most popular DID networks currently active by uncovering a critical CVSS 10 vulnerability in it.

[Speaker Info]
==========
Dr. Shinjo Park is a telecommunication security solution designer at GSMK mbH. Before joining GSMK in 2022, he finished his doctoral studies in TU Berlin. His research work includes RAN security in offensive and defensive perspects, fake base stations, security analysis of cellular and IoT products ranging from consumer products to very specific telco equipments. Outside of his usual areas, he is interested in making software localized in Korean.

Dr. Altaf Shaik is currently a senior researcher at the Technical University of Berlin in Germany. He conducts research in telecommunications, esp., 6G, 5G radio access and core network security. He combines a professional background in programming, wireless communications and offensive network security. His renowned research exposed several vulnerabilities in the commercial 4G and 5G specifications and commercial networks that allow attackers to perform powerful attacks affecting millions of base stations, handsets, M2M and NB-IoT devices. Altaf is a frequent speaker at various prestigious international security conferences such as Black Hat USA & Europe, T2, SECT, Nullcon, Hardware.io and HITB and many others. His accomplishments landed him in the hall of fame of Google, Qualcomm, Huawei and GSMA. He also trains various companies and organizations in exploit development, and also building secure mobile n


[Abstract]
==========

As the 5G mobile technology slowly proliferates all over the world, the operational nature of mobile networks migrates from traditionally closed to newly open interfaces. This upgrade comes with a raft of potential security exposures. The new interfaces that operators have set up to manage the most awaited totally connected society are riddled with security vulnerabilities.
This talk exposes the critical security risks of these new interfaces that enable industries to integrate their infrastructure with the latest mobile networks over standardized REST APIs. A massive new population of 5G-capable devices, from smart-city sensors to agriculture robots and beyond, are already part of this integration which can be compromised and hijacked just through a simple API access.
Our security investigations on hundreds of such APIs from 10 commercial service providers allow a remote attacker to execute arbitrary code inside the network and take over the underlying IoT infrastructure.
We also demonstrate the powerful abilities of a future 5G attacker capable of extracting sensitive SIM information and sending malicious payloads to arbitrary devices on the network. We help to build the security considerations for the design and deployment of APIs in 5G networks.

[Speaker Info]
==========
Temel is a penetration tester, vulnerability researcher and ICS/SCADA security expert currently working for Ernst and Young Turkiye. His expertise comes from his personal interests and he utilizes these in professional area. Special interests of his includes smart contract security as well. He also provides training in aforementioned feilds.



[Abstract]
==========

In my research, besides the use of a new technique as compressed file(hpi,deb,jar etc.) manipulation in the field of remote code execution; this includes implementing this on jira,jenkins,openmediavault and publishing this 0day at the time of presentation. In most web applications, uploading harmful files is allowed with the precautions taken in the file upload section. One of these protection methods is file hash,extension,head,type etc control mechanisms. However, in this presentation, you will see how we can add a file to the system that we can run the code remotely with compressed file manipulation, how we can become an authorized user in the system, and how to increase the privileges of the seized application user on a popular applications. You will be able to see both a new method and 0Day in the presentation.

[Speaker Info]
==========
Xuefeng Li (@lxf02942370) is a security researcher at Sangfor. He has focused on Windows vulnerability hunting and exploitation for almost. ranked #10, #22, #23 on the MSRC Most Valuable Security Researcher list in 2020, 2021 and 2022
Dr. Zhiniang Peng (@edwardzpeng) is the Principal Security Researcher & Chief Architect at Sangfor. His current research areas include applied cryptography, software security and threat hunting. He has more than 10 years of experience in both offensive and defensive security and published many research in both academia and industry.

[Abstract]
==========
Windows Error Reporting (WER) provides the functionality for users to collect application faults, kernel faults and other application specific errors. Developers can use this infrastructure to receive information that can be used to improve their applications on Windows. Several years ago, a in-the-wild exploit (CVE-2019-0863) of WER made the security community start to do research on the internal of WER, and then many Logical bugs of WER have been discovered by security researchers in the recents years. Almost all of these bugs are related with the Path Redirection Attack. Attackers can abuse the junction to read/write/delete privileged filesystems then get EOP in the victim's system. To mitigate the Path Redirection Attack, Microsoft provides a Junctions Mitigation Policy to block these kinds of attacks. Nowadays, many windows services have enabled this mitigation policy which means Such kinds of bugs have become less and less. However, this does not mean that there are no other types of bugs in WER. After digging into the internal implementation of WER, we found a more subtle logical bug that has existed for many years.
In this talk, We will introduce the basic infrastructure of WER, The history of its bugs, the new bug we found and our exploitation.

[Speaker Info]
==========
Zhanglin He is a Principal Researcher in Palo Alto Networks, focuses on Web security, sandboxing, and cloud security. Speaker in KCON.

Royce Lu is a Distinguished research engineer in Palo Alto Networks, focuses on kernel security, system vulnerability, machine learning, and cloud security. Speaker in BlackHat, Virus Bulletin, and KCON. (twitter @RoyceLu)


[Abstract]
==========

Pattern-based malware detection has been prevailing in the security industry for years. The traditional workflow usually takes a lot of time to collect and analyze new samples.
How to automatically cluster samples?
How to automatically evaluate the quality and value of each cluster?
How to automatically verify the quality of patterns extracted from one cluster?
These are common problems researchers are dealing with on hundreds of thousands of samples every day.

In this topic, we propose a new system, DiDe, to address all of these problems. By consuming streaming data from VirusTotal, this system can cluster samples with high quality at scale. After a signature is generated, DiDe keeps monitoring its performance, by comparing the detections of the signature and the cluster the signature is generated from, it can keep evaluating and updating the quality of the signature. In addition, this topic also discusses the different ways of sample clustering and why we chose label aggregation.

[Speaker Info]
==========
Zhenpeng Pan(@Peterpan0927) is a security researcher at STARLabs, focusing on iOS/macOS bug hunting and exploitation. He used to work in Alibaba Security Pandora Lab and Qihoo 360 Nirvan Team. He was a speaker of Zer0Con2021.


[Abstract]
==========
As more and more mitigations have been introduced into Apple devices, many bugs in XNU Kernel, which is well known for the UAF and Type Confusion bugs, become unexploitable. So the drivers will be a much more valuable target than before.

After checking a lot of pocs in driver, an idea of building a Hybrid Fuzzer to combine code audit and fuzzing together suddenly came to my mind. This talk will first introduce the newly added mitigations, and then cut into the idea and detail of two tiers hybrid fuzzing. The first tier will do the lightweight fuzzing to collect all reachable services in the system and generate a plist for second tier to do enhanced fuzzing based on code audit. Several bugs had been found in this way, such as CVE-2021-30923/CVE-2022-22661/CVE-2022-32814 and over 15+ DOS bugs, and there are also other critical bugs on the way to fix for iOS 16.x/macOS 13.x.

In this talk, I will also cover in details about some unpublic bug found by the fuzzer and the future plan of it. Then I will also share how to use one of them 100% stable leaking the kernel slide on macOS 13, regardless of the powerful random mitigations. This is also an interesting infoleak attack surface that had not been talked about before.

[Speaker Info]
==========



[Abstract]
==========