Presentations – IT-DEFENSE 2017
The Future Has Arrived and it’s Effin’ Hilarious! - Adam Laurie
Everything must be connected right now! Go! Do it! It’ll be great…
Then I’ll be able to order my Iced Half Caff Ristretto Venti 4-Pump Sugar Free Cinnamon Dolce Soy Skinny Latte so I can pick it up on the way to work as I cycle past the coffee shop without breaking a sweat… Marvelous!
Wait, did I say “I’ll be able to order”? Sorry, what I meant was: “My bicycle will be able to order”, because, obviously, my bicycle saddle is connected to my home WiFi, so when it detects my bum hitting its surface, it will immediately notify my Home Automation system to take a picture of the pinboard in the kitchen, which has an e-paper display showing a QR code of exactly what’s today’s flavor of the month, which will be decoded and sent to the central Node.js system, which will…. Oh, f*ck it. I’ll just have a nice cup of tea instead.
In this talk, we will discuss the fact that although time (mostly) moves in a linear direction, security doesn’t. In fact, it has an alarming tendency to go backwards, sideways, and, very often, around and around in circles.
In our work at Aperture Labs, we spend our lives pulling embedded systems apart, only to find the same old issues hiding amongst the silicon and bits and bytes. There was a time when this didn’t matter too much… Yes, we could bypass some copy protection code and load a pirated game, or we could hop over an authentication routine and p0wn your router… Of course, that is BAD with a capital B, but nobody died. Cities didn’t go dark. Planes didn’t fall out of the sky…
So what happens when we take all our tech and connect it up to everything around it, including our fridges, freezers, TVs, thermostats and anything else we can think of? And then we connect that to the Internet. And then, just for the hell of it, why not pass some laws that say we should connect our electricity, gas and water meters up as well? Sounds like a plan?
Did I say hilarious?
I think I meant something else…
Cache-Side-Channel attacks – CPU design as a security problem – Anders Fogh
Introduction
In a casual conversation with Thomas “Halvar Flake” Dullien, I suggested that performance counters could be used as a software mitigation for the row hammer exploit he and Mark Seaborn had developed. Thomas encouraged me to research it, and it became the first software solution for row hammer. I presented this research with Nishat Herath during Black Hat 2015. While researching row hammer, I noticed that the methodology I was developing could be important in mitigating cache-side channel attacks, and this led me into an almost yearlong project researching these attacks. This talk will introduce cache-side-channel attacks and present some of the results I’ve obtained during the last year.
What are cache-side-channel attacks?
Typically, hackers focus on software bugs to find vulnerabilities in the trust model of computers. In this talk, however, we’ll focus on how the micro-architectural design of modern computers enables an attacker to breach trust boundaries. Specifically, we’ll focus on how the cache subsystem of modern x86 computers can be abused to gain access to private data. Cache-side-channel attacks have been around for years but have had a renaissance due to the emergence of a large, shared 3rd-level cache and gained relevance through the introduction of cloud computing. There are many side channels possible in modern computers; however, the cache is most likely the most important due to its central position in the computer. Given that cache-side-channel attacks are enabled by the CPU design, software defenses become notoriously difficult, and yet at the same time in many cases they become the only viable solution.
Why are cache-side-channel attacks relevant?
Cache-side-channel attacks are relevant when an attacker already has access to the same hardware as the victim but is stopped by local restrictions such as user privileges, virtual machines or sandboxes. At first this seems restrictive, but modern computing is full of examples of such scenarios. Cloud computing based on virtual machines is the classic example, and cache-side-channel attacks easily reach across otherwise iron-clad boundaries between virtual machines. Thin clients, JavaScript running locally on web pages or multi-user systems are other common examples. Despite modern cache-side-channel attacks being relatively new, many important attacks have already been demonstrated:
- Exfiltration of RSA 2048 private keys from co-located VM hosted in the Amazon cloud
- AES key extraction
- ECDSA key extraction
- Spying on keyboard input
- Spying on mouse cursor
- Breaking KASLR (Kernel Address Space Layout Randomization)
How does cache-side-channel work?
Almost every memory read is placed into the cache. This effectively means the cache becomes a mirror image of current memory activity on the computer. The micro architecture of the x86 (and many other CPUs) feature three traits that enables an attacker to use the cache to gain information on a victim:
- The cache is shared between all code running on a computer
- The cache state can be manipulated by the attacker
- The attacker can query the state of the cache
The attacker can manipulate the cache through a number of means. The most common methods are either accessing memory systematically to fill the cache with attacker data – called priming – or using the unprivileged clflush instruction to flush the cache. Once the attacker has manipulated the cache so he knows which memory is in the cache and which isn’t, he waits for victim memory activity. By measuring the latency of subsequent memory operation, he can tell if his memory was served from the cache or from physical memory as the cache is significantly faster. Thus the attacker is able to map victim memory activity. While this cannot be used to read victim memory directly, memory access pattern very often gives away information on private data. For instance, different code paths are taken depending on the private key in some RSA implementations, and thus it’s possible to deduct individual bits from an RSA key from memory access patterns.
Detecting cache-side-channel attacks
x86 CPUs feature a vast number of performance counters that allow a supervisor or hypervisor a deep view into what is going on in the micro architecture of the processor. Performance counters were originally meant as an assistance to developers for optimizing software. Increasingly, they’ve been used to optimize the processor by Intel and by now allow deep introspection into the inner workings of the processor and the cache sub system. My research shows that cache usage patterns can be quantified using performance counters. Furthermore, these usage patterns show abnormalities when an attacker uses the cache to extract information from a victim. Thus using performance counters, we are able to detect and deflect cache-side-channel attacks in real time. It is interesting to note here that the row hammer memory bug found by Mark Seaborn can be detected by the same method since row hammer needs to bypass the cache to access physical memory in order to exploit the bug and thus also causes abnormal cache usage patterns. The method has been shown to have very little performance overhead. Also the method shines with very few false negatives or false positives, making it a viable solution for a defense against cache-side-channel attacks in the real world.
Stealth-side-channel attacks
However, this detection method led to an evolution in cache-side-channel attacks and a new method to bypass the above-mentioned detection method was discussed in a recent paper by Daniel Gruss, Clémentine Maurice & Klaus Wagner, on which I served as a reviewer. The method cleverly works around generating the cache patterns used to detect non-stealth cache attacks by using another micro-architectural information leak in the cache sub system.
Detecting stealth-side-channel attacks
To detect these new side channel attacks, a different approach has to be applied. My research shows that we can detect this new attack due to the fact that it has a distinctive code layout that is unlikely to be seen in benign code and that can be detected by carefully automated run time analysis of the code running. Instead of just relying on performance counters, this detection adds additional information gained from monitoring access to exact timers required for stealth-side-channel attacks.
International terrorism – how big is the threat to Germany actually? – Jörg Ziercke
The following questions will be examined:
- Is there a command center of international terrorism?
- Would a victory over the IS change the threat situation for Germany?
- Has terrorism only arrived in our country with the attacks of Paris and Brussels?
- What role does the refugee debate in Germany play from the perspective of the IS strategy?
- What are the security concerns associated with the entry of approx. 300,000 unidentified refugees?
- Why has there been no large terrorist attack in Germany yet, such as in Spain, England, France or Belgium?
- Looking behind the scenes: How is Germany positioned regarding the fight against terrorism? How strong is our security architecture?
- What role do „resonance crimes“ from the right-wing extremist and left-wing extremist spectrum play for the security in Germany?
- How large are the Islamist spectrum and the potential threat in Germany?
- What role does organized crime play in the fight against terrorism?
- Are we facing a new threat posed by the so-called cyberterrorism?
How to Build Hardware Trojans – Christof Paar
Countless systems ranging from consumer electronics to military equipment are dependent on integrated circuits (ICs). By definition, the Internet of Things and cyber-physical systems are formed by smart devices. A surprisingly large number of such systems are already security-critical, e.g. medical devices, automotive electronics, or SCADA systems. If the underlying ICs in an application are maliciously manipulated through hardware Trojans, the security of the entire system can be compromised.
In recent years, hardware Trojans have drawn the attention of governments and the scientific community. Initially, the primary attacker model was a malicious foundry that could alter the design, i.e. introduce hardware Trojans that could interfere with the (security-sensitive) functionality of a chip. Many other attacker models exist, too. For instance, a legitimate IC manufacturer, e.g. a consumer electronics company abroad, might be in cohorts with a foreign intelligence agency to alter its products in a way that compromises their security.
Even though hardware Trojans have been studied over the past 10 years or so, little is known about how they might look, especially those that are particularly designed to avoid detection.
In this talk, we introduce several approaches with which a sophisticated attacker could insert Trojans into hardware platforms. We will look at both ASICs (application-specific integrated circuits) and FPGAs (i.e. programmable hardware).
The Jalapeño Strategy:
Assert yourself to do good
For you, your company and society! – Prof. Dr. Jens Weidner
a. The personality profile of successful people: 80% do-gooder – 20% devil!
b. The general principle of assertive people: an evil action a day keeps the psychiatrist away.
c. How much natural, positive aggression do you have?
d. How much drive do you need to be successful and when do you cross the line?
Hidden Voice Commands – Tavish Vaidya
Voice interfaces are becoming more ubiquitous and are now the primary input method for many devices, driven in part by their ease of use and in part by the decrease in the size of modern devices like wearable devices that make physical interaction difficult. Many devices have adopted an always-on model, in which they continuously listen for possible voice input.
While voice interfaces allow for increased accessibility and potentially easier human-computer interaction, they are at the same time susceptible to attacks, voice being a broadcast channel open to any attacker that is able to create sound within the vicinity of a device. This opens up an opportunity for attackers to try to issue unauthorized voice commands to these devices.
This talk will focus on how the voice channel can be attacked with "hidden voice commands" that are unintelligible to human listeners but are interpreted as valid commands by devices. We will also discuss various defenses against the attack.
The Smart Fuzzer Revolution – Dan Guido
The last two years have seen greater advances in automated security testing than the 10 before it. afl incorporated known best practices into an easy-to-use tool, the DARPA Cyber Grand Challenge provided a reliable competitive benchmark and funding for new research, and Project Springfield (aka SAGE) is now available to the public. These new technologies have the potential for massive impact on our industry.
How do these tools work and what does them set apart from past approaches? Where do they excel and where are their limitations? Is it possible to use them today? How will these technologies advance and what further development is needed? How much longer do humans have as part of the secure development lifecycle? I will discuss answers to these questions and more in the “The Smart Fuzzer Revolution”.
Strategies on securing your banks & enterprises (from someone who robs banks & enterprises) – Jayson E. Street
Most people who work on the defensive side of computer security only see the landscape from that perspective! In this talk, Jayson will show how an attacker views your website & employees and then uses them against you. We'll start with how a successful spear phish is created. By using the information gathered from the companies’ own 'About' pages as well as scouring social media sites for useful information to exploit employees. The majority of the talk will be covering successful countermeasures to help stave off or detect attacks. This discussion will draw on the speaker’s 15 years’ experience of working in the US banking industry on the side of defense. At the same time, Jayson will be drawing on over 6 years of doing engagements where he took on the role of the attacker. If everything turns out well, everyone will have learned something new that they can immediately take back to their networks and better prepare them against attacks!
Why Windows OS Gets Hacked - Sami Laiho
Sami Laiho, one of the world's leading operating systems security specialists, will demonstrate the operating system structures that actually allow attacks to succeed. In this session, you won't hear "how" mimikatz is able to steal your credentials but "why". This session focuses on concepts that people don't understand, leaving their environments vulnerable, and how to fix these issues. This is a fast-paced, demo-heavy bombardment against the Windows OS you don't want to miss!
Exploit Kits - What Happens When Kits Disappear – Nick Biasini
What happens when the biggest players in a market just get up and quit? That's exactly what has happened to the exploit kit landscape over the last year. Now that Angler, Neutrino, and Nuclear are gone, we're left to pick up the pieces. What's been created is a vacuum with Rig and Sundown jockeying for position, but none have taken the lead. We've observed adversaries changing kits frequently and gates switching from one kit to the next.
Just like any other threat, adversaries are going to evolve and change. Oddly, the kits don't appear to have evolved much, but looks can be deceiving. This talk will discuss the state of exploit kits today. There will also be a section related to how exploit kits will evolve in the future and the impact it may potentially have on the threat landscape overall.
Rearchitecting a defendable internet - Thomas Dullien / Halvar Flake
One fundamental problem with our computing infrastructure is that nobody can truly tell if it is compromised—the technology stacks are not designed for this. Our inability to truly detect and remediate compromise carries all sorts of downstream costs (information asymmetries, bad security products, etc.).
Thomas Dullien explores how our software and hardware stacks could be rearchitected to allow reliable detection of compromise, and he outlines a number of different technologies that are needed for this, including reproducible builds, public ledgers like certificate transparency and hardware with non-updateable checksumming that is user-inspectable.
Surveillance & cryptography - Jaya BalooSpeakers
As the legislation around data privacy erodes, the demand for surveillance from state agencies is increasing. Furthermore, the legitimization of offensive cyber capabilities means that the new world order will be fighting non-sanctioned wars in the digital arena.
It is therefore more important than ever to jealously safeguard our demands for confidentiality and integrity of communications and demand higher standards.
Information on further presentations will be following after it has been released by the speakers.