Here are the talks and workshops our CFP panel have selected for 44CON 2024. The schedule is available now.

Talks

Yelp has been using docker for development and deployment for about a decade, but our development process has always relied heavily on shared development infrastructure which creates a nasty security problem in exchange for faster development: privilege escalation.

Docker (and containerizers inspired by docker) have an architecture that’s built around allowing developers to iterate quickly and have a similar deployment environment to the one they develop in, but that architecture is based entirely on making privileged operations easy by running dockerd and containerd as root, and fundamentally assumes a single-tenant system as evidenced by the lack of authn/z controls or audit logging.

The writing was always on the wall for our growing security team – one day we would have to try to get the toothpaste back in the tube, and in March 2024 we finally switched the toggle to make our containerized development unprivileged at no extra infrastructural cost… Other than the year and a half of blood, sweat and tears to try to thread the needle of securing development without affecting developer velocity, which was only possible through technical know-how, perseverance and timing.

This talk will go into how we did it and the tradeoffs we had to make along the way. Various haircuts in the interminable yak shave included:

  • Setting up unprivileged user namespaces to allow users to continue to act as root with no additional permissions
  • Deduplicating base images now that everyone needs a copy with brand new magical mount features to overcome permission problems
  • Building a solution to tell us which base image layers we can clean up without breaking images and containers
  • Utilizing podman as a drop-in replacement for docker (and then repeatedly backporting patches to its API to actually make it behave like one)
  • Leveraging in-house development patterns to pre-instantiate privileged networking stacks on user log-in using systemd
  • Building an authz system for Docker that users can’t just turn off
  • Adapting over a decade’s worth of accumulated antipatterns, assumptions and vestigial code in disparate codebases

Technical details aside, however, also threading its way through this story is the narrative that “best practices” are not a replacement for deep technical and business understanding, that timing can be everything, and that integrating with your engineering culture is the only way to get the toothpaste back into the tube or, more critically, to not have to.

Matt is a security engineer and tech lead on the newly formed Incident Detection and Response team at Yelp, having worked in site reliability engineering and infrastructural security at the company for over a decade.

He has been poking at the guts of Linux for 20 years, having fallen in with a bad crowd at school and subsequently been given career advice by goths on the internet, most recently focusing on securing containerization and leveraging eBPF for detection and logging.

In his spare time, Matt enjoys reading historical grimoires and insisting that all the best ideas in Linux come from Plan 9.

One of the fundamental blockers to reproducing most research focused on developing machine learning approaches for reverse engineering and vulnerability research is the dependency on proprietary tools such as Binary Ninja or IDA Pro for the data generation. Whilst these tools are proven and very good, the costs can inhibit non-professional, hobbyist or academic use and also make it difficult to independently verify reported results. In response to this, as part of my PhD research, I have developed a tool called bin2ml which leverages radare2 to extract and then process a range of different data types from software binaries to support a wide range of models and approaches, whether that be graph neural networks, language models or tree-based approaches. This proposal seeks to expose this tool to the community as well as provide a follow-on workshop that can give folks hands-on experience with processing data and then training a model for binary function similarity search.

Josh Collyer is a machine learning researcher who has worked at the intersection of machine learning and cyber security for 8+ years. This research has ranged from firmware security to autonomous cyber response and recovery. He is currently pursuing a PhD focused on developing machine learning approaches for reverse engineering and vulnerability research leveraging advanced models such as Transformers and Graph Neural Networks. He is the author of bin2ml, a tool that generates machine-learning-ready data from software binaries, and is passionate about open source software and reproducible research.

In recent years, the use of internet-connected devices has become more prevalent in the healthcare sector, particularly as a means to communicate patient data. Therefore, it is essential that security testing is carried out against these devices to identify misconfigurations that could cause a severe impact, such as the prescription of incorrect drugs.
Modern healthcare protocols such as FHIR (Fast Healthcare Interoperability Resources) use the HTTP protocol to communicate, making security testing relatively straightforward. However, the use of older protocols such as HL7 (Health Level Seven) is more widespread across medical devices in the industry. These protocols are bespoke and difficult to read or intercept using current commercial and open-source security tooling, making testing of these devices challenging and cumbersome.
To address this challenge, I have developed a tool (HL7Magic) to provide security testers with an easier method of intercepting and changing HL7 messages sent to and from medical devices. This tool was created for the purpose of being integrated into Burp Suite as an extension, although it can exist independently.
After talking about how HL7Magic was created, I will give a short demonstration of using the tool for security research purposes or to identify existing CVEs across your estate.

Katie has 7 years’ experience in the security industry, both in consulting and in-house, and currently leads WithSecure’s Attack Surface Management team.

Katie has spoken about topics such as ASM and healthcare security at conferences such as DEFCON, BlueTeam Con and ConINT.

Dancing has been Katie’s hobby for 26 years and she also loves to listen to and play music.

Forensics techniques aim at finding evidence to prove or disprove the guilt of someone being prosecuted. Antiforensics techniques aim at the contrary: building a false landscape to fool the forensics expert and drive the investigating judge to a wrong conclusion. While antiforensics techniques are very difficult in the physical sphere, they are far easier in the digital sphere. Indeed, either a defendant can hide their crime or an attacker can wrongfully incriminate an innocent person. Hence the concept of “digital evidence” must be taken with the greatest care.

This talk aims at showing how digital antiforensics techniques can be used in this context when considering both the intelligence and technical aspects. The talk is illustrated with real but anonymized cases involving metadata, cryptography manipulation (non-trivial deniable cryptography) and data recovery manipulation. A final scenario combines all three techniques in a deadly antiforensics scheme.

Éric Filiol is Head of Discipline for Cyberdefense and senior expert in information and systems security, data security, cyber security and intelligence at Thales Digital Factory, Paris. He is also associate professor at ENSIBS, France and formerly at various engineering schools and universities in the field of information and systems security. In the last three years he has been in charge of risk and threat assessment and security certification (restricted EU, NATO, Export Control level) of a restricted private cloud in the Defense sector. He directed the research and cyber security laboratory of a French engineering school for 12 years. He spent 22 years in the French Army (Infantry/French Marine Corps). He holds an engineering degree in Cryptology, a PhD in Applied Mathematics and Computer Science from Ecole Polytechnique and a Habilitation to Conduct Research (HDR) in Information from the University of Rennes. He holds several NATO certifications in the field of intelligence. He is still deeply involved in R&D (mathematics, programming, code security, information security).

He is editor-in-chief of the research journal Computer Virology and Hacking Techniques, published by Springer. He regularly speaks at international conferences in the field of security (Black Hat, CCC, CanSecWest, PacSec, Hack.lu, Brucon, H2HC, Hacktivity…).

In the previous decade we saw a huge pivot to endpoint-based attacks, which the security industry was initially ill-prepared for. In particular, common intrusion detection approaches of the past had been largely network-sensor focused and were not well suited to dealing with endpoint-focused attacks. This led to the explosion of endpoint-oriented approaches which eventually led to the creation of the entire EDR market.

Fast-forward to the current decade and we are in the midst of a rapid shift towards identity-based attacks and SaaS attack techniques due partly to the increasing difficulty of endpoint attacks and partly to the ever increasing attack surface posed by SaaS usage and spiraling numbers of cloud identities. These attacks rarely touch the endpoint and so security teams are facing a loss of visibility once again.

This talk will cover why the browser is becoming the new frontline battleground in an increasingly identity-attack-based world. We’ll then consider how browser extensions provide defenders with a unique opportunity to gain unparalleled visibility into attacks targeting both users themselves and the cloud identities that they have access to via their own browsers. We’ll also consider why hunting in the browser can be a more advantageous approach with modern web technologies and working practices than network-based tools like the web proxies of yesterday.

Luke Jennings

Luke Jennings is a security researcher from the UK. He spent most of his early career focused on red teaming and offensive security research at MWR, before moving on to developing new detection and response techniques and designing EDR software as the Chief Research Officer for Countercept. He has now pivoted away from the endpoint to focusing on the emerging identity attacks as VP of R&D at Push Security.

Machine Learning/Artificial Intelligence is a hot topic in academia for Binary Code Similarity Analysis or, as the information security industry calls it, Binary Diffing, or bindiffing for short. In this talk I will discuss how an ML-based engine was added to Diaphora: the initial steps, what problems were found, which dataset(s) were used, how they were built and cleaned up, how it works in Diaphora, how it enhanced Diaphora, etc.

Joxean Koret

Joxean Koret has been working for the past 15+ years in many different computing areas. He started working as a database software developer and DBA for a number of different RDBMSs. Afterwards he got interested in reverse engineering and applied this knowledge to the DBs he was working with, for which he has discovered dozens of vulnerabilities in products from the major database vendors, especially in Oracle software. He also worked in other security areas like malware analysis and anti-malware software development for an antivirus company, and developing IDA Pro at Hex-Rays. He is currently working as a security engineer.

Windows is one of the most widely used operating systems in the world, and also one of the most frequently updated. Every month, Microsoft releases patches that fix hundreds of bugs and flaws in Windows binaries. But these patches are often shrouded in mystery, with vague or incomplete descriptions of the vulnerabilities they address. This leaves security researchers and system administrators guessing about the true impact and risk of the patches.

A common technique to reveal the secrets of Patch Tuesday is to perform patch diffing, which compares the binaries before and after the patch to identify the changes. This way, you can peek inside the black box of Patch Tuesday and see what Microsoft really fixed. Patch diffing is a well-known and widely used method, but there is an inherent problem with the process. There is no direct mapping from CVE to binary. Researchers have to search manually for the right binary to diff based on the CVE description and experience. This is a time-consuming and error-prone process. The biggest hurdle to decoding Patch Tuesday is understanding which binary maps to a particular CVE, or at least it used to be.

In this talk, we will show you how we reverse engineered Patch Tuesday. For each Patch Tuesday, we can identify specific changes and disclose which binaries actually have critical updates. By using a combination of publicly available information, some clever data analysis, and a bit of Windows internals knowledge, we have created an algorithm that covers ~70% of all Microsoft CVEs since 2016. We will share with you the insights we used to develop the algorithm, improve it, and provide automated CVE diffing.

We will also show you what you can do with this information. You will learn how to build binary biographies. These “binographies” tell the story of a binary over time and reveal critical security changes for each CVE. With Patch Tuesday Binographies, you will no longer guess about the details of Patch Tuesday, you will just see them.

John McIntosh

John McIntosh (@clearbluejar) is a security researcher at @clearseclabs. He specializes in reverse engineering and offensive security, with expertise in binary analysis, patch diffing, and vulnerability discovery. John has created several open-source security tools for vulnerability research available on his GitHub page. His website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of offensive security experience, John has spoken and taught at prominent security conferences worldwide. He is always eager to share his latest research, learn new things along the way, and collaborate with other security enthusiasts.

In this presentation we will have multiple demos, including demonstration of tooling and exploits against the device to obtain a shell. For fun we will also show a lightshow running on the EV charger demonstrating full control of the device.

Finally, we will conclude with our thoughts on building a robust security architecture for EV charging deployments.

Alex Plaskett (@alexjplaskett) is a security researcher within the Exploit Development Group (EDG) at NCC Group. Alex is a five-time Pwn2Own winner (desktop, mobile, embedded, and automotive) and has over 15 years of experience in vulnerability research and exploitation. Alex has exploited vulnerabilities in a large range of high-profile products across many different areas of security.

Alex is a frequent speaker at security conferences (e.g. OffensiveCon, 44CON, Hexacon, HITB, BlueHat, POC, Troopers etc).

Alex previously led security teams in Fintech, Mobile Security and Security Research, and just generally caused vendors to patch things on a regular basis!

McCaulay Hudson (@_mccaulay) is a Security Researcher in NCC Group’s Exploit Development Group (EDG).

He has previously competed in multiple Pwn2Own competitions and has publicly published work on exploiting embedded devices such as consumer routers and the PlayStation 5 console.

Mobile networks, once hailed as technological marvels, have danced with vulnerabilities that refuse to fade away. From SMS phishing to the silent whispers of IMSI catchers, the haunting symphony includes phone tapping, death by SMS, data leaks over SS7/Diameter interfaces, data fraud, SIM jacking, SIP spoofing. Join me in a captivating talk where we dive into the surreal world of persistent vulnerabilities that still lurk in the shadows of mobile networks, even in the midst of 5G.

Embark on a journey through my research, where I’ve delved into the relevance, wild occurrences, attack success probabilities, impact, and the haunting ease of fixing these old vulnerabilities. Overall, there is a substantial gap between theoretical security frameworks and their practical implementation, particularly in 5G and LTE technologies. A staggering 80% of networks tested across North America, Europe, Asia, and the Middle East exhibit these vulnerabilities. Implementing systematic testing and mitigation measures can address many of these vulnerabilities, fortifying networks against large-scale attacks that could escalate with the interconnection of 5G networks.

This isn’t just a talk; it’s an exploration into the ghostly persistence of mobile network vulnerabilities and a questioning gaze into the future. Will the zero-trust and security-by-design mantras of 5G shield us entirely, or will they birth new specters of vulnerability through private networks, and open RAN? When will the echoes of these old bugs finally fade away?

Altaf Shaik

Dr. Altaf Shaik is an expert in wireless security and currently a senior researcher at the Technische Universität Berlin in Germany, where he conducts advanced research in telecommunications, especially in 6G security architecture, openRAN, and 5G security. He holds more than 11 years of experience in Telecom security and combines a professional background in embedded programming, wireless communications, and offensive network security. Dr. Shaik spent his career as a security engineer and expert at various leading telecommunication companies including Gemalto (currently Thales), Deutsche Telekom (Germany), and Huawei Technologies (Sweden).

His PhD research assisted in improving the 3GPP 4G security standards and also exposed several vulnerabilities in commercial mobile networks affecting millions of base stations, networks, and handsets worldwide. His post-doctoral research exposed vulnerable API designs in the latest 5G networks and slicing vulnerabilities in the 5G security specifications leading to serious attacks.

Dr. Shaik is a frequent speaker at various prestigious international security conferences such as Blackhat USA & Europe, T2, SECT, Nullcon, Hardware.io and HITB, and many others. His accomplishments landed him in the hall of fame of organizations like Google, Qualcomm, Huawei, and GSMA. He is also the founder of Kaitiaki labs and FastIoT, which train various companies and governmental organizations internationally in exploit development and in building secure mobile and IoT networks, including their testing and security assessment.

Working on a different project, we stumbled across some NFS bugs, then realized that the BSD implementations were less than robust, to put it mildly. Digging deeper, more bugs were found (not memory corruption bugs…) and it turned out that pretty much every implementation we could find was vulnerable. These bugs are super trivial to exploit and present pretty much everywhere NFS is (take FreeBSD: everything from the earliest version we managed to install in a VM to the latest is vulnerable).

Signedness are a duo:

  • a beer drinker/brewer/expert and glorious eternal leader of SOG
  • a fat chef who likes vuln hunting, exploitation, coding, beer and food.

This talk explores a newly discovered technique that resulted in bypassing security controls to perform privilege escalation to Global Administrator in Entra ID (Azure AD), as well as some other actions against privileged users.

Part conversation about the research background, part exploration of the foundations that permitted this technique, this talk will walk through the entire path to privilege escalation step-by-step. We’ll also look at how organizations can determine if they were vulnerable to this discovery.

Throughout his 24-year career in the IT field, Eric has sought out and held a diverse range of roles, including technical manager in the public sector, Sr. Premier Field Engineer at Microsoft, and Security and Identity Architect in the Microsoft Partner ecosystem. Currently he is a Senior Security Researcher working as part of the Security Research team at Semperis. Eric is a Microsoft MVP for security, recognized for his expertise in the Microsoft identity ecosystem.

Outside of work, Eric supports the professional community, providing his insights and expertise at conferences, participating on the IDPro Body of Knowledge committee, and blogging about Entra and related cloud security topics.

Workshops

This workshop follows Josh’s talk. It will focus on re-creating the seminal GEMINI model from raw binaries to trained model and will be structured as follows:

  1. Briefly describe GEMINI, the data structure it uses and the features
  2. Briefly describe what a graph neural network is and how they differ from other types of neural networks
  3. Provide attendees with links to download a pre-compiled small dataset of binaries
  4. Walk attendees through building bin2ml using Rust’s cargo
  5. Guide attendees through the data generation process using the commands available
  6. Provide attendees with a skeleton Jupyter notebook with model training code available and train the model
  7. Provide attendees with a skeleton Jupyter notebook to evaluate the model against real N-day vulnerabilities within device firmware taken from a TP-Link router

Main objectives

  1. Provide attendees with hands-on experience with bin2ml and demonstrate how easy it is to use
  2. Inspire machine learning (ML) people who may be skilled in ML but get stuck on, or do not understand, how to transform raw data (in our case, binaries) into ML-ready data, so that they can apply their skills to this area
  3. Lower the barrier to entry for non-ML people who may be interested in ML but need support with preparing the data, getting models training and familiarising themselves with ML as a whole

Requirements

Attendees will need the following:

  • a laptop
  • Docker installed
  • Rust toolchain
  • git
  • about 50GB of space
  • It would also be good to have an x86-64 SRE tool to check the binaries and explore how the binary ends up as an ML input.

Josh Collyer is a machine learning researcher who has worked at the intersection of machine learning and cyber security for 8+ years. This research has ranged from firmware security to autonomous cyber response and recovery. He is currently pursuing a PhD focused on developing machine learning approaches for reverse engineering and vulnerability research leveraging advanced models such as Transformers and Graph Neural Networks. He is the author of bin2ml, a tool that generates machine-learning-ready data from software binaries, and is passionate about open source software and reproducible research.

During the workshop, participants will delve into the intricacies of .NET reverse engineering and gain a comprehensive understanding of the techniques involved. Starting with an overview of the .NET framework, the workshop will gradually progress towards advanced topics such as deserialization, bypassing mitigations, and a lot more, empowering attendees with the necessary skills to identify and exploit vulnerabilities.

Workshop requirements

Meet Sina Kheirkhah, widely recognized as @SinSinology in the cybersecurity community. Sina is a dedicated full-time vulnerability researcher with a passion for breaking into various systems. From cracking server-side enterprise solutions to targeting hardware and delving into reverse engineering, Sina’s expertise covers a wide spectrum. He specializes in low-level exploitation, attacking .NET/Java stacks, bypassing security measures, and chaining bugs seamlessly. Notably, Sina has competed in Pwn2Own for three consecutive years, demonstrating his dedication to the field.

A workshop on using Diaphora for scenarios beyond patch diffing: writing scripts for Diaphora, automating common tasks such as adding new heuristics, consuming Diaphora-generated databases from your own tools, etc.

Prerequisite

A valid IDA 8.X license.

Joxean Koret has been working for the past 15+ years in many different computing areas. He started working as a database software developer and DBA for a number of different RDBMSs. Afterwards he got interested in reverse engineering and applied this knowledge to the DBs he was working with, for which he has discovered dozens of vulnerabilities in products from the major database vendors, especially in Oracle software. He also worked in other security areas like malware analysis and anti-malware software development for an antivirus company, and developing IDA Pro at Hex-Rays. He is currently working as a security engineer.

Join us for “Everyday Ghidra,” a comprehensive workshop designed to equip participants with the skills to tackle “everyday” reverse engineering challenges using the Ghidra Software Reverse Engineering Framework. This immersive experience will guide attendees through static and dynamic analysis techniques to reverse engineer modern Windows binaries. This workshop will highlight Ghidra’s debugger with its unique ability to treat all binaries as if they included source code.

The workshop is structured into three distinct sessions, each focusing on key aspects of RE.

  • Session 1: Static Analysis Workflow
    Learn a practical workflow using Ghidra for analyzing Windows binaries, set clear RE goals, and tackle reversing Windows RPC servers through hands-on exercises.
  • Session 2: Dynamic Debugging Techniques
    Gain insights into the Ghidra debugger and dynamic application debugging techniques. Engage in practical exercises to debug a Windows RPC service, step through decompiled code, and reverse engineer RPC calls.
  • Session 3: PetitPotam Case Study
    Dive into the PetitPotam NTLM authentication bypass case study. Explore NTLM relay attacks, analyze the PetitPotam exploit using NtObjectManager, and apply your skills in building and debugging an RPC client with NtObjectManager to trigger the exploit.

Participants will gain a thorough understanding of reverse engineering Windows binaries and a practical Ghidra workflow. They will appreciate how decompilation can enable powerful analysis typically exclusive to developers with source access and learn to apply these techniques to real-world targets.

John McIntosh

John McIntosh (@clearbluejar) is a security researcher at @clearseclabs. He specializes in reverse engineering and offensive security, with expertise in binary analysis, patch diffing, and vulnerability discovery. John has created several open-source security tools for vulnerability research available on his GitHub page. His website, https://clearbluejar.github.io/, features detailed write-ups on reversing recent CVEs and building RE tooling with Ghidra. With over a decade of offensive security experience, John has spoken and taught at prominent security conferences worldwide. He is always eager to share his latest research, learn new things along the way, and collaborate with other security enthusiasts.

Over the years we have developed and customized tools to suit our needs for finding and exploiting vulnerabilities. In this workshop we will, for the first time, release the tools used to find and exploit the NFS vulnerabilities that we discovered in 15+ operating systems, including all versions of FreeBSD, NetBSD and OpenBSD that we managed to install in a virtual machine.

This includes a userland implementation of the NFSv3 protocol in a single, easy-to-move-around static binary for exploiting all the vulnerabilities and exploring NFS servers in general. It supports 99.5% of the NFSv3 spec and comes with an interactive shell to upload, download and even hexdump and patch files at given offsets. Not to mention that IP spoofing is integrated to simplify access to those shares only meant for certain hosts.

The NFS project was a detour from our regular hunt for memory corruption bugs using (among others) a tool that has served us well for over a decade: our network protocol fuzzer. The second-generation network protocol fuzzer operates on single packets at the mbuf layer in a FreeBSD kernel with an easy-to-use configuration file. It consists of a set of kernel modules and is mostly configured to operate on a transparent bridge, making it really quick to get dumb fuzzing up and running. The third generation is currently under development.

Prerequisites

Bring a laptop capable of running VirtualBox and perhaps client/server VMs running protocols that you want to fuzz, and we will provide a USB stick with tools and virtual machines as well as hands-on exercises to trigger real world remote kernel krasches …

Signedness are a duo:

  • a beer drinker/brewer/expert and glorious eternal leader of SOG
  • a fat chef who likes vuln hunting, exploitation, coding, beer and food.

In the digital age, the Internet of Things (IoT) has become a ubiquitous presence, promising enhanced connectivity and convenience. However, my workshop delves into the stark reality that the security of IoT devices has not significantly advanced over the past 18 years. Despite the proliferation of smart devices, the foundational security measures remain alarmingly static, leaving a landscape rife with vulnerabilities. I will argue that this stagnation is not due to a lack of technology or solutions but is rooted in the persistent failure of manufacturers to prioritize and implement robust security measures. This workshop will examine the persistent challenges and shortcomings in IoT security. It will argue that without a fundamental shift in the approach to IoT security, where security is an integral part of the design and not an afterthought.

Through demonstration, this workshop aims to ignite a discourse on the necessity for a paradigm shift in the approach to IoT security, advocating for a future where security is not an afterthought but a cornerstone of technological innovation and development. My workshop will demonstrate the same security failures on two devices 18 years apart, both from the same manufacturer, and the speed with which they can be leveraged.

Pre-requirements

  • A NIC (network interface card) with the facility to connect via ethernet cable – so you can connect to the network
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before the workshop.
  • A copy of a penetration testing distro, e.g. Kali Linux (virtualised might be best, e.g. in VirtualBox).
  • A copy of routersploit installed.
  • Burp Suite/ZAP installed.

Alex Teague PCSP CTL is an assessor and instructor at the Cyber Scheme, where he focuses on assessing CSTM Exams and delivering the CSIP IoT & ICS hacking course.

Prior to joining the Cyber Scheme, Alex had several roles in both the public and private sector that focused on operational technologies, with a particular focus on automotive applications. During these roles he gained considerable knowledge in reversing and exploit development, which allowed him to review the security posture of these environments.

Have you ever felt like you’re losing a fight against WinDbg? We have, many times. So to end this, we developed our own weapons to fight back, and we eventually tamed the native Windows debugger.

This workshop aims to share the tips and tricks we wish we knew when we started reverse engineering, to help you to navigate WinDbg. We will cover the basics of interacting with the debugger, from correctly setting your breakpoints, to understanding the output of the functions you’re debugging. But most importantly, we will share our secret weapon for the first time: a tool named DrawMeATree we developed to make dynamic analysis easier. It relies on the WinDbg wt command, which executes through a target function and shows all of the subsequent functions called until the function returns. Though this large amount of information is very useful to understand how a feature operates, wt displays up to thousands of lines of results that can be hard to read through and understand. DrawMeATree solves this problem by visualizing wt’s output as customizable graphic trees, to synthesize and simplify the information. We will learn how to use this tool, and how to incorporate it into our reverse engineering toolbox.

Together, we will practice using real Windows Internals examples, exploring some little known components of the OS through the debugger, and understanding how they work. By the end of the workshop, our goal is for you to be ready to face WinDbg armed to the teeth. Time for revenge!

Prerequisites

  • Basic knowledge of assembly and application programming interfaces (no need to be familiar with WinDbg, this is not an advanced WinDbg workshop)
  • Updated Windows 10/11 VM with an internet connection
  • WinDbg installed on the VM

Mathilde Venault (@MathildeVenault) is a security researcher at CrowdStrike, specializing in the Windows operating system. While her work mostly focuses on malware analysis and improving EDR detection capabilities, she also likes reverse engineering undocumented Windows mechanisms. Mathilde has spoken at multiple conferences to share her findings, such as Black Hat USA, REcon and c0c0n, for which she is now a review committee member.

As a typical French person, she’s always up for sharing a meal with some bread and cheese.