Follow live coverage on Twitter: #JailbreakSec
The world's only security summit held at a production brewery.
Join some of the world's best security researchers as they talk about advanced RE tools, techniques and sophisticated malware at the only computer security event held at a production brewery. Attendance is limited to 100 to keep the Security Summit small and encourage conversation between speakers, attendees, and sponsors.
Tickets include breakfast, lunch, and an awesome time to chat with fellow security experts.
Come participate in the talks, the conversation, and the beer!
Friday, May 18, 2018
Jailbreak Brewing Company
9445 Washington Blvd N
Laurel, MD 20723
Happy Hour 5p-6p
Synthetic Reality; Breaking macOS One Click at a Time
Patrick Wardle is the Chief Research Officer at Digita Security and founder of Objective-See. Having worked at NASA and the NSA, as well as presented at countless security conferences, he is intimately familiar with aliens, spies, and talking nerdy. Patrick is passionate about all things related to macOS security and thus spends his days finding Apple 0days, analyzing macOS malware and writing free open-source security tools to protect Mac users.
In today's digital world the mouse, not the pen, is arguably mightier than the sword. Via a single click, countless security mechanisms may be completely bypassed. Run untrusted app? click ...allowed. Authorize keychain access? click ...allowed. Load 3rd-party kernel extension? click ...allowed. Authorize outgoing network connection? click ...allowed. Luckily security conscious users will (hopefully) heed such warning dialogues - stopping malicious code in its tracks. But what if such clicks can be synthetically generated and interact with such prompts in a completely invisible way? Well, then everything pretty much goes to hell.
Of course OS vendors such as Apple are keenly aware of this 'attack' vector, and thus strive to design their UI in a manner that is resistant against synthetic events. Unfortunately they failed.
In this talk we'll discuss a vulnerability found in all recent versions of macOS that allowed unprivileged code to interact with any UI component including 'protected' security dialogues. Armed with the bug, it was trivial to programmatically bypass Apple's touted 'Secure Kext Loading' security feature, dump all passwords from the keychain, bypass 3rd-party security tools, and much more! And while it may seem that such synthetic interactions with the UI will be visible to the user, we'll discuss an elegant way to ensure they happen completely invisibly!
asm2vec: Binary Learning for Vulnerability Discovery
Sophia d’Antoine is a Senior Security Researcher at Trail of Bits. She has spoken and keynoted at more than a dozen security conferences worldwide and sits on the program committee for USENIX WOOT.
Her current work involves developing novel tooling to assist in research and discovery of vulnerabilities in a spectrum of targets, including Ethereum smart contracts.
A graduate of RPI, Sophia earned her MS on exploiting CPU optimizations. While at RPI, Sophia helped create and teach Modern Binary Exploitation.
This talk will present a novel application of a machine learning model and a corresponding tool, asm2vec, for vulnerability discovery. Treating program disassembly as a natural language, we construct embeddings of identifiers at scale using a concept similar to word2vec, in which the output is a vector of related identifiers and their proximity.
Identifiers in assembly vary but for this talk include: function contexts, variables, data flow, memory cells, and operations of interest (reads and writes). Unique tokens or features are extracted from these identifiers and mapped into a co-occurrence matrix. This matrix is then used to train our model and produce embeddings. The trained model will then be used to map identifiers, and their vector associations, to bug patterns but, even more simply, to discover code anomalies which may be of interest.
This work builds on top of Facebook’s StarSpace project as well as TensorFlow’s Swivel to calculate the co-occurrence matrix.
Mario Vuksan is the Co-Founder and Chief Executive Officer at ReversingLabs Corporation. Mr. Vuksan served as a Director of Research and Knowledgebase Services at Bit9 Inc. He also served as Program Manager and Consulting Engineer at Groove Networks (acquired by Microsoft), working on Web based solutions, P2P management, and integration servers. Before Groove Networks, Mr. Vuksan developed one of the first Web 2.0 applications at 1414c, a spin-off from PictureTel. He is a regular presenter at RSA, Black Hat, Defcon, Caro Workshop, Virus Bulletin, CEIC, FSISAC, and AVAR Conferences, and has also authored numerous texts on security. He supports AMTSO, IEEE Malware Working Group and CTA, and holds a BA from Swarthmore College and an MA from Boston University.
It's Alive! Evolving assemblers using disassembler oracles
In 1997, Andrew got AOL dialup and found 40hex zines and zen cracking tutorials. It was incomprehensible, but became a challenge and after several years of ruining COM files, he could write a bit of assembly. Andrew continues taking on low level challenges today, but shares this time with innumerable hobbies, games, and four babbies.
There are a number of options for assemblers to be able to patch binaries. You could use Keystone, LLVM, build your own, or use any number of other public assemblers. But what if you want to be able to perfectly round-trip and match an existing disassembler? It turns out this is a surprisingly good problem for a genetic algorithm with a fitness function that carefully measures "distance" to a disassembler's output. Since speed is important, pre-fit offspring are precomputed for every mnemonic to jump-start convergence. Andrew prototyped a PowerPC assembler and the results were so promising it's now shipping as the default for that platform in Binary Ninja. So what pitfalls are there? Which architectures will and won't work with such an approach? And what are other advantages of applying this unique technique?
Alexei Bulazel is a security researcher with River Loop Security. He has previously presented and published at conferences including Jailbreak Security Summit, Black Hat USA, REcon Brussels, USENIX WOOT, ROOTS/DeepSec, and ShmooCon, among others. A member of RPISEC, and a 2015 graduate of RPI, Alexei completed his MS under Dr. Bulent Yener.
We’ll cover reverse engineering the JS engine, including how it works (types, memory management, JS/ECMAScript features, integration with Defender’s antivirus system, etc.), building tooling to interact with it, non-security JS runtime bugs, anti-analysis tricks for malicious scripts, and a bit on the engine’s attack surface for exploitation.
We’ll conclude by considering other subsystems within the remaining 98% of this enormous binary.
It only seems fitting...
That the world's only security summit held at a production brewery be held at Jailbreak Brewing Company. Jailbreak Brewing Company was founded by computer security professionals looking to liberate themselves from cubicle jobs and to create a product that helps free you from whatever drama is present in your life.
While some of the world's finest security researchers are talking about security topics, our brew team will be hard at work on the other side of the gigantic window making the next batch of creative juice for your enjoyment. During breaks in the summit, tours of the brewery will be given to those who want to see the magic happening.
Our tasting room provides the perfect venue for creative discussion over some cold, fresh beer.