PACific SECurity - applied security conferences and training in Pacific Asia: CanSecWest | PacSec | EUSecWest |

PacSec 2019 Speakers

Speakers for PacSec 2019 will be updated upon confirmation. Speaker, talk topic, and date might be changed without notice due to various reasons such as visa issuing by Japanese government, etc.

For talks / slides inquiries:
"pacsec.submission [(at)]"
(other general inquiries: here)

"boot2root: Auditing Boot Loaders by Example"
Ilja Van Sprundel and Joseph Tartaro, IOActive

The Achilles heel of your product is the secure boot chain. In this presentation we will show our results from auditing commonly used boot loaders and walk through the attack surface you open yourself up to. You would be surprised at how much attack surface exists when hardening and defense in depth are ignored. From remote attack surface via network protocol parsers to local filesystem and various bus parsing, we will walk through the common mistakes we've seen by example and showcase how realistic it is for your product's secure boot chain to be compromised.

"Insecure Boot"
Andrea Barisani, F-Secure

Secure Boot schemes are a fundamental security feature which enables the hardware trust anchor necessary to achieve unattended confidentiality and integrity on embedded systems deployed in the field. An ever increasing number of safety critical embedded systems, such as vehicle infotainment or telematics units, leverage such a feature to protect sensitive assets such as Intellectual Property, certificates or Personally Identifiable Information (PII).

This presentation delves into real-life experiences in developing, testing and compromising Secure Boot schemes of all kinds, aimed at proposing practices, techniques and frameworks to improve the security of its various implementations.

Andrea Barisani is the Head of Hardware Security at F-Secure and one of the founders of Inverse Path.

"Get Off The Kernel If You Can't Drive"
Mickey Shkatov and Jesse Michael, Eclypsium

For software to communicate with hardware, it needs to talk to a kernel-mode driver that serves as a middle-man between the two, helping to make sure everything operates as it should. In Windows that is done using the Kernel-Mode Driver Framework (KMDF).

These drivers are used to control everything in your computer, from small things like CPU fan speed, color of your motherboard LED lights, up to flashing a new BIOS.

However, as the code in these drivers runs with the same privileges as the rest of the kernel, malicious drivers can be used to compromise the security of the platform. To that end, Microsoft relies on WHQL, code signing, and EV Signing to prevent drivers which have not been approved by Microsoft from being loaded into the kernel.

Unfortunately, security vulnerabilities in signed drivers can be used as a proxy to read and write hardware resources such as kernel memory, internal CPU configuration registers, PCI devices, and more. These helpful driver capabilities can even be misused to bypass and disable Windows protection mechanisms.

Let us teach you how these drivers work, show you the unbelievable risk they pose, and enjoy our walk of shame as we parade all the silly and irresponsible things we discovered in our research.

Jesse Michael is an experienced security researcher focused on vulnerability detection and mitigation who has worked at all layers of modern computing environments from exploiting worldwide corporate network infrastructure down to hunting vulnerabilities inside processors at the hardware design level. His primary areas of expertise include reverse engineering embedded firmware and exploit development.

Mickey Shkatov is a principal researcher at Eclypsium. His areas of expertise include vulnerability research, hardware / firmware security, embedded device security, and IT red teaming.

"Mobile Network hacking, IP Edition"
Karsten Nohl and Luca Melette, Security Research Labs

Mobile networks have gone through a decade of security improvements ranging from better GSM encryption to stronger SIM card and SS7 configurations. These improvements were driven by research at this and other hacking conferences. Meanwhile, the networks have also mushroomed in complexity by integrating an ever-growing number of IT technologies from SIP to WiFi, IPSec, and most notably web technologies. This talk illustrates the security shortcomings when merging IT protocols into mobile networks. We bring back hacking gadgets long thought to be mitigated, including intercepting IMSI catchers, remote SMS intercept, and universal caller ID spoofing. We explore which protection measures are missing from the mobile network and discuss how to best bring them over from the IT security domain into mobile networks.

"Applying Security Throughout the Device Lifecycle - A Practical Analysis of Supply Chain Security"
Jeff Williams, FiveBy

In the construction of any consumer electronic device, there are a wide number of people involved. There are the developers themselves, those who build and test prototypes, manufacturing partners who bring production to scale, logistics and transportation people who take the finished product from manufacturing through to retail, the retailers, the customers, and any aftermarkets. At any of these stages problems can be introduced which create issues for security, physical safety, protection of intellectual property, and overall brand experience. In this talk we will speak to threats throughout the entire lifecycle from idea to thriving, globally pervasive platform and call out methods in data analysis, design, investigation, and materials science which can prevent or detect issues at the various phases. We will cover provenance and genealogy, materials variance, investigations at scale and at depth and share lessons learned around Oculus and Portal.

Jeff Williams is Chief Strategy Officer of FiveBy Solutions, a high-end consultancy focused on data-driven solutions to complex security challenges such as fraud, piracy, counterfeiting and risk intelligence.

"New Exploit Technique for Java Deserialization Attacks"
Yongtao Wang, Zhang Yang, and Kunzhe Chai, Red Team at BCM Social Corp.

The Java deserialization attack was proposed around 2015 by the FoxGlove Security team. Afterward, another attack surface, named the Marshalsec attack, was developed. It allows an attacker to gain Remote Command Execution and affects a number of applications. It is one of the most crucial security issues in Java security history. Many security researchers and developers mitigate Java deserialization attacks by maintaining a deserialization blacklist. WebLogic, for example, mitigates deserialization attacks by constantly maintaining its deserialization blacklist. So far it is really hard to find gadget chains which can be exploited to gain Remote Command Execution. We found a serious flaw in Java deserialization from another perspective, and we will mainly talk about it in this presentation. We found a new attack vector in the fundamental classes of the JDK. It is really prevalent in Java applications and involves most of the request libraries, such as URLClassLoader, the official HTTP request class, Apache HTTP client and so on. Combining this attack vector, we found a lot of new gadget chains that can be utilized; using these gadget chains together with the attack vector, we can bypass all of the blacklists and gain Remote Code Execution.

Yongtao Wang (@by_Sanr) is leader of the Red Team at BCM Social Corp. He has comprehensive experience in wireless security and penetration testing, and his research interests include Active Directory threat hunting.

Yang Zhang (izy) is a security researcher at BCM Social Corp, with rich experience in application security and penetration testing, leader of the Back2Zero Team and core member of the XDSEC Team. He is currently focusing on security research in application security, cloud security and blockchain security, and is an internationally renowned security conference speaker.

Kunzhe Chai (Anthony) is founder of PegasusTeam and Chief Information Security Officer at BCM Social Corp, and author of the well-known security tool MDK4. He is the maker of China's first Wireless Security Defense Product Standard and the world's first inventor of fake base station defense technology. He leads his team to share their research results at HackInTheBox (HITB), BlackHat, DEFCON, CanSecWest, CodeBlue, POC, etc. Follow him on Twitter at @swe3per.

"A Survey of Programmable Software Security Assessment Frameworks for Vulnerability Discovery"
Julien Vanegue and Shane Macaulay, Bloomberg

In the last twenty years, automatic vulnerability analysis tools went from academic exercises to mainstream industry "must-haves" as part of a CI/CD pipeline. Today, all major software companies rely on automated testing capabilities to find issues early. While the typical mature workflow consists of fuzz testing and static analysis, emerging techniques such as symbolic execution are being used to find new vulnerabilities. More recent developments employing machine learning are starting to be published at top-tier security conferences. Julien and Shane will review the state-of-the-art in automatic vulnerability assessment, and share which tools work (based on their experience), and the limits revealed by some tools when pushed to a large-scale software security pipeline.

Julien and Shane are part of the Software Security team in the Office of the CTO at Bloomberg in New York, USA. Their job is to find new ways of securing Bloomberg's large distributed software stack.

"Exploiting speculative control flow hijacks"
Anil Kurmus and Andrea Mambretti

Since early 2018, with Spectre and Meltdown, a novel attack surface related to speculative execution was discovered and successfully exploited. These new attacks are able to break privilege boundaries and leak sensitive data. New attacks and variants have been presented ever since, but we believe much of the attack surface is still unexplored due to the different environment in which these attacks take place and the lack of tools to properly explore and debug such attacks.

"CommanderSong: A Systematic Approach for Practical Adversarial Voice Recognition"
Bin Zhao and Shengzhi Zhang, Boston University

The popularity of automatic speech recognition (ASR) systems, like Google Assistant and Cortana, brings in security concerns, as demonstrated by recent attacks. The impacts of such threats, however, are less clear, since they are either less stealthy (producing noise-like voice commands) or require the physical presence of an attack device (using ultrasound speakers or transducers). In this paper, we demonstrate that not only are more practical and surreptitious attacks feasible but they can even be automatically constructed. Specifically, we find that the voice commands can be stealthily embedded into songs, which, when played, can effectively control the target system through ASR without being noticed. For this purpose, we developed novel techniques that address a key technical challenge: integrating the commands into a song in a way that can be effectively recognized by ASR through the air, in the presence of background noise, while not being detected by a human listener. Our research shows that this can be done automatically against real world ASR applications. We also demonstrate that such CommanderSongs can be spread through the Internet (e.g., YouTube) and radio, potentially affecting millions of ASR users. Finally, we present mitigation techniques that defend existing ASR systems against such threats.

"Crash Analysis with Reverse Tainting (Powered by Taintgrind)"
Marek Zmyslowski, Cycura

In recent years, fuzzing has become a popular and powerful method for vulnerability research. There are dozens of free and open frameworks available, with new ones arriving each month, but fuzzing itself is only part of the equation. Another part comes with triaging, or how to find only the relevant crashes when a fuzzer might find them in hundreds or even thousands. Often, these are sorted and binned based on the artefacts around the crash itself, but this is both naïve and superficial. In this talk, we will cover the use of taint analysis via reverse tainting as a potent alternative.

"Security Risks in Zero Knowledge Proof Cryptocurrencies (Zcash, Tron, Monero...)"
Zhiniang Peng, Qihoo 360

A zero-knowledge proof (ZKP) is a cryptographic method which allows one person (the prover) to prove to another person (the verifier) that they possess some information without revealing the information to the verifier. It is widely used in many cryptocurrencies such as Zcash, Tron and Monero to enhance privacy. However, the security of ZKP is not well known, even to the security community.
Can we trust projects using ZKP?
How do we find vulnerabilities in ZKP implementations?
Can we track down criminals using ZKP?
How can we use ZKP to protect our privacy? For example: can I sell a zero-day using zero-knowledge with zero trust and leaving zero trace?
To answer these questions, I have conducted security research on both the theory and implementation of ZKP and found some critical vulnerabilities and undisclosed security risks in this area. The aim of the presentation is to help the audience understand the security of zero-knowledge proofs. In this presentation, I will introduce the technology of ZKP to security practitioners in an understandable way, present some security vulnerabilities as well as security risks in ZKP cryptocurrencies, and teach you how to protect your privacy by using ZKP.

"Analysis of BaaS Black Industry Chain Operation Mode"
Tiejun Wu and Guangyuan Zhao, NSFOCUS

This topic is mainly about our research results on how underground industry practitioners operate botnets, which we summarize as BaaS. We will introduce the concept of BaaS, enumerate the exclusive data we have observed to prove this concept, briefly describe the specific reasons for the BaaS phenomenon, and describe the upstream and downstream relationships of the industry chain. Finally, we reflect on this phenomenon and predict its development.

Tiejun Wu is head of the NSFOCUS Fuying laboratory, with 13 years of experience in the security industry and a senior DDoS protection expert in China. He worked at Huawei, where he served as technical director and senior researcher, and has participated in the research and development of security products such as Anti-DDoS, WAF, and DNS protection. He is now focusing on network threat analysis technology research and underground industry analysis. Speaker at Botconf 2018.

Guangyuan Zhao is a security researcher at the NSFOCUS "Fuying" lab, focusing on botnet research, malware analysis and CTF. Speaker at KCon 2018 and Botconf 2018.

"Insight into Attacker Behavior"
Tiejun Wu and Guangyuan Zhao, NSFOCUS

This topic is mainly about our research results on botnets. IoT botnet families usually use scripts to spread; if they are written by the same person or team, the scripts will show more similarity. Therefore, we propose a method that uses the attack script to profile the attacker, and combine it with the traditional traceability analysis method to dig deep into the controller behind the botnet. We will first introduce how to judge whether a malicious file has produced variants, then introduce the traditional traceability tracking method, and finally how we use the attack script to mine the operational gang behind the botnet and the relationship between different variants.

*note: Due to various circumstances, speakers, topics, date and stage order may be changed without notice.