Our Vulnerability Researchers are just returning from their trip to Berlin where they attended OffensiveCon 2023! With about 450 attendees, OffensiveCon is broadly recognized as one of the biggest offensive security conferences, and the audience comes from all over the world to enjoy its in-depth technical content.
OffensiveCon is not only about Clean Code or code security. It covers a broader range of IT security topics, such as advances in security mitigations, the exploitation of security issues in hardened environments, and insights into vulnerability research trends. This is a great opportunity for our researchers to peek into broader application security problems, understand state-of-the-art attack techniques, and take home new ideas and inspiration that can foster new innovations in our domain.
Sonar was a Diversity Sponsor
For the first time, Sonar sponsored OffensiveCon for their Diversity Equity and Inclusion program. This program is established with OPCDE, She Hack KE, and Women in Security and Privacy to give full access to OffensiveCon to hackers who wouldn't usually be able to join. This includes the flights, accommodation, ticket, and access to training offered by the trainers themselves. Blue Frost Security also matches the sponsor's contributions.
This is an important step to bring more diversity to this community, more perspectives, and break down the barriers around technical security. We are happy that other conferences like Hexacon are joining this effort, and it aligns very well with our culture at SonarSource.
Our Favorite Talks at OffensiveCon 2023
It is challenging for us to summarize how qualitative the talks were in a few lines. We encourage curious readers to keep an eye on the OffensiveCon YouTube channel and watch the recorded talks; they are usually released about three months after the event.
Among our favorite presentations, we were delighted with ASN.1 and Done: A Journey of Exploiting ASN.1 Parsers in the Baseband by Amat Cama (Principal Security Research at Vigilant Labs). He went back on his journey to identify vulnerabilities in the baseband (i.e., cell network stack) used by some iPhones and other mobile devices for Pwn2Own. While the vulnerability was simple to exploit due to the general lack of security mitigation on these constrained systems, the competition forced Amat to approach it by looking at the most complex features first–those more likely to hide security bugs. We've been seeing an increasing interest in baseband research in the past months (publications by Google Project Zero, training by Amat Cama, and now Pedro Ribeiro), and it's interesting to see that shallow bugs are still around.
Then, Martijn Bogaard (Principal Security Analyst at Riscure) presented New Phones, Software & Chips = New Bugs?, research that went on for over eight months, where he took Google’s flagship phone, Pixel, and studied the intricacies of the Trusted Execution Environment (TEE) of the phone. Two vulnerabilities allowed Martijn to access the TEE, whose role is to protect sensitive data such as biometrics from being accessed through unintended means. This research goes into impressive depths to exploit the vulnerabilities and give a glimpse into Martijn's expertise.
On the second day, Yarden Shafir (Senior Security Engineer at Trail of Bits) came back on Windows security features in Your Mitigations are My Opportunities. For instance, we dived into the Windows implementation of Intel's Control-flow Enforcement Technology (CET) and the potential attack vectors that it introduces. We've also seen how Protected Process Light (PPL), designed to isolate important processes like anti-malware from the rest of the system, still left the door open to some attacks.
Then we had a peek into Advancements in JavaScript Engine Fuzzing with Samuel Gross and Carl Smith, both working in Google's V8 Security Team at Google. V8 is the JavaScript engine used by Google Chrome, and their security team employs fuzzing to identify potential security vulnerabilities in their software. Over the last few years, a considerable effort was made to develop Fuzzilli and introduce ways to diverge from the usual coverage-based fuzzing methods and obtain more diverse results. This was a 30-minute presentation, thus more concise than most other talks. However, the delivery was excellent and gave interesting insights into the security processes behind a project at a scale that only a handful of companies will ever have.
Finally, we loved how Thomas Roth, an independent Security Researcher also known as stacksmashing, approached his research on Apple's lightning cables. Contrary to what one would think, these cables embed some circuitry and communicate with the devices they are connected to. Thomas studied these messages to understand how features are negotiated and created an open-source firmware to simulate these exchanges – the Tamarin Cable. It allowed him to simplify operations that are very useful for security research, like obtaining debugging logs through JTAG or programmatically restarting the attached device.
We also want to give a shout-out to the two keynotes, Information Security Is an Ecology of Horrors and You Are the Solution by Dave Aitel, founder of Immunity Inc., and Changing and Unchanged Things in Vulnerability Research by Hao Xu, known for his work on iOS and macOS with Team Pangu.
And Everything Else!
OffensiveCon's reputation also comes from its battle-tested organization, parties, and warm atmosphere. We had fascinating discussions with other participants and enjoyed every moment of the event; many thanks to everybody involved!
In summary, we are seeing a trend that code vulnerabilities persist but often require an increasing level of sophistication from attackers to successfully exploit them. Modern security mitigations are designed against very specific exploitation methods but that shouldn't be considered enough; with powerful enough vulnerabilities, creative attackers are still likely to get around, so code security and mitigation have to work hand-in-hand. The bar is higher, but the cat-and-mouse game continues!
We are now looking forward to seeing you at our next confirmed events, where we'll be presenting the fruits of our security research:
- TyphoonCon, June 14-15 in Seoul
- TROOPERS, June 26-30 in Heidelberg
- WeAreDevelopers Word Congress, July 27-28 in Berlin
And many more to come; we hope to see you there!