The agenda for Day 2 of the 9th annual HITB Security Conference in The Netherlands has been announced, with even more advanced research including new sandbox evasion techniques, a ground-breaking method for establishing covert channels over GSM mobile networks, a hardware tool for backdooring cars and much more.
Reference This: Sandbox Evasion Using VBA Referencing
The sandbox, last line of defense for many networks, isn’t what it used to be. This talk shows how attackers can bypass sandbox analysis and get malicious code onto servers without being flagged, by taking advantage of basic rules of how VBA macros and sandboxes operate. Where once a sandbox could “arrest” a VBA macro based on its anomalous structure or attempted activity, the method the authors demonstrate lets attackers hide their capabilities and change their actions to evade sandbox detection.
Mallet: Towards a Generic Intercepting Proxy
This talk will focus on a new open-source intercepting proxy named Mallet, based on the mature and high-performance Netty framework, which it wraps with a drag-and-drop graph-based graphical user interface and a datastore. In doing so, we gain access to an existing library of protocol implementations, including TLS (with SNI), various compression algorithms, HTTP, HTTP/2, MQTT, Redis and many others, and, most importantly, an existing community of developers creating new protocol decoders and encoders, and the associated body of knowledge in this area.
Uncovering the Android Patch Gap Through Binary-Only Patch Level Analysis
Using a novel analysis approach, researchers find missing Android patches on phones or from firmware files. The analysis compares function signatures to large collections of pre-compiled samples. Their binary-only analysis technique applies to Android and many other domains where patch levels need to be measured without access to source code.
Over The Edge: Pwning The Windows Kernel
Tencent ZhanluLab started to look into the Windows graphics subsystem for sandbox escapes and to date they have discovered 15+ kernel vulnerabilities and successfully exploited Windows 10 from the Edge sandbox several times. This talk will be divided into two parts. In the first part, the researchers will explain in detail how they analyze the graphics subsystem in depth and discuss several special attack vectors they have found. The second part will discuss the syscall filter mechanism of the Edge sandbox and introduce three methods to escape from the sandbox to SYSTEM from the Edge content process.
In Through The Out Door: Backdooring Cars With The Bicho
Researchers have successfully developed a hardware backdoor for the CAN bus, called “The Bicho”. Due to its powerful capabilities they consider it a very smart backdoor. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? The Bicho makes it all possible.
A New Fuzzing Method for Android
In this presentation, the authors will introduce a novel fuzzing method for Android. They present ways to find vulnerabilities by turning quantitative change into qualitative change: their fuzzer exploits combinations of function points to find vulnerabilities. The fuzzing method borrows the ideology of model checking, generating combinations to drive exploration of the state space in a comprehensive way.
Establishing Covert Channels By Abusing GSM AT Commands
In this talk, the authors are going to contextualize some phreaking practices and introduce new threats, including a way to modify the behaviour of the GSM modem in a mobile phone using AT commands in order to establish covert channels.
Exposing Hidden Exploitable Behaviors Using Extended Differential Fuzzing
When fuzzed applications don’t crash, you can still potentially find more than 20 different types of issues. This talk exemplifies the capabilities of differential fuzzing with practical examples: identifying which undocumented functions could allow OS command execution, when sensitive file contents may be partially exposed in error messages, how native code is being unexpectedly interpreted – locally and remotely – and when constants’ names could be used as regular strings for OS command execution.
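The core idea of differential fuzzing is that two implementations which are supposed to agree are run on the same inputs, and every disagreement is a finding even when nothing crashes. The following is an added illustration of that loop, not the speaker's tool: the two targets are Python's built-in `int()` and a hypothetical strict parser `strict_int()`, the seed corpus and mutation rules are constructed here, and the two divergence classes it reports (accept/reject mismatch, and an error message that echoes the input, the kind of channel through which file contents can leak) are named to match the talk's themes.

```python
"""Minimal differential fuzzer: feed identical inputs to two parsers that
should agree and report divergences, not only crashes.

Added example; int() behaviour shown here (whitespace, underscores and
non-ASCII digits accepted, input echoed in ValueError text) is real, while
strict_int(), the seeds and the mutations are constructed for illustration.
"""
import random
import re

ASCII_DECIMAL = re.compile(r"^[+-]?[0-9]+$")


def strict_int(s: str) -> int:
    """Hypothetical 'strict' target: ASCII digits only, no whitespace."""
    if not ASCII_DECIMAL.match(s):
        raise ValueError("not a plain decimal integer")  # never echoes input
    return int(s)


def run_target(fn, s):
    """Run one target and normalise the outcome into a comparable record."""
    try:
        return {"status": "ok", "value": fn(s), "leaks_input": False}
    except Exception as e:  # an exception is an outcome, not a harness crash
        return {"status": "error", "value": type(e).__name__,
                "leaks_input": bool(s) and s in str(e)}


def classify(a, b):
    """Return divergence labels for two outcome records (empty = agreement)."""
    findings = []
    if a["status"] != b["status"]:
        findings.append("accept/reject mismatch")
    elif a["status"] == "ok" and a["value"] != b["value"]:
        findings.append("value mismatch")
    if a["leaks_input"] != b["leaks_input"]:
        findings.append("input echoed in error message")
    return findings


def diff_one(s):
    """Differential check of a single input against both targets."""
    return classify(run_target(int, s), run_target(strict_int, s))


# Constructed mutation rules aimed at lexical edge cases of number parsing.
MUTATIONS = [
    lambda s: " " + s,                                   # leading whitespace
    lambda s: s + "\t",                                  # trailing whitespace
    lambda s: s[:1] + "_" + s[1:],                       # digit separator
    lambda s: s.translate(str.maketrans("0123456789", "٠١٢٣٤٥٦٧٨٩")),  # Arabic-Indic digits
    lambda s: "+" + s,                                   # explicit sign
    lambda s: "0x" + s,                                  # hex prefix
    lambda s: s + "abc",                                 # trailing garbage
]


def fuzz(seeds, rounds=200, seed=1):
    """Mutate the corpus for `rounds` iterations; return {input: findings}.

    Inputs both targets accept are fed back into the corpus so mutations stack.
    """
    rng = random.Random(seed)
    corpus = list(seeds)
    seen = {}
    for _ in range(rounds):
        cand = rng.choice(MUTATIONS)(rng.choice(corpus))
        if cand in seen:
            continue
        a, b = run_target(int, cand), run_target(strict_int, cand)
        seen[cand] = classify(a, b)
        if a["status"] == "ok" and b["status"] == "ok":
            corpus.append(cand)
    return {k: v for k, v in seen.items() if v}


if __name__ == "__main__":
    for inp, why in sorted(fuzz(["42", "7"]).items()):
        print(repr(inp), "->", ", ".join(why))
```

Every entry the loop prints is something a crash-only harness would miss: `int()` silently accepts `" 42"`, `"4_2"` and `"٤٢"`, and its rejection message reproduces the offending input verbatim, which is exactly the behaviour to look for when the "input" is attacker-controlled or comes from a file the application should not disclose.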
Suborigins: A Journey Through the Land of CSP and What’s Next
With increased CSP adoption, new challenges arise: dealing with CSP report noise – generated by buggy browsers, extensions, malware and security software – devising an effective monitoring infrastructure, and keeping on top of bypass techniques. In this presentation the authors reveal how their internal CSP infrastructure works and how they solved these problems, showing real-world examples, best practices and common pitfalls.
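Before any CSP monitoring pipeline can surface real violations, it has to discard the report noise the abstract mentions. The following is an added example of a first-pass triage step, not the speakers' infrastructure: it parses the JSON report body a browser posts to `report-uri`, and applies three common practitioner heuristics, all of which are assumptions made here rather than anything the page states: a `blocked-uri` or `source-file` with a browser-extension scheme is extension noise; a `blocked-uri` of `about`, `about:blank` or `data` is an opaque source typically produced by injected scripts or browser quirks; and an `original-policy` that is not one of the policies the site actually serves means something between the server and the page (proxy, security software, a stale cache) rewrote the header. The sample reports are constructed.

```python
"""Triage CSP violation reports into actionable violations and known noise.

Added example, not the infrastructure described in the talk. Noise rules and
sample reports are constructed assumptions for illustration.
"""
import json
from collections import Counter, defaultdict
from urllib.parse import urlsplit

EXTENSION_SCHEMES = {
    "chrome-extension", "moz-extension", "safari-extension",
    "safari-web-extension", "ms-browser-extension",
}
# blocked-uri values that name no origin; browsers emit them for injected or
# opaque sources, so they are rarely actionable for the site owner.
OPAQUE_SOURCES = {"about", "about:blank", "data"}

# The policy string(s) this site really serves (assumed for the example).
KNOWN_POLICIES = {"script-src 'self' https://cdn.example.net; report-uri /csp"}


def directive_of(r):
    """Older browsers send only violated-directive (the full directive text);
    newer ones add effective-directive (just the name). Normalise to the name."""
    raw = r.get("effective-directive") or r.get("violated-directive", "")
    return raw.split()[0] if raw else ""


def key_of(blocked):
    """Group by host where one exists, else by the raw token (inline, eval...)."""
    return urlsplit(blocked).netloc or blocked


def classify_report(body, known_policies=KNOWN_POLICIES):
    """Return (label, directive, key) for one report body (JSON string)."""
    r = json.loads(body)["csp-report"]
    blocked = r.get("blocked-uri", "")
    source = r.get("source-file", "")
    directive, key = directive_of(r), key_of(blocked)
    if (urlsplit(blocked).scheme in EXTENSION_SCHEMES
            or urlsplit(source).scheme in EXTENSION_SCHEMES):
        return "noise:extension", directive, key
    policy = r.get("original-policy")
    if policy and policy not in known_policies:
        return "noise:unknown-policy", directive, key
    if blocked in OPAQUE_SOURCES:
        return "noise:opaque-source", directive, key
    return "violation", directive, key


def triage(bodies, known_policies=KNOWN_POLICIES):
    """Aggregate reports per label into (directive, key) counters."""
    buckets = defaultdict(Counter)
    for body in bodies:
        label, directive, key = classify_report(body, known_policies)
        buckets[label][(directive, key)] += 1
    return buckets


def _report(**fields):
    return json.dumps({"csp-report": fields})


GOOD_POLICY = next(iter(KNOWN_POLICIES))
# Constructed sample reports covering the cases above.
SAMPLE_REPORTS = [
    _report(**{"document-uri": "https://www.example.com/",
               "blocked-uri": "chrome-extension://abcd/inject.js",
               "effective-directive": "script-src", "original-policy": GOOD_POLICY}),
    _report(**{"document-uri": "https://www.example.com/",
               "blocked-uri": "https://cdn.example.net/lib.js",
               "effective-directive": "script-src", "original-policy": GOOD_POLICY}),
    _report(**{"document-uri": "https://www.example.com/", "blocked-uri": "about",
               "violated-directive": "script-src 'self' https://cdn.example.net",
               "original-policy": GOOD_POLICY}),
    _report(**{"document-uri": "https://www.example.com/",
               "blocked-uri": "https://tracker.example/x.js",
               "effective-directive": "script-src", "original-policy": "default-src *"}),
    _report(**{"document-uri": "https://www.example.com/", "blocked-uri": "inline",
               "effective-directive": "script-src", "original-policy": GOOD_POLICY,
               "source-file": "https://www.example.com/", "line-number": 12}),
]

if __name__ == "__main__":
    for label, counter in triage(SAMPLE_REPORTS).items():
        for (directive, key), n in counter.most_common():
            print(f"{label:22} {directive:12} {key:32} {n}")
```

Two points worth noting from the design: the `original-policy` check fires on the report for `tracker.example` even though that host looks like a genuine violation, because a policy the site never sent cannot be trusted to describe what the browser actually blocked; and the `inline` report is deliberately kept as a violation, since an inline script blocked under a policy that names `cdn.example.net` can just as well be the site's own bug as an injection, and only the aggregated counts over time tell the two apart.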
Look Ma, No Win32_Process Needed: Expanding Your WMI Lateral Movement Arsenal
This talk will exhibit various never-before-seen techniques for authenticated (file-based and fileless) remote execution, using only pure-WMI methods, along with stealthier enhancements of known techniques, all of which subvert many host and network-based methods of detection without using the notorious Win32_Process class.