This talk discusses the challenges of starting and running a company that specialises in vulnerability research. The typical problems likely faced include:

• How do you build a new team?
• And how do you encourage knowledge transfer and upskilling within your team?
• What targets do you focus on?
• How much engineering is required to support research?

This talk will give insights and answer these questions, for the purpose of maintaining reliable, consistent, and high quality research outputs.

It’s too easy to find problems in software today. Not enough people understand how attacks really work, and this is bad for defense. Both attackers and defenders need this knowledge, but we are always busy fixing today’s problems.

There’s not always enough time for making things stronger long-term. In this talk, I share how my teams have used offense to make defense better. We use weaknesses and exploits, study how they work, and then use this data to help organizations decide how to move forward. We’ll discuss using exploits to prioritize patches, motivate process changes, and ultimately create systems that are more resilient. Sometimes, we offer money to break things in new ways – and show us where to focus, sometimes, we turn on the heat on a broken system so it transforms into something better.

This is not always about fancy new insights, ideas or attacks. It’s just about working together to make systems safer for everyone.

During our past research analyzing the Android Data Encryption Scheme, we dived into the boot chain of Samsung low-end mobile devices, in particular the Galaxy A family, which is based on Mediatek System-on-Chips. These devices are often overlooked by the security research community, which usually targets high-end ones (e.g., the S family for Samsung). Nonetheless, these devices are extremely popular, and thus represent a big share of the phones in the wild.

On top of the Mediatek boot chain, Samsung added its own features including Knox Security Bit, support for their recovery tool Odin, a JPEG parser and so on. In their latest system of chips, Mediatek have improved their security, and fixed an infamous BootROM vulnerability that used to impact most of their chips. Yet, even with the security improvement done by Mediatek and the apparent security brought by Samsung, we were able to break the boot chain of most of the Samsung phones powered by Mediatek SoCs.

We will present several 0-day vulnerabilities that, chained together, can be used by an attacker with physical access to a wide range of Samsung devices (mainly from the A* family), to bypass the secure boot, execute code on the chip, reach persistency and ultimately leak the secret keys protected by the hardware-backed keystore.

This presentation brings together two important concepts of modern mobile architectures: the secure boot and the Trusted Execution Environment. It gives a comprehensive view of how these features work and how they can be targeted by security researchers, focusing on the offensive approach.

Since October 2021, we have been continuously chasing the latest in-the-wild Windows CLFS (Common Log File System) LPE exploits. During this process, we captured two in-the-wild Windows CLFS 0days and at least seven in-the-wild Windows CLFS 1days. Meanwhile, through variant analysis of the itw exploits, we identified two new CLFS vulnerabilities and reported them to Microsoft. Interestingly, two of the captured 1day exploits utilized the vulnerabilities that we discovered through variant analysis.

In this talk, we will share how we are using the combination of “threat hunting” and “variant analysis” to assist Microsoft in patching four CLFS 0day vulnerabilities (two in-the-wild 0days and two independently discovered 0days). We believe that the approach combining “threat hunting” and “variant analysis” is more effective than traditional defense methods, and we want to share our practical and insights into this process: why we selected CLFS vulnerabilities, how we chased in-the-wild CLFS exploits, how we analyzed captured vulnerability exploits, and how we conduct variant analysis. At the end of this talk, we will incorporate the latest findings to give some insights on the in-the-wild Windows LPE 0days trends.

As a well-known attack surface in Windows system, the Win32k has caused many security problems in history. But with the efforts of Microsoft and security researchers, peoples believe that Win32k has become secure enough that it’s no longer harmful. Especially with the continuous updates of the mitigation measures added by Microsoft, vulnerabilities in Win32k have become difficult to exploit, It has caused attackers to lose interest in the Win32k. In this topic, we will present the results of our work, which will completely bypass all security mitigation mechanisms and revitalize the ancient attack surface of the Win32k, so we named it “Next Level”.

More specifically, We will present 5 Win32k vulnerabilities we discovered, which can lead to privilege escalation not only in normal environments. And it can also be used in the sandbox environment, causing the escape of the security sandbox. Also, we will introduce the various restrictions Microsoft has imposed on Win32k and how to bypass them. Finally, we will also summarize whether there is universality in vulnerability exploitation and vulnerability mining methods, and what suggestions we have for future win32k security.

Continuous fuzzing has become an integral part of the Linux kernel ecosystem, discovering thousands of bugs over the past few years. Interestingly, only a tiny fraction of them were turned into real-world exploits that target downstream distributions, e.g., Ubuntu and Fedora. This contradicts the conclusions of existing exploitability assessment tools, which classify hundreds of those bugs as high-risk, implying a high likelihood of exploitability.

Our study aims to understand the gap and bridge it. Through our investigation, we realize that the current exploitability assessment tools exclusively test bug exploitability on the upstream Linux, which is for development only; in fact, we find many of them fail to reproduce directly in downstreams. Through a large-scale measurement study of 230 bugs on 43 distros (8,032 bug/distro pairs), we find that each distro only reproduces 19.1% of bugs on average by running the upstream PoCs as root user, and 0.9% without root. Remarkably, both numbers can be significantly improved by 61% and 1300% times respectively through appropriate PoC adaptations, necessitated by environment differences.

During car hacking, the first consideration typically revolves around the manufacturer or Tier 1 provider’s hidden services. This spans from common engineer mode applications to deeply concealed mechanisms. However, due to regulatory requirements and increased manufacturer security awareness, high-level privilege hidden services have dramatically decreased. Through analyzing dozens of Intelligent Connected Vehicles, we’ve discovered new tactics for managing hidden services.

In this talk, we’ll demonstrate multiple methods to access hidden functions and thoroughly analyze underlying theories which involving both traditional and new era approaches. Once we understand the background mechanisms, we attempted to bypass security protections and share our journey, including some bypass skills. Such as use Fipper Zero crack the engineer mode pincode. Upon gaining access to hidden services, we’ll show how to leverage these functions to attain root privileges, execute lateral movement to other Electronic Control Units (ECUs), and gain control of the vehicle.

Lastly, I’ll introduce a self-developed graphical hacking tool designed to reveal hidden services. This tool extracts information from firmware and automatically generates a graphical representation of the hidden services relationships. By using this tool, we’ve successfully identified entry paths for many vehicles, including deeply hidden ones.

By chaining various messaging APIs in browsers and browser extensions, I demonstrate how we can jump from web pages to “universal code execution”, breaking both Same Origin Policy and the browser sandbox. I provide two new vulnerability disclosures affecting millions of users as examples. In addition, I demonstrate how such vulnerabilities can be discovered at scale with a combination of large dataset queries and static code analysis.

As is well known, there are numerous mature fuzz testing tools on the market, including iconic ones like AFLplusplus for general objects, syzkaller for Linux kernel. However, despite the continuous and round-the-clock efforts of these powerful fuzzers to test these targets, several longstanding vulnerabilities have exposed in recent years, posing significant risks for privilege escalation.

This suggests that many secrets still lie deep within the code, beyond the reach of fuzzing techniques. Therefore, by investigating the pain points of fuzzers and conducting manual code audits targeted at high-value objectives such as the Linux kernel and mobile RCE-involved decoders, we have successfully uncovered dozens of high-value vulnerabilities. These vulnerabilities, which are not easily detected by existing fuzzers, may enable privilege escalation to obtain root access. Through analysis of these vulnerabilities, we have devised methods to enhance fuzzers and discovered multiple new 0days.

Last year, we developed an advanced exploit technique capable of transforming a conventional out-of-bounds (OOB) bug into a more potent exploit primitive, specifically a page Use-After-Free (UAF). Utilizing this technique, we successfully exploited a vulnerability in the Pixel series, achieving Kernel Code Execution.

This presentation will commence with a thorough examination of the component where we identified eight vulnerabilities, all of which were patched this year. We will delve into the root causes of these vulnerabilities. Subsequently, we will demonstrate how we applied our exploit technique to convert one of these bugs into a Page UAF (PUAF), and subsequently construct a physical memory read/write primitive on a Pixel 8 with Memory Tagging Extension (MTE) enabled. Furthermore, this talk will address the challenges we encountered during the development of this exploit, highlighting the differences in exploitation techniques between the Pixel 6 and Pixel 8 models.

During the last year, numerous vulnerabilities were patched, and some of them were proven to be exploitable, as they were exploited in the wild, Pwn2Own, and so on. We have continuously tracked these issues and written the Proof-of-Concepts and exploits to keep them in our vulnerability database. Although each vulnerability itself has a critical impact, we think it would become more powerful if they are chained into a full chain exploit. Therefore, we wrote an exploit chaining several vulnerabilities chosen from our database and demonstrated the exploit on X; the exploit starts from a Chrome browser running in a VMware guest and then manages to achieve SYSTEM privileges in a Windows host. This scenario mimics a situation where a security analyst clicks a malicious link in a virtual machine. The N-Day full chain includes six unique vulnerabilities; three of them were exploited in the wild, two of them were used in Pwn2Own 2023, and the last one, a variant of a Pwn2Own 2023 vulnerability, was found by one of our team members.

In this presentation, we will explain the root causes and the exploit techniques of each vulnerability and how we connected them into a full chain exploit. We will also discuss chaining details to glue our exploit pieces together successfully, including how to bypass V8 pointer compression, implant browser sandbox escape vulnerability in JavaScript code, escape the browser sandbox with the pickup window, and drop the exploit binary on the host of VMware. This presentation will cover overall concepts from browser to virtualization and OS, and you will have a comprehensive understanding of them after this talk.

While AI holds promise for assisting bug hunting, its actual impact remains unclear. This presentation addresses this gap by introducing Crash-Benchmark, a standardized evaluation framework for AI-driven static analysis tools. We’ll share results from a simple bug-hunting AI agent, AK1, and discuss the implications for optimizing AI-based bug hunting in C/C++ codebases.

AI-bughunting presents unique challenges: Early models lacked sophistication, struggling to comprehend long codebases. Moreover, privacy concerns often necessitate exclusive use of local models, which are inherently less capable than commercial AI models offered by industry leaders such as OpenAI and Google. To illustrate this challenge, we’ll showcase AK1, a simple rule-based AI agent capable of autonomously identifying various bug classes within C/C++ codebases. Notably, its model-agnostic design allows it to improve performance with each new model release. Nevertheless, evaluating the effectiveness of AI-based tools poses difficulties due to the subjectivity of the output.

The multi-user functionality of the Android platform plays a critical role in safeguarding the security and privacy of data and settings isolation. During a comprehensive investigation conducted in 2023, we discovered a number of high-severity vulnerabilities that pertained to cross-user interactions. These vulnerabilities encompassed unauthorized access to sensitive media photos and manipulation of privacy settings. During this presentation, we will explore the common underlying pattern behind these vulnerabilities and discuss the measures taken by Google to mitigate their impact.

JIT compilers have been the subject of numerous vulnerability discoveries. This is due to the nuances of optimization phases and their potential to introduce subtle bugs. This talk aims to unravel some key optimization phases in JavaScriptCore, WebKit’s JavaScript engine that powers Apple Safari. The focus will be mainly on DFG intermediate representation and how optimization phases on this can give rise to vulnerabilities.

Through specific examples and case studies, we will examine vulnerabilities resulting from logic errors in the compiler. These examples will showcase the real-world impact of optimization phase vulnerabilities, highlighting their severity and potential exploitation scenarios.

Content Management System (CMS) platform is still one of the best options to build a website quickly. CMS provides a user-friendly interface that allows non-technical users to easily create, edit, and publish content without requiring extensive HTML, CSS, or Javascript programming language knowledge.

WordPress is still the most popular CMS platform, powering 43.2% of the websites online, with a CMS market share of 63.5%. With its popularity, it’s prone to massive exploit attempts. The WordPress Core itself is not the actual target, the plugins and themes are the actual target of an attacker with the vast majority of the security bugs being found in plugins and themes. This talk will cover deep technical details of overlooked impactful vulnerabilities discovered in WordPress Core and across the most popular WordPress plugins, with each component having more than a hundred thousand active installations. We will also cover vulnerability in one of the most popular libraries used in plugins and themes, which could affect more than 7 million websites.

We will use multiple cases of overlooked XSS and privilege escalation attack vectors which could be easily exploited in the wild. We will show how we found these vulnerability cases and how to secure the code from these potential vulnerabilities.

Join us for the journey of exploiting the WordPress ecosystem (An Exploit demo is included too !)