Abstracts

Behind the scenes of 5G security [Slides]
Ravishankar Borgaonkar (@raviborgaonkar)
There is much more discussion around 5G security than around its benefits to our digital society. Though the 5G security architecture has evolved from 4G, it does introduce a new service-based architecture to the existing complex and multi-layer cellular networks. This talk will provide some ground truth on 5G security evolution and outline potential risks in the post-deployment era. In addition, we reveal vulnerabilities in different parts of the 5G network.

Binary Code Similarity Search – State of the Art and Applications
Jonas Wagner (@_jwagner)
Finding binary code similarities has always been a valuable tool for vulnerability detection, actor attribution and reverse engineering. One successful approach is comparing control flow graphs of code functions based on hand-crafted features (BinDiff, Diaphora, etc.) to identify similarity. This approach has major drawbacks: its high computational complexity, which makes it inherently hard to scale, and its reliance on expert knowledge about well-suited features for binary code similarity.
Recently, new approaches from academic and non-academic sources have emerged, which started using machine learning techniques to embed code functions as similarity-preserving representations with low dimensionality. These representations are learned based on large corpuses of data and try to reduce the reliance on expert knowledge as much as possible. Furthermore, the low dimensionality of these representations allows for efficient similarity searches, even when considering millions of code functions. We will present one of these approaches and go into the details of its functionalities, as well as experiments showing the quality of search results over large binary corpuses. As good as these new approaches are, finding binary code similarities at scale is still a hard problem and many intricacies lead to some irrelevant or incorrect results.

Microarchitectural Attacks – hype or serious threat?
Michael Kurth (@mik__)
Since the discovery of Spectre and Meltdown at the beginning of 2018, microarchitectural attacks have gained increased attention outside of InfoSec academia and industry. With the release of the MDS attacks in May this year, speculative execution attacks moved away from using the CPU cache as the shared medium between the attacking and victim process further down the pipeline to CPU-internal buffers. You might ask yourself, where are these vulnerabilities coming from, how do they work, what can an attacker achieve with them and how does it impact my threat model? In my opinion it is important for InfoSec people to understand what goes beyond “normal” software vulnerabilities, how to classify them and how they affect our threat models. There is a lot of hype and fear mongering in the media around this kind of CPU vulnerability. This talk will provide you with the background facts, the understanding and give you the right mindset in order to make your own educated decisions for the infrastructure you are responsible for. During the talk we will touch on speculative execution vulnerabilities like Spectre and Meltdown as well as the latest MDS attacks. We will discuss how such attacks can be used to read out local passwords or compromise shared cloud infrastructure. All these attacks require some knowledge of how CPUs and memory accesses work, which will be presented in a short computer architecture primer.

Nos Oignons – Operating large Tor relays in France [Slides] 
Julien Voisin
Nos Oignons is a French association (https://nos-oignons.net) created in 2013 with the goal of running large Tor (https://torproject.org) exit nodes. Running this kind of service can be challenging, both from a technical and from a social point of view: interactions with Law Enforcement Officers, dealing with attacks and spam, fighting the negative image of the Tor network, etc. But in 2019, we’re still alive and doing great, so we think that it could be interesting to share our experience, and maybe inspire other people to come together, and create similar entities, by building on top of what we’ve learned in 6 years of existence, controlling around 2% of the exit capacity of the Tor network!

Swiss Cybervoting PIT(falls) [Slides]
Jannis Kirschner (@xorkiwi)
The Swiss democracy is one of a kind. Digitalization affects even our most critical processes, such as voting. When a piece of code suddenly gets responsible for democracy, it’s only natural that the voices get loud and it raises many questions. Is our democracy at stake? Do we have to fear for our privacy? Is electronic voting even feasible in Switzerland? Is such a solution secure? As part of a mandatory Public Intrusion Test (PIT), the Swisspost released their source code to the world and started a heated debate – far beyond the Swiss borders. The codebase was not the only thing that revealed several problems during the PIT. Interesting scoping, redefining the term “open source” and unreleased security audits were only some of the issues that caused controversy. We will have a look at many technical and non-technical aspects of the e-voting solution and PIT. This talk provides an exclusive “behind the scenes” view from the perspective of a security researcher. It invites researchers and C-level alike to have an interesting discussion about voting security, bug bounty programs and critical infrastructure.

Why Johnny can’t scan at hyperscale – Tales and adventures building security scanning at Google [Slides]
Claudio Criscione (@paradoxengine), Sebastian Lekies (@slekies)
How do you lock an entire building worth of engineers out in the cold? How do you wreck hard-science experiments worth thousands of dollars? How do you bring down the most widely used application in the world (ok, not quite down – let’s say how do you give a hard time to its Service Reliability Engineers)? Is it some sort of ultra-advanced ROP-based CyberAPT?
We’ve got bad news and good news for you. The bad news is that all it takes to do these things might be a security scan. The good news is that it can also do good things for you, like preventing that VM from being owned 5 minutes after going online.
This talk presents a few years’ worth of experience scanning the hyperscale environment at Google, with an overview of the landscape of security scanning technologies and plenty of war stories. We have built security scanners covering all layers of the stack, integrated them with vendor-built systems, operated them for many quarters and watched them fail in all sorts of interesting ways.
The security scanning world, in particular at scale, is largely dominated by hand-wavy white papers and by internet-wide security scan research focusing on a small subset of the problem space. Having to identify vulnerabilities on millions of devices and countless web applications and actually get them fixed presents its own set of technological and process-related challenges besides maximizing network throughput on a single machine.
Traditional one-size-fits-all approaches to security scanning, with regular scheduled network scans or even the more modern agent-based variants, don’t always work at hyperscale. The audience will walk away with the understanding of a whole new set of challenges for the field: real-world-compatible continuous scanning, faster-than-humans preemptive automation, logical inventorying and targeting, and transparent scanner engineering. While they are exacerbated by scale and particularly nasty at hyperscale, they are just as real in smaller environments.