Having a certain influence in the world, the XCon Information Security Conference is one of the largest, most authoritative and best-known information security conferences in China. For more than a decade, XCon has upheld its rigorous working style and invited information security experts, enthusiasts and network security consultants from home and abroad. XCon is committed to creating a friendly, harmonious platform for communication.

Every summer XCon returns to meet you in Beijing, the capital of China. Hundreds of information security experts, scholars, researchers and related professionals from different countries are invited to present and give speeches. The meeting covers information security technologies across all fields, new ones included. If you have new technologies, new discoveries or successful experiences in some field, you are welcome to share them with us!

The Advanced Exploitation of 64-bit Edge Browser Use-After-Free Vulnerability on Windows 10

Jin Liu

Machine learning in security -- through ANON

Song Lin

Advbox, a toolbox to generate adversarial examples

Yan Liu

iOS jailbreak internals: how to escape iOS 11 sandbox in an elegant way

Xiaolong Bai

iOS jailbreak internals: how to escape iOS 11 sandbox in an elegant way

Min (Spark) Zheng

From Null Pointer Dereference to RCE - There is more than meets the eye

Yunhai Zhang

Breaking the Amazon Echo Smart Speaker

Yuxiang Li

USB-HID parse vulnerability

Sen Zhang

Modern Fuzz for embedded device from new perspective

Feng Ren

Modern Fuzz for embedded device from new perspective

He Qu

Modern Fuzz for embedded device from new perspective

Yu Zhou

A Common Method in Attacking Convolutional Network

Wan Ming

AM

TBD 8:30-9:00

TBD 9:30-9:40

TBD 9:40-10:40

TBD 10:40-11:40

TBD 11:40-12:30

PM

TBD 12:30-14:00

TBD 14:00-15:00

TBD 15:00-16:00

TBD 16:00-16:20

TBD 16:20-17:10

AM

TBD 09:30-10:30

TBD 10:30-11:30

TBD 11:30-12:30

TBD 12:30-14:00

PM

TBD 14:00-15:00

TBD 15:00-16:00

TBD 16:00-16:20

TBD 16:20-17:10

TBD 17:10-17:20


Previous Review

XCon2017 XFocus Information Security Conference
XCon2016 XFocus Information Security Conference
XCon2015 XFocus Information Security Conference
XCon2014 XFocus Information Security Conference
XCon2013 XFocus Information Security Conference
XCon2012 XFocus Information Security Conference
XCon2011 XFocus Information Security Conference
XCon2010 XFocus Information Security Conference
XCon2009 XFocus Information Security Conference
XCon2008 XFocus Information Security Conference
XCon2007 XFocus Information Security Conference
XCon2006 XFocus Information Security Conference
XCon2005 XFocus Information Security Conference
XCon2004 XFocus Information Security Conference
XCon2003 XFocus Information Security Conference
XCon2002 XFocus Information Security Conference

The registration fee includes: access to the two-day conference (28-29th August), coffee breaks and lunch each day, conference souvenirs, and free attendance at XPwn2018 on 30th August at 751D-Park.

Registration before 24th June

$450/per person

Registration before 13th July

$550/per person

Registration before 24th August

$650/per person

At door

$750/per person

Email us your registration information, which should include: last name, first name, email address, company, country, city, address and special diet (None, Vegetarian, Muslim). Please use the subject "XCon2018 Registration" and send it to xcon@xfuturesec.com.

The XCon organizing committee can help you book a room at the conference hotel at a better price. If you need our help, please email us with the subject "XCon2018 Room reservation", including: last name, first name, passport number, and check-in and check-out time.

Topic: The Advanced Exploitation of 64-bit Edge Browser Use-After-Free Vulnerability on Windows 10

SPEAKER: Jin Liu

Jin Liu is a security researcher on the McAfee IPS Research Team. Jin focuses mainly on vulnerability research and specializes in vulnerability analysis and exploitation, with a particular depth in browser vulnerability research on the Windows platform.

Brief introduction

UAF (Use-After-Free) is a common vulnerability class in object-oriented applications. Historically, a large number of exploitable UAF vulnerabilities have been found in the major browsers, such as Internet Explorer, Chrome and Safari. However, on the latest Windows 10 operating system, with the introduction of many mitigation features such as the isolated heap, delayed free and MemGC, many UAF vulnerabilities have become unexploitable. Only high-quality UAF vulnerabilities may still be exploitable, and their exploitation has become less generic and much more difficult to achieve. In view of this, this presentation aims to give the audience some perspective on exploiting Edge UAF vulnerabilities on Windows 10 x64, such as how to leverage the JS object Feng Shui technique to occupy the freed memory and how to convert a UAF vulnerability into another type of vulnerability. Arbitrary address read/write is a crucial step in modern vulnerability exploitation, so this talk focuses on how to convert UAF vulnerabilities into arbitrary address read/write primitives, and it concludes with some live attack demos.

Topic: Machine learning in security -- through ANON

SPEAKER: Song Lin

Song Lin is mainly engaged in practical machine learning research and industrial application. In 2017, he was named the first machine learning Google Developer Expert (ML GDE) in Greater China.

Brief introduction

Anon is a movie about "a near-future world where there is no privacy, ignorance or anonymity, people's private memories are recorded and crime almost ceases to exist, and a detective investigates a girl who has the ability to modify identity and history records". But this is not only in the movie.

During the past few years, as more and more Artificial Intelligence software and hardware have entered our lives, attacks on their machine learning algorithms may result in security hazards and risks.

So different methods of attack and defense will be analyzed and discussed in this talk.

Topic: Advbox, a toolbox to generate adversarial examples

SPEAKER: Yan Liu

Yan Liu is the leader of AI security at Baidu X-Lab and the leader of development for Baidu Web security. He leads development and engineering for all Baidu web security products, including DDoS defense, WAF, web threat perception and big data analytics. His research interests include machine learning, web security, botnets and threat intelligence. He has published three books on machine learning for web security.

Brief introduction

Most existing machine learning classifiers are highly vulnerable to adversarial examples. Advbox is a toolbox to generate adversarial examples that fool neural networks, and it can benchmark the robustness of machine learning models. Advbox is based on PaddlePaddle Fluid and is under continual development, always welcoming contributions of the latest adversarial attack and defense methods.

Topic: iOS jailbreak internals: how to escape iOS 11 sandbox in an elegant way

SPEAKER: Xiaolong Bai

Xiaolong Bai (twitter@bxl1989, github@bxl1989) is a security engineer at Alibaba Orion Security Lab. Before joining Alibaba, he received his Ph.D. from Tsinghua University. He has published several research papers at top conferences including IEEE S&P, USENIX Security, CCS and NDSS, and has presented his research at Black Hat USA and Hack In The Box. He has been acknowledged by well-known vendors, including Apple, Google, Facebook, Evernote and Tencent, for discovering vulnerabilities in their systems and improving the security of their products. He is a member of the OverSky team for private jailbreak development.

Brief introduction

The sandbox, the most well-known security feature enforced on Apple devices, was first introduced as "SeatBelt" on macOS 10.5. After its successful trial on macOS, Apple deployed the sandbox on every kind of Apple operating system, especially iOS. iOS enforces many strict sandbox policies on applications to control their access to critical system resources. In the system implementation, sandbox enforcement is accomplished by placing hooks in dozens of critical operations, e.g., system calls. With the growth of system complexity and additional security protections, the number of sandbox hooks has increased considerably and the control granularity has become stricter and stricter. In particular, Apple has replaced the original blacklist sandbox policies with whitelist ones, in which the system denies all operations except those Apple trusts.
But the sandbox mechanism is not as strong as it is supposed to be. There always exist vulnerabilities that attackers can exploit to escape the sandbox. In this talk, we will share our experience of escaping the iOS sandbox. Specifically, after an introduction to Apple's sandbox mechanism and a discussion of some classic sandbox escape methods, we will illustrate two zero-day vulnerabilities we recently discovered in the latest iOS 11.4, which can be exploited to escape the sandbox. Besides explaining why these 0-days occur, we will further elaborate some innovative exploitation strategies using OOL message heap spray and ROP (return-oriented programming) via the iOS IPC (inter-process communication) mechanism. Moreover, a new exploitation technique leveraging the "task port" to control system services will also be explained. With these exploitation techniques, an attacker could control user-mode system services and take a further step to control the kernel.

Topic: iOS jailbreak internals: how to escape iOS 11 sandbox in an elegant way

SPEAKER: Min (Spark) Zheng

Min (Spark) Zheng (twitter@SparkZheng, github@zhengmin1989) is a security expert at Alibaba Orion Security Lab. He received his Ph.D. from the CSE department of CUHK. His research focuses on malware analysis, smartphone (Android & iOS) security, and system design and implementation. Before receiving the Alibaba A-Star offer award in 2015, he worked at FireEye, Baidu and Tencent. He was the champion of GeekPwn 2014 and AliCTF 2015. He won the "best security researcher" award at FIT 2016 for detecting iOS/macOS vulnerabilities, the XcodeGhost virus and the WormHole RCE vulnerability. He is a member of the OverSky team for private jailbreak development. He has presented his research at DEF CON, HITB, Black Hat, RUXCON, etc.


Topic: From Null Pointer Dereference to RCE - There is more than meets the eye

SPEAKER: Yunhai Zhang

Yunhai Zhang is a security researcher of NSFOCUS Security Team, working on information security for more than a decade.

He has spoken at many security conferences in the past, such as Blackhat, Bluehat, DEFCON, POC, TSec, XCon, etc.

He has won the Microsoft Mitigation Bypass Bounty 5 years in a row since 2014.

Brief introduction

Null Pointer Dereference is a common type of vulnerability, which is generally considered not exploitable in user mode. Therefore, although many Null Pointer Dereference vulnerabilities can easily be found through fuzzing, researchers and vendors often choose to ignore them.

However, there is more to them than meets the eye. The root cause of a vulnerability that looks like a Null Pointer Dereference is not always a Null Pointer Dereference; it may be another type of vulnerability that is exploitable.

This talk will discuss how to analyze Null Pointer Dereference vulnerabilities and convert them to an exploitable type, how hardware profiles influence the type of vulnerability, and the limitations of Microsoft's mitigations for UAF (Use After Free) vulnerabilities. Along the way, a complete exploit for an Internet Explorer vulnerability will be shown as an example to demonstrate the concepts.

Topic: Breaking the Amazon Echo Smart Speaker

SPEAKER: Yuxiang Li

Yuxiang Li is a security researcher at Tencent Blade Team and a former ROIS CTF team member, specializing in mobile security and IoT security. Li has reported multiple Android vulnerabilities and was a speaker at HITB AMS 2018.

Brief introduction

In recent years, as a product of the combination of AI and IoT technology, smart speakers have gradually become the main interactive entry point of smart homes, offering entertainment, control and shopping functions based on voice interaction. Amazon, Google, Apple and many domestic manufacturers have launched similar products. With the popularity of smart speakers, their security will become more and more important.

This talk will introduce our research results on smart speakers, including IoT device testing techniques and binary exploitation methods. We selected the Amazon Echo, with a market share of 69% (about 31 million active devices), as our research object. In this talk, we will show for the first time how to break through both software and hardware, root the device in two ways, and turn smart speakers into attackers' listening devices.

At the same time, we will share a complete method for IoT device security auditing: firmware extraction from the chip and hardware cracking to obtain root permissions. Using this method, we built a firmware analysis and debugging environment for the Amazon Echo. We will also show how to audit and exploit multiple vulnerabilities on the device, including a web vulnerability and binary vulnerabilities (heap overflow and information leak). We combine them into an exploitation chain, apply heap layout techniques, and complete the memory layout despite background thread interference and serious heap corruption. Finally, we break through the Amazon Echo thoroughly and write shellcode to achieve persistent silent listening within the LAN, with the purpose of remotely stealing users' private data.

Topic: USB-HID parse vulnerability

SPEAKER: Sen Zhang

360 Vulcan Team member

Windows kernel and open source software vulnerability research

Participant in the Microsoft Bounty Program and the EOS Bounty Program

Brief introduction

HID is an abbreviation of Human Interface Device. As the name suggests, HID devices are devices that interact directly with people, such as keyboards, mice and joysticks. However, a HID device does not necessarily have a human interface: any device that meets the HID class specification is a HID device.

The exchanged data is stored in a structure called a report, and the device firmware must support the format of the HID report. The host sends and requests reports through control and interrupt transfers to transmit and receive data. The report format is very flexible and can carry any kind of data. The communication data format is described by descriptors.

In addition to supporting the five standard USB descriptors, HID devices support three descriptors unique to HID. These descriptors are:

USB standard descriptors: device, configuration, interface, endpoint, and string descriptors.

HID-specific descriptors: HID, Report, and Physical descriptors.

Windows 10 version 1703 introduced the kernel call NtUserInitializeGenericHidInjection to parse the Report descriptor.
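As an added illustration of the Report descriptor format the talk is about (this code is not from the talk, the page, or any Windows component), the C parser below walks a HID Report descriptor item by item and validates every declared length against the remaining buffer before reading a data byte, which is the check a descriptor parser must not skip; the sample mouse descriptor bytes are constructed here.

```c
#include <stddef.h>
#include <stdint.h>

/* One decoded HID Report descriptor item (USB HID 1.11, section 6.2.2). */
typedef struct {
    uint8_t  type;  /* 0 = Main, 1 = Global, 2 = Local, 3 = long item */
    uint8_t  tag;   /* bTag for short items, bLongItemTag for long items */
    uint8_t  size;  /* number of data bytes present */
    uint32_t data;  /* little-endian data of a short item, zero-extended */
} hid_item_t;

/* Decode the item at buf[0..len). Returns bytes consumed, or 0 if the item is
 * truncated. Each length is validated against len before any data byte is
 * read; a parser that trusts the device-supplied size skips exactly this. */
size_t hid_parse_item(const uint8_t *buf, size_t len, hid_item_t *out)
{
    static const uint8_t short_sizes[4] = {0, 1, 2, 4}; /* bSize encoding */
    if (len == 0) return 0;
    uint8_t prefix = buf[0];
    if (prefix == 0xFE) {             /* long item: 0xFE, bDataSize, bLongItemTag, data */
        if (len < 3) return 0;
        size_t dsize = buf[1];
        if (len - 3 < dsize) return 0; /* data would run past the descriptor */
        out->type = 3; out->tag = buf[2]; out->size = (uint8_t)dsize; out->data = 0;
        return 3 + dsize;
    }
    uint8_t size = short_sizes[prefix & 0x03];
    if (len - 1 < size) return 0;     /* declared size exceeds remaining bytes */
    out->type = (prefix >> 2) & 0x03;
    out->tag  = prefix >> 4;
    out->size = size;
    out->data = 0;
    for (uint8_t i = 0; i < size; i++)
        out->data |= (uint32_t)buf[1 + i] << (8 * i);
    return 1 + (size_t)size;
}

/* Walk a whole descriptor. Returns the item count, or -1 if any item is
 * truncated or Collection / End Collection nesting is unbalanced. */
int hid_validate_descriptor(const uint8_t *buf, size_t len)
{
    int items = 0, depth = 0;
    size_t off = 0;
    while (off < len) {
        hid_item_t it;
        size_t n = hid_parse_item(buf + off, len - off, &it);
        if (n == 0) return -1;
        if (it.type == 0) {                      /* Main items */
            if (it.tag == 0xA) depth++;          /* Collection */
            else if (it.tag == 0xC && --depth < 0) return -1; /* stray End Collection */
        }
        off += n;
        items++;
    }
    return depth == 0 ? items : -1;
}

/* Constructed sample: a minimal three-button mouse Report descriptor. */
const uint8_t kSampleMouseDesc[] = {
    0x05, 0x01, 0x09, 0x02, 0xA1, 0x01, 0x09, 0x01, 0xA1, 0x00, 0x05, 0x09,
    0x19, 0x01, 0x29, 0x03, 0x15, 0x00, 0x25, 0x01, 0x95, 0x03, 0x75, 0x01,
    0x81, 0x02, 0x95, 0x01, 0x75, 0x05, 0x81, 0x01, 0xC0, 0xC0
};
```

Feeding the same bytes with the tail cut off makes hid_validate_descriptor return -1 instead of reading past the buffer, which is the behaviour a host-side parser needs when the descriptor comes from an untrusted device.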

Topic: Modern Fuzz for embedded device from new perspective

SPEAKER: Feng Ren

Senior security engineer at Ant Financial's Light-Year Security Lab, responsible for the company's smart-side security and the firmware security of Ant Financial IoT products, focusing on advanced IoT security technology research.

Brief introduction

This talk intends to explore a whole new way to find security issues hidden in embedded devices. Unlike the traditional approach of finding such problems through penetration testing against a physical device in the real world, it removes the dependency of security analysis on a real physical device and a penetration testing environment, mainly by combining fuzz testing with virtual execution of the firmware.

The methodology demonstrated in this talk provides an innovative approach in the embedded device security field and encourages security researchers to explore more ways. Its original intention is to solve two main pain points in embedded device security: one is how to debug firmware in a simple way shortly after a critical vulnerability related to embedded devices is disclosed, and the other is how to analyze and find security issues in an embedded device over a long period, especially for expensive devices or physically isolated industrial control equipment. It turns out that feedback-driven fuzzing based on virtual execution of the firmware may be the best practice.

Topic: Modern Fuzz for embedded device from new perspective

SPEAKER: He Qu

His major experience includes mobile security and vulnerability hunting. He has reported several vulnerabilities in Samsung/Google/Twitter/Tencent/360 products, which were confirmed and credited in multiple advisories. In the past, he led the team that pwned several Android devices by remote attack. He has also shared research at conferences such as Black Hat, CanSecWest, HITCON and ZeroNights.


Topic: Modern Fuzz for embedded device from new perspective

SPEAKER: Yu Zhou

Security engineer at Ant Financial's Light-Year Security Lab, mainly focused on fuzzing techniques and AI security. He has been credited by Google, Microsoft and Apple many times, and has also received acknowledgments from industrial control companies such as Siemens, Schneider, Moxa, Advantech and GE in the field of IoT security.


Topic: A Common Method in Attacking Convolutional Network

SPEAKER: Wan Ming

He has been engaged in research on computer viruses, software protection and cryptology for many years, and currently works as COO of Beijing NAGA•IN.

Brief introduction

By transforming any structure of a convolutional network into a system of equations and seeking approximate solutions to that system, we can deceive the network's recognition with some similar images.